Fixed json fields get moved over #1146

Merged
merged 38 commits into from
Sep 21, 2023
Changes from 4 commits
Commits
38 commits
72bc568
fix(afterfact): fixed wrong field name separate processing #1145
hitenkoku Jul 29, 2023
77ee339
fix(afterfact): fixed comma separate field data processing in json-ti…
hitenkoku Jul 29, 2023
0df9a85
fix(afterfact): fixed field wrong separate processing in "Final resul…
hitenkoku Jul 29, 2023
fba4422
docs(CHANGELOG): added #1145
hitenkoku Jul 29, 2023
9035e75
feat(afterfact): fixed jq error to output file #1145
hitenkoku Jul 30, 2023
4b5a6c4
Merge branch 'main' into 1145-json-fields-get-moved-over
hitenkoku Aug 1, 2023
a3bd812
fix(afterfact): fixed ScriptBlockText gets put inside ScriptBlockId f…
hitenkoku Aug 1, 2023
3b4146f
fix(afterfact): fixed wrong separate in ScriptBlockText field #1145
hitenkoku Aug 2, 2023
e1558c1
fix(afterfact): fixed wrong field separate to cmd option in json-time…
hitenkoku Aug 2, 2023
b02cfac
fix(afterfact): fixed wrong field separate #1145
hitenkoku Aug 2, 2023
593af2d
fix(afterfact): reverted json field name extract length condition and…
hitenkoku Aug 3, 2023
73579cd
fix(afterfact): modified extract json key condition #1145
hitenkoku Aug 3, 2023
8f7d913
fix(afterfact): fixed key extract condition to exclude string include…
hitenkoku Aug 3, 2023
7e2b1a1
Merge branch 'main' into 1145-json-fields-get-moved-over
hitenkoku Aug 16, 2023
b6f0de6
fix(afterfact): fixed cmdline moved over #1145
hitenkoku Aug 16, 2023
6f3690d
fix(afterfact): fixed json parse error #1145
hitenkoku Aug 22, 2023
4f09f30
Merge branch 'main' of https://github.com/Yamato-Security/hayabusa in…
hitenkoku Sep 1, 2023
cb60c1d
feat: refactoring JSON output processing #1145
hitenkoku Sep 2, 2023
45bcde5
test: fixed test due to code refactoring #1145
hitenkoku Sep 2, 2023
6ba9c97
refactor(configs): refactoring in pivotkeywordslist
hitenkoku Sep 2, 2023
364b544
refactor(afterfact): to remove unused vec processing to output value …
hitenkoku Sep 2, 2023
29f36d0
Revert "refactor(afterfact): to remove unused vec processing to outpu…
hitenkoku Sep 2, 2023
7b0684c
fix(message): fixed error by test #1145
hitenkoku Sep 2, 2023
e54b76d
Merge branch 'main' into 1145-json-fields-get-moved-over
hitenkoku Sep 2, 2023
3ba54f6
refactor(afterfact): fixed cargo clippy error
hitenkoku Sep 2, 2023
6890b47
Merge branch '1145-json-fields-get-moved-over' into refactorer#1145
hitenkoku Sep 2, 2023
0266489
fix(message): fixed processing of removing special character #1145
hitenkoku Sep 3, 2023
4d208b0
fix(message): fixed processing of removing newline character #1145
hitenkoku Sep 3, 2023
0b7f228
fix(message): fixed unmatched details key #1145
hitenkoku Sep 4, 2023
274a733
style(message): cargo fmt
hitenkoku Sep 4, 2023
b44109c
UI(message): rearranged Details and ExtraFieldInfo keys alphabetically…
hitenkoku Sep 4, 2023
7de9af7
fix(afterfact): added details key is none case #1145
hitenkoku Sep 5, 2023
4a93008
fix(afterfact/message): fixed Details field output misprocessing #1145
hitenkoku Sep 13, 2023
b530aed
style: fixed cargo clippy error
hitenkoku Sep 13, 2023
77776ce
Merge pull request #1173 from Yamato-Security/refactorer#1145
YamatoSecurity Sep 16, 2023
9e5d24b
Merge branch 'main' into 1145-json-fields-get-moved-over
hitenkoku Sep 16, 2023
bd8f82c
build(Cargo.lock): cargo update
hitenkoku Sep 16, 2023
39ec59a
build(Cargo): updated hayabusa-evtx crate
hitenkoku Sep 16, 2023
1 change: 1 addition & 0 deletions CHANGELOG-Japanese.md
@@ -29,6 +29,7 @@

- `metrics`と`logon-summary`コマンドのレコード数の表示が`csv-timeline`のコマンドでのレコード数の表示と異なっている状態を修正した。 (#1105) (@hitenkoku)
- パスの代わりにルールIDでルール数を数えるように変更した。 (#1113) (@hitenkoku)
- JSON出力で`CommandLine`フィールド内で誤ったフィールドの分割が行われてしまう問題を修正した。 (#1145) (@hitenkoku)

**その他:**

1 change: 1 addition & 0 deletions CHANGELOG.md
@@ -28,6 +28,7 @@

- The total number of records being displayed in the `metrics` and `logon-summary` commands differed from the `csv-timeline` command. (#1105) (@hitenkoku)
- Changed rule count by rule ID instead of path. (#1113) (@hitenkoku)
- Fixed a problem with incorrect field splitting in the `CommandLine` field in JSON output. (#1145) (@hitenkoku)

**Other:**

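Review bot: the new entry names only the `CommandLine` field, but the `src/afterfact.rs` change in this same PR also alters how tokens beginning with `-`, short `;`-terminated tokens and `ScriptBlock*` keys are split and re-joined, so the note under-describes the user-visible change. Suggest wording it as a general fix to field splitting in JSON output, keeping `CommandLine` as the example, and mirroring the same wording in `CHANGELOG-Japanese.md`.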
20 changes: 18 additions & 2 deletions src/afterfact.rs
@@ -1462,7 +1462,11 @@ pub fn output_json_str(
let mut tmp_stock = vec![];
let mut space_split_contents = detail_contents.split(' ');
while let Some(sp) = space_split_contents.next() {
if !sp.contains('\\') && sp.ends_with(':') && sp.len() > 2 {
if !sp.contains('\\')
&& !sp.starts_with('-')
&& sp.ends_with(':')
&& sp.len() > 2
{
key_index_stock.push(sp.replace(':', ""));
if sp == "Payload:" {
stocked_value.push(vec![]);
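Review bot: the added `!sp.starts_with('-')` guard stops command-line switches such as a `-Something:` token from being promoted to a field key, which is the #1145 symptom, but the key test is still purely lexical: any other whitespace-delimited token inside a value that ends in `:` and is longer than two characters will still be treated as a new key. Please add a comment recording what the `sp.len() > 2` threshold is meant to exclude, and a regression test built from the `CommandLine` sample in #1145 so the rule does not regress when the condition is touched again.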
@@ -1474,6 +1478,12 @@ pub fn output_json_str(
stocked_value.push(tmp_stock);
tmp_stock = vec![];
}
} else if sp.ends_with(';') && sp.len() < 5 {
let last_key = key_index_stock.pop().unwrap_or_default();
let mut last_stocked_value =
stocked_value.pop().unwrap_or_default();
last_stocked_value.push(format!("{last_key}: {sp}"));
stocked_value.push(last_stocked_value);
} else {
tmp_stock.push(sp.to_owned());
}
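Review bot: the `sp.ends_with(';') && sp.len() < 5` branch pops a key from `key_index_stock` and never pushes it back, while it pops and re-pushes the value on `stocked_value`, so after this branch the two stacks are one entry apart and later code that indexes `key_index_stock[key_idx]` next to `stocked_value` can pair a value with the wrong key. It also leaves whatever `tmp_stock` has already collected for the current key untouched, so those words end up attached to the following key. If the intent is to fold a short `value;` token into the previous key as `key: value;`, either push `last_key` back (or document why the key is consumed) and flush `tmp_stock` here; the two `unwrap_or_default()` calls also turn an empty stack into a silent empty key/value instead of surfacing the mismatch, and the `< 5` cutoff needs a comment naming the token shape it targets.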
@@ -1513,7 +1523,13 @@ pub fn output_json_str(
key_index_stock[key_idx].as_str()
};
if !output_value_stock.is_empty() {
output_value_stock.push_str(" | ");
let separate_chr =
if key_index_stock[key_idx].starts_with("ScriptBlock") {
" | "
} else {
": "
};
output_value_stock.push_str(separate_chr);
}
output_value_stock.push_str(&value.join(" "));
//1つまえのキーの段階で以降にvalueの配列で区切りとなる空の配列が存在しているかを確認する
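Review bot: `key_index_stock[key_idx].starts_with("ScriptBlock")` hard-codes knowledge of specific event fields into the generic JSON writer, and the new `": "` fallback joins successive value groups of one key with the same `key: value` delimiter that the splitter above keys on, so the joined output reads like a nested key/value pair. Suggest lifting both separators into named constants with a comment stating why `ScriptBlock*` fields are joined with `" | "` and everything else with `": "`, and adding a test that exercises a key with more than one value group for both branches.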