def testDocumentOpen(self):
"""Tests the document_open tagging rule."""
# Test: data_type is 'windows:registry:bagmru'
attribute_values_per_name = {}
self._CheckTaggingRule(bagmru.BagMRUEventData,
attribute_values_per_name, ['document_open'])
# Test: data_type is 'windows:registry:mrulist' AND
# entries not contains '.exe' AND timestamp > DATETIME(0)
event = events.EventObject()
event.timestamp = self._TEST_TIMESTAMP
event.timestamp_desc = definitions.TIME_DESCRIPTION_UNKNOWN
event_data = mrulist.MRUListEventData()
event_data.entries = 'Index: 0 [MRU Value a]: file.txt'
event_data.parser = 'winreg/mrulist'
event.timestamp = 0
storage_writer = self._TagEvent(event, event_data, None)
self._CheckLabels(storage_writer, [])
event.timestamp = self._TEST_TIMESTAMP
storage_writer = self._TagEvent(event, event_data, None)
self._CheckLabels(storage_writer, ['document_open'])
# Test: data_type is 'windows:registry:mrulistex' AND
# entries not contains '.exe' AND timestamp > DATETIME(0)
event = events.EventObject()
event.timestamp = self._TEST_TIMESTAMP
event.timestamp_desc = definitions.TIME_DESCRIPTION_UNKNOWN
event_data = mrulistex.MRUListExEventData()
event_data.entries = 'Index: 0 [MRU Value 1]: file.txt'
event_data.parser = 'winreg/mrulistex'
event.timestamp = 0
storage_writer = self._TagEvent(event, event_data, None)
self._CheckLabels(storage_writer, [])
event.timestamp = self._TEST_TIMESTAMP
storage_writer = self._TagEvent(event, event_data, None)
self._CheckLabels(storage_writer, ['document_open'])
# Test: data_type is 'windows:registry:office_mru'
attribute_values_per_name = {}
self._CheckTaggingRule(officemru.OfficeMRUWindowsRegistryEventData,
attribute_values_per_name, ['document_open'])
# Test: data_type is 'windows:registry:office_mru_list'
attribute_values_per_name = {}
self._CheckTaggingRule(officemru.OfficeMRUListWindowsRegistryEventData,
attribute_values_per_name, ['document_open'])
def CreateEventFromValues(event_values):
"""Creates an event and event data from event values.
Args:
event_values (dict[str, str]): event values.
Returns:
tuple[EventObject, EventData, EventDataStream]: event, event data and
event data stream for testing.
"""
copy_of_event_values = dict(event_values)
event = events.EventObject()
for attribute_name in ('timestamp', 'timestamp_desc'):
attribute_value = copy_of_event_values.pop(attribute_name, None)
if attribute_value is not None:
if attribute_name == 'timestamp' and isinstance(
attribute_value, str):
attribute_value = shared_test_lib.CopyTimestampFromSring(
attribute_value)
setattr(event, attribute_name, attribute_value)
event_data_stream = events.EventDataStream()
for attribute_name in ('path_spec', 'md5_hash', 'sha256_hash'):
attribute_value = copy_of_event_values.pop(attribute_name, None)
if attribute_value is not None:
setattr(event_data_stream, attribute_name, attribute_value)
event_data = events.EventData()
event_data.CopyFromDict(copy_of_event_values)
return event, event_data, event_data_stream
def testRuleDeviceDisconnection(self):
"""Tests the device_disconnection tagging rule."""
event = events.EventObject()
event.timestamp = self._TEST_TIMESTAMP
event.timestamp_desc = definitions.TIME_DESCRIPTION_UNKNOWN
# Test: reporter is 'kernel' AND body contains 'USB disconnect'
event_data = syslog.SyslogLineEventData()
event_data.reporter = 'kernel'
event_data.body = 'bogus'
storage_writer = self._TagEvent(event, event_data)
self.assertEqual(storage_writer.number_of_event_tags, 0)
self._CheckLabels(storage_writer, [])
event_data.reporter = 'bogus'
event_data.body = 'USB disconnect'
storage_writer = self._TagEvent(event, event_data)
self.assertEqual(storage_writer.number_of_event_tags, 0)
self._CheckLabels(storage_writer, [])
event_data.reporter = 'kernel'
storage_writer = self._TagEvent(event, event_data)
self.assertEqual(storage_writer.number_of_event_tags, 1)
self._CheckLabels(storage_writer, ['device_disconnection'])
def testWriteSerialized(self):
"""Tests the WriteSerialized function."""
