
feat: embedded config files to binary #1370 #1385

Merged
merged 16 commits into from
Aug 14, 2024

Conversation

hitenkoku

What Changed

  • embedded config files in binary

@hitenkoku hitenkoku added the enhancement New feature or request label Jul 15, 2024
@hitenkoku hitenkoku self-assigned this Jul 15, 2024
@hitenkoku hitenkoku linked an issue Jul 15, 2024 that may be closed by this pull request

@fukusuket fukusuket left a comment


@hitenkoku
I confirmed the CSV result has no diff between before/after :)
But the progress bar is output twice as follows only when run without a config directory🤔 Could you please confirm this?🙏
(When there is a config directory, the progress bar is printed only once)

% ./hayabusa-new csv-timeline -d ../hayabusa-sample-evtx -o new.csv -D -n -u -w -q -C
Start time: 2024/07/15 19:06

Total event log files: 585
Total file size: 137.2 MB

Loading detection rules. Please wait.

Excluded rules: 20
Noisy rules: 12

Deprecated rules: 209 (4.72%)
Experimental rules: 566 (12.78%)
Stable rules: 253 (5.71%)
Test rules: 3,355 (75.77%)
Unsupported rules: 45 (1.02%)

Hayabusa rules: 179
Sigma rules: 4,249
Total detection rules: 4,428

Creating the channel filter. Please wait.

Evtx files loaded after channel filter: 575
Detection rules enabled after channel filter: 4,355

Output profile: standard

Scanning in progress. Please wait.

[00:00:00] 0 / 575 ⠁ [                                        ] 0%

[00:00:05] 575 / 575   [========================================] 100%

Scanning finished. Please wait while the results are being saved.

@hitenkoku

@fukusuket Thank you for your review.
I am checking the problem you pointed out.

@hitenkoku

@fukusuket Sorry for the late fix.

I fixed the following problem in 62e14f7.

Could you review it?

> @hitenkoku I confirmed the CSV result has no diff between before/after :) But the progress bar is output twice as follows only when run without a config directory🤔 Could you please confirm this?🙏 (When there is a config directory, the progress bar is printed only once)

@hitenkoku hitenkoku requested a review from fukusuket July 25, 2024 10:54

@fukusuket fukusuket left a comment


@hitenkoku
Thank you so much for fix! I confirmed #1385 (review) is fixed! LGTM!!🚀

@YamatoSecurity

@hitenkoku Thanks for this. I have confirmed that if I rename config to config2 it still works. However, Hayabusa does not read the config files in the config directory by default so users cannot change the config files unless they recompile the binary. This is inconvenient for those who want to customize color, profiles, etc...
And it also breaks the set-default-profile command. Ex: ./target/release/hayabusa set-default-profile -p super-verbose
Even if the default profile is changed in default_profile.yaml, Hayabusa will read from the embedded file which does not change.
Can you change it so that Hayabusa only reads the embedded file if the config directory does not exist?

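The precedence rule requested in the comment above (read from the config directory when it exists, fall back to the embedded copy only when it does not) is also what lies behind the later reports about set-default-profile, level_color.txt and mitre_tactics.txt in this thread. The following Rust sketch is an added illustration of that rule and is not Hayabusa's own code. The file names default_profile.yaml and level_color.txt and the `critical,00ff00` override come from the thread; the contents of the EMBEDDED_* constants (constructed stand-ins for what a real build would pull in with include_str!), the `load_config` and `parse_level_colors` names, and the decision to report a missing file inside a present config directory as an error are assumptions made for this example.

```rust
use std::fs;
use std::path::{Path, PathBuf};

// Constructed stand-ins for the files the PR embeds. A real build would use
// include_str!("../config/default_profile.yaml") and so on; these contents are
// assumptions for this example, not Hayabusa's real config files.
const EMBEDDED_DEFAULT_PROFILE: &str = "profile: standard\n";
const EMBEDDED_LEVEL_COLOR: &str =
    "level,colorcode\ncritical,ff0000\nhigh,ff8800\nmedium,ffff00\nlow,00ff00\n";

/// Where a config file was resolved from.
#[derive(Debug, PartialEq)]
pub enum Source {
    ConfigDir(PathBuf),
    Embedded,
}

/// Resolve one config file by name following the rule agreed in the thread:
/// if the config directory exists, read the file from it (so user edits and
/// `set-default-profile` are honoured); only when the directory is absent fall
/// back to the copy compiled into the binary.
pub fn load_config(config_dir: &Path, name: &str) -> Result<(String, Source), String> {
    let embedded = match name {
        "default_profile.yaml" => EMBEDDED_DEFAULT_PROFILE,
        "level_color.txt" => EMBEDDED_LEVEL_COLOR,
        _ => return Err(format!("unknown config file: {name}")),
    };
    if config_dir.is_dir() {
        // A present config directory takes precedence. A missing or unreadable
        // file inside it is reported instead of being silently replaced by the
        // embedded copy (design choice for this example, not Hayabusa's).
        let path = config_dir.join(name);
        let text = fs::read_to_string(&path)
            .map_err(|e| format!("cannot read {}: {e}", path.display()))?;
        Ok((text, Source::ConfigDir(path)))
    } else {
        Ok((embedded.to_string(), Source::Embedded))
    }
}

/// Parse level_color.txt (CSV with a `level,colorcode` header) into
/// (level, colorcode) pairs, so the caller can see that an on-disk override
/// such as `critical,00ff00` actually reaches the consumer.
pub fn parse_level_colors(text: &str) -> Vec<(String, String)> {
    text.lines()
        .skip(1) // header row
        .filter(|l| !l.trim().is_empty())
        .filter_map(|l| {
            let mut it = l.splitn(2, ',');
            Some((it.next()?.trim().to_string(), it.next()?.trim().to_string()))
        })
        .collect()
}

fn main() -> Result<(), String> {
    // Look for ./config next to the current working directory, as in the thread.
    let dir = std::env::current_dir().map_err(|e| e.to_string())?.join("config");
    let (text, src) = load_config(&dir, "level_color.txt")?;
    println!("level_color.txt resolved from {:?}", src);
    for (level, color) in parse_level_colors(&text) {
        println!("{level} -> #{color}");
    }
    Ok(())
}
```

Because a present config directory wins over the embedded copy, the embedded defaults only determine behaviour when no directory is found; on a shared analysis host it is worth checking that the config directory next to the binary is the one you expect before relying on colours, profiles or tactic names in the output.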
@hitenkoku

@YamatoSecurity Fixed the following problem. Please recheck it.

> @hitenkoku Thanks for this. I have confirmed that if I rename config to config2 it still works. However, Hayabusa does not read the config files in the config directory by default so users cannot change the config files unless they recompile the binary. This is inconvenient for those who want to customize color, profiles, etc... And it also breaks the set-default-profile command. Ex: ./target/release/hayabusa set-default-profile -p super-verbose Even if the default profile is changed in default_profile.yaml, Hayabusa will read from the embedded file which does not change. Can you change it so that Hayabusa only reads the embedded file if the config directory does not exist?

@YamatoSecurity

@hitenkoku Thanks! When I run the following it updates the config file correctly but it displays an error:

./target/release/hayabusa set-default-profile -p minimal
Successfully updated the default profile.

┏┓ ┏┳━━━┳┓  ┏┳━━━┳━━┓┏┓ ┏┳━━━┳━━━┓
┃┃ ┃┃┏━┓┃┗┓┏┛┃┏━┓┃┏┓┃┃┃ ┃┃┏━┓┃┏━┓┃
┃┗━┛┃┃ ┃┣┓┗┛┏┫┃ ┃┃┗┛┗┫┃ ┃┃┗━━┫┃ ┃┃
┃┏━┓┃┗━┛┃┗┓┏┛┃┗━┛┃┏━┓┃┃ ┃┣━━┓┃┗━┛┃
┃┃ ┃┃┏━┓┃ ┃┃ ┃┏━┓┃┗━┛┃┗━┛┃┗━┛┃┏━┓┃
┗┛ ┗┻┛ ┗┛ ┗┛ ┗┛ ┗┻━━━┻━━━┻━━━┻┛ ┗┛
   by Yamato Security

Start time: 2024/07/28 16:13

Default profile cannot be set due to the absence of a config folder. Please check config folder.

Can you remove the Default profile cannot be set due to the absence of a config folder. Please check config folder. error message when there is a success?

Also, when I change the level_color.txt settings to the same colors:

level,colorcode
critical,00ff00
high,00ff00
medium,00ff00
low,00ff00

just to test, the colors do not change anymore. Can you check this?

@hitenkoku

@YamatoSecurity Thanks for your review. I fixed the following problems. Please recheck.

> @hitenkoku Thanks! When I run the following it updates the config file correctly but it displays an error:
>
> ./target/release/hayabusa set-default-profile -p minimal
> Successfully updated the default profile.
>
> ┏┓ ┏┳━━━┳┓  ┏┳━━━┳━━┓┏┓ ┏┳━━━┳━━━┓
> ┃┃ ┃┃┏━┓┃┗┓┏┛┃┏━┓┃┏┓┃┃┃ ┃┃┏━┓┃┏━┓┃
> ┃┗━┛┃┃ ┃┣┓┗┛┏┫┃ ┃┃┗┛┗┫┃ ┃┃┗━━┫┃ ┃┃
> ┃┏━┓┃┗━┛┃┗┓┏┛┃┗━┛┃┏━┓┃┃ ┃┣━━┓┃┗━┛┃
> ┃┃ ┃┃┏━┓┃ ┃┃ ┃┏━┓┃┗━┛┃┗━┛┃┗━┛┃┏━┓┃
> ┗┛ ┗┻┛ ┗┛ ┗┛ ┗┛ ┗┻━━━┻━━━┻━━━┻┛ ┗┛
>    by Yamato Security
>
> Start time: 2024/07/28 16:13
>
> Default profile cannot be set due to the absence of a config folder. Please check config folder.
>
> Can you remove the Default profile cannot be set due to the absence of a config folder. Please check config folder. error message when there is a success?
>
> Also, when I change the level_color.txt settings to the same colors:
>
> level,colorcode
> critical,00ff00
> high,00ff00
> medium,00ff00
> low,00ff00
>
> just to test, the colors do not change anymore. Can you check this?

@YamatoSecurity

@hitenkoku Thank you!
I checked that the error message now does not get displayed:

Successfully updated the default profile.

┏┓ ┏┳━━━┳┓  ┏┳━━━┳━━┓┏┓ ┏┳━━━┳━━━┓
┃┃ ┃┃┏━┓┃┗┓┏┛┃┏━┓┃┏┓┃┃┃ ┃┃┏━┓┃┏━┓┃
┃┗━┛┃┃ ┃┣┓┗┛┏┫┃ ┃┃┗┛┗┫┃ ┃┃┗━━┫┃ ┃┃
┃┏━┓┃┗━┛┃┗┓┏┛┃┗━┛┃┏━┓┃┃ ┃┣━━┓┃┗━┛┃
┃┃ ┃┃┏━┓┃ ┃┃ ┃┏━┓┃┗━┛┃┗━┛┃┗━┛┃┏━┓┃
┗┛ ┗┻┛ ┗┛ ┗┛ ┗┛ ┗┻━━━┻━━━┻━━━┻┛ ┗┛
   by Yamato Security

Start time: 2024/07/29 19:57

However, it is easy to miss the message as it gets displayed before the logo. Can you change it to:

./target/release/hayabusa set-default-profile -p minimal

┏┓ ┏┳━━━┳┓  ┏┳━━━┳━━┓┏┓ ┏┳━━━┳━━━┓
┃┃ ┃┃┏━┓┃┗┓┏┛┃┏━┓┃┏┓┃┃┃ ┃┃┏━┓┃┏━┓┃
┃┗━┛┃┃ ┃┣┓┗┛┏┫┃ ┃┃┗┛┗┫┃ ┃┃┗━━┫┃ ┃┃
┃┏━┓┃┗━┛┃┗┓┏┛┃┗━┛┃┏━┓┃┃ ┃┣━━┓┃┗━┛┃
┃┃ ┃┃┏━┓┃ ┃┃ ┃┏━┓┃┗━┛┃┗━┛┃┗━┛┃┏━┓┃
┗┛ ┗┻┛ ┗┛ ┗┛ ┗┛ ┗┻━━━┻━━━┻━━━┻┛ ┗┛
   by Yamato Security

Successfully updated the default profile.

or just

./target/release/hayabusa set-default-profile -p minimal

Successfully updated the default profile.

I changed the colors for the levels in level_color.txt to

level,colorcode
critical,00ff00
high,00ff00
medium,00ff00
low,00ff00

but the colors still do not change. Can you check this?

@YamatoSecurity

The mitre_tactics.txt settings also do not seem to be read from the config file, just the embedded config file.
To test, I changed attack.credential_access,CredAccess,08. Credential Access to attack.credential_access,CredHogeAccess,08. Credential Access and searched for CredHogeAccess after running Hayabusa with the super-verbose file but it still shows up as CredAccess.

Could you please check this as well.

@hitenkoku

@YamatoSecurity Thanks for your comment.

I fixed the following point in c12a06a.

> The mitre_tactics.txt settings also do not seem to be read from the config file, just the embedded config file. To test, I changed attack.credential_access,CredAccess,08. Credential Access to attack.credential_access,CredHogeAccess,08. Credential Access and searched for CredHogeAccess after running Hayabusa with the super-verbose file but it still shows up as CredAccess.
>
> Could you please check this as well.

I fixed the following point in 562c117.

> @hitenkoku Thank you! I checked that the error message now does not get displayed:
>
> Successfully updated the default profile.
>
> ┏┓ ┏┳━━━┳┓  ┏┳━━━┳━━┓┏┓ ┏┳━━━┳━━━┓
> ┃┃ ┃┃┏━┓┃┗┓┏┛┃┏━┓┃┏┓┃┃┃ ┃┃┏━┓┃┏━┓┃
> ┃┗━┛┃┃ ┃┣┓┗┛┏┫┃ ┃┃┗┛┗┫┃ ┃┃┗━━┫┃ ┃┃
> ┃┏━┓┃┗━┛┃┗┓┏┛┃┗━┛┃┏━┓┃┃ ┃┣━━┓┃┗━┛┃
> ┃┃ ┃┃┏━┓┃ ┃┃ ┃┏━┓┃┗━┛┃┗━┛┃┗━┛┃┏━┓┃
> ┗┛ ┗┻┛ ┗┛ ┗┛ ┗┛ ┗┻━━━┻━━━┻━━━┻┛ ┗┛
>    by Yamato Security
>
> Start time: 2024/07/29 19:57
>
> However, it is easy to miss the message as it gets displayed before the logo. Can you change it to:
>
> ./target/release/hayabusa set-default-profile -p minimal
>
> ┏┓ ┏┳━━━┳┓  ┏┳━━━┳━━┓┏┓ ┏┳━━━┳━━━┓
> ┃┃ ┃┃┏━┓┃┗┓┏┛┃┏━┓┃┏┓┃┃┃ ┃┃┏━┓┃┏━┓┃
> ┃┗━┛┃┃ ┃┣┓┗┛┏┫┃ ┃┃┗┛┗┫┃ ┃┃┗━━┫┃ ┃┃
> ┃┏━┓┃┗━┛┃┗┓┏┛┃┗━┛┃┏━┓┃┃ ┃┣━━┓┃┗━┛┃
> ┃┃ ┃┃┏━┓┃ ┃┃ ┃┏━┓┃┗━┛┃┗━┛┃┗━┛┃┏━┓┃
> ┗┛ ┗┻┛ ┗┛ ┗┛ ┗┛ ┗┻━━━┻━━━┻━━━┻┛ ┗┛
>    by Yamato Security
>
> Successfully updated the default profile.
>
> or just
>
> ./target/release/hayabusa set-default-profile -p minimal
>
> Successfully updated the default profile.

I fixed the following point in dbd0417.

> I changed the colors for the levels in level_color.txt to
>
> level,colorcode
> critical,00ff00
> high,00ff00
> medium,00ff00
> low,00ff00
>
> but the colors still do not change. Can you check this?


@YamatoSecurity YamatoSecurity left a comment


@hitenkoku I checked that everything works on my environment. Thanks so much!

@YamatoSecurity YamatoSecurity merged commit 0ff1d5a into main Aug 14, 2024
5 checks passed
@YamatoSecurity YamatoSecurity deleted the 1370-embed-config-files-in-binary branch August 14, 2024 01:38
Successfully merging this pull request may close these issues.

Embed config files in binary
3 participants