def _CreateTestEventTags(self): """Creates the event tags for testing. Returns: A list of event tags (instances of EventTag). """ event_tags = [] event_tag = event.EventTag() event_tag.store_index = 0 event_tag.store_number = 1 event_tag.comment = u'My comment' event_tags.append(event_tag) event_tag = event.EventTag() event_tag.store_index = 1 event_tag.store_number = 1 event_tag.AddLabel(u'Malware') event_tags.append(event_tag) event_tag = event.EventTag() event_tag.store_number = 1 event_tag.store_index = 2 event_tag.comment = u'This is interesting' event_tag.AddLabels([u'Malware', u'Benign']) event_tags.append(event_tag) event_tag = event.EventTag() event_tag.store_index = 1 event_tag.store_number = 1 event_tag.AddLabel(u'Interesting') event_tags.append(event_tag) return event_tags
def _ConvertDictToEventTag(self, json_dict): """Converts a JSON dict into an event tag object. The dictionary of the JSON serialized objects consists of: { '__type__': 'EventTag' ... } Here '__type__' indicates the object base type. In this case this should be 'EventTag'. The rest of the elements of the dictionary make up the event tag object properties. Args: json_dict: a dictionary of the JSON serialized objects. Returns: An event tag (instance of EventTag). """ event_tag = event.EventTag() for key, value in iter(json_dict.items()): setattr(event_tag, key, value) return event_tag
def testWriteEventBody(self): """Tests the WriteEventBody function.""" formatters_manager.FormattersManager.RegisterFormatter( L2TTestEventFormatter) event_tag = event.EventTag() event_tag.uuid = self._event_object.uuid event_tag.AddLabels([u'Malware', u'Printed']) self._event_object.tag = event_tag self._formatter.WriteEventBody(self._event_object) expected_event_body = ( b'06/27/2012,18:17:01,UTC,M...,LOG,Syslog,Content Modification Time,-,' b'ubuntu,Reporter <CRON> PID: 8442 (pam_unix(cron:session): session ' b'closed for user root),Reporter <CRON> PID: 8442 ' b'(pam_unix(cron:session): session closed for user root),' b'2,log/syslog.1,-,Malware Printed,' b'-,my_number: 123 some_additional_foo: True \n') event_body = self._output_writer.ReadOutput() self.assertEqual(event_body, expected_event_body) # Ensure that the only commas returned are the 16 delimiters. self.assertEqual(event_body.count(b','), 16) formatters_manager.FormattersManager.DeregisterFormatter( L2TTestEventFormatter)
def ExamineEvent(self, analysis_mediator, event_object, **kwargs): """Analyzes an EventObject and tags it according to rules in the tag file. Args: analysis_mediator: The analysis mediator object (instance of AnalysisMediator). event_object: The event object (instance of EventObject) to examine. """ if self._tag_rules is None: if self._autodetect_tag_file_attempt: # There's nothing to tag with, and we've already tried to find a good # tag file, so there's nothing we can do with this event (or any other). return if not self._AttemptAutoDetectTagFile(analysis_mediator): logging.info( u'No tag definition file specified, and plaso was not ' u'able to autoselect a tagging file. As no definitions ' u'were specified, no events will be tagged.') return matched_tags = [] for tag, my_filters in self._tag_rules.iteritems(): for my_filter in my_filters: if my_filter.Match(event_object): matched_tags.append(tag) break if not matched_tags: return event_tag = event.EventTag() event_tag.event_uuid = getattr(event_object, u'uuid') event_tag.comment = u'Tag applied by tagging analysis plugin.' event_tag.tags = matched_tags logging.debug(u'Tagging event: {0!s}'.format(event_tag.event_uuid)) self._tags.append(event_tag)
