コード例 #1
0
  def testParseFile(self):
    """Test parsing of a Mac Wifi log file."""
    parser = mac_appfirewall.MacAppFirewallParser()
    knowledge_base_values = {'year': 2013}
    storage_writer = self._ParseFile(
        ['appfirewall.log'], parser,
        knowledge_base_values=knowledge_base_values)

    self.assertEqual(storage_writer.number_of_warnings, 0)
    self.assertEqual(storage_writer.number_of_events, 47)

    events = list(storage_writer.GetEvents())

    expected_event_values = {
        'action': 'creating /var/log/appfirewall.log',
        'agent': 'socketfilterfw[112]',
        'computer_name': 'DarkTemplar-2.local',
        'data_type': 'mac:appfirewall:line',
        'process_name': 'Logging',
        'status': 'Error',
        'timestamp': '2013-11-02 04:07:35.000000'}

    self.CheckEventValues(storage_writer, events[0], expected_event_values)

    expected_event_values = {
        'action': 'Allow TCP LISTEN  (in:0 out:1)',
        'agent': 'socketfilterfw[87]',
        'computer_name': 'DarkTemplar-2.local',
        'data_type': 'mac:appfirewall:line',
        'process_name': 'Dropbox',
        'status': 'Info',
        'timestamp': '2013-11-03 13:25:15.000000'}

    self.CheckEventValues(storage_writer, events[9], expected_event_values)

    # Check repeated lines.
    event_data = self._GetEventDataOfEvent(storage_writer, events[38])

    expected_event_values = {
        'action': event_data.action,
        'agent': event_data.agent,
        'computer_name': event_data.computer_name,
        'data_type': 'mac:appfirewall:line',
        'process_name': event_data.process_name,
        'status': event_data.status}

    self.CheckEventValues(storage_writer, events[39], expected_event_values)

    # Year changes.
    expected_event_values = {
        'data_type': 'mac:appfirewall:line',
        'timestamp': '2013-12-31 23:59:23.000000'}

    self.CheckEventValues(storage_writer, events[45], expected_event_values)

    expected_event_values = {
        'data_type': 'mac:appfirewall:line',
        'timestamp': '2014-01-01 01:13:23.000000'}

    self.CheckEventValues(storage_writer, events[46], expected_event_values)
コード例 #2
0
    def testParseFile(self):
        """Test parsing of a Mac Wifi log file."""
        parser = mac_appfirewall.MacAppFirewallParser()
        knowledge_base_values = {'year': 2013}
        storage_writer = self._ParseFile(
            ['appfirewall.log'],
            parser,
            knowledge_base_values=knowledge_base_values)

        self.assertEqual(storage_writer.number_of_warnings, 0)
        self.assertEqual(storage_writer.number_of_events, 47)

        events = list(storage_writer.GetEvents())

        event = events[0]

        self.CheckTimestamp(event.timestamp, '2013-11-02 04:07:35.000000')

        event_data = self._GetEventDataOfEvent(storage_writer, event)
        self.assertEqual(event_data.agent, 'socketfilterfw[112]')
        self.assertEqual(event_data.computer_name, 'DarkTemplar-2.local')
        self.assertEqual(event_data.status, 'Error')
        self.assertEqual(event_data.process_name, 'Logging')
        self.assertEqual(event_data.action,
                         'creating /var/log/appfirewall.log')

        expected_message = ('Computer: DarkTemplar-2.local '
                            'Agent: socketfilterfw[112] '
                            'Status: Error '
                            'Process name: Logging '
                            'Log: creating /var/log/appfirewall.log')
        expected_short_message = ('Process name: Logging ' 'Status: Error')

        self._TestGetMessageStrings(event_data, expected_message,
                                    expected_short_message)

        event = events[9]

        self.CheckTimestamp(event.timestamp, '2013-11-03 13:25:15.000000')

        event_data = self._GetEventDataOfEvent(storage_writer, event)
        self.assertEqual(event_data.agent, 'socketfilterfw[87]')
        self.assertEqual(event_data.computer_name, 'DarkTemplar-2.local')
        self.assertEqual(event_data.status, 'Info')
        self.assertEqual(event_data.process_name, 'Dropbox')
        self.assertEqual(event_data.action, 'Allow TCP LISTEN  (in:0 out:1)')

        expected_message = ('Computer: DarkTemplar-2.local '
                            'Agent: socketfilterfw[87] '
                            'Status: Info '
                            'Process name: Dropbox '
                            'Log: Allow TCP LISTEN  (in:0 out:1)')
        expected_short_message = ('Process name: Dropbox ' 'Status: Info')

        self._TestGetMessageStrings(event_data, expected_message,
                                    expected_short_message)

