def testWriteSerialized(self):
"""Tests the WriteSerialized function."""
event_object = event.EventObject()
event_object.data_type = u'test:event2'
event_object.timestamp = 1234124
event_object.timestamp_desc = u'Written'
# Prevent the event object for generating its own UUID.
event_object.uuid = u'5a78777006de4ddb8d7bbe12ab92ccf8'
event_object.empty_string = u''
event_object.zero_integer = 0
event_object.integer = 34
event_object.string = u'Normal string'
event_object.unicode_string = u'And I\'m a unicorn.'
event_object.my_list = [u'asf', 4234, 2, 54, u'asf']
event_object.my_dict = {
u'a': u'not b', u'c': 34, u'list': [u'sf', 234], u'an': [234, 32]}
event_object.a_tuple = (
u'some item', [234, 52, 15], {u'a': u'not a', u'b': u'not b'}, 35)
event_object.null_value = None
proto_string = self._serializer.WriteSerialized(event_object)
self.assertEqual(proto_string, self._proto_string)
event_object = self._serializer.ReadSerialized(proto_string)
# An empty string should not get stored.
self.assertFalse(hasattr(event_object, u'empty_string'))
# A None (or Null) value should not get stored.
self.assertFalse(hasattr(event_object, u'null_value'))
def _ConvertDictToEventObject(self, json_dict):
"""Converts a JSON dict into an event object.
The dictionary of the JSON serialized objects consists of:
{
'__type__': 'EventObject'
'pathspec': { ... }
'tag': { ... }
...
}
Here '__type__' indicates the object base type. In this case this should
be 'EventObject'. The rest of the elements of the dictionary make up the
event object properties.
Args:
json_dict: a dictionary of the JSON serialized objects.
Returns:
An event object (instance of EventObject).
"""
event_object = event.EventObject()
for key, value in iter(json_dict.items()):
setattr(event_object, key, value)
return event_object
def Parse(self, unused_file_entry):
"""Extract data from a fake plist file for testing.
Args:
unused_file_entry: A file entry object that is not used by
the fake parser.
Yields:
An event object (instance of EventObject) that contains the parsed
attributes.
"""
event_object = event.EventObject()
event_object.timestamp = timelib_test.CopyStringToTimestamp(
'2015-11-18 01:15:43')
event_object.timestamp_desc = 'Last Written'
event_object.text_short = 'This description is different than the long one.'
event_object.text = (
u'User did a very bad thing, bad, bad thing that awoke Dr. Evil.')
event_object.filename = (
u'/My Documents/goodfella/Documents/Hideout/myfile.txt')
event_object.hostname = 'Agrabah'
event_object.parser = 'Weirdo'
event_object.inode = 1245
event_object.display_name = u'unknown:{0:s}'.format(event_object.filename)
event_object.data_type = self.DATA_TYPE
yield event_object
def testWriteSerialized(self):
"""Test the write serialized functionality."""
event_object = event.EventObject()
event_object.data_type = 'test:event2'
event_object.timestamp = 1234124
event_object.timestamp_desc = 'Written'
# Prevent the event object for generating its own UUID.
event_object.uuid = '5a78777006de4ddb8d7bbe12ab92ccf8'
event_object.empty_string = u''
event_object.zero_integer = 0
event_object.integer = 34
event_object.string = 'Normal string'
event_object.unicode_string = u'And I\'m a unicorn.'
event_object.my_list = ['asf', 4234, 2, 54, 'asf']
event_object.my_dict = {
'a': 'not b',
'c': 34,
'list': ['sf', 234],
'an': [234, 32]
}
event_object.a_tuple = ('some item', [234, 52, 15], {
'a': 'not a',
'b': 'not b'
}, 35)
event_object.null_value = None
serializer = json_serializer.JsonEventObjectSerializer
json_string = serializer.WriteSerialized(event_object)
self.assertEqual(sorted(json_string), sorted(self._json_string))
event_object = serializer.ReadSerialized(json_string)
def testWriteSerialized(self):
"""Tests the WriteSerialized function."""
