def testParseWithIIS7SQLIFile(self):
    """Tests Parse on an IIS 7 log that records a SQL injection attempt.

    The fixture is expected to yield two events and no warnings. The first
    event is checked field by field, including the HTTP 500 status the server
    answered with.
    """
    iis_parser = iis.WinIISParser()
    writer = self._ParseFile(['iis7_sqli.log'], iis_parser)

    self.assertEqual(writer.number_of_warnings, 0)
    self.assertEqual(writer.number_of_events, 2)

    first_event = list(writer.GetEvents())[0]

    # The user agent is expected exactly as the log records it, with '+'
    # between the tokens rather than spaces.
    user_agent = (
        'Mozilla/5.0+(Macintosh;+Intel+Mac+OS+X+10_9_2)+AppleWebKit/'
        '537.36+(KHTML,+like+Gecko)+Chrome/34.0.1847.131+Safari/537.36')
    expected = {
        'data_type': 'iis:log:line',
        'dest_ip': '111.111.111.111',
        'dest_port': 443,
        'http_method': 'GET',
        'http_status': 500,
        'requested_uri_stem': '/foo/bar/baz.asp',
        'source_ip': '222.222.222.222',
        'timestamp': '2015-10-16 13:01:02.000000',
        'user_agent': user_agent,
    }
    self.CheckEventValues(writer, first_event, expected)
def testParseWithoutDate(self):
    """Tests Parse on an IIS log whose lines carry no date column.

    Counts the stored attribute containers directly (events, extraction
    warnings and recovery warnings) instead of reading the writer's counters,
    then checks the second event's date/time and protocol version.
    """
    iis_parser = iis.WinIISParser()
    writer = self._ParseFile(['iis_without_date.log'], iis_parser)

    self.assertEqual(writer.GetNumberOfAttributeContainers('event'), 11)
    for warning_type in ('extraction_warning', 'recovery_warning'):
        self.assertEqual(
            writer.GetNumberOfAttributeContainers(warning_type), 0)

    second_event = list(writer.GetEvents())[1]

    # Even without a date column the event resolves to a full date, presumably
    # taken from a date directive elsewhere in the file — verify against the
    # parser before relying on that.
    expected = {
        'data_type': 'iis:log:line',
        'date_time': '2013-07-30 00:00:03',
        'protocol_version': 'HTTP/1.1',
        'timestamp': '2013-07-30 00:00:03.000000',
    }
    self.CheckEventValues(writer, second_event, expected)
def testParseWithIIS7OWAFile(self):
    """Tests Parse on an IIS 7 log taken from an Outlook Web Access server.

    The fixture is expected to yield three events and no warnings; the first
    event is checked field by field.
    """
    iis_parser = iis.WinIISParser()
    writer = self._ParseFile(['iis7_owa.log'], iis_parser)

    self.assertEqual(writer.number_of_warnings, 0)
    self.assertEqual(writer.number_of_events, 3)

    first_event = list(writer.GetEvents())[0]

    # The user agent is expected exactly as the log records it, with '+'
    # between the tokens rather than spaces.
    user_agent = (
        'Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/537.36+'
        '(KHTML,+like+Gecko)+Chrome/39.0.2171.95+Safari/537.36')
    expected = {
        'data_type': 'iis:log:line',
        'dest_ip': '10.11.2.3',
        'dest_port': 443,
        'http_method': 'GET',
        'http_status': 200,
        'requested_uri_stem': '/owa/',
        'source_ip': '77.123.22.98',
        'timestamp': '2015-12-31 00:19:48.000000',
        'user_agent': user_agent,
    }
    self.CheckEventValues(writer, first_event, expected)
def testParse(self):
    """Tests Parse on the baseline iis.log fixture.

    Expects 12 events and no warnings, then checks event values and formatted
    message strings for a handful of events, ending with the event whose query
    string contains shell metacharacters.
    """
    iis_parser = iis.WinIISParser()
    writer = self._ParseFile(['iis.log'], iis_parser)

    self.assertEqual(writer.number_of_warnings, 0)
    self.assertEqual(writer.number_of_events, 12)

    events = list(writer.GetEvents())

    def check_messages(event, long_message, short_message):
        # Message strings are rendered from the event data, not the event.
        event_data = self._GetEventDataOfEvent(writer, event)
        self._TestGetMessageStrings(event_data, long_message, short_message)

    self.CheckEventValues(writer, events[0], {
        'dest_ip': '10.10.10.100',
        'dest_port': 80,
        'source_ip': '10.10.10.100',
        'timestamp': '2013-07-30 00:00:00.000000',
    })

