src/ allow processing journal, evtx that are compressed, arch

Follow-up to cea1c6f Issue #291 Issue #284
jtmoon79 · May 29, 2024 · f2e5b4d · f2e5b4d
1 parent 319bc34
commit f2e5b4d
Show file tree

Hide file tree

Showing 44 changed files with 329,941 additions and 349,410 deletions.
diff --git a/src/common.rs b/src/common.rs
@@ -860,6 +860,23 @@ impl FileType {
             _ => false,
         }
     }
+
+    pub const fn archival_type (&self) -> FileTypeArchive {
+        match self {
+            FileType::Evtx{ archival_type } => *archival_type,
+            FileType::FixedStruct{ archival_type, .. } => *archival_type,
+            FileType::Journal{ archival_type } => *archival_type,
+            FileType::Text{ archival_type, .. } => *archival_type,
+            FileType::Unparsable => FileTypeArchive::Normal,
+        }
+    }
+
+    pub const fn encoding_type (&self) -> Option<FileTypeTextEncoding> {
+        match self {
+            FileType::Text{ encoding_type, .. } => Some(*encoding_type),
+            _ => None,
+        }
+    }
 }
 
 /// The type of message sent from file processing thread to the main printing

diff --git a/src/readers/filepreprocessor.rs b/src/readers/filepreprocessor.rs
@@ -1096,29 +1096,56 @@ pub fn process_path(path: &FPath, unparseable_are_text: bool) -> Vec<ProcessPath
         };
         match filetype {
             FileType::Evtx{ archival_type: FileTypeArchive::Normal }
-            | FileType::FixedStruct{ archival_type: _, fixedstruct_type: _ }
+            | FileType::Evtx{ archival_type: FileTypeArchive::Gz }
+            | FileType::Evtx{ archival_type: FileTypeArchive::Lz4 }
+            | FileType::Evtx{ archival_type: FileTypeArchive::Tar }
+            | FileType::Evtx{ archival_type: FileTypeArchive::Xz }
+            | FileType::FixedStruct{ archival_type: FileTypeArchive::Normal, fixedstruct_type: _ }
+            | FileType::FixedStruct{ archival_type: FileTypeArchive::Gz, fixedstruct_type: _ }
+            | FileType::FixedStruct{ archival_type: FileTypeArchive::Lz4, fixedstruct_type: _ }
+            | FileType::FixedStruct{ archival_type: FileTypeArchive::Tar, fixedstruct_type: _ }
+            | FileType::FixedStruct{ archival_type: FileTypeArchive::Xz, fixedstruct_type: _ }
             | FileType::Journal{ archival_type: FileTypeArchive::Normal }
-            | FileType::Text{ archival_type: _, encoding_type: _ }
+            | FileType::Journal{ archival_type: FileTypeArchive::Gz }
+            | FileType::Journal{ archival_type: FileTypeArchive::Lz4 }
+            | FileType::Journal{ archival_type: FileTypeArchive::Tar }
+            | FileType::Journal{ archival_type: FileTypeArchive::Xz }
+            | FileType::Text{ archival_type: FileTypeArchive::Normal, encoding_type: FileTypeTextEncoding::Utf8Ascii }
+            | FileType::Text{ archival_type: FileTypeArchive::Gz, encoding_type: FileTypeTextEncoding::Utf8Ascii }
+            | FileType::Text{ archival_type: FileTypeArchive::Lz4, encoding_type: FileTypeTextEncoding::Utf8Ascii }
+            | FileType::Text{ archival_type: FileTypeArchive::Tar, encoding_type: FileTypeTextEncoding::Utf8Ascii }
