def _CreateTaskStore(self, session, redis_client): """Creates a task store for testing. Args: session (Session): session the task store is part of. redis_client (Redis): Redis client to query. If specified, no new client will be created. Returns: Task: the the task for the store that was created. """ task = tasks.Task(session_identifier=session.identifier) task_store = redis_writer.RedisStorageWriter( session, storage_type=definitions.STORAGE_TYPE_TASK, task=task) task_store.Open(redis_client=redis_client) for event, event_data in containers_test_lib.CreateEventsFromValues( self._TEST_EVENTS): task_store.AddEventData(event_data) event.SetEventDataIdentifier(event_data.GetIdentifier()) task_store.AddEvent(event) task_store.Close() return task
def testGetSerializedAttributeContainers(self): """Tests the GetSerializedAttributeContainers method.""" redis_client = self._CreateRedisClient() session = sessions.Session() task = tasks.Task(session_identifier=session.identifier) test_store = redis_store.RedisStore( storage_type=definitions.STORAGE_TYPE_TASK) test_store.Open(redis_client=redis_client, session_identifier=task.session_identifier, task_identifier=task.identifier) try: for _, event_data, _ in containers_test_lib.CreateEventsFromValues( self._TEST_EVENTS): test_store.AddAttributeContainer(event_data) cursor, serialized_containers = ( test_store.GetSerializedAttributeContainers( 'event_data', 0, 0)) self.assertEqual(len(serialized_containers), 4) for serialized_container in serialized_containers: self.assertIsInstance(serialized_container, bytes) self.assertIsInstance(cursor, int) finally: test_store.Close() self._RemoveSessionData(redis_client, session.identifier)
def _CreateTaskStorageFile(self, session, path, event_values_list): """Creates a task storage file for testing. Args: session (Session): session the task storage is part of. path (str): path to the task storage file that should be merged. event_values_list (list[dict[str, str]]): list of event values. """ task = tasks.Task(session_identifier=session.identifier) storage_file = writer.SQLiteStorageFileWriter( session, path, storage_type=definitions.STORAGE_TYPE_TASK, task=task) storage_file.Open() for event, event_data in containers_test_lib.CreateEventsFromValues( event_values_list): storage_file.AddEventData(event_data) event.SetEventDataIdentifier(event_data.GetIdentifier()) storage_file.AddEvent(event) storage_file.Close()
def testGetEventTags(self): """Tests the GetEventTags function.""" with shared_test_lib.TempDirectory() as temp_directory: temp_file = os.path.join(temp_directory, 'plaso.sqlite') storage_file = sqlite_file.SQLiteStorageFile() storage_file.Open(path=temp_file, read_only=False) test_events = [] for event, event_data in containers_test_lib.CreateEventsFromValues( self._TEST_EVENTS): storage_file.AddEventData(event_data) event.SetEventDataIdentifier(event_data.GetIdentifier()) storage_file.AddEvent(event) test_events.append(event) test_event_tags = self._CreateTestEventTags(test_events) for event_tag in test_event_tags: storage_file.AddEventTag(event_tag) storage_file.Close() storage_file = sqlite_file.SQLiteStorageFile() storage_file.Open(path=temp_file) test_event_tags = list(storage_file.GetEventTags()) self.assertEqual(len(test_event_tags), 4) storage_file.Close()
def testAddEventTag(self): """Tests the AddEventTag function.""" session = sessions.Session() storage_writer = fake_writer.FakeStorageWriter(session) storage_writer.Open() test_events = [] for event, event_data, event_data_stream in ( containers_test_lib.CreateEventsFromValues(self._TEST_EVENTS)): storage_writer.AddEventDataStream(event_data_stream) event_data.SetEventDataStreamIdentifier( event_data_stream.GetIdentifier()) storage_writer.AddEventData(event_data) event.SetEventDataIdentifier(event_data.GetIdentifier()) storage_writer.AddEvent(event) test_events.append(event) event_tag = None test_event_tags = self._CreateTestEventTags(test_events) for event_tag in test_event_tags: storage_writer.AddEventTag(event_tag) storage_writer.Close() # Test writing an event tag twice. with self.assertRaises(IOError): storage_writer.AddEventTag(event_tag)
