def test4_receive_atom_missing_value(self):
"""This test case checks if missing values are reported correctly."""
description = "Test4MissingMatchPathValueDetector"
t = time.time()
match_context_fixed_dme = MatchContext(self.pid)
fixed_dme = FixedDataModelElement('s1', self.pid)
match_element_fixed_dme = fixed_dme.get_match_element("match1", match_context_fixed_dme)
missing_match_path_value_detector = MissingMatchPathValueDetector(self.aminer_config, [match_element_fixed_dme.get_path()], [
self.stream_printer_event_handler], 'Default', True, self.__default_interval, self.__realert_interval)
self.analysis_context.register_component(missing_match_path_value_detector, description)
log_atom_fixed_dme = LogAtom(fixed_dme.fixed_data, ParserMatch(match_element_fixed_dme), t, missing_match_path_value_detector)
self.assertTrue(missing_match_path_value_detector.receive_atom(log_atom_fixed_dme))
past_time = 4000
missing_match_path_value_detector = MissingMatchPathValueDetector(self.aminer_config, [match_element_fixed_dme.get_path()], [
self.stream_printer_event_handler], 'Default', True, missing_match_path_value_detector.default_interval - past_time,
self.__realert_interval, output_log_line=False)
self.analysis_context.register_component(missing_match_path_value_detector, description + "2")
log_atom_fixed_dme = LogAtom(fixed_dme.fixed_data, ParserMatch(match_element_fixed_dme), t + past_time,
missing_match_path_value_detector)
self.assertTrue(missing_match_path_value_detector.receive_atom(log_atom_fixed_dme))
self.assertEqual(self.output_stream.getvalue(), self.__expected_string % (
datetime.fromtimestamp(t + past_time).strftime(self.datetime_format_string),
missing_match_path_value_detector.__class__.__name__, description + "2", 1, self.match1_s1_overdue))
def test4_fuzzing_path_is_none(self):
"""This testmethod is part of the Fuzz Testing and it assures, that the path-input is validated. In this case a path is not
needed, because FixedDataModelElement has no child elements."""
match_context = MatchContext(self.pid)
fixed_dme = FixedDataModelElement('s0', self.pid)
match_element = fixed_dme.get_match_element(None, match_context)
self.assertNotEqual(match_element, None, "There should exist a MatchElement!")
def test7constraint_list(self):
"""Test the allowlisting of paths."""
description = 'test7eventCorrelationDetectorTest'
ecd = EventCorrelationDetector(self.aminer_config,
[self.stream_printer_event_handler],
check_rules_flag=True,
p0=0.7,
alpha=0.1,
auto_include_flag=True)
self.analysis_context.register_component(ecd, description)
self.assertEqual([], ecd.constraint_list)
match_context_fixed_dme = MatchContext(b' pid=')
fixed_dme = FixedDataModelElement('s1', b' pid=')
match_element_fixed_dme = fixed_dme.get_match_element(
"", match_context_fixed_dme)
# unknown path
ecd.allowlist_event(self.analysis % ecd.__class__.__name__,
match_element_fixed_dme.get_path(), None)
self.assertEqual(['/s1'], ecd.constraint_list)
# known path
ecd.allowlist_event(self.analysis % ecd.__class__.__name__,
match_element_fixed_dme.get_path(), None)
self.assertEqual(['/s1'], ecd.constraint_list)
def get_systemd_model():
"""Return the parsing model for messages directly from systemd."""
type_children = [
FixedDataModelElement('apt-daily-start',
b'Starting Daily apt activities...'),
FixedDataModelElement('apt-daily-started',
b'Started Daily apt activities.'),
SequenceModelElement('apt-daily-timer', [
FixedDataModelElement('s0', b'apt-daily.timer: Adding '),
OptionalMatchModelElement(
'hopt',
SequenceModelElement('hblock', [
DecimalIntegerValueModelElement('hours'),
FixedDataModelElement('s1', b'h ')
])),
DecimalIntegerValueModelElement('minutes'),
FixedDataModelElement('s2', b'min '),
DecimalFloatValueModelElement('seconds'),
FixedDataModelElement('s3', b's random time.')
]),
FixedDataModelElement('tmp-file-cleanup',
b'Starting Cleanup of Temporary Directories...'),
FixedDataModelElement('tmp-file-cleanup-started',
b'Started Cleanup of Temporary Directories.')
