def testTwoRegexMatchConditionsWithDifferentActions2(self): expected_files = ["auth.log"] non_expected_files = ["dpkg.log", "dpkg_false.log"] regex_condition1 = rdf_file_finder.FileFinderCondition( condition_type=( rdf_file_finder.FileFinderCondition.Type.CONTENTS_REGEX_MATCH), contents_regex_match=( rdf_file_finder.FileFinderContentsRegexMatchCondition( mode="ALL_HITS", bytes_before=10, bytes_after=10, regex=b"session opened for user .*?john"))) regex_condition2 = rdf_file_finder.FileFinderCondition( condition_type=( rdf_file_finder.FileFinderCondition.Type.CONTENTS_REGEX_MATCH), contents_regex_match=( rdf_file_finder.FileFinderContentsRegexMatchCondition( mode="FIRST_HIT", bytes_before=10, bytes_after=10, regex=b".*"))) for action in self.CONDITION_TESTS_ACTIONS: results = self.RunFlowAndCheckResults( action=action, conditions=[regex_condition1, regex_condition2], expected_files=expected_files, non_expected_files=non_expected_files) self.assertLen(results, 1) self.assertLen(results[0].matches, 2) self.assertEqual(results[0].matches[0].offset, 350) self.assertEqual(results[0].matches[0].data, b"session): session opened for user dearjohn by (uid=0") self.assertEqual(results[0].matches[1].offset, 0) self.assertEqual(results[0].matches[1].length, 770)
def testFindsKeyIfItMatchesRegexMatchCondition(self): value_regex_match = rdf_file_finder.FileFinderContentsRegexMatchCondition( bytes_before=10, bytes_after=10, regex="Windows.+\\.exe") client_id = self.SetupClient(0) session_id = self.RunFlow(client_id, [self.runkey], [ registry.RegistryFinderCondition( condition_type=registry.RegistryFinderCondition.Type. VALUE_REGEX_MATCH, value_regex_match=value_regex_match) ]) results = self.GetResults(session_id) self.assertEqual(len(results), 1) self.assertEqual(len(results[0].matches), 1) self.assertEqual(results[0].matches[0].offset, 15) self.assertEqual(results[0].matches[0].data, "ramFiles%\\Windows Sidebar\\Sidebar.exe /autoRun") self.assertEqual( results[0].stat_entry.AFF4Path(client_id), "aff4:/C.1000000000000000/registry/HKEY_USERS/S-1-5-20/" "Software/Microsoft/Windows/CurrentVersion/Run/Sidebar") self.assertEqual( results[0].stat_entry.pathspec.path, "/HKEY_USERS/S-1-5-20/Software/Microsoft/Windows/" "CurrentVersion/Run/Sidebar") self.assertEqual(results[0].stat_entry.pathspec.pathtype, rdf_paths.PathSpec.PathType.REGISTRY)
def testRegexMatchConditionWithDifferentActions(self): expected_files = ["auth.log"] non_expected_files = ["dpkg.log", "dpkg_false.log"] regex_condition = rdf_file_finder.FileFinderCondition( condition_type=( rdf_file_finder.FileFinderCondition.Type.CONTENTS_REGEX_MATCH), contents_regex_match=( rdf_file_finder.FileFinderContentsRegexMatchCondition( mode="ALL_HITS", bytes_before=10, bytes_after=10, regex="session opened for user .*?john"))) for action in self.CONDITION_TESTS_ACTIONS: self.RunFlowAndCheckResults(action=action, conditions=[regex_condition], expected_files=expected_files, non_expected_files=non_expected_files) fd = flow.GRRFlow.ResultCollectionForFID(self.last_session_id) self.assertEqual(len(fd), 1) self.assertEqual(len(fd[0].matches), 1) self.assertEqual(fd[0].matches[0].offset, 350) self.assertEqual( fd[0].matches[0].data, "session): session opened for user dearjohn by (uid=0")
def Grep(self, source, pathtype): """Grep files in paths for any matches to content_regex_list. Args: source: artifact source pathtype: pathspec path type When multiple regexes are supplied, combine them into a single regex as an OR match so that we check all regexes at once. """ path_list = self.InterpolateList(source.attributes.get("paths", [])) content_regex_list = self.InterpolateList( source.attributes.get("content_regex_list", [])) regex_condition = rdf_file_finder.FileFinderContentsRegexMatchCondition( regex=self._CombineRegex(content_regex_list), bytes_before=0, bytes_after=0, mode="ALL_HITS") file_finder_condition = rdf_file_finder.FileFinderCondition( condition_type=( rdf_file_finder.FileFinderCondition.Type.CONTENTS_REGEX_MATCH), contents_regex_match=regex_condition) self.CallFlow(file_finder.FileFinder.__name__, paths=path_list, conditions=[file_finder_condition], action=rdf_file_finder.FileFinderAction(), pathtype=pathtype, request_data={ "artifact_name": self.current_artifact_name, "source": source.ToPrimitiveDict() }, next_state="ProcessCollected")
