def test12or_match_rule(self):
"""This case unit the OrMatchRule."""
description = "Test12Rules"
path_exists_match_rule = PathExistsMatchRule(self.match_ipv4, None)
self.analysis_context.register_component(path_exists_match_rule,
description)
i_pv4_in_rfc1918_match_rule = IPv4InRFC1918MatchRule(self.match_ipv4)
self.analysis_context.register_component(i_pv4_in_rfc1918_match_rule,
description + "2")
or_match_rule = OrMatchRule(
[path_exists_match_rule, i_pv4_in_rfc1918_match_rule])
self.analysis_context.register_component(or_match_rule,
description + "3")
ip_address_data_model_element = IpAddressDataModelElement('IPv4')
match_context = MatchContext(b'192.168.0.0')
match_element = ip_address_data_model_element.get_match_element(
'match', match_context)
log_atom = LogAtom(match_context.match_data,
ParserMatch(match_element), time(), or_match_rule)
self.assertTrue(or_match_rule.match(log_atom))
# changing to IPv6
path_exists_match_rule = PathExistsMatchRule('match/IPv6', None)
or_match_rule = OrMatchRule(
[path_exists_match_rule, i_pv4_in_rfc1918_match_rule])
match_context = MatchContext(b'192.168.0.0')
match_element = ip_address_data_model_element.get_match_element(
'match', match_context)
log_atom = LogAtom(match_context.match_data,
ParserMatch(match_element), time(), or_match_rule)
self.assertTrue(or_match_rule.match(log_atom))
def test7string_regex_match_rule(self):
"""This case unit the StringRegexMatchRule."""
description = "Test7Rules"
string_regex_match_rule = StringRegexMatchRule(self.match_any,
re.compile(r'\w'), None)
self.analysis_context.register_component(string_regex_match_rule,
description)
any_byte_date_me = AnyByteDataModelElement('any')
match_context = MatchContext(self.alphabet)
match_element = any_byte_date_me.get_match_element(
'match', match_context)
log_atom = LogAtom(match_context.match_data,
ParserMatch(match_element), 1,
string_regex_match_rule)
self.assertTrue(string_regex_match_rule.match(log_atom))
match_context = MatchContext(
'--> There are 26 letters in the english alphabet')
match_element = any_byte_date_me.get_match_element(
'match', match_context)
log_atom = LogAtom(match_context.match_data,
ParserMatch(match_element), 1,
string_regex_match_rule)
self.assertTrue(not string_regex_match_rule.match(log_atom))
def test5value_list_match_rule(self):
"""This case unit the ValueListMatchRule."""
description = "Test5Rules"
value_list_match_rule = ValueListMatchRule(
'match/d1', [1, 2, 4, 8, 16, 32, 64, 128, 256, 512], None)
self.analysis_context.register_component(value_list_match_rule,
description)
decimal_integer_value_me = DecimalIntegerValueModelElement(
'd1', DecimalIntegerValueModelElement.SIGN_TYPE_NONE,
DecimalIntegerValueModelElement.PAD_TYPE_NONE)
match_context = MatchContext(b'64')
match_element = decimal_integer_value_me.get_match_element(
'match', match_context)
log_atom = LogAtom(match_context.match_data,
ParserMatch(match_element), 1,
value_list_match_rule)
self.assertTrue(value_list_match_rule.match(log_atom))
match_context = MatchContext(b'4711')
match_element = decimal_integer_value_me.get_match_element(
'match', match_context)
log_atom = LogAtom(match_context.match_data,
ParserMatch(match_element), 1,
value_list_match_rule)
self.assertTrue(not value_list_match_rule.match(log_atom))
def test2persist_multiple_objects_of_multiple_class(self):
"""In this test case multiple instances of multiple classes are to be persisted and loaded."""
description = "Test2PersistencyUtil"
new_match_path_detector = NewMatchPathDetector(
self.aminer_config, [self.stream_printer_event_handler],
'Default2', True)
self.analysis_context.register_component(new_match_path_detector,
description)
t = time.time()
log_atom_fixed_dme = LogAtom(self.fixed_dme.fixed_data,
ParserMatch(self.match_element_fixed_dme),
t, new_match_path_detector)
log_atom_decimal_integer_value_me = LogAtom(
self.match_context_decimal_integer_value_me.match_data,
ParserMatch(self.match_element_decimal_integer_value_me), t,
new_match_path_detector)
new_match_path_detector.receive_atom(log_atom_fixed_dme)
new_match_path_detector.receive_atom(log_atom_decimal_integer_value_me)
other_new_match_path_detector = NewMatchPathDetector(
self.aminer_config, [self.stream_printer_event_handler],
'otherDetector2', True)
self.analysis_context.register_component(other_new_match_path_detector,
description + "2")
log_atom_fixed_dme = LogAtom(self.fixed_dme.fixed_data,
ParserMatch(self.match_element_fixed_dme),
t, other_new_match_path_detector)
other_new_match_path_detector.receive_atom(log_atom_fixed_dme)
new_match_path_value_combo_detector = NewMatchPathValueComboDetector(
self.aminer_config, ['first/f1/s1'],
[self.stream_printer_event_handler], 'Default', False, True)
self.analysis_context.register_component(
new_match_path_value_combo_detector, description + "3")
log_atom_sequence_me = LogAtom(
self.fixed_dme.fixed_data,
ParserMatch(self.match_element_first_match_me), t,
new_match_path_value_combo_detector)
new_match_path_value_combo_detector.receive_atom(log_atom_sequence_me)
PersistencyUtil.persist_all()
self.assertTrue(
PersistencyUtil.load_json(
new_match_path_detector.persistence_file_name) == [
self.match_element_fixed_dme.get_path(),
self.match_element_decimal_integer_value_me.get_path()
] or PersistencyUtil.load_json(
new_match_path_detector.persistence_file_name) == [
self.match_element_decimal_integer_value_me.get_path(),
self.match_element_fixed_dme.get_path()
])
self.assertEqual(
PersistencyUtil.load_json(
other_new_match_path_detector.persistence_file_name),
[self.match_element_fixed_dme.get_path()])
self.assertEqual(
PersistencyUtil.load_json(
new_match_path_value_combo_detector.persistence_file_name),
([[log_atom_sequence_me.raw_data]]))
def test3path_exists_match_rule(self):
"""This case unit the PathExistsMatchRule."""
description = "Test3Rules"
path_exists_match_rule = PathExistsMatchRule(self.match_s1, None)
self.analysis_context.register_component(path_exists_match_rule,
description)
self.fixed_dme = FixedDataModelElement('s1', self.fixed_string)
t = time()
match_context = MatchContext(self.fixed_string)
match_element = self.fixed_dme.get_match_element(
'match', match_context)
log_atom = LogAtom(match_context.match_data,
ParserMatch(match_element), t,
path_exists_match_rule)
self.assertTrue(path_exists_match_rule.match(log_atom))
self.fixed_dme = FixedDataModelElement('s2', self.fixed_string)
match_context = MatchContext(self.fixed_string)
match_element = self.fixed_dme.get_match_element(
'match', match_context)
log_atom = LogAtom(match_context.match_data,
ParserMatch(match_element), t,
path_exists_match_rule)
self.assertTrue(not path_exists_match_rule.match(log_atom))
def test5_check_status_attributes_not_matching(self):
"""
In this test case the second log line has different attributes than expected.