]
model = SequenceModelElement('systemd', [
FixedDataModelElement('sname', b'systemd['),
DecimalIntegerValueModelElement('pid'),
FixedDataModelElement('s0', b']: '),
FirstMatchModelElement('msg', type_children)
])
return model
def test4get_match_element_no_match(self):
"""Parse not matching substring from MatchContext and check if the MatchContext was not changed."""
no_match_string = b"Hello World."
match_context = DummyMatchContext(self.data)
fixed_dme = FixedDataModelElement(self.id_, no_match_string)
match_element = fixed_dme.get_match_element(self.path, match_context)
self.compare_no_match_results(self.data, match_element, match_context)
def test5_missing_value_on_persisted(self):
"""Persisting elements is tested in this test case."""
description = "Test5MissingMatchPathValueDetector"
t = time.time()
match_context_fixed_dme = MatchContext(self.pid)
fixed_dme = FixedDataModelElement('s1', self.pid)
match_element_fixed_dme = fixed_dme.get_match_element("match1", match_context_fixed_dme)
missing_match_path_value_detector = MissingMatchPathValueDetector(self.aminer_config, [match_element_fixed_dme.get_path()], [
self.stream_printer_event_handler], 'Default', True, self.__default_interval, self.__realert_interval)
self.analysis_context.register_component(missing_match_path_value_detector, description)
log_atom_fixed_dme = LogAtom(fixed_dme.fixed_data, ParserMatch(match_element_fixed_dme), round(t),
missing_match_path_value_detector)
self.assertTrue(missing_match_path_value_detector.receive_atom(log_atom_fixed_dme))
missing_match_path_value_detector.do_persist()
past_time = 4000
other_missing_match_path_value_detector = MissingMatchPathValueDetector(self.aminer_config, [match_element_fixed_dme.get_path()], [
self.stream_printer_event_handler], 'Default', True, self.__default_interval, self.__realert_interval)
self.analysis_context.register_component(other_missing_match_path_value_detector, description + "2")
other_missing_match_path_value_detector.set_check_value(other_missing_match_path_value_detector.get_channel_key(
log_atom_fixed_dme)[1], self.__default_interval - past_time, match_element_fixed_dme.get_path())
log_atom_fixed_dme = LogAtom(fixed_dme.fixed_data, ParserMatch(match_element_fixed_dme), round(t) + past_time,
other_missing_match_path_value_detector)
self.assertTrue(other_missing_match_path_value_detector.receive_atom(log_atom_fixed_dme))
# skipcq: PYL-R1714
self.assertTrue((self.output_stream.getvalue() == self.__expected_string % (
datetime.fromtimestamp(t + past_time).strftime(self.datetime_format_string),
other_missing_match_path_value_detector.__class__.__name__, description + "2", 1, self.match1_s1_overdue)) or (
self.output_stream.getvalue() == self.__expected_string % (
datetime.fromtimestamp(t + past_time + 1).strftime(self.datetime_format_string),
other_missing_match_path_value_detector.__class__.__name__, description + "2", 1, self.match1_s1_overdue)))
def test7_receive_atom_list_without_match_element(self):
"""This test case checks if the ReceiveAtom controls the list of MatchElements and responds correctly, when a value is missing."""
description = "Test7MissingMatchPathValueDetector"
match_context_fixed_dme = MatchContext(self.pid)
fixed_dme = FixedDataModelElement('s1', self.pid)
match_element_fixed_dme = fixed_dme.get_match_element(
"match1", match_context_fixed_dme)
match_context_decimal_integer_value_me = MatchContext(self.string)
decimal_integer_value_me = DecimalIntegerValueModelElement(
'd1', DecimalIntegerValueModelElement.SIGN_TYPE_NONE,
DecimalIntegerValueModelElement.PAD_TYPE_NONE)
match_element_decimal_integer_value_me = decimal_integer_value_me.get_match_element(
"match2", match_context_decimal_integer_value_me)
match_context_fixed_dme = MatchContext(self.pid)
matchElementFixedDME2 = fixed_dme.get_match_element(
"match3", match_context_fixed_dme)
missing_match_path_list_value_detector = MissingMatchPathListValueDetector(
self.aminer_config, [
match_element_fixed_dme.get_path(),
match_element_decimal_integer_value_me.get_path()
], [self.stream_printer_event_handler], 'Default', False,
self.__default_interval, self.__realert_interval)
self.analysis_context.register_component(
missing_match_path_list_value_detector, description)
log_atom_fixed_dme = LogAtom(fixed_dme.fixed_data,
ParserMatch(matchElementFixedDME2), 1,
missing_match_path_list_value_detector)
self.assertFalse(
