format string swap in welm data
tomrade committed Jul 25, 2020
1 parent d00717f commit 89e4242
Showing 4 changed files with 393,842 additions and 40,250 deletions.
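--- a/lib/nom.py
+++ b/lib/nom.py
@@ -181,7 +181,7 @@ def dict_fetch(self,source,key):
 
 # Get values form EVTX-RS json which may be attributes from XML land
 def get_value(item):
-if not item:
+if item != 0 and item == None:
 return None
 if isinstance(item,dict):
 output = {}
@@ -208,6 +208,8 @@ def get_section(item):
 value = get_value(item[field])
 if value != None:
 output[field.lower()] = value
+if value == 0:
+output[field.lower()] = str(value)
 return output
 
 
@@ -228,7 +230,21 @@ def nom_file(filename,welm_map):
 event['eventid']
 )
 if key in welm_map:
-event['message'] = welm_map[key]
+if welm_map[key]['swap_mode']:
+if event.get('event_data') or False:
+swap_target = 'event_data'
+elif event.get('user_data') or False:
+swap_target = 'user_data'
+else:
+swap_target = None
+event['message'] = welm_map[key]['format_string']
+if swap_target:
+swap_values = ['bump']
+for param in welm_map[key]['params']:
+swap_values.append(event[swap_target].get(param) or "bork")
+event['message'] = welm_map[key]['format_string'].format(*swap_values)
+else:
+event['message'] = welm_map[key]['format_string']
 else:
 event['message'] = "{} | {} | {} | Unknown Message String".format(
 event['eventid'],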
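Review bot: `welm_map[key]['format_string'].format(*swap_values)` in the nom_file hunk raises when a map entry's placeholder index exceeds the params list (IndexError) or when the message text contains literal braces that the `%N` rewrite did not produce (KeyError/ValueError), and because nothing here catches it one bad map entry aborts parsing of the whole file; I'd fall back to the unformatted template in that case, as below. Separately, `event[swap_target].get(param) or "bork"` turns a legitimate empty-string value into "bork", which works against the zero-preserving `str(value)` case added in the get_section hunk; `event[swap_target].get(param, "bork")` keeps such values. In the get_value hunk `item != 0 and item == None` reduces to `item is None`. nom_file's body starts and ends outside the hunk.
```python
if swap_target:
    swap_values = ['bump']
    for param in welm_map[key]['params']:
        swap_values.append(event[swap_target].get(param, "bork"))
    try:
        event['message'] = welm_map[key]['format_string'].format(*swap_values)
    except (IndexError, KeyError, ValueError):
        # map entry and event parameters disagree; keep the unformatted template
        event['message'] = welm_map[key]['format_string']
# … unchanged: non-swap branch and unknown-message fallback …
```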
29 changes: 24 additions & 5 deletions welm/parse_welm.py
@@ -1,9 +1,10 @@
import json
import sys
import os

from collections import OrderedDict
import re
# This is to parse the WELMS into our JSON map file

regex = re.compile('\\%[0-9]{1,2}[^0-9]|$')

def parse_event(event):
channel = event['LoggedTo']['Name']
Expand All @@ -12,22 +13,40 @@ def parse_event(event):
eventid = event['Id']['Value']
#print("====" * 12)
#print(channel,provider,eventid)
params = []
for param in event['Parameters']:
params.append(param.lower())
#print(json.dumps(params,indent=2))
# replace %1 etc with {} for faster mapping in evtx-nomS
if re.search(regex,message):
format_string = re.sub(r'(\%([0-9]{1,2}))([^0-9]|$)',r'{\2}\3',message)
swap_mode = True
num_var = format_string.count('{}')
#s = slice(0,num_var)
#params = params[s]
else:
swap_mode = False
format_string = message
params = []


return {
"channel" : channel,
"provider" : provider,
"eventid" : eventid,
"message" : message
"message" : {'raw': message, 'params' : params, "format_string" : format_string, "swap_mode" : swap_mode},
"params" : params
}


def process_file(filename,welm_map):
with open(filename,'r') as in_file:
data = json.load(in_file)
data = json.load(in_file, object_pairs_hook=OrderedDict)
for item in data:
log = parse_event(item)
if log['channel'] == "":
continue
if log['message'] == "":
if log['message']['format_string'] == "":
continue
if log['channel'] in welm_map:
if log['provider'] in welm_map[log['channel']]:
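Review bot: The pattern `'\\%[0-9]{1,2}[^0-9]|$'` on the `regex =` line alternates the placeholder match with a bare `$`, which matches the end of every string, so `re.search(regex,message)` in parse_event is truthy for every message, `swap_mode` is never False and the `else` branch that clears params is dead. The alternation needs grouping, `regex = re.compile(r'%[0-9]{1,2}([^0-9]|$)')`, which also matches the `re.sub` pattern used just below it. `num_var = format_string.count('{}')` is always 0 because the substitution emits `{1}`, `{2}`, … rather than `{}`, so it and the commented-out slice can go. The return value now carries the params twice, inside `message` and as the top-level `"params"` key; one copy is enough. parse_event's header and process_file's tail are outside the hunk.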