    check_messages(
        events[0],
        'GET /some/image/path/something.jpg '
        '[ 10.10.10.100 > 10.10.10.100 : 80 ] '
        'HTTP Status: 200 '
        'User Agent: Mozilla/4.0+(compatible;+Win32;'
        '+WinHttp.WinHttpRequest.5)',
        'GET /some/image/path/something.jpg '
        '[ 10.10.10.100 > 10.10.10.100 : 80 ]')

    self.CheckEventValues(writer, events[5], {
        'http_method': 'GET',
        'http_status': 200,
        'requested_uri_stem': '/some/image/path/something.jpg',
        'timestamp': '2013-07-30 00:00:05.000000',
    })

    check_messages(
        events[1],
        'GET /some/image/path/something.htm '
        '[ 22.22.22.200 > 10.10.10.100 : 80 ] '
        'HTTP Status: 404 '
        'User Agent: Mozilla/5.0+(Macintosh;+Intel+Mac+OS+X+10_6_8)'
        '+AppleWebKit/534.57.2+(KHTML,+like+Gecko)+Version/5.1.7'
        '+Safari/534.57.2',
        'GET /some/image/path/something.htm '
        '[ 22.22.22.200 > 10.10.10.100 : 80 ]')

    # The last event's query string carries backticks and a pipe. The parser
    # is expected to keep it verbatim (still percent-encoded, not unescaped)
    # so the raw request reaches downstream analysis unchanged.
    self.CheckEventValues(writer, events[11], {
        'cs_uri_query': 'ID=ERROR[`cat%20passwd|echo`]',
    })
def testParse(self):
    """Tests Parse on the baseline iis.log fixture.

    Expects 12 events and no warnings, then walks four of them: the first
    (timestamp, addresses, port, message strings), the sixth (timestamp and
    request fields), the second (message strings) and the last (raw query
    string).
    """
    iis_parser = iis.WinIISParser()
    writer = self._ParseFile(['iis.log'], iis_parser)

    self.assertEqual(writer.number_of_warnings, 0)
    self.assertEqual(writer.number_of_events, 12)

    events = list(writer.GetEvents())

    def data_of(event):
        return self._GetEventDataOfEvent(writer, event)

    first = events[0]
    self.CheckTimestamp(first.timestamp, '2013-07-30 00:00:00.000000')
    first_data = data_of(first)
    for attribute, value in (
        ('source_ip', '10.10.10.100'),
        ('dest_ip', '10.10.10.100'),
        ('dest_port', 80)):
        self.assertEqual(getattr(first_data, attribute), value)

    # Message strings are checked on the event itself in this revision.
    self._TestGetMessageStrings(
        first,
        'GET /some/image/path/something.jpg '
        '[ 10.10.10.100 > 10.10.10.100 : 80 ] '
        'HTTP Status: 200 '
        'User Agent: Mozilla/4.0+(compatible;+Win32;'
        '+WinHttp.WinHttpRequest.5)',
        'GET /some/image/path/something.jpg '
        '[ 10.10.10.100 > 10.10.10.100 : 80 ]')

    sixth = events[5]
    self.CheckTimestamp(sixth.timestamp, '2013-07-30 00:00:05.000000')
    sixth_data = data_of(sixth)
    for attribute, value in (
        ('http_method', 'GET'),
        ('http_status', 200),
        ('requested_uri_stem', '/some/image/path/something.jpg')):
        self.assertEqual(getattr(sixth_data, attribute), value)

    self._TestGetMessageStrings(
        events[1],
        'GET /some/image/path/something.htm '
        '[ 22.22.22.200 > 10.10.10.100 : 80 ] '
        'HTTP Status: 404 '
        'User Agent: Mozilla/5.0+(Macintosh;+Intel+Mac+OS+X+10_6_8)'
        '+AppleWebKit/534.57.2+(KHTML,+like+Gecko)+Version/5.1.7'
        '+Safari/534.57.2',
        'GET /some/image/path/something.htm '
        '[ 22.22.22.200 > 10.10.10.100 : 80 ]')

    # The last event's query string carries backticks and a pipe. The parser
    # is expected to keep it verbatim (still percent-encoded, not unescaped)
    # rather than decoding or sanitizing it.
    last_data = data_of(events[11])
    self.assertEqual('ID=ERROR[`cat%20passwd|echo`]', last_data.cs_uri_query)
def testParse(self):
    """Tests Parse on the iis.log fixture via the event queue.