def testGetSortedEvents(self): """Tests the GetSortedEvents function.""" with shared_test_lib.TempDirectory() as temp_directory: test_path = os.path.join(temp_directory, 'plaso.sqlite') test_store = sqlite_file.SQLiteStorageFile() test_store.Open(path=test_path, read_only=False) for event, event_data, event_data_stream in ( containers_test_lib.CreateEventsFromValues( self._TEST_EVENTS)): test_store.AddAttributeContainer(event_data_stream) event_data.SetEventDataStreamIdentifier( event_data_stream.GetIdentifier()) test_store.AddAttributeContainer(event_data) event.SetEventDataIdentifier(event_data.GetIdentifier()) test_store.AddAttributeContainer(event) test_store.Close() test_store = sqlite_file.SQLiteStorageFile() test_store.Open(path=test_path) test_events = list(test_store.GetSortedEvents()) self.assertEqual(len(test_events), 4) test_store.Close()
def testMessageStrings(self): """Tests the GetMessageStrings and GetSourceStrings functions.""" formatter_mediator = mediator.FormatterMediator() message_strings = [] text_message = None text_message_short = None manager.FormattersManager.RegisterFormatter(test_lib.TestEventFormatter) try: for event, event_data, _ in containers_test_lib.CreateEventsFromValues( self._TEST_EVENTS): message, message_short = manager.FormattersManager.GetMessageStrings( formatter_mediator, event_data) source_short, source_long = manager.FormattersManager.GetSourceStrings( event, event_data) text_message = message text_message_short = message_short csv_message_strings = '{0:d},{1:s},{2:s},{3:s}'.format( event.timestamp, source_short, source_long, message) message_strings.append(csv_message_strings) finally: manager.FormattersManager.DeregisterFormatter(test_lib.TestEventFormatter) self.assertIn(( '1334961526929596,REG,Registry Key,[MY AutoRun key] ' 'Value: c:/Temp/evil.exe'), message_strings) self.assertIn(( '1334966206929596,REG,Registry Key,' '[HKEY_CURRENT_USER\\Secret\\EvilEmpire\\Malicious_key] ' 'Value: send all the exes to the other world'), message_strings) self.assertIn(( '1334940286000000,REG,Registry Key,' '[HKEY_CURRENT_USER\\Windows\\Normal] ' 'Value: run all the benign stuff'), message_strings) self.assertIn(( '1335781787929596,FILE,Test log file,This log line reads ' 'ohh so much.'), message_strings) self.assertIn(( '1335781787929596,FILE,Test log file,Nothing of interest ' 'here, move on.'), message_strings) self.assertIn(( '1335791207939596,FILE,Test log file,Mr. Evil just logged ' 'into the machine and got root.'), message_strings) expected_text_message = ( 'This is a line by someone not reading the log line properly. And ' 'since this log line exceeds the accepted 80 chars it will be ' 'shortened.') self.assertEqual(text_message, expected_text_message) expected_text_message_short = ( 'This is a line by someone not reading the log line properly. ' 'And since this l...') self.assertEqual(text_message_short, expected_text_message_short)
def testGetSortedEvents(self): """Tests the GetSortedEvents method.""" redis_client = self._CreateRedisClient() session = sessions.Session() task = tasks.Task(session_identifier=session.identifier) test_store = redis_store.RedisStore( storage_type=definitions.STORAGE_TYPE_TASK) test_store.Open(redis_client=redis_client, session_identifier=task.session_identifier, task_identifier=task.identifier) try: for event, _, _ in containers_test_lib.CreateEventsFromValues( self._TEST_EVENTS): test_store.AddAttributeContainer(event) retrieved_events = list(test_store.GetSortedEvents()) self.assertEqual(len(retrieved_events), 4) finally: test_store.Close() self._RemoveSessionData(redis_client, session.identifier)
