def _CreateTestEventTags(self):
"""Creates the event tags for testing.
Returns:
A list of event tags (instances of EventTag).
"""
event_tags = []
event_tag = event.EventTag()
event_tag.store_index = 0
event_tag.store_number = 1
event_tag.comment = u'My comment'
event_tags.append(event_tag)
event_tag = event.EventTag()
event_tag.store_index = 1
event_tag.store_number = 1
event_tag.AddLabel(u'Malware')
event_tags.append(event_tag)
event_tag = event.EventTag()
event_tag.store_number = 1
event_tag.store_index = 2
event_tag.comment = u'This is interesting'
event_tag.AddLabels([u'Malware', u'Benign'])
event_tags.append(event_tag)
event_tag = event.EventTag()
event_tag.store_index = 1
event_tag.store_number = 1
event_tag.AddLabel(u'Interesting')
event_tags.append(event_tag)
return event_tags
def _ConvertDictToEventTag(self, json_dict):
"""Converts a JSON dict into an event tag object.
The dictionary of the JSON serialized objects consists of:
{
'__type__': 'EventTag'
...
}
Here '__type__' indicates the object base type. In this case this should
be 'EventTag'. The rest of the elements of the dictionary make up the
event tag object properties.
Args:
json_dict: a dictionary of the JSON serialized objects.
Returns:
An event tag (instance of EventTag).
"""
event_tag = event.EventTag()
for key, value in iter(json_dict.items()):
setattr(event_tag, key, value)
return event_tag
def testWriteEventBody(self):
"""Tests the WriteEventBody function."""
formatters_manager.FormattersManager.RegisterFormatter(
L2TTestEventFormatter)
event_tag = event.EventTag()
event_tag.uuid = self._event_object.uuid
event_tag.AddLabels([u'Malware', u'Printed'])
self._event_object.tag = event_tag
self._formatter.WriteEventBody(self._event_object)
expected_event_body = (
b'06/27/2012,18:17:01,UTC,M...,LOG,Syslog,Content Modification Time,-,'
b'ubuntu,Reporter <CRON> PID: 8442 (pam_unix(cron:session): session '
b'closed for user root),Reporter <CRON> PID: 8442 '
b'(pam_unix(cron:session): session closed for user root),'
b'2,log/syslog.1,-,Malware Printed,'
b'-,my_number: 123 some_additional_foo: True \n')
event_body = self._output_writer.ReadOutput()
self.assertEqual(event_body, expected_event_body)
# Ensure that the only commas returned are the 16 delimiters.
self.assertEqual(event_body.count(b','), 16)
formatters_manager.FormattersManager.DeregisterFormatter(
L2TTestEventFormatter)
def ExamineEvent(self, analysis_mediator, event_object, **kwargs):
"""Analyzes an EventObject and tags it according to rules in the tag file.
Args:
analysis_mediator: The analysis mediator object (instance of
AnalysisMediator).
event_object: The event object (instance of EventObject) to examine.
"""
if self._tag_rules is None:
if self._autodetect_tag_file_attempt:
# There's nothing to tag with, and we've already tried to find a good
# tag file, so there's nothing we can do with this event (or any other).
return
if not self._AttemptAutoDetectTagFile(analysis_mediator):
logging.info(
u'No tag definition file specified, and plaso was not '
u'able to autoselect a tagging file. As no definitions '
u'were specified, no events will be tagged.')
return
matched_tags = []
for tag, my_filters in self._tag_rules.iteritems():
for my_filter in my_filters:
if my_filter.Match(event_object):
matched_tags.append(tag)
break
if not matched_tags:
return
event_tag = event.EventTag()
event_tag.event_uuid = getattr(event_object, u'uuid')
event_tag.comment = u'Tag applied by tagging analysis plugin.'
event_tag.tags = matched_tags
logging.debug(u'Tagging event: {0!s}'.format(event_tag.event_uuid))
self._tags.append(event_tag)
def ReadSerializedDict(cls, json_dict):
"""Reads an event tag from serialized dict form.
Args:
json_dict: a dictionary of the JSON serialized objects.
Returns:
An event tag (instance of EventTag).
