Visualize_Logs.objects package

Submodules

Visualize_Logs.objects.CuckooJSONReport module

class Visualize_Logs.objects.CuckooJSONReport.CuckooJSONReport(jsonreportfile=None, jsonreportdict=None, plotnetwork=True, plotfiles=True, plotfilecreates=True, plotfiledeletes=True, plotfilemoves=True, plotfilecopies=True, plotfilewrites=True, plotfilereads=True, plotregistry=True, plotregistrywrites=True, plotregistryreads=True, plotregistrydeletes=True, plotregistrycreates=True, ignorepaths=None, includepaths=None)[source]

Bases: object

Class to hold Cuckoo-Modified JSON reports.

https://github.com/spender-sandbox/cuckoo-modified

DiGraph = None

This holds the Networkx digraph to be plotted.

IPProto = {0: 'IPPROTO_IP', 1: 'IPPROTO_ICMP', 4: 'IPPROTO_IGMP', 6: 'IPPROTO_TCP', 8: 'IPPROTO_EGP', 137: 'IPPROTO_MPLS', 12: 'IPPROTO_PUP', 17: 'IPPROTO_UDP', 132: 'IPPROTO_SCTP', 92: 'IPPROTO_MTP', 29: 'IPPROTO_IDP', 94: 'IPPROTO_BEETPH', 33: 'IPPROTO_DCCP', 98: 'IPPROTO_ENCAP', 103: 'IPPROTO_PIM', 41: 'IPPROTO_IPV6', 108: 'IPPROTO_COMP', 46: 'IPPROTO_RSVP', 47: 'IPPROTO_GRE', 136: 'IPPROTO_UDPLITE', 50: 'IPPROTO_ESP', 51: 'IPPROTO_AH', 255: 'IPPROTO_RAW'}

Information available: http://lxr.free-electrons.com/source/include/uapi/linux/in.h

edgemetadata = {}

This is a dict of (edge1,edge2) that will hold dicts of metadata for each edge.

graphvizprog = None

This is the graphviz program used to generate the layout.

ignorepaths = []

List of regular expressions to ignore in file or registry data.

includepaths = []

List of regular expressions to include in file or registry data.

jsonreportdata = None

This holds the actual data of the JSON report.

jsonreportfile = None

The JSON report file path.

nodemetadata = {}

This is a dict that will hold dicts of metadata for each node.

plotgraph(graphvizprog='sfdp', filename='temp-plot.html', title=None, auto_open=True, image=None, image_filename='plot_image', image_height=600, image_width=800)[source]

Function to plot the graph of the Cuckoo JSON report.

Parameters:
  • graphvizprog – The graphviz program to use for layout, valid options are ‘dot’, ‘neato’, ‘twopi’, ‘circo’, ‘fdp’, ‘sfdp’, ‘patchwork’, and ‘osage’. Graphviz is REQUIRED to be installed and in your path to use this library! The associated layout programs must be available in your path as well. More information for the layout types can be found here: http://www.graphviz.org/Documentation.php. If this value is None, the internal networkx layout algorithms will be used.
  • filename – A file name for the interactive HTML plot.
  • title – A title for the plot.
  • auto_open – Set to False to not open the file in a web browser.
  • image – An image type of ‘png’, ‘jpeg’, ‘svg’, ‘webp’, or None.
  • image_filename – The file name for the exported image.
  • image_height – The number of pixels for the image height.
  • image_width – The number of pixels for the image width.
Returns:

Nothing

rootpid = None

This is the pid of the root node (the node at the top of the graph).

Visualize_Logs.objects.Exceptions module

exception Visualize_Logs.objects.Exceptions.VisualizeLogsBadFunctionInput(inputname)[source]

Bases: Exception

Exception for when bad input is given to a function.

exception Visualize_Logs.objects.Exceptions.VisualizeLogsInvalidFile(filepath)[source]

Bases: Exception

Exception for when a file does not exist or is invalid.

exception Visualize_Logs.objects.Exceptions.VisualizeLogsInvalidFileStructure(filepath)[source]

Bases: Exception

Exception for when a file’s content is not structured correctly.

exception Visualize_Logs.objects.Exceptions.VisualizeLogsMissingRequiredField(filepath, field)[source]

Bases: Exception

Exception for when a file’s content is missing a data field.

exception Visualize_Logs.objects.Exceptions.VisualizeLogsParseError(data)[source]

Bases: Exception

Exception for when data cannot be parsed correctly.

