def test_event_host(self): g = event.EventGenerator() events = g.randomEvents(100) for i in range(15): events[i].host = "FOO" host_is_foo = rulecomponents.event_host(lambda **kwargs: "FOO") self.assert_(len(host_is_foo(query_events=events))==15)
def test_event_host(self):
g = event.EventGenerator()
events = g.randomEvents(100)
for i in range(15):
events[i].host = "FOO"
host_is_foo = rulecomponents.event_host(lambda **kwargs: "FOO")
self.assert_(len(host_is_foo(query_events=events)) == 15)
def test_sequence(self):
cache = TestCache([
event.Event(name="TEST", host="A", creation=1, arrival=1),
event.Event(name="TEST", host="B", creation=2, arrival=1),
event.Event(name="TEST", host="B", creation=3, arrival=1),
event.Event(name="TEST", host="C", creation=2, arrival=2),
event.Event(name="TEST", host="C", creation=3, arrival=2),
])
hosta = rulecomponents.event_host(lambda **kwargs: "A")
hostb = rulecomponents.event_host(lambda **kwargs: "B")
hostc = rulecomponents.event_host(lambda **kwargs: "C")
seq_empty_any = rulecomponents.sequence("creation", "any", [])
seq_empty_all = rulecomponents.sequence("creation", "all", [])
seq_empty_any_arrival = rulecomponents.sequence("arrival", "any", [])
seq_ab_any = rulecomponents.sequence("creation", "any", [hosta, hostb])
seq_ab_all = rulecomponents.sequence("creation", "all", [hosta, hostb])
seq_abc_any = rulecomponents.sequence("creation", "any",
[hosta, hostb, hostc])
seq_abc_all = rulecomponents.sequence("creation", "all",
[hosta, hostb, hostc])
seq_bc_any = rulecomponents.sequence("creation", "any", [hostb, hostc])
seq_bc_all = rulecomponents.sequence("creation", "all", [hostb, hostc])
seq_ab_any_arrival = rulecomponents.sequence("arrival", "any",
[hosta, hostb])
seq_ab_all_arrival = rulecomponents.sequence("arrival", "all",
[hosta, hostb])
seq_bc_any_arrival = rulecomponents.sequence("arrival", "any",
[hostb, hostc])
seq_bc_all_arrival = rulecomponents.sequence("arrival", "all",
[hostb, hostc])
self.assert_(seq_empty_any(query_events=cache.getEvents()) == True)
self.assert_(seq_empty_all(query_events=cache.getEvents()) == True)
self.assert_(seq_empty_any_arrival(query_events=cache) == True)
self.assert_(seq_ab_any(query_events=cache.getEvents()) == True)
self.assert_(seq_ab_all(query_events=cache.getEvents()) == True)
self.assert_(seq_abc_any(query_events=cache.getEvents()) == True)
self.assert_(seq_abc_all(query_events=cache.getEvents()) == False)
self.assert_(seq_bc_any(query_events=cache.getEvents()) == True)
self.assert_(seq_bc_all(query_events=cache.getEvents()) == False)
self.assert_(
seq_ab_any_arrival(query_events=cache.getEvents()) == False)
self.assert_(
seq_ab_all_arrival(query_events=cache.getEvents()) == False)
self.assert_(
seq_bc_any_arrival(query_events=cache.getEvents()) == True)
self.assert_(
seq_bc_all_arrival(query_events=cache.getEvents()) == True)
def test_alphabet(self):
cache = TestCache([
event.Event(name="A", host="A", creation=1, arrival=6),
event.Event(name="B", host="A", creation=2, arrival=5),
event.Event(name="B", host="A", creation=3, arrival=4),
event.Event(name="B", host="C", creation=4, arrival=3),
event.Event(name="C", host="C", creation=5, arrival=2),
event.Event(name="C", host="E", creation=5, arrival=2), # note the timestamps -> sorting must be stable
])
nameA = rulecomponents.event_query([rulecomponents.event_name("A")], None, None)
nameBhostA = rulecomponents.event_query([rulecomponents.event_name("B"), rulecomponents.event_host(lambda **kwargs: "A")], None, None)
nameB = rulecomponents.event_query([rulecomponents.event_name("B")], None, None)
nameChostC = rulecomponents.event_query([rulecomponents.event_name("C"), rulecomponents.event_host(lambda **kwargs: "C")], None, None)
nameC = rulecomponents.event_query([rulecomponents.event_name("C")], None, None)
alphabet = rulecomponents.alphabet(sort_by="creation", symbols=[('f', nameA), ('o', nameBhostA), ('b', nameB), ('a', nameChostC), ('r', nameC)])
