def test4_receive_atom_missing_value(self): """This test case checks if missing values are reported correctly.""" description = "Test4MissingMatchPathValueDetector" t = time.time() match_context_fixed_dme = MatchContext(self.pid) fixed_dme = FixedDataModelElement('s1', self.pid) match_element_fixed_dme = fixed_dme.get_match_element("match1", match_context_fixed_dme) missing_match_path_value_detector = MissingMatchPathValueDetector(self.aminer_config, [match_element_fixed_dme.get_path()], [ self.stream_printer_event_handler], 'Default', True, self.__default_interval, self.__realert_interval) self.analysis_context.register_component(missing_match_path_value_detector, description) log_atom_fixed_dme = LogAtom(fixed_dme.fixed_data, ParserMatch(match_element_fixed_dme), t, missing_match_path_value_detector) self.assertTrue(missing_match_path_value_detector.receive_atom(log_atom_fixed_dme)) past_time = 4000 missing_match_path_value_detector = MissingMatchPathValueDetector(self.aminer_config, [match_element_fixed_dme.get_path()], [ self.stream_printer_event_handler], 'Default', True, missing_match_path_value_detector.default_interval - past_time, self.__realert_interval, output_log_line=False) self.analysis_context.register_component(missing_match_path_value_detector, description + "2") log_atom_fixed_dme = LogAtom(fixed_dme.fixed_data, ParserMatch(match_element_fixed_dme), t + past_time, missing_match_path_value_detector) self.assertTrue(missing_match_path_value_detector.receive_atom(log_atom_fixed_dme)) self.assertEqual(self.output_stream.getvalue(), self.__expected_string % ( datetime.fromtimestamp(t + past_time).strftime(self.datetime_format_string), missing_match_path_value_detector.__class__.__name__, description + "2", 1, self.match1_s1_overdue))
def test4_fuzzing_path_is_none(self): """This testmethod is part of the Fuzz Testing and it assures, that the path-input is validated. In this case a path is not needed, because FixedDataModelElement has no child elements.""" match_context = MatchContext(self.pid) fixed_dme = FixedDataModelElement('s0', self.pid) match_element = fixed_dme.get_match_element(None, match_context) self.assertNotEqual(match_element, None, "There should exist a MatchElement!")
def test7constraint_list(self): """Test the allowlisting of paths.""" description = 'test7eventCorrelationDetectorTest' ecd = EventCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], check_rules_flag=True, p0=0.7, alpha=0.1, auto_include_flag=True) self.analysis_context.register_component(ecd, description) self.assertEqual([], ecd.constraint_list) match_context_fixed_dme = MatchContext(b' pid=') fixed_dme = FixedDataModelElement('s1', b' pid=') match_element_fixed_dme = fixed_dme.get_match_element( "", match_context_fixed_dme) # unknown path ecd.allowlist_event(self.analysis % ecd.__class__.__name__, match_element_fixed_dme.get_path(), None) self.assertEqual(['/s1'], ecd.constraint_list) # known path ecd.allowlist_event(self.analysis % ecd.__class__.__name__, match_element_fixed_dme.get_path(), None) self.assertEqual(['/s1'], ecd.constraint_list)
def get_systemd_model(): """Return the parsing model for messages directly from systemd.""" type_children = [ FixedDataModelElement('apt-daily-start', b'Starting Daily apt activities...'), FixedDataModelElement('apt-daily-started', b'Started Daily apt activities.'), SequenceModelElement('apt-daily-timer', [ FixedDataModelElement('s0', b'apt-daily.timer: Adding '), OptionalMatchModelElement( 'hopt', SequenceModelElement('hblock', [ DecimalIntegerValueModelElement('hours'), FixedDataModelElement('s1', b'h ') ])), DecimalIntegerValueModelElement('minutes'), FixedDataModelElement('s2', b'min '), DecimalFloatValueModelElement('seconds'), FixedDataModelElement('s3', b's random time.') ]), FixedDataModelElement('tmp-file-cleanup', b'Starting Cleanup of Temporary Directories...'), FixedDataModelElement('tmp-file-cleanup-started', b'Started Cleanup of Temporary Directories.') ] model = SequenceModelElement('systemd', [ FixedDataModelElement('sname', b'systemd['), DecimalIntegerValueModelElement('pid'), FixedDataModelElement('s0', b']: '), FirstMatchModelElement('msg', type_children) ]) return model
