Prepare project for Pypi

Update docs
wagga40 · Aug 30, 2023 · a368f2c · a368f2c
1 parent dda4834
commit a368f2c
Show file tree

Hide file tree

Showing 12 changed files with 154,069 additions and 150,501 deletions.
diff --git a/docs/Zircolite_manual.pdf b/docs/Zircolite_manual.pdf
diff --git a/rules/rules_linux.json b/rules/rules_linux.json
diff --git a/rules/rules_windows_generic.json b/rules/rules_windows_generic.json
diff --git a/rules/rules_windows_generic_full.json b/rules/rules_windows_generic_full.json
diff --git a/rules/rules_windows_generic_high.json b/rules/rules_windows_generic_high.json
diff --git a/rules/rules_windows_generic_medium.json b/rules/rules_windows_generic_medium.json
diff --git a/rules/rules_windows_sysmon.json b/rules/rules_windows_sysmon.json
diff --git a/rules/rules_windows_sysmon_full.json b/rules/rules_windows_sysmon_full.json
diff --git a/rules/rules_windows_sysmon_high.json b/rules/rules_windows_sysmon_high.json
diff --git a/rules/rules_windows_sysmon_medium.json b/rules/rules_windows_sysmon_medium.json
diff --git a/zircolite.py b/zircolite.py
@@ -41,19 +41,19 @@
 
 
 def signal_handler(sig, frame):
- consoleLogger.info("[-] Execution interrupted !")
+ print("[-] Execution interrupted !")
  sys.exit(0)
 
 
-def quitOnError(message):
- consoleLogger.error(message)
+def quitOnError(message, logger=None):
+ logger.error(message)
  sys.exit(1)
 
 
-def checkIfExists(path, errorMessage):
+def checkIfExists(path, errorMessage, logger=None):
  """Test if path provided is a file"""
  if not (Path(path).is_file()):
- quitOnError(errorMessage)
+ quitOnError(errorMessage, logger)
 
 
 def initLogger(debugMode, logFile=None):
@@ -1507,8 +1507,8 @@ def avoidFiles(pathList, avoidFilesList):
 ################################################################
 # MAIN()
 ################################################################
-if __name__ == "__main__":
- version = "2.9.10"
+def main():
+ version = "2.9.14"
 
  # Init Args handling
  parser = argparse.ArgumentParser()
@@ -1840,7 +1840,8 @@ def avoidFiles(pathList, avoidFilesList):
  if args.remote is not None:
  if not forwarder.networkCheck():
  quitOnError(
- f"{Fore.RED} [-] Remote host cannot be reached : {args.remote}{Fore.RESET}"
+ f"{Fore.RED} [-] Remote host cannot be reached : {args.remote}{Fore.RESET}",
+ consoleLogger,
  )
 
  # Checking provided timestamps
@@ -1849,33 +1850,39 @@ def avoidFiles(pathList, avoidFilesList):
  eventsBefore = time.strptime(args.before, "%Y-%m-%dT%H:%M:%S")
  except:
  quitOnError(
- f"{Fore.RED} [-] Wrong timestamp format. Please use 'AAAA-MM-DDTHH:MM:SS'"
+ f"{Fore.RED} [-] Wrong timestamp format. Please use 'AAAA-MM-DDTHH:MM:SS'",
+ consoleLogger,
  )
 
  binPath = args.evtx_dump
 
  # Check ruleset arg
  for ruleset in args.ruleset:
  checkIfExists(
- ruleset, f"{Fore.RED} [-] Cannot find ruleset : {ruleset}{Fore.RESET}"
+ ruleset,
+ f"{Fore.RED} [-] Cannot find ruleset : {ruleset}. Default rulesets are available here : https:/wagga40/Zircolite-Rules{Fore.RESET}",
+ consoleLogger,
  )
  # Check templates args
  readyForTemplating = False
  if args.template is not None:
  if args.csv:
  quitOnError(
- f"{Fore.RED} [-] You cannot use templates in CSV mode{Fore.RESET}"
+ f"{Fore.RED} [-] You cannot use templates in CSV mode{Fore.RESET}",
+ consoleLogger,
  )
  if (args.templateOutput is None) or (
  len(args.template) != len(args.templateOutput)
  ):
  quitOnError(
- f"{Fore.RED} [-] Number of templates output must match number of templates{Fore.RESET}"
+ f"{Fore.RED} [-] Number of templates output must match number of templates{Fore.RESET}",
+ consoleLogger,
  )
  for template in args.template:
  checkIfExists(
  template[0],
- f"{Fore.RED} [-] Cannot find template : {template[0]}{Fore.RESET}",
+ f"{Fore.RED} [-] Cannot find template : {template[0]}. DEfault templates are available here : https:/wagga40/Zircolite/tree/master/templates{Fore.RESET}",
+ consoleLogger,
  )
  readyForTemplating = True
 
