def Netstat(self, _): """Returns fake connections.""" conn1 = rdf_client.NetworkConnection( state=rdf_client.NetworkConnection.State.LISTEN, type=rdf_client.NetworkConnection.Type.SOCK_STREAM, local_address=rdf_client.NetworkEndpoint( ip="0.0.0.0", port=22), remote_address=rdf_client.NetworkEndpoint( ip="0.0.0.0", port=0), pid=2136, ctime=0) conn2 = rdf_client.NetworkConnection( state=rdf_client.NetworkConnection.State.LISTEN, type=rdf_client.NetworkConnection.Type.SOCK_STREAM, local_address=rdf_client.NetworkEndpoint( ip="192.168.1.1", port=31337), remote_address=rdf_client.NetworkEndpoint( ip="1.2.3.4", port=6667), pid=1, ctime=0) return [conn1, conn2]
def Run(self, unused_args): netstat = [] for proc in psutil.process_iter(): try: netstat.append((proc.pid, proc.connections())) except (psutil.NoSuchProcess, psutil.AccessDenied): pass for pid, connections in netstat: for conn in connections: res = rdf_client.NetworkConnection() res.pid = pid res.family = conn.family res.type = conn.type try: if conn.status: res.state = conn.status except ValueError: logging.warn("Encountered unknown connection status (%s).", conn.status) res.local_address.ip, res.local_address.port = conn.local_address if conn.remote_address: res.remote_address.ip, res.remote_address.port = conn.remote_address self.SendReply(res)
def testWhenFetchingFiltersOutProcessesWithoutExeAndConnectionState(self): client_id = test_lib.TEST_CLIENT_ID p1 = rdf_client.Process(pid=2, ppid=1, cmdline=["test_img.dd"], ctime=long(1333718907.167083 * 1e6)) p2 = rdf_client.Process(pid=2, ppid=1, cmdline=["cmd.exe"], exe="c:\\windows\\cmd.exe", ctime=long(1333718907.167083 * 1e6), connections=rdf_client.NetworkConnection( family="INET", state="ESTABLISHED")) client_mock = action_mocks.ListProcessesMock([p1, p2]) for s in flow_test_lib.TestFlowHelper( flow_processes.ListProcesses.__name__, client_mock, fetch_binaries=True, client_id=client_id, connection_states=["LISTEN"], token=self.token): session_id = s # No output matched. processes = flow.GRRFlow.ResultCollectionForFID(session_id) self.assertEqual(len(processes), 0)
def Run(self, unused_args): for proc in psutil.process_iter(): try: connections = proc.connections() except (psutil.NoSuchProcess, psutil.AccessDenied): continue for conn in connections: res = rdf_client.NetworkConnection() res.pid = proc.pid res.process_name = proc.name() res.family = conn.family res.type = conn.type try: if conn.status: res.state = conn.status except ValueError: logging.warn("Encountered unknown connection status (%s).", conn.status) res.local_address.ip, res.local_address.port = conn.laddr if conn.raddr: res.remote_address.ip, res.remote_address.port = conn.raddr self.SendReply(res)
def AddListener(self, ip, port, family="INET", sock_type="SOCK_STREAM"): conn = rdf_client.NetworkConnection() conn.state = "LISTEN" conn.family = family conn.type = sock_type conn.local_address = rdf_client.NetworkEndpoint(ip=ip, port=port) return conn
def testWhenFetchingFiltersOutProcessesWithoutExeAndConnectionState(self): p1 = rdf_client.Process(pid=2, ppid=1, cmdline=["test_img.dd"], ctime=long(1333718907.167083 * 1e6)) p2 = rdf_client.Process(pid=2, ppid=1, cmdline=["cmd.exe"], exe="c:\\windows\\cmd.exe", ctime=long(1333718907.167083 * 1e6), connections=rdf_client.NetworkConnection( family="INET", state="ESTABLISHED")) client_mock = ListProcessesMock([p1, p2]) for s in test_lib.TestFlowHelper("ListProcesses", client_mock, fetch_binaries=True, client_id=self.client_id, connection_states=["LISTEN"], token=self.token): session_id = s # No output matched. results = aff4.FACTORY.Open( session_id.Add(flow_runner.RESULTS_SUFFIX), aff4_type=sequential_collection.GeneralIndexedCollection, token=self.token) self.assertEqual(len(results), 0)
