def testWriteEventBody(self): """Tests the WriteEventBody function.""" formatters_manager.FormattersManager.RegisterFormatter( TestEventFormatter) output_mediator = self._CreateOutputMediator() output_writer = cli_test_lib.TestOutputWriter() output_module = dynamic.DynamicOutputModule(output_mediator) output_module.SetFields([ 'date', 'time', 'timezone', 'macb', 'source', 'sourcetype', 'type', 'user', 'host', 'message_short', 'message', 'filename', 'inode', 'notes', 'format', 'extra' ]) output_module.SetOutputWriter(output_writer) output_module.WriteHeader() expected_header = ( 'date,time,timezone,macb,source,sourcetype,type,user,host,' 'message_short,message,filename,inode,notes,format,extra\n') header = output_writer.ReadOutput() self.assertEqual(header, expected_header) event, event_data = containers_test_lib.CreateEventFromValues( self._TEST_EVENTS[0]) output_module.WriteEventBody(event, event_data, None) expected_event_body = ( '2012-06-27,18:17:01,UTC,..C.,LOG,Syslog,Metadata Modification Time,-,' 'ubuntu,Reporter <CRON> PID: 8442 (pam_unix(cron:session): session ' 'closed for user root),Reporter <CRON> PID: 8442 ' '(pam_unix(cron:session): session closed for user root),log/syslog.1' ',-,-,-,-\n') event_body = output_writer.ReadOutput() self.assertEqual(event_body, expected_event_body) output_mediator = self._CreateOutputMediator() output_writer = cli_test_lib.TestOutputWriter() output_module = dynamic.DynamicOutputModule(output_mediator) output_module.SetFields( ['datetime', 'nonsense', 'hostname', 'message']) output_module.SetOutputWriter(output_writer) expected_header = 'datetime,nonsense,hostname,message\n' output_module.WriteHeader() header = output_writer.ReadOutput() self.assertEqual(header, expected_header) expected_event_body = ( '2012-06-27T18:17:01+00:00,-,ubuntu,Reporter <CRON> PID: 8442' ' (pam_unix(cron:session): session closed for user root)\n') event, event_data = containers_test_lib.CreateEventFromValues( self._TEST_EVENTS[0]) output_module.WriteEventBody(event, event_data, None) event_body = output_writer.ReadOutput() self.assertEqual(event_body, expected_event_body) formatters_manager.FormattersManager.DeregisterFormatter( TestEventFormatter)
def testFormatDate(self): """Tests the _FormatDate function.""" output_mediator = self._CreateOutputMediator() formatting_helper = dynamic.DynamicFieldFormattingHelper( output_mediator) # Test with event.date_time event, event_data, event_data_stream = ( containers_test_lib.CreateEventFromValues(self._TEST_EVENTS[0])) date_string = formatting_helper._FormatDate(event, event_data, event_data_stream) self.assertEqual(date_string, '2012-06-27') output_mediator.SetTimeZone('Australia/Sydney') date_string = formatting_helper._FormatDate(event, event_data, event_data_stream) self.assertEqual(date_string, '2012-06-28') output_mediator.SetTimeZone('UTC') event, event_data, event_data_stream = ( containers_test_lib.CreateEventFromValues(self._TEST_EVENTS[1])) event.date_time._time_zone_offset = 600 date_string = formatting_helper._FormatDate(event, event_data, event_data_stream) self.assertEqual(date_string, '2012-06-27') # Test with event.is_local_time event, event_data, event_data_stream = ( containers_test_lib.CreateEventFromValues(self._TEST_EVENTS[0])) event.timestamp += 600 * 60 * 1000000 event.date_time.is_local_time = True date_string = formatting_helper._FormatDate(event, event_data, event_data_stream) self.assertEqual(date_string, '2012-06-28') # Test with event.timestamp event, event_data, event_data_stream = ( containers_test_lib.CreateEventFromValues(self._TEST_EVENTS[0])) event.date_time = None date_string = formatting_helper._FormatDate(event, event_data, event_data_stream) self.assertEqual(date_string, '2012-06-27') event.timestamp = 0 date_string = formatting_helper._FormatDate(event, event_data, event_data_stream) self.assertEqual(date_string, '0000-00-00') event.timestamp = -9223372036854775808 date_string = formatting_helper._FormatDate(event, event_data, event_data_stream) self.assertEqual(date_string, '0000-00-00')
