CSEC_PUBLIC/hayabusa
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge branch 'main' into feature/463

Browse Source
This commit is contained in:
garigariganzy
2022-09-26 23:51:49 +09:00
parent cf427e9695 ebe89905b5
commit d670743cbe
19 changed files with 153 additions and 112 deletions
Download Patch File Download Diff File Expand all files Collapse all files

59
.github/workflows/rust.yml vendored
View File

@@ -10,19 +10,47 @@ env:
jobs:
build:
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
info:
- {
os: "ubuntu-latest",
target: "x86_64-unknown-linux-gnu",
cross: false,
}
- {
os: "ubuntu-latest",
target: "x86_64-unknown-linux-musl",
cross: true,
}
- { os: "macOS-latest", target: "x86_64-apple-darwin", cross: false }
- { os: "macOS-latest", target: "aarch64-apple-darwin", cross: false }
- {
os: "windows-latest",
target: "x86_64-pc-windows-msvc",
cross: false,
}
- {
os: "windows-latest",
target: "i686-pc-windows-msvc",
cross: false,
}
runs-on: ${{ matrix.info.os }}
steps:
- uses: actions/checkout@v2
with:
submodules: recursive
- uses: actions-rs/toolchain@v1
- name: Set up Rust toolchain
if: ${{ steps.skip_check.outputs.should_skip != 'true' }}
uses: dtolnay/rust-toolchain@88e7c2e1da2693cf72d58fce9416206818e61dea # https://github.com/dtolnay/rust-toolchain/commit/88e7c2e1da2693cf72d58fce9416206818e61dea
with:
toolchain: stable
profile: minimal
components: rustfmt
override: true
components: rustfmt, clippy
target: ${{ matrix.info.target }}
- name: Enable Rust cache
if: ${{ steps.skip_check.outputs.should_skip != 'true' }}
uses: Swatinem/rust-cache@cb2cf0cc7c5198d3364b9630e2c3d457f160790c # 1.4.0
- name: Fmt Check
run: cargo fmt -- --check
- name: Prepare Clippy
@@ -32,8 +60,17 @@ jobs:
with:
args: --all-targets -- -D warnings
token: ${{ secrets.GITHUB_TOKEN }}
- name: Build
run: cargo build --verbose
- name: Build tests
if: ${{ steps.skip_check.outputs.should_skip != 'true' }}
uses: ClementTsang/cargo-action@v0.0.2
with:
command: test
args: --no-run --locked ${{ matrix.features }} --target=${{ matrix.info.target }}
use-cross: ${{ matrix.info.cross }}
cross-version: 0.2.4
env:
RUST_BACKTRACE: full
- name: Run tests
run: cargo test --verbose
env:
RUST_TEST_THREADS: 1
run: cargo test --verbose

10
CHANGELOG-Japanese.md
View File

@@ -1,5 +1,15 @@
# 変更点
## 1.x.x [2022/XX/XX]
**新機能:**
**改善:**
- EventID解析のオプションをmetricsオプションに変更した。(旧: -s -> 新: -M) (#706) (@hitenkoku)
**バグ修正:**
## v1.6.0 [2022/09/16]
**新機能:**

11
CHANGELOG.md
View File

@@ -1,5 +1,16 @@
# Changes
## 1.x.x [2022/XX/XX]
**New Features:**
**Enhancements:**
- Changed Event ID Statistics option to Event ID Metrics option. (`-s, --statistics` -> `-M, --metrics`) (#706) (@hitenkoku)
(Note: `statistics_event_info.txt` was changed to `event_id_info.txt`.)
**Bug Fixes:**
## v1.6.0 [2022/09/16]
**New Features:**

