#!/usr/bin/python
# -*- coding: utf-8 -*-
#
# Copyright 2014 The Plaso Project Authors.
# Please see the AUTHORS file for details on individual authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""This file contains formatters for the parsed Rubanetra events. Additionally, a Java Instant formatter was defined
as well."""
from plaso.formatters import interface
# Module author attribution (the license header above points to the AUTHORS file for the full list).
__author__ = 'Stefan Swerk (stefan_rubanetra@swerk.priv.at)'
class RubanetraBaseActivityFormatter(interface.ConditionalEventFormatter):
  """Formatter for a Rubanetra BaseActivity event.

  The pieces listed here cover the attributes shared by every Rubanetra
  activity; the protocol-specific formatters in this module extend this list.

  NOTE(review): the substituted values (addresses, description, optional
  fields) originate from captured network traffic, so message text built from
  them should be treated as untrusted by whatever consumes the output.
  """
  DATA_TYPE = 'java:rubanetra:base_activity'
  SOURCE_SHORT = 'LOG'
  SOURCE_LONG = 'at.jku.fim.rubanetra.BaseActivity'

  FORMAT_STRING_PIECES = [
      u"activityType: '{activity_type}'",
      u"firstTimestamp: '{first_timestamp}'",
      u"lastTimestamp: '{last_timestamp}'",
      u"description: '{description}'",
      u"sourceAddress: '{source_address}'",
      u"destinationAddress: '{destination_address}'",
      u"compoundFrameNumbers: '{compound_frame_number_list}'",
      u"isReplaced: '{replaced}'",
      u"optionalFields: '{optional_field_dict}'",
  ]
class RubanetraPcapActivityFormatter(RubanetraBaseActivityFormatter):
  """Formatter for a Rubanetra PcapActivity event.

  Extends the base pieces with the pcap frame size and header information.
  """
  DATA_TYPE = 'java:rubanetra:pcap_activity'
  SOURCE_LONG = 'at.jku.fim.rubanetra.PcapActivity'

  FORMAT_STRING_PIECES = (
      RubanetraBaseActivityFormatter.FORMAT_STRING_PIECES + [
          u"totalSize: '{pcap_total_size}'",
          u"frameNumber: '{pcap_frame_number}'",
          u"wireLength: '{pcap_packet_wirelen}'",
          u"headerCount: '{pcap_header_count}'",
      ])
class RubanetraHttpRequestActivityFormatter(RubanetraBaseActivityFormatter):
  """Formatter for a Rubanetra HttpRequestActivity event.

  Extends the base pieces with the request line, query data, headers and URL.
  """
  DATA_TYPE = 'java:rubanetra:http_request_activity'
  SOURCE_LONG = 'at.jku.fim.rubanetra.HttpRequestActivity'

  FORMAT_STRING_PIECES = (
      RubanetraBaseActivityFormatter.FORMAT_STRING_PIECES + [
          u"serverAddress: '{server_address}'",
          u"clientAddress: '{client_address}'",
          u"httpVersion: '{http_version}'",
          u"httpMethod: '{http_method}'",
          u"httpQueryString: '{http_query_string}'",
          u"httpQueryParameters: '{http_query_parameters}'",
          u"httpRequestHeader: '{http_request_header_dict}'",
          u"url: '{url}'",
          u"originalHttpHeader: '{orig_http_header}'",
          u"contentType: '{content_type}'",
          u"isResponse: '{is_response}'",
          u"JNetPcapHttpString: '{jnetpcap_http_string}'",
      ])
class RubanetraHttpResponseActivityFormatter(RubanetraBaseActivityFormatter):
  """Formatter for a Rubanetra HttpResponseActivity event.

  Extends the base pieces with the status line, status code and headers.
  """
  DATA_TYPE = 'java:rubanetra:http_response_activity'
  SOURCE_LONG = 'at.jku.fim.rubanetra.HttpResponseActivity'

  FORMAT_STRING_PIECES = (
      RubanetraBaseActivityFormatter.FORMAT_STRING_PIECES + [
          u"httpVersion: '{http_version}'",
          u"httpStatusCode: '{response_status_code}'",
          u"httpStatusLine: '{response_status_line}'",
          u"httpResponseHeader: '{response_header_dict}'",
          u"originalHttpHeader: '{orig_http_header}'",
          u"contentType: '{content_type}'",
          u"JNetPcapHttpString: '{jnetpcap_http_string}'",
      ])
class RubanetraDnsActivityFormatter(RubanetraBaseActivityFormatter):
  """Formatter for a Rubanetra DnsActivity event.

  Extends the base pieces with the DNS record sections and message header.
  """
  DATA_TYPE = 'java:rubanetra:dns_activity'
  SOURCE_LONG = 'at.jku.fim.rubanetra.DnsActivity'

  FORMAT_STRING_PIECES = (
      RubanetraBaseActivityFormatter.FORMAT_STRING_PIECES + [
          u"questionRecords: '{question_record_list}'",
          u"answerRecords: '{answer_record_list}'",
          u"authorityRecords: '{authority_record_list}'",
          u"additionalRecords: '{additional_record_list}'",
          u"dnsMessageHeader: '{dns_message_header}'",
          u"isResponse: '{is_response_bool}'",
      ])
class RubanetraHttpImageActivityFormatter(RubanetraBaseActivityFormatter):
  """Formatter for a Rubanetra HttpImageActivity event.

  Extends the base pieces with the image type and path.
  """
  DATA_TYPE = 'java:rubanetra:http_image_activity'
  SOURCE_LONG = 'at.jku.fim.rubanetra.HttpImageActivity'

  FORMAT_STRING_PIECES = (
      RubanetraBaseActivityFormatter.FORMAT_STRING_PIECES + [
          u"imageType: '{image_type}'",
          u"imagePath: '{image_path}'",
      ])
class RubanetraArpActivityFormatter(RubanetraBaseActivityFormatter):
  """Formatter for a Rubanetra ArpActivity event.

  Extends the base pieces with the ARP header fields and addresses.
  """
  DATA_TYPE = 'java:rubanetra:arp_activity'
  SOURCE_LONG = 'at.jku.fim.rubanetra.ArpActivity'

  FORMAT_STRING_PIECES = (
      RubanetraBaseActivityFormatter.FORMAT_STRING_PIECES + [
          u"hardwareType: '{hardware_type}'",
          u"protocolType: '{protocol_type}'",
          u"hardwareAddressLength: '{hardware_address_length}'",
          u"protocolAddressLength: '{protocol_address_length}'",
          u"senderHardwareAddress: '{sender_mac_address}'",
          u"targetHardwareAddress: '{target_mac_address}'",
          u"senderProtocolAddress: '{sender_protocol_address}'",
          u"targetProtocolAddress: '{target_protocol_address}'",
          u"JNetPcapArpString: '{jnetpcap_arp}'",
      ])
class RubanetraDhcpActivityFormatter(RubanetraBaseActivityFormatter):
  """Formatter for a Rubanetra DhcpActivity event.

  Extends the base pieces with the DHCP message.
  """
  DATA_TYPE = 'java:rubanetra:dhcp_activity'
  SOURCE_LONG = 'at.jku.fim.rubanetra.DhcpActivity'

  FORMAT_STRING_PIECES = (
      RubanetraBaseActivityFormatter.FORMAT_STRING_PIECES + [
          u"dhcpMessage: '{dhcp_message}'",
      ])
class RubanetraEthernetActivityFormatter(RubanetraBaseActivityFormatter):
  """Formatter for a Rubanetra EthernetActivity event.

  Extends the base pieces with MAC addresses and the Ethernet type.
  """
  DATA_TYPE = 'java:rubanetra:ethernet_activity'
  SOURCE_LONG = 'at.jku.fim.rubanetra.EthernetActivity'

  FORMAT_STRING_PIECES = (
      RubanetraBaseActivityFormatter.FORMAT_STRING_PIECES + [
          u"sourceMacAddress: '{source_mac_address}'",
          u"destinationMacAddress: '{destination_mac_address}'",
          u"ethernetType: '{ethernet_type}'",
          u"ethernetTypeEnum: '{ethernet_type_enum}'",
          u"JNetPcapEthernetString: '{jnetpcap_ethernet}'",
      ])
class RubanetraFtpActivityFormatter(RubanetraBaseActivityFormatter):
  """Formatter for a Rubanetra FtpActivity event.

  Extends the base pieces with the FTP sub-type, command, reply and listing.
  """
  DATA_TYPE = 'java:rubanetra:ftp_activity'
  SOURCE_LONG = 'at.jku.fim.rubanetra.FtpActivity'

  FORMAT_STRING_PIECES = (
      RubanetraBaseActivityFormatter.FORMAT_STRING_PIECES + [
          u"ftpActivityType: '{ftp_type}'",
          u"command: '{command}'",
          u"reply: '{reply}'",
          u"list: '{list}'",
      ])
class RubanetraIcmpv4ActivityFormatter(RubanetraBaseActivityFormatter):
  """Formatter for a Rubanetra Icmpv4Activity event.

  Extends the base pieces with the ICMPv4 type/code, identifier and sequence.
  """
  DATA_TYPE = 'java:rubanetra:icmpv4_activity'
  SOURCE_LONG = 'at.jku.fim.rubanetra.Icmpv4Activity'

  FORMAT_STRING_PIECES = (
      RubanetraBaseActivityFormatter.FORMAT_STRING_PIECES + [
          u"icmpSubType: '{icmp_subtype}'",
          u"icmpPacket: '{icmp_packet}'",
          u"icmpMessage: '{icmp_message}'",
          u"icmpType: '{icmp_type}'",
          u"icmpCode: '{icmp_code}'",
          # sourceAddress/destinationAddress are already part of the base
          # pieces, so these two values appear twice in the message.
          u"sourceAddress: '{source_address}'",
          u"destinationAddress: '{destination_address}'",
          u"identifier: '{identifier}'",
          u"sequence: '{sequence}'",
          u"JNetPcapIcmpString: '{jnetpcap_icmp}'",
      ])
class RubanetraIcmpv6ActivityFormatter(RubanetraBaseActivityFormatter):
  """Formatter for a Rubanetra Icmpv6Activity event.

  Extends the base pieces with the ICMPv6 sub-type, packet, message and type.
  """
  DATA_TYPE = 'java:rubanetra:icmpv6_activity'
  SOURCE_LONG = 'at.jku.fim.rubanetra.Icmpv6Activity'

  FORMAT_STRING_PIECES = (
      RubanetraBaseActivityFormatter.FORMAT_STRING_PIECES + [
          u"icmpSubType: '{icmp_subtype}'",
          u"icmpPacket: '{icmp_packet}'",
          u"icmpMessage: '{icmp_message}'",
          u"icmpType: '{icmp_type}'",
          u"JNetPcapIcmpString: '{jnetpcap_icmp}'",
      ])
class RubanetraIpActivityFormatter(RubanetraBaseActivityFormatter):
  """Formatter for a Rubanetra IpActivity event.

  Extends the base pieces with the IP version and protocol.
  """
  DATA_TYPE = 'java:rubanetra:ip_activity'
  SOURCE_LONG = 'at.jku.fim.rubanetra.IpActivity'

  FORMAT_STRING_PIECES = (
      RubanetraBaseActivityFormatter.FORMAT_STRING_PIECES + [
          u"version: '{version}'",
          u"protocol: '{protocol}'",
          # sourceAddress/destinationAddress are already part of the base
          # pieces, so these two values appear twice in the message.
          u"sourceAddress: '{source_address}'",
          u"destinationAddress: '{destination_address}'",
      ])
class RubanetraIpv4ActivityFormatter(RubanetraBaseActivityFormatter):
  """Formatter for a Rubanetra Ipv4Activity event.

  Extends the base pieces with the IPv4 header fields.
  """
  DATA_TYPE = 'java:rubanetra:ipv4_activity'
  SOURCE_LONG = 'at.jku.fim.rubanetra.Ipv4Activity'

  FORMAT_STRING_PIECES = (
      RubanetraBaseActivityFormatter.FORMAT_STRING_PIECES + [
          u"internetHeaderLength: '{internet_header_length}'",
          u"differentiatedServicesCodePoint: "
          u"'{differentiated_services_code_point}'",
          u"totalLength: '{total_length}'",
          u"identification: '{identification}'",
          u"flags: '{flags}'",
          u"fragmentOffset: '{fragment_offset}'",
          u"timeToLive: '{time_to_live}'",
          u"headerChecksum: '{header_checksum}'",
          u"options: '{options}'",
          u"JNetPcapIpv4String: '{jnetpcap_ip4}'",
      ])
class RubanetraIpv6ActivityFormatter(RubanetraBaseActivityFormatter):
  """Formatter for a Rubanetra Ipv6Activity event.

  Extends the base pieces with the IPv6 header fields.
  """
  DATA_TYPE = 'java:rubanetra:ipv6_activity'
  SOURCE_LONG = 'at.jku.fim.rubanetra.Ipv6Activity'

  FORMAT_STRING_PIECES = (
      RubanetraBaseActivityFormatter.FORMAT_STRING_PIECES + [
          u"trafficClass: '{traffic_class}'",
          u"flowLabel: '{flow_label}'",
          u"payloadLength: '{payload_length}'",
          u"nextHeader: '{next_header}'",
          u"hopLimit: '{hop_limit}'",
          u"JNetPcapIpv6String: '{jnetpcap_ip6}'",
          u"KrakenIpv6String: '{kraken_ip6}'",
      ])
class RubanetraMsnActivityFormatter(RubanetraBaseActivityFormatter):
  """Formatter for a Rubanetra MsnActivity event.

  Extends the base pieces with the account and chat fields.
  """
  DATA_TYPE = 'java:rubanetra:msn_activity'
  SOURCE_LONG = 'at.jku.fim.rubanetra.MsnActivity'

  FORMAT_STRING_PIECES = (
      RubanetraBaseActivityFormatter.FORMAT_STRING_PIECES + [
          u"account: '{account}'",
          u"chat: '{chat}'",
      ])
class RubanetraNetbiosActivityFormatter(RubanetraBaseActivityFormatter):
  """Formatter for a Rubanetra NetbiosActivity event.

  Extends the base pieces with the NetBIOS datagram and name packets.
  """
  # NOTE(review): the capital 'N' differs from every other DATA_TYPE in this
  # module; it must match the data_type the parser emits, so confirm against
  # the parser before normalizing it to lowercase.
  DATA_TYPE = 'java:rubanetra:Netbios_activity'
  SOURCE_LONG = 'at.jku.fim.rubanetra.NetbiosActivity'

  FORMAT_STRING_PIECES = (
      RubanetraBaseActivityFormatter.FORMAT_STRING_PIECES + [
          u"datagramPacket: '{datagram_packet}'",
          u"namePacket: '{name_packet}'",
      ])
class RubanetraPop3ActivityFormatter(RubanetraBaseActivityFormatter):
  """Formatter for a Rubanetra Pop3Activity event.

  Extends the base pieces with the POP3 sub-type, header, data, command and
  response.
  """
  DATA_TYPE = 'java:rubanetra:pop3_activity'
  SOURCE_LONG = 'at.jku.fim.rubanetra.Pop3Activity'

  FORMAT_STRING_PIECES = (
      RubanetraBaseActivityFormatter.FORMAT_STRING_PIECES + [
          u"subType: '{sub_type}'",
          u"header: '{header}'",
          u"data: '{data}'",
          u"command: '{command}'",
          u"response: '{response}'",
      ])
class RubanetraSmtpCommandActivityFormatter(RubanetraBaseActivityFormatter):
  """Formatter for a Rubanetra SmtpCommandActivity event.

  Extends the base pieces with the SMTP command and its parameter.
  """
  DATA_TYPE = 'java:rubanetra:smtp_command_activity'
  SOURCE_LONG = 'at.jku.fim.rubanetra.SmtpCommandActivity'

  FORMAT_STRING_PIECES = (
      RubanetraBaseActivityFormatter.FORMAT_STRING_PIECES + [
          u"command: '{command}'",
          u"parameter: '{parameter}'",
      ])
class RubanetraSmtpReplyActivityFormatter(RubanetraBaseActivityFormatter):
  """Formatter for a Rubanetra SmtpReplyActivity event.

  Extends the base pieces with the SMTP reply code and message.
  """
  DATA_TYPE = 'java:rubanetra:smtp_reply_activity'
  SOURCE_LONG = 'at.jku.fim.rubanetra.SmtpReplyActivity'

  FORMAT_STRING_PIECES = (
      RubanetraBaseActivityFormatter.FORMAT_STRING_PIECES + [
          u"code: '{code}'",
          u"message: '{message}'",
      ])
class RubanetraSmtpSendActivityFormatter(RubanetraBaseActivityFormatter):
  """Formatter for a Rubanetra SmtpSendActivity event.

  Extends the base pieces with the sent message header and data.
  """
  DATA_TYPE = 'java:rubanetra:smtp_send_activity'
  SOURCE_LONG = 'at.jku.fim.rubanetra.SmtpSendActivity'

  FORMAT_STRING_PIECES = (
      RubanetraBaseActivityFormatter.FORMAT_STRING_PIECES + [
          u"header: '{header}'",
          u"data: '{data}'",
      ])
class RubanetraSnmpv1ActivityFormatter(RubanetraBaseActivityFormatter):
  """Formatter for a Rubanetra Snmpv1Activity event.

  Extends the base pieces with the PDU and the socket addresses.
  """
  DATA_TYPE = 'java:rubanetra:snmpv1_activity'
  SOURCE_LONG = 'at.jku.fim.rubanetra.Snmpv1Activity'

  FORMAT_STRING_PIECES = (
      RubanetraBaseActivityFormatter.FORMAT_STRING_PIECES + [
          u"pdu: '{pdu}'",
          u"sourceSocketAddress: '{source_socket_address}'",
          u"destinationSocketAddress: '{destination_socket_address}'",
      ])
class RubanetraSnmpv2ActivityFormatter(RubanetraBaseActivityFormatter):
  """Formatter for a Rubanetra Snmpv2Activity event.

  Shares the SNMPv1 format pieces; only the data type and source differ.
  """
  DATA_TYPE = 'java:rubanetra:snmpv2_activity'
  SOURCE_LONG = 'at.jku.fim.rubanetra.Snmpv2Activity'

  # Same list object as the v1 formatter, so the two stay in sync.
  FORMAT_STRING_PIECES = RubanetraSnmpv1ActivityFormatter.FORMAT_STRING_PIECES
class RubanetraTcpActivityFormatter(RubanetraBaseActivityFormatter):
  """Formatter for a Rubanetra TcpActivity event.

  Extends the base pieces with the TCP header fields, the individual control
  flags, connection state and the socket addresses.
  """
  DATA_TYPE = 'java:rubanetra:tcp_activity'
  SOURCE_LONG = 'at.jku.fim.rubanetra.TcpActivity'

  FORMAT_STRING_PIECES = (
      RubanetraBaseActivityFormatter.FORMAT_STRING_PIECES + [
          u"sourcePort: '{source_port}'",
          u"destinationPort: '{destination_port}'",
          u"sequenceNumber: '{sequence_number}'",
          u"acknowledgeNumber: '{acknowledge_number}'",
          u"relativeSequenceNumber: '{relative_sequence_number}'",
          u"relativeAcknowledgeNumber: '{relative_acknowledge_number}'",
          u"dataOffset: '{data_offset}'",
          u"controlBits: '{control_bits}'",
          u"windowSize: '{window_size}'",
          u"checksum: '{checksum}'",
          u"urgentPointer: '{urgent_pointer}'",
          u"tcpLength: '{tcp_length}'",
          u"options: '{options}'",
          u"padding: '{padding}'",
          u"syn: '{syn}'",
          u"ack: '{ack}'",
          u"psh: '{psh}'",
          u"fin: '{fin}'",
          u"rst: '{rst}'",
          u"urg: '{urg}'",
          u"direction: '{direction}'",
          u"clientState: '{client_state}'",
          u"serverState: '{server_state}'",
          u"JNetPcapTcpString: '{jnetpcap_tcp}'",
          # sourceAddress/destinationAddress are already part of the base
          # pieces, so these two values appear twice in the message.
          u"sourceAddress: '{source_address}'",
          u"destinationAddress: '{destination_address}'",
          u"sourceSocketAddress: '{source_socket_address}'",
          u"destinationSocketAddress: '{destination_socket_address}'",
      ])
class RubanetraTelnetActivityFormatter(RubanetraBaseActivityFormatter):
  """Formatter for a Rubanetra TelnetActivity event.

  Extends the base pieces with the Telnet sub-type, command, option and the
  captured text.
  """
  DATA_TYPE = 'java:rubanetra:telnet_activity'
  SOURCE_LONG = 'at.jku.fim.rubanetra.TelnetActivity'

  FORMAT_STRING_PIECES = (
      RubanetraBaseActivityFormatter.FORMAT_STRING_PIECES + [
          u"subType: '{sub_type}'",
          u"command: '{command}'",
          u"option: '{option}'",
          u"ansiMode: '{ansi_mode}'",
          u"arguments: '{arguments}'",
          u"text: '{text}'",
          u"title: '{title}'",
      ])
class RubanetraTlsActivityFormatter(RubanetraBaseActivityFormatter):
  """Formatter for a Rubanetra TlsActivity event.

  Extends the base pieces with the traffic summaries in both directions.
  """
  DATA_TYPE = 'java:rubanetra:tls_activity'
  SOURCE_LONG = 'at.jku.fim.rubanetra.TlsActivity'

  FORMAT_STRING_PIECES = (
      RubanetraBaseActivityFormatter.FORMAT_STRING_PIECES + [
          u"clientToServerTraffic: '{client_to_server_traffic}'",
          u"serverToClientTraffic: '{server_to_client_traffic}'",
      ])
class RubanetraUdpActivityFormatter(RubanetraBaseActivityFormatter):
  """Formatter for a Rubanetra UdpActivity event.

  Extends the base pieces with the UDP header fields and socket addresses.
  """
  DATA_TYPE = 'java:rubanetra:udp_activity'
  SOURCE_LONG = 'at.jku.fim.rubanetra.UdpActivity'

  FORMAT_STRING_PIECES = (
      RubanetraBaseActivityFormatter.FORMAT_STRING_PIECES + [
          u"sourcePort: '{source_port}'",
          u"destinationPort: '{destination_port}'",
          u"length: '{length}'",
          u"checksum: '{checksum}'",
          u"JNetPcapUdpString: '{jnetpcap_udp}'",
          u"sourceSocketAddress: '{source_socket_address}'",
          u"destinationSocketAddress: '{destination_socket_address}'",
      ])
class RubanetraOpenSSHActivityFormatter(RubanetraBaseActivityFormatter):
  """Formatter for a Rubanetra OpenSSHActivity event.

  Extends the base pieces with the traffic summaries in both directions.
  """
  DATA_TYPE = 'java:rubanetra:open_ssh_activity'
  SOURCE_LONG = 'at.jku.fim.rubanetra.OpenSSHActivity'

  FORMAT_STRING_PIECES = (
      RubanetraBaseActivityFormatter.FORMAT_STRING_PIECES + [
          u"clientToServerTraffic: '{client_to_server_traffic}'",
          u"serverToClientTraffic: '{server_to_client_traffic}'",
      ])
class RubanetraDropboxTlsActivityFormatter(RubanetraBaseActivityFormatter):
  """Formatter for a Rubanetra Dropbox TLS activity event.

  Extends the base pieces with the client and server addresses.
  """
  DATA_TYPE = 'java:rubanetra:dropbox_tls_activity'
  SOURCE_LONG = 'at.jku.fim.rubanetra.DropboxActivity'

  FORMAT_STRING_PIECES = (
      RubanetraBaseActivityFormatter.FORMAT_STRING_PIECES + [
          u"clientAddress: '{client_address}'",
          u"serverAddress: '{server_address}'",
      ])
class RubanetraSpiderOakActivityFormatter(RubanetraBaseActivityFormatter):
  """Formatter for a Rubanetra SpiderOakActivity event.

  Extends the base pieces with the client and server addresses.
  """
  DATA_TYPE = 'java:rubanetra:spideroak_activity'
  SOURCE_LONG = 'at.jku.fim.rubanetra.SpiderOakActivity'

  FORMAT_STRING_PIECES = (
      RubanetraBaseActivityFormatter.FORMAT_STRING_PIECES + [
          u"clientAddress: '{client_address}'",
          u"serverAddress: '{server_address}'",
      ])
class RubanetraSkypePayloadActivityFormatter(RubanetraBaseActivityFormatter):
  """Formatter for a Rubanetra SkypePayloadActivity event.

  Extends the base pieces with the source/destination object ids and hosts.
  """
  DATA_TYPE = 'java:rubanetra:skype_payload_activity'
  SOURCE_LONG = 'at.jku.fim.rubanetra.SkypePayloadActivity'

  FORMAT_STRING_PIECES = (
      RubanetraBaseActivityFormatter.FORMAT_STRING_PIECES + [
          u"sourceObjectId: '{source_object_id}'",
          u"destinationObjectId: '{destination_object_id}'",
          u"sourceHost: '{source_host}'",
          u"destinationHost: '{destination_host}'",
      ])
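class JavaInstantFormatter(interface.EventFormatter):
  """Formatter for a Java Instant event.

  Renders the epoch seconds and nanosecond fields of a java.time.Instant.
  Both format strings previously had unbalanced quotes (a missing closing
  quote after the seconds value in the long form, a stray trailing quote in
  the short form); the quoting is now balanced.
  """
  DATA_TYPE = 'java:time:Instant'
  SOURCE_SHORT = 'JAVA'
  SOURCE_LONG = 'java.time.Instant'

  # Long form: both values wrapped in matching single quotes.
  FORMAT_STRING = (
      u"epoch_seconds: '{instant_epoch_seconds}', nano: '{instant_nano}'")
  # Short form: seconds.nanos with no quoting.
  FORMAT_STRING_SHORT = u'{instant_epoch_seconds}.{instant_nano}'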