    def run_test(self, create_filter, input_blobs=None, expected_output_blobs=None):
        """Run serialized ``input_blobs`` through an OutputFilter over a mocked stdin and return its output.

        ``sys.stdin``, ``sys.stdout`` and the config-file path lookup are patched for the
        duration of the run, so the filter reads only the supplied blobs and writes into a
        buffer that is parsed back into dicts afterwards.

        Args:
            create_filter: A zero-argument callable returning the OutputFilter under test.
            input_blobs: Dicts to serialize, one JSON document per line, as the filter's stdin.
                ``None`` or an empty sequence means no input.
            expected_output_blobs: If non-empty, the filter must emit exactly as many blobs and
                each must match the corresponding expected blob via ``assert_equal_sorted``.

        Returns:
            The list of dicts the filter wrote to stdout, in output order.
        """
        blobs_in = input_blobs or []
        stdin_text = '\n'.join(simplejson.dumps(blob) for blob in blobs_in)
        config_path = './tests/output_filters/data/test_osxcollector_config.yaml'

        with nested(
            patch('sys.stdin', StringIO(stdin_text)),
            patch('sys.stdout', new_callable=StringIO),
            patch('osxcollector.output_filters.util.config._config_file_path', return_value=config_path),
        ) as (_, mock_stdout, _):
            run_filter(create_filter())

            # One JSON document per line; trailing newline yields an empty string we drop.
            raw_output = mock_stdout.getvalue()
            output_blobs = [simplejson.loads(line) for line in raw_output.split('\n') if line]

            if expected_output_blobs:
                T.assert_equal(len(output_blobs), len(expected_output_blobs))
                for expected_blob, actual_blob in zip(expected_output_blobs, output_blobs):
                    assert_equal_sorted(expected_blob, actual_blob)

            return output_blobs
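def main():
    """Command-line entry point: parse pivot terms and hand an AnalyzeFilter to run_filter.

    Options:
        -f/--file-term: suspicious file-name terms (repeatable).
        -d/--domain: suspicious domains (repeatable).
        -i/--ip: suspicious IPs (repeatable).
    """
    parser = OptionParser(usage='usage: %prog [options]')
    # default=None rather than []: optparse's 'append' action appends to the default
    # object in place, so a [] default is shared by every parse_args() call in the process.
    parser.add_option('-f', '--file-term', dest='file_terms', default=None, action='append',
                      help='[OPTIONAL] Suspicious terms to use in pivoting through file names.  May be specified more than once.')
    parser.add_option('-d', '--domain', dest='domain_terms', default=None, action='append',
                      help='[OPTIONAL] Suspicious domains to use for pivoting.  May be specified more than once.')
    parser.add_option('-i', '--ip', dest='ip_terms', default=None, action='append',
                      help='[OPTIONAL] Suspicious IP to use for pivoting.  May be specified more than once.')
    options, _ = parser.parse_args()

    # Unspecified repeatable options are None; the filter is still given empty lists as before.
    run_filter(AnalyzeFilter(
        initial_file_terms=options.file_terms or [],
        initial_domains=options.domain_terms or [],
        initial_ips=options.ip_terms or [],
    ))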
    def run_test(self,
                 create_filter,
                 input_blobs=None,
                 expected_output_blobs=None):
        """Drive an OutputFilter with mocked stdin/stdout/config and return the blobs it emitted.

        Args:
            create_filter: A zero-argument callable returning the OutputFilter under test.
            input_blobs: Dicts serialized one-per-line as the filter's stdin; ``None`` or
                empty means no input.
            expected_output_blobs: If non-empty, the output must contain the same number of
                blobs, each compared to its expected counterpart with ``assert_equal_sorted``.

        Returns:
            The list of dicts parsed from the filter's stdout, in output order.
        """

        def _parse_output(text):
            # Each non-empty line is one JSON document.
            return [simplejson.loads(line) for line in text.split('\n') if line]

        stdin_text = '\n'.join(
            simplejson.dumps(blob) for blob in (input_blobs or []))
        config_patch = patch(
            'osxcollector.output_filters.util.config._config_file_path',
            return_value='./tests/output_filters/data/test_osxcollector_config.yaml')

        with patch('sys.stdin', StringIO(stdin_text)), \
                patch('sys.stdout', new_callable=StringIO) as mock_stdout, \
                config_patch:
            run_filter(create_filter())
            output_blobs = _parse_output(mock_stdout.getvalue())

            if expected_output_blobs:
                T.assert_equal(len(output_blobs), len(expected_output_blobs))
                for expected_blob, actual_blob in zip(expected_output_blobs,
                                                      output_blobs):
                    assert_equal_sorted(expected_blob, actual_blob)

            return output_blobs
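def main():
    """Command-line entry point for the analyze filter.

    Parses pivot terms and feature toggles, builds an AnalyzeFilter (or, with
    ``--readout``, a _VeryReadableOutputFilter) and runs it via run_filter over
    ``--input-file`` when given, otherwise over the default input stream.
    """
    parser = ArgumentParser()
    parser.add_argument('-f', '--file-term', dest='file_terms', default=[], action='append',
                        help='[OPTIONAL] Suspicious terms to use in pivoting through file names.  May be specified more than once.')
    parser.add_argument('-d', '--domain', dest='domain_terms', default=[], action='append',
                        help='[OPTIONAL] Suspicious domains to use for pivoting.  May be specified more than once.')
    parser.add_argument('-i', '--ip', dest='ip_terms', default=[], action='append',
                        help='[OPTIONAL] Suspicious IP to use for pivoting.  May be specified more than once.')
    # type=int: without it a value given on the command line reaches AnalyzeFilter as a str
    # while the default (presumably an int, it is a generation count) does not.
    parser.add_argument('--related-domains-generations', dest='related_domains_generations', type=int,
                        default=DEFAULT_RELATED_DOMAINS_GENERATIONS,
                        help='[OPTIONAL] How many generations of related domains to lookup with OpenDNS')
    parser.add_argument('--readout', dest='readout', action='store_true', default=False,
                        help='[OPTIONAL] Skip the analysis and just output really readable analysis')
    parser.add_argument('-M', '--monochrome', dest='monochrome', action='store_true', default=False,
                        help='[OPTIONAL] Output monochrome analysis')
    parser.add_argument('--no-opendns', dest='no_opendns', action='store_true', default=False,
                        help='[OPTIONAL] Don\'t run OpenDNS filters')
    parser.add_argument('--no-virustotal', dest='no_virustotal', action='store_true', default=False,
                        help='[OPTIONAL] Don\'t run VirusTotal filters')
    parser.add_argument('--no-shadowserver', dest='no_shadowserver', action='store_true', default=False,
                        help='[OPTIONAL] Don\'t run ShadowServer filters')
    parser.add_argument('--input-file', dest='input_file', default=None,
                        help='[OPTIONAL] Path to OSXCollector output to read. Defaults to stdin otherwise.')

    args = parser.parse_args()

    if args.readout:
        output_filter = _VeryReadableOutputFilter(monochrome=args.monochrome)
    else:
        output_filter = AnalyzeFilter(initial_file_terms=args.file_terms, initial_domains=args.domain_terms,
                                      initial_ips=args.ip_terms, related_domains_generations=args.related_domains_generations,
                                      monochrome=args.monochrome, no_opendns=args.no_opendns, no_virustotal=args.no_virustotal,
                                      no_shadowserver=args.no_shadowserver)

    if args.input_file:
        # The file is closed by the with-block even if the filter raises part-way through.
        with open(args.input_file, 'r') as fp_in:
            run_filter(output_filter, input_stream=fp_in)
    else:
        run_filter(output_filter)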
def main():
    """Entry point: build a FindBlacklistedFilter and hand it to run_filter."""
    output_filter = FindBlacklistedFilter()
    run_filter(output_filter)
def main():
    """Entry point: build a LookupURLsFilter and hand it to run_filter."""
    output_filter = LookupURLsFilter()
    run_filter(output_filter)
def main():
    """Entry point: build a RelatedDomainsFilter and hand it to run_filter."""
    output_filter = RelatedDomainsFilter()
    run_filter(output_filter)
def main():
    """Entry point: build a LookupDomainsFilter and hand it to run_filter."""
    output_filter = LookupDomainsFilter()
    run_filter(output_filter)
def main():
    """Entry point: build a FirefoxHistoryFilter and hand it to run_filter."""
    output_filter = FirefoxHistoryFilter()
    run_filter(output_filter)
def main():
    """Entry point: build a LookupURLsFilter and hand it to run_filter."""
    output_filter = LookupURLsFilter()
    run_filter(output_filter)
def main():
    """Entry point: build a LookupDomainsFilter and hand it to run_filter."""
    output_filter = LookupDomainsFilter()
    run_filter(output_filter)
def main():
    """Entry point: build a LookupHashesFilter and hand it to run_filter."""
    output_filter = LookupHashesFilter()
    run_filter(output_filter)
def main():
    """Entry point: build a FindDomainsFilter and hand it to run_filter."""
    output_filter = FindDomainsFilter()
    run_filter(output_filter)
def main():
    """Entry point: build a SortHistoryFilter and hand it to run_filter."""
    output_filter = SortHistoryFilter()
    run_filter(output_filter)
def main():
    """Entry point: build a FirefoxHistoryFilter and hand it to run_filter."""
    output_filter = FirefoxHistoryFilter()
    run_filter(output_filter)
def main():
    """Entry point: build a FindExtensionsFilter and hand it to run_filter."""
    output_filter = FindExtensionsFilter()
    run_filter(output_filter)
def main():
    """Entry point: build a RelatedDomainsFilter and hand it to run_filter."""
    output_filter = RelatedDomainsFilter()
    run_filter(output_filter)
def main():
    """Entry point: build a ChromeHistoryFilter and hand it to run_filter."""
    output_filter = ChromeHistoryFilter()
    run_filter(output_filter)
def main():
    """Entry point: build a FindBlacklistedFilter and hand it to run_filter."""
    output_filter = FindBlacklistedFilter()
    run_filter(output_filter)
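def _build_parser():
    """Return the ArgumentParser for the analyze command line (options only, no parsing)."""
    parser = ArgumentParser()
    parser.add_argument(
        '-f',
        '--file-term',
        dest='file_terms',
        default=[],
        action='append',
        help=
        '[OPTIONAL] Suspicious terms to use in pivoting through file names.  May be specified more than once.'
    )
    parser.add_argument(
        '-d',
        '--domain',
        dest='domain_terms',
        default=[],
        action='append',
        help=
        '[OPTIONAL] Suspicious domains to use for pivoting.  May be specified more than once.'
    )
    parser.add_argument(
        '-i',
        '--ip',
        dest='ip_terms',
        default=[],
        action='append',
        help=
        '[OPTIONAL] Suspicious IP to use for pivoting.  May be specified more than once.'
    )
    # type=int: without it a command-line value arrives as a str while the default
    # (presumably an int, it is a generation count) does not.
    parser.add_argument(
        '--related-domains-generations',
        dest='related_domains_generations',
        type=int,
        default=DEFAULT_RELATED_DOMAINS_GENERATIONS,
        help=
        '[OPTIONAL] How many generations of related domains to lookup with OpenDNS'
    )
    parser.add_argument(
        '--readout',
        dest='readout',
        action='store_true',
        default=False,
        help=
        '[OPTIONAL] Skip the analysis and just output really readable analysis'
    )
    parser.add_argument('-M',
                        '--monochrome',
                        dest='monochrome',
                        action='store_true',
                        default=False,
                        help='[OPTIONAL] Output monochrome analysis')
    parser.add_argument('--no-opendns',
                        dest='no_opendns',
                        action='store_true',
                        default=False,
                        help='[OPTIONAL] Don\'t run OpenDNS filters')
    parser.add_argument('--no-virustotal',
                        dest='no_virustotal',
                        action='store_true',
                        default=False,
                        help='[OPTIONAL] Don\'t run VirusTotal filters')
    parser.add_argument('--no-shadowserver',
                        dest='no_shadowserver',
                        action='store_true',
                        default=False,
                        help='[OPTIONAL] Don\'t run ShadowServer filters')
    parser.add_argument(
        '--show-signature-chain',
        dest='show_signature_chain',
        action='store_true',
        default=False,
        help='[OPTIONAL] Output unsigned startup items and kexts.')
    parser.add_argument(
        '--show-browser-ext',
        dest='show_browser_ext',
        action='store_true',
        default=False,
        help='[OPTIONAL] Output the list of installed browser extensions.')
    parser.add_argument(
        '--input-file',
        dest='input_file',
        default=None,
        help=
        '[OPTIONAL] Path to OSXCollector output to read. Defaults to stdin otherwise.'
    )
    return parser


def _build_filter(args):
    """Return the output filter selected by the parsed ``args``.

    ``--readout`` picks the _VeryReadableOutputFilter; otherwise an AnalyzeFilter is
    configured with the pivot terms and the feature toggles.
    """
    if args.readout:
        return _VeryReadableOutputFilter(
            monochrome=args.monochrome,
            show_signature_chain=args.show_signature_chain,
            show_browser_ext=args.show_browser_ext)
    return AnalyzeFilter(
        initial_file_terms=args.file_terms,
        initial_domains=args.domain_terms,
        initial_ips=args.ip_terms,
        related_domains_generations=args.related_domains_generations,
        monochrome=args.monochrome,
        no_opendns=args.no_opendns,
        no_virustotal=args.no_virustotal,
        no_shadowserver=args.no_shadowserver,
        show_signature_chain=args.show_signature_chain,
        show_browser_ext=args.show_browser_ext)


def main():
    """Command-line entry point for the analyze filter.

    Parses the options, builds the selected filter and runs it via run_filter over
    ``--input-file`` when given, otherwise over the default input stream.
    """
    args = _build_parser().parse_args()
    output_filter = _build_filter(args)

    if args.input_file:
        # The with-block closes the file even if the filter raises part-way through.
        with open(args.input_file, 'r') as fp_in:
            run_filter(output_filter, input_stream=fp_in)
    else:
        run_filter(output_filter)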
def main():
    """Entry point: build a LookupHashesFilter and hand it to run_filter."""
    output_filter = LookupHashesFilter()
    run_filter(output_filter)
def main():
    """Entry point: build a ChromeHistoryFilter and hand it to run_filter."""
    output_filter = ChromeHistoryFilter()
    run_filter(output_filter)