def testFindsNothingIfRegexMatchesNothing(self): value_regex_match = rdf_file_finder.FileFinderContentsRegexMatchCondition( bytes_before=10, bytes_after=10, regex=".*CanNotFindMe.*") client_id = self.SetupClient(0) session_id = self.RunFlow(client_id, [self.runkey], [ registry.RegistryFinderCondition( condition_type=registry.RegistryFinderCondition.Type. VALUE_REGEX_MATCH, value_regex_match=value_regex_match) ]) self.AssertNoResults(session_id)
def Grep(self, source, pathtype, implementation_type): """Grep files in paths for any matches to content_regex_list. When multiple regexes are supplied, combine them into a single regex as an OR match so that we check all regexes at once. Args: source: artifact source pathtype: pathspec path typed implementation_type: Pathspec implementation type to use. """ path_list = self.InterpolateList(source.attributes.get("paths", [])) # `content_regex_list` elements should be binary strings, but forcing # artifact creators to use verbose YAML syntax for binary literals would # be cruel. Therefore, we allow both kind of strings and we convert to bytes # if required. content_regex_list = [] for content_regex in source.attributes.get("content_regex_list", []): if isinstance(content_regex, Text): content_regex = content_regex.encode("utf-8") content_regex_list.append(content_regex) content_regex_list = self.InterpolateList(content_regex_list) regex_condition = rdf_file_finder.FileFinderContentsRegexMatchCondition( regex=self._CombineRegex(content_regex_list), bytes_before=0, bytes_after=0, mode="ALL_HITS") file_finder_condition = rdf_file_finder.FileFinderCondition( condition_type=( rdf_file_finder.FileFinderCondition.Type.CONTENTS_REGEX_MATCH), contents_regex_match=regex_condition) self.CallFlow( file_finder.FileFinder.__name__, paths=path_list, conditions=[file_finder_condition], action=rdf_file_finder.FileFinderAction(), pathtype=pathtype, implementation_type=implementation_type, request_data={ "artifact_name": self.current_artifact_name, "source": source.ToPrimitiveDict() }, next_state=compatibility.GetName(self.ProcessCollected))
def testPassesAllConditionsToClientFileFinderWhenAllConditionsSpecified( self): modification_time = rdf_file_finder.FileFinderModificationTimeCondition( min_last_modified_time=rdfvalue.RDFDatetime.Now(), ) access_time = rdf_file_finder.FileFinderAccessTimeCondition( min_last_access_time=rdfvalue.RDFDatetime.Now(), ) inode_change_time = rdf_file_finder.FileFinderInodeChangeTimeCondition( min_last_inode_change_time=rdfvalue.RDFDatetime.Now(), ) size = rdf_file_finder.FileFinderSizeCondition(min_file_size=42, ) ext_flags = rdf_file_finder.FileFinderExtFlagsCondition( linux_bits_set=42, ) contents_regex_match = ( rdf_file_finder.FileFinderContentsRegexMatchCondition( regex=b"foo", )) contents_literal_match = ( rdf_file_finder.FileFinderContentsLiteralMatchCondition( literal=b"bar", )) flow_id = flow_test_lib.StartFlow( file.CollectMultipleFiles, client_id=self.client_id, path_expressions=["/some/path"], modification_time=modification_time, access_time=access_time, inode_change_time=inode_change_time, size=size, ext_flags=ext_flags, contents_regex_match=contents_regex_match, contents_literal_match=contents_literal_match, ) children = data_store.REL_DB.ReadChildFlowObjects( self.client_id, flow_id) self.assertLen(children, 1) child = children[0] self.assertEqual(child.flow_class_name, file_finder.ClientFileFinder.__name__) # We expect 7 condition-attributes to be converted # to 7 FileFinderConditions. self.assertLen(child.args.conditions, 7) def _GetCondition(condition_type): for c in child.args.conditions: if c.condition_type == condition_type: return c.UnionCast() raise RuntimeError( f"Condition of type {condition_type} not found.") self.assertEqual( _GetCondition( rdf_file_finder.FileFinderCondition.Type.MODIFICATION_TIME), modification_time) self.assertEqual( _GetCondition( rdf_file_finder.FileFinderCondition.Type.ACCESS_TIME), access_time) self.assertEqual( _GetCondition( rdf_file_finder.FileFinderCondition.Type.INODE_CHANGE_TIME), inode_change_time) self.assertEqual( _GetCondition(rdf_file_finder.FileFinderCondition.Type.SIZE), size) self.assertEqual( _GetCondition(rdf_file_finder.FileFinderCondition.Type.EXT_FLAGS), ext_flags) self.assertEqual( _GetCondition( rdf_file_finder.FileFinderCondition.Type.CONTENTS_REGEX_MATCH), contents_regex_match) self.assertEqual( _GetCondition(rdf_file_finder.FileFinderCondition.Type. CONTENTS_LITERAL_MATCH), contents_literal_match)