def testFormatTime(self): """Tests the _FormatTime function.""" output_mediator = self._CreateOutputMediator() test_helper = formatting_helper.FieldFormattingHelper(output_mediator) # Test with event.date_time event, event_data, event_data_stream = ( containers_test_lib.CreateEventFromValues(self._TEST_EVENTS[0])) time_string = test_helper._FormatTime(event, event_data, event_data_stream) self.assertEqual(time_string, '18:17:01') output_mediator.SetTimeZone('Europe/Amsterdam') time_string = test_helper._FormatTime(event, event_data, event_data_stream) self.assertEqual(time_string, '20:17:01') output_mediator.SetTimeZone('UTC') event, event_data, event_data_stream = ( containers_test_lib.CreateEventFromValues(self._TEST_EVENTS[1])) event.date_time._time_zone_offset = 120 time_string = test_helper._FormatTime(event, event_data, event_data_stream) self.assertEqual(time_string, '18:17:01') # Test with event.is_local_time event, event_data, event_data_stream = ( containers_test_lib.CreateEventFromValues(self._TEST_EVENTS[0])) event.timestamp -= 120 * 60 * 1000000 event.date_time.is_local_time = True time_string = test_helper._FormatTime(event, event_data, event_data_stream) self.assertEqual(time_string, '16:17:01') # Test with event.timestamp event, event_data, event_data_stream = ( containers_test_lib.CreateEventFromValues(self._TEST_EVENTS[0])) event.date_time = None time_string = test_helper._FormatTime(event, event_data, event_data_stream) self.assertEqual(time_string, '18:17:01') event.timestamp = 0 time_string = test_helper._FormatTime(event, event_data, event_data_stream) self.assertEqual(time_string, '--:--:--') event.timestamp = -9223372036854775808 time_string = test_helper._FormatTime(event, event_data, event_data_stream) self.assertEqual(time_string, '--:--:--')
def testPushEvents(self): """Tests the PushEvents function.""" event_heap = event_heaps.EventHeap() self.assertEqual(len(event_heap._heap), 0) event1, _ = containers_test_lib.CreateEventFromValues( self._TEST_EVENTS[0]) event2, _ = containers_test_lib.CreateEventFromValues( self._TEST_EVENTS[1]) event_heap.PushEvents([event1, event2]) self.assertEqual(len(event_heap._heap), 2)
def testFormatTime(self): """Tests the _FormatTime function.""" output_mediator = self._CreateOutputMediator() test_helper = formatting_helper.FieldFormattingHelper(output_mediator) event, event_data, event_data_stream = ( containers_test_lib.CreateEventFromValues(self._TEST_EVENTS[0])) # Test with event.date_time time_string = test_helper._FormatTime(event, event_data, event_data_stream) self.assertEqual(time_string, '18:17:01') # Test with event.timestamp event.date_time = None time_string = test_helper._FormatTime(event, event_data, event_data_stream) self.assertEqual(time_string, '18:17:01') event.timestamp = 0 time_string = test_helper._FormatTime(event, event_data, event_data_stream) self.assertEqual(time_string, '--:--:--') event.timestamp = -9223372036854775808 time_string = test_helper._FormatTime(event, event_data, event_data_stream) self.assertEqual(time_string, '--:--:--')
def testWriteEventBody(self): """Tests the WriteEventBody function.""" event, event_data, event_data_stream = ( containers_test_lib.CreateEventFromValues(self._TEST_EVENTS[0])) formatters_manager.FormattersManager.RegisterFormatter( formatters_test_lib.TestEventFormatter) try: self._output_module.WriteEventBody(event, event_data, event_data_stream, event_data_stream) finally: formatters_manager.FormattersManager.DeregisterFormatter( formatters_test_lib.TestEventFormatter) expected_event_body = ( '1340821021|FILE|ubuntu|root|2012-06-27T18:17:01+00:00; Unknown Time; ' 'Reporter <CRON> PID: 8442 (pam_unix(cron:session): ' 'session closed for user root)' '|UTC|File: OS: /var/log/syslog.1 inode: 12345678\n') event_body = self._output_writer.ReadOutput() self.assertEqual(event_body, expected_event_body) self.assertEqual(event_body.count('|'), 6)
def testGetMACBRepresentation(self): """Tests the GetMACBRepresentation function.""" event, event_data = containers_test_lib.CreateEventFromValues( self._TEST_EVENTS[0]) macb_representation = self._output_mediator.GetMACBRepresentation( event, event_data) self.assertEqual(macb_representation, '..C.')