event_object = events.EventObject()
event_object.data_type = u'test:event2'
event_object.timestamp = 1234124
event_object.timestamp_desc = u'Written'
# Prevent the event object for generating its own UUID.
event_object.uuid = u'5a78777006de4ddb8d7bbe12ab92ccf8'
event_object.binary_string = b'\xc0\x90\x90binary'
event_object.empty_string = u''
event_object.zero_integer = 0
event_object.integer = 34
event_object.string = u'Normal string'
event_object.unicode_string = u'And I am a unicorn.'
event_object.my_list = [u'asf', 4234, 2, 54, u'asf']
event_object.my_dict = {
u'a': u'not b',
u'c': 34,
u'list': [u'sf', 234],
u'an': [234, 32]
}
event_object.a_tuple = (u'some item', [234, 52, 15], {
u'a': u'not a',
u'b': u'not b'
}, 35)
event_object.null_value = None
json_string = self._TestWriteSerialized(self._serializer, event_object,
self._json_dict)
event_object = self._serializer.ReadSerialized(json_string)
def testReadAndWriteSerializedEventObject(self):
"""Test ReadSerialized and WriteSerialized of EventObject."""
expected_event = events.EventObject()
expected_event.parser = 'test_parser'
expected_event.timestamp = 1234124
expected_event.timestamp_desc = 'Written'
json_string = (
json_serializer.JSONAttributeContainerSerializer.WriteSerialized(
expected_event))
self.assertIsNotNone(json_string)
event = json_serializer.JSONAttributeContainerSerializer.ReadSerialized(
json_string)
self.assertIsNotNone(event)
self.assertIsInstance(event, events.EventObject)
expected_event_dict = {
'parser': 'test_parser',
'timestamp': 1234124,
'timestamp_desc': 'Written'}
event_dict = event.CopyToDict()
self.assertEqual(event_dict, expected_event_dict)
def CreateEventFromValues(event_values):
"""Creates an event and event data from event values.
Args:
event_values (dict[str, str]): event values.
Returns:
tuple[EventObject, EventData]: event and event data for testing.
"""
copy_of_event_values = dict(event_values)
timestamp = copy_of_event_values.get('timestamp', None)
if 'timestamp' in copy_of_event_values:
del copy_of_event_values['timestamp']
timestamp_desc = copy_of_event_values.get('timestamp_desc', None)
if 'timestamp_desc' in copy_of_event_values:
del copy_of_event_values['timestamp_desc']
event = events.EventObject()
event.timestamp = timestamp
event.timestamp_desc = timestamp_desc
event_data = events.EventData()
event_data.CopyFromDict(copy_of_event_values)
return event, event_data
def testRuleDeviceConnection(self):
"""Tests the device_connection tagging rule."""
event = events.EventObject()
event.timestamp = self._TEST_TIMESTAMP
event.timestamp_desc = definitions.TIME_DESCRIPTION_UNKNOWN
event_data = ipod.IPodPlistEventData()
storage_writer = self._TagEvent(event, event_data)
self.assertEqual(storage_writer.number_of_event_tags, 1)
self._CheckLabels(storage_writer, ['device_connection'])
event_data = plist_event.PlistTimeEventData()
event_data.plugin = 'bogus'
storage_writer = self._TagEvent(event, event_data)
self.assertEqual(storage_writer.number_of_event_tags, 0)
self._CheckLabels(storage_writer, [])
event_data = plist_event.PlistTimeEventData()
event_data.plugin = 'plist_airport'
storage_writer = self._TagEvent(event, event_data)
self.assertEqual(storage_writer.number_of_event_tags, 1)
self._CheckLabels(storage_writer, ['device_connection'])
def testRuleApplicationExecution(self):
"""Tests the application_execution tagging rule."""