event_object = event.EventObject()
event_object.data_type = u'test:event2'
event_object.timestamp = 1234124
event_object.timestamp_desc = u'Written'
# Prevent the event object for generating its own UUID.
event_object.uuid = u'5a78777006de4ddb8d7bbe12ab92ccf8'
event_object.binary_string = b'\xc0\x90\x90binary'
event_object.empty_string = u''
event_object.zero_integer = 0
event_object.integer = 34
event_object.string = u'Normal string'
event_object.unicode_string = u'And I am a unicorn.'
event_object.my_list = [u'asf', 4234, 2, 54, u'asf']
event_object.my_dict = {
u'a': u'not b',
u'c': 34,
u'list': [u'sf', 234],
u'an': [234, 32]
}
event_object.a_tuple = (u'some item', [234, 52, 15], {
u'a': u'not a',
u'b': u'not b'
}, 35)
event_object.null_value = None
json_string = self._TestWriteSerialized(self._serializer, event_object,
self._json_dict)
event_object = self._serializer.ReadSerialized(json_string)
def _CreateTestEventObject(self, path):
"""Create a test event object with a particular path."""
event_object = event.EventObject()
event_object.data_type = 'fs:stat'
event_object.timestamp = 12345
event_object.timestamp_desc = u'Some stuff'
event_object.filename = path
return event_object
def ReadSerializedObject(cls, proto):
"""Reads an event object from serialized form.
Args:
proto: a protobuf object containing the serialized form (instance of
plaso_storage_pb2.EventObject).
Returns:
An event object (instance of EventObject).
"""
event_object = event.EventObject()
event_object.data_type = proto.data_type
for proto_attribute, value in proto.ListFields():
if proto_attribute.name == u'source_short':
event_object.source_short = cls._SOURCE_SHORT_FROM_PROTO_MAP[
value]
elif proto_attribute.name == u'pathspec':
event_object.pathspec = (
cls._path_spec_serializer.ReadSerialized(proto.pathspec))
elif proto_attribute.name == u'tag':
event_object.tag = ProtobufEventTagSerializer.ReadSerializedObject(
proto.tag)
elif proto_attribute.name == u'attributes':
continue
else:
# Register the attribute correctly.
# The attribute can be a 'regular' high level attribute or
# a message (Dict/Array) that need special handling.
if isinstance(value, message.Message):
if value.DESCRIPTOR.full_name.endswith('.Dict'):
value = ProtobufEventAttributeSerializer.ReadSerializedDictObject(
value)
elif value.DESCRIPTOR.full_name.endswith('.Array'):
value = ProtobufEventAttributeSerializer.ReadSerializedListObject(
value)
else:
value = ProtobufEventAttributeSerializer.ReadSerializedObject(
value)
setattr(event_object, proto_attribute.name, value)
# The plaso_storage_pb2.EventObject protobuf contains a field named
# attributes which technically not a Dict but behaves similar.
dict_object = ProtobufEventAttributeSerializer.ReadSerializedDictObject(
proto)
for attribute, value in iter(dict_object.items()):
setattr(event_object, attribute, value)
return event_object
def testEqualityStringFileStatParserMissingInode(self):
"""Test that FileStatParser files with missing inodes are distinct"""
event_a = event.EventObject()
event_b = event.EventObject()
event_a.timestamp = 123
event_a.timestamp_desc = u'LAST WRITTEN'
event_a.data_type = 'mock:nothing'
event_a.parser = u'filestat'
event_a.filename = u'c:/bull/skrytinmappa/skra.txt'
event_a.another_attribute = False
event_b.timestamp = 123
event_b.timestamp_desc = u'LAST WRITTEN'
event_b.data_type = 'mock:nothing'
event_b.parser = u'filestat'
event_b.filename = u'c:/bull/skrytinmappa/skra.txt'
event_b.another_attribute = False
self.assertNotEqual(event_a.EqualityString(), event_b.EqualityString())
def _CreateTestEventObject(self, test_event_dict):
"""Create a basic event object to test the plugin on."""
if test_event_dict[u'event_type'] == u'prefetch':
event_object = TestPrefetchEvent()
elif test_event_dict[u'event_type'] == u'chrome_download':
event_object = TestChromeDownloadEvent()
else:
event_object = event.EventObject()
event_object.timestamp = test_event_dict[u'timestamp']
for key, value in test_event_dict[u'attributes']:
setattr(event_object, key, value)
return event_object
def testEqualityString(self):
"""Test the EventObject EqualityString."""
