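def test_multiple_emails_complete_processing(self):
    """Submit every file under test_data/emails and run a full collect-and-analyze cycle.

    Expects one 'found email', 'copied file from' and 'scheduled ACE Mailbox
    Scanner Detection -' log entry per submitted file, then one
    'completed analysis RootAnalysis' entry per file.  The engine and
    collector are shut down in a ``finally`` so that background workers do
    not outlive the test if one of the waits raises.
    """
    test_email_dir = os.path.join(saq.SAQ_HOME, 'test_data', 'emails')
    # NOTE(review): every directory entry is submitted, not just regular files -- confirm
    # that test_data/emails holds nothing but email files.
    email_files = os.listdir(test_email_dir)
    for email_file in email_files:
        self.submit_email(os.path.join(test_email_dir, email_file))
    email_count = len(email_files)

    self.start_api_server()
    engine = TestEngine()
    engine.start()
    collector = EmailCollector()
    collector.load_groups()
    collector.start()
    try:
        # look for all the expected log entries
        wait_for_log_count('found email', email_count, 5)
        wait_for_log_count('copied file from', email_count, 5)
        wait_for_log_count('scheduled ACE Mailbox Scanner Detection -', email_count, 5)
        # analysis takes longer than collection, hence the larger timeout
        wait_for_log_count('completed analysis RootAnalysis', email_count, 20)
    finally:
        # same shutdown order as before, now guaranteed even when a wait fails
        engine.controlled_stop()
        engine.wait()
        collector.stop()
        collector.wait()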
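def test_blacklist(self):
    """Verify that an email hitting the blacklist YARA rule is logged and its file removed.

    Writes a single-rule YARA file into ``saq.TEMP_DIR`` (the rule's string is
    intended to match the Message-ID of ``pdf_attachment.email.rfc822``),
    submits that email, and expects exactly one 'matched blacklist rule' log
    entry.  The path named at the start of that log message must no longer
    exist afterwards -- blacklisted input is expected to be discarded, not
    queued for analysis.
    """
    blacklist_yara_rule_path = os.path.join(saq.TEMP_DIR, 'blacklist.yar')
    with open(blacklist_yara_rule_path, 'w') as fp:
        fp.write("""
rule blacklist : blacklist {
    strings:
        $a = "Message-ID: <*****@*****.**>"
    condition:
        any of them
}""")

    self.submit_email(
        os.path.join(saq.SAQ_HOME, 'test_data', 'emails', 'pdf_attachment.email.rfc822'))

    collector = EmailCollector(blacklist_yara_rule_path=blacklist_yara_rule_path)
    collector.load_groups()
    collector.start()
    try:
        # look for all the expected log entries
        wait_for_log_count('matched blacklist rule', 1, 5)
    finally:
        # stop the collector even if the wait above raises
        collector.stop()
        collector.wait()

    # the file that we matched should be deleted
    entries = search_log('matched blacklist rule')
    # assertEquals is a deprecated alias removed in Python 3.12
    self.assertEqual(len(entries), 1)
    # the log message starts with the path of the matched file
    m = re.match(r'^(.+) matched blacklist rule .+', entries[0].getMessage())
    self.assertIsNotNone(m)
    file_path = m.group(1)
    self.assertFalse(os.path.exists(file_path))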
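def test_complete_processing(self):
    """Run one email through collection and analysis with the email analyzer enabled.

    Enables ``analysis_module_file_type`` and ``analysis_module_email_analyzer``
    on a TestEngine, submits ``pdf_attachment.email.rfc822`` and expects the
    collector's 'found email' / 'copied file from' / 'scheduled ...' entries,
    the analyzer's 'parsing email file' entry, and one completed RootAnalysis.
    Engine and collector are stopped in a ``finally`` so a failed wait cannot
    leave them running.
    """
    self.submit_email(
        os.path.join(saq.SAQ_HOME, 'test_data', 'emails', 'pdf_attachment.email.rfc822'))

    self.start_api_server()
    engine = TestEngine()
    engine.enable_module('analysis_module_file_type')
    engine.enable_module('analysis_module_email_analyzer')
    engine.start()
    collector = EmailCollector()
    collector.load_groups()
    collector.start()
    try:
        # look for all the expected log entries
        wait_for_log_count('found email', 1, 5)
        wait_for_log_count('copied file from', 1, 5)
        # email analysis module should generate this log entry
        wait_for_log_count('parsing email file', 1, 5)
        wait_for_log_count('scheduled ACE Mailbox Scanner Detection -', 1, 5)
        # analysis takes longer than collection, hence the larger timeout
        wait_for_log_count('completed analysis RootAnalysis', 1, 20)
    finally:
        # same shutdown order as before, now guaranteed even when a wait fails
        engine.controlled_stop()
        engine.wait()
        collector.stop()
        collector.wait()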
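def test_startup(self):
    """Start the collector as a threaded service and confirm it idles ('no work available').

    The collector is stopped in a ``finally`` so the service thread does not
    survive a failed wait.
    """
    # NOTE(review): another test_startup is defined in this file; if both live in the
    # same class the later definition shadows this one -- confirm they belong to
    # different test classes.
    collector = EmailCollector()
    collector.start_service(threaded=True)
    try:
        wait_for_log_count('no work available', 1, 5)
    finally:
        collector.stop()
        collector.wait()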
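def test_startup(self):
    """Load groups, start the collector and confirm it idles ('no work available').

    The collector is stopped in a ``finally`` so its worker does not survive
    a failed wait.
    """
    # NOTE(review): another test_startup is defined in this file; if both live in the
    # same class the later definition shadows the earlier one -- confirm they belong
    # to different test classes.
    collector = EmailCollector()
    collector.load_groups()
    collector.start()
    try:
        wait_for_log_count('no work available', 1, 5)
    finally:
        collector.stop()
        collector.wait()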
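def test_single_email(self):
    """Submit one email and check it is found, copied and scheduled, emptying the email dir.

    Expects one 'found email', 'copied file from' and 'scheduled ACE Mailbox
    Scanner Detection -' log entry, then asserts ``self.email_dir`` (set up
    outside this method) contains no entries.  The collector is stopped in a
    ``finally`` so a failed wait cannot leave it running.
    """
    self.submit_email(
        os.path.join(saq.SAQ_HOME, 'test_data', 'emails', 'pdf_attachment.email.rfc822'))

    collector = EmailCollector()
    collector.load_groups()
    collector.start()
    try:
        # look for all the expected log entries
        wait_for_log_count('found email', 1, 5)
        wait_for_log_count('copied file from', 1, 5)
        wait_for_log_count('scheduled ACE Mailbox Scanner Detection -', 1, 5)
    finally:
        collector.stop()
        collector.wait()

    # the email dir should be empty once the collector has consumed the submission
    # (assertEquals is a deprecated alias removed in Python 3.12)
    self.assertEqual(len(os.listdir(self.email_dir)), 0)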
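def test_multiple_emails(self):
    """Submit every file under test_data/emails and check each is found, copied and scheduled.

    Expects one 'found email', 'copied file from' and 'scheduled ACE Mailbox
    Scanner Detection -' log entry per submitted file.  The collector is
    stopped in a ``finally`` so a failed wait cannot leave it running.
    """
    test_email_dir = os.path.join(saq.SAQ_HOME, 'test_data', 'emails')
    # NOTE(review): every directory entry is submitted, not just regular files -- confirm
    # that test_data/emails holds nothing but email files.
    email_files = os.listdir(test_email_dir)
    for email_file in email_files:
        self.submit_email(os.path.join(test_email_dir, email_file))
    email_count = len(email_files)

    collector = EmailCollector()
    collector.load_groups()
    collector.start()
    try:
        # look for all the expected log entries
        wait_for_log_count('found email', email_count, 5)
        wait_for_log_count('copied file from', email_count, 5)
        wait_for_log_count('scheduled ACE Mailbox Scanner Detection -', email_count, 5)
    finally:
        collector.stop()
        collector.wait()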