def test_startup(self):
collector = BroSMTPStreamCollector()
collector.load_groups()
collector.start()
wait_for_log_count('no work available', 1, 5)
collector.stop()
collector.wait()
def test_processing(self):
self.process_pcap(os.path.join(saq.SAQ_HOME, 'test_data', 'pcaps', 'smtp.pcap'))
collector = BroSMTPStreamCollector()
collector.load_groups()
collector.start()
# look for all the expected log entries
wait_for_log_count('found smtp stream', 1, 5)
wait_for_log_count('copied file from', 1, 5)
wait_for_log_count('scheduled BRO SMTP Scanner Detection -', 1, 5)
collector.stop()
collector.wait()
def test_complete_processing(self):
from saq.modules.email import BroSMTPStreamAnalysis
# disable cleanup so we can check the results after
saq.CONFIG['analysis_mode_email']['cleanup'] = 'no'
self.process_pcap(os.path.join(saq.SAQ_HOME, 'test_data', 'pcaps', 'smtp.pcap'))
self.start_api_server()
engine = TestEngine()
engine.enable_module('analysis_module_bro_smtp_analyzer', 'email')
engine.start()
collector = BroSMTPStreamCollector()
collector.load_groups()
collector.start()
# look for all the expected log entries
wait_for_log_count('found smtp stream', 1, 5)
wait_for_log_count('copied file from', 1, 5)
wait_for_log_count('scheduled BRO SMTP Scanner Detection -', 1, 5)
wait_for_log_count('completed analysis RootAnalysis', 1, 20)
engine.controlled_stop()
engine.wait()
collector.stop()
collector.wait()
# get the uuids returned by the api calls
r = re.compile(r' uuid ([a-f0-9-]+)')
for result in search_log('submit remote'):
m = r.search(result.getMessage())
self.assertIsNotNone(m)
uuid = m.group(1)
with self.subTest(uuid=uuid):
root = RootAnalysis(uuid=uuid, storage_dir=storage_dir_from_uuid(uuid))
root.load()
# find the SMTP stream
file_observable = root.find_observable(lambda x: x.type == F_FILE)
self.assertTrue(bool(file_observable))
# ensure it has the required directives
self.assertTrue(file_observable.has_directive(DIRECTIVE_ORIGINAL_SMTP))
self.assertTrue(file_observable.has_directive(DIRECTIVE_NO_SCAN))
# ensure the bro smtp analyzer ran on it
smtp_analysis = file_observable.get_analysis(BroSMTPStreamAnalysis)
self.assertIsNotNone(smtp_analysis)
# ensure it extracted a file
email_observable = smtp_analysis.find_observable(lambda x: x.type == F_FILE)
self.assertTrue(bool(email_observable))
# and then ensure that it was treated as an email
#import pdb; pdb.set_trace()
self.assertTrue(email_observable.has_directive(DIRECTIVE_NO_SCAN))
self.assertTrue(email_observable.has_directive(DIRECTIVE_ORIGINAL_EMAIL))
self.assertTrue(email_observable.has_directive(DIRECTIVE_ARCHIVE))