def ReadSerializedDict(cls, json_dict): """Reads an event tag from serialized dict form. Args: json_dict: a dictionary of the JSON serialized objects. Returns: An event tag (instance of EventTag). """ if not json_dict: return event_tag = event.EventTag() for key, value in iter(json_dict.items()): if value is None: continue # Note that "_tags" is the name for "labels" prior to version # 1.4.1-20160131 if key == u'_tags': key = u'labels' if key == u'labels': event_tag.AddLabels(value) else: setattr(event_tag, key, value) return event_tag
def testWriteSerializer(self): """Tests the WriteSerialized function.""" event_tag = event.EventTag() event_tag.event_uuid = self._event_uuid event_tag.comment = u'This is a test event tag.' event_tag._tags = [u'This is a test.', u'Also a test.'] self.assertTrue(event_tag.IsValidForSerialization()) self._TestWriteSerialized(self._serializer, event_tag, self._json_dict)
def testWriteSerialized(self): """Tests the WriteSerialized function.""" event_tag = event.EventTag() event_tag.store_number = 234 event_tag.store_index = 18 event_tag.comment = u'My first comment.' event_tag.color = u'Red' event_tag.tags = [u'Malware', u'Common'] self._TestWriteSerialized(self._serializer, event_tag, self._proto_string)
def _CreateTag(self, event_uuid, tag_strings): """Creates an event tag. Args: event_uuid: The UUID of the event that should be tagged. tag_strings: A list of strings that the event should be tagged with. """ event_tag = event.EventTag() event_tag.event_uuid = event_uuid event_tag.comment = u'Tag applied by {0:s} analysis plugin'.format( self.NAME) event_tag.tags = tag_strings return event_tag
def setUp(self): """Makes preparations before running an individual test.""" self._event_tag = event.EventTag(comment=u'My first comment.') self._event_tag.store_number = 234 self._event_tag.store_index = 18 self._event_tag.AddLabels([u'Malware', u'Common']) self._event_tag_dict = { u'comment': u'My first comment.', u'labels': [u'Malware', u'Common'], u'store_index': 18, u'store_number': 234, }
def _CreateTag(self, event_uuid, labels): """Creates an event tag. Args: event_uuid: The UUID of the event that should be tagged. labels: A list of strings that contains the labels. """ event_tag = event.EventTag() event_tag.comment = (u'Tag applied by {0:s} analysis plugin'.format( self.NAME)) event_tag.event_uuid = event_uuid event_tag.AddLabels(labels) return event_tag
def testWriteSerialized(self): """Test the write serialized functionality.""" event_tag = event.EventTag() event_tag.store_number = 234 event_tag.store_index = 18 event_tag.comment = u'My first comment.' event_tag.color = u'Red' event_tag.tags = [u'Malware', u'Common'] serializer = protobuf_serializer.ProtobufEventTagSerializer proto_string = serializer.WriteSerialized(event_tag) self.assertEqual(proto_string, self._proto_string)
def setUp(self): """Makes preparations before running an individual test.""" plaso_timestamp = timelib.Timestamp() self._event_timestamp = plaso_timestamp.CopyFromString( u'2012-06-27 18:17:01+00:00') self._event_object = TimesketchTestEvent(self._event_timestamp) self._event_tag = event.EventTag() self._event_tag.uuid = self._event_object.uuid self._event_tag.tags = [u'Test tag'] self._event_object.tag = self._event_tag output_mediator = self._CreateOutputMediator() self._timesketch_output = timesketch_out.TimesketchOutputModule( output_mediator)
def setUp(self): """Sets up the objects needed for this test.""" plaso_timestamp = timelib.Timestamp() self._event_timestamp = plaso_timestamp.CopyFromString( u'2012-06-27 18:17:01+00:00') self._event_object = TimesketchTestEvent(self._event_timestamp) self._event_tag = event.EventTag() self._event_tag.uuid = self._event_object.uuid self._event_tag.tags = [u'Test tag'] self._event_object.tag = self._event_tag output_mediator = self._CreateOutputMediator() self._timesketch_output = timesketch_out.TimesketchOutputModule( output_mediator)
