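def ExamineEvent(self, mediator, event):
  """Analyzes an EventObject and tags it according to rules in the tag file.

  The tag rules are the ones loaded from the tag definition file; the event's
  attributes are only the data the rules are evaluated against (``vars=event``).

  Args:
    mediator (AnalysisMediator): mediates interactions between analysis
        plugins and other components, such as storage and dfvfs.
    event (EventObject): event to examine.
  """
  if self._tag_rules is None:
    if self._autodetect_tag_file_attempt:
      # Nothing to tag with, and a tag file was already searched for, so
      # there is nothing to do for this event (or any other).
      return

    if not self._AttemptAutoDetectTagFile(mediator):
      logging.info(
          u'No tag definition file specified, and plaso was not able to '
          u'autoselect a tagging file. As no definitions were specified, '
          u'no events will be tagged.')
      return

  try:
    matched_labels = efilter_api.apply(self._tag_rules, vars=event)
  except efilter_errors.EfilterTypeError as exception:
    # {0!s} instead of {0:s}: exception objects reject the 's' format spec on
    # Python 3, which would turn this warning into a TypeError and abort the
    # analysis run instead of skipping the event.
    logging.warning(
        u'Unable to apply efilter query with error: {0!s}'.format(exception))
    matched_labels = None

  if not matched_labels:
    return

  labels = list(efilter_api.getvalues(matched_labels))
  event_tag = self._CreateEventTag(event, self._EVENT_TAG_COMMENT, labels)
  mediator.ProduceEventTag(event_tag)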
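def ExamineEvent(self, mediator, event):
  """Analyzes an EventObject and tags it according to rules in the tag file.

  Rules come from the tag definition file; the event is only the data they
  are evaluated against (passed as ``vars``), so a rule that fails to apply
  is logged and the event is left untagged.

  Args:
    mediator (AnalysisMediator): mediates interactions between analysis
        plugins and other components, such as storage and dfvfs.
    event (EventObject): event to examine.
  """
  if self._tag_rules is None:
    if self._autodetect_tag_file_attempt:
      # A tag file was already searched for and none was usable, so no
      # event can be tagged in this run.
      return

    if not self._AttemptAutoDetectTagFile(mediator):
      logging.info(
          u'No tag definition file specified, and plaso was not able to '
          u'autoselect a tagging file. As no definitions were specified, '
          u'no events will be tagged.')
      return

  try:
    matched_labels = efilter_api.apply(self._tag_rules, vars=event)
  except efilter_errors.EfilterTypeError as exception:
    # Use the !s conversion: '{0:s}' on an exception object raises TypeError
    # on Python 3 (only str accepts the 's' spec), which would escalate a
    # per-event warning into an aborted analysis.
    logging.warning(
        u'Unable to apply efilter query with error: {0!s}'.format(
            exception))
    matched_labels = None

  if not matched_labels:
    return

  labels = list(efilter_api.getvalues(matched_labels))
  event_tag = self._CreateEventTag(event, self._EVENT_TAG_COMMENT, labels)
  mediator.ProduceEventTag(event_tag)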
def ExamineEvent(self, analysis_mediator, event_object, **kwargs):
  """Analyzes an EventObject and tags it according to rules in the tag file.

  Args:
    analysis_mediator: The analysis mediator object (instance of
                       AnalysisMediator).
    event_object: The event object (instance of EventObject) to examine.
  """
  if self._tag_rules is None:
    if self._autodetect_tag_file_attempt:
      # Auto-detection of a tag file already ran and there are still no
      # rules, so this event (and every later one) stays untagged.
      return

    if not self._AttemptAutoDetectTagFile(analysis_mediator):
      logging.info(
          u'No tag definition file specified, and plaso was not able to '
          u'autoselect a tagging file. As no definitions were specified, '
          u'no events will be tagged.')
      return

  # The event is passed as the query's variable scope; the rules decide
  # which labels (if any) apply to it.
  matched_labels = efilter_api.apply(self._tag_rules, vars=event_object)
  if not matched_labels:
    return

  event_uuid = event_object.uuid
  event_tag = events.EventTag(
      comment=u'Tag applied by tagging analysis plugin.',
      event_uuid=event_uuid)
  for label in efilter_api.getvalues(matched_labels):
    event_tag.AddLabel(label)

  logging.debug(u'Tagging event: {0!s}'.format(event_uuid))
  self._tags.append(event_tag)
def main():
  """Runs every query in QUERIES, printing its inferred type and its rows."""
  for description, query in QUERIES:
    print("# %s\n%s" % (description, query))

    # Type inference answers "what will this query return?" without running
    # it; a repeated result type is what lets us render the rows below.
    result_type = api.infer(
        query, replacements=[CATALOG_PATH], libs=("stdcore", "stdio"))
    print("# Return type will be %s." % (result_type.__name__,))

    # Top-level query variables go in 'vars'. Only callables wrapped with
    # api.user_func are reachable from a query, so EFILTER cannot end up
    # calling an arbitrary Python function by name.
    query_vars = {"parsec2ly": api.user_func(parsec2ly)}
    # allow_io=True appears to let the query perform I/O (the stdio library
    # is loaded above), so QUERIES should stay a fixed, trusted list.
    results = api.apply(
        query, replacements=[CATALOG_PATH], allow_io=True, vars=query_vars)

    # getvalues always yields an iterator, whatever the query's cardinality.
    for row_number, result in enumerate(api.getvalues(results), start=1):
      print("%d - %r" % (row_number, result))

    print("\n\n")
def main():
  """Runs every query in QUERIES against the catalog and prints its rows."""
  for description, query in QUERIES:
    print("# %s\n%s" % (description, query))

    # 'vars' supplies the query's top-level names. Wrapping parsec2ly in
    # api.user_func is what makes it callable from EFILTER; unwrapped
    # Python functions are deliberately not reachable from a query.
    query_vars = {"parsec2ly": api.user_func(parsec2ly)}
    # allow_io=True appears to permit I/O from inside the query, so the
    # queries here are a fixed list rather than user input.
    results = api.apply(
        query, replacements=[CATALOG_PATH], allow_io=True, vars=query_vars)

    # The query's cardinality is unknown here; getvalues normalises the
    # result to an iterator either way.
    for row_number, result in enumerate(api.getvalues(results), start=1):
      print("%d - %r" % (row_number, result))

    print("\n\n")