def testInternalExportEventsDeduplicate(self):
"""Tests the _ExportEvents function with deduplication."""
knowledge_base_object = knowledge_base.KnowledgeBase()
output_writer = cli_test_lib.TestBinaryOutputWriter()
formatter_mediator = formatters_mediator.FormatterMediator()
output_mediator_object = output_mediator.OutputMediator(
knowledge_base_object, formatter_mediator)
output_module = TestOutputModule(output_mediator_object)
output_module.SetOutputWriter(output_writer)
test_engine = psort.PsortMultiProcessEngine()
formatters_manager.FormattersManager.RegisterFormatter(
TestEventFormatter)
with shared_test_lib.TempDirectory() as temp_directory:
temp_file = os.path.join(temp_directory, 'storage.plaso')
self._CreateTestStorageFile(temp_file)
storage_reader = (storage_factory.StorageFactory.
CreateStorageReaderForFile(temp_file))
storage_reader.ReadPreprocessingInformation(knowledge_base_object)
test_engine._ExportEvents(storage_reader, output_module)
formatters_manager.FormattersManager.DeregisterFormatter(
TestEventFormatter)
lines = []
output = output_writer.ReadOutput()
for line in output.split(b'\n'):
lines.append(line)
self.assertEqual(len(output_module.events), 15)
self.assertEqual(len(output_module.macb_groups), 3)
def testInternalExportEvents(self):
"""Tests the _ExportEvents function."""
knowledge_base_object = knowledge_base.KnowledgeBase()
formatter_mediator = formatters_mediator.FormatterMediator()
output_mediator_object = output_mediator.OutputMediator(
knowledge_base_object, formatter_mediator)
output_module = TestOutputModule(output_mediator_object)
test_engine = psort.PsortMultiProcessEngine()
formatters_manager.FormattersManager.RegisterFormatter(
formatters_test_lib.TestEventFormatter)
try:
with shared_test_lib.TempDirectory() as temp_directory:
temp_file = os.path.join(temp_directory, 'storage.plaso')
self._CreateTestStorageFile(temp_file)
self._ReadSessionConfiguration(temp_file,
knowledge_base_object)
storage_reader = (storage_factory.StorageFactory.
CreateStorageReaderForFile(temp_file))
storage_reader.ReadSystemConfiguration(knowledge_base_object)
test_engine._ExportEvents(storage_reader,
output_module,
deduplicate_events=False)
finally:
formatters_manager.FormattersManager.DeregisterFormatter(
formatters_test_lib.TestEventFormatter)
self.assertEqual(len(output_module.events), 17)
self.assertEqual(len(output_module.macb_groups), 3)
def _TestGetMessageStrings(
self, event_data, expected_message, expected_short_message):
"""Tests the formatting of the message strings.
This function invokes the GetMessageStrings function of the event data
formatter on the event data and compares the resulting messages strings
with those expected.
Args:
event_data (EventData): event data.
expected_message (str): expected message string.
expected_short_message (str): expected short message string.
"""
formatters_directory_path = self._GetDataFilePath(['formatters'])
formatters_manager.FormattersManager.ReadFormattersFromDirectory(
formatters_directory_path)
formatter_mediator = formatters_mediator.FormatterMediator(
data_location=self._DATA_PATH)
message, message_short = (
formatters_manager.FormattersManager.GetMessageStrings(
formatter_mediator, event_data))
self.assertEqual(message, expected_message)
self.assertEqual(message_short, expected_short_message)
def testInitialization(self):
"""Tests the initialization."""
formatter_mediator = mediator.FormatterMediator()
self.assertIsNotNone(formatter_mediator)
def _CreateOutputModule(self, options):
"""Creates the output module.
Args:
options (argparse.Namespace): command line arguments.
Returns:
OutputModule: output module.
Raises:
RuntimeError: if the output module cannot be created.
