def testWriteSerialized(self): """Tests the WriteSerialized function.""" event_object = event.EventObject() event_object.data_type = u'test:event2' event_object.timestamp = 1234124 event_object.timestamp_desc = u'Written' # Prevent the event object for generating its own UUID. event_object.uuid = u'5a78777006de4ddb8d7bbe12ab92ccf8' event_object.empty_string = u'' event_object.zero_integer = 0 event_object.integer = 34 event_object.string = u'Normal string' event_object.unicode_string = u'And I\'m a unicorn.' event_object.my_list = [u'asf', 4234, 2, 54, u'asf'] event_object.my_dict = { u'a': u'not b', u'c': 34, u'list': [u'sf', 234], u'an': [234, 32]} event_object.a_tuple = ( u'some item', [234, 52, 15], {u'a': u'not a', u'b': u'not b'}, 35) event_object.null_value = None proto_string = self._serializer.WriteSerialized(event_object) self.assertEqual(proto_string, self._proto_string) event_object = self._serializer.ReadSerialized(proto_string) # An empty string should not get stored. self.assertFalse(hasattr(event_object, u'empty_string')) # A None (or Null) value should not get stored. self.assertFalse(hasattr(event_object, u'null_value'))
def _ConvertDictToEventObject(self, json_dict): """Converts a JSON dict into an event object. The dictionary of the JSON serialized objects consists of: { '__type__': 'EventObject' 'pathspec': { ... } 'tag': { ... } ... } Here '__type__' indicates the object base type. In this case this should be 'EventObject'. The rest of the elements of the dictionary make up the event object properties. Args: json_dict: a dictionary of the JSON serialized objects. Returns: An event object (instance of EventObject). """ event_object = event.EventObject() for key, value in iter(json_dict.items()): setattr(event_object, key, value) return event_object
def Parse(self, unused_file_entry): """Extract data from a fake plist file for testing. Args: unused_file_entry: A file entry object that is not used by the fake parser. Yields: An event object (instance of EventObject) that contains the parsed attributes. """ event_object = event.EventObject() event_object.timestamp = timelib_test.CopyStringToTimestamp( '2015-11-18 01:15:43') event_object.timestamp_desc = 'Last Written' event_object.text_short = 'This description is different than the long one.' event_object.text = ( u'User did a very bad thing, bad, bad thing that awoke Dr. Evil.') event_object.filename = ( u'/My Documents/goodfella/Documents/Hideout/myfile.txt') event_object.hostname = 'Agrabah' event_object.parser = 'Weirdo' event_object.inode = 1245 event_object.display_name = u'unknown:{0:s}'.format(event_object.filename) event_object.data_type = self.DATA_TYPE yield event_object
def testWriteSerialized(self): """Test the write serialized functionality.""" event_object = event.EventObject() event_object.data_type = 'test:event2' event_object.timestamp = 1234124 event_object.timestamp_desc = 'Written' # Prevent the event object for generating its own UUID. event_object.uuid = '5a78777006de4ddb8d7bbe12ab92ccf8' event_object.empty_string = u'' event_object.zero_integer = 0 event_object.integer = 34 event_object.string = 'Normal string' event_object.unicode_string = u'And I\'m a unicorn.' event_object.my_list = ['asf', 4234, 2, 54, 'asf'] event_object.my_dict = { 'a': 'not b', 'c': 34, 'list': ['sf', 234], 'an': [234, 32] } event_object.a_tuple = ('some item', [234, 52, 15], { 'a': 'not a', 'b': 'not b' }, 35) event_object.null_value = None serializer = json_serializer.JsonEventObjectSerializer json_string = serializer.WriteSerialized(event_object) self.assertEqual(sorted(json_string), sorted(self._json_string)) event_object = serializer.ReadSerialized(json_string)
