
fix: remove check for .git folder in YAML file processing#1729

Closed
fukusuket wants to merge 1 commit into main from 1727-fix-r-option-ignore-git

Conversation

@fukusuket
Collaborator

@fukusuket fukusuket commented Dec 15, 2025

What Changed

Evidence

Integration-Test

I’d appreciate it if you could check it when you have time🙏

@fukusuket fukusuket requested a review from Copilot December 15, 2025 10:46
@fukusuket fukusuket self-assigned this Dec 15, 2025
@fukusuket fukusuket added the bug Something isn't working label Dec 15, 2025
@fukusuket
Collaborator Author

After fix

./target/release/hayabusa json-timeline -c ~/.git/hayabusa/rules/config -r ~/.git/hayabusa/rules/ -d ~/YamatoSecurity/data/windows/hayabusa-sample-evtx-main -w -o timeline.json

┏┓ ┏┳━━━┳┓  ┏┳━━━┳━━┓┏┓ ┏┳━━━┳━━━┓
┃┃ ┃┃┏━┓┃┗┓┏┛┃┏━┓┃┏┓┃┃┃ ┃┃┏━┓┃┏━┓┃
┃┗━┛┃┃ ┃┣┓┗┛┏┫┃ ┃┃┗┛┗┫┃ ┃┃┗━━┫┃ ┃┃
┃┏━┓┃┗━┛┃┗┓┏┛┃┗━┛┃┏━┓┃┃ ┃┣━━┓┃┗━┛┃
┃┃ ┃┃┏━┓┃ ┃┃ ┃┏━┓┃┗━┛┃┗━┛┃┗━┛┃┏━┓┃
┗┛ ┗┻┛ ┗┛ ┗┛ ┗┛ ┗┻━━━┻━━━┻━━━┻┛ ┗┛
   by Yamato Security

Getting 80% of the work done in 20% of the time~

Start time: 2025/12/15 19:47
Total event log files: 598
Total file size: 132.7 MiB

Loading detection rules. Please wait.

Excluded rules: 26
Noisy rules: 12 (Disabled)

Deprecated rules: 225 (4.99%) (Disabled)
Experimental rules: 219 (4.86%)
Stable rules: 244 (5.42%)
Test rules: 4,042 (89.72%)
Unsupported rules: 42 (0.93%) (Disabled)

Correlation rules: 3 (0.07%)
Correlation referenced rules: 3 (0.07%)

Expand rules: 10 (0.22%)
Enabled expand rules: 0 (0.00%)

Hayabusa rules: 181
Sigma rules: 4,324
Total detection rules: 4,505

Creating the channel filter. Please wait.

Evtx files loaded after channel filter: 585
Detection rules enabled after channel filter: 4,427

Output profile: standard

Scanning in progress. Please wait.

[00:00:05] 585 / 585   [========================================] 100%

Scanning finished. Please wait while the results are being saved.
Rule Authors:

╭─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ Florian Roth (175)                Nasreddine Bencherchali (121)     Zach Mathis (112)                  oscd.community (105)             │
│ frack113 (89)                     Tim Shelton (33)                  Daniil Yugoslavskiy (23)           Swachchhanda Shrawan Poudel (22) │
│ Jonhnathan Ribeiro (21)           Thomas Patzke (20)                Teymur Kheirkhabarov (20)          Christian Burkard (17)           │
│ Markus Neis (17)                  Timur Zinniatullin (14)           Roberto Rodriguez @Cyb3r... (14)   Tim Rauch (12)                   │
│ E.M. Anhaus (12)                  Elastic (12)                      Samir Bousseaden (11)              Roberto Rodriguez (11)           │
│ Michael Haag (11)                 Victor Sergeev (8)                Endgame) (7)                       Natalia Shornikova (7)           │
│ OTR (7)                           Ecco (6)                          David ANDRE (6)                    X__Junior (6)                    │
│ omkar72 (5)                       Endgame (5)                       Sander Wiebing (5)                 Arnim Rupp (5)                   │
│ JHasenbusch (5)                   Fukusuke Takahashi (4)            @neu5ron (4)                       Tobias Michalski (4)             │
│ Gleb Sukhodolskiy (4)             Max Altgelt (4)                   Andreas Hunkeler (4)               pH-T (3)                         │
│ Christopher Peacock @sec... (3)   Janantha Marasinghe (3)           wagga (3)                          FPT.EagleEye Team (3)            │
│ Wojciech Lesicki (3)              elhoim (3)                        Nikita Nazarov (3)                 @twjackomo (3)                   │
│ Eric Conrad (3)                   Yusuke Matsui (3)                 juju4 (3)                          Ilyas Ochkov (3)                 │
│ Anton Kutepov (3)                 Hieu Tran (3)                     FPT.EagleEye (3)                   Vasiliy Burov (3)                │
│ Daniel Bohannon (3)               Tony Lambert (2)                  Sean Metcalf (2)                   Mark Woan (2)                    │
│ Aleksey Potapov (2)               Justin C. (2)                     Chakib Gzenayi (2)                 Jakob Weinzettl (2)              │
│ Relativity (2)                    Zach Stanford @svch0st (2)        @2xxeformyshirt (2)                @dreadphones (2)                 │
│ Dimitrios Slamaris (2)            Oleg Kolesnikov @securon... (2)   Nik Seetharaman (2)                Bartlomiej Czyz (2)              │
│ Romaissa Adjailia (2)             Vadim Khrykov (2)                 Perez Diego (2)                    James Pemberton@4A616D65... (2)  │
│ Karneades (2)                     Tony Lambert) (2)                 D3F7A5105 (2)                      SOC Prime (2)                    │
│ keepwatch (2)                     Tom Ueltschi (2)                  Cyb3rEng (2)                       SCYTHE @scythe_io (2)            │
│ Yassine Oukessou (2)              Austin Songer @austinsonger (2)   Hosni Mribah (2)                   James Pemberton@4A616D6573 (2)   │
│ Mark Russinovich (2)              Modexp (2)                        Sreeman (2)                        @SBousseaden (2)                 │
│ Darkrael (2)                      Jordan Lloyd (2)                  Alexandr Yampolskyi (2)            Tom Kern (1)                     │
│ MalGamy (1)                       Fatih Sirin (1)                   David Burkett (1)                  Austin Songer (1)                │
│ @gott_cyber (1)                   Sami Ruohonen (1)                 Teymur Kheirkhabarov @He... (1)    Swisscom CSIRT (1)               │
│ Omer Faruk Celik (1)              Scott Dermott (1)                 @signalblur (1)                    @oscd_initiative (1)             │
│ Stamatis Chatzimangou (1)         Benjamin Delpy (1)                Jason Lynch (1)                    j4son (1)                        │
│ Maxim Pavlunin (1)                SBousseaden (1)                   Oddvar Moe (1)                     Zaw Min Htun (1)                 │
│ SCYTHE (1)                        Swisscom (1)                      David Strassegger (1)              Harish Segar (1)                 │
│ The DFIR Report (1)               @scythe_io (1)                    Sherif Eldeeb (1)                  EagleEye Team (1)                │
│ Margaritis Dimitrios (1)          Alec Costello (1)                 Mustafa Kaan Demir (1)             John Lambert (1)                 │
│ Open Threat Research (1)          Kutepov Anton (1)                 fuzzyf10w (1)                      vburov (1)                       │
│ alias support) (1)                Bartlomiej Czyz @bczyz1 (1)       Ali Alwashali (1)                  Subhash Popuri (1)               │
│ Ivan Dyachkov (1)                 @Joseliyo_Jstnk (1)               Sorina Ionescu (1)                 Markus Neis @Karneades (1)       │
│ Dominik Schaudel (1)              David Faiss (1)                   Liran Ravich (1)                   Joseliyo Sanchez (1)             │
│ Pushkarev Dmitry (1)              James Dickenson (1)               Chad Hudson (1)                    Mangatas Tondang (1)             │
│ Ahmed Farouk (1)                  Josh Nickels (1)                  Semanur Guneysu @semanurtg (1)     Jeff Warren (1)                  │
│ Anish Bogati (1)                  Diego Perez (1)                   CD_ROM_ (1)                        Julia Fomina (1)                 │
│ Dave Kennedy (1)                  NVISO (1)                         Nextron Systems (1)                Andreas Braathen (1)             │
│ Tuan Le (1)                       Georg Lauenstein (1)              @juju4 (1)                         ANosir (1)                       │
│ Cedric MAURUGEON (1)              rukawa (1)                        @svch0st (1)                       mdecrevoisier (1)                │
│ Dan Beavin) (1)                   James Pemberton @4A616D6573 (1)   Maxime Thiebaut (1)                Bhabesh Raj (1)                  │
│ blueteam0ps (1)                   Timon Hackenjos (1)               Furkan CALISKAN (1)                @kostastsale (1)                 │
│ Jack Croock (1)                   Matthew Green @mgreen27 (1)       Dmitriy Lifanov (1)                Joshua Wright (1)                │
│ Daniel Koifman (1)                @caliskanfurkan_ (1)              @atc_project (1)                   Matt Anderson (1)                │
│ Maxence Fossat (1)                Jose Rodriguez (1)                Christopher Peacock @Sec... (1)    KevTheHermit (1)                 │
│ Trent Liffick (1)                 Center for Threat Inform... (1)                                                                       │
╰─────────────────────────────────╌─────────────────────────────────╌──────────────────────────────────╌──────────────────────────────────╯

Results Summary:

Events with hits / Total events: 19,877 / 46,495 (Data reduction: 26,618 events (57.25%))

Total | Unique detections: 32,328 | 668
Total | Unique emergency detections: 0 (0.00%) | 0 (0.00%)
Total | Unique critical detections: 47 (0.15%) | 19 (9.58%)
Total | Unique high detections: 5,611 (17.36%) | 265 (12.13%)
Total | Unique medium detections: 2,071 (6.41%) | 239 (35.78%)
Total | Unique low detections: 6,196 (19.17%) | 81 (39.67%)
Total | Unique informational detections: 18,403 (56.93%) | 64 (2.84%)

First timestamp: 2009-07-14 13:56:45.074 +09:00
Last timestamp: 2024-11-04 22:59:32.624 +09:00

First detection: 2013-10-24 01:15:33.531 +09:00
Last detection: 2024-11-04 22:59:32.624 +09:00

Dates with most total detections:
emergency: n/a, critical: 2019-07-19 (12), high: 2016-09-20 (3,650), medium: 2019-05-19 (249), low: 2016-09-20 (3,708), informational: 2016-08-19 (2,124)

Top 5 computers with most unique detections:
emergency: n/a
critical: MSEDGEWIN10 (8), srvdefender01.offsec.lan (2), fs03vuln.offsec.lan (1), IEWIN7 (1), DESKTOP-PIU87N6 (1)
high: MSEDGEWIN10 (105), IEWIN7 (64), FS03.offsec.lan (26), IE10Win7 (23), fs03vuln.offsec.lan (23)
medium: MSEDGEWIN10 (88), IEWIN7 (58), FS03.offsec.lan (27), fs03vuln.offsec.lan (22), rootdc1.offsec.lan (21)
low: MSEDGEWIN10 (38), IEWIN7 (21), FS03.offsec.lan (19), fs03vuln.offsec.lan (16), fs01.offsec.lan (11)
informational: IEWIN7 (18), MSEDGEWIN10 (17), IE8Win7 (16), IE10Win7 (16), PC01.example.corp (15)

╭──────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ Top emergency alerts:                              Top critical alerts:                                      │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ n/a                                                Sticky Key Like Backdoor Usage - Registry (8)             │
│ n/a                                                Active Directory Replication from Non Machine Account (6) │
│ n/a                                                CobaltStrike Service Installations - System (6)           │
│ n/a                                                Defender Alert (Severe) (4)                               │
│ n/a                                                Antivirus Password Dumper Detection (3)                   │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Top high alerts:                                   Top medium alerts:                                        │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Metasploit SMB Authentication (3,562)              Potentially Malicious PwSh (235)                          │
│ Suspicious Service Path (277)                      Reg Key Value Set (Sysmon Alert) (107)                    │
│ PowerShell Scripts Installed as Services (250)     Proc Injection (104)                                      │
│ Suspicious Service Installation Script (250)       Remote Thread Creation Via PowerShell (93)                │
│ Suspicious Service Name (80)                       Remote Thread Creation In Uncommon Target Image (93)      │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Top low alerts:                                    Top informational alerts:                                 │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Logon Failure (Wrong Password) (3,580)             Proc Exec (11,173)                                        │
│ Possible LOLBIN (1,418)                            NetShare File Access (2,558)                              │
│ Non Interactive PowerShell Process Spawned (326)   PwSh Scriptblock (789)                                    │
│ Proc Access (156)                                  PwSh Pipeline Exec (680)                                  │
│ DLL Loaded (Sysmon Alert) (109)                    NetShare Access (403)                                     │
╰──────────────────────────────────────────────────╌───────────────────────────────────────────────────────────╯

Saved file: timeline.json (38.7 MiB)

Elapsed time: 00:00:06.1481

Please report any issues with Hayabusa rules to: https://github.com/Yamato-Security/hayabusa-rules/issues
Please report any false positives with Sigma rules to: https://github.com/SigmaHQ/sigma/issues
Please submit new Sigma rules with pull requests to: https://github.com/SigmaHQ/sigma/pulls

守破離 - Shu Ha Ri - Follow, break, transcend.

Contributor

Copilot AI left a comment


Pull request overview

This PR removes the check that ignores YAML files located within .git folders during YAML file processing, addressing issue #1727.

Key Changes

  • Removed the .git folder filtering logic from the read_dir method in the ParseYaml implementation

Comments suppressed due to low confidence (1)

src/yaml.rs:266

  • The removal of the .git folder check creates an inconsistency in the codebase. The count_rules function at lines 664-669 still contains an identical check to ignore YAML files in .git folders. Both functions have similar purposes (processing YAML files recursively) and should handle .git folders consistently. Either both functions should skip .git folders, or neither should. Consider applying the same change to count_rules for consistency.
// ignore if tool test yml file in hayabusa-rules.
if utils::contains_str(path_str, "rules/tools/sigmac/test_files")
    || utils::contains_str(path_str, "rules\\tools\\sigmac\\test_files")
{
    return io::Result::Ok(ret);
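The exclusion logic discussed in this PR and in the review comment above, as an added Rust example that is not hayabusa's own code: a recursive YAML walker with the pre-fix `.git` skip modelled as a path-component test (an assumption; the page shows neither `read_dir` nor `count_rules` in full) beside the post-fix behaviour that keeps only the `rules/tools/sigmac/test_files` exclusion quoted above. Run against a constructed temp tree, it shows why rules stored under a path such as `~/.git/hayabusa/rules/` (the `-r` path in the author's command) were silently dropped before this change.

```rust
use std::fs;
use std::io;
use std::path::{Path, PathBuf};

// Added example, not hayabusa's code. The pre-#1729 ".git" skip is modelled as a
// path-component test (assumption: the real check is not shown on the page).
pub fn is_excluded(path: &Path, skip_git_dirs: bool) -> bool {
    let s = path.to_string_lossy();
    // Exclusion kept after the fix: hayabusa-rules sigmac test fixtures.
    if s.contains("rules/tools/sigmac/test_files") || s.contains("rules\\tools\\sigmac\\test_files") {
        return true;
    }
    skip_git_dirs && path.components().any(|c| c.as_os_str() == ".git")
}

// Recursively collect *.yml / *.yaml files under `dir`, honouring is_excluded.
pub fn collect_yaml(dir: &Path, skip_git_dirs: bool, out: &mut Vec<PathBuf>) -> io::Result<()> {
    for entry in fs::read_dir(dir)? {
        let path = entry?.path();
        if is_excluded(&path, skip_git_dirs) {
            continue;
        }
        if path.is_dir() {
            collect_yaml(&path, skip_git_dirs, out)?;
        } else if path.extension().map_or(false, |e| e == "yml" || e == "yaml") {
            out.push(path);
        }
    }
    Ok(())
}

// Builds a constructed tree in the temp dir; returns (files found with the old .git skip, files found after the fix).
pub fn demo() -> io::Result<(usize, usize)> {
    let root = std::env::temp_dir().join(format!("yaml-walk-demo-{}", std::process::id()));
    let _ = fs::remove_dir_all(&root);
    for rel in [".git/hayabusa/rules/a.yml", "rules/tools/sigmac/test_files/b.yml", "rules/c.yml"] {
        let p = root.join(rel);
        fs::create_dir_all(p.parent().unwrap())?;
        fs::write(&p, "title: constructed rule\n")?;
    }
    let (mut old, mut new) = (Vec::new(), Vec::new());
    collect_yaml(&root, true, &mut old)?;
    collect_yaml(&root, false, &mut new)?;
    fs::remove_dir_all(&root)?;
    Ok((old.len(), new.len()))
}

fn main() -> io::Result<()> {
    let (old, new) = demo()?;
    println!("with old .git skip: {} rule file(s); after fix: {}", old, new);
    Ok(())
}
```

With the old skip only `rules/c.yml` is loaded; after the fix both `rules/c.yml` and `.git/hayabusa/rules/a.yml` are, while the sigmac test fixture stays excluded in both cases.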




Development

Successfully merging this pull request may close these issues.

-r and -c not working when running hayabusa json-timeline
