def test8_whitelist_event_type_exception(self):
"""This test case checks whether an exception is thrown when entering an event of another class."""
description = "Test8NewMatchPathDetector"
new_match_path_detector = NewMatchPathDetector(self.aminer_config, [self.stream_printer_event_handler], 'Default', True,
output_log_line=False)
self.analysis_context.register_component(new_match_path_detector, description)
t = round(time.time(), 3)
log_atom_fixed_dme = LogAtom(self.fixed_dme.fixed_data, ParserMatch(self.match_element_fixed_dme), t, new_match_path_detector)
new_match_path_detector.receive_atom(log_atom_fixed_dme)
new_match_path_value_combo_detector = NewMatchPathValueComboDetector(self.aminer_config, [], [self.stream_printer_event_handler],
'Default', True, True)
self.assertRaises(
Exception, new_match_path_detector.whitelist_event, self.analysis % new_match_path_value_combo_detector.__class__.__name__,
log_atom_fixed_dme.raw_data, self.output_stream.getvalue(), None)
def test12or_match_rule(self):
"""This case unit the OrMatchRule."""
description = "Test12Rules"
path_exists_match_rule = PathExistsMatchRule(self.match_ipv4, None)
self.analysis_context.register_component(path_exists_match_rule, description)
i_pv4_in_rfc1918_match_rule = IPv4InRFC1918MatchRule(self.match_ipv4)
self.analysis_context.register_component(i_pv4_in_rfc1918_match_rule, description + "2")
or_match_rule = OrMatchRule([path_exists_match_rule, i_pv4_in_rfc1918_match_rule])
self.analysis_context.register_component(or_match_rule, description + "3")
ip_address_data_model_element = IpAddressDataModelElement('IPv4')
match_context = MatchContext(b'192.168.0.0')
match_element = ip_address_data_model_element.get_match_element('match', match_context)
log_atom = LogAtom(match_context.match_data, ParserMatch(match_element), time(), or_match_rule)
self.assertTrue(or_match_rule.match(log_atom))
# changing to IPv6
path_exists_match_rule = PathExistsMatchRule('match/IPv6', None)
or_match_rule = OrMatchRule([path_exists_match_rule, i_pv4_in_rfc1918_match_rule])
match_context = MatchContext(b'192.168.0.0')
match_element = ip_address_data_model_element.get_match_element('match', match_context)
log_atom = LogAtom(match_context.match_data, ParserMatch(match_element), time(), or_match_rule)
self.assertTrue(or_match_rule.match(log_atom))
def test14negation_match_rule(self):
"""This case unit the NegationMatchRule."""
description = "Test14Rules"
path_exists_match_rule = PathExistsMatchRule(self.match_s1, None)
self.analysis_context.register_component(path_exists_match_rule, description)
negation_match_rule = NegationMatchRule(path_exists_match_rule)
self.analysis_context.register_component(negation_match_rule, description + "2")
self.fixed_dme = FixedDataModelElement('s1', self.fixed_string)
match_context = MatchContext(self.fixed_string)
match_element = self.fixed_dme.get_match_element('match', match_context)
log_atom = LogAtom(match_context.match_data, ParserMatch(match_element), 1, path_exists_match_rule)
self.assertTrue(path_exists_match_rule.match(log_atom))
self.assertTrue(not negation_match_rule.match(log_atom))
def test2log_atom_matches_single_path(self):
"""This unittest tests the receive_atom method with a single path matching."""
parser_count = ParserCount(
self.aminer_config,
['fixed/seq', 'fixed/seq/m1', 'fixed/seq/m2', 'fixed/m3'],
[self.stream_printer_event_handler])
t = time.time()
log_atom = LogAtom(self.fixed_dme_m3.fixed_data,
ParserMatch(self.match_element_m3), t, parser_count)
old_count_dict = dict(parser_count.count_dict)
old_count_dict['fixed/m3'][current_processed_lines_str] = 1
old_count_dict['fixed/m3'][total_processed_lines_str] = 1
parser_count.receive_atom(log_atom)
self.assertEqual(parser_count.count_dict, old_count_dict)
def test1receive_atoms_with_default_values(self):
"""
In this test case multiple log_atoms are received with default values of the EventTypeDetector.
path_list is empty and all paths are learned dynamically in variable_key_list.
