Merge branch 'main' into 1071-make-sure-the-tables-fit-on-a-120-chara…

…cter-terminal

CHANGELOG-Japanese.md

@@ -13,6 +13,8 @@
 - 標準出力とHTML出力にプロファイル名を出力する機能を追加した。 (#1055) (@hitenkoku)
 - HTML出力のルールアラートにルール作者名を表示するように修正した。 (#1065) (@hitenkoku)
 - 端末サイズが小さくてもテーブルが壊れないように、テーブル幅を短くした。 (#1071) (@hitenkoku)
+- `csv-timeline`、`json-timeline`、`metrics`、`logon-summary`、`search`コマンドに対して、出力ファイルを上書きするための`-C, --clobber`オプションを追加した。 (#1063) (@YamatoSecurity, @hitenkoku)
+- HTML内にCSSと画像を組み込んだ。 (#1078) (@hitenkoku, 提案者: @joswr1ght)
 
 **バグ修正:**
 

CHANGELOG.md

@@ -13,6 +13,8 @@
 - The output profile name is now outputted to standard output and in the HTML report. (#1055) (@hitenkoku)
 - Added rule author names next to rule alerts in the HTML report. (#1065) (@hitenkoku)
 - Made the table width shorter to prevent tables breaking in smaller terminal sizes. (#1071) (@hitenkoku)
+- Added the `-C, --clobber` option to overwrite existing output files in `csv-timeline`, `json-timeline`, `metrics`, `logon-summary`, and `search` commands. (#1063) (@YamatoSecurity, @hitenkoku)
+- Made the HTML report portable by embedding the images and inlining CSS. (#1078) (@hitenkoku, thanks for the suggestion from @joswr1ght)
 
 **Bug Fixes:**
 

src/afterfact.rs

@@ -1712,6 +1712,7 @@ mod tests {
                     json_input: false,
                 },
                 enable_unsupported_rules: false,
+                clobber: false,
             },
             geo_ip: None,
             output: Some(Path::new("./test_emit_csv.csv").to_path_buf()),
@@ -1785,6 +1786,7 @@ mod tests {
                     json_input: false,
                 },
                 enable_unsupported_rules: false,
+                clobber: false,
             };
             let ch = mock_ch_filter
                 .get(&CompactString::from("security"))
@@ -2003,6 +2005,7 @@ mod tests {
                     json_input: false,
                 },
                 enable_unsupported_rules: false,
+                clobber: false,
             },
             geo_ip: None,
             output: Some(Path::new("./test_emit_csv_multiline.csv").to_path_buf()),
@@ -2078,6 +2081,7 @@ mod tests {
                     json_input: false,
                 },
                 enable_unsupported_rules: false,
+                clobber: false,
             };
             let ch = mock_ch_filter
                 .get(&CompactString::from("security"))
@@ -2294,6 +2298,7 @@ mod tests {
                 json_input: false,
             },
             enable_unsupported_rules: false,
+            clobber: false,
         };
         let data: Vec<(CompactString, Profile)> = vec![
             (
@@ -2416,6 +2421,7 @@ mod tests {
                     json_input: false,
                 },
                 enable_unsupported_rules: false,
+                clobber: false,
             },
             geo_ip: None,
             output: Some(Path::new("./test_emit_csv_json.json").to_path_buf()),
@@ -2488,6 +2494,7 @@ mod tests {
                     json_input: false,
                 },
                 enable_unsupported_rules: false,
+                clobber: false,
             };
             let ch = mock_ch_filter
                 .get(&CompactString::from("security"))
@@ -2644,6 +2651,7 @@ mod tests {
                     json_input: false,
                 },
                 enable_unsupported_rules: false,
+                clobber: false,
             },
             geo_ip: None,
             output: Some(Path::new("./test_emit_csv_jsonl.jsonl").to_path_buf()),
@@ -2716,6 +2724,7 @@ mod tests {
                     json_input: false,
                 },
                 enable_unsupported_rules: false,
+                clobber: false,
             };
             let ch = mock_ch_filter
                 .get(&CompactString::from("security"))

src/detections/configs.rs

@@ -268,6 +268,7 @@ impl StoredStatic {
             Some(Action::Metrics(opt)) => opt.output.as_ref(),
             Some(Action::PivotKeywordsList(opt)) => opt.output.as_ref(),
             Some(Action::LogonSummary(opt)) => opt.output.as_ref(),
+            Some(Action::Search(opt)) => opt.output.as_ref(),
             _ => None,
         };
         let general_ch_abbr = create_output_filter_config(
@@ -772,6 +773,10 @@ pub struct SearchOption {
     /// Output event field information in multiple rows
     #[arg(help_heading = Some("Output"), short = 'M', long="multiline", display_order = 390)]
     pub multiline: bool,
+
+    /// Overwrite results files
+    #[arg(help_heading = Some("General Options"), short='C', long = "clobber", display_order = 290, requires = "output")]
+    pub clobber: bool,
 }
 
