diff --git a/CHANGELOG-Japanese.md b/CHANGELOG-Japanese.md
index f41e53bf5..adae80362 100644
--- a/CHANGELOG-Japanese.md
+++ b/CHANGELOG-Japanese.md
@@ -8,6 +8,7 @@
 **改善:**
+- `search` コマンドのフィルタオプションを完全一致にするようにした。加えてフィルタオプションはワイルドカード対応をするようにした。 (#1240) (@hitenkoku)
 - `update-rules`コマンドを実行したときに、検知ルールが変更された場合にルール名を出力するようにした。以前は`modified:`フィールドを更新したルールだけが表示されていた。(#1243) (@hitenkoku)
 - `json-timeline`コマンドの標準出力でJSONフォーマットを出力するように修正した。 (#1197) (@hitenkoku)
 - JSON入力でデータが配列内にある場合に解析できるようにした。 (#1248) (@hitenkoku)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 0fdc6300a..629d990ae 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,6 +8,7 @@
 **Enhancements:**
+- Adjusted the `search` command's Filter option to be an exact match and support wildcard characters. (#1240) (@hitenkoku)
 - Any time there is a change in a detection rule, it will be displayed when running the `update-rules` command. Previously, only rules that updated their `modified:` field would be displayed. (#1243) (@hitenkoku)
 - The `json-timeline` command now outputs in JSON format when outputting to the terminal. (#1197) (@hitenkoku)
 - Added support for parsing JSON input when the data is inside an array. (#1248) (@hitenkoku)
@@ -20,7 +21,7 @@
 - XXX
-## 2.12.0 [2023/12/24] "SECCON Christmas Release"
+## 2.12.0 [2023/12/23] "SECCON Christmas Release"
 **Enhancements:**
diff --git a/Cargo.lock b/Cargo.lock
index bc78e3e4c..5aad1d618 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -833,6 +833,7 @@ dependencies = [
  "terminal_size",
  "tokio",
  "ureq",
+ "wildmatch",
  "yaml-rust",
 ]
@@ -2170,6 +2171,12 @@ version = "0.25.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "1778a42e8b3b90bff8d0f5032bf22250792889a5cdc752aa0020c84abe3aaf10"
+[[package]]
+name = "wildmatch"
+version = "2.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "495ec47bf3c1345005f40724f0269362c8556cbc43aed0526ed44cae1d35fceb"
+
 [[package]]
 name = "winapi"
 version = "0.3.9"
diff --git a/Cargo.toml b/Cargo.toml
index ce980e607..9a602cf52 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -4,7 +4,7 @@ version = "2.13.0-dev"
 repository = "https://github.com/Yamato-Security/hayabusa"
 authors = ["Yamato Security @SecurityYamato"]
 edition = "2021"
-rust-version = "1.74.1"
+rust-version = "1.75.0"
 include = ["src/**/*", "LICENSE.txt", "README.md", "CHANGELOG.md"]
 [dependencies]
@@ -53,6 +53,7 @@ memchr = "2.*"
 num = "0.4.0"
 indexmap = "2.*"
 dialoguer = "*"
+wildmatch = "2.*"
 [profile.dev]
 debug = 0
diff --git a/src/detections/configs.rs b/src/detections/configs.rs
index 101e667dd..89495ad49 100644
--- a/src/detections/configs.rs
+++ b/src/detections/configs.rs
@@ -737,7 +737,7 @@ fn check_thread_number(config: &Config) -> Option {
 pub enum Action {
     #[clap(
         author = "Yamato Security (https://github.com/Yamato-Security/hayabusa - @SecurityYamato)",
-        help_template = "\nHayabusa v2.12.0 - SECCON Christmas Release\n{author-with-newline}\n{usage-heading}\n hayabusa.exe csv-timeline [OPTIONS]\n\n{all-args}",
+        help_template = "\nHayabusa v2.13.0 - Dev Build\n{author-with-newline}\n{usage-heading}\n hayabusa.exe csv-timeline [OPTIONS]\n\n{all-args}",
         term_width = 400,
         disable_help_flag = true,
         display_order = 290
@@ -747,7 +747,7 @@ pub enum Action {
     #[clap(
         author = "Yamato Security (https://github.com/Yamato-Security/hayabusa - @SecurityYamato)",
-        help_template = "\nHayabusa v2.12.0 - SECCON Christmas Release\n{author-with-newline}\n{usage-heading}\n hayabusa.exe json-timeline [OPTIONS]\n\n{all-args}",
+        help_template = "\nHayabusa v2.13.0 - Dev Build\n{author-with-newline}\n{usage-heading}\n hayabusa.exe json-timeline [OPTIONS]\n\n{all-args}",
         term_width = 400,
         disable_help_flag = true,
         display_order = 360
@@ -757,7 +757,7 @@ pub enum Action {
     #[clap(
         author = "Yamato Security (https://github.com/Yamato-Security/hayabusa - @SecurityYamato)",
-        help_template = "\nHayabusa v2.12.0 - SECCON Christmas Release\n{author-with-newline}\n{usage-heading}\n hayabusa.exe logon-summary [OPTIONS]\n\n{all-args}",
+        help_template = "\nHayabusa v2.13.0 - Dev Build\n{author-with-newline}\n{usage-heading}\n hayabusa.exe logon-summary [OPTIONS]\n\n{all-args}",
         term_width = 400,
         disable_help_flag = true,
         display_order = 383
@@ -767,7 +767,7 @@ pub enum Action {
     #[clap(
         author = "Yamato Security (https://github.com/Yamato-Security/hayabusa - @SecurityYamato)",
-        help_template = "\nHayabusa v2.12.0 - SECCON Christmas Release\n{author-with-newline}\n{usage-heading}\n hayabusa.exe eid-metrics [OPTIONS]\n\n{all-args}",
+        help_template = "\nHayabusa v2.13.0 - Dev Build\n{author-with-newline}\n{usage-heading}\n hayabusa.exe eid-metrics [OPTIONS]\n\n{all-args}",
         term_width = 400,
         disable_help_flag = true,
         display_order = 310
@@ -777,7 +777,7 @@ pub enum Action {
     #[clap(
         author = "Yamato Security (https://github.com/Yamato-Security/hayabusa - @SecurityYamato)",
-        help_template = "\nHayabusa v2.12.0 - SECCON Christmas Release\n{author-with-newline}\n{usage-heading}\n hayabusa.exe pivot-keywords-list [OPTIONS]\n\n{all-args}",
+        help_template = "\nHayabusa v2.13.0 - Dev Build\n{author-with-newline}\n{usage-heading}\n hayabusa.exe pivot-keywords-list [OPTIONS]\n\n{all-args}",
         term_width = 400,
         disable_help_flag = true,
         display_order = 420
@@ -787,7 +787,7 @@ pub enum Action {
     #[clap(
         author = "Yamato Security (https://github.com/Yamato-Security/hayabusa - @SecurityYamato)",
-        help_template = "\nHayabusa v2.12.0 - SECCON Christmas Release\n{author-with-newline}\n{usage-heading}\n hayabusa.exe search <--keywords \"\" OR --regex \"\"> [OPTIONS]\n\n{all-args}",
+        help_template = "\nHayabusa v2.13.0 - Dev Build\n{author-with-newline}\n{usage-heading}\n hayabusa.exe search <--keywords \"\" OR --regex \"\"> [OPTIONS]\n\n{all-args}",
         term_width = 400,
         disable_help_flag = true,
         display_order = 450
@@ -797,7 +797,7 @@ pub enum Action {
     #[clap(
         author = "Yamato Security (https://github.com/Yamato-Security/hayabusa - @SecurityYamato)",
-        help_template = "\nHayabusa v2.12.0 - SECCON Christmas Release\n{author-with-newline}\n{usage-heading}\n {usage}\n\n{all-args}",
+        help_template = "\nHayabusa v2.13.0 - Dev Build\n{author-with-newline}\n{usage-heading}\n {usage}\n\n{all-args}",
         term_width = 400,
         disable_help_flag = true,
         display_order = 470
@@ -807,7 +807,7 @@ pub enum Action {
     #[clap(
         author = "Yamato Security (https://github.com/Yamato-Security/hayabusa - @SecurityYamato)",
-        help_template = "\nHayabusa v2.12.0 - SECCON Christmas Release\n{author-with-newline}\n{usage-heading}\n {usage}\n\n{all-args}",
+        help_template = "\nHayabusa v2.13.0 - Dev Build\n{author-with-newline}\n{usage-heading}\n {usage}\n\n{all-args}",
         term_width = 400,
         disable_help_flag = true,
         display_order = 380
@@ -817,7 +817,7 @@ pub enum Action {
     #[clap(
         author = "Yamato Security (https://github.com/Yamato-Security/hayabusa - @SecurityYamato)",
-        help_template = "\nHayabusa v2.12.0 - SECCON Christmas Release\n{author-with-newline}\n{usage-heading}\n {usage}\n\n{all-args}",
+        help_template = "\nHayabusa v2.13.0 - Dev Build\n{author-with-newline}\n{usage-heading}\n {usage}\n\n{all-args}",
         term_width = 400,
         disable_help_flag = true,
         display_order = 451
@@ -835,7 +835,7 @@ pub enum Action {
     #[clap(
         author = "Yamato Security (https://github.com/Yamato-Security/hayabusa - @SecurityYamato)",
-        help_template = "\nHayabusa v2.12.0 - SECCON Christmas Release\n{author-with-newline}\n{usage-heading}\n {usage}\n\n{all-args}",
+        help_template = "\nHayabusa v2.13.0 - Dev Build\n{author-with-newline}\n{usage-heading}\n {usage}\n\n{all-args}",
         term_width = 400,
         disable_help_flag = true,
         display_order = 290
@@ -1656,7 +1656,7 @@ pub struct ComputerMetricsOption {
 #[derive(Parser, Clone, Debug)]
 #[clap(
     author = "Yamato Security (https://github.com/Yamato-Security/hayabusa - @SecurityYamato)",
-    help_template = "\nHayabusa v2.12.0 - SECCON Christmas Release\n{author-with-newline}\n{usage-heading}\n hayabusa.exe [OPTIONS]\n hayabusa.exe help \n\n{all-args}{options}",
+    help_template = "\nHayabusa v2.13.0 - Dev Build\n{author-with-newline}\n{usage-heading}\n hayabusa.exe [OPTIONS]\n hayabusa.exe help \n\n{all-args}{options}",
     term_width = 400,
     disable_help_flag = true
 )]
diff --git a/src/timeline/search.rs b/src/timeline/search.rs
index ae3300e2e..25b741c2d 100644
--- a/src/timeline/search.rs
+++ b/src/timeline/search.rs
@@ -18,12 +18,12 @@ use csv::{QuoteStyle, WriterBuilder};
 use downcast_rs::__std::process;
 use hashbrown::{HashMap, HashSet};
 use itertools::Itertools;
-use nested::Nested;
 use regex::Regex;
 use std::fs::File;
 use std::io::BufWriter;
 use std::path::PathBuf;
 use termcolor::{BufferWriter, Color, ColorChoice};
+use wildmatch::WildMatch;
 #[derive(Debug, Clone)]
 pub struct EventSearch {
@@ -98,7 +98,7 @@ impl EventSearch {
     fn filter_record(
         &mut self,
         record: &EvtxRecordInfo,
-        filter_rule: &HashMap>,
+        filter_rule: &HashMap>,
         eventkey_alias: &EventKeyAliasConfig,
     ) -> bool {
         filter_rule.iter().all(|(k, v)| {
@@ -109,10 +109,9 @@ impl EventSearch {
             )
             .unwrap_or_else(|| "n/a".into())
             .replace(['"', '\''], "");
-            // aliasでマッチした場合はaliasに登録されていないフィールドを検索する必要がないためtrueを返す
             if v.iter()
-                .all(|search_target| utils::contains_str(&alias_target_val, search_target))
+                .all(|search_target| search_target.matches(&alias_target_val))
             {
                 return true;
             }
@@ -126,7 +125,7 @@ impl EventSearch {
                 _ => CompactString::new("-"),
             };
             v.iter()
-                .all(|search_target| utils::contains_str(&allfieldinfo, search_target))
+                .all(|search_target| search_target.matches(&allfieldinfo))
         })
     }
@@ -238,7 +237,7 @@ impl EventSearch {
 }
 /// filters からフィルタリング条件を作成する関数
-fn create_filter_rule(filters: &[String]) -> HashMap> {
+fn create_filter_rule(filters: &[String]) -> HashMap> {
     filters
         .iter()
         .fold(HashMap::new(), |mut acc, filter_condition| {
@@ -250,10 +249,10 @@ fn create_filter_rule(filters: &[String]) -> HashMap> {
                 .unwrap_or(prefix_trim_condition);
             let condition = trimed_condition.split(':').map(|x| x.trim()).collect_vec();
             if condition.len() != 1 {
-                let acc_val = acc
-                    .entry(condition[0].to_string())
-                    .or_insert(Nested::::new());
-                acc_val.push(condition[1..].join(":"));
+                let acc_val = acc.entry(condition[0].to_string()).or_insert(vec![]);
+                condition[1..]
+                    .iter()
+                    .for_each(|x| acc_val.push(WildMatch::new(x)));
             }
             acc
         })
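Review bot: The comment explaining why an alias hit may return early was removed without an English replacement, so the `return true` in this hunk now reads as an unexplained shortcut; restore it above the `if` as `// An alias match means the fields not registered as aliases need not be searched, so stop here.`. Separately, `search_target.matches(...)` here and in the -126 hunk replaces a substring test with a whole-value wildcard match, which the changelog describes as "exact match"; if the former `utils::contains_str` was case-insensitive, this also tightens case handling, which is worth confirming and stating in the filter option's help text since existing filter values that relied on partial or case-insensitive matching will silently stop matching. filter_record starts and ends outside this hunk.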
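Review bot: Filter values that contain a colon stop working in this hunk: the removed code rejoined `condition[1..]` with `":"` so a filter like `Key:a:b` produced the single value `a:b`, whereas the new loop pushes `a` and `b` as two separate `WildMatch` patterns, and because `filter_record` (hunks -109 and -126) requires every pattern in the vector to match the same field value in full, such a filter can never match unless the segments are themselves wildcards. Keep the join and build one pattern: `acc_val.push(WildMatch::new(&condition[1..].join(":")));`. `or_insert(vec![])` could also be written `or_default()`. The fold closure ends here, but create_filter_rule's closing brace is outside the hunk.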