def testGetOutputValues(self): """Tests the _GetOutputValues function.""" formatters_manager.FormattersManager.RegisterFormatter( L2TTestEventFormatter) expected_output_values = [ '06/27/2012', '18:17:01', 'UTC', '....', 'LOG', 'Syslog', '-', '-', 'ubuntu', ('Reporter <CRON> PID: 8442 (pam_unix(cron:session): session closed ' 'for user root)'), ('Reporter <CRON> PID: 8442 (pam_unix(cron:session): session closed ' 'for user root)'), '2', 'log/syslog.1', '-', '-', '-', 'a_binary_field: binary; my_number: 123; some_additional_foo: True' ] event, event_data = containers_test_lib.CreateEventFromValues( self._TEST_EVENTS[0]) output_values = self._formatter._GetOutputValues( event, event_data, None) self.assertEqual(len(output_values), 17) self.assertEqual(output_values, expected_output_values) event.timestamp = -9223372036854775808 output_values = self._formatter._GetOutputValues( event, event_data, None) self.assertEqual(len(output_values), 17) expected_output_values[0] = '00/00/0000' expected_output_values[1] = '--:--:--' self.assertEqual(output_values, expected_output_values) formatters_manager.FormattersManager.DeregisterFormatter( L2TTestEventFormatter)
def testWriteEventBody(self): """Tests the WriteEventBody function.""" test_file_object = io.StringIO() output_mediator = self._CreateOutputMediator() formatters_directory_path = self._GetTestFilePath(['formatters']) output_mediator.ReadMessageFormattersFromDirectory( formatters_directory_path) output_module = l2t_csv.L2TCSVOutputModule(output_mediator) output_module._file_object = test_file_object event, event_data, event_data_stream = ( containers_test_lib.CreateEventFromValues(self._TEST_EVENTS[0])) event_tag = events.EventTag() event_tag.AddLabels(['Malware', 'Printed']) output_module.WriteEventBody( event, event_data, event_data_stream, event_tag) expected_event_body = ( '06/27/2012,18:17:01,UTC,M...,FILE,Test log file,Content Modification ' 'Time,-,ubuntu,Reporter <CRON> PID: 8442 (pam_unix(cron:session): ' 'session closed for user root),Reporter <CRON> PID: 8442 ' '(pam_unix(cron:session): session closed for user root),' '2,FAKE:log/syslog.1,-,Malware Printed,test_parser,a_binary_field: ' 'binary; my_number: 123; some_additional_foo: True\n') event_body = test_file_object.getvalue() self.assertEqual(event_body, expected_event_body) # Ensure that the only commas returned are the 16 delimiters. self.assertEqual(event_body.count(','), 16)
def testInsertEvent(self): """Tests the _InsertEvent function.""" event, event_data, event_data_stream = ( containers_test_lib.CreateEventFromValues(self._TEST_EVENTS[0])) output_mediator = self._CreateOutputMediator() formatters_directory_path = self._GetDataFilePath(['formatters']) output_mediator.ReadMessageFormattersFromDirectory( formatters_directory_path) output_module = TestElasticsearchOutputModule(output_mediator) output_module._Connect() output_module._CreateIndexIfNotExists('test', {}) self.assertEqual(len(output_module._event_documents), 