    def testParseWithIIS7SQLIFile(self):
        """Parses ``iis7_sqli.log`` (IIS 7 format, SQLI request) and checks the first event.

        Expects two events and no warnings. The first event must keep the
        client and server addresses, port 443, the 500 status, the requested
        stem and the plus-encoded user agent exactly as logged, so the attempt
        stays visible to whoever reviews the parsed output.
        """
        storage_writer = self._ParseFile(['iis7_sqli.log'], iis.WinIISParser())

        # Counts first: warnings or a different event count would make the
        # per-event check below meaningless.
        self.assertEqual(storage_writer.number_of_warnings, 0)
        self.assertEqual(storage_writer.number_of_events, 2)

        first_event = list(storage_writer.GetEvents())[0]

        user_agent = (
            'Mozilla/5.0+(Macintosh;+Intel+Mac+OS+X+10_9_2)+AppleWebKit/'
            '537.36+(KHTML,+like+Gecko)+Chrome/34.0.1847.131+Safari/537.36')
        expected_event_values = dict(
            data_type='iis:log:line',
            dest_ip='111.111.111.111',
            dest_port=443,
            http_method='GET',
            http_status=500,
            requested_uri_stem='/foo/bar/baz.asp',
            source_ip='222.222.222.222',
            timestamp='2015-10-16 13:01:02.000000',
            user_agent=user_agent)

        self.CheckEventValues(storage_writer, first_event, expected_event_values)
    def testParseWithoutDate(self):
        """Parses ``iis_without_date.log``, whose rows carry no date column.

        Expects eleven events and neither extraction nor recovery warnings,
        and that the second event still carries a full date-time, protocol
        version and timestamp.
        """
        storage_writer = self._ParseFile(
            ['iis_without_date.log'], iis.WinIISParser())

        # Container counts are read by type name; check events first, then
        # both warning kinds.
        expected_container_counts = (
            ('event', 11),
            ('extraction_warning', 0),
            ('recovery_warning', 0),
        )
        for container_type, expected_count in expected_container_counts:
            actual_count = storage_writer.GetNumberOfAttributeContainers(
                container_type)
            self.assertEqual(actual_count, expected_count)

        second_event = list(storage_writer.GetEvents())[1]

        self.CheckEventValues(storage_writer, second_event, {
            'data_type': 'iis:log:line',
            'date_time': '2013-07-30 00:00:03',
            'protocol_version': 'HTTP/1.1',
            'timestamp': '2013-07-30 00:00:03.000000'})
    def testParseWithIIS7OWAFile(self):
        """Parses ``iis7_owa.log`` (IIS 7 format, ``/owa/`` request) and checks the first event.

        Expects three events and no warnings. The first event must carry the
        request's source and destination addresses, port 443, the 200 status,
        the ``/owa/`` stem and the plus-encoded user agent.
        """
        storage_writer = self._ParseFile(['iis7_owa.log'], iis.WinIISParser())

        self.assertEqual(storage_writer.number_of_warnings, 0)
        self.assertEqual(storage_writer.number_of_events, 3)

        first_event = list(storage_writer.GetEvents())[0]

        user_agent = (
            'Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/537.36+'
            '(KHTML,+like+Gecko)+Chrome/39.0.2171.95+Safari/537.36')
        expected_event_values = dict(
            data_type='iis:log:line',
            dest_ip='10.11.2.3',
            dest_port=443,
            http_method='GET',
            http_status=200,
            requested_uri_stem='/owa/',
            source_ip='77.123.22.98',
            timestamp='2015-12-31 00:19:48.000000',
            user_agent=user_agent)

        self.CheckEventValues(storage_writer, first_event, expected_event_values)
    def testParse(self):
        """Parses ``iis.log`` and checks events 0, 5, 1 and 11.

        Expects twelve events and no warnings. Verifies attribute values of the
        first and sixth event, the long and short message strings of the first
        and second event, and that the last event's query string is kept
        verbatim (``%20`` left undecoded, backticks and pipe intact), which is
        what a later search for that request in the output relies on.
        """
        storage_writer = self._ParseFile(['iis.log'], iis.WinIISParser())

        self.assertEqual(storage_writer.number_of_warnings, 0)
        self.assertEqual(storage_writer.number_of_events, 12)

        events = list(storage_writer.GetEvents())

        # First event: endpoints and timestamp.
        self.CheckEventValues(storage_writer, events[0], {
            'dest_ip': '10.10.10.100',
            'dest_port': 80,
            'source_ip': '10.10.10.100',
            'timestamp': '2013-07-30 00:00:00.000000'})

        # The long message is the short one followed by status and user agent;
        # message strings are checked on the event data, not the event.
        short_message = (
            'GET /some/image/path/something.jpg '
            '[ 10.10.10.100 > 10.10.10.100 : 80 ]')
        message = short_message + (
            ' HTTP Status: 200 '
            'User Agent: Mozilla/4.0+(compatible;+Win32;'
            '+WinHttp.WinHttpRequest.5)')
        first_event_data = self._GetEventDataOfEvent(storage_writer, events[0])
        self._TestGetMessageStrings(first_event_data, message, short_message)

        # Sixth event: request line and timestamp.
        self.CheckEventValues(storage_writer, events[5], {
            'http_method': 'GET',
            'http_status': 200,
            'requested_uri_stem': '/some/image/path/something.jpg',
            'timestamp': '2013-07-30 00:00:05.000000'})

        # Second event: a 404 from a different client.
        short_message = (
            'GET /some/image/path/something.htm '
            '[ 22.22.22.200 > 10.10.10.100 : 80 ]')
        message = short_message + (
            ' HTTP Status: 404 '
            'User Agent: Mozilla/5.0+(Macintosh;+Intel+Mac+OS+X+10_6_8)'
            '+AppleWebKit/534.57.2+(KHTML,+like+Gecko)+Version/5.1.7'
            '+Safari/534.57.2')
        second_event_data = self._GetEventDataOfEvent(storage_writer, events[1])
        self._TestGetMessageStrings(second_event_data, message, short_message)

        # Last event: a query string carrying shell metacharacters must
        # survive parsing unchanged.
        self.CheckEventValues(storage_writer, events[11], {
            'cs_uri_query': 'ID=ERROR[`cat%20passwd|echo`]'})
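    def testParse(self):
        """Parses ``iis.log`` and checks events 0, 5, 1 and 11.

        Expects twelve events and no warnings. Checks the timestamp, endpoint
        attributes and message strings of the first event, the timestamp and
        request line of the sixth, the message strings of the second, and that
        the last event's query string, which carries shell metacharacters, is
        kept verbatim (``%20`` undecoded).
        """
        storage_writer = self._ParseFile(['iis.log'], iis.WinIISParser())

        self.assertEqual(storage_writer.number_of_warnings, 0)
        self.assertEqual(storage_writer.number_of_events, 12)

        events = list(storage_writer.GetEvents())

        # First event: timestamp, endpoints and message strings.
        event = events[0]
        self.CheckTimestamp(event.timestamp, '2013-07-30 00:00:00.000000')

        event_data = self._GetEventDataOfEvent(storage_writer, event)
        for attribute_name, expected_value in (
                ('source_ip', '10.10.10.100'),
                ('dest_ip', '10.10.10.100'),
                ('dest_port', 80)):
            self.assertEqual(getattr(event_data, attribute_name), expected_value)

        # The long message is the short one followed by status and user agent;
        # message strings are derived from the event here, not the event data.
        short_message = (
            'GET /some/image/path/something.jpg '
            '[ 10.10.10.100 > 10.10.10.100 : 80 ]')
        message = short_message + (
            ' HTTP Status: 200 '
            'User Agent: Mozilla/4.0+(compatible;+Win32;'
            '+WinHttp.WinHttpRequest.5)')
        self._TestGetMessageStrings(event, message, short_message)

        # Sixth event: timestamp and request line.
        event = events[5]
        self.CheckTimestamp(event.timestamp, '2013-07-30 00:00:05.000000')

        event_data = self._GetEventDataOfEvent(storage_writer, event)
        for attribute_name, expected_value in (
                ('http_method', 'GET'),
                ('http_status', 200),
                ('requested_uri_stem', '/some/image/path/something.jpg')):
            self.assertEqual(getattr(event_data, attribute_name), expected_value)

        # Second event: a 404 from a different client.
        short_message = (
            'GET /some/image/path/something.htm '
            '[ 22.22.22.200 > 10.10.10.100 : 80 ]')
        message = short_message + (
            ' HTTP Status: 404 '
            'User Agent: Mozilla/5.0+(Macintosh;+Intel+Mac+OS+X+10_6_8)'
            '+AppleWebKit/534.57.2+(KHTML,+like+Gecko)+Version/5.1.7'
            '+Safari/534.57.2')
        self._TestGetMessageStrings(events[1], message, short_message)

        # Last event: the query string must survive parsing unchanged.
        # Arguments are (actual, expected), matching every other assertion
        # here, so a mismatch reads the same way in the failure output.
        event_data = self._GetEventDataOfEvent(storage_writer, events[11])
        self.assertEqual(
            event_data.cs_uri_query, 'ID=ERROR[`cat%20passwd|echo`]')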
    def testParse(self):
        """Parses ``iis.log`` through the queue-based harness and checks events 0, 5 and 1.

        Expects eleven event objects. Checks the timestamp, endpoint attributes
        and message strings of the first event, the timestamp and request line
        of the sixth, and the message strings of the second.
        """
        parser = iis.WinIISParser()

        test_file = self._GetTestFilePath([u'iis.log'])
        event_queue_consumer = self._ParseFile(parser, test_file)
        event_objects = self._GetEventObjectsFromQueue(event_queue_consumer)

        self.assertEqual(len(event_objects), 11)

        def expected_timestamp(date_time_string):
            # Resolves an expected date-time string to the timestamp value the
            # event objects are compared against.
            return timelib.Timestamp.CopyFromString(date_time_string)

        # First event: timestamp, endpoints and message strings.
        event_object = event_objects[0]
        self.assertEqual(
            event_object.timestamp, expected_timestamp(u'2013-07-30 00:00:00'))
        for attribute_name, expected_value in (
                ('source_ip', u'10.10.10.100'),
                ('dest_ip', u'10.10.10.100'),
                ('dest_port', 80)):
            self.assertEqual(
                getattr(event_object, attribute_name), expected_value)

        # The long message is the short one followed by status and user agent.
        expected_msg_short = (u'GET /some/image/path/something.jpg '
                              u'[ 10.10.10.100 > 10.10.10.100 : 80 ]')
        expected_msg = expected_msg_short + (
            u' HTTP Status: 200 '
            u'User Agent: Mozilla/4.0+(compatible;+Win32;'
            u'+WinHttp.WinHttpRequest.5)')
        self._TestGetMessageStrings(
            event_object, expected_msg, expected_msg_short)

        # Sixth event: timestamp and request line.
        event_object = event_objects[5]
        self.assertEqual(
            event_object.timestamp, expected_timestamp(u'2013-07-30 00:00:05'))
        for attribute_name, expected_value in (
                ('http_method', u'GET'),
                ('http_status', 200),
                ('requested_uri_stem', u'/some/image/path/something.jpg')):
            self.assertEqual(
                getattr(event_object, attribute_name), expected_value)

        # Second event: a 404 from a different client.
        expected_msg_short = (u'GET /some/image/path/something.htm '
                              u'[ 22.22.22.200 > 10.10.10.100 : 80 ]')
        expected_msg = expected_msg_short + (
            u' HTTP Status: 404 '
            u'User Agent: Mozilla/5.0+(Macintosh;+Intel+Mac+OS+X+10_6_8)'
            u'+AppleWebKit/534.57.2+(KHTML,+like+Gecko)+Version/5.1.7'
            u'+Safari/534.57.2')
        self._TestGetMessageStrings(
            event_objects[1], expected_msg, expected_msg_short)
  def testParse(self):
    """Parses ``iis.log`` and checks events 0, 5 and 1.

    Expects eleven events. Checks the timestamp, endpoint attributes and
    message strings of the first event, the timestamp and request line of
    the sixth, and the message strings of the second. Attributes are read
    from the event itself in this harness.
    """
    storage_writer = self._ParseFile(['iis.log'], iis.WinIISParser())

    self.assertEqual(storage_writer.number_of_events, 11)

    events = list(storage_writer.GetEvents())

    def expected_timestamp(date_time_string):
      # Resolves an expected date-time string to the timestamp value the
      # events are compared against.
      return timelib.Timestamp.CopyFromString(date_time_string)

    # First event: timestamp, endpoints and message strings.
    event = events[0]
    self.assertEqual(
        event.timestamp, expected_timestamp('2013-07-30 00:00:00'))
    for attribute_name, expected_value in (
        ('source_ip', '10.10.10.100'),
        ('dest_ip', '10.10.10.100'),
        ('dest_port', 80)):
      self.assertEqual(getattr(event, attribute_name), expected_value)

    # The long message is the short one followed by status and user agent.
    expected_short_message = (
        'GET /some/image/path/something.jpg '
        '[ 10.10.10.100 > 10.10.10.100 : 80 ]')
    expected_message = expected_short_message + (
        ' HTTP Status: 200 '
        'User Agent: Mozilla/4.0+(compatible;+Win32;'
        '+WinHttp.WinHttpRequest.5)')
    self._TestGetMessageStrings(event, expected_message, expected_short_message)

    # Sixth event: timestamp and request line.
    event = events[5]
    self.assertEqual(
        event.timestamp, expected_timestamp('2013-07-30 00:00:05'))
    for attribute_name, expected_value in (
        ('http_method', 'GET'),
        ('http_status', 200),
        ('requested_uri_stem', '/some/image/path/something.jpg')):
      self.assertEqual(getattr(event, attribute_name), expected_value)

    # Second event: a 404 from a different client.
    expected_short_message = (
        'GET /some/image/path/something.htm '
        '[ 22.22.22.200 > 10.10.10.100 : 80 ]')
    expected_message = expected_short_message + (
        ' HTTP Status: 404 '
        'User Agent: Mozilla/5.0+(Macintosh;+Intel+Mac+OS+X+10_6_8)'
        '+AppleWebKit/534.57.2+(KHTML,+like+Gecko)+Version/5.1.7'
        '+Safari/534.57.2')
    self._TestGetMessageStrings(
        events[1], expected_message, expected_short_message)
  def testParse(self):
    """Parses ``iis.log`` and checks the values of events 0, 5, 1 and 11.

    Expects twelve events and no warnings. Every checked event carries the
    ``iis:log:line`` data type; the last one must keep its query string,
    which carries shell metacharacters, verbatim (``%20`` undecoded).
    """
    storage_writer = self._ParseFile(['iis.log'], iis.WinIISParser())

    self.assertEqual(storage_writer.number_of_warnings, 0)
    self.assertEqual(storage_writer.number_of_events, 12)

    events = list(storage_writer.GetEvents())

    # Shared by every checked event; merged into each expectation below.
    common_values = {'data_type': 'iis:log:line'}

    checks = (
        (0, {
            'dest_ip': '10.10.10.100',
            'dest_port': 80,
            'http_method': 'GET',
            'http_status': 200,
            'requested_uri_stem': '/some/image/path/something.jpg',
            'source_ip': '10.10.10.100',
            'timestamp': '2013-07-30 00:00:00.000000',
            'user_agent': (
                'Mozilla/4.0+(compatible;+Win32;+WinHttp.WinHttpRequest.5)')}),
        (5, {
            'http_method': 'GET',
            'http_status': 200,
            'requested_uri_stem': '/some/image/path/something.jpg',
            'timestamp': '2013-07-30 00:00:05.000000'}),
        (1, {
            'dest_ip': '10.10.10.100',
            'dest_port': 80,
            'http_method': 'GET',
            'http_status': 404,
            'requested_uri_stem': '/some/image/path/something.htm',
            'source_ip': '22.22.22.200',
            'timestamp': '2013-07-30 00:00:03.000000',
            'user_agent': (
                'Mozilla/5.0+(Macintosh;+Intel+Mac+OS+X+10_6_8)+AppleWebKit/'
                '534.57.2+(KHTML,+like+Gecko)+Version/5.1.7+Safari/534.57.2')}),
        # The query string must survive parsing unchanged.
        (11, {'cs_uri_query': 'ID=ERROR[`cat%20passwd|echo`]'}),
    )

    for event_index, event_values in checks:
      expected_event_values = dict(common_values, **event_values)
      self.CheckEventValues(
          storage_writer, events[event_index], expected_event_values)
    def testParseWithoutDate(self):
        """Parses ``iis_without_date.log``, whose rows carry no date column.

        Expects eleven events; the second must still carry a full timestamp
        and the protocol version.
        """
        storage_writer = self._ParseFile(
            ['iis_without_date.log'], iis.WinIISParser())

        self.assertEqual(storage_writer.number_of_events, 11)

        second_event = list(storage_writer.GetEvents())[1]

        self.CheckTimestamp(
            second_event.timestamp, '2013-07-30 00:00:03.000000')
        self.assertEqual(second_event.protocol_version, 'HTTP/1.1')
    def testParseWithoutDate(self):
        """Parses ``iis_without_date.log``, whose rows carry no date column.

        Expects eleven events and no warnings; the second event must still
        carry a full timestamp and the protocol version.
        """
        storage_writer = self._ParseFile(
            ['iis_without_date.log'], iis.WinIISParser())

        self.assertEqual(storage_writer.number_of_warnings, 0)
        self.assertEqual(storage_writer.number_of_events, 11)

        second_event = list(storage_writer.GetEvents())[1]

        self.CheckEventValues(storage_writer, second_event, dict(
            protocol_version='HTTP/1.1',
            timestamp='2013-07-30 00:00:03.000000'))
    def testParseWithoutDate(self):
        """Parses ``iis_without_date.log`` through the queue-based harness.

        Expects eleven event objects; the second must still carry a full
        timestamp and the protocol version although its row has no date
        column.
        """
        parser = iis.WinIISParser()

        test_file = self._GetTestFilePath([u'iis_without_date.log'])
        event_queue_consumer = self._ParseFile(parser, test_file)
        event_objects = self._GetEventObjectsFromQueue(event_queue_consumer)

        self.assertEqual(len(event_objects), 11)

        second_event = event_objects[1]

        self.assertEqual(
            second_event.timestamp,
            timelib.Timestamp.CopyFromString(u'2013-07-30 00:00:03'))
        self.assertEqual(second_event.protocol_version, u'HTTP/1.1')
 def setUp(self):
   """Creates the IIS parser instance shared by the tests of this case."""
   parser = iis.WinIISParser()
   self._parser = parser