mirror/ usbrip
1
0
Fork 0
mirror of https://github.com/snovvcrash/usbrip.git synced 2024-05-18 05:06:03 +02:00
Code

Rename User column to Host

This commit is contained in:
Sam Free5ide 2020-01-12 23:05:22 +03:00
parent ce2dedf808
commit e8f5631589
6 changed files with 28 additions and 28 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
README.md
View File

@ -5,8 +5,8 @@
----------
<p align="center">
<a href="https://github.com/snovvcrash/usbrip/blob/master/usbrip/__init__.py#L24"><img src="https://img.shields.io/badge/GitHub%20ver-2.1.4%E2%80%908-success.svg?logo=github" alt="github-version.svg" /></a>
<a href="https://pypi.org/project/usbrip/#history"><img src="https://img.shields.io/badge/PyPI%20ver-2.1.4%E2%80%908-3775a9.svg?logo=pypi" alt="pypi-version.svg" /></a>
<a href="https://github.com/snovvcrash/usbrip/blob/master/usbrip/__init__.py#L24"><img src="https://img.shields.io/badge/GitHub%20ver-2.1.4%E2%80%909-success.svg?logo=github" alt="github-version.svg" /></a>
<a href="https://pypi.org/project/usbrip/#history"><img src="https://img.shields.io/badge/PyPI%20ver-2.1.4%E2%80%909-3775a9.svg?logo=pypi" alt="pypi-version.svg" /></a>
<a href="https://www.python.org/downloads/"><img src="https://img.shields.io/badge/Python-3.6-3776ab.svg?logo=python" alt="python-version.svg" /></a>
<a href="https://raw.githubusercontent.com/snovvcrash/usbrip/master/LICENSE"><img src="https://img.shields.io/badge/License-GPLv3-blue.svg" alt="license.svg" /></a>
<a href="https://blackarch.org/forensic.html"><img src="https://img.shields.io/badge/BlackArch-Linux-b40000.svg?logo=arch-linux" alt="arch-linux.svg" /></a>
@ -42,7 +42,7 @@ Table of Contents:
Description
==========
**usbrip** is a small piece of software written in pure Python 3 (using some external modules, see [Dependencies/pip](#pip-packages)) which analyzes Linux log data (`journalctl` output or `/var/log/syslog*` and `/var/log/messages*` files, depending on the distro) for constructing USB event history tables. Such tables may contain the following columns: "Connected" (date & time), "User", "VID" (vendor ID), "PID" (product ID), "Product", "Manufacturer", "Serial Number", "Port" and "Disconnected" (date & time).
**usbrip** is a small piece of software written in pure Python 3 (using some external modules, see [Dependencies/pip](#pip-packages)) which analyzes Linux log data (`journalctl` output or `/var/log/syslog*` and `/var/log/messages*` files, depending on the distro) for constructing USB event history tables. Such tables may contain the following columns: "Connected" (date & time), "Host", "VID" (vendor ID), "PID" (product ID), "Product", "Manufacturer", "Serial Number", "Port" and "Disconnected" (date & time).
Besides, it also can:
@ -64,7 +64,7 @@ usbrip is available for download and installation at [PyPI](https://pypi.org/pro
Showcase
==========
![screenshot.png](https://user-images.githubusercontent.com/23141800/72222987-8eb99d00-357b-11ea-928d-95ddbf8a23d0.png)
![screenshot.png](https://user-images.githubusercontent.com/23141800/72224695-45267d80-358e-11ea-8a9d-794dd662700a.png)
Git Clone
==========
@ -262,16 +262,16 @@ Get usbrip banner.
# ---------- EVENTS ----------
$ usbrip events history [-t | -l] [-e] [-n <NUMBER_OF_EVENTS>] [-d <DATE> [<DATE> ...]] [--user <USER> [<USER> ...]] [--vid <VID> [<VID> ...]] [--pid <PID> [<PID> ...]] [--prod <PROD> [<PROD> ...]] [--manufact <MANUFACT> [<MANUFACT> ...]] [--serial <SERIAL> [<SERIAL> ...]] [--port <PORT> [<PORT> ...]] [-c <COLUMN> [<COLUMN> ...]] [-f <FILE> [<FILE> ...]] [-q] [--debug]
$ usbrip events history [-t | -l] [-e] [-n <NUMBER_OF_EVENTS>] [-d <DATE> [<DATE> ...]] [--host <HOST> [<HOST> ...]] [--vid <VID> [<VID> ...]] [--pid <PID> [<PID> ...]] [--prod <PROD> [<PROD> ...]] [--manufact <MANUFACT> [<MANUFACT> ...]] [--serial <SERIAL> [<SERIAL> ...]] [--port <PORT> [<PORT> ...]] [-c <COLUMN> [<COLUMN> ...]] [-f <FILE> [<FILE> ...]] [-q] [--debug]
Get USB event history.
