def _CreateHuntFromFlow(self): self.client_id = self.SetupClient(0) flow_args = rdf_file_finder.FileFinderArgs( paths=["a/*", "b/*"], action=rdf_file_finder.FileFinderAction(action_type="STAT")) flow_runner_args = rdf_flow_runner.FlowRunnerArgs( flow_name=file_finder.FileFinder.__name__) flow_urn = flow.StartAFF4Flow( client_id=self.client_id, args=flow_args, runner_args=flow_runner_args, token=self.token) ref = rdf_hunts.FlowLikeObjectReference.FromFlowIdAndClientId( flow_urn.Basename(), self.client_id.Basename()) # Modify flow_args so that there are differences. flow_args.paths = ["b/*", "c/*"] flow_args.action.action_type = "DOWNLOAD" flow_args.conditions = [ rdf_file_finder.FileFinderCondition( condition_type="SIZE", size=rdf_file_finder.FileFinderSizeCondition(min_file_size=42)) ] return self.CreateHunt( flow_args=flow_args, flow_runner_args=flow_runner_args, original_object=ref), flow_urn
def testSizeCondition(self): client_id = self.SetupClient(0) # There are two values, one is 20 bytes, the other 53. session_id = self.RunFlow(client_id, [self.runkey], [ registry.RegistryFinderCondition( condition_type=registry.RegistryFinderCondition.Type.SIZE, size=rdf_file_finder.FileFinderSizeCondition(min_file_size=50)) ]) results = self.GetResults(session_id) self.assertEqual(len(results), 1) self.assertGreater(results[0].stat_entry.st_size, 50)
def testSizeConditionWithDifferentActions(self): expected_files = ["dpkg.log", "dpkg_false.log"] non_expected_files = ["auth.log"] sizes = [ os.stat(os.path.join(self.fixture_path, f)).st_size for f in expected_files ] size_condition = rdf_file_finder.FileFinderCondition( condition_type=rdf_file_finder.FileFinderCondition.Type.SIZE, size=rdf_file_finder.FileFinderSizeCondition( max_file_size=max(sizes) + 1)) for action in self.CONDITION_TESTS_ACTIONS: self.RunFlowAndCheckResults(action=action, conditions=[size_condition], expected_files=expected_files, non_expected_files=non_expected_files)
def testSizeAndRegexConditionsWithDifferentActions(self): files_over_size_limit = ["auth.log"] filtered_files = ["dpkg.log", "dpkg_false.log"] expected_files = [] non_expected_files = files_over_size_limit + filtered_files sizes = [ os.stat(os.path.join(self.fixture_path, f)).st_size for f in files_over_size_limit ] size_condition = rdf_file_finder.FileFinderCondition( condition_type=rdf_file_finder.FileFinderCondition.Type.SIZE, size=rdf_file_finder.FileFinderSizeCondition( max_file_size=min(sizes) - 1)) regex_condition = rdf_file_finder.FileFinderCondition( condition_type=( rdf_file_finder.FileFinderCondition.Type.CONTENTS_REGEX_MATCH), contents_regex_match=rdf_file_finder. FileFinderContentsRegexMatchCondition( mode=(rdf_file_finder.FileFinderContentsRegexMatchCondition. Mode.ALL_HITS), bytes_before=10, bytes_after=10, regex="session opened for user .*?john")) for action in self.CONDITION_TESTS_ACTIONS: self.RunFlowAndCheckResults( action=action, conditions=[size_condition, regex_condition], expected_files=expected_files, non_expected_files=non_expected_files) # Check that order of conditions doesn't influence results for action in self.CONDITION_TESTS_ACTIONS: self.RunFlowAndCheckResults( action=action, conditions=[regex_condition, size_condition], expected_files=expected_files, non_expected_files=non_expected_files)
def _CreateHuntFromFlow(self): self.client_id = self.SetupClient(0) flow_args = rdf_file_finder.FileFinderArgs( paths=["a/*", "b/*"], action=rdf_file_finder.FileFinderAction(action_type="STAT")) session_id = flow_test_lib.StartFlow(file_finder.FileFinder, client_id=self.client_id, flow_args=flow_args) ref = rdf_hunts.FlowLikeObjectReference.FromFlowIdAndClientId( session_id, self.client_id) # Modify flow_args so that there are differences. flow_args.paths = ["b/*", "c/*"] flow_args.action.action_type = "DOWNLOAD" flow_args.conditions = [ rdf_file_finder.FileFinderCondition( condition_type="SIZE", size=rdf_file_finder.FileFinderSizeCondition(min_file_size=42)) ] return self.StartHunt(flow_args=flow_args, flow_runner_args=rdf_flow_runner.FlowRunnerArgs( flow_name=file_finder.FileFinder.__name__), original_object=ref), session_id
def testPassesAllConditionsToClientFileFinderWhenAllConditionsSpecified( self): modification_time = rdf_file_finder.FileFinderModificationTimeCondition( min_last_modified_time=rdfvalue.RDFDatetime.Now(), ) access_time = rdf_file_finder.FileFinderAccessTimeCondition( min_last_access_time=rdfvalue.RDFDatetime.Now(), ) inode_change_time = rdf_file_finder.FileFinderInodeChangeTimeCondition( min_last_inode_change_time=rdfvalue.RDFDatetime.Now(), ) size = rdf_file_finder.FileFinderSizeCondition(min_file_size=42, ) ext_flags = rdf_file_finder.FileFinderExtFlagsCondition( linux_bits_set=42, ) contents_regex_match = ( rdf_file_finder.FileFinderContentsRegexMatchCondition( regex=b"foo", )) contents_literal_match = ( rdf_file_finder.FileFinderContentsLiteralMatchCondition( literal=b"bar", )) flow_id = flow_test_lib.StartFlow( file.CollectMultipleFiles, client_id=self.client_id, path_expressions=["/some/path"], modification_time=modification_time, access_time=access_time, inode_change_time=inode_change_time, size=size, ext_flags=ext_flags, contents_regex_match=contents_regex_match, contents_literal_match=contents_literal_match, ) children = data_store.REL_DB.ReadChildFlowObjects( self.client_id, flow_id) self.assertLen(children, 1) child = children[0] self.assertEqual(child.flow_class_name, file_finder.ClientFileFinder.__name__) # We expect 7 condition-attributes to be converted # to 7 FileFinderConditions. self.assertLen(child.args.conditions, 7) def _GetCondition(condition_type): for c in child.args.conditions: if c.condition_type == condition_type: return c.UnionCast() raise RuntimeError( f"Condition of type {condition_type} not found.") self.assertEqual( _GetCondition( rdf_file_finder.FileFinderCondition.Type.MODIFICATION_TIME), modification_time) self.assertEqual( _GetCondition( rdf_file_finder.FileFinderCondition.Type.ACCESS_TIME), access_time) self.assertEqual( _GetCondition( rdf_file_finder.FileFinderCondition.Type.INODE_CHANGE_TIME), inode_change_time) self.assertEqual( _GetCondition(rdf_file_finder.FileFinderCondition.Type.SIZE), size) self.assertEqual( _GetCondition(rdf_file_finder.FileFinderCondition.Type.EXT_FLAGS), ext_flags) self.assertEqual( _GetCondition( rdf_file_finder.FileFinderCondition.Type.CONTENTS_REGEX_MATCH), contents_regex_match) self.assertEqual( _GetCondition(rdf_file_finder.FileFinderCondition.Type. CONTENTS_LITERAL_MATCH), contents_literal_match)