def test4get_match_element_no_match(self): """Parse not matching substring from MatchContext and check if the MatchContext was not changed.""" no_match_string = b"Hello World." match_context = DummyMatchContext(self.data) fixed_dme = FixedDataModelElement(self.id_, no_match_string) match_element = fixed_dme.get_match_element(self.path, match_context) self.compare_no_match_results(self.data, match_element, match_context)
def test5_missing_value_on_persisted(self): """Persisting elements is tested in this test case.""" description = "Test5MissingMatchPathValueDetector" t = time.time() match_context_fixed_dme = MatchContext(self.pid) fixed_dme = FixedDataModelElement('s1', self.pid) match_element_fixed_dme = fixed_dme.get_match_element("match1", match_context_fixed_dme) missing_match_path_value_detector = MissingMatchPathValueDetector(self.aminer_config, [match_element_fixed_dme.get_path()], [ self.stream_printer_event_handler], 'Default', True, self.__default_interval, self.__realert_interval) self.analysis_context.register_component(missing_match_path_value_detector, description) log_atom_fixed_dme = LogAtom(fixed_dme.fixed_data, ParserMatch(match_element_fixed_dme), round(t), missing_match_path_value_detector) self.assertTrue(missing_match_path_value_detector.receive_atom(log_atom_fixed_dme)) missing_match_path_value_detector.do_persist() past_time = 4000 other_missing_match_path_value_detector = MissingMatchPathValueDetector(self.aminer_config, [match_element_fixed_dme.get_path()], [ self.stream_printer_event_handler], 'Default', True, self.__default_interval, self.__realert_interval) self.analysis_context.register_component(other_missing_match_path_value_detector, description + "2") other_missing_match_path_value_detector.set_check_value(other_missing_match_path_value_detector.get_channel_key( log_atom_fixed_dme)[1], self.__default_interval - past_time, match_element_fixed_dme.get_path()) log_atom_fixed_dme = LogAtom(fixed_dme.fixed_data, ParserMatch(match_element_fixed_dme), round(t) + past_time, other_missing_match_path_value_detector) self.assertTrue(other_missing_match_path_value_detector.receive_atom(log_atom_fixed_dme)) # skipcq: PYL-R1714 self.assertTrue((self.output_stream.getvalue() == self.__expected_string % ( datetime.fromtimestamp(t + past_time).strftime(self.datetime_format_string), other_missing_match_path_value_detector.__class__.__name__, description + "2", 1, self.match1_s1_overdue)) or ( self.output_stream.getvalue() == self.__expected_string % ( datetime.fromtimestamp(t + past_time + 1).strftime(self.datetime_format_string), other_missing_match_path_value_detector.__class__.__name__, description + "2", 1, self.match1_s1_overdue)))
def test7_receive_atom_list_without_match_element(self): """This test case checks if the ReceiveAtom controls the list of MatchElements and responds correctly, when a value is missing.""" description = "Test7MissingMatchPathValueDetector" match_context_fixed_dme = MatchContext(self.pid) fixed_dme = FixedDataModelElement('s1', self.pid) match_element_fixed_dme = fixed_dme.get_match_element( "match1", match_context_fixed_dme) match_context_decimal_integer_value_me = MatchContext(self.string) decimal_integer_value_me = DecimalIntegerValueModelElement( 'd1', DecimalIntegerValueModelElement.SIGN_TYPE_NONE, DecimalIntegerValueModelElement.PAD_TYPE_NONE) match_element_decimal_integer_value_me = decimal_integer_value_me.get_match_element( "match2", match_context_decimal_integer_value_me) match_context_fixed_dme = MatchContext(self.pid) matchElementFixedDME2 = fixed_dme.get_match_element( "match3", match_context_fixed_dme) missing_match_path_list_value_detector = MissingMatchPathListValueDetector( self.aminer_config, [ match_element_fixed_dme.get_path(), match_element_decimal_integer_value_me.get_path() ], [self.stream_printer_event_handler], 'Default', False, self.__default_interval, self.__realert_interval) self.analysis_context.register_component( missing_match_path_list_value_detector, description) log_atom_fixed_dme = LogAtom(fixed_dme.fixed_data, ParserMatch(matchElementFixedDME2), 1, missing_match_path_list_value_detector) self.assertFalse( missing_match_path_list_value_detector.receive_atom( log_atom_fixed_dme))