An appropriate error message is expected from the check_status-method. The output of the do_timer-method is also tested in this
test case.
"""
description = "Test5TimeCorrelationViolationDetector"
time_correlation_violation_detector = TimeCorrelationViolationDetector(
self.analysis_context.aminer_config, self.rules,
[self.stream_printer_event_handler])
self.analysis_context.register_component(
time_correlation_violation_detector, component_name=description)
t = time.time()
log_atom1 = LogAtom(self.match_context1.match_data,
ParserMatch(self.match_element1), t, self)
time_correlation_violation_detector.receive_atom(log_atom1)
log_atom2 = LogAtom(self.match_context2.match_data,
ParserMatch(self.match_element2_different), t + 1,
self)
time_correlation_violation_detector.receive_atom(log_atom2)
time_correlation_violation_detector.do_timer(time.time())
self.assertEqual(
self.output_stream.getvalue(),
self._expected_string_different_attributes %
(datetime.fromtimestamp(t).strftime(
self.datetime_format_string), self.correlation_rule.rule_id,
description, 1, self.match_element1.get_match_string().decode(),
self.a_class_selector.action_id, 22500, 22501))
def test1_normal_report(self):
"""This test case unit the creation of a report. As the rules are chosen randomly this test can not be very specific in checking
the actual values of the report."""
description = "Test1TimeCorrelationDetector"
time_correlation_detector = TimeCorrelationDetector(self.aminer_config, 2, 1, 0, [self.stream_printer_event_handler],
record_count_before_event=10)
self.analysis_context.register_component(time_correlation_detector, component_name=description)
t = time.time()
for i in range(0, 10):
logAtomSequenceME = LogAtom(self.fixed_dme.fixed_data, ParserMatch(self.match_element_first_match_me), t,
time_correlation_detector)
time_correlation_detector.receive_atom(logAtomSequenceME)
self.assertTrue(self.output_stream.getvalue().startswith(
self.__expected_string % (datetime.fromtimestamp(t).strftime(self.datetime_format_string), description, 10)))
self.reset_output_stream()
for i in range(0, 10):
logAtomSequenceME = LogAtom(self.fixed_dme.fixed_data, ParserMatch(self.match_element_first_match_me), t + i,
time_correlation_detector)
time_correlation_detector.receive_atom(logAtomSequenceME)
self.assertTrue(self.output_stream.getvalue().startswith(
self.__expected_string % (datetime.fromtimestamp(t + 9).strftime(self.datetime_format_string), description, 20)))
self.reset_output_stream()
for i in range(10, 15):
logAtomSequenceME = LogAtom(self.fixed_dme.fixed_data, ParserMatch(self.match_element_first_match_me), t + i,
time_correlation_detector)
time_correlation_detector.receive_atom(logAtomSequenceME)
logAtomSequenceME2 = LogAtom(self.fixed_dme.fixed_data, ParserMatch(self.match_element_first_match_me2), t + i,
time_correlation_detector)
time_correlation_detector.receive_atom(logAtomSequenceME2)
self.assertTrue(self.output_stream.getvalue().startswith(
self.__expected_string % (datetime.fromtimestamp(t + 14).strftime(self.datetime_format_string), description, 30)))
def test6value_range_match_rule(self):
"""This case unit the ValueRangeMatchRule."""
description = "Test6Rules"
value_range_match_rule = ValueRangeMatchRule('match/d1', 1, 1000, None)
self.analysis_context.register_component(value_range_match_rule, description)
decimal_integer_value_me = DecimalIntegerValueModelElement('d1', DecimalIntegerValueModelElement.SIGN_TYPE_NONE,
DecimalIntegerValueModelElement.PAD_TYPE_NONE)
match_context = MatchContext(b'1')
match_element = decimal_integer_value_me.get_match_element('match', match_context)
log_atom = LogAtom(match_context.match_data, ParserMatch(match_element), 1, value_range_match_rule)
self.assertTrue(value_range_match_rule.match(log_atom))
match_context = MatchContext(b'1000')
match_element = decimal_integer_value_me.get_match_element('match', match_context)
log_atom = LogAtom(match_context.match_data, ParserMatch(match_element), 1, value_range_match_rule)
self.assertTrue(value_range_match_rule.match(log_atom))
match_context = MatchContext(b'0')
match_element = decimal_integer_value_me.get_match_element('match', match_context)
log_atom = LogAtom(match_context.match_data, ParserMatch(match_element), 1, value_range_match_rule)
self.assertTrue(not value_range_match_rule.match(log_atom))
match_context = MatchContext(b'1001')
match_element = decimal_integer_value_me.get_match_element('match', match_context)
log_atom = LogAtom(match_context.match_data, ParserMatch(match_element), 1, value_range_match_rule)
self.assertTrue(not value_range_match_rule.match(log_atom))
def test8modulo_time_match_rule(self):
"""This case unit the ModuloTimeMatchRule."""
description = "Test8Rules"
modulo_time_match_rule = ModuloTimeMatchRule(self.model_syslog_time, 86400, 43200, 86400, None)
self.analysis_context.register_component(modulo_time_match_rule, description)
date_time_model_element = DateTimeModelElement('time', b'%d.%m.%Y %H:%M:%S')
match_context = MatchContext(b'14.02.2019 13:00:00')
match_element = date_time_model_element.get_match_element(self.model_syslog, match_context)
log_atom = LogAtom(match_context.match_data, ParserMatch(match_element), time(), date_time_model_element)
self.assertTrue(modulo_time_match_rule.match(log_atom))
match_context = MatchContext(b'15.02.2019 00:00:00')
match_element = date_time_model_element.get_match_element(self.model_syslog, match_context)
log_atom = LogAtom(match_context.match_data, ParserMatch(match_element), time(), date_time_model_element)
self.assertTrue(not modulo_time_match_rule.match(log_atom))
match_context = MatchContext(b'14.02.2019 12:00:00')
match_element = date_time_model_element.get_match_element(self.model_syslog, match_context)
log_atom = LogAtom(match_context.match_data, ParserMatch(match_element), time(), date_time_model_element)
self.assertTrue(modulo_time_match_rule.match(log_atom))
match_context = MatchContext(b'15.02.2019 01:00:00')
match_element = date_time_model_element.get_match_element(self.model_syslog, match_context)
log_atom = LogAtom(match_context.match_data, ParserMatch(match_element), time(), date_time_model_element)
self.assertTrue(not modulo_time_match_rule.match(log_atom))
def test3_receive_atom_no_missing_value(self):
"""This test case checks whether the class returns wrong positives, when the time limit is not passed."""