def testGetAttributeContainerByIdentifier(self): """Tests the _GetAttributeContainerByIdentifier method.""" test_events = [] for test_event, _, _ in containers_test_lib.CreateEventsFromValues( self._TEST_EVENTS): test_events.append(test_event) test_event_tags = self._CreateTestEventTags(test_events) test_event_tag = test_event_tags[0] store = redis_store.RedisStore() redis_client = self._GetRedisClient() store.Open(redis_client=redis_client) store.AddEventTag(test_event_tag) identifier = test_event_tag.GetIdentifier() retrieved_event_tag = store._GetAttributeContainerByIdentifier( test_event_tag.CONTAINER_TYPE, identifier) test_event_tag_dict = test_event_tag.CopyToDict() retrieved_event_tag_dict = retrieved_event_tag.CopyToDict() self.assertEqual(test_event_tag_dict, retrieved_event_tag_dict) store.Close()
def _CreateTestStorageFileWithTags(self, path): """Creates a storage file with event tags for testing. Args: path (str): path of the storage file. """ storage_file = sqlite_file.SQLiteStorageFile() storage_file.Open(path=path, read_only=False) test_events = [] for event, event_data, event_data_stream in ( containers_test_lib.CreateEventsFromValues(self._TEST_EVENTS)): storage_file.AddAttributeContainer(event_data_stream) event_data.SetEventDataStreamIdentifier( event_data_stream.GetIdentifier()) storage_file.AddAttributeContainer(event_data) event.SetEventDataIdentifier(event_data.GetIdentifier()) storage_file.AddAttributeContainer(event) test_events.append(event) test_event_tags = self._CreateTestEventTags(test_events) for event_tag in test_event_tags[:-1]: storage_file.AddAttributeContainer(event_tag) for event_tag in test_event_tags[-1:]: storage_file.AddAttributeContainer(event_tag) storage_file.Close()
def testGetSortedEvents(self): """Tests the GetSortedEvents method.""" store = redis_store.RedisStore() redis_client = self._GetRedisClient() store.Open(redis_client=redis_client) for event, _, _ in containers_test_lib.CreateEventsFromValues( self._TEST_EVENTS): store.AddEvent(event) retrieved_events = list(store.GetSortedEvents()) self.assertEqual(len(retrieved_events), 4) store.Close()
def testGetEventTagByEventIdentifier(self): """Tests the GetEventTagByEventIdentifier function.""" with shared_test_lib.TempDirectory() as temp_directory: test_path = os.path.join(temp_directory, 'plaso.sqlite') test_store = sqlite_file.SQLiteStorageFile() test_store.Open(path=test_path, read_only=False) index = 0 for event, event_data, event_data_stream in ( containers_test_lib.CreateEventsFromValues( self._TEST_EVENTS)): test_store.AddAttributeContainer(event_data_stream) event_data.SetEventDataStreamIdentifier( event_data_stream.GetIdentifier()) test_store.AddAttributeContainer(event_data) event.SetEventDataIdentifier(event_data.GetIdentifier()) test_store.AddAttributeContainer(event) if index == 1: event_tag = events.EventTag() event_tag.AddLabels(['Malware', 'Benign']) event_identifier = event.GetIdentifier() event_tag.SetEventIdentifier(event_identifier) test_store.AddAttributeContainer(event_tag) index += 1 test_store.Close() test_store = sqlite_file.SQLiteStorageFile() test_store.Open(path=test_path) test_event = test_store.GetAttributeContainerByIndex( events.EventObject.CONTAINER_TYPE, 1) self.assertIsNotNone(test_event) test_event_identifier = test_event.GetIdentifier() self.assertIsNotNone(test_event_identifier) test_event_tag = test_store.GetEventTagByEventIdentifier( test_event_identifier) self.assertIsNotNone(test_event_tag) self.assertEqual(test_event_tag.labels, ['Malware', 'Benign']) test_store.Close()
def testAddEvent(self): """Tests the AddEvent function.""" with shared_test_lib.TempDirectory() as temp_directory: temp_file = os.path.join(temp_directory, 'plaso.sqlite') storage_file = sqlite_file.SQLiteStorageFile() storage_file.Open(path=temp_file, read_only=False) for event, event_data in containers_test_lib.CreateEventsFromValues( self._TEST_EVENTS): storage_file.AddEventData(event_data) event.SetEventDataIdentifier(event_data.GetIdentifier()) storage_file.AddEvent(event) storage_file.Close()
