def testDocumentOpen(self): """Tests the document_open tagging rule.""" # Test: data_type is 'windows:registry:bagmru' attribute_values_per_name = {} self._CheckTaggingRule(bagmru.BagMRUEventData, attribute_values_per_name, ['document_open']) # Test: data_type is 'windows:registry:mrulist' AND # entries not contains '.exe' AND timestamp > DATETIME(0) event = events.EventObject() event.timestamp = self._TEST_TIMESTAMP event.timestamp_desc = definitions.TIME_DESCRIPTION_UNKNOWN event_data = mrulist.MRUListEventData() event_data.entries = 'Index: 0 [MRU Value a]: file.txt' event_data.parser = 'winreg/mrulist' event.timestamp = 0 storage_writer = self._TagEvent(event, event_data, None) self._CheckLabels(storage_writer, []) event.timestamp = self._TEST_TIMESTAMP storage_writer = self._TagEvent(event, event_data, None) self._CheckLabels(storage_writer, ['document_open']) # Test: data_type is 'windows:registry:mrulistex' AND # entries not contains '.exe' AND timestamp > DATETIME(0) event = events.EventObject() event.timestamp = self._TEST_TIMESTAMP event.timestamp_desc = definitions.TIME_DESCRIPTION_UNKNOWN event_data = mrulistex.MRUListExEventData() event_data.entries = 'Index: 0 [MRU Value 1]: file.txt' event_data.parser = 'winreg/mrulistex' event.timestamp = 0 storage_writer = self._TagEvent(event, event_data, None) self._CheckLabels(storage_writer, []) event.timestamp = self._TEST_TIMESTAMP storage_writer = self._TagEvent(event, event_data, None) self._CheckLabels(storage_writer, ['document_open']) # Test: data_type is 'windows:registry:office_mru' attribute_values_per_name = {} self._CheckTaggingRule(officemru.OfficeMRUWindowsRegistryEventData, attribute_values_per_name, ['document_open']) # Test: data_type is 'windows:registry:office_mru_list' attribute_values_per_name = {} self._CheckTaggingRule(officemru.OfficeMRUListWindowsRegistryEventData, attribute_values_per_name, ['document_open'])
def CreateEventFromValues(event_values): """Creates an event and event data from event values. Args: event_values (dict[str, str]): event values. Returns: tuple[EventObject, EventData, EventDataStream]: event, event data and event data stream for testing. """ copy_of_event_values = dict(event_values) event = events.EventObject() for attribute_name in ('timestamp', 'timestamp_desc'): attribute_value = copy_of_event_values.pop(attribute_name, None) if attribute_value is not None: if attribute_name == 'timestamp' and isinstance( attribute_value, str): attribute_value = shared_test_lib.CopyTimestampFromSring( attribute_value) setattr(event, attribute_name, attribute_value) event_data_stream = events.EventDataStream() for attribute_name in ('path_spec', 'md5_hash', 'sha256_hash'): attribute_value = copy_of_event_values.pop(attribute_name, None) if attribute_value is not None: setattr(event_data_stream, attribute_name, attribute_value) event_data = events.EventData() event_data.CopyFromDict(copy_of_event_values) return event, event_data, event_data_stream
def testRuleDeviceDisconnection(self): """Tests the device_disconnection tagging rule.""" event = events.EventObject() event.timestamp = self._TEST_TIMESTAMP event.timestamp_desc = definitions.TIME_DESCRIPTION_UNKNOWN # Test: reporter is 'kernel' AND body contains 'USB disconnect' event_data = syslog.SyslogLineEventData() event_data.reporter = 'kernel' event_data.body = 'bogus' storage_writer = self._TagEvent(event, event_data) self.assertEqual(storage_writer.number_of_event_tags, 0) self._CheckLabels(storage_writer, []) event_data.reporter = 'bogus' event_data.body = 'USB disconnect' storage_writer = self._TagEvent(event, event_data) self.assertEqual(storage_writer.number_of_event_tags, 0) self._CheckLabels(storage_writer, []) event_data.reporter = 'kernel' storage_writer = self._TagEvent(event, event_data) self.assertEqual(storage_writer.number_of_event_tags, 1) self._CheckLabels(storage_writer, ['device_disconnection'])
def testWriteSerialized(self): """Tests the WriteSerialized function.""" event_object = events.EventObject() event_object.data_type = u'test:event2' event_object.timestamp = 1234124 event_object.timestamp_desc = u'Written' # Prevent the event object for generating its own UUID. event_object.uuid = u'5a78777006de4ddb8d7bbe12ab92ccf8' event_object.binary_string = b'\xc0\x90\x90binary' event_object.empty_string = u'' event_object.zero_integer = 0 event_object.integer = 34 event_object.string = u'Normal string' event_object.unicode_string = u'And I am a unicorn.' event_object.my_list = [u'asf', 4234, 2, 54, u'asf'] event_object.my_dict = { u'a': u'not b', u'c': 34, u'list': [u'sf', 234], u'an': [234, 32] } event_object.a_tuple = (u'some item', [234, 52, 15], { u'a': u'not a', u'b': u'not b' }, 35) event_object.null_value = None json_string = self._TestWriteSerialized(self._serializer, event_object, self._json_dict) event_object = self._serializer.ReadSerialized(json_string)
