def test8_whitelist_event_type_exception(self): """This test case checks whether an exception is thrown when entering an event of another class.""" description = "Test8NewMatchPathDetector" new_match_path_detector = NewMatchPathDetector(self.aminer_config, [self.stream_printer_event_handler], 'Default', True, output_log_line=False) self.analysis_context.register_component(new_match_path_detector, description) t = round(time.time(), 3) log_atom_fixed_dme = LogAtom(self.fixed_dme.fixed_data, ParserMatch(self.match_element_fixed_dme), t, new_match_path_detector) new_match_path_detector.receive_atom(log_atom_fixed_dme) new_match_path_value_combo_detector = NewMatchPathValueComboDetector(self.aminer_config, [], [self.stream_printer_event_handler], 'Default', True, True) self.assertRaises( Exception, new_match_path_detector.whitelist_event, self.analysis % new_match_path_value_combo_detector.__class__.__name__, log_atom_fixed_dme.raw_data, self.output_stream.getvalue(), None)
def test12or_match_rule(self): """This case unit the OrMatchRule.""" description = "Test12Rules" path_exists_match_rule = PathExistsMatchRule(self.match_ipv4, None) self.analysis_context.register_component(path_exists_match_rule, description) i_pv4_in_rfc1918_match_rule = IPv4InRFC1918MatchRule(self.match_ipv4) self.analysis_context.register_component(i_pv4_in_rfc1918_match_rule, description + "2") or_match_rule = OrMatchRule([path_exists_match_rule, i_pv4_in_rfc1918_match_rule]) self.analysis_context.register_component(or_match_rule, description + "3") ip_address_data_model_element = IpAddressDataModelElement('IPv4') match_context = MatchContext(b'192.168.0.0') match_element = ip_address_data_model_element.get_match_element('match', match_context) log_atom = LogAtom(match_context.match_data, ParserMatch(match_element), time(), or_match_rule) self.assertTrue(or_match_rule.match(log_atom)) # changing to IPv6 path_exists_match_rule = PathExistsMatchRule('match/IPv6', None) or_match_rule = OrMatchRule([path_exists_match_rule, i_pv4_in_rfc1918_match_rule]) match_context = MatchContext(b'192.168.0.0') match_element = ip_address_data_model_element.get_match_element('match', match_context) log_atom = LogAtom(match_context.match_data, ParserMatch(match_element), time(), or_match_rule) self.assertTrue(or_match_rule.match(log_atom))
def test14negation_match_rule(self): """This case unit the NegationMatchRule.""" description = "Test14Rules" path_exists_match_rule = PathExistsMatchRule(self.match_s1, None) self.analysis_context.register_component(path_exists_match_rule, description) negation_match_rule = NegationMatchRule(path_exists_match_rule) self.analysis_context.register_component(negation_match_rule, description + "2") self.fixed_dme = FixedDataModelElement('s1', self.fixed_string) match_context = MatchContext(self.fixed_string) match_element = self.fixed_dme.get_match_element('match', match_context) log_atom = LogAtom(match_context.match_data, ParserMatch(match_element), 1, path_exists_match_rule) self.assertTrue(path_exists_match_rule.match(log_atom)) self.assertTrue(not negation_match_rule.match(log_atom))
def test2log_atom_matches_single_path(self): """This unittest tests the receive_atom method with a single path matching.""" parser_count = ParserCount( self.aminer_config, ['fixed/seq', 'fixed/seq/m1', 'fixed/seq/m2', 'fixed/m3'], [self.stream_printer_event_handler]) t = time.time() log_atom = LogAtom(self.fixed_dme_m3.fixed_data, ParserMatch(self.match_element_m3), t, parser_count) old_count_dict = dict(parser_count.count_dict) old_count_dict['fixed/m3'][current_processed_lines_str] = 1 old_count_dict['fixed/m3'][total_processed_lines_str] = 1 parser_count.receive_atom(log_atom) self.assertEqual(parser_count.count_dict, old_count_dict)
def test1receive_atoms_with_default_values(self): """ In this test case multiple log_atoms are received with default values of the EventTypeDetector. path_list is empty and all paths are learned dynamically in variable_key_list. """ event_type_detector = EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler]) log_atoms = [] for line in self.log_lines: t = time.time() log_atoms.append( LogAtom(line, ParserMatch(self.parsing_model.get_match_element('parser', MatchContext(line))), t, self.__class__.__name__)) for i, log_atom in enumerate(log_atoms): self.assertTrue(event_type_detector.receive_atom(log_atom)) self.assertEqual(event_type_detector.total_records, i + 1)