description = "Test3MissingMatchPathValueDetector"
match_context_fixed_dme = MatchContext(self.pid)
fixed_dme = FixedDataModelElement('s1', self.pid)
match_element_fixed_dme = fixed_dme.get_match_element(
"match1", match_context_fixed_dme)
missing_match_path_value_detector = MissingMatchPathValueDetector(
self.aminer_config, match_element_fixed_dme.get_path(),
[self.stream_printer_event_handler], 'Default', True,
self.__default_interval, self.__realert_interval)
self.analysis_context.register_component(
missing_match_path_value_detector, description)
log_atom_fixed_dme = LogAtom(fixed_dme.fixed_data,
ParserMatch(match_element_fixed_dme),
time.time(),
missing_match_path_value_detector)
self.assertTrue(
missing_match_path_value_detector.receive_atom(log_atom_fixed_dme))
past_time = 3200
missing_match_path_value_detector = MissingMatchPathValueDetector(
self.aminer_config, match_element_fixed_dme.get_path(),
[self.stream_printer_event_handler], 'Default', True,
missing_match_path_value_detector.default_interval - past_time,
self.__realert_interval)
log_atom_fixed_dme = LogAtom(fixed_dme.fixed_data,
ParserMatch(match_element_fixed_dme),
time.time() + past_time,
missing_match_path_value_detector)
self.assertTrue(
missing_match_path_value_detector.receive_atom(log_atom_fixed_dme))
self.assertEqual(self.output_stream.getvalue(), '')
def test8_receive_atom_list_no_missing_value(self):
"""This test case checks whether the class returns wrong positives on lists, when the time limit should not be passed."""
description = "Test8MissingMatchPathValueDetector"
t = time.time()
match_context_fixed_dme = MatchContext(self.pid)
fixed_dme = FixedDataModelElement('s1', self.pid)
match_element_fixed_dme = fixed_dme.get_match_element("match1", match_context_fixed_dme)
match_context_decimal_integer_value_me = MatchContext(self.string)
decimal_integer_value_me = DecimalIntegerValueModelElement('d1', DecimalIntegerValueModelElement.SIGN_TYPE_NONE,
DecimalIntegerValueModelElement.PAD_TYPE_NONE)
match_element_decimal_integer_value_me = decimal_integer_value_me.get_match_element(
"match2", match_context_decimal_integer_value_me)
missing_match_path_list_value_detector = MissingMatchPathListValueDetector(self.aminer_config, [
match_element_fixed_dme.get_path(), match_element_decimal_integer_value_me.get_path()], [self.stream_printer_event_handler],
'Default', True, self.__default_interval, self.__realert_interval)
self.analysis_context.register_component(missing_match_path_list_value_detector, description)
log_atom_fixed_dme = LogAtom(fixed_dme.fixed_data, ParserMatch(match_element_fixed_dme), round(t),
missing_match_path_list_value_detector)
self.assertTrue(missing_match_path_list_value_detector.receive_atom(log_atom_fixed_dme))
past_time = 3200
missing_match_path_list_value_detector = MissingMatchPathListValueDetector(self.aminer_config, [
match_element_fixed_dme.get_path(), match_element_decimal_integer_value_me.get_path()], [self.stream_printer_event_handler],
'Default', True, missing_match_path_list_value_detector.default_interval - past_time, self.__realert_interval)
self.analysis_context.register_component(missing_match_path_list_value_detector, description + "2")
log_atom_fixed_dme = LogAtom(fixed_dme.fixed_data, ParserMatch(match_element_fixed_dme), round(t) + past_time,
missing_match_path_list_value_detector)
self.assertTrue(missing_match_path_list_value_detector.receive_atom(log_atom_fixed_dme))
self.assertEqual(self.output_stream.getvalue(), '')
def test5_missing_value_on_persisted(self):
"""Persisting elements is tested in this test case."""
description = "Test5MissingMatchPathValueDetector"
t = time.time()
match_context_fixed_dme = MatchContext(self.pid)
fixed_dme = FixedDataModelElement('s1', self.pid)
match_element_fixed_dme = fixed_dme.get_match_element("match1", match_context_fixed_dme)
missing_match_path_value_detector = MissingMatchPathValueDetector(self.aminer_config, [match_element_fixed_dme.get_path()], [
self.stream_printer_event_handler], 'Default', True, self.__default_interval, self.__realert_interval)
self.analysis_context.register_component(missing_match_path_value_detector, description)
log_atom_fixed_dme = LogAtom(fixed_dme.fixed_data, ParserMatch(match_element_fixed_dme), round(t),
missing_match_path_value_detector)
self.assertTrue(missing_match_path_value_detector.receive_atom(log_atom_fixed_dme))
missing_match_path_value_detector.do_persist()
past_time = 4000
other_missing_match_path_value_detector = MissingMatchPathValueDetector(self.aminer_config, [match_element_fixed_dme.get_path()], [
self.stream_printer_event_handler], 'Default', True, self.__default_interval, self.__realert_interval)
self.analysis_context.register_component(other_missing_match_path_value_detector, description + "2")
other_missing_match_path_value_detector.set_check_value(other_missing_match_path_value_detector.get_channel_key(
log_atom_fixed_dme)[1], self.__default_interval - past_time, match_element_fixed_dme.get_path())
log_atom_fixed_dme = LogAtom(fixed_dme.fixed_data, ParserMatch(match_element_fixed_dme), round(t) + past_time,
other_missing_match_path_value_detector)
self.assertTrue(other_missing_match_path_value_detector.receive_atom(log_atom_fixed_dme))
# skipcq: PYL-R1714
self.assertTrue((self.output_stream.getvalue() == self.__expected_string % (
datetime.fromtimestamp(t + past_time).strftime(self.datetime_format_string),
other_missing_match_path_value_detector.__class__.__name__, description + "2", 1, self.match1_s1_overdue)) or (
self.output_stream.getvalue() == self.__expected_string % (
datetime.fromtimestamp(t + past_time + 1).strftime(self.datetime_format_string),
other_missing_match_path_value_detector.__class__.__name__, description + "2", 1, self.match1_s1_overdue)))
def test5check_value_reduction(self):
"""This unittest checks the functionality of reducing the values when the maxNumVals threshold is reached."""
