

Merge pull request #1280 from Yamato-Security/1193-add-include-status…
…-option

added `--include-status` option
YamatoSecurity authored Feb 14, 2024
2 parents 0fb8690 + 3687b02 commit 75d69c0
Showing 15 changed files with 94 additions and 14 deletions.
2 changes: 1 addition & 1 deletion CHANGELOG-Japanese.md
Expand Up @@ -4,7 +4,7 @@

**改善:**

- XXX
- 指定した`status`のルールのみを利用する`--include-status`オプションを追加した。 (#1193) (@hitenkoku)

**バグ修正:**

2 changes: 1 addition & 1 deletion CHANGELOG.md
Expand Up @@ -4,7 +4,7 @@

**Enhancements:**

- XXX
- Added `--include-status` option: You can specify rules based on their `status`. (#1193) (@hitenkoku)

**Bug Fixes:**

22 changes: 17 additions & 5 deletions src/afterfact.rs
Expand Up @@ -2060,6 +2060,7 @@ mod tests {
remove_duplicate_data: false,
remove_duplicate_detections: false,
no_wizard: true,
include_status: None,
},
geo_ip: None,
output: Some(Path::new("./test_emit_csv.csv").to_path_buf()),
Expand Down Expand Up @@ -2151,6 +2152,7 @@ mod tests {
remove_duplicate_data: false,
remove_duplicate_detections: false,
no_wizard: true,
include_status: None,
};
let ch = mock_ch_filter
.get(&CompactString::from("security"))
Expand Down Expand Up @@ -2392,6 +2394,7 @@ mod tests {
remove_duplicate_data: false,
remove_duplicate_detections: false,
no_wizard: true,
include_status: None,
},
geo_ip: None,
output: Some(Path::new("./test_emit_csv_multiline.csv").to_path_buf()),
Expand Down Expand Up @@ -2485,6 +2488,7 @@ mod tests {
remove_duplicate_data: false,
remove_duplicate_detections: false,
no_wizard: true,
include_status: None,
};
let ch = mock_ch_filter
.get(&CompactString::from("security"))
Expand Down Expand Up @@ -2712,6 +2716,7 @@ mod tests {
remove_duplicate_data: true,
remove_duplicate_detections: false,
no_wizard: true,
include_status: None,
},
geo_ip: None,
output: Some(Path::new("./test_emit_csv_remove_duplicate.csv").to_path_buf()),
Expand Down Expand Up @@ -2803,6 +2808,7 @@ mod tests {
remove_duplicate_data: false,
remove_duplicate_detections: false,
no_wizard: true,
include_status: None,
};
let ch = mock_ch_filter
.get(&CompactString::from("security"))
Expand Down Expand Up @@ -3041,6 +3047,7 @@ mod tests {
remove_duplicate_data: true,
remove_duplicate_detections: false,
no_wizard: true,
include_status: None,
},
geo_ip: None,
output: Some(Path::new("./test_emit_csv_remove_duplicate.json").to_path_buf()),
Expand Down Expand Up @@ -3132,6 +3139,7 @@ mod tests {
remove_duplicate_data: true,
remove_duplicate_detections: false,
no_wizard: true,
include_status: None,
};
let ch = mock_ch_filter
.get(&CompactString::from("security"))
Expand Down Expand Up @@ -3218,7 +3226,7 @@ mod tests {
println!("message: {detect_infos:?}");
}

let expect_target = vec![
let expect_target = [
vec![
(
"Timestamp",
Expand Down Expand Up @@ -3444,6 +3452,7 @@ mod tests {
remove_duplicate_data: true,
remove_duplicate_detections: false,
no_wizard: true,
include_status: None,
},
geo_ip: None,
output: Some(Path::new("./test_multiple_data_in_details.json").to_path_buf()),
Expand Down Expand Up @@ -3536,6 +3545,7 @@ mod tests {
remove_duplicate_data: true,
remove_duplicate_detections: false,
no_wizard: true,
include_status: None,
};
let ch = mock_ch_filter
.get(&CompactString::from("security"))
Expand Down Expand Up @@ -3597,8 +3607,7 @@ mod tests {
Profile::Computer(test_computername.into());
}

let expect_target = vec![
vec![
let expect_target = [vec![
(
"Timestamp",
CompactString::from(
Expand Down Expand Up @@ -3652,8 +3661,7 @@ mod tests {
"Tags",
CompactString::from("[\n \"".to_string() + test_attack + "\"\n ]"),
),
]
];
]];
let mut expect_str = String::default();
for (target_idx, target) in expect_target.iter().enumerate() {
let mut expect_json = "{\n".to_string();
Expand Down Expand Up @@ -3792,6 +3800,7 @@ mod tests {
remove_duplicate_data: false,
remove_duplicate_detections: false,
no_wizard: true,
include_status: None,
},
geo_ip: None,
output: Some(Path::new("./test_emit_csv_json.json").to_path_buf()),
Expand Down Expand Up @@ -3882,6 +3891,7 @@ mod tests {
remove_duplicate_data: false,
remove_duplicate_detections: false,
no_wizard: true,
include_status: None,
};
let ch = mock_ch_filter
.get(&CompactString::from("security"))
Expand Down Expand Up @@ -4061,6 +4071,7 @@ mod tests {
remove_duplicate_data: false,
remove_duplicate_detections: false,
no_wizard: true,
include_status: None,
},
geo_ip: None,
output: Some(Path::new("./test_emit_csv_jsonl.jsonl").to_path_buf()),
Expand Down Expand Up @@ -4151,6 +4162,7 @@ mod tests {
remove_duplicate_data: false,
remove_duplicate_detections: false,
no_wizard: true,
include_status: None,
};
let ch = mock_ch_filter
.get(&CompactString::from("security"))
54 changes: 49 additions & 5 deletions src/detections/configs.rs
Expand Up @@ -530,6 +530,32 @@ impl StoredStatic {
Some(Action::ComputerMetrics(opt)) => opt.input_args.timeline_offset.clone(),
_ => None,
};
let include_status: HashSet<CompactString> = match &input_config.as_ref().unwrap().action {
Some(Action::CsvTimeline(opt)) => opt
.output_options
.include_status
.as_ref()
.unwrap_or(&vec![])
.iter()
.map(|x| x.into())
.collect(),
Some(Action::JsonTimeline(opt)) => opt
.output_options
.include_status
.as_ref()
.unwrap_or(&vec![])
.iter()
.map(|x| x.into())
.collect(),
Some(Action::PivotKeywordsList(opt)) => opt
.include_status
.as_ref()
.unwrap_or(&vec![])
.iter()
.map(|x| x.into())
.collect(),
_ => HashSet::default(),
};

let mut ret = StoredStatic {
config: input_config.as_ref().unwrap().to_owned(),
Expand Down Expand Up @@ -645,7 +671,7 @@ impl StoredStatic {
no_pwsh_field_extraction: no_pwsh_field_extraction_flag,
enable_recover_records,
timeline_offset,
include_status: HashSet::new(),
include_status,
};
ret.profiles = load_profile(
check_setting_path(
Expand Down Expand Up @@ -1200,11 +1226,15 @@ pub struct PivotKeywordOption {
pub enable_unsupported_rules: bool,

/// Do not load rules according to status (ex: experimental) (ex: stable,test)
#[arg(help_heading = Some("Filtering"), long = "exclude-status", value_name = "STATUS...", requires = "no_wizard", use_value_delimiter = true, value_delimiter = ',', display_order = 316)]
#[arg(help_heading = Some("Filtering"), long = "exclude-status", value_name = "STATUS...", requires = "no_wizard", conflicts_with = "include_status",use_value_delimiter = true, value_delimiter = ',', display_order = 316)]
pub exclude_status: Option<Vec<String>>,

/// Only load rules with specific status (ex: experimental) (ex: stable,test)
#[arg(help_heading = Some("Filtering"), long = "include-status", value_name = "STATUS...", requires = "no_wizard", conflicts_with = "exclude_status", use_value_delimiter = true, value_delimiter = ',', display_order = 353)]
pub include_status: Option<Vec<String>>,

/// Only load rules with specific tags (ex: attack.execution,attack.discovery)
#[arg(help_heading = Some("Filtering"), long = "include-tag", value_name = "TAG...", requires = "no_wizard", conflicts_with = "exclude_tag", use_value_delimiter = true, value_delimiter = ',', display_order = 353)]
#[arg(help_heading = Some("Filtering"), long = "include-tag", value_name = "TAG...", requires = "no_wizard", conflicts_with = "exclude_tag", use_value_delimiter = true, value_delimiter = ',', display_order = 354)]
pub include_tag: Option<Vec<String>>,

/// Do not load rules with specific tags (ex: sysmon)
Expand Down Expand Up @@ -1352,11 +1382,15 @@ pub struct OutputOption {
pub enable_unsupported_rules: bool,

/// Do not load rules according to status (ex: experimental) (ex: stable,test)
#[arg(help_heading = Some("Filtering"), long = "exclude-status", value_name = "STATUS...", requires = "no_wizard", use_value_delimiter = true, value_delimiter = ',', display_order = 316)]
#[arg(help_heading = Some("Filtering"), long = "exclude-status", value_name = "STATUS...", requires = "no_wizard", conflicts_with = "include_status", use_value_delimiter = true, value_delimiter = ',', display_order = 316)]
pub exclude_status: Option<Vec<String>>,

/// Only load rules with specific status (ex: experimental) (ex: stable,test)
#[arg(help_heading = Some("Filtering"), long = "include-status", value_name = "STATUS...", requires = "no_wizard", conflicts_with = "exclude_status", use_value_delimiter = true, value_delimiter = ',', display_order = 353)]
pub include_status: Option<Vec<String>>,

/// Only load rules with specific tags (ex: attack.execution,attack.discovery)
#[arg(help_heading = Some("Filtering"), long = "include-tag", value_name = "TAG...", requires = "no_wizard", conflicts_with = "exclude_tag", use_value_delimiter = true, value_delimiter = ',', display_order = 353)]
#[arg(help_heading = Some("Filtering"), long = "include-tag", value_name = "TAG...", requires = "no_wizard", conflicts_with = "exclude_tag", use_value_delimiter = true, value_delimiter = ',', display_order = 354)]
pub include_tag: Option<Vec<String>>,

/// Only load rules with specified logsource categories (ex: process_creation,pipe_created)
Expand Down Expand Up @@ -2180,6 +2214,7 @@ fn extract_output_options(config: &Config) -> Option<OutputOption> {
remove_duplicate_data: false,
remove_duplicate_detections: false,
no_wizard: option.no_wizard,
include_status: option.include_status.clone(),
}),
Action::EidMetrics(option) => Some(OutputOption {
input_args: option.input_args.clone(),
Expand Down Expand Up @@ -2219,6 +2254,7 @@ fn extract_output_options(config: &Config) -> Option<OutputOption> {
remove_duplicate_data: false,
remove_duplicate_detections: false,
no_wizard: true,
include_status: None,
}),
Action::LogonSummary(option) => Some(OutputOption {
input_args: option.input_args.clone(),
Expand Down Expand Up @@ -2258,6 +2294,7 @@ fn extract_output_options(config: &Config) -> Option<OutputOption> {
remove_duplicate_data: false,
remove_duplicate_detections: false,
no_wizard: true,
include_status: None,
}),
Action::ComputerMetrics(option) => Some(OutputOption {
input_args: option.input_args.clone(),
Expand Down Expand Up @@ -2306,6 +2343,7 @@ fn extract_output_options(config: &Config) -> Option<OutputOption> {
remove_duplicate_data: false,
remove_duplicate_detections: false,
no_wizard: true,
include_status: None,
}),
Action::Search(option) => Some(OutputOption {
input_args: option.input_args.clone(),
Expand Down Expand Up @@ -2354,6 +2392,7 @@ fn extract_output_options(config: &Config) -> Option<OutputOption> {
remove_duplicate_data: false,
remove_duplicate_detections: false,
no_wizard: true,
include_status: None,
}),
Action::SetDefaultProfile(option) => Some(OutputOption {
input_args: InputOption {
Expand Down Expand Up @@ -2408,6 +2447,7 @@ fn extract_output_options(config: &Config) -> Option<OutputOption> {
remove_duplicate_data: false,
remove_duplicate_detections: false,
no_wizard: true,
include_status: None,
}),
Action::UpdateRules(option) => Some(OutputOption {
input_args: InputOption {
Expand Down Expand Up @@ -2462,6 +2502,7 @@ fn extract_output_options(config: &Config) -> Option<OutputOption> {
remove_duplicate_data: false,
remove_duplicate_detections: false,
no_wizard: true,
include_status: None,
}),
_ => None,
}
Expand Down Expand Up @@ -2713,6 +2754,7 @@ mod tests {
remove_duplicate_data: false,
remove_duplicate_detections: false,
no_wizard: true,
include_status: None,
},
geo_ip: None,
output: None,
Expand Down Expand Up @@ -2787,6 +2829,7 @@ mod tests {
remove_duplicate_data: false,
remove_duplicate_detections: false,
no_wizard: true,
include_status: None,
},
geo_ip: None,
output: None,
Expand Down Expand Up @@ -2980,6 +3023,7 @@ mod tests {
no_wizard: true,
include_tag: None,
exclude_tag: None,
include_status: None,
})),
debug: false,
}));
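Review bot: The three arms of the new `include_status` match in the first hunk repeat the same eight-line chain, and `.as_ref().unwrap_or(&vec![])` constructs a temporary `Vec` on every call even when the option is `Some`; an `Option<Vec<String>>` can be walked directly, so each arm reduces to `opt.output_options.include_status.iter().flatten().map(|x| x.into()).collect()` (and `opt.include_status.iter().flatten().map(|x| x.into()).collect()` for `PivotKeywordsList`) with no temporary. If the existing `exclude_status` derivation above this hunk is written the same way, the same form applies there, or both could share one small helper. The enclosing constructor in `impl StoredStatic` starts before and ends after this hunk. The tests touched in this section only set `include_status: None`; a case that passes a value through `extract_output_options` into `StoredStatic.include_status` would pin the new path, and the field's doc comment should state whether status matching is case-sensitive, since the values are stored as typed and presumably compared verbatim by the rule loader — confirm against that code, which is not in this diff.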
5 changes: 5 additions & 0 deletions src/detections/detection.rs
Expand Up @@ -1263,6 +1263,7 @@ mod tests {
remove_duplicate_data: false,
remove_duplicate_detections: false,
no_wizard: true,
include_status: None,
},
geo_ip: None,
output: None,
Expand Down Expand Up @@ -1526,6 +1527,7 @@ mod tests {
remove_duplicate_data: false,
remove_duplicate_detections: false,
no_wizard: true,
include_status: None,
},
geo_ip: Some(Path::new("test_files/mmdb").to_path_buf()),
output: Some(Path::new("./test_emit_csv.csv").to_path_buf()),
Expand Down Expand Up @@ -1663,6 +1665,7 @@ mod tests {
remove_duplicate_data: false,
remove_duplicate_detections: false,
no_wizard: true,
include_status: None,
},
geo_ip: Some(Path::new("test_files/mmdb").to_path_buf()),
output: Some(Path::new("./test_emit_csv.csv").to_path_buf()),
Expand Down Expand Up @@ -1796,6 +1799,7 @@ mod tests {
remove_duplicate_data: false,
remove_duplicate_detections: false,
no_wizard: true,
include_status: None,
},
geo_ip: None,
output: Some(Path::new("./test_emit_csv.csv").to_path_buf()),
Expand Down Expand Up @@ -1942,6 +1946,7 @@ mod tests {
remove_duplicate_data: false,
remove_duplicate_detections: false,
no_wizard: true,
include_status: None,
},
geo_ip: None,
output: Some(Path::new("./test_emit_csv.csv").to_path_buf()),
1 change: 1 addition & 0 deletions src/detections/rule/condition_parser.rs
Expand Up @@ -507,6 +507,7 @@ mod tests {
remove_duplicate_data: false,
remove_duplicate_detections: false,
no_wizard: true,
include_status: None,
},
geo_ip: None,
output: None,
1 change: 1 addition & 0 deletions src/detections/rule/count.rs
Expand Up @@ -635,6 +635,7 @@ mod tests {
remove_duplicate_data: false,
remove_duplicate_detections: false,
no_wizard: true,
include_status: None,
},
geo_ip: None,
output: None,
1 change: 1 addition & 0 deletions src/detections/rule/matchers.rs
Expand Up @@ -870,6 +870,7 @@ mod tests {
remove_duplicate_data: false,
remove_duplicate_detections: false,
no_wizard: true,
include_status: None,
},
geo_ip: None,
output: None,
1 change: 1 addition & 0 deletions src/detections/rule/mod.rs
Expand Up @@ -452,6 +452,7 @@ mod tests {
remove_duplicate_data: false,
remove_duplicate_detections: false,
no_wizard: true,
include_status: None,
},
geo_ip: None,
output: None,
1 change: 1 addition & 0 deletions src/detections/rule/selectionnodes.rs
Expand Up @@ -575,6 +575,7 @@ mod tests {
remove_duplicate_data: false,
remove_duplicate_detections: false,
no_wizard: true,
include_status: None,
},
geo_ip: None,
output: None,
