diff --git a/src/afterfact.rs b/src/afterfact.rs index 95012876..dd1ae5fb 100644 --- a/src/afterfact.rs +++ b/src/afterfact.rs @@ -106,7 +106,7 @@ fn emit_csv(writer: &mut W, displayflag: bool) -> io::Result< wtr.flush()?; println!(""); - println!("Total Events Detected:{:?}", detect_count); + println!("Total events detected: {:?}", detect_count); Ok(()) } @@ -202,7 +202,7 @@ fn test_emit_csv() { assert!(emit_csv(&mut file, false).is_ok()); match read_to_string("./test_emit_csv.csv") { - Err(_) => panic!("Failed to open file"), + Err(_) => panic!("Failed to open file."), Ok(s) => { assert_eq!(s, expect); } diff --git a/src/detections/configs.rs b/src/detections/configs.rs index b4b18c21..02499876 100644 --- a/src/detections/configs.rs +++ b/src/detections/configs.rs @@ -47,23 +47,23 @@ fn build_app<'a>() -> ArgMatches<'a> { return ArgMatches::default(); } - let usages = "-f --filepath=[FILEPATH] 'Event file path' - --csv-timeline=[CSV_TIMELINE] 'Csv output timeline' + let usages = "-f --filepath=[FILEPATH] 'File path to one .evtx file' + --csv-timeline=[CSV_TIMELINE] 'Save the timeline in CSV format' --rfc-2822 'Output date and time in RFC 2822 format. Example: Mon, 07 Aug 2006 12:34:56 -0600' --rfc-3339 'Output date and time in RFC 3339 format. Example: 2006-08-07T12:34:56.485214 -06:00' - --verbose 'Output check information to target event file path and rule file.' - -q 'Quiet Output Logo' - -r --rules=[RULEDIRECTORY] 'using target of rule file directory' - -L --level=[LEVEL] 'Specified execute rule level(default: LOW)' - -u --utc 'Output time in UTC format(default: local time)' - -d --directory=[DIRECTORY] 'Event log files directory' - -s --statistics 'Prints statistics for event logs' - -t --threadnum=[NUM] 'Thread number' + --verbose 'Output verbose information to target event file path and rule file' + -q 'Quiet mode. Do not display the launch banner' + -r --rules=[RULEDIRECTORY] 'Rule file directory (default: ./rules)' + -L --level=[LEVEL] 'Minimum level for rules (default: low)' + -u --utc 'Output time in UTC format (default: local time)' + -d --directory=[DIRECTORY] 'Directory of multiple .evtx files' + -s --statistics 'Prints statistics of event IDs' + -t --threadnum=[NUM] 'Thread number (default: optimal number for performance)' --contributors 'Prints the list of contributors'"; App::new(&program) - .about("hayabusa. Aiming to be the world's greatest Windows event log analysis tool!") + .about("Hayabusa: Aiming to be the world's greatest Windows event log analysis tool!") .version("1.0.0") - .author("Author name Yamato-Security(https://github.com/Yamato-Security/hayabusa)") + .author("Yamato-Security(https://github.com/Yamato-Security/hayabusa)") .setting(AppSettings::VersionlessSubcommands) .usage(usages) .args_from_usage(usages) diff --git a/src/detections/detection.rs b/src/detections/detection.rs index 3f02c616..b6233769 100644 --- a/src/detections/detection.rs +++ b/src/detections/detection.rs @@ -73,7 +73,7 @@ impl Detection { // ruleファイルのパースに失敗した場合はエラー出力 err_msgs_result.err().iter().for_each(|err_msgs| { let errmsg_body = - format!("Failed to parse Rule file. (FilePath : {})", rule.rulepath); + format!("Failed to parse rule file. (FilePath : {})", rule.rulepath); AlertMessage::warn(&mut std::io::stdout().lock(), errmsg_body).ok(); err_msgs.iter().for_each(|err_msg| { @@ -145,8 +145,8 @@ impl Detection { pub fn print_unique_results(&self) { let rules = &self.rules; - let levellabel = Vec::from(["Critical", "High", "Medium", "Low", "Info", "Undeifned"]); - // levclcounts is [(Undeifned), (Info), (Low),(Medium),(High),(Critical)] + let levellabel = Vec::from(["Critical", "High", "Medium", "Low", "Info", "Undefined"]); + // levels are [(Undeifned), (Info), (Low),(Medium),(High),(Critical)] let mut levelcounts = Vec::from([0, 0, 0, 0, 0, 0]); for rule in rules.into_iter() { if rule.check_exist_countdata() { @@ -165,10 +165,10 @@ impl Detection { let mut total_unique = 0; levelcounts.reverse(); for (i, value) in levelcounts.iter().enumerate() { - println!("{} alerts {}", levellabel[i], value); + println!("{} alerts: {}", levellabel[i], value); total_unique += value; } - println!("Unique Events Detected: {}", total_unique); + println!("Unique events detected: {}", total_unique); } // 複数のイベントレコードに対して、ルールを1個実行します。 @@ -246,12 +246,12 @@ impl Detection { ) { let mut total = parseerror_count + ignore_count; rc.into_iter().for_each(|(key, value)| { - println!("{} Rules: {}", key, value); + println!("{} rules: {}", key, value); total += value; }); - println!("Ignored Rule Count: {}", ignore_count); - println!