81
Cargo.lock generated
View File

@@ -193,9 +193,9 @@ dependencies = [
[[package]]
name = "clap"
version = "3.2.21"
version = "3.2.22"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "1ed5341b2301a26ab80be5cbdced622e80ed808483c52e45e3310a877d3b37d7"
checksum = "86447ad904c7fb335a790c9d7fe3d0d971dc523b8ccd1561a520de9a85302750"
dependencies = [
"atty",
"bitflags",
@@ -720,7 +720,7 @@ dependencies = [
[[package]]
name = "hayabusa"
version = "1.6.0"
version = "1.7.0-dev"
dependencies = [
"base64",
"bytesize",
@@ -860,14 +860,13 @@ dependencies = [
[[package]]
name = "iana-time-zone"
version = "0.1.48"
version = "0.1.50"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "237a0714f28b1ee39ccec0770ccb544eb02c9ef2c82bb096230eefcffa6468b0"
checksum = "fd911b35d940d2bd0bea0f9100068e5b97b51a1cbe13d13382f132e0365257a0"
dependencies = [
"android_system_properties",
"core-foundation-sys",
"js-sys",
"once_cell",
"wasm-bindgen",
"winapi",
]
@@ -892,18 +891,6 @@ dependencies = [
"hashbrown",
]
[[package]]
name = "indicatif"
version = "0.16.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "2d207dc617c7a380ab07ff572a6e52fa202a2a8f355860ac9c38e23f8196be1b"
dependencies = [
"console",
"lazy_static",
"number_prefix",
"regex",
]
[[package]]
name = "indoc"
version = "1.0.7"
@@ -936,9 +923,9 @@ dependencies = [
[[package]]
name = "itertools"
version = "0.10.4"
version = "0.10.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d8bf247779e67a9082a4790b45e71ac7cfd1321331a5c856a74a9faebdab78d0"
checksum = "b0fd2260e829bddf4cb6ea802289de2f86d6a7a690192fbe91b3f46e0f2c8473"
dependencies = [
"either",
]
@@ -978,9 +965,9 @@ dependencies = [
[[package]]
name = "jobserver"
version = "0.1.24"
version = "0.1.25"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "af25a77299a7f711a01975c35a6a424eb6862092cc2d6c72c4ed6cbc56dfc1fa"
checksum = "068b1ee6743e4d11fb9c6a1e6064b3693a1b600e7f5f5988047d98b3dc9fb90b"
dependencies = [
"libc",
]
@@ -996,19 +983,17 @@ dependencies = [
[[package]]
name = "krapslog"
version = "0.4.0"
version = "0.4.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "70d4d54b2c8b875b6692487e5269cb66f12cd51af11fe1807f135ad0d6b771de"
checksum = "6a5e504b81adacf85c2e9e5c4e419a9e657a2a8ff4c5153f8586bfdd8b3083ab"
dependencies = [
"anyhow",
"atty",
"chrono",
"clap",
"file-chunker",
"indicatif",
"memmap2",
"num_cpus",
"progress-streams",
"rayon",
"regex",
"tempfile",
@@ -1023,9 +1008,9 @@ checksum = "e2abad23fbc42b3700f2f279844dc832adb2b2eb069b2df918f455c4e18cc646"
[[package]]
name = "libc"
version = "0.2.132"
version = "0.2.133"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "8371e4e5341c3a96db127eb2465ac681ced4c433e01dd0e938adbef26ba93ba5"
checksum = "c0f80d65747a3e43d1596c7c5492d95d5edddaabd45a7fcdb02b95f644164966"
[[package]]
name = "libgit2-sys"
@@ -1081,9 +1066,9 @@ checksum = "d4d2456c373231a208ad294c33dc5bff30051eafd954cd4caae83a712b12854d"
[[package]]
name = "lock_api"
version = "0.4.8"
version = "0.4.9"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "9f80bf5aacaf25cbfc8210d1cfb718f2bf3b11c4c54e5afe36c236853a8ec390"
checksum = "435011366fe56583b16cf956f9df0095b405b82d76425bc8981c0e22e60ec4df"
dependencies = [
"autocfg",
"scopeguard",
@@ -1208,17 +1193,11 @@ dependencies = [
"libc",
]
[[package]]
name = "number_prefix"
version = "0.4.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "830b246a0e5f20af87141b25c173cd1b609bd7779a4617d6ec582abaf90870f3"
[[package]]
name = "once_cell"
version = "1.14.0"
version = "1.15.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "2f7254b99e31cad77da24b08ebf628882739a608578bb1bcdfc1f9c21260d7c0"
checksum = "e82dad04139b71a90c080c8463fe0dc7902db5192d939bd0950f074d014339e1"
[[package]]
name = "openssl"
@@ -1399,12 +1378,6 @@ dependencies = [
"unicode-ident",
]
[[package]]
name = "progress-streams"
version = "1.1.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e965d96c8162c607b0cd8d66047ad3c9fd35273c134d994327882c6e47f986a7"
[[package]]
name = "pulldown-cmark"
version = "0.9.2"
@@ -1578,9 +1551,9 @@ dependencies = [
[[package]]
name = "rustix"
version = "0.35.9"
version = "0.35.10"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "72c825b8aa8010eb9ee99b75f05e10180b9278d161583034d7574c9d617aeada"
checksum = "af895b90e5c071badc3136fc10ff0bcfc98747eadbaf43ed8f214e07ba8f8477"
dependencies = [
"bitflags",
"errno",
@@ -1643,18 +1616,18 @@ checksum = "388a1df253eca08550bef6c72392cfe7c30914bf41df5269b68cbd6ff8f570a3"
[[package]]
name = "serde"
version = "1.0.144"
version = "1.0.145"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0f747710de3dcd43b88c9168773254e809d8ddbdf9653b84e2554ab219f17860"
checksum = "728eb6351430bccb993660dfffc5a72f91ccc1295abaa8ce19b27ebe4f75568b"
dependencies = [
"serde_derive",
]
[[package]]
name = "serde_derive"
version = "1.0.144"
version = "1.0.145"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "94ed3a816fb1d101812f83e789f888322c34e291f894f19590dc310963e87a00"
checksum = "81fa1584d3d1bcacd84c277a0dfe21f5b0f6accf4a23d04d4c6d61f1af522b4c"
dependencies = [
"proc-macro2",
"quote",
@@ -1850,9 +1823,9 @@ dependencies = [
[[package]]
name = "syn"
version = "1.0.99"
version = "1.0.100"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "58dbef6ec655055e20b86b15a8cc6d439cca19b667537ac6a1369572d151ab13"
checksum = "52205623b1b0f064a4e71182c3b18ae902267282930c6d5462c91b859668426e"
dependencies = [
"proc-macro2",
"quote",
@@ -2108,9 +2081,9 @@ checksum = "dcc811dc4066ac62f84f11307873c4850cb653bfa9b1719cee2bd2204a4bc5dd"
[[package]]
name = "unicode-normalization"
version = "0.1.21"
version = "0.1.22"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "854cbdc4f7bc6ae19c820d44abdc3277ac3e1b2b93db20a636825d9322fb60e6"
checksum = "5c5713f0fc4b5db668a2ac63cdb7bb4469d8c9fed047b1d0292cc7b0ce2ba921"
dependencies = [
"tinyvec",
]

