def test_options(self): # Setting attributes for testing self.analysis.config = SigmaConfiguration() self.analysis.table = "tablename" self.analysis.SQL = ForensicStoreBackend(self.analysis.config) sigma_rule = { "title": "Test", "level": "testing", "detection": { "keywords": ["test1", "test2"], "condition": "keywords" } } generated_query = "Dummy query" with patch("yaml.safe_load_all", return_value=[sigma_rule]) as mock_yaml_load: with patch("sigma.backends.sql.SQLBackend.generate", return_value=generated_query) as mock_sql_generate: # Test for yaml file containing single rule assert self.analysis.generateSqlQuery("any sigma io") == [ (generated_query, sigma_rule) ] mock_yaml_load.assert_called_with("any sigma io") # Test for yaml file containing two rules mock_yaml_load.return_value = [sigma_rule, sigma_rule] assert self.analysis.generateSqlQuery("any sigma io") == [ (generated_query, sigma_rule), (generated_query, sigma_rule) ] assert mock_yaml_load.call_count == 2 assert mock_sql_generate.call_count == 3
def test_empty_io_stream(self): self.analysis.config = SigmaConfiguration() self.analysis.table = "tablename" self.analysis.SQL = ForensicStoreBackend(self.analysis.config) with patch("builtins.open", mock_open(read_data="")): assert self.analysis.generateSqlQuery(open("empty file")) == []
def test_invalid_io_stream(self): self.analysis.config = SigmaConfiguration() self.analysis.table = "tablename" self.analysis.SQL = ForensicStoreBackend(self.analysis.config) with patch("builtins.open", mock_open(read_data="not valid\n\nwhatever")): self.assertRaises( SigmaParseError, self.analysis.generateSqlQuery, open("invalid file"))
def validate(self, detection, expectation): config = SigmaConfiguration() self.basic_rule["detection"] = detection with patch("yaml.safe_load_all", return_value=[self.basic_rule]): parser = SigmaCollectionParser("any sigma io", config, None) backend = ForensicStoreBackend(config) assert len(parser.parsers) == 1 for p in parser.parsers: if isinstance(expectation, str): self.assertEqual(expectation, backend.generate(p)) elif isinstance(expectation, Exception): self.assertRaises(type(expectation), backend.generate, p)
def __init__(self, url, sigmaconfig): if not os.path.exists(sigmaconfig): raise FileNotFoundError(sigmaconfig) if not os.path.exists(url): raise FileNotFoundError(url) self.table = "elements" self.store = forensicstore.open(url) self.config = SigmaConfiguration(open(sigmaconfig)) self.SQL = ForensicStoreBackend(self.config)
def test_fieldname_mapping(self): detection = {"selection": {"fieldname": "test1"}, "condition": "selection"} expected_result = 'SELECT json FROM {} ' \ 'WHERE json_extract(json, \'$.type\') = \'eventlog\' ' \ 'AND json_extract(json, \'$.mapped_fieldname\') = "test1"'.format(self.table) # configure mapping config = SigmaConfiguration() config.fieldmappings["fieldname"] = FieldMapping( "fieldname", "mapped_fieldname") self.basic_rule["detection"] = detection with patch("yaml.safe_load_all", return_value=[self.basic_rule]): parser = SigmaCollectionParser("any sigma io", config, None) backend = ForensicStoreBackend(config) assert len(parser.parsers) == 1 for p in parser.parsers: self.assertEqual(expected_result.lower(), backend.generate(p).lower())