class TestAnalysisYaraBasePlugin(AnalysisPluginTest):
PLUGIN_NAME = 'Yara_Base_Plugin'
def setUp(self):
super().setUp()
config = self.init_basic_config()
self.intended_signature_path = os.path.join(get_src_dir(), 'analysis/signatures', self.PLUGIN_NAME)
self.analysis_plugin = YaraBasePlugin(self, config=config, plugin_path='/foo/bar/Yara_Base_Plugin/code/test.py')
def test_get_signature_paths(self):
self.assertTrue(isinstance(self.analysis_plugin.signature_path, str), 'incorrect type')
self.assertEqual('{}.yc'.format(self.intended_signature_path.rstrip('/')), self.analysis_plugin.signature_path, 'signature path is wrong')
def test_process_object(self):
test_file = FileObject(file_path=os.path.join(get_test_data_dir(), 'yara_test_file'))
test_file.processed_analysis.update({self.PLUGIN_NAME: []})
processed_file = self.analysis_plugin.process_object(test_file)
results = processed_file.processed_analysis[self.PLUGIN_NAME]
assert len(results) == 2, 'not all matches found'
assert 'testRule' in results, 'testRule match not found'
assert results['summary'] == ['testRule']
def test_process_object_nothing_found(self):
test_file = FileObject(file_path=os.path.join(get_test_data_dir(), 'zero_byte'))
test_file.processed_analysis.update({self.PLUGIN_NAME: []})
processed_file = self.analysis_plugin.process_object(test_file)
self.assertEqual(len(processed_file.processed_analysis[self.PLUGIN_NAME]), 1, 'result present but should not')
self.assertEqual(processed_file.processed_analysis[self.PLUGIN_NAME]['summary'], [], 'summary not empty')
class TestAnalysisYaraBasePlugin(AnalysisPluginTest):
PLUGIN_NAME = "Yara_Base_Plugin"
def setUp(self):
super().setUp()
config = self.init_basic_config()
self.intended_signature_path = os.path.join(get_src_dir(),
'analysis/signatures',
self.PLUGIN_NAME)
self.analysis_plugin = YaraBasePlugin(
self,
config=config,
plugin_path='/foo/bar/Yara_Base_Plugin/code/test.py')
def test_get_signature_file_name(self):
assert self.analysis_plugin._get_signature_file_name(
'/foo/bar/plugin_name/code/test.py') == 'plugin_name.yc'
def test_get_signature_paths(self):
self.assertTrue(isinstance(self.analysis_plugin.signature_path, str),
"incorrect type")
self.assertEqual(
'{}.yc'.format(self.intended_signature_path.rstrip('/')),
self.analysis_plugin.signature_path, "signature path is wrong")
def test_process_object(self):
test_file = FileObject(
file_path=os.path.join(get_test_data_dir(), "yara_test_file"))
test_file.processed_analysis.update({self.PLUGIN_NAME: []})
processed_file = self.analysis_plugin.process_object(test_file)
results = processed_file.processed_analysis[self.PLUGIN_NAME]
self.assertEqual(len(results), 2, "not all matches found")
self.assertTrue('testRule' in results, "testRule match not found")
self.assertEqual(results['summary'], ['testRule'])
def test_process_object_nothing_found(self):
test_file = FileObject(
file_path=os.path.join(get_test_data_dir(), "zero_byte"))
test_file.processed_analysis.update({self.PLUGIN_NAME: []})
processed_file = self.analysis_plugin.process_object(test_file)
self.assertEqual(
len(processed_file.processed_analysis[self.PLUGIN_NAME]), 1,
"result present but should not")
self.assertEqual(
processed_file.processed_analysis[self.PLUGIN_NAME]['summary'], [],
"summary not empty")
def test_new_yara_matching(self):
with open(os.path.join(get_test_data_dir(), 'yara_matches'),
'r') as fd:
match_file = fd.read()
matches = self.analysis_plugin._parse_yara_output(match_file)
self.assertIsInstance(matches, dict, 'matches should be dict')
self.assertIn('PgpPublicKeyBlock', matches.keys(),
'Pgp block should have been matched')
self.assertIn(0, matches['PgpPublicKeyBlock']['strings'][0],
'first block should start at 0x0')
def setUp(self):
super().setUp()
config = self.init_basic_config()
self.intended_signature_path = os.path.join(get_src_dir(),
'analysis/signatures',
self.PLUGIN_NAME)
self.analysis_plugin = YaraBasePlugin(
self,
config=config,
plugin_path='/foo/bar/Yara_Base_Plugin/code/test.py')
def test_parse_yara_output():
matches = YaraBasePlugin._parse_yara_output(YARA_TEST_OUTPUT) # pylint: disable=protected-access
assert isinstance(matches, dict), 'matches should be dict'
assert 'PgpPublicKeyBlock' in matches.keys(), 'Pgp block should have been matched'
assert matches['PgpPublicKeyBlock']['strings'][0][0] == 0, 'first block should start at 0x0'
assert 'r_libjpeg8_8d12b1_0' in matches
assert matches['r_libjpeg8_8d12b1_0']['meta']['description'] == 'foo [bar]'
assert len(matches) == 7, 'not all matches found'
def test_get_signature_file_name():
assert YaraBasePlugin._get_signature_file_name('/foo/bar/plugin_name/code/test.py') == 'plugin_name.yc' # pylint: disable=protected-access
def test_get_signature_file_name():
assert YaraBasePlugin._get_signature_file_name(
'/foo/bar/plugin_name/code/test.py') == 'plugin_name.yc'