plaso-rubanetra/plaso/formatters/symantec.py
2020-04-06 18:48:34 +02:00

198 lines
7.0 KiB
Python

#!/usr/bin/python
# -*- coding: utf-8 -*-
#
# Copyright 2013 The Plaso Project Authors.
# Please see the AUTHORS file for details on individual authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""This file contains a formatter for Symantec logs."""
from plaso.lib import errors
from plaso.formatters import interface
__author__ = 'David Nides (david.nides@gmail.com)'
class SymantecFormatter(interface.ConditionalEventFormatter):
"""Define the formatting for Symantec events."""
DATA_TYPE = 'av:symantec:scanlog'
EVENT_NAMES = {
'1': 'GL_EVENT_IS_ALERT',
'2': 'GL_EVENT_SCAN_STOP',
'3': 'GL_EVENT_SCAN_START',
'4': 'GL_EVENT_PATTERN_UPDATE',
'5': 'GL_EVENT_INFECTION',
'6': 'GL_EVENT_FILE_NOT_OPEN',
'7': 'GL_EVENT_LOAD_PATTERN',
'8': 'GL_STD_MESSAGE_INFO',
'9': 'GL_STD_MESSAGE_ERROR',
'10': 'GL_EVENT_CHECKSUM',
'11': 'GL_EVENT_TRAP',
'12': 'GL_EVENT_CONFIG_CHANGE',
'13': 'GL_EVENT_SHUTDOWN',
'14': 'GL_EVENT_STARTUP',
'16': 'GL_EVENT_PATTERN_DOWNLOAD',
'17': 'GL_EVENT_TOO_MANY_VIRUSES',
'18': 'GL_EVENT_FWD_TO_QSERVER',
'19': 'GL_EVENT_SCANDLVR',
'20': 'GL_EVENT_BACKUP',
'21': 'GL_EVENT_SCAN_ABORT',
'22': 'GL_EVENT_RTS_LOAD_ERROR',
'23': 'GL_EVENT_RTS_LOAD',
'24': 'GL_EVENT_RTS_UNLOAD',
'25': 'GL_EVENT_REMOVE_CLIENT',
'26': 'GL_EVENT_SCAN_DELAYED',
'27': 'GL_EVENT_SCAN_RESTART',
'28': 'GL_EVENT_ADD_SAVROAMCLIENT_TOSERVER',
'29': 'GL_EVENT_REMOVE_SAVROAMCLIENT_FROMSERVER',
'30': 'GL_EVENT_LICENSE_WARNING',
'31': 'GL_EVENT_LICENSE_ERROR',
'32': 'GL_EVENT_LICENSE_GRACE',
'33': 'GL_EVENT_UNAUTHORIZED_COMM',
'34': 'GL_EVENT_LOG_FWD_THRD_ERR',
'35': 'GL_EVENT_LICENSE_INSTALLED',
'36': 'GL_EVENT_LICENSE_ALLOCATED',
'37': 'GL_EVENT_LICENSE_OK',
'38': 'GL_EVENT_LICENSE_DEALLOCATED',
'39': 'GL_EVENT_BAD_DEFS_ROLLBACK',
'40': 'GL_EVENT_BAD_DEFS_UNPROTECTED',
'41': 'GL_EVENT_SAV_PROVIDER_PARSING_ERROR',
'42': 'GL_EVENT_RTS_ERROR',
'43': 'GL_EVENT_COMPLIANCE_FAIL',
'44': 'GL_EVENT_COMPLIANCE_SUCCESS',
'45': 'GL_EVENT_SECURITY_SYMPROTECT_POLICYVIOLATION',
'46': 'GL_EVENT_ANOMALY_START',
'47': 'GL_EVENT_DETECTION_ACTION_TAKEN',
'48': 'GL_EVENT_REMEDIATION_ACTION_PENDING',
'49': 'GL_EVENT_REMEDIATION_ACTION_FAILED',
'50': 'GL_EVENT_REMEDIATION_ACTION_SUCCESSFUL',
'51': 'GL_EVENT_ANOMALY_FINISH',
'52': 'GL_EVENT_COMMS_LOGIN_FAILED',
'53': 'GL_EVENT_COMMS_LOGIN_SUCCESS',
'54': 'GL_EVENT_COMMS_UNAUTHORIZED_COMM',
'55': 'GL_EVENT_CLIENT_INSTALL_AV',
'56': 'GL_EVENT_CLIENT_INSTALL_FW',
'57': 'GL_EVENT_CLIENT_UNINSTALL',
'58': 'GL_EVENT_CLIENT_UNINSTALL_ROLLBACK',
'59': 'GL_EVENT_COMMS_SERVER_GROUP_ROOT_CERT_ISSUE',
'60': 'GL_EVENT_COMMS_SERVER_CERT_ISSUE',
'61': 'GL_EVENT_COMMS_TRUSTED_ROOT_CHANGE',
'62': 'GL_EVENT_COMMS_SERVER_CERT_STARTUP_FAILED',
'63': 'GL_EVENT_CLIENT_CHECKIN',
'64': 'GL_EVENT_CLIENT_NO_CHECKIN',
'65': 'GL_EVENT_SCAN_SUSPENDED',
'66': 'GL_EVENT_SCAN_RESUMED',