Visualize_Logs.objects.ProcMonCSV module

class Visualize_Logs.objects.ProcMonCSV.ProcMonCSV(csvlogfile=None)[source]

Bases: object

Class to hold ProcMon CSV logs.

https://technet.microsoft.com/en-us/sysinternals/processmonitor.aspx

ignorepaths = []

List of regular expressions to ignore in Path column.

includepaths = []

List of regular expressions to include in Path column.

plotgraph(graphvizprog='sfdp', showproclabels=True, showtcplabels=True, showudplabels=True, showfilelabels=True, showhostlabels=True, showreglabels=True, plottcpconnects=True, plotudpsends=True, plotudprecvs=True, plotfilereads=True, plotfilewrites=True, plotfiledeletes=True, plotfilerenames=True, plotregwrites=True, plotregreads=True, plotregdeletes=True, ignorepaths=None, includepaths=None, filename='temp-plot.html', title=None, auto_open=True, image=None, image_filename='plot_image', image_height=600, image_width=800)[source]

Function to plot the graph of the ProcMon CSV.

Parameters:
  • graphvizprog – The graphviz program to use for layout, valid options are ‘dot’, ‘neato’, ‘twopi’, ‘circo’, ‘fdp’, ‘sfdp’, ‘patchwork’, and ‘osage’. Graphviz is REQUIRED to be installed and in your path to use this library! The associated layout programs must be available in your path as well. More information for the layout types can be found here: http://www.graphviz.org/Documentation.php. If this value is None, the internal networkx layout algorithms will be used.
  • showproclabels – If True will turn on labels on the processes. Set to False to clean up your plot and not show the labels. The data can be viewed with mouse overs either way.
  • showtcplabels – If True will turn on labels on the TCP connects. Set to False to clean up your plot and not show the labels. The data can be viewed with mouse overs either way.
  • showudplabels – If True will turn on labels on the UDP traffic. Set to False to clean up your plot and not show the labels. The data can be viewed with mouse overs either way.
  • showfilelabels – If True will turn on labels on the File IO. Set to False to clean up your plot and not show the labels. The data can be viewed with mouse overs either way.
  • showhostlabels – If True will turn on labels for the hosts. Set to False to clean up your plot and not show the labels. The data can be viewed with mouse overs either way.
  • showreglabels – If True will turn on labels for the registry. Set to False to clean up your plot and not show the labels. The data can be viewed with mouse overs either way.
  • plottcpconnects – Set to False to remove TCP connections.
  • plotudpsends – Set to False to remove UDP sends. This option can be noisy if True.
  • plotudprecvs – Set to False to remove UDP receives. This option can be noisy if True.
  • plotfilereads – Set to False to remove File Reads.
  • plotfilewrites – Set to False to remove File Writes.
  • plotfiledeletes – Set to False to remove File Deletes.
  • plotfilerenames – Set to False to remove File Renames.
  • plotregwrites – Set to False to remove registry writes.
  • plotregreads – Set to False to remove registry reads.
  • plotregdeletes – Set to False to remove registry deletes.
  • ignorepaths – Set this to a list of regular expressions. If the regular expression fires in the Path column, that event will not be plotted. Set to None to ignore this option. This is case insensitive. Remember to double escape since this is interpreted twice!
  • includepaths – Set this to a list of regular expressions. If the regular expression fires in the Path column, that event will be plotted. This overrides ignores from ignorepaths above. Set to None to ignore this option. This is case insensitive. Remember to double escape since this is interpreted twice!
  • filename – A file name for the interactive HTML plot.
  • title – A title for the plot.
  • auto_open – Set to False to not open the file in a web browser.
  • image – An image type of ‘png’, ‘jpeg’, ‘svg’, ‘webp’, or None.
  • image_filename – The file name for the exported image.
  • image_height – The number of pixels for the image height.
  • image_width – The number of pixels for the image width.
Returns:

Nothing

Module contents