def tearDown(self): if self.yss_process: try: self.yss_process.terminate() self.yss_process.wait(5) except Exception as e: print(self.yss_process.poll()) logging.error("unable to terminate yss process {}: {}:".format(self.yss_process.pid, e)) try: self.yss_process.kill() self.yss_process.wait(5) except Exception as e: logging.critical("unable to kill yss process {}: {}".format(self.yss_process.pid, e)) self.yss_stdout_reader_thread.join() self.yss_stdout_reader_thread = None self.yss_stderr_reader_thread.join() self.yss_stderr_reader_thread = None # set the socket dir back saq.YSS_SOCKET_DIR = self.old_socket_dir # reset the config since we changed stuff saq.load_configuration() super().tearDown()
def tearDown(self): if self.yara_service is not None: self.yara_service.stop_service() #if self.yss_process: #try: #self.yss_process.terminate() #self.yss_process.wait(5) #except Exception as e: #print(self.yss_process.poll()) #logging.error("unable to terminate yss process {}: {}:".format(self.yss_process.pid, e)) #try: #self.yss_process.kill() #self.yss_process.wait(5) #except Exception as e: #logging.critical("unable to kill yss process {}: {}".format(self.yss_process.pid, e)) #self.yss_stdout_reader_thread.join() #self.yss_stdout_reader_thread = None #self.yss_stderr_reader_thread.join() #self.yss_stderr_reader_thread = None # reset the config since we changed stuff saq.load_configuration() super().tearDown()
def reset_config(self): """Resets saq.CONFIG.""" saq.load_configuration()
def wrapper(*args, **kwargs): try: return target_function(*args, **kwargs) finally: saq.load_configuration()
def setUp(self): saq.DUMP_TRACEBACKS = True logging.info("TEST: {}".format(self.id())) initialize_test_environment() saq.load_configuration() open_test_comms()
def test_email_pivot_excessive_emails(self): # process the email first -- we'll find it when we pivot root = create_root_analysis(uuid=str(uuid.uuid4()), alert_type='mailbox') root.initialize_storage() shutil.copy(os.path.join('test_data', 'emails', 'splunk_logging.email.rfc822'), os.path.join(root.storage_dir, 'email.rfc822')) file_observable = root.add_observable(F_FILE, 'email.rfc822') file_observable.add_directive(DIRECTIVE_ORIGINAL_EMAIL) file_observable.add_directive(DIRECTIVE_ARCHIVE) root.save() root.schedule() engine = TestEngine() engine.enable_module('analysis_module_file_type', 'test_groups') engine.enable_module('analysis_module_file_hash_analyzer', 'test_groups') engine.enable_module('analysis_module_email_analyzer', 'test_groups') engine.enable_module('analysis_module_email_archiver', 'test_groups') engine.enable_module('analysis_module_url_extraction', 'test_groups') engine.controlled_stop() engine.start() engine.wait() saq.load_configuration() # force this to exceed the limit saq.CONFIG['analysis_module_url_email_pivot_analyzer']['result_limit'] = '0' root = create_root_analysis(uuid=str(uuid.uuid4()), alert_type='cloudphish') root.initialize_storage() # make up some details root.details = { 'alertable': 1, 'context': { 'c': '1c38af75-0c42-4ae3-941d-de3975f68602', 'd': '1', 'i': 'ashland', 's': 'email_scanner' }, 'sha256_url': '0061537d578e4f65d13e31e190e1079e00dadd808e9fa73f77e3308fdb0e1485', 'url': 'https://www.alienvault.com', # <-- the important part } url_observable = root.add_observable(F_URL, 'https://www.alienvault.com') root.save() root.schedule() engine = TestEngine() engine.enable_module('analysis_module_url_email_pivot_analyzer', 'test_groups') engine.controlled_stop() engine.start() engine.wait() root.load() url_observable = root.get_observable(url_observable.id) from saq.modules.email import URLEmailPivotAnalysis_v2 analysis = url_observable.get_analysis(URLEmailPivotAnalysis_v2) self.assertIsNotNone(analysis) self.assertEquals(analysis.count, 1) # this should not have the details since it exceeded the limit self.assertIsNone(analysis.emails)
def test_email_pivot(self): # process the email first -- we'll find it when we pivot root = create_root_analysis(uuid=str(uuid.uuid4()), alert_type='mailbox') root.initialize_storage() shutil.copy(os.path.join('test_data', 'emails', 'splunk_logging.email.rfc822'), os.path.join(root.storage_dir, 'email.rfc822')) file_observable = root.add_observable(F_FILE, 'email.rfc822') file_observable.add_directive(DIRECTIVE_ORIGINAL_EMAIL) file_observable.add_directive(DIRECTIVE_ARCHIVE) root.save() root.schedule() engine = TestEngine() engine.enable_module('analysis_module_file_type', 'test_groups') engine.enable_module('analysis_module_file_hash_analyzer', 'test_groups') engine.enable_module('analysis_module_email_analyzer', 'test_groups') engine.enable_module('analysis_module_email_archiver', 'test_groups') engine.enable_module('analysis_module_url_extraction', 'test_groups') engine.controlled_stop() engine.start() engine.wait() saq.load_configuration() root = create_root_analysis(uuid=str(uuid.uuid4()), alert_type='cloudphish') root.initialize_storage() # make up some details root.details = { 'alertable': 1, 'context': { 'c': '1c38af75-0c42-4ae3-941d-de3975f68602', 'd': '1', 'i': 'ashland', 's': 'email_scanner' }, 'sha256_url': '0061537d578e4f65d13e31e190e1079e00dadd808e9fa73f77e3308fdb0e1485', 'url': 'https://www.alienvault.com', # <-- the important part } url_observable = root.add_observable(F_URL, 'https://www.alienvault.com') root.save() root.schedule() engine = TestEngine() engine.enable_module('analysis_module_url_email_pivot_analyzer', 'test_groups') engine.controlled_stop() engine.start() engine.wait() root.load() url_observable = root.get_observable(url_observable.id) from saq.modules.email import URLEmailPivotAnalysis_v2 analysis = url_observable.get_analysis(URLEmailPivotAnalysis_v2) self.assertIsNotNone(analysis) self.assertEquals(analysis.count, 1) self.assertIsNotNone(analysis.emails) self.assertTrue('email_archive' in analysis.emails) archive_id = list(analysis.emails['email_archive'].keys())[0] entry = analysis.emails['email_archive'][archive_id] self.assertEquals(int(archive_id), entry['archive_id']) self.assertEquals('canary #3', entry['subject']) self.assertEquals('*****@*****.**', entry['recipient']) self.assertEquals('<CANTOGZsMiMb+7aB868zXSen_fO=NS-qFTUMo9h2eHtOexY8Qhw@mail.gmail.com>', entry['message_id']) self.assertEquals('*****@*****.**', entry['sender']) self.assertEquals(len(entry['remediation_history']), 0) self.assertFalse(entry['remediated'])