def testGetAttributeContainers(self): """Tests the _GetAttributeContainers method.""" store = redis_store.RedisStore() redis_client = self._GetRedisClient() store.Open(redis_client=redis_client) for _, event_data, _ in containers_test_lib.CreateEventsFromValues( self._TEST_EVENTS): store.AddEventData(event_data) retrieved_event_datas = list( store._GetAttributeContainers(store._CONTAINER_TYPE_EVENT_DATA)) self.assertEqual(len(retrieved_event_datas), 4) store.Close()
def testGetSortedEvents(self): """Tests the GetSortedEvents method.""" redis_client = self._CreateRedisClient() test_store = redis_store.RedisStore( storage_type=definitions.STORAGE_TYPE_TASK) test_store.Open(redis_client=redis_client) for event, _, _ in containers_test_lib.CreateEventsFromValues( self._TEST_EVENTS): test_store.AddAttributeContainer(event) retrieved_events = list(test_store.GetSortedEvents()) self.assertEqual(len(retrieved_events), 4) test_store.Close()
def _AnalyzeEvents(self, event_values_list, plugin, knowledge_base_values=None): """Analyzes events using the analysis plugin. Args: event_values_list (list[dict[str, object]]): list of event values. plugin (AnalysisPlugin): plugin. knowledge_base_values (Optional[dict[str, str]]): knowledge base values. Returns: FakeStorageWriter: storage writer. """ knowledge_base_object = self._SetUpKnowledgeBase( knowledge_base_values=knowledge_base_values) session = sessions.Session() storage_writer = fake_writer.FakeStorageWriter() storage_writer.Open() test_events = [] for event, event_data, event_data_stream in ( containers_test_lib.CreateEventsFromValues(event_values_list)): storage_writer.AddAttributeContainer(event_data_stream) event_data.SetEventDataStreamIdentifier( event_data_stream.GetIdentifier()) storage_writer.AddAttributeContainer(event_data) event.SetEventDataIdentifier(event_data.GetIdentifier()) storage_writer.AddAttributeContainer(event) test_events.append((event, event_data, event_data_stream)) mediator = analysis_mediator.AnalysisMediator(session, knowledge_base_object) mediator.SetStorageWriter(storage_writer) for event, event_data, event_data_stream in test_events: plugin.ExamineEvent(mediator, event, event_data, event_data_stream) analysis_report = plugin.CompileReport(mediator) storage_writer.AddAttributeContainer(analysis_report) return storage_writer
def testGetAttributeContainers(self): """Tests the GetAttributeContainers method.""" redis_client = self._CreateRedisClient() test_store = redis_store.RedisStore( storage_type=definitions.STORAGE_TYPE_TASK) test_store.Open(redis_client=redis_client) for _, event_data, _ in containers_test_lib.CreateEventsFromValues( self._TEST_EVENTS): test_store.AddAttributeContainer(event_data) containers = list( test_store.GetAttributeContainers( test_store._CONTAINER_TYPE_EVENT_DATA)) self.assertEqual(len(containers), 4) test_store.Close()
def testGetSortedEvents(self): """Tests the GetSortedEvents function.""" session = sessions.Session() storage_writer = fake_writer.FakeStorageWriter(session) storage_writer.Open() for event, event_data in containers_test_lib.CreateEventsFromValues( self._TEST_EVENTS): storage_writer.AddEventData(event_data) event.SetEventDataIdentifier(event_data.GetIdentifier()) storage_writer.AddEvent(event) test_events = list(storage_writer.GetSortedEvents()) self.assertEqual(len(test_events), 4) storage_writer.Close()
def testGetSerializedAttributeContainers(self): """Tests the GetSerializedAttributeContainers method.""" store = redis_store.RedisStore() redis_client = self._GetRedisClient() store.Open(redis_client=redis_client) for _, event_data, _ in containers_test_lib.CreateEventsFromValues( self._TEST_EVENTS): store.AddEventData(event_data) cursor, serialized_containers = store.GetSerializedAttributeContainers( 'event_data', 0, 0) self.assertEqual(len(serialized_containers), 4) for serialized_container in serialized_containers: self.assertIsInstance(serialized_container, bytes) self.assertIsInstance(cursor, int) store.Close()
