
fix: output agg result string when all-field-info profile #1452

Merged
merged 3 commits into from
Oct 14, 2024

Conversation

fukusuket
Collaborator

@fukusuket fukusuket commented Oct 14, 2024

What Changed

Evidence

Integration-Test

All commands completed successfully.
https://github.com/Yamato-Security/hayabusa/actions/runs/11325635098

CSV timeline and JSON timeline diff (when rule/config folder exists) ... -p super-verbose

No difference (csv/json) from the main branch's results, as follows.
https://github.com/Yamato-Security/hayabusa/actions/runs/11325632998

I would appreciate it if you could check it out when you have time🙏

@fukusuket fukusuket self-assigned this Oct 14, 2024
@fukusuket fukusuket added the bug Something isn't working label Oct 14, 2024
@fukusuket fukusuket added this to the 2.18.0 Sector Release milestone Oct 14, 2024
@fukusuket
Collaborator Author

csv-timeline(-p all-field-info)

% ./hayabusa csv-timeline -d ../hayabusa-sample-evtx -w -q -C -o new.csv -p all-field-info
% ./hayabusa-2.18.0-mac-aarch64 csv-timeline -d ../hayabusa-sample-evtx -w -q -C -o old.csv -p all-field-info
% diff old.csv new.csv
32209,32211c32209,32211
< "2019-05-01 04:27:02.847 +09:00","PW Spray","med","DESKTOP-JR78RLP","Sec",4648,"-","-","Sec_4648_Med_ExplicitLogon_PW-Spray_Cnt.yml","../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx"
< "2019-05-01 04:32:03.525 +09:00","PW Spray","med","DESKTOP-JR78RLP","Sec",4648,"-","-","Sec_4648_Med_ExplicitLogon_PW-Spray_Cnt.yml","../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx"
< "2016-09-20 01:50:06.513 +09:00","PW Guessing","med","DESKTOP-M5SN04R","Sec",4625,"-","-","Sec_4625_Med_LogonFail_WrongPW_PW-Guessing_Cnt.yml","../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx"
---
> "2019-05-01 04:27:02.847 +09:00","PW Spray","med","DESKTOP-JR78RLP","Sec",4648,"-","Count:41 ¦ TargetUserName:tbennett/cfleener/econrad/kperryman/ssims/cdavis/dmashburn/cspizor/Administrator/sanson/lpesce/psmith/jorchilles/bhostetler/smisenar/jlake/jleytevidal/edygert/lschifano/celgee/zmathis/bking/dpendolino/mdouglas/cmoody/cragoso/gsalinas/bgreenwood/thessman/melliott/jwright/mtoussain/rbowes/drook/bgalbraith/baker/jkulikowski/eskoudis/sarmstrong/wstrzelec/ebooth ¦ IpAddress:172.16.144.128","Sec_4648_Med_ExplicitLogon_PW-Spray_Cnt.yml","../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx"
> "2019-05-01 04:32:03.525 +09:00","PW Spray","med","DESKTOP-JR78RLP","Sec",4648,"-","Count:14 ¦ TargetUserName:ssims/dmashburn/cspizor/jorchilles/smisenar/jlake/edygert/bking/mdouglas/cragoso/bgreenwood/drook/bgalbraith/baker ¦ IpAddress:172.16.144.128","Sec_4648_Med_ExplicitLogon_PW-Spray_Cnt.yml","../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx"
> "2016-09-20 01:50:06.513 +09:00","PW Guessing","med","DESKTOP-M5SN04R","Sec",4625,"-","Count:3558 ¦ IpAddress:192.168.198.149","Sec_4625_Med_LogonFail_WrongPW_PW-Guessing_Cnt.yml","../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx"

@fukusuket fukusuket changed the title from "fix: output agg result string when allfieldinfo profile" to "fix: output agg result string when all-fieldinfo profile" Oct 14, 2024
@fukusuket
Collaborator Author

json-timeline(-p all-field-info)