+            | FileType::Text{ archival_type: FileTypeArchive::Xz, encoding_type: FileTypeTextEncoding::Utf8Ascii }
             => {
                 deo!("paths.push(FileValid(({:?}, {:?})))", fpath_entry, filetype);
                 paths.push(ProcessPathResult::FileValid(fpath_entry, filetype));
             }
-            ft @ FileType::Evtx{ archival_type: FileTypeArchive::Gz }
-            | ft @ FileType::Evtx{ archival_type: FileTypeArchive::Lz4 }
-            | ft @ FileType::Evtx{ archival_type: FileTypeArchive::Tar }
-            | ft @ FileType::Evtx{ archival_type: FileTypeArchive::Xz }
-            | ft @ FileType::Journal{ archival_type: FileTypeArchive::Gz }
-            | ft @ FileType::Journal{ archival_type: FileTypeArchive::Lz4 }
-            | ft @ FileType::Journal{ archival_type: FileTypeArchive::Tar }
-            | ft @ FileType::Journal{ archival_type: FileTypeArchive::Xz }
-            | ft @ FileType::Unparsable => {
-                deo!("Path not supported {:?}", std_path_entry);
-                let k = ft.kind().to_string();
+            ft @ FileType::Text{ archival_type: FileTypeArchive::Normal, encoding_type: FileTypeTextEncoding::Utf16 }
+            | ft @ FileType::Text{ archival_type: FileTypeArchive::Normal, encoding_type: FileTypeTextEncoding::Utf32 }
+            | ft @ FileType::Text{ archival_type: FileTypeArchive::Gz, encoding_type: FileTypeTextEncoding::Utf16 }
+            | ft @ FileType::Text{ archival_type: FileTypeArchive::Gz, encoding_type: FileTypeTextEncoding::Utf32 }
+            | ft @ FileType::Text{ archival_type: FileTypeArchive::Lz4, encoding_type: FileTypeTextEncoding::Utf16 }
+            | ft @ FileType::Text{ archival_type: FileTypeArchive::Lz4, encoding_type: FileTypeTextEncoding::Utf32 }
+            | ft @ FileType::Text{ archival_type: FileTypeArchive::Tar, encoding_type: FileTypeTextEncoding::Utf16 }
+            | ft @ FileType::Text{ archival_type: FileTypeArchive::Tar, encoding_type: FileTypeTextEncoding::Utf32 }
+            | ft @ FileType::Text{ archival_type: FileTypeArchive::Xz, encoding_type: FileTypeTextEncoding::Utf16 }
+            | ft @ FileType::Text{ archival_type: FileTypeArchive::Xz, encoding_type: FileTypeTextEncoding::Utf32 }
+            => {
+                let et: String = match ft.encoding_type() {
+                    Some(e) => e.to_string(),
+                    None => String::from(""),
+                };
+                deo!("Text encoding {} not supported {:?}", et, std_path_entry);
+                paths.push(ProcessPathResult::FileErrNotSupported(
+                    fpath_entry,
+                    Some(format!("Encoding {}", et)),
+                ));
+            }
+            FileType::Unparsable
+            => {
+                deo!("Path not a log file {:?}", std_path_entry);
                 paths.push(ProcessPathResult::FileErrNotSupported(
                     fpath_entry,
-                    Some(String::from(
-                        format!("compressed or archived {} are not supported", k)
-                    )),
+                    None,
                 ));
             }
         }

diff --git a/src/tests/common.rs b/src/tests/common.rs
@@ -60,20 +60,28 @@ use ::lazy_static::lazy_static;
 