"""
event_type_detector = EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler])
log_atoms = []
for line in self.log_lines:
t = time.time()
log_atoms.append(
LogAtom(line, ParserMatch(self.parsing_model.get_match_element('parser', MatchContext(line))), t, self.__class__.__name__))
for i, log_atom in enumerate(log_atoms):
self.assertTrue(event_type_detector.receive_atom(log_atom))
self.assertEqual(event_type_detector.total_records, i + 1)
def test1timestamp_lower_than_last_timestamp(self):
"""This test case checks if an event is created, when the timestamp is lower than the last one."""
description = "Test1TimestampsUnsortedDetector"
match_context_fixed_dme = MatchContext(self.pid)
fixed_dme = FixedDataModelElement('s1', self.pid)
match_element_fixed_dme = fixed_dme.get_match_element(
"match", match_context_fixed_dme)
new_match_path_detector = NewMatchPathDetector(
self.aminer_config, [self.stream_printer_event_handler], 'Default',
False)
self.analysis_context.register_component(new_match_path_detector,
description)
t = time()
log_atom = LogAtom(fixed_dme.fixed_data,
ParserMatch(match_element_fixed_dme), t,
new_match_path_detector)
timestamp_unsorted_detector = TimestampsUnsortedDetector(
self.aminer_config, [self.stream_printer_event_handler],
False,
output_log_line=False)
self.analysis_context.register_component(timestamp_unsorted_detector,
description + "2")
self.assertTrue(timestamp_unsorted_detector.receive_atom(log_atom))
self.assertEqual(self.output_stream.getvalue(), '')
log_atom.set_timestamp(t - 10000)
self.assertTrue(timestamp_unsorted_detector.receive_atom(log_atom))
self.assertEqual(
self.output_stream.getvalue(), self.__expected_string %
(datetime.fromtimestamp(t - 10000).strftime(
self.datetime_format_string),
datetime.fromtimestamp(t - 10000).strftime(
self.datetime_format_string),
datetime.fromtimestamp(t).strftime(self.datetime_format_string),
timestamp_unsorted_detector.__class__.__name__, description + "2",
1, "b' pid='"))
def test2_log_atom_known(self):
"""
This test case checks the functionality of the auto_include_flag.
If the same MatchElement is processed a second time and the auto_include_flag was True, no event must be triggered.
"""
description = "Test2NewMatchPathValueComboDetector"
new_match_path_value_combo_detector = NewMatchPathValueComboDetector(self.aminer_config, [self.first_seq_s1, self.first_seq_d1], [
self.stream_printer_event_handler], 'Default', False, True, output_log_line=False)
self.analysis_context.register_component(new_match_path_value_combo_detector, description)
t = time.time()
log_atom_sequence_me = LogAtom(self.match_element_sequence_me.get_match_string(), ParserMatch(self.match_element_sequence_me), t,
new_match_path_value_combo_detector)
self.assertTrue(new_match_path_value_combo_detector.receive_atom(log_atom_sequence_me))
self.assertEqual(self.output_stream.getvalue(), self.__expected_string % (
datetime.fromtimestamp(t).strftime(self.datetime_format_string), new_match_path_value_combo_detector.__class__.__name__,
description, 1, self.string2))
self.reset_output_stream()
# repeating should NOT produce the same result
self.assertTrue(new_match_path_value_combo_detector.receive_atom(log_atom_sequence_me))
self.assertEqual(self.output_stream.getvalue(), '')
self.reset_output_stream()
new_match_path_value_combo_detector2 = NewMatchPathValueComboDetector(self.aminer_config, ['second/seq2/d1', 'second/seq2/s2'], [
self.stream_printer_event_handler], 'Default', False, False, output_log_line=False)
self.analysis_context.register_component(new_match_path_value_combo_detector2, description + "2")
log_atom_sequence_me2 = LogAtom(self.match_element_sequence_me2.get_match_string(), ParserMatch(self.match_element_sequence_me2), t,
new_match_path_value_combo_detector2)
# other MatchElement
self.assertTrue(new_match_path_value_combo_detector2.receive_atom(log_atom_sequence_me2))
self.assertEqual(self.output_stream.getvalue(), self.__expected_string % (
datetime.fromtimestamp(t).strftime(self.datetime_format_string), new_match_path_value_combo_detector.__class__.__name__,
description + "2", 1, " (25537, b' uid=2')\nb'25537 uid=2'"))
def test2atom_filter_match_action(self):
"""This test case proves the functionality of the AtomFilters."""
