  def ExamineEvent(self, mediator, event):
    """Tags an event with every label whose tagging rules match it.

    While no tagging rules are loaded, one attempt is made to autodetect a
    tag file through the mediator. If such an attempt was already recorded
    in _autodetect_tag_file_attempt, or the attempt made here fails, the
    event is left untagged.

    Args:
      mediator (AnalysisMediator): mediates interactions between analysis
          plugins and other components, such as storage and dfvfs.
      event (EventObject): event to examine.
    """
    if self._tagging_rules is None:
      if self._autodetect_tag_file_attempt:
        # A tag file was already searched for without result, so there is
        # nothing to tag this (or any later) event with.
        return

      if not self._AttemptAutoDetectTagFile(mediator):
        logger.info(
            'No tag definition file specified, and plaso was not able to '
            'autoselect a tagging file. As no definitions were specified, '
            'no events will be tagged.')
        return

    # A label applies as soon as one of its filters matches; the remaining
    # filters for that label are not consulted (filters are assumed to be
    # side-effect free).
    matched_label_names = [
        label_name
        for label_name, filter_objects in self._tagging_rules.items()
        if any(filter_object.Match(event) for filter_object in filter_objects)]

    if not matched_label_names:
      return

    event_tag = self._CreateEventTag(
        event, self._EVENT_TAG_COMMENT, matched_label_names)
    mediator.ProduceEventTag(event_tag)
    self._number_of_event_tags += 1
 def _LogProgressUpdateIfReasonable(self):
   """Logs a progress update, rate limited to one per status interval.

   Nothing is logged while fewer than SECONDS_BETWEEN_STATUS_LOG_MESSAGES
   seconds have passed since the previous status message. The estimated
   completion time is EstimateTimeRemaining() added to the current epoch
   timestamp, so that method is expected to return seconds — confirm against
   its implementation.
   """
   now = time.time()
   log_due_at = (
       self._time_of_last_status_log +
       self.SECONDS_BETWEEN_STATUS_LOG_MESSAGES)
   if now < log_due_at:
     return

   # time.ctime() renders the absolute timestamp in local time.
   estimated_completion = time.ctime(now + self.EstimateTimeRemaining())
   logger.info(
       '{0:s} hash analysis plugin running. {1:d} hashes in queue, '
       'estimated completion time {2:s}.'.format(
           self.NAME, self.hash_queue.qsize(), estimated_completion))
   self._time_of_last_status_log = now
 def _LogProgressUpdateIfReasonable(self):
   """Logs a progress update, rate limited to one per status interval.

   Nothing is logged while fewer than SECONDS_BETWEEN_STATUS_LOG_MESSAGES
   seconds have passed since the previous status message. The estimated
   completion time is EstimateTimeRemaining() added to the current epoch
   timestamp, so that method is expected to return seconds — confirm against
   its implementation.
   """
   now = time.time()
   log_due_at = (
       self._time_of_last_status_log +
       self.SECONDS_BETWEEN_STATUS_LOG_MESSAGES)
   if now < log_due_at:
     return

   # time.ctime() renders the absolute timestamp in local time.
   estimated_completion = time.ctime(now + self.EstimateTimeRemaining())
   logger.info(
       '{0:s} hash analysis plugin running. {1:d} hashes in queue, '
       'estimated completion time {2:s}.'.format(
           self.NAME, self.hash_queue.qsize(), estimated_completion))
   self._time_of_last_status_log = now
    def _AttemptAutoDetectTagFile(self, analysis_mediator):
        """Selects and loads a tag file based on the detected operating system.

        The attempt is recorded in _autodetect_tag_file_attempt before any
        check runs, so callers can tell that detection was tried even when it
        returns False. The file name is taken from the fixed _OS_TAG_FILES
        mapping, keyed by the lower-cased operating system name; only a name
        from that mapping is ever joined onto the mediator's data location.

        Args:
          analysis_mediator (AnalysisMediator): analysis mediator.

        Returns:
          bool: True if a tag file is autodetected.
        """
        self._autodetect_tag_file_attempt = True

        data_location = analysis_mediator.data_location
        if not data_location:
            return False

        tag_filename = self._OS_TAG_FILES.get(
            analysis_mediator.operating_system.lower())
        if not tag_filename:
            return False

        logger.info('Using auto detected tag file: {0:s}'.format(tag_filename))
        self.SetAndLoadTagFile(os.path.join(data_location, tag_filename))
        return True
  def _AttemptAutoDetectTagFile(self, analysis_mediator):
    """Selects and loads a tag file based on the detected operating system.