event_type_detector = EventTypeDetector(
self.aminer_config, [self.stream_printer_event_handler])
t = time.time()
val_list = [[[]]]
for i in range(1, event_type_detector.max_num_vals + 1, 1):
log_atom = LogAtom(
str(i).encode(),
ParserMatch(MatchElement('path',
str(i).encode(), i, None)), t,
self.__class__.__name__)
val_list[0][0].append(float(i))
self.assertTrue(event_type_detector.receive_atom(log_atom))
self.assertEqual(event_type_detector.values, val_list)
i += 1
log_atom = LogAtom(
str(i).encode(),
ParserMatch(MatchElement('path',
str(i).encode(), i, None)), t,
self.__class__.__name__)
val_list[0][0].append(float(i))
self.assertTrue(event_type_detector.receive_atom(log_atom))
self.assertEqual(
event_type_detector.values,
[[val_list[0][0][-event_type_detector.min_num_vals:]]])
def test4_receive_atom_missing_value(self):
"""This test case checks if missing values are reported correctly."""
description = "Test4MissingMatchPathValueDetector"
t = time.time()
match_context_fixed_dme = MatchContext(self.pid)
fixed_dme = FixedDataModelElement('s1', self.pid)
match_element_fixed_dme = fixed_dme.get_match_element("match1", match_context_fixed_dme)
missing_match_path_value_detector = MissingMatchPathValueDetector(self.aminer_config, [match_element_fixed_dme.get_path()], [
self.stream_printer_event_handler], 'Default', True, self.__default_interval, self.__realert_interval)
self.analysis_context.register_component(missing_match_path_value_detector, description)
log_atom_fixed_dme = LogAtom(fixed_dme.fixed_data, ParserMatch(match_element_fixed_dme), t, missing_match_path_value_detector)
self.assertTrue(missing_match_path_value_detector.receive_atom(log_atom_fixed_dme))
past_time = 4000
missing_match_path_value_detector = MissingMatchPathValueDetector(self.aminer_config, [match_element_fixed_dme.get_path()], [
self.stream_printer_event_handler], 'Default', True, missing_match_path_value_detector.default_interval - past_time,
self.__realert_interval, output_log_line=False)
self.analysis_context.register_component(missing_match_path_value_detector, description + "2")
log_atom_fixed_dme = LogAtom(fixed_dme.fixed_data, ParserMatch(match_element_fixed_dme), t + past_time,
missing_match_path_value_detector)
self.assertTrue(missing_match_path_value_detector.receive_atom(log_atom_fixed_dme))
self.assertEqual(self.output_stream.getvalue(), self.__expected_string % (
datetime.fromtimestamp(t + past_time).strftime(self.datetime_format_string),
missing_match_path_value_detector.__class__.__name__, description + "2", 1, self.match1_s1_overdue))
def test4append_values_bytestring(self):
"""
This unittest checks the append_values method with raw_match_object being a bytestring.
This should trigger a ValueError and append the match_string.
"""
event_type_detector = EventTypeDetector(
self.aminer_config, [self.stream_printer_event_handler])
# initialize all values.
t = time.time()
log_atom = LogAtom(
b'This is a string',
ParserMatch(
MatchElement('path', b'This is a string', b'This is a string',
None)), t, self.__class__.__name__)
event_type_detector.receive_atom(log_atom)
event_type_detector.values = [[[]]]
event_type_detector.append_values(log_atom, 0)
self.assertEqual(event_type_detector.values, [[['This is a string']]])
log_atom = LogAtom(
b'24.05.',
ParserMatch(MatchElement('path', b'24.05.', b'24.05.', None)), t,
self.__class__.__name__)
event_type_detector.values = [[[]]]
event_type_detector.append_values(log_atom, 0)
self.assertEqual(event_type_detector.values, [[['24.05.']]])
def test3append_values_float(self):
"""This unittest checks the append_values method with raw_match_object being a float value."""
event_type_detector = EventTypeDetector(
self.aminer_config, [self.stream_printer_event_handler])
# initialize all values.
t = time.time()
log_atom = LogAtom(
b'22.2', ParserMatch(MatchElement('path', b'22.2', 22.2, None)), t,
self.__class__.__name__)
event_type_detector.receive_atom(log_atom)
event_type_detector.values = [[[]]]
event_type_detector.append_values(log_atom, 0)
self.assertEqual(event_type_detector.values, [[[22.2]]])
log_atom = LogAtom(b'22',
ParserMatch(MatchElement('path', b'22', 22, None)),
t, self.__class__.__name__)
event_type_detector.values = [[[]]]
event_type_detector.append_values(log_atom, 0)
self.assertEqual(event_type_detector.values, [[[22]]])
log_atom = LogAtom(
b'22.2', ParserMatch(MatchElement('path', b'22', b'22', None)), t,
self.__class__.__name__)
event_type_detector.values = [[[]]]
event_type_detector.append_values(log_atom, 0)
self.assertEqual(event_type_detector.values, [[[22]]])
def test1receive_atom_min_bin_elements_not_reached(self):
"""This test verifies, that no statistic evaluation is performed, until the minimal amount of bin elements is reached."""
description = "Test1MatchValueAverageChangeDetector"
start_time = 57600
match_element1 = MatchElement(self.cron_job1, b"%d" % start_time, start_time, None)
match_value_average_change_detector = MatchValueAverageChangeDetector(self.aminer_config, [
self.stream_printer_event_handler], None, [match_element1.get_path()], 3, start_time, False, 'Default')
self.analysis_context.register_component(match_value_average_change_detector, description)
# create oldBin
log_atom = LogAtom(match_element1.get_match_object(), ParserMatch(match_element1), start_time, match_value_average_change_detector)
match_value_average_change_detector.receive_atom(log_atom)
match_element1 = MatchElement(self.cron_job1, b"%d" % (start_time + 1000), start_time + 1000, None)
log_atom = LogAtom(
match_element1.get_match_object(), ParserMatch(match_element1), start_time + 1000, match_value_average_change_detector)
match_value_average_change_detector.receive_atom(log_atom)
match_element1 = MatchElement(self.cron_job1, b"%d" % (start_time + 2000), start_time + 2000, None)
log_atom = LogAtom(
match_element1.get_match_object(), ParserMatch(match_element1), start_time + 2000, match_value_average_change_detector)
match_value_average_change_detector.receive_atom(log_atom)
# compare Data
match_element1 = MatchElement(self.cron_job1, b"%d" % (start_time + 10000), start_time + 10000, None)
log_atom = LogAtom(
match_element1.get_match_object(), ParserMatch(match_element1), start_time + 10000, match_value_average_change_detector)
match_value_average_change_detector.receive_atom(log_atom)
match_element1 = MatchElement(self.cron_job1, b"%d" % (start_time + 20000), start_time + 20000, None)
log_atom = LogAtom(
match_element1.get_match_object(), ParserMatch(match_element1), start_time + 20000, match_value_average_change_detector)
match_value_average_change_detector.receive_atom(log_atom)
self.assertEqual(self.output_stream.getvalue(), '')
def test3unsorted_log_atom(self):
"""In this test case multiple, UNSORTED LogAtoms of different sources are received by the class."""
