A typo in extraction tool prevents filter file path from being written into storage file #4935

Open
nflexfo opened this issue Dec 4, 2024 · 0 comments · May be fixed by #4936
nflexfo commented Dec 4, 2024

Describe the problem:

A typo in plaso/cli/extraction_tool.py prevents the filter file path from being written into the storage file.

To Reproduce:

Plaso: 20241006
OS: Linux
Install: Source (github)

First run:

./scripts/log2timeline.py --filter-file l2t_filter_mft.yaml --storage-file ./plaso.sqlite /dev/null --parsers winevtx

Where l2t_filter_mft is:

description: File system metadata files (MFT).
type: include
path_separator: '\'
paths:
- '\\[$]MFT'

Then:

./scripts/pinfo.py ./plaso.sqlite --verbose

Gives:

************************** Plaso Storage Information ***************************
            Filename : dev.plaso
      Format version : 20230327
Serialization format : json
--------------------------------------------------------------------------------

*********************************** Sessions ***********************************
edd4910d-7e09-479a-b412-e7d7c237d67e : 2024-12-04T14:47:41.996087+00:00
--------------------------------------------------------------------------------

**************** Session: edd4910d-7e09-479a-b412-e7d7c237d67e *****************
                Start time : 2024-12-04T14:47:41.996087+00:00
           Completion time : 2024-12-04T14:47:42.992000+00:00
              Product name : plaso
           Product version : 20241006
    Command line arguments : ./scripts/log2timeline.py --filter-file
                             l2t_filter_mft.yaml --storage-file
                             ./plaso.sqlite /dev/null --parsers winevtx
  Parser filter expression : winevtx
Enabled parser and plugins : winevtx
        Preferred encoding : UTF-8
       Preferred time zone : UTC
                Debug mode : False
          Artifact filters : N/A
               Filter file : N/A
--------------------------------------------------------------------------------

Expected behavior:

The "Filter file" entry should reflect the --filter-file parameter instead of printing "N/A":

************************** Plaso Storage Information ***************************
            Filename : dev.plaso
      Format version : 20230327
Serialization format : json
--------------------------------------------------------------------------------

*********************************** Sessions ***********************************
edd4910d-7e09-479a-b412-e7d7c237d67e : 2024-12-04T14:47:41.996087+00:00
--------------------------------------------------------------------------------

**************** Session: edd4910d-7e09-479a-b412-e7d7c237d67e *****************
                Start time : 2024-12-04T14:47:41.996087+00:00
           Completion time : 2024-12-04T14:47:42.992000+00:00
              Product name : plaso
           Product version : 20241006
    Command line arguments : ./scripts/log2timeline.py --filter-file
                             l2t_filter_mft.yaml --storage-file
                             ./plaso.sqlite /dev/null --parsers winevtx
  Parser filter expression : winevtx
Enabled parser and plugins : winevtx
        Preferred encoding : UTF-8
       Preferred time zone : UTC
                Debug mode : False
          Artifact filters : N/A
               Filter file : l2t_filter_mft.yaml
--------------------------------------------------------------------------------
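For anyone auditing storage files for this problem, the check below cross-references the two fields the report compares: the `--filter-file` option recorded in a session's "Command line arguments" and the session's "Filter file" field. This is an added example written for this page, not plaso's own code; it assumes only the `pinfo.py --verbose` layout shown above (a `Session:` banner, `Key : value` lines with indented continuation lines, a dashed line closing the block). The sample text is constructed from the report's output, trimmed to the fields needed.

```python
"""Consistency check for plaso storage-file session metadata.

Parses the Session block printed by `pinfo.py --verbose` and verifies that
the 'Filter file' field matches the --filter-file option recorded in the
session's own 'Command line arguments'. A mismatch is the symptom reported
in this issue: the option was given, but the field shows N/A.
"""
import re
import shlex

SESSION_RE = re.compile(r"^\*+ Session: ([0-9a-f-]+) \*+$")
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?) : (.*)$")

# Constructed sample: the session block from the report, trimmed to the
# fields this check needs. 'N/A' reproduces the bug; FIXED_OUTPUT is the
# same block once the filter file path is written to the storage file.
BUGGY_OUTPUT = """\
**************** Session: edd4910d-7e09-479a-b412-e7d7c237d67e *****************
                Start time : 2024-12-04T14:47:41.996087+00:00
              Product name : plaso
    Command line arguments : ./scripts/log2timeline.py --filter-file
                             l2t_filter_mft.yaml --storage-file
                             ./plaso.sqlite /dev/null --parsers winevtx
          Artifact filters : N/A
               Filter file : N/A
--------------------------------------------------------------------------------
"""
FIXED_OUTPUT = BUGGY_OUTPUT.replace("Filter file : N/A",
                                    "Filter file : l2t_filter_mft.yaml")


def parse_sessions(pinfo_text):
    """Return {session_id: {field: value}} from pinfo --verbose output.

    Values wrapped onto indented continuation lines are joined with a space,
    so a multi-line 'Command line arguments' comes back as one string.
    """
    sessions = {}
    current = None
    last_key = None
    for line in pinfo_text.splitlines():
        banner = SESSION_RE.match(line)
        if banner:
            current = sessions.setdefault(banner.group(1), {})
            last_key = None
            continue
        if current is None:
            continue  # outside any session block
        if line.startswith("----"):
            current = None  # dashed rule closes the session block
            continue
        field = FIELD_RE.match(line)
        if field:
            last_key = field.group(1)
            current[last_key] = field.group(2).strip()
        elif line[:1].isspace() and last_key is not None:
            current[last_key] += " " + line.strip()  # continuation line
    return sessions


def filter_file_from_command_line(command_line):
    """Extract the --filter-file value ('--filter-file X' or '--filter-file=X').

    Returns None when the option is absent.
    """
    args = shlex.split(command_line)
    for i, arg in enumerate(args):
        if arg == "--filter-file" and i + 1 < len(args):
            return args[i + 1]
        if arg.startswith("--filter-file="):
            return arg.split("=", 1)[1]
    return None


def check_filter_file(session):
    """Return (ok, expected, recorded); 'N/A' counts as 'nothing recorded'."""
    expected = filter_file_from_command_line(
        session.get("Command line arguments", ""))
    recorded = session.get("Filter file", "N/A")
    if recorded == "N/A":
        recorded = None
    return (expected == recorded, expected, recorded)


def audit(pinfo_text):
    """Run the check over every session in the pinfo output."""
    return {sid: check_filter_file(fields)
            for sid, fields in parse_sessions(pinfo_text).items()}


if __name__ == "__main__":
    for label, text in (("buggy", BUGGY_OUTPUT), ("fixed", FIXED_OUTPUT)):
        for sid, (ok, expected, recorded) in audit(text).items():
            status = "OK" if ok else "MISMATCH"
            print(f"{label} {sid}: {status} "
                  f"(command line: {expected!r}, storage file: {recorded!r})")
```

Run against `pinfo.py ./plaso.sqlite --verbose | python check.py` style input (reading stdin instead of the embedded sample), a MISMATCH line tells you the storage file's provenance metadata does not reflect the filtering that was actually applied during extraction, which matters when the storage file is later relied on as the record of what was collected.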