    def testViperLookup(self):
        """Tests that the Viper plugin tags the one event whose hash it knows.

        The test events are produced onto a single-process queue, the plugin
        is run over that queue, and exactly one report with one tag (for
        event uuid '8') is expected back.
        """
        incoming_queue = single_process.SingleProcessQueue()
        knowledge_base = self._SetUpKnowledgeBase()

        # Feed every test event into the queue the plugin will consume.
        producer = queue.ItemQueueProducer(incoming_queue)
        producer.ProduceItems(
            [self._CreateTestEventObject(entry) for entry in self.TEST_EVENTS])

        # Plain HTTP to a local Viper instance is configured here.
        # NOTE(review): whether that lookup is stubbed is decided by the
        # _RunAnalysisPlugin helper, not visible in this block - confirm the
        # test never reaches the network.
        analysis_plugin = viper.ViperAnalysisPlugin(incoming_queue)
        analysis_plugin.SetProtocol(u'http')
        analysis_plugin.SetHost(u'localhost')

        report_consumer = self._RunAnalysisPlugin(
            analysis_plugin, knowledge_base)
        analysis_reports = self._GetAnalysisReportsFromQueue(report_consumer)

        self.assertEqual(len(analysis_reports), 1)
        tags = analysis_reports[0].GetTags()
        self.assertEqual(len(tags), 1)

        tag = tags[0]
        self.assertEqual(tag.event_uuid, u'8')
        # The tag text is compared verbatim, so project/tag wording matters.
        expected_string = (
            u'File is present in Viper. Projects: \"default\" Tags \"'
            u'rat, darkcomet\"')
        self.assertEqual(tag.tags[0], expected_string)
    def testExamineEventAndCompileReport(self):
        """Tests ExamineEvent and CompileReport against the sample events.

        Runs the plugin over self._TEST_EVENTS and checks the single report's
        text plus the four labels applied to the one tagged event.
        """
        plugin = viper.ViperAnalysisPlugin()
        plugin.SetHost('localhost')
        plugin.SetPort(8080)
        plugin.SetProtocol('http')

        # NOTE(review): the plugin is pointed at http://localhost:8080; whether
        # the lookup is stubbed is decided inside _AnalyzeEvents - confirm.
        storage_writer = self._AnalyzeEvents(self._TEST_EVENTS, plugin)

        self.assertEqual(len(storage_writer.analysis_reports), 1)
        self.assertEqual(storage_writer.number_of_event_tags, 1)

        report = storage_writer.analysis_reports[0]
        self.assertIsNotNone(report)

        # Report text is compared verbatim, so the label order matters here.
        expected_text = ('viper hash tagging results\n'
                         '1 events tagged with label: viper_present\n'
                         '1 events tagged with label: viper_project_default\n'
                         '1 events tagged with label: viper_tag_darkcomet\n'
                         '1 events tagged with label: viper_tag_rat\n')
        self.assertEqual(report.text, expected_text)

        # Flatten the labels of every event tag into one list.
        labels = [
            label
            for event_tag in storage_writer.GetEventTags()
            for label in event_tag.labels]
        self.assertEqual(len(labels), 4)

        expected_labels = [
            'viper_present', 'viper_project_default', 'viper_tag_darkcomet',
            'viper_tag_rat']
        self.assertEqual(sorted(labels), expected_labels)
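    def testExamineEventAndCompileReport(self):
        """Tests the ExamineEvent and CompileReport functions.

        Every test event is given a fake path specification before analysis.
        Exactly one report with one tag (event uuid '8') carrying the four
        Viper labels is expected.
        """
        events = []
        for event_dictionary in self._TEST_EVENTS:
            # Work on a copy: assigning the path spec into the fixture
            # dictionary itself would leak into every other test that reads
            # the class-level _TEST_EVENTS.
            event_values = dict(event_dictionary)
            event_values[u'pathspec'] = fake_path_spec.FakePathSpec(
                location=u'C:\\WINDOWS\\system32\\evil.exe')
            events.append(self._CreateTestEventObject(event_values))

        plugin = viper.ViperAnalysisPlugin()
        plugin.SetHost(u'localhost')
        plugin.SetPort(8080)
        plugin.SetProtocol(u'http')

        # NOTE(review): whether the Viper lookup is stubbed is decided inside
        # _AnalyzeEvents, which is not visible here - confirm no network use.
        storage_writer = self._AnalyzeEvents(events, plugin)

        self.assertEqual(len(storage_writer.analysis_reports), 1)
        analysis_report = storage_writer.analysis_reports[0]

        tags = analysis_report.GetTags()
        self.assertEqual(len(tags), 1)

        tag = tags[0]
        self.assertEqual(tag.event_uuid, u'8')

        # Compared as a list, so the label order is part of the expectation.
        expected_labels = [
            u'viper_present', u'viper_project_default', u'viper_tag_rat',
            u'viper_tag_darkcomet']
        self.assertEqual(tag.labels, expected_labels)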
  def testParseOptions(self):
    """Tests that ParseOptions rejects bad input.

    An unconfigured options object must raise BadConfigOption for a real
    plugin, and passing None instead of a plugin must raise BadConfigObject.
    """
    parse_options = viper_analysis.ViperAnalysisArgumentsHelper.ParseOptions
    options = cli_test_lib.TestOptions()

    with self.assertRaises(errors.BadConfigOption):
      parse_options(options, viper.ViperAnalysisPlugin())

    with self.assertRaises(errors.BadConfigObject):
      parse_options(options, None)
    def testExamineEventAndCompileReport(self):
        """Tests ExamineEvent and CompileReport via attribute containers.

        Runs the plugin over self._TEST_EVENTS and checks that one report
        named 'viper' counts each of the four labels once, and that the one
        event tag carries those same four labels.
        """
        plugin = viper.ViperAnalysisPlugin()
        plugin.SetHost('localhost')
        plugin.SetPort(8080)
        plugin.SetProtocol('http')

        # NOTE(review): whether the lookup against localhost:8080 is stubbed
        # is decided inside _AnalyzeEvents, not visible here - confirm.
        storage_writer = self._AnalyzeEvents(self._TEST_EVENTS, plugin)

        self.assertEqual(
            storage_writer.GetNumberOfAttributeContainers('analysis_report'),
            1)

        analysis_report = storage_writer.GetAttributeContainerByIndex(
            reports.AnalysisReport.CONTAINER_TYPE, 0)
        self.assertIsNotNone(analysis_report)
        self.assertEqual(analysis_report.plugin_name, 'viper')

        expected_labels = [
            'viper_present', 'viper_project_default', 'viper_tag_darkcomet',
            'viper_tag_rat']

        # Each label is expected to have been applied exactly once.
        self.assertEqual(
            analysis_report.analysis_counter,
            collections.Counter(dict.fromkeys(expected_labels, 1)))

        self.assertEqual(
            storage_writer.GetNumberOfAttributeContainers('event_tag'), 1)

        # Flatten the labels of every event tag into one list.
        labels = [
            label
            for event_tag in storage_writer.GetAttributeContainers(
                events.EventTag.CONTAINER_TYPE)
            for label in event_tag.labels]
        self.assertEqual(len(labels), 4)
        self.assertEqual(sorted(labels), expected_labels)
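    def testExamineEventAndCompileReport(self):
        """Tests the ExamineEvent and CompileReport functions.

        Every test event is given a fake path specification before analysis.
        One report and one event tag are expected; the report text is checked
        verbatim and the tag must carry the four Viper labels.
        """
        events = []
        for event_dictionary in self._TEST_EVENTS:
            # Work on a copy: assigning the path spec into the fixture
            # dictionary itself would leak into every other test that reads
            # the class-level _TEST_EVENTS.
            event_values = dict(event_dictionary)
            event_values[u'pathspec'] = fake_path_spec.FakePathSpec(
                location=u'C:\\WINDOWS\\system32\\evil.exe')
            events.append(self._CreateTestEventObject(event_values))

        plugin = viper.ViperAnalysisPlugin()
        plugin.SetHost(u'localhost')
        plugin.SetPort(8080)
        plugin.SetProtocol(u'http')

        # NOTE(review): whether the Viper lookup is stubbed is decided inside
        # _AnalyzeEvents, which is not visible here - confirm no network use.
        storage_writer = self._AnalyzeEvents(events, plugin)

        self.assertEqual(len(storage_writer.analysis_reports), 1)
        self.assertEqual(len(storage_writer.event_tags), 1)

        report = storage_writer.analysis_reports[0]
        self.assertIsNotNone(report)

        # Report text is compared verbatim, so the label order matters here.
        expected_text = (
            u'viper hash tagging results\n'
            u'1 path specifications tagged with label: viper_tag_rat\n'
            u'1 path specifications tagged with label: viper_present\n'
            u'1 path specifications tagged with label: viper_tag_darkcomet\n'
            u'1 path specifications tagged with label: viper_project_default\n'
        )
        self.assertEqual(report.text, expected_text)

        # Flatten the labels of every event tag into one list.
        labels = [
            label
            for event_tag in storage_writer.event_tags
            for label in event_tag.labels]
        self.assertEqual(len(labels), 4)

        expected_labels = [
            u'viper_present', u'viper_project_default', u'viper_tag_darkcomet',
            u'viper_tag_rat']
        self.assertEqual(sorted(labels), expected_labels)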