diff --git a/src/detections/application.rs b/src/detections/application.rs
index 6977ba85..7676faab 100644
--- a/src/detections/application.rs
+++ b/src/detections/application.rs
@@ -1,4 +1,15 @@
-pub fn detection() {
+pub struct Application {
+
+}
-}
\ No newline at end of file
+impl Application {
+
+ pub fn new() -> Application {
+ Application{}
+ }
+
+ pub fn detection(&self) {
+
+ }
+}
diff --git a/src/detections/security.rs b/src/detections/security.rs
index b67b720d..9e74821b 100644
--- a/src/detections/security.rs
+++ b/src/detections/security.rs
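Review bot: `Application::new()` builds a field-less struct but no `Default` impl accompanies it, which clippy reports as `new_without_default`; `#[derive(Debug, Default)]` on `pub struct Application`, matching the `#[derive(Debug)]` already on `Security` in security.rs, settles it, and the same applies to `System::new()` in the system.rs hunk. `pub fn detection(&self)` has an empty body with nothing saying whether that is intentional; a doc line such as `/// Placeholder: Application-channel events are not analysed yet.` tells the next reader it is a stub rather than a lost body.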
@@ -1,69 +1,90 @@
 use std::collections::HashMap;
-pub fn detection(event_id: String, event_data: HashMap,
- alert_all_admin: i32, total_admin_logons: &mut i32,
- admin_logons: &mut HashMap>,
- multiple_admin_logons: &mut HashMap) {
-
- if event_id == "4672" {
- se_debug_privilege(event_data, alert_all_admin, total_admin_logons,
- admin_logons, multiple_admin_logons);
- }
+#[derive(Debug)]
+pub struct Security {
+ alert_all_admin: i32,
+ total_admin_logons: i32,
+ admin_logons: HashMap>,
+ multiple_admin_logons: HashMap,
 }
-//
-// Special privileges assigned to new logon (possible admin access)
-//
-fn se_debug_privilege(event_data: HashMap,
- alert_all_admin: i32, total_admin_logons: &mut i32,
- admin_logons: &mut HashMap>,
- multiple_admin_logons: &mut HashMap) {
+impl Security {
+ pub fn new() -> Security {
+ Security{
+ alert_all_admin: 0,
+ total_admin_logons: 0,
+ admin_logons: HashMap::new(),
+ multiple_admin_logons: HashMap::new(),
+ }
+ }
- match event_data.get("PrivilegeList") {
- Some(privileage_list) => {
- match privileage_list.find("SeDebugPrivilege") {
- Some(data) => {
+ pub fn disp(&self) {
+ if self.total_admin_logons > 0 {
+ println!("total_admin_logons:{}", self.total_admin_logons);
+ println!("admin_logons:{:?}", self.admin_logons);
+ println!("multiple_admin_logons:{:?}", self.multiple_admin_logons);
+ }
+ }
- // alert_all_adminが有効であれば、標準出力して知らせる
- // DeepBlueCLIでは必ず0になっていて、基本的には表示されない。
- if alert_all_admin == 1 {
- println!("Logon with SeDebugPrivilege (admin access)");
- println!("Username:{}", event_data["SubjectUserName"]);
- println!("Domain:{}", event_data["SubjectDomainName"]);
- println!("User SID:{}", event_data["SubjectUserSid"]);
- println!("Domain:{}", event_data["PrivilegeList"]);
- }
+ pub fn detection(&mut self, event_id: String, event_data: HashMap) {
+
+ if event_id == "4672" {
+ &self.se_debug_privilege(event_data);
+ }
+ }
- *total_admin_logons += 1;
-
- // admin_logons配列にusernameが含まれているか確認
- match 
admin_logons.get(&event_data["SubjectUserName"]) {
- Some(sid) => {
- // 含まれていれば、マルチユーザが管理者としてログインしているか確認
- // マルチログオンのデータをセット
- if event_data["SubjectUserName"] != event_data["SubjectUserSid"] { // One username with multiple admin logon SIDs
- multiple_admin_logons.insert(event_data["SubjectUserName"].to_string(),1);
-
- let mut count_hash: HashMap = HashMap::new();
- count_hash.insert(event_data["SubjectUserSid"].to_string(), sid[&event_data["SubjectUserSid"]] + 1);
- admin_logons.insert(event_data["SubjectUserName"].to_string(), count_hash);
- }
- },
- None => {
- // admin_logons配列にセットUserNameとSIDとカウンタをセット
- let mut count_hash: HashMap = HashMap::new();
- count_hash.insert(event_data["SubjectUserSid"].to_string(), 1);
- admin_logons.insert(event_data["SubjectUserName"].to_string(), count_hash);
-
+ //
+ // Special privileges assigned to new logon (possible admin access)
+ //
+ fn se_debug_privilege(&mut self, event_data: HashMap) {
+
+ match event_data.get("PrivilegeList") {
+ Some(privileage_list) => {
+ match privileage_list.find("SeDebugPrivilege") {
+ Some(data) => {
+
+ // alert_all_adminが有効であれば、標準出力して知らせる
+ // DeepBlueCLIでは必ず0になっていて、基本的には表示されない。
+ if self.alert_all_admin == 1 {
+ println!("Logon with SeDebugPrivilege (admin access)");
+ println!("Username:{}", event_data["SubjectUserName"]);
+ println!("Domain:{}", event_data["SubjectDomainName"]);
+ println!("User SID:{}", event_data["SubjectUserSid"]);
+ println!("Domain:{}", event_data["PrivilegeList"]);
 }
- }
- },
- None => (),
- }
- },
- None => (),
+
+ self.total_admin_logons += 1;
+
+ // admin_logons配列にusernameが含まれているか確認
+ match self.admin_logons.get(&event_data["SubjectUserName"]) {
+ Some(sid) => {
+ // 含まれていれば、マルチユーザが管理者としてログインしているか確認
+ // マルチログオンのデータをセット
+ if event_data["SubjectUserName"] != event_data["SubjectUserSid"] { // One username with multiple admin logon SIDs
+ self.multiple_admin_logons.insert(event_data["SubjectUserName"].to_string(),1);
+
+ let mut count_hash: HashMap = 
HashMap::new();
+ count_hash.insert(event_data["SubjectUserSid"].to_string(), sid[&event_data["SubjectUserSid"]] + 1);
+ self.admin_logons.insert(event_data["SubjectUserName"].to_string(), count_hash);
+ }
+ },
+ None => {
+ // admin_logons配列にセットUserNameとSIDとカウンタをセット
+ let mut count_hash: HashMap = HashMap::new();
+ count_hash.insert(event_data["SubjectUserSid"].to_string(), 1);
+ self.admin_logons.insert(event_data["SubjectUserName"].to_string(), count_hash);
+
+ }
+ }
+ },
+ None => (),
+ }
+ },
+ None => (),
+
+ }
 }
-
+ }
diff --git a/src/detections/system.rs b/src/detections/system.rs
index 6977ba85..da7b3ee5 100644
--- a/src/detections/system.rs
+++ b/src/detections/system.rs
@@ -1,4 +1,15 @@
-pub fn detection() {
+pub struct System {
+
+}
+impl System {
+
+ pub fn new() -> System {
+ System{}
+ }
+
+ pub fn detection(&self) {
+
+ }
 }
\ No newline at end of file
diff --git a/src/main.rs b/src/main.rs
index 6c6638f3..3a6dc577 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -5,7 +5,6 @@ use evtx::EvtxParser;
 use std::env;
 use std::process;
 use std::path::PathBuf;
-use std::collections::HashMap;
 use quick_xml::de::{DeError};
 use yamato_event_analyzer::models::event;
 use yamato_event_analyzer::detections::security;
@@ -16,17 +15,16 @@ fn main() -> Result<(), DeError> {
 let args: Vec = env::args().collect();
 let fp: PathBuf;
- if args.len() > 1 {
+ if (args.len() > 1) {
 fp = PathBuf::from(args[1].to_string());
 } else {
 fp = PathBuf::from(format!("./samples/security.evtx"));
 }
- let alert_all_admin = 0;
- let mut total_admin_logons = 0;
- let mut admin_logons: HashMap> = HashMap::new();
- let mut multiple_admin_logons: HashMap = HashMap::new();
+ let mut security = security::Security::new();
+ let mut system = system::System::new();
+ let mut application = application::Application::new();
 let mut parser = match EvtxParser::from_path(fp) {
 Ok(pointer) => pointer,
 Err(e) => {
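Review bot: `event_data["SubjectUserName"]`, `event_data["SubjectUserSid"]` and `sid[&event_data["SubjectUserSid"]]` in `se_debug_privilege` are `HashMap` index operations that panic when the key is absent, and the map comes from records parsed out of an `.evtx` file, so one 4672 record lacking a field — or one username reappearing under a second SID, which is exactly what the `Some(sid)` arm exists to record — aborts the whole run instead of being skipped. The guard `event_data["SubjectUserName"] != event_data["SubjectUserSid"]` compares a username with a SID and is therefore true on almost every repeat logon, after which the arm replaces the user's map with a single-entry one; reading the intent from the `// One username with multiple admin logon SIDs` comment as "same user, different SID", the sketch below uses `.get()`/`let … else` and the `entry` API — confirm it against the DeepBlueCLI rule the Japanese comments cite before adopting it. The `alert_all_admin` block needs the same `.get()` treatment, `data` in `Some(data)` is unused, and the last label there, `Domain:`, presumably should read `PrivilegeList:`. `&self.se_debug_privilege(event_data);` borrows the `()` this call returns and should be `self.se_debug_privilege(event_data);`; the same stray `&` is on the three `detection()` calls in the main.rs hunk `@@ -41,17 +39,13 @@`.
```rust
// … inside se_debug_privilege, replacing the nested match on event_data / admin_logons …
let (Some(privilege_list), Some(user), Some(sid)) = (
    event_data.get("PrivilegeList"),
    event_data.get("SubjectUserName"),
    event_data.get("SubjectUserSid"),
) else {
    // Record lacks a field this rule needs: skip it instead of panicking the whole run.
    return;
};
if !privilege_list.contains("SeDebugPrivilege") {
    return;
}
// … unchanged: alert_all_admin println block (switch its event_data[...] indexes to .get() too) …
self.total_admin_logons += 1;
// Count logons per (username, SID); a second SID under an already-seen username is the
// "one username with multiple admin logon SIDs" case the old Some(sid) arm tried to record.
let per_sid = self.admin_logons.entry(user.clone()).or_default();
if !per_sid.is_empty() && !per_sid.contains_key(sid) {
    self.multiple_admin_logons.insert(user.clone(), 1);
}
*per_sid.entry(sid.clone()).or_insert(0) += 1;
```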
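Review bot: `if (args.len() > 1) {` wraps the condition in parentheses Rust does not need and warns about (`unused_parens`), so the line should stay `if args.len() > 1 {`. `system` and `application` are bound with `let mut` although both `detection` methods take `&self`, so `let system = system::System::new();` and `let application = application::Application::new();` avoid `unused_mut` warnings; only `security`, whose `detection` takes `&mut self`, needs `mut`. The fallback `PathBuf::from(format!("./samples/security.evtx"))` is unchanged context, but `PathBuf::from("./samples/security.evtx")` says the same without the heap-allocating `format!`. `fn main` begins before this hunk and continues past it.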
@@ -41,17 +39,13 @@ fn main() -> Result<(), DeError> {
 let event: event::Evtx = quick_xml::de::from_str(&r.data)?;
 let event_id = event.System.EventID.to_string();
- // ログがSecurity.evtxなら
 if event.System.Channel == "Security" {
 let event_data = event.parse_event_data();
- security::detection(event_id,
- event_data, alert_all_admin, &mut total_admin_logons,
- &mut admin_logons, &mut multiple_admin_logons
- );
+ &security.detection(event_id, event_data);
 } else if event.System.Channel == "System" {
- system::detection();
+ &system.detection();
 } else if event.System.Channel == "Application" {
- application::detection();
+ &application.detection();
 }
 },
 Err(e) => eprintln!("{}", e),
@@ -59,13 +53,9 @@ fn main() -> Result<(), DeError> {
 }
 ////////////////////////////
- // 表示 別ファイルでやりたい
+ // 表示
 ////////////////////////////
- if total_admin_logons > 0 {
- println!("total_admin_logons:{}", total_admin_logons);
- println!("admin_logons:{:?}", admin_logons);
- println!("multiple_admin_logons:{:?}", multiple_admin_logons);
- }
+ security.disp();
 Ok(())
 }