:py:mod:`dissect.target.plugins.apps.av.mcafee` =============================================== .. py:module:: dissect.target.plugins.apps.av.mcafee Module Contents --------------- Classes ~~~~~~~ .. autoapisummary:: dissect.target.plugins.apps.av.mcafee.McAfeePlugin Attributes ~~~~~~~~~~ .. autoapisummary:: dissect.target.plugins.apps.av.mcafee.McAfeeMscLogRecord dissect.target.plugins.apps.av.mcafee.McAfeeMscFirewallRecord dissect.target.plugins.apps.av.mcafee.re_cdata dissect.target.plugins.apps.av.mcafee.re_strip_tags .. py:data:: McAfeeMscLogRecord .. py:data:: McAfeeMscFirewallRecord .. py:data:: re_cdata .. py:data:: re_strip_tags .. py:class:: McAfeePlugin(target: dissect.target.Target) Bases: :py:obj:`dissect.target.plugin.Plugin` Base class for plugins. Plugins can optionally be namespaced by specifying the ``__namespace__`` class attribute. Namespacing results in your plugin needing to be prefixed with this namespace when being called. For example, if your plugin has specified ``test`` as namespace and a function called ``example``, you must call your plugin with ``test.example``:: A ``Plugin`` class has the following private class attributes: - ``__namespace__`` - ``__record_descriptors__`` With the following three being assigned in :func:`register`: - ``__plugin__`` - ``__functions__`` - ``__exports__`` Additionally, the methods and attributes of :class:`Plugin` receive more private attributes by using decorators. The :func:`export` decorator adds the following private attributes - ``__exported__`` - ``__output__``: Set with the :func:`export` decorator. - ``__record__``: Set with the :func:`export` decorator. The :func:`internal` decorator and :class:`InternalPlugin` set the ``__internal__`` attribute. Finally. :func:`args` decorator sets the ``__args__`` attribute. :param target: The :class:`~dissect.target.target.Target` object to load the plugin for. .. py:attribute:: __namespace__ :value: 'mcafee' .. py:attribute:: DIRS :value: ['sysvol/ProgramData/McAfee/MSC/Logs', '/opt/McAfee/ens/log/tp', '/opt/McAfee/ens/log/esp'] .. py:attribute:: LOG_FILE_PATTERN :value: '*.log' .. py:attribute:: TEMPLATE_ID_INFECTION :value: 102 .. py:attribute:: MARKER_INFECTION :value: '%INFECTION_INFO%' .. py:attribute:: MARKER_SUSPICIOUS_TCP_CONNECTION :value: 'TCP port ' .. py:attribute:: MARKER_SUSPICIOUS_UDP_CONNECTION :value: 'UDP port ' .. py:attribute:: TABLE_LOG :value: 'log' .. py:attribute:: TABLE_FIELD :value: 'field' .. py:method:: check_compatible() -> None Perform a compatibility check with the target. This function should return ``None`` if the plugin is compatible with the current target (``self.target``). For example, check if a certain file exists. Otherwise it should raise an ``UnsupportedPluginError``. :raises UnsupportedPluginError: If the plugin could not be loaded. .. py:method:: get_log_files() -> Iterator[pathlib.Path] .. py:method:: msc() -> Iterator[McAfeeMscLogRecord] Return msc log history records from McAfee. Yields McAfeeMscLogRecord with the following fields: hostname (string): The target hostname. domain (string): The target domain. ts (datetime): timestamp. ip (net.ipadress): IP of suspicious connection (if available). tcp_port (net.tcp.Port): TCP Port of suspicious incoming connection (if available). udp_port (net.udp.Port): UDP Port of suspicious incoming connection (if available). threat (string): Description of the detected threat (if available). message (string): Message as reported in the user interface (might include template slots). keywords (string): Unparsed fields that might be visible in user interface. fkey (string): Foreign key for reference for further investigation.