Merge pull request #1522 from Yamato-Security/1512-extract-base64-cmd

feat: `extract-base64` cmd

.github/workflows/timeline-diff.yml

@@ -29,8 +29,8 @@ jobs:
       - name: Run on dev branch
         run: |
           cargo run --release -- update-rules -q
-          cargo run --release -- csv-timeline -t 1 -d ./hayabusa-sample-evtx -o dev.csv -p super-verbose -q -w -D -n -u -s
-          cargo run --release -- json-timeline -t 1 -d ./hayabusa-sample-evtx -o dev.jsonl -L -p super-verbose -q -w -D -n -u -s
+          cargo run --release -- csv-timeline -d ./hayabusa-sample-evtx -o dev.csv -p super-verbose -q -w -D -n -u -s
+          cargo run --release -- json-timeline -d ./hayabusa-sample-evtx -o dev.jsonl -L -p super-verbose -q -w -D -n -u -s
 
       - name: Run on dev branch(encoded_rules)
         run: |
@@ -41,8 +41,8 @@ jobs:
           curl -O https://raw.githubusercontent.com/Yamato-Security/hayabusa-encoded-rules/refs/heads/main/encoded_rules.yml
           curl -O https://raw.githubusercontent.com/Yamato-Security/hayabusa-encoded-rules/refs/heads/main/rules_config_files.txt
           ./hayabusa update-rules -q
-          ./hayabusa csv-timeline -t 1 -d ./hayabusa-sample-evtx -o dev-encoded.csv -p super-verbose -q -w -D -n -u -s
-          ./hayabusa json-timeline -t 1 -d ./hayabusa-sample-evtx -o dev-encoded.jsonl -L -p super-verbose -q -w -D -n -u -s
+          ./hayabusa csv-timeline -d ./hayabusa-sample-evtx -o dev-encoded.csv -p super-verbose -q -w -D -n -u -s
+          ./hayabusa json-timeline -d ./hayabusa-sample-evtx -o dev-encoded.jsonl -L -p super-verbose -q -w -D -n -u -s
           mv ../config ./
           mv ../rules ./
           mv encoded_rules.yml ../
@@ -52,8 +52,8 @@ jobs:
         run: |
           git checkout main
           cargo run --release -- update-rules -q
-          cargo run --release -- csv-timeline -t 1 -d ./hayabusa-sample-evtx -o main.csv -p super-verbose -q -w -D -n -u
-          cargo run --release -- json-timeline -t 1 -d ./hayabusa-sample-evtx -o main.jsonl -L -p super-verbose -q -w -D -n -u
+          cargo run --release -- csv-timeline -d ./hayabusa-sample-evtx -o main.csv -p super-verbose -q -w -D -n -u -s
+          cargo run --release -- json-timeline -d ./hayabusa-sample-evtx -o main.jsonl -L -p super-verbose -q -w -D -n -u -s
 
       - name: Run on main branch(encoded_rules)
         run: |
@@ -64,8 +64,8 @@ jobs:
           curl -O https://raw.githubusercontent.com/Yamato-Security/hayabusa-encoded-rules/refs/heads/main/rules_config_files.txt
           cp target/release/hayabusa .
           ./hayabusa update-rules -q
-          ./hayabusa csv-timeline -t 1 -d ./hayabusa-sample-evtx -o main-encoded.csv -p super-verbose -q -w -D -n -u
-          ./hayabusa json-timeline -t 1 -d ./hayabusa-sample-evtx -o main-encoded.jsonl -L -p super-verbose -q -w -D -n -u
+          ./hayabusa csv-timeline -d ./hayabusa-sample-evtx -o main-encoded.csv -p super-verbose -q -w -D -n -u -s
+          ./hayabusa json-timeline -d ./hayabusa-sample-evtx -o main-encoded.jsonl -L -p super-verbose -q -w -D -n -u -s
           rm -rf encoded_rules.yml rules_config_files.txt hayabusa
 
       - name: Check CSV Timeline diff

CHANGELOG-Japanese.md

@@ -2,6 +2,10 @@
 
 ## x.x.x [xxxx/xx/xx]
 
+**新機能:**
+
+Base64文字列を抽出して、デコードする`extract-base64`コマンドを追加した。(#1512) (@fukusuket)
+
 **バグ修正:**
 
 - レコードIDが出力されるとき、`csv-timeline`によるソートが完璧に行われなかった。 (#1519) (@fukusuket)

CHANGELOG.md

@@ -2,6 +2,10 @@
 
 ## x.x.x [xxxx/xx/xx]
 
+**New Features:**
+
+New `extract-base64` command to extract and decode base64 strings from events. (#1512) (@fukusuket)
+
 **Bug Fixes:**
 
 - Sorting with `csv-timeline` was not done perfectly when record IDs were outputted. (#1519) (@fukusuket)

Cargo.toml

@@ -29,6 +29,7 @@ hex = "0.4.*"
 horrorshow = "0.8.*"
 indexmap = "2.*"
 indicatif = "*"
+infer = "*"
 itertools = "*"
 krapslog = "0.6"
 lazy_static = "1.5.*"
@@ -52,6 +53,8 @@ ureq = "*"
 wildmatch = "2.*"
 yaml-rust2 = "0.9"
 rust-embed={version = "8.5.0", features = ["include-exclude", "debug-embed"]}
+encoding_rs = "0.8.35"
+walkdir = "2.5.0"
 
 [profile.dev]
 debug-assertions = false