def _ParseRecordLogline(self, parser_mediator, structure):
"""Parses a logline record structure and produces events.
Args:
parser_mediator (ParserMediator): mediates interactions between parsers
and other components, such as storage and dfvfs.
structure (pyparsing.ParseResults): structure of tokens derived from
log entry.
"""
time_zone = parser_mediator.timezone
time_elements_structure = self._GetValueFromStructure(
structure, 'start_time')
try:
date_time = dfdatetime_time_elements.TimeElementsInMilliseconds(
time_elements_tuple=time_elements_structure)
# Setupapi logs stores date and time values in local time.
date_time.is_local_time = True
except ValueError:
parser_mediator.ProduceExtractionWarning(
'invalid date time value: {0!s}'.format(
time_elements_structure))
return
event_data = SetupapiLogEventData()
event_data.entry_type = self._GetValueFromStructure(
structure, 'entry_type')
event_data.entry_status = 'START'
event = time_events.DateTimeValuesEvent(
date_time, definitions.TIME_DESCRIPTION_START, time_zone=time_zone)
# Create event for the start of the setupapi section
parser_mediator.ProduceEventWithEventData(event, event_data)
event_data.entry_status = self._GetValueFromStructure(
structure, 'entry_status')
time_elements_structure = self._GetValueFromStructure(
structure, 'end_time')
try:
date_time = dfdatetime_time_elements.TimeElementsInMilliseconds(
time_elements_tuple=time_elements_structure)
date_time.is_local_time = True
except ValueError:
parser_mediator.ProduceExtractionWarning(
'invalid date time value: {0!s}'.format(
time_elements_structure))
return
event = time_events.DateTimeValuesEvent(
date_time, definitions.TIME_DESCRIPTION_END, time_zone=time_zone)
# Create event for the end of the setupapi section
parser_mediator.ProduceEventWithEventData(event, event_data)
def testGetDate(self):
"""Tests the GetDate function."""
time_elements_object = time_elements.TimeElementsInMilliseconds(
time_elements_tuple=(2010, 8, 12, 20, 6, 31, 429))
date_tuple = time_elements_object.GetDate()
self.assertEqual(date_tuple, (2010, 8, 12))
time_elements_object = time_elements.TimeElementsInMilliseconds()
date_tuple = time_elements_object.GetDate()
self.assertEqual(date_tuple, (None, None, None))
def testCopyToDateTimeString(self):
"""Tests the CopyToDateTimeString function."""
time_elements_object = time_elements.TimeElementsInMilliseconds(
time_elements_tuple=(2010, 8, 12, 20, 6, 31, 429))
date_time_string = time_elements_object.CopyToDateTimeString()
self.assertEqual(date_time_string, '2010-08-12 20:06:31.429')
time_elements_object = time_elements.TimeElementsInMilliseconds()
date_time_string = time_elements_object.CopyToDateTimeString()
self.assertIsNone(date_time_string)
def testGetTimeOfDay(self):
"""Tests the GetTimeOfDay function."""
time_elements_object = time_elements.TimeElementsInMilliseconds(
time_elements_tuple=(2010, 8, 12, 20, 6, 31, 429))
time_of_day_tuple = time_elements_object.GetTimeOfDay()
self.assertEqual(time_of_day_tuple, (20, 6, 31))
time_elements_object = time_elements.TimeElementsInMilliseconds()
time_of_day_tuple = time_elements_object.GetTimeOfDay()
self.assertEqual(time_of_day_tuple, (None, None, None))
def testGetNormalizedTimestamp(self):
"""Tests the _GetNormalizedTimestamp function."""
time_elements_object = time_elements.TimeElementsInMilliseconds(
time_elements_tuple=(2010, 8, 12, 20, 6, 31, 429))
normalized_timestamp = time_elements_object._GetNormalizedTimestamp()
self.assertEqual(normalized_timestamp,
decimal.Decimal('1281643591.429'))
time_elements_object = time_elements.TimeElementsInMilliseconds()
normalized_timestamp = time_elements_object._GetNormalizedTimestamp()
self.assertIsNone(normalized_timestamp)
def testCopyToStatTimeTuple(self):
"""Tests the CopyToStatTimeTuple function."""
time_elements_object = time_elements.TimeElementsInMilliseconds(
time_elements_tuple=(2010, 8, 12, 20, 6, 31, 429))
expected_stat_time_tuple = (1281643591, 429000)
stat_time_tuple = time_elements_object.CopyToStatTimeTuple()
self.assertEqual(stat_time_tuple, expected_stat_time_tuple)
time_elements_object = time_elements.TimeElementsInMilliseconds()
expected_stat_time_tuple = (None, None)
stat_time_tuple = time_elements_object.CopyToStatTimeTuple()
self.assertEqual(stat_time_tuple, expected_stat_time_tuple)
def testGetPlasoTimestamp(self):
"""Tests the GetPlasoTimestamp function."""