event = events.EventObject()
event.timestamp = self._TEST_TIMESTAMP
event.timestamp_desc = definitions.TIME_DESCRIPTION_UNKNOWN
event_data = appusage.MacOSApplicationUsageEventData()
storage_writer = self._TagEvent(event, event_data)
self.assertEqual(storage_writer.number_of_event_tags, 1)
self._CheckLabels(storage_writer, ['application_execution'])
event_data = syslog.SyslogLineEventData()
event_data.body = 'some random log message'
storage_writer = self._TagEvent(event, event_data)
self.assertEqual(storage_writer.number_of_event_tags, 0)
self._CheckLabels(storage_writer, [])
event_data = syslog.SyslogLineEventData()
event_data.body = 'somethin invoked COMMAND=/bin/launchctl'
storage_writer = self._TagEvent(event, event_data)
self.assertEqual(storage_writer.number_of_event_tags, 1)
self._CheckLabels(storage_writer, ['application_execution'])
def testFileDownload(self):
"""Tests the file_download tagging rule."""
# Test: data_type is 'chrome:history:file_downloaded'
attribute_values_per_name = {}
self._CheckTaggingRule(
chrome_history.ChromeHistoryFileDownloadedEventData,
attribute_values_per_name, ['file_download'])
# Test: timestamp_desc is 'File Downloaded'
event = events.EventObject()
event.timestamp = self._TEST_TIMESTAMP
event.timestamp_desc = definitions.TIME_DESCRIPTION_UNKNOWN
event_data = utorrent.UTorrentEventData()
storage_writer = self._TagEvent(event, event_data, None)
self.assertEqual(storage_writer.number_of_event_tags, 0)
self._CheckLabels(storage_writer, [])
event.timestamp_desc = definitions.TIME_DESCRIPTION_FILE_DOWNLOADED
storage_writer = self._TagEvent(event, event_data, None)
self.assertEqual(storage_writer.number_of_event_tags, 1)
self._CheckLabels(storage_writer, ['file_download'])
def testRuleAutorun(self):
"""Tests the autorun tagging rule."""
# Test: data_type is 'fs:stat' AND
# timestamp_desc is 'Creation Time' AND
# filename contains PATH('LaunchAgents') AND
# filename contains '.plist'
event = events.EventObject()
event.timestamp = self._TEST_TIMESTAMP
event.timestamp_desc = definitions.TIME_DESCRIPTION_CREATION
event_data = filestat.FileStatEventData()
event_data.filename = '/LaunchDaemons/test.plist'
event_data.parser = 'filestat'
storage_writer = self._TagEvent(event, event_data, None)
self._CheckLabels(storage_writer, [])
event_data = filestat.FileStatEventData()
event_data.filename = '/LaunchAgents/test.plist'
event_data.parser = 'filestat'
storage_writer = self._TagEvent(event, event_data, None)
self._CheckLabels(storage_writer, ['autorun'])
def testMatch(self):
"""Tests the Match function."""
test_filter = event_filter.EventObjectFilter()
test_filter.CompileFilter(
'timestamp is DATETIME("2020-12-23T15:00:00")')
event = events.EventObject()
event.timestamp = 1608735600000000
result = test_filter.Match(event, None, None, None)
self.assertTrue(result)
test_filter = event_filter.EventObjectFilter()
test_filter.CompileFilter('filename contains PATH("etc/issue")')
event_data = events.EventData()
event_data.filename = '/usr/local/etc/issue'
result = test_filter.Match(None, event_data, None, None)
self.assertTrue(result)
event_data.filename = '/etc/issue.net'
result = test_filter.Match(None, event_data, None, None)
self.assertFalse(result)
def testWriteSerializedAttributeContainerList(self):
"""Tests the _WriteSerializedAttributeContainerList function."""
event_data = events.EventData()
event = events.EventObject()
with shared_test_lib.TempDirectory() as temp_directory:
temp_file = os.path.join(temp_directory, 'plaso.sqlite')
storage_file = sqlite_file.SQLiteStorageFile()
storage_file.Open(path=temp_file, read_only=False)
storage_file._AddAttributeContainer(
storage_file._CONTAINER_TYPE_EVENT_DATA, event_data)
storage_file._WriteSerializedAttributeContainerList(
storage_file._CONTAINER_TYPE_EVENT_DATA)
event.timestamp = 0x7fffffffffffffff
storage_file._AddSerializedEvent(event)
storage_file._WriteSerializedAttributeContainerList(
storage_file._CONTAINER_TYPE_EVENT)
event.timestamp = 0x8000000000000000
storage_file._AddSerializedEvent(event)
with self.assertRaises(OverflowError):
storage_file._WriteSerializedAttributeContainerList(
storage_file._CONTAINER_TYPE_EVENT)
storage_file.Close()
def testCopyToDict(self):
"""Tests the CopyToDict function."""