missing_match_path_list_value_detector.receive_atom(
log_atom_fixed_dme))
def test6_receive_atom_list(self):
"""This test case checks, whether a missing value is created by a list without using the
auto_include_flag. (should not be the case)"""
description = "Test6MissingMatchPathValueDetector"
match_context_fixed_dme = MatchContext(self.pid)
fixed_dme = FixedDataModelElement('s1', self.pid)
match_element_fixed_dme = fixed_dme.get_match_element(
"match1", match_context_fixed_dme)
match_context_decimal_integer_value_me = MatchContext(self.string)
decimal_integer_value_me = DecimalIntegerValueModelElement(
'd1', DecimalIntegerValueModelElement.SIGN_TYPE_NONE,
DecimalIntegerValueModelElement.PAD_TYPE_NONE)
match_element_decimal_integer_value_me = decimal_integer_value_me.get_match_element(
"match2", match_context_decimal_integer_value_me)
missing_match_path_list_value_detector = MissingMatchPathListValueDetector(
self.aminer_config, [
match_element_fixed_dme.get_path(),
match_element_decimal_integer_value_me.get_path()
], [self.stream_printer_event_handler], 'Default', False,
self.__default_interval, self.__realert_interval)
self.analysis_context.register_component(
missing_match_path_list_value_detector, description)
log_atom_fixed_dme = LogAtom(fixed_dme.fixed_data,
ParserMatch(match_element_fixed_dme), 1,
missing_match_path_list_value_detector)
self.assertTrue(
missing_match_path_list_value_detector.receive_atom(
log_atom_fixed_dme))
def test3_receive_atom_no_missing_value(self):
"""This test case checks whether the class returns wrong positives, when the time limit is not passed."""
description = "Test3MissingMatchPathValueDetector"
match_context_fixed_dme = MatchContext(self.pid)
fixed_dme = FixedDataModelElement('s1', self.pid)
match_element_fixed_dme = fixed_dme.get_match_element(
"match1", match_context_fixed_dme)
missing_match_path_value_detector = MissingMatchPathValueDetector(
self.aminer_config, match_element_fixed_dme.get_path(),
[self.stream_printer_event_handler], 'Default', True,
self.__default_interval, self.__realert_interval)
self.analysis_context.register_component(
missing_match_path_value_detector, description)
log_atom_fixed_dme = LogAtom(fixed_dme.fixed_data,
ParserMatch(match_element_fixed_dme),
time.time(),
missing_match_path_value_detector)
self.assertTrue(
missing_match_path_value_detector.receive_atom(log_atom_fixed_dme))
past_time = 3200
missing_match_path_value_detector = MissingMatchPathValueDetector(
self.aminer_config, match_element_fixed_dme.get_path(),
[self.stream_printer_event_handler], 'Default', True,
missing_match_path_value_detector.default_interval - past_time,
self.__realert_interval)
log_atom_fixed_dme = LogAtom(fixed_dme.fixed_data,
ParserMatch(match_element_fixed_dme),
time.time() + past_time,
missing_match_path_value_detector)
self.assertTrue(
missing_match_path_value_detector.receive_atom(log_atom_fixed_dme))
self.assertEqual(self.output_stream.getvalue(), '')
def test3timestamp_higher_than_last_timestamp(self):
"""This test case checks if nothing happens, when the timestamp is, as expected, higher than the last one."""
description = "Test3TimestampsUnsortedDetector"
match_context_fixed_dme = MatchContext(self.pid)
fixed_dme = FixedDataModelElement('s1', self.pid)
match_element_fixed_dme = fixed_dme.get_match_element(
"match", match_context_fixed_dme)
new_match_path_detector = NewMatchPathDetector(
self.aminer_config, [self.stream_printer_event_handler], 'Default',
False)
self.analysis_context.register_component(new_match_path_detector,
description)
t = time()
log_atom = LogAtom(fixed_dme.fixed_data,
ParserMatch(match_element_fixed_dme), t,
new_match_path_detector)
timestamp_unsorted_detector = TimestampsUnsortedDetector(
self.aminer_config, [self.stream_printer_event_handler],
False,
output_log_line=False)
self.analysis_context.register_component(timestamp_unsorted_detector,
description + "2")
self.assertTrue(timestamp_unsorted_detector.receive_atom(log_atom))
self.assertEqual(self.output_stream.getvalue(), '')
log_atom.set_timestamp(t)
self.assertTrue(timestamp_unsorted_detector.receive_atom(log_atom))
self.assertEqual(self.output_stream.getvalue(), '')
log_atom.set_timestamp(t + 10000)
self.assertTrue(timestamp_unsorted_detector.receive_atom(log_atom))
self.assertEqual(self.output_stream.getvalue(), '')
def test3path_exists_match_rule(self):
"""This case unit the PathExistsMatchRule."""