time_elements_object = time_elements.TimeElementsInMilliseconds(
time_elements_tuple=(2010, 8, 12, 20, 6, 31, 429))
expected_micro_posix_number_of_seconds = 1281643591429000
micro_posix_number_of_seconds = time_elements_object.GetPlasoTimestamp()
self.assertEqual(
micro_posix_number_of_seconds, expected_micro_posix_number_of_seconds)
time_elements_object = time_elements.TimeElementsInMilliseconds()
micro_posix_number_of_seconds = time_elements_object.GetPlasoTimestamp()
self.assertIsNone(micro_posix_number_of_seconds)
def testCopyFromDateTimeString(self):
"""Tests the CopyFromDateTimeString function."""
time_elements_object = time_elements.TimeElementsInMilliseconds()
expected_time_elements_tuple = (2010, 8, 12, 0, 0, 0)
expected_number_of_seconds = 1281571200
time_elements_object.CopyFromDateTimeString('2010-08-12')
self.assertEqual(time_elements_object._time_elements_tuple,
expected_time_elements_tuple)
self.assertEqual(time_elements_object._number_of_seconds,
expected_number_of_seconds)
self.assertEqual(time_elements_object.milliseconds, 0)
expected_time_elements_tuple = (2010, 8, 12, 21, 6, 31)
expected_number_of_seconds = 1281647191
time_elements_object.CopyFromDateTimeString('2010-08-12 21:06:31')
self.assertEqual(time_elements_object._time_elements_tuple,
expected_time_elements_tuple)
self.assertEqual(time_elements_object._number_of_seconds,
expected_number_of_seconds)
self.assertEqual(time_elements_object.milliseconds, 0)
expected_time_elements_tuple = (2010, 8, 12, 21, 6, 31)
expected_number_of_seconds = 1281647191
time_elements_object.CopyFromDateTimeString(
'2010-08-12 21:06:31.546875')
self.assertEqual(time_elements_object._time_elements_tuple,
expected_time_elements_tuple)
self.assertEqual(time_elements_object._number_of_seconds,
expected_number_of_seconds)
self.assertEqual(time_elements_object.milliseconds, 546)
expected_time_elements_tuple = (2010, 8, 12, 22, 6, 31)
expected_number_of_seconds = 1281650791
time_elements_object.CopyFromDateTimeString(
'2010-08-12 21:06:31.546875-01:00')
self.assertEqual(time_elements_object._time_elements_tuple,
expected_time_elements_tuple)
self.assertEqual(time_elements_object._number_of_seconds,
expected_number_of_seconds)
self.assertEqual(time_elements_object.milliseconds, 546)
expected_time_elements_tuple = (2010, 8, 12, 20, 6, 31)
expected_number_of_seconds = 1281643591
time_elements_object.CopyFromDateTimeString(
'2010-08-12 21:06:31.546875+01:00')
self.assertEqual(time_elements_object._time_elements_tuple,
expected_time_elements_tuple)
self.assertEqual(time_elements_object._number_of_seconds,
expected_number_of_seconds)
self.assertEqual(time_elements_object.milliseconds, 546)
expected_time_elements_tuple = (1601, 1, 2, 0, 0, 0)
expected_number_of_seconds = -11644387200
time_elements_object.CopyFromDateTimeString('1601-01-02 00:00:00')
self.assertEqual(time_elements_object._time_elements_tuple,
expected_time_elements_tuple)
self.assertEqual(time_elements_object._number_of_seconds,
expected_number_of_seconds)
self.assertEqual(time_elements_object.milliseconds, 0)
def _ParseRecordLogline(self, parser_mediator, structure):
"""Parses a logline record structure and produces events.
Args:
parser_mediator (ParserMediator): mediates interactions between parsers
and other components, such as storage and dfvfs.
structure (pyparsing.ParseResults): structure of tokens derived from
a line of a text file.
"""
date_time = dfdatetime_time_elements.TimeElementsInMilliseconds()
try:
datetime_iso8601 = self._GetISO8601String(structure.date_time)
date_time.CopyFromStringISO8601(datetime_iso8601)
except ValueError:
parser_mediator.ProduceExtractionError(
'invalid date time value: {0!s}'.format(structure.date_time))
return
event_data = GoogleDriveSyncLogEventData()
event_data.log_level = structure.log_level
event_data.pid = structure.pid
event_data.thread = structure.thread
event_data.source_code = structure.source_code
# Replace newlines with spaces in structure.message to preserve output.
event_data.message = structure.message.replace('\n', ' ')
event = time_events.DateTimeValuesEvent(
date_time, definitions.TIME_DESCRIPTION_ADDED)
parser_mediator.ProduceEventWithEventData(event, event_data)
def VerifyStructure(self, parser_mediator, lines):
"""Verify that this file is a SkyDrive log file.
Args:
parser_mediator (ParserMediator): mediates interactions between parsers
and other components, such as storage and dfvfs.
lines (str): one or more lines from the text file.
