def _ParseFilterOptions(self, options): """Parses the filter options. Args: options: the command line arguments (instance of argparse.Namespace). Raises: BadConfigOption: if the options are invalid. """ self._filter_expression = getattr(options, u'filter', None) if self._filter_expression: self._filter_object = filters.GetFilter(self._filter_expression) if not self._filter_object: raise errors.BadConfigOption( u'Invalid filter expression: {0:s}'.format( self._filter_expression)) self._time_slice_event_time_string = getattr(options, u'slice', None) self._time_slice_duration = getattr(options, u'slice_size', 5) self._use_time_slicer = getattr(options, u'slicer', False) self._front_end.SetFilter(self._filter_object, self._filter_expression) # The slice and slicer cannot be set at the same time. if self._time_slice_event_time_string and self._use_time_slicer: raise errors.BadConfigOption( u'Time slice and slicer cannot be used at the same time.')
def _ParseTaggingFile(self, input_path): """Parses tagging input file. Parses a tagging input file and returns a dictionary of tags, where each key represents a tag and each entry is a list of plaso filters. Args: input_path: filesystem path to the tagging input file. Returns: A dictionary whose keys are tags and values are EventObjectFilter objects. """ with open(input_path, 'rb') as tag_input_file: tags = {} current_tag = u'' for line in tag_input_file: line_rstrip = line.rstrip() line_strip = line_rstrip.lstrip() if not line_strip or line_strip.startswith(u'#'): continue if not line_rstrip[0].isspace(): current_tag = line_rstrip tags[current_tag] = [] else: if not current_tag: continue compiled_filter = filters.GetFilter(line_strip) if compiled_filter: if compiled_filter not in tags[current_tag]: tags[current_tag].append(compiled_filter) else: logging.warning( u'Tag "{0:s}" contains invalid filter: {1:s}'. format(current_tag, line_strip)) return tags
def ParseOptions(self, options): """Parses the options and initializes the front-end. Args: options: the command line arguments (instance of argparse.Namespace). Raises: BadConfigOption: if the options are invalid. """ super(PsortFrontend, self).ParseOptions(options) self._output_format = getattr(options, u'output_format', None) if not self._output_format: raise errors.BadConfigOption(u'Missing output format.') if not output_manager.OutputManager.HasOutputClass(self._output_format): raise errors.BadConfigOption( u'Unsupported output format: {0:s}.'.format(self._output_format)) self._output_filename = getattr(options, u'write', None) self._filter_expression = getattr(options, u'filter', None) if self._filter_expression: self._filter_object = filters.GetFilter(self._filter_expression) if not self._filter_object: raise errors.BadConfigOption( u'Invalid filter expression: {0:s}'.format(self._filter_expression)) # Check to see if we need to create a circular buffer. if getattr(options, u'slicer', None): self._slice_size = getattr(options, u'slice_size', 5) self._filter_buffer = bufferlib.CircularBuffer(self._slice_size) self._preferred_language = getattr(options, u'preferred_language', u'en-US')
def __init__(self, pre_obj, incoming_queue, outgoing_queue): """Constructor for the browser history plugin.""" super(AnalyzeBrowserSearchPlugin, self).__init__(pre_obj, incoming_queue, outgoing_queue) self._filter_dict = {} self._counter = collections.Counter() for filter_str, call_back in self.FILTERS: filter_obj = filters.GetFilter(filter_str) call_back_obj = getattr(FilterClass, call_back, None) if filter_obj and call_back_obj: self._filter_dict[filter_obj] = (call_back, call_back_obj)
def __init__(self, incoming_queue): """Initializes the browser search analysis plugin. Args: incoming_queue: A queue that is used to listen to incoming events. """ super(BrowserSearchPlugin, self).__init__(incoming_queue) self._filter_dict = {} self._counter = collections.Counter() # Store a list of search terms in a timeline format. # The format is key = timestamp, value = (source, engine, search term). self._search_term_timeline = [] for filter_str, call_back in self.FILTERS: filter_obj = filters.GetFilter(filter_str) call_back_obj = getattr(FilterClass, call_back, None) if filter_obj and call_back_obj: self._filter_dict[filter_obj] = (call_back, call_back_obj)
def ParseOptions(self, options): """Parses the options and initializes the front-end. Args: options: the command line arguments (instance of argparse.Namespace). Raises: BadConfigOption: if the options are invalid. """ super(PsortFrontend, self).ParseOptions(options) output_format = getattr(options, 'output_format', None) if not output_format: raise errors.BadConfigOption(u'Missing output format.') self._output_module_class = output_lib.GetOutputFormatter( output_format) if not self._output_module_class: raise errors.BadConfigOption( u'Invalid output format: {0:s}.'.format(output_format)) self._output_stream = getattr(options, 'write', None) if not self._output_stream: self._output_stream = sys.stdout self._filter_expression = getattr(options, 'filter', None) if self._filter_expression: self._filter_object = filters.GetFilter(self._filter_expression) if not self._filter_object: raise errors.BadConfigOption( u'Invalid filter expression: {0:s}'.format( self._filter_expression)) # Check to see if we need to create a circular buffer. if getattr(options, 'slicer', None): self._slice_size = getattr(options, 'slice_size', 5) self._filter_buffer = bufferlib.CircularBuffer( self._slice_size)
def Main(): """Run the tool.""" arg_parser = argparse.ArgumentParser(description=( 'plaso_extract_search_history is a simple script that reads the ' 'content of a plaso storage file and tries to extract known search ' 'engine history from it')) arg_parser.add_argument('-w', '--write', metavar='FILENAME', action='store', dest='output_file', default='', help='Write results to a file.') arg_parser.add_argument('filename', action='store', metavar='STORAGE_FILE', help=('The path to the plaso storage file.')) options = arg_parser.parse_args() preferred_encoding = locale.getpreferredencoding() if preferred_encoding.lower() == 'ascii': preferred_encoding = 'utf-8' if not os.path.isfile(options.filename): raise RuntimeError(u'File {} does not exist'.format(options.filename)) results = {} result_count = {} output_filehandle = output.OutputFilehandle(preferred_encoding) if options.output_file: output_filehandle.Open(path=options.output_file) else: output_filehandle.Open(sys.stdout) # Build filters. filter_dict = {} for filter_str, call_back in FILTERS: filter_obj = filters.GetFilter(filter_str) call_back_obj = getattr(FilterClass, call_back, None) results[call_back] = [] if filter_obj and call_back_obj: filter_dict[filter_obj] = (call_back, call_back_obj) with storage.StorageFile(options.filename, read_only=True) as store: event_object = store.GetSortedEntry() while event_object: for filter_obj, call_backs in filter_dict.items(): call_back_name, call_back_object = call_backs if filter_obj.Match(event_object): url_attribute = getattr(event_object, 'url', None) if not url_attribute: continue ret_line = ScrubLine(call_back_object(url_attribute)) if not ret_line: continue if ret_line in results[call_back_name]: result_count[u'{}:{}'.format(call_back_name, ret_line)] += 1 else: results[call_back_name].append(ret_line) result_count[u'{}:{}'.format(call_back_name, ret_line)] = 1 event_object = store.GetSortedEntry() for engine_name, result_list in results.items(): results_with_count = [] for result in result_list: results_with_count.append( (result_count[u'{}:{}'.format(engine_name, result)], result)) header = u' == ENGINE: {0:s} ==\n'.format(engine_name) output_filehandle.WriteLine(header) for count, result in sorted(results_with_count, reverse=True): line = u'{} {}\n'.format(count, result) output_filehandle.WriteLine(line) output_filehandle.WriteLine('\n')