def testViperLookup(self):
  """Tests the Viper analysis plugin end to end through the event queue.

  Fixture events are pushed into a single-process queue, the plugin is run
  against a Viper endpoint at http://localhost, and the resulting report must
  carry exactly one tag, attached to event UUID '8', whose first tag string
  names the "default" project and the "rat, darkcomet" tags.
  """
  incoming_queue = single_process.SingleProcessQueue()
  knowledge_base = self._SetUpKnowledgeBase()

  # Seed the queue the plugin consumes from with the fixture events.
  producer = queue.ItemQueueProducer(incoming_queue)
  producer.ProduceItems(
      [self._CreateTestEventObject(fixture) for fixture in self.TEST_EVENTS])

  # Plain HTTP is acceptable only because the target is localhost; the
  # plugin sends file lookups to the Viper host, so a non-local deployment
  # should be configured with https (NOTE(review): verify the plugin supports
  # it before relying on that).
  analysis_plugin = viper.ViperAnalysisPlugin(incoming_queue)
  analysis_plugin.SetProtocol(u'http')
  analysis_plugin.SetHost(u'localhost')

  report_consumer = self._RunAnalysisPlugin(analysis_plugin, knowledge_base)
  reports = self._GetAnalysisReportsFromQueue(report_consumer)
  self.assertEqual(len(reports), 1)

  tags = reports[0].GetTags()
  self.assertEqual(len(tags), 1)

  tag = tags[0]
  self.assertEqual(tag.event_uuid, u'8')
  expected_string = (
      u'File is present in Viper. Projects: \"default\" Tags \"'
      u'rat, darkcomet\"')
  self.assertEqual(tag.tags[0], expected_string)
def testExamineEventAndCompileReport(self):
  """Tests the ExamineEvent and CompileReport functions.

  Runs the plugin against a Viper endpoint at http://localhost:8080 over the
  fixture events and checks that one report and one event tag are written,
  that the report text lists the four labels with a count of 1 each, and
  that the tag carries exactly those four labels.
  """
  plugin = viper.ViperAnalysisPlugin()
  plugin.SetHost('localhost')
  plugin.SetPort(8080)
  # Plain HTTP is only appropriate for the localhost test endpoint.
  plugin.SetProtocol('http')

  storage_writer = self._AnalyzeEvents(self._TEST_EVENTS, plugin)

  self.assertEqual(len(storage_writer.analysis_reports), 1)
  self.assertEqual(storage_writer.number_of_event_tags, 1)

  report = storage_writer.analysis_reports[0]
  self.assertIsNotNone(report)

  # The assertion is order-sensitive: the expected lines are in alphabetical
  # label order, so any change to how CompileReport orders them fails here.
  expected_text = (
      'viper hash tagging results\n'
      '1 events tagged with label: viper_present\n'
      '1 events tagged with label: viper_project_default\n'
      '1 events tagged with label: viper_tag_darkcomet\n'
      '1 events tagged with label: viper_tag_rat\n')
  self.assertEqual(report.text, expected_text)

  # Flatten every label of every written event tag.
  labels = [
      label for event_tag in storage_writer.GetEventTags()
      for label in event_tag.labels]
  self.assertEqual(len(labels), 4)

  expected_labels = [
      'viper_present', 'viper_project_default', 'viper_tag_darkcomet',
      'viper_tag_rat']
  self.assertEqual(sorted(labels), expected_labels)
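def testExamineEventAndCompileReport(self):
  """Tests the ExamineEvent and CompileReport functions.

  Builds one event per fixture dictionary, each with a fake Windows path
  spec attached, runs the plugin against a Viper endpoint at
  http://localhost:8080 and checks that a single report with a single tag
  (event UUID '8') carrying the four expected labels is produced.

  The fixture dictionaries are copied before the path spec is added so the
  shared self._TEST_EVENTS fixture is not mutated across tests.
  """
  events = []
  for event_dictionary in self._TEST_EVENTS:
    # Shallow copy: the original version assigned into the shared fixture
    # dict, which leaked the 'pathspec' key into every other test.
    event_dictionary = dict(event_dictionary)
    event_dictionary[u'pathspec'] = fake_path_spec.FakePathSpec(
        location=u'C:\\WINDOWS\\system32\\evil.exe')
    events.append(self._CreateTestEventObject(event_dictionary))

  plugin = viper.ViperAnalysisPlugin()
  plugin.SetHost(u'localhost')
  plugin.SetPort(8080)
  # Plain HTTP is only appropriate for the localhost test endpoint.
  plugin.SetProtocol(u'http')

  storage_writer = self._AnalyzeEvents(events, plugin)

  self.assertEqual(len(storage_writer.analysis_reports), 1)

  analysis_report = storage_writer.analysis_reports[0]
  tags = analysis_report.GetTags()
  self.assertEqual(len(tags), 1)

  tag = tags[0]
  self.assertEqual(tag.event_uuid, u'8')

  # Order-sensitive comparison (unlike the sibling tests, which sort): this
  # pins the exact label order the plugin emits.
  expected_labels = [
      u'viper_present', u'viper_project_default', u'viper_tag_rat',
      u'viper_tag_darkcomet']
  self.assertEqual(tag.labels, expected_labels)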
def testParseOptions(self):
  """Tests the ParseOptions function.

  An empty TestOptions object must be rejected with BadConfigOption when a
  real ViperAnalysisPlugin is supplied, and passing None instead of a plugin
  must be rejected with BadConfigObject.
  """
  parse_options = viper_analysis.ViperAnalysisArgumentsHelper.ParseOptions

  options = cli_test_lib.TestOptions()
  analysis_plugin = viper.ViperAnalysisPlugin()

  # No Viper options set at all: the helper must refuse the configuration.
  with self.assertRaises(errors.BadConfigOption):
    parse_options(options, analysis_plugin)

  # Wrong target object type is rejected before option values are looked at.
  with self.assertRaises(errors.BadConfigObject):
    parse_options(options, None)
def testExamineEventAndCompileReport(self):
  """Tests the ExamineEvent and CompileReport functions.

  Runs the plugin against a Viper endpoint at http://localhost:8080 over the
  fixture events and verifies, via the attribute-container API, that one
  'viper' analysis report with a per-label counter of 1 each and one event
  tag carrying the four expected labels are written.
  """
  plugin = viper.ViperAnalysisPlugin()
  plugin.SetHost('localhost')
  plugin.SetPort(8080)
  # Plain HTTP is only appropriate for the localhost test endpoint.
  plugin.SetProtocol('http')

  storage_writer = self._AnalyzeEvents(self._TEST_EVENTS, plugin)

  self.assertEqual(
      storage_writer.GetNumberOfAttributeContainers('analysis_report'), 1)

  analysis_report = storage_writer.GetAttributeContainerByIndex(
      reports.AnalysisReport.CONTAINER_TYPE, 0)
  self.assertIsNotNone(analysis_report)
  self.assertEqual(analysis_report.plugin_name, 'viper')

  # Counter comparison is order-insensitive, unlike the report-text checks
  # in older versions of this test.
  expected_analysis_counter = collections.Counter({
      'viper_present': 1,
      'viper_project_default': 1,
      'viper_tag_darkcomet': 1,
      'viper_tag_rat': 1})
  self.assertEqual(
      analysis_report.analysis_counter, expected_analysis_counter)

  self.assertEqual(
      storage_writer.GetNumberOfAttributeContainers('event_tag'), 1)

  # Flatten every label of every written event tag.
  labels = [
      label for event_tag in storage_writer.GetAttributeContainers(
          events.EventTag.CONTAINER_TYPE)
      for label in event_tag.labels]
  self.assertEqual(len(labels), 4)

  expected_labels = [
      'viper_present', 'viper_project_default', 'viper_tag_darkcomet',
      'viper_tag_rat']
  self.assertEqual(sorted(labels), expected_labels)
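def testExamineEventAndCompileReport(self):
  """Tests the ExamineEvent and CompileReport functions.

  Builds one event per fixture dictionary, each with a fake Windows path
  spec attached, runs the plugin against a Viper endpoint at
  http://localhost:8080 and checks the report text plus the four labels on
  the single written event tag.

  The fixture dictionaries are copied before the path spec is added so the
  shared self._TEST_EVENTS fixture is not mutated across tests.
  """
  events = []
  for event_dictionary in self._TEST_EVENTS:
    # Shallow copy: the original version assigned into the shared fixture
    # dict, which leaked the 'pathspec' key into every other test.
    event_dictionary = dict(event_dictionary)
    event_dictionary[u'pathspec'] = fake_path_spec.FakePathSpec(
        location=u'C:\\WINDOWS\\system32\\evil.exe')
    events.append(self._CreateTestEventObject(event_dictionary))

  plugin = viper.ViperAnalysisPlugin()
  plugin.SetHost(u'localhost')
  plugin.SetPort(8080)
  # Plain HTTP is only appropriate for the localhost test endpoint.
  plugin.SetProtocol(u'http')

  storage_writer = self._AnalyzeEvents(events, plugin)

  self.assertEqual(len(storage_writer.analysis_reports), 1)
  self.assertEqual(len(storage_writer.event_tags), 1)

  report = storage_writer.analysis_reports[0]
  self.assertIsNotNone(report)

  # Order-sensitive: the expected lines are NOT alphabetical here, so this
  # pins whatever order CompileReport emits them in.
  expected_text = (
      u'viper hash tagging results\n'
      u'1 path specifications tagged with label: viper_tag_rat\n'
      u'1 path specifications tagged with label: viper_present\n'
      u'1 path specifications tagged with label: viper_tag_darkcomet\n'
      u'1 path specifications tagged with label: viper_project_default\n'
  )
  self.assertEqual(report.text, expected_text)

  # Flatten every label of every written event tag.
  labels = [
      label for event_tag in storage_writer.event_tags
      for label in event_tag.labels]
  self.assertEqual(len(labels), 4)

  expected_labels = [
      u'viper_present', u'viper_project_default', u'viper_tag_darkcomet',
      u'viper_tag_rat']
  self.assertEqual(sorted(labels), expected_labels)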