0) self.assertEqual(output_module._number_of_buffered_events, 0) output_module._InsertEvent(event, event_data, event_data_stream, None) self.assertEqual(len(output_module._event_documents), 2) self.assertEqual(output_module._number_of_buffered_events, 1) output_module._InsertEvent(event, event_data, event_data_stream, None) self.assertEqual(len(output_module._event_documents), 4) self.assertEqual(output_module._number_of_buffered_events, 2) output_module._FlushEvents() self.assertEqual(len(output_module._event_documents), 0) self.assertEqual(output_module._number_of_buffered_events, 0)
def testInsertEvent(self): """Tests the _InsertEvent function.""" event, event_data = containers_test_lib.CreateEventFromValues( self._TEST_EVENTS[0]) output_mediator = self._CreateOutputMediator() output_module = TestElasticsearchOutputModule(output_mediator) output_module._Connect() output_module._CreateIndexIfNotExists('test', {}) self.assertEqual(len(output_module._event_documents), 0) self.assertEqual(output_module._number_of_buffered_events, 0) output_module._InsertEvent(event, event_data, None) self.assertEqual(len(output_module._event_documents), 2) self.assertEqual(output_module._number_of_buffered_events, 1) output_module._InsertEvent(event, event_data, None) self.assertEqual(len(output_module._event_documents), 4) self.assertEqual(output_module._number_of_buffered_events, 2) output_module._FlushEvents() self.assertEqual(len(output_module._event_documents), 0) self.assertEqual(output_module._number_of_buffered_events, 0)
def testWriteEventBody(self): """Tests the WriteEventBody function.""" test_file_object = io.StringIO() output_mediator = self._CreateOutputMediator() formatters_directory_path = self._GetTestFilePath(['formatters']) output_mediator.ReadMessageFormattersFromDirectory( formatters_directory_path) output_module = tln.L2TTLNOutputModule(output_mediator) output_module._file_object = test_file_object event, event_data, event_data_stream = ( containers_test_lib.CreateEventFromValues(self._TEST_EVENTS[0])) output_module.WriteEventBody( event, event_data, event_data_stream, event_data_stream) expected_event_body = ( '1340821021|FILE|ubuntu|root|2012-06-27T18:17:01.000000+00:00; ' 'Unknown Time; ' 'Reporter <CRON> PID: 8442 (pam_unix(cron:session): ' 'session closed for user root)' '|UTC|File: OS: /var/log/syslog.1 inode: 12345678\n') event_body = test_file_object.getvalue() self.assertEqual(event_body, expected_event_body) self.assertEqual(event_body.count('|'), 6)
