

Merge pull request #1495 from Yamato-Security/1494-log-metrics-invali…
…d-timestamp

fix: invalid first/last timestamp in `log-metrics` command
YamatoSecurity authored Nov 13, 2024
2 parents 899851a + 726038d commit c7d0a7d
Showing 2 changed files with 59 additions and 12 deletions.
67 changes: 57 additions & 10 deletions src/timeline/log_metrics.rs
@@ -1,7 +1,8 @@
use crate::detections::configs::StoredStatic;
use crate::detections::detection::EvtxRecordInfo;
use crate::detections::message::{AlertMessage, ERROR_LOG_STACK};
use crate::detections::utils;
use chrono::{DateTime, Utc};
use chrono::{DateTime, NaiveDateTime, Utc};
use std::collections::HashSet;

#[derive(Default, Debug, Clone)]
Expand All @@ -22,14 +23,62 @@ impl LogMetrics {
..Default::default()
}
}
pub fn update(
&mut self,
records: &[EvtxRecordInfo],
stored_static: &StoredStatic,
start_time: Option<DateTime<Utc>>,
end_time: Option<DateTime<Utc>>,
) {
pub fn update(&mut self, records: &[EvtxRecordInfo], stored_static: &StoredStatic) {
for record in records {
if let Some(evttime) = utils::get_event_value(
"Event.System.TimeCreated_attributes.SystemTime",
&record.record,
&stored_static.eventkey_alias,
)
.map(|evt_value| evt_value.to_string().replace("\\\"", "").replace('"', ""))
{
let timestamp =
match NaiveDateTime::parse_from_str(evttime.as_str(), "%Y-%m-%dT%H:%M:%S%.3fZ")
{
Ok(without_timezone_datetime) => {
Some(DateTime::<Utc>::from_naive_utc_and_offset(
without_timezone_datetime,
Utc,
))
}
Err(_) => {
match NaiveDateTime::parse_from_str(
evttime.as_str(),
"%Y-%m-%dT%H:%M:%S%.3f%:z",
) {
Ok(splunk_json_datetime) => {
Some(DateTime::<Utc>::from_naive_utc_and_offset(
splunk_json_datetime,
Utc,
))
}
Err(e) => {
let errmsg = format!(
"Timestamp parse error.\nInput: {evttime}\nError: {e}\n"
);
if stored_static.verbose_flag {
AlertMessage::alert(&errmsg).ok();
}
if !stored_static.quiet_errors_flag {
ERROR_LOG_STACK
.lock()
.unwrap()
.push(format!("[ERROR] {errmsg}"));
}
None
}
}
}
};
if let Some(timestamp) = timestamp {
if self.first_timestamp.is_none() || timestamp < self.first_timestamp.unwrap() {
self.first_timestamp = Some(timestamp);
}
if self.last_timestamp.is_none() || timestamp > self.last_timestamp.unwrap() {
self.last_timestamp = Some(timestamp);
}
}
}
if let Some(computer) =
utils::get_event_value("Computer", &record.record, &stored_static.eventkey_alias)
{
Expand All @@ -52,7 +101,5 @@ impl LogMetrics {
}
self.event_count += 1;
}
self.first_timestamp = start_time;
self.last_timestamp = end_time;
}
}
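Review bot: The Splunk-JSON fallback `NaiveDateTime::parse_from_str(evttime.as_str(), "%Y-%m-%dT%H:%M:%S%.3f%:z")` matches the `%:z` offset but does not apply it, because NaiveDateTime ignores the offset while parsing and the value is then wrapped by `from_naive_utc_and_offset(.., Utc)` as though it were already UTC, so a record stamped `+09:00` is placed nine hours away from its true instant (if I read chrono's contract correctly). The offset-aware type keeps the shift: `match DateTime::parse_from_str(evttime.as_str(), "%Y-%m-%dT%H:%M:%S%.3f%:z")` with `Ok(dt) => Some(dt.with_timezone(&Utc))`. The min/max update a few lines further down, `self.first_timestamp.is_none() || timestamp < self.first_timestamp.unwrap()`, reads better and avoids the unwrap as `self.first_timestamp.map_or(true, |t| timestamp < t)`, and likewise for `last_timestamp`. The body of `update` continues past the end of this hunk.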
4 changes: 2 additions & 2 deletions src/timeline/metrics.rs
Expand Up @@ -113,10 +113,10 @@ impl EventMetrics {
.trim_matches('"'),
)
}) {
existing_lm.update(records, stored_static, self.start_time, self.end_time);
existing_lm.update(records, stored_static);
} else {
let mut lm = LogMetrics::new(filename);
lm.update(records, stored_static, self.start_time, self.end_time);
lm.update(records, stored_static);
self.stats_logfile.push(lm);
}
}