Returns:
bool: True if this is the correct parser, False otherwise.
"""
try:
structure = self._SDF_HEADER.parseString(lines)
except pyparsing.ParseException:
logger.debug('Not a SkyDrive log file')
return False
try:
dfdatetime_time_elements.TimeElementsInMilliseconds(
time_elements_tuple=structure.header_date_time)
except ValueError:
logger.debug(
'Not a SkyDrive log file, invalid date and time: {0!s}'.format(
structure.header_date_time))
return False
return True
def _ParseHeader(self, parser_mediator, structure):
"""Parse header lines and store appropriate attributes.
['Logging started.', 'Version=', '17.0.2011.0627',
[2013, 7, 25], 16, 3, 23, 291, 'StartLocalTime', '<details>']
Args:
parser_mediator (ParserMediator): mediates interactions between parsers
and other components, such as storage and dfvfs.
structure (pyparsing.ParseResults): structure of tokens derived from
a line of a text file.
"""
try:
date_time = dfdatetime_time_elements.TimeElementsInMilliseconds(
time_elements_tuple=structure.header_date_time)
except ValueError:
parser_mediator.ProduceExtractionWarning(
'invalid date time value: {0!s}'.format(structure.header_date_time))
return
event_data = SkyDriveLogEventData()
# TODO: refactor detail to individual event data attributes.
event_data.detail = '{0:s} {1:s} {2:s} {3:s} {4:s}'.format(
structure.log_start, structure.version_string,
structure.version_number, structure.local_time_string,
structure.details)
event = time_events.DateTimeValuesEvent(
date_time, definitions.TIME_DESCRIPTION_ADDED)
parser_mediator.ProduceEventWithEventData(event, event_data)
def VerifyStructure(self, parser_mediator, lines):
"""Verify that this file is a Google Drive Sync log file.
Args:
parser_mediator (ParserMediator): mediates interactions between parsers
and other components, such as storage and dfvfs.
lines (str): one or more lines from the text file.
Returns:
bool: True if this is the correct parser, False otherwise.
"""
try:
structure = self._GDS_LINE.parseString(lines)
except pyparsing.ParseException as exception:
logger.debug(
'Not a Google Drive Sync log file: {0!s}'.format(exception))
return False
date_time = dfdatetime_time_elements.TimeElementsInMilliseconds()
date_time_string = self._GetValueFromStructure(structure, 'date_time')
try:
datetime_iso8601 = self._GetISO8601String(date_time_string)
date_time.CopyFromStringISO8601(datetime_iso8601)
except ValueError as exception:
logger.debug(
('Not a Google Drive Sync log file, invalid date/time: {0!s} '
'with error: {1!s}').format(date_time_string, exception))
return False
return True
def VerifyStructure(self, parser_mediator, line):
"""Verify that this file is a SkyDrive old log file.
Args:
parser_mediator (ParserMediator): mediates interactions between parsers
and other components, such as storage and dfvfs.
line (str): line from a text file.
Returns:
bool: True if the line is in the expected format, False if not.
"""
try:
structure = self._LINE.parseString(line)
except pyparsing.ParseException:
logger.debug('Not a SkyDrive old log file')
return False
day_of_month, month, year, hours, minutes, seconds, milliseconds = (
structure.date_time)
time_elements_tuple = (
year, month, day_of_month, hours, minutes, seconds, milliseconds)
try:
dfdatetime_time_elements.TimeElementsInMilliseconds(
time_elements_tuple=time_elements_tuple)
except ValueError:
logger.debug(
'Not a SkyDrive old log file, invalid date and time: {0!s}'.format(
structure.date_time))
return False
return True
def testInitialize(self):
"""Tests the initialization function."""
time_elements_object = time_elements.TimeElements()
self.assertIsNotNone(time_elements_object)
expected_time_elements_tuple = (2010, 8, 12, 20, 6, 31)
time_elements_object = time_elements.TimeElementsInMilliseconds(
time_elements_tuple=(2010, 8, 12, 20, 6, 31, 546))
self.assertIsNotNone(time_elements_object)
self.assertEqual(
time_elements_object._time_elements_tuple, expected_time_elements_tuple)
self.assertEqual(time_elements_object._milliseconds, 546)
with self.assertRaises(ValueError):
time_elements.TimeElementsInMilliseconds(
time_elements_tuple=(2010, 13, 12, 20, 6, 31))
with self.assertRaises(ValueError):
time_elements.TimeElementsInMilliseconds(
time_elements_tuple=(2010, 13, 12, 20, 6, 31, 1001))
def ParseRecord(self, parser_mediator, key, structure):
"""Parse the record and return an SCCM log event object.
Args:
parser_mediator (ParserMediator): mediates interactions between parsers
and other components, such as storage and dfvfs.
key (str): name of the parsed structure.
structure (pyparsing.ParseResults): structure of tokens derived from
a line of a text file.
Raises:
ParseError: when the structure type is unknown.