event_a = event.EventObject()
event_b = event.EventObject()
event_c = event.EventObject()
event_d = event.EventObject()
event_e = event.EventObject()
event_f = event.EventObject()
event_a.timestamp = 123
event_a.timestamp_desc = 'LAST WRITTEN'
event_a.data_type = 'mock:nothing'
event_a.inode = 124
event_a.filename = 'c:/bull/skrytinmappa/skra.txt'
event_a.another_attribute = False
event_b.timestamp = 123
event_b.timestamp_desc = 'LAST WRITTEN'
event_b.data_type = 'mock:nothing'
event_b.inode = 124
event_b.filename = 'c:/bull/skrytinmappa/skra.txt'
event_b.another_attribute = False
event_c.timestamp = 123
event_c.timestamp_desc = 'LAST UPDATED'
event_c.data_type = 'mock:nothing'
event_c.inode = 124
event_c.filename = 'c:/bull/skrytinmappa/skra.txt'
event_c.another_attribute = False
event_d.timestamp = 14523
event_d.timestamp_desc = 'LAST WRITTEN'
event_d.data_type = 'mock:nothing'
event_d.inode = 124
event_d.filename = 'c:/bull/skrytinmappa/skra.txt'
event_d.another_attribute = False
event_e.timestamp = 123
event_e.timestamp_desc = 'LAST WRITTEN'
event_e.data_type = 'mock:nothing'
event_e.inode = 623423
event_e.filename = 'c:/afrit/öñṅûŗ₅ḱŖūα.txt'
event_e.another_attribute = False
event_f.timestamp = 14523
event_f.timestamp_desc = 'LAST WRITTEN'
event_f.data_type = 'mock:nothing'
event_f.inode = 124
event_f.filename = 'c:/bull/skrytinmappa/skra.txt'
event_f.another_attribute = False
event_f.weirdness = 'I am a potato'
self.assertEquals(event_a.EqualityString(), event_b.EqualityString())
self.assertNotEquals(event_a.EqualityString(),
event_c.EqualityString())
self.assertEquals(event_a.EqualityString(), event_e.EqualityString())
self.assertNotEquals(event_c.EqualityString(),
event_d.EqualityString())
self.assertNotEquals(event_d.EqualityString(),
event_f.EqualityString())
def ParseRow(self, row):
"""Parse a line of the log file and yield extracted EventObject(s).
Args:
row: A dictionary containing all the fields as denoted in the
COLUMNS class list.
Yields:
An EventObject extracted from a single line from the log file.
"""
event_object = event.EventObject()
event_object.row_dict = row
yield event_object
def ParseRow(self, parser_mediator, row_offset, row):
"""Parse a line of the log file and extract event objects.
Args:
parser_mediator: a parser mediator object (instance of ParserMediator).
row_offset: the offset of the row.
row: a dictionary containing all the fields as denoted in the
COLUMNS class list. Strings in this dict are unicode strings.
"""
event_object = event.EventObject()
if row_offset is not None:
event_object.offset = row_offset
event_object.row_dict = row
parser_mediator.ProduceEvent(event_object)
def _CreateTestEventObject(self, event_dict):
"""Create a test event object.
Args:
service_event: A hash containing attributes of an event to add to the
queue.
Returns:
An EventObject to test with.
"""
event_object = event.EventObject()
event_object.pathspec = event_dict[u'path_spec']
for attrib in event_dict.keys():
if attrib.endswith(u'_hash'):
setattr(event_object, attrib, event_dict[attrib])
return event_object
def _CreateTestEventObject(self, test_event):
"""Create a test event object with a particular path.
Args:
test_event_dict: A dict containing attributes of an event to add to the
queue.
Returns:
An event object (instance of EventObject) that contains the necessary
attributes for testing.
"""
event_object = event.EventObject()
event_object.data_type = test_event[u'data_type']
event_object.url = u'https://{0:s}/{1:s}'.format(
test_event.get(u'domain', u''), test_event.get(u'path', u''))
event_object.timestamp = test_event[u'timestamp']
return event_object
def ParseRow(self, parser_context, row_offset, row, file_entry=None):
"""Parse a line of the log file and extract event objects.