2
Cargo.toml
View File

@@ -1,6 +1,6 @@
[package]
name = "hayabusa"
version = "1.6.0"
version = "1.7.0-dev"
authors = ["Yamato Security @SecurityYamato"]
edition = "2021"

9
README-Japanese.md
View File

@@ -370,7 +370,7 @@ macOSの環境設定から「セキュリティとプライバシー」を開き
* `--level-tuning`: アラート`level`のカスタムチューニング
* `-L, --logon-summary`: ログオンイベントのサマリを出力する。
* `-P, --pivot-keywords-list`: ピボットする不審なキーワードのリスト作成。
* `-s, --statistics`: イベントIDに基づくイベントの合計と割合の集計を出力する。
* `-M, --metrics`: イベントIDに基づくイベントの合計と割合の集計を出力する。
* `--set-default-profile`: デフォルトプロファイルを変更する。
* `-u, --update`: GitHubの[hayabusa-rules](https://github.com/Yamato-Security/hayabusa-rules)リポジトリにある最新のルールに同期させる。
@@ -418,8 +418,8 @@ OTHER-ACTIONS:
--contributors コントリビュータの一覧表示
-L, --logon-summary 成功と失敗したログオン情報の要約を出力する
--level-tuning [<FILE>] ルールlevelのチューニング (デフォルト: ./rules/config/level_tuning.txt)
-M, --metrics イベントIDの統計情報を表示する
-p, --pivot-keywords-list ピボットキーワードの一覧作成
-s, --statistics イベントIDの統計情報を表示する
--set-default-profile <PROFILE> デフォルトの出力コンフィグを設定する
-u, --update-rules rulesフォルダをhayabusa-rulesのgithubリポジトリの最新版に更新する
@@ -509,12 +509,13 @@ hayabusa-1.6.0-win-x64.exe -l -m critical -p -o keywords
* イベントIDの統計情報を出力する:
```bash
hayabusa-1.6.0-win-x64.exe -f Security.evtx -s
hayabusa-1.6.0-win-x64.exe -f Security.evtx -M
```
* ログオンサマリを出力する:
```bash
hayabusa-1.6.0-win-x64.exe -L -f Security.evtx -s
hayabusa-1.6.0-win-x64.exe -L -f Security.evtx -M
```
* 詳細なメッセージを出力する(処理に時間がかかるファイル、パースエラー等を特定するのに便利):

