Code review: 306720043: Create analyzers subsystem, add Yara support.…

… Addresses #785 and #313
log2timeline · Jul 20, 2016 · 5563a4a · 5563a4a
1 parent e6530a9
commit 5563a4a
Show file tree

Hide file tree

Showing 51 changed files with 1,102 additions and 258 deletions.
diff --git a/config/dpkg/changelog b/config/dpkg/changelog
@@ -2,4 +2,4 @@ plaso (1.4.1-1) unstable; urgency=low
 
   * Auto-generated
 
- -- Log2Timeline <[email protected]>  Tue, 19 Jul 2016 20:49:39 +0200
+ -- Log2Timeline <[email protected]>  Wed, 20 Jul 2016 15:46:54 +0200
diff --git a/config/linux/install_gift_and_dependencies.sh b/config/linux/install_gift_and_dependencies.sh
@@ -43,6 +43,7 @@ PLASO_DEPENDENCIES="ipython
                    python-xlsxwriter
                    python-yaml
                    python-tz
+                   python-yara
                    python-zmq"
 
 # Additional dependencies for running Plaso tests, alphabetized,

diff --git a/data/tag_windows.txt b/data/tag_windows.txt
@@ -21,7 +21,7 @@ application_removal
   data_type is 'windows:evtx:record' and source_name is 'Microsoft-Windows-Application-Experience' and event_identifier is 908
 
 document_open
-  data_type is 'windows:registry:key_value' AND plugin contains 'mru' AND regvalue.__all__ not contains '.exe' AND timestamp > 0
+  data_type is 'windows:registry:key_value' AND plugin contains 'mru' AND regvalue.__all__ notcontains '.exe' AND timestamp > 0
 
 login_failed
   data_type is 'windows:evtx:record' and source_name is 'Microsoft-Windows-Security-Auditing' and event_identifier is 4625

diff --git a/docs/plaso.analyzers.hashers.rst b/docs/plaso.analyzers.hashers.rst
@@ -0,0 +1,54 @@
+plaso.analyzers.hashers package
+===============================
+
+Submodules
+----------
+
+plaso.analyzers.hashers.interface module
+----------------------------------------
+
+.. automodule:: plaso.analyzers.hashers.interface
+    :members:
+    :undoc-members:
+    :show-inheritance:
+
+plaso.analyzers.hashers.manager module
+--------------------------------------
+
+.. automodule:: plaso.analyzers.hashers.manager
+    :members:
+    :undoc-members:
+    :show-inheritance:
+
+plaso.analyzers.hashers.md5 module
+----------------------------------
+
+.. automodule:: plaso.analyzers.hashers.md5
+    :members:
+    :undoc-members:
+    :show-inheritance:
+
+plaso.analyzers.hashers.sha1 module
+-----------------------------------
+
+.. automodule:: plaso.analyzers.hashers.sha1
+    :members:
+    :undoc-members:
+    :show-inheritance:
+
+plaso.analyzers.hashers.sha256 module
+-------------------------------------
+
+.. automodule:: plaso.analyzers.hashers.sha256
+    :members:
+    :undoc-members:
+    :show-inheritance:
+
+
+Module contents
+---------------
+
+.. automodule:: plaso.analyzers.hashers
+    :members:
+    :undoc-members:
+    :show-inheritance:
diff --git a/docs/plaso.analyzers.rst b/docs/plaso.analyzers.rst
@@ -0,0 +1,53 @@
+plaso.analyzers package
+=======================
+
+Subpackages
+-----------
+
+.. toctree::
+
+    plaso.analyzers.hashers
+
+Submodules
+----------
+
+plaso.analyzers.hashing_analyzer module
+---------------------------------------
+
+.. automodule:: plaso.analyzers.hashing_analyzer
+    :members:
+    :undoc-members:
+    :show-inheritance:
+
+plaso.analyzers.interface module
+--------------------------------
+
+.. automodule:: plaso.analyzers.interface
+    :members:
+    :undoc-members:
+    :show-inheritance:
+
+plaso.analyzers.manager module
+------------------------------
+
+.. automodule:: plaso.analyzers.manager
+    :members:
+    :undoc-members:
+    :show-inheritance:
+
+plaso.analyzers.yara_analyzer module
+------------------------------------
+
+.. automodule:: plaso.analyzers.yara_analyzer
+    :members:
+    :undoc-members:
+    :show-inheritance:
+
+
+Module contents
+---------------
+
+.. automodule:: plaso.analyzers
+    :members:
+    :undoc-members:
+    :show-inheritance:
diff --git a/docs/plaso.containers.rst b/docs/plaso.containers.rst
@@ -4,6 +4,14 @@ plaso.containers package
 Submodules
 ----------
 