def testWriteSerialized(self): """Tests the WriteSerialized function.""" event_tag = event.EventTag( comment=self._comment, event_uuid=self._event_uuid) event_tag.AddLabels(self._labels) self.assertTrue(event_tag.IsValidForSerialization()) analysis_report = event.AnalysisReport(u'chrome_extension_test') analysis_report.report_dict = self._report_dict analysis_report.text = self._report_text analysis_report.time_compiled = 1431978243000000 analysis_report.SetTags([event_tag]) self._TestWriteSerialized( self._serializer, analysis_report, self._json_dict)
def testWriteSerialized(self): """Tests the WriteSerialized function.""" event_tag = event.EventTag() event_tag.event_uuid = u'403818f93dce467bac497ef0f263fde8' event_tag.comment = u'This is a test event tag.' event_tag._tags = [u'This is a test.', u'Also a test.'] self.assertTrue(event_tag.IsValidForSerialization()) analysis_report = event.AnalysisReport(u'chrome_extension_test') analysis_report.report_dict = self._report_dict analysis_report.text = self._report_text analysis_report.time_compiled = 1431978243000000 analysis_report.SetTags([event_tag]) self._TestWriteSerialized(self._serializer, analysis_report, self._json_dict)
def ReadSerialized(cls, json_string): """Reads an event tag from serialized form. Args: json_string: a JSON string containing the serialized form. Returns: An event tag (instance of EventTag). """ if not json_string: return event_tag = event.EventTag() json_attributes = json.loads(json_string) for key, value in iter(json_attributes.items()): setattr(event_tag, key, value) return event_tag
def ReadSerializedObject(cls, proto): """Reads an event tag from serialized form. Args: proto: a protobuf object containing the serialized form (instance of plaso_storage_pb2.EventTag). Returns: An event tag (instance of EventTag). """ event_tag = event.EventTag() for proto_attribute, attribute_value in proto.ListFields(): if proto_attribute.name == u'tags': event_tag._tags = [] for proto_tag in proto.tags: event_tag._tags.append(proto_tag.value) else: setattr(event_tag, proto_attribute.name, attribute_value) return event_tag
def Run(self): """Iterates through a Plaso Store file, tagging events according to the tagging input file specified on the command line. It writes the tagging information to the Plaso Store file.""" pre_obj = event.PreprocessObject() pre_obj.collection_information = {} pre_obj.collection_information['file_processed'] = self.target_filename pre_obj.collection_information['method'] = u'Applying tags.' pre_obj.collection_information['tag_file'] = self.tag_input pre_obj.collection_information['tagging_engine'] = u'plasm' if not self._quiet: sys.stdout.write(u'Applying tags...\n') with SetupStorage(self.target_filename, pre_obj) as store: tags = ParseTaggingFile(self.tag_input) num_tags = 0 event_tags = [] for event_object in EventObjectGenerator(store, self._quiet): matched_tags = [] for tag, my_filters in tags.iteritems(): for my_filter in my_filters: if my_filter.Match(event_object): matched_tags.append(tag) # Don't want to evaluate other tags once a tag is discovered. break if len(matched_tags) > 0: event_tag = event.EventTag() event_tag.store_number = getattr(event_object, 'store_number') event_tag.store_index = getattr(event_object, 'store_index') event_tag.comment = u'Tag applied by PLASM tagging engine' event_tag.tags = matched_tags event_tags.append(event_tag) num_tags += 1 store.StoreTagging(event_tags) if not self._quiet: sys.stdout.write(u'DONE (applied {} tags)\n'.format(num_tags))