$ usbrip events open <DUMP.JSON> [-t | -l] [-e] [-n <NUMBER_OF_EVENTS>] [-d <DATE> [<DATE> ...]] [--user <USER> [<USER> ...]] [--vid <VID> [<VID> ...]] [--pid <PID> [<PID> ...]] [--prod <PROD> [<PROD> ...]] [--manufact <MANUFACT> [<MANUFACT> ...]] [--serial <SERIAL> [<SERIAL> ...]] [--port <PORT> [<PORT> ...]] [-c <COLUMN> [<COLUMN> ...]] [-f <FILE> [<FILE> ...]] [-q] [--debug]
$ usbrip events open <DUMP.JSON> [-t | -l] [-e] [-n <NUMBER_OF_EVENTS>] [-d <DATE> [<DATE> ...]] [--host <HOST> [<HOST> ...]] [--vid <VID> [<VID> ...]] [--pid <PID> [<PID> ...]] [--prod <PROD> [<PROD> ...]] [--manufact <MANUFACT> [<MANUFACT> ...]] [--serial <SERIAL> [<SERIAL> ...]] [--port <PORT> [<PORT> ...]] [-c <COLUMN> [<COLUMN> ...]] [-f <FILE> [<FILE> ...]] [-q] [--debug]
Open USB event dump.
$ usbrip events gen_auth <OUT_AUTH.JSON> [-a <ATTRIBUTE> [<ATTRIBUTE> ...]] [-e] [-n <NUMBER_OF_EVENTS>] [-d <DATE> [<DATE> ...]] [--user <USER> [<USER> ...]] [--vid <VID> [<VID> ...]] [--pid <PID> [<PID> ...]] [--prod <PROD> [<PROD> ...]] [--manufact <MANUFACT> [<MANUFACT> ...]] [--serial <SERIAL> [<SERIAL> ...]] [--port <PORT> [<PORT> ...]] [-f <FILE> [<FILE> ...]] [-q] [--debug]
$ usbrip events gen_auth <OUT_AUTH.JSON> [-a <ATTRIBUTE> [<ATTRIBUTE> ...]] [-e] [-n <NUMBER_OF_EVENTS>] [-d <DATE> [<DATE> ...]] [--host <HOST> [<HOST> ...]] [--vid <VID> [<VID> ...]] [--pid <PID> [<PID> ...]] [--prod <PROD> [<PROD> ...]] [--manufact <MANUFACT> [<MANUFACT> ...]] [--serial <SERIAL> [<SERIAL> ...]] [--port <PORT> [<PORT> ...]] [-f <FILE> [<FILE> ...]] [-q] [--debug]
Generate a list of trusted (authorized) USB devices.
$ usbrip events violations <IN_AUTH.JSON> [-a <ATTRIBUTE> [<ATTRIBUTE> ...]] [-t | -l] [-e] [-n <NUMBER_OF_EVENTS>] [-d <DATE> [<DATE> ...]] [--user <USER> [<USER> ...]] [--vid <VID> [<VID> ...]] [--pid <PID> [<PID> ...]] [--prod <PROD> [<PROD> ...]] [--manufact <MANUFACT> [<MANUFACT> ...]] [--serial <SERIAL> [<SERIAL> ...]] [--port <PORT> [<PORT> ...]] [-c <COLUMN> [<COLUMN> ...]] [-f <FILE> [<FILE> ...]] [-q] [--debug]
$ usbrip events violations <IN_AUTH.JSON> [-a <ATTRIBUTE> [<ATTRIBUTE> ...]] [-t | -l] [-e] [-n <NUMBER_OF_EVENTS>] [-d <DATE> [<DATE> ...]] [--host <HOST> [<HOST> ...]] [--vid <VID> [<VID> ...]] [--pid <PID> [<PID> ...]] [--prod <PROD> [<PROD> ...]] [--manufact <MANUFACT> [<MANUFACT> ...]] [--serial <SERIAL> [<SERIAL> ...]] [--port <PORT> [<PORT> ...]] [-c <COLUMN> [<COLUMN> ...]] [-f <FILE> [<FILE> ...]] [-q] [--debug]
Get USB violation events based on the list of trusted devices.
