Merge pull request #1345 from Yamato-Security/1343-ignore-channel-fil…

…ter-when-J-option chg: disable `Channel` filter when `-J, --JSON-input` option
Yamato-Security · May 10, 2024 · 046fac1 · 046fac1
2 parents 963712c + 4059e0e
commit 046fac1
Show file tree

Hide file tree

Showing 4 changed files with 16 additions and 4 deletions.
diff --git a/CHANGELOG-Japanese.md b/CHANGELOG-Japanese.md
@@ -9,6 +9,7 @@
     - [Possible Hidden Shellcode](https://github.com/Yamato-Security/hayabusa-rules/blob/main/hayabusa/builtin/UnkwnChannEID_Med_PossibleHiddenShellcode.yml)
     - [Mimikatz Use](https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_alert_mimikatz_keywords.yml)
 - デフォルトでは、適用可能なルールを持つ`.evtx`ファイルのみ読み込む。たとえば、さまざまなイベントログのディレクトリをスキャンしている場合でも、 `Channel: Security` を探すルールのみを有効にした場合、Hayabusaは`Security`以外のすべてのイベントログを無視します。ベンチマークでは、通常のスキャンで約10％、単一のルールでスキャンする場合は最大60％以上のパフォーマンス向上が得られる。チャネルに関係なくすべての`.evtx`ファイルを読み込みたい場合は、`csv-timeline` と `json-timeline` の `-a、--scan-all-evtx-files` オプションでこのフィルタリングをオフにすることができる。(#1318) (@fukusuket)
+- 注意: チャンネルフィルタリングは .evtx ファイルにのみ適用され、`-J, --json-input`オプションを使用してイベントログをJSONファイルから読み込む際に`-A`または`-a`を指定するとエラーが発生する。(#1345) (@fukusuket)
 
 **改善:**
 

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -9,6 +9,7 @@
     - [Possible Hidden Shellcode](https://github.com/Yamato-Security/hayabusa-rules/blob/main/hayabusa/builtin/UnkwnChannEID_Med_PossibleHiddenShellcode.yml)
     - [Mimikatz Use](https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_alert_mimikatz_keywords.yml)
 - By default now, `.evtx` files that have applicable rules will be loaded. So for example, if you are scanning a directory of various event logs but only enable a rule that is looking for `Channel: Security` then Hayabusa will ignore all non-security event logs. In our benchmarks, this gives a speed benefit of around 10% with normal scans and up to 60%+ performance increase when scanning with a single rule. If you want to load all `.evtx` files regardless of channel, then you can turn off this filtering with the `-a, --scan-all-evtx-files` option in `csv-timeline` and `json-timeline`. (#1318) (@fukusuket)
+- Note: Channel filtering only works with .evtx files and you will receive an error if you try to load event logs from a JSON file with `-J, --json-input` and also specify `-A` or `-a`. (#1345) (@fukusuket)
 
 **Enhancements:**
 

diff --git a/src/detections/configs.rs b/src/detections/configs.rs
@@ -1578,11 +1578,11 @@ pub struct OutputOption {
     #[arg(help_heading = Some("General Options"), short='s', long = "low-memory-mode", display_order = 380)]
     pub low_memory_mode: bool,
 
-    /// Enable all rules regardless of loaded evtx files
+    /// Enable all rules regardless of loaded evtx files (disable channel filter for rules)
     #[arg(help_heading = Some("Filtering"), short='A', long = "enable-all-rules", display_order = 300)]
     pub enable_all_rules: bool,
 
-    /// Scan all evtx files regardless of loaded rules
+    /// Scan all evtx files regardless of loaded rules (disable channel filter for evtx files)
     #[arg(help_heading = Some("Filtering"), short='a', long = "scan-all-evtx-files", display_order = 450)]
     pub scan_all_evtx_files: bool,
 }

diff --git a/src/main.rs b/src/main.rs
@@ -305,6 +305,13 @@ impl App {
                         return;
                     }
                 }
+                if stored_static.json_input_flag
+                    && (stored_static.scan_all_evtx_files || stored_static.enable_all_rules)
+                {
+                    AlertMessage::alert("It is not necessary to specify -A (--enable-all-rules) or -a (--scan-all-evtx-files) with -J (--JSON-input) because the default channel filter only works with EVTX files.").ok();
+                    println!();
+                    return;
+                }
                 self.analysis_start(&target_extensions, &time_filter, stored_static);
 
                 output_profile_name(&stored_static.output_option, false);
@@ -843,7 +850,7 @@ impl App {
                     .starts_with('.')
                 {
                     AlertMessage::alert(
-                        "--filepath only accepts .evtx files. Hidden files are ignored.",
+                        "-f (--filepath) only accepts .evtx files. Hidden files are ignored. If you want to input event logs in JSON format, please specify -J (--JSON-input).",
                     )
                     .ok();
                     return;
@@ -1432,7 +1439,10 @@ impl App {
                     .ok();
                 return;
             }
-            if !stored_static.scan_all_evtx_files && !stored_static.enable_all_rules {
+            if !stored_static.json_input_flag
+                && !stored_static.scan_all_evtx_files
+                && !stored_static.enable_all_rules
+            {
                 println!("Creating the channel filter. Please wait.");
                 println!();
                 let mut channel_filter = create_channel_filter(&evtx_files, &rule_files);