def testStorage(self): """Test the storage object.""" event_objects = [] timestamps = [] group_mock = GroupMock() tags = [] tags_mock = [] groups = [] group_events = [] same_events = [] serializer = protobuf_serializer.ProtobufEventObjectSerializer with TempDirectory() as dirname: temp_file = os.path.join(dirname, 'plaso.db') store = storage.StorageFile(temp_file) store.AddEventObjects(self._event_objects) # Add tagging. tag_1 = event.EventTag() tag_1.store_index = 0 tag_1.store_number = 1 tag_1.comment = 'My comment' tag_1.color = 'blue' tags_mock.append(tag_1) tag_2 = event.EventTag() tag_2.store_index = 1 tag_2.store_number = 1 tag_2.tags = ['Malware'] tag_2.color = 'red' tags_mock.append(tag_2) tag_3 = event.EventTag() tag_3.store_number = 1 tag_3.store_index = 2 tag_3.comment = 'This is interesting' tag_3.tags = ['Malware', 'Benign'] tag_3.color = 'red' tags_mock.append(tag_3) store.StoreTagging(tags_mock) # Add additional tagging, second round. tag_4 = event.EventTag() tag_4.store_index = 1 tag_4.store_number = 1 tag_4.tags = ['Interesting'] store.StoreTagging([tag_4]) group_mock.AddGroup( 'Malicious', [(1, 1), (1, 2)], desc='Events that are malicious', color='red', first=13349402860000000, last=13349615269295969, cat='Malware') store.StoreGrouping(group_mock) store.Close() read_store = storage.StorageFile(temp_file, read_only=True) self.assertTrue(read_store.HasTagging()) self.assertTrue(read_store.HasGrouping()) for event_object in read_store.GetEntries(1): event_objects.append(event_object) timestamps.append(event_object.timestamp) if event_object.data_type == 'windows:registry:key_value': self.assertEquals(event_object.timestamp_desc, eventdata.EventTimestamp.WRITTEN_TIME) else: self.assertEquals(event_object.timestamp_desc, eventdata.EventTimestamp.WRITTEN_TIME) for tag in read_store.GetTagging(): event_object = read_store.GetTaggedEvent(tag) tags.append(event_object) groups = list(read_store.GetGrouping()) self.assertEquals(len(groups), 1) group_events = list(read_store.GetEventsFromGroup(groups[0])) # Read the same events that were put in the group, just to compare # against. event_object = read_store.GetEventObject(1, 1) serialized_event_object = serializer.WriteSerialized(event_object) same_events.append(serialized_event_object) event_object = read_store.GetEventObject(1, 2) serialized_event_object = serializer.WriteSerialized(event_object) same_events.append(serialized_event_object) self.assertEquals(len(event_objects), 4) self.assertEquals(len(tags), 4) self.assertEquals(tags[0].timestamp, 12389344590000000) self.assertEquals(tags[0].store_number, 1) self.assertEquals(tags[0].store_index, 0) self.assertEquals(tags[0].tag.comment, u'My comment') self.assertEquals(tags[0].tag.color, u'blue') msg, _ = eventdata.EventFormatterManager.GetMessageStrings(tags[0]) self.assertEquals(msg[0:10], u'This is a ') self.assertEquals(tags[1].tag.tags[0], 'Malware') msg, _ = eventdata.EventFormatterManager.GetMessageStrings(tags[1]) self.assertEquals(msg[0:15], u'[\\HKCU\\Windows\\') self.assertEquals(tags[2].tag.comment, u'This is interesting') self.assertEquals(tags[2].tag.tags[0], 'Malware') self.assertEquals(tags[2].tag.tags[1], 'Benign') self.assertEquals(tags[2].parser, 'UNKNOWN') # Test the newly added fourth tag, which should include data from # the first version as well. self.assertEquals(tags[3].tag.tags[0], 'Interesting') self.assertEquals(tags[3].tag.tags[1], 'Malware') expected_timestamps = [ 12389344590000000, 13349402860000000, 13349615269295969, 13359662069295961] self.assertEquals(timestamps, expected_timestamps) self.assertEquals(groups[0].name, u'Malicious') self.assertEquals(groups[0].category, u'Malware') self.assertEquals(groups[0].color, u'red') self.assertEquals(groups[0].description, u'Events that are malicious') self.assertEquals(groups[0].first_timestamp, 13349402860000000) self.assertEquals(groups[0].last_timestamp, 13349615269295969) self.assertEquals(len(group_events), 2) self.assertEquals(group_events[0].timestamp, 13349402860000000) self.assertEquals(group_events[1].timestamp, 13349615269295969L) proto_group_events = [] for group_event in group_events: serialized_event_object = serializer.WriteSerialized(group_event) proto_group_events.append(serialized_event_object) self.assertEquals(same_events, proto_group_events)