description = "Test2Rules"
newMatchPathDetector = NewMatchPathDetector(
self.aminer_config, [self.stream_printer_event_handler], 'Default',
False)
logAtomFixedDME = LogAtom(self.fixed_dme.fixed_data,
ParserMatch(self.match_element_fixed_dme),
time(), newMatchPathDetector)
subhandlerFilter = SubhandlerFilter([newMatchPathDetector])
self.analysis_context.register_component(subhandlerFilter, description)
self.analysis_context.register_component(newMatchPathDetector,
description + "2")
self.assertTrue(subhandlerFilter.receive_atom(logAtomFixedDME))
def check_anomaly_detection(self, ecd, t, diff):
"""Check if anomalies were detected as expected."""
for char in self.alphabet:
self.reset_output_stream()
char = bytes([char])
parser_match = ParserMatch(self.alphabet_model.get_match_element('parser', MatchContext(char)))
t += 5 * 3
ecd.receive_atom(LogAtom(char, parser_match, t, self.__class__.__name__))
# another LogAtom must be received to check the follow anomalies.
t += 5 * 3
ecd.receive_atom(LogAtom(char, parser_match, t, self.__class__.__name__))
# print(self.output_stream.getvalue())
# precede anomaly
for i in range(1, int(5 / diff) + 1, 1):
# print("in")
# print(bytes([self.alphabet[(self.alphabet.index(char) - i) % len(self.alphabet)]]))
self.assertIn('Event %s is missing, but should precede event %s' % (
bytes([self.alphabet[(self.alphabet.index(char) - i) % len(self.alphabet)]]), char), self.output_stream.getvalue())
for i in range(int(5 / diff) + 1, len(self.alphabet), 1):
# print("not in")
# print(bytes([self.alphabet[(self.alphabet.index(char) - i) % len(self.alphabet)]]))
self.assertNotIn('Event %s is missing, but should precede event %s' % (
bytes([self.alphabet[(self.alphabet.index(char) - i) % len(self.alphabet)]]), char), self.output_stream.getvalue())
# follow anomaly
for i in range(1, int(5 / diff) + 1, 1):
# print("in")
# print(bytes([self.alphabet[(self.alphabet.index(char) + i) % len(self.alphabet)]]))
self.assertIn('Event %s is missing, but should follow event %s' % (
bytes([self.alphabet[(self.alphabet.index(char) + i) % len(self.alphabet)]]), char), self.output_stream.getvalue())
for i in range(int(5 / diff) + 1, len(self.alphabet), 1):
# print("not in")
# print(bytes([self.alphabet[(self.alphabet.index(char) + i) % len(self.alphabet)]]))
self.assertNotIn('Event %s is missing, but should follow event %s' % (
bytes([self.alphabet[(self.alphabet.index(char) + i) % len(self.alphabet)]]), char), self.output_stream.getvalue())
def test1match_found(self):
"""This test case checks if valid inputs are recognized."""
description = "Test1AllowlistViolationDetector"
path_exists_match_rule = PathExistsMatchRule('match/s1', None)
path_exists_match_rule2 = PathExistsMatchRule('match/s2', None)
t = time.time()
allowlist_violation_detector = AllowlistViolationDetector(self.aminer_config, [path_exists_match_rule, path_exists_match_rule2], [
self.stream_printer_event_handler], output_log_line=False)
self.analysis_context.register_component(allowlist_violation_detector, description)
fixed_dme = FixedDataModelElement('s1', self.fixed_string)
match_context = MatchContext(self.fixed_string)
match_element = fixed_dme.get_match_element('match', match_context)
log_atom = LogAtom(match_context.match_data, ParserMatch(match_element), t, allowlist_violation_detector)
self.assertTrue(allowlist_violation_detector.receive_atom(log_atom))
self.assertEqual(self.output_stream.getvalue(), '')
fixed_dme = FixedDataModelElement('s2', self.fixed_string)
match_context = MatchContext(self.fixed_string)
match_element = fixed_dme.get_match_element('match', match_context)
log_atom = LogAtom(match_element.match_object, ParserMatch(match_element), t, allowlist_violation_detector)
self.assertTrue(allowlist_violation_detector.receive_atom(log_atom))
self.assertEqual(self.output_stream.getvalue(), '')
fixed_dme = FixedDataModelElement('s3', self.fixed_string)
match_context = MatchContext(self.fixed_string)
match_element = fixed_dme.get_match_element('match', match_context)
log_atom = LogAtom(match_element.match_object, ParserMatch(match_element), t, path_exists_match_rule)
self.assertTrue(not allowlist_violation_detector.receive_atom(log_atom))
self.assertEqual(self.output_stream.getvalue(), self.__expected_string % (
datetime.fromtimestamp(t).strftime("%Y-%m-%d %H:%M:%S"), allowlist_violation_detector.__class__.__name__, description, 1,
"b'fixed String'"))
def test11multiple_paths(self):
"""Test the functionality of the MissingMatchPathValueDetector with multiple paths."""
