
enabled recover record option in hayabusa-evtx crate #952 #1147

Merged
merged 13 commits into from
Aug 7, 2023

Conversation

hitenkoku
Collaborator

@hitenkoku hitenkoku commented Jul 30, 2023

What Changed

  • enabled recover record option in hayabusa-evtx crate

Evidence

#952 (comment)

@hitenkoku hitenkoku added the enhancement New feature or request label Jul 30, 2023
@hitenkoku hitenkoku self-assigned this Jul 30, 2023
@hitenkoku hitenkoku linked an issue Jul 30, 2023 that may be closed by this pull request
@YamatoSecurity
Collaborator

@hitenkoku Thanks!
When running on a directory of files I get the following error:

thread 'hayabusa-thread' panicked at 'called `Option::unwrap()` on a `None` value', src/detections/rule/selectionnodes.rs:453:36
thread 'hayabusa-thread' panicked at 'called `Option::unwrap()` on a `None` value', src/detections/rule/selectionnodes.rs:453:36
thread 'hayabusa-thread' panicked at 'called `Option::unwrap()` on a `None` value', src/detections/rule/selectionnodes.rs:453:36
thread 'hayabusa-thread' panicked at 'called `Option::unwrap()` on a `None` value', src/detections/rule/selectionnodes.rs:453:36
thread 'hayabusa-thread' panicked at 'called `Option::unwrap()` on a `None` value', src/detections/rule/selectionnodes.rs:453:36
thread 'hayabusa-thread' panicked at 'called `Option::unwrap()` on a `None` value', src/detections/rule/selectionnodes.rs:453:36

@hitenkoku
Collaborator Author

@YamatoSecurity Thanks for your comment.

I fixed error in 95af61b.

Would you check it?

@codecov

codecov bot commented Jul 30, 2023

Codecov Report

Patch coverage: 56.06% and project coverage change: -0.13% ⚠️

Comparison is base (a160864) 83.17% compared to head (a1a1e48) 83.04%.
Report is 26 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #1147      +/-   ##
==========================================
- Coverage   83.17%   83.04%   -0.13%     
==========================================
  Files          26       26              
  Lines       22618    22728     +110     
==========================================
+ Hits        18812    18874      +62     
- Misses       3806     3854      +48     
Files Changed                              Coverage   Patch      Δ
src/afterfact.rs                           74.67%     <38.59%>   (-0.62%) ⬇️
src/main.rs                                68.31%     <48.64%>   (-0.13%) ⬇️
src/detections/configs.rs                  66.64%     <66.66%>   (+<0.01%) ⬆️
src/detections/detection.rs                75.63%     <100.00%>  (+0.06%) ⬆️
src/detections/rule/condition_parser.rs    96.99%     <100.00%>  (+<0.01%) ⬆️
src/detections/rule/count.rs               93.60%     <100.00%>  (+<0.01%) ⬆️
src/detections/rule/matchers.rs            97.08%     <100.00%>  (+<0.01%) ⬆️
src/detections/rule/mod.rs                 94.73%     <100.00%>  (+<0.01%) ⬆️
src/detections/rule/selectionnodes.rs      92.28%     <100.00%>  (+0.01%) ⬆️
src/detections/utils.rs                    92.39%     <100.00%>  (+<0.01%) ⬆️
... and 6 more


@hitenkoku hitenkoku marked this pull request as ready for review August 5, 2023 12:14
@hitenkoku hitenkoku added this to the v2.8.0 milestone Aug 5, 2023
@YamatoSecurity
Collaborator

@hitenkoku Thanks! I updated the hayabusa-evtx crate and added a short option -x.
The previous error we had was fixed but now I get this error:

thread 'main' panicked at 'called `Result::unwrap()` on an `Err` value: DeserializationError(InvalidEvtxRecordHeaderMagic { magic: [0, 0, 0, 0] })', src/main.rs:1165:43

Could you check this?

@YamatoSecurity
Collaborator

By the way, I am not using the --recover-records option when this error happens...
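
The panic quoted above comes from unwrapping a record `Result` whose error is `InvalidEvtxRecordHeaderMagic { magic: [0, 0, 0, 0] }`. The following is an added example, not code from hayabusa or the hayabusa-evtx crate: a small scanner over the record area of one EVTX chunk that shows where an all-zero magic typically comes from (the zero-filled slack after the last record in a chunk, an assumption about the on-disk layout) and how a caller can collect per-record parse errors, optionally resynchronising on the next record magic, instead of panicking on the first one. The record layout (magic `**\0\0`, u32 size, u64 record id, u64 timestamp, payload, trailing size copy) is a simplification, the chunk bytes are constructed by hand, and the "lenient" resync is this example's own notion of recovery, not necessarily what the crate's option does.

```rust
use std::convert::TryInto;

// Simplified EVTX record layout (assumption for this example).
const RECORD_MAGIC: [u8; 4] = *b"**\x00\x00";
const HEADER_LEN: usize = 24; // magic + size + record id + timestamp
const MIN_RECORD_LEN: usize = HEADER_LEN + 4; // plus trailing size copy

#[derive(Debug, PartialEq)]
pub enum ParseError {
    InvalidEvtxRecordHeaderMagic { magic: [u8; 4] },
    Truncated { offset: usize },
    SizeMismatch { offset: usize },
}

#[derive(Debug, PartialEq)]
pub struct Record {
    pub id: u64,
    pub payload: Vec<u8>,
}

fn u32_at(buf: &[u8], off: usize) -> u32 {
    u32::from_le_bytes(buf[off..off + 4].try_into().unwrap())
}

fn u64_at(buf: &[u8], off: usize) -> u64 {
    u64::from_le_bytes(buf[off..off + 8].try_into().unwrap())
}

/// Parse the record at `off`. With `stop_at_slack`, an all-zero magic means
/// "end of used space" and yields Ok(None); without it, the zero magic is an
/// error, which is the strict behaviour behind a magic: [0, 0, 0, 0] report.
pub fn parse_record(buf: &[u8], off: usize, stop_at_slack: bool)
    -> Result<Option<(Record, usize)>, ParseError>
{
    if off + HEADER_LEN > buf.len() {
        return Err(ParseError::Truncated { offset: off });
    }
    let magic: [u8; 4] = buf[off..off + 4].try_into().unwrap();
    if magic == [0; 4] && stop_at_slack {
        return Ok(None);
    }
    if magic != RECORD_MAGIC {
        return Err(ParseError::InvalidEvtxRecordHeaderMagic { magic });
    }
    let size = u32_at(buf, off + 4) as usize;
    if size < MIN_RECORD_LEN || off + size > buf.len() {
        return Err(ParseError::Truncated { offset: off });
    }
    // The trailing size copy must agree with the header, or the record is damaged.
    if u32_at(buf, off + size - 4) as usize != size {
        return Err(ParseError::SizeMismatch { offset: off });
    }
    let rec = Record {
        id: u64_at(buf, off + 8),
        payload: buf[off + HEADER_LEN..off + size - 4].to_vec(),
    };
    Ok(Some((rec, off + size)))
}

/// Walk the chunk. Strict mode stops at the first error; lenient mode keeps
/// the error and resynchronises on the next record magic.
pub fn scan_records(buf: &[u8], lenient: bool) -> (Vec<Record>, Vec<ParseError>) {
    let (mut records, mut errors) = (Vec::new(), Vec::new());
    let mut off = 0;
    while off < buf.len() {
        match parse_record(buf, off, true) {
            Ok(None) => break, // reached zero-filled slack
            Ok(Some((rec, next))) => { records.push(rec); off = next; }
            Err(e) => {
                errors.push(e);
                if !lenient { break; }
                match buf[off + 1..].windows(4).position(|w| w == RECORD_MAGIC) {
                    Some(p) => off = off + 1 + p,
                    None => break,
                }
            }
        }
    }
    (records, errors)
}

/// Build one well-formed record (constructed test data).
pub fn make_record(id: u64, payload: &[u8]) -> Vec<u8> {
    let size = (MIN_RECORD_LEN + payload.len()) as u32;
    let mut v = Vec::new();
    v.extend_from_slice(&RECORD_MAGIC);
    v.extend_from_slice(&size.to_le_bytes());
    v.extend_from_slice(&id.to_le_bytes());
    v.extend_from_slice(&0u64.to_le_bytes()); // timestamp, unused here
    v.extend_from_slice(payload);
    v.extend_from_slice(&size.to_le_bytes());
    v
}

/// Constructed chunk: a good record, one whose magic was clobbered,
/// another good record, then 64 bytes of zero-filled slack.
pub fn sample_chunk() -> Vec<u8> {
    let mut chunk = make_record(1, b"<Event>one</Event>");
    let mut bad = make_record(2, b"<Event>two</Event>");
    bad[..4].copy_from_slice(b"XXXX");
    chunk.extend(bad);
    chunk.extend(make_record(3, b"<Event>three</Event>"));
    chunk.extend(std::iter::repeat(0u8).take(64));
    chunk
}

fn main() {
    let chunk = sample_chunk();
    for lenient in [false, true] {
        let (recs, errs) = scan_records(&chunk, lenient);
        println!("lenient={lenient}: {} records, errors: {:?}", recs.len(), errs);
    }
}
```

Strict scanning returns record 1 and the clobbered-magic error; lenient scanning additionally returns record 3 after resyncing, and neither mode reports the trailing zeros because the loop treats an all-zero magic as end of data. Calling `parse_record` on the slack offset with `stop_at_slack = false` reproduces the `magic: [0, 0, 0, 0]` error, which is the case a caller should handle rather than `unwrap()`.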

Collaborator

@YamatoSecurity YamatoSecurity left a comment


@hitenkoku Things are working well for me now. Thank you!
@fukusuket Just in case, could you check this as well?

Collaborator

@fukusuket fukusuket left a comment


I have verified that there is no difference in the results (hayabusa-sample-evtx) below! LGTM!!🚀

  • 2.7.0 : csv-timeline(json-timeline) -p super-verbose
  • This PR: csv-timeline(json-timeline) -p super-verbose
  • This PR: csv-timeline(json-timeline) -x -p super-verbose

@hitenkoku hitenkoku merged commit 5afd1d4 into main Aug 7, 2023
9 of 11 checks passed
@hitenkoku hitenkoku deleted the 952-test-on-whether-to-add-recover-records-option branch October 23, 2023 01:27
Labels
enhancement New feature or request
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Add -x, --recover-records option
3 participants