Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[bug] Nothing is detected when using the -J, --JSON-input option with the timeline command because of Channel filter #1343

Closed
fukusuket opened this issue May 8, 2024 · 4 comments · Fixed by #1345
Closed

[bug] Nothing is detected when using the -J, --JSON-input option with the timeline command because of Channel filter #1343

fukusuket opened this issue May 8, 2024 · 4 comments · Fixed by #1345
Assignees
@fukusuket
Labels
bug Something isn't working
Milestone
v2.16.0

Comments

@fukusuket
Copy link
Collaborator

fukusuket commented May 8, 2024
edited
Loading

Describe the bug
Nothing is detected when using the -J, --JSON-input option with the timeline command because of Channel filer #1334 :(
This issue occurs only in dev-2.16.0 version.

Step to Reproduce

  1. Download apt29_evals_day1_manual.zip and unzip.
  2. hayabusa csv-timeline -f ../apt29/apt29_evals_day1_manual_2020-05-01225525.json -J -w

Actual behavior
Nothing is detected.

Expected behavior
I expect the following behavior. It is necessary to consider which specifications to use.

  • Detect as in version 2.15.0 (disable Channel filter when -J, --JSON-input)
  • Indicate that -A, --enable-all-rules /-a, --scan-all-evtx-files option is required.
  • Just like evtx, get the Channel of the first record and filter based on it
    • Is it okay to assume that JSON has 1 channel in 1 file like evtx?

Environment

  • OS: macOS Sonoma 14.4.1
  • Hayabusa version 2.16.0-dev(Occurs only in the version currently under development)

Additional context
If you enable the -A, --enable-all-rules /-a, --scan-all-evtx-files option, it will be detected as in version 2.15.0.
@fukusuket fukusuket added the bug Something isn't working label May 8, 2024
@fukusuket fukusuket changed the title [bug] Nothing is detected when using the -J, --JSON-input option with the timeline command because of Channel filer [bug] Nothing is detected when using the -J, --JSON-input option with the timeline command because of Channel filter May 8, 2024
@fukusuket fukusuket added this to the v2.16.0 milestone May 8, 2024
@fukusuket
Copy link
Collaborator Author

@YamatoSecurity @hitenkoku
I'm thinking about which is the best expected behavior...🤔, what do you think? Personally, I think it might be better to indicate that -A, --enable-all-rules /-a, --scan-all-evtx-files option is required...? (or if you have any other ideas, please let me know🙏)

@YamatoSecurity
Copy link
Collaborator

@fukusuket I think that is a good idea. Since the JSON(L) files won't usually be separated by Channel like evtx files then I think we can solve this by just requiring -A and -a whenever -J is specified.

@fukusuket fukusuket self-assigned this May 8, 2024
@fukusuket
Copy link
Collaborator Author

@YamatoSecurity Thank you for comment! I'll Implement with the above specifications.

@fukusuket fukusuket mentioned this issue May 8, 2024
Closed
@YamatoSecurity
Copy link
Collaborator

Update: Since more options will usually confuse users, we should automatically disable the channel filter whenever the input is JSON, instead of EVTX

@fukusuket fukusuket mentioned this issue May 9, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@fukusuket fukusuket

Labels
bug Something isn't working
Projects
None yet
Milestone
v2.16.0
2 participants
@fukusuket @YamatoSecurity