description = "Test3SimpleMultisourceAtomSync"
sync_wait_time = 3
any_byte_data_model_element = AnyByteDataModelElement('a1')
new_match_path_detector1 = NewMatchPathDetector(
self.aminer_config, [self.stream_printer_event_handler],
'Default',
False,
output_log_line=False)
self.analysis_context.register_component(new_match_path_detector1,
description)
new_match_path_detector2 = NewMatchPathDetector(
self.aminer_config, [self.stream_printer_event_handler],
'Default',
False,
output_log_line=False)
self.analysis_context.register_component(new_match_path_detector2,
description + "2")
simple_multisource_atom_sync = SimpleMultisourceAtomSync(
[new_match_path_detector1, new_match_path_detector2],
sync_wait_time)
t = time()
match_context = MatchContext(self.calculation)
match_element = any_byte_data_model_element.get_match_element(
'match', match_context)
log_atom1 = LogAtom(match_element.match_object,
ParserMatch(match_element), t,
new_match_path_detector1)
log_atom2 = LogAtom(match_element.match_object,
ParserMatch(match_element), t - 1,
new_match_path_detector1)
self.assertTrue(
not simple_multisource_atom_sync.receive_atom(log_atom1))
sleep(sync_wait_time)
# unsorted, should be accepted
self.reset_output_stream()
self.assertTrue(simple_multisource_atom_sync.receive_atom(log_atom2))
self.assertTrue(simple_multisource_atom_sync.receive_atom(log_atom1))
self.assertEqual(
self.output_stream.getvalue(), self.__expected_string %
(datetime.fromtimestamp(t - 1).strftime(
self.datetime_format_string),
new_match_path_detector1.__class__.__name__, description, 1,
self.match_path, self.calculation) + self.__expected_string %
(datetime.fromtimestamp(t - 1).strftime(
self.datetime_format_string),
new_match_path_detector1.__class__.__name__, description + "2", 1,
self.match_path, self.calculation) + self.__expected_string %
(datetime.fromtimestamp(t).strftime(self.datetime_format_string),
new_match_path_detector1.__class__.__name__, description, 1,
self.match_path, self.calculation) + self.__expected_string %
(datetime.fromtimestamp(t).strftime(self.datetime_format_string),
new_match_path_detector1.__class__.__name__, description + "2", 1,
self.match_path, self.calculation))
def test13value_dependent_delegated_match_rule(self):
"""This case unit the ValueDependentDelegatedMatchRule."""
description = "Test13Rules"
string_regex_match_rule = StringRegexMatchRule(self.match_any,
re.compile(rb'\w'),
None)
self.analysis_context.register_component(string_regex_match_rule,
description)
any_byte_date_me = AnyByteDataModelElement('any')
i_pv4_in_rfc1918_match_rule = IPv4InRFC1918MatchRule(self.match_ipv4)
self.analysis_context.register_component(i_pv4_in_rfc1918_match_rule,
description + "2")
ip_address_data_model_element = IpAddressDataModelElement('IPv4')
value_dependent_delegated_match_rule = ValueDependentDelegatedMatchRule(
[self.match_any, self.match_ipv4], {
(self.alphabet, ): string_regex_match_rule,
(3232235520, ): i_pv4_in_rfc1918_match_rule
})
self.analysis_context.register_component(
value_dependent_delegated_match_rule, description + "3")
match_context = MatchContext(self.alphabet)
match_element = any_byte_date_me.get_match_element(
'match', match_context)
log_atom = LogAtom(match_context.match_data,
ParserMatch(match_element), 1,
value_dependent_delegated_match_rule)
self.assertTrue(value_dependent_delegated_match_rule.match(log_atom))
match_context = MatchContext(b'192.168.0.0')
match_element = ip_address_data_model_element.get_match_element(
'match', match_context)
log_atom = LogAtom(match_context.match_data,
ParserMatch(match_element), 1,
value_dependent_delegated_match_rule)
self.assertTrue(value_dependent_delegated_match_rule.match(log_atom))
# not matching values
match_context = MatchContext(
b'.There are 26 letters in the english alphabet')
match_element = any_byte_date_me.get_match_element(
'match', match_context)
log_atom = LogAtom(match_context.match_data,
ParserMatch(match_element), 1,
value_dependent_delegated_match_rule)
self.assertTrue(
not value_dependent_delegated_match_rule.match(log_atom))
match_context = MatchContext(b'192.168.0.1')
match_element = ip_address_data_model_element.get_match_element(
'match', match_context)
log_atom = LogAtom(match_context.match_data,
ParserMatch(match_element), 1,
value_dependent_delegated_match_rule)
self.assertTrue(
not value_dependent_delegated_match_rule.match(log_atom))
def test1_log_atom_not_known(self):
"""
This test case checks the correct processing of unknown log lines, which in reality means that an anomaly has been found.
The output is directed to an output stream and compared for accuracy. The auto_include_flag is False and the output must be
repeatable on second run.
"""
description = "Test1NewMatchPathValueDetector"
new_match_path_value_detector = NewMatchPathValueDetector(
self.aminer_config, [self.first_f1_s1],
[self.stream_printer_event_handler],
'Default',
False,
output_log_line=False)
self.analysis_context.register_component(new_match_path_value_detector,
description)
t = time()
log_atom_sequence_me = LogAtom(
self.fixed_dme.fixed_data,
ParserMatch(self.match_element_first_match_me), t,
new_match_path_value_detector)
new_match_path_value_detector.receive_atom(log_atom_sequence_me)
self.assertEqual(
self.output_stream.getvalue(), self.__expected_string %
(datetime.fromtimestamp(t).strftime(self.datetime_format_string),
new_match_path_value_detector.__class__.__name__, description, 1,
self.string2))
self.reset_output_stream()
# repeating should produce the same result
new_match_path_value_detector.receive_atom(log_atom_sequence_me)
self.assertEqual(
self.output_stream.getvalue(), self.__expected_string %
(datetime.fromtimestamp(t).strftime(self.datetime_format_string),
new_match_path_value_detector.__class__.__name__, description, 1,
self.string2))
self.reset_output_stream()
new_match_path_value_detector2 = NewMatchPathValueDetector(
self.aminer_config, ['second/f2/d1'],
[self.stream_printer_event_handler],
'Default',
False,
output_log_line=False)
self.analysis_context.register_component(
new_match_path_value_detector2, description + "2")
log_atom_sequence_me2 = LogAtom(
b'25537', ParserMatch(self.match_element_first_match_me2), t,
new_match_path_value_detector2)
# other MatchElement
new_match_path_value_detector2.receive_atom(log_atom_sequence_me2)
self.assertEqual(
self.output_stream.getvalue(), self.__expected_string %
(datetime.fromtimestamp(t).strftime(self.datetime_format_string),
new_match_path_value_detector.__class__.__name__,
description + "2", 1, "{'second/f2/d1': 25537}\nb'25537'"))
def test1log_multiple_lines_event(self):
"""
In this test case multiple lines should be received, before sending an email to root@localhost.
