Merge pull request #1191 from Yamato-Security/1188-ask-the-user-which…
…-sigma-rules-they-want-to-enable-by-default-1

added a prompt that asks the user which sigma rules they want to enable by default
hitenkoku authored Oct 22, 2023
2 parents da093e4 + a2971d3 commit 13589b7
Showing 17 changed files with 264 additions and 82 deletions.
4 changes: 3 additions & 1 deletion CHANGELOG-Japanese.md
Expand Up @@ -4,7 +4,9 @@

**改善:**

xxx
- 初心者のユーザのために有効にしたいルールを選択するようにスキャンウィザードを追加した。`-w, --no-wizard`オプションを追加すると、従来の形式でHayabusaを実行できる。(すべてのイベントとアラートをスキャンし、オプションを手動でカスタマイズする) (#1188) (@hitenkoku)
- `pivot-keywords-list`コマンドに`--include-tag`オプションを追加し、指定した`tags`フィールドを持つルールのみをロードするようにした。(#1195) (@hitenkoku)
- `pivot-keywords-list`コマンドに`--exclude-tag`オプションを追加し、指定した`tags`フィールドを持つルールをロードしないようにした。(#1195) (@hitenkoku)

**バグ修正:**

4 changes: 3 additions & 1 deletion CHANGELOG.md
Expand Up @@ -4,7 +4,9 @@

**Enhancements:**

xxx
- Added a scan wizard to help new users choose which rules they want to enable. Add the `-w, --no-wizard` option to run Hayabusa in the traditional way. (Scan for all events and alerts, and customize options manually.) (#1188) (@hitenkoku)
- Added the `--include-tag` option to the `pivot-keywords-list` command to only load rules with the specified `tags` field. (#1195) (@hitenkoku)
- Added the `--exclude-tag` option to the `pivot-keywords-list` command to exclude rules with specific `tags` from being loaded. (#1195) (@hitenkoku)

**Bug Fixes:**

1 change: 1 addition & 0 deletions Cargo.lock


1 change: 1 addition & 0 deletions Cargo.toml
Expand Up @@ -52,6 +52,7 @@ aho-corasick = "*"
memchr = "2.*"
num = "0.4.0"
indexmap = "2.*"
dialoguer = "*"

[profile.dev]
debug = 0
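Review bot: The new `dialoguer = "*"` constraint accepts any published version of the crate, so a future major release with breaking API changes, or a yanked and re-published version, is selected automatically whenever `Cargo.lock` is not honoured (a plain `cargo install` from the registry, or any `cargo update`). The manifest already uses `*` for `aho-corasick` and `indexmap`, so this follows the file's convention, but for a newly added crate that drives interactive terminal input I would pin to the version the lockfile resolved, e.g. `dialoguer = "<resolved version from Cargo.lock>"`, which still allows semver-compatible patch updates. Since `Cargo.lock` is updated in the same commit, `cargo build --locked` is unaffected either way.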
17 changes: 15 additions & 2 deletions src/afterfact.rs
Expand Up @@ -629,7 +629,7 @@ fn emit_csv<W: std::io::Write>(
)
),
"Results Summary {#results_summary}",
stored_static.html_report_flag,
&stored_static.html_report_flag,
);
}
if tl_start_end_time.1.is_some() {
Expand All @@ -643,7 +643,7 @@ fn emit_csv<W: std::io::Write>(
)
),
"Results Summary {#results_summary}",
stored_static.html_report_flag,
&stored_static.html_report_flag,
);
println!();
}
Expand Down Expand Up @@ -1903,6 +1903,7 @@ mod tests {
no_field: false,
remove_duplicate_data: false,
remove_duplicate_detections: false,
no_wizard: true,
},
geo_ip: None,
output: Some(Path::new("./test_emit_csv.csv").to_path_buf()),
Expand Down Expand Up @@ -1991,6 +1992,7 @@ mod tests {
no_field: false,
remove_duplicate_data: false,
remove_duplicate_detections: false,
no_wizard: true,
};
let ch = mock_ch_filter
.get(&CompactString::from("security"))
Expand Down Expand Up @@ -2229,6 +2231,7 @@ mod tests {
no_field: false,
remove_duplicate_data: false,
remove_duplicate_detections: false,
no_wizard: true,
},
geo_ip: None,
output: Some(Path::new("./test_emit_csv_multiline.csv").to_path_buf()),
Expand Down Expand Up @@ -2319,6 +2322,7 @@ mod tests {
no_field: false,
remove_duplicate_data: false,
remove_duplicate_detections: false,
no_wizard: true,
};
let ch = mock_ch_filter
.get(&CompactString::from("security"))
Expand Down Expand Up @@ -2543,6 +2547,7 @@ mod tests {
no_field: false,
remove_duplicate_data: true,
remove_duplicate_detections: false,
no_wizard: true,
},
geo_ip: None,
output: Some(Path::new("./test_emit_csv_remove_duplicate.csv").to_path_buf()),
Expand Down Expand Up @@ -2631,6 +2636,7 @@ mod tests {
no_field: false,
remove_duplicate_data: false,
remove_duplicate_detections: false,
no_wizard: true,
};
let ch = mock_ch_filter
.get(&CompactString::from("security"))
Expand Down Expand Up @@ -2866,6 +2872,7 @@ mod tests {
no_field: false,
remove_duplicate_data: true,
remove_duplicate_detections: false,
no_wizard: true,
},
geo_ip: None,
output: Some(Path::new("./test_emit_csv_remove_duplicate.json").to_path_buf()),
Expand Down Expand Up @@ -2954,6 +2961,7 @@ mod tests {
no_field: false,
remove_duplicate_data: true,
remove_duplicate_detections: false,
no_wizard: true,
};
let ch = mock_ch_filter
.get(&CompactString::from("security"))
Expand Down Expand Up @@ -3274,6 +3282,7 @@ mod tests {
no_field: false,
remove_duplicate_data: false,
remove_duplicate_detections: false,
no_wizard: true,
};
let data: Vec<(CompactString, Profile)> = vec![
(
Expand Down Expand Up @@ -3412,6 +3421,7 @@ mod tests {
no_field: false,
remove_duplicate_data: false,
remove_duplicate_detections: false,
no_wizard: true,
},
geo_ip: None,
output: Some(Path::new("./test_emit_csv_json.json").to_path_buf()),
Expand Down Expand Up @@ -3499,6 +3509,7 @@ mod tests {
no_field: false,
remove_duplicate_data: false,
remove_duplicate_detections: false,
no_wizard: true,
};
let ch = mock_ch_filter
.get(&CompactString::from("security"))
Expand Down Expand Up @@ -3675,6 +3686,7 @@ mod tests {
no_field: false,
remove_duplicate_data: false,
remove_duplicate_detections: false,
no_wizard: true,
},
geo_ip: None,
output: Some(Path::new("./test_emit_csv_jsonl.jsonl").to_path_buf()),
Expand Down Expand Up @@ -3762,6 +3774,7 @@ mod tests {
no_field: false,
remove_duplicate_data: false,
remove_duplicate_detections: false,
no_wizard: true,
};
let ch = mock_ch_filter
.get(&CompactString::from("security"))
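Review bot: The two call sites changed to `&stored_static.html_report_flag,` now pass a `Copy` `bool` by reference, which is noise for a `Copy` type; if the callee's signature was changed to `&bool` in a file not shown here, I would keep the parameter as `bool` and leave these lines as `stored_static.html_report_flag,`. The thirteen `no_wizard: true,` lines added to the test fixtures repeat the same struct literal in every test, so the next field added to `OutputOption` will again touch every fixture; a test-module helper returning the common base value, used as `OutputOption { no_wizard: true, ..base() }` at each site, would keep that to a one-line change. `emit_csv` and each affected test start and end outside the visible hunks.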
46 changes: 40 additions & 6 deletions src/detections/configs.rs
Expand Up @@ -81,6 +81,7 @@ pub struct StoredStatic {
pub exclude_computer: HashSet<CompactString>,
pub include_eid: HashSet<CompactString>,
pub exclude_eid: HashSet<CompactString>,
pub include_status: HashSet<CompactString>, // 読み込み対象ルールのステータスのセット。*はすべてのステータスを読み込む
pub field_data_map: Option<FieldDataMap>,
pub enable_recover_records: bool,
pub timeline_offset: Option<String>,
Expand Down Expand Up @@ -630,6 +631,7 @@ impl StoredStatic {
field_data_map,
enable_recover_records,
timeline_offset,
include_status: HashSet::new(),
};
ret.profiles = load_profile(
check_setting_path(
Expand Down Expand Up @@ -1191,9 +1193,17 @@ pub struct PivotKeywordOption {
pub enable_unsupported_rules: bool,

/// Do not load rules according to status (ex: experimental) (ex: stable,test)
#[arg(help_heading = Some("Filtering"), long = "exclude-status", value_name = "STATUS...", use_value_delimiter = true, value_delimiter = ',', display_order = 316)]
#[arg(help_heading = Some("Filtering"), long = "exclude-status", value_name = "STATUS...", requires="no_wizard", use_value_delimiter = true, value_delimiter = ',', display_order = 316)]
pub exclude_status: Option<Vec<String>>,

/// Only load rules with specific tags (ex: attack.execution,attack.discovery)
#[arg(help_heading = Some("Filtering"), long = "include-tag", value_name = "TAG...", requires="no_wizard", conflicts_with = "exclude_tag", use_value_delimiter = true, value_delimiter = ',', display_order = 353)]
pub include_tag: Option<Vec<String>>,

/// Do not load rules with specific tags (ex: sysmon)
#[arg(help_heading = Some("Filtering"), long = "exclude-tag", value_name = "TAG...", requires="no_wizard", conflicts_with = "include_tag", use_value_delimiter = true, value_delimiter = ',', display_order = 316)]
pub exclude_tag: Option<Vec<String>>,

/// Minimum level for rules to load (default: informational)
#[arg(
help_heading = Some("Filtering"),
Expand All @@ -1202,6 +1212,7 @@ pub struct PivotKeywordOption {
default_value = "informational",
hide_default_value = true,
value_name = "LEVEL",
requires="no_wizard",
conflicts_with = "exact_level",
display_order = 390
)]
Expand All @@ -1213,6 +1224,7 @@ pub struct PivotKeywordOption {
short = 'e',
long = "exact-level",
value_name = "LEVEL",
requires="no_wizard",
conflicts_with = "min_level",
display_order = 313
)]
Expand Down Expand Up @@ -1248,6 +1260,10 @@ pub struct PivotKeywordOption {
/// Overwrite files when saving
#[arg(help_heading = Some("General Options"), short='C', long = "clobber", display_order = 290, requires = "output")]
pub clobber: bool,

/// Do not ask questions. Scan for all events and alerts.
#[arg(help_heading = Some("General Options"), short = 'w', long = "no-wizard", display_order = 400)]
pub no_wizard: bool,
}

#[derive(Args, Clone, Debug)]
Expand Down Expand Up @@ -1329,11 +1345,11 @@ pub struct OutputOption {
pub enable_unsupported_rules: bool,

/// Do not load rules according to status (ex: experimental) (ex: stable,test)
#[arg(help_heading = Some("Filtering"), long = "exclude-status", value_name = "STATUS...", use_value_delimiter = true, value_delimiter = ',', display_order = 316)]
#[arg(help_heading = Some("Filtering"), long = "exclude-status", value_name = "STATUS...", requires="no_wizard", use_value_delimiter = true, value_delimiter = ',', display_order = 316)]
pub exclude_status: Option<Vec<String>>,

/// Only load rules with specific tags (ex: attack.execution,attack.discovery)
#[arg(help_heading = Some("Filtering"), long = "include-tag", value_name = "TAG...", conflicts_with = "exclude_tag", use_value_delimiter = true, value_delimiter = ',', display_order = 353)]
#[arg(help_heading = Some("Filtering"), long = "include-tag", value_name = "TAG...", requires="no_wizard", conflicts_with = "exclude_tag", use_value_delimiter = true, value_delimiter = ',', display_order = 353)]
pub include_tag: Option<Vec<String>>,

/// Only load rules with specified logsource categories (ex: process_creation,pipe_created)
Expand All @@ -1350,6 +1366,7 @@ pub struct OutputOption {
short = 'm',
long = "min-level",
default_value = "informational",
requires="no_wizard",
hide_default_value = true,
value_name = "LEVEL",
display_order = 390,
Expand All @@ -1362,6 +1379,7 @@ pub struct OutputOption {
short = 'e',
long = "exact-level",
value_name = "LEVEL",
requires="no_wizard",
conflicts_with = "min-level",
display_order = 313
)]
Expand All @@ -1388,7 +1406,7 @@ pub struct OutputOption {
pub proven_rules: bool,

/// Do not load rules with specific tags (ex: sysmon)
#[arg(help_heading = Some("Filtering"), long = "exclude-tag", value_name = "TAG...", conflicts_with = "include_tag", use_value_delimiter = true, value_delimiter = ',', display_order = 316)]
#[arg(help_heading = Some("Filtering"), long = "exclude-tag", value_name = "TAG...", requires="no_wizard", conflicts_with = "include_tag", use_value_delimiter = true, value_delimiter = ',', display_order = 316)]
pub exclude_tag: Option<Vec<String>>,

/// Scan only specified EIDs for faster speed (ex: 1) (ex: 1,4688)
Expand Down Expand Up @@ -1474,6 +1492,10 @@ pub struct OutputOption {
/// Remove duplicate detections (default: disabled)
#[arg(help_heading = Some("Output"), short = 'X', long = "remove-duplicate-detections", display_order = 441)]
pub remove_duplicate_detections: bool,

/// Do not ask questions. Scan for all events and alerts.
#[arg(help_heading = Some("General Options"), short = 'w', long = "no-wizard", display_order = 400)]
pub no_wizard: bool,
}

#[derive(Copy, Args, Clone, Debug)]
Expand Down Expand Up @@ -2131,15 +2153,16 @@ fn extract_output_options(config: &Config) -> Option<OutputOption> {
enable_unsupported_rules: option.enable_unsupported_rules,
clobber: option.clobber,
proven_rules: false,
include_tag: None,
exclude_tag: None,
include_tag: option.include_tag.clone(),
exclude_tag: option.exclude_tag.clone(),
include_category: None,
exclude_category: None,
include_eid: option.include_eid.clone(),
exclude_eid: option.exclude_eid.clone(),
no_field: false,
remove_duplicate_data: false,
remove_duplicate_detections: false,
no_wizard: option.no_wizard,
}),
Action::EidMetrics(option) => Some(OutputOption {
input_args: option.input_args.clone(),
Expand Down Expand Up @@ -2177,6 +2200,7 @@ fn extract_output_options(config: &Config) -> Option<OutputOption> {
no_field: false,
remove_duplicate_data: false,
remove_duplicate_detections: false,
no_wizard: true,
}),
Action::LogonSummary(option) => Some(OutputOption {
input_args: option.input_args.clone(),
Expand Down Expand Up @@ -2214,6 +2238,7 @@ fn extract_output_options(config: &Config) -> Option<OutputOption> {
no_field: false,
remove_duplicate_data: false,
remove_duplicate_detections: false,
no_wizard: true,
}),
Action::ComputerMetrics(option) => Some(OutputOption {
input_args: option.input_args.clone(),
Expand Down Expand Up @@ -2260,6 +2285,7 @@ fn extract_output_options(config: &Config) -> Option<OutputOption> {
no_field: false,
remove_duplicate_data: false,
remove_duplicate_detections: false,
no_wizard: true,
}),
Action::Search(option) => Some(OutputOption {
input_args: option.input_args.clone(),
Expand Down Expand Up @@ -2306,6 +2332,7 @@ fn extract_output_options(config: &Config) -> Option<OutputOption> {
no_field: false,
remove_duplicate_data: false,
remove_duplicate_detections: false,
no_wizard: true,
}),
Action::SetDefaultProfile(option) => Some(OutputOption {
input_args: InputOption {
Expand Down Expand Up @@ -2358,6 +2385,7 @@ fn extract_output_options(config: &Config) -> Option<OutputOption> {
no_field: false,
remove_duplicate_data: false,
remove_duplicate_detections: false,
no_wizard: true,
}),
Action::UpdateRules(option) => Some(OutputOption {
input_args: InputOption {
Expand Down Expand Up @@ -2410,6 +2438,7 @@ fn extract_output_options(config: &Config) -> Option<OutputOption> {
no_field: false,
remove_duplicate_data: false,
remove_duplicate_detections: false,
no_wizard: true,
}),
_ => None,
}
Expand Down Expand Up @@ -2658,6 +2687,7 @@ mod tests {
no_field: false,
remove_duplicate_data: false,
remove_duplicate_detections: false,
no_wizard: true,
},
geo_ip: None,
output: None,
Expand Down Expand Up @@ -2729,6 +2759,7 @@ mod tests {
no_field: false,
remove_duplicate_data: false,
remove_duplicate_detections: false,
no_wizard: true,
},
geo_ip: None,
output: None,
Expand Down Expand Up @@ -2915,6 +2946,9 @@ mod tests {
eid_filter: false,
include_eid: None,
exclude_eid: None,
no_wizard: true,
include_tag: None,
exclude_tag: None,
})),
debug: false,
}));
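Review bot: The `requires="no_wizard"` added to `exclude_status`, `include_tag`, `exclude_tag`, `min_level` and `exact_level` in both `PivotKeywordOption` and `OutputOption` turns every existing non-interactive invocation that passes one of those filters without `-w` into a clap usage error, and a run that omits them presumably reaches the `dialoguer` prompt, so the wizard entry point (not in the visible sections) should check that stdin is a terminal and fall back to the `no_wizard` path otherwise, or a scan launched from cron, CI or a SOAR runner will block waiting for input. `min_level` also carries `default_value = "informational"`; confirm that clap does not count the defaulted value as present for `requires`, since that would make `-w` mandatory on every scan. Style-wise the new attribute is written `requires="no_wizard"` while the rest of the file spells it `requires = "output"`, and the `OutputOption` copy sits next to the pre-existing `conflicts_with = "min-level"`, which names the CLI flag rather than the field id `min_level` that the `PivotKeywordOption` copy uses, so it is worth checking that conflict actually fires. The new `include_status` field is the only Japanese-commented field in `StoredStatic` and is initialised to `HashSet::new()` in `StoredStatic::new` without stating what an empty set means; I would replace the comment with `// Rule statuses to load; "*" loads every status. TODO(review): document how the empty set from StoredStatic::new is treated by the filter code`. All of these hunks are excerpts of structs and of `extract_output_options` whose bodies continue outside the visible lines.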