feat: add --enable-all-rules/--scan-all-evtx-files options
fukusuket committed Apr 29, 2024
1 parent df3fa96 commit 36d3991
Showing 13 changed files with 117 additions and 1 deletion.
28 changes: 28 additions & 0 deletions src/afterfact.rs
Expand Up @@ -2295,6 +2295,8 @@ mod tests {
no_wizard: true,
include_status: None,
low_memory_mode: false,
enable_all_rules: false,
scan_all_evtx_files: false,
},
geo_ip: None,
output: Some(Path::new("./test_emit_csv.csv").to_path_buf()),
Expand Down Expand Up @@ -2386,6 +2388,8 @@ mod tests {
no_wizard: true,
include_status: None,
low_memory_mode: false,
enable_all_rules: false,
scan_all_evtx_files: false,
};
let ch = mock_ch_filter
.get(&CompactString::from("security"))
Expand Down Expand Up @@ -2631,6 +2635,8 @@ mod tests {
no_wizard: true,
include_status: None,
low_memory_mode: false,
enable_all_rules: false,
scan_all_evtx_files: false,
},
geo_ip: None,
output: Some(Path::new("./test_emit_csv_multiline.csv").to_path_buf()),
Expand Down Expand Up @@ -2732,6 +2738,8 @@ mod tests {
no_wizard: true,
include_status: None,
low_memory_mode: false,
enable_all_rules: false,
scan_all_evtx_files: false,
};
let ch = mock_ch_filter
.get(&CompactString::from("security"))
Expand Down Expand Up @@ -2961,6 +2969,8 @@ mod tests {
no_wizard: true,
include_status: None,
low_memory_mode: false,
enable_all_rules: false,
scan_all_evtx_files: false,
},
geo_ip: None,
output: Some(Path::new("./test_emit_csv_remove_duplicate.csv").to_path_buf()),
Expand Down Expand Up @@ -3052,6 +3062,8 @@ mod tests {
no_wizard: true,
include_status: None,
low_memory_mode: false,
enable_all_rules: false,
scan_all_evtx_files: false,
};
let ch = mock_ch_filter
.get(&CompactString::from("security"))
Expand Down Expand Up @@ -3292,6 +3304,8 @@ mod tests {
no_wizard: true,
include_status: None,
low_memory_mode: false,
enable_all_rules: false,
scan_all_evtx_files: false,
},
geo_ip: None,
output: Some(Path::new("./test_emit_csv_remove_duplicate.json").to_path_buf()),
Expand Down Expand Up @@ -3383,6 +3397,8 @@ mod tests {
no_wizard: true,
include_status: None,
low_memory_mode: false,
enable_all_rules: false,
scan_all_evtx_files: false,
};
let ch = mock_ch_filter
.get(&CompactString::from("security"))
Expand Down Expand Up @@ -3696,6 +3712,8 @@ mod tests {
no_wizard: true,
include_status: None,
low_memory_mode: false,
enable_all_rules: false,
scan_all_evtx_files: false,
},
geo_ip: None,
output: Some(Path::new("./test_multiple_data_in_details.json").to_path_buf()),
Expand Down Expand Up @@ -3788,6 +3806,8 @@ mod tests {
no_wizard: true,
include_status: None,
low_memory_mode: false,
enable_all_rules: false,
scan_all_evtx_files: false,
};
let ch = mock_ch_filter
.get(&CompactString::from("security"))
Expand Down Expand Up @@ -4046,6 +4066,8 @@ mod tests {
no_wizard: true,
include_status: None,
low_memory_mode: false,
enable_all_rules: false,
scan_all_evtx_files: false,
},
geo_ip: None,
output: Some(Path::new("./test_emit_csv_json.json").to_path_buf()),
Expand Down Expand Up @@ -4138,6 +4160,8 @@ mod tests {
no_wizard: true,
include_status: None,
low_memory_mode: false,
enable_all_rules: false,
scan_all_evtx_files: false,
};
let ch = mock_ch_filter
.get(&CompactString::from("security"))
Expand Down Expand Up @@ -4321,6 +4345,8 @@ mod tests {
no_wizard: true,
include_status: None,
low_memory_mode: false,
enable_all_rules: false,
scan_all_evtx_files: false,
},
geo_ip: None,
output: Some(Path::new("./test_emit_csv_jsonl.jsonl").to_path_buf()),
Expand Down Expand Up @@ -4413,6 +4439,8 @@ mod tests {
no_wizard: true,
include_status: None,
low_memory_mode: false,
enable_all_rules: false,
scan_all_evtx_files: false,
};
let ch = mock_ch_filter
.get(&CompactString::from("security"))
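Review bot: Every hunk in this file is the same two-line fixture edit (`enable_all_rules: false,` / `scan_all_evtx_files: false,`) applied to a hand-written `OutputOption` literal, fourteen times in this file alone and once more in each of the other test modules in the commit. Each new field will keep forcing this fan-out; a single test-side constructor in the `tests` module (for example `fn default_output_option() -> OutputOption` returning the common literal, with callers overriding only `output`/`geo_ip`) would confine the next addition to one site. The enclosing test functions start and end outside these hunks, so the literal's other fields are not visible here.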
40 changes: 40 additions & 0 deletions src/detections/configs.rs
Expand Up @@ -91,6 +91,8 @@ pub struct StoredStatic {
pub enable_recover_records: bool,
pub timeline_offset: Option<String>,
pub is_low_memory: bool,
pub enable_all_rules: bool,
pub scan_all_evtx_files: bool,
}
impl StoredStatic {
/// main.rsでパースした情報からデータを格納する関数
Expand Down Expand Up @@ -562,6 +564,16 @@ impl StoredStatic {
Some(Action::JsonTimeline(opt)) => opt.output_options.low_memory_mode,
_ => false,
};
let enable_all_rules = match &input_config.as_ref().unwrap().action {
Some(Action::CsvTimeline(opt)) => opt.output_options.enable_all_rules,
Some(Action::JsonTimeline(opt)) => opt.output_options.enable_all_rules,
_ => false,
};
let scan_all_evtx_files = match &input_config.as_ref().unwrap().action {
Some(Action::CsvTimeline(opt)) => opt.output_options.scan_all_evtx_files,
Some(Action::JsonTimeline(opt)) => opt.output_options.scan_all_evtx_files,
_ => false,
};
let mut ret = StoredStatic {
config: input_config.as_ref().unwrap().to_owned(),
config_path: config_path.to_path_buf(),
Expand Down Expand Up @@ -678,6 +690,8 @@ impl StoredStatic {
timeline_offset,
include_status,
is_low_memory,
enable_all_rules,
scan_all_evtx_files,
};
ret.profiles = load_profile(
check_setting_path(
Expand Down Expand Up @@ -1563,6 +1577,14 @@ pub struct OutputOption {
/// Scan with the minimal amount of memory by not sorting events
#[arg(help_heading = Some("General Options"), short='s', long = "low-memory-mode", display_order = 380)]
pub low_memory_mode: bool,

/// Enable all rules
#[arg(help_heading = Some("Filtering"), long = "enable-all-rules", display_order = 300)]
pub enable_all_rules: bool,

/// Scan all evtx files
#[arg(help_heading = Some("Filtering"), long = "scan-all-evtx-files", display_order = 470)]
pub scan_all_evtx_files: bool,
}

#[derive(Copy, Args, Clone, Debug)]
Expand Down Expand Up @@ -2248,6 +2270,8 @@ fn extract_output_options(config: &Config) -> Option<OutputOption> {
no_wizard: option.no_wizard,
include_status: option.include_status.clone(),
low_memory_mode: false,
enable_all_rules: false,
scan_all_evtx_files: false,
}),
Action::EidMetrics(option) => Some(OutputOption {
input_args: option.input_args.clone(),
Expand Down Expand Up @@ -2289,6 +2313,8 @@ fn extract_output_options(config: &Config) -> Option<OutputOption> {
no_wizard: true,
include_status: None,
low_memory_mode: false,
enable_all_rules: false,
scan_all_evtx_files: false,
}),
Action::LogonSummary(option) => Some(OutputOption {
input_args: option.input_args.clone(),
Expand Down Expand Up @@ -2330,6 +2356,8 @@ fn extract_output_options(config: &Config) -> Option<OutputOption> {
no_wizard: true,
include_status: None,
low_memory_mode: false,
enable_all_rules: false,
scan_all_evtx_files: false,
}),
Action::ComputerMetrics(option) => Some(OutputOption {
input_args: option.input_args.clone(),
Expand Down Expand Up @@ -2380,6 +2408,8 @@ fn extract_output_options(config: &Config) -> Option<OutputOption> {
no_wizard: true,
include_status: None,
low_memory_mode: false,
enable_all_rules: false,
scan_all_evtx_files: false,
}),
Action::Search(option) => Some(OutputOption {
input_args: option.input_args.clone(),
Expand Down Expand Up @@ -2430,6 +2460,8 @@ fn extract_output_options(config: &Config) -> Option<OutputOption> {
no_wizard: true,
include_status: None,
low_memory_mode: false,
enable_all_rules: false,
scan_all_evtx_files: false,
}),
Action::SetDefaultProfile(option) => Some(OutputOption {
input_args: InputOption {
Expand Down Expand Up @@ -2486,6 +2518,8 @@ fn extract_output_options(config: &Config) -> Option<OutputOption> {
no_wizard: true,
include_status: None,
low_memory_mode: false,
enable_all_rules: false,
scan_all_evtx_files: false,
}),
Action::UpdateRules(option) => Some(OutputOption {
input_args: InputOption {
Expand Down Expand Up @@ -2542,6 +2576,8 @@ fn extract_output_options(config: &Config) -> Option<OutputOption> {
no_wizard: true,
include_status: None,
low_memory_mode: false,
enable_all_rules: false,
scan_all_evtx_files: false,
}),
_ => None,
}
Expand Down Expand Up @@ -2795,6 +2831,8 @@ mod tests {
no_wizard: true,
include_status: None,
low_memory_mode: false,
enable_all_rules: false,
scan_all_evtx_files: false,
},
geo_ip: None,
output: None,
Expand Down Expand Up @@ -2871,6 +2909,8 @@ mod tests {
no_wizard: true,
include_status: None,
low_memory_mode: false,
enable_all_rules: false,
scan_all_evtx_files: false,
},
geo_ip: None,
output: None,
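Review bot: The `///` lines on the two new `OutputOption` fields (`/// Enable all rules`, `/// Scan all evtx files`) become the CLI help text via clap, and they only restate the flag name; they do not say which filter each flag bypasses, which is the one thing an analyst needs before widening a scan. Since the code that consumes `enable_all_rules` and `scan_all_evtx_files` is not in the visible sections, I can only suggest the shape: something like `/// Enable all rules, including those excluded by the default rule-status filter (increases noise)` and `/// Scan all .evtx files, including those skipped by the default file filter`, with the exact excluded set filled in from the consuming code. Separately, the two new `match` blocks in `StoredStatic::new` repeat the `input_config.as_ref().unwrap().action` dereference and the same `CsvTimeline`/`JsonTimeline`/`_ => false` shape already used for `is_low_memory` just above; binding the action once (`let action = &input_config.as_ref().unwrap().action;`) and matching on it in all three would remove the repetition. `StoredStatic::new` begins and ends outside these hunks.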
10 changes: 10 additions & 0 deletions src/detections/detection.rs
Expand Up @@ -1290,6 +1290,8 @@ mod tests {
no_wizard: true,
include_status: None,
low_memory_mode: false,
enable_all_rules: false,
scan_all_evtx_files: false,
},
geo_ip: None,
output: None,
Expand Down Expand Up @@ -1552,6 +1554,8 @@ mod tests {
no_wizard: true,
include_status: None,
low_memory_mode: false,
enable_all_rules: false,
scan_all_evtx_files: false,
},
geo_ip: Some(Path::new("test_files/mmdb").to_path_buf()),
output: Some(Path::new("./test_emit_csv.csv").to_path_buf()),
Expand Down Expand Up @@ -1689,6 +1693,8 @@ mod tests {
no_wizard: true,
include_status: None,
low_memory_mode: false,
enable_all_rules: false,
scan_all_evtx_files: false,
},
geo_ip: Some(Path::new("test_files/mmdb").to_path_buf()),
output: Some(Path::new("./test_emit_csv.csv").to_path_buf()),
Expand Down Expand Up @@ -1821,6 +1827,8 @@ mod tests {
no_wizard: true,
include_status: None,
low_memory_mode: false,
enable_all_rules: false,
scan_all_evtx_files: false,
},
geo_ip: None,
output: Some(Path::new("./test_emit_csv.csv").to_path_buf()),
Expand Down Expand Up @@ -1969,6 +1977,8 @@ mod tests {
no_wizard: true,
include_status: None,
low_memory_mode: false,
enable_all_rules: false,
scan_all_evtx_files: false,
},
geo_ip: None,
output: Some(Path::new("./test_emit_csv.csv").to_path_buf()),
2 changes: 2 additions & 0 deletions src/detections/rule/condition_parser.rs
Expand Up @@ -509,6 +509,8 @@ mod tests {
no_wizard: true,
include_status: None,
low_memory_mode: false,
enable_all_rules: false,
scan_all_evtx_files: false,
},
geo_ip: None,
output: None,
2 changes: 2 additions & 0 deletions src/detections/rule/count.rs
Expand Up @@ -637,6 +637,8 @@ mod tests {
no_wizard: true,
include_status: None,
low_memory_mode: false,
enable_all_rules: false,
scan_all_evtx_files: false,
},
geo_ip: None,
output: None,
2 changes: 2 additions & 0 deletions src/detections/rule/matchers.rs
Expand Up @@ -921,6 +921,8 @@ mod tests {
no_wizard: true,
include_status: None,
low_memory_mode: false,
enable_all_rules: false,
scan_all_evtx_files: false,
},
geo_ip: None,
output: None,
2 changes: 2 additions & 0 deletions src/detections/rule/mod.rs
Expand Up @@ -450,6 +450,8 @@ mod tests {
no_wizard: true,
include_status: None,
low_memory_mode: false,
enable_all_rules: false,
scan_all_evtx_files: false,
},
geo_ip: None,
output: None,
2 changes: 2 additions & 0 deletions src/detections/rule/selectionnodes.rs
Expand Up @@ -577,6 +577,8 @@ mod tests {
no_wizard: true,
include_status: None,
low_memory_mode: false,
enable_all_rules: false,
scan_all_evtx_files: false,
},
geo_ip: None,
output: None,
2 changes: 2 additions & 0 deletions src/detections/utils.rs
Expand Up @@ -1076,6 +1076,8 @@ mod tests {
no_wizard: true,
include_status: None,
low_memory_mode: false,
enable_all_rules: false,
scan_all_evtx_files: false,
},
geo_ip: None,
output: None,

0 comments on commit 36d3991