description = "Test3Rules"
path_exists_match_rule = PathExistsMatchRule(self.match_s1, None)
self.analysis_context.register_component(path_exists_match_rule,
description)
self.fixed_dme = FixedDataModelElement('s1', self.fixed_string)
t = time()
match_context = MatchContext(self.fixed_string)
match_element = self.fixed_dme.get_match_element(
'match', match_context)
log_atom = LogAtom(match_context.match_data,
ParserMatch(match_element), t,
path_exists_match_rule)
self.assertTrue(path_exists_match_rule.match(log_atom))
self.fixed_dme = FixedDataModelElement('s2', self.fixed_string)
match_context = MatchContext(self.fixed_string)
match_element = self.fixed_dme.get_match_element(
'match', match_context)
log_atom = LogAtom(match_context.match_data,
ParserMatch(match_element), t,
path_exists_match_rule)
self.assertTrue(not path_exists_match_rule.match(log_atom))
def test1simple_monotonic_timestamp_adjust_test(self):
"""this test case checks if the timestamp is adjusted and logAtoms are forwarded correctly."""
description = "Test1TimestampCorrectionFilter"
match_context_fixed_dme = MatchContext(b' pid=')
fixed_dme = FixedDataModelElement('s1', b' pid=')
match_element_fixed_dme = fixed_dme.get_match_element(
"match", match_context_fixed_dme)
t = time()
new_match_path_detector = NewMatchPathDetector(
self.aminer_config, [self.stream_printer_event_handler],
'Default',
False,
output_log_line=False)
self.analysis_context.register_component(new_match_path_detector,
description)
simple_monotonic_timstamp_adjust = SimpleMonotonicTimestampAdjust(
[new_match_path_detector], False)
log_atom_fixed_dme = LogAtom(fixed_dme.fixed_data,
ParserMatch(match_element_fixed_dme), t,
new_match_path_detector)
self.assertEqual(
simple_monotonic_timstamp_adjust.receive_atom(log_atom_fixed_dme),
True)
self.assertEqual(
self.output_stream.getvalue(), self.__expected_string %
(datetime.fromtimestamp(t).strftime("%Y-%m-%d %H:%M:%S"),
new_match_path_detector.__class__.__name__, description, 1,
self.match_path))
def get_logind_model(user_name_model=None):
"""Return a model to parse a systemd logind daemon message after any standard logging preamble, e.g. from syslog."""
if user_name_model is None:
user_name_model = VariableByteDataModelElement("user", b"0123456789abcdefghijklmnopqrstuvwxyz-_")
type_children = [
SequenceModelElement("new session", [
FixedDataModelElement("s0", b"New session "),
DecimalIntegerValueModelElement("session"),
FixedDataModelElement("s1", b" of user "),
user_name_model,
FixedDataModelElement("s2", b".")
]),
SequenceModelElement("removed session", [
FixedDataModelElement("s0", b"Removed session "),
DecimalIntegerValueModelElement("session"),
FixedDataModelElement("s1", b".")
]),
SequenceModelElement("logged out", [
FixedDataModelElement("s0", b"Session "),
DecimalIntegerValueModelElement("session"),
FixedDataModelElement("s1", b" logged out. Waiting for processes to exit.")
]),
FixedDataModelElement("failed abandon", b"Failed to abandon session scope: Transport endpoint is not connected")
]
# Will fail on username models including the dot at the end.
model = SequenceModelElement("systemd-logind", [
FixedDataModelElement("sname", b"systemd-logind["),
DecimalIntegerValueModelElement("pid"),
FixedDataModelElement("s0", b"]: "),
FirstMatchModelElement("msg", type_children)
])
return model
def test1_valid_input_with_match_element_found(self):
"""This testmethod is part of the Basis Path Testing / Decision Coverage. It assures, that the intended usage of the
FixedDataModelElement is working. (MatchElement found)"""
match_context = MatchContext(self.pid)
fixed_dme = FixedDataModelElement('s0', self.pid)
match_element = fixed_dme.get_match_element("", match_context)
self.assertNotEqual(match_element, None, "There should exist a MatchElement!")
def test8_receive_atom_list_no_missing_value(self):
"""This test case checks whether the class returns wrong positives on lists, when the time limit should not be passed."""
