
Improve error message for plaso files if plaso version is too old

Open · kiddinn opened this issue 4 years ago · 0 comments

If a plaso file is uploaded to TS and there is a mismatch between the plaso version of the tool that generated the storage file and the one that is installed on the server, a few things can happen:

  1. File is supported and we are all good.
  2. Storage format is too old and we get a decent error message that can be easily understood.
  3. Storage format is too new and no visible error message is displayed.

It's the third option here that the issue is about.

Uploading a plaso file that is generated using plaso version 20200717, for instance, to a backend that has version 20200430 results in:

[screenshot: plaso_import]

The celery logs are:

[2020-08-19 14:35:39,556] celery.worker.strategy/INFO Received task: timesketch.lib.tasks.run_plaso[8bb1d6b7-103b-4834-902a-1f9ad6368fc6]
[2020-08-19 14:35:39,565] timesketch.tasks/INFO Index timeline [..._plaso] to index [5573d23aa4a5409e9d81f95195d25f81] (source: plaso)
[2020-08-19 14:35:47,167] celery.app.trace/INFO Task timesketch.lib.tasks.run_plaso[8bb1d6b7-103b-4834-902a-1f9ad6368fc6] succeeded in 7.605973808997078s: '2020-08-19 14:35:44,854 [INFO] (MainProcess) PID:530 <data_location> Determined data location: /usr/share/plaso
2020-08-19 14:35:46,625 [INFO] (MainProcess) PID:530 <timesketch_out> Timeline name: ..._plaso
2020-08-19 14:35:46,626 [INFO] (MainProcess) PID:530 <timesketch_out> Owner of the timeline: None

And looking inside the container and running psort manually:

# psort.py -w foo.csv 2fbe9995e8184e79a37792557ae2f168
2020-08-19 14:39:46,872 [INFO] (MainProcess) PID:564 <data_location> Determined data location: /usr/share/plaso

(exit status is 1 which we should be able to capture)

Running pinfo on the file reveals

# pinfo.py 2fbe9995e8184e79a37792557ae2f168
2020-08-19 14:40:48,912 [ERROR] (MainProcess) PID:568 <pinfo_tool> Format of storage file: 2fbe9995e8184e79a37792557ae2f168 not supported

Therefore this issue is to improve the error reporting in this particular edge case of plaso file uploads. Check the subprocess exit, and maybe attempt to run pinfo on the file, which would in this case indicate the storage format is not supported, and maybe print out the version of plaso running on the backend?
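One way to implement the proposed check, as an added example that is not Timesketch's own code: run psort through a small wrapper, and when it exits non-zero, consult pinfo for the "not supported" message and report the backend's plaso version. The runner is injected so the logic can be exercised offline against constructed output modelled on the logs above; the assumption that `psort.py --version` prints a line ending in the version number is labelled in the code.

```python
"""Added example, not Timesketch's own code: wrap the psort run so a non-zero
exit surfaces a useful message instead of the task silently "succeeding"."""
import subprocess
from typing import Callable, Sequence, Tuple

# A runner takes argv and returns (exit status, combined stdout+stderr); injecting
# it lets the logic be exercised offline with constructed output.
Runner = Callable[[Sequence[str]], Tuple[int, str]]


def subprocess_runner(argv: Sequence[str]) -> Tuple[int, str]:
    """Real runner: execute the plaso tool and capture everything it prints."""
    proc = subprocess.run(list(argv), capture_output=True, text=True)
    return proc.returncode, proc.stdout + proc.stderr


def backend_plaso_version(runner: Runner) -> str:
    """Version of the plaso installed on the backend. Assumes `psort.py --version`
    prints a line ending in the version (e.g. 'plaso - psort version 20200430')."""
    status, out = runner(["psort.py", "--version"])
    return out.split()[-1] if status == 0 and out.strip() else "unknown"


def import_plaso(storage_file: str, output_csv: str,
                 runner: Runner = subprocess_runner) -> Tuple[bool, str]:
    """Run psort; on failure consult pinfo and report the backend version."""
    status, out = runner(["psort.py", "-w", output_csv, storage_file])
    if status == 0:
        return True, f"psort imported {storage_file}"
    # psort prints nothing useful in this case, so ask pinfo why it rejects the file.
    _, pinfo_out = runner(["pinfo.py", storage_file])
    version = backend_plaso_version(runner)
    if "not supported" in pinfo_out:
        return False, (f"psort exited with status {status}: storage format of "
                       f"{storage_file} is not supported by the backend plaso ({version}); "
                       "the file was likely created with a newer plaso release")
    return False, (f"psort exited with status {status}; psort said {out.strip()!r}; "
                   f"pinfo said {pinfo_out.strip()!r}")


def constructed_runner(argv: Sequence[str]) -> Tuple[int, str]:
    """Constructed stand-in reproducing the tool outputs quoted in this issue."""
    if argv[0] == "psort.py" and "--version" in argv:
        return 0, "plaso - psort version 20200430\n"
    if argv[0] == "psort.py":
        return 1, "[INFO] <data_location> Determined data location: /usr/share/plaso\n"
    return 1, f"[ERROR] <pinfo_tool> Format of storage file: {argv[-1]} not supported\n"
```

Calling `import_plaso("2fbe9995e8184e79a37792557ae2f168", "foo.csv", constructed_runner)` reproduces the failure described above and returns a message naming the exit status, the unsupported storage format and the backend plaso version.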

kiddinn · Aug 19 '20 14:08