def testWriteSerialized(self): """Tests the WriteSerialized function.""" event_object = event.EventObject() event_object.data_type = u'test:event2' event_object.timestamp = 1234124 event_object.timestamp_desc = u'Written' # Prevent the event object for generating its own UUID. event_object.uuid = u'5a78777006de4ddb8d7bbe12ab92ccf8' event_object.binary_string = b'\xc0\x90\x90binary' event_object.empty_string = u'' event_object.zero_integer = 0 event_object.integer = 34 event_object.string = u'Normal string' event_object.unicode_string = u'And I am a unicorn.' event_object.my_list = [u'asf', 4234, 2, 54, u'asf'] event_object.my_dict = { u'a': u'not b', u'c': 34, u'list': [u'sf', 234], u'an': [234, 32] } event_object.a_tuple = (u'some item', [234, 52, 15], { u'a': u'not a', u'b': u'not b' }, 35) event_object.null_value = None json_string = self._TestWriteSerialized(self._serializer, event_object, self._json_dict) event_object = self._serializer.ReadSerialized(json_string)
def _CreateTestEventObject(self, path): """Create a test event object with a particular path.""" event_object = event.EventObject() event_object.data_type = 'fs:stat' event_object.timestamp = 12345 event_object.timestamp_desc = u'Some stuff' event_object.filename = path return event_object
def ReadSerializedObject(cls, proto): """Reads an event object from serialized form. Args: proto: a protobuf object containing the serialized form (instance of plaso_storage_pb2.EventObject). Returns: An event object (instance of EventObject). """ event_object = event.EventObject() event_object.data_type = proto.data_type for proto_attribute, value in proto.ListFields(): if proto_attribute.name == u'source_short': event_object.source_short = cls._SOURCE_SHORT_FROM_PROTO_MAP[ value] elif proto_attribute.name == u'pathspec': event_object.pathspec = ( cls._path_spec_serializer.ReadSerialized(proto.pathspec)) elif proto_attribute.name == u'tag': event_object.tag = ProtobufEventTagSerializer.ReadSerializedObject( proto.tag) elif proto_attribute.name == u'attributes': continue else: # Register the attribute correctly. # The attribute can be a 'regular' high level attribute or # a message (Dict/Array) that need special handling. if isinstance(value, message.Message): if value.DESCRIPTOR.full_name.endswith('.Dict'): value = ProtobufEventAttributeSerializer.ReadSerializedDictObject( value) elif value.DESCRIPTOR.full_name.endswith('.Array'): value = ProtobufEventAttributeSerializer.ReadSerializedListObject( value) else: value = ProtobufEventAttributeSerializer.ReadSerializedObject( value) setattr(event_object, proto_attribute.name, value) # The plaso_storage_pb2.EventObject protobuf contains a field named # attributes which technically not a Dict but behaves similar. dict_object = ProtobufEventAttributeSerializer.ReadSerializedDictObject( proto) for attribute, value in iter(dict_object.items()): setattr(event_object, attribute, value) return event_object
def testEqualityStringFileStatParserMissingInode(self): """Test that FileStatParser files with missing inodes are distinct""" event_a = event.EventObject() event_b = event.EventObject() event_a.timestamp = 123 event_a.timestamp_desc = u'LAST WRITTEN' event_a.data_type = 'mock:nothing' event_a.parser = u'filestat' event_a.filename = u'c:/bull/skrytinmappa/skra.txt' event_a.another_attribute = False event_b.timestamp = 123 event_b.timestamp_desc = u'LAST WRITTEN' event_b.data_type = 'mock:nothing' event_b.parser = u'filestat' event_b.filename = u'c:/bull/skrytinmappa/skra.txt' event_b.another_attribute = False self.assertNotEqual(event_a.EqualityString(), event_b.EqualityString())
