Rietveld Code Review Tool

Issue 335560043: [plaso] Add parser and formatter for Trend Micro antivirus.

Created:
1 week, 2 days ago by ep
Modified:
4 days, 5 hours ago
Reviewers:
onager
CC:
Joachim Metz, jberggren, romaing, kiddi, log2timeline-dev_googlegroups.com, aaronp
Visibility:
Public.

Description

[plaso] Add parser and formatter for Trend Micro antivirus.

Patch Set 1 #

Patch Set 2 : Add parser and formatter for Trend Micro antivirus. #

Total comments: 17
Stats: +379 lines, -9 lines

M plaso/formatters/__init__.py: 1 chunk, +1 line, -0 lines, 0 comments
A plaso/formatters/trendmicroav.py: 1 chunk, +33 lines, -0 lines, 1 comment
M plaso/parsers/__init__.py: 1 chunk, +1 line, -0 lines, 0 comments
M plaso/parsers/dsv_parser.py: 2 chunks, +25 lines, -9 lines, 1 comment
A plaso/parsers/trendmicroav.py: 1 chunk, +257 lines, -0 lines, 14 comments
A test_data/pccnt35.log: 1 chunk, +3 lines, -0 lines, 0 comments
A tests/parsers/trendmicroav.py: 1 chunk, +59 lines, -0 lines, 1 comment

Messages

Total messages: 4
ep
1 week, 2 days ago (2018-02-09 14:04:44 UTC) #1
ep
There are several mistakes that I would like to correct here. Please disregard until the ...
1 week, 2 days ago (2018-02-09 16:54:35 UTC) #2
ep
Code updated.
6 days, 12 hours ago (2018-02-12 09:25:14 UTC) #3
onager
4 days, 6 hours ago (2018-02-14 16:10:34 UTC) #4
https://codereview.appspot.com/335560043/diff/20001/plaso/formatters/trendmic...
File plaso/formatters/trendmicroav.py (right):

https://codereview.appspot.com/335560043/diff/20001/plaso/formatters/trendmic...
plaso/formatters/trendmicroav.py:20: '-> {action}',
Using "->" is a little weird, please use a : instead, for better consistency.

https://codereview.appspot.com/335560043/diff/20001/plaso/parsers/dsv_parser.py
File plaso/parsers/dsv_parser.py (right):

https://codereview.appspot.com/335560043/diff/20001/plaso/parsers/dsv_parser....
plaso/parsers/dsv_parser.py:86: def _CreateDictReader(self, parser_mediator, line_reader):
Please rebase this on the current master

https://codereview.appspot.com/335560043/diff/20001/plaso/parsers/trendmicroa...
File plaso/parsers/trendmicroav.py (right):

https://codereview.appspot.com/335560043/diff/20001/plaso/parsers/trendmicroa...
plaso/parsers/trendmicroav.py:20: _SCAN_RESULTS = {
Please move these to the formatter.

https://codereview.appspot.com/335560043/diff/20001/plaso/parsers/trendmicroa...
plaso/parsers/trendmicroav.py:27: 6: "Falure (move)",
Failure

https://codereview.appspot.com/335560043/diff/20001/plaso/parsers/trendmicroa...
plaso/parsers/trendmicroav.py:40: _SCAN_TYPES = {
Also in the formatter.

https://codereview.appspot.com/335560043/diff/20001/plaso/parsers/trendmicroa...
plaso/parsers/trendmicroav.py:57: trigger_location (str): trigger location.
Trigger location and username aren't set in init - please remove them from the
attributes, or set them in init.

https://codereview.appspot.com/335560043/diff/20001/plaso/parsers/trendmicroa...
plaso/parsers/trendmicroav.py:76: DELIMITER = '<;>'
+blank line after docstring

https://codereview.appspot.com/335560043/diff/20001/plaso/parsers/trendmicroa...
plaso/parsers/trendmicroav.py:79: MIN_COLUMNS = None
This doesn't work, the DSVParser checks that the number of columns matches:
https://github.com/log2timeline/plaso/blob/d64d622e91a892296989645de871de1679...

https://codereview.appspot.com/335560043/diff/20001/plaso/parsers/trendmicroa...
plaso/parsers/trendmicroav.py:82: """Iterate over the log lines and provide a reader for the values.
Please re-write this docstring:

1) Add a Yields: section
2) Move the format description to the class docstring
3) The single line docstring should be active "Iterates..."

https://codereview.appspot.com/335560043/diff/20001/plaso/parsers/trendmicroa...
plaso/parsers/trendmicroav.py:95: values = line.decode(self._encoding).strip().split(self.DELIMITER)
Break this down into multiple lines to make debugging easier:

eg.

try:
  line = line.decode(...)
except Unicode...

lines = line.strip(...)
values = lines.split(..)

https://codereview.appspot.com/335560043/diff/20001/plaso/parsers/trendmicroa...
plaso/parsers/trendmicroav.py:96: except UnicodeDecodeError, exception:
UnicodeDecodeError as exception

https://codereview.appspot.com/335560043/diff/20001/plaso/parsers/trendmicroa...
plaso/parsers/trendmicroav.py:132: else:
Remove the else, and dedent this block.

https://codereview.appspot.com/335560043/diff/20001/plaso/parsers/trendmicroa...
plaso/parsers/trendmicroav.py:151: The date value is an 8-character string in the YYYYMMDD format.
Move these descriptions to the argument docstrings.

https://codereview.appspot.com/335560043/diff/20001/plaso/parsers/trendmicroa...
plaso/parsers/trendmicroav.py:157: timestamp (str): Unix time in seconds since the epoch.
timestamp isn't an argument to this function

https://codereview.appspot.com/335560043/diff/20001/plaso/parsers/trendmicroa...
plaso/parsers/trendmicroav.py:178: return timelib.Timestamp.FromTimeParts(
Use dfdatetime instead, this function is on the way out:
https://codereview.appspot.com/332630043/

https://codereview.appspot.com/335560043/diff/20001/plaso/parsers/trendmicroa...
plaso/parsers/trendmicroav.py:193: kwargs['encoding'] = 'cp1252'
+docstring

https://codereview.appspot.com/335560043/diff/20001/tests/parsers/trendmicroa...
File tests/parsers/trendmicroav.py (right):

https://codereview.appspot.com/335560043/diff/20001/tests/parsers/trendmicroa...
tests/parsers/trendmicroav.py:34: expected_timestamp = timelib.Timestamp.CopyFromString(
Please use the newer checktimestamp method.
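The review above touches several points of the line-handling logic: decode the raw line in its own step so a UnicodeDecodeError can be caught (with `as exception`, not the Python 2 comma form), strip and split on the `<;>` delimiter, enforce a column count instead of `MIN_COLUMNS = None`, build a timestamp from the 8-character YYYYMMDD date, and keep code-to-description lookup tables such as `_SCAN_RESULTS` on the formatter side. The following is an added example that pulls those points together; it is not the patch under review and not plaso's own `TrendMicroAVParser` or DSVParser. The column layout, the HHMM time field, the sample log lines and the `LineParseError`/`parse_log`/`format_action` names are assumptions made for the example, and only action code 6 ("Failure (move)") is taken from the thread. The real parser uses dfdatetime, as the reviewer asks; here the standard library is used so the example runs stand-alone.

```python
"""Added example: decode / strip / split / check columns / build a timestamp for
a '<;>'-delimited antivirus log. Illustrative only; not plaso's own parser."""
from datetime import datetime, timezone

DELIMITER = '<;>'
ENCODING = 'cp1252'   # the encoding the patch under review forces

# Assumed column layout for this example; the real parser defines its own.
COLUMNS = ('date', 'time', 'threat', 'action', 'scan_type', 'path', 'filename')

# Action code to description. Only code 6 is visible in the review thread; any
# other code falls back to a generic label so an unknown value never breaks
# output. In plaso this kind of table belongs in the formatter, not the parser.
_SCAN_RESULTS = {6: 'Failure (move)'}


class LineParseError(ValueError):
  """Raised for a line that cannot be turned into a record (assumed name)."""


def _to_posix_time(date_value, time_value):
  """Converts an 8-char YYYYMMDD date and an assumed HHMM time to Unix seconds (UTC)."""
  if len(date_value) != 8 or not date_value.isdigit():
    raise LineParseError('date is not YYYYMMDD: {0!r}'.format(date_value))
  if len(time_value) != 4 or not time_value.isdigit():
    raise LineParseError('time is not HHMM: {0!r}'.format(time_value))
  try:
    moment = datetime(
        int(date_value[:4]), int(date_value[4:6]), int(date_value[6:8]),
        int(time_value[:2]), int(time_value[2:]), tzinfo=timezone.utc)
  except ValueError as exception:   # e.g. month 13 or hour 25
    raise LineParseError('invalid date/time: {0!s}'.format(exception))
  return int(moment.timestamp())


def parse_line(raw_line):
  """Parses one raw (bytes) log line into a dict, or raises LineParseError."""
  # Decode, strip and split as separate steps so a failure points at one step.
  try:
    line = raw_line.decode(ENCODING)
  except UnicodeDecodeError as exception:
    raise LineParseError(
        'cannot decode as {0:s}: {1!s}'.format(ENCODING, exception))
  line = line.strip()
  values = line.split(DELIMITER)
  # A DSV parser has to check the column count; a None minimum does not.
  if len(values) != len(COLUMNS):
    raise LineParseError(
        'expected {0:d} columns, got {1:d}'.format(len(COLUMNS), len(values)))
  record = dict(zip(COLUMNS, values))
  record['timestamp'] = _to_posix_time(record['date'], record['time'])
  return record


def parse_log(data):
  """Parses a whole log; returns (records, errors) instead of aborting on a bad line."""
  records, errors = [], []
  for number, raw_line in enumerate(data.splitlines(), 1):
    if not raw_line.strip():
      continue
    try:
      records.append(parse_line(raw_line))
    except LineParseError as exception:
      errors.append((number, str(exception)))
  return records, errors


def format_action(action_value):
  """Formatter-side lookup with a safe fallback for unknown codes."""
  try:
    code = int(action_value)
  except ValueError:
    return 'Unknown action ({0:s})'.format(action_value)
  return _SCAN_RESULTS.get(code, 'Unknown action ({0:d})'.format(code))


# Constructed sample, not a real pccnt35.log: two valid lines (the second
# carries cp1252 byte 0xF6, "ö", which is not valid UTF-8), one line with the
# wrong column count, and one line containing byte 0x81, which is undefined in
# cp1252 and therefore fails to decode.
SAMPLE_LOG = (
    b'20180209<;>1404<;>Eicar_test_1<;>6<;>0<;>C:\\Downloads<;>eicar.com\r\n'
    b'20180209<;>1405<;>Eicar_test_1<;>99<;>0<;>C:\\Users\\J\xf6rg<;>eicar.com\r\n'
    b'not a log line\r\n'
    b'20180209<;>1406<;>Eicar_test_1<;>6<;>0<;>C:\\\x81<;>eicar.com\r\n'
)

if __name__ == '__main__':
  found, problems = parse_log(SAMPLE_LOG)
  for record in found:
    print(record['timestamp'], record['path'], format_action(record['action']))
  for number, message in problems:
    print('line {0:d}: {1:s}'.format(number, message))
```

Running the block prints the two parsed records (the first at Unix time 1518185040, i.e. 2018-02-09 14:04 UTC) followed by one error for the short line and one for the undecodable line; the per-line error list is what lets a parser keep going over a partly corrupt log while still recording where it lost data.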
