OLD | NEW |
1 # -*- coding: utf-8 -*- | 1 # -*- coding: utf-8 -*- |
2 """An extension of the objectfilter to provide plaso specific options.""" | 2 """An extension of the objectfilter to provide plaso specific options.""" |
3 | 3 |
4 from __future__ import unicode_literals | 4 from __future__ import unicode_literals |
5 | 5 |
6 import datetime | 6 import datetime |
7 import logging | 7 import logging |
8 import re | 8 import re |
9 | 9 |
10 from plaso.formatters import manager as formatters_manager | 10 from plaso.formatters import manager as formatters_manager |
(...skipping 61 matching lines...)
72 if attr == '__all__': | 72 if attr == '__all__': |
73 ret = [] | 73 ret = [] |
74 for key, value in self._dict_translated.items(): | 74 for key, value in self._dict_translated.items(): |
75 ret.append('{}:{}'.format(key, value)) | 75 ret.append('{}:{}'.format(key, value)) |
76 return ' '.join(ret) | 76 return ' '.join(ret) |
77 | 77 |
78 test = self._StripKey(attr) | 78 test = self._StripKey(attr) |
79 if test in self._dict_translated: | 79 if test in self._dict_translated: |
80 return self._dict_translated.get(test) | 80 return self._dict_translated.get(test) |
81 | 81 |
| 82 return None |
| 83 |
82 | 84 |
83 class PlasoValueExpander(objectfilter.AttributeValueExpander): | 85 class PlasoValueExpander(objectfilter.AttributeValueExpander): |
84 """An expander that gives values based on object attribute names.""" | 86 """An expander that gives values based on object attribute names.""" |
85 | 87 |
86 def _GetMessage(self, event_object): | 88 def _GetMessage(self, event_object): |
87 """Returns a properly formatted message string. | 89 """Returns a properly formatted message string. |
88 | 90 |
89 Args: | 91 Args: |
90 event_object: the event object (instance od EventObject). | 92 event_object: the event object (instance od EventObject). |
91 | 93 |
(...skipping 47 matching lines...)
139 # Check if this is a source_short request. | 141 # Check if this is a source_short request. |
140 if attr_name in ('source', 'source_short'): | 142 if attr_name in ('source', 'source_short'): |
141 source_short, _ = self._GetSources(obj) | 143 source_short, _ = self._GetSources(obj) |
142 return source_short | 144 return source_short |
143 | 145 |
144 # Check if this is a source_long request. | 146 # Check if this is a source_long request. |
145 if attr_name in ('source_long', 'sourcetype'): | 147 if attr_name in ('source_long', 'sourcetype'): |
146 _, source_long = self._GetSources(obj) | 148 _, source_long = self._GetSources(obj) |
147 return source_long | 149 return source_long |
148 | 150 |
| 151 return None |
| 152 |
149 def _GetAttributeName(self, path): | 153 def _GetAttributeName(self, path): |
150 return path[0].lower() | 154 return path[0].lower() |
151 | 155 |
152 | 156 |
153 class PlasoExpression(objectfilter.BasicExpression): | 157 class PlasoExpression(objectfilter.BasicExpression): |
154 """A Plaso specific expression.""" | 158 """A Plaso specific expression.""" |
155 # A simple dictionary used to swap attributes so other names can be used | 159 # A simple dictionary used to swap attributes so other names can be used |
156 # to reference some core attributes (implementation specific). | 160 # to reference some core attributes (implementation specific). |
157 swap_source = { | 161 swap_source = { |
158 'date': 'timestamp', | 162 'date': 'timestamp', |
(...skipping 206 matching lines...)
365 @classmethod | 369 @classmethod |
366 def GetTimeRange(cls): | 370 def GetTimeRange(cls): |
367 """Return the first and last timestamp of filter range.""" | 371 """Return the first and last timestamp of filter range.""" |
368 first = getattr(cls, '_lower', 0) | 372 first = getattr(cls, '_lower', 0) |
369 last = getattr(cls, '_upper', cls.MAX_INT64) | 373 last = getattr(cls, '_upper', cls.MAX_INT64) |
370 | 374 |
371 if first < last: | 375 if first < last: |
372 return first, last | 376 return first, last |
373 | 377 |
374 return last, first | 378 return last, first |
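Review bot: At new lines 78–82 the membership test, the `.get(test)` call and the added `return None` perform the lookup twice and spell out the default that `dict.get` already supplies; `return self._dict_translated.get(test)` on its own behaves the same. The second added `return None` (new line 151) makes the fall-through explicit, so both docstrings should say so, for example `Returns: the attribute value, or None if the attribute is not available.` Both enclosing methods start in the skipped lines, so I cannot see whether their docstrings already cover this. Because a caller cannot tell an unknown attribute name from an attribute whose value is None, a mistyped filter field will presumably match no events rather than raise, and that behaviour is worth stating there too.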
OLD | NEW |