added new feature -P, --proven-rules #1120
Codecov Report
Patch coverage:

Coverage Diff (main vs #1120):

             main      #1120    +/-
  Coverage   82.47%    82.45%   -0.02%
  Files      24        24
  Lines      20820     20890    +70
  Hits       17171     17225    +54
  Misses     3649      3665     +16

View full report in Codecov by Sentry.
@hitenkoku @YamatoSecurity
I confirmed that the default proven_rules.txt has fewer detection rules to load :)
I have a question about the detection result after changing proven_rules.txt!
I expect that only 1 rule will be detected when only 1 rule is described in proven_rules.txt, as follows:

hayabusa-2.6.0-all-platforms % cat ./rules/config/proven_rules.txt
002bdb95-0cf1-46a6-9e08-d38c128a6127

However, when comparing the detection results for hayabusa-sample-evtx, there is no difference, as shown below.
(no-p.csv == without -P option, with-p.csv == with -P option)

hayabusa-2.6.0-all-platforms % ./hayabusa csv-timeline -d ../hayabusa-sample-evtx -o no-p.csv -q -C
...
hayabusa-2.6.0-all-platforms % ./hayabusa csv-timeline -d ../hayabusa-sample-evtx -o with-p.csv -q -C -P
...
hayabusa-2.6.0-all-platforms % diff no-p.csv with-p.csv
hayabusa-2.6.0-all-platforms %

Is the above expected behavior?
I would appreciate it if you could check it🙏
@fukusuket I will check how it looks when only one element is used.
We are very sorry. There was an error in the condition when filtering the rules. Corrected in ea444a8.
@hitenkoku @YamatoSecurity
Thank you so much for the quick fix :)
I confirmed that only the rules listed in proven_rules.txt are loaded! LGTM!🚀
Although it is an issue on the hayabusa_rule (proven_rules.txt) side, when I checked the diff, it was as follows.

hayabusa-2.6.0-all-platforms % cat old.csv | awk -F"," '{print $5, $7}' | sort | uniq -c > old-rule-count.csv
hayabusa-2.6.0-all-platforms % cat fix.csv | awk -F"," '{print $5, $7}' | sort | uniq -c > fix-rule-count.csv
hayabusa-2.6.0-all-platforms % diff old-rule-count.csv fix-rule-count.csv
3d2
< 1 "crit" "Audit CVE Event"
291c290
< 243 "info" "Net Conn"
---
> 151 "info" "Net Conn"
302d300
< 2 "info" "RDP Denied"
462d459
< 3 "med" "Potential RDP Session Hijacking Activity"

Based on the above diff results, I think we should add the following to proven_rules.txt. What do you think?
@hitenkoku Thank you for the update! I confirmed that it is working well for me too.
@fukusuket Thank you for checking. I am currently in the process of rechecking the rules to enable. I will be sure to add the rules that you mentioned. I'll submit a PR to hayabusa-rules later to fix this. I think we can merge this for now.
@YamatoSecurity @fukusuket Thanks for your review. I will merge it.
What Changed
Added the -P, --proven-rules option to the csv-timeline and json-timeline commands. With it, scanning uses only the detection rules whose rule IDs are listed in ./rules/config/proven_rules.txt.
I would appreciate it if you could review when you have time.
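The behaviour described above (load only the rule IDs listed in proven_rules.txt, and the one-entry case that the review caught) as an added example. This is not Hayabusa's own code: the rule struct, the parsing conventions (trimmed lines, blank lines and `#` comments ignored, case-insensitive ID match, an empty list keeps nothing rather than falling back to all rules) and every rule ID other than the one quoted on this page are assumptions constructed for the example.

```rust
// Added example, not Hayabusa's own implementation. Models how a
// -P / --proven-rules allow-list can be parsed and applied, with the
// one-entry check that the review above asked for.
use std::collections::HashSet;

/// Minimal stand-in for a loaded detection rule.
#[derive(Debug, Clone, PartialEq)]
pub struct Rule {
    pub id: String,
    pub level: String,
    pub title: String,
}

fn rule(id: &str, level: &str, title: &str) -> Rule {
    Rule { id: id.into(), level: level.into(), title: title.into() }
}

/// Constructed rule set: the first id is the one quoted on this page,
/// the others are made up. Two rules deliberately share the title
/// "Net Conn" (see the usage note below).
pub fn sample_rules() -> Vec<Rule> {
    vec![
        rule("002bdb95-0cf1-46a6-9e08-d38c128a6127", "info", "Net Conn"),
        rule("11111111-1111-4111-8111-111111111111", "info", "Net Conn"),
        rule("22222222-2222-4222-8222-222222222222", "crit", "Audit CVE Event"),
        rule("33333333-3333-4333-8333-333333333333", "med", "Potential RDP Session Hijacking Activity"),
    ]
}

/// Parse proven_rules.txt-style contents: one rule id per line.
/// Assumed conventions: whitespace is trimmed, blank lines and lines
/// starting with '#' are ignored, ids are compared case-insensitively.
pub fn parse_proven_rules(contents: &str) -> HashSet<String> {
    contents
        .lines()
        .map(str::trim)
        .filter(|l| !l.is_empty() && !l.starts_with('#'))
        .map(|l| l.to_ascii_lowercase())
        .collect()
}

/// Apply the allow-list. `None` models "-P not given": every rule is kept.
/// `Some(set)` keeps only rules whose id is in the set; an empty set keeps
/// nothing instead of silently loading every rule (assumed design choice).
pub fn filter_rules(rules: &[Rule], proven: Option<&HashSet<String>>) -> Vec<Rule> {
    match proven {
        None => rules.to_vec(),
        Some(allow) => rules
            .iter()
            .filter(|r| allow.contains(&r.id.to_ascii_lowercase()))
            .cloned()
            .collect(),
    }
}

/// Ids that the allow-list excludes. Comparing id sets is more precise than
/// comparing per-title counts, because several rules can share one title.
pub fn dropped_ids(rules: &[Rule], allow: &HashSet<String>) -> Vec<String> {
    rules
        .iter()
        .filter(|r| !allow.contains(&r.id.to_ascii_lowercase()))
        .map(|r| r.id.clone())
        .collect()
}

fn main() {
    let rules = sample_rules();
    // Constructed one-entry proven_rules.txt, as in the review above.
    let one_entry = "002bdb95-0cf1-46a6-9e08-d38c128a6127\n";
    let allow = parse_proven_rules(one_entry);

    let without_p = filter_rules(&rules, None);
    let with_p = filter_rules(&rules, Some(&allow));
    println!("without -P: {} rules loaded", without_p.len());
    println!("with -P and one entry: {} rule(s) loaded", with_p.len());
    for r in &with_p {
        println!("  kept    {} [{}] {}", r.id, r.level, r.title);
    }
    for id in dropped_ids(&rules, &allow) {
        println!("  dropped {}", id);
    }
}
```

Listing dropped IDs rather than diffing `uniq -c` counts by level and title is the check worth keeping: in the diff above, "Net Conn" fell from 243 to 151 hits without disappearing, which only tells you that some rules sharing that title were excluded, not which ones; an ID-level comparison names them directly.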