"""
formatter_mediator = formatters_mediator.FormatterMediator(
data_location=self._data_location)
try:
formatter_mediator.SetPreferredLanguageIdentifier(
self._preferred_language)
except (KeyError, TypeError) as exception:
raise RuntimeError(exception)
mediator = output_mediator.OutputMediator(
self._knowledge_base,
formatter_mediator,
preferred_encoding=self.preferred_encoding)
mediator.SetTimezone(self._preferred_time_zone)
try:
output_module = output_manager.OutputManager.NewOutputModule(
self._output_format, mediator)
except (KeyError, ValueError) as exception:
raise RuntimeError(
'Unable to create output module with error: {0!s}'.format(
exception))
if output_manager.OutputManager.IsLinearOutputModule(
self._output_format):
output_file_object = open(self._output_filename, 'wb')
output_writer = tools.FileObjectOutputWriter(output_file_object)
output_module.SetOutputWriter(output_writer)
helpers_manager.ArgumentHelperManager.ParseOptions(
options, output_module)
# Check if there are parameters that have not been defined and need to
# in order for the output module to continue. Prompt user to supply
# those that may be missing.
missing_parameters = output_module.GetMissingArguments()
while missing_parameters:
for parameter in missing_parameters:
value = self._PromptUserForInput(
'Missing parameter {0:s} for output module'.format(
parameter))
if value is None:
logger.warning(
'Unable to set the missing parameter for: {0:s}'.
format(parameter))
continue
setattr(options, parameter, value)
helpers_manager.ArgumentHelperManager.ParseOptions(
options, output_module)
missing_parameters = output_module.GetMissingArguments()
return output_module
def testStorage(self):
"""Test the storage object."""
test_event_objects = test_lib.CreateTestEventObjects()
formatter_mediator = formatters_mediator.FormatterMediator()
event_objects = []
timestamps = []
group_mock = GroupMock()
tags = []
tags_mock = []
groups = []
group_events = []
same_events = []
serializer = protobuf_serializer.ProtobufEventObjectSerializer
with shared_test_lib.TempDirectory() as dirname:
temp_file = os.path.join(dirname, 'plaso.db')
store = storage.StorageFile(temp_file)
store.AddEventObjects(test_event_objects)
# Add tagging.
tag_1 = event.EventTag()
tag_1.store_index = 0
tag_1.store_number = 1
tag_1.comment = 'My comment'
tag_1.color = 'blue'
tags_mock.append(tag_1)
tag_2 = event.EventTag()
tag_2.store_index = 1
tag_2.store_number = 1
tag_2.tags = ['Malware']
tag_2.color = 'red'
tags_mock.append(tag_2)
tag_3 = event.EventTag()
tag_3.store_number = 1
tag_3.store_index = 2
tag_3.comment = 'This is interesting'
tag_3.tags = ['Malware', 'Benign']
tag_3.color = 'red'
tags_mock.append(tag_3)
store.StoreTagging(tags_mock)
# Add additional tagging, second round.
tag_4 = event.EventTag()
tag_4.store_index = 1
tag_4.store_number = 1
tag_4.tags = ['Interesting']
store.StoreTagging([tag_4])
group_mock.AddGroup('Malicious', [(1, 1), (1, 2)],
desc='Events that are malicious',
color='red',
first=1334940286000000,
last=1334961526929596,
cat='Malware')
store.StoreGrouping(group_mock)
store.Close()
read_store = storage.StorageFile(temp_file, read_only=True)
self.assertTrue(read_store.HasTagging())
self.assertTrue(read_store.HasGrouping())
for event_object in read_store.GetEntries(1):
event_objects.append(event_object)
timestamps.append(event_object.timestamp)
if event_object.data_type == 'windows:registry:key_value':
self.assertEqual(event_object.timestamp_desc,
eventdata.EventTimestamp.WRITTEN_TIME)
else:
self.assertEqual(event_object.timestamp_desc,
eventdata.EventTimestamp.WRITTEN_TIME)
for tag in read_store.GetTagging():
event_object = read_store.GetTaggedEvent(tag)
tags.append(event_object)
groups = list(read_store.GetGrouping())
self.assertEqual(len(groups), 1)
group_events = list(read_store.GetEventsFromGroup(groups[0]))