def test1timestamp_lower_than_last_timestamp(self): """This test case checks if an event is created, when the timestamp is lower than the last one.""" description = "Test1TimestampsUnsortedDetector" match_context_fixed_dme = MatchContext(self.pid) fixed_dme = FixedDataModelElement('s1', self.pid) match_element_fixed_dme = fixed_dme.get_match_element( "match", match_context_fixed_dme) new_match_path_detector = NewMatchPathDetector( self.aminer_config, [self.stream_printer_event_handler], 'Default', False) self.analysis_context.register_component(new_match_path_detector, description) t = time() log_atom = LogAtom(fixed_dme.fixed_data, ParserMatch(match_element_fixed_dme), t, new_match_path_detector) timestamp_unsorted_detector = TimestampsUnsortedDetector( self.aminer_config, [self.stream_printer_event_handler], False, output_log_line=False) self.analysis_context.register_component(timestamp_unsorted_detector, description + "2") self.assertTrue(timestamp_unsorted_detector.receive_atom(log_atom)) self.assertEqual(self.output_stream.getvalue(), '') log_atom.set_timestamp(t - 10000) self.assertTrue(timestamp_unsorted_detector.receive_atom(log_atom)) self.assertEqual( self.output_stream.getvalue(), self.__expected_string % (datetime.fromtimestamp(t - 10000).strftime( self.datetime_format_string), datetime.fromtimestamp(t - 10000).strftime( self.datetime_format_string), datetime.fromtimestamp(t).strftime(self.datetime_format_string), timestamp_unsorted_detector.__class__.__name__, description + "2", 1, "b' pid='"))
def test2_log_atom_known(self): """ This test case checks the functionality of the auto_include_flag. If the same MatchElement is processed a second time and the auto_include_flag was True, no event must be triggered. """ description = "Test2NewMatchPathValueComboDetector" new_match_path_value_combo_detector = NewMatchPathValueComboDetector(self.aminer_config, [self.first_seq_s1, self.first_seq_d1], [ self.stream_printer_event_handler], 'Default', False, True, output_log_line=False) self.analysis_context.register_component(new_match_path_value_combo_detector, description) t = time.time() log_atom_sequence_me = LogAtom(self.match_element_sequence_me.get_match_string(), ParserMatch(self.match_element_sequence_me), t, new_match_path_value_combo_detector) self.assertTrue(new_match_path_value_combo_detector.receive_atom(log_atom_sequence_me)) self.assertEqual(self.output_stream.getvalue(), self.__expected_string % ( datetime.fromtimestamp(t).strftime(self.datetime_format_string), new_match_path_value_combo_detector.__class__.__name__, description, 1, self.string2)) self.reset_output_stream() # repeating should NOT produce the same result self.assertTrue(new_match_path_value_combo_detector.receive_atom(log_atom_sequence_me)) self.assertEqual(self.output_stream.getvalue(), '') self.reset_output_stream() new_match_path_value_combo_detector2 = NewMatchPathValueComboDetector(self.aminer_config, ['second/seq2/d1', 'second/seq2/s2'], [ self.stream_printer_event_handler], 'Default', False, False, output_log_line=False) self.analysis_context.register_component(new_match_path_value_combo_detector2, description + "2") log_atom_sequence_me2 = LogAtom(self.match_element_sequence_me2.get_match_string(), ParserMatch(self.match_element_sequence_me2), t, new_match_path_value_combo_detector2) # other MatchElement self.assertTrue(new_match_path_value_combo_detector2.receive_atom(log_atom_sequence_me2)) self.assertEqual(self.output_stream.getvalue(), self.__expected_string % ( datetime.fromtimestamp(t).strftime(self.datetime_format_string), new_match_path_value_combo_detector.__class__.__name__, description + "2", 1, " (25537, b' uid=2')\nb'25537 uid=2'"))
