diff --git a/Cargo.lock b/Cargo.lock index 065978892..54540434c 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -462,9 +462,9 @@ dependencies = [ [[package]] name = "csv" -version = "1.2.2" +version = "1.3.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "626ae34994d3d8d668f4269922248239db4ae42d538b14c398b74a52208e8086" +checksum = "ac574ff4d437a7b5ad237ef331c17ccca63c46479e5b5453eb8e10bb99a759fe" dependencies = [ "csv-core", "itoa", @@ -1040,7 +1040,7 @@ dependencies = [ "chrono", "clap 4.4.11", "file-chunker", - "memmap2 0.9.0", + "memmap2 0.9.2", "num_cpus", "rayon", "regex", @@ -1168,9 +1168,9 @@ dependencies = [ [[package]] name = "memmap2" -version = "0.9.0" +version = "0.9.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "deaba38d7abf1d4cca21cc89e932e542ba2b9258664d2a9ef0e61512039c9375" +checksum = "39a69c7c189ae418f83003da62820aca28d15a07725ce51fb924999335d622ff" dependencies = [ "libc", ] @@ -1944,18 +1944,18 @@ checksum = "222a222a5bfe1bba4a77b45ec488a741b3cb8872e5e499451fd7d0129c9c7c3d" [[package]] name = "thiserror" -version = "1.0.50" +version = "1.0.51" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f9a7210f5c9a7156bb50aa36aed4c95afb51df0df00713949448cf9e97d382d2" +checksum = "f11c217e1416d6f036b870f14e0413d480dbf28edbee1f877abaf0206af43bb7" dependencies = [ "thiserror-impl", ] [[package]] name = "thiserror-impl" -version = "1.0.50" +version = "1.0.51" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "266b2e40bc00e5a6c09c3584011e08b06f123c00362c92b975ba9843aaaa14b8" +checksum = "01742297787513b79cf8e29d1056ede1313e2420b7b3b15d0a768b4921f549df" dependencies = [ "proc-macro2", "quote", diff --git a/Cargo.toml b/Cargo.toml index 109975691..dc8a7e9e2 100644 --- a/Cargo.toml +++ b/Cargo.toml 
@@ -17,7 +17,7 @@ serde = { version = "1.*", features = ["derive"] }
 serde_json = { version = "1.0"}
 serde_derive = "1.*"
 regex = "1"
-csv = "1.2.*"
+csv = "1.3.*"
 base64 = "*"
 flate2 = "1.*"
 lazy_static = "1.4.*"
diff --git a/src/detections/configs.rs b/src/detections/configs.rs
index 72ff85ecd..05a4675b3 100644
--- a/src/detections/configs.rs
+++ b/src/detections/configs.rs
@@ -1109,6 +1109,7 @@ pub struct UpdateOption {
 default_value = "./rules",
 hide_default_value = true,
 value_name = "DIR/FILE",
+ requires = "no_wizard",
 display_order = 440
 )]
 pub rules: PathBuf,
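Review bot: `requires = "no_wizard"` is added to `UpdateOption::rules`, but nothing in this hunk shows that `UpdateOption` declares an argument with id `no_wizard`; clap resolves `requires` by argument id and, with debug assertions enabled, panics when the command is built if that id does not exist, so this needs confirming against the rest of the struct (its definition starts above the hunk). Because `rules` also carries `default_value = "./rules"`, it is worth checking how the requirement interacts with the default — as far as I know a defaulted value does not trigger `requires`, so the constraint would only apply to an explicit `-r/--rules`, which is presumably the intent. A short comment next to the attribute would make that explicit, e.g. `// requires applies to an explicit --rules only; the default path does not trigger it`. The same addition appears in the @@ -1469 hunk for `OutputOption::rules`.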
@@ -1194,23 +1195,23 @@ pub struct PivotKeywordOption { pub common_options: CommonOptions, /// Enable rules with a status of deprecated - #[arg(help_heading = Some("Filtering"), short = 'D', long = "enable-deprecated-rules", display_order = 310)] + #[arg(help_heading = Some("Filtering"), short = 'D', long = "enable-deprecated-rules", requires = "no_wizard", display_order = 310)] pub enable_deprecated_rules: bool, /// Enable rules with a status of unsupported - #[arg(help_heading = Some("Filtering"), short = 'u', long = "enable-unsupported-rules", display_order = 312)] + #[arg(help_heading = Some("Filtering"), short = 'u', long = "enable-unsupported-rules", requires = "no_wizard", display_order = 312)] pub enable_unsupported_rules: bool, /// Do not load rules according to status (ex: experimental) (ex: stable,test) - #[arg(help_heading = Some("Filtering"), long = "exclude-status", value_name = "STATUS...", requires="no_wizard", use_value_delimiter = true, value_delimiter = ',', display_order = 316)] + #[arg(help_heading = Some("Filtering"), long = "exclude-status", value_name = "STATUS...", requires = "no_wizard", use_value_delimiter = true, value_delimiter = ',', display_order = 316)] pub exclude_status: Option>, /// Only load rules with specific tags (ex: attack.execution,attack.discovery) - #[arg(help_heading = Some("Filtering"), long = "include-tag", value_name = "TAG...", requires="no_wizard", conflicts_with = "exclude_tag", use_value_delimiter = true, value_delimiter = ',', display_order = 353)] + #[arg(help_heading = Some("Filtering"), long = "include-tag", value_name = "TAG...", requires = "no_wizard", conflicts_with = "exclude_tag", use_value_delimiter = true, value_delimiter = ',', display_order = 353)] pub include_tag: Option>, /// Do not load rules with specific tags (ex: sysmon) - #[arg(help_heading = Some("Filtering"), long = "exclude-tag", value_name = "TAG...", requires="no_wizard", conflicts_with = "include_tag", use_value_delimiter = true, 
value_delimiter = ',', display_order = 316)] + #[arg(help_heading = Some("Filtering"), long = "exclude-tag", value_name = "TAG...", requires = "no_wizard", conflicts_with = "include_tag", use_value_delimiter = true, value_delimiter = ',', display_order = 316)] pub exclude_tag: Option>, /// Minimum level for rules to load (default: informational) @@ -1221,7 +1222,7 @@ pub struct PivotKeywordOption { default_value = "informational", hide_default_value = true, value_name = "LEVEL", - requires="no_wizard", + requires = "no_wizard", conflicts_with = "exact_level", display_order = 390 )] @@ -1233,14 +1234,14 @@ pub struct PivotKeywordOption { short = 'e', long = "exact-level", value_name = "LEVEL", - requires="no_wizard", + requires = "no_wizard", conflicts_with = "min_level", display_order = 313 )] pub exact_level: Option, /// Enable rules set to noisy (./rules/config/noisy_rules.txt) - #[arg(help_heading = Some("Filtering"), short = 'n', long = "enable-noisy-rules", display_order = 311)] + #[arg(help_heading = Some("Filtering"), short = 'n', long = "enable-noisy-rules", requires = "no_wizard", display_order = 311)] pub enable_noisy_rules: bool, /// End time of the event logs to load (ex: "2022-02-22 23:59:59 +09:00") 
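Review bot: The filter fields tagged `requires = "no_wizard"` here in `PivotKeywordOption` are repeated field-for-field in `OutputOption` (@@ -1346 and the hunks after it), and the two copies already drift — `OutputOption` has `include_category`/`exclude_category`, this struct does not — so the new constraint now has to be maintained in two places. Both structs already pull in shared options through `common_options: CommonOptions` (presumably via `#[command(flatten)]`); the same mechanism would let these filtering flags live in one struct. Nothing states why the flags depend on `--no-wizard`; a plain `//` comment above the first of them (not `///`, which clap turns into help text) would help, e.g. `// Filtering flags are only accepted with --no-wizard; in wizard mode they are selected interactively` — that reason is inferred, not shown here, so confirm before adding it. The `enable_noisy_rules` change in the @@ -1233 hunk belongs to the same set. `PivotKeywordOption` begins outside the hunk.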
@@ -1346,27 +1347,27 @@ pub struct OutputOption { pub common_options: CommonOptions, /// Enable rules with a status of deprecated - #[arg(help_heading = Some("Filtering"), short = 'D', long = "enable-deprecated-rules", display_order = 310)] + #[arg(help_heading = Some("Filtering"), short = 'D', long = "enable-deprecated-rules", requires = "no_wizard", display_order = 310)] pub enable_deprecated_rules: bool, /// Enable rules with a status of unsupported - #[arg(help_heading = Some("Filtering"), short = 'u', long = "enable-unsupported-rules", display_order = 312)] + #[arg(help_heading = Some("Filtering"), short = 'u', long = "enable-unsupported-rules", requires = "no_wizard", display_order = 312)] pub enable_unsupported_rules: bool, /// Do not load rules according to status (ex: experimental) (ex: stable,test) - #[arg(help_heading = Some("Filtering"), long = "exclude-status", value_name = "STATUS...", requires="no_wizard", use_value_delimiter = true, value_delimiter = ',', display_order = 316)] + #[arg(help_heading = Some("Filtering"), long = "exclude-status", value_name = "STATUS...", requires = "no_wizard", use_value_delimiter = true, value_delimiter = ',', display_order = 316)] pub exclude_status: Option>, /// Only load rules with specific tags (ex: attack.execution,attack.discovery) - #[arg(help_heading = Some("Filtering"), long = "include-tag", value_name = "TAG...", requires="no_wizard", conflicts_with = "exclude_tag", use_value_delimiter = true, value_delimiter = ',', display_order = 353)] + #[arg(help_heading = Some("Filtering"), long = "include-tag", value_name = "TAG...", requires = "no_wizard", conflicts_with = "exclude_tag", use_value_delimiter = true, value_delimiter = ',', display_order = 353)] pub include_tag: Option>, /// Only load rules with specified logsource categories (ex: process_creation,pipe_created) - #[arg(help_heading = Some("Filtering"), long = "include-category", value_name = "CATEGORY...", conflicts_with = "exclude-category", 
use_value_delimiter = true, value_delimiter = ',', display_order = 351)] + #[arg(help_heading = Some("Filtering"), long = "include-category", value_name = "CATEGORY...", conflicts_with = "exclude-category", requires = "no_wizard", use_value_delimiter = true, value_delimiter = ',', display_order = 351)] pub include_category: Option>, /// Do not load rules with specified logsource categories (ex: process_creation,pipe_created) - #[arg(help_heading = Some("Filtering"), long = "exclude-category", value_name = "CATEGORY...", conflicts_with = "include_category",use_value_delimiter = true, value_delimiter = ',', display_order = 314)] + #[arg(help_heading = Some("Filtering"), long = "exclude-category", value_name = "CATEGORY...", conflicts_with = "include_category", requires = "no_wizard", use_value_delimiter = true, value_delimiter = ',', display_order = 314)] pub exclude_category: Option>, /// Minimum level for rules to load (default: informational) @@ -1375,7 +1376,7 @@ pub struct OutputOption { short = 'm', long = "min-level", default_value = "informational", - requires="no_wizard", + requires = "no_wizard", hide_default_value = true, value_name = "LEVEL", display_order = 390, @@ -1388,14 +1389,14 @@ pub struct OutputOption { short = 'e', long = "exact-level", value_name = "LEVEL", - requires="no_wizard", + requires = "no_wizard", conflicts_with = "min-level", display_order = 313 )] pub exact_level: Option, /// Enable rules set to noisy (./rules/config/noisy_rules.txt) - #[arg(help_heading = Some("Filtering"), short = 'n', long = "enable-noisy-rules", display_order = 311)] + #[arg(help_heading = Some("Filtering"), short = 'n', long = "enable-noisy-rules", requires = "no_wizard", display_order = 311)] pub enable_noisy_rules: bool, /// End time of the event logs to load (ex: "2022-02-22 23:59:59 +09:00") 
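Review bot: The rewritten `include_category` attribute keeps `conflicts_with = "exclude-category"` (hyphenated), while its counterpart `exclude_category` two lines down uses `conflicts_with = "include_category"` (underscore); clap matches `conflicts_with` against the argument id, which for derive-generated args is the field name, so the hyphenated form looks like it names a non-existent id and the conflict would either go unenforced or trip clap's debug assertion at startup. If that holds, the line should read `conflicts_with = "exclude_category"`. The same pattern appears in the @@ -1388 hunk, where `OutputOption::exact_level` has `conflicts_with = "min-level"` whereas `PivotKeywordOption::exact_level` (@@ -1233) uses `"min_level"`. `OutputOption` begins before this hunk.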
@@ -1415,7 +1416,7 @@ pub struct OutputOption { pub proven_rules: bool, /// Do not load rules with specific tags (ex: sysmon) - #[arg(help_heading = Some("Filtering"), long = "exclude-tag", value_name = "TAG...", requires="no_wizard", conflicts_with = "include_tag", use_value_delimiter = true, value_delimiter = ',', display_order = 316)] + #[arg(help_heading = Some("Filtering"), long = "exclude-tag", value_name = "TAG...", requires = "no_wizard", conflicts_with = "include_tag", use_value_delimiter = true, value_delimiter = ',', display_order = 316)] pub exclude_tag: Option>, /// Scan only specified EIDs for faster speed (ex: 1) (ex: 1,4688) @@ -1469,6 +1470,7 @@ pub struct OutputOption { default_value = "./rules", hide_default_value = true, value_name = "DIR/FILE", + requires = "no_wizard", display_order = 440 )] pub rules: PathBuf,