Args:
parser_context: A parser context object (instance of ParserContext).
row_offset: The offset of the row.
row: A dictionary containing all the fields as denoted in the
COLUMNS class list.
file_entry: optional file entry object (instance of dfvfs.FileEntry).
The default is None.
"""
event_object = event.EventObject()
if row_offset is not None:
event_object.offset = row_offset
event_object.row_dict = row
parser_context.ProduceEvent(event_object,
parser_name=self.NAME,
file_entry=file_entry)
def ReadSerialized(cls, json_string):
"""Reads an event object from serialized form.
Args:
json_string: an object containing the serialized form.
Returns:
An event object (instance of EventObject).
"""
event_object = event.EventObject()
json_attributes = json.loads(json_string)
for key, value in json_attributes.iteritems():
# TODO: Add pathspec support.
if key == 'tag':
value = JsonEventTagSerializer.ReadSerialized(value)
setattr(event_object, key, value)
return event_object
def testPlasoEvents(self):
"""Test plaso EventObjects, both Python and Protobuf version.
These are more plaso specific tests than the more generic
objectfilter ones. It will create an EventObject that stores
some attributes. These objects will then be serialzed into an
EventObject protobuf and all tests run against both the native
Python object as well as the protobuf.
"""
event_object = event.EventObject()
event_object.data_type = 'Weirdo:Made up Source:Last Written'
event_object.timestamp = timelib.Timestamp.CopyFromString(
u'2015-11-18 01:15:43')
event_object.timestamp_desc = u'Last Written'
event_object.text_short = (
u'This description is different than the long one.')
event_object.text = (
u'User did a very bad thing, bad, bad thing that awoke Dr. Evil.')
event_object.filename = (
u'/My Documents/goodfella/Documents/Hideout/myfile.txt')
event_object.hostname = u'Agrabah'
event_object.parser = u'Weirdo'
event_object.inode = 1245
event_object.mydict = {
u'value': 134,
u'another': u'value',
u'A Key (with stuff)': u'Here'
}
event_object.display_name = u'unknown:{0:s}'.format(
event_object.filename)
# Series of tests.
query = u'filename contains \'GoodFella\''
self._RunPlasoTest(event_object, query, True)
# Double negative matching -> should be the same
# as a positive one.
query = u'filename not not contains \'GoodFella\''
my_parser = pfilter.BaseParser(query)
self.assertRaises(errors.ParseError, my_parser.Parse)
# Test date filtering.
query = u'date >= \'2015-11-18\''
self._RunPlasoTest(event_object, query, True)
query = u'date < \'2015-11-19\''
self._RunPlasoTest(event_object, query, True)
# 2015-11-18T01:15:43
query = (u'date < \'2015-11-18T01:15:44.341\' and '
u'date > \'2015-11-18 01:15:42\'')
self._RunPlasoTest(event_object, query, True)
query = u'date > \'2015-11-19\''
self._RunPlasoTest(event_object, query, False)
# Perform few attribute tests.
query = u'filename not contains \'sometext\''
self._RunPlasoTest(event_object, query, True)
query = (
u'timestamp_desc CONTAINS \'written\' AND date > \'2015-11-18\' AND '
u'date < \'2015-11-25 12:56:21\' AND (source_short contains \'LOG\' or '
u'source_short CONTAINS \'REG\')')
self._RunPlasoTest(event_object, query, True)
query = u'parser is not \'Made\''
self._RunPlasoTest(event_object, query, True)
query = u'parser is not \'Weirdo\''
self._RunPlasoTest(event_object, query, False)
query = u'mydict.value is 123'
self._RunPlasoTest(event_object, query, False)
query = u'mydict.akeywithstuff contains "ere"'
self._RunPlasoTest(event_object, query, True)
query = u'mydict.value is 134'
self._RunPlasoTest(event_object, query, True)
query = u'mydict.value < 200'
self._RunPlasoTest(event_object, query, True)
query = u'mydict.another contains "val"'
self._RunPlasoTest(event_object, query, True)
query = u'mydict.notthere is 123'
self._RunPlasoTest(event_object, query, False)
query = u'source_long not contains \'Fake\''
self._RunPlasoTest(event_object, query, False)
query = u'source is \'REG\''
self._RunPlasoTest(event_object, query, True)
query = u'source is not \'FILE\''
self._RunPlasoTest(event_object, query, True)
