diff --git a/src/detections/common.rs b/src/detections/common.rs
new file mode 100644
index 00000000..895580a4
--- /dev/null
+++ b/src/detections/common.rs
@@ -0,0 +1,48 @@
+use std::collections::HashMap;
+use crate::models::event;
+
+#[derive(Debug)]
+pub struct Common {
+ record_id: u64,
+ date: String,
+ record_id_list : HashMap,
+}
+
+impl Common {
+ pub fn new() -> Common {
+ Common {
+ record_id: 0,
+ date: "".to_string(),
+ record_id_list: HashMap::new(),
+ }
+ }
+
+ pub fn disp(&self) {
+ for (record_id, date) in self.record_id_list.iter() {
+ println!("date:{:?} record-id: {:?}", date, record_id);
+ }
+ }
+
+ pub fn detection(&mut self, system: &event::System, event_data: &HashMap) {
+
+ &self.check_record_id(system);
+
+ }
+
+
+ //
+ // Record IDがシーケンスになっているかチェック
+ //
+ fn check_record_id(&mut self, system: &event::System) {
+
+ let event_record_id: u64 = system.event_record_id.parse().unwrap();
+ if self.record_id > 0 && event_record_id - self.record_id > 1 {
+ self.record_id_list.insert(self.record_id.to_string() + " - " + &system.event_record_id.to_string(),
+ self.date.to_string() + " - " + &system.time_created.system_time.to_string());
+ }
+ self.record_id = event_record_id;
+ self.date = system.time_created.system_time.to_string();
+ }
+
+}
+
diff --git a/src/detections/mod.rs b/src/detections/mod.rs
index 61e0a586..b272ea61 100644
--- a/src/detections/mod.rs
+++ b/src/detections/mod.rs
@@ -1,3 +1,4 @@
+pub mod common;
 pub mod security;
 pub mod system;
 pub mod application;
diff --git a/src/detections/security.rs b/src/detections/security.rs
index 9e74821b..8d55dfa3 100644
--- a/src/detections/security.rs
+++ b/src/detections/security.rs
@@ -1,4 +1,5 @@
 use std::collections::HashMap;
+use crate::models::event;
 
 #[derive(Debug)]
 pub struct Security {
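Review bot: `check_record_id` can take the whole analyzer down on input it does not control: `system.event_record_id.parse().unwrap()` panics on a non-numeric EventRecordID, and `event_record_id - self.record_id` underflows whenever an ID is lower than the previous one (a panic in debug builds, a wrap-around in release builds that is then recorded as an enormous gap). The .evtx being analyzed comes from the machine under investigation, so a malformed or out-of-order record is itself a finding and should be reported and skipped rather than crash the run. I would parse with a `match`, and replace the subtraction with `if self.record_id > 0 && event_record_id != self.record_id + 1 {`, which flags gaps, reversals and duplicates alike without any arithmetic on untrusted values. Separately, `&self.check_record_id(system);` in `detection` should lose the leading `&` (it borrows a `()` and clippy reports it), and the unread `event_data` parameter can be `_event_data` until a check uses it.

```rust
fn check_record_id(&mut self, system: &event::System) {
    let event_record_id: u64 = match system.event_record_id.parse() {
        Ok(id) => id,
        Err(e) => {
            // A non-numeric EventRecordID is worth noting but must not abort the whole run.
            eprintln!("invalid EventRecordID {:?}: {}", system.event_record_id, e);
            return;
        }
    };
    // Anything other than the direct successor is an anomaly: a gap, a reversal or a duplicate.
    if self.record_id > 0 && event_record_id != self.record_id + 1 {
        // … unchanged: insert the "prev - current" pair into record_id_list …
    }
    // … unchanged: update self.record_id and self.date …
}
```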
@@ -26,7 +27,7 @@ impl Security {
 }
 }
 
- pub fn detection(&mut self, event_id: String, event_data: HashMap) {
+ pub fn detection(&mut self, event_id: String, system: &event::System, event_data: HashMap) {
 
 if event_id == "4672" {
 &self.se_debug_privilege(event_data);
@@ -41,7 +42,7 @@ impl Security {
 match event_data.get("PrivilegeList") {
 Some(privileage_list) => {
 match privileage_list.find("SeDebugPrivilege") {
- Some(data) => {
+ Some(_data) => {
 // alert_all_adminが有効であれば、標準出力して知らせる
 // DeepBlueCLIでは必ず0になっていて、基本的には表示されない。
 
diff --git a/src/main.rs b/src/main.rs
index 3a6dc577..f4b98429 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -7,6 +7,7 @@ use std::process;
 use std::path::PathBuf;
 use quick_xml::de::{DeError};
 use yamato_event_analyzer::models::event;
+use yamato_event_analyzer::detections::common;
 use yamato_event_analyzer::detections::security;
 use yamato_event_analyzer::detections::system;
 use yamato_event_analyzer::detections::application;
@@ -15,13 +16,13 @@ fn main() -> Result<(), DeError> {
 let args: Vec = env::args().collect();
 let fp: PathBuf;
- if (args.len() > 1) {
+ if args.len() > 1 {
 fp = PathBuf::from(args[1].to_string());
 } else {
 fp = PathBuf::from(format!("./samples/security.evtx"));
 }
-
+ let mut common = common::Common::new();
 let mut security = security::Security::new();
 let mut system = system::System::new();
 let mut application = application::Application::new();
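Review bot: The new `system: &event::System` parameter added to `Security::detection` is not read anywhere in the hunk; the only call visible is `&self.se_debug_privilege(event_data);`, which still receives just the event data, so as written this is an unused-variable warning on every build. Either name it `_system` until a check consumes it, or thread it through to the checks that need the record header (time, computer, record id), which is presumably the intent of the change. The body of `detection` continues past the hunk, so if a later branch already uses `system` this note is moot.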
@@ -37,15 +38,18 @@ fn main() -> Result<(), DeError> {
 match record {
 Ok(r) => {
 let event: event::Evtx = quick_xml::de::from_str(&r.data)?;
- let event_id = event.System.EventID.to_string();
-
- if event.System.Channel == "Security" {
- let event_data = event.parse_event_data();
- &security.detection(event_id, event_data);
- } else if event.System.Channel == "System" {
+ let event_id = event.system.event_id.to_string();
+ let channel = event.system.channel.to_string();
+ let event_data = event.parse_event_data();
+ &common.detection(&event.system, &event_data);
+ if channel == "Security" {
+ &security.detection(event_id, &event.system, event_data);
+ } else if channel == "System" {
 &system.detection();
- } else if event.System.Channel == "Application" {
+ } else if channel == "Application" {
 &application.detection();
+ } else {
+ //&other.detection();
 }
 },
 Err(e) => eprintln!("{}", e),
@@ -55,6 +59,7 @@ fn main() -> Result<(), DeError> {
 ////////////////////////////
 // 表示
 ////////////////////////////
+ common.disp();
 security.disp();
 
 Ok(())
diff --git a/src/models/event.rs b/src/models/event.rs
index 4e20903f..65afe514 100644
--- a/src/models/event.rs
+++ b/src/models/event.rs
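Review bot: `&common.detection(&event.system, &event_data);` now feeds every record, regardless of `channel`, into a single EventRecordID sequence counter, and EventRecordID is (as far as I know) a per-log counter; that works while `fp` is one .evtx, but if this loop is ever pointed at a merged stream the gap detector will fire on every channel switch, so either key the sequence check by channel or state the assumption at the call site: `// Common runs on every record and assumes one log per run: EventRecordID restarts per channel.` The new trailing `} else { //&other.detection(); }` is commented-out code; replace it with `// other channels: no detections implemented yet` or drop the branch. The leading `&` on `&common.detection(...)` (and the existing `&security.detection(...)`) borrows a unit value and does nothing useful — clippy flags it — so these should be bare calls. The enclosing `for`/`match record` loop starts before this hunk.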
@@ -4,55 +4,78 @@ use std::collections::HashMap;
 
 #[derive(Debug, Deserialize, PartialEq)]
 pub struct Data {
- pub Name: Option,
+ #[serde(rename = "Name")]
+ pub name: Option,
 #[serde(rename = "$value")]
- pub Text: Option,
+ pub text: Option,
 }
 
 #[derive(Debug, Deserialize, PartialEq)]
-struct TimeCreated {
- SystemTime: String,
+pub struct TimeCreated {
+ #[serde(rename = "SystemTime")]
+ pub system_time: String,
 }
 
 #[derive(Debug, Deserialize, PartialEq)]
 struct Execution {
- ProcessID: i32,
- ThreadID: i32,
+ #[serde(rename = "ProcessID")]
+ process_id: i32,
+ #[serde(rename = "ThreadID")]
+ thread_id: i32,
 }
 
 #[derive(Debug, Deserialize, PartialEq)]
 struct Provider {
- Name: Option,
- Guid: Option,
+ #[serde(rename = "Name")]
+ name: Option,
+ #[serde(rename = "Guid")]
+ guid: Option,
 }
 
 #[derive(Debug, Deserialize, PartialEq)]
 pub struct System {
- Provider: Provider,
- pub EventID: String,
- Version: Option,
- Level: String,
- Task: String,
- Opcode: Option,
- Keywords: String,
- TimeCreated: TimeCreated,
- EventRecordID: String,
- Correlation: Option,
- Execution: Option,
- pub Channel: String, // Security, System, Application ...etc
- Computer: String,
- Security: String,
+ #[serde(rename = "Provider")]
+ provider: Provider,
+ #[serde(rename = "EventID")]
+ pub event_id: String,
+ #[serde(rename = "Version")]
+ version: Option,
+ #[serde(rename = "Level")]
+ level: String,
+ #[serde(rename = "Task")]
+ task: String,
+ #[serde(rename = "Opcode")]
+ opcode: Option,
+ #[serde(rename = "Keywords")]
+ keywords: String,
+ #[serde(rename = "TimeCreated")]
+ pub time_created: TimeCreated,
+ #[serde(rename = "EventRecordID")]
+ pub event_record_id: String,
+ #[serde(rename = "Correlation")]
+ correlation: Option,
+ #[serde(rename = "Execution")]
+ execution: Option,
+ #[serde(rename = "Channel")]
+ pub channel: String, // Security, System, Application ...etc
+ #[serde(rename = "Computer")]
+ computer: String,
+ #[serde(rename = "Security")]
+ security: String,
 }
 
 #[derive(Debug, Deserialize, PartialEq)]
 pub struct EventData {
- pub Data: Option>,
+ #[serde(rename = "Data")]
+ pub data: Option>,
 }
 
 #[derive(Debug, Deserialize, PartialEq)]
 pub struct Evtx {
- pub System: System,
- pub EventData: Option,
+ #[serde(rename = "System")]
+ pub system: System,
+ #[serde(rename = "EventData")]
+ pub event_data: Option,
 }
 
 impl Evtx {
@@ -62,7 +85,7 @@ impl Evtx {
 //
 fn get_string(v: &Data) -> String {
- match &v.Text {
+ match &v.text {
 Some(text) => {
 return text.to_string();
 },
@@ -73,15 +96,15 @@ impl Evtx {
 //
 // EventDataをHashMapとして取得する
 //
- pub fn parse_event_data(self) -> HashMap {
+ pub fn parse_event_data(&self) -> HashMap {
 let mut values = HashMap::new();
- match self.EventData {
+ match &self.event_data {
 Some(event_data) =>
- match event_data.Data {
+ match &event_data.data {
 Some(data) => {
 for v in data.iter() {
- match &v.Name {
+ match &v.name {
 Some(name) => {
 values.insert(name.to_string(), Evtx::get_string(v));
 },
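Review bot: `pub event_record_id: String,` in `System` keeps the record ID as text even though its only consumer parses it to `u64`; declaring it `pub event_record_id: u64,` lets serde do the conversion and surfaces a malformed ID as a deserialization error, where the caller already has an error path, instead of a `parse().unwrap()` panic downstream (note that the caller's `?` on `from_str` would abort the run rather than skip the record, so that site deserves a look too). Likewise `process_id: i32` and `thread_id: i32` in `Execution` model Windows DWORDs; `u32` matches the schema and avoids a spurious deserialization failure for any value at or above 2^31. The snake_case rename backed by `#[serde(rename = ...)]` is otherwise a sound cleanup.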