James / hach1yon
b0e4247857
Feature/#440 refactoring #395 ( #464 )
2022-03-26 16:11:11 +09:00
DustInDark
7c7a86f7c9
Fixed Clippy Warnings ( #451 )
...
* fixed clippy warn
* fixed cargo clippy warning
* fixed clippy warnings in clippy ver 0.1.59
* fixed clippy warnings clippy::unnecessary_to_owned
2022-03-17 08:43:48 +09:00
kazuminn
d49d6f6210
Automatically scan Event.EventData even when there is no alias key ( #442 )
...
* add no event key
* support not-register-alias search
* added checking EventData when key does not match in alias #290
- added checking key in Event.EventData, if key does not exist in eventkey_alias.txt.
* cargo fmt
* fixed panic when filter files do not exist
* fixed errorlog format when filter config files do not exist
Co-authored-by: DustInDark <nextsasasa@gmail.com>
2022-03-11 13:24:43 +09:00
DustInDark
bb1f5f619d
Fix/fix clippy warn ( #434 )
...
- Fixed following Clippy Warnings(previous warning count: 671 -> after: 4)
- clippy::needless_return
- clippy::println_empty_string
- clippy::redundant_field_names
- clippy::single_char_pattern
- clippy::len_zero
- clippy::iter_nth_zero
- clippy::bool_comparison
- clippy::question_mark
- clippy::needless_collect
- clippy::unnecessary_unwrap
- clippy::ptr_arg
- clippy::needless_collect
- clippy::needless_borrow
- clippy::new_without_default
- clippy::assign_op_pattern
- clippy::bool_assert_comparison
- clippy::into_iter_on_ref
- clippy::deref_addrof
- clippy::while_let_on_iterator
- clippy::match_like_matches_macro
- clippy::or_fun_call
- clippy::useless_conversion
- clippy::let_and_return
- clippy::redundant_clone
- clippy::redundant_closure
- clippy::cmp_owned
- clippy::upper_case_acronyms
- clippy::map_identity
- clippy::unused_io_amount
- clippy::assertions_on_constants
- clippy::op_ref
- clippy::useless_vec
- clippy::vec_init_then_push
- clippy::useless_format
- clippy::bind_instead_of_map
- clippy::bool_comparison
- clippy::clone_on_copy
- clippy::too_many_arguments
- clippy::module_inception
- fixed clippy::needless_lifetimes
- fixed clippy::borrowed_box (Thanks for helping by hach1yon!)
2022-03-07 08:38:05 +09:00
DustInDark
92c472d451
Hotfix/moved rule configs to hayabusa rules repo#409 ( #414 )
...
* fixed target config path #409
* fixed target config file path in test #409
* fixed rules target #409
* Documentation fix, deleted unneeded config files
* added workflow
* changed submodule option
* fixed workflow to ref submodule
* fixed gitmodules
* fixed workflow
* check code insert
* added update submodules command
* test rules update
* removed test runs
* fixed error
Co-authored-by: Tanaka Zakku <71482215+YamatoSecurity@users.noreply.github.com>
2022-02-26 18:19:19 +09:00
DustInDark
58017e971f
fixed detection lack when tab and enter control character in event record#395 ( #396 )
...
* fixed no detected bug when enter and tab control character in record data #395
* added remove \r \n \t character in utils.rs
* added call of utils.rs function in selectionnodes.rs
* added tests #395
* changed space control character function args #395
* fixed test due to function args changes #395
* changed replace method using regex #395
* changed regex by record_data_filter.txt #395
* added record_data_filter.txt #395
* fixed test #395
* added record_data_filter
- add Properties regex
- add ScriptBlockText regex
- add Payload regex
2022-02-17 05:07:15 +09:00
DustInDark
3097ff2ac3
added process case of no exist config files #347
2021-12-24 08:48:38 +09:00
Yamato Security
a023ba46a6
Usage menu update ( #302 )
...