"""
if key not in ('log_entry', 'log_entry_at_end', 'log_entry_offset',
'log_entry_offset_at_end'):
raise errors.ParseError(
'Unable to parse record, unknown structure: {0:s}'.format(key))
try:
date_time_string = self._GetISO8601String(structure)
except ValueError as exception:
parser_mediator.ProduceExtractionWarning(
'unable to determine date time string with error: {0!s}'.
format(exception))
fraction_of_second = self._GetValueFromStructure(
structure, 'fraction_of_second')
fraction_of_second_length = len(fraction_of_second)
if fraction_of_second_length == 3:
date_time = dfdatetime_time_elements.TimeElementsInMilliseconds()
elif fraction_of_second_length in (6, 7):
date_time = dfdatetime_time_elements.TimeElementsInMicroseconds()
try:
date_time.CopyFromStringISO8601(date_time_string)
except ValueError as exception:
parser_mediator.ProduceExtractionWarning(
'unable to parse date time value: {0:s} with error: {1!s}'.
format(date_time_string, exception))
return
event_data = SCCMLogEventData()
event_data.component = self._GetValueFromStructure(
structure, 'component')
# TODO: pass line number to offset or remove.
event_data.offset = 0
event_data.text = self._GetValueFromStructure(structure, 'text')
event = time_events.DateTimeValuesEvent(
date_time, definitions.TIME_DESCRIPTION_WRITTEN)
parser_mediator.ProduceEventWithEventData(event, event_data)
def VerifyStructure(self, parser_mediator, line):
"""Verify that this file is a Mac Wifi log file.
Args:
parser_mediator (ParserMediator): mediates interactions between parsers
and other components, such as storage and dfvfs.
line (str): line from a text file.
Returns:
bool: True if the line is in the expected format, False if not.
"""
self._last_month = 0
self._year_use = parser_mediator.GetEstimatedYear()
key = 'header'
try:
structure = self._MAC_WIFI_HEADER.parseString(line)
except pyparsing.ParseException:
structure = None
if not structure:
key = 'turned_over_header'
try:
structure = self._MAC_WIFI_TURNED_OVER_HEADER.parseString(line)
except pyparsing.ParseException:
structure = None
if not structure:
logger.debug('Not a Mac Wifi log file')
return False
time_elements_tuple = self._GetTimeElementsTuple(key, structure)
try:
dfdatetime_time_elements.TimeElementsInMilliseconds(
time_elements_tuple=time_elements_tuple)
except ValueError:
logger.debug(
'Not a Mac Wifi log file, invalid date and time: {0!s}'.format(
structure.date_time))
return False
self._last_month = time_elements_tuple[1]
return True
def _ParseLine(self, parser_mediator, structure):
"""Parses a logline and store appropriate attributes.
Args:
parser_mediator (ParserMediator): mediates interactions between parsers
and other components, such as storage and dfvfs.
structure (pyparsing.ParseResults): structure of tokens derived from
a line of a text file.
"""
time_elements_tuple = self._GetValueFromStructure(
structure, 'date_time')
# TODO: what if time elements tuple is None.
# TODO: Verify if date and time value is locale dependent.
month, day_of_month, year, hours, minutes, seconds, milliseconds = (
time_elements_tuple)
year += 2000
time_elements_tuple = (year, month, day_of_month, hours, minutes,
seconds, milliseconds)
try:
date_time = dfdatetime_time_elements.TimeElementsInMilliseconds(
time_elements_tuple=time_elements_tuple)
except ValueError:
parser_mediator.ProduceExtractionWarning(
'invalid date time value: {0!s}'.format(time_elements_tuple))
return
# Replace newlines with spaces in structure.detail to preserve output.
# TODO: refactor detail to individual event data attributes.
detail = self._GetValueFromStructure(structure, 'detail')
if detail:
detail = detail.replace('\n', ' ')
event_data = SkyDriveLogEventData()
event_data.detail = detail
event_data.log_level = self._GetValueFromStructure(
structure, 'log_level')
event_data.module = self._GetValueFromStructure(structure, 'module')
event_data.source_code = self._GetValueFromStructure(
structure, 'source_code')
event = time_events.DateTimeValuesEvent(
date_time, definitions.TIME_DESCRIPTION_ADDED)
parser_mediator.ProduceEventWithEventData(event, event_data)
def testCopyFromStringTuple(self):
"""Tests the CopyFromStringTuple function."""
time_elements_object = time_elements.TimeElementsInMilliseconds()
expected_time_elements_tuple = (2010, 8, 12, 20, 6, 31)
time_elements_object.CopyFromStringTuple(
time_elements_tuple=(u'2010', u'8', u'12', u'20', u'6', u'31', u'546'))
self.assertIsNotNone(time_elements_object)
self.assertEqual(
time_elements_object._time_elements_tuple, expected_time_elements_tuple)
self.assertEqual(time_elements_object._milliseconds, 546)
with self.assertRaises(ValueError):
time_elements_object.CopyFromStringTuple(
time_elements_tuple=(u'2010', u'8', u'12', u'20', u'6', u'31'))
with self.assertRaises(ValueError):
time_elements_object.CopyFromStringTuple(
time_elements_tuple=(u'2010', u'8', u'12', u'20', u'6', u'31', u'9S'))
def _GetTimeElements(self, time_structure):
"""Builds time elements from a setupapi time_stamp field.
