
feat: added wild card and exact search in filter option #1240 #1249

Merged
9 changes: 5 additions & 4 deletions CHANGELOG-Japanese.md
@@ -2,19 +2,20 @@

## 2.13.0 [2024/XX/XX] "XXX Release"

**New Features:**
**新機能:**

- XXX

**Enhancements:**
**改善:**

- `search` コマンドのフィルタオプションを完全一致にするようにした。加えてフィルタオプションはワイルドカード対応をするようにした。 (#1240) (@hitenkoku)
- `update-rules`コマンドを実行したときに、検知ルールが変更された場合にルール名を出力するようにした。以前は`modified:`フィールドを更新したルールだけが表示されていた。(#1243) (@hitenkoku)

**Bug Fixes:**
**バグ修正:**

- XXX

**Other:**
**その他:**

- XXX

3 changes: 2 additions & 1 deletion CHANGELOG.md
@@ -8,6 +8,7 @@

**Enhancements:**

- Adjusted the `search` command's Filter option to be an exact match and support wildcard characters. (#1240) (@hitenkoku)
- Any time there is a change in a detection rule, it will be displayed when running the `update-rules` command. Previously, only rules that updated their `modified:` field would be displayed. (#1243) (@hitenkoku)

**Bug Fixes:**
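Review bot: the new `search` filter entry should say which wildcard characters are accepted and that the old substring behaviour is gone, because this is a breaking change for existing filter invocations: the same PR replaces `utils::contains_str` with `WildMatch::matches` in src/timeline/search.rs, so a filter like `Channel:Sec` that used to match `Security` no longer will, and users need `Channel:Sec*` (assuming the `*`/`?` syntax of the `wildmatch` crate added in Cargo.toml). Suggested wording: "Adjusted the `search` command's Filter option to be an exact match; `*` and `?` are accepted as wildcards, so partial matches now need `*`."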
@@ -18,7 +19,7 @@

- XXX

## 2.12.0 [2023/12/24] "SECCON Christmas Release"
## 2.12.0 [2023/12/23] "SECCON Christmas Release"

**Enhancements:**

7 changes: 7 additions & 0 deletions Cargo.lock


3 changes: 2 additions & 1 deletion Cargo.toml
@@ -4,7 +4,7 @@ version = "2.13.0-dev"
repository = "https://github.com/Yamato-Security/hayabusa"
authors = ["Yamato Security @SecurityYamato"]
edition = "2021"
rust-version = "1.74.1"
rust-version = "1.75.0"
include = ["src/**/*", "LICENSE.txt", "README.md", "CHANGELOG.md"]

[dependencies]
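Review bot: the `rust-version` bump from 1.74.1 to 1.75.0 is not mentioned in either CHANGELOG hunk. If the new `wildmatch` dependency requires it, state that in the PR description and the changelog; otherwise leave the MSRV unchanged, since the bump silently refuses builds on the toolchain that compiled 2.12.0.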
@@ -53,6 +53,7 @@ memchr = "2.*"
num = "0.4.0"
indexmap = "2.*"
dialoguer = "*"
wildmatch = "2.*"

[profile.dev]
debug = 0
22 changes: 11 additions & 11 deletions src/detections/configs.rs
@@ -737,7 +737,7 @@ fn check_thread_number(config: &Config) -> Option<usize> {
pub enum Action {
#[clap(
author = "Yamato Security (https://github.com/Yamato-Security/hayabusa - @SecurityYamato)",
help_template = "\nHayabusa v2.12.0 - SECCON Christmas Release\n{author-with-newline}\n{usage-heading}\n hayabusa.exe csv-timeline <INPUT> [OPTIONS]\n\n{all-args}",
help_template = "\nHayabusa v2.13.0 - Dev Build\n{author-with-newline}\n{usage-heading}\n hayabusa.exe csv-timeline <INPUT> [OPTIONS]\n\n{all-args}",
term_width = 400,
disable_help_flag = true,
display_order = 290
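Review bot: the banner `Hayabusa v2.13.0 - Dev Build` is hand-edited in eleven separate `help_template` strings in this file, while the version already lives in Cargo.toml as `version = "2.13.0-dev"`. A single `const` for the banner (or one derived from `env!("CARGO_PKG_VERSION")`) would make a release bump a one-line change and remove the risk of one template being missed.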
@@ -747,7 +747,7 @@ pub enum Action {

#[clap(
author = "Yamato Security (https://github.com/Yamato-Security/hayabusa - @SecurityYamato)",
help_template = "\nHayabusa v2.12.0 - SECCON Christmas Release\n{author-with-newline}\n{usage-heading}\n hayabusa.exe json-timeline <INPUT> [OPTIONS]\n\n{all-args}",
help_template = "\nHayabusa v2.13.0 - Dev Build\n{author-with-newline}\n{usage-heading}\n hayabusa.exe json-timeline <INPUT> [OPTIONS]\n\n{all-args}",
term_width = 400,
disable_help_flag = true,
display_order = 360
@@ -757,7 +757,7 @@ pub enum Action {

#[clap(
author = "Yamato Security (https://github.com/Yamato-Security/hayabusa - @SecurityYamato)",
help_template = "\nHayabusa v2.12.0 - SECCON Christmas Release\n{author-with-newline}\n{usage-heading}\n hayabusa.exe logon-summary <INPUT> [OPTIONS]\n\n{all-args}",
help_template = "\nHayabusa v2.13.0 - Dev Build\n{author-with-newline}\n{usage-heading}\n hayabusa.exe logon-summary <INPUT> [OPTIONS]\n\n{all-args}",
term_width = 400,
disable_help_flag = true,
display_order = 383
@@ -767,7 +767,7 @@ pub enum Action {

#[clap(
author = "Yamato Security (https://github.com/Yamato-Security/hayabusa - @SecurityYamato)",
help_template = "\nHayabusa v2.12.0 - SECCON Christmas Release\n{author-with-newline}\n{usage-heading}\n hayabusa.exe eid-metrics <INPUT> [OPTIONS]\n\n{all-args}",
help_template = "\nHayabusa v2.13.0 - Dev Build\n{author-with-newline}\n{usage-heading}\n hayabusa.exe eid-metrics <INPUT> [OPTIONS]\n\n{all-args}",
term_width = 400,
disable_help_flag = true,
display_order = 310
@@ -777,7 +777,7 @@ pub enum Action {

#[clap(
author = "Yamato Security (https://github.com/Yamato-Security/hayabusa - @SecurityYamato)",
help_template = "\nHayabusa v2.12.0 - SECCON Christmas Release\n{author-with-newline}\n{usage-heading}\n hayabusa.exe pivot-keywords-list <INPUT> [OPTIONS]\n\n{all-args}",
help_template = "\nHayabusa v2.13.0 - Dev Build\n{author-with-newline}\n{usage-heading}\n hayabusa.exe pivot-keywords-list <INPUT> [OPTIONS]\n\n{all-args}",
term_width = 400,
disable_help_flag = true,
display_order = 420
@@ -787,7 +787,7 @@ pub enum Action {

#[clap(
author = "Yamato Security (https://github.com/Yamato-Security/hayabusa - @SecurityYamato)",
help_template = "\nHayabusa v2.12.0 - SECCON Christmas Release\n{author-with-newline}\n{usage-heading}\n hayabusa.exe search <INPUT> <--keywords \"<KEYWORDS>\" OR --regex \"<REGEX>\"> [OPTIONS]\n\n{all-args}",
help_template = "\nHayabusa v2.13.0 - Dev Build\n{author-with-newline}\n{usage-heading}\n hayabusa.exe search <INPUT> <--keywords \"<KEYWORDS>\" OR --regex \"<REGEX>\"> [OPTIONS]\n\n{all-args}",
term_width = 400,
disable_help_flag = true,
display_order = 450
@@ -797,7 +797,7 @@ pub enum Action {

#[clap(
author = "Yamato Security (https://github.com/Yamato-Security/hayabusa - @SecurityYamato)",
help_template = "\nHayabusa v2.12.0 - SECCON Christmas Release\n{author-with-newline}\n{usage-heading}\n {usage}\n\n{all-args}",
help_template = "\nHayabusa v2.13.0 - Dev Build\n{author-with-newline}\n{usage-heading}\n {usage}\n\n{all-args}",
term_width = 400,
disable_help_flag = true,
display_order = 470
@@ -807,7 +807,7 @@ pub enum Action {

#[clap(
author = "Yamato Security (https://github.com/Yamato-Security/hayabusa - @SecurityYamato)",
help_template = "\nHayabusa v2.12.0 - SECCON Christmas Release\n{author-with-newline}\n{usage-heading}\n {usage}\n\n{all-args}",
help_template = "\nHayabusa v2.13.0 - Dev Build\n{author-with-newline}\n{usage-heading}\n {usage}\n\n{all-args}",
term_width = 400,
disable_help_flag = true,
display_order = 380
@@ -817,7 +817,7 @@ pub enum Action {

#[clap(
author = "Yamato Security (https://github.com/Yamato-Security/hayabusa - @SecurityYamato)",
help_template = "\nHayabusa v2.12.0 - SECCON Christmas Release\n{author-with-newline}\n{usage-heading}\n {usage}\n\n{all-args}",
help_template = "\nHayabusa v2.13.0 - Dev Build\n{author-with-newline}\n{usage-heading}\n {usage}\n\n{all-args}",
term_width = 400,
disable_help_flag = true,
display_order = 451
@@ -835,7 +835,7 @@ pub enum Action {

#[clap(
author = "Yamato Security (https://github.com/Yamato-Security/hayabusa - @SecurityYamato)",
help_template = "\nHayabusa v2.12.0 - SECCON Christmas Release\n{author-with-newline}\n{usage-heading}\n {usage}\n\n{all-args}",
help_template = "\nHayabusa v2.13.0 - Dev Build\n{author-with-newline}\n{usage-heading}\n {usage}\n\n{all-args}",
term_width = 400,
disable_help_flag = true,
display_order = 290
@@ -1656,7 +1656,7 @@ pub struct ComputerMetricsOption {
#[derive(Parser, Clone, Debug)]
#[clap(
author = "Yamato Security (https://github.com/Yamato-Security/hayabusa - @SecurityYamato)",
help_template = "\nHayabusa v2.12.0 - SECCON Christmas Release\n{author-with-newline}\n{usage-heading}\n hayabusa.exe <COMMAND> [OPTIONS]\n hayabusa.exe help <COMMAND>\n\n{all-args}{options}",
help_template = "\nHayabusa v2.13.0 - Dev Build\n{author-with-newline}\n{usage-heading}\n hayabusa.exe <COMMAND> [OPTIONS]\n hayabusa.exe help <COMMAND>\n\n{all-args}{options}",
term_width = 400,
disable_help_flag = true
)]
19 changes: 9 additions & 10 deletions src/timeline/search.rs
@@ -18,12 +18,12 @@
use downcast_rs::__std::process;
use hashbrown::{HashMap, HashSet};
use itertools::Itertools;
use nested::Nested;
use regex::Regex;
use std::fs::File;
use std::io::BufWriter;
use std::path::PathBuf;
use termcolor::{BufferWriter, Color, ColorChoice};
use wildmatch::WildMatch;

#[derive(Debug, Clone)]
pub struct EventSearch {
@@ -98,7 +98,7 @@
fn filter_record(
&mut self,
record: &EvtxRecordInfo,
filter_rule: &HashMap<String, Nested<String>>,
filter_rule: &HashMap<String, Vec<WildMatch>>,

eventkey_alias: &EventKeyAliasConfig,
) -> bool {
filter_rule.iter().all(|(k, v)| {
@@ -109,10 +109,9 @@
)
.unwrap_or_else(|| "n/a".into())
.replace(['"', '\''], "");

// aliasでマッチした場合はaliasに登録されていないフィールドを検索する必要がないためtrueを返す
if v.iter()
.all(|search_target| utils::contains_str(&alias_target_val, search_target))
.all(|search_target| search_target.matches(&alias_target_val))

{
return true;
}
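Review bot: `search_target.matches(&alias_target_val)` is a whole-string match, whereas the removed `utils::contains_str` was a substring test, so under `all()` two different patterns registered for the same key (for example two `Channel:` filters) are now unsatisfiable unless they contain wildcards; either document that a key takes one pattern or combine the patterns of one key with `any()`. Also confirm whether `contains_str` was case-insensitive: `WildMatch::new` is case-sensitive, and if the old helper folded case this hunk changes matching semantics without a changelog note.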
@@ -126,7 +125,7 @@
_ => CompactString::new("-"),
};
v.iter()
.all(|search_target| utils::contains_str(&allfieldinfo, search_target))
.all(|search_target| search_target.matches(&allfieldinfo))

})
}
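Review bot: on this fallback path the patterns are matched against `allfieldinfo`, the full field dump, and because `matches` requires the entire string to match, an exact value can never match it; only a pattern wrapped in `*` can. Either keep substring semantics for the non-alias fallback or state in the filter option's help text that non-alias keys need `*value*`.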

@@ -238,7 +237,7 @@
}

/// filters からフィルタリング条件を作成する関数
fn create_filter_rule(filters: &[String]) -> HashMap<String, Nested<String>> {
fn create_filter_rule(filters: &[String]) -> HashMap<String, Vec<WildMatch>> {

filters
.iter()
.fold(HashMap::new(), |mut acc, filter_condition| {
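Review bot: the doc comment on `create_filter_rule` still only says that it builds filter conditions from `filters`; now that values become `WildMatch` patterns, document the accepted syntax and the exact-match default here, and add a unit test for `create_filter_rule` covering a plain value, a wildcard value and a value containing `:`, since none of the new lines is exercised by the existing tests.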
@@ -250,10 +249,10 @@
.unwrap_or(prefix_trim_condition);
let condition = trimed_condition.split(':').map(|x| x.trim()).collect_vec();
if condition.len() != 1 {
let acc_val = acc
.entry(condition[0].to_string())
.or_insert(Nested::<String>::new());
acc_val.push(condition[1..].join(":"));
let acc_val = acc.entry(condition[0].to_string()).or_insert(vec![]);
condition[1..]
.iter()
.for_each(|x| acc_val.push(WildMatch::new(x)));

}
acc
})
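Review bot: replacing `condition[1..].join(":")` with one `WildMatch` per element of `condition[1..]` changes what a colon inside the value means. A filter such as `Image:C:\Windows\System32\svchost.exe` (constructed example) used to yield the single value `C:\Windows\System32\svchost.exe`; it now yields the two patterns `C` and `\Windows\System32\svchost.exe`, and `all()` in `filter_record` can never satisfy both. Keep the join and push a single pattern: `acc_val.push(WildMatch::new(&condition[1..].join(":")));`.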