Source code for plaso.analysis.unique_domains_visited

# -*- coding: utf-8 -*-
"""A plugin to generate a list of domains visited."""

from urllib import parse as urlparse

from plaso.analysis import interface
from plaso.analysis import manager

[docs] class UniqueDomainsVisitedPlugin(interface.AnalysisPlugin): """A plugin to generate a list all domains visited. This plugin will extract domains from browser history events extracted by Plaso. The list produced can be used to quickly determine if there has been a visit to a site of interest, for example, a known phishing site. """ NAME = 'unique_domains_visited' _SUPPORTED_EVENT_DATA_TYPES = frozenset([ 'chrome:history:file_downloaded', 'chrome:history:page_visited', 'firefox:downloads:download', 'firefox:places:page_visited', 'macosx:lsquarantine', 'msiecf:redirected', 'msiecf:url', 'msie:webcache:container', 'opera:history', 'safari:history:visit']) # pylint: disable=unused-argument
[docs] def ExamineEvent( self, analysis_mediator, event, event_data, event_data_stream): """Analyzes an event and extracts domains from it. We only evaluate straightforward web history events, not visits which can be inferred by TypedURLs, cookies or other means. Args: analysis_mediator (AnalysisMediator): mediates interactions between analysis plugins and other components, such as storage and dfVFS. event (EventObject): event to examine. event_data (EventData): event data. event_data_stream (EventDataStream): event data stream. """ if event_data.data_type not in self._SUPPORTED_EVENT_DATA_TYPES: return url = getattr(event_data, 'url', None) if url: parsed_url = urlparse.urlparse(url) domain = getattr(parsed_url, 'netloc', None) if domain: self._analysis_counter[domain] += 1