("Rule Parse Errors Count: {}", parseerror_count); - println!("Total Detection Rules: {}", total); + println!("Ignored rules: {}", ignore_count); + println!("Rule parsing errors: {}", parseerror_count); + println!("Total detection rules: {}", total); println!(""); } } diff --git a/src/detections/rule/aggregation_parser.rs b/src/detections/rule/aggregation_parser.rs index bcc84bf1..92fd56ff 100644 --- a/src/detections/rule/aggregation_parser.rs +++ b/src/detections/rule/aggregation_parser.rs @@ -52,7 +52,7 @@ impl AggegationConditionCompiler { let result = self.compile_body(condition_str); if let Result::Err(msg) = result { return Result::Err(format!( - "aggregation condition parse error has occurred. {}", + "An aggregation condition parse error has occurred. {}", msg )); } else { @@ -137,7 +137,7 @@ impl AggegationConditionCompiler { ) -> Result, String> { if tokens.is_empty() { // パイプしか無いのはおかしいのでエラー - return Result::Err("There are no strings after pipe(|).".to_string()); + return Result::Err("There are no strings after the pipe(|).".to_string()); } let mut token_ite = tokens.into_iter(); @@ -150,14 +150,14 @@ impl AggegationConditionCompiler { } } else { // いろんなパターンがあるので難しいが、countというキーワードしか使えないことを説明しておく。 - return Result::Err("aggregation condition can use count only.".to_string()); + return Result::Err("The aggregation condition can only use count.".to_string()); } let token = token_ite.next(); if token.is_none() { // 論理演算子がないのはだめ return Result::Err( - "count keyword needs compare operator and number like '> 3'".to_string(), + "The count keyword needs a compare operator and number like '> 3'".to_string(), ); } @@ -168,14 +168,18 @@ impl AggegationConditionCompiler { let after_by = token_ite.next(); if after_by.is_none() { // BYの後に何もないのはだめ - return Result::Err("by keyword needs field name like 'by EventID'".to_string()); + return Result::Err( + "The by keyword needs a field name like 'by EventID'".to_string(), + ); } if let AggregationConditionToken::KEYWORD(keyword) = after_by.unwrap() { by_field_name = Option::Some(keyword); token_ite.next() } else { - return Result::Err("by keyword needs field name like 'by EventID'".to_string()); + return Result::Err( + "The by keyword needs a field name like 'by EventID'".to_string(), + ); } } else { Option::Some(token) @@ -185,14 +189,14 @@ impl AggegationConditionCompiler { if token.is_none() { // 論理演算子がないのはだめ return Result::Err( - "count keyword needs compare operator and number like '> 3'".to_string(), + "The count keyword needs a compare operator and number like '> 3'".to_string(), ); } let cmp_token = token.unwrap(); if !self.is_cmp_op(&cmp_token) { return Result::Err( - "count keyword needs compare operator and number like '> 3'".to_string(), + "The count keyword needs a compare operator and number like '> 3'".to_string(), ); } @@ -201,17 +205,17 @@ impl AggegationConditionCompiler { let number: Result = number.parse(); if number.is_err() { // 比較演算子の後に数値が無い。 - return Result::Err("compare operator needs a number like '> 3'.".to_string()); + return Result::Err("The compare operator needs a number like '> 3'.".to_string()); } else { number.unwrap() } } else { // 比較演算子の後に数値が無い。 - return Result::Err("compare operator needs a number like '> 3'.".to_string()); + return Result::Err("The compare operator needs a number like '> 3'.".to_string()); }; if token_ite.next().is_some() { - return Result::Err("unnecessary word was found.".to_string()); + return Result::Err("An unnecessary word was found.".to_string()); } let info = AggregationParseInfo { @@ -379,7 +383,7 @@ mod tests { assert_eq!(true, result.is_err()); assert_eq!( - "aggregation condition parse error has occurred. There are no strings after pipe(|)." + "An aggregation condition parse error has occurred. There are no strings after the pipe(|)." .to_string(), result.unwrap_err() ); @@ -393,7 +397,7 @@ mod tests { assert_eq!(true, result.is_err()); assert_eq!( - "aggregation condition parse error has occurred. An unusable character was found." + "An aggregation condition parse error has occurred. An unusable character was found." .to_string(), result.unwrap_err() ); @@ -407,7 +411,7 @@ mod tests { compiler.compile("select1 or select2 | by count( hogehoge) by snsn > 3".to_string()); assert_eq!(true, result.is_err()); - assert_eq!("aggregation condition parse error has occurred. aggregation condition can use count only.".to_string(),result.unwrap_err()); + assert_eq!("An aggregation condition parse error has occurred. The aggregation condition can only use count.".to_string(),result.unwrap_err()); } #[test] @@ -417,7 +421,7 @@ mod tests { let result = compiler.compile("select1 or select2 | count( hogehoge) 3".to_string()); assert_eq!