From 9110801b0d30279ba7dec208fd03baae9e12cf60 Mon Sep 17 00:00:00 2001
From: Kazuminn
Date: Tue, 29 Sep 2020 15:14:37 +0900
Subject: [PATCH 1/3] add 7040,104 and refactor
---
 src/detections/application.rs | 4 ++--
 src/detections/detection.rs | 2 +-
 src/detections/system.rs | 44 ++++++++++++++++++++++++++++++++++-
 3 files changed, 46 insertions(+), 4 deletions(-)
diff --git a/src/detections/application.rs b/src/detections/application.rs
index 0ba374a3..921a841b 100644
--- a/src/detections/application.rs
+++ b/src/detections/application.rs
@@ -18,11 +18,11 @@ impl Application {
 event_data: HashMap,
 ) {
 if event_id == "2" {
- &self.emet(system, event_data);
+ &self.emet(system);
 }
 }
- fn emet(&mut self, system: &event::System, event_data: HashMap) {
+ fn emet(&mut self, system: &event::System) {
 match &system.provider.name {
 Some(name) => {
 if (name != "EMET") {
diff --git a/src/detections/detection.rs b/src/detections/detection.rs
index 81431af3..15976c05 100644
--- a/src/detections/detection.rs
+++ b/src/detections/detection.rs
@@ -41,7 +41,7 @@ impl Detection {
 if channel == "Security" {
 &security.detection(event_id, &event.system, event_data);
 } else if channel == "System" {
- &system.detection();
+ &system.detection(event_id, &event.system, event_data);
 } else if channel == "Application" {
 &application.detection(event_id, &event.system, event_data);
 } else {
diff --git a/src/detections/system.rs b/src/detections/system.rs
index 3c5b6401..6399d3f4 100644
--- a/src/detections/system.rs
+++ b/src/detections/system.rs
@@ -1,3 +1,6 @@
+use crate::models::event;
+use std::collections::HashMap;
+
 pub struct System {}
 impl System {
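Review bot: The new `&self.emet(system);` line in the application.rs hunk borrows the `()` that `emet` returns and throws the reference away, so the `&` is a no-op that newer toolchains report as an unused borrow; write it as `self.emet(system);`. The same pattern is carried into the new `&system.detection(event_id, &event.system, event_data);` line in the detection.rs hunk and into both calls in the new `detection` body in system.rs. The enclosing `detection` method in application.rs starts outside this hunk, so whether the `event_data` parameter it still declares is used elsewhere is not visible here.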
@@ -5,5 +8,44 @@ impl System {
 System {}
 }
- pub fn detection(&self) {}
+ pub fn detection(
+ &mut self,
+ event_id: String,
+ system: &event::System,
+ event_data: HashMap,
+ ) {
+ if event_id == "104" {
+ &self.system_log_clear();
+ } else if event_id == "7040" {
+ &self.windows_event_log(event_data);
+ }
+ }
+
+ fn system_log_clear(&mut self) {
+ println!("Message : System Log Clear");
+ println!("Results : The System log was cleared.");
+ }
+
+ fn windows_event_log(&mut self, event_data: HashMap) {
+ match event_data.get("param1") {
+ Some(_data) => {
+ if _data == "Windows Event Log" {
+ println!("Service name : {}", _data);
+ match event_data.get("param2") {
+ Some(_data) => {
+ if _data == "disabled" {
+ println!("Message : Event Log Service Stopped");
+ println!("Results : Selective event log manipulation may follow this event.");
+ } else if _data == "auto start" {
+ println!("Message : Event Log Service Started");
+ println!("Results : Selective event log manipulation may precede this event.");
+ }
+ }
+ None => (),
+ }
+ }
+ }
+ None => (),
+ }
+ }
 }
From 70934014a3fecd178e0178169b5e772cd7cadb22 Mon Sep 17 00:00:00 2001
From: Kazuminn
Date: Tue, 29 Sep 2020 15:20:44 +0900
Subject: [PATCH 2/3] refactor
---
 src/detections/system.rs | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/src/detections/system.rs b/src/detections/system.rs
index 6399d3f4..fdcea53c 100644
--- a/src/detections/system.rs
+++ b/src/detections/system.rs
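Review bot: `windows_event_log` derives both verdicts from `param2`, but the Service Control Manager 7040 message is "The start type of the %1 service was changed from %2 to %3", so if the EventData follows that template `param2` is the previous start type and `param3` the new one, and `_data == "disabled"` would print "Event Log Service Stopped" precisely when the service was just re-enabled; please confirm against a captured 7040 record and, if so, compare `event_data.get("param3")` instead. Matching the localized display name `"Windows Event Log"` in `param1` may also miss non-English installs, where the short service name (`param4` on recent Windows versions, if the parser exposes it) is stable. Separately, `system` is taken by `detection` but never read, and `&mut self` is unnecessary because none of the three methods touch instance state, so the caller in detection.rs must hold a mutable binding for nothing. The `_data` bindings are read despite the underscore prefix that marks a name as unused; the renames to `_param1`/`_param2` in the two follow-up patches keep that prefix.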
@@ -28,15 +28,15 @@ impl System {
 fn windows_event_log(&mut self, event_data: HashMap) {
 match event_data.get("param1") {
- Some(_data) => {
- if _data == "Windows Event Log" {
- println!("Service name : {}", _data);
+ Some(_param1) => {
+ if _param1 == "Windows Event Log" {
+ println!("Service name : {}", _param1);
 match event_data.get("param2") {
- Some(_data) => {
- if _data == "disabled" {
+ Some(_param2) => {
+ if _param2 == "disabled" {
 println!("Message : Event Log Service Stopped");
 println!("Results : Selective event log manipulation may follow this event.");
- } else if _data == "auto start" {
+ } else if _param2 == "auto start" {
 println!("Message : Event Log Service Started");
 println!("Results : Selective event log manipulation may precede this event.");
 }
From 057163a5a6393df4d152653c5846af2d93cc0098 Mon Sep 17 00:00:00 2001
From: Kazuminn
Date: Tue, 29 Sep 2020 18:27:57 +0900
Subject: [PATCH 3/3] refactor
---
 src/detections/system.rs | 30 ++++++++++++++----------------
 1 file changed, 14 insertions(+), 16 deletions(-)
diff --git a/src/detections/system.rs b/src/detections/system.rs
index fdcea53c..c4eedb27 100644
--- a/src/detections/system.rs
+++ b/src/detections/system.rs
@@ -27,25 +27,23 @@ impl System {
 }
 fn windows_event_log(&mut self, event_data: HashMap) {
- match event_data.get("param1") {
- Some(_param1) => {
- if _param1 == "Windows Event Log" {
- println!("Service name : {}", _param1);
- match event_data.get("param2") {
- Some(_param2) => {
- if _param2 == "disabled" {
- println!("Message : Event Log Service Stopped");
- println!("Results : Selective event log manipulation may follow this event.");
- } else if _param2 == "auto start" {
- println!("Message : Event Log Service Started");
- println!("Results : Selective event log manipulation may precede this event.");
- }
- }
- None => (),
+ if let Some(_param1) = event_data.get("param1") {
+ if _param1 == "Windows Event Log" {
+ println!("Service name : {}", _param1);
+ if let Some(_param2) = event_data.get("param2") {
+ if _param2 == "disabled" {
+ println!("Message : Event Log Service Stopped");
+ println!(
+ "Results : Selective event log manipulation may follow this event."
+ );
+ } else if _param2 == "auto start" {
+ println!("Message : Event Log Service Started");
+ println!(
+ "Results : Selective event log manipulation may precede this event."
+ );
 }
 }
 }
- None => (),
 }
 }
 }
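Review bot: The rewritten `windows_event_log` still nests four levels (`if let` → `if` → `if let` → `if`/`else if`) to express two guarded lookups; an early-return `match` with a guard on `param1` followed by a guarded `match` on `param2` flattens it, and lets the bindings drop the underscore prefix, which marks a name as unused although `_param1` and `_param2` are both read. The question of whether the 7040 record carries the new start type in `param2` or `param3` (raised on the first patch) is untouched by this refactor, as is the `&mut self` that no method needs. The version below keeps every printed string byte-for-byte.
```rust
    fn windows_event_log(&mut self, event_data: HashMap) {
        // Guard clause: only the event-log service is of interest here.
        let service = match event_data.get("param1") {
            Some(name) if name == "Windows Event Log" => name,
            _ => return,
        };
        println!("Service name : {}", service);
        match event_data.get("param2") {
            Some(start_type) if start_type == "disabled" => {
                println!("Message : Event Log Service Stopped");
                println!("Results : Selective event log manipulation may follow this event.");
            }
            Some(start_type) if start_type == "auto start" => {
                println!("Message : Event Log Service Started");
                println!("Results : Selective event log manipulation may precede this event.");
            }
            _ => {}
        }
    }
```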