Args:
time_structure (pyparsing.ParseResults): structure of tokens derived from
a setupapi time_stamp field.
Returns:
dfdatetime.TimeElements: date and time extracted from the value or None
if the structure does not represent a valid date and time value.
"""
try:
date_time = dfdatetime_time_elements.TimeElementsInMilliseconds(
time_elements_tuple=time_structure)
# Setupapi logs store date and time values in local time.
date_time.is_local_time = True
return date_time
except ValueError:
return None
def _ParseLogline(self, parser_mediator, structure):
"""Parse a logline and store appropriate attributes.
Args:
parser_mediator (ParserMediator): mediates interactions between parsers
and other components, such as storage and dfvfs.
structure (pyparsing.ParseResults): structure of tokens derived from
a line of a text file.
"""
time_elements_tuple = self._GetValueFromStructure(
structure, 'date_time')
# TODO: what if time elements tuple is None.
# TODO: Verify if date and time value is locale dependent.
month, day_of_month, year, hours, minutes, seconds, milliseconds = (
time_elements_tuple)
time_elements_tuple = (year, month, day_of_month, hours, minutes,
seconds, milliseconds)
try:
date_time = dfdatetime_time_elements.TimeElementsInMilliseconds(
time_elements_tuple=time_elements_tuple)
except ValueError:
parser_mediator.ProduceExtractionWarning(
'invalid date time value: {0!s}'.format(time_elements_tuple))
return
event_data = SkyDriveOldLogEventData()
event_data.log_level = self._GetValueFromStructure(
structure, 'log_level')
event_data.offset = self.offset
event_data.source_code = self._GetValueFromStructure(
structure, 'source_code')
event_data.text = self._GetValueFromStructure(structure, 'text')
event = time_events.DateTimeValuesEvent(
date_time, definitions.TIME_DESCRIPTION_ADDED)
parser_mediator.ProduceEventWithEventData(event, event_data)
self._last_date_time = date_time
self._last_event_data = event_data
def _ParseLogLine(self, parser_mediator, key, structure):
"""Parse a single log line and produce an event object.
Args:
parser_mediator (ParserMediator): mediates interactions between parsers
and other components, such as storage and dfvfs.
key (str): name of the parsed structure.
structure (pyparsing.ParseResults): structure of tokens derived from
a line of a text file.
"""
time_elements_tuple = self._GetTimeElementsTuple(key, structure)
try:
date_time = dfdatetime_time_elements.TimeElementsInMilliseconds(
time_elements_tuple=time_elements_tuple)
except ValueError:
parser_mediator.ProduceExtractionWarning(
'invalid date time value: {0!s}'.format(time_elements_tuple))
return
self._last_month = time_elements_tuple[1]
function = self._GetValueFromStructure(structure, 'function')
if function:
# Due to the use of CharsNotIn the function value can contain leading
# or trailing whitespace.
function = function.strip()
event_data = MacWifiLogEventData()
event_data.agent = self._GetValueFromStructure(structure, 'agent')
event_data.function = function
event_data.text = self._GetValueFromStructure(structure, 'text')
if key == 'known_function_logline':
event_data.action = self._GetAction(event_data.function,
event_data.text)
event = time_events.DateTimeValuesEvent(
date_time, definitions.TIME_DESCRIPTION_ADDED)
parser_mediator.ProduceEventWithEventData(event, event_data)
def VerifyStructure(self, parser_mediator, lines):
"""Verify that this file is a Windows Setupapi log file.
Args:
parser_mediator (ParserMediator): mediates interactions between parsers
and other components, such as storage and dfvfs.
lines (str): one or more lines from the text file.
Returns:
bool: True if this is the correct parser, False otherwise.
"""
try:
structure = self._SETUPAPI_LINE.parseString(lines)
except pyparsing.ParseException as exception:
logger.debug(
'Not a Windows Setupapi log file: {0!s}'.format(exception))
return False
time_elements_structure = self._GetValueFromStructure(
structure, 'start_time')
try:
date_time = dfdatetime_time_elements.TimeElementsInMilliseconds(
time_elements_tuple=time_elements_structure)
except ValueError as exception:
logger.debug(
('Not a Windows Setupapi log file, invalid date/time: {0!s} '
'with error: {1!s}').format(time_elements_structure,
exception))
return False
if not date_time:
logger.debug(
('Not a Windows Setupapi log file, '
'invalid date/time: {0!s}').format(time_elements_structure))
return False
return True
def _ParseLine(self, parser_mediator, structure):
"""Parses a logline and store appropriate attributes.