def test2atom_filter_match_action(self): """This test case proves the functionality of the AtomFilters.""" description = "Test2Rules" newMatchPathDetector = NewMatchPathDetector( self.aminer_config, [self.stream_printer_event_handler], 'Default', False) logAtomFixedDME = LogAtom(self.fixed_dme.fixed_data, ParserMatch(self.match_element_fixed_dme), time(), newMatchPathDetector) subhandlerFilter = SubhandlerFilter([newMatchPathDetector]) self.analysis_context.register_component(subhandlerFilter, description) self.analysis_context.register_component(newMatchPathDetector, description + "2") self.assertTrue(subhandlerFilter.receive_atom(logAtomFixedDME))
def check_anomaly_detection(self, ecd, t, diff): """Check if anomalies were detected as expected.""" for char in self.alphabet: self.reset_output_stream() char = bytes([char]) parser_match = ParserMatch(self.alphabet_model.get_match_element('parser', MatchContext(char))) t += 5 * 3 ecd.receive_atom(LogAtom(char, parser_match, t, self.__class__.__name__)) # another LogAtom must be received to check the follow anomalies. t += 5 * 3 ecd.receive_atom(LogAtom(char, parser_match, t, self.__class__.__name__)) # print(self.output_stream.getvalue()) # precede anomaly for i in range(1, int(5 / diff) + 1, 1): # print("in") # print(bytes([self.alphabet[(self.alphabet.index(char) - i) % len(self.alphabet)]])) self.assertIn('Event %s is missing, but should precede event %s' % ( bytes([self.alphabet[(self.alphabet.index(char) - i) % len(self.alphabet)]]), char), self.output_stream.getvalue()) for i in range(int(5 / diff) + 1, len(self.alphabet), 1): # print("not in") # print(bytes([self.alphabet[(self.alphabet.index(char) - i) % len(self.alphabet)]])) self.assertNotIn('Event %s is missing, but should precede event %s' % ( bytes([self.alphabet[(self.alphabet.index(char) - i) % len(self.alphabet)]]), char), self.output_stream.getvalue()) # follow anomaly for i in range(1, int(5 / diff) + 1, 1): # print("in") # print(bytes([self.alphabet[(self.alphabet.index(char) + i) % len(self.alphabet)]])) self.assertIn('Event %s is missing, but should follow event %s' % ( bytes([self.alphabet[(self.alphabet.index(char) + i) % len(self.alphabet)]]), char), self.output_stream.getvalue()) for i in range(int(5 / diff) + 1, len(self.alphabet), 1): # print("not in") # print(bytes([self.alphabet[(self.alphabet.index(char) + i) % len(self.alphabet)]])) self.assertNotIn('Event %s is missing, but should follow event %s' % ( bytes([self.alphabet[(self.alphabet.index(char) + i) % len(self.alphabet)]]), char), self.output_stream.getvalue())
def test1match_found(self): """This test case checks if valid inputs are recognized.""" description = "Test1AllowlistViolationDetector" path_exists_match_rule = PathExistsMatchRule('match/s1', None) path_exists_match_rule2 = PathExistsMatchRule('match/s2', None) t = time.time() allowlist_violation_detector = AllowlistViolationDetector(self.aminer_config, [path_exists_match_rule, path_exists_match_rule2], [ self.stream_printer_event_handler], output_log_line=False) self.analysis_context.register_component(allowlist_violation_detector, description) fixed_dme = FixedDataModelElement('s1', self.fixed_string) match_context = MatchContext(self.fixed_string) match_element = fixed_dme.get_match_element('match', match_context) log_atom = LogAtom(match_context.match_data, ParserMatch(match_element), t, allowlist_violation_detector) self.assertTrue(allowlist_violation_detector.receive_atom(log_atom)) self.assertEqual(self.output_stream.getvalue(), '') fixed_dme = FixedDataModelElement('s2', self.fixed_string) match_context = MatchContext(self.fixed_string) match_element = fixed_dme.get_match_element('match', match_context) log_atom = LogAtom(match_element.match_object, ParserMatch(match_element), t, allowlist_violation_detector) self.assertTrue(allowlist_violation_detector.receive_atom(log_atom)) self.assertEqual(self.output_stream.getvalue(), '') fixed_dme = FixedDataModelElement('s3', self.fixed_string) match_context = MatchContext(self.fixed_string) match_element = fixed_dme.get_match_element('match', match_context) log_atom = LogAtom(match_element.match_object, ParserMatch(match_element), t, path_exists_match_rule) self.assertTrue(not allowlist_violation_detector.receive_atom(log_atom)) self.assertEqual(self.output_stream.getvalue(), self.__expected_string % ( datetime.fromtimestamp(t).strftime("%Y-%m-%d %H:%M:%S"), allowlist_violation_detector.__class__.__name__, description, 1, "b'fixed String'"))
