"""A plugin to generate a list of domains visited."""
from urllib import parse as urlparse
from plaso.analysis import interface
from plaso.analysis import manager
[docs]
class UniqueDomainsVisitedPlugin(interface.AnalysisPlugin):
"""A plugin to generate a list all domains visited.
This plugin will extract domains from browser history events extracted by Plaso. The
list produced can be used to quickly determine if there has been a visit to a site
of interest, for example, a known phishing site.
"""
NAME = "unique_domains_visited"
_SUPPORTED_EVENT_DATA_TYPES = frozenset(
[
"chrome:history:file_downloaded",
"chrome:history:page_visited",
"firefox:downloads:download",
"firefox:places:page_visited",
"macosx:lsquarantine",
"msiecf:redirected",
"msiecf:url",
"msie:webcache:container",
"opera:history",
"safari:history:visit",
]
)
# pylint: disable=unused-argument
[docs]
def ExamineEvent(self, analysis_mediator, event, event_data, event_data_stream):
"""Analyzes an event and extracts domains from it.
We only evaluate straightforward web history events, not visits which can
be inferred by TypedURLs, cookies or other means.
Args:
analysis_mediator (AnalysisMediator): mediates interactions between
analysis plugins and other components, such as storage and dfVFS.
event (EventObject): event to examine.
event_data (EventData): event data.
event_data_stream (EventDataStream): event data stream.
"""
if event_data.data_type not in self._SUPPORTED_EVENT_DATA_TYPES:
return
url = getattr(event_data, "url", None)
if url:
parsed_url = urlparse.urlparse(url)
domain = getattr(parsed_url, "netloc", None)
if domain:
self._analysis_counter[domain] += 1
manager.AnalysisPluginManager.RegisterPlugin(UniqueDomainsVisitedPlugin)