description = "Test8MissingMatchPathValueDetector"
t = time.time()
match_context_fixed_dme = MatchContext(self.pid)
fixed_dme = FixedDataModelElement('s1', self.pid)
match_element_fixed_dme = fixed_dme.get_match_element("match1", match_context_fixed_dme)
match_context_decimal_integer_value_me = MatchContext(self.string)
decimal_integer_value_me = DecimalIntegerValueModelElement('d1', DecimalIntegerValueModelElement.SIGN_TYPE_NONE,
DecimalIntegerValueModelElement.PAD_TYPE_NONE)
match_element_decimal_integer_value_me = decimal_integer_value_me.get_match_element(
"match2", match_context_decimal_integer_value_me)
missing_match_path_list_value_detector = MissingMatchPathListValueDetector(self.aminer_config, [
match_element_fixed_dme.get_path(), match_element_decimal_integer_value_me.get_path()], [self.stream_printer_event_handler],
'Default', True, self.__default_interval, self.__realert_interval)
self.analysis_context.register_component(missing_match_path_list_value_detector, description)
log_atom_fixed_dme = LogAtom(fixed_dme.fixed_data, ParserMatch(match_element_fixed_dme), round(t),
missing_match_path_list_value_detector)
self.assertTrue(missing_match_path_list_value_detector.receive_atom(log_atom_fixed_dme))
past_time = 3200
missing_match_path_list_value_detector = MissingMatchPathListValueDetector(self.aminer_config, [
match_element_fixed_dme.get_path(), match_element_decimal_integer_value_me.get_path()], [self.stream_printer_event_handler],
'Default', True, missing_match_path_list_value_detector.default_interval - past_time, self.__realert_interval)
self.analysis_context.register_component(missing_match_path_list_value_detector, description + "2")
log_atom_fixed_dme = LogAtom(fixed_dme.fixed_data, ParserMatch(match_element_fixed_dme), round(t) + past_time,
missing_match_path_list_value_detector)
self.assertTrue(missing_match_path_list_value_detector.receive_atom(log_atom_fixed_dme))
self.assertEqual(self.output_stream.getvalue(), '')
def test4get_match_element_no_match(self):
"""Parse not matching substring from MatchContext and check if the MatchContext was not changed."""
no_match_string = b"Hello World."
match_context = DummyMatchContext(self.data)
fixed_dme = FixedDataModelElement("s0", no_match_string)
match_element = fixed_dme.get_match_element("fixed", match_context)
self.assertIsNone(match_element, None)
self.assertEqual(match_context.match_data, self.data)
self.assertEqual(match_context.match_string, b"")
def test3get_match_element_valid_match(self):
"""Parse matching substring from MatchContext and check if the MatchContext was updated with the fixed string."""
fixed_string = b"fixed data."
fixed_dme = FixedDataModelElement(self.id_, fixed_string)
match_context = DummyMatchContext(self.data)
match_element = fixed_dme.get_match_element(self.path, match_context)
self.compare_match_results(self.data, match_element, match_context,
self.id_, self.path, fixed_string,
fixed_string, None)
def test1_receive_atom(self):
"""This test case checks whether a missing value is created without using the auto_include_flag (should not be the case)."""
description = "Test1MissingMatchPathValueDetector"
match_context_fixed_dme = MatchContext(self.pid)
fixed_dme = FixedDataModelElement('s1', self.pid)
match_element_fixed_dme = fixed_dme.get_match_element("match1", match_context_fixed_dme)
missing_match_path_value_detector = MissingMatchPathValueDetector(self.aminer_config, [match_element_fixed_dme.get_path()], [
self.stream_printer_event_handler], 'Default', False, self.__default_interval, self.__realert_interval)
self.analysis_context.register_component(missing_match_path_value_detector, description)
log_atom_fixed_dme = LogAtom(fixed_dme.fixed_data, ParserMatch(match_element_fixed_dme), 1, missing_match_path_value_detector)
self.assertTrue(missing_match_path_value_detector.receive_atom(log_atom_fixed_dme))
def test3get_match_element_valid_match(self):
"""Parse matching substring from MatchContext and check if the MatchContext was updated accordingly."""
fixed_string = b'fixed data.'
match_context = DummyMatchContext(self.data)
fixed_dme = FixedDataModelElement("s0", fixed_string)
match_element = fixed_dme.get_match_element("fixed", match_context)
self.assertEqual(match_element.path, "fixed/s0")
self.assertEqual(match_element.match_string, fixed_string)
self.assertEqual(match_element.match_object, fixed_string)
self.assertIsNone(match_element.children, None)
self.assertEqual(match_context.match_string, fixed_string)
def test2do_timer(self):
"""In this test case the functionality of the timer is tested. The eventCollectTime must not be 0."""