def testFormatDate(self): """Tests the _FormatDate function.""" output_mediator = self._CreateOutputMediator() formatting_helper = dynamic.DynamicFieldFormattingHelper( output_mediator) event, event_data, event_data_stream = ( containers_test_lib.CreateEventFromValues(self._TEST_EVENTS[0])) # Test with event.date_time date_string = formatting_helper._FormatDate(event, event_data, event_data_stream) self.assertEqual(date_string, '2012-06-27') # Test with event.timestamp event.date_time = None date_string = formatting_helper._FormatDate(event, event_data, event_data_stream) self.assertEqual(date_string, '2012-06-27') event.timestamp = 0 date_string = formatting_helper._FormatDate(event, event_data, event_data_stream) self.assertEqual(date_string, '0000-00-00') event.timestamp = -9223372036854775808 date_string = formatting_helper._FormatDate(event, event_data, event_data_stream) self.assertEqual(date_string, '0000-00-00')
def testWriteEventBody(self): """Tests the WriteEventBody function.""" formatters_manager.FormattersManager.RegisterFormatter( L2TTestEventFormatter) event, event_data = containers_test_lib.CreateEventFromValues( self._TEST_EVENTS[0]) event_tag = events.EventTag() event_tag.AddLabels(['Malware', 'Printed']) self._formatter.WriteEventBody(event, event_data, event_tag) expected_event_body = ( '06/27/2012,18:17:01,UTC,M...,LOG,Syslog,Content Modification Time,-,' 'ubuntu,Reporter <CRON> PID: 8442 (pam_unix(cron:session): session ' 'closed for user root),Reporter <CRON> PID: 8442 ' '(pam_unix(cron:session): session closed for user root),' '2,log/syslog.1,-,Malware Printed,' '-,a_binary_field: binary; my_number: 123; some_additional_foo: True\n' ) event_body = self._output_writer.ReadOutput() self.assertEqual(event_body, expected_event_body) # Ensure that the only commas returned are the 16 delimiters. self.assertEqual(event_body.count(','), 16) formatters_manager.FormattersManager.DeregisterFormatter( L2TTestEventFormatter)
def testGetUsername(self): """Tests the GetUsername function.""" output_mediator = mediator.OutputMediator(self._knowledge_base, None) _, event_data, _ = containers_test_lib.CreateEventFromValues( self._TEST_EVENTS[0]) username = output_mediator.GetUsername(event_data) self.assertEqual(username, 'root')
def testFormatMACB(self): """Tests the _FormatMACB function.""" output_mediator = self._CreateOutputMediator() test_helper = formatting_helper.FieldFormattingHelper(output_mediator) event, event_data, event_data_stream = ( containers_test_lib.CreateEventFromValues(self._TEST_EVENTS[0])) macb_string = test_helper._FormatMACB(event, event_data, event_data_stream) self.assertEqual(macb_string, '..C.')
def testMatches(self): """Tests the Matches function.""" event, event_data = containers_test_lib.CreateEventFromValues( self._TEST_EVENTS[0]) filter_object = filters.IdentityFilter() result = filter_object.Matches(event, event_data, None) self.assertTrue(result)
def testGetMACBRepresentation(self): """Tests the GetMACBRepresentation function.""" output_mediator = mediator.OutputMediator(self._knowledge_base, None) event, event_data, _ = containers_test_lib.CreateEventFromValues( self._TEST_EVENTS[0]) macb_representation = output_mediator.GetMACBRepresentation( event, event_data) self.assertEqual(macb_representation, '..C.')