def test11multiple_paths(self): """Test the functionality of the MissingMatchPathValueDetector with multiple paths.""" description = "Test11MissingMatchPathValueDetector" match_context = MatchContext(self.pid + b"22") fixed_dme = FixedDataModelElement('s1', self.pid) decimal_integer_value_me = DecimalIntegerValueModelElement('d1', DecimalIntegerValueModelElement.SIGN_TYPE_NONE, DecimalIntegerValueModelElement.PAD_TYPE_NONE) seq = SequenceModelElement('model', [fixed_dme, decimal_integer_value_me]) match_element = seq.get_match_element("match", match_context) missing_match_path_value_detector = MissingMatchPathValueDetector(self.aminer_config, [ "match/model", "match/model/s1", "match/model/d1"], [self.stream_printer_event_handler], 'Default', False, self.__default_interval, self.__realert_interval) self.analysis_context.register_component(missing_match_path_value_detector, description) log_atom = LogAtom(fixed_dme.fixed_data + b"22", ParserMatch(match_element), 1, missing_match_path_value_detector) self.assertTrue(missing_match_path_value_detector.receive_atom(log_atom))
def test2_check_status_not_found_error(self): """ In this test case the second log line is not found and an appropriate error message is expected from the check_status-method. The output of the do_timer-method is also tested in this test case. """ description = "Test2TimeCorrelationViolationDetector" time_correlation_violation_detector = TimeCorrelationViolationDetector(self.analysis_context.aminer_config, self.rules, [self.stream_printer_event_handler]) self.analysis_context.register_component(time_correlation_violation_detector, component_name=description) t = time.time() log_atom1 = LogAtom(self.match_context1.match_data, ParserMatch(self.match_element1), t, self) time_correlation_violation_detector.receive_atom(log_atom1) r = self.correlation_rule.check_status(t + 2) self.assertEqual(r[0], 'FAIL: B-Event for "%s" (%s) was not found in time!\n' % ( self.match_element1.get_match_string().decode(), self.a_class_selector.action_id))
def test13value_dependent_delegated_match_rule(self): """This case unit the ValueDependentDelegatedMatchRule.""" description = "Test13Rules" string_regex_match_rule = StringRegexMatchRule(self.match_any, re.compile(r'\w'), None) self.analysis_context.register_component(string_regex_match_rule, description) any_byte_date_me = AnyByteDataModelElement('any') i_pv4_in_rfc1918_match_rule = IPv4InRFC1918MatchRule(self.match_ipv4) self.analysis_context.register_component(i_pv4_in_rfc1918_match_rule, description + "2") ip_address_data_model_element = IpAddressDataModelElement('IPv4') value_dependent_delegated_match_rule = ValueDependentDelegatedMatchRule([ self.match_any, self.match_ipv4], {(self.alphabet, None): string_regex_match_rule, (None, 3232235520): i_pv4_in_rfc1918_match_rule}) self.analysis_context.register_component(value_dependent_delegated_match_rule, description + "3") match_context = MatchContext(self.alphabet) match_element = any_byte_date_me.get_match_element('match', match_context) log_atom = LogAtom(match_context.match_data, ParserMatch(match_element), 1, value_dependent_delegated_match_rule) self.assertTrue(value_dependent_delegated_match_rule.match(log_atom)) match_context = MatchContext(b'192.168.0.0') match_element = ip_address_data_model_element.get_match_element('match', match_context) log_atom = LogAtom(match_context.match_data, ParserMatch(match_element), 1, value_dependent_delegated_match_rule) self.assertTrue(value_dependent_delegated_match_rule.match(log_atom)) # not matching values match_context = MatchContext('.There are 26 letters in the english alphabet') match_element = any_byte_date_me.get_match_element('match', match_context) log_atom = LogAtom(match_context.match_data, ParserMatch(match_element), 1, value_dependent_delegated_match_rule) self.assertTrue(not value_dependent_delegated_match_rule.match(log_atom)) match_context = MatchContext(b'192.168.0.1') match_element = ip_address_data_model_element.get_match_element('match', match_context) log_atom = LogAtom(match_context.match_data, ParserMatch(match_element), 1, value_dependent_delegated_match_rule) self.assertTrue(not value_dependent_delegated_match_rule.match(log_atom))