Make sure no mail notifications are in /var/spool/mail/root, before running this test. This test case must wait some time to
ensure, that the mail can be read.
"""
description = "Test1DefaultMailNotificationEventHandler"
match_context = MatchContext(self.pid)
fixed_dme = FixedDataModelElement('s1', self.pid)
match_element = fixed_dme.get_match_element("match", match_context)
match_context = MatchContext(self.pid)
fixed_dme2 = FixedDataModelElement('s2', self.pid)
match_element2 = fixed_dme2.get_match_element("match", match_context)
default_mail_notification_event_handler = DefaultMailNotificationEventHandler(self.analysis_context)
self.analysis_context.register_component(self, description)
t = time()
log_atom = LogAtom(fixed_dme.fixed_data, ParserMatch(match_element), t, self)
default_mail_notification_event_handler.receive_event(
self.test % self.__class__.__name__, 'New value for pathes %s, %s: %s' % (
'match/s1', 'match/s2', repr(match_element.match_object)), [log_atom.raw_data, log_atom.raw_data], None, log_atom, self)
t += 600
log_atom = LogAtom(fixed_dme.fixed_data, ParserMatch(match_element), t, self)
# set the next_alert_time instead of sleeping 10 seconds
default_mail_notification_event_handler.next_alert_time = time()
default_mail_notification_event_handler.receive_event(
self.test % self.__class__.__name__, 'New value for pathes %s, %s: %s' % (
'match/s1', 'match/s2', repr(match_element.match_object)), [log_atom.raw_data, log_atom.raw_data], None, log_atom, self)
sleep(2)
# skipcq: PYL-W1510, BAN-B602
result = subprocess.run(self.mail_call, shell=True, stdout=subprocess.PIPE)
# skipcq: PYL-W1510, BAN-B602
subprocess.run(self.mail_delete_call, shell=True, stdout=subprocess.PIPE)
if datetime.fromtimestamp(t - 600).strftime(self.datetime_format_string) not in str(result.stdout, 'utf-8'):
print("ERROR: %s t-600 not found in mail!" % description, file=sys.stderr)
if datetime.fromtimestamp(t).strftime(self.datetime_format_string) not in str(result.stdout, 'utf-8'):
print("ERROR: %s t not found in mail!" % description, file=sys.stderr)
self.assertTrue(self.__expected_string % (
"" + match_element.get_path() + ", " + match_element2.get_path(), repr(match_element.get_match_object()),
self.__class__.__name__, description, 2, match_element.get_match_string().decode() + "\n " +
match_element2.get_match_string().decode()) in
str(result.stdout, 'utf-8'), msg="%s vs \n %s" % (self.__expected_string % (
match_element.get_path(), repr(match_element.get_match_object()), self.__class__.__name__, description, 1,
match_element.get_match_string().decode() + "\n\n"), str(result.stdout, 'utf-8')))
self.assertTrue(self.__expected_string % (
"" + match_element.get_path() + ", " + match_element2.get_path(), repr(match_element.get_match_object()),
self.__class__.__name__, description, 2, match_element.get_match_string().decode() + "\n " +
match_element2.get_match_string().decode() + "\n\n") in str(result.stdout, 'utf-8'))
def test4atom_no_match_missing_value_string_set(self):
"""
This test case sets up a set of values, which are all expected to be matched.
The missing value string is set to a value, so when a string does not match this value is used instead.
"""
description = "Test4MatchValueStreamWriter"
output_stream = BytesIO()
match_context = MatchContext(
b'25537Euro 25538Euro 25539Euro 25540Pfund ')
decimal_integer_value_me = DecimalIntegerValueModelElement(
'd1', DecimalIntegerValueModelElement.SIGN_TYPE_NONE,
DecimalIntegerValueModelElement.PAD_TYPE_NONE)
fixed_dme = FixedDataModelElement('s1', self.euro)
sequence_model_element = SequenceModelElement(
'sequence', [decimal_integer_value_me, fixed_dme])
match_value_stream_writer = MatchValueStreamWriter(
output_stream, [self.match_sequence_d1, self.match_sequence_s1],
b';', b'-')
self.analysis_context.register_component(match_value_stream_writer,
description)
match_element = sequence_model_element.get_match_element(
'match', match_context)
log_atom = LogAtom(match_context.match_data,
ParserMatch(match_element), 1,
match_value_stream_writer)
match_value_stream_writer.receive_atom(log_atom)
match_element = sequence_model_element.get_match_element(
'match', match_context)
log_atom = LogAtom(match_context.match_data,
ParserMatch(match_element), 1,
match_value_stream_writer)
match_value_stream_writer.receive_atom(log_atom)
match_element = sequence_model_element.get_match_element(
'match', match_context)
log_atom = LogAtom(match_context.match_data,
ParserMatch(match_element), 1,
match_value_stream_writer)
match_value_stream_writer.receive_atom(log_atom)
match_element = decimal_integer_value_me.get_match_element(
'match', match_context)
match_element.path = self.match_sequence_d1
log_atom = LogAtom(match_context.match_data,
ParserMatch(match_element), 1,
match_value_stream_writer)
match_value_stream_writer.receive_atom(log_atom)
self.assertEqual(output_stream.getvalue().decode(),
'25537;Euro \n25538;Euro \n25539;Euro \n25540;-\n')
def test2all_atoms_match_no_seperator(self):
"""
This test case sets up a set of values, which are all expected to be matched.
The seperator string is None, so all values are expected to be one string.
"""
description = "Test2MatchValueStreamWriter"
output_stream = BytesIO()
match_context = MatchContext(
b'25537Euro 25538Euro 25539Euro 25540Euro ')
decimal_integer_value_me = DecimalIntegerValueModelElement(
'd1', DecimalIntegerValueModelElement.SIGN_TYPE_NONE,
DecimalIntegerValueModelElement.PAD_TYPE_NONE)
fixed_dme = FixedDataModelElement('s1', self.euro)
sequence_model_element = SequenceModelElement(
'sequence', [decimal_integer_value_me, fixed_dme])
match_value_stream_writer = MatchValueStreamWriter(
output_stream, [self.match_sequence_d1, self.match_sequence_s1],
b'', b'-')
self.analysis_context.register_component(match_value_stream_writer,
description)
match_element = sequence_model_element.get_match_element(
'match', match_context)
log_atom = LogAtom(match_context.match_data,
ParserMatch(match_element), 1,
match_value_stream_writer)
match_value_stream_writer.receive_atom(log_atom)
match_element = sequence_model_element.get_match_element(
'match', match_context)
log_atom = LogAtom(match_context.match_data,
ParserMatch(match_element), 1,
match_value_stream_writer)
match_value_stream_writer.receive_atom(log_atom)
match_element = sequence_model_element.get_match_element(
'match', match_context)
log_atom = LogAtom(match_context.match_data,
ParserMatch(match_element), 1,
match_value_stream_writer)
match_value_stream_writer.receive_atom(log_atom)
match_element = sequence_model_element.get_match_element(
'match', match_context)
log_atom = LogAtom(match_context.match_data,
ParserMatch(match_element), 1,
match_value_stream_writer)
match_value_stream_writer.receive_atom(log_atom)
self.assertEqual(output_stream.getvalue().decode(),
'25537Euro \n25538Euro \n25539Euro \n25540Euro \n')
def test2_log_atom_known(self):
"""
This test case checks the functionality of the auto_include_flag.