def testFormatInode(self): """Tests the _FormatInode function.""" output_mediator = self._CreateOutputMediator() dynamic_fields_helper = dynamic.DynamicFieldsHelper(output_mediator) event, event_data = containers_test_lib.CreateEventFromValues( self._TEST_EVENTS[0]) inode_string = dynamic_fields_helper._FormatInode(event, event_data) self.assertEqual(inode_string, '-')
def testGetSanitizedEventValues(self): """Tests the _GetSanitizedEventValues function.""" output_mediator = self._CreateOutputMediator() formatters_directory_path = self._GetDataFilePath(['formatters']) output_mediator.ReadMessageFormattersFromDirectory( formatters_directory_path) output_module = TestElasticsearchOutputModule(output_mediator) event, event_data, event_data_stream = ( containers_test_lib.CreateEventFromValues(self._TEST_EVENTS[0])) event_tag = events.EventTag() event_tag.AddLabel('Test') event_values = output_module._GetSanitizedEventValues( event, event_data, event_data_stream, event_tag) expected_event_values = { 'a_binary_field': 'binary', 'data_type': 'syslog:line', 'datetime': '2012-06-27T18:17:01.000000Z', 'display_name': 'FAKE:log/syslog.1', 'filename': 'log/syslog.1', 'hostname': 'ubuntu', 'message': '[', 'my_number': 123, 'path_spec': ('{"__type__": "PathSpec", "location": "log/syslog.1", ' '"type_indicator": "FAKE"}'), 'some_additional_foo': True, 'source_long': 'Log File', 'source_short': 'LOG', 'tag': ['Test'], 'text': ('Reporter <CRON> PID: 8442 (pam_unix(cron:session): ' 'session\n closed for user root)'), 'timestamp': 1340821021000000, 'timestamp_desc': 'Content Modification Time', } self.assertIsInstance(event_values, dict) self.assertEqual(event_values, expected_event_values)
def testFormatType(self): """Tests the _FormatType function.""" output_mediator = self._CreateOutputMediator() formatting_helper = l2t_csv.L2TCSVFieldFormattingHelper(output_mediator) event, event_data, event_data_stream = ( containers_test_lib.CreateEventFromValues(self._TEST_EVENTS[0])) type_string = formatting_helper._FormatType( event, event_data, event_data_stream) self.assertEqual(type_string, 'Content Modification Time')
def testFormatFilename(self): """Tests the _FormatFilename function.""" output_mediator = self._CreateOutputMediator() test_helper = formatting_helper.FieldFormattingHelper(output_mediator) event, event_data, event_data_stream = ( containers_test_lib.CreateEventFromValues(self._TEST_EVENTS[0])) filename_string = test_helper._FormatFilename(event, event_data, event_data_stream) self.assertEqual(filename_string, 'log/syslog.1')
def testFormatVersion(self): """Tests the _FormatVersion function.""" output_mediator = self._CreateOutputMediator() formatting_helper = l2t_csv.L2TCSVFieldFormattingHelper(output_mediator) event, event_data, event_data_stream = ( containers_test_lib.CreateEventFromValues(self._TEST_EVENTS[0])) version_string = formatting_helper._FormatVersion( event, event_data, event_data_stream) self.assertEqual(version_string, '2')
def testFormatDateTime(self): """Tests the _FormatDateTime function with dynamic time.""" output_mediator = self._CreateOutputMediator(dynamic_time=True) test_helper = formatting_helper.FieldFormattingHelper(output_mediator) event, event_data, event_data_stream = ( containers_test_lib.CreateEventFromValues(self._TEST_EVENTS[0])) date_time_string = test_helper._FormatDateTime(event, event_data, event_data_stream) self.assertEqual(date_time_string, '2012-06-27T18:17:01.000000+00:00') output_mediator.SetTimeZone('Europe/Amsterdam') date_time_string = test_helper._FormatDateTime(event, event_data, event_data_stream) self.assertEqual(date_time_string, '2012-06-27T20:17:01.000000+02:00') output_mediator.SetTimeZone('UTC') event, event_data, event_data_stream = ( containers_test_lib.CreateEventFromValues(self._TEST_EVENTS[1])) event.date_time._time_zone_offset = 120 date_time_string = test_helper._FormatDateTime(event, event_data, event_data_stream) self.assertEqual(date_time_string, '2012-06-27T18:17:01.000000+00:00') event.date_time = dfdatetime_semantic_time.InvalidTime() date_time_string = test_helper._FormatDateTime(event, event_data, event_data_stream) self.assertEqual(date_time_string, 'Invalid') # Test with event.is_local_time event, event_data, event_data_stream = ( containers_test_lib.CreateEventFromValues(self._TEST_EVENTS[0])) event.timestamp -= 120 * 60 * 1000000 event.date_time.is_local_time = True date_time_string = test_helper._FormatDateTime(event, event_data, event_data_stream) self.assertEqual(date_time_string, '2012-06-27T16:17:01.000000+00:00')