description = "Test2DefaultMailNotificationEventHandler"
default_mail_notification_event_handler = DefaultMailNotificationEventHandler(self.analysis_context)
self.analysis_context.register_component(self, description)
t = time()
match_context = MatchContext(self.pid)
fixed_dme = FixedDataModelElement('s3', self.pid)
match_element = fixed_dme.get_match_element("match", match_context)
log_atom = LogAtom(fixed_dme.fixed_data, ParserMatch(match_element), t, self)
default_mail_notification_event_handler.receive_event(
self.test % self.__class__.__name__, 'New value for pathes %s: %s' % (
'match/s3', repr(match_element.match_object)), [log_atom.raw_data], None, log_atom, self)
t = 0
default_mail_notification_event_handler.do_timer(t)
# skipcq: PYL-W1510, BAN-B602
result = subprocess.run(self.mail_call, shell=True, stdout=subprocess.PIPE)
self.assertFalse(self.__expected_string % (
match_element.get_path(), repr(match_element.get_match_object()), self.__class__.__name__, description, 1,
match_element.get_match_string().decode() + "\n\n") in str(result.stdout, 'utf-8'))
t = time()
default_mail_notification_event_handler.next_alert_time = t + 500
default_mail_notification_event_handler.do_timer(t)
# skipcq: PYL-W1510, BAN-B602
result = subprocess.run(self.mail_call, shell=True, stdout=subprocess.PIPE)
self.assertFalse(self.__expected_string % (
match_element.get_path(), repr(match_element.get_match_object()), self.__class__.__name__, description, 1,
match_element.get_match_string().decode() + "\n\n") in str(result.stdout, 'utf-8'))
default_mail_notification_event_handler.next_alert_time = t
default_mail_notification_event_handler.do_timer(t)
sleep(2)
# skipcq: PYL-W1510, BAN-B602
result = subprocess.run(self.mail_call, shell=True, stdout=subprocess.PIPE)
# skipcq: PYL-W1510, BAN-B602
subprocess.run(self.mail_delete_call, shell=True, stdout=subprocess.PIPE)
if datetime.fromtimestamp(t).strftime(self.datetime_format_string) not in str(result.stdout, 'utf-8'):
print("ERROR: %s t not found in mail!" % description, file=sys.stderr)
self.assertTrue(self.__expected_string % (
match_element.get_path(), repr(match_element.get_match_object()), self.__class__.__name__, description, 1,
match_element.get_match_string().decode() + "\n\n") in str(result.stdout, 'utf-8'), msg="%s vs \n %s" % (
self.__expected_string % (
match_element.get_path(), repr(match_element.get_match_object()), self.__class__.__name__, description, 1,
match_element.get_match_string().decode() + "\n\n"), str(result.stdout, 'utf-8')))
def test2_receive_atom_without_match_element(self):
"""This test case checks if the ReceiveAtom controls the MatchElement and responds correctly, when it is missing."""
description = "Test2MissingMatchPathValueDetector"
match_context_fixed_dme = MatchContext(self.pid)
fixed_dme = FixedDataModelElement('s1', self.pid)
match_element_fixed_dme = fixed_dme.get_match_element("match1", match_context_fixed_dme)
match_context_fixed_dme = MatchContext(self.pid)
matchElementFixedDME2 = fixed_dme.get_match_element("match2", match_context_fixed_dme)
missing_match_path_value_detector = MissingMatchPathValueDetector(self.aminer_config, [match_element_fixed_dme.get_path()], [
self.stream_printer_event_handler], 'Default', False, self.__default_interval, self.__realert_interval)
self.analysis_context.register_component(missing_match_path_value_detector, description)
log_atom_fixed_dme = LogAtom(fixed_dme.fixed_data, ParserMatch(matchElementFixedDME2), 1, missing_match_path_value_detector)
self.assertFalse(missing_match_path_value_detector.receive_atom(log_atom_fixed_dme))
def get_model():
"""Return the model."""
type_children = [
SequenceModelElement("sent", [
FixedDataModelElement("s0", b"Sent mail for "),
DelimitedDataModelElement("to-addr", b" ("),
FixedDataModelElement("s1", b" ("),
DelimitedDataModelElement("status", b") uid="),
FixedDataModelElement("s2", b") uid="),
DecimalIntegerValueModelElement("uid"),
FixedDataModelElement("s3", b" username="******"username", b" outbytes="),
FixedDataModelElement("s4", b" outbytes="),
DecimalIntegerValueModelElement("bytes")
]),
SequenceModelElement("sent", [
DelimitedDataModelElement("program", b" "),
FixedDataModelElement("s0", b" sent mail for "),
AnyByteDataModelElement("user")
])
]
model = SequenceModelElement("ssmtp", [
FixedDataModelElement("sname", b"sSMTP["),
DecimalIntegerValueModelElement("pid"),
FixedDataModelElement("s0", b"]: "),
FirstMatchModelElement("msg", type_children)
])
return model
def get_model():
"""Return a model to parse messages from kernel logging."""