# ---------- STORAGE ----------
@ -279,13 +279,13 @@ Get USB violation events based on the list of trusted devices.
$ usbrip storage list <STORAGE_TYPE> [-q] [--debug]
List contents of the selected storage. STORAGE_TYPE is "history" or "violations".
$ usbrip storage open <STORAGE_TYPE> [-t | -l] [-e] [-n <NUMBER_OF_EVENTS>] [-d <DATE> [<DATE> ...]] [--user <USER> [<USER> ...]] [--vid <VID> [<VID> ...]] [--pid <PID> [<PID> ...]] [--prod <PROD> [<PROD> ...]] [--manufact <MANUFACT> [<MANUFACT> ...]] [--serial <SERIAL> [<SERIAL> ...]] [--port <PORT> [<PORT> ...]] [-c <COLUMN> [<COLUMN> ...]] [-q] [--debug]
$ usbrip storage open <STORAGE_TYPE> [-t | -l] [-e] [-n <NUMBER_OF_EVENTS>] [-d <DATE> [<DATE> ...]] [--host <HOST> [<HOST> ...]] [--vid <VID> [<VID> ...]] [--pid <PID> [<PID> ...]] [--prod <PROD> [<PROD> ...]] [--manufact <MANUFACT> [<MANUFACT> ...]] [--serial <SERIAL> [<SERIAL> ...]] [--port <PORT> [<PORT> ...]] [-c <COLUMN> [<COLUMN> ...]] [-q] [--debug]
Open selected storage. Behaves similary to the EVENTS OPEN submodule.
$ usbrip storage update <STORAGE_TYPE> [-a <ATTRIBUTE> [<ATTRIBUTE> ...]] [-e] [-n <NUMBER_OF_EVENTS>] [-d <DATE> [<DATE> ...]] [--user <USER> [<USER> ...]] [--vid <VID> [<VID> ...]] [--pid <PID> [<PID> ...]] [--prod <PROD> [<PROD> ...]] [--manufact <MANUFACT> [<MANUFACT> ...]] [--serial <SERIAL> [<SERIAL> ...]] [--port <PORT> [<PORT> ...]] [--lvl <COMPRESSION_LEVEL>] [-q] [--debug]
$ usbrip storage update <STORAGE_TYPE> [-a <ATTRIBUTE> [<ATTRIBUTE> ...]] [-e] [-n <NUMBER_OF_EVENTS>] [-d <DATE> [<DATE> ...]] [--host <HOST> [<HOST> ...]] [--vid <VID> [<VID> ...]] [--pid <PID> [<PID> ...]] [--prod <PROD> [<PROD> ...]] [--manufact <MANUFACT> [<MANUFACT> ...]] [--serial <SERIAL> [<SERIAL> ...]] [--port <PORT> [<PORT> ...]] [--lvl <COMPRESSION_LEVEL>] [-q] [--debug]
Update storage -- add USB events to the existing storage. COMPRESSION_LEVEL is a number in [0..9].
$ usbrip storage create <STORAGE_TYPE> [-a <ATTRIBUTE> [<ATTRIBUTE> ...]] [-e] [-n <NUMBER_OF_EVENTS>] [-d <DATE> [<DATE> ...]] [--user <USER> [<USER> ...]] [--vid <VID> [<VID> ...]] [--pid <PID> [<PID> ...]] [--prod <PROD> [<PROD> ...]] [--manufact <MANUFACT> [<MANUFACT> ...]] [--serial <SERIAL> [<SERIAL> ...]] [--port <PORT> [<PORT> ...]] [--lvl <COMPRESSION_LEVEL>] [-q] [--debug]
$ usbrip storage create <STORAGE_TYPE> [-a <ATTRIBUTE> [<ATTRIBUTE> ...]] [-e] [-n <NUMBER_OF_EVENTS>] [-d <DATE> [<DATE> ...]] [--host <HOST> [<HOST> ...]] [--vid <VID> [<VID> ...]] [--pid <PID> [<PID> ...]] [--prod <PROD> [<PROD> ...]] [--manufact <MANUFACT> [<MANUFACT> ...]] [--serial <SERIAL> [<SERIAL> ...]] [--port <PORT> [<PORT> ...]] [--lvl <COMPRESSION_LEVEL>] [-q] [--debug]
Create storage -- create 7zip archive and add USB events to it according to the selected options.
