def testParse(self):
    """Tests the Parse function on the AccessProtectionLog.txt sample.

    Runs McafeeAccessProtectionParser over the test file, checks the event
    and warning counts, and pins the attribute values of two events taken
    from the sorted event list.
    """
    access_protection_parser = mcafeeav.McafeeAccessProtectionParser()
    writer = self._ParseFile(
        ['AccessProtectionLog.txt'], access_protection_parser)

    # Every line of the sample must become an event and nothing may be
    # skipped with a warning: a silently dropped record in an AV log would
    # hide exactly the kind of evidence (blocked tampering) this log holds.
    self.assertEqual(writer.number_of_events, 14)
    self.assertEqual(writer.number_of_extraction_warnings, 0)
    self.assertEqual(writer.number_of_recovery_warnings, 0)

    # DSVParser does not guarantee the order in which events are produced,
    # so index into the sorted view rather than the raw output.
    sorted_events = list(writer.GetSortedEvents())

    self.CheckEventValues(writer, sorted_events[10], {
        'data_type': 'av:mcafee:accessprotectionlog',
        'date_time': '2013-09-27 14:42:26'})

    # TODO: Test that the UTF-8 byte order mark gets removed from the first
    # line. Until that exists, a BOM leaking into the first record's
    # timestamp field would not be caught by this test.

    # Entry under test, as quoted in the original comment:
    #   9/27/2013 2:42:26 PM  Blocked by Access Protection rule
    #   SOMEDOMAIN\someUser  C:\Windows\System32\procexp64.exe
    #   C:\Program Files (x86)\McAfee\Common Framework\UdaterUI.exe
    #   Common Standard Protection:Prevent termination of McAfee processes
    #   Action blocked : Terminate
    # NOTE(review): that quoted line (2:42:26 PM, UdaterUI.exe) does not
    # match the values asserted below (14:42:39, FrameworkService.exe); the
    # comment looks stale -- confirm against the test file.
    entry_values = {
        'action': 'Action blocked : Terminate',
        'data_type': 'av:mcafee:accessprotectionlog',
        'date_time': '2013-09-27 14:42:39',
        'filename': 'C:\\Windows\\System32\\procexp64.exe',
        'rule': ('Common Standard Protection:Prevent termination of McAfee '
                 'processes'),
        # The trailing space is part of the status value as parsed.
        'status': 'Blocked by Access Protection rule ',
        'trigger_location': (
            'C:\\Program Files (x86)\\McAfee\\Common Framework\\Frame'
            'workService.exe'),
        # NOTE(review): '******' disagrees with the SOMEDOMAIN\someUser in
        # the quoted log line; this looks like a redaction artefact in this
        # copy -- confirm the parser does not mask usernames.
        'username': '******'}
    self.CheckEventValues(writer, sorted_events[11], entry_values)
def testParse(self):
    """Tests the Parse function on the AccessProtectionLog.txt sample.

    Checks the event count, the timestamps of two sorted events, and the
    username, filename and formatted message strings of the second one.
    """
    access_protection_parser = mcafeeav.McafeeAccessProtectionParser()
    writer = self._ParseFile(
        ['AccessProtectionLog.txt'], access_protection_parser)

    # 14 lines in the file, one event each. Note that no warning count is
    # checked here, so a line dropped with a warning would only show up as a
    # wrong event count.
    self.assertEqual(writer.number_of_events, 14)

    # DSVParser output order is nondeterministic; work on the sorted list.
    sorted_events = list(writer.GetSortedEvents())

    first_checked = sorted_events[10]
    self.assertEqual(
        first_checked.timestamp,
        timelib.Timestamp.CopyFromString('2013-09-27 14:42:26'))

    # TODO: Test that the UTF-8 byte order mark gets removed from the first
    # line.

    # Entry under test, as quoted in the original comment:
    #   9/27/2013 2:42:26 PM  Blocked by Access Protection rule
    #   SOMEDOMAIN\someUser  C:\Windows\System32\procexp64.exe
    #   C:\Program Files (x86)\McAfee\Common Framework\UdaterUI.exe
    #   Common Standard Protection:Prevent termination of McAfee processes
    #   Action blocked : Terminate
    # NOTE(review): the quoted time (2:42:26 PM) and trigger (UdaterUI.exe)
    # differ from what is asserted below (14:42:39, FrameworkService.exe);
    # the comment appears stale -- confirm against the test file.
    second_checked = sorted_events[11]
    self.assertEqual(
        second_checked.timestamp,
        timelib.Timestamp.CopyFromString('2013-09-27 14:42:39'))
    self.assertEqual(second_checked.username, 'SOMEDOMAIN\\someUser')
    self.assertEqual(
        second_checked.filename, 'C:\\Windows\\System32\\procexp64.exe')

    long_message = (
        'File Name: C:\\Windows\\System32\\procexp64.exe '
        'User: SOMEDOMAIN\\someUser '
        'C:\\Program Files (x86)\\McAfee\\Common Framework\\Frame'
        'workService.exe '
        'Blocked by Access Protection rule '
        'Common Standard Protection:Prevent termination of McAfee processes '
        'Action blocked : Terminate')
    short_message = (
        'C:\\Windows\\System32\\procexp64.exe '
        'Action blocked : Terminate')
    self._TestGetMessageStrings(second_checked, long_message, short_message)
def testParse(self):
    """Tests the Parse function on the AccessProtectionLog.txt sample.