If the same MatchElement is processed a second time and the auto_include_flag was True, no event must be triggered.
"""
description = "Test2NewMatchPathValueDetector"
new_match_path_value_detector = NewMatchPathValueDetector(
self.aminer_config, [self.first_f1_s1],
[self.stream_printer_event_handler],
'Default',
True,
output_log_line=False)
self.analysis_context.register_component(new_match_path_value_detector,
description)
t = time()
log_atom_sequence_me = LogAtom(
self.fixed_dme.fixed_data,
ParserMatch(self.match_element_first_match_me), t,
new_match_path_value_detector)
new_match_path_value_detector.receive_atom(log_atom_sequence_me)
self.assertEqual(
self.output_stream.getvalue(), self.__expected_string %
(datetime.fromtimestamp(t).strftime(self.datetime_format_string),
new_match_path_value_detector.__class__.__name__, description, 1,
self.string2))
self.reset_output_stream()
# repeating should NOT produce the same result
new_match_path_value_detector.receive_atom(log_atom_sequence_me)
self.assertEqual(self.output_stream.getvalue(), '')
self.reset_output_stream()
new_match_path_value_detector2 = NewMatchPathValueDetector(
self.aminer_config, ['second/f2/d1'],
[self.stream_printer_event_handler],
'Default',
False,
output_log_line=False)
self.analysis_context.register_component(
new_match_path_value_detector2, description + "2")
log_atom_sequence_me2 = LogAtom(
b'25537', ParserMatch(self.match_element_first_match_me2), t,
new_match_path_value_detector2)
# other MatchElement
new_match_path_value_detector2.receive_atom(log_atom_sequence_me2)
self.assertEqual(
self.output_stream.getvalue(), self.__expected_string %
(datetime.fromtimestamp(t).strftime(self.datetime_format_string),
new_match_path_value_detector.__class__.__name__,
description + "2", 1, "{'second/f2/d1': 25537}\nb'25537'"))
def test6_prepare_history_entry(self):
"""In this test case the prepare_history_entry-method is tested with multiple artefact_match_parameters. Also the case of not
finding a parameter is tested."""
t = time.time()
p1 = ParserMatch(self.match_element1)
p2 = ParserMatch(self.match_element2)
log_atom1 = LogAtom(self.match_context1.match_data, p1, t, self)
log_atom2 = LogAtom(self.match_context2.match_data, p2, t + 5, self)
result = self.correlation_rule.prepare_history_entry(self.a_class_selector, log_atom1)
self.assertEqual(result, [t, 0, self.a_class_selector, p1, 22500])
result = self.correlation_rule.prepare_history_entry(self.b_class_selector, log_atom2)
self.assertEqual(result, [t + 5, 0, self.b_class_selector, p2, 22500])
def test9HistogramAnalysisReceiveAtomNoReport(self):
"""This test case aims to test the functionality of the HistogramAnalysis's receive_atom method, when NO report is expected."""
description = "Test9HistogramAnalysis"
start_time = 57600
end_time = 662600
diff = 30000
modulo_time_bin_definition = ModuloTimeBinDefinition(
86400, 3600, 0, 1, 24, False)
histogram_data = HistogramData(self.match_crontab,
modulo_time_bin_definition)
histogram_analysis = HistogramAnalysis(
self.aminer_config,
[(histogram_data.property_path, modulo_time_bin_definition)],
604800, [self.stream_printer_event_handler], True, 'Default')
self.analysis_context.register_component(histogram_analysis,
description)
match_element = MatchElement(self.match_crontab, start_time,
start_time, [])
t = time.time()
log_atom = LogAtom(histogram_data.bin_data, ParserMatch(match_element),
t, histogram_analysis)
histogram_analysis.receive_atom(log_atom)
histogram_data.add_value(start_time)
histogram_data.add_value(end_time)
match_element = MatchElement(self.match_crontab, end_time, end_time,
[])
log_atom = LogAtom(histogram_data.bin_data, ParserMatch(match_element),
t + diff, histogram_analysis)
histogram_analysis.receive_atom(log_atom)
self.assertEqual(self.output_stream.getvalue(), '')
# resetting the outputStream
start_time = start_time + 3600
end_time = end_time + 3600
self.reset_output_stream()
t = t + diff
log_atom = LogAtom(histogram_data.bin_data, ParserMatch(match_element),
t, histogram_analysis)
histogram_analysis.receive_atom(log_atom)
histogram_data.add_value(start_time)
histogram_data.add_value(end_time)
match_element = MatchElement(self.match_crontab, end_time, end_time,
[])
log_atom = LogAtom(histogram_data.bin_data, ParserMatch(match_element),
t + diff, histogram_analysis)
histogram_analysis.receive_atom(log_atom)
self.assertEqual(self.output_stream.getvalue(), '')
def test1_log_atom_not_known(self):
"""
This test case checks the correct processing of unknown log lines, which in reality means that an anomaly has been found.
The output is directed to an output stream and compared for accuracy. The auto_include_flag is False and the output must be
repeatable on second run.
