dissect.target 3.8.dev38__py3-none-any.whl → 3.8.dev40__py3-none-any.whl

dissect/target/loaders/velociraptor.py

@@ -53,4 +53,13 @@ class VelociraptorLoader(DirLoader):
 
     def map(self, target: Target) -> None:
         os_type, dirs = find_fs_directories(self.path)
-        map_dirs(target, dirs, os_type)
+        if os_type == OperatingSystem.WINDOWS:
+            # Velociraptor doesn't have the correct filenames for several files, like $J
+            map_dirs(
+                target,
+                dirs,
+                os_type,
+                usnjrnl_path="$Extend/$UsnJrnl%3A$J",
+            )
+        else:
+            map_dirs(target, dirs, os_type)

dissect/target/plugins/apps/av/mcafee.py

@@ -0,0 +1,141 @@
+import ipaddress
+import re
+from collections import defaultdict
+from pathlib import Path
+from typing import Iterator
+
+from dissect.sql import SQLite3
+from dissect.util.ts import from_unix
+
+from dissect.target.exceptions import UnsupportedPluginError
+from dissect.target.helpers.record import TargetRecordDescriptor
+from dissect.target.plugin import Plugin, export
+
+McAfeeMscLogRecord = TargetRecordDescriptor(
+    "application/av/mcafee/msc/log",
+    [
+        ("datetime", "ts"),
+        ("string", "threat"),
+        ("string", "message"),
+        ("string", "keywords"),
+        ("string", "fkey"),
+    ],
+)
+
+McAfeeMscFirewallRecord = TargetRecordDescriptor(
+    "application/av/mcafee/msc/firewall",
+    [
+        ("datetime", "ts"),
+        ("net.ipaddress", "ip"),
+        ("uint16", "port"),
+        ("string", "protocol"),
+        ("string", "message"),
+        ("string", "keywords"),
+        ("string", "fkey"),
+    ],
+)
+
+re_cdata = re.compile(r"<!\[CDATA\[(.*?)\]\]>", flags=re.M)
+re_strip_tags = re.compile(r"<[^!][^>]*>")
+
+
+class McAfeePlugin(Plugin):
+    __namespace__ = "mcafee"
+
+    DIRS = [
+        "sysvol/ProgramData/McAfee/MSC/Logs",  # Windows
+        "/opt/McAfee/ens/log/tp",  # Linux/Mac according to docs
+        "/opt/McAfee/ens/log/esp",  # Linux/Mac according to docs
+    ]
+    LOG_FILE_PATTERN = "*.log"
+    TEMPLATE_ID_INFECTION = 102
+    MARKER_INFECTION = "%INFECTION_INFO%"
+    MARKER_SUSPICIOUS_TCP_CONNECTION = "TCP port "
+    MARKER_SUSPICIOUS_UDP_CONNECTION = "UDP port "
+    TABLE_LOG = "log"
+    TABLE_FIELD = "field"
+
+    def check_compatible(self) -> bool:
+        if not self.get_log_files():
+            raise UnsupportedPluginError("No McAfee Log files found")
+
+    def get_log_files(self) -> Iterator[Path]:
+        for path in self.DIRS:
+            yield from self.target.fs.path(path).glob(self.LOG_FILE_PATTERN)
+
+    def _clean_message(self, message: str) -> str:
+        return re.sub(re_strip_tags, "", (" ".join(re.findall(re_cdata, message))))
+
+    @export(record=McAfeeMscLogRecord)
+    def msc(self) -> Iterator[McAfeeMscLogRecord]:
+        """Return msc log history records from McAfee.
+
+        Yields McAfeeMscLogRecord with the following fields:
+            hostname (string): The target hostname.
+            domain (string): The target domain.
+            ts (datetime): timestamp.