$ usbrip storage passwd <STORAGE_TYPE> [--lvl <COMPRESSION_LEVEL>] [-q] [--debug]
@ -335,7 +335,7 @@ Examples
~$ usbrip events history -et -c conn vid pid disconn serial -d '1995-09-15' '2018-07-01' --pid 1337 -f /var/log/syslog.1 /var/log/syslog.2.gz
```
:alien: **Note:** there is a thing to remember when working with filters. There are 4 types of filtering available: only *external* USB events (devices that can be pulled out easily, `-e`); *by date* (`-d`); *by fields* (`--user`, `--vid`, `--pid`, `--product`, `--manufact`, `--serial`, `--port`) and *by number of entries* you get as the output (`-n`). When applying different filters simultaneously, you will get the following behaviour: firstly, *external* and *by date* filters are applied, then usbrip will search for specified *field* values in the intersection of the last two filters, and in the end it will cut the output to the *number* you defined with the `-n` option. So think of it as an **intersection** for *external* and *by date* filtering and **union** for *by fields* filtering. Hope it makes sense.
:alien: **Note:** there is a thing to remember when working with filters. There are 4 types of filtering available: only *external* USB events (devices that can be pulled out easily, `-e`); *by date* (`-d`); *by fields* (`--host`, `--vid`, `--pid`, `--product`, `--manufact`, `--serial`, `--port`) and *by number of entries* you get as the output (`-n`). When applying different filters simultaneously, you will get the following behaviour: firstly, *external* and *by date* filters are applied, then usbrip will search for specified *field* values in the intersection of the last two filters, and in the end it will cut the output to the *number* you defined with the `-n` option. So think of it as an **intersection** for *external* and *by date* filtering and **union** for *by fields* filtering. Hope it makes sense.
* Build the event history of all USB devices and redirect the output to a file for further analysis. When the output stream is NOT terminal stdout (`|` or `>` for example) there would be no ANSI escape characters (color) in the output so feel free to use it that way. Also notice that usbrip uses some UNICODE symbols so it would be nice to convert the resulting file to UTF-8 encoding (with `encov` for example) as well as change newline characters to Windows style for portability (with `awk` for example):
@ -357,10 +357,10 @@ Examples
:warning: **Warning:** there are cases when different USB flash drives might have identical serial numbers. This could happen as a result of a [manufacturing error](https://forums.anandtech.com/threads/changing-creating-a-custom-serial-id-on-a-flash-drive-low-level-blocks.2099116/) or just some black hats were able to rewrite the drive's memory chip which turned out to be non-one-time programmable and so on... Anyways, *«No system is safe»*. usbrip **does not** handle such cases in a smart way so far, namely it will treat a pair of devices with identical SNs (if there exists one) as the same device regarding to the trusted device list and `gen_auth` module.
* Search the event history of the external USB devices for violations based on the list of trusted USB devices (`trusted/auth.json`) by "PID" attribute, restrict resulting events to those which have "Bob" as a user, "EvilUSBManufacturer" as a manufacturer, "1234567890" as a serial number and represent the output as a table with "Connected", "VID" and "PID" columns:
* Search the event history of the external USB devices for violations based on the list of trusted USB devices (`trusted/auth.json`) by "PID" attribute, restrict resulting events to those which have "Bob-PC" as a hostname, "EvilUSBManufacturer" as a manufacturer, "1234567890" as a serial number and represent the output as a table with "Connected", "VID" and "PID" columns:
```
~$ usbrip events violations trusted/auth.json -a pid -et --user Bob --manufact EvilUSBManufacturer --serial 1234567890 -c conn vid pid
~$ usbrip events violations trusted/auth.json -a pid -et --host Bob-PC --manufact EvilUSBManufacturer --serial 1234567890 -c conn vid pid
```
* Search for details about a specific USB device by its VID (`--vid VID`) and PID (`--pid PID`):

2
usbrip/__init__.py
View File

@ -21,4 +21,4 @@ You should have received a copy of the GNU General Public License
along with usbrip. If not, see <http://www.gnu.org/licenses/>.