def test6receive_atom_without_target_paths(self): """This unittest tests the receive_atom method with multiple paths matching without having target_paths specified.""" parser_count = ParserCount(self.aminer_config, None, [self.stream_printer_event_handler]) t = time.time() log_atom = LogAtom(self.match_context_seq.match_data, ParserMatch(self.match_element_seq), t, parser_count) old_count_dict = dict(parser_count.count_dict) old_count_dict['fixed/seq'] = { current_processed_lines_str: 1, total_processed_lines_str: 1 } parser_count.receive_atom(log_atom) self.assertEqual(parser_count.count_dict, old_count_dict)
def test4do_timer(self): """This unittest checks if the do_timer method works properly.""" parser_count = ParserCount(self.aminer_config, ['fixed/m3'], [self.stream_printer_event_handler], 600) t = time.time() self.assertEqual(int(parser_count.do_timer(t + 100)), 600) self.assertEqual(self.output_stream.getvalue(), "") log_atom = LogAtom(self.match_context_seq.match_data, ParserMatch(self.match_element_seq), t, parser_count) parser_count.receive_atom(log_atom) self.assertEqual(int(parser_count.do_timer(t + 100)), 500) self.assertEqual(self.output_stream.getvalue(), "") self.assertEqual(parser_count.do_timer(t + 601), 600) self.assertNotEqual(self.output_stream.getvalue(), "") self.reset_output_stream()
def test2receive_atom_unhandled(self): """In this test case no handler can handle the log atom.""" description = "Test2AtomFilters" new_match_path_detector = NewMatchPathDetector( self.aminer_config, [self.stream_printer_event_handler], 'Default', False) self.analysis_context.register_component(new_match_path_detector, description) t = time.time() log_atom_fixed_dme = LogAtom(self.fixed_dme.fixed_data, ParserMatch(self.match_element_fixed_dme), t, new_match_path_detector) subhandler_filter = SubhandlerFilter([], True) self.assertTrue(not subhandler_filter.receive_atom(log_atom_fixed_dme))
def test2_receive_atom_trigger_no_event(self): """This test checks if an event is not triggered if the path is not in the target_path_list.""" description = "Test2MatchFilterTest" decimal_integer_me = DecimalIntegerValueModelElement('integer') match_filter = MatchFilter(self.aminer_config, ['/strings'], [self.stream_printer_event_handler]) self.analysis_context.register_component(match_filter, description) t = time.time() for val in range(1000): log_atom = LogAtom( val, ParserMatch( decimal_integer_me.get_match_element( '', MatchContext(str(val).encode('utf-8')))), t, match_filter) match_filter.receive_atom(log_atom) self.assertEqual('', self.output_stream.getvalue())
def test1simple_monotonic_timestamp_adjust_test(self): """This test case checks if the timestamp is adjusted and logAtoms are forwarded correctly.""" description = "Test1TimestampCorrectionFilter" match_context_fixed_dme = MatchContext(b' pid=') fixed_dme = FixedDataModelElement('s1', b' pid=') match_element_fixed_dme = fixed_dme.get_match_element("match", match_context_fixed_dme) t = time() new_match_path_detector = NewMatchPathDetector(self.aminer_config, [self.stream_printer_event_handler], 'Default', False, output_log_line=False) self.analysis_context.register_component(new_match_path_detector, description) simple_monotonic_timstamp_adjust = SimpleMonotonicTimestampAdjust([new_match_path_detector], False) log_atom_fixed_dme = LogAtom(fixed_dme.fixed_data, ParserMatch(match_element_fixed_dme), t, new_match_path_detector) self.assertEqual(simple_monotonic_timstamp_adjust.receive_atom(log_atom_fixed_dme), True) self.assertEqual(self.output_stream.getvalue(), self.__expected_string % ( datetime.fromtimestamp(t).strftime("%Y-%m-%d %H:%M:%S"), new_match_path_detector.__class__.__name__, description, 1, self.match_path))
