From 5e26a9ccbb12d8f6985e14ac1fa86f91cf442279 Mon Sep 17 00:00:00 2001
From: DastInDark <2350416+hitenkoku@users.noreply.github.com>
Date: Sat, 21 Oct 2023 13:00:07 +0900
Subject: [PATCH 1/4] feat(configs): added include_tag and exclude_tag in pivot-keywords-list command #1195

---
 src/detections/configs.rs | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/src/detections/configs.rs b/src/detections/configs.rs
index dc030812b..a3b4b5eff 100644
--- a/src/detections/configs.rs
+++ b/src/detections/configs.rs
@@ -1196,6 +1196,14 @@ pub struct PivotKeywordOption {
     #[arg(help_heading = Some("Filtering"), long = "exclude-status", value_name = "STATUS...", requires="no_wizard", use_value_delimiter = true, value_delimiter = ',', display_order = 316)]
     pub exclude_status: Option>,
 
+    /// Only load rules with specific tags (ex: attack.execution,attack.discovery)
+    #[arg(help_heading = Some("Filtering"), long = "include-tag", value_name = "TAG...", requires="no_wizard", conflicts_with = "exclude_tag", use_value_delimiter = true, value_delimiter = ',', display_order = 353)]
+    pub include_tag: Option>,
+
+    /// Do not load rules with specific tags (ex: sysmon)
+    #[arg(help_heading = Some("Filtering"), long = "exclude-tag", value_name = "TAG...", requires="no_wizard", conflicts_with = "include_tag", use_value_delimiter = true, value_delimiter = ',', display_order = 316)]
+    pub exclude_tag: Option>,
+
     /// Minimum level for rules to load (default: informational)
     #[arg(
         help_heading = Some("Filtering"),
@@ -2145,8 +2153,8 @@ fn extract_output_options(config: &Config) -> Option {
             enable_unsupported_rules: option.enable_unsupported_rules,
             clobber: option.clobber,
             proven_rules: false,
-            include_tag: None,
-            exclude_tag: None,
+            include_tag: option.include_tag.clone(),
+            exclude_tag: option.exclude_tag.clone(),
             include_category: None,
             exclude_category: None,
             include_eid: option.include_eid.clone(),
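Review bot: The new `exclude-tag` argument is declared with `display_order = 316`, the same value the existing `exclude-status` argument two lines above already uses, while `include-tag` gets 353; with a tie, the position of `--exclude-tag` in the help output is decided by clap's tie-breaking rather than by this attribute, so the two `exclude-*` options may not appear where intended. Giving it its own value adjacent to `include-tag` (for example `display_order = 354`, a constructed suggestion) keeps the pair together in the "Filtering" section. The `PivotKeywordOption` struct this hunk extends starts and ends outside the hunk.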
@@ -2154,7 +2162,7 @@ fn extract_output_options(config: &Config) -> Option {
             no_field: false,
             remove_duplicate_data: false,
             remove_duplicate_detections: false,
-            no_wizard: true,
+            no_wizard: option.no_wizard,
         }),
         Action::EidMetrics(option) => Some(OutputOption {
             input_args: option.input_args.clone(),
@@ -2939,6 +2947,8 @@ mod tests {
                 include_eid: None,
                 exclude_eid: None,
                 no_wizard: true,
+                include_tag: None,
+                exclude_tag: None,
             })),
             debug: false,
         }));

From 9a71c03bcc7172e597b56932e49339f189dfc09d Mon Sep 17 00:00:00 2001
From: DastInDark <2350416+hitenkoku@users.noreply.github.com>
Date: Sat, 21 Oct 2023 13:08:46 +0900
Subject: [PATCH 2/4] docs(CHANGELOG): added #1195

---
 CHANGELOG-Japanese.md | 2 ++
 CHANGELOG.md | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/CHANGELOG-Japanese.md b/CHANGELOG-Japanese.md
index 78c674cc4..e34ba41cd 100644
--- a/CHANGELOG-Japanese.md
+++ b/CHANGELOG-Japanese.md
@@ -5,6 +5,8 @@
 **改善:**
 
 - 初心者のユーザのために有効にしたいルールを選択するようにスキャンウィザードを追加した。`-w, --no-wizard`オプションを追加すると、従来の形式でHayabusaを実行できる。(すべてのイベントとアラートをスキャンし、オプションを手動でカスタマイズする) (#1188) (@hitenkoku)
+- `pivot-keywords-list`コマンドに`--include-tag`オプションを追加し、指定した`tags`フィールドを持つルールのみをロードするようにした。(#1195) (@hitenkoku)
+- `pivot-keywords-list`コマンドに`--exclude-tag`オプションを追加し、指定した`tags`フィールドを持つルールをロードしないようにした。(#1195) (@hitenkoku)
 
 **バグ修正:**
 
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 636635b0f..5a6fb114c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
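Review bot: `no_wizard: option.no_wizard` replaces a hard-coded `true`, so `pivot-keywords-list` presumably now takes the wizard path whenever `-w` is absent, yet the only fixture this series touches (the `mod tests` hunk further down, which merely adds `include_tag: None, exclude_tag: None`) still sets `no_wizard: true`, so neither the new default nor the two new tag filters is exercised. A test that builds the `pivot-keywords-list` action with `--include-tag` and asserts that `extract_output_options` carries the value through would cover the wiring this commit adds, and one with the flag omitted would pin the new `no_wizard` default. `extract_output_options` starts and ends outside the hunk.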
@@ -5,6 +5,8 @@
 **Enhancements:**
 
 - Added a scan wizard to help new users choose which rules they want to enable. Add the `-w, --no-wizard` option to run Hayabusa in the traditional way. (Scan for all events and alerts, and customize options manually.) (#1188) (@hitenkoku)
+- Added the `--include-tag` option to `pivot-keywords-list` command to only load rules with the specified `tags` field. (#1195) (@hitenkoku)
+- Added the `--exclude-tag` option to `pivot-keywords-list` commands to exclude rules with specific `tags` from being loaded. (#1195) (@hitenkoku)
 
 **Bug Fixes:**
 
From c940b461524b09a4a19ae8c26e0a336ceda68d1e Mon Sep 17 00:00:00 2001
From: DastInDark <2350416+hitenkoku@users.noreply.github.com>
Date: Sun, 22 Oct 2023 14:17:23 +0900
Subject: [PATCH 3/4] fix(main): fixed rule unload bug with no-wizard option #1195

---
 src/main.rs | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/src/main.rs b/src/main.rs
index 14e5a4b9f..85beda96b 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -1073,10 +1073,12 @@ impl App {
                             Some(exclude_tags.to_owned());
                     }
                 }
-                println!();
-                println!("Loading detection rules. Please wait.");
-                println!();
+            } else {
+                stored_static.include_status.insert("*".into());
             }
+            println!();
+            println!("Loading detection rules. Please wait.");
+            println!();
 
             if stored_static.html_report_flag {
                 let mut output_data = Nested::::new();

From af1af31ffe56cdd260ef0654a9c3b13d1a337126 Mon Sep 17 00:00:00 2001
From: Yamato Security <71482215+YamatoSecurity@users.noreply.github.com>
Date: Sun, 22 Oct 2023 14:31:04 +0900
Subject: [PATCH 4/4] update changelog

---
 CHANGELOG.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5a6fb114c..e879ed5d0 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
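Review bot: The new `else` branch in `src/main.rs` inserts `"*"` into `stored_static.include_status` unconditionally; if a user-supplied `--include-status` has already been applied to that set by this point, the wildcard would widen the status filter to every rule and silently change what the scan covers — worth confirming, or guarding with `if stored_static.include_status.is_empty()`. The line also deserves a why-comment, since nothing in the hunk explains the sentinel, e.g. `// Wizard skipped: keep the pre-wizard behaviour of loading rules of every status.` The enclosing `if` opens outside the hunk, so the condition that selects the wizard path is not visible here.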
@@ -5,8 +5,8 @@
 **Enhancements:**
 
 - Added a scan wizard to help new users choose which rules they want to enable. Add the `-w, --no-wizard` option to run Hayabusa in the traditional way. (Scan for all events and alerts, and customize options manually.) (#1188) (@hitenkoku)
-- Added the `--include-tag` option to `pivot-keywords-list` command to only load rules with the specified `tags` field. (#1195) (@hitenkoku)
-- Added the `--exclude-tag` option to `pivot-keywords-list` commands to exclude rules with specific `tags` from being loaded. (#1195) (@hitenkoku)
+- Added the `--include-tag` option to the `pivot-keywords-list` command to only load rules with the specified `tags` field. (#1195) (@hitenkoku)
+- Added the `--exclude-tag` option to the `pivot-keywords-list` command to exclude rules with specific `tags` from being loaded. (#1195) (@hitenkoku)
 
 **Bug Fixes:**
 