Merge pull request #1267 from Yamato-Security/1263-skip-loading-detec…

…tion-rules-when-running-search Skipped loading detection rules when running `search`, `logon-summary`, `eid-metrics`, and `computer-metrics`
Yamato-Security · Feb 3, 2024 · 8c2a859 · 8c2a859
2 parents 290d317 + 57c9509
commit 8c2a859
Show file tree

Hide file tree

Showing 3 changed files with 48 additions and 24 deletions.
diff --git a/CHANGELOG-Japanese.md b/CHANGELOG-Japanese.md
@@ -13,6 +13,7 @@
 - `json-timeline`コマンドの標準出力でJSONフォーマットを出力するように修正した。 (#1197) (@hitenkoku)
 - JSON入力でデータが配列内にある場合に解析できるようにした。 (#1248) (@hitenkoku)
 - 古いターミナルでも正しく表示されるように、また読みやすくするために、`‖`区切り文字を`·`区切り文字に変更した。(#1258) (@YamatoSecurity)
+-  ルールをロードする必要のないコマンドを実行した場合、検出ルールのロードをスキップするようにした。 (#1263) (@hitenkoku)
 
 **バグ修正:**
 

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -13,6 +13,7 @@
 - The `json-timeline` command now outputs in JSON format when outputting to the terminal. (#1197) (@hitenkoku)
 - Added support for parsing JSON input when the data is inside an array. (#1248) (@hitenkoku)
 - Changed the `‖` separator into a `·` separator to make it easier to read and render properly on older terminals. (#1258) (@YamatoSecurity)
+- Skiped loading detection rules when running to command which is no need to load rule. (#1263) (@hitenkoku)
 
 **Bug Fixes:**
 

diff --git a/src/main.rs b/src/main.rs
@@ -1282,9 +1282,6 @@ impl App {
         } else {
             stored_static.include_status.insert("*".into());
         }
-        println!();
-        println!("Loading detection rules. Please wait.");
-        println!();
 
         if stored_static.html_report_flag {
             let mut output_data = Nested::<String>::new();
@@ -1317,28 +1314,53 @@ impl App {
             .min_level
             .to_uppercase();
 
-        let rule_files = detection::Detection::parse_rule_files(
-            &level,
-            &target_level,
-            &stored_static.output_option.as_ref().unwrap().rules,
-            &filter::exclude_ids(stored_static),
-            stored_static,
-        );
-        CHECKPOINT
-            .lock()
-            .as_mut()
-            .unwrap()
-            .rap_check_point("Rule Parse Processing Time");
-        let unused_rules_option = stored_static.logon_summary_flag
+        println!();
+        if !(stored_static.logon_summary_flag
             || stored_static.search_flag
-            || stored_static.computer_metrics_flag
-            || stored_static.metrics_flag;
-        if !unused_rules_option && rule_files.is_empty() {
-            AlertMessage::alert(
-                "No rules were loaded. Please download the latest rules with the update-rules command.\r\n",
-            )
-            .ok();
-            return;
+            || stored_static.metrics_flag
+            || stored_static.computer_metrics_flag)
+        {
+            println!("Loading detection rules. Please wait.");
+        } else if stored_static.logon_summary_flag {
+            println!("Currently analyzing Logon Summary. Please wait.");
+        } else if stored_static.search_flag {
+            println!("Currently searching. Please wait.");
+        } else if stored_static.metrics_flag {
+            println!("Currently analyzing Event ID Metrics. Please wait.");
+        } else if stored_static.computer_metrics_flag {
+            println!("Currently analyzing Compute Metrics. Please wait.");
+        }
+        println!();
+
+        let mut rule_files = vec![];
+        if !(stored_static.logon_summary_flag
+            || stored_static.search_flag
+            || stored_static.metrics_flag
+            || stored_static.computer_metrics_flag)
+        {
+            rule_files = detection::Detection::parse_rule_files(
+                &level,
+                &target_level,
+                &stored_static.output_option.as_ref().unwrap().rules,
+                &filter::exclude_ids(stored_static),
+                stored_static,
+            );
+            CHECKPOINT
+                .lock()
+                .as_mut()
+                .unwrap()
+                .rap_check_point("Rule Parse Processing Time");
+            let unused_rules_option = stored_static.logon_summary_flag
+                || stored_static.search_flag
+                || stored_static.computer_metrics_flag
+                || stored_static.metrics_flag;
+            if !unused_rules_option && rule_files.is_empty() {
+                AlertMessage::alert(
+                        "No rules were loaded. Please download the latest rules with the update-rules command.\r\n",
+                    )
+                    .ok();
+                return;
+            }
         }
 
         let template =