def test6_receive_atom_list(self): """This test case checks, whether a missing value is created by a list without using the auto_include_flag. (should not be the case)""" description = "Test6MissingMatchPathValueDetector" match_context_fixed_dme = MatchContext(self.pid) fixed_dme = FixedDataModelElement('s1', self.pid) match_element_fixed_dme = fixed_dme.get_match_element( "match1", match_context_fixed_dme) match_context_decimal_integer_value_me = MatchContext(self.string) decimal_integer_value_me = DecimalIntegerValueModelElement( 'd1', DecimalIntegerValueModelElement.SIGN_TYPE_NONE, DecimalIntegerValueModelElement.PAD_TYPE_NONE) match_element_decimal_integer_value_me = decimal_integer_value_me.get_match_element( "match2", match_context_decimal_integer_value_me) missing_match_path_list_value_detector = MissingMatchPathListValueDetector( self.aminer_config, [ match_element_fixed_dme.get_path(), match_element_decimal_integer_value_me.get_path() ], [self.stream_printer_event_handler], 'Default', False, self.__default_interval, self.__realert_interval) self.analysis_context.register_component( missing_match_path_list_value_detector, description) log_atom_fixed_dme = LogAtom(fixed_dme.fixed_data, ParserMatch(match_element_fixed_dme), 1, missing_match_path_list_value_detector) self.assertTrue( missing_match_path_list_value_detector.receive_atom( log_atom_fixed_dme))
def test3_receive_atom_no_missing_value(self): """This test case checks whether the class returns wrong positives, when the time limit is not passed.""" description = "Test3MissingMatchPathValueDetector" match_context_fixed_dme = MatchContext(self.pid) fixed_dme = FixedDataModelElement('s1', self.pid) match_element_fixed_dme = fixed_dme.get_match_element( "match1", match_context_fixed_dme) missing_match_path_value_detector = MissingMatchPathValueDetector( self.aminer_config, match_element_fixed_dme.get_path(), [self.stream_printer_event_handler], 'Default', True, self.__default_interval, self.__realert_interval) self.analysis_context.register_component( missing_match_path_value_detector, description) log_atom_fixed_dme = LogAtom(fixed_dme.fixed_data, ParserMatch(match_element_fixed_dme), time.time(), missing_match_path_value_detector) self.assertTrue( missing_match_path_value_detector.receive_atom(log_atom_fixed_dme)) past_time = 3200 missing_match_path_value_detector = MissingMatchPathValueDetector( self.aminer_config, match_element_fixed_dme.get_path(), [self.stream_printer_event_handler], 'Default', True, missing_match_path_value_detector.default_interval - past_time, self.__realert_interval) log_atom_fixed_dme = LogAtom(fixed_dme.fixed_data, ParserMatch(match_element_fixed_dme), time.time() + past_time, missing_match_path_value_detector) self.assertTrue( missing_match_path_value_detector.receive_atom(log_atom_fixed_dme)) self.assertEqual(self.output_stream.getvalue(), '')
def test3timestamp_higher_than_last_timestamp(self): """This test case checks if nothing happens, when the timestamp is, as expected, higher than the last one.""" description = "Test3TimestampsUnsortedDetector" match_context_fixed_dme = MatchContext(self.pid) fixed_dme = FixedDataModelElement('s1', self.pid) match_element_fixed_dme = fixed_dme.get_match_element( "match", match_context_fixed_dme) new_match_path_detector = NewMatchPathDetector( self.aminer_config, [self.stream_printer_event_handler], 'Default', False) self.analysis_context.register_component(new_match_path_detector, description) t = time() log_atom = LogAtom(fixed_dme.fixed_data, ParserMatch(match_element_fixed_dme), t, new_match_path_detector) timestamp_unsorted_detector = TimestampsUnsortedDetector( self.aminer_config, [self.stream_printer_event_handler], False, output_log_line=False) self.analysis_context.register_component(timestamp_unsorted_detector, description + "2") self.assertTrue(timestamp_unsorted_detector.receive_atom(log_atom)) self.assertEqual(self.output_stream.getvalue(), '') log_atom.set_timestamp(t) self.assertTrue(timestamp_unsorted_detector.receive_atom(log_atom)) self.assertEqual(self.output_stream.getvalue(), '') log_atom.set_timestamp(t + 10000) self.assertTrue(timestamp_unsorted_detector.receive_atom(log_atom)) self.assertEqual(self.output_stream.getvalue(), '')