event = events.EventObject()
event.timestamp = 123
event.timestamp_desc = u'LAST WRITTEN'
event.data_type = u'mock:nothing'
event.inode = 124
event.filename = u'c:/bull/skrytinmappa/skra.txt'
event.another_attribute = False
event.metadata = {
u'author': u'Some Random Dude',
u'version': 1245,
u'last_changed': u'Long time ago'}
event.strings = [u'This ', u'is a ', u'long string']
event.uuid = u'11fca043ea224a688137deaa8d162807'
expected_dict = {
u'another_attribute': False,
u'data_type': 'mock:nothing',
u'filename': u'c:/bull/skrytinmappa/skra.txt',
u'inode': 124,
u'metadata': {
u'author': u'Some Random Dude',
u'last_changed': u'Long time ago',
u'version': 1245},
u'strings': [u'This ', u'is a ', u'long string'],
u'timestamp': 123,
u'timestamp_desc': u'LAST WRITTEN',
u'uuid': u'11fca043ea224a688137deaa8d162807'}
test_dict = event.CopyToDict()
self.assertEqual(test_dict, expected_dict)
def testLoginFailed(self):
"""Tests the login_failed tagging rule."""
event = events.EventObject()
event.timestamp = self._TEST_TIMESTAMP
event.timestamp_desc = definitions.TIME_DESCRIPTION_UNKNOWN
# Test: data_type is 'windows:evtx:record' AND
# source_name is 'Microsoft-Windows-Security-Auditing' AND
# event_identifier is 4625
event_data = winevtx.WinEvtxRecordEventData()
event_data.event_identifier = 4625
event_data.source_name = 'bogus'
storage_writer = self._TagEvent(event, event_data)
self.assertEqual(storage_writer.number_of_event_tags, 0)
self._CheckLabels(storage_writer, [])
event_data.event_identifier = 1
event_data.source_name = 'Microsoft-Windows-Security-Auditing'
storage_writer = self._TagEvent(event, event_data)
self.assertEqual(storage_writer.number_of_event_tags, 0)
self._CheckLabels(storage_writer, [])
event_data.event_identifier = 4625
storage_writer = self._TagEvent(event, event_data)
self.assertEqual(storage_writer.number_of_event_tags, 1)
self._CheckLabels(storage_writer, ['login_failed'])
def _ConvertDictToEventObject(self, json_dict):
"""Converts a JSON dict into an event object.
The dictionary of the JSON serialized objects consists of:
{
'__type__': 'EventObject'
'pathspec': { ... }
'tag': { ... }
...
}
Here '__type__' indicates the object base type. In this case this should
be 'EventObject'. The rest of the elements of the dictionary make up the
event object properties.
Args:
json_dict: a dictionary of the JSON serialized objects.
Returns:
An event object (instance of EventObject).
"""
event_object = events.EventObject()
for key, value in iter(json_dict.items()):
setattr(event_object, key, value)
return event_object
def testRuleRunlevel(self):
"""Tests the runlevel tagging rule."""
event = events.EventObject()
event.timestamp = self._TEST_TIMESTAMP
event.timestamp_desc = definitions.TIME_DESCRIPTION_UNKNOWN
# Test: data_type is 'linux:utmp:event' AND type == 1 AND
# username is 'runlevel'
event_data = utmp.UtmpEventData()
event_data.type = 0
event_data.username = '******'
storage_writer = self._TagEvent(event, event_data)
self.assertEqual(storage_writer.number_of_event_tags, 0)
self._CheckLabels(storage_writer, [])
event_data.type = 1
event_data.username = '******'
storage_writer = self._TagEvent(event, event_data)
self.assertEqual(storage_writer.number_of_event_tags, 0)
self._CheckLabels(storage_writer, [])
event_data.username = '******'
storage_writer = self._TagEvent(event, event_data)
self.assertEqual(storage_writer.number_of_event_tags, 1)
self._CheckLabels(storage_writer, ['runlevel'])
def testReadAndWriteSerializedEventObject(self):
"""Test ReadSerialized and WriteSerialized of EventObject."""
expected_event = events.EventObject()
expected_event.date_time = dfdatetime_posix_time.PosixTime(
timestamp=1621839644)
expected_event.timestamp = 1621839644
expected_event.timestamp_desc = definitions.TIME_DESCRIPTION_MODIFICATION
json_string = (json_serializer.JSONAttributeContainerSerializer.