alphabet2 = rulecomponents.alphabet(sort_by="arrival", symbols=[('f', nameA), ('o', nameBhostA), ('b', nameB), ('a', nameChostC), ('r', nameC)])
self.assert_(alphabet(cache=cache)=="foobar")
self.assert_(alphabet2(cache=cache)=="arboof") # not raboof, because the sorting of the two events with the same timestamp is not changed (see above)
def test_complement(self): g = event.EventGenerator() events = g.randomEvents(100) cache = TestCache(events) for i in range(15): events[i].host = "FOO" host_is_foo = rulecomponents.event_host(lambda **kwargs: "FOO") complement = rulecomponents.complement(host_is_foo) self.assert_(len(complement(cache=cache, query_events=events))==85) self.assert_(sorted(complement(cache=cache, query_events=events))==sorted(events[15:100]))
def test_alphabet(self):
cache = TestCache([
event.Event(name="A", host="A", creation=1, arrival=6),
event.Event(name="B", host="A", creation=2, arrival=5),
event.Event(name="B", host="A", creation=3, arrival=4),
event.Event(name="B", host="C", creation=4, arrival=3),
event.Event(name="C", host="C", creation=5, arrival=2),
event.Event(
name="C", host="E", creation=5,
arrival=2), # note the timestamps -> sorting must be stable
])
nameA = rulecomponents.event_query([rulecomponents.event_name("A")],
None, None)
nameBhostA = rulecomponents.event_query([
rulecomponents.event_name("B"),
rulecomponents.event_host(lambda **kwargs: "A")
], None, None)
nameB = rulecomponents.event_query([rulecomponents.event_name("B")],
None, None)
nameChostC = rulecomponents.event_query([
rulecomponents.event_name("C"),
rulecomponents.event_host(lambda **kwargs: "C")
], None, None)
nameC = rulecomponents.event_query([rulecomponents.event_name("C")],
None, None)
alphabet = rulecomponents.alphabet(sort_by="creation",
symbols=[('f', nameA),
('o', nameBhostA),
('b', nameB),
('a', nameChostC),
('r', nameC)])
alphabet2 = rulecomponents.alphabet(sort_by="arrival",
symbols=[('f', nameA),
('o', nameBhostA),
('b', nameB),
('a', nameChostC),
('r', nameC)])
self.assert_(alphabet(cache=cache) == "foobar")
self.assert_(
alphabet2(cache=cache) == "arboof"
) # not raboof, because the sorting of the two events with the same timestamp is not changed (see above)
def test_match_query(self):
g = event.EventGenerator()
events = g.randomEvents(100)
events[42].host = "FOO"
cache = TestCache(events)
query = rulecomponents.event_query([rulecomponents.event_host(lambda **kwargs: "FOO")], None, "creation")
queries = {"foo": {"bar": [query]}}
rulemanager = TestRuleManager(queries = queries)
match_query = rulecomponents.match_query("foo", "bar")
evts = match_query(cache=cache, query_events=[], rulemanager=rulemanager)
self.assert_(len(evts)==1)
self.assert_(evts[0]==events[42])
def test_complement(self):
g = event.EventGenerator()
events = g.randomEvents(100)
cache = TestCache(events)
for i in range(15):
events[i].host = "FOO"
host_is_foo = rulecomponents.event_host(lambda **kwargs: "FOO")
complement = rulecomponents.complement(host_is_foo)
self.assert_(len(complement(cache=cache, query_events=events)) == 85)
self.assert_(
sorted(complement(cache=cache, query_events=events)) == sorted(
events[15:100]))
def test_trigger_match(self):
g = event.EventGenerator()
e = g.randomEvent()
e.host = "FOO"
e.name = "BAR"
host_is_foo = rulecomponents.event_host(lambda **kwargs: "FOO")
name_is_bar = rulecomponents.event_name("BAR")
both = rulecomponents.trigger_match([host_is_foo, name_is_bar])
none = rulecomponents.trigger_match([])
self.assert_(both(trigger=e)==True)
self.assert_(none(trigger=e)==True)
e.name = "FOO"
self.assert_(both(trigger=e)==False)
def test_trigger_match(self):
g = event.EventGenerator()
e = g.randomEvent()
e.host = "FOO"
e.name = "BAR"
host_is_foo = rulecomponents.event_host(lambda **kwargs: "FOO")
name_is_bar = rulecomponents.event_name("BAR")
both = rulecomponents.trigger_match([host_is_foo, name_is_bar])
none = rulecomponents.trigger_match([])
self.assert_(both(trigger=e) == True)
self.assert_(none(trigger=e) == True)