def testGetEventTagByEventIdentifier(self): """Tests the GetEventTagByEventIdentifier function.""" test_store = fake_store.FakeStore() test_store.Open() index = 0 for event, event_data, event_data_stream in ( containers_test_lib.CreateEventsFromValues(self._TEST_EVENTS)): test_store.AddAttributeContainer(event_data_stream) event_data.SetEventDataStreamIdentifier( event_data_stream.GetIdentifier()) test_store.AddAttributeContainer(event_data) event.SetEventDataIdentifier(event_data.GetIdentifier()) test_store.AddAttributeContainer(event) if index == 1: event_tag = events.EventTag() event_tag.AddLabels(['Malware', 'Benign']) event_identifier = event.GetIdentifier() event_tag.SetEventIdentifier(event_identifier) test_store.AddAttributeContainer(event_tag) index += 1 # Do not close and reopen the fake store. test_event = test_store.GetAttributeContainerByIndex( events.EventObject.CONTAINER_TYPE, 1) self.assertIsNotNone(test_event) test_event_identifier = test_event.GetIdentifier() self.assertIsNotNone(test_event_identifier) test_event_tag = test_store.GetEventTagByEventIdentifier( test_event_identifier) self.assertIsNotNone(test_event_tag) self.assertEqual(test_event_tag.labels, ['Malware', 'Benign']) test_store.Close()
def testGetSortedEvents(self): """Tests the GetSortedEvents function.""" storage_writer = fake_writer.FakeStorageWriter() storage_writer.Open() for event, event_data, event_data_stream in ( containers_test_lib.CreateEventsFromValues(self._TEST_EVENTS)): storage_writer.AddAttributeContainer(event_data_stream) event_data.SetEventDataStreamIdentifier(event_data_stream.GetIdentifier()) storage_writer.AddAttributeContainer(event_data) event.SetEventDataIdentifier(event_data.GetIdentifier()) storage_writer.AddAttributeContainer(event) test_events = list(storage_writer.GetSortedEvents()) self.assertEqual(len(test_events), 4) storage_writer.Close()
def testPopEvents(self): """Tests the PopEvents function.""" event_heap = psort.PsortEventHeap() self.assertEqual(len(event_heap._heap), 0) test_events = list(event_heap.PopEvents()) self.assertEqual(len(test_events), 0) for event, event_data, event_data_stream in ( containers_test_lib.CreateEventsFromValues(self._TEST_EVENTS)): event_heap.PushEvent(event, event_data, event_data_stream) self.assertEqual(len(event_heap._heap), 2) test_events = list(event_heap.PopEvents()) self.assertEqual(len(test_events), 2) self.assertEqual(len(event_heap._heap), 0)
def testPopEvents(self): """Tests the PopEvents function.""" event_heap = event_heaps.EventHeap() self.assertEqual(len(event_heap._heap), 0) test_events = list(event_heap.PopEvents()) self.assertEqual(len(test_events), 0) for event, _ in containers_test_lib.CreateEventsFromValues( self._TEST_EVENTS): event_heap.PushEvent(event) self.assertEqual(len(event_heap._heap), 2) test_events = list(event_heap.PopEvents()) self.assertEqual(len(test_events), 2) self.assertEqual(len(event_heap._heap), 0)
def testPopEvent(self): """Tests the PopEvent function.""" event_heap = output_engine.PsortEventHeap() self.assertEqual(len(event_heap._heap), 0) test_event = event_heap.PopEvent() self.assertIsNone(test_event) for event, event_data, event_data_stream in ( containers_test_lib.CreateEventsFromValues(self._TEST_EVENTS)): event_heap.PushEvent(event, event_data, event_data_stream) self.assertEqual(len(event_heap._heap), 2) test_event = event_heap.PopEvent() self.assertIsNotNone(test_event) self.assertEqual(len(event_heap._heap), 1)