+            ip (net.ipadress): IP of suspicious connection (if available).
+            tcp_port (net.tcp.Port): TCP Port of suspicious incoming connection (if available).
+            udp_port (net.udp.Port): UDP Port of suspicious incoming connection (if available).
+            threat (string): Description of the detected threat (if available).
+            message (string): Message as reported in the user interface (might include template slots).
+            keywords (string): Unparsed fields that might be visible in user interface.
+            fkey (string): Foreign key for reference for further investigation.
+        """
+
+        len_marker = len(self.MARKER_SUSPICIOUS_UDP_CONNECTION)
+
+        for log_file in self.get_log_files():
+            with log_file.open() as open_log:
+                database = SQLite3(open_log)
+                fields = defaultdict(dict)
+                fields_table = database.table(self.TABLE_FIELD)
+
+                for field in fields_table.rows():
+                    fields[field.fkey][field.field_id] = field.data
+                log_table = database.table(self.TABLE_LOG)
+
+                for entry in log_table.rows():
+                    fkey = entry.fkey
+                    log_fields = fields[fkey]
+                    ip = None
+                    protocol = None
+                    port = None
+                    threat = None
+
+                    for key, log_field in log_fields.items():
+                        try:
+                            ipaddress.ip_address(log_field)
+                            ip = log_field
+                            continue
+                        except ValueError:
+                            pass
+
+                        if log_field.startswith(
+                            (self.MARKER_SUSPICIOUS_TCP_CONNECTION, self.MARKER_SUSPICIOUS_UDP_CONNECTION)
+                        ):
+                            port = int(log_field[len_marker:])
+                            protocol = log_field[:3]
+                            continue
+
+                        if key == self.TEMPLATE_ID_INFECTION and entry.details_info.find(self.MARKER_INFECTION) > -1:
+                            threat = log_field
+
+                    if threat:
+                        yield McAfeeMscLogRecord(
+                            ts=from_unix(entry.date),
+                            threat=threat,
+                            message=self._clean_message(entry.details_info),
+                            keywords=",".join(log_fields.values()),
+                            fkey=entry.fkey,
+                        )
+                    else:
+                        yield McAfeeMscFirewallRecord(
+                            ts=from_unix(entry.date),
+                            ip=ip,
+                            protocol=protocol,
+                            port=port,
+                            message=self._clean_message(entry.details_info),
+                            keywords=",".join(log_fields.values()),
+                            fkey=entry.fkey,
+                        )