Args:
parser_mediator (ParserMediator): mediates interactions between parsers
and other components, such as storage and dfvfs.
structure (pyparsing.ParseResults): structure of tokens derived from
a line of a text file.
"""
# TODO: Verify if date and time value is locale dependent.
month, day_of_month, year, hours, minutes, seconds, milliseconds = (
structure.date_time)
year += 2000
time_elements_tuple = (year, month, day_of_month, hours, minutes,
seconds, milliseconds)
try:
date_time = dfdatetime_time_elements.TimeElementsInMilliseconds(
time_elements_tuple=time_elements_tuple)
except ValueError:
parser_mediator.ProduceExtractionError(
u'invalid date time value: {0!s}'.format(structure.date_time))
return
event_data = SkyDriveLogEventData()
# Replace newlines with spaces in structure.detail to preserve output.
# TODO: refactor detail to individual event data attributes.
event_data.detail = structure.detail.replace(u'\n', u' ')
event_data.log_level = structure.log_level
event_data.module = structure.module
event_data.source_code = structure.source_code
event = time_events.DateTimeValuesEvent(
date_time, eventdata.EventTimestamp.ADDED_TIME)
parser_mediator.ProduceEventWithEventData(event, event_data)
def testCopyFromStringISO8601(self):
"""Tests the CopyFromStringISO8601 function."""
time_elements_object = time_elements.TimeElementsInMilliseconds()
expected_time_elements_tuple = (2010, 8, 12, 0, 0, 0, 0)
expected_number_of_seconds = 1281571200
time_elements_object.CopyFromStringISO8601(u'2010-08-12')
self.assertEqual(
time_elements_object._time_elements_tuple, expected_time_elements_tuple)
self.assertEqual(
time_elements_object._number_of_seconds, expected_number_of_seconds)
expected_time_elements_tuple = (2010, 8, 12, 21, 6, 31, 0)
expected_number_of_seconds = 1281647191
time_elements_object.CopyFromStringISO8601(u'2010-08-12T21:06:31')
self.assertEqual(
time_elements_object._time_elements_tuple, expected_time_elements_tuple)
self.assertEqual(
time_elements_object._number_of_seconds, expected_number_of_seconds)
expected_time_elements_tuple = (2010, 8, 12, 21, 6, 31, 0)
expected_number_of_seconds = 1281647191
time_elements_object.CopyFromStringISO8601(u'2010-08-12T21:06:31Z')
self.assertEqual(
time_elements_object._time_elements_tuple, expected_time_elements_tuple)
self.assertEqual(
time_elements_object._number_of_seconds, expected_number_of_seconds)
expected_time_elements_tuple = (2010, 8, 12, 21, 6, 31, 546)
expected_number_of_seconds = 1281647191
time_elements_object.CopyFromStringISO8601(u'2010-08-12T21:06:31.546875')
self.assertEqual(
time_elements_object._time_elements_tuple, expected_time_elements_tuple)
self.assertEqual(
time_elements_object._number_of_seconds, expected_number_of_seconds)
expected_time_elements_tuple = (2010, 8, 12, 21, 6, 31, 546)
expected_number_of_seconds = 1281647191
time_elements_object.CopyFromStringISO8601(u'2010-08-12T21:06:31,546875')
self.assertEqual(
time_elements_object._time_elements_tuple, expected_time_elements_tuple)
self.assertEqual(
time_elements_object._number_of_seconds, expected_number_of_seconds)
expected_time_elements_tuple = (2010, 8, 12, 22, 6, 31, 546)
expected_number_of_seconds = 1281650791
time_elements_object.CopyFromStringISO8601(
u'2010-08-12T21:06:31.546875-01:00')
self.assertEqual(
time_elements_object._time_elements_tuple, expected_time_elements_tuple)
self.assertEqual(
time_elements_object._number_of_seconds, expected_number_of_seconds)
expected_time_elements_tuple = (2010, 8, 12, 20, 6, 31, 546)
expected_number_of_seconds = 1281643591
time_elements_object.CopyFromStringISO8601(
u'2010-08-12T21:06:31.546875+01:00')
self.assertEqual(
time_elements_object._time_elements_tuple, expected_time_elements_tuple)
self.assertEqual(
time_elements_object._number_of_seconds, expected_number_of_seconds)
with self.assertRaises(ValueError):
time_elements_object.CopyFromStringISO8601(None)
with self.assertRaises(ValueError):
time_elements_object.CopyFromStringISO8601(
u'2010-08-12 21:06:31.546875+01:00')
# Valid ISO 8601 notations currently not supported.
with self.assertRaises(ValueError):
time_elements_object.CopyFromStringISO8601(u'2016-W33')
with self.assertRaises(ValueError):
time_elements_object.CopyFromStringISO8601(u'2016-W33-3')
with self.assertRaises(ValueError):
time_elements_object.CopyFromStringISO8601(u'--08-17')
with self.assertRaises(ValueError):
time_elements_object.CopyFromStringISO8601(u'2016-230')
with self.assertRaises(ValueError):
time_elements_object.CopyFromStringISO8601(u'2010-08-12T21:06:31.5')
def ParseRecord(self, parser_mediator, key, structure):
"""Parses a matching entry.