@@ -1887,7 +1894,10 @@ def avoidFiles(pathList, avoidFilesList):
 
  # If on-disk DB already exists, quit.
  if args.ondiskdb != ":memory:" and (Path(args.ondiskdb).is_file()):
- quitOnError(f"{Fore.RED} [-] On-disk database already exists{Fore.RESET}")
+ quitOnError(
+ f"{Fore.RED} [-] On-disk database already exists{Fore.RESET}",
+ consoleLogger,
+ )
 
  # Start time counting
  start_time = time.time()
@@ -1936,14 +1946,16 @@ def avoidFiles(pathList, avoidFilesList):
  LogList = [LogPath]
  else:
  quitOnError(
- f"{Fore.RED} [-] Unable to find events from submitted path{Fore.RESET}"
+ f"{Fore.RED} [-] Unable to find events from submitted path{Fore.RESET}",
+ consoleLogger,
  )
 
  # Applying file filters in this order : "select" than "avoid"
  FileList = avoidFiles(selectFiles(LogList, args.select), args.avoid)
  if len(FileList) <= 0:
  quitOnError(
- f"{Fore.RED} [-] No file found. Please verify filters, directory or the extension with '--fileext' or '--file-pattern'{Fore.RESET}"
+ f"{Fore.RED} [-] No file found. Please verify filters, directory or the extension with '--fileext' or '--file-pattern'{Fore.RESET}",
+ consoleLogger,
  )
 
  if not args.jsononly:
@@ -1971,10 +1983,14 @@ def avoidFiles(pathList, avoidFilesList):
  LogJSONList = FileList
 
  checkIfExists(
- args.config, f"{Fore.RED} [-] Cannot find mapping file{Fore.RESET}"
+ args.config,
+ f"{Fore.RED} [-] Cannot find mapping file, you can get the default one here : https:/wagga40/Zircolite/blob/master/config/fieldMappings.json {Fore.RESET}",
+ consoleLogger,
  )
  if LogJSONList == []:
- quitOnError(f"{Fore.RED} [-] No JSON files found.{Fore.RESET}")
+ quitOnError(
+ f"{Fore.RED} [-] No JSON files found.{Fore.RESET}", consoleLogger
+ )
 
  # Print field list and exit
  if args.fieldlist:
@@ -2083,3 +2099,7 @@ def avoidFiles(pathList, avoidFilesList):
 
  zircoliteCore.close()
  consoleLogger.info(f"\nFinished in {int((time.time() - start_time))} seconds")
+
+
+if __name__ == "__main__":
+ main()
diff --git a/zircolite_dev.py b/zircolite_dev.py
@@ -40,17 +40,17 @@
 urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
 
 def signal_handler(sig, frame):
- consoleLogger.info("[-] Execution interrupted !")
+ print("[-] Execution interrupted !")
  sys.exit(0)
 
-def quitOnError(message):
- consoleLogger.error(message)
+def quitOnError(message, logger=None):
+ logger.error(message)
  sys.exit(1)
 
-def checkIfExists(path, errorMessage):
- """ Test if path provided is a file """
+def checkIfExists(path, errorMessage, logger=None):
+ """Test if path provided is a file"""
  if not (Path(path).is_file()):
- quitOnError(errorMessage)
+ quitOnError(errorMessage, logger)
 
 def initLogger(debugMode, logFile=None):
  fileLogLevel = logging.INFO
@@ -1056,8 +1056,8 @@ def avoidFiles(pathList, avoidFilesList):
 ################################################################
 # MAIN()
 ################################################################
-if __name__ == '__main__':
- version = "2.9.10"
+def main():
+ version = "2.9.14"
 
  # Init Args handling
  parser = argparse.ArgumentParser()
@@ -1156,28 +1156,28 @@ def avoidFiles(pathList, avoidFilesList):
  # Init Forwarding
  forwarder = eventForwarder(remote=args.remote, timeField=args.timefield, token=args.token, logger=consoleLogger, index=args.index, login=args.eslogin, password=args.espass)
  if args.remote is not None: 
- if not forwarder.networkCheck(): quitOnError(f"{Fore.RED} [-] Remote host cannot be reached : {args.remote}{Fore.RESET}")
+ if not forwarder.networkCheck(): quitOnError(f"{Fore.RED} [-] Remote host cannot be reached : {args.remote}{Fore.RESET}", consoleLogger)
 
