def testSizeAndRegexFiltersWithDifferentActions(self):
expected_files = []
non_expected_files = ["dpkg.log", "dpkg_false.log", "auth.log"]
size_filter = rdfvalue.FileFinderFilter(
filter_type=rdfvalue.FileFinderFilter.Type.SIZE,
size=rdfvalue.FileFinderSizeFilter(max_file_size=626))
regex_filter = rdfvalue.FileFinderFilter(
filter_type=rdfvalue.FileFinderFilter.Type.CONTENTS_REGEX_MATCH,
contents_regex_match=rdfvalue.FileFinderContentsRegexMatchFilter(
mode=rdfvalue.FileFinderContentsRegexMatchFilter.Mode.ALL_HITS,
regex="session opened for user .*?john"))
for action in sorted(
rdfvalue.FileFinderAction.Action.enum_dict.values()):
self.RunFlowAndCheckResults(action=action,
filters=[size_filter, regex_filter],
expected_files=expected_files,
non_expected_files=non_expected_files)
# Check that order of filters doesn't influence results
for action in sorted(
rdfvalue.FileFinderAction.Action.enum_dict.values()):
self.RunFlowAndCheckResults(action=action,
filters=[regex_filter, size_filter],
expected_files=expected_files,
non_expected_files=non_expected_files)
def FiltersToFileFinderFilters(self, filters):
result = []
for f in filters:
if f.filter_type == MemoryScannerFilter.Type.LITERAL_MATCH:
result.append(rdfvalue.FileFinderFilter(
filter_type=rdfvalue.FileFinderFilter.Type.CONTENTS_LITERAL_MATCH,
contents_literal_match=f.literal_match))
elif f.filter_type == MemoryScannerFilter.Type.REGEX_MATCH:
result.append(rdfvalue.FileFinderFilter(
filter_type=rdfvalue.FileFinderFilter.Type.CONTENTS_REGEX_MATCH,
contents_regex_match=f.regex_match))
else:
raise ValueError("Unknown filter type: %s", f.filter_type)
return result
def Grep(self, collector, pathtype):
"""Grep files in path_list for any matches to content_regex_list."""
path_list = self.InterpolateList(collector.args.get("path_list", []))
content_regex_list = self.InterpolateList(
collector.args.get("content_regex_list", []))
filters = []
for regex in content_regex_list:
regexfilter = rdfvalue.FileFinderContentsRegexMatchFilter(
regex=regex, bytes_before=0, bytes_after=0)
file_finder_filter = rdfvalue.FileFinderFilter(
filter_type=rdfvalue.FileFinderFilter.Type.
CONTENTS_REGEX_MATCH,
contents_regex_match=regexfilter)
filters.append(file_finder_filter)
self.CallFlow("FileFinder",
paths=path_list,
filters=filters,
action=rdfvalue.FileFinderAction(),
pathtype=pathtype,
request_data={
"artifact_name": self.current_artifact_name,
"collector": collector.ToPrimitiveDict()
},
next_state="ProcessCollected")
def testRegexMatchFilterWithDifferentActions(self):
expected_files = ["auth.log"]
non_expected_files = ["dpkg.log", "dpkg_false.log"]
regex_filter = rdfvalue.FileFinderFilter(
filter_type=rdfvalue.FileFinderFilter.Type.CONTENTS_REGEX_MATCH,
contents_regex_match=rdfvalue.FileFinderContentsRegexMatchFilter(
mode=rdfvalue.FileFinderContentsRegexMatchFilter.Mode.ALL_HITS,
regex="session opened for user .*?john"))
for action in sorted(
rdfvalue.FileFinderAction.Action.enum_dict.values()):
self.RunFlowAndCheckResults(action=action,
filters=[regex_filter],
expected_files=expected_files,
non_expected_files=non_expected_files)
fd = aff4.FACTORY.Open(self.client_id.Add(self.output_path),
aff4_type="RDFValueCollection",
token=self.token)
self.assertEqual(len(fd), 1)
self.assertEqual(len(fd[0].matches), 1)
self.assertEqual(fd[0].matches[0].offset, 350)
self.assertEqual(
fd[0].matches[0].data,
"session): session opened for user dearjohn by (uid=0")
def testSizeFilterWithDifferentActions(self):
expected_files = ["dpkg.log", "dpkg_false.log"]
non_expected_files = ["auth.log"]
size_filter = rdfvalue.FileFinderFilter(
filter_type=rdfvalue.FileFinderFilter.Type.SIZE,
size=rdfvalue.FileFinderSizeFilter(max_file_size=626))
for action in sorted(
rdfvalue.FileFinderAction.Action.enum_dict.values()):
self.RunFlowAndCheckResults(action=action,
filters=[size_filter],
expected_files=expected_files,
non_expected_files=non_expected_files)
def testAppliesLiteralFilterWhenMemoryPathTypeIsUsed(self):
vfs.VFS_HANDLERS[
rdfvalue.PathSpec.PathType.OS] = test_lib.ClientTestDataVFSFixture
vfs.VFS_HANDLERS[rdfvalue.PathSpec.PathType.