"""
if not json_dict:
return
event_tag = event.EventTag()
for key, value in iter(json_dict.items()):
if value is None:
continue
# Note that "_tags" is the name for "labels" prior to version
# 1.4.1-20160131
if key == u'_tags':
key = u'labels'
if key == u'labels':
event_tag.AddLabels(value)
else:
setattr(event_tag, key, value)
return event_tag
def testWriteSerializer(self):
"""Tests the WriteSerialized function."""
event_tag = event.EventTag()
event_tag.event_uuid = self._event_uuid
event_tag.comment = u'This is a test event tag.'
event_tag._tags = [u'This is a test.', u'Also a test.']
self.assertTrue(event_tag.IsValidForSerialization())
self._TestWriteSerialized(self._serializer, event_tag, self._json_dict)
def testWriteSerialized(self):
"""Tests the WriteSerialized function."""
event_tag = event.EventTag()
event_tag.store_number = 234
event_tag.store_index = 18
event_tag.comment = u'My first comment.'
event_tag.color = u'Red'
event_tag.tags = [u'Malware', u'Common']
self._TestWriteSerialized(self._serializer, event_tag, self._proto_string)
def _CreateTag(self, event_uuid, tag_strings):
"""Creates an event tag.
Args:
event_uuid: The UUID of the event that should be tagged.
tag_strings: A list of strings that the event should be tagged with.
"""
event_tag = event.EventTag()
event_tag.event_uuid = event_uuid
event_tag.comment = u'Tag applied by {0:s} analysis plugin'.format(
self.NAME)
event_tag.tags = tag_strings
return event_tag
def setUp(self):
"""Makes preparations before running an individual test."""
self._event_tag = event.EventTag(comment=u'My first comment.')
self._event_tag.store_number = 234
self._event_tag.store_index = 18
self._event_tag.AddLabels([u'Malware', u'Common'])
self._event_tag_dict = {
u'comment': u'My first comment.',
u'labels': [u'Malware', u'Common'],
u'store_index': 18,
u'store_number': 234,
}
def _CreateTag(self, event_uuid, labels):
"""Creates an event tag.
Args:
event_uuid: The UUID of the event that should be tagged.
labels: A list of strings that contains the labels.
"""
event_tag = event.EventTag()
event_tag.comment = (u'Tag applied by {0:s} analysis plugin'.format(
self.NAME))
event_tag.event_uuid = event_uuid
event_tag.AddLabels(labels)
return event_tag
def testWriteSerialized(self):
"""Test the write serialized functionality."""
event_tag = event.EventTag()
event_tag.store_number = 234
event_tag.store_index = 18
event_tag.comment = u'My first comment.'
event_tag.color = u'Red'
event_tag.tags = [u'Malware', u'Common']
serializer = protobuf_serializer.ProtobufEventTagSerializer
proto_string = serializer.WriteSerialized(event_tag)
self.assertEqual(proto_string, self._proto_string)
def setUp(self):
"""Makes preparations before running an individual test."""
plaso_timestamp = timelib.Timestamp()
self._event_timestamp = plaso_timestamp.CopyFromString(
u'2012-06-27 18:17:01+00:00')
self._event_object = TimesketchTestEvent(self._event_timestamp)
self._event_tag = event.EventTag()
self._event_tag.uuid = self._event_object.uuid
self._event_tag.tags = [u'Test tag']
self._event_object.tag = self._event_tag
output_mediator = self._CreateOutputMediator()
self._timesketch_output = timesketch_out.TimesketchOutputModule(
output_mediator)
def setUp(self):
"""Sets up the objects needed for this test."""
plaso_timestamp = timelib.Timestamp()
self._event_timestamp = plaso_timestamp.CopyFromString(
u'2012-06-27 18:17:01+00:00')
self._event_object = TimesketchTestEvent(self._event_timestamp)
self._event_tag = event.EventTag()
self._event_tag.uuid = self._event_object.uuid
self._event_tag.tags = [u'Test tag']
self._event_object.tag = self._event_tag
output_mediator = self._CreateOutputMediator()
self._timesketch_output = timesketch_out.TimesketchOutputModule(
output_mediator)
def testWriteSerialized(self):
"""Tests the WriteSerialized function."""