(true, result.is_err()); - assert_eq!("aggregation condition parse error has occurred. count keyword needs compare operator and number like '> 3'".to_string(),result.unwrap_err()); + assert_eq!("An aggregation condition parse error has occurred. The count keyword needs a compare operator and number like '> 3'".to_string(),result.unwrap_err()); } #[test] @@ -427,7 +431,7 @@ mod tests { let result = compiler.compile("select1 or select2 | count( hogehoge) by".to_string()); assert_eq!(true, result.is_err()); - assert_eq!("aggregation condition parse error has occurred. by keyword needs field name like 'by EventID'".to_string(),result.unwrap_err()); + assert_eq!("An aggregation condition parse error has occurred. The by keyword needs a field name like 'by EventID'".to_string(),result.unwrap_err()); } #[test] @@ -438,7 +442,7 @@ mod tests { compiler.compile("select1 or select2 | count( hogehoge ) by hoe >".to_string()); assert_eq!(true, result.is_err()); - assert_eq!("aggregation condition parse error has occurred. compare operator needs a number like '> 3'.".to_string(),result.unwrap_err()); + assert_eq!("An aggregation condition parse error has occurred. The compare operator needs a number like '> 3'.".to_string(),result.unwrap_err()); } #[test] @@ -450,7 +454,7 @@ mod tests { assert_eq!(true, result.is_err()); assert_eq!( - "aggregation condition parse error has occurred. unnecessary word was found." + "An aggregation condition parse error has occurred. An unnecessary word was found." .to_string(), result.unwrap_err() ); diff --git a/src/detections/rule/condition_parser.rs b/src/detections/rule/condition_parser.rs index c7958b14..3a1e3af4 100644 --- a/src/detections/rule/condition_parser.rs +++ b/src/detections/rule/condition_parser.rs @@ -130,7 +130,7 @@ impl ConditionCompiler { let result = self.compile_condition_body(condition_str, name_2_node); if let Result::Err(msg) = result { - return Result::Err(format!("condition parse error has occured. {}", msg)); + return Result::Err(format!("A condition parse error has occured. {}", msg)); } else { return result; } @@ -269,7 +269,7 @@ impl ConditionCompiler { } // 最後までついても対応する右括弧が見つからないことを表している if left_cnt != right_cnt { - return Result::Err("expected ')'. but not found.".to_string()); + return Result::Err("')' was expected but not found.".to_string()); } // ここで再帰的に呼び出す。 @@ -284,7 +284,7 @@ impl ConditionCompiler { }; }); if is_right_left { - return Result::Err("expected '('. but not found.".to_string()); + return Result::Err("'(' was expected but not found.".to_string()); } return Result::Ok(ret); @@ -294,7 +294,7 @@ impl ConditionCompiler { fn parse_and_or_operator(&self, tokens: Vec) -> Result { if tokens.len() == 0 { // 長さ0は呼び出してはいけない - return Result::Err("unknown error.".to_string()); + return Result::Err("Unknown error.".to_string()); } // まず、selection1 and not selection2みたいな式のselection1やnot selection2のように、ANDやORでつながるトークンをまとめる。 @@ -302,7 +302,7 @@ impl ConditionCompiler { // 先頭又は末尾がAND/ORなのはだめ if self.is_logical(&tokens[0]) || self.is_logical(&tokens[tokens.len() - 1]) { - return Result::Err("illegal Logical Operator(and, or) was found.".to_string()); + return Result::Err("An illegal logical operator(and, or) was found.".to_string()); } // OperandContainerとLogicalOperator(AndとOR)が交互に並んでいるので、それぞれリストに投入 @@ -311,7 +311,9 @@ impl ConditionCompiler { for (i, token) in tokens.into_iter().enumerate() { if (i % 2 == 1) != self.is_logical(&token) { // インデックスが奇数の時はLogicalOperatorで、インデックスが偶数のときはOperandContainerになる - return Result::Err("The use of logical operator(and, or) was wrong.".to_string()); + return Result::Err( + "The use of a logical operator(and, or) was wrong.".to_string(), + ); } if i % 2 == 0 { @@ -354,21 +356,21 @@ impl ConditionCompiler { // 上記の通り、3つ以上入っていることはないはず。 if sub_tokens.len() >= 3 { return Result::Err( - "unknown error. maybe it's because there are multiple name of selection node." + "Unknown error. Maybe it is because there are multiple names of selection nodes." .to_string(), ); } // 0はありえないはず if sub_tokens.len() == 0 { - return Result::Err("unknown error.".to_string()); + return Result::Err("Unknown error.".to_string()); } // 1つだけ入っている場合、NOTはありえない。 