description = "Test11MissingMatchPathValueDetector"
match_context = MatchContext(self.pid + b"22")
fixed_dme = FixedDataModelElement('s1', self.pid)
decimal_integer_value_me = DecimalIntegerValueModelElement('d1', DecimalIntegerValueModelElement.SIGN_TYPE_NONE,
DecimalIntegerValueModelElement.PAD_TYPE_NONE)
seq = SequenceModelElement('model', [fixed_dme, decimal_integer_value_me])
match_element = seq.get_match_element("match", match_context)
missing_match_path_value_detector = MissingMatchPathValueDetector(self.aminer_config, [
"match/model", "match/model/s1", "match/model/d1"], [self.stream_printer_event_handler], 'Default', False,
self.__default_interval, self.__realert_interval)
self.analysis_context.register_component(missing_match_path_value_detector, description)
log_atom = LogAtom(fixed_dme.fixed_data + b"22", ParserMatch(match_element), 1, missing_match_path_value_detector)
self.assertTrue(missing_match_path_value_detector.receive_atom(log_atom))
def test2_check_status_not_found_error(self):
"""
In this test case the second log line is not found and an appropriate error message is expected from the check_status-method.
The output of the do_timer-method is also tested in this test case.
"""
description = "Test2TimeCorrelationViolationDetector"
time_correlation_violation_detector = TimeCorrelationViolationDetector(self.analysis_context.aminer_config, self.rules,
[self.stream_printer_event_handler])
self.analysis_context.register_component(time_correlation_violation_detector, component_name=description)
t = time.time()
log_atom1 = LogAtom(self.match_context1.match_data, ParserMatch(self.match_element1), t, self)
time_correlation_violation_detector.receive_atom(log_atom1)
r = self.correlation_rule.check_status(t + 2)
self.assertEqual(r[0], 'FAIL: B-Event for "%s" (%s) was not found in time!\n' % (
self.match_element1.get_match_string().decode(), self.a_class_selector.action_id))
def test13value_dependent_delegated_match_rule(self):
"""This case unit the ValueDependentDelegatedMatchRule."""
description = "Test13Rules"
string_regex_match_rule = StringRegexMatchRule(self.match_any, re.compile(r'\w'), None)
self.analysis_context.register_component(string_regex_match_rule, description)
any_byte_date_me = AnyByteDataModelElement('any')
i_pv4_in_rfc1918_match_rule = IPv4InRFC1918MatchRule(self.match_ipv4)
self.analysis_context.register_component(i_pv4_in_rfc1918_match_rule, description + "2")
ip_address_data_model_element = IpAddressDataModelElement('IPv4')
value_dependent_delegated_match_rule = ValueDependentDelegatedMatchRule([
self.match_any, self.match_ipv4], {(self.alphabet, None): string_regex_match_rule,
(None, 3232235520): i_pv4_in_rfc1918_match_rule})
self.analysis_context.register_component(value_dependent_delegated_match_rule, description + "3")
match_context = MatchContext(self.alphabet)
match_element = any_byte_date_me.get_match_element('match', match_context)
log_atom = LogAtom(match_context.match_data, ParserMatch(match_element), 1, value_dependent_delegated_match_rule)
self.assertTrue(value_dependent_delegated_match_rule.match(log_atom))
match_context = MatchContext(b'192.168.0.0')
match_element = ip_address_data_model_element.get_match_element('match', match_context)
log_atom = LogAtom(match_context.match_data, ParserMatch(match_element), 1, value_dependent_delegated_match_rule)
self.assertTrue(value_dependent_delegated_match_rule.match(log_atom))
# not matching values
match_context = MatchContext('.There are 26 letters in the english alphabet')
match_element = any_byte_date_me.get_match_element('match', match_context)
log_atom = LogAtom(match_context.match_data, ParserMatch(match_element), 1, value_dependent_delegated_match_rule)
self.assertTrue(not value_dependent_delegated_match_rule.match(log_atom))
match_context = MatchContext(b'192.168.0.1')
match_element = ip_address_data_model_element.get_match_element('match', match_context)
log_atom = LogAtom(match_context.match_data, ParserMatch(match_element), 1, value_dependent_delegated_match_rule)
self.assertTrue(not value_dependent_delegated_match_rule.match(log_atom))
def test6receive_atom_without_target_paths(self):
"""This unittest tests the receive_atom method with multiple paths matching without having target_paths specified."""