# Multiple attributes.
query = (
u'source_long is \'Fake Parsing Source\' AND description_long '
u'regexp \'bad, bad thing [\\sa-zA-Z\\.]+ evil\'')
self._RunPlasoTest(event_object, query, False)
query = (u'source_long is \'Fake Parsing Source\' AND text iregexp '
u'\'bad, bad thing [\\sa-zA-Z\\.]+ evil\'')
self._RunPlasoTest(event_object, query, True)
def testSameEvent(self):
"""Test the EventObject comparison."""
event_a = event.EventObject()
event_b = event.EventObject()
event_c = event.EventObject()
event_d = event.EventObject()
event_e = event.EventObject()
event_a.timestamp = 123
event_a.timestamp_desc = u'LAST WRITTEN'
event_a.data_type = 'mock:nothing'
event_a.inode = 124
event_a.filename = u'c:/bull/skrytinmappa/skra.txt'
event_a.another_attribute = False
event_a.metadata = {
u'author': u'Some Random Dude',
u'version': 1245L,
u'last_changed': u'Long time ago'
}
event_a.strings = [u'This ', u'is a ', u'long string']
event_b.timestamp = 123
event_b.timestamp_desc = 'LAST WRITTEN'
event_b.data_type = 'mock:nothing'
event_b.inode = 124
event_b.filename = u'c:/bull/skrytinmappa/skra.txt'
event_b.another_attribute = False
event_b.metadata = {
u'author': u'Some Random Dude',
u'version': 1245L,
u'last_changed': u'Long time ago'
}
event_b.strings = [u'This ', u'is a ', u'long string']
event_c.timestamp = 123
event_c.timestamp_desc = u'LAST UPDATED'
event_c.data_type = 'mock:nothing'
event_c.inode = 124
event_c.filename = u'c:/bull/skrytinmappa/skra.txt'
event_c.another_attribute = False
event_d.timestamp = 14523
event_d.timestamp_desc = u'LAST WRITTEN'
event_d.data_type = 'mock:nothing'
event_d.inode = 124
event_d.filename = u'c:/bull/skrytinmappa/skra.txt'
event_d.another_attribute = False
event_e.timestamp = 123
event_e.timestamp_desc = u'LAST WRITTEN'
event_e.data_type = 'mock:nothing'
event_e.inode = 623423
event_e.filename = u'c:/afrit/onnurskra.txt'
event_e.another_attribute = False
event_e.metadata = {
u'author': u'Some Random Dude',
u'version': 1245,
u'last_changed': u'Long time ago'
}
event_e.strings = [u'This ', u'is a ', u'long string']
self.assertEqual(event_a, event_b)
self.assertNotEqual(event_a, event_c)
self.assertEqual(event_a, event_e)
self.assertNotEqual(event_c, event_d)
def GetEventObjects():
"""Returns a list of test event objects."""