% ./hayabusa json-timeline -d ../hayabusa-sample-evtx -w -q -C -o new.jsonl -L -p all-field-info
% ./hayabusa-2.18.0-mac-aarch64 json-timeline -d ../hayabusa-sample-evtx -w -q -C -o old.jsonl -L -p all-field-info
% diff old.jsonl new.jsonl
32208,32210c32208,32210
< { "Timestamp": "2019-05-01 04:27:02.847 +09:00","RuleTitle": "PW Spray","Level": "med","Computer": "DESKTOP-JR78RLP","Channel": "Sec","EventID": 4648,"RecordID": "-","RuleFile": "Sec_4648_Med_ExplicitLogon_PW-Spray_Cnt.yml","EvtxFile": "../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx" }
< { "Timestamp": "2019-05-01 04:32:03.525 +09:00","RuleTitle": "PW Spray","Level": "med","Computer": "DESKTOP-JR78RLP","Channel": "Sec","EventID": 4648,"RecordID": "-","RuleFile": "Sec_4648_Med_ExplicitLogon_PW-Spray_Cnt.yml","EvtxFile": "../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx" }
< { "Timestamp": "2016-09-20 01:50:06.513 +09:00","RuleTitle": "PW Guessing","Level": "med","Computer": "DESKTOP-M5SN04R","Channel": "Sec","EventID": 4625,"RecordID": "-","RuleFile": "Sec_4625_Med_LogonFail_WrongPW_PW-Guessing_Cnt.yml","EvtxFile": "../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx" }
\ No newline at end of file
---
> { "Timestamp": "2019-05-01 04:27:02.847 +09:00","RuleTitle": "PW Spray","Level": "med","Computer": "DESKTOP-JR78RLP","Channel": "Sec","EventID": 4648,"RecordID": "-","AllFieldInfo": {"Count": 41,"TargetUserName": "tbennett/cfleener/econrad/kperryman/ssims/cdavis/dmashburn/cspizor/Administrator/sanson/lpesce/psmith/jorchilles/bhostetler/smisenar/jlake/jleytevidal/edygert/lschifano/celgee/zmathis/bking/dpendolino/mdouglas/cmoody/cragoso/gsalinas/bgreenwood/thessman/melliott/jwright/mtoussain/rbowes/drook/bgalbraith/baker/jkulikowski/eskoudis/sarmstrong/wstrzelec/ebooth","IpAddress": "172.16.144.128"},"RuleFile": "Sec_4648_Med_ExplicitLogon_PW-Spray_Cnt.yml","EvtxFile": "../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx" }
> { "Timestamp": "2019-05-01 04:32:03.525 +09:00","RuleTitle": "PW Spray","Level": "med","Computer": "DESKTOP-JR78RLP","Channel": "Sec","EventID": 4648,"RecordID": "-","AllFieldInfo": {"Count": 14,"TargetUserName": "ssims/dmashburn/cspizor/jorchilles/smisenar/jlake/edygert/bking/mdouglas/cragoso/bgreenwood/drook/bgalbraith/baker","IpAddress": "172.16.144.128"},"RuleFile": "Sec_4648_Med_ExplicitLogon_PW-Spray_Cnt.yml","EvtxFile": "../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx" }
> { "Timestamp": "2016-09-20 01:50:06.513 +09:00","RuleTitle": "PW Guessing","Level": "med","Computer": "DESKTOP-M5SN04R","Channel": "Sec","EventID": 4625,"RecordID": "-","AllFieldInfo": {"Count": 3558,"IpAddress": "192.168.198.149"},"RuleFile": "Sec_4625_Med_LogonFail_WrongPW_PW-Guessing_Cnt.yml","EvtxFile": "../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx" }
\ No newline at end of file

@fukusuket fukusuket marked this pull request as ready for review October 14, 2024 10:33
@fukusuket fukusuket changed the title from "fix: output agg result string when all-fieldinfo profile" to "fix: output agg result string when all-field-info profile" Oct 14, 2024

codecov bot commented Oct 14, 2024

Codecov Report

Attention: Patch coverage is 16.66667% with 10 lines in your changes missing coverage. Please review.

Project coverage is 81.11%. Comparing base (f7398f6) to head (0b73701).
Report is 16 commits behind head on main.

Files with missing lines Patch % Lines
src/detections/message.rs 16.66% 10 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #1452      +/-   ##
==========================================
- Coverage   81.17%   81.11%   -0.07%     
==========================================
  Files          28       28              
  Lines       27013    27035      +22     
==========================================
+ Hits        21928    21929       +1     
- Misses       5085     5106      +21     


@YamatoSecurity
Collaborator

Thanks so much! Since it is adding clone usage, I'm going to take some memory benchmarks just in case to see if there is any significant increase in memory usage.

Collaborator

@YamatoSecurity YamatoSecurity left a comment


@fukusuket I checked the benchmarks, and it was actually a few seconds faster and went from 2.6 GB of memory to 2.5 GB, so LGTM! Thank you!

@YamatoSecurity YamatoSecurity merged commit 363de4b into main Oct 14, 2024
7 checks passed
@YamatoSecurity YamatoSecurity deleted the 1450-output-agg-reslut-when-profile-allfieldinfo branch October 14, 2024 22:23
Development

Successfully merging this pull request may close these issues.

Field information is not outputted when the profile is all-field-info