From b1eba5e039c3e33a9be437dac35b61642ee036d0 Mon Sep 17 00:00:00 2001 From: DastInDark <2350416+hitenkoku@users.noreply.github.com> Date: Mon, 8 Aug 2022 23:16:44 +0900 Subject: [PATCH 1/5] output summary numbers with commas #649 --- Cargo.lock | 28 +++++++++++++++++++++++++++- Cargo.toml | 1 + src/afterfact.rs | 13 +++++++------ 3 files changed, 35 insertions(+), 7 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 5fc12bb5..809de233 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -49,6 +49,15 @@ version = "0.3.6" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "a4c527152e37cf757a3f78aae5a06fbeefdb07ccc535c980a3208ee3060dd544" +[[package]] +name = "arrayvec" +version = "0.4.12" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "cd9fd44efafa8690358b7408d253adf110036b88f55672a933f01d616ad9b1b9" +dependencies = [ + "nodrop", +] + [[package]] name = "arrayvec" version = "0.5.2" @@ -97,7 +106,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "afa748e348ad3be8263be728124b24a24f268266f6f5d58af9d75f6a40b5c587" dependencies = [ "arrayref", - "arrayvec", + "arrayvec 0.5.2", "constant_time_eq", ] @@ -728,6 +737,7 @@ dependencies = [ "lazy_static", "linked-hash-map", "lock_api", + "num-format", "num_cpus", "openssl", "pbr", @@ -1109,6 +1119,12 @@ dependencies = [ "windows-sys", ] +[[package]] +name = "nodrop" +version = "0.1.14" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "72ef4a56884ca558e5ddb05a1d1e7e1bfd9a68d9ed024c21704cc98872dae1bb" + [[package]] name = "num-derive" version = "0.3.3" @@ -1120,6 +1136,16 @@ dependencies = [ "syn", ] +[[package]] +name = "num-format" +version = "0.4.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "bafe4179722c2894288ee77a9f044f02811c86af699344c498b0840c698a2465" +dependencies = [ + "arrayvec 0.4.12", + "itoa 0.4.8", +] + [[package]] name = "num-integer" version = "0.1.45" 
diff --git a/Cargo.toml b/Cargo.toml
index fa6d4d7e..388881a4 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -37,6 +37,7 @@ bytesize = "1.*"
 hyper = "0.14.*"
 lock_api = "0.4.*"
 crossbeam-utils = "0.8.*"
+num-format = "*"
 
 [build-dependencies]
 static_vcruntime = "2.*"
diff --git a/src/afterfact.rs b/src/afterfact.rs
index 6752faa1..ee22a6e9 100644
--- a/src/afterfact.rs
+++ b/src/afterfact.rs
@@ -14,6 +14,7 @@ use lazy_static::lazy_static;
 
 use linked_hash_map::LinkedHashMap;
 use hashbrown::{HashMap, HashSet};
+use num_format::{ToFormattedString, Locale};
 use std::cmp::min;
 use std::error::Error;
 
@@ -334,7 +335,7 @@ fn emit_csv(
     write_color_buffer(
         &disp_wtr,
         get_writable_color(None),
-        &format!("Total events: {}", all_record_cnt),
+        &format!("Total events: {}", all_record_cnt.to_formatted_string(&Locale::en)),
         true,
     )
     .ok();
@@ -343,7 +344,7 @@ fn emit_csv(
         get_writable_color(None),
         &format!(
             "Data reduction: {} events ({:.2}%)",
-            reducted_record_cnt, reducted_percent
+            reducted_record_cnt.to_formatted_string(&Locale::en), reducted_percent
         ),
         true,
     )
@@ -440,7 +441,7 @@ fn _print_unique_results(
             "{} {}: {}",
             head_word,
             tail_word,
-            counts_by_level.iter().sum::(),
+            counts_by_level.iter().sum::().to_formatted_string(&Locale::en),
         ),
         true,
     )
@@ -452,7 +453,7 @@ fn _print_unique_results(
     }
     let output_raw_str = format!(
         "{} {} {}: {}",
-        head_word, level_name, tail_word, counts_by_level[i]
+        head_word, level_name, tail_word, counts_by_level[i].to_formatted_string(&Locale::en)
     );
     write_color_buffer(
         &BufferWriter::stdout(ColorChoice::Always),
@@ -482,7 +483,7 @@ fn _print_detection_summary_by_date(
     for (date, cnt) in detections_by_day {
         if cnt > &tmp_cnt {
             exist_max_data = true;
-            max_detect_str = format!("{} ({})", date, cnt);
+            max_detect_str = format!("{} ({})", date, cnt.to_formatted_string(&Locale::en));
             tmp_cnt = *cnt;
         }
     }
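Review bot: `num-format = "*"` accepts any version ever published, so a later `cargo update` can pull in a new major release — with API breaks or a release the project has not looked at — without any change to the manifest, and cargo itself warns about wildcard requirements and rejects them on publish. Every neighbouring entry in this hunk pins at least the major/minor (`hyper = "0.14.*"`, `lock_api = "0.4.*"`), and the Cargo.lock hunk in the same patch resolves num-format to 0.4.0, so `num-format = "0.4.*"` would follow the file's own convention. The lockfile also shows 0.4.0 dragging in a second `arrayvec` (0.4.12) and `nodrop`; it may be worth checking whether a newer num-format release avoids those.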
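Review bot: `Locale::en` is spelled out at every call site — twice in `emit_csv`, twice in `_print_unique_results`, once in `_print_detection_summary_by_date` here and once more in `_print_detection_summary_by_computer` in the following hunk — so changing the locale or the number format later means editing six lines. A small helper next to the new import would keep that choice in one place, e.g. `fn fmt_count<T: ToFormattedString>(n: &T) -> String { n.to_formatted_string(&Locale::en) }`, with each site becoming `fmt_count(&all_record_cnt)` and so on. All four functions start before their hunks and continue after them, so the rest of their bodies is not visible here.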
@@ -527,7 +528,7 @@ fn _print_detection_summary_by_computer(
     sorted_detections.sort_by(|a, b| (-a.1).cmp(&(-b.1)));
 
     for x in sorted_detections.iter().take(5) {
-        result_vec.push(format!("{} ({})", x.0, x.1));
+        result_vec.push(format!("{} ({})", x.0, x.1.to_formatted_string(&Locale::en)));
     }
     let result_str = if result_vec.is_empty() {
         "n/a".to_string()
From 7eca067fd55ba0ff4486a81db0becb750e7bb45c Mon Sep 17 00:00:00 2001
From: DastInDark <2350416+hitenkoku@users.noreply.github.com>
Date: Mon, 8 Aug 2022 23:20:23 +0900
Subject: [PATCH 2/5] updated changelog #649

---
 CHANGELOG-Japanese.md | 1 +
 CHANGELOG.md          | 1 +
 2 files changed, 2 insertions(+)

diff --git a/CHANGELOG-Japanese.md b/CHANGELOG-Japanese.md
index b79fafdc..d9d66a78 100644
--- a/CHANGELOG-Japanese.md
+++ b/CHANGELOG-Japanese.md
@@ -10,6 +10,7 @@
 
 - ルールのアップデート機能のルールパスの出力から./を削除した。 (#642) (@hitenkoku)
 - MITRE ATT&CK関連のタグとその他タグを出力するための出力用のエイリアスを追加した。 (#637) (@hitenkoku)
+- 結果概要の数値をカンマをつけて見やすくした。 (#649) (@hitenkoku)
 
 **バグ修正:**
 
diff --git a/CHANGELOG.md b/CHANGELOG.md
index f27030c9..5f293b9e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -10,6 +10,7 @@
 
 - Removed ./ from rule path when updating. (#642) (@hitenkoku)
 - Added new output alias for MITRE ATT&CK tags and other tags. (#637) (@hitenkoku)
+- Changed output summary numbers from without commas to with commas. (#649) (@hitenkoku)
 
 **Bug Fixes:**
 
From 20293d9b615e3959f78a8aa31487b38201c2e161 Mon Sep 17 00:00:00 2001
From: DastInDark <2350416+hitenkoku@users.noreply.github.com>
Date: Mon, 8 Aug 2022 23:33:56 +0900
Subject: [PATCH 3/5] cargo fmt

---
 src/afterfact.rs | 26 ++++++++++++++++++++------
 1 file changed, 20 insertions(+), 6 deletions(-)

diff --git a/src/afterfact.rs b/src/afterfact.rs
index ee22a6e9..7be9dec8 100644
--- a/src/afterfact.rs
+++ b/src/afterfact.rs
@@ -14,7 +14,7 @@ use lazy_static::lazy_static;
 
 use linked_hash_map::LinkedHashMap;
 use hashbrown::{HashMap, HashSet};
-use num_format::{ToFormattedString, Locale};
+use num_format::{Locale, ToFormattedString};
 use std::cmp::min;
 use std::error::Error;
 
@@ -335,7 +335,10 @@ fn emit_csv(
     write_color_buffer(
         &disp_wtr,
         get_writable_color(None),
-        &format!("Total events: {}", all_record_cnt.to_formatted_string(&Locale::en)),
+        &format!(
+            "Total events: {}",
+            all_record_cnt.to_formatted_string(&Locale::en)
+        ),
         true,
     )
     .ok();
@@ -344,7 +347,8 @@ fn emit_csv(
         get_writable_color(None),
         &format!(
             "Data reduction: {} events ({:.2}%)",
-            reducted_record_cnt.to_formatted_string(&Locale::en), reducted_percent
+            reducted_record_cnt.to_formatted_string(&Locale::en),
+            reducted_percent
         ),
         true,
     )
@@ -441,7 +445,10 @@ fn _print_unique_results(
             "{} {}: {}",
             head_word,
             tail_word,
-            counts_by_level.iter().sum::().to_formatted_string(&Locale::en),
+            counts_by_level
+                .iter()
+                .sum::()
+                .to_formatted_string(&Locale::en),
         ),
         true,
     )
@@ -453,7 +460,10 @@ fn _print_unique_results(
     }
     let output_raw_str = format!(
         "{} {} {}: {}",
-        head_word, level_name, tail_word, counts_by_level[i].to_formatted_string(&Locale::en)
+        head_word,
+        level_name,
+        tail_word,
+        counts_by_level[i].to_formatted_string(&Locale::en)
     );
     write_color_buffer(
         &BufferWriter::stdout(ColorChoice::Always),
@@ -528,7 +538,11 @@ fn _print_detection_summary_by_computer(
     sorted_detections.sort_by(|a, b| (-a.1).cmp(&(-b.1)));
 
     for x in sorted_detections.iter().take(5) {
-        result_vec.push(format!("{} ({})", x.0, x.1.to_formatted_string(&Locale::en)));
+        result_vec.push(format!(
+            "{} ({})",
+            x.0,
+            x.1.to_formatted_string(&Locale::en)
+        ));
     }
     let result_str = if result_vec.is_empty() {
         "n/a".to_string()
From 652d9411ab9549afc719251dec1a4483ddae0ba2 Mon Sep 17 00:00:00 2001
From: Tanaka Zakku <71482215+YamatoSecurity@users.noreply.github.com> Date: Tue, 9 Aug 2022 00:57:46 +0900 Subject: [PATCH 4/5] update readme --- README-Japanese.md | 2 +- README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/README-Japanese.md b/README-Japanese.md index 5ad1a294..c999813d 100644 --- a/README-Japanese.md +++ b/README-Japanese.md @@ -90,7 +90,7 @@ Hayabusaは、日本の[Yamato Security](https://yamatosecurity.connpass.com/) ### スレット(脅威)ハンティングと企業向けの広範囲なDFIR Hayabusaには現在、2300以上のSigmaルールと130以上のHayabusa検知ルールがあり、定期的にルールが追加されています。 -[Velociraptor](https://docs.velociraptor.app/)の[Hayabusa artifact](https://docs.velociraptor.app/exchange/artifacts/pages/windows.eventlogs.hayabusa/)を用いることで企業向けの広範囲なスレットハンティングだけでなくDFIR(デジタルフォレンジックとインシデントレスポンス)にも無料で利用することが可能です。この2つのオープンソースを組み合わせることで、SIEMが設定されていない環境でも実質的に遡及してSIEMを再現することができます。具体的な方法は[Eric Cupuano](https://twitter.com/eric_capuano)の[こちら](https://www.youtube.com/watch?v=Q1IoGX--814)の動画で学ぶことができます。 +[Velociraptor](https://docs.velociraptor.app/)の[Hayabusa artifact](https://docs.velociraptor.app/exchange/artifacts/pages/windows.eventlogs.hayabusa/)を用いることで企業向けの広範囲なスレットハンティングだけでなくDFIR(デジタルフォレンジックとインシデントレスポンス)にも無料で利用することが可能です。この2つのオープンソースを組み合わせることで、SIEMが設定されていない環境でも実質的に遡及してSIEMを再現することができます。具体的な方法は[Eric Capuano](https://twitter.com/eric_capuano)の[こちら](https://www.youtube.com/watch?v=Q1IoGX--814)の動画で学ぶことができます。 最終的な目標はインシデントレスポンスや定期的なスレットハンティングのために、HayabusaエージェントをすべてのWindows端末にインストールして、中央サーバーにアラートを返す仕組みを作ることです。 ### フォレンジックタイムラインの高速生成 diff --git a/README.md b/README.md index 9928086c..4a74eb23 100644 --- a/README.md +++ b/README.md 
@@ -88,7 +88,7 @@ Hayabusa is a **Windows event log fast forensics timeline generator** and **thre ### Threat Hunting and Enterprise-wide DFIR -Hayabusa currently has over 2400 Sigma rules and over 130 Hayabusa built-in detection rules with more rules being added regularly. It can be used for enterprise-wide proactive threat hunting as well as DFIR (Digital Forensics and Incident Response) for free with [Velociraptor](https://docs.velociraptor.app/)'s [Hayabusa artifact](https://docs.velociraptor.app/exchange/artifacts/pages/windows.eventlogs.hayabusa/). By combining these two open-source tools, you can essentially retroactively reproduce a SIEM when there is no SIEM setup in the environment. You can learn about how to do this by watching [Eric Cupuano](https://twitter.com/eric_capuano)'s Velociraptor walkthrough [here](https://www.youtube.com/watch?v=Q1IoGX--814). +Hayabusa currently has over 2400 Sigma rules and over 130 Hayabusa built-in detection rules with more rules being added regularly. It can be used for enterprise-wide proactive threat hunting as well as DFIR (Digital Forensics and Incident Response) for free with [Velociraptor](https://docs.velociraptor.app/)'s [Hayabusa artifact](https://docs.velociraptor.app/exchange/artifacts/pages/windows.eventlogs.hayabusa/). By combining these two open-source tools, you can essentially retroactively reproduce a SIEM when there is no SIEM setup in the environment. You can learn about how to do this by watching [Eric Capuano](https://twitter.com/eric_capuano)'s Velociraptor walkthrough [here](https://www.youtube.com/watch?v=Q1IoGX--814). ### Fast Forensics Timeline Generation From 7c8780a7560908d229a27eb955b5619f1220607f Mon Sep 17 00:00:00 2001 From: Tanaka Zakku <71482215+YamatoSecurity@users.noreply.github.com> Date: Tue, 9 Aug 2022 00:57:54 +0900 Subject: [PATCH 5/5] ignore csv files --- .gitignore | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
diff --git a/.gitignore b/.gitignore
index d7c5ba26..eafef81f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -5,4 +5,5 @@
 .DS_Store
 test_*
 .env
-/logs
\ No newline at end of file
+/logs
+*.csv
\ No newline at end of file
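Review bot: `*.csv` ignores CSV files anywhere in the tree, not just the tool's output, so if the repository ever carries CSV inputs or test fixtures `git add` will skip them silently and they would need `-f` to be tracked. If the intent is only to keep locally generated result files out of commits, a root-anchored `/*.csv` or a dedicated output directory is the narrower rule. The file also still ends without a trailing newline, which this patch could have fixed while touching the last line.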