reduce output mitre attack detail tachnique No. by config file (#483)

* reduced mitre attck tag output by config file #477 * prepared 1.2.0 version toml * added test files and mitre attck strategy tag file #477 * fixed cargo.toml version * updated cargo.lock * output tag english update * cargo fmt Co-authored-by: Tanaka Zakku <[email protected]>
Yamato-Security · Apr 6, 2022 · d6efb51 · d6efb51
1 parent a5bf79c
commit d6efb51
Show file tree

Hide file tree

Showing 6 changed files with 70 additions and 12 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "hayabusa"
-version = "1.1.0"
+version = "1.2.0"
 authors = ["Yamato Security @SecurityYamato"]
 edition = "2021"
 

diff --git a/config/output_tag.txt b/config/output_tag.txt
@@ -0,0 +1,15 @@
+tag_full_str,tag_output_str
+attack.reconnaissance,Recon
+attack.resource_development,ResDev
+attack.initial_access,InitAccess
+attack.execution,Exec
+attack.persistence,Persis
+attack.privilege_escalation,PrivEsc
+attack.defense_evasion,Evas
+attack.credential_access,CredAccess
+attack.discovery,Disc
+attack.lateral_movement,LatMov
+attack.collection,Collect
+attack.command_and_control,C2
+attack.exfiltration,Exfil
+attack.impact,Impact
diff --git a/src/detections/detection.rs b/src/detections/detection.rs
@@ -9,6 +9,7 @@ use crate::detections::print::MESSAGES;
 use crate::detections::print::PIVOT_KEYWORD_LIST_FLAG;
 use crate::detections::print::QUIET_ERRORS_FLAG;
 use crate::detections::print::STATISTICS_FLAG;
+use crate::detections::print::TAGS_CONFIG;
 use crate::detections::rule;
 use crate::detections::rule::AggResult;
 use crate::detections::rule::RuleNode;
@@ -200,7 +201,8 @@ impl Detection {
             .as_vec()
             .unwrap_or(&Vec::default())
             .iter()
-            .map(|info| info.as_str().unwrap_or("").replace("attack.", ""))
+            .filter_map(|info| TAGS_CONFIG.get(info.as_str().unwrap_or(&String::default())))
+            .map(|str| str.to_owned())
             .collect();
         MESSAGES.lock().unwrap().insert(
             &record_info.record,
@@ -218,7 +220,7 @@ impl Detection {
                 .unwrap_or_else(|| "-".to_owned()),
                 alert: rule.yaml["title"].as_str().unwrap_or("").to_string(),
                 detail: String::default(),
-                tag_info: tag_info.join(" : "),
+                tag_info: tag_info.join(" | "),
             },
         );
     }

diff --git a/src/detections/print.rs b/src/detections/print.rs
@@ -53,6 +53,8 @@ lazy_static! {
         .unwrap()
         .args
         .is_present("statistics");
+    pub static ref TAGS_CONFIG: HashMap<String, String> =
+        Message::create_tags_config("config/output_tag.txt");
     pub static ref PIVOT_KEYWORD_LIST_FLAG: bool = configs::CONFIG
         .read()
         .unwrap()
@@ -72,6 +74,33 @@ impl Message {
         Message { map: messages }
     }
 
+    /// ファイルパスで記載されたtagでのフル名、表示の際に置き換えられる文字列のHashMapを作成する関数。tagではこのHashMapのキーに対応しない出力は出力しないものとする
+    /// ex. attack.impact,Impact
+    pub fn create_tags_config(path: &str) -> HashMap<String, String> {
+        let read_result = utils::read_csv(path);
+        if read_result.is_err() {
+            AlertMessage::alert(
+                &mut BufWriter::new(std::io::stderr().lock()),
+                read_result.as_ref().unwrap_err(),
+            )
+            .ok();
+            return HashMap::default();
+        }
+        let mut ret: HashMap<String, String> = HashMap::new();
+        read_result.unwrap().into_iter().for_each(|line| {
+            if line.len() != 2 {
+                return;
+            }
+
+            let empty = &"".to_string();
+            let tag_full_str = line.get(0).unwrap_or(empty).trim();
+            let tag_replace_str = line.get(1).unwrap_or(empty).trim();
+
+            ret.insert(tag_full_str.to_owned(), tag_replace_str.to_owned());
+        });
+        ret
+    }
+
     /// メッセージの設定を行う関数。aggcondition対応のためrecordではなく出力をする対象時間がDatetime形式での入力としている
     pub fn insert_message(&mut self, detect_info: DetectInfo, event_time: DateTime<Utc>) {
         if let Some(v) = self.map.get_mut(&event_time) {
@@ -222,6 +251,7 @@ impl AlertMessage {
 mod tests {
     use crate::detections::print::DetectInfo;
     use crate::detections::print::{AlertMessage, Message};
+    use hashbrown::HashMap;
     use serde_json::Value;
     use std::io::BufWriter;
 
@@ -466,4 +496,18 @@ mod tests {
             expected,
         );
     }
+    #[test]
+    /// output_tag.txtの読み込みテスト
+    fn test_load_output_tag() {
+        let actual = Message::create_tags_config("test_files/config/output_tag.txt");
+        let expected: HashMap<String, String> = HashMap::from([
+            ("attack.impact".to_string(), "Impact".to_string()),
+            ("xxx".to_string(), "yyy".to_string()),
+        ]);
+
+        assert_eq!(actual.len(), expected.len());
+        for (k, v) in expected.iter() {
+            assert!(actual.get(k).unwrap_or(&String::default()) == v);
+        }
+    }
 }
diff --git a/test_files/config/output_tag.txt b/test_files/config/output_tag.txt
@@ -0,0 +1,3 @@
+tag_full_str,tag_output_str
+attack.impact,Impact
+xxx,yyy