Result files are not the same when running csv(json)-timeline command multiple times #1466

Closed
fukusuket opened this issue Nov 1, 2024 · 7 comments · Fixed by #1467
Assignees
Labels
enhancement New feature or request

Comments

@fukusuket
Collaborator

fukusuket commented Nov 1, 2024

Describe the bug
Result files are not the same when running csv(json)-timeline command multiple times :(

Steps to Reproduce

  1. ./hayabusa-2.18.0-mac-aarch64 csv-timeline -d ../hayabusa-sample-evtx -w -1.csv
  2. ./hayabusa-2.18.0-mac-aarch64 csv-timeline -d ../hayabusa-sample-evtx -w -2.csv

Actual behavior
Result files are different each time.

Expected behavior
Result file is the same every time.

Environment

  • OS: macOS
  • hayabusa version: 2.18.0

Additional context
Same number of detections, just different sort order.

% wc -l 1.csv
   32215 1.csv
% wc -l 2.csv
   32215 2.csv
% diff 1.csv 2.csv
32213,32214c32213,32214
< "2019-05-01 04:27:02.847 +09:00","PW Spray","med","DESKTOP-JR78RLP","Sec",4648,"-","Count:41 ¦ TargetUserName:rbowes/wstrzelec/bgalbraith/psmith/jwright/melliott/edygert/dmashburn/jorchilles/bgreenwood/baker/dpendolino/eskoudis/bking/Administrator/lpesce/kperryman/jkulikowski/drook/cmoody/smisenar/zmathis/mtoussain/econrad/lschifano/cfleener/celgee/thessman/bhostetler/ssims/sarmstrong/mdouglas/cdavis/jleytevidal/jlake/tbennett/gsalinas/cspizor/cragoso/sanson/ebooth ¦ IpAddress:172.16.144.128","-"
< "2019-05-01 04:32:03.525 +09:00","PW Spray","med","DESKTOP-JR78RLP","Sec",4648,"-","Count:14 ¦ TargetUserName:baker/edygert/dmashburn/jorchilles/bgreenwood/bking/drook/smisenar/ssims/mdouglas/jlake/cspizor/cragoso/bgalbraith ¦ IpAddress:172.16.144.128","-"
---
> "2019-05-01 04:27:02.847 +09:00","PW Spray","med","DESKTOP-JR78RLP","Sec",4648,"-","Count:41 ¦ TargetUserName:cragoso/bking/kperryman/jwright/baker/bhostetler/cmoody/cfleener/lpesce/psmith/jkulikowski/drook/edygert/thessman/celgee/ebooth/econrad/mtoussain/cdavis/sarmstrong/wstrzelec/bgreenwood/dmashburn/ssims/jorchilles/Administrator/sanson/gsalinas/eskoudis/melliott/lschifano/jleytevidal/mdouglas/bgalbraith/zmathis/dpendolino/tbennett/rbowes/smisenar/jlake/cspizor ¦ IpAddress:172.16.144.128","-"
> "2019-05-01 04:32:03.525 +09:00","PW Spray","med","DESKTOP-JR78RLP","Sec",4648,"-","Count:14 ¦ TargetUserName:baker/drook/edygert/bgreenwood/dmashburn/ssims/jorchilles/mdouglas/bgalbraith/cspizor/smisenar/bking/jlake/cragoso ¦ IpAddress:172.16.144.128","-"
% diff 1.json 2.json
815105c815105
<         "TargetUserName": "kperryman/cmoody/jkulikowski/jorchilles/ssims/thessman/rbowes/sarmstrong/wstrzelec/edygert/drook/cragoso/gsalinas/mdouglas/bgreenwood/mtoussain/bhostetler/celgee/jwright/sanson/ebooth/smisenar/dpendolino/econrad/Administrator/zmathis/cspizor/eskoudis/lschifano/jlake/tbennett/bgalbraith/psmith/jleytevidal/baker/cfleener/melliott/dmashburn/bking/cdavis/lpesce",
---
>         "TargetUserName": "gsalinas/cmoody/lschifano/eskoudis/sarmstrong/edygert/thessman/jkulikowski/jleytevidal/bgreenwood/bking/celgee/tbennett/cspizor/bgalbraith/jwright/Administrator/mtoussain/melliott/baker/cfleener/lpesce/dmashburn/cragoso/sanson/ebooth/econrad/cdavis/zmathis/kperryman/rbowes/wstrzelec/ssims/psmith/smisenar/bhostetler/jlake/mdouglas/dpendolino/drook/jorchilles",
815120c815120
<         "TargetUserName": "ssims/jorchilles/cragoso/edygert/drook/mdouglas/bgreenwood/smisenar/cspizor/jlake/bgalbraith/baker/dmashburn/bking",
---
>         "TargetUserName": "edygert/bgreenwood/bking/cspizor/bgalbraith/baker/dmashburn/cragoso/ssims/smisenar/jlake/mdouglas/drook/jorchilles",

Until recently, there was no diff, so the library update may have changed the behavior? 🤔

@fukusuket fukusuket added the bug Something isn't working label Nov 1, 2024
@fukusuket
Collaborator Author

fukusuket commented Nov 2, 2024

The only difference seems to be the count rules.

@YamatoSecurity
Collaborator

I think this is because we are not sorting events anymore so the events that hayabusa sees (and outputs) are random each time. So that might be why the order of usernames is not the same. What do you think?
Are they the same when you add -s?

@fukusuket
Collaborator Author

@YamatoSecurity
Even if I add the sort option, the result will not be the same :(

% ./hayabusa-2.18.0-mac-aarch64 csv-timeline -d ../hayabusa-sample-evtx -w -o 1.csv -C -s
% ./hayabusa-2.18.0-mac-aarch64 csv-timeline -d ../hayabusa-sample-evtx -w -o 2.csv -C -s 
% diff 1.csv 2.csv
19850c19850
< "2019-05-01 04:27:02.847 +09:00","PW Spray","med","DESKTOP-JR78RLP","Sec",4648,"-","Count:41 ¦ TargetUserName:edygert/rbowes/cmoody/jkulikowski/econrad/sanson/tbennett/wstrzelec/kperryman/bking/mdouglas/bgreenwood/baker/jlake/ebooth/gsalinas/cspizor/cragoso/psmith/smisenar/Administrator/jwright/dpendolino/eskoudis/jorchilles/lpesce/drook/mtoussain/melliott/dmashburn/thessman/cfleener/ssims/jleytevidal/zmathis/celgee/cdavis/sarmstrong/bhostetler/lschifano/bgalbraith ¦ IpAddress:172.16.144.128","-"
---
> "2019-05-01 04:27:02.847 +09:00","PW Spray","med","DESKTOP-JR78RLP","Sec",4648,"-","Count:41 ¦ TargetUserName:ssims/kperryman/dmashburn/bking/bgreenwood/bhostetler/dpendolino/jwright/jorchilles/edygert/psmith/mtoussain/celgee/jkulikowski/bgalbraith/Administrator/eskoudis/cspizor/cmoody/cfleener/mdouglas/lschifano/drook/cdavis/zmathis/rbowes/tbennett/lpesce/gsalinas/thessman/ebooth/baker/sarmstrong/melliott/wstrzelec/econrad/smisenar/jlake/cragoso/sanson/jleytevidal ¦ IpAddress:172.16.144.128","-"
20131c20131
< "2019-05-01 04:32:03.525 +09:00","PW Spray","med","DESKTOP-JR78RLP","Sec",4648,"-","Count:14 ¦ TargetUserName:edygert/mdouglas/baker/bking/bgreenwood/jlake/cspizor/cragoso/drook/smisenar/jorchilles/dmashburn/ssims/bgalbraith ¦ IpAddress:172.16.144.128","-"
---
> "2019-05-01 04:32:03.525 +09:00","PW Spray","med","DESKTOP-JR78RLP","Sec",4648,"-","Count:14 ¦ TargetUserName:ssims/dmashburn/bking/bgreenwood/jorchilles/edygert/bgalbraith/cspizor/mdouglas/drook/baker/smisenar/jlake/cragoso ¦ IpAddress:172.16.144.128","-"

Yes, the default is not to sort by timestamp, but the expectation is that it will be the same every time, even without the -s option! (That was the behavior before the 2.18.0 release🤔)

@fukusuket
Collaborator Author

(It is not a bug since it is not a stated specification, but it is better to have no differences when testing)

@YamatoSecurity
Collaborator

@fukusuket I see. That is a good point. What about sorting the count results (TargetUserName, etc..) so that they are the same?
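The suggestion above (sort the aggregated values of a count rule so two runs over the same evtx set produce byte-identical rows) can be illustrated with a small standalone Rust program. This is an added example, not Hayabusa's own code or the fix in #1467: the Event struct, the field names and the sample events are constructed for illustration. The detail column mirrors the "Count:N ¦ TargetUserName:a/b/c ¦ IpAddress:..." layout seen in the diffs above. Distinct usernames are collected into a BTreeSet, and the groups themselves are sorted before rendering, so neither HashMap iteration order nor the order in which events were read can change the output.

```rust
// Added example (not Hayabusa's own code): deterministic rendering of a
// count-rule aggregation. Event shape and field names are assumptions.
use std::collections::{BTreeSet, HashMap};

/// One security event as a count rule would see it (constructed shape).
#[derive(Debug, Clone)]
pub struct Event {
    pub timestamp: &'static str,
    pub target_user_name: &'static str,
    pub ip_address: &'static str,
}

/// Aggregate events by (timestamp, IpAddress) and render one detail row
/// per group. Count is the number of events in the group; TargetUserName
/// lists the distinct usernames in sorted order so the row is stable.
pub fn count_rule_details(events: &[Event]) -> Vec<String> {
    // group key -> (event count, distinct usernames in sorted order)
    let mut groups: HashMap<(&str, &str), (usize, BTreeSet<&str>)> = HashMap::new();
    for e in events {
        let entry = groups
            .entry((e.timestamp, e.ip_address))
            .or_insert_with(|| (0, BTreeSet::new()));
        entry.0 += 1;
        entry.1.insert(e.target_user_name);
    }
    // HashMap iteration order is arbitrary, so sort the groups by key as well.
    let mut rows: Vec<_> = groups.into_iter().collect();
    rows.sort_by(|a, b| a.0.cmp(&b.0));
    rows.into_iter()
        .map(|((ts, ip), (count, users))| {
            let names: Vec<&str> = users.iter().copied().collect();
            format!(
                "{} Count:{} ¦ TargetUserName:{} ¦ IpAddress:{}",
                ts,
                count,
                names.join("/"),
                ip
            )
        })
        .collect()
}

/// Constructed sample: two groups, the first containing a repeated user so
/// Count (events) and the username list (distinct values) differ.
pub fn sample_events() -> Vec<Event> {
    let ip = "172.16.144.128";
    vec![
        Event { timestamp: "2019-05-01 04:27:02.847 +09:00", target_user_name: "drook", ip_address: ip },
        Event { timestamp: "2019-05-01 04:27:02.847 +09:00", target_user_name: "bking", ip_address: ip },
        Event { timestamp: "2019-05-01 04:27:02.847 +09:00", target_user_name: "baker", ip_address: ip },
        Event { timestamp: "2019-05-01 04:27:02.847 +09:00", target_user_name: "drook", ip_address: ip },
        Event { timestamp: "2019-05-01 04:32:03.525 +09:00", target_user_name: "ssims", ip_address: ip },
        Event { timestamp: "2019-05-01 04:32:03.525 +09:00", target_user_name: "jlake", ip_address: ip },
    ]
}

/// Feed the same events in two different orders and check the rows agree,
/// which is exactly the property the issue asks for.
pub fn shuffled_runs_agree() -> bool {
    let forward = sample_events();
    let mut reversed = forward.clone();
    reversed.reverse();
    count_rule_details(&forward) == count_rule_details(&reversed)
}

fn main() {
    for line in count_rule_details(&sample_events()) {
        println!("{line}");
    }
    println!("runs agree: {}", shuffled_runs_agree());
}
```

The same idea applies to any other aggregated field a count rule emits: collect into an ordered container (or sort once before joining) rather than joining whatever order the hash-based container hands back.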

@YamatoSecurity
Collaborator

You read my mind! 😆 #1467
💪

@fukusuket fukusuket changed the title [bug] Result files are not the same when running csv(json)-timeline command multiple times Result files are not the same when running csv(json)-timeline command multiple times Nov 2, 2024
@fukusuket fukusuket added enhancement New feature or request and removed bug Something isn't working labels Nov 2, 2024
@fukusuket
Collaborator Author

fukusuket commented Nov 2, 2024

Removed bug tags from issues (added enhancement tags instead), as without the -s option, the spec behavior is to not sort.