event_tag = event.EventTag(
comment=self._comment, event_uuid=self._event_uuid)
event_tag.AddLabels(self._labels)
self.assertTrue(event_tag.IsValidForSerialization())
analysis_report = event.AnalysisReport(u'chrome_extension_test')
analysis_report.report_dict = self._report_dict
analysis_report.text = self._report_text
analysis_report.time_compiled = 1431978243000000
analysis_report.SetTags([event_tag])
self._TestWriteSerialized(
self._serializer, analysis_report, self._json_dict)
def testWriteSerialized(self):
"""Tests the WriteSerialized function."""
event_tag = event.EventTag()
event_tag.event_uuid = u'403818f93dce467bac497ef0f263fde8'
event_tag.comment = u'This is a test event tag.'
event_tag._tags = [u'This is a test.', u'Also a test.']
self.assertTrue(event_tag.IsValidForSerialization())
analysis_report = event.AnalysisReport(u'chrome_extension_test')
analysis_report.report_dict = self._report_dict
analysis_report.text = self._report_text
analysis_report.time_compiled = 1431978243000000
analysis_report.SetTags([event_tag])
self._TestWriteSerialized(self._serializer, analysis_report,
self._json_dict)
def ReadSerialized(cls, json_string):
"""Reads an event tag from serialized form.
Args:
json_string: a JSON string containing the serialized form.
Returns:
An event tag (instance of EventTag).
"""
if not json_string:
return
event_tag = event.EventTag()
json_attributes = json.loads(json_string)
for key, value in iter(json_attributes.items()):
setattr(event_tag, key, value)
return event_tag
def ReadSerializedObject(cls, proto):
"""Reads an event tag from serialized form.
Args:
proto: a protobuf object containing the serialized form (instance of
plaso_storage_pb2.EventTag).
Returns:
An event tag (instance of EventTag).
"""
event_tag = event.EventTag()
for proto_attribute, attribute_value in proto.ListFields():
if proto_attribute.name == u'tags':
event_tag._tags = []
for proto_tag in proto.tags:
event_tag._tags.append(proto_tag.value)
else:
setattr(event_tag, proto_attribute.name, attribute_value)
return event_tag
def Run(self):
"""Iterates through a Plaso Store file, tagging events according to the
tagging input file specified on the command line. It writes the tagging
information to the Plaso Store file."""
pre_obj = event.PreprocessObject()
pre_obj.collection_information = {}
pre_obj.collection_information['file_processed'] = self.target_filename
pre_obj.collection_information['method'] = u'Applying tags.'
pre_obj.collection_information['tag_file'] = self.tag_input
pre_obj.collection_information['tagging_engine'] = u'plasm'
if not self._quiet:
sys.stdout.write(u'Applying tags...\n')
with SetupStorage(self.target_filename, pre_obj) as store:
tags = ParseTaggingFile(self.tag_input)
num_tags = 0
event_tags = []
for event_object in EventObjectGenerator(store, self._quiet):
matched_tags = []
for tag, my_filters in tags.iteritems():
for my_filter in my_filters:
if my_filter.Match(event_object):
matched_tags.append(tag)
# Don't want to evaluate other tags once a tag is discovered.
break
if len(matched_tags) > 0:
event_tag = event.EventTag()
event_tag.store_number = getattr(event_object,
'store_number')
event_tag.store_index = getattr(event_object,
'store_index')
event_tag.comment = u'Tag applied by PLASM tagging engine'
event_tag.tags = matched_tags
event_tags.append(event_tag)
num_tags += 1
store.StoreTagging(event_tags)
if not self._quiet:
sys.stdout.write(u'DONE (applied {} tags)\n'.format(num_tags))
def testStorage(self):
"""Test the storage object."""
event_objects = []
timestamps = []
group_mock = GroupMock()
tags = []
tags_mock = []
groups = []
group_events = []
same_events = []
serializer = protobuf_serializer.ProtobufEventObjectSerializer
with TempDirectory() as dirname:
temp_file = os.path.join(dirname, 'plaso.db')
store = storage.StorageFile(temp_file)
store.AddEventObjects(self._event_objects)
