def testWhenFetchingFiltersOutProcessesWithoutExeAndConnectionState(self):
  """fetch_binaries=True plus a state filter must drop every non-matching process.

  The first mock process has no exe path (nothing to fetch), the second has
  an exe but only an ESTABLISHED socket; with connection_states=["LISTEN"]
  the flow must therefore produce no results at all.
  """
  client_id = self.SetupClient(0)
  ctime = long(1333718907.167083 * 1e6)

  # NOTE(review): both mock processes carry pid=2. The assertion below only
  # checks the result count, so it does not rely on pids being unique.
  without_exe = rdf_client.Process(
      pid=2, ppid=1, cmdline=["test_img.dd"], ctime=ctime)
  established_only = rdf_client.Process(
      pid=2,
      ppid=1,
      cmdline=["cmd.exe"],
      exe="c:\\windows\\cmd.exe",
      ctime=ctime,
      connections=rdf_client.NetworkConnection(
          family="INET", state="ESTABLISHED"))

  session_id = flow_test_lib.TestFlowHelper(
      flow_processes.ListProcesses.__name__,
      action_mocks.ListProcessesMock([without_exe, established_only]),
      fetch_binaries=True,
      client_id=client_id,
      connection_states=["LISTEN"],
      token=self.token)

  # Neither process matches, so the result collection must be empty.
  results = flow.GRRFlow.ResultCollectionForFID(session_id)
  self.assertEqual(len(results), 0)
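def Start(cls, args):
  """Yields one NetworkConnection per socket of every local process.

  Args:
    args: Request arguments; only ``args.listening_only`` is read. When
      true, sockets whose psutil status is not "LISTEN" are skipped.

  Yields:
    rdf_client.NetworkConnection for each socket that survived the filter,
    carrying pid, process name, family, type, state and local/remote
    endpoints.

  Caveat for analysts: processes the agent is not allowed to inspect
  (psutil.AccessDenied) are skipped silently, so an empty or short result
  on an unprivileged agent does not prove the absence of sockets.
  """
  for proc in psutil.process_iter():
    # A process can exit, or deny access, at any moment between enumeration
    # and inspection. proc.name() hits the OS again and raises the same
    # errors as proc.connections(), so it is guarded here too (previously it
    # was called unguarded inside the loop, letting a racing process exit
    # abort the whole enumeration). It is also loop-invariant, so it is
    # fetched once per process instead of once per socket.
    try:
      connections = proc.connections()
      process_name = proc.name()
    except (psutil.NoSuchProcess, psutil.AccessDenied):
      continue

    for conn in connections:
      if args.listening_only and conn.status != "LISTEN":
        continue

      res = rdf_client.NetworkConnection()
      res.pid = proc.pid
      res.process_name = process_name
      res.family = conn.family
      res.type = conn.type
      try:
        if conn.status:
          res.state = conn.status
      except ValueError:
        # psutil reported a status the State enum does not know; keep the
        # connection (with state left at its default) rather than drop it.
        logging.warning("Encountered unknown connection status (%s).",
                        conn.status)

      # laddr/raddr are unpacked as (ip, port) pairs. This relies on the
      # default connections() query returning only INET/INET6 entries
      # (unix-domain sockets carry a path instead) -- TODO confirm against
      # the psutil version in use.
      res.local_address.ip, res.local_address.port = conn.laddr
      if conn.raddr:
        res.remote_address.ip, res.remote_address.port = conn.raddr

      yield res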
def AddListener(self, ip, port, family="INET", sock_type="SOCK_STREAM"):
  """Builds a NetworkConnection describing a LISTEN socket bound to ip:port.

  Despite its name the helper does not register the connection anywhere; it
  only constructs and returns the object, and the caller attaches it.

  Args:
    ip: Local address string the socket is bound to.
    port: Local port number.
    family: Address family name; defaults to "INET".
    sock_type: Socket type name; defaults to "SOCK_STREAM".

  Returns:
    An rdf_client.NetworkConnection in state LISTEN with the given local
    endpoint and no remote address set.
  """
  endpoint = rdf_client.NetworkEndpoint(ip=ip, port=port)
  listener = rdf_client.NetworkConnection()
  listener.local_address = endpoint
  listener.type = sock_type
  listener.family = family
  listener.state = "LISTEN"
  return listener
def ListNetworkConnections(self, _):
  """Returns two canned NetworkConnections in place of a real socket listing.

  Args:
    _: The request, ignored.

  Returns:
    A list of exactly two rdf_client.NetworkConnection objects: a CLOSED
    stream socket on 0.0.0.0:22 for pid 2136, and a LISTEN stream socket on
    192.168.1.1:31337 for pid 1.

  NOTE(review): the second fixture combines state LISTEN with a remote peer
  (1.2.3.4:6667), which a real listening socket never has. It is kept
  verbatim because tests may match on these exact values.
  """
  State = rdf_client.NetworkConnection.State
  Type = rdf_client.NetworkConnection.Type
  Endpoint = rdf_client.NetworkEndpoint

  closed_ssh = rdf_client.NetworkConnection(
      state=State.CLOSED,
      type=Type.SOCK_STREAM,
      local_address=Endpoint(ip="0.0.0.0", port=22),
      remote_address=Endpoint(ip="0.0.0.0", port=0),
      pid=2136,
      ctime=0)
  listener = rdf_client.NetworkConnection(
      state=State.LISTEN,
      type=Type.SOCK_STREAM,
      local_address=Endpoint(ip="192.168.1.1", port=31337),
      remote_address=Endpoint(ip="1.2.3.4", port=6667),
      pid=1,
      ctime=0)
  return [closed_ssh, listener]
def testProcessListingFilterConnectionState(self):
  """connection_states keeps exactly the processes whose socket state matches.

  Three mock processes carry one INET socket each (CLOSED, LISTEN,
  ESTABLISHED). Asking for ESTABLISHED and LISTEN must return the latter two
  and nothing else. The ESTABLISHED process deliberately has no exe path;
  since fetch_binaries is not requested that must not exclude it.
  """
  client_id = self.SetupClient(0)
  ctime = long(1333718907.167083 * 1e6)

  def MakeProcess(pid, name, state, exe=None):
    # One process with a single INET socket in the given state.
    fields = dict(
        pid=pid,
        ppid=1,
        cmdline=[name],
        ctime=ctime,
        connections=rdf_client.NetworkConnection(family="INET", state=state))
    if exe is not None:
      fields["exe"] = exe
    return rdf_client.Process(**fields)

  mock_processes = [
      MakeProcess(2, "cmd.exe", "CLOSED", exe="c:\\windows\\cmd.exe"),
      MakeProcess(3, "cmd2.exe", "LISTEN", exe="c:\\windows\\cmd2.exe"),
      MakeProcess(4, "missing_exe.exe", "ESTABLISHED"),
  ]
  client_mock = action_mocks.ListProcessesMock(mock_processes)

  flow_urn = flow.GRRFlow.StartFlow(
      client_id=client_id,
      flow_name=flow_processes.ListProcesses.__name__,
      connection_states=["ESTABLISHED", "LISTEN"],
      token=self.token)
  session_id = flow_test_lib.TestFlowHelper(
      flow_urn, client_mock, client_id=client_id, token=self.token)

  results = flow.GRRFlow.ResultCollectionForFID(session_id)
  self.assertEqual(len(results), 2)
  observed_states = set(str(p.connections[0].state) for p in results)
  self.assertItemsEqual(observed_states, ["ESTABLISHED", "LISTEN"])
def Start(self):
  """Emits a single canned NetworkConnection with pid 42 and does nothing else.

  Minimal flow body used as a fixture: exactly one reply is sent and no
  further calls are made from here.
  """
  canned = rdf_client.NetworkConnection()
  canned.pid = 42
  self.SendReply(canned)