 #[derive(Args, Clone, Debug)]
@@ -852,6 +857,10 @@ pub struct MetricsOption {
     /// Output time in UTC format (default: local time)
     #[arg(help_heading = Some("Time Format"), short = 'U', long = "UTC", display_order = 210)]
     pub utc: bool,
+
+    /// Overwrite results files
+    #[arg(help_heading = Some("General Options"), short='C', long = "clobber", display_order = 290, requires = "output")]
+    pub clobber: bool,
 }
 
 #[derive(Args, Clone, Debug)]
@@ -928,7 +937,7 @@ pub struct LogonSummaryOption {
     #[clap(flatten)]
     pub input_args: InputOption,
 
-    /// Save the Logon summary in CSV format (ex: logon-summary.csv)
+    /// Save the logon summary to 2 CSV files. Specify the base filename. (ex: -o logon-summary)
     #[arg(help_heading = Some("Output"), short = 'o', long, value_name = "FILE", display_order = 410)]
     pub output: Option<PathBuf>,
 
@@ -965,6 +974,10 @@ pub struct LogonSummaryOption {
     /// Output time in UTC format (default: local time)
     #[arg(help_heading = Some("Time Format"), short = 'U', long = "UTC", display_order = 210)]
     pub utc: bool,
+
+    /// Overwrite results files
+    #[arg(help_heading = Some("General Options"), short='C', long = "clobber", display_order = 290, requires = "output")]
+    pub clobber: bool,
 }
 
 /// Options can be set when outputting
@@ -1080,12 +1093,16 @@ pub struct OutputOption {
     pub rules: PathBuf,
 
     /// Save Results Summary details to an HTML report (ex: results.html)
-    #[arg(help_heading = Some("Output"), short = 'H', long="HTML-report", value_name = "FILE", display_order = 80)]
+    #[arg(help_heading = Some("Output"), short = 'H', long="HTML-report", value_name = "FILE", display_order = 80, requires = "output")]
     pub html_report: Option<PathBuf>,
 
     /// Do not display Results Summary (slightly faster speed)
     #[arg(help_heading = Some("Display Settings"), short = 'N', long = "no-summary", display_order = 401)]
     pub no_summary: bool,
+
+    /// Overwrite results files
+    #[arg(help_heading = Some("General Options"), short='C', long = "clobber", display_order = 290, requires = "output")]
+    pub clobber: bool,
 }
 
 #[derive(Copy, Args, Clone, Debug)]
@@ -1463,6 +1480,7 @@ fn extract_search_options(config: &Config) -> Option<SearchOption> {
             config: option.config.clone(),
             verbose: option.verbose,
             multiline: option.multiline,
+            clobber: option.clobber,
         }),
         _ => None,
     }
@@ -1498,6 +1516,7 @@ fn extract_output_options(config: &Config) -> Option<OutputOption> {
             common_options: option.common_options,
             detect_common_options: option.detect_common_options.clone(),
             enable_unsupported_rules: option.enable_unsupported_rules,
+            clobber: false,
         }),
         Action::Metrics(option) => Some(OutputOption {
             input_args: option.input_args.clone(),
@@ -1524,6 +1543,7 @@ fn extract_output_options(config: &Config) -> Option<OutputOption> {
             common_options: option.common_options,
             detect_common_options: option.detect_common_options.clone(),
             enable_unsupported_rules: false,
+            clobber: option.clobber,
         }),
         Action::LogonSummary(option) => Some(OutputOption {
             input_args: option.input_args.clone(),
@@ -1550,6 +1570,7 @@ fn extract_output_options(config: &Config) -> Option<OutputOption> {
             common_options: option.common_options,
             detect_common_options: option.detect_common_options.clone(),
             enable_unsupported_rules: false,
+            clobber: option.clobber,
         }),
         Action::Search(option) => Some(OutputOption {
             input_args: option.input_args.clone(),
@@ -1583,6 +1604,7 @@ fn extract_output_options(config: &Config) -> Option<OutputOption> {
             },
             exact_level: None,
             enable_unsupported_rules: false,
+            clobber: option.clobber,
         }),
         Action::SetDefaultProfile(option) => Some(OutputOption {
             input_args: InputOption {
@@ -1620,6 +1642,7 @@ fn extract_output_options(config: &Config) -> Option<OutputOption> {
                 json_input: false,
             },
             enable_unsupported_rules: false,
+            clobber: false,
         }),
         Action::UpdateRules(option) => Some(OutputOption {
             input_args: InputOption {
@@ -1657,6 +1680,7 @@ fn extract_output_options(config: &Config) -> Option<OutputOption> {
                 json_input: false,
             },
             enable_unsupported_rules: true,
+            clobber: false,
         }),
         _ => None,
     }