def test3path_exists_match_rule(self): """This case unit the PathExistsMatchRule.""" description = "Test3Rules" path_exists_match_rule = PathExistsMatchRule(self.match_s1, None) self.analysis_context.register_component(path_exists_match_rule, description) self.fixed_dme = FixedDataModelElement('s1', self.fixed_string) t = time() match_context = MatchContext(self.fixed_string) match_element = self.fixed_dme.get_match_element( 'match', match_context) log_atom = LogAtom(match_context.match_data, ParserMatch(match_element), t, path_exists_match_rule) self.assertTrue(path_exists_match_rule.match(log_atom)) self.fixed_dme = FixedDataModelElement('s2', self.fixed_string) match_context = MatchContext(self.fixed_string) match_element = self.fixed_dme.get_match_element( 'match', match_context) log_atom = LogAtom(match_context.match_data, ParserMatch(match_element), t, path_exists_match_rule) self.assertTrue(not path_exists_match_rule.match(log_atom))
def test1simple_monotonic_timestamp_adjust_test(self): """this test case checks if the timestamp is adjusted and logAtoms are forwarded correctly.""" description = "Test1TimestampCorrectionFilter" match_context_fixed_dme = MatchContext(b' pid=') fixed_dme = FixedDataModelElement('s1', b' pid=') match_element_fixed_dme = fixed_dme.get_match_element( "match", match_context_fixed_dme) t = time() new_match_path_detector = NewMatchPathDetector( self.aminer_config, [self.stream_printer_event_handler], 'Default', False, output_log_line=False) self.analysis_context.register_component(new_match_path_detector, description) simple_monotonic_timstamp_adjust = SimpleMonotonicTimestampAdjust( [new_match_path_detector], False) log_atom_fixed_dme = LogAtom(fixed_dme.fixed_data, ParserMatch(match_element_fixed_dme), t, new_match_path_detector) self.assertEqual( simple_monotonic_timstamp_adjust.receive_atom(log_atom_fixed_dme), True) self.assertEqual( self.output_stream.getvalue(), self.__expected_string % (datetime.fromtimestamp(t).strftime("%Y-%m-%d %H:%M:%S"), new_match_path_detector.__class__.__name__, description, 1, self.match_path))
def get_logind_model(user_name_model=None): """Return a model to parse a systemd logind daemon message after any standard logging preamble, e.g. from syslog.""" if user_name_model is None: user_name_model = VariableByteDataModelElement("user", b"0123456789abcdefghijklmnopqrstuvwxyz-_") type_children = [ SequenceModelElement("new session", [ FixedDataModelElement("s0", b"New session "), DecimalIntegerValueModelElement("session"), FixedDataModelElement("s1", b" of user "), user_name_model, FixedDataModelElement("s2", b".") ]), SequenceModelElement("removed session", [ FixedDataModelElement("s0", b"Removed session "), DecimalIntegerValueModelElement("session"), FixedDataModelElement("s1", b".") ]), SequenceModelElement("logged out", [ FixedDataModelElement("s0", b"Session "), DecimalIntegerValueModelElement("session"), FixedDataModelElement("s1", b" logged out. Waiting for processes to exit.") ]), FixedDataModelElement("failed abandon", b"Failed to abandon session scope: Transport endpoint is not connected") ] # Will fail on username models including the dot at the end. model = SequenceModelElement("systemd-logind", [ FixedDataModelElement("sname", b"systemd-logind["), DecimalIntegerValueModelElement("pid"), FixedDataModelElement("s0", b"]: "), FirstMatchModelElement("msg", type_children) ]) return model
def test1_valid_input_with_match_element_found(self): """This testmethod is part of the Basis Path Testing / Decision Coverage. It assures, that the intended usage of the FixedDataModelElement is working. (MatchElement found)""" match_context = MatchContext(self.pid) fixed_dme = FixedDataModelElement('s0', self.pid) match_element = fixed_dme.get_match_element("", match_context) self.assertNotEqual(match_element, None, "There should exist a MatchElement!")
