matthewdunwoody / block-parser

Parser for Windows PowerShell script block logs
Apache License 2.0

metadata output file arg should have its full path passed #4

Closed hiddenillusion closed 7 years ago

hiddenillusion commented 7 years ago

Based on the way output_result is written for the metadata file || the way it's passed via main, if the provided args.metadata string is just the filename and doesn't include its full path on the CLI, then writing to it will fail.

example:

Running with these options: $ python block-parser.py -m parsed_powershell_metadata.csv -o parsed_powershell -a powershell.evtx

with these tests:

if m:
  if not os.path.isdir(os.path.dirname(m)):
    print(m)
    print(os.path.abspath(m))
    print(os.path.dirname(m))
    print(os.path.abspath(os.path.dirname(m)))

produces; the third line being the issue:

parsed_powershell_metadata.csv
/opt/compromised_system/parsed_powershell_metadata.csv

/opt/compromised_system

Simple enough to add in main() or keep where it is, but either way adding os.path.abspath() before will eliminate the error.
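The failure reported above and the suggested `os.path.abspath()` fix, as an added example that is not part of the original issue or the project's code. The helper names `naive_parent_exists` and `resolve_output_path` are hypothetical, and the demo runs in a temporary working directory.

```python
import os
import tempfile

def naive_parent_exists(path):
    # The check from the issue: dirname() of a bare filename is '',
    # and os.path.isdir('') is False even though the cwd exists.
    return os.path.isdir(os.path.dirname(path))

def resolve_output_path(path):
    # Hypothetical helper: make the path absolute first, then validate
    # the parent directory, so bare filenames resolve against the cwd.
    full = os.path.abspath(path)
    parent = os.path.dirname(full)
    if not os.path.isdir(parent):
        raise FileNotFoundError("output directory does not exist: " + parent)
    if os.path.isdir(full):
        raise IsADirectoryError("output path is a directory: " + full)
    return full

def demo():
    results = {}
    old_cwd = os.getcwd()
    with tempfile.TemporaryDirectory() as workdir:
        os.chdir(workdir)
        try:
            name = "parsed_powershell_metadata.csv"  # filename from the issue
            results["naive_bare"] = naive_parent_exists(name)
            results["naive_dot"] = naive_parent_exists(os.path.join(".", name))
            full = resolve_output_path(name)
            results["is_abs"] = os.path.isabs(full)
            results["in_cwd"] = os.path.samefile(os.path.dirname(full), workdir)
            with open(full, "w") as fh:
                fh.write("constructed,sample,row\n")
            results["written"] = os.path.isfile(full)
            try:
                # A parent that really is missing must still be rejected.
                resolve_output_path(os.path.join("missing_dir", name))
                results["missing_rejected"] = False
            except FileNotFoundError:
                results["missing_rejected"] = True
        finally:
            os.chdir(old_cwd)
    return results

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```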

matthewdunwoody commented 7 years ago

Addressed as recommended. Thanks for submitting the issue.