parser_count = ParserCount(self.aminer_config, None,
[self.stream_printer_event_handler])
t = time.time()
log_atom = LogAtom(self.match_context_seq.match_data,
ParserMatch(self.match_element_seq), t,
parser_count)
old_count_dict = dict(parser_count.count_dict)
old_count_dict['fixed/seq'] = {
current_processed_lines_str: 1,
total_processed_lines_str: 1
}
parser_count.receive_atom(log_atom)
self.assertEqual(parser_count.count_dict, old_count_dict)
def test4do_timer(self):
"""This unittest checks if the do_timer method works properly."""
parser_count = ParserCount(self.aminer_config, ['fixed/m3'],
[self.stream_printer_event_handler], 600)
t = time.time()
self.assertEqual(int(parser_count.do_timer(t + 100)), 600)
self.assertEqual(self.output_stream.getvalue(), "")
log_atom = LogAtom(self.match_context_seq.match_data,
ParserMatch(self.match_element_seq), t,
parser_count)
parser_count.receive_atom(log_atom)
self.assertEqual(int(parser_count.do_timer(t + 100)), 500)
self.assertEqual(self.output_stream.getvalue(), "")
self.assertEqual(parser_count.do_timer(t + 601), 600)
self.assertNotEqual(self.output_stream.getvalue(), "")
self.reset_output_stream()
def test2receive_atom_unhandled(self):
"""In this test case no handler can handle the log atom."""
description = "Test2AtomFilters"
new_match_path_detector = NewMatchPathDetector(
self.aminer_config, [self.stream_printer_event_handler], 'Default',
False)
self.analysis_context.register_component(new_match_path_detector,
description)
t = time.time()
log_atom_fixed_dme = LogAtom(self.fixed_dme.fixed_data,
ParserMatch(self.match_element_fixed_dme),
t, new_match_path_detector)
subhandler_filter = SubhandlerFilter([], True)
self.assertTrue(not subhandler_filter.receive_atom(log_atom_fixed_dme))
def test2_receive_atom_trigger_no_event(self):
"""This test checks if an event is not triggered if the path is not in the target_path_list."""
description = "Test2MatchFilterTest"
decimal_integer_me = DecimalIntegerValueModelElement('integer')
match_filter = MatchFilter(self.aminer_config, ['/strings'],
[self.stream_printer_event_handler])
self.analysis_context.register_component(match_filter, description)
t = time.time()
for val in range(1000):
log_atom = LogAtom(
val,
ParserMatch(
decimal_integer_me.get_match_element(
'', MatchContext(str(val).encode('utf-8')))), t,
match_filter)
match_filter.receive_atom(log_atom)
self.assertEqual('', self.output_stream.getvalue())
def test1simple_monotonic_timestamp_adjust_test(self):
"""This test case checks if the timestamp is adjusted and logAtoms are forwarded correctly."""
description = "Test1TimestampCorrectionFilter"
match_context_fixed_dme = MatchContext(b' pid=')
fixed_dme = FixedDataModelElement('s1', b' pid=')
match_element_fixed_dme = fixed_dme.get_match_element("match", match_context_fixed_dme)
t = time()
new_match_path_detector = NewMatchPathDetector(self.aminer_config, [self.stream_printer_event_handler], 'Default', False,
output_log_line=False)
self.analysis_context.register_component(new_match_path_detector, description)
simple_monotonic_timstamp_adjust = SimpleMonotonicTimestampAdjust([new_match_path_detector], False)
log_atom_fixed_dme = LogAtom(fixed_dme.fixed_data, ParserMatch(match_element_fixed_dme), t, new_match_path_detector)
self.assertEqual(simple_monotonic_timstamp_adjust.receive_atom(log_atom_fixed_dme), True)
self.assertEqual(self.output_stream.getvalue(), self.__expected_string % (
datetime.fromtimestamp(t).strftime("%Y-%m-%d %H:%M:%S"), new_match_path_detector.__class__.__name__, description, 1,
self.match_path))
def test1log_multiple_lines_event(self):
"""In this test case the EventHandler receives multiple lines from the test class."""
