From c6b2879eb5316d3113c7568436fc1d582048ee41 Mon Sep 17 00:00:00 2001
From: Tanaka Zakku <71482215+YamatoSecurity@users.noreply.github.com>
Date: Wed, 20 Apr 2022 10:16:25 +0900
Subject: [PATCH 1/3] change path

---
 README-Japanese.md | 6 +++---
 README.md | 6 +++---
 config/level_tuning.txt | 7 -------
 src/detections/configs.rs | 2 +-
 src/main.rs | 4 ++--
 5 files changed, 9 insertions(+), 16 deletions(-)
 delete mode 100644 config/level_tuning.txt

diff --git a/README-Japanese.md b/README-Japanese.md
index be8d893b..c0816daa 100644
--- a/README-Japanese.md
+++ b/README-Japanese.md
@@ -320,7 +320,7 @@ USAGE:
 -s --statistics 'イベント ID の統計情報を表示する。'
 -q --quiet 'Quietモード。起動バナーを表示しない。'
 -Q --quiet-errors 'Quiet errorsモード。エラーログを保存しない。'
- --level-tuning 'ルールlevelのチューニング [default: ./config/level_tuning.txt]'
+ --level-tuning 'ルールlevelのチューニング [default: ./rules/config/level_tuning.txt]'
 -p --pivot-keywords-list 'ピボットキーワードの一覧作成。'
 --contributors 'コントリビュータの一覧表示。'
 ```
@@ -560,10 +560,10 @@ Hayabusaルールは、Windowsのイベントログ解析専用に設計され
 ## 検知レベルのlevelチューニング
 Hayabusaルール、Sigmaルールはそれぞれの作者が検知した際のリスクレベルを決めています。
-ユーザが独自のリスクレベルに設定するには`./config/level_tuning.txt`に変換情報を書き、`hayabusa.exe --level-tuning`を実行することでルールファイルが書き換えられます。
+ユーザが独自のリスクレベルに設定するには`./rules/config/level_tuning.txt`に変換情報を書き、`hayabusa.exe --level-tuning`を実行することでルールファイルが書き換えられます。
 ルールファイルが直接書き換えられることに注意して使用してください。
-`./config/level_tuning.txt`の例:
+`./rules/config/level_tuning.txt`の例:
 ```
 id,new_level
 00000000-0000-0000-0000-000000000000,informational # sample level tuning line
diff --git a/README.md b/README.md
index 07a69398..0ed57fe9 100644
--- a/README.md
+++ b/README.md
@@ -313,7 +313,7 @@ USAGE:
 -s --statistics 'Prints statistics of event IDs.'
 -q --quiet 'Quiet mode. Do not display the launch banner.'
 -Q --quiet-errors 'Quiet errors mode. Do not save error logs.'
- --level-tuning 'Tune the rule level [default: ./config/level_tuning.txt]'
+ --level-tuning 'Tune the rule level [default: ./rules/config/level_tuning.txt]'
 -p --pivot-keywords-list 'Create a list of pivot keywords.'
 --contributors 'Prints the list of contributors.'
 ```
@@ -552,10 +552,10 @@ You can also add a rule ID to `rules/config/noisy_rules.txt` in order to ignore
 Hayabusa and Sigma rule authors will determine the risk level of the alert when writing their rules. However, the actual risk level will differ between environments.
-You can tune the risk level of the rules by adding them to `./config/level_tuning.txt` and executing `hayabusa.exe --level-tuning` which will update the `level` line in the rule file.
+You can tune the risk level of the rules by adding them to `./rules/config/level_tuning.txt` and executing `hayabusa.exe --level-tuning` which will update the `level` line in the rule file.
 Please note that the rule file will be updated directly.
-`./config/level_tuning.txt` sample line:
+`./rules/config/level_tuning.txt` sample line:
 ```
 id,new_level
diff --git a/config/level_tuning.txt b/config/level_tuning.txt
deleted file mode 100644
index 5e3051b3..00000000
--- a/config/level_tuning.txt
+++ /dev/null
@@ -1,7 +0,0 @@
-id,new_level
-00000000-0000-0000-0000-000000000000,informational # sample level tuning line
-fdb62a13-9a81-4e5c-a38f-ea93a16f6d7c,medium # "Encoded FromBase64String". Originally critical.
-61a7697c-cb79-42a8-a2ff-5f0cdfae0130,high # "CobaltStrike Service Installations in Registry". Originally critical.
-36803969-5421-41ec-b92f-8500f79c23b0,low # "Detects persistence registry keys". Originally critical. Changed to low due to a high possibility of false positives.
-06d71506-7beb-4f22-8888-e2e5e2ca7fd8,medium # "Mimikatz Use". Originally critical. Rule creates tons of false positives so lowered to medium.
-dae8171c-5ec6-4396-b210-8466585b53e9,medium # "SCM Database Privileged Operation"
\ No newline at end of file
diff --git a/src/detections/configs.rs b/src/detections/configs.rs
index f336aa1e..eff22a24 100644
--- a/src/detections/configs.rs
+++ b/src/detections/configs.rs
@@ -102,7 +102,7 @@ fn build_app<'a>() -> ArgMatches<'a> {
 .arg(
 // TODO: When update claps to 3.x, these can write in usage texts...
 Arg::from_usage("--level-tuning=[LEVEL_TUNING_FILE] 'Adjust rule level.'")
- .default_value("./config/level_tuning.txt"),
+ .default_value("./rules/config/level_tuning.txt"),
 )
 .usage(usages)
 .args_from_usage(usages)
diff --git a/src/main.rs b/src/main.rs
index dc3fdf9d..5b7d6abd 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -235,7 +235,7 @@ impl App {
 .unwrap()
 .args
 .value_of("level-tuning")
- .unwrap_or("./config/level_tuning.txt")
+ .unwrap_or("./rules/config/level_tuning.txt")
 .to_string();
 if Path::new(&level_tuning_config_path).exists() {
@@ -253,7 +253,7 @@ impl App {
 } else {
 AlertMessage::alert(
 &mut BufWriter::new(std::io::stderr().lock()),
- "Need rule_levels.txt file to use --level-tuning option [default: ./config/level_tuning.txt]",
+ "Need rule_levels.txt file to use --level-tuning option [default: ./rules/config/level_tuning.txt]",
 )
 .ok();
 }
From 06ccf8382b34f96316e45ed86508592d4ccf6413 Mon Sep 17 00:00:00 2001
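Review bot: The default path `./rules/config/level_tuning.txt` is a string literal repeated in this configs.rs hunk, in both main.rs hunks (`unwrap_or` at @@ -235 and the alert text at @@ -253) and in both READMEs, which is exactly what forced this five-file edit; declare it once, e.g. `pub const DEFAULT_LEVEL_TUNING_PATH: &str = "./rules/config/level_tuning.txt";` in configs.rs, and use it for `.default_value(...)`, the `unwrap_or(...)` and the message. Because clap is given `default_value`, the `unwrap_or` fallback in main.rs appears unreachable, so the constant mainly prevents the three copies from drifting apart. Note also that this series deletes config/level_tuning.txt without adding anything under rules/config/, so the new default points at a file the repository no longer ships; presumably it is expected to come with the rules content, and if ./rules is populated or refreshed from an external source, user tuning edits stored there can be overwritten on update, which the README paragraph should state. build_app continues outside the hunk.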
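Review bot: The alert text on the added line still says `Need rule_levels.txt file` while the option, the default path and the READMEs all name `level_tuning.txt`, so the message sends a user looking for the wrong file; change it to `"Need level_tuning.txt file to use --level-tuning option [default: ./rules/config/level_tuning.txt]"`. The literal was touched here only to update the path, so the stale filename was carried over. The enclosing method of `impl App` starts and ends outside the hunk.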
From: DustInDark
Date: Wed, 20 Apr 2022 18:30:05 +0900
Subject: [PATCH 2/3] fixed to include noisy and exclude rules when level tuning #511

---
 src/filter.rs | 12 +++++++++---
 src/main.rs | 4 +---
 src/options/level_tuning.rs | 5 +++--
 src/yaml.rs | 12 +++--------
 4 files changed, 16 insertions(+), 17 deletions(-)

diff --git a/src/filter.rs b/src/filter.rs
index 636436f9..766f2d35 100644
--- a/src/filter.rs
+++ b/src/filter.rs
@@ -19,10 +19,16 @@ pub struct RuleExclude {
 pub no_use_rule: HashSet,
 }
+impl RuleExclude {
+ pub fn default() -> RuleExclude {
+ RuleExclude {
+ no_use_rule: HashSet::new(),
+ }
+ }
+}
+
 pub fn exclude_ids() -> RuleExclude {
- let mut exclude_ids = RuleExclude {
- no_use_rule: HashSet::new(),
- };
+ let mut exclude_ids = RuleExclude::default();
 if !configs::CONFIG
 .read()
diff --git a/src/main.rs b/src/main.rs
index 5b7d6abd..359465e8 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -775,9 +775,7 @@ impl App {
 .read_dir(
 rule_folder_path,
 "INFORMATIONAL",
- &filter::RuleExclude {
- no_use_rule: HashSet::new(),
- },
+ &filter::RuleExclude::default(),
 )
 .ok();
diff --git a/src/options/level_tuning.rs b/src/options/level_tuning.rs
index 9ca51d18..4aede5b8 100644
--- a/src/options/level_tuning.rs
+++ b/src/options/level_tuning.rs
@@ -1,5 +1,5 @@
 use crate::detections::{configs, utils};
-use crate::filter;
+use crate::filter::RuleExclude;
 use crate::yaml::ParseYaml;
 use std::collections::HashMap;
 use std::fs::{self, File};
@@ -45,8 +45,9 @@ impl LevelTuning {
 // Read Rule files
 let mut rulefile_loader = ParseYaml::new();
+ //noisy rules and exclude rules treats as update target
 let result_readdir =
- rulefile_loader.read_dir(rules_path, "informational", &filter::exclude_ids());
+ rulefile_loader.read_dir(rules_path, "informational", &RuleExclude::default());
 if result_readdir.is_err() {
 return Result::Err(format!("{}", result_readdir.unwrap_err()));
 }
diff --git a/src/yaml.rs b/src/yaml.rs
index e16ce277..192fe41f 100644
--- a/src/yaml.rs
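Review bot: The new `pub fn default()` is an inherent method with the exact signature of `Default::default`, which Clippy flags as `should_implement_trait` and which keeps `RuleExclude` unusable in generic code bounded on `Default`; since the `HashSet` field already implements `Default`, the whole added impl block can be replaced by `#[derive(Default)]` on `pub struct RuleExclude`, and every `RuleExclude::default()` call site in this series keeps compiling unchanged. If a derive is not wanted, `impl Default for RuleExclude` with the same body gives the same result. A doc comment on the type would also help now that an empty exclusion set is passed deliberately from several places, e.g. `/// Rule IDs to skip while loading; an empty set disables exclusion.` (the field appears to hold rule IDs, judging by `exclude_ids`, so confirm before wording it that way).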
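Review bot: Replacing the `RuleExclude { no_use_rule: HashSet::new() }` literal removes what may have been the only use of `HashSet` in main.rs, and the same applies to the three yaml.rs test hunks (@@ -290, @@ -401, @@ -411); the diffstat shows no import line removed in either file, so if `HashSet` was imported only for these literals the build now emits unused-import warnings (errors under `-D warnings`). Please check the `use` lines of both files and drop the import where it is no longer referenced. The surrounding call in `impl App` starts and ends outside the hunk.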
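Review bot: The added comment `//noisy rules and exclude rules treats as update target` is hard to parse and does not say why the exclusion list is bypassed; suggest `// Level tuning must rewrite every rule file, so noisy/excluded rules are not filtered out here (#511).`. Switching from `filter::exclude_ids()` to `RuleExclude::default()` is the behavioural fix the subject describes, so the comment is the right place to record that the empty set is intentional rather than a forgotten filter. The enclosing function of `impl LevelTuning` starts and ends outside the hunk.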
+++ b/src/yaml.rs
@@ -290,9 +290,7 @@ mod tests {
 AlertMessage::create_error_log(ERROR_LOG_PATH.to_string());
 let mut yaml = yaml::ParseYaml::new();
- let exclude_ids = RuleExclude {
- no_use_rule: HashSet::new(),
- };
+ let exclude_ids = RuleExclude::default();
 let _ = &yaml.read_dir(
 "test_files/rules/yaml/1.yml",
 &String::default(),
@@ -401,9 +399,7 @@ mod tests {
 let mut yaml = yaml::ParseYaml::new();
 let path = Path::new("test_files/rules/yaml");
- let exclude_ids = RuleExclude {
- no_use_rule: HashSet::new(),
- };
+ let exclude_ids = RuleExclude::default();
 yaml.read_dir(path, "", &exclude_ids).unwrap();
 assert_eq!(yaml.ignorerule_count, 0);
 }
@@ -411,9 +407,7 @@ mod tests {
 fn test_exclude_deprecated_rules_file() {
 let mut yaml = yaml::ParseYaml::new();
 let path = Path::new("test_files/rules/deprecated");
- let exclude_ids = RuleExclude {
- no_use_rule: HashSet::new(),
- };
+ let exclude_ids = RuleExclude::default();
 yaml.read_dir(path, "", &exclude_ids).unwrap();
 assert_eq!(yaml.ignorerule_count, 1);
 }
From ca735817d4b17b84ac713cc6d0bbb095bde427de Mon Sep 17 00:00:00 2001
From: DustInDark
Date: Wed, 20 Apr 2022 18:32:41 +0900
Subject: [PATCH 3/3] removed comment out import

---
 src/options/level_tuning.rs | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/src/options/level_tuning.rs b/src/options/level_tuning.rs
index 4aede5b8..c8cf6283 100644
--- a/src/options/level_tuning.rs
+++ b/src/options/level_tuning.rs
@@ -99,9 +99,6 @@ impl LevelTuning {
 #[cfg(test)]
 mod tests {
- // use crate::{filter::RuleExclude, yaml};
- // use hashbrown::HashSet;
-
 use super::*;
 #[test]