WriteSerialized(expected_event))
self.assertIsNotNone(json_string)
event = json_serializer.JSONAttributeContainerSerializer.ReadSerialized(
json_string)
self.assertIsNotNone(event)
self.assertIsInstance(event, events.EventObject)
expected_event_dict = {
'date_time': expected_event.date_time,
'timestamp': 1621839644,
'timestamp_desc': definitions.TIME_DESCRIPTION_MODIFICATION
}
event_dict = event.CopyToDict()
self.assertEqual(event_dict, expected_event_dict)
def testRuleAutorun(self):
"""Tests the autorun tagging rule."""
# Test: data_type is 'fs:stat' AND
# timestamp_desc is 'HFS_DETECT crtime' AND
# filename contains 'LaunchAgents/' AND
# filename contains '.plist'
event = events.EventObject()
event.timestamp = self._TEST_TIMESTAMP
event.timestamp_desc = 'HFS_DETECT crtime'
event_data = filestat.FileStatEventData()
event_data.filename = '/LaunchDaemons/test.plist'
storage_writer = self._TagEvent(event, event_data, None)
self.assertEqual(storage_writer.number_of_event_tags, 0)
self._CheckLabels(storage_writer, [])
event_data = filestat.FileStatEventData()
event_data.filename = '/LaunchAgents/test.plist'
storage_writer = self._TagEvent(event, event_data, None)
self.assertEqual(storage_writer.number_of_event_tags, 1)
self._CheckLabels(storage_writer, ['autorun'])
def testRuleFileDownload(self):
"""Tests the file_download tagging rule."""
# Test: data_type is 'chrome:history:file_downloaded'
attribute_values_per_name = {}
self._CheckTaggingRule(
chrome_history.ChromeHistoryFileDownloadedEventData,
attribute_values_per_name, ['file_download'])
# Test: data_type is 'macosx:lsquarantine'
attribute_values_per_name = {}
self._CheckTaggingRule(
ls_quarantine.LsQuarantineEventData, attribute_values_per_name,
['file_download'])
# Test: timestamp_desc is 'File Downloaded'
event = events.EventObject()
event.timestamp = self._TEST_TIMESTAMP
event.timestamp_desc = definitions.TIME_DESCRIPTION_UNKNOWN
event_data = filestat.FileStatEventData()
event_data.parser = 'filestat'
storage_writer = self._TagEvent(event, event_data, None)
self._CheckLabels(storage_writer, [])
event.timestamp_desc = definitions.TIME_DESCRIPTION_FILE_DOWNLOADED
storage_writer = self._TagEvent(event, event_data, None)
self._CheckLabels(storage_writer, ['file_download'])
def testProduceEventWithEventData(self):
"""Tests the ProduceEventWithEventData method."""
knowledge_base_object = knowledge_base.KnowledgeBase()
parser_mediator = mediator.ParserMediator(knowledge_base_object)
storage_writer = fake_writer.FakeStorageWriter()
parser_mediator.SetStorageWriter(storage_writer)
storage_writer.Open()
event_data_stream = events.EventDataStream()
parser_mediator.ProduceEventDataStream(event_data_stream)
date_time = fake_time.FakeTime()
event_with_timestamp = time_events.DateTimeValuesEvent(
date_time, definitions.TIME_DESCRIPTION_WRITTEN)
event_with_timestamp.parser = 'test_parser'
event_data = events.EventData()
event_data.parser = 'test_parser'
parser_mediator.ProduceEventWithEventData(event_with_timestamp,
event_data)
self.assertEqual(storage_writer.number_of_events, 1)
self.assertEqual(storage_writer.number_of_extraction_warnings, 0)
self.assertEqual(storage_writer.number_of_recovery_warnings, 0)
event_without_timestamp = events.EventObject()
event_without_timestamp.parser = 'test_parser'
with self.assertRaises(errors.InvalidEvent):
parser_mediator.ProduceEventWithEventData(event_without_timestamp,
event_data)
def testRuleSessionStop(self):
"""Tests the session_stop tagging rule."""
