dissect.target.plugins.apps.av.mcafee
Module Contents
Classes
McAfeePlugin | Base class for plugins.
Attributes
- dissect.target.plugins.apps.av.mcafee.McAfeeMscLogRecord
- dissect.target.plugins.apps.av.mcafee.McAfeeMscFirewallRecord
- dissect.target.plugins.apps.av.mcafee.re_cdata
- dissect.target.plugins.apps.av.mcafee.re_strip_tags
- class dissect.target.plugins.apps.av.mcafee.McAfeePlugin(target: dissect.target.Target)
Bases: dissect.target.plugin.Plugin

Base class for plugins.

Plugins can optionally be namespaced by specifying the __namespace__ class attribute. Namespacing results in your plugin needing to be prefixed with this namespace when being called. For example, if your plugin has specified test as namespace and a function called example, you must call your plugin with test.example.

A Plugin class has the following private class attributes:
- __namespace__
- __record_descriptors__

With the following three being assigned in register():
- __plugin__
- __functions__
- __exports__

Additionally, the methods and attributes of Plugin receive more private attributes by using decorators.

The export() decorator adds the following private attributes:
- __exported__
- __output__: Set with the export() decorator.
- __record__: Set with the export() decorator.

The internal() decorator and InternalPlugin set the __internal__ attribute. Finally, the args() decorator sets the __args__ attribute.

Parameters:
target – The Target object to load the plugin for.
- __namespace__ = 'mcafee'
- DIRS = ['sysvol/ProgramData/McAfee/MSC/Logs', '/opt/McAfee/ens/log/tp', '/opt/McAfee/ens/log/esp']
- LOG_FILE_PATTERN = '*.log'
- TEMPLATE_ID_INFECTION = 102
- MARKER_INFECTION = '%INFECTION_INFO%'
- MARKER_SUSPICIOUS_TCP_CONNECTION = 'TCP port '
- MARKER_SUSPICIOUS_UDP_CONNECTION = 'UDP port '
- TABLE_LOG = 'log'
- TABLE_FIELD = 'field'
- check_compatible() -> None
Perform a compatibility check with the target.
This function should return None if the plugin is compatible with the current target (self.target). For example, check if a certain file exists. Otherwise it should raise an UnsupportedPluginError.
Raises:
UnsupportedPluginError – If the plugin could not be loaded.
- get_log_files() -> Iterator[pathlib.Path]
- msc() -> Iterator[McAfeeMscLogRecord]
Return msc log history records from McAfee.
Yields McAfeeMscLogRecord with the following fields:
- hostname (string): The target hostname.
- domain (string): The target domain.
- ts (datetime): timestamp.
- ip (net.ipaddress): IP of suspicious connection (if available).
- tcp_port (net.tcp.Port): TCP Port of suspicious incoming connection (if available).
- udp_port (net.udp.Port): UDP Port of suspicious incoming connection (if available).
- threat (string): Description of the detected threat (if available).
- message (string): Message as reported in the user interface (might include template slots).
- keywords (string): Unparsed fields that might be visible in user interface.
- fkey (string): Foreign key for reference for further investigation.