if sub_tokens.len() == 1 { let operand_subtoken = sub_tokens.into_iter().next().unwrap(); if let ConditionToken::Not = operand_subtoken { - return Result::Err("illegal not was found.".to_string()); + return Result::Err("An illegal not was found.".to_string()); } return Result::Ok(operand_subtoken); @@ -380,14 +382,14 @@ impl ConditionCompiler { let second_token = sub_tokens_ite.next().unwrap(); if let ConditionToken::Not = first_token { if let ConditionToken::Not = second_token { - return Result::Err("not is continuous.".to_string()); + return Result::Err("Not is continuous.".to_string()); } else { let not_container = ConditionToken::NotContainer(vec![second_token]); return Result::Ok(not_container); } } else { return Result::Err( - "unknown error. maybe it's because there are multiple name of selection node." + "Unknown error. Maybe it is because there are multiple names of selection nodes." .to_string(), ); } @@ -450,7 +452,7 @@ impl ConditionCompiler { // NotSelectionNodeに変換 if let ConditionToken::NotContainer(sub_tokens) = token { if sub_tokens.len() > 1 { - return Result::Err("unknown error".to_string()); + return Result::Err("Unknown error".to_string()); } let select_sub_node = @@ -459,7 +461,7 @@ impl ConditionCompiler { return Result::Ok(Box::new(select_not_node)); } - return Result::Err("unknown error".to_string()); + return Result::Err("Unknown error".to_string()); } /// ConditionTokenがAndまたはOrTokenならばTrue @@ -549,7 +551,7 @@ mod tests { ); } Err(_rec) => { - assert!(false, "failed to parse json record."); + assert!(false, "Failed to parse json record."); } } } @@ -595,7 +597,7 @@ mod tests { assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), true); } Err(_rec) => { - assert!(false, "failed to parse json record."); + assert!(false, "Failed to parse json record."); } } } @@ -642,7 +644,7 @@ mod tests { assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), false); } Err(_rec) => { - assert!(false, "failed to parse json record."); + assert!(false, "Failed to parse json record."); } } } @@ -1204,7 +1206,7 @@ mod tests { assert_eq!( rule_node.init(), Err(vec![ - "There are no condition node under detection.".to_string() + "There is no condition node under detection.".to_string() ]) ); } @@ -1226,7 +1228,9 @@ mod tests { check_rule_parse_error( rule_str, - vec!["condition parse error has occured. An unusable character was found.".to_string()], + vec![ + "A condition parse error has occured. An unusable character was found.".to_string(), + ], ); } @@ -1247,7 +1251,9 @@ mod tests { check_rule_parse_error( rule_str, - vec!["condition parse error has occured. expected ')'. but not found.".to_string()], + vec![ + "A condition parse error has occured. ')' was expected but not found.".to_string(), + ], ); } @@ -1268,7 +1274,9 @@ mod tests { check_rule_parse_error( rule_str, - vec!["condition parse error has occured. expected '('. but not found.".to_string()], + vec![ + "A condition parse error has occured. '(' was expected but not found.".to_string(), + ], ); } @@ -1289,7 +1297,9 @@ mod tests { check_rule_parse_error( rule_str, - vec!["condition parse error has occured. expected ')'. but not found.".to_string()], + vec![ + "A condition parse error has occured. ')' was expected but not found.".to_string(), + ], ); } @@ -1308,7 +1318,7 @@ mod tests { output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.' "#; - check_rule_parse_error(rule_str,vec!["condition parse error has occured. unknown error. maybe it\'s because there are multiple name of selection node.".to_string()]); + check_rule_parse_error(rule_str,vec!["A condition parse error has occured. Unknown error. Maybe it is because there are multiple names of selection nodes.".to_string()]); } #[test] @@ -1329,7 +1339,7 @@ mod tests { check_rule_parse_error( rule_str, vec![ - "condition parse error has occured. illegal Logical Operator(and, or) was found." + "A condition parse error has occured. An illegal logical operator(and, or) was found." .to_string(), ], ); @@ -1353,7 +1363,7 @@ mod tests { check_rule_parse_error( rule_str, vec![ - "condition parse error has occured. illegal Logical Operator(and, or) was found." + "A condition parse error has occured. An illegal logical operator(and, or) was found." .to_string(), ], ); @@ -1374,7 +1384,7 @@ mod tests { output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.' "#; - check_rule_parse_error(rule_str,vec!["condition parse error has occured. The use of logical operator(and, or) was wrong.".to_string()]); + check_rule_parse_error(rule_str,vec!["A condition parse error has occured. The use of a logical operator(and, or) was wrong.".to_string()]); } #[test] @@ -1394,7 +1404,7 @@ mod tests { check_rule_parse_error( rule_str, - vec!["condition parse error has occured. illegal not was found.".to_string()], + vec!