def test8_receive_atom_list_no_missing_value(self): """This test case checks whether the class returns wrong positives on lists, when the time limit should not be passed.""" description = "Test8MissingMatchPathValueDetector" t = time.time() match_context_fixed_dme = MatchContext(self.pid) fixed_dme = FixedDataModelElement('s1', self.pid) match_element_fixed_dme = fixed_dme.get_match_element("match1", match_context_fixed_dme) match_context_decimal_integer_value_me = MatchContext(self.string) decimal_integer_value_me = DecimalIntegerValueModelElement('d1', DecimalIntegerValueModelElement.SIGN_TYPE_NONE, DecimalIntegerValueModelElement.PAD_TYPE_NONE) match_element_decimal_integer_value_me = decimal_integer_value_me.get_match_element( "match2", match_context_decimal_integer_value_me) missing_match_path_list_value_detector = MissingMatchPathListValueDetector(self.aminer_config, [ match_element_fixed_dme.get_path(), match_element_decimal_integer_value_me.get_path()], [self.stream_printer_event_handler], 'Default', True, self.__default_interval, self.__realert_interval) self.analysis_context.register_component(missing_match_path_list_value_detector, description) log_atom_fixed_dme = LogAtom(fixed_dme.fixed_data, ParserMatch(match_element_fixed_dme), round(t), missing_match_path_list_value_detector) self.assertTrue(missing_match_path_list_value_detector.receive_atom(log_atom_fixed_dme)) past_time = 3200 missing_match_path_list_value_detector = MissingMatchPathListValueDetector(self.aminer_config, [ match_element_fixed_dme.get_path(), match_element_decimal_integer_value_me.get_path()], [self.stream_printer_event_handler], 'Default', True, missing_match_path_list_value_detector.default_interval - past_time, self.__realert_interval) self.analysis_context.register_component(missing_match_path_list_value_detector, description + "2") log_atom_fixed_dme = LogAtom(fixed_dme.fixed_data, ParserMatch(match_element_fixed_dme), round(t) + past_time, missing_match_path_list_value_detector) self.assertTrue(missing_match_path_list_value_detector.receive_atom(log_atom_fixed_dme)) self.assertEqual(self.output_stream.getvalue(), '')
def test4get_match_element_no_match(self): """Parse not matching substring from MatchContext and check if the MatchContext was not changed.""" no_match_string = b"Hello World." match_context = DummyMatchContext(self.data) fixed_dme = FixedDataModelElement("s0", no_match_string) match_element = fixed_dme.get_match_element("fixed", match_context) self.assertIsNone(match_element, None) self.assertEqual(match_context.match_data, self.data) self.assertEqual(match_context.match_string, b"")
def test3get_match_element_valid_match(self): """Parse matching substring from MatchContext and check if the MatchContext was updated with the fixed string.""" fixed_string = b"fixed data." fixed_dme = FixedDataModelElement(self.id_, fixed_string) match_context = DummyMatchContext(self.data) match_element = fixed_dme.get_match_element(self.path, match_context) self.compare_match_results(self.data, match_element, match_context, self.id_, self.path, fixed_string, fixed_string, None)
def test1_receive_atom(self): """This test case checks whether a missing value is created without using the auto_include_flag (should not be the case).""" description = "Test1MissingMatchPathValueDetector" match_context_fixed_dme = MatchContext(self.pid) fixed_dme = FixedDataModelElement('s1', self.pid) match_element_fixed_dme = fixed_dme.get_match_element("match1", match_context_fixed_dme) missing_match_path_value_detector = MissingMatchPathValueDetector(self.aminer_config, [match_element_fixed_dme.get_path()], [ self.stream_printer_event_handler], 'Default', False, self.__default_interval, self.__realert_interval) self.analysis_context.register_component(missing_match_path_value_detector, description) log_atom_fixed_dme = LogAtom(fixed_dme.fixed_data, ParserMatch(match_element_fixed_dme), 1, missing_match_path_value_detector) self.assertTrue(missing_match_path_value_detector.receive_atom(log_atom_fixed_dme))
def test3get_match_element_valid_match(self): """Parse matching substring from MatchContext and check if the MatchContext was updated accordingly.""" fixed_string = b'fixed data.' match_context = DummyMatchContext(self.data) fixed_dme = FixedDataModelElement("s0", fixed_string) match_element = fixed_dme.get_match_element("fixed", match_context) self.assertEqual(match_element.path, "fixed/s0") self.assertEqual(match_element.match_string, fixed_string) self.assertEqual(match_element.match_object, fixed_string) self.assertIsNone(match_element.children, None) self.assertEqual(match_context.match_string, fixed_string)
