def test_parse_incident_with_B_record(): result = read_file('log_importer/tests/test_files/file_read_test.txt') session = setup_connection(create_db=True) incident = parse_incident(session, result[0], result[1], include_parts=True) assert incident.host == u"somehostname.at", "unexpected host, was: %r" % incident.host assert incident.path == u"/fubar/sr/10/SomeAction.do", "invalid path, was:%r" %incident.path assert incident.method == u"GET", "unexpected HTTP method, was: %r" % incident.method
def import_log_to_database(): parser = argparse.ArgumentParser(description="Import Log-Files into Database.") parser.add_argument('database', help="Database to import to") parser.add_argument('files', metavar='File', type=argparse.FileType('r'), nargs='+') parser.add_argument('--import-parts', help="import raw parts", action="store_true") args = parser.parse_args() if args.import_parts: print("also adding parts!") else: print("not adding parts") # open database session = setup_connection(create_db=True, path=args.database) # add files for f in args.files: print("parsing " + f.name) tmp = read_from_file(f) incident = parse_incident(session, tmp[0], tmp[1], include_parts=args.import_parts) print("adding " + f.name + " to db") session.add(incident) session.commit() # close database session.close()
def output_overview(): """ just outputs a (formatted) dump of the original data """ parser = argparse.ArgumentParser(\ description="Give an high-level overview of database.") parser.add_argument('database', help="Database to analyze") group = parser.add_mutually_exclusive_group() group.add_argument("-t", "--sort-by-time", action="store_true") group.add_argument("-s", "--sort-by-source-ip", action="store_true") group.add_argument("-d", "--sort-by-destination-ip", action="store_true") args = parser.parse_args() # open database session = setup_connection(create_db=False, path=args.database) # get results results = session.query(Incident) if args.sort_by_source_ip: results = results.join(Incident.source).order_by(Source.ip, Source.port).all() elif args.sort_by_destination_ip: results = results.join(Incident.destination).order_by(Destination.ip, Destination.port).all() else: results = results.order_by(Incident.timestamp).all() # show all incidences for incident in results: for detail in incident.details: output_details(incident, detail) # close database session.close()
def test_parse_incident_with_H_record(): result = read_file('log_importer/tests/test_files/file_read_test.txt') session = setup_connection(create_db=True) incident = parse_incident(session, result[0], result[1], include_parts=True) expected_ids = sorted([960024, 981203]) found_ids = sorted([i.incident_catalog.catalog_id for i in incident.details]) assert found_ids == expected_ids
def create_database(): parser = argparse.ArgumentParser(description="Create Database.") parser.add_argument('database', help="Database to import to") args = parser.parse_args() session = setup_connection(create_db=True, path=args.database) session.connection() session.close()
def test_parse_incident(): result = read_file('log_importer/tests/test_files/file_read_test.txt') session = setup_connection(create_db=True) incident = parse_incident(session, result[0], result[1]) assert incident.fragment_id == u'7cf8df3f' assert incident.timestamp == datetime.datetime(2015, 3, 30, 21, 10, 38) # should be in UTC assert incident.unique_id == u'VRm7zgr5AlMAAClwIZoAAAAU' assert incident.source.ip == u'10.199.23.1' assert incident.source.port == 40889 assert incident.destination.ip == u'1.2.3.4' assert incident.destination.port == 18060 assert not incident.parts
def test_insert_and_query(): """ data commited to the database should be readable afterwards""" session = setup_connection(create_db=True) destination = Destination(ip=u'127.0.0.1', port=80) session.add(destination) session.commit() result = session.query(Destination).filter(Destination.ip == u'127.0.0.1').all() assert result[0].ip == destination.ip session.close()
def test_import_with_parts(): """ import file while saving (optional) parts. """ result = read_file('log_importer/tests/test_files/file_read_test.txt') session = setup_connection(create_db=True) incident = parse_incident(session, result[0], result[1], include_parts=True) session.add(incident) session.commit() # reload from db i = session.query(Incident).filter(Incident.id == incident.id).first() common_data(i, incident) assert len(i.parts) == 6
