
Feature RustyBlue detections-detection (#19)
* implement RustyBlue feture_detections/detection project #1

* RustyBlue feture_detections/detection project #2

* RustyBlue feture_detections/detection project #3 event_id 修正
fuku-j authored May 6, 2021
1 parent dab2d4f commit 244ba4a
Showing 1 changed file with 47 additions and 12 deletions.
59 changes: 47 additions & 12 deletions src/detections/detection.rs
Expand Up @@ -19,6 +19,11 @@ pub struct Detection {
timeline_list: BTreeMap<String, String>,
}

#[derive(Debug)]
struct ExampleCopyTraitImpl {
n: std::string::String,
}

impl Detection {
pub fn new() -> Detection {
Detection {
Expand All @@ -41,29 +46,59 @@ impl Detection {
match quick_xml::de::from_str(&r.data) {
Ok(event) => {
let event: event::Evtx = event;

let event_id = event.system.event_id.to_string();
let channel = event.system.channel.to_string();
let event_data = event.parse_event_data();

&common.detection(&event.system, &event_data);
if channel == "Security" {
&security.detection(
event_id,
&event.system,
&event.user_data,
event_data,
);
match event_id.as_str() {
"4688" | "4672" | "4720" | "4728" | "4732" | "4756"
| "4625" | "4673" | "4674" | "4648" | "1102" => {
&security.detection(
event_id,
&event.system,
&event.user_data,
event_data,
);
}
_ => println!("Not Match is Event ID Num:{}", event_id),
}
} else if channel == "System" {
&system.detection(event_id, &event.system, event_data);
match event_id.as_str() {
"7030" | "7036" | "7045" | "7040" | "104" => {
&system.detection(event_id, &event.system, event_data);
}
_ => println!("Not Match is Event ID Num:{}", event_id),
}
} else if channel == "Application" {
&application.detection(event_id, &event.system, event_data);
match event_id.as_str() {
"2" => {
&application.detection(event_id, &event.system, event_data);
}
_ => println!("Not Match is Event ID Num:{}", event_id),
}
} else if channel == "Microsoft-Windows-PowerShell/Operational" {
&powershell.detection(event_id, &event.system, event_data);
match event_id.as_str() {
"4103" | "4104" => {
&powershell.detection(event_id, &event.system, event_data);
}
_ => println!("Not Match is Event ID Num:{}", event_id),
}
} else if channel == "Microsoft-Windows-Sysmon/Operational" {
&sysmon.detection(event_id, &event.system, event_data);
match event_id.as_str() {
"1" | "7" => {
&sysmon.detection(event_id, &event.system, event_data);
}
_ => println!("Not Match is Event ID Num:{}", event_id),
}
} else if channel == "Microsoft-Windows-AppLocker/EXE and DLL" {
&applocker.detection(event_id, &event.system, event_data);
match event_id.as_str() {
"8003" | "8004" | "8006" | "8007" => {
&applocker.detection(event_id, &event.system, event_data);
}
_ => println!("Not Match is Event ID Num:{}", event_id),
}
} else {
//&other.detection();
}
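Review bot: The `_ =>` arms added at L58, L66, L74, L82, L90 and L98 print `Not Match is Event ID Num:{}` to stdout for every event whose ID is not in that channel's list, which on a real Security or Sysmon log means one line per unhandled event interleaved with the tool's actual findings; consider dropping the arm body to `_ => {}` or routing it to a debug/verbose sink, and giving the six identical messages one clearer wording such as `"no detection registered for event ID {}"`. The per-channel ID lists are now hard-coded here while the matching logic lives in `security`, `system`, `application`, `powershell`, `sysmon` and `applocker`, so a detection added to one of those modules without updating this allowlist is silently skipped — exposing the handled IDs from each module (a `const` slice or a `handles(event_id)` method) would keep the two in sync. The retained `&security.detection(...)` form borrows a unit return value; rustc warns about the unused borrow and the leading `&` can be dropped on all six calls, e.g. `security.detection(event_id, &event.system, &event.user_data, event_data);`. In the first hunk, `ExampleCopyTraitImpl` is not referenced anywhere in the visible lines and its name suggests `Copy` although only `Debug` is derived, so it looks like leftover scaffolding — verify it is used before merging. The enclosing function starts and ends outside this hunk.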