Args:
parser_mediator (ParserMediator): mediates interactions between parsers
and other components, such as storage and dfvfs.
key (str): name of the parsed structure.
structure (pyparsing.ParseResults): elements parsed from the file.
Raises:
ParseError: when the structure type is unknown.
"""
if key not in self._SUPPORTED_KEYS:
raise errors.ParseError(
'Unable to parse record, unknown structure: {0:s}'.format(key))
if key == 'quota_exceeded_line':
# skip this line
return
date_time = dfdatetime_time_elements.TimeElementsInMilliseconds()
date_time_string = self._GetValueFromStructure(structure, 'date')
try:
date_time.CopyFromStringISO8601(date_time_string)
except ValueError:
parser_mediator.ProduceExtractionWarning(
'invalid date time value: {0!s}'.format(date_time_string))
return
if key == 'execution_line':
event_data = SantaExecutionEventData()
event_data.action = self._GetValueFromStructure(
structure, 'action')
event_data.decision = self._GetValueFromStructure(
structure, 'decision')
event_data.reason = self._GetValueFromStructure(
structure, 'reason')
event_data.process_hash = self._GetValueFromStructure(
structure, 'sha256')
event_data.certificate_hash = self._GetValueFromStructure(
structure, 'cert_sha256')
event_data.certificate_common_name = self._GetValueFromStructure(
structure, 'cert_cn')
event_data.quarantine_url = self._GetValueFromStructure(
structure, 'quarantine_url')
event_data.pid = self._GetValueFromStructure(structure, 'pid')
event_data.ppid = self._GetValueFromStructure(structure, 'ppid')
event_data.uid = self._GetValueFromStructure(structure, 'uid')
event_data.user = self._GetValueFromStructure(structure, 'user')
event_data.gid = self._GetValueFromStructure(structure, 'gid')
event_data.group = self._GetValueFromStructure(structure, 'group')
event_data.mode = self._GetValueFromStructure(structure, 'mode')
event_data.process_path = self._GetValueFromStructure(
structure, 'path')
event_data.process_arguments = self._GetValueFromStructure(
structure, 'args')
event = time_events.DateTimeValuesEvent(
date_time, definitions.TIME_DESCRIPTION_LAST_RUN)
elif key == 'file_system_event_line':
event_data = SantaFileSystemEventData()
event_data.action = self._GetValueFromStructure(
structure, 'action')
event_data.file_path = self._GetValueFromStructure(
structure, 'path')
event_data.file_new_path = self._GetValueFromStructure(
structure, 'newpath')
event_data.pid = self._GetValueFromStructure(structure, 'pid')
event_data.ppid = self._GetValueFromStructure(structure, 'ppid')
event_data.process = self._GetValueFromStructure(
structure, 'process')
event_data.process_path = self._GetValueFromStructure(
structure, 'processpath')
event_data.uid = self._GetValueFromStructure(structure, 'uid')
event_data.user = self._GetValueFromStructure(structure, 'user')
event_data.gid = self._GetValueFromStructure(structure, 'gid')
event_data.group = self._GetValueFromStructure(structure, 'group')
event = time_events.DateTimeValuesEvent(
date_time, definitions.TIME_DESCRIPTION_WRITTEN)
elif key == 'umount_line':
event_data = SantaMountEventData()
event_data.action = self._GetValueFromStructure(
structure, 'action')
event_data.mount = self._GetValueFromStructure(structure, 'mount')
event_data.volume = self._GetValueFromStructure(
structure, 'volume')
event_data.bsd_name = self._GetValueFromStructure(
structure, 'bsd_name')
event = time_events.DateTimeValuesEvent(
date_time, definitions.TIME_DESCRIPTION_WRITTEN)
elif key == 'mount_line':
event_data = SantaMountEventData()
event_data.action = self._GetValueFromStructure(
structure, 'action')
event_data.mount = self._GetValueFromStructure(structure, 'mount')
event_data.volume = self._GetValueFromStructure(
structure, 'volume')
event_data.bsd_name = self._GetValueFromStructure(
structure, 'bsd_name')
event_data.fs = self._GetValueFromStructure(structure, 'fs')
event_data.model = self._GetValueFromStructure(structure, 'model')
event_data.serial = self._GetValueFromStructure(
structure, 'serial')
event_data.bus = self._GetValueFromStructure(structure, 'bus')
event_data.dmg_path = self._GetValueFromStructure(
structure, 'dmg_path')
event_data.appearance = self._GetValueFromStructure(
structure, 'appearance')
if event_data.appearance:
new_date_time = dfdatetime_time_elements.TimeElementsInMilliseconds(
)
try:
new_date_time.CopyFromStringISO8601(event_data.appearance)
new_event = time_events.DateTimeValuesEvent(
new_date_time,
definitions.TIME_DESCRIPTION_FIRST_CONNECTED)
parser_mediator.ProduceEventWithEventData(
new_event, event_data)
except ValueError:
parser_mediator.ProduceExtractionWarning(
'invalid date time value: {0:s}'.format(
event_data.appearance))
event = time_events.DateTimeValuesEvent(
date_time, definitions.TIME_DESCRIPTION_WRITTEN)
parser_mediator.ProduceEventWithEventData(event, event_data)
def testConvertDateTimeValuesToJSON(self):
"""Test ConvertDateTimeValuesToJSON function."""