event = events.EventObject()
event.timestamp = self._TEST_TIMESTAMP
event.timestamp_desc = definitions.TIME_DESCRIPTION_UNKNOWN
# Test: reporter is 'systemd-logind' and body contains 'Removed session'
event_data = syslog.SyslogLineEventData()
event_data.reporter = 'systemd-logind'
event_data.body = 'bogus'
storage_writer = self._TagEvent(event, event_data)
self.assertEqual(storage_writer.number_of_event_tags, 0)
self._CheckLabels(storage_writer, [])
event_data.reporter = 'bogus'
event_data.body = 'Removed session'
storage_writer = self._TagEvent(event, event_data)
self.assertEqual(storage_writer.number_of_event_tags, 0)
self._CheckLabels(storage_writer, [])
event_data.reporter = 'systemd-logind'
storage_writer = self._TagEvent(event, event_data)
self.assertEqual(storage_writer.number_of_event_tags, 1)
self._CheckLabels(storage_writer, ['session_stop'])
def testApplicationUpdate(self):
"""Tests the application_update tagging rule."""
event = events.EventObject()
event.timestamp = self._TEST_TIMESTAMP
event.timestamp_desc = definitions.TIME_DESCRIPTION_UNKNOWN
# Test: data_type is 'windows:evtx:record' AND
# source_name is 'Microsoft-Windows-Application-Experience' AND
# event_identifier is 905
event_data = winevtx.WinEvtxRecordEventData()
event_data.event_identifier = 905
event_data.source_name = 'bogus'
storage_writer = self._TagEvent(event, event_data)
self.assertEqual(storage_writer.number_of_event_tags, 0)
self._CheckLabels(storage_writer, [])
event_data.event_identifier = 1
event_data.source_name = 'Microsoft-Windows-Application-Experience'
storage_writer = self._TagEvent(event, event_data)
self.assertEqual(storage_writer.number_of_event_tags, 0)
self._CheckLabels(storage_writer, [])
event_data.event_identifier = 905
storage_writer = self._TagEvent(event, event_data)
self.assertEqual(storage_writer.number_of_event_tags, 1)
self._CheckLabels(storage_writer, ['application_update'])
def testRuleFileDownload(self):
"""Tests the file_download tagging rule."""
event = events.EventObject()
event.timestamp = self._TEST_TIMESTAMP
event.timestamp_desc = definitions.TIME_DESCRIPTION_UNKNOWN
event_data = chrome.ChromeHistoryFileDownloadedEventData()
storage_writer = self._TagEvent(event, event_data)
self.assertEqual(storage_writer.number_of_event_tags, 1)
self._CheckLabels(storage_writer, ['file_download'])
event_data = ls_quarantine.LsQuarantineEventData()
storage_writer = self._TagEvent(event, event_data)
self.assertEqual(storage_writer.number_of_event_tags, 1)
self._CheckLabels(storage_writer, ['file_download'])
event_data = filestat.FileStatEventData()
storage_writer = self._TagEvent(event, event_data)
self.assertEqual(storage_writer.number_of_event_tags, 0)
self._CheckLabels(storage_writer, [])
event.timestamp_desc = definitions.TIME_DESCRIPTION_FILE_DOWNLOADED
storage_writer = self._TagEvent(event, event_data)
self.assertEqual(storage_writer.number_of_event_tags, 1)
self._CheckLabels(storage_writer, ['file_download'])
def _CreateTestEventObject(self, path):
"""Create a test event object with a particular path."""
event_object = events.EventObject()
event_object.data_type = 'fs:stat'
event_object.timestamp = 12345
event_object.timestamp_desc = u'Some stuff'
event_object.filename = path
return event_object
def testProduceEventWithEventData(self):
"""Tests the ProduceEventWithEventData method."""
