From dce84b41854cf5a2fe97393525855aca0b0a36d4 Mon Sep 17 00:00:00 2001 From: Tanaka Zakku <71482215+YamatoSecurity@users.noreply.github.com> Date: Thu, 9 Jun 2022 10:04:59 +0900 Subject: [PATCH] changelog readme update --- CHANGELOG.md | 2 +- Cargo.lock | 56 ++++++++++++++++++++++++++++++++++++++++++++-- README-Japanese.md | 9 -------- README.md | 11 --------- 4 files changed, 55 insertions(+), 23 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9ef433ee..cce74669 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,7 +4,7 @@ **New Features:** -- Specified field data from multi `Data` record in `details` of rules. (#487) (@hitenkoku) +- You can now specify specific fields when there are multiple fields with the same name (Ex: `Data`). In the `details` line in a rule, specify a placeholder like `%Data[1]%` to display the first `Data` field. (#487) (@hitenkoku) **Enhancements:** diff --git a/Cargo.lock b/Cargo.lock index 42cf7f6b..a37bde5c 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -568,6 +568,21 @@ version = "1.0.7" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "3f9eec918d3f24069decb9af1554cad7c880e2da24a9afd88aca000531ab82c1" +[[package]] +name = "foreign-types" +version = "0.3.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f6f339eb8adc052cd2ca78910fda869aefa38d22d5cb648e6485e4d3fc06f3b1" +dependencies = [ + "foreign-types-shared", +] + +[[package]] +name = "foreign-types-shared" +version = "0.1.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "00b0228411908ca8685dba7fc2cdd70ec9990a6e753e89b6ac91a84c40fbaf4b" + [[package]] name = "form_urlencoded" version = "1.0.1" @@ -699,6 +714,7 @@ dependencies = [ "linked-hash-map", "lock_api", "num_cpus", + "openssl", "pbr", "prettytable-rs", "quick-xml 0.23.0", @@ -1103,12 +1119,47 @@ version = "1.12.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "7709cef83f0c1f58f666e746a08b21e0085f7440fa6a29cc194d68aac97a4225" +[[package]] +name = "openssl" +version = "0.10.40" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "fb81a6430ac911acb25fe5ac8f1d2af1b4ea8a4fdfda0f1ee4292af2e2d8eb0e" +dependencies = [ + "bitflags", + "cfg-if", + "foreign-types", + "libc", + "once_cell", + "openssl-macros", + "openssl-sys", +] + +[[package]] +name = "openssl-macros" +version = "0.1.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b501e44f11665960c7e7fcf062c7d96a14ade4aa98116c004b2e37b5be7d736c" +dependencies = [ + "proc-macro2", + "quote", + "syn", +] + [[package]] name = "openssl-probe" version = "0.1.5" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "ff011a302c396a5197692431fc1948019154afc178baf7d8e37367442a4601cf" +[[package]] +name = "openssl-src" +version = "111.20.0+1.1.1o" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "92892c4f87d56e376e469ace79f1128fdaded07646ddf73aa0be4706ff712dec" +dependencies = [ + "cc", +] + [[package]] name = "openssl-sys" version = "0.9.74" @@ -1118,6 +1169,7 @@ dependencies = [ "autocfg", "cc", "libc", + "openssl-src", "pkg-config", "vcpkg", ] @@ -1801,9 +1853,9 @@ checksum = "360dfd1d6d30e05fda32ace2c8c70e9c0a9da713275777f5a4dbb8a1893930c6" [[package]] name = "tracing" -version = "0.1.34" +version = "0.1.35" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5d0ecdcb44a79f0fe9844f0c4f33a342cbcbb5117de8001e6ba0dc2351327d09" +checksum = "a400e31aa60b9d44a52a8ee0343b5b18566b03a8321e0d321f695cf56e940160" dependencies = [ "cfg-if", "pin-project-lite", diff --git a/README-Japanese.md b/README-Japanese.md index d120d2c6..545ba66e 100644 --- a/README-Japanese.md +++ b/README-Japanese.md @@ -497,15 +497,6 @@ Hayabusaの結果を標準出力に表示しているとき(デフォルト) * `Level`: YML検知ルールの`level`フィールドから来ています。(例:`informational`, `low`, `medium`, `high`, `critical`) デフォルトでは、すべてのレベルのアラートとイベントが出力されますが、`-m`オプションで最低のレベルを指定することができます。例えば`-m high`オプションを付けると、`high`と`critical`アラートしか出力されません。 * `Title`: YML検知ルールの`title`フィールドから来ています。 * `Details`: YML検知ルールの`details`フィールドから来ていますが、このフィールドはHayabusaルールにしかありません。このフィールドはアラートとイベントに関する追加情報を提供し、ログの``部分から有用なデータを抽出することができます。イベントキーのマッピングが間違っている場合、もしくはフィールドが存在しない場合で抽出ができなかった箇所は`n/a` (not available)と記載されます。 -以下のように`Data`レコードが複数存在するときに、複数データの中から特定の情報を取得することができます。(例: 以下のイベントデータで`....exe`を出力したい場合`%Data[1]%`をdetailsに記載してください) - -```xml - - ....exe - a - b - -``` CSVファイルとして保存する場合、以下の列が追加されます: diff --git a/README.md b/README.md index 62163cdb..1cae6011 100644 --- a/README.md +++ b/README.md @@ -497,17 +497,6 @@ When hayabusa output is being displayed to the screen (the default), it will dis * `Title`: This comes from the `title` field in the YML detection rule. * `Details`: This comes from the `details` field in the YML detection rule, however, only hayabusa rules have this field. This field gives extra information about the alert or event and can extract useful data from the `` portion of the log. For example, usernames, command line information, process information, etc... When a placeholder points to a field that does not exist or there is an incorrect alias mapping, it will be outputted as `n/a` (not available). -You can specify field data from multi `Data` record in details specified. (ex. `%Data[1]%`) -Note: If you want to output `....exe` in following eventdata, you would specify `%Data[1]%` in details. - -```xml - - ....exe - a - b - -``` - The following additional columns will be added to the output when saving to a CSV file: * `MitreAttack`: MITRE ATT&CK tactics.