From 726038ddb3528761f9d2a858469eae33f8717f1a Mon Sep 17 00:00:00 2001
From: fukusuket <41001169+fukusuket@users.noreply.github.com>
Date: Thu, 14 Nov 2024 00:42:15 +0900
Subject: [PATCH] fix: invalid first/last timestamp
---
 src/timeline/log_metrics.rs | 67 +++++++++++++++++++++++++++++++------
 src/timeline/metrics.rs | 4 +--
 2 files changed, 59 insertions(+), 12 deletions(-)
diff --git a/src/timeline/log_metrics.rs b/src/timeline/log_metrics.rs
index ff78aa9a2..f1f54ad89 100644
--- a/src/timeline/log_metrics.rs
+++ b/src/timeline/log_metrics.rs
@@ -1,7 +1,8 @@
 use crate::detections::configs::StoredStatic;
 use crate::detections::detection::EvtxRecordInfo;
+use crate::detections::message::{AlertMessage, ERROR_LOG_STACK};
 use crate::detections::utils;
-use chrono::{DateTime, Utc};
+use chrono::{DateTime, NaiveDateTime, Utc};
 use std::collections::HashSet;
 
 #[derive(Default, Debug, Clone)]
@@ -22,14 +23,62 @@ impl LogMetrics {
 ..Default::default()
 }
 }
- pub fn update(
- &mut self,
- records: &[EvtxRecordInfo],
- stored_static: &StoredStatic,
- start_time: Option>,
- end_time: Option>,
- ) {
+ pub fn update(&mut self, records: &[EvtxRecordInfo], stored_static: &StoredStatic) {
 for record in records {
+ if let Some(evttime) = utils::get_event_value(
+ "Event.System.TimeCreated_attributes.SystemTime",
+ &record.record,
+ &stored_static.eventkey_alias,
+ )
+ .map(|evt_value| evt_value.to_string().replace("\\\"", "").replace('"', ""))
+ {
+ let timestamp =
+ match NaiveDateTime::parse_from_str(evttime.as_str(), "%Y-%m-%dT%H:%M:%S%.3fZ")
+ {
+ Ok(without_timezone_datetime) => {
+ Some(DateTime::::from_naive_utc_and_offset(
+ without_timezone_datetime,
+ Utc,
+ ))
+ }
+ Err(_) => {
+ match NaiveDateTime::parse_from_str(
+ evttime.as_str(),
+ "%Y-%m-%dT%H:%M:%S%.3f%:z",
+ ) {
+ Ok(splunk_json_datetime) => {
+ Some(DateTime::::from_naive_utc_and_offset(
+ splunk_json_datetime,
+ Utc,
+ ))
+ }
+ Err(e) => {
+ let errmsg = format!(
+ "Timestamp parse error.\nInput: {evttime}\nError: {e}\n"
+ );
+ if stored_static.verbose_flag {
+ AlertMessage::alert(&errmsg).ok();
+ }
+ if !stored_static.quiet_errors_flag {
+ ERROR_LOG_STACK
+ .lock()
+ .unwrap()
+ .push(format!("[ERROR] {errmsg}"));
+ }
+ None
+ }
+ }
+ }
+ };
+ if let Some(timestamp) = timestamp {
+ if self.first_timestamp.is_none() || timestamp < self.first_timestamp.unwrap() {
+ self.first_timestamp = Some(timestamp);
+ }
+ if self.last_timestamp.is_none() || timestamp > self.last_timestamp.unwrap() {
+ self.last_timestamp = Some(timestamp);
+ }
+ }
+ }
 if let Some(computer) =
 utils::get_event_value("Computer", &record.record, &stored_static.eventkey_alias)
 {
@@ -52,7 +101,5 @@ impl LogMetrics {
 }
 self.event_count += 1;
 }
- self.first_timestamp = start_time;
- self.last_timestamp = end_time;
 }
 }
diff --git a/src/timeline/metrics.rs b/src/timeline/metrics.rs
index ab0d4b944..e51334e6f 100644
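Review bot: The offset-bearing fallback in the timestamp match throws away the offset it parses: chrono's `NaiveDateTime::parse_from_str` accepts `%:z` but ignores it for the purpose of parsing, and `from_naive_utc_and_offset(.., Utc)` then labels that local wall-clock value as UTC, so a record stamped `+09:00` lands nine hours late and first/last across files with mixed offsets can come out in the wrong order. Parse that branch with `match DateTime::parse_from_str(evttime.as_str(), "%Y-%m-%dT%H:%M:%S%.3f%:z") {` and on success return `Some(splunk_json_datetime.with_timezone(&Utc))`, which keeps the instant intact; the `Z` branch is correct as written. `%.3f` is fixed-width in chrono, so a SystemTime string with a different number of fractional digits falls through to the parse-error path; whether this project's evtx output always carries exactly three digits is not visible in the hunk. The two `is_none() || .. .unwrap()` comparisons read more idiomatically as `self.first_timestamp.map_or(true, |t| timestamp < t)`, with identical behavior. `update`'s body continues past the end of this hunk, and `DateTime::::` here looks like an extraction artifact for `DateTime::<Utc>`.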
--- a/src/timeline/metrics.rs
+++ b/src/timeline/metrics.rs
@@ -113,10 +113,10 @@ impl EventMetrics {
 .trim_matches('"'),
 )
 }) {
- existing_lm.update(records, stored_static, self.start_time, self.end_time);
+ existing_lm.update(records, stored_static);
 } else {
 let mut lm = LogMetrics::new(filename);
- lm.update(records, stored_static, self.start_time, self.end_time);
+ lm.update(records, stored_static);
 self.stats_logfile.push(lm);
 }
 }