# Add tagging.
tag_1 = event.EventTag()
tag_1.store_index = 0
tag_1.store_number = 1
tag_1.comment = 'My comment'
tag_1.color = 'blue'
tags_mock.append(tag_1)
tag_2 = event.EventTag()
tag_2.store_index = 1
tag_2.store_number = 1
tag_2.tags = ['Malware']
tag_2.color = 'red'
tags_mock.append(tag_2)
tag_3 = event.EventTag()
tag_3.store_number = 1
tag_3.store_index = 2
tag_3.comment = 'This is interesting'
tag_3.tags = ['Malware', 'Benign']
tag_3.color = 'red'
tags_mock.append(tag_3)
store.StoreTagging(tags_mock)
# Add additional tagging, second round.
tag_4 = event.EventTag()
tag_4.store_index = 1
tag_4.store_number = 1
tag_4.tags = ['Interesting']
store.StoreTagging([tag_4])
group_mock.AddGroup(
'Malicious', [(1, 1), (1, 2)], desc='Events that are malicious',
color='red', first=13349402860000000, last=13349615269295969,
cat='Malware')
store.StoreGrouping(group_mock)
store.Close()
read_store = storage.StorageFile(temp_file, read_only=True)
self.assertTrue(read_store.HasTagging())
self.assertTrue(read_store.HasGrouping())
for event_object in read_store.GetEntries(1):
event_objects.append(event_object)
timestamps.append(event_object.timestamp)
if event_object.data_type == 'windows:registry:key_value':
self.assertEquals(event_object.timestamp_desc,
eventdata.EventTimestamp.WRITTEN_TIME)
else:
self.assertEquals(event_object.timestamp_desc,
eventdata.EventTimestamp.WRITTEN_TIME)
for tag in read_store.GetTagging():
event_object = read_store.GetTaggedEvent(tag)
tags.append(event_object)
groups = list(read_store.GetGrouping())
self.assertEquals(len(groups), 1)
group_events = list(read_store.GetEventsFromGroup(groups[0]))
# Read the same events that were put in the group, just to compare
# against.
event_object = read_store.GetEventObject(1, 1)
serialized_event_object = serializer.WriteSerialized(event_object)
same_events.append(serialized_event_object)
event_object = read_store.GetEventObject(1, 2)
serialized_event_object = serializer.WriteSerialized(event_object)
same_events.append(serialized_event_object)
self.assertEquals(len(event_objects), 4)
self.assertEquals(len(tags), 4)
self.assertEquals(tags[0].timestamp, 12389344590000000)
self.assertEquals(tags[0].store_number, 1)
self.assertEquals(tags[0].store_index, 0)
self.assertEquals(tags[0].tag.comment, u'My comment')
self.assertEquals(tags[0].tag.color, u'blue')
msg, _ = eventdata.EventFormatterManager.GetMessageStrings(tags[0])
self.assertEquals(msg[0:10], u'This is a ')
self.assertEquals(tags[1].tag.tags[0], 'Malware')
msg, _ = eventdata.EventFormatterManager.GetMessageStrings(tags[1])
self.assertEquals(msg[0:15], u'[\\HKCU\\Windows\\')
self.assertEquals(tags[2].tag.comment, u'This is interesting')
self.assertEquals(tags[2].tag.tags[0], 'Malware')
self.assertEquals(tags[2].tag.tags[1], 'Benign')
self.assertEquals(tags[2].parser, 'UNKNOWN')
# Test the newly added fourth tag, which should include data from
# the first version as well.
self.assertEquals(tags[3].tag.tags[0], 'Interesting')
self.assertEquals(tags[3].tag.tags[1], 'Malware')
expected_timestamps = [
12389344590000000, 13349402860000000, 13349615269295969,
13359662069295961]
self.assertEquals(timestamps, expected_timestamps)
self.assertEquals(groups[0].name, u'Malicious')
self.assertEquals(groups[0].category, u'Malware')
self.assertEquals(groups[0].color, u'red')
self.assertEquals(groups[0].description, u'Events that are malicious')
self.assertEquals(groups[0].first_timestamp, 13349402860000000)
self.assertEquals(groups[0].last_timestamp, 13349615269295969)
self.assertEquals(len(group_events), 2)
self.assertEquals(group_events[0].timestamp, 13349402860000000)
self.assertEquals(group_events[1].timestamp, 13349615269295969L)
proto_group_events = []
for group_event in group_events:
serialized_event_object = serializer.WriteSerialized(group_event)
proto_group_events.append(serialized_event_object)
self.assertEquals(same_events, proto_group_events)