# Read the same events that were put in the group, just to compare
# against.
event_object = read_store.GetEventObject(1, 1)
serialized_event_object = serializer.WriteSerialized(event_object)
same_events.append(serialized_event_object)
event_object = read_store.GetEventObject(1, 2)
serialized_event_object = serializer.WriteSerialized(event_object)
same_events.append(serialized_event_object)
self.assertEqual(len(event_objects), 4)
self.assertEqual(len(tags), 4)
expected_timestamp = timelib.Timestamp.CopyFromString(
u'2009-04-05 12:27:39')
self.assertEqual(tags[0].timestamp, expected_timestamp)
self.assertEqual(tags[0].store_number, 1)
self.assertEqual(tags[0].store_index, 0)
self.assertEqual(tags[0].tag.comment, u'My comment')
self.assertEqual(tags[0].tag.color, u'blue')
msg, _ = formatters_manager.FormattersManager.GetMessageStrings(
formatter_mediator, tags[0])
self.assertEqual(msg[0:10], u'This is a ')
self.assertEqual(tags[1].tag.tags[0], 'Malware')
msg, _ = formatters_manager.FormattersManager.GetMessageStrings(
formatter_mediator, tags[1])
self.assertEqual(msg[0:15], u'[\\HKCU\\Windows\\')
self.assertEqual(tags[2].tag.comment, u'This is interesting')
self.assertEqual(tags[2].tag.tags[0], 'Malware')
self.assertEqual(tags[2].tag.tags[1], 'Benign')
self.assertEqual(tags[2].parser, 'UNKNOWN')
# Test the newly added fourth tag, which should include data from
# the first version as well.
self.assertEqual(tags[3].tag.tags[0], 'Interesting')
self.assertEqual(tags[3].tag.tags[1], 'Malware')
expected_timestamps = [
1238934459000000, 1334940286000000, 1334961526929596,
1335966206929596
]
self.assertEqual(timestamps, expected_timestamps)
self.assertEqual(groups[0].name, u'Malicious')
self.assertEqual(groups[0].category, u'Malware')
self.assertEqual(groups[0].color, u'red')
self.assertEqual(groups[0].description, u'Events that are malicious')
self.assertEqual(groups[0].first_timestamp, 1334940286000000)
self.assertEqual(groups[0].last_timestamp, 1334961526929596)
self.assertEqual(len(group_events), 2)
self.assertEqual(group_events[0].timestamp, 1334940286000000)
self.assertEqual(group_events[1].timestamp, 1334961526929596)
proto_group_events = []
for group_event in group_events:
serialized_event_object = serializer.WriteSerialized(group_event)
proto_group_events.append(serialized_event_object)
self.assertEqual(same_events, proto_group_events)
def setUp(self):
"""Sets up the objects used throughout a single test."""
self._formatter_mediator = formatters_mediator.FormatterMediator()
def testAnalyzeEvents(self):
"""Tests the AnalyzeEvents function."""
test_file_path = self._GetTestFilePath(['psort_test.plaso'])
self._SkipIfPathNotExists(test_file_path)
session = sessions.Session()
knowledge_base_object = knowledge_base.KnowledgeBase()
formatter_mediator = formatters_mediator.FormatterMediator()
formatter_mediator.SetPreferredLanguageIdentifier('en-US')
output_mediator_object = output_mediator.OutputMediator(
knowledge_base_object,
formatter_mediator,
data_location=shared_test_lib.TEST_DATA_PATH)
output_module = null.NullOutputModule(output_mediator_object)
data_location = ''
analysis_plugin = tagging.TaggingAnalysisPlugin()
analysis_plugins = {'tagging': analysis_plugin}
# TODO: set tag file.
configuration = configurations.ProcessingConfiguration()
test_engine = psort.PsortMultiProcessEngine()
with shared_test_lib.TempDirectory() as temp_directory:
temp_file = os.path.join(temp_directory, 'storage.plaso')
shutil.copyfile(test_file_path, temp_file)
storage_writer = storage_factory.StorageFactory.CreateStorageWriter(
definitions.DEFAULT_STORAGE_FORMAT, session, temp_file)
counter = test_engine.AnalyzeEvents(knowledge_base_object,
storage_writer, output_module,
data_location,
analysis_plugins,
configuration)
# TODO: assert if tests were successful.
_ = counter
test_filter = filters_test_lib.TestEventFilter()
with shared_test_lib.TempDirectory() as temp_directory:
temp_file = os.path.join(temp_directory, 'storage.plaso')
shutil.copyfile(test_file_path, temp_file)
storage_writer = storage_factory.StorageFactory.CreateStorageWriter(
definitions.DEFAULT_STORAGE_FORMAT, session, temp_file)
counter = test_engine.AnalyzeEvents(knowledge_base_object,
storage_writer,
data_location,
analysis_plugins,
configuration,
event_filter=test_filter)
# TODO: assert if tests were successful.
_ = counter