def _CreateTestEventObject(self, test_event_dict): """Create a basic event object to test the plugin on.""" if test_event_dict[u'event_type'] == u'prefetch': event_object = TestPrefetchEvent() elif test_event_dict[u'event_type'] == u'chrome_download': event_object = TestChromeDownloadEvent() else: event_object = event.EventObject() event_object.timestamp = test_event_dict[u'timestamp'] for key, value in test_event_dict[u'attributes']: setattr(event_object, key, value) return event_object
def testEqualityString(self): """Test the EventObject EqualityString.""" event_a = event.EventObject() event_b = event.EventObject() event_c = event.EventObject() event_d = event.EventObject() event_e = event.EventObject() event_f = event.EventObject() event_a.timestamp = 123 event_a.timestamp_desc = 'LAST WRITTEN' event_a.data_type = 'mock:nothing' event_a.inode = 124 event_a.filename = 'c:/bull/skrytinmappa/skra.txt' event_a.another_attribute = False event_b.timestamp = 123 event_b.timestamp_desc = 'LAST WRITTEN' event_b.data_type = 'mock:nothing' event_b.inode = 124 event_b.filename = 'c:/bull/skrytinmappa/skra.txt' event_b.another_attribute = False event_c.timestamp = 123 event_c.timestamp_desc = 'LAST UPDATED' event_c.data_type = 'mock:nothing' event_c.inode = 124 event_c.filename = 'c:/bull/skrytinmappa/skra.txt' event_c.another_attribute = False event_d.timestamp = 14523 event_d.timestamp_desc = 'LAST WRITTEN' event_d.data_type = 'mock:nothing' event_d.inode = 124 event_d.filename = 'c:/bull/skrytinmappa/skra.txt' event_d.another_attribute = False event_e.timestamp = 123 event_e.timestamp_desc = 'LAST WRITTEN' event_e.data_type = 'mock:nothing' event_e.inode = 623423 event_e.filename = 'c:/afrit/öñṅûŗ₅ḱŖūα.txt' event_e.another_attribute = False event_f.timestamp = 14523 event_f.timestamp_desc = 'LAST WRITTEN' event_f.data_type = 'mock:nothing' event_f.inode = 124 event_f.filename = 'c:/bull/skrytinmappa/skra.txt' event_f.another_attribute = False event_f.weirdness = 'I am a potato' self.assertEquals(event_a.EqualityString(), event_b.EqualityString()) self.assertNotEquals(event_a.EqualityString(), event_c.EqualityString()) self.assertEquals(event_a.EqualityString(), event_e.EqualityString()) self.assertNotEquals(event_c.EqualityString(), event_d.EqualityString()) self.assertNotEquals(event_d.EqualityString(), event_f.EqualityString())
def ParseRow(self, row): """Parse a line of the log file and yield extracted EventObject(s). Args: row: A dictionary containing all the fields as denoted in the COLUMNS class list. Yields: An EventObject extracted from a single line from the log file. """ event_object = event.EventObject() event_object.row_dict = row yield event_object
def ParseRow(self, parser_mediator, row_offset, row): """Parse a line of the log file and extract event objects. Args: parser_mediator: a parser mediator object (instance of ParserMediator). row_offset: the offset of the row. row: a dictionary containing all the fields as denoted in the COLUMNS class list. Strings in this dict are unicode strings. """ event_object = event.EventObject() if row_offset is not None: event_object.offset = row_offset event_object.row_dict = row parser_mediator.ProduceEvent(event_object)
def _CreateTestEventObject(self, event_dict): """Create a test event object. Args: service_event: A hash containing attributes of an event to add to the queue. Returns: An EventObject to test with. """ event_object = event.EventObject() event_object.pathspec = event_dict[u'path_spec'] for attrib in event_dict.keys(): if attrib.endswith(u'_hash'): setattr(event_object, attrib, event_dict[attrib]) return event_object