def testGetFormattedField(self): """Tests the GetFormattedField function.""" output_mediator = self._CreateOutputMediator() dynamic_fields_helper = dynamic.DynamicFieldsHelper(output_mediator) event, event_data = containers_test_lib.CreateEventFromValues( self._TEST_EVENTS[0]) zone_string = dynamic_fields_helper.GetFormattedField( event, event_data, None, 'zone') self.assertEqual(zone_string, 'UTC')
def testGetFormattedField(self): """Tests the GetFormattedField function.""" output_mediator = self._CreateOutputMediator() test_helper = TestFieldFormattingHelper(output_mediator) event, event_data, event_data_stream = ( containers_test_lib.CreateEventFromValues(self._TEST_EVENTS[0])) zone_string = test_helper.GetFormattedField('zone', event, event_data, event_data_stream, None) self.assertEqual(zone_string, 'UTC')
def testPushEvent(self): """Tests the PushEvent function.""" test_heap = event_heap.EventHeap() self.assertEqual(len(test_heap._heap), 0) event, _, _ = containers_test_lib.CreateEventFromValues( self._TEST_EVENTS[0]) test_heap.PushEvent(event, 0) self.assertEqual(len(test_heap._heap), 1)
def test_FormatTimestamp(self): """Tests the __FormatTimestamp function.""" output_mediator = self._CreateOutputMediator() formatting_helper = tln.TLNFieldFormattingHelper(output_mediator) event, event_data, event_data_stream = ( containers_test_lib.CreateEventFromValues(self._TEST_EVENTS[0])) timestamp_string = formatting_helper._FormatTimestamp( event, event_data, event_data_stream) self.assertEqual(timestamp_string, '1340821021')
def testPushEvent(self): """Tests the PushEvent function.""" event_heap = psort.PsortEventHeap() self.assertEqual(len(event_heap._heap), 0) event, event_data, event_data_stream = ( containers_test_lib.CreateEventFromValues(self._TEST_EVENTS[0])) event_heap.PushEvent(event, event_data, event_data_stream) self.assertEqual(len(event_heap._heap), 1)
def testParseWithEvents(self): """Tests the Parse function with events.""" event, event_data, _ = containers_test_lib.CreateEventFromValues( self._TEST_EVENTS[0]) event_tag = events.EventTag() event_tag.AddLabel('browser_search') self._CheckIfExpressionMatches('filename contains \'GoodFella\'', event, event_data, None, event_tag, True) # Test timestamp filtering. self._CheckIfExpressionMatches('timestamp >= \'2015-11-18\'', event, event_data, None, event_tag, True) self._CheckIfExpressionMatches('timestamp < \'2015-11-19\'', event, event_data, None, event_tag, True) expression = ('timestamp < \'2015-11-18T01:15:44.341\' and ' 'timestamp > \'2015-11-18 01:15:42\'') self._CheckIfExpressionMatches(expression, event, event_data, None, event_tag, True) self._CheckIfExpressionMatches('timestamp > \'2015-11-19\'', event, event_data, None, event_tag, False) # Perform few attribute tests. self._CheckIfExpressionMatches('filename not contains \'sometext\'', event, event_data, None, event_tag, True) expression = ( 'timestamp_desc CONTAINS \'written\' AND timestamp > \'2015-11-18\' ' 'AND timestamp < \'2015-11-25 12:56:21\'') self._CheckIfExpressionMatches(expression, event, event_data, None, event_tag, True) self._CheckIfExpressionMatches('parser is not \'Made\'', event, event_data, None, event_tag, True) self._CheckIfExpressionMatches('parser is not \'Weirdo\'', event, event_data, None, event_tag, False) self._CheckIfExpressionMatches('tag contains \'browser_search\'', event, event_data, None, event_tag, True) # Test multiple attributes. self._CheckIfExpressionMatches( 'text iregexp \'bad, bad thing [a-zA-Z\\\\s.]+ evil\'', event, event_data, None, event_tag, True)