type_children = [
SequenceModelElement("ipv4-martian", [
FixedDataModelElement("s0", b"IPv4: martian "),
FixedWordlistDataModelElement("direction", [b"source", b"destination"]),
FixedDataModelElement("s1", b" "),
IpAddressDataModelElement("destination"),
FixedDataModelElement("s2", b" from "),
IpAddressDataModelElement("source"),
FixedDataModelElement("s3", b", on dev "),
AnyByteDataModelElement("interface")]),
SequenceModelElement("net-llheader", [
FixedDataModelElement("s0", b"ll header: "),
AnyByteDataModelElement("data")
]),
AnyByteDataModelElement("unparsed")
]
model = SequenceModelElement("kernel", [
FixedDataModelElement("sname", b"kernel: "),
OptionalMatchModelElement("opt", SequenceModelElement("seq", [
FixedDataModelElement("opt_s0", b"]"),
DelimitedDataModelElement("timestamp", b"]"),
FixedDataModelElement("opt_s1", b"] "),
])),
FirstMatchModelElement("msg", type_children)
])
return model
def get_model():
"""Return a model to parse a su session information message after any standard logging preamble, e.g. from syslog."""
type_children = [
SequenceModelElement('gidchange', [
FixedDataModelElement('s0', b'rsyslogd\'s groupid changed to '),
DecimalIntegerValueModelElement('gid')
]),
SequenceModelElement('statechange', [
FixedDataModelElement('s0',
b'[origin software="rsyslogd" swVersion="'),
DelimitedDataModelElement('version', b'"'),
FixedDataModelElement('s1', b'" x-pid="'),
DecimalIntegerValueModelElement('pid'),
FixedDataModelElement('s2',
b'" x-info="http://www.rsyslog.com"] '),
FirstMatchModelElement('type', [
FixedDataModelElement('HUPed', b'rsyslogd was HUPed'),
FixedDataModelElement('start', b'start')
])
]),
SequenceModelElement('uidchange', [
FixedDataModelElement('s0', b'rsyslogd\'s userid changed to '),
DecimalIntegerValueModelElement('uid')
])
]
model = SequenceModelElement('rsyslog', [
FixedDataModelElement('sname', b'rsyslogd: '),
FirstMatchModelElement('msg', type_children)
])
return model
def test1_standard_input_values(self):
"""This test case verifies the functionality of the repeating Matches."""
match_context = MatchContext(
b'fixed log line. \n A different line follows.')
fixed_data_model_element = FixedDataModelElement(
'fixed', self.fixed_log_line)
repeated_element_data_model_element = RepeatedElementDataModelElement(
'repeatedElement', fixed_data_model_element)
self.assertEqual(
repeated_element_data_model_element.get_match_element(
'match', match_context).get_match_string(),
self.fixed_log_line)
match_context = MatchContext(
b'fixed log line. fixed log line. fixed log line. fixed log line. \n A different line follows.'
)
self.assertEqual(
repeated_element_data_model_element.get_match_element(
'match', match_context).get_match_string(),
b'fixed log line. fixed log line. fixed log line. fixed log line. '
)
match_context = MatchContext(b'A different line follows.')
self.assertEqual(
repeated_element_data_model_element.get_match_element(
'match', match_context).get_match_string(), b'')
def test2_min_max_repeats(self):
"""This test case verifies the functionality of setting the minimal and maximal repeats."""
match_context = MatchContext(
b'fixed log line. \n A different line follows.')
fixed_data_model_element = FixedDataModelElement(
'fixed', self.fixed_log_line)
repeated_element_data_model_element = RepeatedElementDataModelElement(
'repeatedElement', fixed_data_model_element, 2, 5)
self.assertEqual(
repeated_element_data_model_element.get_match_element(
'match', match_context), None)
match_context = MatchContext(
b'fixed log line. fixed log line. \n A different line follows.')
self.assertEqual(
repeated_element_data_model_element.get_match_element(
'match', match_context).get_match_string(),
b'fixed log line. fixed log line. ')
match_context = MatchContext(
b'fixed log line. fixed log line. fixed log line. fixed log line. fixed log line. \n A different line follows.'
)
self.assertEqual(
repeated_element_data_model_element.get_match_element(
'match', match_context).get_match_string(),
b'fixed log line. fixed log line. fixed log line. fixed log line. fixed log line. '
)
match_context = MatchContext(
b'fixed log line. fixed log line. fixed log line. fixed log line. fixed log line. fixed log line. \n A different line follows.'
