def testVirusTotalLookup(self):
  """Tests for the VirusTotal analysis plugin.

  Pushes the class-level test events through a single-process queue into
  the plugin (configured with the fake API key) and checks that exactly
  one report with exactly one tag comes back for event '8'.
  """
  event_queue = single_process.SingleProcessQueue()
  knowledge_base = self._SetUpKnowledgeBase()

  # Fill the incoming queue with events.
  producer = queue.ItemQueueProducer(event_queue)
  producer.ProduceItems(
      [self._CreateTestEventObject(entry) for entry in self.TEST_EVENTS])

  analysis_plugin = virustotal.VirusTotalAnalysisPlugin(event_queue)
  analysis_plugin.SetAPIKey(self.FAKE_API_KEY)

  # Run the analysis plugin and collect the reports it produced.
  report_consumer = self._RunAnalysisPlugin(analysis_plugin, knowledge_base)
  analysis_reports = self._GetAnalysisReportsFromQueue(report_consumer)
  self.assertEqual(len(analysis_reports), 1)

  tags = analysis_reports[0].GetTags()
  self.assertEqual(len(tags), 1)

  tag = tags[0]
  self.assertEqual(tag.event_uuid, u'8')
  self.assertEqual(tag.tags[0], u'VirusTotal Detections 10')
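def testExamineEventAndCompileReport(self):
  """Tests the ExamineEvent and CompileReport functions.

  Every test event dictionary is given a path specification before the
  event object is built. The dictionaries are copied first so the shared
  class-level _TEST_EVENTS fixture is left untouched for other tests.
  """
  events = []
  for event_dictionary in self._TEST_EVENTS:
    # Copy instead of assigning into the shared fixture: mutating it would
    # leak the injected pathspec into any other test that reads it.
    event_dictionary = dict(
        event_dictionary,
        pathspec=fake_path_spec.FakePathSpec(
            location='C:\\WINDOWS\\system32\\evil.exe'))
    events.append(self._CreateTestEventObject(event_dictionary))

  plugin = virustotal.VirusTotalAnalysisPlugin()
  plugin.SetAPIKey(self._FAKE_API_KEY)

  storage_writer = self._AnalyzeEvents(events, plugin)

  self.assertEqual(len(storage_writer.analysis_reports), 1)
  self.assertEqual(storage_writer.number_of_event_tags, 1)

  report = storage_writer.analysis_reports[0]
  self.assertIsNotNone(report)

  expected_text = (
      'virustotal hash tagging results\n'
      '1 path specifications tagged with label: virustotal_detections_10\n')
  self.assertEqual(report.text, expected_text)

  labels = [
      label for event_tag in storage_writer.GetEventTags()
      for label in event_tag.labels]
  self.assertEqual(len(labels), 1)

  expected_labels = ['virustotal_detections_10']
  self.assertEqual(labels, expected_labels)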
def testExamineEventAndCompileReport(self):
  """Tests the ExamineEvent and CompileReport functions.

  Runs the plugin over the class-level test events and verifies one
  report with the expected text and a single detections label.
  """
  plugin = virustotal.VirusTotalAnalysisPlugin()
  plugin.SetAPIKey(self._FAKE_API_KEY)

  storage_writer = self._AnalyzeEvents(self._TEST_EVENTS, plugin)

  self.assertEqual(len(storage_writer.analysis_reports), 1)
  self.assertEqual(storage_writer.number_of_event_tags, 1)

  report = storage_writer.analysis_reports[0]
  self.assertIsNotNone(report)

  expected_text = (
      'virustotal hash tagging results\n'
      '1 path specifications tagged with label: virustotal_detections_10\n')
  self.assertEqual(report.text, expected_text)

  # Flatten the labels of every event tag into one list.
  labels = []
  for event_tag in storage_writer.GetEventTags():
    labels += list(event_tag.labels)
  self.assertEqual(len(labels), 1)

  self.assertEqual(labels, ['virustotal_detections_10'])
def testExamineEventAndCompileReport(self):
  """Tests the ExamineEvent and CompileReport functions.

  Runs the plugin over the class-level test events and checks the stored
  analysis report (plugin name and analysis counter) and the single
  event tag written alongside it.
  """
  plugin = virustotal.VirusTotalAnalysisPlugin()
  plugin.SetAPIKey(self._FAKE_API_KEY)

  storage_writer = self._AnalyzeEvents(self._TEST_EVENTS, plugin)

  self.assertEqual(
      storage_writer.GetNumberOfAttributeContainers('analysis_report'), 1)

  analysis_report = storage_writer.GetAttributeContainerByIndex(
      reports.AnalysisReport.CONTAINER_TYPE, 0)
  self.assertIsNotNone(analysis_report)

  self.assertEqual(analysis_report.plugin_name, 'virustotal')

  expected_counter = collections.Counter(virustotal_detections_10=1)
  self.assertEqual(analysis_report.analysis_counter, expected_counter)

  self.assertEqual(
      storage_writer.GetNumberOfAttributeContainers('event_tag'), 1)

  # Flatten the labels of every stored event tag into one list.
  event_tags = storage_writer.GetAttributeContainers(
      events.EventTag.CONTAINER_TYPE)
  labels = [label for event_tag in event_tags for label in event_tag.labels]
  self.assertEqual(len(labels), 1)

  self.assertEqual(labels, ['virustotal_detections_10'])
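def testExamineEventAndCompileReport(self):
  """Tests the ExamineEvent and CompileReport functions.

  Every test event dictionary is given a path specification before the
  event object is built. The dictionaries are copied first so the shared
  class-level _TEST_EVENTS fixture is left untouched for other tests.
  """
  events = []
  for event_dictionary in self._TEST_EVENTS:
    # Copy instead of assigning into the shared fixture: mutating it would
    # leak the injected pathspec into any other test that reads it.
    event_dictionary = dict(
        event_dictionary,
        pathspec=fake_path_spec.FakePathSpec(
            location=u'C:\\WINDOWS\\system32\\evil.exe'))
    events.append(self._CreateTestEventObject(event_dictionary))

  plugin = virustotal.VirusTotalAnalysisPlugin()
  plugin.SetAPIKey(self._FAKE_API_KEY)

  storage_writer = self._AnalyzeEvents(events, plugin)

  self.assertEqual(len(storage_writer.analysis_reports), 1)

  analysis_report = storage_writer.analysis_reports[0]

  tags = analysis_report.GetTags()
  self.assertEqual(len(tags), 1)

  tag = tags[0]
  self.assertEqual(tag.event_uuid, u'8')
  self.assertEqual(tag.labels[0], u'virustotal_detections_10')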
def testParseOptions(self):
  """Tests the ParseOptions function.

  Checks that the arguments helper rejects options without an API key,
  accepts them once a key is set, and rejects a target that is not an
  analysis plugin.
  """
  helper = virustotal_analysis.VirusTotalAnalysisArgumentsHelper
  options = cli_test_lib.TestOptions()
  analysis_plugin = virustotal.VirusTotalAnalysisPlugin()

  # No API key configured: the helper must fail rather than continue.
  with self.assertRaises(errors.BadConfigOption):
    helper.ParseOptions(options, analysis_plugin)

  options.virustotal_api_key = u'TEST'
  helper.ParseOptions(options, analysis_plugin)

  # A target that is not an analysis plugin is a configuration object error.
  with self.assertRaises(errors.BadConfigObject):
    helper.ParseOptions(options, None)