fixed output error when exist difference column name and value #165

This commit is contained in:
DastInDark
2022-07-31 14:13:51 +09:00
parent c36e4e8e6f
commit be836d5040
2 changed files with 33 additions and 28 deletions


@@ -244,16 +244,17 @@ impl Detection {
let level = rule.yaml["level"].as_str().unwrap_or("-").to_string(); let level = rule.yaml["level"].as_str().unwrap_or("-").to_string();
let mut profile_converter: HashMap<String, String> = HashMap::new(); let mut profile_converter: HashMap<String, String> = HashMap::new();
for (k, v) in PROFILES.as_ref().unwrap().iter() { for (_k, v) in PROFILES.as_ref().unwrap().iter() {
let tmp = v.as_str(); let tmp = v.as_str();
for target_profile in PRELOAD_PROFILE_REGEX.matches(tmp).into_iter() { for target_profile in PRELOAD_PROFILE_REGEX.matches(tmp).into_iter() {
match PRELOAD_PROFILE[target_profile] { match PRELOAD_PROFILE[target_profile] {
"%Timestamp%" => { "%Timestamp%" => {
profile_converter.insert(format!("%{}%", k), format_time(&time, false)); profile_converter
.insert("%Timestamp%".to_string(), format_time(&time, false));
} }
"%Computer%" => { "%Computer%" => {
profile_converter.insert( profile_converter.insert(
format!("%{}%", k), "%Computer%".to_string(),
record_info.record["Event"]["System"]["Computer"] record_info.record["Event"]["System"]["Computer"]
.to_string() .to_string()
.replace('\"', ""), .replace('\"', ""),
@@ -261,37 +262,37 @@ impl Detection {
} }
"%Channel%" => { "%Channel%" => {
profile_converter.insert( profile_converter.insert(
format!("%{}%", k), "%Channel%".to_string(),
CH_CONFIG.get(ch_str).unwrap_or(ch_str).to_string(), CH_CONFIG.get(ch_str).unwrap_or(ch_str).to_string(),
); );
} }
"%Level%" => { "%Level%" => {
profile_converter.insert( profile_converter.insert(
format!("%{}%", k), "%Level%".to_string(),
LEVEL_ABBR.get(&level).unwrap_or(&level).to_string(), LEVEL_ABBR.get(&level).unwrap_or(&level).to_string(),
); );
} }
"%EventID%" => { "%EventID%" => {
profile_converter.insert(format!("%{}%", k), eid.to_owned()); profile_converter.insert("%EventID%".to_string(), eid.to_owned());
} }
"%MitreAttack%" => { "%MitreAttack%" => {
profile_converter.insert(format!("%{}%", k), tag_info.join(" | ")); profile_converter.insert("%MitreAttack%".to_string(), tag_info.join(" | "));
} }
"%RecordID%" => { "%RecordID%" => {
profile_converter.insert( profile_converter.insert(
format!("%{}%", k), "%RecordID%".to_string(),
rec_id.as_ref().unwrap_or(&"-".to_string()).to_owned(), rec_id.as_ref().unwrap_or(&"-".to_string()).to_owned(),
); );
} }
"%RuleTitle%" => { "%RuleTitle%" => {
profile_converter.insert( profile_converter.insert(
format!("%{}%", k), "%RuleTitle%".to_string(),
rule.yaml["title"].as_str().unwrap_or("").to_string(), rule.yaml["title"].as_str().unwrap_or("").to_string(),
); );
} }
"%RecordInformation%" => { "%RecordInformation%" => {
profile_converter.insert( profile_converter.insert(
format!("%{}%", k), "%RecordInformation%".to_string(),
opt_record_info opt_record_info
.as_ref() .as_ref()
.unwrap_or(&"-".to_string()) .unwrap_or(&"-".to_string())
@@ -300,7 +301,7 @@ impl Detection {
} }
"%RuleFile%" => { "%RuleFile%" => {
profile_converter.insert( profile_converter.insert(
format!("%{}%", k), "%RuleFile%".to_string(),
Path::new(&rule.rulepath) Path::new(&rule.rulepath)
.file_name() .file_name()
.unwrap_or_default() .unwrap_or_default()
@@ -311,7 +312,7 @@ impl Detection {
} }
"%EvtxFile%" => { "%EvtxFile%" => {
profile_converter.insert( profile_converter.insert(
format!("%{}%", k), "%EvtxFile%".to_string(),
Path::new(&record_info.evtx_filepath) Path::new(&record_info.evtx_filepath)
.file_name() .file_name()
.unwrap_or_default() .unwrap_or_default()
@@ -362,49 +363,49 @@ impl Detection {
let mut profile_converter: HashMap<String, String> = HashMap::new(); let mut profile_converter: HashMap<String, String> = HashMap::new();
let level = rule.yaml["level"].as_str().unwrap_or("-").to_string(); let level = rule.yaml["level"].as_str().unwrap_or("-").to_string();
for (k, v) in PROFILES.as_ref().unwrap().iter() { for (_k, v) in PROFILES.as_ref().unwrap().iter() {
let tmp = v.as_str(); let tmp = v.as_str();
for target_profile in PRELOAD_PROFILE_REGEX.matches(tmp).into_iter() { for target_profile in PRELOAD_PROFILE_REGEX.matches(tmp).into_iter() {
match PRELOAD_PROFILE[target_profile] { match PRELOAD_PROFILE[target_profile] {
"%Timestamp%" => { "%Timestamp%" => {
profile_converter.insert( profile_converter.insert(
format!("%{}%", k), "%Timestamp%".to_string(),
format_time(&agg_result.start_timedate, false), format_time(&agg_result.start_timedate, false),
); );
} }
"%Computer%" => { "%Computer%" => {
profile_converter.insert(format!("%{}%", k), "-".to_owned()); profile_converter.insert("%Computer%".to_string(), "-".to_owned());
} }
"%Channel%" => { "%Channel%" => {
profile_converter.insert(format!("%{}%", k), "-".to_owned()); profile_converter.insert("%Channel%".to_string(), "-".to_owned());
} }
"%Level%" => { "%Level%" => {
profile_converter.insert( profile_converter.insert(
format!("%{}%", k), "%Level%".to_string(),
LEVEL_ABBR.get(&level).unwrap_or(&level).to_string(), LEVEL_ABBR.get(&level).unwrap_or(&level).to_string(),
); );
} }
"%EventID%" => { "%EventID%" => {
profile_converter.insert(format!("%{}%", k), "-".to_owned()); profile_converter.insert("%EventID%".to_string(), "-".to_owned());
} }
"%MitreAttack%" => { "%MitreAttack%" => {
profile_converter.insert(format!("%{}%", k), tag_info.join(" | ")); profile_converter.insert("%MitreAttack%".to_owned(), tag_info.join(" | "));
} }
"%RecordID%" => { "%RecordID%" => {
profile_converter.insert(format!("%{}%", k), "-".to_owned()); profile_converter.insert("%RecordID%".to_string(), "-".to_owned());
} }
"%RuleTitle%" => { "%RuleTitle%" => {
profile_converter.insert( profile_converter.insert(
format!("%{}%", k), "%RuleTitle%".to_string(),
rule.yaml["title"].as_str().unwrap_or("").to_string(), rule.yaml["title"].as_str().unwrap_or("").to_string(),
); );
} }
"%RecordInformation%" => { "%RecordInformation%" => {
profile_converter.insert(format!("%{}%", k), "-".to_owned()); profile_converter.insert("%RecordInformation%".to_string(), "-".to_owned());
} }
"%RuleFile%" => { "%RuleFile%" => {
profile_converter.insert( profile_converter.insert(
format!("%{}%", k), "%RuleFile%".to_string(),
Path::new(&rule.rulepath) Path::new(&rule.rulepath)
.file_name() .file_name()
.unwrap_or_default() .unwrap_or_default()
@@ -414,7 +415,7 @@ impl Detection {
); );
} }
"%EvtxFile%" => { "%EvtxFile%" => {
profile_converter.insert(format!("%{}%", k), "-".to_owned()); profile_converter.insert("%EvtxFile%".to_string(), "-".to_owned());
} }
_ => {} _ => {}
} }
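Review bot: Each match arm now spells the placeholder twice, once as the pattern and once as the inserted key (`"%Timestamp%".to_string()` through `"%EvtxFile%".to_string()`), so a typo on either side would silently register the value under a key no profile references; binding the matched literal once with `let key = PRELOAD_PROFILE[target_profile].to_string();` before the `match` and using `key` in every arm removes that duplication, and the same applies to the second loop in the `@@ -362,49` hunk. That second hunk also has one arm using `"%MitreAttack%".to_owned()` where every other arm uses `.to_string()`; one form should be used throughout. Because the key no longer depends on the profile entry, the outer `for (_k, v)` loop now inserts the same key/value pair once per profile that mentions the placeholder, recomputing values such as `format_time` each time — harmless as far as these lines show, but a comment like `// keys are the placeholder names themselves; the outer loop only discovers which placeholders any profile uses` would explain why `_k` is intentionally unused. The enclosing function bodies start and end outside these hunks.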


@@ -158,10 +158,14 @@ pub fn insert(
let mut tmp_converted_info: LinkedHashMap<String, String> = LinkedHashMap::new(); let mut tmp_converted_info: LinkedHashMap<String, String> = LinkedHashMap::new();
for (k, v) in &detect_info.ext_field { for (k, v) in &detect_info.ext_field {
let converted_reserve_info = convert_profile_reserved_info(v, profile_converter); let converted_reserve_info = convert_profile_reserved_info(v, profile_converter);
tmp_converted_info.insert( if v == "%RecordInformation%" {
k.to_owned(), tmp_converted_info.insert(k.to_owned(), converted_reserve_info);
parse_message(event_record, &converted_reserve_info), } else {
); tmp_converted_info.insert(
k.to_owned(),
parse_message(event_record, &converted_reserve_info),
);
}
} }
for (k, v) in tmp_converted_info { for (k, v) in tmp_converted_info {
detect_info.ext_field.insert(k, v); detect_info.ext_field.insert(k, v);
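Review bot: The new branch in `insert` compares the profile value `v` with the exact literal `"%RecordInformation%"`, so a profile entry that combines that placeholder with other text would presumably still be routed through `parse_message`; if that is intended, a one-line comment saying so would help, and the literal duplicates the name kept in the other changed file's `PRELOAD_PROFILE` table, so a shared constant would keep the two in sync. Both branches insert under `k.to_owned()`, so computing the value first reads more directly: `let value = if v == "%RecordInformation%" { converted_reserve_info } else { parse_message(event_record, &converted_reserve_info) };` followed by `tmp_converted_info.insert(k.to_owned(), value);`. The signature of `insert` and the rest of its body lie outside the hunk.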