Fixed alert creation while importing rules + FSAuditEvent Image enric…

…hment
0xrawsec · Sep 28, 2021 · 63d7a08 · 63d7a08
1 parent 80cd862
commit 63d7a08
Show file tree

Hide file tree

Showing 5 changed files with 42 additions and 28 deletions.
diff --git a/event/event.go b/event/event.go
@@ -98,6 +98,22 @@ func (e *EdrEvent) GetBool(p engine.XPath) (b bool, ok bool) {
  return
 }
 
+// SetIfOr set value if cond == true
+func (e *EdrEvent) SetIf(p engine.XPath, value interface{}, cond bool) (err error) {
+ if cond {
+ return e.Set(p, value)
+ }
+ return nil
+}
+
+// SetIfOr set value if cond == true or other
+func (e *EdrEvent) SetIfOr(p engine.XPath, value interface{}, cond bool, other interface{}) (err error) {
+ if cond {
+ return e.Set(p, value)
+ }
+ return e.Set(p, other)
+}
+
 func (e *EdrEvent) Set(p engine.XPath, i interface{}) (err error) {
  switch {
  case p.StartsWith(eventDataPath):

diff --git a/hids/config.go b/hids/config.go
@@ -46,6 +46,12 @@ type RulesConfig struct {
  UpdateInterval time.Duration `toml:"update-interval" comment:"Update interval at which rules should be pulled from manager\n NB: only applies if a manager server is configured"`
 }
 
+func (c *RulesConfig) RulesPaths() (path, sha256Path string) {
+ path = filepath.Join(c.RulesDB, "database.gen")
+ sha256Path = fmt.Sprintf("%s.sha256", path)
+ return
+}
+
 // AuditConfig holds Windows audit configuration
 type AuditConfig struct {
  Enable bool `toml:"enable" comment:"Enable following Audit Policies or not"`

diff --git a/hids/hids.go b/hids/hids.go
@@ -286,7 +286,7 @@ func (h *HIDS) updateEngine(force bool) error {
 func (h *HIDS) needsRulesUpdate() bool {
  var err error
  var oldSha256, sha256 string
- _, rulesSha256Path := h.RulesPaths()
+ _, rulesSha256Path := h.config.RulesConfig.RulesPaths()
 
  if h.forwarder.Local {
  return false
@@ -338,7 +338,7 @@ func (h *HIDS) needsContainerUpdate(remoteCont string) bool {
 func (h *HIDS) fetchRulesFromManager() (err error) {
  var rules, sha256 string
 
- rulePath, sha256Path := h.RulesPaths()
+ rulePath, sha256Path := h.config.RulesConfig.RulesPaths()
 
  // if we are not connected to a manager we return
  if h.config.FwdConfig.Local {
@@ -858,11 +858,11 @@ func (h *HIDS) Report() (r Report) {
 }
 
 // RulesPaths returns the path used by WHIDS to save gene rules
-func (h *HIDS) RulesPaths() (path, sha256Path string) {
+/*func (h *HIDS) RulesPaths() (path, sha256Path string) {
  path = filepath.Join(h.config.RulesConfig.RulesDB, "database.gen")
  sha256Path = fmt.Sprintf("%s.sha256", path)
  return
-}
+}*/
 
 // Run starts the WHIDS engine and waits channel listening is stopped
 func (h *HIDS) Run() {

diff --git a/hids/hookdefs.go b/hids/hookdefs.go
@@ -451,18 +451,15 @@ func hookSelfGUID(h *HIDS, e *event.EdrEvent) {
 func hookFileSystemAudit(h *HIDS, e *event.EdrEvent) {
  e.Set(pathSysmonCommandLine, "?")
  e.Set(pathSysmonProcessGUID, nullGUID)
+ e.Set(pathSysmonImage, "?")
  e.Set(pathImageHashes, "?")
  if pid, ok := e.GetInt(pathFSAuditProcessId); ok {
  if pt := h.processTracker.GetByPID(pid); pt != nil {
- if pt.CommandLine != "" {
- e.Set(pathSysmonCommandLine, pt.CommandLine)
- }
- if pt.hashes != "" {
- e.Set(pathImageHashes, pt.hashes)
- }
- if pt.ProcessGUID != "" {
- e.Set(pathSysmonProcessGUID, pt.ProcessGUID)
- }
+
+ e.SetIf(pathSysmonImage, pt.Image, pt.Image != "")
+ e.SetIf(pathSysmonCommandLine, pt.CommandLine, pt.CommandLine != "")
+ e.SetIf(pathImageHashes, pt.hashes, pt.hashes != "")
+ e.SetIf(pathSysmonProcessGUID, pt.ProcessGUID, pt.ProcessGUID != "")
 
  if obj, ok := e.GetString(pathFSAuditObjectName); ok {
  if fsutil.IsFile(obj) {

diff --git a/tools/whids/main.go b/tools/whids/main.go
@@ -134,7 +134,6 @@ var (
  flagPrintAll bool
  flagDebug bool
  flagVersion bool
- flagService bool
  flagProfile bool
  flagRestore bool
  flagAutologger bool
@@ -367,7 +366,7 @@ func main() {
 
  hidsConf, err := hids.LoadsHIDSConfig(config)
  if err != nil {
- log.Abort(exitFail, fmt.Errorf("Failed to load configuration: %s", err))
+ log.Abort(exitFail, fmt.Sprintf("Failed to load configuration: %s", err))
  }
 
  if flagRestore {
@@ -380,32 +379,28 @@ func main() {
  // in order not to write logs into file
  // TODO: add a stream handler to log facility
  hidsConf.Logfile = ""
- hostIDS, err = hids.NewHIDS(&hidsConf)
- if err != nil {
- log.Abort(exitFail, fmt.Errorf("Failed create HIDS: %s", err))
- }
  log.Infof("Importing rules from %s", importRules)
- hostIDS.Engine = engine.NewEngine(false)
- hostIDS.Engine.SetDumpRaw(true)
+ eng := engine.NewEngine(false)
+ eng.SetDumpRaw(true)
 
- if err := hostIDS.Engine.LoadDirectory(importRules); err != nil {
- log.Abort(exitFail, fmt.Errorf("Failed to import rules: %s", err))
+ if err := eng.LoadDirectory(importRules); err != nil {
+ log.Abort(exitFail, fmt.Sprintf("Failed to import rules: %s", err))
  }
 
- prules, psha256 := hostIDS.RulesPaths()
+ prules, psha256 := hidsConf.RulesConfig.RulesPaths()
  rules := new(bytes.Buffer)
- for rule := range hostIDS.Engine.GetRawRule(".*") {
+ for rule := range eng.GetRawRule(".*") {
  if _, err := rules.Write([]byte(rule + "\n")); err != nil {
- log.Abort(exitFail, fmt.Errorf("Failed to import rules: %s", err))
+ log.Abort(exitFail, fmt.Sprintf("Failed to import rules: %s", err))
  }
  }
 
  if err := ioutil.WriteFile(prules, rules.Bytes(), utils.DefaultPerms); err != nil {
- log.Abort(exitFail, fmt.Errorf("Failed to import rules: %s", err))
+ log.Abort(exitFail, fmt.Sprintf("Failed to import rules: %s", err))
  }
 
  if err := ioutil.WriteFile(psha256, []byte(data.Sha256(rules.Bytes())), utils.DefaultPerms); err != nil {
- log.Abort(exitFail, fmt.Errorf("Failed to import rules: %s", err))
+ log.Abort(exitFail, fmt.Sprintf("Failed to import rules: %s", err))
  }
 
  log.Infof("IMPORT SUCCESSFUL: %s", prules)