["A condition parse error has occured. An illegal not was found.".to_string()], ); } @@ -1415,7 +1425,7 @@ mod tests { check_rule_parse_error( rule_str, - vec!["condition parse error has occured. not is continuous.".to_string()], + vec!["A condition parse error has occured. Not is continuous.".to_string()], ); } } diff --git a/src/detections/rule/count.rs b/src/detections/rule/count.rs index 849cf951..5a65de2c 100644 --- a/src/detections/rule/count.rs +++ b/src/detections/rule/count.rs @@ -175,7 +175,7 @@ impl TimeFrameInfo { } else { AlertMessage::alert( &mut std::io::stderr().lock(), - format!("timeframe is invalid.input value:{}", value), + format!("Timeframe is invalid. Input value:{}", value), ) .ok(); } @@ -207,7 +207,7 @@ pub fn get_sec_timeframe(timeframe: &Option) -> Option { Err(err) => { AlertMessage::alert( &mut std::io::stderr().lock(), - format!("timeframe num is invalid. timeframe.{}", err), + format!("Timeframe number is invalid. timeframe.{}", err), ) .ok(); return Option::None; @@ -755,7 +755,7 @@ mod tests { let mut rule_node = create_rule("testpath".to_string(), test); let error_checker = rule_node.init(); if error_checker.is_err() { - assert!(false, "failed to init rulenode"); + assert!(false, "Failed to init rulenode"); } for record_str in records_str { match serde_json::from_str(record_str) { @@ -769,7 +769,7 @@ mod tests { assert_eq!(result, &true); } Err(_rec) => { - assert!(false, "failed to parse json record."); + assert!(false, "Failed to parse json record."); } } } diff --git a/src/detections/rule/matchers.rs b/src/detections/rule/matchers.rs index 022594f5..fe778e53 100644 --- a/src/detections/rule/matchers.rs +++ b/src/detections/rule/matchers.rs @@ -50,7 +50,7 @@ impl LeafMatcher for MinlengthMatcher { let min_length = select_value.as_i64(); if min_length.is_none() { let errmsg = format!( - "min_length value should be Integer. [key:{}]", + "min_length value should be an integer. [key:{}]", utils::concat_selection_key(key_list) ); return Result::Err(vec![errmsg]); @@ -99,7 +99,7 @@ impl LeafMatcher for RegexesFileMatcher { }; if value.is_none() { let errmsg = format!( - "regexes value should be String. [key:{}]", + "regexes value should be a string. [key:{}]", utils::concat_selection_key(key_list) ); return Result::Err(vec![errmsg]); @@ -158,7 +158,7 @@ impl LeafMatcher for AllowlistFileMatcher { }; if value.is_none() { let errmsg = format!( - "allowlist value should be String. [key:{}]", + "allowlist value should be a string. [key:{}]", utils::concat_selection_key(key_list) ); return Result::Err(vec![errmsg]); @@ -253,7 +253,7 @@ impl LeafMatcher for DefaultMatcher { }; if yaml_value.is_none() { let errmsg = format!( - "unknown error occured. [key:{}]", + "An unknown error occured. [key:{}]", utils::concat_selection_key(key_list) ); return Result::Err(vec![errmsg]); @@ -275,7 +275,7 @@ impl LeafMatcher for DefaultMatcher { }; if pipe_element.is_none() { let errmsg = format!( - "unknown pipe element was specified. key:{}", + "An unknown pipe element was specified. key:{}", utils::concat_selection_key(key_list) ); return Result::Err(vec![errmsg]); @@ -286,7 +286,7 @@ impl LeafMatcher for DefaultMatcher { if self.pipes.len() >= 2 { // 現状では複数のパイプは対応していない let errmsg = format!( - "multiple pipe element can't be used. key:{}", + "Multiple pipe elements cannot be used. key:{}", utils::concat_selection_key(key_list) ); return Result::Err(vec![errmsg]); @@ -309,7 +309,7 @@ impl LeafMatcher for DefaultMatcher { let re_result = Regex::new(&pattern); if re_result.is_err() { let errmsg = format!( - "cannot parse regex. [regex:{}, key:{}]", + "Cannot parse regex. [regex:{}, key:{}]", pattern, utils::concat_selection_key(key_list) ); @@ -779,7 +779,7 @@ mod tests { assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), false); } Err(_) => { - assert!(false, "failed to parse json record."); + assert!(false, "Failed to parse json record."); } } } @@ -846,7 +846,7 @@ mod tests { assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), false); } Err(_) => { - assert!(false, "failed to parse json record."); + assert!(false, "Failed to parse json record."); } } } @@ -880,7 +880,7 @@ mod tests { assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), false); } Err(_) => { - assert!(false, "failed to parse json record."); + assert!(false, "Failed to parse json record."); } } } @@ -913,7 +913,7 @@ mod tests { assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), true); } Err(_) => { - assert!(false, "failed to parse json record."); + assert!(false, "Failed to parse json record."); } } } @@ -946,7 +946,7 @@ mod tests { assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), false); } Err(_) => { - assert!