  # Checking provided timestamps
  try:
  eventsAfter = time.strptime(args.after, '%Y-%m-%dT%H:%M:%S')
  eventsBefore = time.strptime(args.before, '%Y-%m-%dT%H:%M:%S')
  except:
- quitOnError(f"{Fore.RED} [-] Wrong timestamp format. Please use 'AAAA-MM-DDTHH:MM:SS'")
+ quitOnError(f"{Fore.RED} [-] Wrong timestamp format. Please use 'AAAA-MM-DDTHH:MM:SS'", consoleLogger)
 
  binPath = args.evtx_dump
 
  # Check ruleset arg
  for ruleset in args.ruleset:
- checkIfExists(ruleset, f"{Fore.RED} [-] Cannot find ruleset : {ruleset}{Fore.RESET}")
+ checkIfExists(ruleset, f"{Fore.RED} [-] Cannot find ruleset : {ruleset}. Default rulesets are available here : https:/wagga40/Zircolite-Rules{Fore.RESET}", consoleLogger)
  # Check templates args
  readyForTemplating = False
  if (args.template is not None):
- if args.csv: quitOnError(f"{Fore.RED} [-] You cannot use templates in CSV mode{Fore.RESET}")
+ if args.csv: quitOnError(f"{Fore.RED} [-] You cannot use templates in CSV mode{Fore.RESET}", consoleLogger)
  if (args.templateOutput is None) or (len(args.template) != len(args.templateOutput)):
- quitOnError(f"{Fore.RED} [-] Number of templates output must match number of templates{Fore.RESET}")
+ quitOnError(f"{Fore.RED} [-] Number of templates output must match number of templates{Fore.RESET}", consoleLogger)
  for template in args.template:
- checkIfExists(template[0], f"{Fore.RED} [-] Cannot find template : {template[0]}{Fore.RESET}")
+ checkIfExists(template[0], f"{Fore.RED} [-] Cannot find template : {template[0]}. DEfault templates are available here : https:/wagga40/Zircolite/tree/master/templates{Fore.RESET}", consoleLogger)
  readyForTemplating = True
 
  # Change output filename in CSV mode
@@ -1187,7 +1187,7 @@ def avoidFiles(pathList, avoidFilesList):
  args.outfile = "detected_events.csv"
 
  # If on-disk DB already exists, quit.
- if args.ondiskdb != ":memory:" and (Path(args.ondiskdb).is_file()): quitOnError(f"{Fore.RED} [-] On-disk database already exists{Fore.RESET}") 
+ if args.ondiskdb != ":memory:" and (Path(args.ondiskdb).is_file()): quitOnError(f"{Fore.RED} [-] On-disk database already exists{Fore.RESET}", consoleLogger) 
 
  # Start time counting
  start_time = time.time()
@@ -1219,12 +1219,12 @@ def avoidFiles(pathList, avoidFilesList):
  elif LogPath.is_file():
  LogList = [LogPath]
  else:
- quitOnError(f"{Fore.RED} [-] Unable to find events from submitted path{Fore.RESET}")
+ quitOnError(f"{Fore.RED} [-] Unable to find events from submitted path{Fore.RESET}", consoleLogger)
 
  # Applying file filters in this order : "select" than "avoid"
  FileList = avoidFiles(selectFiles(LogList, args.select), args.avoid)
  if len(FileList) <= 0:
- quitOnError(f"{Fore.RED} [-] No file found. Please verify filters, directory or the extension with '--fileext' or '--file-pattern'{Fore.RESET}")
+ quitOnError(f"{Fore.RED} [-] No file found. Please verify filters, directory or the extension with '--fileext' or '--file-pattern'{Fore.RESET}", consoleLogger)
 
  if not args.jsononly:
  # Init EVTX extractor object
@@ -1237,9 +1237,9 @@ def avoidFiles(pathList, avoidFilesList):
  else:
  LogJSONList = FileList
 
- checkIfExists(args.config, f"{Fore.RED} [-] Cannot find mapping file{Fore.RESET}")
+ checkIfExists(args.config, f"{Fore.RED} [-] Cannot find mapping file, you can get the default one here : https:/wagga40/Zircolite/blob/master/config/fieldMappings.json {Fore.RESET}", consoleLogger)
  if LogJSONList == []:
- quitOnError(f"{Fore.RED} [-] No JSON files found.{Fore.RESET}")
+ quitOnError(f"{Fore.RED} [-] No JSON files found.{Fore.RESET}", consoleLogger)
 
  # Print field list and exit
  if args.fieldlist:
@@ -1309,3 +1309,6 @@ def avoidFiles(pathList, avoidFilesList):
 
  zircoliteCore.close()
  consoleLogger.info(f"\nFinished in {int((time.time() - start_time))} seconds")
+
+if __name__ == "__main__":
+ main()