From 257bd5624a866ca2d55b1f35fc6da0aea341d3d7 Mon Sep 17 00:00:00 2001
From: fukusuket <41001169+fukusuket@users.noreply.github.com>
Date: Mon, 21 Oct 2024 22:05:54 -0400
Subject: [PATCH] test: add allowlist/regexes rule test files
---
 src/detections/rule/matchers.rs | 10 +++++-----
 src/detections/utils.rs | 4 ++--
 .../regex/allowlist_legitimate_services.txt | 2 ++
 .../regex/detectlist_suspicous_services.txt | 16 ++++++++++++++++
 4 files changed, 25 insertions(+), 7 deletions(-)
 create mode 100644 test_files/config/regex/allowlist_legitimate_services.txt
 create mode 100644 test_files/config/regex/detectlist_suspicous_services.txt
diff --git a/src/detections/rule/matchers.rs b/src/detections/rule/matchers.rs
index 9886fc204..e43528af3 100644
--- a/src/detections/rule/matchers.rs
+++ b/src/detections/rule/matchers.rs
@@ -1106,8 +1106,8 @@ mod tests {
 - ホスト アプリケーション
 ImagePath:
 min_length: 1234321
- regexes: rules/config/regex/detectlist_suspicous_services.txt
- allowlist: rules/config/regex/allowlist_legitimate_services.txt
+ regexes: test_files/config/regex/detectlist_suspicous_services.txt
+ allowlist: test_files/config/regex/allowlist_legitimate_services.txt
 falsepositives:
 - unknown
 level: medium
@@ -1588,7 +1588,7 @@ mod tests {
 selection:
 EventID: 4103
 Channel:
- - allowlist: rules/config/regex/allowlist_legitimate_services.txt
+ - allowlist: test_files/config/regex/allowlist_legitimate_services.txt
 details: 'command=%CommandLine%'
 "#;
 
@@ -1612,7 +1612,7 @@ mod tests {
 selection:
 EventID: 4103
 Channel:
- - allowlist: rules/config/regex/allowlist_legitimate_services.txt
+ - allowlist: test_files/config/regex/allowlist_legitimate_services.txt
 details: 'command=%CommandLine%'
 "#;
 
@@ -1636,7 +1636,7 @@ mod tests {
 selection:
 EventID: 4103
 Channel:
- - allowlist: rules/config/regex/allowlist_legitimate_services.txt
+ - allowlist: test_files/config/regex/allowlist_legitimate_services.txt
 details: 'command=%CommandLine%'
 "#;
 
diff --git a/src/detections/utils.rs b/src/detections/utils.rs
index 09e7acc39..9199aba90 100644
--- a/src/detections/utils.rs
+++ b/src/detections/utils.rs
@@ -897,7 +897,7 @@ mod tests {
 #[test]
 fn test_check_regex() {
 let regexes: Vec =
- utils::read_txt("rules/config/regex/detectlist_suspicous_services.txt")
+ utils::read_txt("test_files/config/regex/detectlist_suspicous_services.txt")
 .unwrap()
 .iter()
 .map(|regex_str| Regex::new(regex_str).unwrap())
@@ -913,7 +913,7 @@ mod tests {
 fn test_check_allowlist() {
 let commandline = "\"C:\\Program Files\\Google\\Update\\GoogleUpdate.exe\"";
 let allowlist: Vec =
- utils::read_txt("rules/config/regex/allowlist_legitimate_services.txt")
+ utils::read_txt("test_files/config/regex/allowlist_legitimate_services.txt")
 .unwrap()
 .iter()
 .map(|allow_str| Regex::new(allow_str).unwrap())
diff --git a/test_files/config/regex/allowlist_legitimate_services.txt b/test_files/config/regex/allowlist_legitimate_services.txt
new file mode 100644
index 000000000..4a160ef08
--- /dev/null
+++ b/test_files/config/regex/allowlist_legitimate_services.txt
@@ -0,0 +1,2 @@
+^"C:\\Program Files\\Google\\Chrome\\Application\\chrome\.exe"
+^"C:\\Program Files\\Google\\Update\\GoogleUpdate\.exe"
diff --git a/test_files/config/regex/detectlist_suspicous_services.txt b/test_files/config/regex/detectlist_suspicous_services.txt
new file mode 100644
index 000000000..1d8f1570f
--- /dev/null
+++ b/test_files/config/regex/detectlist_suspicous_services.txt
@@ -0,0 +1,16 @@
+^cmd.exe /c echo [a-z]{6} > \\\\.\\pipe\\[a-z]{6}$
+powershell.*FromBase64String.*IO.Compression.GzipStream
+DownloadString\(.http
+.*(?i)mimikatz.*
+.*(?i)mimidvr.*
+Invoke-Mimikatz.ps
+PowerSploit.*ps1
+[a-zA-Z0-9/+=]{500}
+.*(?i)powershell.*
+.*(?i)cmd.*
+\\csc\.exe
+\\csc\.exe.*\\Appdata\\Local\\Temp\\[a-z0-9]{8}\.cmdline
+\\cvtres\.exe.*
+\\cvtres\.exe.*\\AppData\\Local\\Temp\\[A-Z0-9]{7}\.tmp
+^[a-zA-Z]{22}$
+^[a-zA-Z]{16}$
\ No newline at end of file
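Review bot: The two new fixtures are inconsistent about line endings — detectlist_suspicous_services.txt is added without a trailing newline (`\ No newline at end of file`) while allowlist_legitimate_services.txt ends with one — and neither test in the utils.rs hunks drops blank entries before `.map(|allow_str| Regex::new(allow_str).unwrap())`. An empty pattern compiles to a regex that matches every input, so if `read_txt` (not visible here) returns a trailing empty segment for the newline-terminated file, `test_check_allowlist` would pass for any commandline rather than specifically for the GoogleUpdate entry, and the same applies to `test_check_regex` and the detectlist. Adding the final newline to the detectlist fixture so both files are read the same way, and inserting `.filter(|s| !s.trim().is_empty())` between `.iter()` and `.map(...)` in both tests, keeps the assertions meaningful regardless of how read_txt splits lines. The bodies of both test functions continue outside the hunks.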