session = sessions.Session()
storage_writer = fake_writer.FakeStorageWriter(session)
storage_writer.Open()
parsers_mediator = self._CreateParserMediator(storage_writer)
event_with_timestamp = events.EventObject()
event_with_timestamp.timestamp = fake_time.FakeTime()
event_data = events.EventData()
parsers_mediator.ProduceEventWithEventData(event_with_timestamp,
event_data)
self.assertEqual(storage_writer.number_of_events, 1)
event_without_timestamp = events.EventObject()
with self.assertRaises(errors.InvalidEvent):
parsers_mediator.ProduceEventWithEventData(event_without_timestamp,
event_data)
def testEqualityStringFileStatParserMissingInode(self):
"""Test that FileStatParser files with missing inodes are distinct"""
event_a = events.EventObject()
event_b = events.EventObject()
event_a.timestamp = 123
event_a.timestamp_desc = u'LAST WRITTEN'
event_a.data_type = u'mock:nothing'
event_a.parser = u'filestat'
event_a.filename = u'c:/bull/skrytinmappa/skra.txt'
event_a.another_attribute = False
event_b.timestamp = 123
event_b.timestamp_desc = u'LAST WRITTEN'
event_b.data_type = u'mock:nothing'
event_b.parser = u'filestat'
event_b.filename = u'c:/bull/skrytinmappa/skra.txt'
event_b.another_attribute = False
self.assertNotEqual(event_a.EqualityString(), event_b.EqualityString())
def ReadSerializedObject(cls, proto):
"""Reads an event object from serialized form.
Args:
proto: a protobuf object containing the serialized form (instance of
plaso_storage_pb2.EventObject).
Returns:
An event object (instance of EventObject).
"""
event_object = events.EventObject()
event_object.data_type = proto.data_type
for proto_attribute, value in proto.ListFields():
if proto_attribute.name == u'source_short':
event_object.source_short = cls._SOURCE_SHORT_FROM_PROTO_MAP[value]
elif proto_attribute.name == u'pathspec':
event_object.pathspec = (
cls._path_spec_serializer.ReadSerialized(proto.pathspec))
elif proto_attribute.name == u'tag':
event_object.tag = ProtobufEventTagSerializer.ReadSerializedObject(
proto.tag)
elif proto_attribute.name == u'attributes':
continue
else:
# Register the attribute correctly.
# The attribute can be a 'regular' high level attribute or
# a message (Dict/Array) that need special handling.
if isinstance(value, message.Message):
if value.DESCRIPTOR.full_name.endswith('.Dict'):
value = ProtobufEventAttributeSerializer.ReadSerializedDictObject(
value)
elif value.DESCRIPTOR.full_name.endswith('.Array'):
value = ProtobufEventAttributeSerializer.ReadSerializedListObject(
value)
else:
value = ProtobufEventAttributeSerializer.ReadSerializedObject(value)
setattr(event_object, proto_attribute.name, value)
# The plaso_storage_pb2.EventObject protobuf contains a field named
# attributes which technically not a Dict but behaves similar.
dict_object = ProtobufEventAttributeSerializer.ReadSerializedDictObject(
proto)
for attribute, value in iter(dict_object.items()):
setattr(event_object, attribute, value)
return event_object
def testAddSerializedEvent(self):
"""Tests the _AddSerializedEvent function."""
event = events.EventObject()
with shared_test_lib.TempDirectory() as temp_directory:
temp_file = os.path.join(temp_directory, 'plaso.sqlite')
storage_file = sqlite_file.SQLiteStorageFile()
storage_file.Open(path=temp_file, read_only=False)
storage_file._AddSerializedEvent(event)
storage_file.Close()
def _CreateTestEventObject(self, event_dictionary):
"""Create a test event with a set of attributes.
Args:
event_dictionary (dict[str, str]): contains attributes of an event.
Returns:
EventObject: event with the appropriate attributes for testing.
"""
event = events.EventObject()
event.CopyFromDict(event_dictionary)
return event
def testGetAttributeNames(self):
"""Tests the GetAttributeNames function."""
attribute_container = events.EventObject()
expected_attribute_names = [
'_event_data_row_identifier', 'parser', 'timestamp',
'timestamp_desc'
]
attribute_names = sorted(attribute_container.GetAttributeNames())
self.assertEqual(attribute_names, expected_attribute_names)