    Checks that the file parses without warnings into 14 events, pins the
    timestamps of two sorted events plus the filename/username of the
    second, and checks that event's formatted message strings.
    """
    access_protection_parser = mcafeeav.McafeeAccessProtectionParser()
    writer = self._ParseFile(
        ['AccessProtectionLog.txt'], access_protection_parser)

    # No warnings tolerated: a record skipped with a warning would silently
    # remove evidence from an AV tamper-protection log.
    self.assertEqual(writer.number_of_warnings, 0)
    self.assertEqual(writer.number_of_events, 14)

    # DSVParser output order is nondeterministic; work on the sorted list.
    sorted_events = list(writer.GetSortedEvents())

    self.CheckEventValues(
        writer, sorted_events[10],
        {'timestamp': '2013-09-27 14:42:26.000000'})

    # TODO: Test that the UTF-8 byte order mark gets removed from the first
    # line.

    # Entry under test, as quoted in the original comment:
    #   9/27/2013 2:42:26 PM  Blocked by Access Protection rule
    #   SOMEDOMAIN\someUser  C:\Windows\System32\procexp64.exe
    #   C:\Program Files (x86)\McAfee\Common Framework\UdaterUI.exe
    #   Common Standard Protection:Prevent termination of McAfee processes
    #   Action blocked : Terminate
    # NOTE(review): the quoted time (2:42:26 PM) and trigger (UdaterUI.exe)
    # differ from what is asserted below (14:42:39, FrameworkService.exe);
    # the comment appears stale -- confirm against the test file.
    entry_event = sorted_events[11]
    self.CheckEventValues(writer, entry_event, {
        'filename': 'C:\\Windows\\System32\\procexp64.exe',
        'timestamp': '2013-09-27 14:42:39.000000',
        # NOTE(review): '******' here contradicts the
        # 'User: SOMEDOMAIN\someUser' expected in the message below; this
        # looks like a redaction artefact in this copy -- confirm.
        'username': '******'})

    long_message = (
        'File Name: C:\\Windows\\System32\\procexp64.exe '
        'User: SOMEDOMAIN\\someUser '
        'C:\\Program Files (x86)\\McAfee\\Common Framework\\Frame'
        'workService.exe '
        'Blocked by Access Protection rule '
        'Common Standard Protection:Prevent termination of McAfee processes '
        'Action blocked : Terminate')
    short_message = (
        'C:\\Windows\\System32\\procexp64.exe '
        'Action blocked : Terminate')

    entry_event_data = self._GetEventDataOfEvent(writer, entry_event)
    self._TestGetMessageStrings(
        entry_event_data, long_message, short_message)
def testParse(self):
    """Tests the Parse function on the AccessProtectionLog.txt sample.

    Drains the event queue produced by McafeeAccessProtectionParser, checks
    the event count, the timestamps of the first two events, and the
    username, path and formatted message strings of the second.
    """
    access_protection_parser = mcafeeav.McafeeAccessProtectionParser()
    sample_path = self._GetTestFilePath([u'AccessProtectionLog.txt'])
    consumer = self._ParseFile(access_protection_parser, sample_path)
    parsed_events = self._GetEventObjectsFromQueue(consumer)

    # 14 lines in the file, one event object each.
    self.assertEqual(len(parsed_events), 14)

    # First line of the file carries a UTF-8 byte order mark. Only the
    # timestamp is checked, so BOM removal is verified indirectly: a BOM
    # left in the date field would presumably break the timestamp parse
    # rather than produce this exact value -- TODO confirm.
    # 1380292946000000 == 2013-09-27 14:42:26 UTC in microseconds.
    first_event = parsed_events[0]
    self.assertEqual(first_event.timestamp, 1380292946000000)

    # Entry under test, as quoted in the original comment:
    #   9/27/2013 2:42:26 PM  Blocked by Access Protection rule
    #   SOMEDOMAIN\someUser  C:\Windows\System32\procexp64.exe
    #   C:\Program Files (x86)\McAfee\Common Framework\UdaterUI.exe
    #   Common Standard Protection:Prevent termination of McAfee processes
    #   Action blocked : Terminate
    # NOTE(review): the quoted time (2:42:26 PM) and trigger (UdaterUI.exe)
    # differ from what is asserted below (14:42:39, FrameworkService.exe);
    # the comment appears stale -- confirm against the test file.
    # 1380292959000000 == 2013-09-27 14:42:39 UTC in microseconds.
    second_event = parsed_events[1]
    self.assertEqual(second_event.timestamp, 1380292959000000)
    self.assertEqual(second_event.username, u'SOMEDOMAIN\\someUser')
    self.assertEqual(
        second_event.full_path, u'C:\\Windows\\System32\\procexp64.exe')

    long_message = (
        u'File Name: C:\\Windows\\System32\\procexp64.exe '
        u'User: SOMEDOMAIN\\someUser '
        u'C:\\Program Files (x86)\\McAfee\\Common Framework\\Frame'
        u'workService.exe '
        u'Blocked by Access Protection rule '
        u'Common Standard Protection:Prevent termination of McAfee processes '
        u'Action blocked : Terminate')
    short_message = (
        u'C:\\Windows\\System32\\procexp64.exe '
        u'Action blocked : Terminate')
    self._TestGetMessageStrings(second_event, long_message, short_message)
def setUp(self):
    """Creates the parser instance shared by the tests in this class."""
    access_protection_parser = mcafeeav.McafeeAccessProtectionParser()
    self._parser = access_protection_parser
def setUp(self):
    """Creates the parser instance shared by the tests in this class.

    The parser is constructed with a fresh preprocess object, as this
    parser version requires one at construction time.
    """
    preprocess_object = event.PreprocessObject()
    access_protection_parser = mcafeeav.McafeeAccessProtectionParser(
        preprocess_object)
    self._parser = access_protection_parser
def setUp(self):
    """Creates the parser instance used by each individual test."""
    access_protection_parser = mcafeeav.McafeeAccessProtectionParser()
    self._parser = access_protection_parser