def testVirusTotalLookup(self):
"""Tests for the VirusTotal analysis plugin."""
event_queue = single_process.SingleProcessQueue()
knowledge_base = self._SetUpKnowledgeBase()
# Fill the incoming queue with events.
test_queue_producer = queue.ItemQueueProducer(event_queue)
events = [
self._CreateTestEventObject(test_event)
for test_event in self.TEST_EVENTS
]
test_queue_producer.ProduceItems(events)
analysis_plugin = virustotal.VirusTotalAnalysisPlugin(event_queue)
analysis_plugin.SetAPIKey(self.FAKE_API_KEY)
# Run the analysis plugin.
analysis_report_queue_consumer = self._RunAnalysisPlugin(
analysis_plugin, knowledge_base)
analysis_reports = self._GetAnalysisReportsFromQueue(
analysis_report_queue_consumer)
self.assertEqual(len(analysis_reports), 1)
report = analysis_reports[0]
tags = report.GetTags()
self.assertEqual(len(tags), 1)
tag = tags[0]
self.assertEqual(tag.event_uuid, u'8')
self.assertEqual(tag.tags[0], u'VirusTotal Detections 10')
def testExamineEventAndCompileReport(self):
"""Tests the ExamineEvent and CompileReport functions."""
events = []
for event_dictionary in self._TEST_EVENTS:
event_dictionary['pathspec'] = fake_path_spec.FakePathSpec(
location='C:\\WINDOWS\\system32\\evil.exe')
event = self._CreateTestEventObject(event_dictionary)
events.append(event)
plugin = virustotal.VirusTotalAnalysisPlugin()
plugin.SetAPIKey(self._FAKE_API_KEY)
storage_writer = self._AnalyzeEvents(events, plugin)
self.assertEqual(len(storage_writer.analysis_reports), 1)
self.assertEqual(storage_writer.number_of_event_tags, 1)
report = storage_writer.analysis_reports[0]
self.assertIsNotNone(report)
expected_text = (
'virustotal hash tagging results\n'
'1 path specifications tagged with label: virustotal_detections_10\n'
)
self.assertEqual(report.text, expected_text)
labels = []
for event_tag in storage_writer.GetEventTags():
labels.extend(event_tag.labels)
self.assertEqual(len(labels), 1)
expected_labels = ['virustotal_detections_10']
self.assertEqual(labels, expected_labels)
def testExamineEventAndCompileReport(self):
"""Tests the ExamineEvent and CompileReport functions."""
plugin = virustotal.VirusTotalAnalysisPlugin()
plugin.SetAPIKey(self._FAKE_API_KEY)
storage_writer = self._AnalyzeEvents(self._TEST_EVENTS, plugin)
self.assertEqual(len(storage_writer.analysis_reports), 1)
self.assertEqual(storage_writer.number_of_event_tags, 1)
report = storage_writer.analysis_reports[0]
self.assertIsNotNone(report)
expected_text = (
'virustotal hash tagging results\n'
'1 path specifications tagged with label: virustotal_detections_10\n'
)
self.assertEqual(report.text, expected_text)
labels = []
for event_tag in storage_writer.GetEventTags():
labels.extend(event_tag.labels)
self.assertEqual(len(labels), 1)
expected_labels = ['virustotal_detections_10']
self.assertEqual(labels, expected_labels)
def testExamineEventAndCompileReport(self):
"""Tests the ExamineEvent and CompileReport functions."""
plugin = virustotal.VirusTotalAnalysisPlugin()
plugin.SetAPIKey(self._FAKE_API_KEY)
storage_writer = self._AnalyzeEvents(self._TEST_EVENTS, plugin)
number_of_reports = storage_writer.GetNumberOfAttributeContainers(
'analysis_report')
self.assertEqual(number_of_reports, 1)
analysis_report = storage_writer.GetAttributeContainerByIndex(
reports.AnalysisReport.CONTAINER_TYPE, 0)
self.assertIsNotNone(analysis_report)
self.assertEqual(analysis_report.plugin_name, 'virustotal')
expected_analysis_counter = collections.Counter({
'virustotal_detections_10': 1})
self.assertEqual(
analysis_report.analysis_counter, expected_analysis_counter)
number_of_event_tags = storage_writer.GetNumberOfAttributeContainers(
'event_tag')
self.assertEqual(number_of_event_tags, 1)
labels = []
for event_tag in storage_writer.GetAttributeContainers(
events.EventTag.CONTAINER_TYPE):
labels.extend(event_tag.labels)
self.assertEqual(len(labels), 1)
expected_labels = ['virustotal_detections_10']
self.assertEqual(labels, expected_labels)
def testExamineEventAndCompileReport(self):
"""Tests the ExamineEvent and CompileReport functions."""
events = []
for event_dictionary in self._TEST_EVENTS:
event_dictionary[u'pathspec'] = fake_path_spec.FakePathSpec(
location=u'C:\\WINDOWS\\system32\\evil.exe')
event = self._CreateTestEventObject(event_dictionary)
events.append(event)
plugin = virustotal.VirusTotalAnalysisPlugin()
plugin.SetAPIKey(self._FAKE_API_KEY)
storage_writer = self._AnalyzeEvents(events, plugin)
self.assertEqual(len(storage_writer.analysis_reports), 1)
analysis_report = storage_writer.analysis_reports[0]
tags = analysis_report.GetTags()
self.assertEqual(len(tags), 1)
tag = tags[0]
self.assertEqual(tag.event_uuid, u'8')
self.assertEqual(tag.labels[0], u'virustotal_detections_10')
def testParseOptions(self):
"""Tests the ParseOptions function."""
options = cli_test_lib.TestOptions()
analysis_plugin = virustotal.VirusTotalAnalysisPlugin()
with self.assertRaises(errors.BadConfigOption):
virustotal_analysis.VirusTotalAnalysisArgumentsHelper.ParseOptions(
options, analysis_plugin)
options.virustotal_api_key = u'TEST'
virustotal_analysis.VirusTotalAnalysisArgumentsHelper.ParseOptions(
options, analysis_plugin)
with self.assertRaises(errors.BadConfigObject):
virustotal_analysis.VirusTotalAnalysisArgumentsHelper.ParseOptions(
options, None)
