def assertOutput(self, original, output):
    """Assert that *original* renders to *output* and round-trips intact.

    The query is formatted as DottySQL and compared with the expected
    text; that text is then parsed again and its root node must equal
    the root of the original query, so formatting loses no structure.
    """
    parsed = query.Query(original)
    rendered = asdottysql.asdottysql(parsed)
    self.assertEqual(output, rendered)

    # Round-trip check: the rendered DottySQL must parse to the same tree.
    reparsed_root = query.Query(rendered).root
    self.assertEqual(parsed.root, reparsed_root)
def assertOutput(self, original, output):
    """Check DottySQL formatting of *original* against *output*.

    Two assertions are made: the formatted text equals ``output``, and
    parsing that text back yields a root node equal to the original's.
    """
    source_query = query.Query(original)
    formatted = asdottysql.asdottysql(source_query)
    self.assertEqual(output, formatted)

    # Re-parse the formatted text; the AST roots must be equal.
    expected_root = source_query.root
    self.assertEqual(expected_root, query.Query(formatted).root)
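def assertOutput(self, original, output):
    """Assert that *original* formats to exactly *output* as DottySQL.

    Both branches of the former ``isinstance(original, six.string_types)``
    check called ``query.Query(original)`` identically, so the dispatch
    was dead code; it is collapsed here, which also drops the only use
    of ``six`` in this method.
    """
    parsed = query.Query(original)
    rendered = asdottysql.asdottysql(parsed)
    self.assertEqual(output, rendered)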
def render(self, renderer):
    """Render the analysis of ``self.query``, or an error when it is unset.

    Two sections are written to *renderer*: the query exactly as the
    user supplied it, and the same query re-parsed from its canonical
    DottySQL rendering.
    """
    if not self.query:
        # Nothing to analyse; hand off to the error renderer.
        return self.render_error(renderer)

    supplied = self.query
    renderer.section("Query Analysis (As supplied)", width=140)
    self.render_query(renderer, supplied)

    renderer.section("Query Analysis (Using canonical syntax)", width=140)
    # NOTE(review): asdottysql can return a "<Subexpression cannot be
    # formatted as DottySQL.>" placeholder for nodes it cannot spell;
    # re-parsing that text here presumably raises — verify.
    canonical = q.Query(asdottysql.asdottysql(supplied))
    self.render_query(renderer, canonical)
def render_query_analysis(self, renderer):
    """Render query analysis if the input is a regular query.

    A non-regular query could be the user asking us to explain (e.g.) a
    struct; in that case nothing is written to *renderer*.
    """
    if not self.input_is_regular_query:
        return

    supplied_source = self.query.source
    canonical_source = asdottysql.asdottysql(self.query)

    renderer.section("Query Analysis", width=140)
    self.render_query(renderer, self.query)

    # Only show the canonical form when it differs from what was typed.
    if canonical_source == supplied_source:
        return
    renderer.section("Query Analysis (Using canonical syntax)", width=140)
    self.render_query(renderer, q.Query(canonical_source))
def render_query_analysis(self, renderer):
    """Render query analysis if the input is a regular query.

    A non-regular query could be the user asking us to explain (e.g.) a
    struct, in which case this method renders nothing.
    """
    if not self.input_is_regular_query:
        return

    as_typed = self.query.source
    as_canonical = asdottysql.asdottysql(self.query)

    renderer.section("Query Analysis", width=140)
    self.render_query(renderer, self.query)

    differs = as_canonical != as_typed
    if differs:
        # A second section shows the query in canonical DottySQL syntax.
        renderer.section("Query Analysis (Using canonical syntax)", width=140)
        self.render_query(renderer, q.Query(as_canonical))
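def main():
    """Convert a tagfile to DottySQL and show how it tags a sample event.

    Reads the tagfile named by the single positional ``path`` argument,
    prints its DottySQL rendering, then applies the rules to a fixed
    Windows event-log record and prints the resulting tags.
    """
    parser = argparse.ArgumentParser(
        description="Convert a tagfile to DottySQL")  # help text typo fixed ("tafile")
    parser.add_argument("path", type=str)
    args = parser.parse_args()

    # The open handle is handed straight to the parser; the file is closed
    # when the with-block exits, so Query presumably consumes it eagerly —
    # verify if the parser is ever made lazy.
    with open(args.path, "r") as fd:
        tag_rules = query.Query(fd, syntax="tagfile")

    # What does the query look like as DottySQL?
    dottysql = asdottysql.asdottysql(tag_rules)
    print("# Tagfile %r converted:\n\n%s" % (args.path, dottysql))

    # How will the query tag this hard-coded sample event?
    event = {
        "data_type": "windows:evtx:record",
        "timestamp_desc": "",
        "strings": ("foo", "bar"),
        "source_name": "Microsoft-Windows-Kernel-Power",
        "event_identifier": 42,
    }
    tags = api.apply(tag_rules, vars=event)
    print("\n# Tagfile %r returned %r." % (args.path, list(tags)))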
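def main():
    """Convert a tagfile to DottySQL and show how it tags a sample event.

    Reads the tagfile named by the single positional ``path`` argument,
    prints its DottySQL rendering, then applies the rules to a fixed
    Windows event-log record and prints the resulting tags.
    """
    parser = argparse.ArgumentParser(
        description="Convert a tagfile to DottySQL")  # help text typo fixed ("tafile")
    parser.add_argument("path", type=str)
    args = parser.parse_args()

    # The open handle is handed straight to the parser; the file is closed
    # when the with-block exits, so Query presumably consumes it eagerly —
    # verify if the parser is ever made lazy.
    with open(args.path, "r") as fd:
        tag_rules = query.Query(fd, syntax="tagfile")

    # What does the query look like as DottySQL?
    dottysql = asdottysql.asdottysql(tag_rules)
    print("# Tagfile %r converted:\n\n%s" % (args.path, dottysql))

    # How will the query tag this hard-coded sample event?
    event = {
        "data_type": "windows:evtx:record",
        "timestamp_desc": "",
        "strings": ("foo", "bar"),
        "source_name": "Microsoft-Windows-Kernel-Power",
        "event_identifier": 42,
    }
    tags = api.apply(tag_rules, vars=event)
    print("\n# Tagfile %r returned %r." % (args.path, list(tags)))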
def testReducer(self):
    """A bare reducer node has no DottySQL spelling: the placeholder is returned."""
    reducer_expr = ("reducer", ("var", "count"), ("var", "x"))
    rendered = asdottysql.asdottysql(query.Query(reducer_expr))
    self.assertEqual(
        rendered, "<Subexpression cannot be formatted as DottySQL.>")
def testReducer(self):
    """Formatting a reducer subexpression yields the unformattable placeholder."""
    expected = "<Subexpression cannot be formatted as DottySQL.>"
    reducer_query = query.Query(("reducer", ("var", "count"), ("var", "x")))
    self.assertEqual(asdottysql.asdottysql(reducer_query), expected)