def test2do_timer(self): """In this test case the functionality of the timer is tested. The eventCollectTime must not be 0.""" description = "Test2DefaultMailNotificationEventHandler" default_mail_notification_event_handler = DefaultMailNotificationEventHandler(self.analysis_context) self.analysis_context.register_component(self, description) t = time() match_context = MatchContext(self.pid) fixed_dme = FixedDataModelElement('s3', self.pid) match_element = fixed_dme.get_match_element("match", match_context) log_atom = LogAtom(fixed_dme.fixed_data, ParserMatch(match_element), t, self) default_mail_notification_event_handler.receive_event( self.test % self.__class__.__name__, 'New value for pathes %s: %s' % ( 'match/s3', repr(match_element.match_object)), [log_atom.raw_data], None, log_atom, self) t = 0 default_mail_notification_event_handler.do_timer(t) # skipcq: PYL-W1510, BAN-B602 result = subprocess.run(self.mail_call, shell=True, stdout=subprocess.PIPE) self.assertFalse(self.__expected_string % ( match_element.get_path(), repr(match_element.get_match_object()), self.__class__.__name__, description, 1, match_element.get_match_string().decode() + "\n\n") in str(result.stdout, 'utf-8')) t = time() default_mail_notification_event_handler.next_alert_time = t + 500 default_mail_notification_event_handler.do_timer(t) # skipcq: PYL-W1510, BAN-B602 result = subprocess.run(self.mail_call, shell=True, stdout=subprocess.PIPE) self.assertFalse(self.__expected_string % ( match_element.get_path(), repr(match_element.get_match_object()), self.__class__.__name__, description, 1, match_element.get_match_string().decode() + "\n\n") in str(result.stdout, 'utf-8')) default_mail_notification_event_handler.next_alert_time = t default_mail_notification_event_handler.do_timer(t) sleep(2) # skipcq: PYL-W1510, BAN-B602 result = subprocess.run(self.mail_call, shell=True, stdout=subprocess.PIPE) # skipcq: PYL-W1510, BAN-B602 subprocess.run(self.mail_delete_call, shell=True, stdout=subprocess.PIPE) if datetime.fromtimestamp(t).strftime(self.datetime_format_string) not in str(result.stdout, 'utf-8'): print("ERROR: %s t not found in mail!" % description, file=sys.stderr) self.assertTrue(self.__expected_string % ( match_element.get_path(), repr(match_element.get_match_object()), self.__class__.__name__, description, 1, match_element.get_match_string().decode() + "\n\n") in str(result.stdout, 'utf-8'), msg="%s vs \n %s" % ( self.__expected_string % ( match_element.get_path(), repr(match_element.get_match_object()), self.__class__.__name__, description, 1, match_element.get_match_string().decode() + "\n\n"), str(result.stdout, 'utf-8')))
def test2_receive_atom_without_match_element(self): """This test case checks if the ReceiveAtom controls the MatchElement and responds correctly, when it is missing.""" description = "Test2MissingMatchPathValueDetector" match_context_fixed_dme = MatchContext(self.pid) fixed_dme = FixedDataModelElement('s1', self.pid) match_element_fixed_dme = fixed_dme.get_match_element("match1", match_context_fixed_dme) match_context_fixed_dme = MatchContext(self.pid) matchElementFixedDME2 = fixed_dme.get_match_element("match2", match_context_fixed_dme) missing_match_path_value_detector = MissingMatchPathValueDetector(self.aminer_config, [match_element_fixed_dme.get_path()], [ self.stream_printer_event_handler], 'Default', False, self.__default_interval, self.__realert_interval) self.analysis_context.register_component(missing_match_path_value_detector, description) log_atom_fixed_dme = LogAtom(fixed_dme.fixed_data, ParserMatch(matchElementFixedDME2), 1, missing_match_path_value_detector) self.assertFalse(missing_match_path_value_detector.receive_atom(log_atom_fixed_dme))
def get_model(): """Return the model.""" type_children = [ SequenceModelElement("sent", [ FixedDataModelElement("s0", b"Sent mail for "), DelimitedDataModelElement("to-addr", b" ("), FixedDataModelElement("s1", b" ("), DelimitedDataModelElement("status", b") uid="), FixedDataModelElement("s2", b") uid="), DecimalIntegerValueModelElement("uid"), FixedDataModelElement("s3", b" username="******"username", b" outbytes="), FixedDataModelElement("s4", b" outbytes="), DecimalIntegerValueModelElement("bytes") ]), SequenceModelElement("sent", [ DelimitedDataModelElement("program", b" "), FixedDataModelElement("s0", b" sent mail for "), AnyByteDataModelElement("user") ]) ] model = SequenceModelElement("ssmtp", [ FixedDataModelElement("sname", b"sSMTP["), DecimalIntegerValueModelElement("pid"), FixedDataModelElement("s0", b"]: "), FirstMatchModelElement("msg", type_children) ]) return model
