From 1dadd1dd9d1d01507c86616d7f6e07cd80ac41cb Mon Sep 17 00:00:00 2001
From: DustInDark <2350416+hitenkoku@users.noreply.github.com>
Date: Fri, 2 Feb 2024 00:56:41 +0900
Subject: [PATCH 1/5] fix(configs): added required option filter in search command #1257
---
 src/detections/configs.rs | 1 +
 1 file changed, 1 insertion(+)
diff --git a/src/detections/configs.rs b/src/detections/configs.rs
index d7c2b3666..c5da43c92 100644
--- a/src/detections/configs.rs
+++ b/src/detections/configs.rs
@@ -951,6 +951,7 @@ pub struct DefaultProfileOption {
 }
 
 #[derive(Args, Clone, Debug)]
+#[clap(group(ArgGroup::new("search_input_filtering").args(["keywords", "regex"]).required(true)))]
 pub struct SearchOption {
 #[clap(flatten)]
 pub common_options: CommonOptions,
From b1d49988414e14ad1f11c5921f14a0296e4d101c Mon Sep 17 00:00:00 2001
From: DustInDark <2350416+hitenkoku@users.noreply.github.com>
Date: Fri, 2 Feb 2024 01:06:06 +0900
Subject: [PATCH 2/5] fix(configs): added conflict command filter in multiple row and json/jsonl output #1257
---
 src/detections/configs.rs | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/detections/configs.rs b/src/detections/configs.rs
index c5da43c92..93422cd07 100644
--- a/src/detections/configs.rs
+++ b/src/detections/configs.rs
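Review bot: The new group does more than require one of the two inputs: clap's `ArgGroup::multiple` defaults to false, so after this line `keywords` and `regex` also become mutually exclusive and a search that passes both will be rejected at argument validation. If exclusivity is intended, it should be stated in the doc comments of the `keywords` and `regex` fields so it shows up in `--help`; if the two were meant to combine, the group needs `.multiple(true)`. The `keywords` and `regex` fields and the `ArgGroup` import are outside this hunk, so I could not confirm that the ids in `args([...])` match the field names clap derives.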
@@ -1065,11 +1065,11 @@ pub struct SearchOption {
 pub clobber: bool,
 
 /// Save the search results in JSON format (ex: -J -o results.json)
-#[arg(help_heading = Some("Output"), short = 'J', long = "JSON-output", conflicts_with = "jsonl_output", requires = "output", display_order = 100)]
+#[arg(help_heading = Some("Output"), short = 'J', long = "JSON-output", conflicts_with_all = ["jsonl_output", "multiline"], requires = "output", display_order = 100)]
 pub json_output: bool,
 
 /// Save the search results in JSONL format (ex: -L -o results.jsonl)
-#[arg(help_heading = Some("Output"), short = 'L', long = "JSONL-output", conflicts_with = "jsonl_output", requires = "output", display_order = 100)]
+#[arg(help_heading = Some("Output"), short = 'L', long = "JSONL-output", conflicts_with_all = ["jsonl_output", "multiline"], requires = "output", display_order = 100)]
 pub jsonl_output: bool,
 
 /// Output timestamp in European time format (ex: 22-02-2022 22:00:00.123 +02:00)
From 0641f34924636c4098cbb37f3e57bf0ef6f32f69 Mon Sep 17 00:00:00 2001
From: Yamato Security <71482215+YamatoSecurity@users.noreply.github.com>
Date: Fri, 2 Feb 2024 08:13:38 +0900
Subject: [PATCH 3/5] update help msg
---
 README.md | 2 +-
 src/detections/configs.rs | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index 131e036a3..098676aa5 100644
--- a/README.md
+++ b/README.md
@@ -774,7 +774,7 @@ Filtering:
 Output:
 -J, --JSON-output Save the search results in JSON format (ex: -J -o results.json)
 -L, --JSONL-output Save the search results in JSONL format (ex: -L -o results.jsonl)
- -M, --multiline Output event field information in multiple rows
+ -M, --multiline Output event field information in multiple rows for CSV output
 -o, --output Save the search results in CSV format (ex: search.csv)
 
 General Options:
diff --git a/src/detections/configs.rs b/src/detections/configs.rs
index 93422cd07..92a71b8ae 100644
--- a/src/detections/configs.rs
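Review bot: The attribute on `jsonl_output` lists its own id in `conflicts_with_all = ["jsonl_output", "multiline"]`; the entry that mirrors the `json_output` field right above is `"json_output"`, so this looks carried over from the replaced `conflicts_with = "jsonl_output"` rather than intended. Because `json_output` already declares the conflict in the other direction, `-J -L` is still rejected, but a self-conflict is at best dead configuration and may trip clap's debug-build argument assertions. Change the line to `conflicts_with_all = ["json_output", "multiline"]`. The `SearchOption` struct continues outside this hunk.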
+++ b/src/detections/configs.rs
@@ -1056,7 +1056,7 @@ pub struct SearchOption {
 #[arg(help_heading = Some("Display Settings"), short = 'v', long, display_order = 480)]
 pub verbose: bool,
 
-/// Output event field information in multiple rows
+/// Output event field information in multiple rows for CSV output
 #[arg(help_heading = Some("Output"), short = 'M', long="multiline", display_order = 390)]
 pub multiline: bool,
 
From 68c51c7b1b7d7f27e143491e14303d6eed04c134 Mon Sep 17 00:00:00 2001
From: DustInDark <2350416+hitenkoku@users.noreply.github.com>
Date: Sat, 3 Feb 2024 23:07:44 +0900
Subject: [PATCH 4/5] feat(main): skipped loading detection rules when running to command which is no need to load rule #1263
---
 src/main.rs | 70 +++++++++++++++++++++++++++++++++++------------------
 1 file changed, 46 insertions(+), 24 deletions(-)
diff --git a/src/main.rs b/src/main.rs
index 652860394..7064a47fd 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -1282,9 +1282,6 @@ impl App { } else { stored_static.include_status.insert("*".into()); } - println!(); - println!("Loading detection rules. Please wait."); - println!(); if stored_static.html_report_flag { let mut output_data = Nested::::new();
@@ -1317,28 +1314,53 @@ impl App {
 .min_level
 .to_uppercase();
 
- let rule_files = detection::Detection::parse_rule_files(
- &level,
- &target_level,
- &stored_static.output_option.as_ref().unwrap().rules,
- &filter::exclude_ids(stored_static),
- stored_static,
- );
- CHECKPOINT
- .lock()
- .as_mut()
- .unwrap()
- .rap_check_point("Rule Parse Processing Time");
- let unused_rules_option = stored_static.logon_summary_flag
+ println!();
+ if !(stored_static.logon_summary_flag
 || stored_static.search_flag
- || stored_static.computer_metrics_flag
- || stored_static.metrics_flag;
- if !unused_rules_option && rule_files.is_empty() {
- AlertMessage::alert(
- "No rules were loaded. Please download the latest rules with the update-rules command.\r\n",
- )
- .ok();
- return;
+ || stored_static.metrics_flag
+ || stored_static.computer_metrics_flag)
+ {
+ println!("Loading detection rules. Please wait.");
+ } else if stored_static.logon_summary_flag {
+ println!("Currently analyzing Logon Summary. Please wait.");
+ } else if stored_static.search_flag {
+ println!("Currently searching. Please wait.");
+ } else if stored_static.metrics_flag {
+ println!("Currently analyzing Event ID Metrics. Please wait.");
+ } else if stored_static.computer_metrics_flag {
+ println!("Currently analyzing Compute Metrics. Please wait.");
+ }
+ println!();
+
+ let mut rule_files = vec![];
+ if !(stored_static.logon_summary_flag
+ || stored_static.search_flag
+ || stored_static.metrics_flag
+ || stored_static.computer_metrics_flag)
+ {
+ rule_files = detection::Detection::parse_rule_files(
+ &level,
+ &target_level,
+ &stored_static.output_option.as_ref().unwrap().rules,
+ &filter::exclude_ids(stored_static),
+ stored_static,
+ );
+ CHECKPOINT
+ .lock()
+ .as_mut()
+ .unwrap()
+ .rap_check_point("Rule Parse Processing Time");
+ let unused_rules_option = stored_static.logon_summary_flag
+ || stored_static.search_flag
+ || stored_static.computer_metrics_flag
+ || stored_static.metrics_flag;
+ if !unused_rules_option && rule_files.is_empty() {
+ AlertMessage::alert(
+ "No rules were loaded. Please download the latest rules with the update-rules command.\r\n",
+ )
+ .ok();
+ return;
+ }
 }
 
 let template =
From 57c9509426faf4ccee5e5b759c9495e9af1b11a4 Mon Sep 17 00:00:00 2001
From: DustInDark <2350416+hitenkoku@users.noreply.github.com>
Date: Sat, 3 Feb 2024 23:10:32 +0900
Subject: [PATCH 5/5] docs(CHANGELOG): added #1263
---
 CHANGELOG-Japanese.md | 1 +
 CHANGELOG.md | 1 +
 2 files changed, 2 insertions(+)
diff --git a/CHANGELOG-Japanese.md b/CHANGELOG-Japanese.md
index c006dea9d..e2ff1617d 100644
--- a/CHANGELOG-Japanese.md
+++ b/CHANGELOG-Japanese.md
@@ -13,6 +13,7 @@
 - `json-timeline`コマンドの標準出力でJSONフォーマットを出力するように修正した。 (#1197) (@hitenkoku)
 - JSON入力でデータが配列内にある場合に解析できるようにした。 (#1248) (@hitenkoku)
 - 古いターミナルでも正しく表示されるように、また読みやすくするために、`‖`区切り文字を`·`区切り文字に変更した。(#1258) (@YamatoSecurity)
+- ルールをロードする必要のないコマンドを実行した場合、検出ルールのロードをスキップするようにした。 (#1263) (@hitenkoku)
 
 **バグ修正:**
 
diff --git a/CHANGELOG.md b/CHANGELOG.md
index d98cda746..1d174c8e5 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
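Review bot: The four-flag disjunction is evaluated three times in this hunk, and the third copy (`unused_rules_option`, computed inside the block that only runs when the same disjunction is false) is always false, so the `!unused_rules_option &&` half of the guard is dead; compute the condition once and drop the inner copy. `rule_files` can then be a plain `let` bound from the `if`/`else` rather than a `let mut` assigned later, which also keeps the "no rules loaded" early return next to the call that produced the empty result. The progress message `"Currently analyzing Compute Metrics. Please wait."` presumably should read `Computer Metrics`, matching `computer_metrics_flag` and the other messages. The enclosing method starts and ends outside the hunk.
```rust
        // … unchanged: level / target_level setup …
        let needs_rules = !(stored_static.logon_summary_flag
            || stored_static.search_flag
            || stored_static.metrics_flag
            || stored_static.computer_metrics_flag);
        println!();
        if needs_rules {
            println!("Loading detection rules. Please wait.");
        } // … unchanged: `else if` chain printing the "Currently …" progress messages …
        println!();

        let rule_files = if needs_rules {
            let rule_files = detection::Detection::parse_rule_files(
                // … unchanged: level / target_level / rules / exclude_ids arguments …
            );
            // … unchanged: CHECKPOINT rap_check_point("Rule Parse Processing Time") …
            if rule_files.is_empty() {
                AlertMessage::alert(
                    "No rules were loaded. Please download the latest rules with the update-rules command.\r\n",
                )
                .ok();
                return;
            }
            rule_files
        } else {
            vec![]
        };
```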
@@ -13,6 +13,7 @@
 - The `json-timeline` command now outputs in JSON format when outputting to the terminal. (#1197) (@hitenkoku)
 - Added support for parsing JSON input when the data is inside an array. (#1248) (@hitenkoku)
 - Changed the `‖` separator into a `·` separator to make it easier to read and render properly on older terminals. (#1258) (@YamatoSecurity)
+- Skiped loading detection rules when running to command which is no need to load rule. (#1263) (@hitenkoku)
 
 **Bug Fixes:**
 