diff --git a/src/detections/application.rs b/src/detections/application.rs
index e69de29b..6977ba85 100644
--- a/src/detections/application.rs
+++ b/src/detections/application.rs
@@ -0,0 +1,4 @@
+
+pub fn detection() {
+
+}
\ No newline at end of file
diff --git a/src/detections/security.rs b/src/detections/security.rs
index 0ae62d26..b67b720d 100644
--- a/src/detections/security.rs
+++ b/src/detections/security.rs
@@ -1,9 +1,20 @@
 use std::collections::HashMap;
+pub fn detection(event_id: String, event_data: HashMap,
+ alert_all_admin: i32, total_admin_logons: &mut i32,
+ admin_logons: &mut HashMap>,
+ multiple_admin_logons: &mut HashMap) {
+
+ if event_id == "4672" {
+ se_debug_privilege(event_data, alert_all_admin, total_admin_logons,
+ admin_logons, multiple_admin_logons);
+ }
+}
+
 //
 // Special privileges assigned to new logon (possible admin access)
 //
-pub fn se_debug_privilege(event_data: HashMap,
+fn se_debug_privilege(event_data: HashMap,
 alert_all_admin: i32, total_admin_logons: &mut i32,
 admin_logons: &mut HashMap>,
 multiple_admin_logons: &mut HashMap) {
@@ -15,7 +26,7 @@ pub fn se_debug_privilege(event_data: HashMap,
 // alert_all_adminが有効であれば、標準出力して知らせる
 // DeepBlueCLIでは必ず0になっていて、基本的には表示されない。
- if (alert_all_admin == 1) {
+ if alert_all_admin == 1 {
 println!("Logon with SeDebugPrivilege (admin access)");
 println!("Username:{}", event_data["SubjectUserName"]);
 println!("Domain:{}", event_data["SubjectDomainName"]);
@@ -30,7 +41,7 @@ pub fn se_debug_privilege(event_data: HashMap,
 Some(sid) => {
 // 含まれていれば、マルチユーザが管理者としてログインしているか確認
 // マルチログオンのデータをセット
- if (event_data["SubjectUserName"] != event_data["SubjectUserSid"]) { // One username with multiple admin logon SIDs
+ if event_data["SubjectUserName"] != event_data["SubjectUserSid"] { // One username with multiple admin logon SIDs
 multiple_admin_logons.insert(event_data["SubjectUserName"].to_string(),1);
 let mut count_hash: HashMap = HashMap::new();
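Review bot: The new `detection` entry point forwards every 4672 record's `event_data` to `se_debug_privilege`, which, per the hunks below, indexes `event_data["SubjectUserName"]`, `["SubjectDomainName"]` and `["SubjectUserSid"]` directly, so a record whose EventData lacks one of those fields (a truncated or hand-crafted log) panics and aborts the whole analysis run instead of being skipped. Since this wrapper is the one place every Security record passes through, it is the natural spot to guard: check the three keys with `event_data.contains_key(..)` before the call and `eprintln!` a skip notice otherwise, or switch the callee to `.get()`. A smaller point of style: `event_id` is only compared, so `event_id: &str` avoids an owned `String` per record, and `match event_id { "4672" => …, _ => {} }` keeps the dispatch easy to extend for the other Security event IDs the tool will presumably grow.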
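Review bot: On the changed line, `alert_all_admin` is a flag compared against the magic number 1, so its type is really a `bool`; `alert_all_admin: bool` with `if alert_all_admin {` lets the compiler rule out every value other than on/off (the comment notes DeepBlueCLI always passes 0). That touches the parameter in `se_debug_privilege`, the new `detection` wrapper and the call in `main`, but all three are in this commit. `se_debug_privilege` starts and ends outside this hunk.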
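Review bot: The condition on the changed line, `event_data["SubjectUserName"] != event_data["SubjectUserSid"]`, compares an account name with a SID, two values that are never equal, so the "multiple admin logon SIDs" branch fires for every repeat 4672 of a user who is already in the map, and the `sid` bound by `Some(sid)` two lines above goes unused here. The intended comparand looks to be that stored value against the record's `SubjectUserSid`: `if *sid != event_data["SubjectUserSid"] {` if it holds a single SID, or `if !sid.contains_key(&event_data["SubjectUserSid"]) {` if it is the per-user SID map that the `count_hash` line suggests; the generic parameters are not legible in this rendering, so confirm against the declaration. As written the alert is a false positive on every second admin logon rather than a detection of one name used with several SIDs. `se_debug_privilege` continues outside the hunk.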
diff --git a/src/detections/system.rs b/src/detections/system.rs
index e69de29b..6977ba85 100644
--- a/src/detections/system.rs
+++ b/src/detections/system.rs
@@ -0,0 +1,4 @@
+
+pub fn detection() {
+
+}
\ No newline at end of file
diff --git a/src/main.rs b/src/main.rs
index cc5fbf28..6c6638f3 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -9,12 +9,14 @@ use std::collections::HashMap;
 use quick_xml::de::{DeError};
 use yamato_event_analyzer::models::event;
 use yamato_event_analyzer::detections::security;
+use yamato_event_analyzer::detections::system;
+use yamato_event_analyzer::detections::application;
 fn main() -> Result<(), DeError> {
 let args: Vec = env::args().collect();
 let fp: PathBuf;
- if (args.len() > 1) {
+ if args.len() > 1 {
 fp = PathBuf::from(args[1].to_string());
 } else {
 fp = PathBuf::from(format!("./samples/security.evtx"));
@@ -37,20 +39,29 @@ fn main() -> Result<(), DeError> {
 match record {
 Ok(r) => {
 let event: event::Evtx = quick_xml::de::from_str(&r.data)?;
+ let event_id = event.System.EventID.to_string();
+ // ログがSecurity.evtxなら
- if (event.System.Channel == "Security") {
- if (event.System.EventID == "4672") {
- let event_data = event.parse_event_data();
- security::se_debug_privilege(event_data, alert_all_admin, &mut total_admin_logons,
- &mut admin_logons, &mut multiple_admin_logons);
- }
+ if event.System.Channel == "Security" {
+ let event_data = event.parse_event_data();
+ security::detection(event_id,
+ event_data, alert_all_admin, &mut total_admin_logons,
+ &mut admin_logons, &mut multiple_admin_logons
+ );
+ } else if event.System.Channel == "System" {
+ system::detection();
+ } else if event.System.Channel == "Application" {
+ application::detection();
 }
 },
 Err(e) => eprintln!("{}", e),
 }
 }
- if (total_admin_logons > 0) {
+ ////////////////////////////
+ // 表示 別ファイルでやりたい
+ ////////////////////////////
+ if total_admin_logons > 0 {
 println!("total_admin_logons:{}", total_admin_logons);
 println!("admin_logons:{:?}", admin_logons);
 println!("multiple_admin_logons:{:?}", multiple_admin_logons);
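Review bot: `system::detection()` and `application::detection()` are called with no record data, so the channel routing added here cannot inspect anything for those channels until their signatures change; giving them the same `(event_id, event_data, …)` shape as `security::detection` now would avoid reworking this dispatch later. Relatedly, `event_id` is built with `to_string()` for every record but consumed only on the Security branch, where it is moved into the call, so the other arms pay for an unused allocation; passing `&event_id` (with `security::detection` taking `&str`) would let one value serve all three branches. Records from any other channel are dropped without a trace; a counter or a debug line for unmatched channels would make it visible when an input file is not the log the analyst expected. `main` starts before and continues after this hunk.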