def _CreateTestEventObject(self, test_event): """Create a test event object with a particular path. Args: test_event_dict: A dict containing attributes of an event to add to the queue. Returns: An event object (instance of EventObject) that contains the necessary attributes for testing. """ event_object = event.EventObject() event_object.data_type = test_event[u'data_type'] event_object.url = u'https://{0:s}/{1:s}'.format( test_event.get(u'domain', u''), test_event.get(u'path', u'')) event_object.timestamp = test_event[u'timestamp'] return event_object
def ParseRow(self, parser_context, row_offset, row, file_entry=None): """Parse a line of the log file and extract event objects. Args: parser_context: A parser context object (instance of ParserContext). row_offset: The offset of the row. row: A dictionary containing all the fields as denoted in the COLUMNS class list. file_entry: optional file entry object (instance of dfvfs.FileEntry). The default is None. """ event_object = event.EventObject() if row_offset is not None: event_object.offset = row_offset event_object.row_dict = row parser_context.ProduceEvent(event_object, parser_name=self.NAME, file_entry=file_entry)
def ReadSerialized(cls, json_string): """Reads an event object from serialized form. Args: json_string: an object containing the serialized form. Returns: An event object (instance of EventObject). """ event_object = event.EventObject() json_attributes = json.loads(json_string) for key, value in json_attributes.iteritems(): # TODO: Add pathspec support. if key == 'tag': value = JsonEventTagSerializer.ReadSerialized(value) setattr(event_object, key, value) return event_object
def testPlasoEvents(self): """Test plaso EventObjects, both Python and Protobuf version. These are more plaso specific tests than the more generic objectfilter ones. It will create an EventObject that stores some attributes. These objects will then be serialzed into an EventObject protobuf and all tests run against both the native Python object as well as the protobuf. """ event_object = event.EventObject() event_object.data_type = 'Weirdo:Made up Source:Last Written' event_object.timestamp = timelib.Timestamp.CopyFromString( u'2015-11-18 01:15:43') event_object.timestamp_desc = u'Last Written' event_object.text_short = ( u'This description is different than the long one.') event_object.text = ( u'User did a very bad thing, bad, bad thing that awoke Dr. Evil.') event_object.filename = ( u'/My Documents/goodfella/Documents/Hideout/myfile.txt') event_object.hostname = u'Agrabah' event_object.parser = u'Weirdo' event_object.inode = 1245 event_object.mydict = { u'value': 134, u'another': u'value', u'A Key (with stuff)': u'Here' } event_object.display_name = u'unknown:{0:s}'.format( event_object.filename) # Series of tests. query = u'filename contains \'GoodFella\'' self._RunPlasoTest(event_object, query, True) # Double negative matching -> should be the same # as a positive one. query = u'filename not not contains \'GoodFella\'' my_parser = pfilter.BaseParser(query) self.assertRaises(errors.ParseError, my_parser.Parse) # Test date filtering. query = u'date >= \'2015-11-18\'' self._RunPlasoTest(event_object, query, True) query = u'date < \'2015-11-19\'' self._RunPlasoTest(event_object, query, True) # 2015-11-18T01:15:43 query = (u'date < \'2015-11-18T01:15:44.341\' and ' u'date > \'2015-11-18 01:15:42\'') self._RunPlasoTest(event_object, query, True) query = u'date > \'2015-11-19\'' self._RunPlasoTest(event_object, query, False) # Perform few attribute tests. query = u'filename not contains \'sometext\'' self._RunPlasoTest(event_object, query, True) query = ( u'timestamp_desc CONTAINS \'written\' AND date > \'2015-11-18\' AND ' u'date < \'2015-11-25 12:56:21\' AND (source_short contains \'LOG\' or ' u'source_short CONTAINS \'REG\')') self._RunPlasoTest(event_object, query, True) query = u'parser is not \'Made\'' self._RunPlasoTest(event_object, query, True) query = u'parser is