visidata timefromts fixed

This commit is contained in:
TKE
2021-02-22 16:07:21 +01:00
parent 6116d23d30
commit db2c3f0a26


@@ -1,36 +1,52 @@
#copy or link this file to ~/.visidatarc # copy or link this file to ~/.visidatarc
from datetime import datetime from datetime import datetime
import functools import functools
def timefromts(val):
return datetime.fromtimestamp(float(val))
#sym-ts = hexNcoded NT-Timestamp = Nanoseconds since 01.01.1601 def timefromts(val):
try:
return datetime.fromtimestamp(float(val))
except ValueError:
pass
try:
return datetime.fromtimestamp(float(val)/1000)
except ValueError:
pass
try:
return datetime.fromtimestamp(float(val)/1000000)
except ValueError:
pass
# sym-ts = hexNcoded NT-Timestamp = Nanoseconds since 01.01.1601
def sym_time(val): def sym_time(val):
a=int(val,16) #decode hex a = int(val, 16) # decode hex
b=(a / 10000000) - 11644473600 #convert to seconds and subtract offset to 01.01.1970 # convert to seconds and subtract offset to 01.01.1970
b = (a / 10000000) - 11644473600
return datetime.fromtimestamp(b) return datetime.fromtimestamp(b)
@functools.lru_cache() @functools.lru_cache()
def vendor(mac): def vendor(mac):
try: try:
from mac_vendor_lookup import InvalidMacError, MacLookup as mlu from mac_vendor_lookup import InvalidMacError, MacLookup as mlu
return mlu().lookup(mac.strip()) return mlu().lookup(mac.strip())
except InvalidMacError: except InvalidMacError:
return f"not a MAC {str(mac).strip()} of type {type(mac)}" return f"not a MAC {str(mac).strip()} of type {type(mac)}"
except ModuleNotFoundError: except ModuleNotFoundError:
return "module not available" return "module not available"
@functools.lru_cache() @functools.lru_cache()
def dns_lookup(domain,record='A'): def dns_lookup(domain, record='A'):
if len(domain.split(","))>1: if len(domain.split(",")) > 1:
return ",".join([dns_lookup(x,record) for x in domain.split(",")]) return ",".join([dns_lookup(x, record) for x in domain.split(",")])
try: try:
import dns import dns
import dns.resolver as rs import dns.resolver as rs
result= rs.query(domain,record) result = rs.query(domain, record)
return ",".join([x.to_text() for x in result]) return ",".join([x.to_text() for x in result])
except dns.resolver.NoAnswer as e: except dns.resolver.NoAnswer as e:
return "" return ""
except dns.exception.DNSException as e: except dns.exception.DNSException as e:
@@ -39,102 +55,104 @@ def dns_lookup(domain,record='A'):
except ModuleNotFoundError: except ModuleNotFoundError:
return "module not available" return "module not available"
@functools.lru_cache() @functools.lru_cache()
def _ipinfo(ip): def _ipinfo(ip):
try: try:
import requests import requests
import json import json
r = requests.get(url='http://ipinfo.io/{}/json'.format(ip)) r = requests.get(url='http://ipinfo.io/{}/json'.format(ip))
return r.json() return r.json()
except json.JSONDecodeError as e: except json.JSONDecodeError as e:
return None return None
except ModuleNotFoundError: except ModuleNotFoundError:
return None return None
@functools.lru_cache() @functools.lru_cache()
def ipinfo(ip,type="country"): def ipinfo(ip, type="country"):
if len(ip.split(","))>1: if len(ip.split(",")) > 1:
return ",".join([ipinfo(x,type) for x in ip.split(",")]) return ",".join([ipinfo(x, type) for x in ip.split(",")])
try: try:
return _ipinfo(ip)[type] return _ipinfo(ip)[type]
except: except:
return "" return ""
@functools.lru_cache() @functools.lru_cache()
def mx_lookup(domain): def mx_lookup(domain):
domain = domain.lstrip("www.") domain = domain.lstrip("www.")
try: try:
mxs = dns_lookup(domain,'MX').split(",") mxs = dns_lookup(domain, 'MX').split(",")
mxt = [x.split(" ")[1] for x in mxs if len(x.split(" "))==2] mxt = [x.split(" ")[1] for x in mxs if len(x.split(" ")) == 2]
return ",".join(mxt) return ",".join(mxt)
except Exception as e: except Exception as e:
return str(e) return str(e)
@functools.lru_cache() @functools.lru_cache()
def grab_banner(ip,port=25): def grab_banner(ip, port=25):
if len(ip.split(","))>1: if len(ip.split(",")) > 1:
return ",".join([grab_banner(x,port) for x in ip.split(",")]) return ",".join([grab_banner(x, port) for x in ip.split(",")])
try: try:
import socket import socket
sock = socket.socket(socket.AF_INET,socket.SOCK_STREAM) #TCP sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) # TCP
sock.settimeout(2) sock.settimeout(2)
sock.connect((ip,port)) sock.connect((ip, port))
ret = sock.recv(1024) ret = sock.recv(1024)
return str(ret.strip().decode()) return str(ret.strip().decode())
except: except:
return "" return ""
def sym_id(val): def sym_id(val):
event_ids={ event_ids = {
"2" : "Scan Stopped", "2": "Scan Stopped",
"3" : "Scan Started", "3": "Scan Started",
"4" : "Definition File Sent To Server", "4": "Definition File Sent To Server",
"5" : "Virus Found", "5": "Virus Found",
"6" : "Scan Omission", "6": "Scan Omission",
"7" : "Definition File Loaded", "7": "Definition File Loaded",
"10" : "Checksum", "10": "Checksum",
"11" : "Auto-Protect", "11": "Auto-Protect",
"12" : "Configuration Changed", "12": "Configuration Changed",
"13" : "Symantec AntiVirus Shutdown", "13": "Symantec AntiVirus Shutdown",
"14" : "Symantec AntiVirus Startup", "14": "Symantec AntiVirus Startup",
"16" : "Definition File Download", "16": "Definition File Download",
"17" : "Scan Action Auto-Changed", "17": "Scan Action Auto-Changed",
"18" : "Sent To Quarantine Server", "18": "Sent To Quarantine Server",
"19" : "Delivered To Symantec Security Response", "19": "Delivered To Symantec Security Response",
"20" : "Backup Restore Error", "20": "Backup Restore Error",
"21" : "Scan Aborted", "21": "Scan Aborted",
"22" : "Load Error", "22": "Load Error",
"23" : "Symantec AntiVirus Auto-Protect Loaded", "23": "Symantec AntiVirus Auto-Protect Loaded",
"24" : "Symantec AntiVirus Auto-Protect Unloaded", "24": "Symantec AntiVirus Auto-Protect Unloaded",
"26" : "Scan Delayed", "26": "Scan Delayed",
"27" : "Scan Re-started", "27": "Scan Re-started",
"34" : "Log Forwarding Error", "34": "Log Forwarding Error",
"39" : "Definitions Rollback", "39": "Definitions Rollback",
"40" : "Definitions Unprotected", "40": "Definitions Unprotected",
"41" : "Auto-Protect Error", "41": "Auto-Protect Error",
"42" : "Configuration Error", "42": "Configuration Error",
"45" : "SymProtect Action", "45": "SymProtect Action",
"46" : "Detection Start", "46": "Detection Start",
"47" : "Detection Action", "47": "Detection Action",
"48" : "Pending Remediation Action", "48": "Pending Remediation Action",
"49" : "Failed Remediation Action", "49": "Failed Remediation Action",
"50" : "Successful Remediation Action", "50": "Successful Remediation Action",
"51" : "Detection Finish", "51": "Detection Finish",
"65" : "Scan Stopped", "65": "Scan Stopped",
"66" : "Scan Started", "66": "Scan Started",
"71" : "Threat Now Whitelisted", "71": "Threat Now Whitelisted",
"72" : "Interesting Process Found Start", "72": "Interesting Process Found Start",
"73" : "SONAR engine load error", "73": "SONAR engine load error",
"74" : "SONAR definitions load error", "74": "SONAR definitions load error",
"75" : "Interesting Process Found Finish", "75": "Interesting Process Found Finish",
"76" : "SONAR operating system not supported", "76": "SONAR operating system not supported",
"77" : "SONAR Detected Threat Now Known", "77": "SONAR Detected Threat Now Known",
"78" : "SONAR engine is disabled", "78": "SONAR engine is disabled",
"79" : "SONAR engine is enabled", "79": "SONAR engine is enabled",
"80" : "Definition load failed", "80": "Definition load failed",
"81" : "Cache server error", "81": "Cache server error",
"82" : "Reputation check timed out"} "82": "Reputation check timed out"}
return event_ids[val] return event_ids[val]
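Review bot: The new timefromts in the first hunk falls off the end and returns None when all three attempts fail, and because float(val) sits inside each try, a non-numeric value is parsed three times before it too silently becomes None. datetime.fromtimestamp can also raise OverflowError or OSError for out-of-range values, so the bare except ValueError clauses may let a very large input escape the cascade instead of falling through to the next scale; which exception a given platform raises is not visible here. I would parse once, loop over the three divisors catching (ValueError, OverflowError, OSError), and end with an explicit return None (or a raise, if an error cell is preferred) plus a docstring stating the seconds/milliseconds/microseconds heuristic, which the new code leaves undocumented.
```python
def timefromts(val):
    """Convert an epoch value to a datetime, trying seconds, then milliseconds, then microseconds.

    Scales that fromtimestamp rejects are skipped; returns None when no scale
    yields a valid datetime. Raises ValueError if val is not numeric.
    """
    ts = float(val)  # parse once; a non-numeric value fails here instead of three times
    for divisor in (1, 1000, 1000000):
        try:
            return datetime.fromtimestamp(ts / divisor)
        except (ValueError, OverflowError, OSError):
            continue  # out of range at this scale; try the next one
    return None  # explicit: no scale produced a valid datetime
```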