def test1log_multiple_lines_event(self): """In this test case the EventHandler receives multiple lines from the test class.""" description = "Test1SyslogWriterEventHandler" match_context = MatchContext(self.pid) fixed_dme = FixedDataModelElement('s1', self.pid) match_element = fixed_dme.get_match_element("match", match_context) match_context = MatchContext(self.pid) fixed_dme2 = FixedDataModelElement('s2', self.pid) match_element2 = fixed_dme2.get_match_element("match", match_context) syslog_writer_event_handler = SyslogWriterEventHandler( self.analysis_context, 'aminer') self.analysis_context.register_component(self, description) t = time() log_atom = LogAtom(fixed_dme.fixed_data, ParserMatch(match_element), t, self) syslog_writer_event_handler.receive_event( self.test % self.__class__.__name__, self.new_val % (self.match_s1, self.match_s2, repr(match_element.match_object)), [log_atom.raw_data, log_atom.raw_data], None, log_atom, self) string = '' sleep(0.2) with open("/var/log/syslog") as search: for line in search: line = line.rstrip() # remove '\n' at end of line if 'aminer[' + str(os.getpid()) + ']' in line: line = line.split("]: ") string += (line[1]) + '\n' found = False string = string.split('Syslog logger initialized\n') expected = self.__expected_string % ( datetime.fromtimestamp(t).strftime("%Y-%m-%d %H:%M:%S"), match_element.get_path(), match_element2.get_path(), repr(match_element.get_match_object()), self.__class__.__name__, description, 2, match_element.get_match_string().decode(), match_element2.get_match_string().decode()) for log in string: if expected in log: found = True self.assertTrue(found)
def generate_errored_data(self, iterations, diff, error_rate): """Generate data with errors according to the error_rate.""" log_atoms = [] t = time() divisor = 1 while error_rate * divisor < 1: divisor = divisor * 10 err = divisor * error_rate divisor //= err for i in range(1, iterations+1): if i % divisor == 0 and i != 0: char = bytes([self.alphabet[int(i + random.uniform(diff+1, len(self.alphabet))) % len(self.alphabet)]]) else: char = bytes([self.alphabet[i % len(self.alphabet)]]) parser_match = ParserMatch(self.alphabet_model.get_match_element('parser', MatchContext(char))) t += diff log_atoms.append(LogAtom(char, parser_match, t, self.__class__.__name__)) return log_atoms
def test9match_value_filter_receive_atom_target_value_not_found(self): """No target_value was found in the dictionary.""" description = "Test9AtomFilters" new_match_path_detector = NewMatchPathDetector( self.aminer_config, [self.stream_printer_event_handler], 'Default', False) self.analysis_context.register_component(new_match_path_detector, description) t = time.time() log_atom_fixed_dme = LogAtom(b'24999', ParserMatch(self.match_element_fixed_dme), t, new_match_path_detector) match_value_filter = MatchValueFilter( self.match_element_fixed_dme.get_path(), {self.fixed_dme.fixed_data: None}, None) self.assertTrue( not match_value_filter.receive_atom(log_atom_fixed_dme))
def test6_receive_atom_list(self): """This test case checks, whether a missing value is created by a list without using the auto_include_flag.""" description = "Test6MissingMatchPathValueDetector" match_context_fixed_dme = MatchContext(self.pid) fixed_dme = FixedDataModelElement('s1', self.pid) match_element_fixed_dme = fixed_dme.get_match_element("match1", match_context_fixed_dme) match_context_decimal_integer_value_me = MatchContext(self.string) decimal_integer_value_me = DecimalIntegerValueModelElement('d1', DecimalIntegerValueModelElement.SIGN_TYPE_NONE, DecimalIntegerValueModelElement.PAD_TYPE_NONE) match_element_decimal_integer_value_me = decimal_integer_value_me.get_match_element( "match2", match_context_decimal_integer_value_me) missing_match_path_list_value_detector = MissingMatchPathListValueDetector(self.aminer_config, [ match_element_fixed_dme.get_path(), match_element_decimal_integer_value_me.get_path()], [self.stream_printer_event_handler], 'Default', False, self.__default_interval, self.__realert_interval) self.analysis_context.register_component(missing_match_path_list_value_detector, description) log_atom_fixed_dme = LogAtom(fixed_dme.fixed_data, ParserMatch(match_element_fixed_dme), 1, missing_match_path_list_value_detector) self.assertTrue(missing_match_path_list_value_detector.receive_atom(log_atom_fixed_dme))