src/detections/detection.rs

@@ -1200,6 +1200,7 @@ mod tests {
                         json_input: false,
                     },
                     enable_unsupported_rules: false,
+                    clobber: false,
                 },
                 geo_ip: None,
                 output: None,
@@ -1445,6 +1446,7 @@ mod tests {
                     json_input: false,
                 },
                 enable_unsupported_rules: false,
+                clobber: false,
             },
             geo_ip: Some(Path::new("test_files/mmdb").to_path_buf()),
             output: Some(Path::new("./test_emit_csv.csv").to_path_buf()),
@@ -1563,6 +1565,7 @@ mod tests {
                     json_input: false,
                 },
                 enable_unsupported_rules: false,
+                clobber: false,
             },
             geo_ip: Some(Path::new("test_files/mmdb").to_path_buf()),
             output: Some(Path::new("./test_emit_csv.csv").to_path_buf()),
@@ -1677,6 +1680,7 @@ mod tests {
                     json_input: false,
                 },
                 enable_unsupported_rules: false,
+                clobber: false,
             },
             geo_ip: None,
             output: Some(Path::new("./test_emit_csv.csv").to_path_buf()),
@@ -1804,6 +1808,7 @@ mod tests {
                     json_input: false,
                 },
                 enable_unsupported_rules: false,
+                clobber: false,
             },
             geo_ip: None,
             output: Some(Path::new("./test_emit_csv.csv").to_path_buf()),

src/detections/rule/condition_parser.rs

@@ -593,6 +593,7 @@ mod tests {
                         json_input: false,
                     },
                     enable_unsupported_rules: false,
+                    clobber: false,
                 },
                 geo_ip: None,
                 output: None,

src/detections/rule/count.rs

@@ -617,6 +617,7 @@ mod tests {
                         json_input: false,
                     },
                     enable_unsupported_rules: false,
+                    clobber: false,
                 },
                 geo_ip: None,
                 output: None,

src/detections/rule/matchers.rs

@@ -856,6 +856,7 @@ mod tests {
                         json_input: false,
                     },
                     enable_unsupported_rules: false,
+                    clobber: false,
                 },
                 geo_ip: None,
                 output: None,
@@ -2729,9 +2730,9 @@ mod tests {
                 '|all':
                     - 'Sysmon/Operational'
                     - 'indows\'
-            selection2: 
-                - 1 
-                - 2 
+            selection2:
+                - 1
+                - 2
             condition: selection1 and selection2
         "#;
 
@@ -2760,9 +2761,9 @@ mod tests {
                 '|all':
                     - 'Sysmon/Operational'
                     - 'false'
-            selection2: 
-                - 1 
-                - 2 
+            selection2:
+                - 1
+                - 2
             condition: selection1 and selection2
         "#;
 
@@ -2791,9 +2792,9 @@ mod tests {
                 '|all':
                     - 'Sysmon/Operational'
                     - 'false'
-            selection2: 
-                - 3 
-                - 2 
+            selection2:
+                - 3
+                - 2
             condition: selection1 and selection2
         "#;
 

src/detections/rule/mod.rs

@@ -437,6 +437,7 @@ mod tests {
                         json_input: false,
                     },
                     enable_unsupported_rules: false,
+                    clobber: false,
                 },
                 geo_ip: None,
                 output: None,

src/detections/rule/selectionnodes.rs

@@ -557,6 +557,7 @@ mod tests {
                         json_input: false,
                     },
                     enable_unsupported_rules: false,
+                    clobber: false,
                 },
                 geo_ip: None,
                 output: None,

src/detections/utils.rs

@@ -975,6 +975,7 @@ mod tests {
                         json_input: false,
                     },
                     enable_unsupported_rules: false,
+                    clobber: false,
                 },
                 geo_ip: None,
                 output: None,