設計変更

2020-09-20 06:04:03 +09:00
parent 5d2a4b4d4c
commit d3b368b680
4 changed files with 112 additions and 79 deletions
--- a/src/detections/application.rs
+++ b/src/detections/application.rs
@@ -1,4 +1,15 @@

-pub fn detection() {
+pub struct Application {
    
 }
+
+impl Application {
+
+    pub fn new() -> Application {
+        Application{}
+    }
+
+    pub fn detection(&self) {
+
+    }
+}
--- a/src/detections/security.rs
+++ b/src/detections/security.rs
@@ -1,23 +1,42 @@
 use std::collections::HashMap;

-pub fn detection(event_id: String, event_data: HashMap<String, String>,
-    alert_all_admin: i32, total_admin_logons: &mut i32,
-    admin_logons: &mut HashMap<String, HashMap<String, i32>>, 
-    multiple_admin_logons: &mut HashMap<String, i32>) {
+#[derive(Debug)]
+pub struct Security {
+    alert_all_admin: i32,
+    total_admin_logons: i32,
+    admin_logons: HashMap<String, HashMap<String, i32>>,
+    multiple_admin_logons: HashMap<String, i32>,
+}
+
+impl Security {
+    pub fn new() -> Security {
+        Security{
+            alert_all_admin: 0,
+            total_admin_logons: 0,
+            admin_logons: HashMap::new(),
+            multiple_admin_logons: HashMap::new(),
+        }
+    }
+
+    pub fn disp(&self) {
+        if self.total_admin_logons > 0 {
+            println!("total_admin_logons:{}", self.total_admin_logons);
+            println!("admin_logons:{:?}", self.admin_logons);
+            println!("multiple_admin_logons:{:?}", self.multiple_admin_logons);
+        }
+    }
+
+    pub fn detection(&mut self, event_id: String, event_data: HashMap<String, String>) {
    
        if event_id == "4672" {
-        se_debug_privilege(event_data, alert_all_admin, total_admin_logons,
-            admin_logons, multiple_admin_logons);
+            &self.se_debug_privilege(event_data);
        }
    }

    //
    // Special privileges assigned to new logon (possible admin access)
    //
-fn se_debug_privilege(event_data: HashMap<String, String>,
-    alert_all_admin: i32, total_admin_logons: &mut i32,
-    admin_logons: &mut HashMap<String, HashMap<String, i32>>, 
-    multiple_admin_logons: &mut HashMap<String, i32>) {
+    fn se_debug_privilege(&mut self, event_data: HashMap<String, String>) {
    
        match event_data.get("PrivilegeList") {
            Some(privileage_list) => {
@@ -26,7 +45,7 @@ fn se_debug_privilege(event_data: HashMap<String, String>,
    
                        // alert_all_adminが有効であれば、標準出力して知らせる
                        // DeepBlueCLIでは必ず0になっていて、基本的には表示されない。
-                    if alert_all_admin == 1 {
+                        if self.alert_all_admin == 1 {
                            println!("Logon with SeDebugPrivilege (admin access)");
                            println!("Username:{}", event_data["SubjectUserName"]);
                            println!("Domain:{}", event_data["SubjectDomainName"]);
@@ -34,26 +53,26 @@ fn se_debug_privilege(event_data: HashMap<String, String>,
                            println!("Domain:{}", event_data["PrivilegeList"]);
                        }
    
-                    *total_admin_logons += 1;
+                        self.total_admin_logons += 1;
    
                        // admin_logons配列にusernameが含まれているか確認
-                    match admin_logons.get(&event_data["SubjectUserName"]) {
+                        match self.admin_logons.get(&event_data["SubjectUserName"]) {
                            Some(sid) => {
                                // 含まれていれば、マルチユーザが管理者としてログインしているか確認
                                // マルチログオンのデータをセット
                                if event_data["SubjectUserName"] != event_data["SubjectUserSid"] { // One username with multiple admin logon SIDs 
-                                multiple_admin_logons.insert(event_data["SubjectUserName"].to_string(),1);
+                                    self.multiple_admin_logons.insert(event_data["SubjectUserName"].to_string(),1);
                                    