12
README.md
View File

@@ -170,7 +170,7 @@ You can learn how to import CSV files into Timesketch [here](doc/TimesketchImpor
* Threat hunting based on IoC signatures written in easy to read/create/edit YML based hayabusa rules.
* Sigma rule support to convert sigma rules to hayabusa rules.
* Currently it supports the most sigma rules compared to other similar tools and even supports count rules and new aggregators such as `|equalsfield`.
* Event log statistics. (Useful for getting a picture of what types of events there are and for tuning your log settings.)
* Event ID metrics. (Useful for getting a picture of what types of events there are and for tuning your log settings.)
* Rule tuning configuration by excluding unneeded or noisy rules.
* MITRE ATT&CK mapping of tactics.
* Rule level tuning.
@@ -361,7 +361,7 @@ You should now be able to run hayabusa.
* `--level-tuning`: Custom tune the alerts' `level`.
* `-L, --logon-summary`: Print a summary of logon events.
* `-P, --pivot-keywords-list`: Print a list of suspicious keywords to pivot on.
* `-s, --statistics`: Print metrics of the count and percentage of events based on Event ID.
* `-M, --metrics`: Print metrics of the number and percentage of events based on Event ID.
* `--set-default-profile`: Change the default profile.
* `-u, --update`: Sync the rules to the latest rules in the [hayabusa-rules](https://github.com/Yamato-Security/hayabusa-rules) GitHub repository.
@@ -409,8 +409,8 @@ OTHER-ACTIONS:
--contributors Print the list of contributors
-L, --logon-summary Print a summary of successful and failed logons
--level-tuning [<FILE>] Tune alert levels (default: ./rules/config/level_tuning.txt)
-M, --metrics Print event ID metrics
-p, --pivot-keywords-list Create a list of pivot keywords
-s, --statistics Print statistics of event IDs
--set-default-profile <PROFILE> Set default output profile
-u, --update-rules Update to the latest rules in the hayabusa-rules github repository
@@ -497,16 +497,16 @@ hayabusa-1.6.0-win-x64.exe -l -m low
hayabusa-1.6.0-win-x64.exe -l -m critical -p -o keywords
```
* Print Event ID statistics:
* Print Event ID metrics:
```bash
hayabusa-1.6.0-win-x64.exe -f Security.evtx -s
hayabusa-1.6.0-win-x64.exe -f Security.evtx -M
```
* Print logon summary:
```bash
hayabusa-1.6.0-win-x64.exe -L -f Security.evtx -s
hayabusa-1.6.0-win-x64.exe -L -f Security.evtx -M
```
* Print verbose information (useful for determining which files take long to process, parsing errors, etc...):

2
contributors.txt
View File

@@ -2,7 +2,7 @@ Hayabusa was possible thanks to the following people (in alphabetical order):
Akira Nishikawa (@nishikawaakira): Previous lead developer, core hayabusa rule support, etc...
Fukusuke Takahashi (fukuseket): Static compiling for Windows, race condition and other bug fixes.
Garigariganzy (@garigariganzy31): Developer, event ID statistics implementation, etc...
Garigariganzy (@garigariganzy31): Developer, event ID metrics implementation, etc...
ItiB (@itiB_S144) : Core developer, sigmac hayabusa backend, rule creation, etc...
James Takai / hachiyone(@hach1yon): Current lead developer, tokio multi-threading, sigma aggregation logic, sigmac backend, rule creation, sigma count implementation etc…
Kazuminn (@k47_um1n): Core Developer

2
doc/ElasticStackImport/ElasticStackImport-English.md
View File

@@ -51,7 +51,7 @@ As shown below, click on `Advanced` and perform the following settings before cl
1. Title the `Index name` as `evtxlogs-hayabusa`.
2. Under `Index settings`, add `, "number_of_replicas": 0` so that the index health status does not turn yellow.
3. Under `Mappings`, change the `RuleTitle` type of `text` to `keyword` so that we can do statistics on the rule titles and change the `EventID` type of `long` to `keyword` in order to import without errors.
3. Under `Mappings`, change the `RuleTitle` type of `text` to `keyword` so that we can calculate metrics on the rule titles and change the `EventID` type of `long` to `keyword` in order to import without errors.
4. Under `Ingest pipeline`, add `, "field": "Timestamp"` under the `remove` section. Timestamps will be displayed as `@timestamp` so this duplicate field is not needed. Also, delete the following in order to import without errors:
```
{