description = "Test1SyslogWriterEventHandler"
match_context = MatchContext(self.pid)
fixed_dme = FixedDataModelElement('s1', self.pid)
match_element = fixed_dme.get_match_element("match", match_context)
match_context = MatchContext(self.pid)
fixed_dme2 = FixedDataModelElement('s2', self.pid)
match_element2 = fixed_dme2.get_match_element("match", match_context)
syslog_writer_event_handler = SyslogWriterEventHandler(
self.analysis_context, 'aminer')
self.analysis_context.register_component(self, description)
t = time()
log_atom = LogAtom(fixed_dme.fixed_data, ParserMatch(match_element), t,
self)
syslog_writer_event_handler.receive_event(
self.test % self.__class__.__name__, self.new_val %
(self.match_s1, self.match_s2, repr(match_element.match_object)),
[log_atom.raw_data, log_atom.raw_data], None, log_atom, self)
string = ''
sleep(0.2)
with open("/var/log/syslog") as search:
for line in search:
line = line.rstrip() # remove '\n' at end of line
if 'aminer[' + str(os.getpid()) + ']' in line:
line = line.split("]: ")
string += (line[1]) + '\n'
found = False
string = string.split('Syslog logger initialized\n')
expected = self.__expected_string % (
datetime.fromtimestamp(t).strftime("%Y-%m-%d %H:%M:%S"),
match_element.get_path(), match_element2.get_path(),
repr(match_element.get_match_object()), self.__class__.__name__,
description, 2, match_element.get_match_string().decode(),
match_element2.get_match_string().decode())
for log in string:
if expected in log:
found = True
self.assertTrue(found)
def generate_errored_data(self, iterations, diff, error_rate):
"""Generate data with errors according to the error_rate."""
log_atoms = []
t = time()
divisor = 1
while error_rate * divisor < 1:
divisor = divisor * 10
err = divisor * error_rate
divisor //= err
for i in range(1, iterations+1):
if i % divisor == 0 and i != 0:
char = bytes([self.alphabet[int(i + random.uniform(diff+1, len(self.alphabet))) % len(self.alphabet)]])
else:
char = bytes([self.alphabet[i % len(self.alphabet)]])
parser_match = ParserMatch(self.alphabet_model.get_match_element('parser', MatchContext(char)))
t += diff
log_atoms.append(LogAtom(char, parser_match, t, self.__class__.__name__))
return log_atoms
def test9match_value_filter_receive_atom_target_value_not_found(self):
"""No target_value was found in the dictionary."""
description = "Test9AtomFilters"
new_match_path_detector = NewMatchPathDetector(
self.aminer_config, [self.stream_printer_event_handler], 'Default',
False)
self.analysis_context.register_component(new_match_path_detector,
description)
t = time.time()
log_atom_fixed_dme = LogAtom(b'24999',
ParserMatch(self.match_element_fixed_dme),
t, new_match_path_detector)
match_value_filter = MatchValueFilter(
self.match_element_fixed_dme.get_path(),
{self.fixed_dme.fixed_data: None}, None)
self.assertTrue(
not match_value_filter.receive_atom(log_atom_fixed_dme))
def test6_receive_atom_list(self):
"""This test case checks, whether a missing value is created by a list without using the auto_include_flag."""
description = "Test6MissingMatchPathValueDetector"
match_context_fixed_dme = MatchContext(self.pid)
fixed_dme = FixedDataModelElement('s1', self.pid)
match_element_fixed_dme = fixed_dme.get_match_element("match1", match_context_fixed_dme)
match_context_decimal_integer_value_me = MatchContext(self.string)
decimal_integer_value_me = DecimalIntegerValueModelElement('d1', DecimalIntegerValueModelElement.SIGN_TYPE_NONE,
DecimalIntegerValueModelElement.PAD_TYPE_NONE)
match_element_decimal_integer_value_me = decimal_integer_value_me.get_match_element(
"match2", match_context_decimal_integer_value_me)
missing_match_path_list_value_detector = MissingMatchPathListValueDetector(self.aminer_config, [
match_element_fixed_dme.get_path(), match_element_decimal_integer_value_me.get_path()], [self.stream_printer_event_handler],
'Default', False, self.__default_interval, self.__realert_interval)
self.analysis_context.register_component(missing_match_path_list_value_detector, description)
log_atom_fixed_dme = LogAtom(fixed_dme.fixed_data, ParserMatch(match_element_fixed_dme), 1, missing_match_path_list_value_detector)
self.assertTrue(missing_match_path_list_value_detector.receive_atom(log_atom_fixed_dme))
def test1_receive_atom(self):
"""This test case checks whether a missing value is created without using the auto_include_flag. (should not be the case)"""
description = "Test1MissingMatchPathValueDetector"
match_context_fixed_dme = MatchContext(self.pid)
fixed_dme = FixedDataModelElement('s1', self.pid)
match_element_fixed_dme = fixed_dme.get_match_element(
"match1", match_context_fixed_dme)
missing_match_path_value_detector = MissingMatchPathValueDetector(
self.aminer_config, match_element_fixed_dme.get_path(),
[self.stream_printer_event_handler], 'Default', False,
self.__default_interval, self.__realert_interval)
self.analysis_context.register_component(
missing_match_path_value_detector, description)
log_atom_fixed_dme = LogAtom(fixed_dme.fixed_data,
ParserMatch(match_element_fixed_dme), 1,
missing_match_path_value_detector)
self.assertTrue(
missing_match_path_value_detector.receive_atom(log_atom_fixed_dme))
def test4match_path_filter_receive_atom_path_in_dictionary(self):
"""There is a path in the dictionary and the handler is not None. The default_parsed_atom_handler is None."""
