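--- a/PATH_UNKNOWN
+++ b/PATH_UNKNOWN
@@ -1,61 +1,137 @@
 # -*- coding: utf-8 -*-
 """The Trend Micro AV Logs file event formatter."""
 
 from __future__ import unicode_literals
 
 from plaso.formatters import interface
 from plaso.formatters import manager
+from plaso.lib import errors
+
+
+SCAN_RESULTS = {
+0: "Success (clean)",
+1: "Success (move)",
+2: "Success (delete)",
+3: "Success (rename)",
+4: "Pass > Deny access",
+5: "Failure (clean)",
+6: "Failure (move)",
+7: "Failure (delete)",
+8: "Failure (rename)",
+10: "Failure (clean), moved",
+11: "Failure (clean), deleted",
+12: "Failure (clean), renamed",
+13: "Pass > Deny access",
+14: "Failure (clean), move also failed",
+15: "Failure (clean), delete also failed",
+16: "Failure (clean), rename also failed",
+25: "Passed a potential security risk"
+}
+
+SCAN_TYPES = {
+0: "Manual scan",
+1: "Real-time scan",
+2: "Scheduled scan",
+3: "Scan Now scan",
+4: "DCS scan"
+}
+
+BLOCK_MODES = {
+0: "Internal filter",
+1: "Whitelist only"
+}
 
 
 class OfficeScanVirusDetectionLogEventFormatter(
 interface.ConditionalEventFormatter):
 """Formatter for a Trend Micro Office Scan Virus Detection Log event."""
 
 DATA_TYPE = 'av:trendmicro:scan'
 
 FORMAT_STRING_PIECES = [
 'Path: {path}',
 'File name: (unknown)',
 '{threat}',
-'-> {action}',
+': {action}',
 '({scan_type})']
 
 FORMAT_STRING_SHORT_PIECES = [
 '{path}',
 '(unknown)',
 '{action}']
 
 SOURCE_LONG = 'Trend Micro Office Scan Virus Detection Log'
 SOURCE_SHORT = 'LOG'
 
+# VALUE_FORMATTERS contains formatting functions for event values that are
+# not ready for human consumption.
+# These functions replace the integer codes for scan types and scan results
+# (a.k.a. actions) with human-readable strings.
+VALUE_FORMATTERS = {
+'scan_type': lambda scan_type: SCAN_TYPES[scan_type],
+'action': lambda action: SCAN_RESULTS[action],
+}
+
+def GetMessages(self, unused_formatter_mediator, event):
+"""Determines the formatted message strings for an event object.
+
+If any event values have a matching formatting function in VALUE_FORMATTERS,
+they are run through that function; then the dictionary is passed to the
+superclass's formatting method.
+
+Args:
+unused_formatter_mediator (FormatterMediator): not used.
+event (EventObject): event.
+
+Returns:
+tuple(str, str): formatted message string and short message string.
+
+Raises:
+WrongFormatter: if the event object cannot be formatted by the formatter.
+"""
+if self.DATA_TYPE != event.data_type:
+raise errors.WrongFormatter(
+'Unsupported data type: {0:s}.'.format(event.data_type))
+
+event_values = event.CopyToDict()
+for formattable_value_name, formatter in self.VALUE_FORMATTERS.items():
+if formattable_value_name in event_values:
+value = event_values[formattable_value_name]
+event_values[formattable_value_name] = formatter(value)
+
+return self._ConditionalFormatMessages(event_values)
+
 
 class OfficeScanWebReputationLogEventFormatter(
-interface.ConditionalEventFormatter):
+OfficeScanVirusDetectionLogEventFormatter):
 """Formatter for a Trend Micro Office Scan Virus Detection Log event."""
 
 DATA_TYPE = 'av:trendmicro:webrep'
 
 FORMAT_STRING_PIECES = [
 '{url}',
 '{ip}',
 'Group: {group_name}',
 '{group_code}',
 'Mode: {block_mode}',
 'Policy ID: {policy_id}',
 'Credibility rating: {cred_rating}',
 'Credibility score: {cred_score}',
 'Threshold value: {threshold}',
 'Accessed by: {appname}']
 
 FORMAT_STRING_SHORT_PIECES = [
 '{url}',
 '{group_name}']
 
+VALUE_FORMATTERS = {
+'block_mode': lambda block_mode: BLOCK_MODES[block_mode]
+}
+
 SOURCE_LONG = 'Trend Micro Office Scan Virus Detection Log'
 SOURCE_SHORT = 'LOG'
 
 
-manager.FormattersManager.RegisterFormatter(
-OfficeScanVirusDetectionLogEventFormatter)
-manager.FormattersManager.RegisterFormatter(
-OfficeScanWebReputationLogEventFormatter)
+manager.FormattersManager.RegisterFormatters([
+OfficeScanVirusDetectionLogEventFormatter,
+OfficeScanWebReputationLogEventFormatter])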
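Review bot: The new VALUE_FORMATTERS lambdas index SCAN_TYPES, SCAN_RESULTS and BLOCK_MODES directly, so any code that is absent from the tables (SCAN_RESULTS has no entries for 9 or 17–24, and the values come from a log file the tool treats as evidence) raises KeyError out of GetMessages instead of a formatted message; GetMessages only documents WrongFormatter, so callers will not expect it. Falling back to a labelled value keeps the event renderable and makes the unmapped code visible in the output, e.g. `'scan_type': lambda scan_type: SCAN_TYPES.get(scan_type, 'Unknown ({0!s})'.format(scan_type)),` and the same `.get(...)` form for `'action'` and for `'block_mode'` in the web-reputation subclass. Worth adding to the GetMessages docstring that unknown codes are passed through as "Unknown (<code>)", and noting in the VALUE_FORMATTERS comment that a subclass definition replaces rather than merges the parent's table. The subclass docstring still reads "Virus Detection Log" although it formats web-reputation events; `"""Formatter for a Trend Micro Office Scan Web Reputation Log event."""` would match its DATA_TYPE.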