2
rules

Submodule rules updated: fa75078de6...2b0f88d1c0

12
src/detections/configs.rs
View File

@@ -188,9 +188,9 @@ pub struct Config {
#[clap(help_heading = Some("ADVANCED"), short, long = "thread-number", value_name = "NUMBER")]
pub thread_number: Option<usize>,
/// Print statistics of event IDs
#[clap(help_heading = Some("OTHER-ACTIONS"), short, long)]
pub statistics: bool,
/// Print event ID metrics
#[clap(help_heading = Some("OTHER-ACTIONS"), short='M', long)]
pub metrics: bool,
/// Print a summary of successful and failed logons
#[clap(help_heading = Some("OTHER-ACTIONS"), short = 'L', long = "logon-summary")]
@@ -266,11 +266,11 @@ impl ConfigReader<'_> {
args: parse.clone(),
headless_help: String::default(),
event_timeline_config: load_eventcode_info(
utils::check_setting_path(&parse.config, "statistics_event_info.txt", false)
utils::check_setting_path(&parse.config, "event_id_info.txt", false)
.unwrap_or_else(|| {
utils::check_setting_path(
&CURRENT_EXE_PATH.to_path_buf(),
"rules/config/statistics_event_info.txt",
"rules/config/event_id_info.txt",
true,
)
.unwrap()
@@ -581,7 +581,7 @@ fn load_eventcode_info(path: &str) -> EventInfoConfig {
return config;
}
// statistics_event_infoが読み込めなかったらエラーで終了とする。
// event_id_info.txtが読み込めなかったらエラーで終了とする。
read_result.unwrap().into_iter().for_each(|line| {
if line.len() != 2 {
return;

8
src/detections/detection.rs
View File

@@ -14,7 +14,7 @@ use crate::detections::message::DetectInfo;
use crate::detections::message::ERROR_LOG_STACK;
use crate::detections::message::{CH_CONFIG, DEFAULT_DETAILS, TAGS_CONFIG};
use crate::detections::message::{
LOGONSUMMARY_FLAG, PIVOT_KEYWORD_LIST_FLAG, QUIET_ERRORS_FLAG, STATISTICS_FLAG,
LOGONSUMMARY_FLAG, METRICS_FLAG, PIVOT_KEYWORD_LIST_FLAG, QUIET_ERRORS_FLAG,
};
use crate::detections::pivot::insert_pivot_keyword;
use crate::detections::rule;
@@ -364,7 +364,7 @@ impl Detection {
}
let detect_info = DetectInfo {
rulepath: (&rule.rulepath).to_owned(),
rulepath: rule.rulepath.to_owned(),
ruletitle: rule.yaml["title"].as_str().unwrap_or("-").to_string(),
level: LEVEL_ABBR.get(&level).unwrap_or(&level).to_string(),
computername: record_info.record["Event"]["System"]["Computer"]
@@ -495,7 +495,7 @@ impl Detection {
}
let detect_info = DetectInfo {
rulepath: (&rule.rulepath).to_owned(),
rulepath: rule.rulepath.to_owned(),
ruletitle: rule.yaml["title"].as_str().unwrap_or("-").to_string(),
level: LEVEL_ABBR.get(&level).unwrap_or(&level).to_string(),
computername: "-".to_owned(),
@@ -599,7 +599,7 @@ impl Detection {
st_rc: &HashMap<String, u128>,
err_rc: &u128,
) {
if *STATISTICS_FLAG {
if *METRICS_FLAG {
return;
}
let mut sorted_ld_rc: Vec<(&String, &u128)> = ld_rc.iter().collect();