not \'Weirdo\'' self._RunPlasoTest(event_object, query, False) query = u'mydict.value is 123' self._RunPlasoTest(event_object, query, False) query = u'mydict.akeywithstuff contains "ere"' self._RunPlasoTest(event_object, query, True) query = u'mydict.value is 134' self._RunPlasoTest(event_object, query, True) query = u'mydict.value < 200' self._RunPlasoTest(event_object, query, True) query = u'mydict.another contains "val"' self._RunPlasoTest(event_object, query, True) query = u'mydict.notthere is 123' self._RunPlasoTest(event_object, query, False) query = u'source_long not contains \'Fake\'' self._RunPlasoTest(event_object, query, False) query = u'source is \'REG\'' self._RunPlasoTest(event_object, query, True) query = u'source is not \'FILE\'' self._RunPlasoTest(event_object, query, True) # Multiple attributes. query = ( u'source_long is \'Fake Parsing Source\' AND description_long ' u'regexp \'bad, bad thing [\\sa-zA-Z\\.]+ evil\'') self._RunPlasoTest(event_object, query, False) query = (u'source_long is \'Fake Parsing Source\' AND text iregexp ' u'\'bad, bad thing [\\sa-zA-Z\\.]+ evil\'') self._RunPlasoTest(event_object, query, True)
def testSameEvent(self): """Test the EventObject comparison.""" event_a = event.EventObject() event_b = event.EventObject() event_c = event.EventObject() event_d = event.EventObject() event_e = event.EventObject() event_a.timestamp = 123 event_a.timestamp_desc = u'LAST WRITTEN' event_a.data_type = 'mock:nothing' event_a.inode = 124 event_a.filename = u'c:/bull/skrytinmappa/skra.txt' event_a.another_attribute = False event_a.metadata = { u'author': u'Some Random Dude', u'version': 1245L, u'last_changed': u'Long time ago' } event_a.strings = [u'This ', u'is a ', u'long string'] event_b.timestamp = 123 event_b.timestamp_desc = 'LAST WRITTEN' event_b.data_type = 'mock:nothing' event_b.inode = 124 event_b.filename = u'c:/bull/skrytinmappa/skra.txt' event_b.another_attribute = False event_b.metadata = { u'author': u'Some Random Dude', u'version': 1245L, u'last_changed': u'Long time ago' } event_b.strings = [u'This ', u'is a ', u'long string'] event_c.timestamp = 123 event_c.timestamp_desc = u'LAST UPDATED' event_c.data_type = 'mock:nothing' event_c.inode = 124 event_c.filename = u'c:/bull/skrytinmappa/skra.txt' event_c.another_attribute = False event_d.timestamp = 14523 event_d.timestamp_desc = u'LAST WRITTEN' event_d.data_type = 'mock:nothing' event_d.inode = 124 event_d.filename = u'c:/bull/skrytinmappa/skra.txt' event_d.another_attribute = False event_e.timestamp = 123 event_e.timestamp_desc = u'LAST WRITTEN' event_e.data_type = 'mock:nothing' event_e.inode = 623423 event_e.filename = u'c:/afrit/onnurskra.txt' event_e.another_attribute = False event_e.metadata = { u'author': u'Some Random Dude', u'version': 1245, u'last_changed': u'Long time ago' } event_e.strings = [u'This ', u'is a ', u'long string'] self.assertEqual(event_a, event_b) self.assertNotEqual(event_a, event_c) self.assertEqual(event_a, event_e) self.assertNotEqual(event_c, event_d)
def GetEventObjects(): """Returns a list of test event objects.""" event_objects = [] hostname = 'MYHOSTNAME' data_type = 'test:event1' event_a = event.EventObject() event_a.username = '******' event_a.filename = 'c:/Users/joesmith/NTUSER.DAT' event_a.hostname = hostname event_a.timestamp = 0 event_a.data_type = data_type event_b = event.WinRegistryEvent(u'MY AutoRun key', {u'Run': u'c:/Temp/evil.exe'}, timestamp=1334961526929596) event_b.hostname = hostname event_objects.append(event_b) event_c = event.WinRegistryEvent( u'//HKCU/Secret/EvilEmpire/Malicious_key', {u'Value': u'REGALERT: send all the exes to the other world'}, timestamp=1334966206929596) event_c.hostname = hostname event_objects.append(event_c) event_d = event.WinRegistryEvent(u'//HKCU/Windows/Normal', {u'Value': u'run all the benign stuff'}, timestamp=1334940286000000) event_d.hostname = hostname event_objects.append(event_d) event_objects.append(event_a) filename = 'c:/Temp/evil.exe' event_e = TestEvent1(1335781787929596, {'text': 'This log line reads ohh so much.'