From c26df97fc4fef69cb6c89fafaa21c701236c1a2a Mon Sep 17 00:00:00 2001 From: DustInDark Date: Sat, 25 Jun 2022 23:43:38 +0900 Subject: [PATCH 1/7] fixed error when output is over buffered size with color output --- src/afterfact.rs | 17 ++++------------- 1 file changed, 4 insertions(+), 13 deletions(-) diff --git a/src/afterfact.rs b/src/afterfact.rs index 7e4b9501..3c737681 100644 --- a/src/afterfact.rs +++ b/src/afterfact.rs @@ -283,20 +283,12 @@ fn emit_csv( //ヘッダーのみを出力 if plus_header { - write!(disp_wtr_buf, "{}", _get_serialized_disp_output(None)).ok(); + write_color_buffer(&disp_wtr, get_writable_color(None), &_get_serialized_disp_output(None)).ok(); plus_header = false; } - disp_wtr_buf - .set_color( - ColorSpec::new().set_fg(_get_output_color(&color_map, &detect_info.level)), - ) - .ok(); - write!( - disp_wtr_buf, - "{}", - _get_serialized_disp_output(Some(dispformat)) - ) - .ok(); + write_color_buffer( + &disp_wtr, get_writable_color(_get_output_color(&color_map, &detect_info.level)),&_get_serialized_disp_output(Some(dispformat)) + ).ok(); } else { // csv output format wtr.serialize(CsvFormat { @@ -354,7 +346,6 @@ fn emit_csv( } } if displayflag { - disp_wtr.print(&disp_wtr_buf)?; println!(); } else { wtr.flush()?; From a706c5fcbc46b43479574a13971abf1964d5a849 Mon Sep 17 00:00:00 2001 From: DustInDark Date: Sat, 25 Jun 2022 23:51:32 +0900 Subject: [PATCH 2/7] cargo fmt --- src/afterfact.rs | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/src/afterfact.rs b/src/afterfact.rs index 3c737681..4d966ac5 100644 --- a/src/afterfact.rs +++ b/src/afterfact.rs 
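Review bot: The `.ok()` on the new `write_color_buffer` calls in the `@@ -283,20 +283,12 @@` hunk of src/afterfact.rs discards the `io::Result`, whereas the `disp_wtr.print(&disp_wtr_buf)?` line removed in the `@@ -354,7 +346,6 @@` hunk propagated write failures out of `emit_csv`; when stdout closes early (output piped into a pager that exits) the loop now keeps serializing records whose writes all fail silently, and the caller never learns the output was truncated. `write_color_buffer(...)?;` would restore the old contract, and `emit_csv` already returns a `Result`, as the `wtr.flush()?` in the second hunk shows. Replacing the one shared `disp_wtr_buf` with a `wtr.buffer()`/`wtr.print()` pair per detection also turns one batched write into, as far as I can tell from termcolor, one locked stdout write per record, which is presumably acceptable but deserves a why-comment at the first call, e.g. `// print each record immediately: collecting everything in one Buffer failed on large outputs (#603)`. `emit_csv` starts before and ends after both hunks.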
@@ -283,12 +283,20 @@ fn emit_csv( //ヘッダーのみを出力 if plus_header { - write_color_buffer(&disp_wtr, get_writable_color(None), &_get_serialized_disp_output(None)).ok(); + write_color_buffer( + &disp_wtr, + get_writable_color(None), + &_get_serialized_disp_output(None), + ) + .ok(); plus_header = false; } write_color_buffer( - &disp_wtr, get_writable_color(_get_output_color(&color_map, &detect_info.level)),&_get_serialized_disp_output(Some(dispformat)) - ).ok(); + &disp_wtr, + get_writable_color(_get_output_color(&color_map, &detect_info.level)), + &_get_serialized_disp_output(Some(dispformat)), + ) + .ok(); } else { // csv output format wtr.serialize(CsvFormat { From 68276292bcec30357c1872fe9674a6cf26fcc008 Mon Sep 17 00:00:00 2001 From: DustInDark Date: Sun, 26 Jun 2022 00:21:07 +0900 Subject: [PATCH 3/7] to remove unnecessary newline in display output --- src/afterfact.rs | 11 ++++++++-- src/detections/detection.rs | 3 +++ src/detections/print.rs | 2 ++ src/detections/utils.rs | 7 +++++- src/main.rs | 44 ++++++++++++++++++++++++++++++++----- src/options/level_tuning.rs | 2 ++ 6 files changed, 61 insertions(+), 8 deletions(-) diff --git a/src/afterfact.rs b/src/afterfact.rs index 4d966ac5..1d699a60 100644 --- a/src/afterfact.rs +++ b/src/afterfact.rs @@ -287,6 +287,7 @@ fn emit_csv( &disp_wtr, get_writable_color(None), &_get_serialized_disp_output(None), + true, ) .ok(); plus_header = false; @@ -295,6 +296,7 @@ fn emit_csv( &disp_wtr, get_writable_color(_get_output_color(&color_map, &detect_info.level)), &_get_serialized_disp_output(Some(dispformat)), + false, ) .ok(); } else { @@ -383,6 +385,7 @@ fn emit_csv( &disp_wtr, get_writable_color(Some(Color::Green)), "Results Summary:", + true, ) .ok(); @@ -406,6 +409,7 @@ fn emit_csv( &disp_wtr, get_writable_color(None), &format!("Total events: {}", all_record_cnt), + true, ) .ok(); write_color_buffer( 
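Review bot: The `false` added in the `@@ -295,6 +296,7 @@` hunk of src/afterfact.rs only works because `_get_serialized_disp_output(Some(dispformat))` already ends in a line terminator (the test updated in the sixth patch expects a trailing `\n`), while the header call in the `@@ -287,6 +287,7 @@` hunk passes `true` because the header lost its `\n` in the `@@ -471,7 +476,7 @@` hunk; nothing at either call site or on the function says so. A `///` comment on `_get_serialized_disp_output` stating that the `None` form returns the header with no trailing newline and the `Some` form returns a record that already ends with the csv terminator, plus `// record already carries its terminator; header does not` above the second call, would stop the next maintainer from "fixing" the asymmetry. The same one-line comment belongs beside `expect_header` in the test hunk of the sixth patch. These call sites sit inside `emit_csv`, which starts and ends outside the hunks.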
@@ -415,6 +419,7 @@ fn emit_csv( "Data reduction: {} events ({:.2}%)", reducted_record_cnt, reducted_percent ), + true, ) .ok(); println!(); @@ -471,7 +476,7 @@ fn _get_serialized_disp_output(dispformat: Option) -> String { if configs::CONFIG.read().unwrap().args.full_data { titles.push("RecordInformation"); } - return format!("{}\n", titles.join("|")); + return titles.join("|").to_string(); } let mut disp_serializer = csv::WriterBuilder::new() .double_quote(false) @@ -521,8 +526,9 @@ fn _print_unique_results( "{} {}: {}", head_word, tail_word, - counts_by_level.iter().sum::() + counts_by_level.iter().sum::(), ), + true, ) .ok(); @@ -538,6 +544,7 @@ fn _print_unique_results( &BufferWriter::stdout(ColorChoice::Always), _get_output_color(color_map, level_name), &output_raw_str, + true, ) .ok(); } diff --git a/src/detections/detection.rs b/src/detections/detection.rs index 597fce32..a507c2dc 100644 --- a/src/detections/detection.rs +++ b/src/detections/detection.rs @@ -394,6 +394,7 @@ impl Detection { &BufferWriter::stdout(ColorChoice::Always), Some(Color::Red), &format!("Rule parsing errors: {}", err_rc), + true, ) .ok(); } @@ -421,6 +422,7 @@ impl Detection { rate, deprecated_flag ), + true, ) .ok(); } @@ -434,6 +436,7 @@ impl Detection { &BufferWriter::stdout(ColorChoice::Always), None, &format!("{} rules: {}", key, value), + true, ) .ok(); }); diff --git a/src/detections/print.rs b/src/detections/print.rs index a63bd91e..29b943b0 100644 --- a/src/detections/print.rs +++ b/src/detections/print.rs @@ -327,6 +327,7 @@ impl AlertMessage { &BufferWriter::stderr(ColorChoice::Always), None, &format!("[ERROR] {}", contents), + true, ) } @@ -336,6 +337,7 @@ impl AlertMessage { &BufferWriter::stderr(ColorChoice::Always), None, &format!("[WARN] {}", contents), + true, ) } } diff --git a/src/detections/utils.rs b/src/detections/utils.rs index b9f9ba4a..9f919630 100644 --- a/src/detections/utils.rs +++ b/src/detections/utils.rs 
@@ -245,10 +245,15 @@ pub fn write_color_buffer( wtr: &BufferWriter, color: Option, output_str: &str, + newline_flag: bool, ) -> io::Result<()> { let mut buf = wtr.buffer(); buf.set_color(ColorSpec::new().set_fg(color)).ok(); - writeln!(buf, "{}", output_str).ok(); + if newline_flag { + writeln!(buf, "{}", output_str).ok(); + } else { + write!(buf, "{}", output_str).ok(); + } wtr.print(&buf) } diff --git a/src/main.rs b/src/main.rs index e3c95f2e..578f7727 100644 --- a/src/main.rs +++ b/src/main.rs @@ -120,6 +120,7 @@ impl App { &BufferWriter::stdout(ColorChoice::Always), None, "Rules updated successfully.", + true, ) .ok(); } @@ -173,6 +174,7 @@ impl App { &BufferWriter::stdout(ColorChoice::Always), None, "Generating Event ID Statistics", + true, ) .ok(); println!(); @@ -182,6 +184,7 @@ impl App { &BufferWriter::stdout(ColorChoice::Always), None, "Generating Logons Summary", + true, ) .ok(); println!(); @@ -265,6 +268,7 @@ impl App { &BufferWriter::stdout(ColorChoice::Always), None, &configs::CONFIG.read().unwrap().headless_help, + true, ) .ok(); return; @@ -277,6 +281,7 @@ impl App { &BufferWriter::stdout(ColorChoice::Always), None, &format!("Elapsed Time: {}", &analysis_duration.hhmmssxxx()), + true, ) .ok(); println!(); @@ -329,17 +334,30 @@ impl App { ) .ok(); }); - write_color_buffer(&BufferWriter::stdout(ColorChoice::Always), None, &output).ok(); + write_color_buffer( + &BufferWriter::stdout(ColorChoice::Always), + None, + &output, + true, + ) + .ok(); } else { //標準出力の場合 let output = "The following pivot keywords were found:".to_string(); - write_color_buffer(&BufferWriter::stdout(ColorChoice::Always), None, &output).ok(); + write_color_buffer( + &BufferWriter::stdout(ColorChoice::Always), + None, + &output, + true, + ) + .ok(); pivot_key_unions.iter().for_each(|(key, pivot_keyword)| { write_color_buffer( &BufferWriter::stdout(ColorChoice::Always), None, &create_output(String::default(), key, pivot_keyword), + true, ) .ok(); }); 
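Review bot: `newline_flag: bool` in the `@@ -245,10 +245,15 @@` hunk of src/detections/utils.rs surfaces as a bare `true`/`false` positional argument at roughly thirty call sites across this series, which a reader cannot interpret without returning to the signature; a two-variant enum, or keeping the three-argument `write_color_buffer` as the `writeln` form and adding a sibling for the no-newline case, would carry the meaning at the call site. Inside the function the `set_color` and `write!`/`writeln!` results are `.ok()`'d while `wtr.print(&buf)` is returned; writes into the in-memory buffer presumably cannot fail, but a comment such as `// writing into the in-memory Buffer cannot fail; only the final print can` would explain the asymmetry. No `buf.reset()` is issued before `wtr.print`, so, as far as I can tell from termcolor's behavior, the last color set stays active after the final line until a later call sets a new one. The signature line of `write_color_buffer` is just above the hunk.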
@@ -425,8 +443,13 @@ impl App { fn print_contributors(&self) { match fs::read_to_string("./contributors.txt") { Ok(contents) => { - write_color_buffer(&BufferWriter::stdout(ColorChoice::Always), None, &contents) - .ok(); + write_color_buffer( + &BufferWriter::stdout(ColorChoice::Always), + None, + &contents, + true, + ) + .ok(); } Err(err) => { AlertMessage::alert(&format!("{}", err)).ok(); @@ -445,6 +468,7 @@ impl App { &BufferWriter::stdout(ColorChoice::Always), None, &format!("Analyzing event files: {:?}", evtx_files.len()), + true, ) .ok(); @@ -671,6 +695,7 @@ impl App { &BufferWriter::stdout(ColorChoice::Always), output_color, &content, + true, ) .ok(); } @@ -687,7 +712,13 @@ impl App { None => {} Some(path) => { let content = fs::read_to_string(path).unwrap_or_default(); - write_color_buffer(&BufferWriter::stdout(ColorChoice::Always), None, &content).ok(); + write_color_buffer( + &BufferWriter::stdout(ColorChoice::Always), + None, + &content, + true, + ) + .ok(); } } } @@ -704,6 +735,7 @@ impl App { &BufferWriter::stdout(ColorChoice::Always), None, "Attempting to git clone the hayabusa-rules repository into the rules folder.", + true, ) .ok(); // execution git clone of hayabusa-rules repository when failed open hayabusa repository. @@ -886,6 +918,7 @@ impl App { "[Updated] {} (Modified: {} | Path: {})", tmp[0], tmp[1], tmp[2] ), + true, ) .ok(); } @@ -900,6 +933,7 @@ impl App { &BufferWriter::stdout(ColorChoice::Always), None, "You currently have the latest rules.", + true, ) .ok(); Ok("You currently have the latest rules.".to_string()) diff --git a/src/options/level_tuning.rs b/src/options/level_tuning.rs index c7a7bf80..797a0b3b 100644 --- a/src/options/level_tuning.rs +++ b/src/options/level_tuning.rs @@ -62,6 +62,7 @@ impl LevelTuning { &BufferWriter::stdout(ColorChoice::Always), None, &format!("path: {}", path), + true, ) .ok(); let mut content = match fs::read_to_string(&path) { 
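Review bot: In the `@@ -687,7 +712,13 @@` hunk of src/main.rs the new multi-line call prints `content` that comes from `fs::read_to_string(path).unwrap_or_default()` on the line above it, so an unreadable `path` yields a silent empty line with no error, whereas `print_contributors` in the `@@ -425,8 +443,13 @@` hunk of the same patch routes its read error to `AlertMessage::alert`; matching on the `Result` the same way here would be consistent. In the `@@ -900,6 +933,7 @@` hunk the literal `"You currently have the latest rules."` is written twice, once for `write_color_buffer` and once in the returned `Ok(...)`, and a single `let msg = "You currently have the latest rules.";` used for both would keep them from drifting. The enclosing functions begin and end outside these hunks.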
@@ -101,6 +102,7 @@ impl LevelTuning { rule["level"].as_str().unwrap(), new_level ), + true, ) .ok(); } From 53ca69b05e89d86fc162cb6a02139fd327920b60 Mon Sep 17 00:00:00 2001 From: DustInDark Date: Sun, 26 Jun 2022 00:29:56 +0900 Subject: [PATCH 4/7] updated changelog and updated rules #603 --- CHANGELOG-Japanese.md | 2 +- CHANGELOG.md | 2 +- rules | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/CHANGELOG-Japanese.md b/CHANGELOG-Japanese.md index c402f4c5..770bb154 100644 --- a/CHANGELOG-Japanese.md +++ b/CHANGELOG-Japanese.md @@ -16,7 +16,7 @@ **バグ修正:** -- XXX +- カラー出力で長い出力があった場合にエラーが出て終了する問題を修正した。 (#603) (@hitenkoku) ## v1.3.2 [2022/06/13] diff --git a/CHANGELOG.md b/CHANGELOG.md index c6166101..d428929d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -17,7 +17,7 @@ **Bug Fixes:** -- XXX +- Fixed output error and terminate program when long output is displayed with color. (#603) (@hitenkoku) ## v1.3.2 [2022/06/13] diff --git a/rules b/rules index 8c14d12b..2e7e8c8d 160000 --- a/rules +++ b/rules @@ -1 +1 @@ -Subproject commit 8c14d12be3f2d08721eee6db7238058fdaca3ce6 +Subproject commit 2e7e8c8dd4caf18dc9dc16dfff4b7935d57f2ccc From 9d871d39739edd93f5ec221f01cd4ecc15094f96 Mon Sep 17 00:00:00 2001 From: DustInDark Date: Sun, 26 Jun 2022 00:36:51 +0900 Subject: [PATCH 5/7] fixed clippy error --- src/afterfact.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/afterfact.rs b/src/afterfact.rs index 1d699a60..a8af6411 100644 --- a/src/afterfact.rs +++ b/src/afterfact.rs @@ -476,7 +476,7 @@ fn _get_serialized_disp_output(dispformat: Option) -> String { if configs::CONFIG.read().unwrap().args.full_data { titles.push("RecordInformation"); } - return titles.join("|").to_string(); + return titles.join("|"); } let mut disp_serializer = csv::WriterBuilder::new() .double_quote(false) From 5d058d3b89a89153efd368213be3e99fa94bdf33 Mon Sep 17 00:00:00 2001 
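Review bot: The `@@ -101,6 +102,7 @@` hunk of src/options/level_tuning.rs formats `rule["level"].as_str().unwrap()` into the message passed to `write_color_buffer`, so a rule file whose `level` is absent or not a string panics here rather than being reported; rule files are user-editable input, which makes that path reachable in normal use. The enclosing block starts outside the hunk, so a guard may already exist above it; if not, matching on `rule["level"].as_str()` and reporting the `None` case through `AlertMessage::alert`, as the rest of the series does for errors, would be safer than the `unwrap()`.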
From: DustInDark Date: Sun, 26 Jun 2022 00:50:05 +0900 Subject: [PATCH 6/7] fixed test --- src/afterfact.rs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/afterfact.rs b/src/afterfact.rs index a8af6411..7ed81674 100644 --- a/src/afterfact.rs +++ b/src/afterfact.rs @@ -827,7 +827,7 @@ mod tests { let test_timestamp = Utc .datetime_from_str("1996-02-27T01:05:01Z", "%Y-%m-%dT%H:%M:%SZ") .unwrap(); - let expect_header = "Timestamp|Computer|Channel|EventID|Level|RecordID|RuleTitle|Details\n"; + let expect_header = "Timestamp|Computer|Channel|EventID|Level|RecordID|RuleTitle|Details"; let expect_tz = test_timestamp.with_timezone(&Local); let expect_no_header = expect_tz @@ -851,7 +851,7 @@ mod tests { + "|" + test_recinfo + "\n"; - assert_eq!(_get_serialized_disp_output(None,), expect_header); + assert_eq!(_get_serialized_disp_output(None), expect_header); assert_eq!( _get_serialized_disp_output(Some(DisplayFormat { timestamp: &format_time(&test_timestamp, false), From aa69a5ac765f2b876e5a0b4b7e883f351d207927 Mon Sep 17 00:00:00 2001 From: Tanaka Zakku <71482215+YamatoSecurity@users.noreply.github.com> Date: Sun, 26 Jun 2022 07:01:55 +0900 Subject: [PATCH 7/7] update changelog --- CHANGELOG-Japanese.md | 5 +++-- CHANGELOG.md | 8 ++++---- 2 files changed, 7 insertions(+), 6 deletions(-) diff --git a/CHANGELOG-Japanese.md b/CHANGELOG-Japanese.md index 770bb154..60d4996a 100644 --- a/CHANGELOG-Japanese.md +++ b/CHANGELOG-Japanese.md @@ -1,6 +1,6 @@ # 変更点 -## v1.4.0 [2022/XX/XX] +## v1.4.0 [2022/06/26] **新機能:** 
@@ -9,14 +9,15 @@ **改善:** +- ルール内に`details`フィールドがないときに、`rules/config/default_details.txt`に設定されたデフォルトの出力を行えるようにした。 (#359) (@hitenkoku) - Clap Crateパッケージの更新 (#413) (@hitenkoku) - オプションの指定がないときに、`--help`と同じ画面出力を行うように変更した。(#387) (@hitenkoku) -- ルール内に`details`フィールドがないときに、`rules/config/default_details.txt`に設定されたデフォルトの出力を行えるようにした。 (#359) (@hitenkoku) - `output` オプションで指定されファイルのサイズを出力するようにした。 (#595) (@hitenkoku) **バグ修正:** - カラー出力で長い出力があった場合にエラーが出て終了する問題を修正した。 (#603) (@hitenkoku) +- `Excluded rules`の合計で`rules/tools/sigmac/testfiles`配下のテストルールも入っていたので、無視するようにした。 (#602) (@hitenkoku) ## v1.3.2 [2022/06/13] diff --git a/CHANGELOG.md b/CHANGELOG.md index d428929d..f75d7951 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,6 @@ # Changes -## v1.4.0 [2022/XX/XX] +## v1.4.0 [2022/06/26] **New Features:** @@ -9,15 +9,15 @@ **Enhancements:** +- Added default details output based on `rules/config/default_details.txt` when no `details` field in a rule is specified. (i.e. Sigma rules) (#359) (@hitenkoku) - Updated clap crate package to version 3. (#413) (@hitnekoku) - Updated the default usage and help menu. (#387) (@hitenkoku) -- Added default details output based on `rules/config/default_details.txt` when no `details` field in a rule is specified. (i.e. Sigma rules) (#359) (@hitenkoku) - Added saved file size output when `output` is specified. (#595) (@hitenkoku) -- Ignored loading yml file in `rules/tools/sigmac/testfiles`. (#602) (@hitenkoku) **Bug Fixes:** -- Fixed output error and terminate program when long output is displayed with color. (#603) (@hitenkoku) +- Fixed output error and program termination when long output is displayed with color. (#603) (@hitenkoku) +- Ignore loading yml files in `rules/tools/sigmac/testfiles` to fix `Excluded rules` count. (#602) (@hitenkoku) ## v1.3.2 [2022/06/13]