3
src/detections/message.rs
View File

@@ -46,7 +46,7 @@ lazy_static! {
);
pub static ref QUIET_ERRORS_FLAG: bool = configs::CONFIG.read().unwrap().args.quiet_errors;
pub static ref ERROR_LOG_STACK: Mutex<Vec<String>> = Mutex::new(Vec::new());
pub static ref STATISTICS_FLAG: bool = configs::CONFIG.read().unwrap().args.statistics;
pub static ref METRICS_FLAG: bool = configs::CONFIG.read().unwrap().args.metrics;
pub static ref LOGONSUMMARY_FLAG: bool = configs::CONFIG.read().unwrap().args.logon_summary;
pub static ref TAGS_CONFIG: HashMap<String, String> = create_output_filter_config(
utils::check_setting_path(&CURRENT_EXE_PATH.to_path_buf(), "config/mitre_tactics.txt", true)
@@ -625,7 +625,6 @@ mod tests {
}
}
#[ignore]
#[test]
fn test_insert_message_race_condition() {
MESSAGES.clear();

8
src/detections/pivot.rs
View File

@@ -91,9 +91,9 @@ mod tests {
use crate::detections::pivot::PIVOT_KEYWORD;
use serde_json;
//PIVOT_KEYWORDはグローバルなので、他の関数の影響も考慮する必要がある。
#[test]
fn insert_pivot_keyword_local_ip4() {
PIVOT_KEYWORD.write().unwrap().clear();
load_pivot_keywords("test_files/config/pivot_keywords.txt");
let record_json_str = r#"
{
@@ -119,6 +119,7 @@ mod tests {
#[test]
fn insert_pivot_keyword_ip4() {
PIVOT_KEYWORD.write().unwrap().clear();
load_pivot_keywords("test_files/config/pivot_keywords.txt");
let record_json_str = r#"
{
@@ -144,6 +145,7 @@ mod tests {
#[test]
fn insert_pivot_keyword_ip_empty() {
PIVOT_KEYWORD.write().unwrap().clear();
load_pivot_keywords("test_files/config/pivot_keywords.txt");
let record_json_str = r#"
{
@@ -169,6 +171,7 @@ mod tests {
#[test]
fn insert_pivot_keyword_local_ip6() {
PIVOT_KEYWORD.write().unwrap().clear();
load_pivot_keywords("test_files/config/pivot_keywords.txt");
let record_json_str = r#"
{
@@ -194,6 +197,7 @@ mod tests {
#[test]
fn insert_pivot_keyword_level_infomational() {
PIVOT_KEYWORD.write().unwrap().clear();
load_pivot_keywords("test_files/config/pivot_keywords.txt");
let record_json_str = r#"
{
@@ -219,6 +223,7 @@ mod tests {
#[test]
fn insert_pivot_keyword_level_low() {
PIVOT_KEYWORD.write().unwrap().clear();
load_pivot_keywords("test_files/config/pivot_keywords.txt");
let record_json_str = r#"
{
@@ -244,6 +249,7 @@ mod tests {
#[test]
fn insert_pivot_keyword_level_none() {
PIVOT_KEYWORD.write().unwrap().clear();
load_pivot_keywords("test_files/config/pivot_keywords.txt");
let record_json_str = r#"
{

2
src/detections/utils.rs
View File

@@ -410,7 +410,7 @@ pub fn check_rule_config() -> Result<(), String> {
"target_event_IDs.txt",
"default_details.txt",
"level_tuning.txt",
"statistics_event_info.txt",
"event_id_info.txt",
"eventkey_alias.txt",
];
let mut not_exist_file = vec![];

12
src/main.rs
View File

@@ -11,8 +11,8 @@ use hayabusa::detections::configs::{load_pivot_keywords, TargetEventTime, TARGET
use hayabusa::detections::configs::{CONFIG, CURRENT_EXE_PATH};
use hayabusa::detections::detection::{self, EvtxRecordInfo};
use hayabusa::detections::message::{
AlertMessage, ERROR_LOG_PATH, ERROR_LOG_STACK, LOGONSUMMARY_FLAG, PIVOT_KEYWORD_LIST_FLAG,
QUIET_ERRORS_FLAG, STATISTICS_FLAG,
AlertMessage, ERROR_LOG_PATH, ERROR_LOG_STACK, LOGONSUMMARY_FLAG, METRICS_FLAG,
PIVOT_KEYWORD_LIST_FLAG, QUIET_ERRORS_FLAG,
};
use hayabusa::detections::pivot::PivotKeyword;
use hayabusa::detections::pivot::PIVOT_KEYWORD;
@@ -193,11 +193,11 @@ impl App {
return;
}
if *STATISTICS_FLAG {
if *METRICS_FLAG {
write_color_buffer(
&BufferWriter::stdout(ColorChoice::Always),
None,
"Generating Event ID Statistics",
"Generating Event ID Metrics",
true,
)
.ok();
@@ -565,7 +565,7 @@ impl App {
}
println!();
detection.add_aggcondition_msges(&self.rt);
if !(*STATISTICS_FLAG || *LOGONSUMMARY_FLAG || *PIVOT_KEYWORD_LIST_FLAG) {
if !(*METRICS_FLAG || *LOGONSUMMARY_FLAG || *PIVOT_KEYWORD_LIST_FLAG) {
after_fact(total_records);
}
}
@@ -647,7 +647,7 @@ impl App {
// timeline機能の実行
tl.start(&records_per_detect);
if !(*STATISTICS_FLAG || *LOGONSUMMARY_FLAG) {
if !(*METRICS_FLAG || *LOGONSUMMARY_FLAG) {
// ruleファイルの検知
detection = detection.start(&self.rt, records_per_detect);
}