MEMORY] = test_lib.ClientTestDataVFSFixture
paths = [
os.path.join(os.path.dirname(self.base_path), "auth.log"),
os.path.join(os.path.dirname(self.base_path), "dpkg.log")
]
literal_filter = rdfvalue.FileFinderFilter(
filter_type=rdfvalue.FileFinderFilter.Type.CONTENTS_LITERAL_MATCH,
contents_literal_match=rdfvalue.
FileFinderContentsLiteralMatchFilter(
mode=rdfvalue.FileFinderContentsLiteralMatchFilter.Mode.
ALL_HITS,
literal="session opened for user dearjohn"))
# Check this filter with all the actions. This makes sense, as we may
# download memeory or send it to the socket.
for action in sorted(
rdfvalue.FileFinderAction.Action.enum_dict.values()):
for _ in test_lib.TestFlowHelper(
"FileFinder",
self.client_mock,
client_id=self.client_id,
paths=paths,
pathtype=rdfvalue.PathSpec.PathType.MEMORY,
filters=[literal_filter],
action=rdfvalue.FileFinderAction(action_type=action),
token=self.token,
output=self.output_path):
pass
self.CheckFilesInCollection(["auth.log"])
fd = aff4.FACTORY.Open(self.client_id.Add(self.output_path),
aff4_type="RDFValueCollection",
token=self.token)
self.assertEqual(fd[0].stat_entry.pathspec.CollapsePath(),
paths[0])
self.assertEqual(len(fd), 1)
self.assertEqual(len(fd[0].matches), 1)
self.assertEqual(fd[0].matches[0].offset, 350)
self.assertEqual(
fd[0].matches[0].data,
"session): session opened for user dearjohn by (uid=0")
def testInodeChangeTimeFilterWithDifferentActions(self):
expected_files = ["dpkg.log", "dpkg_false.log"]
non_expected_files = ["auth.log"]
inode_change_time_filter = rdfvalue.FileFinderFilter(
filter_type=rdfvalue.FileFinderFilter.Type.INODE_CHANGE_TIME,
inode_change_time=rdfvalue.FileFinderInodeChangeTimeFilter(
min_last_inode_change_time=rdfvalue.RDFDatetime(
).FromSecondsFromEpoch(1444444440)))
for action in sorted(
rdfvalue.FileFinderAction.Action.enum_dict.values()):
self.RunFlowAndCheckResults(action=action,
filters=[inode_change_time_filter],
expected_files=expected_files,
non_expected_files=non_expected_files)
def testAccessTimeFilterWithDifferentActions(self):
expected_files = ["dpkg.log", "dpkg_false.log"]
non_expected_files = ["auth.log"]
access_time_filter = rdfvalue.FileFinderFilter(
filter_type=rdfvalue.FileFinderFilter.Type.ACCESS_TIME,
access_time=rdfvalue.FileFinderAccessTimeFilter(
min_last_access_time=rdfvalue.RDFDatetime(
).FromSecondsFromEpoch(1444444440)))
for action in sorted(
rdfvalue.FileFinderAction.Action.enum_dict.values()):
self.RunFlowAndCheckResults(action=action,
filters=[access_time_filter],
expected_files=expected_files,
non_expected_files=non_expected_files)
def testModificationTimeFilterWithDifferentActions(self):
expected_files = ["dpkg.log", "dpkg_false.log"]
non_expected_files = ["auth.log"]
modification_time_filter = rdfvalue.FileFinderFilter(
filter_type=rdfvalue.FileFinderFilter.Type.MODIFICATION_TIME,
modification_time=rdfvalue.FileFinderModificationTimeFilter(
min_last_modified_time=rdfvalue.RDFDatetime(
).FromSecondsFromEpoch(1444444440)))
for action in sorted(
rdfvalue.FileFinderAction.Action.enum_dict.values()):
self.RunFlowAndCheckResults(action=action,
filters=[modification_time_filter],
expected_files=expected_files,
non_expected_files=non_expected_files)