From 71a0c9287287ff7ad81289199c3bf897b8b54942 Mon Sep 17 00:00:00 2001
From: Christophe Vandeplas
Date: Tue, 15 Oct 2024 09:06:11 +0200
Subject: [PATCH 1/2] chg: sysdiag command for no conflicts with native mac app

---
 README.md | 16 ++++++++--------
 doc/splunk/docker-compose.yml | 14 ++++++++++++++
 pyproject.toml | 2 +-
 3 files changed, 23 insertions(+), 9 deletions(-)
 create mode 100644 doc/splunk/docker-compose.yml

diff --git a/README.md b/README.md
index 1e8214a..d271ca9 100644
--- a/README.md
+++ b/README.md
@@ -25,7 +25,7 @@ On linux systems you may wish to install the [unifiedlogs](#unifiedlogs) parser.
 Creating a new case, with the optional `-c` parameter if you want to specify the case number yourself. (such as an uuid)
 ```
-$ sysdiagnose init test-data/iOS12/sysdiagnose_2019.02.13_15-50-14+0100_iPhone_OS_iPhone_16C101.tar.gz
+$ sysdiag init test-data/iOS12/sysdiagnose_2019.02.13_15-50-14+0100_iPhone_OS_iPhone_16C101.tar.gz
 Sysdiagnose file has been processed Case ID: 1
@@ -34,7 +34,7 @@ Case ID: 1
 Listing existing cases can be done easily:
 ```
-$ sysdiagnose cases
+$ sysdiag cases
 Case ID acquisition date Serial number Unique device ID iOS Version Tags ------------------- ------------------------- --------------- ---------------------------------------- ------------- ------ public 2023-05-24T13:29:15-07:00 F4GT2K24HG7K e22f7f830e5dcc1287a1690a2622c2b12afaa33c
@@ -44,7 +44,7 @@ The `cases` folder is the current folder by default.
 You can change this using the environment variable `SYSDIAGNOSE_CASES_PATH`, for example.
 ```
 $ export SYSDIAGNOSE_CASES_PATH='/path/to/folder'
-$ sysdiagnose list cases
+$ sysdiag list cases
 ```
@@ -54,10 +54,10 @@ Data of sysdiagnose is not always usable directly, use parsers to convert them t
 Run parsers:
 ```
-$ sysdiagnose -c 1 parse ps
+$ sysdiag -c 1 parse ps
 Execution success, output saved in: cases/1/parsed_data/ps.json
-$ sysdiagnose -c 1 parse sys
+$ sysdiag -c 1 parse sys
 Execution success, output saved in: cases/1/parsed_data/sys.json
 ```
@@ -66,7 +66,7 @@ To run on all cases do not specify a case number or use `-c all`.
 List available parsers :
 ```
-$ sysdiagnose list parsers
+$ sysdiag list parsers
 Parser Name Parser Description --------------------- --------------------------------------------------------------------- all Run all parsers
@@ -106,7 +106,7 @@ wifisecurity Parsing WiFi Security logs
 List analysers:
 ```
-$ sysdiagnose list analysers
+$ sysdiag list analysers
 Analyser Name Analyser Description -------------------- ------------------------------------------------------------------------------- all Run all analysers
@@ -122,7 +122,7 @@ yarascan Scan the case folder using YARA rules ('./yara' or SYSDIAG
 Run analyser (make sure you run `parse all` before)
 ```
-$ sysdiagnose -c 1 analyse timesketch
+$ sysdiag -c 1 analyse timesketch
 Execution success, output saved in: cases/1/parsed_data/timesketch.jsonl
 ```
diff --git a/doc/splunk/docker-compose.yml b/doc/splunk/docker-compose.yml
new file mode 100644
index 0000000..db440a1
--- /dev/null
+++ b/doc/splunk/docker-compose.yml
@@ -0,0 +1,14 @@
+version: "0.1"
+
+services:
+ so1:
+ image: ${SPLUNK_IMAGE:-splunk/splunk:latest}
+ container_name: so1
+ environment:
+ - SPLUNK_START_ARGS=--accept-license
+ - SPLUNK_PASSWORD=Password1234
+ ports:
+ - 8000:8000
+ volumes:
+ - ../../cases:/cases
+
diff --git a/pyproject.toml b/pyproject.toml
index fcf64ec..c6e74cd 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -33,4 +33,4 @@ dependencies = [
 ]
 [project.scripts]
-sysdiagnose = "sysdiagnose.main:main"
+sysdiag = "sysdiagnose.main:main"
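Review bot: The new `doc/splunk/docker-compose.yml` commits a fixed admin credential, `SPLUNK_PASSWORD=Password1234`, publishes the Splunk web UI on every interface with `8000:8000`, and mounts the forensic `../../cases` tree into the container read-write, so anyone who can reach port 8000 on the analyst's machine can log in with the committed password and read or alter the evidence. Take the password from the environment and refuse to start without it, `- SPLUNK_PASSWORD=${SPLUNK_PASSWORD:?set SPLUNK_PASSWORD}`, bind the UI to loopback, `- 127.0.0.1:8000:8000`, and mount the cases read-only, `- ../../cases:/cases:ro`, unless Splunk actually needs to write there. `version: "0.1"` is not a Compose file-format version the tooling recognises (legacy docker-compose rejects unknown versions and Compose v2 treats the key as obsolete), so drop it or use one that validates. The `splunk/splunk:latest` default is unpinned; a tagged release would keep this documented setup reproducible.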
From b014ba8fe53ff7ea615fe2f123308e8d714ccbc9 Mon Sep 17 00:00:00 2001
From: Christophe Vandeplas
Date: Tue, 15 Oct 2024 11:04:59 +0200
Subject: [PATCH 2/2] fix: [yarascan] cleaner error when no yara folder is present

---
 src/sysdiagnose/analysers/yarascan.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/sysdiagnose/analysers/yarascan.py b/src/sysdiagnose/analysers/yarascan.py
index e2a8b13..0e1a8b6 100644
--- a/src/sysdiagnose/analysers/yarascan.py
+++ b/src/sysdiagnose/analysers/yarascan.py
@@ -36,7 +36,9 @@ def execute(self):
 results = {'errors': [], 'matches': []}
 if not os.path.isdir(self.yara_rules_path):
- raise FileNotFoundError(f"Could not find the YARA rules (.yar) folder: {self.yara_rules_path}")
+ print(f"ERROR: Could not find the YARA rules (.yar) folder: {self.yara_rules_path}")
+ results['errors'].append(f"Could not find the YARA rules (.yar) folder: {self.yara_rules_path}")
+ return results
 rule_files, errors = self.get_valid_yara_rule_files()
 if errors:
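Review bot: Replacing the `raise FileNotFoundError` with an early `return results` turns a missing rules folder into a normal completion with zero matches; if the CLI reports `Execution success, output saved in:` whenever an analyser returns (as the README examples in the first patch suggest), a `yarascan` run with no rules now reads as a clean scan, which is fail-open for a detection step, so the caller should surface `results['errors']` and not claim success when it is non-empty. The new `print` also goes to stdout, where it will be mixed into any piped output; write it to stderr or the module's logger, if one exists, and bind the message once instead of building the f-string twice: `msg = f"Could not find the YARA rules (.yar) folder: {self.yara_rules_path}"`, `print(f"ERROR: {msg}", file=sys.stderr)`, `results['errors'].append(msg)` (assuming `sys` is imported in this module; it is not visible in the hunk). Callers that caught `FileNotFoundError` from the old behaviour will no longer see it, which deserves a line in the `execute()` docstring. `execute()` continues past the end of this hunk.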