
Improved speed to v2 #847

Merged
merged 24 commits into from
Dec 25, 2022

Conversation

hitenkoku (Collaborator) commented Dec 23, 2022

What Changed

  • removed unnecessary collect process to improve speed, from v2

Evidence

Analyzed evtx files with a total size of 6.1 GB

Before this PR (main)
>.\main.exe csv-timeline -d ..\all-evtx\ -o main.csv --debug -q

...

Start time: 2022/12/24 07:16

Analyzing event files: 1858
Total file size: 6.1 GB

Loading detections rules. Please wait.

Excluded rules: 15
Noisy rules: 7 (Disabled)

Experimental rules: 1951 (59.50%)
Stable rules: 218 (6.65%)
Test rules: 1110 (33.85%)

Hayabusa rules: 145
Sigma rules: 3134
Total enabled detection rules: 3279

1858 / 1858 [=============================================================================================================================================================================] 100.00 %

Analysis finished. Please wait while the results are being saved.

Rule Authors:

...

Results Summary:

Events with hits / Total events: 1,593,652 / 4,817,181 (Data reduction: 3,223,529 events (66.92%))

Total | Unique detections: 1,625,936 | 142
Total | Unique critical detections: 0 (0.00%) | 0 (0.00%)
Total | Unique high detections: 12,057 (0.74%) | 20 (14.08%)
Total | Unique medium detections: 9,955 (0.61%) | 34 (23.94%)
Total | Unique low detections: 1,053,425 (64.79%) | 38 (26.76%)
Total | Unique informational detections: 550,499 (33.86%) | 50 (35.21%)

Dates with most total detections:
critical: n/a, high: 2022-09-18 (4,441), medium: 2022-02-08 (4,793), low: 2022-09-18 (911,662), informational: 2022-03-02 (206,158)

Top 5 computers with most unique detections:
critical: n/a
high: evtx-PC (8), Agamemnon (8), DESKTOP-6D0DBMB (8), DESKTOP-A8CALR3 (6), WIN-FPV0DSIC9O6.sigma.fr (4)
medium: Agamemnon (21), DESKTOP-6D0DBMB (18), DESKTOP-A8CALR3 (16), evtx-PC (10), WIN-FPV0DSIC9O6 (9)
low: DESKTOP-6D0DBMB (22), Agamemnon (19), DESKTOP-A8CALR3 (15), evtx-PC (12), WIN-FPV0DSIC9O6.sigma.fr (10)
informational: DESKTOP-6D0DBMB (37), DESKTOP-A8CALR3 (36), WIN-TKC15D7KHUR (34), Agamemnon (31), WIN-FPV0DSIC9O6.sigma.fr (31)

╭────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ Top critical alerts:                        Top high alerts:                                               │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ n/a                                         File Creation Date Changed to Another Year (10,490)            │
│ n/a                                         Windows Shell File Write to Suspicious Folder (991)            │
│ n/a                                         DLL Load By System Process From Suspicious Locations (406)     │
│ n/a                                         Proc Exec (Non-Exe Filetype) (45)                              │
│ n/a                                         SysmonEnte Usage (33)                                          │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Top medium alerts:                          Top low alerts:                                                │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Raw Access Read (8,544)                     Proc Access (1,020,252)                                        │
│ Proc Injection (673)                        Possible Timestomping (31,784)                                 │
│ Process Ran With High Privilege (191)       Creation of an Executable by an Executable (411)               │
│ Use Short Name Path in Command Line (133)   Modified Rule in Windows Firewall with Advanced Security (254) │
│ Potentially Malicious PwSh (127)            Modification of IE Registry Settings (231)                     │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Top informational alerts:                                                                                  │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ File Created (422,037)                      Pipe Created (9,044)                                           │
│ File Deleted (53,696)                       Net Conn (8,755)                                               │
│ Proc Exec (18,780)                          DNS Query (5,108)                                              │
│ Pipe Conn (17,062)                          WMI Provider Started (681)                                     │
│ Proc Terminated (12,388)                    Suspicious Load of Advapi31.dll (420)                          │
╰───────────────────────────────────────────╌────────────────────────────────────────────────────────────────╯

Saved file: main.csv (574.7 MB)
Elapsed time: 00:07:34.361
Rule Parse Processing Time: 00:00:02.311
Analysis Processing Time: 00:07:20.648
Output Processing Time: 00:00:11.400

Memory usage stats:
heap stats:    peak      total      freed    current       unit      count
  reserved:    6.1 GiB    6.1 GiB   56.0 MiB    6.1 GiB                        not all freed!
 committed:    4.8 GiB    6.5 GiB    1.7 GiB    4.7 GiB                        not all freed!
     reset:      0          0          0          0                            ok
   touched:  128.5 KiB   28.2 MiB   54.3 GiB  -54.2 GiB                        ok
  segments:     19        226        220          6                            not all freed!
-abandoned:      0          0          0          0                            ok
   -cached:      0          0          0          0                            ok
     pages:      0          0      741.2 Ki  -741.2 Ki                         ok
-abandoned:      0          0          0          0                            ok
 -extended:      0
 -noretire:      0
     mmaps:      0
   commits:    2.0 Ki
   threads:     32         32          0         32                            not all freed!
  searches:     0.0 avg
numa nodes:       1
   elapsed:     454.364 s
   process: user: 3090.375 s, system: 74.203 s, faults: 1217953, rss: 4.5 GiB, commit: 4.8 GiB


This PR
>.\pr847.exe csv-timeline -d ..\all-evtx\ -o pr847.csv --debug -q
Start time: 2022/12/24 08:21

Analyzing event files: 1858
Total file size: 6.1 GB

Loading detections rules. Please wait.

Excluded rules: 15
Noisy rules: 7 (Disabled)

Experimental rules: 1951 (59.50%)
Stable rules: 218 (6.65%)
Test rules: 1110 (33.85%)

Hayabusa rules: 145
Sigma rules: 3134
Total enabled detection rules: 3279

1858 / 1858 [===============================================================================================] 100.00 %

Analysis finished. Please wait while the results are being saved.

Rule Authors:

...

Results Summary:

Events with hits / Total events: 1,593,652 / 4,817,181 (Data reduction: 3,223,529 events (66.92%))

Total | Unique detections: 1,625,936 | 142
Total | Unique critical detections: 0 (0.00%) | 0 (0.00%)
Total | Unique high detections: 12,057 (0.74%) | 20 (14.08%)
Total | Unique medium detections: 9,955 (0.61%) | 34 (23.94%)
Total | Unique low detections: 1,053,425 (64.79%) | 38 (26.76%)
Total | Unique informational detections: 550,499 (33.86%) | 50 (35.21%)

Dates with most total detections:
critical: n/a, high: 2022-09-18 (4,441), medium: 2022-02-08 (4,793), low: 2022-09-18 (911,662), informational: 2022-03-02 (206,158)

Top 5 computers with most unique detections:
critical: n/a
high: evtx-PC (8), Agamemnon (8), DESKTOP-6D0DBMB (8), DESKTOP-A8CALR3 (6), WIN-FPV0DSIC9O6.sigma.fr (4)
medium: Agamemnon (21), DESKTOP-6D0DBMB (18), DESKTOP-A8CALR3 (16), evtx-PC (10), WIN-FPV0DSIC9O6 (9)
low: DESKTOP-6D0DBMB (22), Agamemnon (19), DESKTOP-A8CALR3 (15), evtx-PC (12), WIN-FPV0DSIC9O6.sigma.fr (10)
informational: DESKTOP-6D0DBMB (37), DESKTOP-A8CALR3 (36), WIN-TKC15D7KHUR (34), Agamemnon (31), WIN-FPV0DSIC9O6.sigma.fr (31)

╭────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ Top critical alerts:                        Top high alerts:                                               │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ n/a                                         File Creation Date Changed to Another Year (10,490)            │
│ n/a                                         Windows Shell File Write to Suspicious Folder (991)            │
│ n/a                                         DLL Load By System Process From Suspicious Locations (406)     │
│ n/a                                         Proc Exec (Non-Exe Filetype) (45)                              │
│ n/a                                         SysmonEnte Usage (33)                                          │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Top medium alerts:                          Top low alerts:                                                │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Raw Access Read (8,544)                     Proc Access (1,020,252)                                        │
│ Proc Injection (673)                        Possible Timestomping (31,784)                                 │
│ Process Ran With High Privilege (191)       Creation of an Executable by an Executable (411)               │
│ Use Short Name Path in Command Line (133)   Modified Rule in Windows Firewall with Advanced Security (254) │
│ Potentially Malicious PwSh (127)            Modification of IE Registry Settings (231)                     │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Top informational alerts:                                                                                  │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ File Created (422,037)                      Pipe Created (9,044)                                           │
│ File Deleted (53,696)                       Net Conn (8,755)                                               │
│ Proc Exec (18,780)                          DNS Query (5,108)                                              │
│ Pipe Conn (17,062)                          WMI Provider Started (681)                                     │
│ Proc Terminated (12,388)                    Suspicious Load of Advapi31.dll (420)                          │
╰───────────────────────────────────────────╌────────────────────────────────────────────────────────────────╯

Saved file: pr847.csv (574.7 MB)
Elapsed time: 00:07:24.609
Rule Parse Processing Time: 00:00:01.827
Analysis Processing Time: 00:07:11.826
Output Processing Time: 00:00:10.954

Memory usage stats:
heap stats:    peak      total      freed    current       unit      count
  reserved:    6.1 GiB    6.1 GiB   56.0 MiB    6.1 GiB                        not all freed!
 committed:    4.7 GiB    6.5 GiB    1.8 GiB    4.7 GiB                        not all freed!
     reset:      0          0          0          0                            ok
   touched:  128.5 KiB   28.7 MiB   54.3 GiB  -54.2 GiB                        ok
  segments:     19        230        224          6                            not all freed!
-abandoned:      0          0          0          0                            ok
   -cached:      0          0          0          0                            ok
     pages:      0          0      741.2 Ki  -741.2 Ki                         ok
-abandoned:      0          0          0          0                            ok
 -extended:      0
 -noretire:      0
     mmaps:      0
   commits:    2.0 Ki
   threads:     32         32          0         32                            not all freed!
  searches:     0.0 avg
numa nodes:       1
   elapsed:     444.612 s
   process: user: 3083.781 s, system: 69.156 s, faults: 1256446, rss: 4.5 GiB, commit: 4.7 GiB
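
As an added illustration of the pattern the description refers to (this is not code from this PR or from Hayabusa): a detection-counting pipeline that materialises a `Vec` at every stage with `collect()`, beside the same pipeline written as one lazy iterator chain. `Event`, `Rule` and the sample records are constructed stand-ins for evtx records and detection rules.

```rust
// Added illustration, not Hayabusa's code: `Event` and `Rule` are simplified
// stand-ins for evtx records and detection rules.

#[derive(Clone, Debug)]
pub struct Event {
    pub channel: String,
    pub event_id: u32,
}

pub struct Rule {
    pub name: &'static str,
    pub channel: &'static str,
    pub event_id: u32,
}

/// Materialises a Vec at every stage: each `collect()` allocates a buffer
/// that the next stage immediately re-iterates, which is pure overhead.
pub fn count_hits_with_collect(events: &[Event], rules: &[Rule]) -> usize {
    let security: Vec<&Event> = events.iter().filter(|e| e.channel == "Security").collect();
    let matched: Vec<bool> = security
        .iter()
        .map(|e| rules.iter().any(|r| r.channel == e.channel && r.event_id == e.event_id))
        .collect();
    matched.into_iter().filter(|&m| m).count()
}

/// Same result as one fused lazy chain: no intermediate allocation.
pub fn count_hits_lazy(events: &[Event], rules: &[Rule]) -> usize {
    events
        .iter()
        .filter(|e| e.channel == "Security")
        .filter(|e| rules.iter().any(|r| r.channel == e.channel && r.event_id == e.event_id))
        .count()
}

/// Constructed sample input so the example runs stand-alone.
pub fn sample() -> (Vec<Event>, Vec<Rule>) {
    let ev = |c: &str, id| Event { channel: c.to_string(), event_id: id };
    let events = vec![ev("Security", 4624), ev("Security", 4688), ev("System", 7045), ev("Security", 4624), ev("Security", 1102)];
    let rules = vec![
        Rule { name: "Logon", channel: "Security", event_id: 4624 },
        Rule { name: "Log Cleared", channel: "Security", event_id: 1102 },
    ];
    (events, rules)
}

fn main() {
    let (events, rules) = sample();
    // Both functions count the same 3 hits; only the allocation pattern differs.
    println!("{} {}", count_hits_with_collect(&events, &rules), count_hits_lazy(&events, &rules));
}
```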


@hitenkoku hitenkoku self-assigned this Dec 23, 2022
@hitenkoku hitenkoku added the enhancement New feature or request label Dec 23, 2022
@hitenkoku hitenkoku marked this pull request as ready for review December 23, 2022 23:32
@hitenkoku hitenkoku changed the title To improve speed 656 Improved speed to v2 Dec 23, 2022
@YamatoSecurity (Collaborator)

@hitenkoku You've made quite an improvement! Thank you!
Since there are a lot of changes, I'd like to take my time verifying them. (I'm busy with the year-end study session, so it will probably be after the new year; there's no need to rush.)
Today I'd like to release v2 from the current main branch. ^^v

fukusuket (Collaborator) commented Dec 24, 2022

On an M1 Mac (8 GB memory, 8 cores) I also confirmed the following improvement (and that the output file sizes match) with the usual 6.1GB of evtx 💪
LGTM!! 🚀

Verification command

./hayabusa-main csv-timeline -d ../all-evtx -o o.csv -p super-verbose

1st run: 7 seconds faster

rev      time
2.0.0    Elapsed time: 00:10:03.001
3c931b7  Elapsed time: 00:09:56.566

2nd run: 11 seconds faster

rev      time
2.0.0    Elapsed time: 00:10:22.525
3c931b7  Elapsed time: 00:10:11.353

(I'm still looking for a way to take stable benchmarks on a Mac... So far I can't get them as stable as on Windows...)

@YamatoSecurity (Collaborator)

I thought the verification would take longer, but I was able to do it. LGTM! Let's merge.
For now I bumped the version to 2.0.1.

The benchmarks are as follows:

1.8.1: 00:08:02.760
1.9.0: 00:07:56.696
2.0.0: 00:09:10.591
2.0.1: 00:08:53.038

@YamatoSecurity YamatoSecurity (Collaborator) left a comment


LGTM!

@hitenkoku (Collaborator, Author)

Thank you. I'll go ahead and merge it then.

@hitenkoku hitenkoku merged commit 4709f1e into main Dec 25, 2022
@hitenkoku hitenkoku deleted the to_improve_speed_656 branch December 25, 2022 11:51