"""
__version__ = '2.1.4-8'
__version__ = '2.1.4-9'

4
usbrip/__main__.py
View File

@ -308,8 +308,8 @@ def _validate_sieve_args(args):
(args.external, args.number, args.date, {}))
)
if args.user:
sieve['fields']['user'] = args.user
if args.host:
sieve['fields']['host'] = args.host
if args.vid:
sieve['fields']['vid'] = args.vid
if args.pid:

4
usbrip/lib/core/common.py
View File

@ -116,7 +116,7 @@ COLUMN_NAMES = OrderedDict()
if cfg.ISATTY:
COLUMN_NAMES['conn'] = colored('Connected', 'magenta', attrs=['bold'])
COLUMN_NAMES['user'] = colored('User', 'magenta', attrs=['bold'])
COLUMN_NAMES['host'] = colored('Host', 'magenta', attrs=['bold'])
COLUMN_NAMES['vid'] = colored('VID', 'magenta', attrs=['bold'])
COLUMN_NAMES['pid'] = colored('PID', 'magenta', attrs=['bold'])
COLUMN_NAMES['prod'] = colored('Product', 'magenta', attrs=['bold'])
@ -126,7 +126,7 @@ if cfg.ISATTY:
COLUMN_NAMES['disconn'] = colored('Disconnected', 'magenta', attrs=['bold'])
else:
COLUMN_NAMES['conn'] = 'Connected'
COLUMN_NAMES['user'] = 'User'
COLUMN_NAMES['host'] = 'Host'
COLUMN_NAMES['vid'] = 'VID'
COLUMN_NAMES['pid'] = 'PID'
COLUMN_NAMES['prod'] = 'Product'

12
usbrip/lib/core/usbevents.py
View File

@ -413,7 +413,7 @@ def _parse_history(filtered_history):
for date, action, logline in filtered_history:
if action == 'c':
if 'New USB device found, ' in logline:
user = logline.split(' ', 1)[0] # logline -> '<USER> <REST>'
host = logline.split(' ', 1)[0] # logline -> '<HOST> <REST>'
try:
vid = re_vid.search(logline).group(1)
@ -430,7 +430,7 @@ def _parse_history(filtered_history):
event = {
'conn': date,
'user': user,
'host': host,
'vid': vid,
'pid': pid,
'prod': None,
@ -607,7 +607,7 @@ def _represent_events(events_to_show, columns, table_data, title, repres):
max_len = {
'conn': 19,
'user': max(max(len(event['user']) for event in events_to_show), len('User')),
'host': max(max(len(event['host']) for event in events_to_show), len('Host')),
'vid': 4,
'pid': 4,
'prod': max(max(len(str(event['prod'])) for event in events_to_show), len('Product')),
@ -670,7 +670,7 @@ def _represent_events(events_to_show, columns, table_data, title, repres):
for event in events_to_show:
if cfg.ISATTY:
print(colored('Connected: ', 'magenta', attrs=['bold']) + colored(event['conn'], 'green'))
print(colored('User: ', 'magenta', attrs=['bold']) + event['user'])
print(colored('Host: ', 'magenta', attrs=['bold']) + event['host'])
print(colored('VID: ', 'magenta', attrs=['bold']) + event['vid'])
print(colored('PID: ', 'magenta', attrs=['bold']) + event['pid'])
print(colored('Product: ', 'magenta', attrs=['bold']) + str(event['prod']))
@ -680,7 +680,7 @@ def _represent_events(events_to_show, columns, table_data, title, repres):
print(colored('Disconnected: ', 'magenta', attrs=['bold']) + colored(event['disconn'], 'red'))
else:
print('Connected: ' + event['conn'])
print('User: ' + event['user'])
print('Host: ' + event['host'])
print('VID: ' + event['vid'])
print('PID: ' + event['pid'])
print('Product: ' + str(event['prod']))
@ -712,7 +712,7 @@ def _dump_events(events_to_show, list_name, abs_filename, indent):
for event in events_to_show:
tmp_event_dict = OrderedDict()
for key in ('conn', 'user', 'vid', 'pid', 'prod', 'manufact', 'serial', 'port', 'disconn'):
for key in ('conn', 'host', 'vid', 'pid', 'prod', 'manufact', 'serial', 'port', 'disconn'):
tmp_event_dict[key] = event[key]
out.append(tmp_event_dict)

6
usbrip/lib/parse/argparser.py
View File

@ -432,7 +432,7 @@ def _parse_column_args(parser):
type=str,
default=[],
help='columns to show (options: "conn", '
'"user", '
'"host", '
'"vid", '
'"pid", '
'"prod", '
@ -469,11 +469,11 @@ def _parse_sieve_args(parser):
)
parser.add_argument(
'--user',
'--host',
nargs='+',
type=str,
default=[],
help='search by users'
help='search by hostname'
)
parser.add_argument(