* Usage menu update
* minor adjustments to the usage menu
* fixed options #302
- changed show-deprecated to enable-deprecated-rules
- changed csv-timeline to output
- change show-noisyalerts to enable-noisy-rules
* fixed option #302
- changed starttimeline to start-timeline
* fixed option #302
- changed q to quiet option
* fixed options #302
- changed endtimeline to end-timeline option
- changed threadnum to thread-number option
Co-authored-by: DustInDark <nextsasasa@gmail.com>
2021-12-19 20:03:39 +09:00
James Takai / hach1yon
cbbcb4c068
Feature/re tuning and bugfix for regexes keyword ( #293 )
...
* re-tuning
* not effective
* re-tuning
* set key
* fix bug and fix testcase.
* fmt
2021-12-18 11:13:51 +09:00
Yamato Security
d668fc9241
Regex filename change ( #291 )
...
* update rule config files and art
* renamed the regex sample file
* fixed test error due to filename change #291
Co-authored-by: DustInDark <nextsasasa@gmail.com>
2021-12-17 21:25:55 +09:00
itiB
05076e4fec
Merge branch 'main' into feature/start_finish_time
2021-12-16 20:12:01 +09:00
James Takai / hach1yon
fd200c54b0
tuning ( #280 )
...
* remove unnecessary to_string
* remove unnecessary RWLock
* change hashmap crate
* remove unnecessary to_string
* fmt
* remove rustc warning
* remove unnecessary to_string
* remove unnecessary comment
* remove unused functions
* remove unnecessary code.
* change compile option
* fmt
* remove unnecessary split
* fmt
* remove unnecessary Option
2021-12-14 16:57:49 +09:00
itiB
4bb445d4f5
Add: time filter
2021-12-07 00:50:00 +09:00
itiB
e09cfb7231
Add: datetime util
2021-12-07 00:11:34 +09:00
DustInDark
ac5c5c2917
Bugfix/yml alias not found all data output#227 ( #241 )
...
* removed no use alias #227
* changed case of object type return none #227
- serde json value is object type when alias key doesn't exist in detected record.
* adjust serde_number_to_string function return value change #227
* adjust yml rule to change of aliaskey_alias.txt #227
* merged same regex as static
* create new struct to reduce same output in rule and keyword warn message #227
* changed output position
* removed regression warnings #227
* removed output warning
* Fixed a possible panic when None. #227
* added parse_message test #227
* added get_serde_number_to_string tests #227
* removed unnecessary test data part in get_serde_numuber_to_string test #227
2021-12-04 11:49:38 +09:00
James Takai / hach1yon
2febaa9b73
add target event filtering. ( #242 )
2021-11-28 19:02:27 +09:00
Yamato Security
bc230f7cd5
English corrections ( #236 )
...
* English corrections
* cargo fmt
* fixed test assertion string data
Co-authored-by: DustInDark <nextsasasa@gmail.com>
2021-11-27 11:21:55 +09:00
DustInDark
0b85a280f0
output fix logontype and change order #197 #198 ( #217 )
...
* changed output column order #198
* added eventkey alias #197
* fixed eventid double quotation #197
* fixed eventid double quotation #197
* fixed logontype not converted #197
* fixed WorkStation and added TargetDomainName #205
* fixed typo #205
* Fixed the problem that conversion for No-String types #197
2021-11-20 11:03:28 +09:00
James
7d49b0b521
Feature/#187 change allowlist regexes filenames ( #189 )
...
* add risk level filter arguments #45
* fix default level in help #45
* add test yaml files #45
* refactoring and fix level argument usage.
* cargo fmt --all
* add risk level filter arguments #45
* fix default level in help #45
* add test yaml files #45
* refactoring and fix level argument usage.
* cargo fmt --all
* update
* change filename
* fix regexes and allowlist filename in document #187
Co-authored-by: DustInDark <nextsasasa@gmail.com>
2021-11-12 13:53:09 +09:00
James
15a28e5602
cache regex for allowlist and regexes keyword. ( #174 )
2021-11-10 03:10:03 +09:00
James
c5d5d25817
change from black to allow. ( #164 )
2021-11-09 00:41:21 +09:00
James
4a1e46e47e
Feature/#140 document ( #144 )
...