e.name = "FOO"
self.assert_(both(trigger=e) == False)
def test_union(self):
g = event.EventGenerator()
events = g.randomEvents(100)
for i in range(15):
events[i].host = "FOO"
for i in range(5,20):
events[i].name = "BAR"
host_is_foo = rulecomponents.event_host(lambda **kwargs: "FOO")
name_is_bar = rulecomponents.event_name("BAR")
both = rulecomponents.union([host_is_foo, name_is_bar])
all = rulecomponents.union([])
self.assert_(len(both(query_events=events))==20)
self.assert_(sorted(both(query_events=events))==sorted(events[0:20]))
self.assert_(len(all(query_events=events))==100)
def test_union(self):
g = event.EventGenerator()
events = g.randomEvents(100)
for i in range(15):
events[i].host = "FOO"
for i in range(5, 20):
events[i].name = "BAR"
host_is_foo = rulecomponents.event_host(lambda **kwargs: "FOO")
name_is_bar = rulecomponents.event_name("BAR")
both = rulecomponents.union([host_is_foo, name_is_bar])
all = rulecomponents.union([])
self.assert_(len(both(query_events=events)) == 20)
self.assert_(sorted(both(query_events=events)) == sorted(events[0:20]))
self.assert_(len(all(query_events=events)) == 100)
def test_sequence(self):
cache = TestCache([
event.Event(name="TEST", host="A", creation=1, arrival=1),
event.Event(name="TEST", host="B", creation=2, arrival=1),
event.Event(name="TEST", host="B", creation=3, arrival=1),
event.Event(name="TEST", host="C", creation=2, arrival=2),
event.Event(name="TEST", host="C", creation=3, arrival=2),
])
hosta = rulecomponents.event_host(lambda **kwargs: "A")
hostb = rulecomponents.event_host(lambda **kwargs: "B")
hostc = rulecomponents.event_host(lambda **kwargs: "C")
seq_empty_any = rulecomponents.sequence("creation", "any", [])
seq_empty_all = rulecomponents.sequence("creation", "all", [])
seq_empty_any_arrival = rulecomponents.sequence("arrival", "any", [])
seq_ab_any = rulecomponents.sequence("creation", "any", [hosta, hostb])
seq_ab_all = rulecomponents.sequence("creation", "all", [hosta, hostb])
seq_abc_any = rulecomponents.sequence("creation", "any", [hosta, hostb, hostc])
seq_abc_all = rulecomponents.sequence("creation", "all", [hosta, hostb, hostc])
seq_bc_any = rulecomponents.sequence("creation", "any", [hostb, hostc])
seq_bc_all = rulecomponents.sequence("creation", "all", [hostb, hostc])
seq_ab_any_arrival = rulecomponents.sequence("arrival", "any", [hosta, hostb])
seq_ab_all_arrival = rulecomponents.sequence("arrival", "all", [hosta, hostb])
seq_bc_any_arrival = rulecomponents.sequence("arrival", "any", [hostb, hostc])
seq_bc_all_arrival = rulecomponents.sequence("arrival", "all", [hostb, hostc])
self.assert_(seq_empty_any(query_events=cache.getEvents())==True)
self.assert_(seq_empty_all(query_events=cache.getEvents())==True)
self.assert_(seq_empty_any_arrival(query_events=cache)==True)
self.assert_(seq_ab_any(query_events=cache.getEvents())==True)
self.assert_(seq_ab_all(query_events=cache.getEvents())==True)
self.assert_(seq_abc_any(query_events=cache.getEvents())==True)
self.assert_(seq_abc_all(query_events=cache.getEvents())==False)
self.assert_(seq_bc_any(query_events=cache.getEvents())==True)
self.assert_(seq_bc_all(query_events=cache.getEvents())==False)
self.assert_(seq_ab_any_arrival(query_events=cache.getEvents())==False)
self.assert_(seq_ab_all_arrival(query_events=cache.getEvents())==False)
self.assert_(seq_bc_any_arrival(query_events=cache.getEvents())==True)
self.assert_(seq_bc_all_arrival(query_events=cache.getEvents())==True)
def test_match_query(self):
g = event.EventGenerator()
events = g.randomEvents(100)
events[42].host = "FOO"
cache = TestCache(events)
query = rulecomponents.event_query(
[rulecomponents.event_host(lambda **kwargs: "FOO")], None,
"creation")
queries = {"foo": {"bar": [query]}}
rulemanager = TestRuleManager(queries=queries)
match_query = rulecomponents.match_query("foo", "bar")
evts = match_query(cache=cache,
query_events=[],
rulemanager=rulemanager)
self.assert_(len(evts) == 1)
self.assert_(evts[0] == events[42])