def get_model(): """Return a model to parse messages from kernel logging.""" type_children = [ SequenceModelElement("ipv4-martian", [ FixedDataModelElement("s0", b"IPv4: martian "), FixedWordlistDataModelElement("direction", [b"source", b"destination"]), FixedDataModelElement("s1", b" "), IpAddressDataModelElement("destination"), FixedDataModelElement("s2", b" from "), IpAddressDataModelElement("source"), FixedDataModelElement("s3", b", on dev "), AnyByteDataModelElement("interface")]), SequenceModelElement("net-llheader", [ FixedDataModelElement("s0", b"ll header: "), AnyByteDataModelElement("data") ]), AnyByteDataModelElement("unparsed") ] model = SequenceModelElement("kernel", [ FixedDataModelElement("sname", b"kernel: "), OptionalMatchModelElement("opt", SequenceModelElement("seq", [ FixedDataModelElement("opt_s0", b"]"), DelimitedDataModelElement("timestamp", b"]"), FixedDataModelElement("opt_s1", b"] "), ])), FirstMatchModelElement("msg", type_children) ]) return model
def get_model(): """Return a model to parse a su session information message after any standard logging preamble, e.g. from syslog.""" type_children = [ SequenceModelElement('gidchange', [ FixedDataModelElement('s0', b'rsyslogd\'s groupid changed to '), DecimalIntegerValueModelElement('gid') ]), SequenceModelElement('statechange', [ FixedDataModelElement('s0', b'[origin software="rsyslogd" swVersion="'), DelimitedDataModelElement('version', b'"'), FixedDataModelElement('s1', b'" x-pid="'), DecimalIntegerValueModelElement('pid'), FixedDataModelElement('s2', b'" x-info="http://www.rsyslog.com"] '), FirstMatchModelElement('type', [ FixedDataModelElement('HUPed', b'rsyslogd was HUPed'), FixedDataModelElement('start', b'start') ]) ]), SequenceModelElement('uidchange', [ FixedDataModelElement('s0', b'rsyslogd\'s userid changed to '), DecimalIntegerValueModelElement('uid') ]) ] model = SequenceModelElement('rsyslog', [ FixedDataModelElement('sname', b'rsyslogd: '), FirstMatchModelElement('msg', type_children) ]) return model
def test1_standard_input_values(self): """This test case verifies the functionality of the repeating Matches.""" match_context = MatchContext( b'fixed log line. \n A different line follows.') fixed_data_model_element = FixedDataModelElement( 'fixed', self.fixed_log_line) repeated_element_data_model_element = RepeatedElementDataModelElement( 'repeatedElement', fixed_data_model_element) self.assertEqual( repeated_element_data_model_element.get_match_element( 'match', match_context).get_match_string(), self.fixed_log_line) match_context = MatchContext( b'fixed log line. fixed log line. fixed log line. fixed log line. \n A different line follows.' ) self.assertEqual( repeated_element_data_model_element.get_match_element( 'match', match_context).get_match_string(), b'fixed log line. fixed log line. fixed log line. fixed log line. ' ) match_context = MatchContext(b'A different line follows.') self.assertEqual( repeated_element_data_model_element.get_match_element( 'match', match_context).get_match_string(), b'')
def test2_min_max_repeats(self): """This test case verifies the functionality of setting the minimal and maximal repeats.""" match_context = MatchContext( b'fixed log line. \n A different line follows.') fixed_data_model_element = FixedDataModelElement( 'fixed', self.fixed_log_line) repeated_element_data_model_element = RepeatedElementDataModelElement( 'repeatedElement', fixed_data_model_element, 2, 5) self.assertEqual( repeated_element_data_model_element.get_match_element( 'match', match_context), None) match_context = MatchContext( b'fixed log line. fixed log line. \n A different line follows.') self.assertEqual( repeated_element_data_model_element.get_match_element( 'match', match_context).get_match_string(), b'fixed log line. fixed log line. ') match_context = MatchContext( b'fixed log line. fixed log line. fixed log line. fixed log line. fixed log line. \n A different line follows.' ) self.assertEqual( repeated_element_data_model_element.get_match_element( 'match', match_context).get_match_string(), b'fixed log line. fixed log line. fixed log line. fixed log line. fixed log line. ' ) match_context = MatchContext( b'fixed log line. fixed log line. fixed log line. fixed log line. fixed log line. fixed log line. \n A different line follows.' ) self.assertEqual( repeated_element_data_model_element.get_match_element( 'match', match_context), None)