 pub const FILETYPE_EVTX: FileType =
     FileType::Evtx { archival_type: FileTypeArchive::Normal };
-pub const FILETYPE_EVTX_T: FileType =
-    FileType::Evtx { archival_type: FileTypeArchive::Tar };
 pub const FILETYPE_EVTX_GZ: FileType =
     FileType::Evtx { archival_type: FileTypeArchive::Gz };
+pub const FILETYPE_EVTX_LZ4: FileType =
+    FileType::Evtx { archival_type: FileTypeArchive::Lz4 };
+pub const FILETYPE_EVTX_TAR: FileType =
+    FileType::Evtx { archival_type: FileTypeArchive::Tar };
+pub const FILETYPE_EVTX_XZ: FileType =
+    FileType::Evtx { archival_type: FileTypeArchive::Xz };
 pub const FILETYPE_JOURNAL: FileType =
     FileType::Journal { archival_type: FileTypeArchive::Normal };
-pub const FILETYPE_JOURNAL_T: FileType =
+pub const FILETYPE_JOURNAL_GZ: FileType =
+    FileType::Journal { archival_type: FileTypeArchive::Gz };
+pub const FILETYPE_JOURNAL_LZ4: FileType =
+    FileType::Journal { archival_type: FileTypeArchive::Lz4 };
+pub const FILETYPE_JOURNAL_TAR: FileType =
     FileType::Journal { archival_type: FileTypeArchive::Tar };
 pub const FILETYPE_JOURNAL_XZ: FileType =
     FileType::Journal { archival_type: FileTypeArchive::Xz };
 pub const FILETYPE_UTMP: FileType =
-    FileType::FixedStruct { archival_type: FileTypeArchive::Normal, fixedstruct_type: FileTypeFixedStruct::Utmp};
-pub const FILETYPE_UTMP_T: FileType =
-    FileType::FixedStruct { archival_type: FileTypeArchive::Tar, fixedstruct_type: FileTypeFixedStruct::Utmp};
+    FileType::FixedStruct { archival_type: FileTypeArchive::Normal, fixedstruct_type: FileTypeFixedStruct::Utmp };
+pub const FILETYPE_UTMP_TAR: FileType =
+    FileType::FixedStruct { archival_type: FileTypeArchive::Tar, fixedstruct_type: FileTypeFixedStruct::Utmp };
 pub const FILETYPE_UTF8: FileType =
     FileType::Text { archival_type: FileTypeArchive::Normal, encoding_type: FileTypeTextEncoding::Utf8Ascii };
 pub const FILETYPE_UTF8_GZ: FileType =
@@ -2969,12 +2977,12 @@ pub const TAR_ABCDEFGHI_DATA: [u8; 10240] = [
 
 lazy_static! {
     /// fileABCDEFGHI.tar
-    pub static ref NTF_TAR_ABCDEF: NamedTempFile =
+    pub static ref NTF_TAR_ABCDEFGHI: NamedTempFile =
         create_temp_file_bytes_with_suffix(
             &TAR_ABCDEFGHI_DATA, &String::from(TAR_ABCDEFGHI_FILENAME)
         );
     /// fileABCDEFGHI.tar
-    pub static ref NTF_TAR_ABCDEFGHI_FPATH: FPath = ntf_fpath(&NTF_TAR_ABCDEF);
+    pub static ref NTF_TAR_ABCDEFGHI_FPATH: FPath = ntf_fpath(&NTF_TAR_ABCDEFGHI);
     /// fileABCDEFGHI.tar|fileA.evtx
     pub static ref NTF_TAR_ABCDEFGHI_FILEA_FPATH: FPath = {
         let mut path_: FPath = NTF_TAR_ABCDEFGHI_FPATH.clone();
@@ -3048,9 +3056,10 @@ lazy_static! {
         path_
     };
 }
-pub const NTF_TAR_ABCDEFGHI_FILEA_FILETYPE: FileType = FILETYPE_EVTX_T;
-pub const NTF_TAR_ABCDEFGHI_FILEB_FILETYPE: FileType = FILETYPE_JOURNAL_T;
-pub const NTF_TAR_ABCDEFGHI_FILEC_FILETYPE: FileType = FILETYPE_UTMP_T;
+
+pub const NTF_TAR_ABCDEFGHI_FILEA_FILETYPE: FileType = FILETYPE_EVTX_TAR;
+pub const NTF_TAR_ABCDEFGHI_FILEB_FILETYPE: FileType = FILETYPE_JOURNAL_TAR;
+pub const NTF_TAR_ABCDEFGHI_FILEC_FILETYPE: FileType = FILETYPE_UTMP_TAR;
 pub const NTF_TAR_ABCDEFGHI_FILED_FILETYPE: FileType = FILETYPE_UTF8_TAR;
 pub const NTF_TAR_ABCDEFGHI_FILEE_FILETYPE: FileType = FILETYPE_EVTX_GZ;
 pub const NTF_TAR_ABCDEFGHI_FILEF_FILETYPE: FileType = FILETYPE_JOURNAL_XZ;