def testTwoRegexMatchConditionsWithDifferentActions2(self): expected_files = ["auth.log"] non_expected_files = ["dpkg.log", "dpkg_false.log"] regex_condition1 = rdfvalue.FileFinderCondition( condition_type=rdfvalue.FileFinderCondition.Type.CONTENTS_REGEX_MATCH, contents_regex_match=rdfvalue.FileFinderContentsRegexMatchCondition( mode=rdfvalue.FileFinderContentsRegexMatchCondition.Mode.ALL_HITS, regex="session opened for user .*?john")) regex_condition2 = rdfvalue.FileFinderCondition( condition_type=rdfvalue.FileFinderCondition.Type.CONTENTS_REGEX_MATCH, contents_regex_match=rdfvalue.FileFinderContentsRegexMatchCondition( mode=rdfvalue.FileFinderContentsRegexMatchCondition.Mode.FIRST_HIT, regex=".*")) for action in sorted( file_finder.FileFinderAction.Action.enum_dict.values()): self.RunFlowAndCheckResults( action=action, conditions=[regex_condition1, regex_condition2], expected_files=expected_files, non_expected_files=non_expected_files) # Check the output file is created fd = aff4.FACTORY.Open(self.client_id.Add(self.output_path), aff4_type="RDFValueCollection", token=self.token) self.assertEqual(len(fd), 1) self.assertEqual(len(fd[0].matches), 2) self.assertEqual(fd[0].matches[0].offset, 350) self.assertEqual(fd[0].matches[0].data, "session): session opened for user dearjohn by (uid=0") self.assertEqual(fd[0].matches[1].offset, 0) self.assertEqual(fd[0].matches[1].length, 770)
def StartRequests(self): """Generate and send the Find requests.""" client = aff4.FACTORY.Open(self.client_id, token=self.token) if self.runner.output is not None: self.runner.output.Set( self.runner.output.Schema.DESCRIPTION("CacheGrep for {0}".format( self.args.data_regex))) usernames = ["%s\\%s" % (u.domain, u.username) for u in self.state.users] usernames = [u.lstrip("\\") for u in usernames] # Strip \\ if no domain. condition = rdfvalue.FileFinderCondition( condition_type=rdfvalue.FileFinderCondition.Type.CONTENTS_REGEX_MATCH, contents_regex_match=rdfvalue.FileFinderContentsRegexMatchCondition( regex=self.args.data_regex, mode=rdfvalue.FileFinderContentsRegexMatchCondition.Mode.FIRST_HIT)) for path in self.state.all_paths: full_paths = flow_utils.InterpolatePath(path, client, users=usernames) for full_path in full_paths: self.CallFlow( "FileFinder", paths=[os.path.join(full_path, "**5")], pathtype=self.state.args.pathtype, conditions=[condition], action=rdfvalue.FileFinderAction( action_type=rdfvalue.FileFinderAction.Action.DOWNLOAD), next_state="HandleResults")
def testLiteralMatchConditionWithDifferentActions(self): expected_files = ["auth.log"] non_expected_files = ["dpkg.log", "dpkg_false.log"] literal_condition = rdfvalue.FileFinderCondition( condition_type=rdfvalue.FileFinderCondition.Type.CONTENTS_LITERAL_MATCH, contents_literal_match=rdfvalue.FileFinderContentsLiteralMatchCondition( mode=rdfvalue.FileFinderContentsLiteralMatchCondition.Mode.ALL_HITS, literal="session opened for user dearjohn")) for action in sorted( file_finder.FileFinderAction.Action.enum_dict.values()): self.RunFlowAndCheckResults( action=action, conditions=[literal_condition], expected_files=expected_files, non_expected_files=non_expected_files) # Check that the results' matches fields are correctly filled. fd = aff4.FACTORY.Open(self.client_id.Add(self.output_path), aff4_type="RDFValueCollection", token=self.token) self.assertEqual(len(fd), 1) self.assertEqual(len(fd[0].matches), 1) self.assertEqual(fd[0].matches[0].offset, 350) self.assertEqual(fd[0].matches[0].data, "session): session opened for user dearjohn by (uid=0")
