added prompt that asks the user which sigma rules they want to enable by default #1191

Merged
30 commits
ede9f3d
build(Cargo): added dialoguer to add interactive prompt #1188
hitenkoku Oct 18, 2023
393b4ef
feat(configs,yaml): added specified status store to choice status by …
hitenkoku Oct 18, 2023
c1e2234
feat: added prompt to ask the user which sigma rules they want to ena…
hitenkoku Oct 18, 2023
018216c
test: adapted test to add no_ask_flag option #1188
hitenkoku Oct 18, 2023
8a10286
Merge branch 'main' into 1188-ask-the-user-which-sigma-rules-they-wan…
hitenkoku Oct 18, 2023
f1facca
docs(CHANGELOG): added #1188
hitenkoku Oct 18, 2023
30be22b
UI(configs): fixed no-asking option category #1188
hitenkoku Oct 18, 2023
a14ddc1
style: fixed clippy error
hitenkoku Oct 18, 2023
2a78cd6
fix(main): fixed level settings is disabled by selected menu #1188
hitenkoku Oct 19, 2023
df6e009
UI(main): modified newline position after prompt #1188
hitenkoku Oct 19, 2023
0dd6c11
update changelog
YamatoSecurity Oct 19, 2023
cfad7d8
update changelog
YamatoSecurity Oct 20, 2023
0d2c431
update wording
YamatoSecurity Oct 20, 2023
82a39a3
fix(main): fixed wrong processing of Emerging Threats and Threat Hunt…
hitenkoku Oct 20, 2023
5225290
UI(configs): modified no-asking option to no-wizard option
hitenkoku Oct 20, 2023
16e8201
fix(main): the status of testing is incorrect and test is correct #1188
hitenkoku Oct 20, 2023
eab295a
fix(yaml): fixed wrong include_status rule filter condition #1188
hitenkoku Oct 20, 2023
624f21b
fix(main): fixed rule load error in unused rules command #1188
hitenkoku Oct 20, 2023
4d010ea
test(yaml): added include_status in test to load rules #1188
hitenkoku Oct 20, 2023
d8138bf
refactor: modified no_ask_flag to no_wizard to be same option name #1188
hitenkoku Oct 20, 2023
dac57ae
feat(configs): added requires field with no-wizard option to some opt…
hitenkoku Oct 20, 2023
d76fa8f
test(configs): added no_wizard option of PivotKeywordsList in test #1188
hitenkoku Oct 20, 2023
5e26a9c
feat(configs): added include_tag and exclude_tag in pivot-keywords-li…
hitenkoku Oct 21, 2023
9a71c03
docs(CHANGELOG): added #1195
hitenkoku Oct 21, 2023
a2e2987
fix(main): fixed no load rule when user choose all event and alert ru…
hitenkoku Oct 21, 2023
fba5471
fix(yaml): fixed loaded rule count by filtering level #1188
hitenkoku Oct 21, 2023
5319ade
Merge branch '1188-ask-the-user-which-sigma-rules-they-want-to-enable…
hitenkoku Oct 22, 2023
c940b46
fix(main): fixed rule unload bug with no-wizard option #1195
hitenkoku Oct 22, 2023
af1af31
update changelog
YamatoSecurity Oct 22, 2023
a2971d3
Merge pull request #1196 from Yamato-Security/add-include-and-exclude…
hitenkoku Oct 22, 2023
4 changes: 3 additions & 1 deletion CHANGELOG-Japanese.md
Expand Up @@ -4,7 +4,9 @@

**改善:**

xxx
- 初心者のユーザのために有効にしたいルールを選択するようにスキャンウィザードを追加した。`-w, --no-wizard`オプションを追加すると、従来の形式でHayabusaを実行できる。(すべてのイベントとアラートをスキャンし、オプションを手動でカスタマイズする) (#1188) (@hitenkoku)
- `pivot-keywords-list`コマンドに`--include-tag`オプションを追加し、指定した`tags`フィールドを持つルールのみをロードするようにした。(#1195) (@hitenkoku)
- `pivot-keywords-list`コマンドに`--exclude-tag`オプションを追加し、指定した`tags`フィールドを持つルールをロードしないようにした。(#1195) (@hitenkoku)

**バグ修正:**

4 changes: 3 additions & 1 deletion CHANGELOG.md
Expand Up @@ -4,7 +4,9 @@

**Enhancements:**

xxx
- Added a scan wizard to help new users choose which rules they want to enable. Add the `-w, --no-wizard` option to run Hayabusa in the traditional way. (Scan for all events and alerts, and customize options manually.) (#1188) (@hitenkoku)
- Added the `--include-tag` option to the `pivot-keywords-list` command to only load rules with the specified `tags` field. (#1195) (@hitenkoku)
- Added the `--exclude-tag` option to the `pivot-keywords-list` command to exclude rules with specific `tags` from being loaded. (#1195) (@hitenkoku)

**Bug Fixes:**

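Review bot: the entry for `-w, --no-wizard` reads as purely additive, but this PR also attaches `requires = "no_wizard"` to `--min-level`, `--exact-level`, `--exclude-status`, `--include-tag` and `--exclude-tag` in src/detections/configs.rs, so existing scripts that pass any of those without `-w` will now fail argument parsing. State that here, e.g. "Filter options such as `--min-level` and `--exclude-status` now require `-w, --no-wizard`", so that users running Hayabusa from automated pipelines know to update their command lines before upgrading.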
1 change: 1 addition & 0 deletions Cargo.lock
1 change: 1 addition & 0 deletions Cargo.toml
Expand Up @@ -52,6 +52,7 @@ aho-corasick = "*"
memchr = "2.*"
num = "0.4.0"
indexmap = "2.*"
dialoguer = "*"

[profile.dev]
debug = 0
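Review bot: `dialoguer = "*"` accepts whatever version the registry offers, so a future `cargo update` can pull a breaking or compromised release without any change to this file; pin the requirement to the version Cargo.lock resolved for this PR instead of `*`. The file already does the same for `aho-corasick`, `memchr` and `indexmap`, so the pattern is project-wide and best tightened as a whole, but a newly added crate that reads user input from the terminal is a reasonable place to start.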
17 changes: 15 additions & 2 deletions src/afterfact.rs
Expand Up @@ -629,7 +629,7 @@
)
),
"Results Summary {#results_summary}",
stored_static.html_report_flag,
&stored_static.html_report_flag,
);
}
if tl_start_end_time.1.is_some() {
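Review bot: passing `&stored_static.html_report_flag` only compiles if the callee's parameter type was changed to a reference, and that signature change is not in the visible hunks; it should land in this PR (or already be on main) rather than in a follow-up. Codecov also marks both adjusted call sites (lines 632 and 646) as uncovered, so the HTML-report path with a start/end time currently has no test exercising it.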
Expand All @@ -643,7 +643,7 @@
)
),
"Results Summary {#results_summary}",
stored_static.html_report_flag,
&stored_static.html_report_flag,
);
println!();
}
Expand Down Expand Up @@ -1903,6 +1903,7 @@
no_field: false,
remove_duplicate_data: false,
remove_duplicate_detections: false,
no_wizard: true,
},
geo_ip: None,
output: Some(Path::new("./test_emit_csv.csv").to_path_buf()),
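Review bot: every fixture in this file sets `no_wizard: true`, so the wizard branch is never exercised by the test suite. Since a dialoguer prompt needs a terminal, consider factoring the selection logic (mapping the chosen menu entries to the `include_status` set and level filters) into a function that can be unit-tested without a TTY, and add a test for it alongside these fixtures.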
Expand Down Expand Up @@ -1991,6 +1992,7 @@
no_field: false,
remove_duplicate_data: false,
remove_duplicate_detections: false,
no_wizard: true,
};
let ch = mock_ch_filter
.get(&CompactString::from("security"))
Expand Down Expand Up @@ -2229,6 +2231,7 @@
no_field: false,
remove_duplicate_data: false,
remove_duplicate_detections: false,
no_wizard: true,
},
geo_ip: None,
output: Some(Path::new("./test_emit_csv_multiline.csv").to_path_buf()),
Expand Down Expand Up @@ -2319,6 +2322,7 @@
no_field: false,
remove_duplicate_data: false,
remove_duplicate_detections: false,
no_wizard: true,
};
let ch = mock_ch_filter
.get(&CompactString::from("security"))
Expand Down Expand Up @@ -2543,6 +2547,7 @@
no_field: false,
remove_duplicate_data: true,
remove_duplicate_detections: false,
no_wizard: true,
},
geo_ip: None,
output: Some(Path::new("./test_emit_csv_remove_duplicate.csv").to_path_buf()),
Expand Down Expand Up @@ -2631,6 +2636,7 @@
no_field: false,
remove_duplicate_data: false,
remove_duplicate_detections: false,
no_wizard: true,
};
let ch = mock_ch_filter
.get(&CompactString::from("security"))
Expand Down Expand Up @@ -2866,6 +2872,7 @@
no_field: false,
remove_duplicate_data: true,
remove_duplicate_detections: false,
no_wizard: true,
},
geo_ip: None,
output: Some(Path::new("./test_emit_csv_remove_duplicate.json").to_path_buf()),
Expand Down Expand Up @@ -2954,6 +2961,7 @@
no_field: false,
remove_duplicate_data: true,
remove_duplicate_detections: false,
no_wizard: true,
};
let ch = mock_ch_filter
.get(&CompactString::from("security"))
Expand Down Expand Up @@ -3274,6 +3282,7 @@
no_field: false,
remove_duplicate_data: false,
remove_duplicate_detections: false,
no_wizard: true,
};
let data: Vec<(CompactString, Profile)> = vec![
(
Expand Down Expand Up @@ -3412,6 +3421,7 @@
no_field: false,
remove_duplicate_data: false,
remove_duplicate_detections: false,
no_wizard: true,
},
geo_ip: None,
output: Some(Path::new("./test_emit_csv_json.json").to_path_buf()),
Expand Down Expand Up @@ -3499,6 +3509,7 @@
no_field: false,
remove_duplicate_data: false,
remove_duplicate_detections: false,
no_wizard: true,
};
let ch = mock_ch_filter
.get(&CompactString::from("security"))
Expand Down Expand Up @@ -3675,6 +3686,7 @@
no_field: false,
remove_duplicate_data: false,
remove_duplicate_detections: false,
no_wizard: true,
},
geo_ip: None,
output: Some(Path::new("./test_emit_csv_jsonl.jsonl").to_path_buf()),
Expand Down Expand Up @@ -3762,6 +3774,7 @@
no_field: false,
remove_duplicate_data: false,
remove_duplicate_detections: false,
no_wizard: true,
};
let ch = mock_ch_filter
.get(&CompactString::from("security"))
46 changes: 40 additions & 6 deletions src/detections/configs.rs
Expand Up @@ -81,6 +81,7 @@
pub exclude_computer: HashSet<CompactString>,
pub include_eid: HashSet<CompactString>,
pub exclude_eid: HashSet<CompactString>,
pub include_status: HashSet<CompactString>, // 読み込み対象ルールのステータスのセット。*はすべてのステータスを読み込む
pub field_data_map: Option<FieldDataMap>,
pub enable_recover_records: bool,
pub timeline_offset: Option<String>,
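Review bot: the comment on `include_status` is in Japanese while the rest of this code base's comments are English, and it is a trailing `//` rather than a `///` doc comment; rewrite it as an English doc comment, e.g. `/// Statuses of the rules to load; "*" loads rules of every status`, so the `*` wildcard convention shows up in generated docs and is readable by every maintainer.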
Expand Down Expand Up @@ -630,6 +631,7 @@
field_data_map,
enable_recover_records,
timeline_offset,
include_status: HashSet::new(),
};
ret.profiles = load_profile(
check_setting_path(
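Review bot: `include_status` starts as an empty set here, but the field comment says `*` is the wildcard that loads every status; unless the loader treats an empty set the same as `*`, the `-w, --no-wizard` path (where the wizard never populates it) would load no rules at all. The filter condition lives in yaml.rs, which is not in the visible hunks, so please either point at the test covering the empty-set case (commit 4d010ea adds `include_status` to the rule-loading test) or initialise the set with `*` explicitly so the default is self-evident.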
Expand Down Expand Up @@ -1191,9 +1193,17 @@
pub enable_unsupported_rules: bool,

/// Do not load rules according to status (ex: experimental) (ex: stable,test)
#[arg(help_heading = Some("Filtering"), long = "exclude-status", value_name = "STATUS...", use_value_delimiter = true, value_delimiter = ',', display_order = 316)]
#[arg(help_heading = Some("Filtering"), long = "exclude-status", value_name = "STATUS...", requires="no_wizard", use_value_delimiter = true, value_delimiter = ',', display_order = 316)]
pub exclude_status: Option<Vec<String>>,

/// Only load rules with specific tags (ex: attack.execution,attack.discovery)
#[arg(help_heading = Some("Filtering"), long = "include-tag", value_name = "TAG...", requires="no_wizard", conflicts_with = "exclude_tag", use_value_delimiter = true, value_delimiter = ',', display_order = 353)]
pub include_tag: Option<Vec<String>>,
/// Do not load rules with specific tags (ex: sysmon)
#[arg(help_heading = Some("Filtering"), long = "exclude-tag", value_name = "TAG...", requires="no_wizard", conflicts_with = "include_tag", use_value_delimiter = true, value_delimiter = ',', display_order = 316)]
pub exclude_tag: Option<Vec<String>>,
/// Minimum level for rules to load (default: informational)
#[arg(
help_heading = Some("Filtering"),
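Review bot: `exclude_tag` is given `display_order = 316`, the same value `exclude-status` already uses two entries above, so the two options will sort arbitrarily in `--help`; pick a distinct value. Also, the new `requires="no_wizard"` is written without spaces while the neighbouring attribute arguments (`conflicts_with = "exclude_tag"`, `use_value_delimiter = true`) use `key = value`; rustfmt does not normalise attribute arguments, so match the style by hand.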
Expand All @@ -1202,6 +1212,7 @@
default_value = "informational",
hide_default_value = true,
value_name = "LEVEL",
requires="no_wizard",
conflicts_with = "exact_level",
display_order = 390
)]
Expand All @@ -1213,6 +1224,7 @@
short = 'e',
long = "exact-level",
value_name = "LEVEL",
requires="no_wizard",
conflicts_with = "min_level",
display_order = 313
)]
Expand Down Expand Up @@ -1248,6 +1260,10 @@
/// Overwrite files when saving
#[arg(help_heading = Some("General Options"), short='C', long = "clobber", display_order = 290, requires = "output")]
pub clobber: bool,

/// Do not ask questions. Scan for all events and alerts.
#[arg(help_heading = Some("General Options"), short = 'w', long = "no-wizard", display_order = 400)]
pub no_wizard: bool,

}

#[derive(Args, Clone, Debug)]
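Review bot: the help text "Do not ask questions. Scan for all events and alerts." describes the outcome but not that this flag is also what unlocks `--min-level`, `--exact-level`, `--exclude-status`, `--include-tag` and `--exclude-tag` (all of which now carry `requires = "no_wizard"`); mention that here, because the clap error a user sees only says that the argument requires `--no-wizard`. Separately, an interactive dialoguer prompt with stdin redirected (cron, CI, a SIEM-driven runner) has no terminal to read from; consider treating a non-TTY stdin as `no_wizard = true` so an unattended scan cannot stall waiting for input.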
Expand Down Expand Up @@ -1329,11 +1345,11 @@
pub enable_unsupported_rules: bool,

/// Do not load rules according to status (ex: experimental) (ex: stable,test)
#[arg(help_heading = Some("Filtering"), long = "exclude-status", value_name = "STATUS...", use_value_delimiter = true, value_delimiter = ',', display_order = 316)]
#[arg(help_heading = Some("Filtering"), long = "exclude-status", value_name = "STATUS...", requires="no_wizard", use_value_delimiter = true, value_delimiter = ',', display_order = 316)]
pub exclude_status: Option<Vec<String>>,

/// Only load rules with specific tags (ex: attack.execution,attack.discovery)
#[arg(help_heading = Some("Filtering"), long = "include-tag", value_name = "TAG...", conflicts_with = "exclude_tag", use_value_delimiter = true, value_delimiter = ',', display_order = 353)]
#[arg(help_heading = Some("Filtering"), long = "include-tag", value_name = "TAG...", requires="no_wizard", conflicts_with = "exclude_tag", use_value_delimiter = true, value_delimiter = ',', display_order = 353)]
pub include_tag: Option<Vec<String>>,

/// Only load rules with specified logsource categories (ex: process_creation,pipe_created)
Expand All @@ -1350,6 +1366,7 @@
short = 'm',
long = "min-level",
default_value = "informational",
requires="no_wizard",
hide_default_value = true,
value_name = "LEVEL",
display_order = 390,
Expand All @@ -1362,6 +1379,7 @@
short = 'e',
long = "exact-level",
value_name = "LEVEL",
requires="no_wizard",
conflicts_with = "min-level",
display_order = 313
)]
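Review bot: the context line `conflicts_with = "min-level"` appears to use the CLI flag name where clap expects the argument id, which is the field name `min_level` (the first option struct spells it `conflicts_with = "min_level"` at the equivalent spot); clap's debug assertions reject an unknown id. Not introduced by this PR, but since `requires = "no_wizard"` is being added to the same attribute, fixing it in passing keeps the two `exact-level` definitions consistent.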
Expand All @@ -1388,7 +1406,7 @@
pub proven_rules: bool,

/// Do not load rules with specific tags (ex: sysmon)
#[arg(help_heading = Some("Filtering"), long = "exclude-tag", value_name = "TAG...", conflicts_with = "include_tag", use_value_delimiter = true, value_delimiter = ',', display_order = 316)]
#[arg(help_heading = Some("Filtering"), long = "exclude-tag", value_name = "TAG...", requires="no_wizard", conflicts_with = "include_tag", use_value_delimiter = true, value_delimiter = ',', display_order = 316)]
pub exclude_tag: Option<Vec<String>>,

/// Scan only specified EIDs for faster speed (ex: 1) (ex: 1,4688)
Expand Down Expand Up @@ -1474,6 +1492,10 @@
/// Remove duplicate detections (default: disabled)
#[arg(help_heading = Some("Output"), short = 'X', long = "remove-duplicate-detections", display_order = 441)]
pub remove_duplicate_detections: bool,

/// Do not ask questions. Scan for all events and alerts.
#[arg(help_heading = Some("General Options"), short = 'w', long = "no-wizard", display_order = 400)]
pub no_wizard: bool,

}

#[derive(Copy, Args, Clone, Debug)]
Expand Down Expand Up @@ -2131,15 +2153,16 @@
enable_unsupported_rules: option.enable_unsupported_rules,
clobber: option.clobber,
proven_rules: false,
include_tag: None,
exclude_tag: None,
include_tag: option.include_tag.clone(),
exclude_tag: option.exclude_tag.clone(),
include_category: None,
exclude_category: None,
include_eid: option.include_eid.clone(),
exclude_eid: option.exclude_eid.clone(),
no_field: false,
remove_duplicate_data: false,
remove_duplicate_detections: false,
no_wizard: option.no_wizard,
}),
Action::EidMetrics(option) => Some(OutputOption {
input_args: option.input_args.clone(),
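Review bot: `include_tag`/`exclude_tag` are now forwarded from the action's own options instead of being hardcoded `None`, and because both `#[arg]`s carry `requires = "no_wizard"`, the `no_wizard: option.no_wizard` added in the same hunk is what makes them usable at all. Add a test asserting that this action with `--include-tag` actually narrows the loaded rule set; Codecov reports the new argument definitions as uncovered, so nothing currently checks the end-to-end behaviour.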
Expand Down Expand Up @@ -2177,6 +2200,7 @@
no_field: false,
remove_duplicate_data: false,
remove_duplicate_detections: false,
no_wizard: true,
}),
Action::LogonSummary(option) => Some(OutputOption {
input_args: option.input_args.clone(),
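Review bot: `no_wizard: true` is repeated by hand for every non-scan action (EidMetrics, LogonSummary, ComputerMetrics, Search, SetDefaultProfile, UpdateRules) and in each test fixture. A `Default` impl for `OutputOption`, or a small non-interactive constructor, would make the intended invariant explicit (only the scan-style commands ever prompt) and prevent a future action from accidentally prompting when it is run unattended.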
Expand Down Expand Up @@ -2214,6 +2238,7 @@
no_field: false,
remove_duplicate_data: false,
remove_duplicate_detections: false,
no_wizard: true,
}),
Action::ComputerMetrics(option) => Some(OutputOption {
input_args: option.input_args.clone(),
Expand Down Expand Up @@ -2260,6 +2285,7 @@
no_field: false,
remove_duplicate_data: false,
remove_duplicate_detections: false,
no_wizard: true,
}),
Action::Search(option) => Some(OutputOption {
input_args: option.input_args.clone(),
Expand Down Expand Up @@ -2306,6 +2332,7 @@
no_field: false,
remove_duplicate_data: false,
remove_duplicate_detections: false,
no_wizard: true,
}),
Action::SetDefaultProfile(option) => Some(OutputOption {
input_args: InputOption {
Expand Down Expand Up @@ -2358,6 +2385,7 @@
no_field: false,
remove_duplicate_data: false,
remove_duplicate_detections: false,
no_wizard: true,

}),
Action::UpdateRules(option) => Some(OutputOption {
input_args: InputOption {
Expand Down Expand Up @@ -2410,6 +2438,7 @@
no_field: false,
remove_duplicate_data: false,
remove_duplicate_detections: false,
no_wizard: true,
}),
_ => None,
}
Expand Down Expand Up @@ -2658,6 +2687,7 @@
no_field: false,
remove_duplicate_data: false,
remove_duplicate_detections: false,
no_wizard: true,
},
geo_ip: None,
output: None,
Expand Down Expand Up @@ -2729,6 +2759,7 @@
no_field: false,
remove_duplicate_data: false,
remove_duplicate_detections: false,
no_wizard: true,
},
geo_ip: None,
output: None,
Expand Down Expand Up @@ -2915,6 +2946,9 @@
eid_filter: false,
include_eid: None,
exclude_eid: None,
no_wizard: true,
include_tag: None,
exclude_tag: None,
})),
debug: false,
}));