    Drains the queue into a list of 11 event objects, then checks timestamps,
    addresses, request fields and formatted message strings on the first,
    sixth and second of them.
    """
    parser_object = iis.WinIISParser()
    test_path = self._GetTestFilePath([u'iis.log'])
    consumer = self._ParseFile(parser_object, test_path)
    event_objects = self._GetEventObjectsFromQueue(consumer)
    self.assertEqual(len(event_objects), 11)

    def assert_timestamp(event_object, date_time_string):
        # Expected timestamps are spelled as strings and converted via timelib.
        expected = timelib.Timestamp.CopyFromString(date_time_string)
        self.assertEqual(event_object.timestamp, expected)

    first = event_objects[0]
    assert_timestamp(first, u'2013-07-30 00:00:00')
    self.assertEqual(first.source_ip, u'10.10.10.100')
    self.assertEqual(first.dest_ip, u'10.10.10.100')
    self.assertEqual(first.dest_port, 80)
    self._TestGetMessageStrings(
        first,
        u'GET /some/image/path/something.jpg '
        u'[ 10.10.10.100 > 10.10.10.100 : 80 ] '
        u'HTTP Status: 200 '
        u'User Agent: Mozilla/4.0+(compatible;+Win32;'
        u'+WinHttp.WinHttpRequest.5)',
        u'GET /some/image/path/something.jpg '
        u'[ 10.10.10.100 > 10.10.10.100 : 80 ]')

    sixth = event_objects[5]
    assert_timestamp(sixth, u'2013-07-30 00:00:05')
    self.assertEqual(sixth.http_method, u'GET')
    self.assertEqual(sixth.http_status, 200)
    self.assertEqual(
        sixth.requested_uri_stem, u'/some/image/path/something.jpg')

    self._TestGetMessageStrings(
        event_objects[1],
        u'GET /some/image/path/something.htm '
        u'[ 22.22.22.200 > 10.10.10.100 : 80 ] '
        u'HTTP Status: 404 '
        u'User Agent: Mozilla/5.0+(Macintosh;+Intel+Mac+OS+X+10_6_8)'
        u'+AppleWebKit/534.57.2+(KHTML,+like+Gecko)+Version/5.1.7'
        u'+Safari/534.57.2',
        u'GET /some/image/path/something.htm '
        u'[ 22.22.22.200 > 10.10.10.100 : 80 ]')
def testParse(self):
    """Tests Parse on the iis.log fixture.

    Expects 11 events and checks the first, sixth and second of them for
    timestamps, addresses, request fields and formatted message strings.
    """
    iis_parser = iis.WinIISParser()
    writer = self._ParseFile(['iis.log'], iis_parser)
    self.assertEqual(writer.number_of_events, 11)

    events = list(writer.GetEvents())

    def assert_timestamp(event, date_time_string):
        # Expected timestamps are spelled as strings and converted via timelib.
        expected = timelib.Timestamp.CopyFromString(date_time_string)
        self.assertEqual(event.timestamp, expected)

    first = events[0]
    assert_timestamp(first, '2013-07-30 00:00:00')
    self.assertEqual(first.source_ip, '10.10.10.100')
    self.assertEqual(first.dest_ip, '10.10.10.100')
    self.assertEqual(first.dest_port, 80)
    self._TestGetMessageStrings(
        first,
        'GET /some/image/path/something.jpg '
        '[ 10.10.10.100 > 10.10.10.100 : 80 ] '
        'HTTP Status: 200 '
        'User Agent: Mozilla/4.0+(compatible;+Win32;'
        '+WinHttp.WinHttpRequest.5)',
        'GET /some/image/path/something.jpg '
        '[ 10.10.10.100 > 10.10.10.100 : 80 ]')

    sixth = events[5]
    assert_timestamp(sixth, '2013-07-30 00:00:05')
    self.assertEqual(sixth.http_method, 'GET')
    self.assertEqual(sixth.http_status, 200)
    self.assertEqual(
        sixth.requested_uri_stem, '/some/image/path/something.jpg')

    self._TestGetMessageStrings(
        events[1],
        'GET /some/image/path/something.htm '
        '[ 22.22.22.200 > 10.10.10.100 : 80 ] '
        'HTTP Status: 404 '
        'User Agent: Mozilla/5.0+(Macintosh;+Intel+Mac+OS+X+10_6_8)'
        '+AppleWebKit/534.57.2+(KHTML,+like+Gecko)+Version/5.1.7'
        '+Safari/534.57.2',
        'GET /some/image/path/something.htm '
        '[ 22.22.22.200 > 10.10.10.100 : 80 ]')
def testParse(self):
    """Tests Parse on the baseline iis.log fixture.