+plaso.containers.analyzer_result module
+---------------------------------------
+
+.. automodule:: plaso.containers.analyzer_result
+    :members:
+    :undoc-members:
+    :show-inheritance:
+
 plaso.containers.artifacts module
 ---------------------------------
 

diff --git a/docs/plaso.rst b/docs/plaso.rst
@@ -7,13 +7,13 @@ Subpackages
 .. toctree::
 
     plaso.analysis
+    plaso.analyzers
     plaso.cli
     plaso.containers
     plaso.engine
     plaso.filters
     plaso.formatters
     plaso.frontend
-    plaso.hashers
     plaso.lib
     plaso.multi_processing
     plaso.output

diff --git a/plaso/__init__.py b/plaso/__init__.py
@@ -9,7 +9,7 @@
 __version__ = '1.4.1'
 
 VERSION_DEV = True
-VERSION_DATE = '20160719'
+VERSION_DATE = '20160720'
 
 
 def GetVersion():

diff --git a/plaso/analyzers/__init__.py b/plaso/analyzers/__init__.py
@@ -0,0 +1,4 @@
+# -*- coding: utf-8 -*-
+"""This file contains an import statement for each analyzer."""
+from plaso.analyzers import hashing_analyzer
+from plaso.analyzers import yara_analyzer
diff --git a/plaso/analyzers/hashers/__init__.py b/plaso/analyzers/hashers/__init__.py
@@ -0,0 +1,5 @@
+# -*- coding: utf-8 -*-
+"""This file contains an import statement for each hasher."""
+from plaso.analyzers.hashers import md5
+from plaso.analyzers.hashers import sha1
+from plaso.analyzers.hashers import sha256
diff --git a/plaso/hashers/interface.py → plaso/analyzers/hashers/interface.py b/plaso/hashers/interface.py → plaso/analyzers/hashers/interface.py
@@ -1,34 +1,30 @@
 # -*- coding: utf-8 -*-
-"""This file contains a class to provide a hashing framework to Plaso.
-
-This class contains a base framework class for parsing files.
-"""
-
+"""The hasher interface."""
 import abc
 
 
 class BaseHasher(object):
-  """Class that provides the interface for hashing functionality."""
+  """Base class for objects that calculate hashes."""
 
   NAME = u'base_hasher'
-  DESCRIPTION = u''
+  DESCRIPTION = u'Calculates a digest hash over input data.'
 
   @abc.abstractmethod
   def GetBinaryDigest(self):
     """Retrieves the digest of the hash function as a binary string.
 
     Returns:
-      A binary string hash digest calculated over the data blocks passed to
-      Update().
+      bytes: binary hash digest calculated over the data blocks passed to
+          Update().
     """
 
   @abc.abstractmethod
   def GetStringDigest(self):
     """Retrieves the digest of the hash function expressed as a Unicode string.
 
     Returns:
-      A string hash digest calculated over the data blocks passed to
-      Update(). The string will consist of printable Unicode characters.
+      str: string hash digest calculated over the data blocks passed to
+          Update(). The string consists of printable Unicode characters.
     """
 
   @abc.abstractmethod
@@ -39,5 +35,5 @@ def Update(self, data):
     concatenation of the arguments.
 
     Args:
-      data: a string of data with which to update the context of the hasher.
+      data(bytes): data with which to update the context of the hasher.
     """
Original file line number	Diff line number	Diff line change
Expand Up		@@ -2,4 +2,4 @@ plaso (1.4.1-1) unstable; urgency=low

		* Auto-generated

		-- Log2Timeline <[email protected]> Tue, 19 Jul 2016 20:49:39 +0200
		-- Log2Timeline <[email protected]> Wed, 20 Jul 2016 15:46:54 +0200