def testGetEventTagByEventIdentifier(self): """Tests the GetEventTagByEventIdentifier function.""" redis_client = self._CreateRedisClient() test_store = redis_store.RedisStore( storage_type=definitions.STORAGE_TYPE_TASK) test_store.Open(redis_client=redis_client) index = 0 for event, event_data, event_data_stream in ( containers_test_lib.CreateEventsFromValues(self._TEST_EVENTS)): test_store.AddAttributeContainer(event_data_stream) event_data.SetEventDataStreamIdentifier( event_data_stream.GetIdentifier()) test_store.AddAttributeContainer(event_data) event.SetEventDataIdentifier(event_data.GetIdentifier()) test_store.AddAttributeContainer(event) if index == 1: event_tag = events.EventTag() event_tag.AddLabels(['Malware', 'Benign']) event_identifier = event.GetIdentifier() event_tag.SetEventIdentifier(event_identifier) test_store.AddAttributeContainer(event_tag) index += 1 test_store.Close() test_store = redis_store.RedisStore( storage_type=definitions.STORAGE_TYPE_TASK) test_store.Open(redis_client=redis_client) test_event = test_store.GetAttributeContainerByIndex( events.EventObject.CONTAINER_TYPE, 1) # Note that this method is not implemented. self.assertIsNone(test_event) test_store.Close()
def testAddEvent(self): """Tests the AddEvent function.""" session = sessions.Session() storage_writer = fake_writer.FakeStorageWriter(session) storage_writer.Open() event = None for event, event_data in containers_test_lib.CreateEventsFromValues( self._TEST_EVENTS): storage_writer.AddEventData(event_data) event.SetEventDataIdentifier(event_data.GetIdentifier()) storage_writer.AddEvent(event) storage_writer.Close() # Test writing an event twice. with self.assertRaises(IOError): storage_writer.AddEvent(event)
def _CreateTestStorageFile(self, path): """Creates a storage file for testing. Args: path (str): path. """ storage_file = storage_factory.StorageFactory.CreateStorageFile( definitions.DEFAULT_STORAGE_FORMAT) storage_file.Open(path=path, read_only=False) # TODO: add preprocessing information. for event, event_data in containers_test_lib.CreateEventsFromValues( self._TEST_EVENTS): storage_file.AddEventData(event_data) event.SetEventDataIdentifier(event_data.GetIdentifier()) storage_file.AddEvent(event) storage_file.Close()
def testGetSerializedAttributeContainers(self): """Tests the GetSerializedAttributeContainers method.""" redis_client = self._CreateRedisClient() test_store = redis_store.RedisStore( storage_type=definitions.STORAGE_TYPE_TASK) test_store.Open(redis_client=redis_client) for _, event_data, _ in containers_test_lib.CreateEventsFromValues( self._TEST_EVENTS): test_store.AddAttributeContainer(event_data) cursor, serialized_containers = test_store.GetSerializedAttributeContainers( 'event_data', 0, 0) self.assertEqual(len(serialized_containers), 4) for serialized_container in serialized_containers: self.assertIsInstance(serialized_container, bytes) self.assertIsInstance(cursor, int) test_store.Close()
def testPopEvent(self): """Tests the PopEvent function.""" event_heap = event_heaps.EventHeap() self.assertEqual(len(event_heap._heap), 0) test_event = event_heap.PopEvent() self.assertIsNone(test_event) event_index = 0 for event, _ in containers_test_lib.CreateEventsFromValues( self._TEST_EVENTS): event_heap.PushEvent(event, event_index) event_index += 1 self.assertEqual(len(event_heap._heap), 2) test_event = event_heap.PopEvent() self.assertIsNotNone(test_event) self.assertEqual(len(event_heap._heap), 1)
def testGetSortedEvents(self): """Tests the GetSortedEvents function.""" test_store = fake_store.FakeStore() test_store.Open() try: for event, event_data, event_data_stream in ( containers_test_lib.CreateEventsFromValues( self._TEST_EVENTS)): test_store.AddAttributeContainer(event_data_stream) event_data.SetEventDataStreamIdentifier( event_data_stream.GetIdentifier()) test_store.AddAttributeContainer(event_data) event.SetEventDataIdentifier(event_data.GetIdentifier()) test_store.AddAttributeContainer(event) test_events = list(test_store.GetSortedEvents()) self.assertEqual(len(test_events), 4) finally: test_store.Close()