def get_logind_model(user_name_model=None):
    """
    Return a model to parse a systemd logind daemon message after any standard logging preamble, e.g. from syslog.

    Args:
        user_name_model: element used for the user name in "New session <n> of user <name>." messages. When
            None, a VariableByteDataModelElement over lowercase letters, digits, '-' and '_' is used. The '.'
            is deliberately not part of that set: the message is terminated by a literal '.', and the original
            author notes that user models which also accept the dot will fail here.

    Returns:
        SequenceModelElement matching "systemd-logind[<pid>]: <msg>", where <msg> is the first of the known
        message variants (new session, removed session, logged out, failed abandon) that matches.
    """
    if user_name_model is None:
        default_user_charset = b"0123456789abcdefghijklmnopqrstuvwxyz-_"
        user_name_model = VariableByteDataModelElement("user", default_user_charset)

    new_session = SequenceModelElement("new session", [
        FixedDataModelElement("s0", b"New session "),
        DecimalIntegerValueModelElement("session"),
        FixedDataModelElement("s1", b" of user "),
        user_name_model,
        FixedDataModelElement("s2", b".")
    ])
    removed_session = SequenceModelElement("removed session", [
        FixedDataModelElement("s0", b"Removed session "),
        DecimalIntegerValueModelElement("session"),
        FixedDataModelElement("s1", b".")
    ])
    logged_out = SequenceModelElement("logged out", [
        FixedDataModelElement("s0", b"Session "),
        DecimalIntegerValueModelElement("session"),
        FixedDataModelElement("s1", b" logged out. Waiting for processes to exit.")
    ])
    failed_abandon = FixedDataModelElement(
        "failed abandon", b"Failed to abandon session scope: Transport endpoint is not connected")

    # Children are tried in this order; as its name suggests, FirstMatchModelElement stops at the first hit.
    message_model = FirstMatchModelElement("msg", [new_session, removed_session, logged_out, failed_abandon])

    return SequenceModelElement("systemd-logind", [
        FixedDataModelElement("sname", b"systemd-logind["),
        DecimalIntegerValueModelElement("pid"),
        FixedDataModelElement("s0", b"]: "),
        message_model
    ])
def get_model():
    """
    Return a model to parse rsyslogd status messages after any standard logging preamble, e.g. from syslog.

    Three message variants are recognised, tried in this order: a group id change, the
    '[origin software="rsyslogd" ...]' state-change line (ending in "rsyslogd was HUPed" or "start")
    and a user id change.

    Returns:
        SequenceModelElement matching "rsyslogd: <msg>".
    """
    gid_change = SequenceModelElement('gidchange', [
        FixedDataModelElement('s0', b'rsyslogd\'s groupid changed to '),
        DecimalIntegerValueModelElement('gid')
    ])

    origin_prefix = b'[origin software="rsyslogd" swVersion="'
    origin_suffix = b'" x-info="http://www.rsyslog.com"] '
    state_change = SequenceModelElement('statechange', [
        FixedDataModelElement('s0', origin_prefix),
        DelimitedDataModelElement('version', b'"'),
        FixedDataModelElement('s1', b'" x-pid="'),
        DecimalIntegerValueModelElement('pid'),
        FixedDataModelElement('s2', origin_suffix),
        FirstMatchModelElement('type', [
            FixedDataModelElement('HUPed', b'rsyslogd was HUPed'),
            FixedDataModelElement('start', b'start')
        ])
    ])

    uid_change = SequenceModelElement('uidchange', [
        FixedDataModelElement('s0', b'rsyslogd\'s userid changed to '),
        DecimalIntegerValueModelElement('uid')
    ])

    return SequenceModelElement('rsyslog', [
        FixedDataModelElement('sname', b'rsyslogd: '),
        FirstMatchModelElement('msg', [gid_change, state_change, uid_change])
    ])
    def test8_receive_atom_list_no_missing_value(self):
        """
        Check that the list detector does not raise a false positive while the time limit has not been passed.

        Two detectors are registered: one with the default interval, fed an atom stamped "now", and one whose
        interval is shortened by ``past_time`` seconds, fed an atom stamped ``past_time`` seconds later.
        Both must accept their atom and neither may write anything to the output stream.
        """
        description = "Test8MissingMatchPathValueDetector"
        now = time.time()

        pid_element = FixedDataModelElement('s1', self.pid)
        pid_match = pid_element.get_match_element("match1", MatchContext(self.pid))

        number_element = DecimalIntegerValueModelElement(
            'd1', DecimalIntegerValueModelElement.SIGN_TYPE_NONE, DecimalIntegerValueModelElement.PAD_TYPE_NONE)
        number_match = number_element.get_match_element("match2", MatchContext(self.string))
        watched_paths = [pid_match.get_path(), number_match.get_path()]

        detector = MissingMatchPathListValueDetector(
            self.aminer_config, list(watched_paths), [self.stream_printer_event_handler], 'Default', True,
            self.__default_interval, self.__realert_interval)
        self.analysis_context.register_component(detector, description)
        atom = LogAtom(pid_element.fixed_data, ParserMatch(pid_match), round(now), detector)
        self.assertTrue(detector.receive_atom(atom))

        # Second detector: interval shortened by past_time, atom stamped past_time later - still inside the limit.
        past_time = 3200
        shortened_interval = detector.default_interval - past_time
        detector = MissingMatchPathListValueDetector(
            self.aminer_config, list(watched_paths), [self.stream_printer_event_handler], 'Default', True,
            shortened_interval, self.__realert_interval)
        self.analysis_context.register_component(detector, description + "2")
        atom = LogAtom(pid_element.fixed_data, ParserMatch(pid_match), round(now) + past_time, detector)
        self.assertTrue(detector.receive_atom(atom))
        self.assertEqual(self.output_stream.getvalue(), '')
    def test7positive_number_zero_padding(self):
        """
        Equivalence class: positive integers combined with zero padding (PAD_TYPE_ZERO).

        A zero-padded input must keep its leading zeros in the match string, an unpadded input must match as
        well; both evaluate to the integer 25537.
        """
        element = DecimalIntegerValueModelElement(
            None, DecimalIntegerValueModelElement.SIGN_TYPE_NONE, DecimalIntegerValueModelElement.PAD_TYPE_ZERO)
        cases = [
            (self.zero_number, b'00025537'),
            (self.positive_string, b'25537'),
        ]
        for raw_input, expected_text in cases:
            match_element = element.get_match_element(None, MatchContext(raw_input))
            self.assertNotEqual(match_element, None, self.match_element_should_exist)
            self.assertEqual(match_element.get_match_string(), expected_text, self.match_element_unexpected_result)
            self.assertEqual(match_element.get_match_object(), 25537, self.match_element_unexpected_value)
def get_logind_model(user_name_model=None):
    """
    Return a model to parse a systemd logind daemon message after any standard logging preamble, e.g. from syslog.

    Args:
        user_name_model: element used for the user name in "New session <n> of user <name>." messages. When
            None, a VariableByteDataModelElement over lowercase letters, digits and '-' is used. The '.' is
            deliberately absent from that set because the message ends with a literal '.'; the original author
            notes that user models which also accept the dot will fail here.

    Returns:
        SequenceModelElement matching "systemd-logind[<pid>]: <msg>", where <msg> is either the "New session"
        or the "Removed session" variant, tried in that order.
    """
    if user_name_model is None:
        default_user_charset = b'0123456789abcdefghijklmnopqrstuvwxyz-'
        user_name_model = VariableByteDataModelElement('user', default_user_charset)

    new_session = SequenceModelElement('new session', [
        FixedDataModelElement('s0', b'New session '),
        DecimalIntegerValueModelElement('session'),
        FixedDataModelElement('s1', b' of user '),
        user_name_model,
        FixedDataModelElement('s2', b'.')
    ])
    removed_session = SequenceModelElement('removed session', [
        FixedDataModelElement('s0', b'Removed session '),
        DecimalIntegerValueModelElement('session'),
        FixedDataModelElement('s1', b'.')
    ])

    return SequenceModelElement('systemd-logind', [
        FixedDataModelElement('sname', b'systemd-logind['),
        DecimalIntegerValueModelElement('pid'),
        FixedDataModelElement('s0', b']: '),
        FirstMatchModelElement('msg', [new_session, removed_session])
    ])
    def test7_receive_atom_list_without_match_element(self):
        """
        Check that receive_atom rejects an atom whose match does not belong to the watched path list.

        The detector watches the paths of a fixed element ("match1") and a decimal element ("match2") with
        auto-include disabled. The atom handed to it carries a match created under a different path prefix
        ("match3"), so receive_atom is expected to return False.
        """
        description = "Test7MissingMatchPathValueDetector"
        pid_element = FixedDataModelElement('s1', self.pid)
        number_element = DecimalIntegerValueModelElement(
            'd1', DecimalIntegerValueModelElement.SIGN_TYPE_NONE, DecimalIntegerValueModelElement.PAD_TYPE_NONE)

        watched_pid_match = pid_element.get_match_element("match1", MatchContext(self.pid))
        watched_number_match = number_element.get_match_element("match2", MatchContext(self.string))
        unrelated_pid_match = pid_element.get_match_element("match3", MatchContext(self.pid))

        detector = MissingMatchPathListValueDetector(
            self.aminer_config, [watched_pid_match.get_path(), watched_number_match.get_path()],
            [self.stream_printer_event_handler], 'Default', False, self.__default_interval, self.__realert_interval)
        self.analysis_context.register_component(detector, description)

        atom = LogAtom(pid_element.fixed_data, ParserMatch(unrelated_pid_match), 1, detector)
        self.assertFalse(detector.receive_atom(atom))
    def test5sign_type_mandatory_none_padding(self):
        """
        Equivalence class: integers with a mandatory sign and no padding (SIGN_TYPE_MANDATORY, PAD_TYPE_NONE).

        A negative input and an explicitly positive input must both match; the match string keeps the sign
        and the match object is the corresponding int.
        """
        element = DecimalIntegerValueModelElement(
            None, DecimalIntegerValueModelElement.SIGN_TYPE_MANDATORY, DecimalIntegerValueModelElement.PAD_TYPE_NONE)
        cases = [
            (self.negative_string, b'-25537', -25537),
            (b'+25537 uid=2', b'+25537', 25537),
        ]
        for raw_input, expected_text, expected_value in cases:
            match_element = element.get_match_element(None, MatchContext(raw_input))
            self.assertNotEqual(match_element, None, self.match_element_should_exist)
            self.assertEqual(match_element.get_match_string(), expected_text, self.match_element_unexpected_result)
            self.assertEqual(match_element.get_match_object(), expected_value, self.match_element_unexpected_value)
def get_systemd_model():
    """
    Return the parsing model for messages directly from systemd.

    Recognised messages, tried in this order: the apt-daily start/started lines, the
    "apt-daily.timer: Adding <h>h <m>min <s>s random time." line (hours part optional), and the
    temporary-directory cleanup start/started lines.

    Returns:
        SequenceModelElement matching "systemd[<pid>]: <msg>".
    """
    optional_hours = OptionalMatchModelElement(
        'hopt',
        SequenceModelElement('hblock', [
            DecimalIntegerValueModelElement('hours'),
            FixedDataModelElement('s1', b'h ')
        ]))
    apt_timer = SequenceModelElement('apt-daily-timer', [
        FixedDataModelElement('s0', b'apt-daily.timer: Adding '),
        optional_hours,
        DecimalIntegerValueModelElement('minutes'),
        FixedDataModelElement('s2', b'min '),
        DecimalFloatValueModelElement('seconds'),
        FixedDataModelElement('s3', b's random time.')
    ])

    message_variants = [
        FixedDataModelElement('apt-daily-start', b'Starting Daily apt activities...'),
        FixedDataModelElement('apt-daily-started', b'Started Daily apt activities.'),
        apt_timer,
        FixedDataModelElement('tmp-file-cleanup', b'Starting Cleanup of Temporary Directories...'),
        FixedDataModelElement('tmp-file-cleanup-started', b'Started Cleanup of Temporary Directories.')
    ]

    return SequenceModelElement('systemd', [
        FixedDataModelElement('sname', b'systemd['),
        DecimalIntegerValueModelElement('pid'),
        FixedDataModelElement('s0', b']: '),
        FirstMatchModelElement('msg', message_variants)
    ])
    def test5value_list_match_rule(self):
        """
        Exercise ValueListMatchRule: a value contained in the configured list matches, one outside it does not.

        The rule watches path 'match/d1' with the powers of two up to 512; 64 is in the list, 4711 is not.
        """
        description = "Test5Rules"
        allowed_values = [1, 2, 4, 8, 16, 32, 64, 128, 256, 512]
        rule = ValueListMatchRule('match/d1', allowed_values, None)
        self.analysis_context.register_component(rule, description)
        number_element = DecimalIntegerValueModelElement(
            'd1', DecimalIntegerValueModelElement.SIGN_TYPE_NONE, DecimalIntegerValueModelElement.PAD_TYPE_NONE)

        for raw_input, should_match in ((b'64', True), (b'4711', False)):
            context = MatchContext(raw_input)
            match_element = number_element.get_match_element('match', context)
            atom = LogAtom(context.match_data, ParserMatch(match_element), 1, rule)
            if should_match:
                self.assertTrue(rule.match(atom))
            else:
                self.assertFalse(rule.match(atom))
    def test1event_generation_match_action(self):
        """
        Check that EventGenerationMatchAction pushes the generated event to every registered handler.

        Two StreamPrinterEventHandlers are attached (the fixture's and a fresh one writing to its own
        StringIO). After match_action both streams must hold identical text, and that text must equal the
        fixture's expected format for this action, description and timestamp.
        """
        description = "Test1Rules"
        second_stream = StringIO()
        message = 'This message was generated, when the unit were successful.'

        number_element = DecimalIntegerValueModelElement(
            'd1', DecimalIntegerValueModelElement.SIGN_TYPE_NONE, DecimalIntegerValueModelElement.PAD_TYPE_NONE)
        context = MatchContext(b'25537')
        match_element = number_element.get_match_element('match', context)
        second_handler = StreamPrinterEventHandler(self.analysis_context, second_stream)

        timestamp = time()
        event_type = 'Test.%s' % self.__class__.__name__
        action = EventGenerationMatchAction(
            event_type, message, [self.stream_printer_event_handler, second_handler])
        self.analysis_context.register_component(action, description)
        atom = LogAtom(context.match_data, ParserMatch(match_element), timestamp, action)
        action.match_action(atom)

        first_output = self.output_stream.getvalue()
        self.assertEqual(first_output, second_stream.getvalue())
        expected_output = self.__expected_string % (
            datetime.fromtimestamp(timestamp).strftime("%Y-%m-%d %H:%M:%S"),
            action.__class__.__name__, description, 1,
            atom.parser_match.match_element.annotate_match(''))
        self.assertEqual(first_output, expected_output)
    def test11mandatory_zero_padding(self):
        """
        Equivalence class: mandatory sign combined with zero padding (SIGN_TYPE_MANDATORY, PAD_TYPE_ZERO).

        Signed inputs with and without leading zeros must match; the match string keeps sign and padding
        verbatim while the match object is the signed int.
        """
        element = DecimalIntegerValueModelElement(
            None, DecimalIntegerValueModelElement.SIGN_TYPE_MANDATORY, DecimalIntegerValueModelElement.PAD_TYPE_ZERO)
        cases = [
            (b'+00025537 uid=2', b'+00025537', 25537),
            (b'-00025537 uid=2', b'-00025537', -25537),
            (b'+25537 uid=2', b'+25537', 25537),
        ]
        for raw_input, expected_text, expected_value in cases:
            match_element = element.get_match_element(None, MatchContext(raw_input))
            self.assertNotEqual(match_element, None, self.match_element_should_exist)
            self.assertEqual(match_element.get_match_string(), expected_text, self.match_element_unexpected_result)
            self.assertEqual(match_element.get_match_object(), expected_value, self.match_element_unexpected_value)
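def get_model():
    """
    Return the model for sSMTP log messages after any standard logging preamble, e.g. from syslog.

    Returns:
        SequenceModelElement matching "sSMTP[<pid>]: <msg>", where <msg> is the first matching of two variants:
        the detailed "Sent mail for <to-addr> (<status>) uid=<uid> username=<username> outbytes=<bytes>" line
        and the shorter "<program> sent mail for <user>" line.

    NOTE(review): both children of the "msg" FirstMatchModelElement carry the name "sent", so the two variants
    cannot be told apart by match path name - presumably relevant for detectors keyed on the path; confirm
    against the consumers before renaming either child.
    """
    # Each free-text field is delimited by the literal that follows it, and that literal is then consumed
    # by a FixedDataModelElement of its own.
    detailed_sent = SequenceModelElement("sent", [
        FixedDataModelElement("s0", b"Sent mail for "),
        DelimitedDataModelElement("to-addr", b" ("),
        FixedDataModelElement("s1", b" ("),
        DelimitedDataModelElement("status", b") uid="),
        FixedDataModelElement("s2", b") uid="),
        DecimalIntegerValueModelElement("uid"),
        # The "s3"/"username" pair below is reconstructed: the published source line had been mangled by a
        # redaction marker ("******") into a syntax error. The reconstruction follows the pattern used by
        # every other field in this sequence (delimited field, then the same delimiter as a fixed element);
        # confirm the element type against the upstream file.
        FixedDataModelElement("s3", b" username="),
        DelimitedDataModelElement("username", b" outbytes="),
        FixedDataModelElement("s4", b" outbytes="),
        DecimalIntegerValueModelElement("bytes")
    ])
    short_sent = SequenceModelElement("sent", [
        DelimitedDataModelElement("program", b" "),
        FixedDataModelElement("s0", b" sent mail for "),
        AnyByteDataModelElement("user")
    ])

    return SequenceModelElement("ssmtp", [
        FixedDataModelElement("sname", b"sSMTP["),
        DecimalIntegerValueModelElement("pid"),
        FixedDataModelElement("s0", b"]: "),
        FirstMatchModelElement("msg", [detailed_sent, short_sent])
    ])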
    def test6_receive_atom_list(self):
        """
        Check that a list detector without the auto_include_flag accepts an atom for a watched path.

        The detector watches the paths of a fixed element ("match1") and a decimal element ("match2") with
        auto-include disabled; an atom carrying the "match1" match is delivered and receive_atom must return
        True (per the original note, no missing value should be created for the list in this case).
        """
        description = "Test6MissingMatchPathValueDetector"
        pid_element = FixedDataModelElement('s1', self.pid)
        number_element = DecimalIntegerValueModelElement(
            'd1', DecimalIntegerValueModelElement.SIGN_TYPE_NONE, DecimalIntegerValueModelElement.PAD_TYPE_NONE)
        pid_match = pid_element.get_match_element("match1", MatchContext(self.pid))
        number_match = number_element.get_match_element("match2", MatchContext(self.string))

        detector = MissingMatchPathListValueDetector(
            self.aminer_config, [pid_match.get_path(), number_match.get_path()],
            [self.stream_printer_event_handler], 'Default', False, self.__default_interval, self.__realert_interval)
        self.analysis_context.register_component(detector, description)

        atom = LogAtom(pid_element.fixed_data, ParserMatch(pid_match), 1, detector)
        self.assertTrue(detector.receive_atom(atom))
 def test4_receive_atom_with_no_target_value(self):
     """
     Check that MatchFilter reports only values contained in its target_value_list.

     The filter watches '/integer' and accepts the values 0..500. One atom is delivered for every value
     0..999: values up to 500 must produce the expected output line, larger values must produce no output.
     The output stream is reset after each atom.
     """
     description = "Test4MatchFilterTest"
     integer_element = DecimalIntegerValueModelElement('integer')
     match_filter = MatchFilter(self.aminer_config, ['/integer'], [self.stream_printer_event_handler],
                                target_value_list=list(range(501)))
     self.analysis_context.register_component(match_filter, description)
     timestamp = time.time()
     time_text = datetime.fromtimestamp(timestamp).strftime("%Y-%m-%d %H:%M:%S")
     for value in range(1000):
         context = MatchContext(str(value).encode('utf-8'))
         parser_match = ParserMatch(integer_element.get_match_element('', context))
         match_filter.receive_atom(LogAtom(value, parser_match, timestamp, match_filter))
         if value <= 500:
             expected_output = self.__expected_string % (time_text, description, value, value)
         else:
             expected_output = ''
         self.assertEqual(expected_output, self.output_stream.getvalue())
         self.reset_output_stream()
    def test9negative_number_blank_padding(self):
        """
        Equivalence class: negative integers with blank padding (SIGN_TYPE_OPTIONAL, PAD_TYPE_BLANK).

        Both "- 25537" (a blank between sign and digits) and the plain negative fixture string must match
        and evaluate to -25537.
        """
        element = DecimalIntegerValueModelElement(
            None, DecimalIntegerValueModelElement.SIGN_TYPE_OPTIONAL, DecimalIntegerValueModelElement.PAD_TYPE_BLANK)
        cases = [
            (b'- 25537 uid=2', b'- 25537'),
            (self.negative_string, b'-25537'),
        ]
        for raw_input, expected_text in cases:
            match_element = element.get_match_element(None, MatchContext(raw_input))
            self.assertNotEqual(match_element, None, self.match_element_should_exist)
            self.assertEqual(match_element.get_match_string(), expected_text, self.match_element_unexpected_result)
            self.assertEqual(match_element.get_match_object(), -25537, self.match_element_unexpected_value)
 def test8positive_number_zero_padding_no_match(self):
     """Zero padding with SIGN_TYPE_NONE must not accept input that begins with a blank: no match is expected."""
     element = DecimalIntegerValueModelElement(
         None, DecimalIntegerValueModelElement.SIGN_TYPE_NONE, DecimalIntegerValueModelElement.PAD_TYPE_ZERO)
     result = element.get_match_element(None, MatchContext(b' 00025537 uid=2'))
     self.assertEqual(result, None, self.match_element_should_not_exist)
 def test13_no_number_input(self):
     """Non-numeric input must be rejected by the element regardless of the optional sign: no match is expected."""
     element = DecimalIntegerValueModelElement(
         None, DecimalIntegerValueModelElement.SIGN_TYPE_OPTIONAL, DecimalIntegerValueModelElement.PAD_TYPE_NONE)
     result = element.get_match_element(None, MatchContext(b'This is no number'))
     self.assertEqual(result, None, self.match_element_should_not_exist)
def get_model():
    """
    Return a parser for apache2 access.log.

    The line is modelled as the usual access-log fields (host, ident, user, bracketed time with a signed
    numeric offset, quoted request with method and HTTP version, status, size) followed by a literal "-"
    referer and the quoted user agent. Each free-text field is restricted to an explicit byte set; the
    request and user-agent sets are deliberately narrow, so a line carrying any other byte in those fields
    (e.g. a comma, an apostrophe or a '#' inside the user agent) does not match this model at all rather
    than matching partially.

    Returns:
        SequenceModelElement named 'accesslog'.
    """
    host_chars = b'-.01234567890abcdefghijklmnopqrstuvwxyz:'
    user_chars = b'0123456789abcdefghijklmnopqrstuvwxyz.-'
    request_chars = b'0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ.-/()[]{}!$%&=<?*+'
    user_agent_chars = b'0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ.-/()[]{}!$%&=<?*+;:_ '
    http_methods = [b'GET', b'POST', b'PUT', b'HEAD', b'DELETE', b'CONNECT', b'OPTIONS', b'TRACE', b'PATCH']
    space = b' '

    time_model = SequenceModelElement('time_model', [
        DateTimeModelElement('time', b'[%d/%b/%Y:%H:%M:%S '),
        FixedWordlistDataModelElement('sign', [b'+', b'-']),
        DecimalIntegerValueModelElement('tz'),
        FixedDataModelElement('bracket', b']')
    ])

    fields = [
        VariableByteDataModelElement('host', host_chars),
        FixedDataModelElement('sp0', space),
        VariableByteDataModelElement('ident', host_chars),
        FixedDataModelElement('sp1', space),
        VariableByteDataModelElement('user', user_chars),
        FixedDataModelElement('sp2', space),
        time_model,
        FixedDataModelElement('sp3', b' "'),
        FixedWordlistDataModelElement('method', http_methods),
        FixedDataModelElement('sp4', space),
        VariableByteDataModelElement('request', request_chars),
        FixedDataModelElement('sp5', b' HTTP/'),
        VariableByteDataModelElement('version', b'0123456789.'),
        FixedDataModelElement('sp6', b'" '),
        DecimalIntegerValueModelElement('status'),
        FixedDataModelElement('sp7', space),
        DecimalIntegerValueModelElement('size'),
        FixedDataModelElement('sp8', b' "-" "'),
        VariableByteDataModelElement('useragent', user_agent_chars),
        FixedDataModelElement('sp9', b'"')
    ]
    return SequenceModelElement('accesslog', fields)
 def test6sign_type_mandatory_none_padding_no_match(self):
     """
     Equivalence class: mandatory sign, no padding, input without a sign.

     The positive fixture string carries no explicit sign, so an element requiring one must not match.
     """
     element = DecimalIntegerValueModelElement(
         None, DecimalIntegerValueModelElement.SIGN_TYPE_MANDATORY, DecimalIntegerValueModelElement.PAD_TYPE_NONE)
     result = element.get_match_element(None, MatchContext(self.positive_string))
     self.assertEqual(result, None, self.match_element_should_not_exist)
 def test4negative_number_none_padding_no_match(self):
     """
     Equivalence class: negative numbers without padding, fed an input the element cannot accept.

     With SIGN_TYPE_NONE and PAD_TYPE_NONE the input "- 25537 uid=2" (sign, then a blank) must not match.
     """
     element = DecimalIntegerValueModelElement(
         None, DecimalIntegerValueModelElement.SIGN_TYPE_NONE, DecimalIntegerValueModelElement.PAD_TYPE_NONE)
     result = element.get_match_element(None, MatchContext(b'- 25537 uid=2'))
     self.assertEqual(result, None, self.match_element_should_not_exist)
def get_systemd_model():
    """
    Return the parsing model for messages directly from systemd.

    Returns:
        SequenceModelElement matching "systemd[<pid>]: <msg>", where <msg> is the first of the known unit and
        timer messages that matches (fixed status lines, the apt-daily timer line, process kills, and generic
        "Starting"/"Started" lines). Service names in the "starting", "started" and "killing-process"
        variants are delimited by the next '.' or ':', so a unit name that itself contains that byte is cut
        short at its first occurrence - presumably leaving the remainder unmatched; confirm against
        DelimitedDataModelElement.
    """
    def fixed(name, text):
        return FixedDataModelElement(name, text)

    apt_timer = SequenceModelElement("apt-daily-timer", [
        fixed("s0", b"apt-daily.timer: Adding "),
        OptionalMatchModelElement("hopt", SequenceModelElement("hblock", [
            DecimalIntegerValueModelElement("hours"),
            fixed("s1", b"h ")
        ])),
        DecimalIntegerValueModelElement("minutes"),
        fixed("s2", b"min "),
        DecimalFloatValueModelElement("seconds"),
        fixed("s3", b"s random time.")
    ])
    service_succeeded = SequenceModelElement("service-succeeded", [
        DelimitedDataModelElement("service", b" "),
        fixed("s0", b" Succeeded.")
    ])
    # The killed process name is hard-coded: only update-notifier kills are matched by this variant.
    killing_process = SequenceModelElement("killing-process", [
        DelimitedDataModelElement("service", b":"),
        fixed("s0", b": Killing process "),
        DecimalIntegerValueModelElement("pid"),
        fixed("s1", b" (update-notifier) with signal SIGKILL.")
    ])
    starting = SequenceModelElement("starting", [
        fixed("s0", b"Starting "),
        DelimitedDataModelElement("service", b"."),
        fixed("s1", b"...")
    ])
    started = SequenceModelElement("started", [
        fixed("s0", b"Started "),
        DelimitedDataModelElement("service", b".", consume_delimiter=True)
    ])

    # Order is significant: the specific fixed lines come before the generic "Starting"/"Started" variants.
    message_variants = [
        fixed("apt-daily-start", b"Starting Daily apt upgrade and clean activities..."),
        fixed("apt-daily-started", b"Started Daily apt upgrade and clean activities."),
        fixed("apt-daily-finished", b"Finished Daily apt upgrade and clean activities."),
        service_succeeded,
        fixed("clean-php", b"Finished Clean php session files."),
        fixed("finished-logrotate", b"Finished Rotate log files."),
        fixed("finished-man-db-daily", b"Finished Daily man-db regeneration."),
        fixed("finished-ubuntu-advantages", b"Finished Ubuntu Advantage APT and MOTD Messages."),
        fixed("finished-refresh", b"Finished Refresh fwupd metadata and update motd."),
        fixed("finished-daily-apt", b"Finished Daily apt download activities."),
        apt_timer,
        fixed("tmp-file-cleanup", b"Starting Cleanup of Temporary Directories..."),
        fixed("tmp-file-cleanup-started", b"Started Cleanup of Temporary Directories."),
        killing_process,
        starting,
        started,
        fixed("reloading", b"Reloading.")
    ]

    return SequenceModelElement("systemd", [
        fixed("sname", b"systemd["),
        DecimalIntegerValueModelElement("pid"),
        fixed("s0", b"]: "),
        FirstMatchModelElement("msg", message_variants)
    ])
    def test4atom_no_match_missing_value_string_set(self):
        """
        Check MatchValueStreamWriter with a missing-value replacement configured.

        Four atoms are written for the paths d1 and s1, separated by ';'. The first three come from the full
        "<number>Euro " sequence; the fourth matches only the number (the s1 path is absent from it), so the
        writer is expected to emit the configured replacement '-' in that column.
        """
        description = "Test4MatchValueStreamWriter"
        sink = BytesIO()
        context = MatchContext(b'25537Euro 25538Euro 25539Euro 25540Pfund ')
        number_element = DecimalIntegerValueModelElement(
            'd1', DecimalIntegerValueModelElement.SIGN_TYPE_NONE, DecimalIntegerValueModelElement.PAD_TYPE_NONE)
        currency_element = FixedDataModelElement('s1', self.euro)
        sequence_element = SequenceModelElement('sequence', [number_element, currency_element])

        writer = MatchValueStreamWriter(sink, [self.match_sequence_d1, self.match_sequence_s1], b';', b'-')
        self.analysis_context.register_component(writer, description)

        # The same context is matched three times; the expected output shows that each call advances
        # past one "<number>Euro " record.
        for _ in range(3):
            match_element = sequence_element.get_match_element('match', context)
            writer.receive_atom(LogAtom(context.match_data, ParserMatch(match_element), 1, writer))

        # "25540Pfund " lacks the fixed currency suffix, so only the integer is matched; its path is forced
        # to the d1 path the writer listens on.
        match_element = number_element.get_match_element('match', context)
        match_element.path = self.match_sequence_d1
        writer.receive_atom(LogAtom(context.match_data, ParserMatch(match_element), 1, writer))

        self.assertEqual(sink.getvalue().decode(), '25537;Euro \n25538;Euro \n25539;Euro \n25540;-\n')
def get_model():
    """Return a model to parse ntpd daemon messages after any standard logging preamble, e.g. from syslog.

    The model matches ``ntpd[<pid>]: `` followed by exactly one of the message
    variants assembled below; they are tried in the order listed.
    """
    # Interface names consist of lower-case alphanumerics and dots; the same
    # element instance is reused by both "Listen ..." variants.
    interface_name_model = VariableByteDataModelElement('interface', b'0123456789abcdefghijklmnopqrstuvwxyz.')

    exit_message = SequenceModelElement('exit', [
        FixedDataModelElement('s0', b'ntpd exiting on signal '),
        DecimalIntegerValueModelElement('signal')
    ])

    # The address may be IPv4 or IPv6; the IPv6 form is read up to the next blank.
    listen_drop_message = SequenceModelElement('listen-drop', [
        FixedDataModelElement('s0', b'Listen and drop on '),
        DecimalIntegerValueModelElement('fd'),
        FixedDataModelElement('s1', b' '),
        interface_name_model,
        FixedDataModelElement('s2', b' '),
        FirstMatchModelElement('address', [
            IpAddressDataModelElement('ipv4'),
            DelimitedDataModelElement('ipv6', b' ')
        ]),
        FixedDataModelElement('s3', b' UDP 123')
    ])

    # Two wire formats for the port suffix are accepted: ":123" and " UDP 123".
    listen_normal_message = SequenceModelElement('listen-normal', [
        FixedDataModelElement('s0', b'Listen normally on '),
        DecimalIntegerValueModelElement('fd'),
        FixedDataModelElement('s1', b' '),
        interface_name_model,
        FixedDataModelElement('s2', b' '),
        IpAddressDataModelElement('ip'),
        FirstMatchModelElement('msg', [
            FixedDataModelElement('port-new', b':123'),
            FixedDataModelElement('port-old', b' UDP 123')
        ])
    ])

    listen_routing_message = SequenceModelElement('listen-routing', [
        FixedDataModelElement('s0', b'Listening on routing socket on fd #'),
        DecimalIntegerValueModelElement('fd'),
        FixedDataModelElement('s1', b' for interface updates')
    ])

    new_interfaces_message = FixedDataModelElement('new-interfaces', b'new interface(s) found: waking up resolver')
    ntp_io_message = FixedDataModelElement('ntp-io', b'ntp_io: estimated max descriptors: 1024, initial socket boundary: 16')
    peers_refreshed_message = FixedDataModelElement('peers-refreshed', b'peers refreshed')

    precision_message = SequenceModelElement('precision', [
        FixedDataModelElement('s0', b'proto: precision = '),
        DecimalFloatValueModelElement('precision'),
        FixedDataModelElement('s1', b' usec')
    ])

    # Order matters: FirstMatchModelElement takes the first variant that matches.
    message_variants = [
        exit_message,
        listen_drop_message,
        listen_normal_message,
        listen_routing_message,
        new_interfaces_message,
        ntp_io_message,
        peers_refreshed_message,
        precision_message,
    ]

    return SequenceModelElement('ntpd', [
        FixedDataModelElement('sname', b'ntpd['),
        DecimalIntegerValueModelElement('pid'),
        FixedDataModelElement('s0', b']: '),
        FirstMatchModelElement('msg', message_variants)
    ])
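 def test10negative_number_blank_padding_no_match(self):
     """Negative integer equivalence class combined with blank padding: no match expected.

     The input starts with a blank followed by a signed number; the element is built
     with an optional sign and blank padding, and must not return a match element.
     """
     match_context = MatchContext(b' -25537 uid=2')
     decimal_integer_value_me = DecimalIntegerValueModelElement(
         None, DecimalIntegerValueModelElement.SIGN_TYPE_OPTIONAL,
         DecimalIntegerValueModelElement.PAD_TYPE_BLANK)
     match_element = decimal_integer_value_me.get_match_element(None, match_context)
     # assertIsNone checks identity with None instead of going through __eq__ on the result.
     self.assertIsNone(match_element, self.match_element_should_not_exist)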
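def get_model():
    """Return a model to parse ulogd daemon messages after any standard logging preamble, e.g. from syslog.

    Besides a few fixed status lines, the model covers NFCT ``[DESTROY]`` event
    lines, which carry the original and the reply direction of a flow with
    addresses, protocol, ports and packet/byte counters.
    """
    type_children = [
        SequenceModelElement('build-stack', [
            FixedDataModelElement('s0', b'building new pluginstance stack: \''),
            DelimitedDataModelElement('stack', b'\''),
            FixedDataModelElement('s1', b'\'')
        ]),
        # Original direction ("ORIG:") followed by the reply direction ("REPLY:").
        SequenceModelElement('nfct-event', [
            FixedDataModelElement('s0', b'[DESTROY] ORIG: SRC='),
            IpAddressDataModelElement('osrcip'),
            FixedDataModelElement('s1', b' DST='),
            IpAddressDataModelElement('odstip'),
            FixedDataModelElement('s2', b' PROTO='),
            FixedWordlistDataModelElement('proto', [b'TCP', b'UDP']),
            FixedDataModelElement('s3', b' SPT='),
            DecimalIntegerValueModelElement('ospt'),
            FixedDataModelElement('s4', b' DPT='),
            DecimalIntegerValueModelElement('odpt'),
            FixedDataModelElement('s5', b' PKTS='),
            DecimalIntegerValueModelElement('opkts'),
            FixedDataModelElement('s6', b' BYTES='),
            DecimalIntegerValueModelElement('obytes'),
            FixedDataModelElement('s7', b' , REPLY: SRC='),
            IpAddressDataModelElement('rsrcip'),
            FixedDataModelElement('s8', b' DST='),
            IpAddressDataModelElement('rdstip'),
            FixedDataModelElement('s9', b' PROTO='),
            FixedWordlistDataModelElement('rproto', [b'TCP', b'UDP']),
            FixedDataModelElement('s10', b' SPT='),
            DecimalIntegerValueModelElement('rspt'),
            FixedDataModelElement('s11', b' DPT='),
            DecimalIntegerValueModelElement('rdpt'),
            FixedDataModelElement('s12', b' PKTS='),
            DecimalIntegerValueModelElement('rpkts'),
            FixedDataModelElement('s13', b' BYTES='),
            DecimalIntegerValueModelElement('rbytes'),
            # No additional whitespace from Ubuntu Trusty 14.04 on.
            # NOTE(review): the element id 's0' is already used by the first element of this
            # sequence; if element ids form the match path, the two children collide -- confirm
            # before keying any detection rule on the 'nfct-event' paths.
            OptionalMatchModelElement('tail', FixedDataModelElement('s0', b' '))
        ]),
        FixedDataModelElement('nfct-plugin', b'NFCT plugin working in event mode'),
        FixedDataModelElement('reopen', b'reopening capture file'),
        FixedDataModelElement('signal', b'signal received, calling pluginstances'),
        FixedDataModelElement('uidchange', b'Changing UID / GID')
    ]

    # Wrap the message variants in the ``ulogd[<pid>]: `` preamble; variants are tried in list order.
    model = SequenceModelElement('ulogd', [
        FixedDataModelElement('sname', b'ulogd['),
        DecimalIntegerValueModelElement('pid'),
        FixedDataModelElement('s0', b']: '),
        FirstMatchModelElement('msg', type_children)
    ])
    return model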
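 def test3negative_number_none_padding(self):
     """Negative numbers combined with no padding: a match is expected whose string and value are the signed integer.

     Uses ``self.negative_string`` as input; the element is built with an optional
     sign and no padding and must report ``b'-25537'`` / ``-25537``.
     """
     match_context = MatchContext(self.negative_string)
     decimal_integer_value_me = DecimalIntegerValueModelElement(
         None, DecimalIntegerValueModelElement.SIGN_TYPE_OPTIONAL,
         DecimalIntegerValueModelElement.PAD_TYPE_NONE)
     match_element = decimal_integer_value_me.get_match_element(None, match_context)
     # Guard first so a missing match fails with the intended message instead of an AttributeError.
     self.assertIsNotNone(match_element, self.match_element_should_exist)
     self.assertEqual(match_element.get_match_string(), b'-25537', self.match_element_unexpected_result)
     self.assertEqual(match_element.get_match_object(), -25537, self.match_element_unexpected_value)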
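def get_model():
    """Return a model to parse aminer's own log messages after any standard logging preamble, e.g. from syslog.

    Known ``WARNING: SECURITY:`` start-up messages get a dedicated element id so
    they can be told apart; any other message body is accepted by the trailing
    ``unparsed`` element.
    """
    type_children = [
        FixedDataModelElement(
            'warn-no-openat',
            b'WARNING: SECURITY: No secure open yet due to missing openat in python!'
        ),
        FixedDataModelElement(
            'warn-no-OPATH',
            b'WARNING: SECURITY: Open should use O_PATH, but not yet available in python'
        ),
        # Written as adjacent literals (joined by the compiler) rather than a backslash
        # continuation inside the literal, which would embed the continuation line's
        # indentation in the matched bytes.
        # NOTE(review): the single space between "via" and "POSIX" is assumed to match the
        # emitted message -- confirm against the code that prints this warning.
        FixedDataModelElement(
            'warn-POSIX-acls',
            b'WARNING: SECURITY: No checking for backdoor access via '
            b'POSIX ACLs, use "getfacl" from "acl" package to check manually.'
        ),
        # NOTE(review): same assumption as above for the space before "should".
        FixedDataModelElement(
            'warn-no-linkat',
            b'WARNING: SECURITY: unsafe unlink (unavailable unlinkat/linkat '
            b'should be used, but not available in python)'
        ),
        # Catch-all; keep it last so the specific warnings above are tried first.
        AnyByteDataModelElement('unparsed')
    ]

    model = SequenceModelElement('aminer', [
        FixedDataModelElement('sname', b'aminer['),
        DecimalIntegerValueModelElement('pid'),
        FixedDataModelElement('s0', b']: '),
        FirstMatchModelElement('msg', type_children)
    ])
    return model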
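class SequenceModelElementTest(unittest.TestCase):
    """Tests for SequenceModelElement: a fixed prefix, a decimal number and a currency word must match in order."""

    sequence_start = b'The sequence starts with a number: '
    fixed_data_model_element = FixedDataModelElement('fixed', sequence_start)
    decimal_integer_value_model_element = DecimalIntegerValueModelElement(
        'decimal', DecimalIntegerValueModelElement.SIGN_TYPE_NONE, DecimalIntegerValueModelElement.PAD_TYPE_NONE)
    fixed_wordlist_data_model_element = FixedWordlistDataModelElement('wordlist', [b' Euro', b' Dollar', b' Pfund'])
    # Element under test: all three children have to match consecutively.
    sequence_model_element = SequenceModelElement(
        'sequence', [fixed_data_model_element, decimal_integer_value_model_element, fixed_wordlist_data_model_element])

    def test1sequence_of_matching_elements(self):
        """A sequence of matching elements yields a match covering the whole input and consumes all match data."""
        match_context = MatchContext(b'The sequence starts with a number: 25538 Euro')
        match_element = self.sequence_model_element.get_match_element('match', match_context)
        # Guard first so a missing match fails as an assertion rather than an AttributeError.
        self.assertIsNotNone(match_element)
        self.assertEqual(match_element.get_match_string(), b'The sequence starts with a number: 25538 Euro')
        self.assertEqual(match_context.match_data, b'')

    def test2sequence_not_matching(self):
        """A sequence whose word-list element does not match yields None and leaves the match data untouched."""
        match_context = MatchContext(b'The sequence starts with a number: 25538 US-Dollar')
        self.assertIsNone(self.sequence_model_element.get_match_element('match', match_context))
        self.assertEqual(match_context.match_data, b'The sequence starts with a number: 25538 US-Dollar')

    def test3match_context_shorter_than_sequence(self):
        """Return None when the match context holds only the fixed prefix and is too short for the whole sequence."""
        match_context = MatchContext(self.sequence_start)
        self.assertIsNone(self.sequence_model_element.get_match_element('match', match_context))
        self.assertEqual(match_context.match_data, self.sequence_start)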
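    def test12mandatory_zero_padding_no_match(self):
        """Mandatory sign combined with zero padding: no match expected.

        The same element is applied to ``self.zero_number`` and then to
        ``self.positive_string``; neither input may produce a match element.
        """
        decimal_integer_value_me = DecimalIntegerValueModelElement(
            None, DecimalIntegerValueModelElement.SIGN_TYPE_MANDATORY,
            DecimalIntegerValueModelElement.PAD_TYPE_ZERO)

        # Each input gets a fresh context so the second check is independent of the first.
        for data in (self.zero_number, self.positive_string):
            match_context = MatchContext(data)
            match_element = decimal_integer_value_me.get_match_element(None, match_context)
            # assertIsNone checks identity with None instead of going through __eq__ on the result.
            self.assertIsNone(match_element, self.match_element_should_not_exist)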
    def test11value_pad_type_input_validation(self):
        """Check if value_pad_type is validated."""
        DecimalIntegerValueModelElement(self.id_, value_pad_type="none")
        DecimalIntegerValueModelElement(self.id_, value_pad_type="zero")
        DecimalIntegerValueModelElement(self.id_, value_pad_type="blank")

        self.assertRaises(ValueError, DecimalIntegerValueModelElement, self.id_, value_pad_type="None")
        self.assertRaises(TypeError, DecimalIntegerValueModelElement, self.id_, value_pad_type=None)
        self.assertRaises(TypeError, DecimalIntegerValueModelElement, self.id_, value_pad_type=b"none")
        self.assertRaises(TypeError, DecimalIntegerValueModelElement, self.id_, value_pad_type=True)
        self.assertRaises(TypeError, DecimalIntegerValueModelElement, self.id_, value_pad_type=123)
        self.assertRaises(TypeError, DecimalIntegerValueModelElement, self.id_, value_pad_type=123.22)
        self.assertRaises(TypeError, DecimalIntegerValueModelElement, self.id_, value_pad_type={"value_sign_type": "none"})
        self.assertRaises(TypeError, DecimalIntegerValueModelElement, self.id_, value_pad_type=["none"])
        self.assertRaises(TypeError, DecimalIntegerValueModelElement, self.id_, value_pad_type=[])
        self.assertRaises(TypeError, DecimalIntegerValueModelElement, self.id_, value_pad_type=())
        self.assertRaises(TypeError, DecimalIntegerValueModelElement, self.id_, value_pad_type=set())