{dissect.target-3.8.dev38.dist-info → dissect.target-3.8.dev40.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: dissect.target
-Version: 3.8.dev38
+Version: 3.8.dev40
 Summary: This module ties all other Dissect modules together, it provides a programming API and command line tools which allow easy access to various data sources inside disk images or file collections (a.k.a. targets)
 Author-email: Dissect Team <dissect@fox-it.com>
 License: Affero General Public License v3

{dissect.target-3.8.dev38.dist-info → dissect.target-3.8.dev40.dist-info}/RECORD

@@ -72,12 +72,13 @@ dissect/target/loaders/tar.py,sha256=55chcbh9CDTczSmSPJ3O1FrfpXaZTTPL28Oqih8rPOA
 dissect/target/loaders/target.py,sha256=mfkNz586eHb1PuzbwrvRPf9CcoPDLm5wPGFT1_rMH5s,662
 dissect/target/loaders/vb.py,sha256=CnQcn7bAkMzIB1y-lWLtPPXdIVsyeDaT6hTZEurjkV4,2072
 dissect/target/loaders/vbox.py,sha256=bOxsUiJ0IKx2GETs12FJkYChXBVatSkvWdLmhR5XPZc,691
-dissect/target/loaders/velociraptor.py,sha256=rfZXTDm3eSgz29n1GOOswArdRsOf2ctJmSHb8RvCRQ0,2240
+dissect/target/loaders/velociraptor.py,sha256=X-nks-V1QpuEfzDgI0_MPu_Fi--a4BEL6g8dDn_3lHU,2555
 dissect/target/loaders/vma.py,sha256=sWjkQrdq3zAJyckInhvJVsVfihoU4wLM25RMT8L2KWo,519
 dissect/target/loaders/vmx.py,sha256=By8AmbBmVd3U13oIZs9_0mVV3tpWNPoJBLmHZXqs1GE,740
 dissect/target/loaders/xva.py,sha256=66rsZGPwrLOaHtzou5oicYuOdIWQOeKtvvXsGm89dqg,544
 dissect/target/plugins/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 dissect/target/plugins/apps/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+dissect/target/plugins/apps/av/mcafee.py,sha256=GkMLeprZo5mNqH-Ic1bml8tjoau_10vm7HDmE9nHF5Y,5403
 dissect/target/plugins/apps/av/trendmicro.py,sha256=v1Gf2CjZVwtr1xOJjHOEiMtfngMkIc84lITgOHXtjB4,4649
 dissect/target/plugins/apps/containers/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 dissect/target/plugins/apps/containers/docker.py,sha256=Tro1bR4Mvub3lZlsfIocgr8Is3R7kS-g9iztA9jzObs,6289
@@ -252,10 +253,10 @@ dissect/target/volumes/bde.py,sha256=gYGg5yF9MNARwNzEkrEfZmKkxyZW4rhLkpdnPJCbhGk
 dissect/target/volumes/disk.py,sha256=95grSsPt1BLVpKwTclwQYzPFGKTkFFqapIk0RoGWf38,968
 dissect/target/volumes/lvm.py,sha256=zXAfszxNR6tOGrKAtAa_E-JhjI-sXQyR4VYLXD-kqCw,1616
 dissect/target/volumes/vmfs.py,sha256=mlAJ8278tYaoRjk1u6tFFlCaDQUrVu5ZZE4ikiFvxi8,1707
-dissect.target-3.8.dev38.dist-info/COPYRIGHT,sha256=m-9ih2RVhMiXHI2bf_oNSSgHgkeIvaYRVfKTwFbnJPA,301
-dissect.target-3.8.dev38.dist-info/LICENSE,sha256=DZak_2itbUtvHzD3E7GNUYSRK6jdOJ-GqncQ2weavLA,34523
-dissect.target-3.8.dev38.dist-info/METADATA,sha256=ew1Pz3eT-39Um5bKsvAjLbzcwhskP19Dw_2AqAabVZA,9752
-dissect.target-3.8.dev38.dist-info/WHEEL,sha256=pkctZYzUS4AYVn6dJ-7367OJZivF2e8RA9b_ZBjif18,92
-dissect.target-3.8.dev38.dist-info/entry_points.txt,sha256=tvFPa-Ap-gakjaPwRc6Fl6mxHzxEZ_arAVU-IUYeo_s,447
-dissect.target-3.8.dev38.dist-info/top_level.txt,sha256=Mn-CQzEYsAbkxrUI0TnplHuXnGVKzxpDw_po_sXpvv4,8
-dissect.target-3.8.dev38.dist-info/RECORD,,
+dissect.target-3.8.dev40.dist-info/COPYRIGHT,sha256=m-9ih2RVhMiXHI2bf_oNSSgHgkeIvaYRVfKTwFbnJPA,301
+dissect.target-3.8.dev40.dist-info/LICENSE,sha256=DZak_2itbUtvHzD3E7GNUYSRK6jdOJ-GqncQ2weavLA,34523
+dissect.target-3.8.dev40.dist-info/METADATA,sha256=6qDgBpgS4hDq07AxHuGwssySQBk0doDOKqPsjtADqx4,9752
+dissect.target-3.8.dev40.dist-info/WHEEL,sha256=pkctZYzUS4AYVn6dJ-7367OJZivF2e8RA9b_ZBjif18,92
+dissect.target-3.8.dev40.dist-info/entry_points.txt,sha256=tvFPa-Ap-gakjaPwRc6Fl6mxHzxEZ_arAVU-IUYeo_s,447
+dissect.target-3.8.dev40.dist-info/top_level.txt,sha256=Mn-CQzEYsAbkxrUI0TnplHuXnGVKzxpDw_po_sXpvv4,8
+dissect.target-3.8.dev40.dist-info/RECORD,,