changed output field to details field in yaml data of test case

This commit is contained in:
DustInDark
2021-12-23 08:59:41 +09:00
parent 55da18c06d
commit f2445ae093
5 changed files with 98 additions and 98 deletions


@@ -556,7 +556,7 @@ mod tests {
Channel: 'System'
EventID: 7040
param1: 'Windows Event Log'
output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
"#;
let record_json_str = r#"
@@ -600,7 +600,7 @@ mod tests {
Channel: 'System'
EventID: 7041
param1: 'Windows Event Log'
output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
"#;
let record_json_str = r#"
@@ -646,7 +646,7 @@ mod tests {
selection3:
param1: 'Windows Event Log'
condition: selection1 and selection2 and selection3
output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
"#;
check_select(rule_str, SIMPLE_RECORD_STR, true);
@@ -666,7 +666,7 @@ mod tests {
selection3:
param1: 'Windows Event Log'
condition: selection1 and selection2 and selection3
output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
"#;
check_select(rule_str, SIMPLE_RECORD_STR, false);
@@ -686,7 +686,7 @@ mod tests {
selection3:
param1: 'Windows Event Log'
condition: selection1 and selection2 and selection3
output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
"#;
check_select(rule_str, SIMPLE_RECORD_STR, false);
@@ -706,7 +706,7 @@ mod tests {
selection3:
param1: 'Windows Event Logn'
condition: selection1 and selection2 and selection3
output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
"#;
check_select(rule_str, SIMPLE_RECORD_STR, false);
@@ -726,7 +726,7 @@ mod tests {
selection3:
param1: 'Windows Event Logn'
condition: selection1 and selection2 and selection3
output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
"#;
check_select(rule_str, SIMPLE_RECORD_STR, false);
@@ -746,7 +746,7 @@ mod tests {
selection3:
param1: 'Windows Event Logn'
condition: selection1 and selection2 and selection3
output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
"#;
check_select(rule_str, SIMPLE_RECORD_STR, false);
@@ -765,7 +765,7 @@ mod tests {
selection3:
param1: 'Windows Event Log'
condition: selection1 or selection2 or selection3
output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
"#;
check_select(rule_str, SIMPLE_RECORD_STR, true);
@@ -784,7 +784,7 @@ mod tests {
selection3:
param1: 'Windows Event Log'
condition: selection1 or selection2 or selection3
output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
"#;
check_select(rule_str, SIMPLE_RECORD_STR, true);
@@ -803,7 +803,7 @@ mod tests {
selection3:
param1: 'Windows Event Log'
condition: selection1 or selection2 or selection3
output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
"#;
check_select(rule_str, SIMPLE_RECORD_STR, true);
@@ -822,7 +822,7 @@ mod tests {
selection3:
param1: 'Windows Event Logn'
condition: selection1 or selection2 or selection3
output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
"#;
check_select(rule_str, SIMPLE_RECORD_STR, true);
@@ -841,7 +841,7 @@ mod tests {
selection3:
param1: 'Windows Event Log'
condition: selection1 or selection2 or selection3
output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
"#;
check_select(rule_str, SIMPLE_RECORD_STR, true);
@@ -860,7 +860,7 @@ mod tests {
selection3:
param1: 'Windows Event Logn'
condition: selection1 or selection2 or selection3
output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
"#;
check_select(rule_str, SIMPLE_RECORD_STR, true);
@@ -879,7 +879,7 @@ mod tests {
selection3:
param1: 'Windows Event Logn'
condition: selection1 or selection2 or selection3
output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
"#;
check_select(rule_str, SIMPLE_RECORD_STR, true);
@@ -898,7 +898,7 @@ mod tests {
selection3:
param1: 'Windows Event Logn'
condition: selection1 or selection2 or selection3
output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
"#;
check_select(rule_str, SIMPLE_RECORD_STR, false);
@@ -913,7 +913,7 @@ mod tests {
selection1:
Channel: 'Systemn'
condition: not selection1
output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
"#;
check_select(rule_str, SIMPLE_RECORD_STR, true);
@@ -928,7 +928,7 @@ mod tests {
selection1:
Channel: 'System'
condition: not selection1
output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
"#;
check_select(rule_str, SIMPLE_RECORD_STR, false);
@@ -947,7 +947,7 @@ mod tests {
selection3:
param1: 'Windows Event Logn'
condition: selection2 and (selection2 or selection3)
output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
"#;
check_select(rule_str, SIMPLE_RECORD_STR, true);
@@ -966,7 +966,7 @@ mod tests {
selection3:
param1: 'Windows Event Logn'
condition: selection2 and (selection2 and selection3)
output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
"#;
check_select(rule_str, SIMPLE_RECORD_STR, false);
@@ -985,7 +985,7 @@ mod tests {
selection3:
param1: 'Windows Event Logn'
condition: selection2 and (((selection2 or selection3)))
output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
"#;
check_select(rule_str, SIMPLE_RECORD_STR, true);
@@ -1004,7 +1004,7 @@ mod tests {
selection3:
param1: 'Windows Event Logn'
condition: selection2 and ((((selection2 and selection3))))
output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
"#;
check_select(rule_str, SIMPLE_RECORD_STR, false);
@@ -1023,7 +1023,7 @@ mod tests {
selection3:
param1: 'Windows Event Logn'
condition: (selection2 and selection1) and not ((selection2 and selection3))
output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
"#;
check_select(rule_str, SIMPLE_RECORD_STR, true);
@@ -1042,7 +1042,7 @@ mod tests {
selection3:
param1: 'Windows Event Logn'
condition: (selection2 and selection1) and not (not(selection2 and selection3))
output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
"#;
check_select(rule_str, SIMPLE_RECORD_STR, false);
@@ -1061,7 +1061,7 @@ mod tests {
selection3:
param1: 'Windows Event Logn'
condition: (selection2 and selection1) and (selection2 or selection3)
output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
"#;
check_select(rule_str, SIMPLE_RECORD_STR, true);
@@ -1080,7 +1080,7 @@ mod tests {
selection3:
param1: 'Windows Event Logn'
condition: (selection2 and selection1) and (selection2 and selection3)
output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
"#;
check_select(rule_str, SIMPLE_RECORD_STR, false);
@@ -1101,7 +1101,7 @@ mod tests {
selection4:
param2: 'auto start'
condition: (selection1 and (selection2 and ( selection3 and selection4 )))
output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
"#;
check_select(rule_str, SIMPLE_RECORD_STR, true);
@@ -1122,7 +1122,7 @@ mod tests {
selection4:
param2: 'auto start'
condition: (selection1 and (selection2 and ( selection3 and selection4 )))
output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
"#;
check_select(rule_str, SIMPLE_RECORD_STR, false);
@@ -1143,7 +1143,7 @@ mod tests {
selection4:
param2: 'auto start'
condition: (selection1 and (selection2 and ( selection3 or selection4 )))
output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
"#;
check_select(rule_str, SIMPLE_RECORD_STR, true);
@@ -1164,7 +1164,7 @@ mod tests {
selection4:
param2: 'auto startn'
condition: (selection1 and (selection2 and ( selection3 or selection4 )))
output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
"#;
check_select(rule_str, SIMPLE_RECORD_STR, false);
@@ -1181,7 +1181,7 @@ mod tests {
EventID: 7041
selection2:
param1: 'Windows Event Log'
output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
"#;
let mut rule_yaml = YamlLoader::load_from_str(rule_str).unwrap().into_iter();
@@ -1207,7 +1207,7 @@ mod tests {
selection2:
param1: 'Windows Event Log'
condition: selection-1 and selection2
output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
"#;
check_rule_parse_error(
@@ -1230,7 +1230,7 @@ mod tests {
selection2:
param1: 'Windows Event Log'
condition: selection1 and ((selection2)
output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
"#;
check_rule_parse_error(
@@ -1253,7 +1253,7 @@ mod tests {
selection2:
param1: 'Windows Event Log'
condition: selection1 and (selection2))
output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
"#;
check_rule_parse_error(
@@ -1276,7 +1276,7 @@ mod tests {
selection2:
param1: 'Windows Event Log'
condition: selection1 and )selection2(
output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
"#;
check_rule_parse_error(
@@ -1299,7 +1299,7 @@ mod tests {
selection2:
param1: 'Windows Event Log'
condition: selection1 selection2
output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
"#;
check_rule_parse_error(rule_str,vec!["A condition parse error has occured. Unknown error. Maybe it is because there are multiple names of selection nodes.".to_string()]);
@@ -1317,7 +1317,7 @@ mod tests {
selection2:
param1: 'Windows Event Log'
condition: and selection1 or selection2
output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
"#;
check_rule_parse_error(
@@ -1341,7 +1341,7 @@ mod tests {
selection2:
param1: 'Windows Event Log'
condition: selection1 or selection2 or
output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
"#;
check_rule_parse_error(
@@ -1365,7 +1365,7 @@ mod tests {
selection2:
param1: 'Windows Event Log'
condition: selection1 or or selection2
output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
"#;
check_rule_parse_error(rule_str,vec!["A condition parse error has occured. The use of a logical operator(and, or) was wrong.".to_string()]);
@@ -1383,7 +1383,7 @@ mod tests {
selection2:
param1: 'Windows Event Log'
condition: selection1 or ( not )
output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
"#;
check_rule_parse_error(
@@ -1404,7 +1404,7 @@ mod tests {
selection2:
param1: 'Windows Event Log'
condition: selection1 or ( not not )
output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
"#;
check_rule_parse_error(
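Review bot: The renamed `details` values in these fixtures end each sentence with `¥n` (U+00A5 followed by `n`) rather than an escape sequence; inside a YAML single-quoted scalar those are two literal characters, so no line break is produced (a single-quoted scalar would not interpret `\n` either), and this looks like a backslash typed on a Japanese keyboard layout where it renders as a yen sign. If a line break is intended, the fixture needs a double-quoted scalar with `\n`; if the text is only a placeholder, a comment such as `// fixture text only: '¥n' is literal, not a newline` above the first such rule string would stop the next reader from chasing it. The same strings recur in the other four file sections of this commit, so one decision covers them all. None of the hunks shown asserts on the substituted `details` text, only on whether the rule matches or fails to parse, so the key rename is exercised only through rule loading here; I cannot see whether an assertion later in each test covers the rendered value, and one such assertion would presumably be enough.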


@@ -590,7 +590,7 @@ mod tests {
selection3:
param1: 'Windows Event Log'
condition: selection1 and selection2 and selection3 | count() >= 1
output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
"#;
let mut expected_count = HashMap::new();
expected_count.insert("_".to_owned(), 2);
@@ -642,7 +642,7 @@ mod tests {
param1: 'Windows Event Log'
condition: selection1 and selection2 and selection3 | count() >= 1
timeframe: 15m
output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
"#;
let mut expected_count = HashMap::new();
expected_count.insert("_".to_owned(), 2);
@@ -682,7 +682,7 @@ mod tests {
selection3:
param1: 'Windows Event Log'
condition: selection1 and selection2 and selection3 | count(Channel) >= 1
output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
"#;
let mut expected_count = HashMap::new();
expected_count.insert("_".to_owned(), 1);
@@ -729,7 +729,7 @@ mod tests {
selection1:
param1: 'Windows Event Log'
condition: selection1 | count(EventID) by Channel >= 1
output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
"#;
let mut expected_count = HashMap::new();
@@ -787,7 +787,7 @@ mod tests {
Channel: 'System'
condition: selection1 | count(EventID) by param1 >= 1
timeframe: 1h
output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
"#;
let mut expected_count = HashMap::new();
expected_count.insert("Windows Event Log".to_owned(), 1);
@@ -840,7 +840,7 @@ mod tests {
Channel: 'System'
condition: selection1 | count(EventID) >= 2
timeframe: 1h
output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
"#;
let mut rule_yaml = YamlLoader::load_from_str(rule_str).unwrap().into_iter();
let test = rule_yaml.next().unwrap();
@@ -897,7 +897,7 @@ mod tests {
param1: 'Windows Event Log'
condition: selection1 | count(EventID) by Channel >= 2
timeframe: 30m
output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
"#;
let mut expected_count = HashMap::new();
@@ -947,7 +947,7 @@ mod tests {
param1: 'Windows Event Log'
condition: selection1 | count(EventID) by Channel >= 1
timeframe: 1h
output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
"#;
let default_time = Utc.ymd(1977, 1, 1).and_hms(0, 0, 0);
@@ -1584,7 +1584,7 @@ mod tests {
param1: 'Windows Event Log'
condition: selection1 | ${COUNT}
timeframe: ${TIME_FRAME}
output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
"#;
return template
.replace("${COUNT}", count)


@@ -509,7 +509,7 @@ mod tests {
falsepositives:
- unknown
level: medium
output: 'command=%CommandLine%'
details: 'command=%CommandLine%'
creation_date: 2020/11/8
updated_date: 2020/11/8
"#;
@@ -692,7 +692,7 @@ mod tests {
detection:
selection:
EventID: 4103
output: 'command=%CommandLine%'
details: 'command=%CommandLine%'
"#;
let record_json_str = r#"
@@ -723,7 +723,7 @@ mod tests {
detection:
selection:
EventID: 4103
output: 'command=%CommandLine%'
details: 'command=%CommandLine%'
"#;
let record_json_str = r#"
@@ -753,7 +753,7 @@ mod tests {
detection:
selection:
EventID: 4103
output: 'command=%CommandLine%'
details: 'command=%CommandLine%'
"#;
let record_json_str = r#"
@@ -784,7 +784,7 @@ mod tests {
detection:
selection:
Channel: Security
output: 'command=%CommandLine%'
details: 'command=%CommandLine%'
"#;
let record_json_str = r#"
@@ -815,7 +815,7 @@ mod tests {
detection:
selection:
Channel: Security
output: 'command=%CommandLine%'
details: 'command=%CommandLine%'
"#;
let record_json_str = r#"
@@ -845,7 +845,7 @@ mod tests {
detection:
selection:
Channel: Security
output: 'command=%CommandLine%'
details: 'command=%CommandLine%'
"#;
let record_json_str = r#"
@@ -875,7 +875,7 @@ mod tests {
detection:
selection:
Channel: Security
output: 'command=%CommandLine%'
details: 'command=%CommandLine%'
"#;
let record_json_str = r#"
@@ -906,7 +906,7 @@ mod tests {
selection:
Channel:
min_length: 10
output: 'command=%CommandLine%'
details: 'command=%CommandLine%'
"#;
let record_json_str = r#"
@@ -937,7 +937,7 @@ mod tests {
selection:
Channel:
min_length: 10
output: 'command=%CommandLine%'
details: 'command=%CommandLine%'
"#;
let record_json_str = r#"
@@ -968,7 +968,7 @@ mod tests {
selection:
Channel:
min_length: 10
output: 'command=%CommandLine%'
details: 'command=%CommandLine%'
"#;
let record_json_str = r#"
@@ -999,7 +999,7 @@ mod tests {
selection:
Channel:
min_length: 10
output: 'command=%CommandLine%'
details: 'command=%CommandLine%'
"#;
let record_json_str = r#"
@@ -1030,7 +1030,7 @@ mod tests {
selection:
Channel:
min_length: 11
output: 'command=%CommandLine%'
details: 'command=%CommandLine%'
"#;
let record_json_str = r#"
@@ -1060,7 +1060,7 @@ mod tests {
detection:
selection:
Channel|re: ^Program$
output: 'command=%CommandLine%'
details: 'command=%CommandLine%'
"#;
let record_json_str = r#"
@@ -1093,7 +1093,7 @@ mod tests {
EventID: 4103
Channel:
- allowlist: ./config/regex/allowlist_legitimate_services.txt
output: 'command=%CommandLine%'
details: 'command=%CommandLine%'
"#;
// JSONで値としてダブルクオートを使う場合、\でエスケープが必要なのに注意
@@ -1127,7 +1127,7 @@ mod tests {
EventID: 4103
Channel:
- allowlist: ./config/regex/allowlist_legitimate_services.txt
output: 'command=%CommandLine%'
details: 'command=%CommandLine%'
"#;
// JSONで値としてダブルクオートを使う場合、\でエスケープが必要なのに注意
@@ -1161,7 +1161,7 @@ mod tests {
EventID: 4103
Channel:
- allowlist: ./config/regex/allowlist_legitimate_services.txt
output: 'command=%CommandLine%'
details: 'command=%CommandLine%'
"#;
let record_json_str = r#"
@@ -1193,7 +1193,7 @@ mod tests {
Channel: Security
EventID: 4732
TargetUserName|startswith: "Administrators"
output: 'user added to local Administrators UserName: %MemberName% SID: %MemberSid%'
details: 'user added to local Administrators UserName: %MemberName% SID: %MemberSid%'
"#;
let record_json_str = r#"
@@ -1235,7 +1235,7 @@ mod tests {
Channel: Security
EventID: 4732
TargetUserName|startswith: "Administrators"
output: 'user added to local Administrators UserName: %MemberName% SID: %MemberSid%'
details: 'user added to local Administrators UserName: %MemberName% SID: %MemberSid%'
"#;
let record_json_str = r#"
@@ -1277,7 +1277,7 @@ mod tests {
Channel: Security
EventID: 4732
TargetUserName|endswith: "Administrators"
output: 'user added to local Administrators UserName: %MemberName% SID: %MemberSid%'
details: 'user added to local Administrators UserName: %MemberName% SID: %MemberSid%'
"#;
let record_json_str = r#"
@@ -1319,7 +1319,7 @@ mod tests {
Channel: Security
EventID: 4732
TargetUserName|endswith: "Administrators"
output: 'user added to local Administrators UserName: %MemberName% SID: %MemberSid%'
details: 'user added to local Administrators UserName: %MemberName% SID: %MemberSid%'
"#;
let record_json_str = r#"
@@ -1361,7 +1361,7 @@ mod tests {
Channel: Security
EventID: 4732
TargetUserName|contains: "Administrators"
output: 'user added to local Administrators UserName: %MemberName% SID: %MemberSid%'
details: 'user added to local Administrators UserName: %MemberName% SID: %MemberSid%'
"#;
let record_json_str = r#"
@@ -1403,7 +1403,7 @@ mod tests {
Channel: Security
EventID: 4732
TargetUserName|contains: "Administrators"
output: 'user added to local Administrators UserName: %MemberName% SID: %MemberSid%'
details: 'user added to local Administrators UserName: %MemberName% SID: %MemberSid%'
"#;
let record_json_str = r#"
@@ -1443,7 +1443,7 @@ mod tests {
detection:
selection:
Channel: ホストアプリケーション
output: 'command=%CommandLine%'
details: 'command=%CommandLine%'
"#;
let record_json_str = r#"
@@ -1473,7 +1473,7 @@ mod tests {
detection:
selection:
Channel: ホスとアプリケーション
output: 'command=%CommandLine%'
details: 'command=%CommandLine%'
"#;
let record_json_str = r#"
@@ -1503,7 +1503,7 @@ mod tests {
detection:
selection:
Channel: Security
output: 'command=%CommandLine%'
details: 'command=%CommandLine%'
"#;
let record_json_str = r#"
@@ -1591,7 +1591,7 @@ mod tests {
detection:
selection:
- 4103
output: 'command=%CommandLine%'
details: 'command=%CommandLine%'
"#;
let record_json_str = r#"
@@ -1621,7 +1621,7 @@ mod tests {
detection:
selection:
- 4104
output: 'command=%CommandLine%'
details: 'command=%CommandLine%'
"#;
let record_json_str = r#"
@@ -1653,7 +1653,7 @@ mod tests {
selection:
Channel:
value: Security
output: 'command=%CommandLine%'
details: 'command=%CommandLine%'
"#;
let record_json_str = r#"
@@ -1685,7 +1685,7 @@ mod tests {
selection:
Channel:
value: Securiteen
output: 'command=%CommandLine%'
details: 'command=%CommandLine%'
"#;
let record_json_str = r#"


@@ -356,7 +356,7 @@ mod tests {
detection:
selection:
Event.System.Computer: DESKTOP-ICHIICHI
output: 'command=%CommandLine%'
details: 'command=%CommandLine%'
"#;
let record_json_str = r#"
@@ -386,7 +386,7 @@ mod tests {
detection:
selection:
Event.System.Computer: DESKTOP-ICHIICHIN
output: 'command=%CommandLine%'
details: 'command=%CommandLine%'
"#;
let record_json_str = r#"
@@ -416,7 +416,7 @@ mod tests {
detection:
selection:
Channel: NOTDETECT
output: 'command=%CommandLine%'
details: 'command=%CommandLine%'
"#;
let record_json_str = r#"
@@ -471,7 +471,7 @@ mod tests {
selection:
EventID: 4797
Event.System.Provider_attributes.Guid: 54849625-5478-4994-A5BA-3E3B0328C30D
output: 'command=%CommandLine%'
details: 'command=%CommandLine%'
"#;
let record_json_str = r#"
@@ -530,7 +530,7 @@ mod tests {
selection:
EventID: 4797
Event.System.Provider_attributes.Guid: 54849625-5478-4994-A5BA-3E3B0328C30DSS
output: 'command=%CommandLine%'
details: 'command=%CommandLine%'
"#;
let record_json_str = r#"
@@ -610,7 +610,7 @@ mod tests {
selection:
Event.EventData.Workstation: 'TEST WorkStation'
Event.EventData.TargetUserName: ichiichi11
output: 'command=%CommandLine%'
details: 'command=%CommandLine%'
"#;
let record_json_str = r#"
@@ -654,7 +654,7 @@ mod tests {
selection:
EventID: 4103
TargetUserName: ichiichi11
output: 'command=%CommandLine%'
details: 'command=%CommandLine%'
"#;
let record_json_str = r#"
@@ -699,7 +699,7 @@ mod tests {
selection:
EventID: 4103
TargetUserName: ichiichi12
output: 'command=%CommandLine%'
details: 'command=%CommandLine%'
"#;
let record_json_str = r#"
@@ -746,7 +746,7 @@ mod tests {
selection:
EventID: 403
EventData|re: '[\s\S]*EngineVersion=2\.0[\s\S]*'
output: 'command=%CommandLine%'
details: 'command=%CommandLine%'
"#;
let record_json_str = r#"
@@ -810,7 +810,7 @@ mod tests {
selection:
EventID: 403
EventData: '[\s\S]*EngineVersion=3.0[\s\S]*'
output: 'command=%CommandLine%'
details: 'command=%CommandLine%'
"#;
let record_json_str = r#"
@@ -876,7 +876,7 @@ mod tests {
param2|startswith:
- "disa"
- "aut"
output: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
details: 'Service name : %param1%¥nMessage : Event Log Service Stopped¥nResults: Selective event log manipulation may follow this event.'
"#;
let record_json_str = r#"
@@ -918,7 +918,7 @@ mod tests {
selection:
Channel|failed: Security
EventID: 0
output: 'Rule parse test'
details: 'Rule parse test'
"#;
let mut rule_yaml = YamlLoader::load_from_str(rule_str).unwrap().into_iter();
let mut rule_node = create_rule("testpath".to_string(), rule_yaml.next().unwrap());
@@ -938,7 +938,7 @@ mod tests {
let rule_str = r#"
enabled: true
detection:
output: 'Rule parse test'
details: 'Rule parse test'
"#;
let mut rule_yaml = YamlLoader::load_from_str(rule_str).unwrap().into_iter();
let mut rule_node = create_rule("testpath".to_string(), rule_yaml.next().unwrap());


@@ -418,7 +418,7 @@ mod tests {
selection:
Channel: Security
EventID: 4103
output: 'command=%CommandLine%'
details: 'command=%CommandLine%'
"#;
let record_json_str = r#"
@@ -451,7 +451,7 @@ mod tests {
Channel: Security
EventID: 4103
Computer: DESKTOP-ICHIICHIN
output: 'command=%CommandLine%'
details: 'command=%CommandLine%'
"#;
let record_json_str = r#"
@@ -483,7 +483,7 @@ mod tests {
Channel:
- PowerShell
- Security
output: 'command=%CommandLine%'
details: 'command=%CommandLine%'
"#;
let record_json_str = r#"
@@ -515,7 +515,7 @@ mod tests {
Channel:
- PowerShell
- Security
output: 'command=%CommandLine%'
details: 'command=%CommandLine%'
"#;
let record_json_str = r#"
@@ -547,7 +547,7 @@ mod tests {
Channel:
- PowerShell
- Security
output: 'command=%CommandLine%'
details: 'command=%CommandLine%'
"#;
let record_json_str = r#"