Merge pull request #1123 from Yamato-Security/1119-category-filtering
added category filtering
hitenkoku authored Jul 4, 2023
2 parents b2f9d36 + 1936276 commit d71c2b9
Showing 17 changed files with 274 additions and 7 deletions.
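--- a/CHANGELOG-Japanese.md
+++ b/CHANGELOG-Japanese.md
@@ -5,6 +5,7 @@
 **新機能:**
 
 - `csv-timeline`コマンドに`-R, --remove-duplicate-data`オプションを追加し、`%Details%``%AllFieldInfo%``%ExtraFieldInfo%`列の重複フィールドデータを`DUP`という文字列に変換し、ファイルサイズの削減を行う。(#1056) (@hitenkoku)
+- `csv-timeline``json-timeline`コマンドに`--include-category``--exclude-category`オプションを追加した。`include-category`は、指定された`category`フィールドのルールのみをロードする。`--exclude-category`は、指定された`category`フィールドを持つルールをロードしない。 (#1119) (@hitenkoku)
 
 **改善:**
 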
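--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,7 @@
 **New Features:**
 
 - Added the `-R, --remove-duplicate-data` option in the `csv-timeline` command to replace duplicate field data with the string `DUP` in the `%Details%`, `%AllFieldInfo%`, `%ExtraFieldInfo%` columns to reduce file size. (#1056) (@hitenkoku)
+- Added `--include-category` and `--exclude-category` options to `csv-timeline` and `json-timeline` commands. When using `--include-category`, only rules with the specified `category` field will be loaded. `--exclude-category` will exclude rules from being loaded based on `category`. (#1119) (@hitenkoku)
 
 **Enhancements:**
 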
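--- a/src/afterfact.rs
+++ b/src/afterfact.rs
@@ -1809,6 +1809,8 @@ mod tests {
 enable_unsupported_rules: false,
 clobber: false,
 tags: None,
+include_category: None,
+exclude_category: None,
 },
 geo_ip: None,
 output: Some(Path::new("./test_emit_csv.csv").to_path_buf()),
@@ -1885,6 +1887,8 @@ mod tests {
 enable_unsupported_rules: false,
 clobber: false,
 tags: None,
+include_category: None,
+exclude_category: None,
 };
 let ch = mock_ch_filter
 .get(&CompactString::from("security"))
@@ -2108,6 +2112,8 @@ mod tests {
 enable_unsupported_rules: false,
 clobber: false,
 tags: None,
+include_category: None,
+exclude_category: None,
 },
 geo_ip: None,
 output: Some(Path::new("./test_emit_csv_multiline.csv").to_path_buf()),
@@ -2186,6 +2192,8 @@ mod tests {
 enable_unsupported_rules: false,
 clobber: false,
 tags: None,
+include_category: None,
+exclude_category: None,
 };
 let ch = mock_ch_filter
 .get(&CompactString::from("security"))
@@ -2395,6 +2403,8 @@ mod tests {
 enable_unsupported_rules: false,
 clobber: false,
 tags: None,
+include_category: None,
+exclude_category: None,
 },
 geo_ip: None,
 output: Some(Path::new("./test_emit_csv_remove_duplicate.csv").to_path_buf()),
@@ -2471,6 +2481,8 @@ mod tests {
 enable_unsupported_rules: false,
 clobber: false,
 tags: None,
+include_category: None,
+exclude_category: None,
 };
 let ch = mock_ch_filter
 .get(&CompactString::from("security"))
@@ -2702,6 +2714,8 @@ mod tests {
 enable_unsupported_rules: false,
 clobber: false,
 tags: None,
+include_category: None,
+exclude_category: None,
 };
 let data: Vec<(CompactString, Profile)> = vec![
 (
@@ -2827,6 +2841,8 @@ mod tests {
 enable_unsupported_rules: false,
 clobber: false,
 tags: None,
+include_category: None,
+exclude_category: None,
 },
 geo_ip: None,
 output: Some(Path::new("./test_emit_csv_json.json").to_path_buf()),
@@ -2901,6 +2917,8 @@ mod tests {
 enable_unsupported_rules: false,
 clobber: false,
 tags: None,
+include_category: None,
+exclude_category: None,
 };
 let ch = mock_ch_filter
 .get(&CompactString::from("security"))
@@ -3061,6 +3079,8 @@ mod tests {
 enable_unsupported_rules: false,
 clobber: false,
 tags: None,
+include_category: None,
+exclude_category: None,
 },
 geo_ip: None,
 output: Some(Path::new("./test_emit_csv_jsonl.jsonl").to_path_buf()),
@@ -3135,6 +3155,8 @@ mod tests {
 enable_unsupported_rules: false,
 clobber: false,
 tags: None,
+include_category: None,
+exclude_category: None,
 };
 let ch = mock_ch_filter
 .get(&CompactString::from("security"))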
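--- a/src/detections/configs.rs
+++ b/src/detections/configs.rs
@@ -896,7 +896,7 @@ pub struct PivotKeywordOption {
 pub enable_unsupported_rules: bool,
 
 /// Ignore rules according to status (ex: experimental) (ex: stable,test)
-#[arg(help_heading = Some("Filtering"), long = "exclude-status", value_name = "STATUS", use_value_delimiter = true, value_delimiter = ',', display_order = 314)]
+#[arg(help_heading = Some("Filtering"), long = "exclude-status", value_name = "STATUS", use_value_delimiter = true, value_delimiter = ',', display_order = 315)]
 pub exclude_status: Option<Vec<String>>,
 
 /// Minimum level for rules (default: informational)
@@ -1014,13 +1014,21 @@ pub struct OutputOption {
 pub enable_unsupported_rules: bool,
 
 /// Ignore rules according to status (ex: experimental) (ex: stable,test)
-#[arg(help_heading = Some("Filtering"), long = "exclude-status", value_name = "STATUS", use_value_delimiter = true, value_delimiter = ',', display_order = 314)]
+#[arg(help_heading = Some("Filtering"), long = "exclude-status", value_name = "STATUS", use_value_delimiter = true, value_delimiter = ',', display_order = 315)]
 pub exclude_status: Option<Vec<String>>,
 
 /// Only load rules with specific tags (ex: attack.execution,attack.discovery)
 #[arg(help_heading = Some("Filtering"), long = "tags", value_name = "TAGS", use_value_delimiter = true, value_delimiter = ',', display_order = 460)]
 pub tags: Option<Vec<String>>,
 
+/// Only load rules with certain logsource categories (ex: process_creation,pipe_created)
+#[arg(help_heading = Some("Filtering"), long = "include-category", value_name = "CATEGORY", conflicts_with = "exclude-category", use_value_delimiter = true, value_delimiter = ',', display_order = 351)]
+pub include_category: Option<Vec<String>>,
+
+/// Do not load rules with certain logsource categories (ex: process_creation,pipe_created)
+#[arg(help_heading = Some("Filtering"), long = "exclude-category", value_name = "CATEGORY", conflicts_with = "include_category",use_value_delimiter = true, value_delimiter = ',', display_order = 314)]
+pub exclude_category: Option<Vec<String>>,
+
 /// Minimum level for rules (default: informational)
 #[arg(
 help_heading = Some("Filtering"),
@@ -1544,6 +1552,8 @@ fn extract_output_options(config: &Config) -> Option<OutputOption> {
 enable_unsupported_rules: option.enable_unsupported_rules,
 clobber: false,
 tags: None,
+include_category: None,
+exclude_category: None,
 }),
 Action::Metrics(option) => Some(OutputOption {
 input_args: option.input_args.clone(),
@@ -1572,6 +1582,8 @@ fn extract_output_options(config: &Config) -> Option<OutputOption> {
 enable_unsupported_rules: false,
 clobber: option.clobber,
 tags: None,
+include_category: None,
+exclude_category: None,
 }),
 Action::LogonSummary(option) => Some(OutputOption {
 input_args: option.input_args.clone(),
@@ -1600,6 +1612,8 @@ fn extract_output_options(config: &Config) -> Option<OutputOption> {
 enable_unsupported_rules: false,
 clobber: option.clobber,
 tags: None,
+include_category: None,
+exclude_category: None,
 }),
 Action::Search(option) => Some(OutputOption {
 input_args: option.input_args.clone(),
@@ -1635,6 +1649,8 @@ fn extract_output_options(config: &Config) -> Option<OutputOption> {
 enable_unsupported_rules: false,
 clobber: option.clobber,
 tags: None,
+include_category: None,
+exclude_category: None,
 }),
 Action::SetDefaultProfile(option) => Some(OutputOption {
 input_args: InputOption {
@@ -1674,6 +1690,8 @@ fn extract_output_options(config: &Config) -> Option<OutputOption> {
 enable_unsupported_rules: false,
 clobber: false,
 tags: None,
+include_category: None,
+exclude_category: None,
 }),
 Action::UpdateRules(option) => Some(OutputOption {
 input_args: InputOption {
@@ -1713,6 +1731,8 @@ fn extract_output_options(config: &Config) -> Option<OutputOption> {
 enable_unsupported_rules: true,
 clobber: false,
 tags: None,
+include_category: None,
+exclude_category: None,
 }),
 _ => None,
 }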
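Review bot: The two new `conflicts_with` values in the `OutputOption` hunk are inconsistent: `include_category` names the long flag `"exclude-category"` while `exclude_category` names the field id `"include_category"`; clap's derive resolves `conflicts_with` by argument id (the field name unless overridden elsewhere), so the first reference presumably does not resolve, leaving the mutual exclusion enforced only from the exclude side and likely tripping clap's debug-build assertion for an unknown id. Using the id on both sides, `conflicts_with = "exclude_category"`, makes the pair symmetric; the same exclude-category attribute is also missing a space after `"include_category",`. The code that applies these fields during rule loading is in one of the four files not shown on this page, so whether a category is matched exactly or case-insensitively cannot be confirmed from here; because `--exclude-category` removes detection coverage for whole log sources, stating the match semantics in the two doc comments (e.g. `/// ... Exact, case-sensitive match on the rule's logsource.category.`, once confirmed) would help analysts avoid silently dropping rules through a typo. `PivotKeywordOption` only receives the `display_order` bump and not the new fields, which looks intentional but is worth a sentence in the PR description.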
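--- a/src/detections/detection.rs
+++ b/src/detections/detection.rs
@@ -1204,6 +1204,8 @@ mod tests {
 enable_unsupported_rules: false,
 clobber: false,
 tags: None,
+include_category: None,
+exclude_category: None,
 },
 geo_ip: None,
 output: None,
@@ -1452,6 +1454,8 @@ mod tests {
 enable_unsupported_rules: false,
 clobber: false,
 tags: None,
+include_category: None,
+exclude_category: None,
 },
 geo_ip: Some(Path::new("test_files/mmdb").to_path_buf()),
 output: Some(Path::new("./test_emit_csv.csv").to_path_buf()),
@@ -1573,6 +1577,8 @@ mod tests {
 enable_unsupported_rules: false,
 clobber: false,
 tags: None,
+include_category: None,
+exclude_category: None,
 },
 geo_ip: Some(Path::new("test_files/mmdb").to_path_buf()),
 output: Some(Path::new("./test_emit_csv.csv").to_path_buf()),
@@ -1690,6 +1696,8 @@ mod tests {
 enable_unsupported_rules: false,
 clobber: false,
 tags: None,
+include_category: None,
+exclude_category: None,
 },
 geo_ip: None,
 output: Some(Path::new("./test_emit_csv.csv").to_path_buf()),
@@ -1820,6 +1828,8 @@ mod tests {
 enable_unsupported_rules: false,
 clobber: false,
 tags: None,
+include_category: None,
+exclude_category: None,
 },
 geo_ip: None,
 output: Some(Path::new("./test_emit_csv.csv").to_path_buf()),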
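--- a/src/detections/rule/condition_parser.rs
+++ b/src/detections/rule/condition_parser.rs
@@ -595,6 +595,8 @@ mod tests {
 enable_unsupported_rules: false,
 clobber: false,
 tags: None,
+include_category: None,
+exclude_category: None,
 },
 geo_ip: None,
 output: None,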
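--- a/src/detections/rule/count.rs
+++ b/src/detections/rule/count.rs
@@ -619,6 +619,8 @@ mod tests {
 enable_unsupported_rules: false,
 clobber: false,
 tags: None,
+include_category: None,
+exclude_category: None,
 },
 geo_ip: None,
 output: None,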
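--- a/src/detections/rule/matchers.rs
+++ b/src/detections/rule/matchers.rs
@@ -858,6 +858,8 @@ mod tests {
 enable_unsupported_rules: false,
 clobber: false,
 tags: None,
+include_category: None,
+exclude_category: None,
 },
 geo_ip: None,
 output: None,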
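--- a/src/detections/rule/mod.rs
+++ b/src/detections/rule/mod.rs
@@ -439,6 +439,8 @@ mod tests {
 enable_unsupported_rules: false,
 clobber: false,
 tags: None,
+include_category: None,
+exclude_category: None,
 },
 geo_ip: None,
 output: None,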
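--- a/src/detections/rule/selectionnodes.rs
+++ b/src/detections/rule/selectionnodes.rs
@@ -559,6 +559,8 @@ mod tests {
 enable_unsupported_rules: false,
 clobber: false,
 tags: None,
+include_category: None,
+exclude_category: None,
 },
 geo_ip: None,
 output: None,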
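--- a/src/detections/utils.rs
+++ b/src/detections/utils.rs
@@ -977,6 +977,8 @@ mod tests {
 enable_unsupported_rules: false,
 clobber: false,
 tags: None,
+include_category: None,
+exclude_category: None,
 },
 geo_ip: None,
 output: None,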
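--- a/src/main.rs
+++ b/src/main.rs
@@ -1574,6 +1574,8 @@ mod tests {
 enable_unsupported_rules: false,
 clobber: false,
 tags: None,
+include_category: None,
+exclude_category: None,
 },
 geo_ip: None,
 output: None,
@@ -1723,6 +1725,8 @@ mod tests {
 enable_unsupported_rules: false,
 clobber: false,
 tags: None,
+include_category: None,
+exclude_category: None,
 },
 geo_ip: None,
 output: Some(Path::new("overwrite.csv").to_path_buf()),
@@ -1793,6 +1797,8 @@ mod tests {
 enable_unsupported_rules: false,
 clobber: true,
 tags: None,
+include_category: None,
+exclude_category: None,
 },
 geo_ip: None,
 output: Some(Path::new("overwrite.csv").to_path_buf()),
@@ -1861,6 +1867,8 @@ mod tests {
 enable_unsupported_rules: false,
 clobber: false,
 tags: None,
+include_category: None,
+exclude_category: None,
 },
 geo_ip: None,
 output: Some(Path::new("overwrite.json").to_path_buf()),
@@ -1930,6 +1938,8 @@ mod tests {
 enable_unsupported_rules: false,
 clobber: true,
 tags: None,
+include_category: None,
+exclude_category: None,
 },
 geo_ip: None,
 output: Some(Path::new("overwrite.json").to_path_buf()),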
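--- a/src/options/htmlreport.rs
+++ b/src/options/htmlreport.rs
@@ -285,6 +285,8 @@ mod tests {
 enable_unsupported_rules: false,
 clobber: false,
 tags: None,
+include_category: None,
+exclude_category: None,
 },
 geo_ip: None,
 output: None,
@@ -336,6 +338,8 @@ mod tests {
 enable_unsupported_rules: false,
 clobber: false,
 tags: None,
+include_category: None,
+exclude_category: None,
 },
 geo_ip: None,
 output: None,
@@ -390,6 +394,8 @@ mod tests {
 enable_unsupported_rules: false,
 clobber: false,
 tags: None,
+include_category: None,
+exclude_category: None,
 },
 jsonl_timeline: false,
 geo_ip: None,
@@ -440,6 +446,8 @@ mod tests {
 enable_unsupported_rules: false,
 clobber: false,
 tags: None,
+include_category: None,
+exclude_category: None,
 },
 jsonl_timeline: false,
 geo_ip: None,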