description = "Test4AtomFilters"
new_match_path_detector = NewMatchPathDetector(
self.aminer_config, [self.stream_printer_event_handler], 'Default',
False)
self.analysis_context.register_component(new_match_path_detector,
description)
t = time.time()
log_atom_fixed_dme = LogAtom(self.fixed_dme.fixed_data,
ParserMatch(self.match_element_fixed_dme),
t, new_match_path_detector)
match_path_filter = MatchPathFilter([
(self.match_element_fixed_dme.get_path(), new_match_path_detector)
], None)
self.assertTrue(match_path_filter.receive_atom(log_atom_fixed_dme))
def test11_path_dependent_histogram_analysis_no_report(self):
"""
This test case aims to test the functionality of the PathDependantHistogramAnalysis.receive_atom method.
No report is expected.
"""
description = "Test11HistogramAnalysis"
start_time = 57600
end_time = 662600
diff = 30000
modulo_time_bin_definition = ModuloTimeBinDefinition(86400, 3600, 0, 1, 24, False)
histogram_data = HistogramData(self.match_crontab, modulo_time_bin_definition)
path_dependent_histogram_analysis = PathDependentHistogramAnalysis(
self.aminer_config, histogram_data.property_path, modulo_time_bin_definition, 604800,
[self.stream_printer_event_handler], True, 'Default')
self.analysis_context.register_component(path_dependent_histogram_analysis, description)
match_element = MatchElement(self.match_crontab, str(start_time).encode(), start_time, None)
t = time.time()
log_atom = LogAtom(histogram_data.bin_data, ParserMatch(match_element), t, path_dependent_histogram_analysis)
path_dependent_histogram_analysis.receive_atom(log_atom)
histogram_data.add_value(start_time)
histogram_data.add_value(end_time)
match_element = MatchElement(self.match_crontab, str(end_time).encode(), end_time, None)
log_atom = LogAtom(histogram_data.bin_data, ParserMatch(match_element), t + diff, path_dependent_histogram_analysis)
path_dependent_histogram_analysis.receive_atom(log_atom)
self.assertEqual(self.output_stream.getvalue(), '')
# resetting the outputStream
start_time = start_time + 3600
end_time = end_time + 3600
self.reset_output_stream()
t = t + diff
log_atom = LogAtom(histogram_data.bin_data, ParserMatch(match_element), t, path_dependent_histogram_analysis)
path_dependent_histogram_analysis.receive_atom(log_atom)
match_element = MatchElement(self.match_crontab, str(start_time).encode(), start_time, None)
log_atom = LogAtom(histogram_data.bin_data, ParserMatch(match_element), t, path_dependent_histogram_analysis)
path_dependent_histogram_analysis.receive_atom(log_atom)
histogram_data.add_value(start_time)
histogram_data.add_value(end_time)
histogram_data.add_value(start_time)
histogram_data.add_value(end_time)
match_element = MatchElement(self.match_crontab, str(end_time).encode(), end_time, None)
log_atom = LogAtom(histogram_data.bin_data, ParserMatch(match_element), t + diff, path_dependent_histogram_analysis)
path_dependent_histogram_analysis.receive_atom(log_atom)
match_element = MatchElement(self.match_crontab, str(end_time).encode(), end_time, None)
log_atom = LogAtom(histogram_data.bin_data, ParserMatch(match_element), t + diff, path_dependent_histogram_analysis)
path_dependent_histogram_analysis.receive_atom(log_atom)
self.assertEqual(self.output_stream.getvalue(), '')
def test6match_path_filter_receive_atom_path_not_in_dictionary_default_set(
self):
"""The searched path is not in the dictionary. The default_parsed_atom_handler is set."""
