plaso.filters package
Submodules
plaso.filters.dynamic_filter module
The dynamic event object filter.

class plaso.filters.dynamic_filter.DynamicFilter
Bases: plaso.filters.event_filter.EventObjectFilter
Event filter that supports selective output fields.
This filter is essentially the same as the event object filter except it wraps it in a selection of which fields should be included by an output module that supports selective fields, e.g.
SELECT field_a, field_b WHERE attribute contains 'text'
This will use the event object filter "attribute contains 'text'" and at the same time indicate to the appropriate output module that the user wants only the fields field_a and field_b to be used in the output.

CompileFilter(filter_expression)
Compiles the filter expression.
The filter expression contains an object filter expression extended with selective field selection.
Parameters: filter_expression (str) – filter expression.
Raises: WrongPlugin – if the filter could not be compiled.

fields
list[str] – output fields.

limit
int – row limit.

separator
str – output field separator.

class plaso.filters.dynamic_filter.SelectiveLexer(data='')
Bases: plaso.lib.lexer.Lexer
Selective filter lexer implementation.
The selective (or dynamic) filter allows constructing filter expressions like:
SELECT field_a, field_b WHERE attribute contains 'text'

SetFields(match, **unused_kwargs)
Sets the output fields.
The output fields are the part of the filter expression directly following the SELECT statement.
Parameters: match (re.MatchObject) – a match that contains the output field names.

SetFilter(match, **unused_kwargs)
Sets the filter query.
The filter query is the part of the filter expression directly following the WHERE statement.
Parameters: match (re.MatchObject) – a match that contains the filter query.

SetLimit(match, **unused_kwargs)
Sets the row limit.
Parameters: match (re.MatchObject) – a match that contains the row limit.

SetSeparator(match, **unused_kwargs)
Sets the output field separator.
Parameters: match (re.MatchObject) – a match that contains the output field separator. Note that only the first character is used.

tokens = [<plaso.lib.lexer.Token object>, <plaso.lib.lexer.Token object>, <plaso.lib.lexer.Token object>, <plaso.lib.lexer.Token object>, <plaso.lib.lexer.Token object>, <plaso.lib.lexer.Token object>, <plaso.lib.lexer.Token object>, <plaso.lib.lexer.Token object>, <plaso.lib.lexer.Token object>, <plaso.lib.lexer.Token object>, <plaso.lib.lexer.Token object>, <plaso.lib.lexer.Token object>, <plaso.lib.lexer.Token object>, <plaso.lib.lexer.Token object>, <plaso.lib.lexer.Token object>, <plaso.lib.lexer.Token object>]
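
The split between field selection and event filtering described for DynamicFilter and SelectiveLexer, as an added example that is not plaso code: a standalone parser for the SELECT ... WHERE form shown above, applied to constructed events. The function names, the '-' placeholder for a missing field and the case-sensitive substring reading of contains are assumptions of this example.

```python
import re

# Form shown on this page: SELECT <fields> [WHERE <filter query>]
_SELECT_RE = re.compile(r'^\s*SELECT\s+(.+?)(?:\s+WHERE\s+(.+?))?\s*$', re.DOTALL)
# Only the query form quoted on this page: <attribute> contains '<text>'
_CONTAINS_RE = re.compile(r"^(\w+)\s+contains\s+'([^']*)'$")


def parse_selective(expression):
    """Splits a selective expression into (fields, filter query or None)."""
    match = _SELECT_RE.match(expression)
    if not match:
        raise ValueError('not a selective filter expression')
    fields = [name.strip() for name in match.group(1).split(',')]
    if not all(fields):
        raise ValueError('empty output field name')
    return fields, match.group(2)


def compile_query(filter_query):
    """Returns a predicate over event dicts; no query matches every event."""
    if filter_query is None:
        return lambda event: True
    match = _CONTAINS_RE.match(filter_query)
    if not match:
        raise ValueError('unsupported filter query: ' + filter_query)
    attribute, text = match.groups()
    # Assumption: contains is a case-sensitive substring test.
    return lambda event: text in str(event.get(attribute, ''))


def run(expression, events, separator=','):
    """Returns rows holding only the selected fields of matching events."""
    fields, filter_query = parse_selective(expression)
    predicate = compile_query(filter_query)
    # As documented for SetSeparator, only the first character is used.
    return [separator[0].join(str(event.get(name, '-')) for name in fields)
            for event in events if predicate(event)]


# Constructed sample events, not real plaso output.
EVENTS = [
    {'datetime': '2021-03-01T10:30:00', 'parser': 'syslog',
     'message': 'sshd: Failed password for root'},
    {'datetime': '2021-03-01T10:31:12', 'parser': 'syslog',
     'message': 'cron: session opened for user root'},
    {'datetime': '2021-03-01T10:32:40', 'parser': 'winevtx',
     'message': 'Failed password audit for Administrator'},
]
```

Calling run("SELECT datetime, parser WHERE message contains 'Failed password'", EVENTS) keeps the first and third events and emits only their datetime and parser values.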

plaso.filters.event_filter module
The event filter.

class plaso.filters.event_filter.EventObjectFilter
Bases: plaso.filters.interface.FilterObject
Event filter.

CompileFilter(filter_expression)
Compiles the filter expression.
The filter expression contains an object filter expression.
Parameters: filter_expression (str) – filter expression.
Raises: WrongPlugin – if the filter could not be compiled.

Match(event)
Determines if an event matches the filter.
Parameters: event (EventObject) – an event.
Returns: True if the event matches the filter.
Return type: bool

plaso.filters.file_entry module
File entry filters.

class plaso.filters.file_entry.DateTimeFileEntryFilter
Bases: plaso.filters.file_entry.FileEntryFilter
Date and time-based file entry filter.

AddDateTimeRange(time_value, start_time_string=None, end_time_string=None)
Adds a date time filter range.
The time strings are formatted as:
YYYY-MM-DD hh:mm:ss.######[+-]##:##
Where # are numeric digits ranging from 0 to 9 and the seconds fraction can be either 3 or 6 digits. The time of day, seconds fraction and timezone offset are optional. The default timezone is UTC.
Parameters:
- time_value (str) – time value, such as atime, ctime, crtime, dtime, bkup and mtime.
- start_time_string (str) – start date and time value string.
- end_time_string (str) – end date and time value string.
Raises: ValueError – if the filter is badly formed.

Matches(file_entry)
Compares the file entry against the filter.
Parameters: file_entry (dfvfs.FileEntry) – file entry to compare.
Returns: True if the file entry matches the filter, False if not or None if the filter does not apply.
Return type: bool

Print(output_writer)
Prints a human readable version of the filter.
Parameters: output_writer (CLIOutputWriter) – output writer.
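
An added example, not plaso's implementation, of the time string format and the True/False/None result described for DateTimeFileEntryFilter. The function names, the dictionary standing in for a file entry, the inclusive range bounds and the exact conditions treated as badly formed are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# YYYY-MM-DD hh:mm:ss.######[+-]##:## with optional time of day, optional
# 3- or 6-digit seconds fraction and optional timezone offset (default UTC).
_TIME_RE = re.compile(
    r'^(\d{4})-(\d{2})-(\d{2})'
    r'(?: (\d{2}):(\d{2}):(\d{2})(?:\.(\d{6}|\d{3}))?)?'
    r'(?:([+-])(\d{2}):([0-5]\d))?$')


def parse_time_string(text):
    """Returns an aware UTC datetime; raises ValueError if badly formed."""
    match = _TIME_RE.match(text)
    if not match:
        raise ValueError('badly formed time string: {0!r}'.format(text))
    *parts, fraction, sign, off_hours, off_minutes = match.groups()
    offset = timedelta(hours=int(off_hours or 0), minutes=int(off_minutes or 0))
    if sign == '-':
        offset = -offset
    microseconds = int((fraction or '').ljust(6, '0'))
    local = datetime(*(int(part or 0) for part in parts), microseconds,
                     tzinfo=timezone(offset))
    return local.astimezone(timezone.utc)


def in_range(entry_times, time_value, start=None, end=None):
    """True on a hit, False on a miss, None if the entry lacks time_value."""
    if start is None and end is None:
        raise ValueError('filter needs a start and/or end time string')
    start = parse_time_string(start) if start else None
    end = parse_time_string(end) if end else None
    if start and end and start > end:
        raise ValueError('start time is after end time')
    timestamp = entry_times.get(time_value)
    if timestamp is None:
        return None
    return (not start or start <= timestamp) and (not end or timestamp <= end)


# Constructed file entry for which only a modification time is known.
ENTRY = {'mtime': parse_time_string('2021-03-01 12:30:00.250+02:00')}
```

Normalising both the filter bounds and the file entry times to UTC before comparing keeps a window given with an offset from silently shifting by hours.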

class plaso.filters.file_entry.ExtensionsFileEntryFilter(extensions)
Bases: plaso.filters.file_entry.FileEntryFilter
Extensions-based file entry filter.

Matches(file_entry)
Compares the file entry against the filter.
Parameters: file_entry (dfvfs.FileEntry) – file entry to compare.
Returns: True if the file entry matches the filter, False if not or None if the filter does not apply.
Return type: bool

Print(output_writer)
Prints a human readable version of the filter.
Parameters: output_writer (CLIOutputWriter) – output writer.

class plaso.filters.file_entry.FileEntryFilter
Bases: object
File entry filter interface.

Matches(file_entry)
Compares the file entry against the filter.
Parameters: file_entry (dfvfs.FileEntry) – file entry to compare.
Returns: True if the file entry matches the filter, False if not or None if the filter does not apply.
Return type: bool

Print(output_writer)
Prints a human readable version of the filter.
Parameters: output_writer (CLIOutputWriter) – output writer.

class plaso.filters.file_entry.FileEntryFilterCollection
Bases: object
Collection of file entry filters.

AddFilter(file_entry_filter)
Adds a file entry filter to the collection.
Parameters: file_entry_filter (FileEntryFilter) – file entry filter.

HasFilters()
Determines if filters are defined.
Returns: True if filters are defined.
Return type: bool

Matches(file_entry)
Compares the file entry against the filter collection.
Parameters: file_entry (dfvfs.FileEntry) – file entry to compare.
Returns: True if the file entry matches one of the filters. If no filters are provided or applicable the result will be True.
Return type: bool

Print(output_writer)
Prints a human readable version of the filter.
Parameters: output_writer (CLIOutputWriter) – output writer.

class plaso.filters.file_entry.NamesFileEntryFilter(names)
Bases: plaso.filters.file_entry.FileEntryFilter
Names-based file entry filter.

Matches(file_entry)
Compares the file entry against the filter.
Parameters: file_entry (dfvfs.FileEntry) – file entry to compare.
Returns: True if the file entry matches the filter.
Return type: bool

Print(output_writer)
Prints a human readable version of the filter.
Parameters: output_writer (CLIOutputWriter) – output writer.

class plaso.filters.file_entry.SignaturesFileEntryFilter(specification_store, signature_identifiers)
Bases: plaso.filters.file_entry.FileEntryFilter
Signature-based file entry filter.

Matches(file_entry)
Compares the file entry against the filter.
Parameters: file_entry (dfvfs.FileEntry) – file entry to compare.
Returns: True if the file entry matches the filter, False if not or None if the filter does not apply.
Return type: bool

Print(output_writer)
Prints a human readable version of the filter.
Parameters: output_writer (CLIOutputWriter) – output writer.

plaso.filters.filter_list module
List of object-filters.

class plaso.filters.filter_list.ObjectFilterList
Bases: plaso.filters.interface.FilterObject
A list of object-filters with additional metadata.

CompileFilter(filter_expression)
Compiles the filter expression.
The filter expression contains the name of a YAML file.
Parameters: filter_expression (str) – filter expression.
Raises: WrongPlugin – if the filter could not be compiled.

Match(event)
Determines if an event object matches the filter.
Parameters: event (EventObject) – event.
Returns: True if the filter matched.
Return type: bool

plaso.filters.interface module
Filter interface.

class plaso.filters.interface.FilterObject
Bases: object
Filter object interface.

CompileFilter(filter_expression)
Compiles the filter expression.
Parameters: filter_expression (str) – filter expression.
Raises: WrongPlugin – if the filter could not be compiled.

Match(event)
Determines if an event matches the filter.
Parameters: event (EventObject) – event.
Returns: True if there is a match.
Return type: bool

fields
list[str] – name of the fields.

filter_expression
object – compiled filter expression or None.

filter_name
str – name of the filter.

limit
int – row limit.

separator
str – output field separator.

plaso.filters.manager module
This file contains the event filters manager class.

class plaso.filters.manager.FiltersManager
Bases: object
Filters manager.

classmethod DeregisterFilter(filter_class)
Deregisters a filter class.
The filter classes are identified based on their lower case filter name.
Parameters: filter_class (type) – class object of the filter.
Raises: KeyError – if filter class is not set for the corresponding filter name.

classmethod GetFilterObject(filter_expression)
Creates instances of specific filters.
Parameters: filter_expression (str) – filter expression.
Returns: the first filter found matching the filter string or None if no corresponding filter is available.
Return type: FilterObject

classmethod GetFilterObjects()
Creates instances of the available filters.
Returns: available filters.
Return type: list[FilterObject]

classmethod RegisterFilter(filter_class)
Registers a filter class.
The filter classes are identified based on their lower case filter name.
Parameters: filter_class (type) – class object of the filter.
Raises: KeyError – if filter class is already set for the corresponding filter name.

classmethod RegisterFilters(filter_classes)
Registers filter classes.
The filter classes are identified based on their lower case filter name.
Parameters: filter_classes (list[type]) – class objects of the filters.
Raises: KeyError – if filter class is already set for the corresponding filter name.

classmethod

plaso.filters.path_filter module
A scan tree-based path filter implementation.
The scan tree is a tree based on multiple paths that contains the path segments per node. The most significant path segment is at the root and therefore compared first. More information can be found here: https://github.com/libyal/libsigscan/wiki/Internals#scanning-tree-based-signature-scanning
The scan tree is used in the filter to filter provided paths.

class plaso.filters.path_filter.PathFilterScanTree(paths, case_sensitive=True, path_segment_separator='/')
Bases: object
Class that implements a path filter scan tree.

CheckPath(path, path_segment_separator=None)
Checks if a path matches the scan tree-based path filter.
Parameters:
- path – a string containing the path.
- path_segment_separator – optional string containing the path segment separator. None defaults to the path segment separator that was set when the path filter scan tree was initialized.
Returns: A boolean indicating if the path matches the filter.

class plaso.filters.path_filter.PathFilterScanTreeNode(path_segment_index)
Bases: object
Class that implements a path filter scan tree node.
The path filter scan tree node defines the path segments for a specific path segment index to filter. Each path segment will point to a scan object that indicates the next part of the path filter. A default value indicates the scan object to use next when there was no match.

default_value
the default scan object, either a scan tree sub node (instance of PathFilterScanTreeNode) or a string containing a path.

parent
the parent path filter scan tree node or None.

path_segment_index
an integer containing the path segment index represented by the node.

AddPathSegment(path_segment, scan_object)
Adds a path segment.
Parameters:
- path_segment – a string containing the path segment.
- scan_object – a scan object, either a scan tree sub node (instance of PathFilterScanTreeNode) or a string containing a path.
Raises: ValueError – if the node already contains a scan object for the path segment.

GetScanObject(path_segment)
Retrieves the scan object for a specific path segment.
Parameters: path_segment – a string containing the path segment.
Returns: A scan object, which can be a scan tree sub node (instance of PathFilterScanTreeNode), a path or the default value.

SetDefaultValue(scan_object)
Sets the default (non-match) value.
Parameters: scan_object – a scan object, either a scan tree sub node (instance of PathFilterScanTreeNode) or a string containing a path.
Raises:
- TypeError – if the scan object is of an unsupported type.
- ValueError – if the default value is already set.

ToDebugString(indentation_level=1)
Converts the path filter scan tree node into a debug string.
Parameters: indentation_level – an integer containing the text indentation level.
Returns: A string containing a debug representation of the path filter scan tree node.

path_segments
A list of strings containing the path segments.
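
An added example of the scan tree idea described for this module, written for illustration and not taken from plaso: each node compares one path segment index, maps segments to a sub node or a full path, and falls back to a default value when nothing matches. Treating the index with the most distinct segments as the most significant one is an assumption of this example, and the names Node, build and PathFilter are hypothetical.

```python
class Node(object):
    """Example scan tree node that compares one path segment index."""
    def __init__(self, path_segment_index):
        self.path_segment_index = path_segment_index
        self.path_segments = {}    # segment -> sub node or full path tuple
        self.default_value = None  # scan object used when no segment matches

def build(paths, used=frozenset()):
    """Builds a scan object (Node, path tuple or None) from distinct paths."""
    if len(paths) < 2:
        return paths[0] if paths else None
    # Assumption: the index with the most distinct segments is most significant.
    indexes = sorted(set(range(max(map(len, paths)))) - used)
    index = max(indexes, key=lambda i: len({p[i] for p in paths if i < len(p)}))
    node, groups = Node(index), {}
    for path in paths:
        segment = path[index] if index < len(path) else None
        groups.setdefault(segment, []).append(path)
    for segment, group in groups.items():
        scan_object = build(group, used | {index})
        if segment is None:  # paths too short to have this index
            node.default_value = scan_object
        else:
            node.path_segments[segment] = scan_object
    return node

class PathFilter(object):
    """Exact-match path filter backed by the example scan tree."""
    def __init__(self, paths, case_sensitive=True, separator='/'):
        self._case_sensitive, self._separator = case_sensitive, separator
        self.root = build(sorted({self._split(path) for path in paths}))

    def _split(self, path):
        path = path if self._case_sensitive else path.lower()
        return tuple(path.split(self._separator))

    def check_path(self, path):
        segments, scan_object = self._split(path), self.root
        while isinstance(scan_object, Node):
            index = scan_object.path_segment_index
            segment = segments[index] if index < len(segments) else None
            scan_object = scan_object.path_segments.get(segment, scan_object.default_value)
        # The tree only narrows the candidates; compare the whole path last.
        return scan_object == segments

# Constructed filter paths for a Windows image, matched case-insensitively.
FILTER = PathFilter([r'\Windows\System32\config\SAM',
                     r'\Windows\System32\config\SYSTEM',
                     r'\Users\Public\ntuser.dat'], False, '\\')
```

A path such as \Windows\Temp\config\SAM agrees with a filter path on every segment the tree inspects, so the final whole-path comparison is what rejects it.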

Module contents
This file imports Python modules that register filters.