* update
* fix regexes and whitelist
* underconstructing
* fix
* update
* add pic
* update
* update
* update
* fix
2021-10-22 00:43:40 +09:00
itiB
65b714b81b
Split rule.rs ( #121 )
...
* Refact: split code for matcher from rule.rs
* Refact: combine multiple declared functions
* Refact: split code for SelectionNode from rule.rs
* Refact: mv test code for SelectionNode from rule.rs
* Refact: mv condition's code from rule.rs
* Refact: mv aggregation's code from condition_parser.rs
* Refact: use relationships
* cargo fmt --all
* remove unnecessary matcher
Co-authored-by: HajimeTakai <takai.wa.hajime@gmail.com>
2021-07-08 01:41:59 +09:00
James
2f24dc775f
Feature/filter record by eventid#94 ( #95 )
...
* add function to get event id from rootnode.
* refactoring #76
* maybe fix bug.
* before test
* fix source files.
* cargo fmt --all
* add threadnum parameter
2021-05-06 20:58:43 +09:00
nishikawaakira
7b0357b120
Feature/changeSingleton#53,#65 ( #67 )
...
* change from singleton to global variable
* issue #65
* #65 test mode implemented
* cargo fmt --all
2021-03-19 04:46:52 +09:00
ichiichi11
712f090919
rule file implemented.
2020-11-22 14:42:10 +09:00
ichiichi11
1adcb8c44b
refactoring
2020-11-22 12:12:05 +09:00
akiranishikawa
b183e61596
add regexes and whitelist functions
2020-11-20 16:32:40 +09:00
kazuminn
73fa8090f0
The points that were pointed out
2020-11-02 16:15:44 +09:00
kazuminn
1fcf025a06
fix decode's optional
2020-10-31 22:36:52 +09:00
kazuminn
e7a75ff780
add
2020-10-24 18:08:11 +09:00
kazuminn
f8484bf3bf
Merge branch 'master' into feature/#11
2020-10-13 13:45:09 +09:00
akiranishikawa
4ac372e883
Fix tests
2020-10-13 05:31:06 +09:00
ichiichi11
03a4e973c5
refactoring: change function name
2020-10-12 16:12:55 +09:00
ichiichi11
261676574a
create configs
2020-10-11 23:40:08 +09:00
akiranishikawa
850caa8a53
powershell analysis, fixes to Check-Command
2020-10-11 14:47:39 +09:00
itiB
5f5251a4a4
Fix: solve thread
2020-10-09 02:13:04 +09:00
itiB
c12090227e
Fix: <utils.rs-check_command()> get rdr by reference
2020-10-09 02:04:31 +09:00
Kazuminn
9cab0bb343
add comment
2020-10-04 17:15:08 +09:00
Kazuminn
3e3f7bc51e
fix: the points raised in comments
2020-10-04 17:07:09 +09:00
Kazuminn
e3631abeb3
add test: return immediately when it matches the white list
2020-10-04 16:13:26 +09:00
Kazuminn
7242dfbc1b
refactor
2020-10-03 20:07:45 +09:00
Kazuminn
6d57923ff2
refactor
2020-10-03 20:04:21 +09:00
Kazuminn
61049ce9a8
refactor
2020-10-03 19:52:04 +09:00
Kazuminn
d5fba5e54b
fix test
2020-10-03 19:40:40 +09:00
Kazuminn
fb4ee59dee
refactor
2020-10-03 17:58:43 +09:00
Kazuminn
5071aa0783
all test passed
2020-10-03 17:55:08 +09:00
Kazuminn
927df3f32a
check_regex test ok
2020-10-03 17:34:37 +09:00
Kazuminn
6d8e0a61d2
test 2 pass
2020-10-03 16:52:39 +09:00
Kazuminn
bb2d4bc537
add check_command()
2020-10-03 13:06:25 +09:00