'67': 'GL_EVENT_SCAN_DURATION_INSUFFICIENT',
'68': 'GL_EVENT_CLIENT_MOVE',
'69': 'GL_EVENT_SCAN_FAILED_ENHANCED',
'70': 'GL_EVENT_MAX_event_name',
'71': 'GL_EVENT_HEUR_THREAT_NOW_WHITELISTED',
'72': 'GL_EVENT_INTERESTING_PROCESS_DETECTED_START',
'73': 'GL_EVENT_LOAD_ERROR_COH',
'74': 'GL_EVENT_LOAD_ERROR_SYKNAPPS',
'75': 'GL_EVENT_INTERESTING_PROCESS_DETECTED_FINISH',
'76': 'GL_EVENT_HPP_SCAN_NOT_SUPPORTED_FOR_OS',
'77': 'GL_EVENT_HEUR_THREAT_NOW_KNOWN'
}
CATEGORY_NAMES = {
'1': 'GL_CAT_INFECTION',
'2': 'GL_CAT_SUMMARY',
'3': 'GL_CAT_PATTERN',
'4': 'GL_CAT_SECURITY'
}
ACTION_1_2_NAMES = {
'1': 'Quarantine infected file',
'2': 'Rename infected file',
'3': 'Delete infected file',
'4': 'Leave alone (log only)',
'5': 'Clean virus from file',
'6': 'Clean or delete macros'
}
ACTION_0_NAMES = {
'1': 'Quarantined',
'2': 'Renamed',
'3': 'Deleted',
'4': 'Left alone',
'5': 'Cleaned',
'6': ('Cleaned or macros deleted (no longer used as of '
'Symantec AntiVirus 9.x)'),
'7': 'Saved file as...',
'8': 'Sent to Intel (AMS)',
'9': 'Moved to backup location',
'10': 'Renamed backup file',
'11': 'Undo action in Quarantine View',
'12': 'Write protected or lack of permissions - Unable to act on file',
'13': 'Backed up file'
}
# The identifier for the formatter (a regular expression)
FORMAT_STRING_SEPARATOR = u'; '
FORMAT_STRING_PIECES = [
u'Event Name: {event_map}',
u'Category Name: {category_map}',
u'Malware Name: {virus}',
u'Malware Path: {file}',
u'Action0: {action0_map}',
u'Action1: {action1_map}',
u'Action2: {action2_map}',
u'Description: {description}',
u'Scan ID: {scanid}',
u'Event Data: {event_data}',
u'Remote Machine: {remote_machine}',
u'Remote IP: {remote_machine_ip}']
FORMAT_STRING_SHORT_PIECES = [
u'{file}',
u'{virus}',
u'{action0_map}',
u'{action1_map}',
u'{action2_map}']
SOURCE_LONG = 'Symantec AV Log'
SOURCE_SHORT = 'LOG'
def GetMessages(self, event_object):
"""Returns a list of messages extracted from an event object.
Args:
event_object: The event object (EventObject) containing the event
specific data.
Returns:
A list that contains both the longer and shorter version of the message
string.
"""
if self.DATA_TYPE != event_object.data_type:
raise errors.WrongFormatter(u'Unsupported data type: {0:s}.'.format(
event_object.data_type))
if hasattr(event_object, 'event'):
event_object.event_map = self.EVENT_NAMES.get(
event_object.event, 'Unknown')
if hasattr(event_object, 'cat'):
event_object.category_map = self.CATEGORY_NAMES.get(
event_object.cat, 'Unknown')
if hasattr(event_object, 'action1'):
event_object.action1_map = self.ACTION_1_2_NAMES.get(
event_object.action1, 'Unknown')
if hasattr(event_object, 'action2'):
event_object.action2_map = self.ACTION_1_2_NAMES.get(
event_object.action2, 'Unknown')
if hasattr(event_object, 'action0'):
event_object.action0_map = self.ACTION_0_NAMES.get(
event_object.action0, 'Unknown')
return super(SymantecFormatter, self).GetMessages(event_object)