"""
description = "Test1NewMatchPathDetector"
new_match_path_detector = NewMatchPathDetector(
self.aminer_config, [self.stream_printer_event_handler],
'Default',
False,
output_log_line=False)
self.analysis_context.register_component(new_match_path_detector,
description)
t = round(time.time(), 3)
log_atom_fixed_dme = LogAtom(self.fixed_dme.fixed_data,
ParserMatch(self.match_element_fixed_dme),
t, new_match_path_detector)
log_atom_decimal_integer_value_me = LogAtom(
self.match_context_decimal_integer_value_me.match_data,
ParserMatch(self.match_element_decimal_integer_value_me), t,
new_match_path_detector)
self.assertTrue(
new_match_path_detector.receive_atom(log_atom_fixed_dme))
self.assertEqual(
self.output_stream.getvalue(), self.__expected_string %
(datetime.fromtimestamp(t).strftime(self.datetime_format_string),
new_match_path_detector.__class__.__name__, description, 1,
self.match_path_s1, self.pid))
self.reset_output_stream()
# repeating should produce the same result
self.assertTrue(
new_match_path_detector.receive_atom(log_atom_fixed_dme))
self.assertEqual(
self.output_stream.getvalue(), self.__expected_string %
(datetime.fromtimestamp(t).strftime(self.datetime_format_string),
new_match_path_detector.__class__.__name__, description, 1,
self.match_path_s1, self.pid))
self.reset_output_stream()
# other MatchElement
self.assertTrue(
new_match_path_detector.receive_atom(
log_atom_decimal_integer_value_me))
self.assertEqual(
self.output_stream.getvalue(), self.__expected_string %
(datetime.fromtimestamp(t).strftime(self.datetime_format_string),
new_match_path_detector.__class__.__name__, description, 1,
self.match_path_d1, self.uid))
def test10_histogram_analysis_receive_atom_report_expected(self):
"""This test case aims to test the functionality of the HistogramAnalysis's receive_atom method, when A report is expected."""
description = "Test10HistogramAnalysis"
start_time = 57600
end_time = 662600
diff = 605000
modulo_time_bin_definition = ModuloTimeBinDefinition(86400, 3600, 0, 1, 24, False)
histogram_data = HistogramData(self.match_crontab, modulo_time_bin_definition)
histogram_analysis = HistogramAnalysis(self.aminer_config, [(histogram_data.property_path, modulo_time_bin_definition)], 604800,
[self.stream_printer_event_handler], True, 'Default')
self.analysis_context.register_component(histogram_analysis, description)
match_element = MatchElement(self.match_crontab, str(start_time).encode(), start_time, None)
t = time.time()
log_atom = LogAtom(histogram_data.bin_data, ParserMatch(match_element), t, histogram_analysis)
histogram_analysis.receive_atom(log_atom)
histogram_data.add_value(start_time)
histogram_data.add_value(end_time)
match_element = MatchElement(self.match_crontab, str(end_time).encode(), end_time, None)
log_atom = LogAtom(histogram_data.bin_data, ParserMatch(match_element), t + diff, histogram_analysis)
histogram_analysis.receive_atom(log_atom)
self.assertEqual(self.output_stream.getvalue(), self.__expected_string_histogram_analysis % (
datetime.fromtimestamp(t + diff).strftime(self.datetime_format_string), histogram_analysis.__class__.__name__, description, 2,
datetime.fromtimestamp(t).strftime(self.datetime_format_string),
datetime.fromtimestamp(t + diff).strftime(self.datetime_format_string),
'Property "match/crontab" (2 elements):\n * [16-17]: 2 (ratio = 1.00e+00, p = 1.74e-03)'))
# resetting the outputStream
start_time = start_time + 3600
end_time = end_time + 3600
self.reset_output_stream()
t = t + diff
log_atom = LogAtom(histogram_data.bin_data, ParserMatch(match_element), t, histogram_analysis)
histogram_analysis.receive_atom(log_atom)
histogram_data.add_value(start_time)
histogram_data.add_value(end_time)
match_element = MatchElement(self.match_crontab, str(end_time).encode(), end_time, None)
log_atom = LogAtom(histogram_data.bin_data, ParserMatch(match_element), t + diff, histogram_analysis)
histogram_analysis.receive_atom(log_atom)
self.assertEqual(self.output_stream.getvalue(), self.__expected_string_histogram_analysis % (
datetime.fromtimestamp(t + diff).strftime(self.datetime_format_string), histogram_analysis.__class__.__name__, description, 2,
datetime.fromtimestamp(t).strftime(self.datetime_format_string),
datetime.fromtimestamp(t + diff).strftime(self.datetime_format_string),
'Property "match/crontab" (2 elements):\n * [16-17]: 1 (ratio = 5.00e-01, p = 8.16e-02)\n * [17-18]: 1 '
'(ratio = 5.00e-01, p = 8.16e-02)'))
def test1match_found(self):
"""This test case checks if valid inputs are recognized."""
description = "Test1WhitelistViolationDetector"
path_exists_match_rule = PathExistsMatchRule('match/s1', None)
path_exists_match_rule2 = PathExistsMatchRule('match/s2', None)
t = time.time()
whitelist_violation_detector = WhitelistViolationDetector(
self.aminer_config,
[path_exists_match_rule, path_exists_match_rule2],
[self.stream_printer_event_handler],
output_log_line=False)
self.analysis_context.register_component(whitelist_violation_detector,
description)
fixed_dme = FixedDataModelElement('s1', self.fixed_string)
match_context = MatchContext(self.fixed_string)
match_element = fixed_dme.get_match_element('match', match_context)
log_atom = LogAtom(match_context.match_data,
ParserMatch(match_element), t,
whitelist_violation_detector)
self.assertTrue(whitelist_violation_detector.receive_atom(log_atom))
self.assertEqual(self.output_stream.getvalue(), '')
fixed_dme = FixedDataModelElement('s2', self.fixed_string)
match_context = MatchContext(self.fixed_string)
match_element = fixed_dme.get_match_element('match', match_context)
log_atom = LogAtom(match_element.match_object,
ParserMatch(match_element), t,
whitelist_violation_detector)
self.assertTrue(whitelist_violation_detector.receive_atom(log_atom))
self.assertEqual(self.output_stream.getvalue(), '')
fixed_dme = FixedDataModelElement('s3', self.fixed_string)
match_context = MatchContext(self.fixed_string)
match_element = fixed_dme.get_match_element('match', match_context)
log_atom = LogAtom(match_element.match_object,
ParserMatch(match_element), t,
path_exists_match_rule)
self.assertTrue(
not whitelist_violation_detector.receive_atom(log_atom))
self.assertEqual(
self.output_stream.getvalue(), self.__expected_string %
(datetime.fromtimestamp(t).strftime("%Y-%m-%d %H:%M:%S"),
whitelist_violation_detector.__class__.__name__, description, 1,
"b'fixed String'"))
def test1_check_status_ok(self):
"""In this test case the status is OK after receiving the expected data and no error message is returned. The output of the
do_timer-method is also tested in this test case. """
description = "Test1TimeCorrelationViolationDetector"
time_correlation_violation_detector = TimeCorrelationViolationDetector(self.analysis_context.aminer_config, self.rules,
[self.stream_printer_event_handler])
self.analysis_context.register_component(time_correlation_violation_detector, component_name=description)
log_atom1 = LogAtom(self.match_context1.match_data, ParserMatch(self.match_element1), time.time(), self)
time_correlation_violation_detector.receive_atom(log_atom1)
log_atom2 = LogAtom(self.match_context2.match_data, ParserMatch(self.match_element2), time.time() + 1, self)
time_correlation_violation_detector.receive_atom(log_atom2)
time_correlation_violation_detector.do_timer(time.time())
self.assertEqual(self.output_stream.getvalue(), "")