        # Check repeated lines.
        event = events[38]
        event_data = self._GetEventDataOfEvent(storage_writer, event)

        repeated_event = events[39]
        repeated_event_data = self._GetEventDataOfEvent(
            storage_writer, repeated_event)

        self.assertEqual(event_data.agent, repeated_event_data.agent)
        self.assertEqual(event_data.computer_name,
                         repeated_event_data.computer_name)
        self.assertEqual(event_data.status, repeated_event_data.status)
        self.assertEqual(event_data.process_name,
                         repeated_event_data.process_name)
        self.assertEqual(event_data.action, repeated_event_data.action)

        # Year changes.
        event = events[45]

        self.CheckTimestamp(event.timestamp, '2013-12-31 23:59:23.000000')

        event = events[46]

        self.CheckTimestamp(event.timestamp, '2014-01-01 01:13:23.000000')
コード例 #3
0
 def setUp(self):
     """Sets up the needed objects used throughout the test."""
     self._parser = mac_appfirewall.MacAppFirewallParser()
コード例 #4
0
ファイル: mac_appfirewall.py プロジェクト: bethlogic/plaso
    def testParseFile(self):
        """Test parsing of a Mac Wifi log file."""
        parser_object = mac_appfirewall.MacAppFirewallParser()

        knowledge_base_values = {u'year': 2013}
        test_file = self._GetTestFilePath([u'appfirewall.log'])
        event_queue_consumer = self._ParseFile(
            parser_object,
            test_file,
            knowledge_base_values=knowledge_base_values)
        event_objects = self._GetEventObjectsFromQueue(event_queue_consumer)

        self.assertEqual(len(event_objects), 47)

        event_object = event_objects[0]

        expected_timestamp = timelib.Timestamp.CopyFromString(
            u'2013-11-02 04:07:35')
        self.assertEqual(event_object.timestamp, expected_timestamp)

        self.assertEqual(event_object.agent, u'socketfilterfw[112]')
        self.assertEqual(event_object.computer_name, u'DarkTemplar-2.local')
        self.assertEqual(event_object.status, u'Error')
        self.assertEqual(event_object.process_name, u'Logging')
        self.assertEqual(event_object.action,
                         u'creating /var/log/appfirewall.log')

        expected_msg = (u'Computer: DarkTemplar-2.local '
                        u'Agent: socketfilterfw[112] '
                        u'Status: Error '
                        u'Process name: Logging '
                        u'Log: creating /var/log/appfirewall.log')
        expected_msg_short = (u'Process name: Logging ' u'Status: Error')

        self._TestGetMessageStrings(event_object, expected_msg,
                                    expected_msg_short)

        event_object = event_objects[9]

        expected_timestamp = timelib.Timestamp.CopyFromString(
            u'2013-11-03 13:25:15')
        self.assertEqual(event_object.timestamp, expected_timestamp)

        self.assertEqual(event_object.agent, u'socketfilterfw[87]')
        self.assertEqual(event_object.computer_name, u'DarkTemplar-2.local')
        self.assertEqual(event_object.status, u'Info')
        self.assertEqual(event_object.process_name, u'Dropbox')
        self.assertEqual(event_object.action,
                         u'Allow TCP LISTEN  (in:0 out:1)')

        expected_msg = (u'Computer: DarkTemplar-2.local '
                        u'Agent: socketfilterfw[87] '
                        u'Status: Info '
                        u'Process name: Dropbox '
                        u'Log: Allow TCP LISTEN  (in:0 out:1)')
        expected_msg_short = (u'Process name: Dropbox ' u'Status: Info')

        self._TestGetMessageStrings(event_object, expected_msg,
                                    expected_msg_short)

        # Check repeated lines.
        event_object = event_objects[38]
        repeated_event_object = event_objects[39]
        self.assertEqual(event_object.agent, repeated_event_object.agent)
        self.assertEqual(event_object.computer_name,
                         repeated_event_object.computer_name)
        self.assertEqual(event_object.status, repeated_event_object.status)
        self.assertEqual(event_object.process_name,
                         repeated_event_object.process_name)
        self.assertEqual(event_object.action, repeated_event_object.action)

        # Year changes.
        event_object = event_objects[45]
        expected_timestamp = timelib.Timestamp.CopyFromString(
            u'2013-12-31 23:59:23')
        self.assertEqual(event_object.timestamp, expected_timestamp)

        event_object = event_objects[46]
        expected_timestamp = timelib.Timestamp.CopyFromString(
            u'2014-01-01 01:13:23')
        self.assertEqual(event_object.timestamp, expected_timestamp)
コード例 #5
0
 def setUp(self):
   """Makes preparations before running an individual test."""
   self._parser = mac_appfirewall.MacAppFirewallParser()
コード例 #6
0
 def setUp(self):
   """Sets up the needed objects used throughout the test."""
   pre_obj = event.PreprocessObject()
   pre_obj.year = 2013
   pre_obj.zone = pytz.timezone('UTC')
   self._parser = mac_appfirewall.MacAppFirewallParser(pre_obj, None)