def testProcessListingFilterConnectionState(self): p1 = rdf_client.Process(pid=2, ppid=1, cmdline=["cmd.exe"], exe="c:\\windows\\cmd.exe", ctime=long(1333718907.167083 * 1e6), connections=rdf_client.NetworkConnection( family="INET", state="CLOSED")) p2 = rdf_client.Process(pid=3, ppid=1, cmdline=["cmd2.exe"], exe="c:\\windows\\cmd2.exe", ctime=long(1333718907.167083 * 1e6), connections=rdf_client.NetworkConnection( family="INET", state="LISTEN")) p3 = rdf_client.Process(pid=4, ppid=1, cmdline=["missing_exe.exe"], ctime=long(1333718907.167083 * 1e6), connections=rdf_client.NetworkConnection( family="INET", state="ESTABLISHED")) client_mock = ListProcessesMock([p1, p2, p3]) flow_urn = flow.GRRFlow.StartFlow( client_id=self.client_id, flow_name="ListProcesses", connection_states=["ESTABLISHED", "LISTEN"], token=self.token) for s in test_lib.TestFlowHelper(flow_urn, client_mock, client_id=self.client_id, token=self.token): session_id = s processes = aff4.FACTORY.Open(session_id.Add( flow_runner.RESULTS_SUFFIX), token=self.token) self.assertEqual(len(processes), 2) states = set() for process in processes: states.add(str(process.connections[0].state)) self.assertItemsEqual(states, ["ESTABLISHED", "LISTEN"])
def testProcessListingFilterConnectionState(self): client_id = test_lib.TEST_CLIENT_ID p1 = rdf_client.Process(pid=2, ppid=1, cmdline=["cmd.exe"], exe="c:\\windows\\cmd.exe", ctime=long(1333718907.167083 * 1e6), connections=rdf_client.NetworkConnection( family="INET", state="CLOSED")) p2 = rdf_client.Process(pid=3, ppid=1, cmdline=["cmd2.exe"], exe="c:\\windows\\cmd2.exe", ctime=long(1333718907.167083 * 1e6), connections=rdf_client.NetworkConnection( family="INET", state="LISTEN")) p3 = rdf_client.Process(pid=4, ppid=1, cmdline=["missing_exe.exe"], ctime=long(1333718907.167083 * 1e6), connections=rdf_client.NetworkConnection( family="INET", state="ESTABLISHED")) client_mock = action_mocks.ListProcessesMock([p1, p2, p3]) flow_urn = flow.GRRFlow.StartFlow( client_id=client_id, flow_name=flow_processes.ListProcesses.__name__, connection_states=["ESTABLISHED", "LISTEN"], token=self.token) for s in flow_test_lib.TestFlowHelper(flow_urn, client_mock, client_id=client_id, token=self.token): session_id = s processes = flow.GRRFlow.ResultCollectionForFID(session_id) self.assertEqual(len(processes), 2) states = set() for process in processes: states.add(str(process.connections[0].state)) self.assertItemsEqual(states, ["ESTABLISHED", "LISTEN"])
def testFileViewDoesNotHaveExportTabWhenCollectionHasNoFiles(self): collection_urn = "aff4:/C.0000000000000001/analysis/SomeFlow/results" with self.ACLChecksDisabled(): with aff4.FACTORY.Create(collection_urn, "RDFValueCollection", token=self.token) as fd: fd.Add(rdf_client.NetworkConnection(pid=42)) self.GrantClientApproval("C.0000000000000001") self.Open("/#c=C.0000000000000001") self.Click("css=a:contains('Browse Virtual Filesystem')") self.Click("css=li[path='/analysis'] > a") self.Click("css=li[path='/analysis/SomeFlow'] > a") self.Click("css=tr:contains('results')") # The Results tab should appear, but the "Export" tab should be # disabled since we only display export hint when we have collections of # StatEntries or FileFinderResults. self.WaitUntil(self.IsElementPresent, "css=#Export.disabled")
def Start(self): self.SendReply(rdf_client.NetworkConnection(pid=42))