コード例 #1
ファイル: tagging.py プロジェクト: rgayon/plaso
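  def ExamineEvent(self, mediator, event):
    """Analyzes an EventObject and tags it according to rules in the tag file.

    The efilter rules held in self._tag_rules are applied to the event; every
    label a matching rule yields is collected into a single event tag which is
    handed to the mediator. An event that matches no rule produces no tag.

    Args:
      mediator (AnalysisMediator): mediates interactions between analysis
          plugins and other components, such as storage and dfvfs.
      event (EventObject): event to examine.
    """
    if self._tag_rules is None:
      if self._autodetect_tag_file_attempt:
        # Auto-detection was already tried (the flag is presumably set by
        # _AttemptAutoDetectTagFile) and there is still nothing to tag with,
        # so this event, like every later one, is skipped without logging.
        return
      if not self._AttemptAutoDetectTagFile(mediator):
        logging.info(
            u'No tag definition file specified, and plaso was not able to '
            u'autoselect a tagging file. As no definitions were specified, '
            u'no events will be tagged.')
        return

    # NOTE(review): the rules are operator-supplied configuration evaluated
    # by efilter. allow_io is not passed here, so rule evaluation should not
    # be able to perform I/O -- confirm against efilter's defaults.
    try:
      matched_labels = efilter_api.apply(self._tag_rules, vars=event)
    except efilter_errors.EfilterTypeError as exception:
      # !s (str()) rather than :s -- on Python 3 object.__format__ rejects a
      # non-empty format spec with TypeError, which would make the handler
      # itself raise instead of logging the failed rule and moving on.
      logging.warning(u'Unable to apply efilter query with error: {0!s}'.format(
          exception))
      matched_labels = None

    # A failed evaluation and "no rule matched" are treated the same way.
    if not matched_labels:
      return

    labels = list(efilter_api.getvalues(matched_labels))
    event_tag = self._CreateEventTag(event, self._EVENT_TAG_COMMENT, labels)
    mediator.ProduceEventTag(event_tag)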
コード例 #2
ファイル: tagging.py プロジェクト: robeweber/plaso
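    def ExamineEvent(self, mediator, event):
        """Analyzes an EventObject and tags it according to rules in the tag file.

        Runs the efilter rules in self._tag_rules over the event and, when at
        least one rule matches, emits one event tag carrying all matched labels
        through the mediator. Nothing is emitted otherwise.

        Args:
          mediator (AnalysisMediator): mediates interactions between analysis
              plugins and other components, such as storage and dfvfs.
          event (EventObject): event to examine.
        """
        if self._tag_rules is None:
            if self._autodetect_tag_file_attempt:
                # A tag file was already searched for (flag presumably set by
                # _AttemptAutoDetectTagFile) and none was found: there is
                # nothing to tag with, so bail out quietly.
                return
            if not self._AttemptAutoDetectTagFile(mediator):
                logging.info(
                    u'No tag definition file specified, and plaso was not able to '
                    u'autoselect a tagging file. As no definitions were specified, '
                    u'no events will be tagged.')
                return

        # NOTE(review): the rules come from an operator-supplied tag file and
        # are evaluated by efilter; allow_io is not passed, so they should not
        # be able to do I/O -- confirm against efilter's defaults.
        try:
            matched_labels = efilter_api.apply(self._tag_rules, vars=event)
        except efilter_errors.EfilterTypeError as exception:
            # Format with !s, not :s. Python 3's object.__format__ raises
            # TypeError for a non-empty spec, so ':s' would turn this warning
            # into a crash inside the except handler.
            logging.warning(
                u'Unable to apply efilter query with error: {0!s}'.format(
                    exception))
            matched_labels = None

        # No match and a failed evaluation both mean: no tag for this event.
        if not matched_labels:
            return

        labels = list(efilter_api.getvalues(matched_labels))
        event_tag = self._CreateEventTag(event, self._EVENT_TAG_COMMENT,
                                         labels)
        mediator.ProduceEventTag(event_tag)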
コード例 #3
ファイル: tagging.py プロジェクト: jajp777/plaso
  def ExamineEvent(self, analysis_mediator, event_object, **kwargs):
    """Analyzes an EventObject and tags it according to rules in the tag file.

    Every label produced by a matching efilter rule is added to one EventTag,
    which is appended to self._tags. Events matching no rule are left alone.

    Args:
      analysis_mediator: The analysis mediator object (instance of
                         AnalysisMediator).
      event_object: The event object (instance of EventObject) to examine.
    """
    if self._tag_rules is None:
      if self._autodetect_tag_file_attempt:
        # Auto-detection already ran (flag presumably set by
        # _AttemptAutoDetectTagFile) and found nothing, so there is nothing
        # to tag with for this or any other event.
        return
      found_tag_file = self._AttemptAutoDetectTagFile(analysis_mediator)
      if not found_tag_file:
        logging.info(
            u'No tag definition file specified, and plaso was not able to '
            u'autoselect a tagging file. As no definitions were specified, '
            u'no events will be tagged.')
        return

    # NOTE(review): apply() is not wrapped in a try/except here, so an efilter
    # error raised by one rule/event pair propagates and aborts the caller;
    # consider catching efilter's error types and logging instead. allow_io
    # is not passed, so the rules should not be able to do I/O -- confirm.
    matched_labels = efilter_api.apply(self._tag_rules, vars=event_object)
    if not matched_labels:
      return

    uuid = event_object.uuid
    tag = events.EventTag(
        comment=u'Tag applied by tagging analysis plugin.',
        event_uuid=uuid)
    # getvalues() yields the labels regardless of whether the query returned
    # a single value or a repeated one.
    for matched_label in efilter_api.getvalues(matched_labels):
      tag.AddLabel(matched_label)

    logging.debug(u'Tagging event: {0!s}'.format(uuid))
    self._tags.append(tag)
コード例 #4
ファイル: star_catalog.py プロジェクト: rlugojr/dotty
def main():
    """Runs every (description, query) pair in QUERIES and prints the results.

    For each query the inferred return type is printed first, then each value
    the query produced, numbered from 1, followed by two blank lines.
    """
    for description, query in QUERIES:
        print("# %s\n%s" % (description, query))
        _print_inferred_type(query)
        for row_number, value in enumerate(_evaluate(query), start=1):
            print("%d - %r" % (row_number, value))
        print("\n\n")


def _print_inferred_type(query):
    """Prints the type EFILTER's inference system predicts for *query*."""
    # infer() runs the type inference only; the query is not executed here.
    result_type = api.infer(query,
                            replacements=[CATALOG_PATH],
                            libs=("stdcore", "stdio"))
    print("# Return type will be %s." % (result_type.__name__,))


def _evaluate(query):
    """Executes *query* and returns an iterator over its result values.

    getvalues() normalises a scalar or repeated result into one iterator, so
    the caller need not know the query's cardinality.
    """
    # parsec2ly is exposed to the query language wrapped in user_func; the
    # wrapper marks it as deliberately callable so EFILTER cannot reach
    # arbitrary Python functions by accident.
    bound_vars = {"parsec2ly": api.user_func(parsec2ly)}
    # NOTE(review): allow_io=True permits the query itself to perform file I/O
    # (presumably how the catalog at CATALOG_PATH is read). That is acceptable
    # for these hard-coded queries; never enable it for query text that comes
    # from an untrusted source.
    results = api.apply(query,
                        replacements=[CATALOG_PATH],
                        allow_io=True,
                        vars=bound_vars)
    return api.getvalues(results)
コード例 #5
def main():
    """Executes each query in QUERIES and prints its values, numbered from 1.

    Each query is printed with its description, then one line per result
    value, then two blank lines.
    """
    for description, query in QUERIES:
        print("# %s\n%s" % (description, query))

        # Top-level names visible to the query go in 'vars'. parsec2ly is
        # wrapped in user_func so EFILTER treats it as a deliberately exposed
        # callable rather than an arbitrary Python function.
        query_vars = {"parsec2ly": api.user_func(parsec2ly)}

        # NOTE(review): allow_io=True lets the query perform file I/O
        # (presumably needed to read the catalog at CATALOG_PATH). Fine for
        # these hard-coded queries; do not pass it for query text supplied by
        # an untrusted party.
        results = api.apply(query,
                            replacements=[CATALOG_PATH],
                            allow_io=True,
                            vars=query_vars)

        # getvalues() hides the query's cardinality: scalar or repeated, we
        # always get an iterator of values.
        row_number = 1
        for value in api.getvalues(results):
            print("%d - %r" % (row_number, value))
            row_number += 1

        print("\n\n")