posix_time_object = posix_time.PosixTime(timestamp=1281643591)
expected_json_dict = {
'__class_name__': 'PosixTime',
'__type__': 'DateTimeValues',
'timestamp': 1281643591
}
json_dict = serializer.Serializer.ConvertDateTimeValuesToJSON(
posix_time_object)
self.assertEqual(json_dict, expected_json_dict)
posix_time_object.is_local_time = True
expected_json_dict = {
'__class_name__': 'PosixTime',
'__type__': 'DateTimeValues',
'is_local_time': True,
'timestamp': 1281643591
}
json_dict = serializer.Serializer.ConvertDateTimeValuesToJSON(
posix_time_object)
self.assertEqual(json_dict, expected_json_dict)
never_time_object = semantic_time.Never()
expected_json_dict = {
'__class_name__': 'Never',
'__type__': 'DateTimeValues',
'string': 'Never'
}
json_dict = serializer.Serializer.ConvertDateTimeValuesToJSON(
never_time_object)
self.assertEqual(json_dict, expected_json_dict)
fat_date_time_object = fat_date_time.FATDateTime(
fat_date_time=0xa8d03d0c)
expected_json_dict = {
'__class_name__': 'FATDateTime',
'__type__': 'DateTimeValues',
'fat_date_time': 2832219404
}
json_dict = serializer.Serializer.ConvertDateTimeValuesToJSON(
fat_date_time_object)
self.assertEqual(json_dict, expected_json_dict)
golang_timestamp = bytes.fromhex('01000000000000000200000003ffff')
golang_time_object = golang_time.GolangTime(
golang_timestamp=golang_timestamp)
expected_json_dict = {
'__class_name__':
'GolangTime',
'__type__':
'DateTimeValues',
'golang_timestamp':
(b'\x01\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x03\xff\xff'),
'time_zone_offset':
0
}
json_dict = serializer.Serializer.ConvertDateTimeValuesToJSON(
golang_time_object)
self.assertEqual(json_dict, expected_json_dict)
rfc2579_date_time_object = rfc2579_date_time.RFC2579DateTime(
rfc2579_date_time_tuple=(2010, 8, 12, 20, 6, 31, 6, '+', 2, 0))
expected_json_dict = {
'__class_name__': 'RFC2579DateTime',
'__type__': 'DateTimeValues',
'rfc2579_date_time_tuple': (2010, 8, 12, 20, 6, 31, 6),
'time_zone_offset': 120
}
json_dict = serializer.Serializer.ConvertDateTimeValuesToJSON(
rfc2579_date_time_object)
self.assertEqual(json_dict, expected_json_dict)
time_elements_object = time_elements.TimeElements(
time_elements_tuple=(2010, 8, 12, 20, 6, 31))
expected_json_dict = {
'__class_name__': 'TimeElements',
'__type__': 'DateTimeValues',
'time_elements_tuple': (2010, 8, 12, 20, 6, 31)
}
json_dict = serializer.Serializer.ConvertDateTimeValuesToJSON(
time_elements_object)
self.assertEqual(json_dict, expected_json_dict)
time_elements_object = time_elements.TimeElementsInMilliseconds(
time_elements_tuple=(2010, 8, 12, 20, 6, 31, 546))
expected_json_dict = {
'__class_name__': 'TimeElementsInMilliseconds',
'__type__': 'DateTimeValues',
'time_elements_tuple': (2010, 8, 12, 20, 6, 31, 546)
}
json_dict = serializer.Serializer.ConvertDateTimeValuesToJSON(
time_elements_object)
self.assertEqual(json_dict, expected_json_dict)
time_elements_object = time_elements.TimeElementsInMicroseconds(
time_elements_tuple=(2010, 8, 12, 20, 6, 31, 429876))
expected_json_dict = {
'__class_name__': 'TimeElementsInMicroseconds',
'__type__': 'DateTimeValues',
'time_elements_tuple': (2010, 8, 12, 20, 6, 31, 429876)
}
json_dict = serializer.Serializer.ConvertDateTimeValuesToJSON(
time_elements_object)
self.assertEqual(json_dict, expected_json_dict)