event_objects = []
hostname = 'MYHOSTNAME'
data_type = 'test:event1'
event_a = event.EventObject()
event_a.username = '******'
event_a.filename = 'c:/Users/joesmith/NTUSER.DAT'
event_a.hostname = hostname
event_a.timestamp = 0
event_a.data_type = data_type
event_b = event.WinRegistryEvent(u'MY AutoRun key',
{u'Run': u'c:/Temp/evil.exe'},
timestamp=1334961526929596)
event_b.hostname = hostname
event_objects.append(event_b)
event_c = event.WinRegistryEvent(
u'//HKCU/Secret/EvilEmpire/Malicious_key',
{u'Value': u'REGALERT: send all the exes to the other world'},
timestamp=1334966206929596)
event_c.hostname = hostname
event_objects.append(event_c)
event_d = event.WinRegistryEvent(u'//HKCU/Windows/Normal',
{u'Value': u'run all the benign stuff'},
timestamp=1334940286000000)
event_d.hostname = hostname
event_objects.append(event_d)
event_objects.append(event_a)
filename = 'c:/Temp/evil.exe'
event_e = TestEvent1(1335781787929596,
{'text': 'This log line reads ohh so much.'})
event_e.filename = filename
event_e.hostname = hostname
event_objects.append(event_e)
event_f = TestEvent1(1335781787929596,
{'text': 'Nothing of interest here, move on.'})
event_f.filename = filename
event_f.hostname = hostname
event_objects.append(event_f)
event_g = TestEvent1(
1335791207939596,
{'text': 'Mr. Evil just logged into the machine and got root.'})
event_g.filename = filename
event_g.hostname = hostname
event_objects.append(event_g)
text_dict = {
'body':
(u'This is a line by someone not reading the log line properly. And '
u'since this log line exceeds the accepted 80 chars it will be '
u'shortened.'),
'hostname':
u'nomachine',
'username':
u'johndoe'
}
event_h = event.TextEvent(1338934459000000, text_dict)
event_h.text = event_h.body
event_h.hostname = hostname
event_h.filename = filename
event_objects.append(event_h)
return event_objects
def GetEventObjects():
"""Returns a list of test event objects."""
event_objects = []
hostname = u'MYHOSTNAME'
data_type = 'test:event'
event_a = event.EventObject()
event_a.username = u'joesmith'
event_a.filename = u'c:/Users/joesmith/NTUSER.DAT'
event_a.hostname = hostname
event_a.timestamp = 0
event_a.data_type = data_type
event_a.text = u''
# TODO: move this to a WindowsRegistryEvent unit test.
timestamp = timelib.Timestamp.CopyFromString(u'2012-04-20 22:38:46.929596')
event_b = windows_events.WindowsRegistryEvent(
timestamp, u'MY AutoRun key', {u'Run': u'c:/Temp/evil.exe'})
event_b.hostname = hostname
event_objects.append(event_b)
timestamp = timelib.Timestamp.CopyFromString(u'2012-04-20 23:56:46.929596')
event_c = windows_events.WindowsRegistryEvent(
timestamp, u'//HKCU/Secret/EvilEmpire/Malicious_key',
{u'Value': u'send all the exes to the other world'})
event_c.hostname = hostname
event_objects.append(event_c)
timestamp = timelib.Timestamp.CopyFromString(u'2012-04-20 16:44:46.000000')
event_d = windows_events.WindowsRegistryEvent(
timestamp, u'//HKCU/Windows/Normal',
{u'Value': u'run all the benign stuff'})
event_d.hostname = hostname
event_objects.append(event_d)
event_objects.append(event_a)
timestamp = timelib.Timestamp.CopyFromString(u'2012-04-30 10:29:47.929596')
filename = u'c:/Temp/evil.exe'
event_e = TestEvent(timestamp,
{u'text': u'This log line reads ohh so much.'})
event_e.filename = filename
event_e.hostname = hostname
event_objects.append(event_e)
timestamp = timelib.Timestamp.CopyFromString(u'2012-04-30 10:29:47.929596')
event_f = TestEvent(timestamp,
{u'text': u'Nothing of interest here, move on.'})
event_f.filename = filename
event_f.hostname = hostname
event_objects.append(event_f)
timestamp = timelib.Timestamp.CopyFromString(u'2012-04-30 13:06:47.939596')
event_g = TestEvent(
timestamp,
{u'text': u'Mr. Evil just logged into the machine and got root.'})
event_g.filename = filename
event_g.hostname = hostname
event_objects.append(event_g)
text_dict = {
u'body':
(u'This is a line by someone not reading the log line properly. And '
u'since this log line exceeds the accepted 80 chars it will be '
u'shortened.'),
u'hostname':
u'nomachine',
u'username':
u'johndoe'
}
# TODO: move this to a TextEvent unit test.
timestamp = timelib.Timestamp.CopyFromString(u'2012-06-05 22:14:19.000000')
event_h = text_events.TextEvent(timestamp, 12, text_dict)
event_h.text = event_h.body
event_h.hostname = hostname
event_h.filename = filename
event_objects.append(event_h)
return event_objects