)
self.assertEqual(
repeated_element_data_model_element.get_match_element(
'match', match_context), None)
class SequenceModelElementTest(unittest.TestCase):
sequence_start = b'The sequence starts with a number: '
fixed_data_model_element = FixedDataModelElement('fixed', sequence_start)
decimal_integer_value_model_element = DecimalIntegerValueModelElement(
'decimal', DecimalIntegerValueModelElement.SIGN_TYPE_NONE, DecimalIntegerValueModelElement.PAD_TYPE_NONE)
fixed_wordlist_data_model_element = FixedWordlistDataModelElement('wordlist', [b' Euro', b' Dollar', b' Pfund'])
sequence_model_element = SequenceModelElement(
'sequence', [fixed_data_model_element, decimal_integer_value_model_element, fixed_wordlist_data_model_element])
def test1sequence_of_matching_elements(self):
"""A normal sequence of matching elements is tested in this example test case"""
match_context = MatchContext(b'The sequence starts with a number: 25538 Euro')
self.assertEqual(self.sequence_model_element.get_match_element(
'match', match_context).get_match_string(), b'The sequence starts with a number: 25538 Euro')
self.assertEqual(match_context.match_data, b'')
def test2sequence_not_matching(self):
"""A normal sequence of elements, which do not match with the expected sequence_model is tested."""
match_context = MatchContext(b'The sequence starts with a number: 25538 US-Dollar')
self.assertEqual(self.sequence_model_element.get_match_element('match', match_context), None)
self.assertEqual(match_context.match_data, b'The sequence starts with a number: 25538 US-Dollar')
def test3match_context_shorter_than_sequence(self):
"""This test case unit if the sequence_model returns None, when the match_context is too short for a match."""
match_context = MatchContext(self.sequence_start)
self.assertEqual(self.sequence_model_element.get_match_element('match', match_context), None)
self.assertEqual(match_context.match_data, self.sequence_start)
def test3normal_incomplete_overlong_line_stream_not_ended(self):
"""A incomplete, overlong line, with the stream NOT ended, is tested as Input of the Class."""
match_context_fixed_dme = MatchContext(self.illegal_access1)
fixed_dme = FixedDataModelElement('s1', self.illegal_access1)
_match_element_fixed_dme = fixed_dme.get_match_element(
"match1", match_context_fixed_dme)
byte_stream_line_atomizer = ByteStreamLineAtomizer(
fixed_dme, [], [self.stream_printer_event_handler],
sys.getsizeof(match_context_fixed_dme.match_data) - 1, [])
self.assertGreater(
byte_stream_line_atomizer.consume_data(self.illegal_access1,
False), 0)
self.assertEqual(
self.output_stream.getvalue(),
'Start of overlong line detected (1 lines)\n %s' %
self.illegal_access2)
def get_model(time_model=None):
"""
Return the model for parsing a standard syslog preamble including timestamp and hostname.
@param time_model when not none, the given model element is used for parsing timestamps. Otherwise a standard DateTimeModelElement
with format b'%b %d %H:%M:%S' is created. CAVEAT: the standard model may not work when log data timestamp locale does not match
host or shell environment locale. See MultiLocaleDatetime_modelElement instead.
"""
if time_model is None:
time_model = DateTimeModelElement('time', b'%b %d %H:%M:%S')
host_name_model = VariableByteDataModelElement(
'host', b'-.01234567890abcdefghijklmnopqrstuvwxyz')
model = SequenceModelElement('syslog', [
time_model,
FixedDataModelElement('sp0', b' '), host_name_model,
FixedDataModelElement('sp1', b' ')
])
return model
def test4value_match_rule(self):
"""This case unit the ValueMatchRule."""
description = "Test4Rules"
value_match_rule = ValueMatchRule(self.match_s1, self.fixed_string, None)
self.analysis_context.register_component(value_match_rule, description)
self.fixed_dme = FixedDataModelElement('s1', self.fixed_string)
match_context = MatchContext(self.fixed_string)
match_element = self.fixed_dme.get_match_element('match', match_context)
log_atom = LogAtom(match_context.match_data, ParserMatch(match_element), 1, value_match_rule)
self.assertTrue(value_match_rule.match(log_atom))
self.fixed_dme = FixedDataModelElement('s1', b'another fixed String')
match_context = MatchContext(b'another fixed String')
match_element = self.fixed_dme.get_match_element('match', match_context)
log_atom = LogAtom(match_context.match_data, ParserMatch(match_element), 1, value_match_rule)
self.assertTrue(not value_match_rule.match(log_atom))