def Grep(self, source, pathtype): """Grep files in paths for any matches to content_regex_list. Args: source: artifact source pathtype: pathspec path type When multiple regexes are supplied, combine them into a single regex as an OR match so that we check all regexes at once. """ path_list = self.InterpolateList(source.attributes.get("paths", [])) content_regex_list = self.InterpolateList( source.attributes.get("content_regex_list", [])) regex_condition = rdfvalue.FileFinderContentsRegexMatchCondition( regex=self._CombineRegex(content_regex_list), bytes_before=0, bytes_after=0) file_finder_condition = rdfvalue.FileFinderCondition( condition_type=rdfvalue.FileFinderCondition.Type. CONTENTS_REGEX_MATCH, contents_regex_match=regex_condition) self.CallFlow("FileFinder", paths=path_list, conditions=[file_finder_condition], action=rdfvalue.FileFinderAction(), pathtype=pathtype, request_data={ "artifact_name": self.current_artifact_name, "source": source.ToPrimitiveDict() }, next_state="ProcessCollected")
def testSizeAndRegexConditionsWithDifferentActions(self): files_over_size_limit = ["auth.log"] filtered_files = ["dpkg.log", "dpkg_false.log"] expected_files = [] non_expected_files = files_over_size_limit + filtered_files sizes = [ os.stat(os.path.join(self.base_path, f)).st_size for f in files_over_size_limit ] size_condition = rdfvalue.FileFinderCondition( condition_type=rdfvalue.FileFinderCondition.Type.SIZE, size=rdfvalue.FileFinderSizeCondition(max_file_size=min(sizes) - 1)) regex_condition = rdfvalue.FileFinderCondition( condition_type=rdfvalue.FileFinderCondition.Type. CONTENTS_REGEX_MATCH, contents_regex_match=rdfvalue. FileFinderContentsRegexMatchCondition( mode=rdfvalue.FileFinderContentsRegexMatchCondition.Mode. ALL_HITS, regex="session opened for user .*?john")) for action in sorted( rdfvalue.FileFinderAction.Action.enum_dict.values()): self.RunFlowAndCheckResults( action=action, conditions=[size_condition, regex_condition], expected_files=expected_files, non_expected_files=non_expected_files) # Check that order of conditions doesn't influence results for action in sorted( rdfvalue.FileFinderAction.Action.enum_dict.values()): self.RunFlowAndCheckResults( action=action, conditions=[regex_condition, size_condition], expected_files=expected_files, non_expected_files=non_expected_files)
def ConditionsToFileFinderConditions(self, conditions): ff_condition_type_cls = rdfvalue.FileFinderCondition.Type result = [] for c in conditions: if c.condition_type == MemoryCollectorCondition.Type.LITERAL_MATCH: result.append( rdfvalue.FileFinderCondition( condition_type=ff_condition_type_cls. CONTENTS_LITERAL_MATCH, contents_literal_match=c.literal_match)) elif c.condition_type == MemoryCollectorCondition.Type.REGEX_MATCH: result.append( rdfvalue.FileFinderCondition( condition_type=ff_condition_type_cls. CONTENTS_REGEX_MATCH, contents_regex_match=c.regex_match)) else: raise ValueError("Unknown condition type: %s", c.condition_type) return result
def testAppliesLiteralConditionWhenMemoryPathTypeIsUsed(self): vfs.VFS_HANDLERS[ rdfvalue.PathSpec.PathType.OS] = test_lib.FakeTestDataVFSHandler vfs.VFS_HANDLERS[rdfvalue.PathSpec.PathType. MEMORY] = test_lib.FakeTestDataVFSHandler paths = [ os.path.join(os.path.dirname(self.base_path), "auth.log"), os.path.join(os.path.dirname(self.base_path), "dpkg.log") ] literal_condition = rdfvalue.FileFinderCondition( condition_type=rdfvalue.FileFinderCondition.Type. CONTENTS_LITERAL_MATCH, contents_literal_match=rdfvalue. FileFinderContentsLiteralMatchCondition( mode=rdfvalue.FileFinderContentsLiteralMatchCondition.Mode. ALL_HITS, literal="session opened for user dearjohn")) # Check this condition with all the actions. This makes sense, as we may # download memeory or send it to the socket. for action in sorted( rdfvalue.FileFinderAction.Action.enum_dict.values()): for _ in test_lib.TestFlowHelper( "FileFinder", self.client_mock, client_id=self.client_id, paths=paths, pathtype=rdfvalue.PathSpec.PathType.MEMORY, conditions=[literal_condition], action=rdfvalue.FileFinderAction(action_type=action), token=self.token, output=self.output_path): pass self.CheckFilesInCollection(["auth.log"]) fd = aff4.FACTORY.Open(self.client_id.Add(self.output_path), aff4_type="RDFValueCollection", token=self.token) self.assertEqual(fd[0].stat_entry.pathspec.CollapsePath(), paths[0]) self.assertEqual(len(fd), 1) self.assertEqual(len(fd[0].matches), 1) self.assertEqual(fd[0].matches[0].offset, 350) self.assertEqual( fd[0].matches[0].data, "session): session opened for user dearjohn by (uid=0")
