From f5717005b0c57313072ebbe9a773dbdc02908699 Mon Sep 17 00:00:00 2001
From: DastInDark <2350416+hitenkoku@users.noreply.github.com>
Date: Thu, 2 May 2024 21:02:06 +0900
Subject: [PATCH 1/4] feat: adjusted multiple directory option #1335

---
 src/detections/configs.rs | 2 +-
 src/main.rs | 15 +++++++++------
 2 files changed, 10 insertions(+), 7 deletions(-)

diff --git a/src/detections/configs.rs b/src/detections/configs.rs
index cd2d77220..28525aaba 100644
--- a/src/detections/configs.rs
+++ b/src/detections/configs.rs
@@ -1607,7 +1607,7 @@ pub struct CommonOptions {
 pub struct InputOption {
 /// Directory of multiple .evtx files
 #[arg(help_heading = Some("Input"), short = 'd', long, value_name = "DIR", conflicts_with_all = ["filepath", "live_analysis"], display_order = 300)]
- pub directory: Option,
+ pub directory: Option>,
 
 /// File path to one .evtx file
 #[arg(help_heading = Some("Input"), short = 'f', long = "file", value_name = "FILE", conflicts_with_all = ["directory", "live_analysis"], display_order = 320)]
diff --git a/src/main.rs b/src/main.rs
index 01ebd9ede..b04735640 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -784,18 +784,21 @@ impl App {
 time_filter,
 stored_static.borrow_mut(),
 );
- } else if let Some(directory) = &stored_static
+ } else if let Some(directories) = &stored_static
 .output_option
 .as_ref()
 .unwrap()
 .input_args
 .directory
 {
- let evtx_files = Self::collect_evtxfiles(
- directory.as_os_str().to_str().unwrap(),
- target_extensions,
- stored_static,
- );
+ let mut evtx_files = Vec::new();
+ for directory in directories {
+ evtx_files.extend(Self::collect_evtxfiles(
+ directory.as_os_str().to_str().unwrap(),
+ target_extensions,
+ stored_static,
+ ));
+ }
 if evtx_files.is_empty() {
 AlertMessage::alert("No .evtx files were found.").ok();
 return;
From e9e2034d52cb37ba14a3b693f66fc6e853aaaf59 Mon Sep 17 00:00:00 2001
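Review bot: The doc comment and `value_name = "DIR"` on the `directory` field still describe a single directory, so `--help` gives no hint that the option can now be given more than once; on the `///` line I would write `/// Directory of multiple .evtx files (can be specified more than once)`. With clap's derive, a `Vec` field carrying only `long` and no `num_args`/`action` presumably accepts the repeated form `-d a -d b` rather than space-separated `-d a b`, so it is worth confirming which form is intended and saying so in the help text. The angle brackets of the field type appear to have been lost in this rendering of the patch (`Option,` to `Option>,`); the intended change is presumably `Option<PathBuf>` to `Option<Vec<PathBuf>>`. The `InputOption` struct continues past the end of the hunk.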
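Review bot: Nothing de-duplicates `evtx_files` after the `for directory in directories` loop, so passing the same directory twice (or, if `collect_evtxfiles` walks subdirectories, a parent together with one of its children) scans the same `.evtx` file twice and emits duplicate detections into the timeline. After the loop I would add `evtx_files.sort_unstable(); evtx_files.dedup();` (assuming the element type is `PathBuf` or otherwise `Ord`), or collect into a set first; deduplicating on the canonicalized path would also cover `-d logs -d ./logs`. The `to_str().unwrap()` inside the loop means one non-UTF-8 directory path now aborts the whole multi-directory run with a panic instead of an error naming the bad argument; `to_string_lossy()` or an `AlertMessage` per offending path would be friendlier. The enclosing function starts and ends outside the hunk.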
From: DastInDark <2350416+hitenkoku@users.noreply.github.com>
Date: Thu, 2 May 2024 21:56:32 +0900
Subject: [PATCH 2/4] docs(CHANGELOG): added #1335

---
 CHANGELOG-Japanese.md | 4 ++++
 CHANGELOG.md | 4 ++++
 2 files changed, 8 insertions(+)

diff --git a/CHANGELOG-Japanese.md b/CHANGELOG-Japanese.md
index 95e93a022..ae6d3e14b 100644
--- a/CHANGELOG-Japanese.md
+++ b/CHANGELOG-Japanese.md
@@ -10,6 +10,10 @@
 - [Mimikatz Use](https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_alert_mimikatz_keywords.yml)
 - デフォルトでは、適用可能なルールを持つ`.evtx`ファイルのみ読み込む。たとえば、さまざまなイベントログのディレクトリをスキャンしている場合でも、 `Channel: Security` を探すルールのみを有効にした場合、Hayabusaは`Security`以外のすべてのイベントログを無視します。ベンチマークでは、通常のスキャンで約10%、単一のルールでスキャンする場合は最大60%以上のパフォーマンス向上が得られる。チャネルに関係なくすべての`.evtx`ファイルを読み込みたい場合は、`csv-timeline` と `json-timeline` の `-a、--scan-all-evtx-files` オプションでこのフィルタリングをオフにすることができる。(#1318) (@fukusuket)
 
+**改善:**
+
+- `directory`オプションで複数のフォルダを指定できるようにした。 (#1335) (@hitenkoku)
+
 ## 2.15.0 [2024/04/20] "Sonic Release"
 
 **改善:**
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 3d26c6466..f7bc7f915 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -10,6 +10,10 @@
 - [Mimikatz Use](https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_alert_mimikatz_keywords.yml)
 - By default now, `.evtx` files that have applicable rules will be loaded. So for example, if you are scanning a directory of various event logs but only enable a rule that is looking for `Channel: Security` then Hayabusa will ignore all non-security event logs. In our benchmarks, this gives a speed benefit of around 10% with normal scans and up to 60%+ performance increase when scanning with a single rule. If you want to load all `.evtx` files regardless of channel, then you can turn off this filtering with the `-a, --scan-all-evtx-files` option in `csv-timeline` and `json-timeline`. (#1318) (@fukusuket)
 
+**Enhancements:**
+
+- Adjusted multiple specifiy `directory` option. (#1335) (@hitenkoku)
+
 ## 2.15.0 [2024/04/20] "Sonic Release"
 
 **Enhancements:**
From c0ac07f743c82ff24c0bb185e7cad3fc8aa25a4f Mon Sep 17 00:00:00 2001
From: DastInDark <2350416+hitenkoku@users.noreply.github.com>
Date: Thu, 2 May 2024 22:41:39 +0900
Subject: [PATCH 3/4] chore: fixed clippy lint warning #1335

---
 src/afterfact.rs | 10 +++++++---
 src/detections/utils.rs | 4 ++--
 src/main.rs | 1 -
 3 files changed, 9 insertions(+), 6 deletions(-)

diff --git a/src/afterfact.rs b/src/afterfact.rs
index 1cdd3d463..d8efaf5f7 100644
--- a/src/afterfact.rs
+++ b/src/afterfact.rs
@@ -380,7 +380,9 @@ fn emit_csv_inner(
 remove_duplicate_data,
 );
 afterfact_info.prev_message = result.1;
- afterfact_info.prev_details_convert_map = detect_info.details_convert_map.clone();
+ afterfact_info
+ .prev_details_convert_map
+ .clone_from(&detect_info.details_convert_map);
 if afterfact_writer.display_flag {
 write_color_buffer(
 &afterfact_writer.disp_wtr,
@@ -404,7 +406,9 @@ fn emit_csv_inner(
 remove_duplicate_data,
 );
 afterfact_info.prev_message = result.1;
- afterfact_info.prev_details_convert_map = detect_info.details_convert_map.clone();
+ afterfact_info
+ .prev_details_convert_map
+ .clone_from(&detect_info.details_convert_map);
 if afterfact_writer.display_flag {
 write_color_buffer(
 &afterfact_writer.disp_wtr,
@@ -1806,7 +1810,7 @@ pub fn output_json_str(
 }
 }
 } else {
- target_ext_field = detect_info.ext_field.to_owned();
+ target_ext_field.clone_from(&detect_info.ext_field);
 }
 let key_add_to_details = [
 "SrcASN",
diff --git a/src/detections/utils.rs b/src/detections/utils.rs
index 5b44a8b1c..6d93c2241 100644
--- a/src/detections/utils.rs
+++ b/src/detections/utils.rs
@@ -332,10 +332,10 @@ pub fn create_rec_info(
 
 if !*no_pwsh_field_extraction {
 if key == "EventID" {
- event_id = val.clone();
+ event_id.clone_from(&val);
 }
 if key == "Channel" {
- channel = val.clone();
+ channel.clone_from(&val);
 }
 }
 key_2_values.insert(key.to_string(), val.unwrap());
diff --git a/src/main.rs b/src/main.rs
index b04735640..aba878ef2 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -53,7 +53,6 @@ use std::path::Path;
 use std::ptr::null_mut;
 use std::sync::Arc;
 use std::time::Duration;
-use std::u128;
 use std::{
 env,
 fs::{self, File},
From afe753e5252ac5f309b7d5b90708c601f5e53fda Mon Sep 17 00:00:00 2001
From: Yamato Security <71482215+YamatoSecurity@users.noreply.github.com>
Date: Fri, 3 May 2024 08:01:07 +0900
Subject: [PATCH 4/4] update changelog

---
 CHANGELOG-Japanese.md | 2 +-
 CHANGELOG.md | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG-Japanese.md b/CHANGELOG-Japanese.md
index ae6d3e14b..4d6bb5a7b 100644
--- a/CHANGELOG-Japanese.md
+++ b/CHANGELOG-Japanese.md
@@ -12,7 +12,7 @@
 
 **改善:**
 
-- `directory`オプションで複数のフォルダを指定できるようにした。 (#1335) (@hitenkoku)
+- `-d, --directory`オプションで複数のフォルダを指定できるようにした。 (#1335) (@hitenkoku)
 
 ## 2.15.0 [2024/04/20] "Sonic Release"
 
diff --git a/CHANGELOG.md b/CHANGELOG.md
index f7bc7f915..7109a3d9b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -12,7 +12,7 @@
 
 **Enhancements:**
 
-- Adjusted multiple specifiy `directory` option. (#1335) (@hitenkoku)
+- You can now specify multiple directories with the `-d, --directory` option. (#1335) (@hitenkoku)
 
 ## 2.15.0 [2024/04/20] "Sonic Release"
 