(false, "failed to parse json record."); + assert!(false, "Failed to parse json record."); } } } @@ -980,7 +980,7 @@ mod tests { assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), false); } Err(_) => { - assert!(false, "failed to parse json record."); + assert!(false, "Failed to parse json record."); } } } @@ -1014,7 +1014,7 @@ mod tests { assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), true); } Err(_) => { - assert!(false, "failed to parse json record."); + assert!(false, "Failed to parse json record."); } } } @@ -1048,7 +1048,7 @@ mod tests { assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), true); } Err(_) => { - assert!(false, "failed to parse json record."); + assert!(false, "Failed to parse json record."); } } } @@ -1082,7 +1082,7 @@ mod tests { assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), true); } Err(_) => { - assert!(false, "failed to parse json record."); + assert!(false, "Failed to parse json record."); } } } @@ -1116,7 +1116,7 @@ mod tests { assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), false); } Err(_) => { - assert!(false, "failed to parse json record."); + assert!(false, "Failed to parse json record."); } } } @@ -1149,7 +1149,7 @@ mod tests { assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), true); } Err(_) => { - assert!(false, "failed to parse json record."); + assert!(false, "Failed to parse json record."); } } } @@ -1186,7 +1186,7 @@ mod tests { assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), false); } Err(_) => { - assert!(false, "failed to parse json record."); + assert!(false, "Failed to parse json record."); } } } @@ -1223,7 +1223,7 @@ mod tests { assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), false); } Err(_) => { - assert!(false, "failed to parse json record."); + assert!(false, "Failed to parse json record."); } } } @@ -1259,7 +1259,7 @@ mod tests { assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), false); } Err(_) => { - assert!(false, "failed to parse json record."); + assert!(false, "Failed to parse json record."); } } } @@ -1304,7 +1304,7 @@ mod tests { assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), true); } Err(_rec) => { - assert!(false, "failed to parse json record."); + assert!(false, "Failed to parse json record."); } } } @@ -1349,7 +1349,7 @@ mod tests { assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), false); } Err(_rec) => { - assert!(false, "failed to parse json record."); + assert!(false, "Failed to parse json record."); } } } @@ -1394,7 +1394,7 @@ mod tests { assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), true); } Err(_rec) => { - assert!(false, "failed to parse json record."); + assert!(false, "Failed to parse json record."); } } } @@ -1439,7 +1439,7 @@ mod tests { assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), false); } Err(_rec) => { - assert!(false, "failed to parse json record."); + assert!(false, "Failed to parse json record."); } } } @@ -1484,7 +1484,7 @@ mod tests { assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), true); } Err(_rec) => { - assert!(false, "failed to parse json record."); + assert!(false, "Failed to parse json record."); } } } @@ -1529,7 +1529,7 @@ mod tests { assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), false); } Err(_rec) => { - assert!(false, "failed to parse json record."); + assert!(false, "Failed to parse json record."); } } } @@ -1562,7 +1562,7 @@ mod tests { assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), true); } Err(_) => { - assert!(false, "failed to parse json record."); + assert!(false, "Failed to parse json record."); } } } @@ -1595,7 +1595,7 @@ mod tests { assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), false); } Err(_) => { - assert!(false, "failed to parse json record."); + assert!(false, "Failed to parse json record."); } } } @@ -1628,7 +1628,7 @@ mod tests { assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), true); } Err(_) => { - assert!(false, "failed to parse json record."); + assert!(false, "Failed to parse json record."); } } } @@ -1721,7 +1721,7 @@ mod tests { assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), true); } Err(_) => { - assert!(false, "failed to parse json record."); + assert!(false, "Failed to parse json record."); } } } @@ -1756,7 +1756,7 @@ mod tests { assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), false); } Err(_) => { - assert!(false, "failed to parse json record."); + assert!