def test_options(self):
# Setting attributes for testing
self.analysis.config = SigmaConfiguration()
self.analysis.table = "tablename"
self.analysis.SQL = ForensicStoreBackend(self.analysis.config)
sigma_rule = {
"title": "Test",
"level": "testing",
"detection": {
"keywords": ["test1", "test2"],
"condition": "keywords"
}
}
generated_query = "Dummy query"
with patch("yaml.safe_load_all",
return_value=[sigma_rule]) as mock_yaml_load:
with patch("sigma.backends.sql.SQLBackend.generate",
return_value=generated_query) as mock_sql_generate:
# Test for yaml file containing single rule
assert self.analysis.generateSqlQuery("any sigma io") == [
(generated_query, sigma_rule)
]
mock_yaml_load.assert_called_with("any sigma io")
# Test for yaml file containing two rules
mock_yaml_load.return_value = [sigma_rule, sigma_rule]
assert self.analysis.generateSqlQuery("any sigma io") == [
(generated_query, sigma_rule),
(generated_query, sigma_rule)
]
assert mock_yaml_load.call_count == 2
assert mock_sql_generate.call_count == 3
def test_empty_io_stream(self):
self.analysis.config = SigmaConfiguration()
self.analysis.table = "tablename"
self.analysis.SQL = ForensicStoreBackend(self.analysis.config)
with patch("builtins.open", mock_open(read_data="")):
assert self.analysis.generateSqlQuery(open("empty file")) == []
def test_invalid_io_stream(self):
self.analysis.config = SigmaConfiguration()
self.analysis.table = "tablename"
self.analysis.SQL = ForensicStoreBackend(self.analysis.config)
with patch("builtins.open", mock_open(read_data="not valid\n\nwhatever")):
self.assertRaises(
SigmaParseError, self.analysis.generateSqlQuery, open("invalid file"))
def validate(self, detection, expectation):
config = SigmaConfiguration()
self.basic_rule["detection"] = detection
with patch("yaml.safe_load_all", return_value=[self.basic_rule]):
parser = SigmaCollectionParser("any sigma io", config, None)
backend = ForensicStoreBackend(config)
assert len(parser.parsers) == 1
for p in parser.parsers:
if isinstance(expectation, str):
self.assertEqual(expectation, backend.generate(p))
elif isinstance(expectation, Exception):
self.assertRaises(type(expectation), backend.generate, p)
def __init__(self, url, sigmaconfig):
if not os.path.exists(sigmaconfig):
raise FileNotFoundError(sigmaconfig)
if not os.path.exists(url):
raise FileNotFoundError(url)
self.table = "elements"
self.store = forensicstore.open(url)
self.config = SigmaConfiguration(open(sigmaconfig))
self.SQL = ForensicStoreBackend(self.config)
def test_fieldname_mapping(self):
detection = {"selection": {"fieldname": "test1"}, "condition": "selection"}
expected_result = 'SELECT json FROM {} ' \
'WHERE json_extract(json, \'$.type\') = \'eventlog\' ' \
'AND json_extract(json, \'$.mapped_fieldname\') = "test1"'.format(self.table)
# configure mapping
config = SigmaConfiguration()
config.fieldmappings["fieldname"] = FieldMapping(
"fieldname", "mapped_fieldname")
self.basic_rule["detection"] = detection
with patch("yaml.safe_load_all", return_value=[self.basic_rule]):
parser = SigmaCollectionParser("any sigma io", config, None)
backend = ForensicStoreBackend(config)
assert len(parser.parsers) == 1
for p in parser.parsers:
self.assertEqual(expected_result.lower(),
backend.generate(p).lower())