                                    let mut count_hash: HashMap<String, i32> = HashMap::new();
                                    count_hash.insert(event_data["SubjectUserSid"].to_string(), sid[&event_data["SubjectUserSid"]] + 1);
-                                admin_logons.insert(event_data["SubjectUserName"].to_string(), count_hash);
+                                    self.admin_logons.insert(event_data["SubjectUserName"].to_string(), count_hash);
                                }
                            },
                            None => {
                                // admin_logons配列にセットUserNameとSIDとカウンタをセット
                                let mut count_hash: HashMap<String, i32> = HashMap::new();
                                count_hash.insert(event_data["SubjectUserSid"].to_string(), 1);
-                            admin_logons.insert(event_data["SubjectUserName"].to_string(), count_hash);
+                                self.admin_logons.insert(event_data["SubjectUserName"].to_string(), count_hash);
                                
                            }
                        }
@@ -67,3 +86,5 @@ fn se_debug_privilege(event_data: HashMap<String, String>,
        
    }

+}
+
--- a/src/detections/system.rs
+++ b/src/detections/system.rs
@@ -1,4 +1,15 @@

-pub fn detection() {
+pub struct System {
    
 }
+
+impl System {
+
+    pub fn new() -> System {
+        System{}
+    }
+
+    pub fn detection(&self) {
+
+    }
+}
--- a/src/main.rs
+++ b/src/main.rs
@@ -5,7 +5,6 @@ use evtx::EvtxParser;
 use std::env;
 use std::process;
 use std::path::PathBuf;
-use std::collections::HashMap;
 use quick_xml::de::{DeError};
 use yamato_event_analyzer::models::event;
 use yamato_event_analyzer::detections::security;
@@ -16,17 +15,16 @@ fn main() -> Result<(), DeError> {

    let args: Vec<String> = env::args().collect();
    let fp: PathBuf;
-    if args.len() > 1 {
+    if (args.len() > 1) {
        fp = PathBuf::from(args[1].to_string());
    } else {
        fp = PathBuf::from(format!("./samples/security.evtx"));
    }
    
-    let alert_all_admin = 0;
-    let mut total_admin_logons = 0;
-    let mut admin_logons: HashMap<String, HashMap<String, i32>> = HashMap::new();
-    let mut multiple_admin_logons: HashMap<String, i32> = HashMap::new();
    
+    let mut security = security::Security::new();
+    let mut system = system::System::new();
+    let mut application = application::Application::new();
    let mut parser = match EvtxParser::from_path(fp) {
        Ok(pointer) => pointer,
        Err(e) => {
@@ -41,17 +39,13 @@ fn main() -> Result<(), DeError> {
                let event: event::Evtx = quick_xml::de::from_str(&r.data)?;
                let event_id = event.System.EventID.to_string();

-                // ログがSecurity.evtxなら
                if event.System.Channel == "Security" {
                    let event_data = event.parse_event_data();
-                    security::detection(event_id, 
-                        event_data, alert_all_admin, &mut total_admin_logons,
-                        &mut admin_logons, &mut multiple_admin_logons
-                    );
+                    &security.detection(event_id, event_data);
                } else if event.System.Channel == "System" {
-                    system::detection();
+                    &system.detection();
                } else if event.System.Channel == "Application" {
-                    application::detection();
+                    &application.detection();
                }
            },
            Err(e) => eprintln!("{}", e),
@@ -59,13 +53,9 @@ fn main() -> Result<(), DeError> {
    }

    ////////////////////////////
-    // 表示　別ファイルでやりたい
+    // 表示
    ////////////////////////////
-    if total_admin_logons > 0 {
-        println!("total_admin_logons:{}", total_admin_logons);
-        println!("admin_logons:{:?}", admin_logons);
-        println!("multiple_admin_logons:{:?}", multiple_admin_logons);
-    }
+    security.disp();

    Ok(())
 }