(false, "Failed to parse json record."); } } } @@ -1791,7 +1791,7 @@ mod tests { assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), true); } Err(_) => { - assert!(false, "failed to parse json record."); + assert!(false, "Failed to parse json record."); } } } @@ -1826,7 +1826,7 @@ mod tests { assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), false); } Err(_) => { - assert!(false, "failed to parse json record."); + assert!(false, "Failed to parse json record."); } } } diff --git a/src/detections/rule/mod.rs b/src/detections/rule/mod.rs index 11f2eda8..c4d3150d 100644 --- a/src/detections/rule/mod.rs +++ b/src/detections/rule/mod.rs @@ -144,7 +144,7 @@ impl DetectionNode { let mut keys = self.name_to_selection.keys().clone(); if keys.len() >= 2 { return Result::Err(vec![ - "There are no condition node under detection.".to_string() + "There is no condition node under detection.".to_string() ]); } @@ -191,7 +191,7 @@ impl DetectionNode { fn parse_name_to_selection(&mut self, detection_yaml: &Yaml) -> Result<(), Vec> { let detection_hash = detection_yaml.as_hash(); if detection_hash.is_none() { - return Result::Err(vec!["not found detection node".to_string()]); + return Result::Err(vec!["Detection node was not found.".to_string()]); } // selectionをパースする。 @@ -229,7 +229,7 @@ impl DetectionNode { // selectionノードが無いのはエラー if self.name_to_selection.len() == 0 { return Result::Err(vec![ - "There are no selection node under detection.".to_string() + "There is no selection node under detection.".to_string() ]); } @@ -360,7 +360,7 @@ mod tests { assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), true); } Err(_) => { - assert!(false, "failed to parse json record."); + assert!(false, "Failed to parse json record."); } } } @@ -393,7 +393,7 @@ mod tests { assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), false); } Err(_) => { - assert!(false, "failed to parse json record."); + assert!(false, "Failed to parse json record."); } } } @@ -426,7 +426,7 @@ mod tests { assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), false); } Err(_) => { - assert!(false, "failed to parse json record."); + assert!(false, "Failed to parse json record."); } } } @@ -512,7 +512,7 @@ mod tests { assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), true); } Err(_) => { - assert!(false, "failed to parse json record."); + assert!(false, "Failed to parse json record."); } } } @@ -574,7 +574,7 @@ mod tests { assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), false); } Err(_) => { - assert!(false, "failed to parse json record."); + assert!(false, "Failed to parse json record."); } } } @@ -643,7 +643,7 @@ mod tests { assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), true); } Err(_) => { - assert!(false, "failed to parse json record."); + assert!(false, "Failed to parse json record."); } } } @@ -690,7 +690,7 @@ mod tests { assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), true); } Err(_) => { - assert!(false, "failed to parse json record."); + assert!(false, "Failed to parse json record."); } } } @@ -738,7 +738,7 @@ mod tests { assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), false); } Err(_) => { - assert!(false, "failed to parse json record."); + assert!(false, "Failed to parse json record."); } } } @@ -805,7 +805,7 @@ mod tests { assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), true); } Err(_) => { - assert!(false, "failed to parse json record."); + assert!(false, "Failed to parse json record."); } } } @@ -872,7 +872,7 @@ mod tests { assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), false); } Err(_) => { - assert!(false, "failed to parse json record."); + assert!(false, "Failed to parse json record."); } } } @@ -921,7 +921,7 @@ mod tests { assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), true); } Err(_rec) => { - assert!(false, "failed to parse json record."); + assert!(false, "Failed to parse json record."); } } } @@ -943,7 +943,7 @@ mod tests { assert_eq!( rule_node.init(), Err(vec![ - "unknown pipe element was specified. key:detection -> selection -> Channel|failed" + "An unknown pipe element was specified. key:detection -> selection -> Channel|failed" .to_string() ]) ); @@ -962,7 +962,7 @@ mod tests { assert_eq!( rule_node.init(), - Err(vec!["not found detection node".to_string()]) + Err(vec!["Detection node was not found.".to_string()]) ); } @@ -997,7 +997,7 @@ mod tests { ); } Err(_rec) => { - assert!(false, "failed to parse json record."); + assert!