16
src/timeline/statistics.rs → src/timeline/metrics.rs
View File

@@ -1,8 +1,9 @@
use crate::detections::message::{LOGONSUMMARY_FLAG, STATISTICS_FLAG};
use crate::detections::message::{LOGONSUMMARY_FLAG, METRICS_FLAG};
use crate::detections::{detection::EvtxRecordInfo, utils};
use hashbrown::HashMap;
#[derive(Debug)]
<<<<<<< HEAD:src/timeline/statistics.rs
pub struct LogEventInfo {
pub channel: String,
pub eventid: String,
@@ -16,6 +17,9 @@ impl LogEventInfo {
#[derive(Debug)]
pub struct EventStatistics {
=======
pub struct EventMetrics {
>>>>>>> ebe89905b51b332817d753847e22758d4b511d5c:src/timeline/metrics.rs
pub total: usize,
pub filepath: String,
pub start_time: String,
@@ -26,7 +30,7 @@ pub struct EventStatistics {
/**
* Windows Event Logの統計情報を出力する
*/
impl EventStatistics {
impl EventMetrics {
pub fn new(
total: usize,
filepath: String,
@@ -34,8 +38,8 @@ impl EventStatistics {
end_time: String,
stats_list: HashMap<String, usize>,
stats_login_list: HashMap<String, [usize; 2]>,
) -> EventStatistics {
EventStatistics {
) -> EventMetrics {
EventMetrics {
total,
filepath,
start_time,
@@ -46,8 +50,8 @@ impl EventStatistics {
}
pub fn evt_stats_start(&mut self, records: &[EvtxRecordInfo]) {
// 引数でstatisticsオプションが指定されている時だけ、統計情報を出力する。
if !*STATISTICS_FLAG {
// 引数でmetricsオプションが指定されている時だけ、統計情報を出力する。
if !*METRICS_FLAG {
return;
}

2
src/timeline/mod.rs
View File

@@ -1,2 +1,2 @@
pub mod statistics;
pub mod metrics;
pub mod timelines;

12
src/timeline/timelines.rs
View File

@@ -1,13 +1,13 @@
use crate::detections::message::{LOGONSUMMARY_FLAG, STATISTICS_FLAG};
use crate::detections::message::{LOGONSUMMARY_FLAG, METRICS_FLAG};
use crate::detections::{configs::CONFIG, detection::EvtxRecordInfo};
use comfy_table::*;
use super::statistics::EventStatistics;
use super::metrics::EventMetrics;
use hashbrown::HashMap;
#[derive(Debug)]
pub struct Timeline {
pub stats: EventStatistics,
pub stats: EventMetrics,
}
impl Default for Timeline {
@@ -26,7 +26,7 @@ impl Timeline {
let statsloginlst = HashMap::new();
let statistic =
EventStatistics::new(totalcnt, filepath, starttm, endtm, statslst, statsloginlst);
EventMetrics::new(totalcnt, filepath, starttm, endtm, statslst, statsloginlst);
Timeline { stats: statistic }
}
@@ -36,7 +36,7 @@ impl Timeline {
}
pub fn tm_stats_dsp_msg(&mut self) {
if !*STATISTICS_FLAG {
if !*METRICS_FLAG {
return;
}
// 出力メッセージ作成
@@ -98,7 +98,7 @@ impl Timeline {
.event_timeline_config
.get_event_id(*event_id)
.is_some();
// statistics_event_info.txtに登録あるものは情報設定
// event_id_info.txtに登録あるものは情報設定
if conf {
// 出力メッセージ1行作成
msges.push(format!(