def ConditionsToFileFinderConditions(self, conditions): ff_condition_type_cls = rdfvalue.FileFinderCondition.Type result = [] for c in conditions: if c.condition_type == RegistryFinderCondition.Type.MODIFICATION_TIME: result.append(rdfvalue.FileFinderCondition( condition_type=ff_condition_type_cls.MODIFICATION_TIME, modification_time=c.modification_time)) elif c.condition_type == RegistryFinderCondition.Type.VALUE_LITERAL_MATCH: result.append(rdfvalue.FileFinderCondition( condition_type=ff_condition_type_cls.CONTENTS_LITERAL_MATCH, contents_literal_match=c.value_literal_match)) elif c.condition_type == RegistryFinderCondition.Type.VALUE_REGEX_MATCH: result.append(rdfvalue.FileFinderCondition( condition_type=ff_condition_type_cls.CONTENTS_REGEX_MATCH, contents_regex_match=c.value_regex_match)) elif c.condition_type == RegistryFinderCondition.Type.SIZE: result.append(rdfvalue.FileFinderCondition( condition_type=ff_condition_type_cls.SIZE, size=c.size)) else: raise ValueError("Unknown condition type: %s", c.condition_type) return result
def testAccessTimeConditionWithDifferentActions(self): expected_files = ["dpkg.log", "dpkg_false.log"] non_expected_files = ["auth.log"] access_time_condition = rdfvalue.FileFinderCondition( condition_type=rdfvalue.FileFinderCondition.Type.ACCESS_TIME, access_time=rdfvalue.FileFinderAccessTimeCondition( min_last_access_time=rdfvalue.RDFDatetime( ).FromSecondsFromEpoch(1444444440))) for action in sorted( rdfvalue.FileFinderAction.Action.enum_dict.values()): self.RunFlowAndCheckResults(action=action, conditions=[access_time_condition], expected_files=expected_files, non_expected_files=non_expected_files)
def testInodeChangeTimeConditionWithDifferentActions(self): expected_files = ["dpkg.log", "dpkg_false.log"] non_expected_files = ["auth.log"] change_time = rdfvalue.RDFDatetime().FromSecondsFromEpoch(1444444440) inode_change_time_condition = rdfvalue.FileFinderCondition( condition_type=rdfvalue.FileFinderCondition.Type.INODE_CHANGE_TIME, inode_change_time=rdfvalue.FileFinderInodeChangeTimeCondition( min_last_inode_change_time=change_time)) for action in sorted( file_finder.FileFinderAction.Action.enum_dict.values()): self.RunFlowAndCheckResults( action=action, conditions=[inode_change_time_condition], expected_files=expected_files, non_expected_files=non_expected_files)
def testModificationTimeConditionWithDifferentActions(self): expected_files = ["dpkg.log", "dpkg_false.log"] non_expected_files = ["auth.log"] change_time = rdfvalue.RDFDatetime().FromSecondsFromEpoch(1444444440) modification_time_condition = rdfvalue.FileFinderCondition( condition_type=rdfvalue.FileFinderCondition.Type.MODIFICATION_TIME, modification_time=rdfvalue.FileFinderModificationTimeCondition( min_last_modified_time=change_time)) for action in sorted( file_finder.FileFinderAction.Action.enum_dict.values()): self.RunFlowAndCheckResults( action=action, conditions=[modification_time_condition], expected_files=expected_files, non_expected_files=non_expected_files)
def testSizeConditionWithDifferentActions(self): expected_files = ["dpkg.log", "dpkg_false.log"] non_expected_files = ["auth.log"] sizes = [os.stat(os.path.join(self.base_path, f)).st_size for f in expected_files] size_condition = rdfvalue.FileFinderCondition( condition_type=rdfvalue.FileFinderCondition.Type.SIZE, size=rdfvalue.FileFinderSizeCondition(max_file_size=max(sizes) + 1)) for action in sorted( file_finder.FileFinderAction.Action.enum_dict.values()): self.RunFlowAndCheckResults( action=action, conditions=[size_condition], expected_files=expected_files, non_expected_files=non_expected_files)