def test_add_event_is_logged(): protocol = "testing" source_ip = "1.2.3.4" source_port = 11 destination_ip = "5.6.7.8" destination_port = 22 log_queue = LogQueueFake() session = AttackSession( protocol=protocol, source_ip=source_ip, source_port=source_port, destination_ip=destination_ip, destination_port=destination_port, log_queue=log_queue, ) event = {"foo": "bar"} session.add_event(event) logged = log_queue.events[0] assert logged["data"] == event assert logged["data_type"] == protocol assert logged["src_ip"] == source_ip assert logged["src_port"] == source_port assert logged["remote"] == (source_ip, source_port) assert logged["dst_ip"] == destination_ip assert logged["dst_port"] == destination_port assert logged["local"] == (destination_ip, destination_port) # TODO should this even include public_ip if it's always None? assert logged["public_ip"] is None
def test_add_event_sessions_have_unique_ids(): log_queue = LogQueueFake() session_1 = AttackSession( protocol=None, source_ip=None, source_port=None, destination_ip=None, destination_port=None, log_queue=log_queue, ) session_2 = AttackSession( protocol=None, source_ip=None, source_port=None, destination_ip=None, destination_port=None, log_queue=log_queue, ) session_1.add_event({"foo": "bar"}) session_2.add_event({"bar": "baz"}) assert log_queue.events[0]["id"] != log_queue.events[1]["id"]
def get_session(self, protocol, source_ip, source_port, destination_ip=None, destination_port=None): # around here we would inject dependencies into the attack session attack_session = self._find_sessions(protocol, source_ip) if not attack_session: attack_session = AttackSession(protocol, source_ip, source_port, destination_ip, destination_port, self._databus, self.log_queue) self._sessions.append(attack_session) return attack_session
def test_add_event_same_id(): log_queue = LogQueueFake() session = AttackSession( protocol=None, source_ip=None, source_port=None, destination_ip=None, destination_port=None, log_queue=log_queue, ) session.add_event({"foo": "bar"}) session.add_event({"bar": "baz"}) assert log_queue.events[0]["id"] == log_queue.events[1]["id"]
def test_add_event_uses_session_timestamp(): log_queue = LogQueueFake() session_start = datetime(2000, 1, 1) with freeze_time(session_start) as frozen_time: session = AttackSession( protocol=None, source_ip=None, source_port=None, destination_ip=None, destination_port=None, log_queue=log_queue, ) frozen_time.tick(timedelta(days=1)) session.add_event({"foo": "bar"}) session.add_event({"bar": "baz"}) # timestamp is always the time the session started, # not the time the event occurred assert log_queue.events[0]["timestamp"] == session_start assert log_queue.events[1]["timestamp"] == session_start
def test_dump_collects_events(): protocol = "testing" source_ip = "1.2.3.4" source_port = 11 destination_ip = "5.6.7.8" destination_port = 22 log_queue = LogQueueFake() session = AttackSession( protocol=protocol, source_ip=source_ip, source_port=source_port, destination_ip=destination_ip, destination_port=destination_port, log_queue=log_queue, ) event_1 = {"foo": "bar"} event_2 = {"bar": "baz"} session.add_event(event_1) session.add_event(event_2) session.add_event(event_1) dump = session.dump() assert dump["data_type"] == protocol assert list(dump["data"].keys()) == [2000, 4000, 6000] assert list(dump["data"].values()) == [event_1, event_2, event_1] assert dump["src_ip"] == source_ip assert dump["src_port"] == source_port assert dump["remote"] == (source_ip, source_port) assert dump["dst_ip"] == destination_ip assert dump["dst_port"] == destination_port assert dump["local"] == (destination_ip, destination_port) # TODO should this even include public_ip if it's always None? assert dump["public_ip"] is None