CSEC_PUBLIC/hayabusa
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Feature/fix count() (#327)

Browse Source
This commit is contained in:
James Takai / hach1yon
2021-12-22 09:10:28 +09:00
committed by GitHub
parent 2e37e17300
commit ea685fb75a
5 changed files with 820 additions and 442 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
src/detections/detection.rs
View File

@@ -131,7 +131,11 @@ impl Detection {
return self; return self;
} }
pub fn add_aggcondition_msg(&self) { pub fn add_aggcondition_msges(self, rt: &Runtime) {
return rt.block_on(self.add_aggcondition_msg());
}
async fn add_aggcondition_msg(&self) {
for rule in &self.rules { for rule in &self.rules {
if !rule.has_agg_condition() { if !rule.has_agg_condition() {
continue; continue;

6
src/detections/rule/aggregation_parser.rs
View File

@@ -23,7 +23,7 @@ pub struct AggregationParseInfo {
pub _field_name: Option<String>, // countの括弧に囲まれた部分の文字 pub _field_name: Option<String>, // countの括弧に囲まれた部分の文字
pub _by_field_name: Option<String>, // count() by の後に指定される文字列 pub _by_field_name: Option<String>, // count() by の後に指定される文字列
pub _cmp_op: AggregationConditionToken, // (必須)<とか>とか何が指定されたのか pub _cmp_op: AggregationConditionToken, // (必須)<とか>とか何が指定されたのか
pub _cmp_num: i32, // (必須)<とか>とかの後にある数値 pub _cmp_num: i64, // (必須)<とか>とかの後にある数値
} }
#[derive(Debug)] #[derive(Debug)]
@@ -202,7 +202,7 @@ impl AggegationConditionCompiler {
let token = token_ite.next().unwrap_or(AggregationConditionToken::SPACE); let token = token_ite.next().unwrap_or(AggregationConditionToken::SPACE);
let cmp_number = if let AggregationConditionToken::KEYWORD(number) = token { let cmp_number = if let AggregationConditionToken::KEYWORD(number) = token {
let number: Result<i32, _> = number.parse(); let number: Result<i64, _> = number.parse();
if number.is_err() { if number.is_err() {
// 比較演算子の後に数値が無い。 // 比較演算子の後に数値が無い。
return Result::Err("The compare operator needs a number like '> 3'.".to_string()); return Result::Err("The compare operator needs a number like '> 3'.".to_string());
@@ -460,7 +460,7 @@ mod tests {
); );
} }
fn check_aggregation_condition_ope(expr: String, cmp_num: i32) -> AggregationConditionToken { fn check_aggregation_condition_ope(expr: String, cmp_num: i64) -> AggregationConditionToken {
let compiler = AggegationConditionCompiler::new(); let compiler = AggegationConditionCompiler::new();
let result = compiler.compile(expr); let result = compiler.compile(expr);

1246
src/detections/rule/count.rs
View File

File diff suppressed because it is too large Load Diff

4
src/detections/rule/mod.rs
View File

@@ -303,7 +303,7 @@ impl DetectionNode {
/// countなどのaggregationの結果を出力する構造体 /// countなどのaggregationの結果を出力する構造体
pub struct AggResult { pub struct AggResult {
/// countなどの値 /// countなどの値
pub data: i32, pub data: i64,
/// count byで指定された条件のレコード内での値 /// count byで指定された条件のレコード内での値
pub key: String, pub key: String,
/// countの括弧内指定された項目の検知されたレコード内での値の配列。括弧内で指定がなかった場合は長さ0の配列となる /// countの括弧内指定された項目の検知されたレコード内での値の配列。括弧内で指定がなかった場合は長さ0の配列となる
@@ -316,7 +316,7 @@ pub struct AggResult {
impl AggResult { impl AggResult {
pub fn new( pub fn new(
data: i32, data: i64,
key: String, key: String,
field_values: Vec<String>, field_values: Vec<String>,
start_timedate: DateTime<Utc>, start_timedate: DateTime<Utc>,

2
src/main.rs
View File

@@ -170,6 +170,7 @@ impl App {
detection = self.analysis_file(evtx_file, detection); detection = self.analysis_file(evtx_file, detection);
pb.inc(); pb.inc();
} }
detection.add_aggcondition_msges(&self.rt);
after_fact(); after_fact();
} }
@@ -236,7 +237,6 @@ impl App {
detection = detection.start(&self.rt, records_per_detect); detection = detection.start(&self.rt, records_per_detect);
} }
detection.add_aggcondition_msg();
tl.tm_stats_dsp_msg(); tl.tm_stats_dsp_msg();
return detection; return detection;