def test1_receive_atom(self): """This test case checks whether a missing value is created without using the auto_include_flag. (should not be the case)""" description = "Test1MissingMatchPathValueDetector" match_context_fixed_dme = MatchContext(self.pid) fixed_dme = FixedDataModelElement('s1', self.pid) match_element_fixed_dme = fixed_dme.get_match_element( "match1", match_context_fixed_dme) missing_match_path_value_detector = MissingMatchPathValueDetector( self.aminer_config, match_element_fixed_dme.get_path(), [self.stream_printer_event_handler], 'Default', False, self.__default_interval, self.__realert_interval) self.analysis_context.register_component( missing_match_path_value_detector, description) log_atom_fixed_dme = LogAtom(fixed_dme.fixed_data, ParserMatch(match_element_fixed_dme), 1, missing_match_path_value_detector) self.assertTrue( missing_match_path_value_detector.receive_atom(log_atom_fixed_dme))
def test4match_path_filter_receive_atom_path_in_dictionary(self): """There is a path in the dictionary and the handler is not None. The default_parsed_atom_handler is None.""" description = "Test4AtomFilters" new_match_path_detector = NewMatchPathDetector( self.aminer_config, [self.stream_printer_event_handler], 'Default', False) self.analysis_context.register_component(new_match_path_detector, description) t = time.time() log_atom_fixed_dme = LogAtom(self.fixed_dme.fixed_data, ParserMatch(self.match_element_fixed_dme), t, new_match_path_detector) match_path_filter = MatchPathFilter([ (self.match_element_fixed_dme.get_path(), new_match_path_detector) ], None) self.assertTrue(match_path_filter.receive_atom(log_atom_fixed_dme))
def test11_path_dependent_histogram_analysis_no_report(self): """ This test case aims to test the functionality of the PathDependantHistogramAnalysis.receive_atom method. No report is expected. """ description = "Test11HistogramAnalysis" start_time = 57600 end_time = 662600 diff = 30000 modulo_time_bin_definition = ModuloTimeBinDefinition(86400, 3600, 0, 1, 24, False) histogram_data = HistogramData(self.match_crontab, modulo_time_bin_definition) path_dependent_histogram_analysis = PathDependentHistogramAnalysis( self.aminer_config, histogram_data.property_path, modulo_time_bin_definition, 604800, [self.stream_printer_event_handler], True, 'Default') self.analysis_context.register_component(path_dependent_histogram_analysis, description) match_element = MatchElement(self.match_crontab, str(start_time).encode(), start_time, None) t = time.time() log_atom = LogAtom(histogram_data.bin_data, ParserMatch(match_element), t, path_dependent_histogram_analysis) path_dependent_histogram_analysis.receive_atom(log_atom) histogram_data.add_value(start_time) histogram_data.add_value(end_time) match_element = MatchElement(self.match_crontab, str(end_time).encode(), end_time, None) log_atom = LogAtom(histogram_data.bin_data, ParserMatch(match_element), t + diff, path_dependent_histogram_analysis) path_dependent_histogram_analysis.receive_atom(log_atom) self.assertEqual(self.output_stream.getvalue(), '') # resetting the outputStream start_time = start_time + 3600 end_time = end_time + 3600 self.reset_output_stream() t = t + diff log_atom = LogAtom(histogram_data.bin_data, ParserMatch(match_element), t, path_dependent_histogram_analysis) path_dependent_histogram_analysis.receive_atom(log_atom) match_element = MatchElement(self.match_crontab, str(start_time).encode(), start_time, None) log_atom = LogAtom(histogram_data.bin_data, ParserMatch(match_element), t, path_dependent_histogram_analysis) path_dependent_histogram_analysis.receive_atom(log_atom) histogram_data.add_value(start_time) histogram_data.add_value(end_time) histogram_data.add_value(start_time) histogram_data.add_value(end_time) match_element = MatchElement(self.match_crontab, str(end_time).encode(), end_time, None) log_atom = LogAtom(histogram_data.bin_data, ParserMatch(match_element), t + diff, path_dependent_histogram_analysis) path_dependent_histogram_analysis.receive_atom(log_atom) match_element = MatchElement(self.match_crontab, str(end_time).encode(), end_time, None) log_atom = LogAtom(histogram_data.bin_data, ParserMatch(match_element), t + diff, path_dependent_histogram_analysis) path_dependent_histogram_analysis.receive_atom(log_atom) self.assertEqual(self.output_stream.getvalue(), '')
