Add exclusion filters to exclude data stream from processing for disabled binary parsers

log2timeline / plaso

Super timeline all the things

https://plaso.readthedocs.io

Apache License 2.0

1.72k stars 348 forks source link

Add exclusion filters to exclude data stream from processing for disabled binary parsers #1659

Open joachimmetz opened 6 years ago

joachimmetz commented 6 years ago

Some binary parsers now define GetFormatSpecification, such as: https://github.com/log2timeline/plaso/blob/master/plaso/parsers/winlnk.py#L87

[ ] check if files that match the format are ignored if the parser is disabled but they match the format
- is this this desired behaviour
[ ] consider exclusion filters for when the parser is disabled, e.g. based on file path for fseventsd

joachimmetz commented 6 years ago

format specifications used by the signature scanner are currently dependent on the parser filter expression. https://github.com/log2timeline/plaso/blob/03caa0b3aeb29f5dea3dbfb2bd149ef38e477b04/plaso/parsers/manager.py#L423

This means that if a parser with a format specification is disabled the file is parsed with the remaining parsers. I opt we change the behavior to not parse the file instead.