
feat: Support cidr rule #961

Merged
merged 6 commits into from
Mar 16, 2023

Conversation

fukusuket

What Changed

Evidence

Environment

  • OS: macOS Monterey version 13.1
  • Hardware: MacBook Air (M1, 2020), Memory 8GB, 8 cores

Test

test.yml is as follows (no cidr match):

detection:
    selection:
        Channel: Security
        EventID: 4624
    condition: selection 

Then the SrcIP unique count is as follows:

./hayabusa json-timeline -d ./hayabusa-sample-evtx -r test.yml -o result.json
cat result.json | jq .Details.SrcIP | sort | uniq -c

 518 "-"
  10 "10.0.2.17"
  63 "10.23.123.11"
  99 "10.23.23.9"
   1 "10.23.42.18"
   5 "10.23.42.22"
   1 "10.23.42.30"
   6 "10.23.42.38"
  67 "127.0.0.1"
   3 "172.16.66.142"
   4 "172.16.66.19"
   2 "172.16.66.25"
   5 "172.16.66.37"
   1 "192.168.1.100"
   2 "192.168.1.2"
   1 "192.168.1.200"
   4 "192.168.1.219"
   1 "192.168.111.87"
   1 "192.168.20.11"
  38 "::1"
   4 "fe80::1cae:5aa4:9d8d:106a"
   6 "fe80::7191:d555:270f:4d0b"
   4 "fe80::79bf:8ee2:433c:2567"
   5 "fe80::e50e:b89e:4718:3aa"

test.yml is as follows (with cidr match):

detection:
    selection:
        Channel: Security
        EventID: 4624
    filter:
        IpAddress|cidr: 10.0.0.0/8
    condition: selection and filter

Then the SrcIP unique count is as follows:

./hayabusa json-timeline -d ./hayabusa-sample-evtx -r test.yml -o result.json
cat result.json | jq .Details.SrcIP | sort | uniq -c

  10 "10.0.2.17"
  63 "10.23.123.11"
  99 "10.23.23.9"
   1 "10.23.42.18"
   5 "10.23.42.22"
   1 "10.23.42.30"
   6 "10.23.42.38"

I confirm that the number of SrcIP matches before and after the cidr filter.

I would appreciate it if you could review 🙏

@fukusuket fukusuket self-assigned this Mar 15, 2023
@fukusuket fukusuket added the enhancement New feature or request label Mar 15, 2023
@fukusuket fukusuket added this to the v2.3.0 milestone Mar 15, 2023
@YamatoSecurity

@fukusuket Thanks so much!
Looks good. Just one bug. When the IpAddress field does not exist, hayabusa crashes.
Test rule:

title: Test CIDR
id: 259a9cdf-c4dd-4fa2-b243-2269e5ab18a4
status: experimental
description: 
references:
author: hoge
date: 2023/01/19
tags:
logsource:
    product: windows
    service: security
detection:
    selection:
        IpAddress|cidr:
            - 10.0.0.0/8
            - 172.16.0.0/12
            - 192.168.0.0/16
            - 224.0.0.0/4
            - 127.0.0.0/8
    condition: selection
level: medium

When I run ./target/release/hayabusa csv-timeline -d ../hayabusa-sample-evtx -r ../hayabusa-rules/hayabusa/test.yml I get the following error:

thread 'hayabusa-thread' panicked at 'called `Option::unwrap()` on a `None` value', src/detections/rule/matchers.rs:507:43
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
thread 'main' panicked at 'called `Result::unwrap()` on an `Err` value: JoinError::Panic(Id(5017), ...)', src/detections/detection.rs:167:41

If I change IpAddress|cidr to IpAddress, IpAddress|contains, etc., it does not crash.
Could you check this?
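To illustrate how a `|cidr` matcher can avoid the panic reported above when the field is absent from an event, here is an added example (not Hayabusa's code; the `Cidr` type and `cidr_matches` function are hypothetical) that implements prefix matching with only the standard library and treats a missing or non-IP field value, such as the "-" seen in the SrcIP listing from the PR description, as "no match". It covers both IPv4 and IPv6 ranges, so it also handles the fe80:: addresses in that listing.

```rust
use std::net::IpAddr;

/// One CIDR range such as "10.0.0.0/8" or "fe80::/10" (hypothetical type, not Hayabusa's).
#[derive(Debug, Clone)]
pub struct Cidr {
    net: IpAddr,
    prefix: u8,
}

impl Cidr {
    /// Parse "addr/len"; malformed input or an out-of-range prefix yields None, never a panic.
    pub fn parse(s: &str) -> Option<Cidr> {
        let (addr, len) = s.split_once('/')?;
        let net: IpAddr = addr.trim().parse().ok()?;
        let prefix: u8 = len.trim().parse().ok()?;
        let max = if net.is_ipv4() { 32 } else { 128 };
        if prefix > max { return None; }
        Some(Cidr { net, prefix })
    }

    /// True if `ip` lies in this range; an IPv4 value never matches an IPv6 range and vice versa.
    pub fn contains(&self, ip: IpAddr) -> bool {
        match (self.net, ip) {
            (IpAddr::V4(n), IpAddr::V4(a)) => {
                // Guard prefix 0: shifting a u32 by 32 would overflow.
                let mask = if self.prefix == 0 { 0 } else { u32::MAX << (32 - self.prefix) };
                (u32::from(n) & mask) == (u32::from(a) & mask)
            }
            (IpAddr::V6(n), IpAddr::V6(a)) => {
                let mask = if self.prefix == 0 { 0 } else { u128::MAX << (128 - self.prefix) };
                (u128::from(n) & mask) == (u128::from(a) & mask)
            }
            _ => false,
        }
    }
}

/// Evaluate `Field|cidr: [...]` for one event. `field_value` is None when the event has no
/// such field (the case that crashed the build under review): treat that, and values that
/// are not IP addresses such as "-", as "no match" instead of unwrapping.
pub fn cidr_matches(ranges: &[Cidr], field_value: Option<&str>) -> bool {
    let raw = match field_value { Some(v) => v, None => return false };
    let ip: IpAddr = match raw.trim().parse() { Ok(ip) => ip, Err(_) => return false };
    ranges.iter().any(|r| r.contains(ip))
}
```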

@codecov

codecov bot commented Mar 15, 2023

Codecov Report

Patch coverage: 93.67% and project coverage change: +0.15 🎉

Comparison is base (c9a165b) 75.08% compared to head (f024bb8) 75.24%.

Additional details and impacted files
@@            Coverage Diff             @@
##             main     #961      +/-   ##
==========================================
+ Coverage   75.08%   75.24%   +0.15%     
==========================================
  Files          24       24              
  Lines       16624    16719      +95     
==========================================
+ Hits        12482    12580      +98     
+ Misses       4142     4139       -3     
Impacted Files Coverage Δ
src/detections/rule/matchers.rs 96.43% <93.67%> (+0.26%) ⬆️

... and 1 file with indirect coverage changes



@hitenkoku hitenkoku left a comment

@fukusuket Thank you for the pull request.
Please check the following points that have been brought to our attention.

(Review comment on src/detections/rule/matchers.rs, outdated and resolved)


@hitenkoku hitenkoku left a comment


Please check the comments added about the test cases.

(Review comment on src/detections/rule/matchers.rs, resolved)


@YamatoSecurity YamatoSecurity left a comment


LGTM! Thank you!

@fukusuket

Thank you so much for the quick review and test :)
@hitenkoku I've fixed the parts you reviewed. I would appreciate it if you could check 🙇


@hitenkoku hitenkoku left a comment


Thanks. LGTM.

@YamatoSecurity YamatoSecurity merged commit e0e063e into main Mar 16, 2023
@fukusuket fukusuket deleted the 955-support-cidr-match branch March 16, 2023 22:39
Development

Successfully merging this pull request may close these issues.

Support |cidr