def test6match_path_filter_receive_atom_path_not_in_dictionary_default_set( self): """The searched path is not in the dictionary. The default_parsed_atom_handler is set.""" description = "Test6AtomFilters" new_match_path_detector = NewMatchPathDetector( self.aminer_config, [self.stream_printer_event_handler], 'Default', False) self.analysis_context.register_component(new_match_path_detector, description) t = time.time() log_atom_fixed_dme = LogAtom(self.fixed_dme.fixed_data, ParserMatch(self.match_element_fixed_dme), t, new_match_path_detector) match_path_filter = MatchPathFilter( [(self.match_element_decimal_integer_value_me.get_path(), new_match_path_detector)], new_match_path_detector) self.assertTrue(match_path_filter.receive_atom(log_atom_fixed_dme))
def test9_allowlist_event_allowlisting_data_exception(self): """The NewMatchPathDetector can not handle allowlisting data and therefore an exception is expected.""" description = "Test9NewMatchPathDetector" new_match_path_detector = NewMatchPathDetector( self.aminer_config, [self.stream_printer_event_handler], 'Default', True, output_log_line=False) self.analysis_context.register_component(new_match_path_detector, description) t = round(time.time(), 3) log_atom_fixed_dme = LogAtom(self.fixed_dme.fixed_data, ParserMatch(self.match_element_fixed_dme), t, new_match_path_detector) new_match_path_detector.receive_atom(log_atom_fixed_dme) self.assertRaises( Exception, new_match_path_detector.allowlist_event, self.analysis % new_match_path_detector.__class__.__name__, self.output_stream.getvalue(), ['random', 'Data'])
def test2_atom_is_parsed(self): """The atom in this test case has no ParserMatch.""" description = "Test2SimpleUnparsedAtomHandler" any_byte_data_model_element = AnyByteDataModelElement('a1') new_match_path_detector1 = NewMatchPathDetector( self.aminer_config, [self.stream_printer_event_handler], 'Default', False) match_context = MatchContext(self.calculation) match_element = any_byte_data_model_element.get_match_element( 'match', match_context) log_atom = LogAtom(match_element.match_object, None, time(), new_match_path_detector1) simple_unparsed_atom_handler = SimpleUnparsedAtomHandler( [self.stream_printer_event_handler]) self.analysis_context.register_component(simple_unparsed_atom_handler, description) self.assertTrue(simple_unparsed_atom_handler.receive_atom(log_atom))
def test9value_dependent_modulo_time_match_rule(self): """This case unit the ValueDependentModuloTimeMatchRule. Limit look up not working with tuples.""" description = "Test9Rules" value_dependent_modulo_time_match_rule = ValueDependentModuloTimeMatchRule( self.model_syslog_time, 86400, [self.model_syslog_time], {1550145600: [43200, 86400]}) self.analysis_context.register_component( value_dependent_modulo_time_match_rule, description) date_time_model_element = DateTimeModelElement('time', b'%d.%m.%Y %H:%M:%S', timezone.utc) match_context = MatchContext(b'14.02.2019 12:00:00') match_element = date_time_model_element.get_match_element( self.model_syslog, match_context) log_atom = LogAtom(match_context.match_data, ParserMatch(match_element), 1550138400, date_time_model_element) self.assertTrue(value_dependent_modulo_time_match_rule.match(log_atom))
def test7match_value_filter_receive_atom_target_value_and_handler_found( self): """A target_value and a handler, which can handle the matchObject is found.""" description = "Test7AtomFilters" new_match_path_detector = NewMatchPathDetector( self.aminer_config, [self.stream_printer_event_handler], 'Default', False) self.analysis_context.register_component(new_match_path_detector, description) t = time.time() log_atom_fixed_dme = LogAtom(self.fixed_dme.fixed_data, ParserMatch(self.match_element_fixed_dme), t, new_match_path_detector) match_value_filter = MatchValueFilter( self.match_element_fixed_dme.get_path(), {self.fixed_dme.fixed_data: new_match_path_detector}, None) self.assertTrue(match_value_filter.receive_atom(log_atom_fixed_dme))