class SequenceModelElementTest(unittest.TestCase): sequence_start = b'The sequence starts with a number: ' fixed_data_model_element = FixedDataModelElement('fixed', sequence_start) decimal_integer_value_model_element = DecimalIntegerValueModelElement( 'decimal', DecimalIntegerValueModelElement.SIGN_TYPE_NONE, DecimalIntegerValueModelElement.PAD_TYPE_NONE) fixed_wordlist_data_model_element = FixedWordlistDataModelElement('wordlist', [b' Euro', b' Dollar', b' Pfund']) sequence_model_element = SequenceModelElement( 'sequence', [fixed_data_model_element, decimal_integer_value_model_element, fixed_wordlist_data_model_element]) def test1sequence_of_matching_elements(self): """A normal sequence of matching elements is tested in this example test case""" match_context = MatchContext(b'The sequence starts with a number: 25538 Euro') self.assertEqual(self.sequence_model_element.get_match_element( 'match', match_context).get_match_string(), b'The sequence starts with a number: 25538 Euro') self.assertEqual(match_context.match_data, b'') def test2sequence_not_matching(self): """A normal sequence of elements, which do not match with the expected sequence_model is tested.""" match_context = MatchContext(b'The sequence starts with a number: 25538 US-Dollar') self.assertEqual(self.sequence_model_element.get_match_element('match', match_context), None) self.assertEqual(match_context.match_data, b'The sequence starts with a number: 25538 US-Dollar') def test3match_context_shorter_than_sequence(self): """This test case unit if the sequence_model returns None, when the match_context is too short for a match.""" match_context = MatchContext(self.sequence_start) self.assertEqual(self.sequence_model_element.get_match_element('match', match_context), None) self.assertEqual(match_context.match_data, self.sequence_start)
def test3normal_incomplete_overlong_line_stream_not_ended(self): """A incomplete, overlong line, with the stream NOT ended, is tested as Input of the Class.""" match_context_fixed_dme = MatchContext(self.illegal_access1) fixed_dme = FixedDataModelElement('s1', self.illegal_access1) _match_element_fixed_dme = fixed_dme.get_match_element( "match1", match_context_fixed_dme) byte_stream_line_atomizer = ByteStreamLineAtomizer( fixed_dme, [], [self.stream_printer_event_handler], sys.getsizeof(match_context_fixed_dme.match_data) - 1, []) self.assertGreater( byte_stream_line_atomizer.consume_data(self.illegal_access1, False), 0) self.assertEqual( self.output_stream.getvalue(), 'Start of overlong line detected (1 lines)\n %s' % self.illegal_access2)
def get_model(time_model=None): """ Return the model for parsing a standard syslog preamble including timestamp and hostname. @param time_model when not none, the given model element is used for parsing timestamps. Otherwise a standard DateTimeModelElement with format b'%b %d %H:%M:%S' is created. CAVEAT: the standard model may not work when log data timestamp locale does not match host or shell environment locale. See MultiLocaleDatetime_modelElement instead. """ if time_model is None: time_model = DateTimeModelElement('time', b'%b %d %H:%M:%S') host_name_model = VariableByteDataModelElement( 'host', b'-.01234567890abcdefghijklmnopqrstuvwxyz') model = SequenceModelElement('syslog', [ time_model, FixedDataModelElement('sp0', b' '), host_name_model, FixedDataModelElement('sp1', b' ') ]) return model
def test4value_match_rule(self): """This case unit the ValueMatchRule.""" description = "Test4Rules" value_match_rule = ValueMatchRule(self.match_s1, self.fixed_string, None) self.analysis_context.register_component(value_match_rule, description) self.fixed_dme = FixedDataModelElement('s1', self.fixed_string) match_context = MatchContext(self.fixed_string) match_element = self.fixed_dme.get_match_element('match', match_context) log_atom = LogAtom(match_context.match_data, ParserMatch(match_element), 1, value_match_rule) self.assertTrue(value_match_rule.match(log_atom)) self.fixed_dme = FixedDataModelElement('s1', b'another fixed String') match_context = MatchContext(b'another fixed String') match_element = self.fixed_dme.get_match_element('match', match_context) log_atom = LogAtom(match_context.match_data, ParserMatch(match_element), 1, value_match_rule) self.assertTrue(not value_match_rule.match(log_atom))