(false, "Failed to parse json record."); } } } diff --git a/src/detections/rule/selectionnodes.rs b/src/detections/rule/selectionnodes.rs index 78dc3ea4..030d832c 100644 --- a/src/detections/rule/selectionnodes.rs +++ b/src/detections/rule/selectionnodes.rs @@ -392,7 +392,7 @@ impl SelectionNode for LeafSelectionNode { if self.select_value.is_badvalue() { return Result::Err(vec![format!( - "Cannot parse yaml file. key:{}", + "Cannot parse yml file. key:{}", utils::concat_selection_key(&match_key_list) )]); } @@ -446,7 +446,7 @@ mod tests { assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), true); } Err(_) => { - assert!(false, "failed to parse json record."); + assert!(false, "Failed to parse json record."); } } } @@ -482,7 +482,7 @@ mod tests { assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), false); } Err(_) => { - assert!(false, "failed to parse json record."); + assert!(false, "Failed to parse json record."); } } } @@ -517,7 +517,7 @@ mod tests { assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), true); } Err(_) => { - assert!(false, "failed to parse json record."); + assert!(false, "Failed to parse json record."); } } } @@ -552,7 +552,7 @@ mod tests { assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), true); } Err(_) => { - assert!(false, "failed to parse json record."); + assert!(false, "Failed to parse json record."); } } } @@ -587,7 +587,7 @@ mod tests { assert_eq!(rule_node.select(&"testpath".to_owned(), &recinfo), false); } Err(_) => { - assert!(false, "failed to parse json record."); + assert!(false, "Failed to parse json record."); } } } diff --git a/src/detections/utils.rs b/src/detections/utils.rs index 59331832..1bacfe10 100644 --- a/src/detections/utils.rs +++ b/src/detections/utils.rs @@ -49,7 +49,7 @@ pub fn check_allowlist(target: &str, regexes: &Vec) -> bool { pub fn read_txt(filename: &str) -> Result, String> { let f = File::open(filename); if f.is_err() { - let errmsg = format!("cannot open file. [file:{}]", filename); + let errmsg = format!("Cannot open file. [file:{}]", filename); return Result::Err(errmsg); } let reader = BufReader::new(f.unwrap()); @@ -62,7 +62,7 @@ pub fn read_txt(filename: &str) -> Result, String> { } pub fn read_csv(filename: &str) -> Result>, String> { - let mut f = File::open(filename).expect("file not found!!!"); + let mut f = File::open(filename).expect("File not found!!!"); let mut contents: String = String::new(); let mut ret = vec![]; let read_res = f.read_to_string(&mut contents); diff --git a/src/main.rs b/src/main.rs index 081ff838..6b6b34c0 100644 --- a/src/main.rs +++ b/src/main.rs @@ -36,7 +36,7 @@ fn main() { if !filepath.ends_with(".evtx") { AlertMessage::alert( &mut std::io::stderr().lock(), - "--filepath is only accepted evtx file.".to_owned(), + "--filepath only accepts .evtx files.".to_owned(), ) .ok(); return; @@ -47,7 +47,7 @@ fn main() { if evtx_files.len() == 0 { AlertMessage::alert( &mut std::io::stderr().lock(), - "No exist evtx file.".to_owned(), + "No .evtx files were found.".to_owned(), ) .ok(); return; @@ -118,7 +118,7 @@ fn analysis_files(evtx_files: Vec) { .value_of("level") .unwrap_or("INFO") .to_uppercase(); - println!("Analyzing Event Files: {:?}", evtx_files.len()); + println!("Analyzing event files: {:?}", evtx_files.len()); let rule_files = detection::Detection::parse_rule_files( level, configs::CONFIG.read().unwrap().args.value_of("rules"), @@ -126,7 +126,7 @@ fn analysis_files(evtx_files: Vec) { let mut detection = detection::Detection::new(rule_files); for evtx_file in evtx_files { if configs::CONFIG.read().unwrap().args.is_present("verbose") { - println!("check target evtx FilePath: {:?}", &evtx_file); + println!("Checking target evtx FilePath: {:?}", &evtx_file); } detection = analysis_file(evtx_file, detection); } diff --git a/src/yaml.rs b/src/yaml.rs index 792d7790..b0ef5065 100644 --- a/src/yaml.rs +++ b/src/yaml.rs @@ -83,7 +83,7 @@ impl ParseYaml { AlertMessage::warn( &mut std::io::stdout().lock(), format!( - "fail to parse as yaml: {}\n{} ", + "Failed to parse yml: {}\n{} ", entry.path().display(), yaml_contents.unwrap_err() ), @@ -109,14 +109,14 @@ impl ParseYaml { return Option::None; } self.rulecounter.insert( - yaml_doc["ruletype"].as_str().unwrap_or("other").to_string(), + yaml_doc["ruletype"].as_str().unwrap_or("Other").to_string(), self.rulecounter - .get(&yaml_doc["ruletype"].as_str().unwrap_or("other").to_string()) + .get(&yaml_doc["ruletype"].as_str().unwrap_or("Other").to_string()) .unwrap_or(&0) + 1, ); if configs::CONFIG.read().unwrap().args.is_present("verbose") { - println!("Loaded yml FilePath: {}", filepath); + println!("Loaded yml file path: {}", filepath); } // 指定されたレベルより低いルールは無視する let doc_level = &yaml_doc["level"]