1 # -*- coding: utf-8 -*- | 1 # -*- coding: utf-8 -*- |
2 """The Trend Micro AV Logs file event formatter.""" | 2 """The Trend Micro AV Logs file event formatter.""" |
3 | 3 |
4 from __future__ import unicode_literals | 4 from __future__ import unicode_literals |
5 | 5 |
6 from plaso.formatters import interface | 6 from plaso.formatters import interface |
7 from plaso.formatters import manager | 7 from plaso.formatters import manager |
8 from plaso.lib import errors | |
9 | |
10 | |
11 SCAN_RESULTS = { | |
12 0: "Success (clean)", | |
13 1: "Success (move)", | |
14 2: "Success (delete)", | |
15 3: "Success (rename)", | |
16 4: "Pass > Deny access", | |
17 5: "Failure (clean)", | |
18 6: "Failure (move)", | |
19 7: "Failure (delete)", | |
20 8: "Failure (rename)", | |
21 10: "Failure (clean), moved", | |
22 11: "Failure (clean), deleted", | |
23 12: "Failure (clean), renamed", | |
24 13: "Pass > Deny access", | |
25 14: "Failure (clean), move also failed", | |
26 15: "Failure (clean), delete also failed", | |
27 16: "Failure (clean), rename also failed", | |
28 25: "Passed a potential security risk" | |
29 } | |
30 | |
31 SCAN_TYPES = { | |
32 0: "Manual scan", | |
33 1: "Real-time scan", | |
34 2: "Scheduled scan", | |
35 3: "Scan Now scan", | |
36 4: "DCS scan" | |
37 } | |
8 | 38 |
9 | 39 |
10 class OfficeScanVirusDetectionLogEventFormatter( | 40 class OfficeScanVirusDetectionLogEventFormatter( |
11 interface.ConditionalEventFormatter): | 41 interface.ConditionalEventFormatter): |
12 """Formatter for a Trend Micro Office Scan Virus Detection Log event.""" | 42 """Formatter for a Trend Micro Office Scan Virus Detection Log event.""" |
13 | 43 |
14 DATA_TYPE = 'av:trendmicro:scan' | 44 DATA_TYPE = 'av:trendmicro:scan' |
15 | 45 |
16 FORMAT_STRING_PIECES = [ | 46 FORMAT_STRING_PIECES = [ |
17 'Path: {path}', | 47 'Path: {path}', |
18 'File name: (unknown)', | 48 'File name: (unknown)', |
19 '{threat}', | 49 '{threat}', |
20 '-> {action}', | 50 ': {action}', |
onager
2018/02/14 16:10:33
Using "->" is a little weird, please use a : instead
ep
2018/03/05 16:13:59
Done.
| |
21 '({scan_type})'] | 51 '({scan_type})'] |
22 | 52 |
23 FORMAT_STRING_SHORT_PIECES = [ | 53 FORMAT_STRING_SHORT_PIECES = [ |
24 '{path}', | 54 '{path}', |
25 '(unknown)', | 55 '(unknown)', |
26 '{action}'] | 56 '{action}'] |
27 | 57 |
28 SOURCE_LONG = 'Trend Micro Office Scan Virus Detection Log' | 58 SOURCE_LONG = 'Trend Micro Office Scan Virus Detection Log' |
29 SOURCE_SHORT = 'LOG' | 59 SOURCE_SHORT = 'LOG' |
30 | 60 |
61 # VALUE_FORMATTERS contains formatting functions for event values that are | |
62 # not ready for human consumption. | |
63 # These functions replace the integer codes for scan types and scan results | |
64 # (a.k.a. actions) with human-readable strings. | |
65 VALUE_FORMATTERS = { | |
66 'scan_type': lambda scan_type: SCAN_TYPES[scan_type], | |
67 'action': lambda action: SCAN_RESULTS[action], | |
68 } | |
69 | |
70 def GetMessages(self, unused_formatter_mediator, event): | |
71 """Determines the formatted message strings for an event object. | |
72 | |
73 If any event values have a matching formatting function in VALUE_FORMATTERS, | |
74 they are run through that function; then the dictionary is passed to the | |
75 superclass's formatting method. | |
76 | |
77 Args: | |
78 unused_formatter_mediator (FormatterMediator): not used. | |
79 event (EventObject): event. | |
80 | |
81 Returns: | |
82 tuple(str, str): formatted message string and short message string. | |
83 | |
84 Raises: | |
85 WrongFormatter: if the event object cannot be formatted by the formatter. | |
86 """ | |
87 if self.DATA_TYPE != event.data_type: | |
88 raise errors.WrongFormatter( | |
89 'Unsupported data type: {0:s}.'.format(event.data_type)) | |
90 | |
91 event_values = event.CopyToDict() | |
92 | |
93 for formattable_value_name, formatter in self.VALUE_FORMATTERS.items(): | |
94 if formattable_value_name in event_values: | |
95 value = event_values[formattable_value_name] | |
96 event_values[formattable_value_name] = formatter(value) | |
97 | |
98 return self._ConditionalFormatMessages(event_values) | |
99 | |
31 | 100 |
32 manager.FormattersManager.RegisterFormatter( | 101 manager.FormattersManager.RegisterFormatter( |
33 OfficeScanVirusDetectionLogEventFormatter) | 102 OfficeScanVirusDetectionLogEventFormatter) |
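Review bot: The new VALUE_FORMATTERS lambdas (right side, lines 66–67) index SCAN_TYPES and SCAN_RESULTS directly, so a code that is not in the tables — the tables themselves skip 9 and 17–24, and a corrupted or newer-format log can carry other values — would presumably surface as an unhandled KeyError from GetMessages rather than the WrongFormatter its docstring declares, dropping the event from the output. Because these integers come straight from the parsed log file, a lookup with a fallback keeps formatting robust: `'scan_type': lambda scan_type: SCAN_TYPES.get(scan_type, 'Unknown scan type ({0!s})'.format(scan_type)),` and `'action': lambda action: SCAN_RESULTS.get(action, 'Unknown action ({0!s})'.format(action)),`. If the direct indexing is kept instead, the Raises section of the GetMessages docstring should also list KeyError for unknown scan type or action codes.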