def output_summary(): parser = argparse.ArgumentParser(\ description="Give an high-level overview of database.") parser.add_argument('database', help="Database to analyze") args = parser.parse_args() # open database session = setup_connection(create_db=False, path=args.database) # show all incidences for source, ipaddress, port, path, method, msg, cnt in retrieve_data(session): print("%5d: %s -> %s %s:%5d%s %s" % (cnt, source, method, ipaddress, port, path, msg)) # close database session.close()
def output_incident_types(): """ group database by <ip, port and error-message> and output group error counts. """ parser = argparse.ArgumentParser(\ description="List all known incident types.") parser.add_argument('database', help="Database to analyze") args = parser.parse_args() # open database session = setup_connection(create_db=False, path=args.database) # show the different catalog types for i in retrieve_data(session): print("id %3d: %s:%d %s" % (i.catalog_id, i.config_file, i.config_line, i.message)) # close database session.close()
def output_destinations(): """ group database by <ip, port and error-message> and output group error counts. """ parser = argparse.ArgumentParser(\ description="Give an high-level overview of database.") parser.add_argument('database', help="Database to analyze") args = parser.parse_args() # open database session = setup_connection(create_db=False, path=args.database) # show all incidences for ipaddress, port, msg, cnt in retrieve_data(session): print("%3d: %s:%5d %s" % (cnt, ipaddress, port, msg)) # close database session.close()
def test_import_with_parts(): """ import file while saving (optional) parts. """ result = read_file('log_importer/tests/test_files/file_read_test.txt') session = setup_connection(True, "postgresql://modsec@localhost/modsec") cache_destination = DestinationCache(session) cache_source = SourceCache(session) cache_details = IncidentDetailCache(session) incident_counter = IncidentCount(session) incident_cache = IncidentCache() incident = parse_incident(result, include_parts=True) incidentObject = forward_to_db(session, incident, incident_counter, incident_cache, cache_destination, cache_source, cache_details, diff=1) # reload from db i = session.query(Incident).filter(Incident.id == incidentObject['id']).first() common_data(i, incident) assert len(i.parts) == 6
def import_log_to_database(): parser = argparse.ArgumentParser(description="Import Log-Files into Database.") parser.add_argument('database', help="Database to import to") parser.add_argument('files', metavar='File', type=argparse.FileType('r'), nargs='+') parser.add_argument('--import-parts', help="import raw parts", action="store_true") args = parser.parse_args() if args.import_parts: print("also adding parts!") else: print("not adding parts") # open database to calculate num_worker session = setup_connection(create_db=True, path=args.database) cache_destination = DestinationCache(session) cache_source = SourceCache(session) cache_details = IncidentDetailCache(session) incident_counter = IncidentCount(session) incident_cache = IncidentCache() # files = [args.files[0].name]*20000 files = [ f.name for f in args.files ] with futures.ProcessPoolExecutor(max_workers=max(1, cpu_count()-1)) as executor: for incident in executor.map(tmp, files): try: forward_to_db(session, incident, incident_counter, incident_cache, cache_destination, cache_source, cache_details) except KeyError as e: print("ERROR: key error {0}: {1}".format(e.errno, e.strerror)) # close database conn = session.connection() cache_source.sync_to_db(conn) cache_destination.sync_to_db(conn) incident_cache.writeIncidents(conn) incident_cache.writeParts(conn) cache_details.sync_to_db(conn) session.commit() session.close()
def test_parse_incident_with_parts(): result = read_file('log_importer/tests/test_files/file_read_test.txt') session = setup_connection(create_db=True) incident = parse_incident(session, result[0], result[1], include_parts=True) assert len(incident.parts) == 6
def test_create_inmemory_db(): """ a simple in-memory database-initialization should work """ setup_connection(create_db=True)