description = "Test6AtomFilters"
new_match_path_detector = NewMatchPathDetector(
self.aminer_config, [self.stream_printer_event_handler], 'Default',
False)
self.analysis_context.register_component(new_match_path_detector,
description)
t = time.time()
log_atom_fixed_dme = LogAtom(self.fixed_dme.fixed_data,
ParserMatch(self.match_element_fixed_dme),
t, new_match_path_detector)
match_path_filter = MatchPathFilter(
[(self.match_element_decimal_integer_value_me.get_path(),
new_match_path_detector)], new_match_path_detector)
self.assertTrue(match_path_filter.receive_atom(log_atom_fixed_dme))
def test9_allowlist_event_allowlisting_data_exception(self):
"""The NewMatchPathDetector can not handle allowlisting data and therefore an exception is expected."""
description = "Test9NewMatchPathDetector"
new_match_path_detector = NewMatchPathDetector(
self.aminer_config, [self.stream_printer_event_handler],
'Default',
True,
output_log_line=False)
self.analysis_context.register_component(new_match_path_detector,
description)
t = round(time.time(), 3)
log_atom_fixed_dme = LogAtom(self.fixed_dme.fixed_data,
ParserMatch(self.match_element_fixed_dme),
t, new_match_path_detector)
new_match_path_detector.receive_atom(log_atom_fixed_dme)
self.assertRaises(
Exception, new_match_path_detector.allowlist_event,
self.analysis % new_match_path_detector.__class__.__name__,
self.output_stream.getvalue(), ['random', 'Data'])
def test2_atom_is_parsed(self):
"""The atom in this test case has no ParserMatch."""
description = "Test2SimpleUnparsedAtomHandler"
any_byte_data_model_element = AnyByteDataModelElement('a1')
new_match_path_detector1 = NewMatchPathDetector(
self.aminer_config, [self.stream_printer_event_handler], 'Default',
False)
match_context = MatchContext(self.calculation)
match_element = any_byte_data_model_element.get_match_element(
'match', match_context)
log_atom = LogAtom(match_element.match_object, None, time(),
new_match_path_detector1)
simple_unparsed_atom_handler = SimpleUnparsedAtomHandler(
[self.stream_printer_event_handler])
self.analysis_context.register_component(simple_unparsed_atom_handler,
description)
self.assertTrue(simple_unparsed_atom_handler.receive_atom(log_atom))
def test9value_dependent_modulo_time_match_rule(self):
"""This case unit the ValueDependentModuloTimeMatchRule. Limit look up not working with tuples."""
description = "Test9Rules"
value_dependent_modulo_time_match_rule = ValueDependentModuloTimeMatchRule(
self.model_syslog_time, 86400, [self.model_syslog_time],
{1550145600: [43200, 86400]})
self.analysis_context.register_component(
value_dependent_modulo_time_match_rule, description)
date_time_model_element = DateTimeModelElement('time',
b'%d.%m.%Y %H:%M:%S',
timezone.utc)
match_context = MatchContext(b'14.02.2019 12:00:00')
match_element = date_time_model_element.get_match_element(
self.model_syslog, match_context)
log_atom = LogAtom(match_context.match_data,
ParserMatch(match_element), 1550138400,
date_time_model_element)
self.assertTrue(value_dependent_modulo_time_match_rule.match(log_atom))
def test7match_value_filter_receive_atom_target_value_and_handler_found(
self):
"""A target_value and a handler, which can handle the matchObject is found."""
description = "Test7AtomFilters"
new_match_path_detector = NewMatchPathDetector(
self.aminer_config, [self.stream_printer_event_handler], 'Default',
False)
self.analysis_context.register_component(new_match_path_detector,
description)
t = time.time()
log_atom_fixed_dme = LogAtom(self.fixed_dme.fixed_data,
ParserMatch(self.match_element_fixed_dme),
t, new_match_path_detector)
match_value_filter = MatchValueFilter(
self.match_element_fixed_dme.get_path(),
{self.fixed_dme.fixed_data: new_match_path_detector}, None)
self.assertTrue(match_value_filter.receive_atom(log_atom_fixed_dme))
