Merge pull request #1336 from Yamato-Security/1335-allow-d-to-be-spec…

…ified-multiple-times feat: adjusted multiple directory option #1335
Yamato-Security · May 2, 2024 · 48fa7e0 · 48fa7e0
2 parents d578a89 + afe753e
commit 48fa7e0
Show file tree

Hide file tree

Showing 6 changed files with 27 additions and 13 deletions.
diff --git a/CHANGELOG-Japanese.md b/CHANGELOG-Japanese.md
@@ -10,6 +10,10 @@
     - [Mimikatz Use](https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_alert_mimikatz_keywords.yml)
 - デフォルトでは、適用可能なルールを持つ`.evtx`ファイルのみ読み込む。たとえば、さまざまなイベントログのディレクトリをスキャンしている場合でも、 `Channel: Security` を探すルールのみを有効にした場合、Hayabusaは`Security`以外のすべてのイベントログを無視します。ベンチマークでは、通常のスキャンで約10％、単一のルールでスキャンする場合は最大60％以上のパフォーマンス向上が得られる。チャネルに関係なくすべての`.evtx`ファイルを読み込みたい場合は、`csv-timeline` と `json-timeline` の `-a、--scan-all-evtx-files` オプションでこのフィルタリングをオフにすることができる。(#1318) (@fukusuket)
 
+**改善:**
+
+- `-d, --directory`オプションで複数のフォルダを指定できるようにした。 (#1335) (@hitenkoku)
+
 ## 2.15.0 [2024/04/20] "Sonic Release"
 
 **改善:**

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -10,6 +10,10 @@
     - [Mimikatz Use](https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_alert_mimikatz_keywords.yml)
 - By default now, `.evtx` files that have applicable rules will be loaded. So for example, if you are scanning a directory of various event logs but only enable a rule that is looking for `Channel: Security` then Hayabusa will ignore all non-security event logs. In our benchmarks, this gives a speed benefit of around 10% with normal scans and up to 60%+ performance increase when scanning with a single rule. If you want to load all `.evtx` files regardless of channel, then you can turn off this filtering with the `-a, --scan-all-evtx-files` option in `csv-timeline` and `json-timeline`. (#1318) (@fukusuket)
 
+**Enhancements:**
+
+- You can now specify multiple directories with the `-d, --directory` option. (#1335) (@hitenkoku)
+
 ## 2.15.0 [2024/04/20] "Sonic Release"
 
 **Enhancements:**

diff --git a/src/afterfact.rs b/src/afterfact.rs
@@ -380,7 +380,9 @@ fn emit_csv_inner(
                 remove_duplicate_data,
             );
             afterfact_info.prev_message = result.1;
-            afterfact_info.prev_details_convert_map = detect_info.details_convert_map.clone();
+            afterfact_info
+                .prev_details_convert_map
+                .clone_from(&detect_info.details_convert_map);
             if afterfact_writer.display_flag {
                 write_color_buffer(
                     &afterfact_writer.disp_wtr,
@@ -404,7 +406,9 @@ fn emit_csv_inner(
                 remove_duplicate_data,
             );
             afterfact_info.prev_message = result.1;
-            afterfact_info.prev_details_convert_map = detect_info.details_convert_map.clone();
+            afterfact_info
+                .prev_details_convert_map
+                .clone_from(&detect_info.details_convert_map);
             if afterfact_writer.display_flag {
                 write_color_buffer(
                     &afterfact_writer.disp_wtr,
@@ -1806,7 +1810,7 @@ pub fn output_json_str(
             }
         }
     } else {
-        target_ext_field = detect_info.ext_field.to_owned();
+        target_ext_field.clone_from(&detect_info.ext_field);
     }
     let key_add_to_details = [
         "SrcASN",

diff --git a/src/detections/configs.rs b/src/detections/configs.rs
@@ -1607,7 +1607,7 @@ pub struct CommonOptions {
 pub struct InputOption {
     /// Directory of multiple .evtx files
     #[arg(help_heading = Some("Input"), short = 'd', long, value_name = "DIR", conflicts_with_all = ["filepath", "live_analysis"], display_order = 300)]
-    pub directory: Option<PathBuf>,
+    pub directory: Option<Vec<PathBuf>>,
 
     /// File path to one .evtx file
     #[arg(help_heading = Some("Input"), short = 'f', long = "file", value_name = "FILE", conflicts_with_all = ["directory", "live_analysis"], display_order = 320)]

diff --git a/src/detections/utils.rs b/src/detections/utils.rs
@@ -332,10 +332,10 @@ pub fn create_rec_info(
 
         if !*no_pwsh_field_extraction {
             if key == "EventID" {
-                event_id = val.clone();
+                event_id.clone_from(&val);
             }
             if key == "Channel" {
-                channel = val.clone();
+                channel.clone_from(&val);
             }
         }
         key_2_values.insert(key.to_string(), val.unwrap());

diff --git a/src/main.rs b/src/main.rs
@@ -53,7 +53,6 @@ use std::path::Path;
 use std::ptr::null_mut;
 use std::sync::Arc;
 use std::time::Duration;
-use std::u128;
 use std::{
     env,
     fs::{self, File},
@@ -784,18 +783,21 @@ impl App {
                 time_filter,
                 stored_static.borrow_mut(),
             );
-        } else if let Some(directory) = &stored_static
+        } else if let Some(directories) = &stored_static
             .output_option
             .as_ref()
             .unwrap()
             .input_args
             .directory
         {
-            let evtx_files = Self::collect_evtxfiles(
-                directory.as_os_str().to_str().unwrap(),
-                target_extensions,
-                stored_static,
-            );
+            let mut evtx_files = Vec::new();
+            for directory in directories {
+                evtx_files.extend(Self::collect_evtxfiles(
+                    directory.as_os_str().to_str().unwrap(),
+                    target_extensions,
+                    stored_static,
+                ));
+            }
             if evtx_files.is_empty() {
                 AlertMessage::alert("No .evtx files were found.").ok();
                 return;