    Expects 12 events and no warnings, then checks selected events against
    their expected attribute values, in the order first, sixth, second, last.
    """
    iis_parser = iis.WinIISParser()
    writer = self._ParseFile(['iis.log'], iis_parser)

    self.assertEqual(writer.number_of_warnings, 0)
    self.assertEqual(writer.number_of_events, 12)

    events = list(writer.GetEvents())

    # Every checked event is expected to carry the IIS log line data type.
    base = {'data_type': 'iis:log:line'}

    checks = (
        (0, {
            'dest_ip': '10.10.10.100',
            'dest_port': 80,
            'http_method': 'GET',
            'http_status': 200,
            'requested_uri_stem': '/some/image/path/something.jpg',
            'source_ip': '10.10.10.100',
            'timestamp': '2013-07-30 00:00:00.000000',
            'user_agent': (
                'Mozilla/4.0+(compatible;+Win32;+WinHttp.WinHttpRequest.5)'),
        }),
        (5, {
            'http_method': 'GET',
            'http_status': 200,
            'requested_uri_stem': '/some/image/path/something.jpg',
            'timestamp': '2013-07-30 00:00:05.000000',
        }),
        (1, {
            'dest_ip': '10.10.10.100',
            'dest_port': 80,
            'http_method': 'GET',
            'http_status': 404,
            'requested_uri_stem': '/some/image/path/something.htm',
            'source_ip': '22.22.22.200',
            'timestamp': '2013-07-30 00:00:03.000000',
            'user_agent': (
                'Mozilla/5.0+(Macintosh;+Intel+Mac+OS+X+10_6_8)+AppleWebKit/'
                '534.57.2+(KHTML,+like+Gecko)+Version/5.1.7+Safari/534.57.2'),
        }),
        # The last event's query string carries backticks and a pipe; the
        # parser is expected to keep it verbatim (still percent-encoded) rather
        # than decoding or sanitizing it.
        (11, {
            'cs_uri_query': 'ID=ERROR[`cat%20passwd|echo`]',
        }),
    )
    for index, values in checks:
        self.CheckEventValues(writer, events[index], dict(base, **values))
def testParseWithoutDate(self):
    """Tests Parse on an IIS log whose lines carry no date column.

    Expects 11 events and checks that the second one still resolves to a full
    timestamp and carries its protocol version.
    """
    iis_parser = iis.WinIISParser()
    writer = self._ParseFile(['iis_without_date.log'], iis_parser)
    self.assertEqual(writer.number_of_events, 11)

    second_event = list(writer.GetEvents())[1]

    # Even without a date column the event resolves to a full date, presumably
    # taken from a date directive elsewhere in the file — verify against the
    # parser before relying on that.
    self.CheckTimestamp(second_event.timestamp, '2013-07-30 00:00:03.000000')
    self.assertEqual(second_event.protocol_version, 'HTTP/1.1')
def testParseWithoutDate(self):
    """Tests Parse on an IIS log whose lines carry no date column.

    Expects 11 events and no warnings, then checks that the second event still
    resolves to a full timestamp and carries its protocol version.
    """
    iis_parser = iis.WinIISParser()
    writer = self._ParseFile(['iis_without_date.log'], iis_parser)

    self.assertEqual(writer.number_of_warnings, 0)
    self.assertEqual(writer.number_of_events, 11)

    second_event = list(writer.GetEvents())[1]

    # Even without a date column the event resolves to a full date, presumably
    # taken from a date directive elsewhere in the file — verify against the
    # parser before relying on that.
    expected = {
        'protocol_version': 'HTTP/1.1',
        'timestamp': '2013-07-30 00:00:03.000000',
    }
    self.CheckEventValues(writer, second_event, expected)
def testParseWithoutDate(self):
    """Tests Parse on an IIS log whose lines carry no date column.

    Drains the event queue into 11 event objects and checks that the second
    one still resolves to a full timestamp and carries its protocol version.
    """
    parser_object = iis.WinIISParser()
    test_path = self._GetTestFilePath([u'iis_without_date.log'])
    consumer = self._ParseFile(parser_object, test_path)
    event_objects = self._GetEventObjectsFromQueue(consumer)
    self.assertEqual(len(event_objects), 11)

    second_object = event_objects[1]

    # Even without a date column the event resolves to a full date, presumably
    # taken from a date directive elsewhere in the file — verify against the
    # parser before relying on that. Expected timestamps are spelled as
    # strings and converted via timelib.
    expected_timestamp = timelib.Timestamp.CopyFromString(
        u'2013-07-30 00:00:03')
    self.assertEqual(second_object.timestamp, expected_timestamp)
    self.assertEqual(second_object.protocol_version, u'HTTP/1.1')
def setUp(self):
    """Creates the IIS parser used by the test methods.

    unittest calls this before each test method, so every test starts with a
    fresh parser instance in ``self._parser``.
    """
    iis_parser = iis.WinIISParser()
    self._parser = iis_parser