    The attempt is recorded in _autodetect_tag_file_attempt before any check
    runs, so callers can tell that detection was tried even when it returns
    False. The file name is taken from the fixed _OS_TAG_FILES mapping, keyed
    by the lower-cased operating system name; only a name from that mapping is
    ever joined onto the mediator's data location.

    Args:
      analysis_mediator (AnalysisMediator): analysis mediator.

    Returns:
      bool: True if a tag file is autodetected.
    """
    self._autodetect_tag_file_attempt = True

    data_location = analysis_mediator.data_location
    if not data_location:
      return False

    tag_filename = self._OS_TAG_FILES.get(
        analysis_mediator.operating_system.lower())
    if not tag_filename:
      return False

    logger.info('Using auto detected tag file: {0:s}'.format(tag_filename))
    self.SetAndLoadTagFile(os.path.join(data_location, tag_filename))
    return True
    def ExamineEvent(self, mediator, event):
        """Tags an event with the labels selected by the loaded efilter rules.

        While no rules are loaded, one attempt is made to autodetect a tag
        file through the mediator. If such an attempt was already recorded in
        _autodetect_tag_file_attempt, or the attempt made here fails, the
        event is left untagged. The rules are evaluated with efilter against
        the event; an EfilterTypeError is logged as a warning and treated as
        "no labels", while any other efilter error propagates to the caller.

        Args:
          mediator (AnalysisMediator): mediates interactions between analysis
              plugins and other components, such as storage and dfvfs.
          event (EventObject): event to examine.
        """
        if self._tag_rules is None:
            if self._autodetect_tag_file_attempt:
                # A tag file was already searched for without result, so there
                # is nothing to tag this (or any later) event with.
                return
            if not self._AttemptAutoDetectTagFile(mediator):
                logger.info(
                    'No tag definition file specified, and plaso was not able to '
                    'autoselect a tagging file. As no definitions were specified, '
                    'no events will be tagged.')
                return

        try:
            matched_labels = efilter_api.apply(self._tag_rules, vars=event)
        except efilter_errors.EfilterTypeError as exception:
            # A type mismatch between a rule and this event's attributes only
            # skips tagging of this event.
            logger.warning(
                'Unable to apply efilter query with error: {0!s}'.format(
                    exception))
            return

        if not matched_labels:
            return

        labels = list(efilter_api.getvalues(matched_labels))
        event_tag = self._CreateEventTag(event, self._EVENT_TAG_COMMENT, labels)
        mediator.ProduceEventTag(event_tag)
        self._number_of_event_tags += 1
  def ExamineEvent(self, mediator, event, event_data):
    """Tags an event with every label whose tagging rules match it.

    While no tagging rules are loaded, one attempt is made to autodetect a
    tag file through the mediator. If such an attempt was already recorded
    in _autodetect_tag_file_attempt, or the attempt made here fails, the
    event is left untagged.

    Args:
      mediator (AnalysisMediator): mediates interactions between analysis
          plugins and other components, such as storage and dfvfs.
      event (EventObject): event to examine.
      event_data (EventData): event data.
    """
    if self._tagging_rules is None:
      if self._autodetect_tag_file_attempt:
        # A tag file was already searched for without result, so there is
        # nothing to tag this (or any later) event with.
        return

      if not self._AttemptAutoDetectTagFile(mediator):
        logger.info(
            'No tag definition file specified, and plaso was not able to '
            'autoselect a tagging file. As no definitions were specified, '
            'no events will be tagged.')
        return

    # A label applies as soon as one of its filters matches; the remaining
    # filters for that label are not consulted (filters are assumed to be
    # side-effect free). The third Match argument is the existing event tag;
    # it is always None here because tagging based on existing labels is
    # currently not supported.
    matched_label_names = [
        label_name
        for label_name, filter_objects in self._tagging_rules.items()
        if any(
            filter_object.Match(event, event_data, None)
            for filter_object in filter_objects)]

    if not matched_label_names:
      return

    event_tag = self._CreateEventTag(
        event, self._EVENT_TAG_COMMENT, matched_label_names)
    mediator.ProduceEventTag(event_tag)
    self._number_of_event_tags += 1