}) event_e.filename = filename event_e.hostname = hostname event_objects.append(event_e) event_f = TestEvent1(1335781787929596, {'text': 'Nothing of interest here, move on.'}) event_f.filename = filename event_f.hostname = hostname event_objects.append(event_f) event_g = TestEvent1( 1335791207939596, {'text': 'Mr. Evil just logged into the machine and got root.'}) event_g.filename = filename event_g.hostname = hostname event_objects.append(event_g) text_dict = { 'body': (u'This is a line by someone not reading the log line properly. And ' u'since this log line exceeds the accepted 80 chars it will be ' u'shortened.'), 'hostname': u'nomachine', 'username': u'johndoe' } event_h = event.TextEvent(1338934459000000, text_dict) event_h.text = event_h.body event_h.hostname = hostname event_h.filename = filename event_objects.append(event_h) return event_objects
def GetEventObjects(): """Returns a list of test event objects.""" event_objects = [] hostname = u'MYHOSTNAME' data_type = 'test:event' event_a = event.EventObject() event_a.username = u'joesmith' event_a.filename = u'c:/Users/joesmith/NTUSER.DAT' event_a.hostname = hostname event_a.timestamp = 0 event_a.data_type = data_type event_a.text = u'' # TODO: move this to a WindowsRegistryEvent unit test. timestamp = timelib.Timestamp.CopyFromString(u'2012-04-20 22:38:46.929596') event_b = windows_events.WindowsRegistryEvent( timestamp, u'MY AutoRun key', {u'Run': u'c:/Temp/evil.exe'}) event_b.hostname = hostname event_objects.append(event_b) timestamp = timelib.Timestamp.CopyFromString(u'2012-04-20 23:56:46.929596') event_c = windows_events.WindowsRegistryEvent( timestamp, u'//HKCU/Secret/EvilEmpire/Malicious_key', {u'Value': u'send all the exes to the other world'}) event_c.hostname = hostname event_objects.append(event_c) timestamp = timelib.Timestamp.CopyFromString(u'2012-04-20 16:44:46.000000') event_d = windows_events.WindowsRegistryEvent( timestamp, u'//HKCU/Windows/Normal', {u'Value': u'run all the benign stuff'}) event_d.hostname = hostname event_objects.append(event_d) event_objects.append(event_a) timestamp = timelib.Timestamp.CopyFromString(u'2012-04-30 10:29:47.929596') filename = u'c:/Temp/evil.exe' event_e = TestEvent(timestamp, {u'text': u'This log line reads ohh so much.'}) event_e.filename = filename event_e.hostname = hostname event_objects.append(event_e) timestamp = timelib.Timestamp.CopyFromString(u'2012-04-30 10:29:47.929596') event_f = TestEvent(timestamp, {u'text': u'Nothing of interest here, move on.'}) event_f.filename = filename event_f.hostname = hostname event_objects.append(event_f) timestamp = timelib.Timestamp.CopyFromString(u'2012-04-30 13:06:47.939596') event_g = TestEvent( timestamp, {u'text': u'Mr. Evil just logged into the machine and got root.'}) event_g.filename = filename event_g.hostname = hostname event_objects.append(event_g) text_dict = { u'body': (u'This is a line by someone not reading the log line properly. And ' u'since this log line exceeds the accepted 80 chars it will be ' u'shortened.'), u'hostname': u'nomachine', u'username': u'johndoe' } # TODO: move this to a TextEvent unit test. timestamp = timelib.Timestamp.CopyFromString(u'2012-06-05 22:14:19.000000') event_h = text_events.TextEvent(timestamp, 12, text_dict) event_h.text = event_h.body event_h.hostname = hostname event_h.filename = filename event_objects.append(event_h) return event_objects