def testReadAndWriteSerializedEventObject(self): """Test ReadSerialized and WriteSerialized of EventObject.""" expected_event = events.EventObject() expected_event.parser = 'test_parser' expected_event.timestamp = 1234124 expected_event.timestamp_desc = 'Written' json_string = ( json_serializer.JSONAttributeContainerSerializer.WriteSerialized( expected_event)) self.assertIsNotNone(json_string) event = json_serializer.JSONAttributeContainerSerializer.ReadSerialized( json_string) self.assertIsNotNone(event) self.assertIsInstance(event, events.EventObject) expected_event_dict = { 'parser': 'test_parser', 'timestamp': 1234124, 'timestamp_desc': 'Written'} event_dict = event.CopyToDict() self.assertEqual(event_dict, expected_event_dict)
def CreateEventFromValues(event_values): """Creates an event and event data from event values. Args: event_values (dict[str, str]): event values. Returns: tuple[EventObject, EventData]: event and event data for testing. """ copy_of_event_values = dict(event_values) timestamp = copy_of_event_values.get('timestamp', None) if 'timestamp' in copy_of_event_values: del copy_of_event_values['timestamp'] timestamp_desc = copy_of_event_values.get('timestamp_desc', None) if 'timestamp_desc' in copy_of_event_values: del copy_of_event_values['timestamp_desc'] event = events.EventObject() event.timestamp = timestamp event.timestamp_desc = timestamp_desc event_data = events.EventData() event_data.CopyFromDict(copy_of_event_values) return event, event_data
def testRuleDeviceConnection(self): """Tests the device_connection tagging rule.""" event = events.EventObject() event.timestamp = self._TEST_TIMESTAMP event.timestamp_desc = definitions.TIME_DESCRIPTION_UNKNOWN event_data = ipod.IPodPlistEventData() storage_writer = self._TagEvent(event, event_data) self.assertEqual(storage_writer.number_of_event_tags, 1) self._CheckLabels(storage_writer, ['device_connection']) event_data = plist_event.PlistTimeEventData() event_data.plugin = 'bogus' storage_writer = self._TagEvent(event, event_data) self.assertEqual(storage_writer.number_of_event_tags, 0) self._CheckLabels(storage_writer, []) event_data = plist_event.PlistTimeEventData() event_data.plugin = 'plist_airport' storage_writer = self._TagEvent(event, event_data) self.assertEqual(storage_writer.number_of_event_tags, 1) self._CheckLabels(storage_writer, ['device_connection'])
def testRuleApplicationExecution(self): """Tests the application_execution tagging rule.""" event = events.EventObject() event.timestamp = self._TEST_TIMESTAMP event.timestamp_desc = definitions.TIME_DESCRIPTION_UNKNOWN event_data = appusage.MacOSApplicationUsageEventData() storage_writer = self._TagEvent(event, event_data) self.assertEqual(storage_writer.number_of_event_tags, 1) self._CheckLabels(storage_writer, ['application_execution']) event_data = syslog.SyslogLineEventData() event_data.body = 'some random log message' storage_writer = self._TagEvent(event, event_data) self.assertEqual(storage_writer.number_of_event_tags, 0) self._CheckLabels(storage_writer, []) event_data = syslog.SyslogLineEventData() event_data.body = 'somethin invoked COMMAND=/bin/launchctl' storage_writer = self._TagEvent(event, event_data) self.assertEqual(storage_writer.number_of_event_tags, 1) self._CheckLabels(storage_writer, ['application_execution'])
def testFileDownload(self): """Tests the file_download tagging rule.""" # Test: data_type is 'chrome:history:file_downloaded' attribute_values_per_name = {} self._CheckTaggingRule( chrome_history.ChromeHistoryFileDownloadedEventData, attribute_values_per_name, ['file_download']) # Test: timestamp_desc is 'File Downloaded' event = events.EventObject() event.timestamp = self._TEST_TIMESTAMP event.timestamp_desc = definitions.TIME_DESCRIPTION_UNKNOWN event_data = utorrent.UTorrentEventData() storage_writer = self._TagEvent(event, event_data, None) self.assertEqual(storage_writer.number_of_event_tags, 0) self._CheckLabels(storage_writer, []) event.timestamp_desc = definitions.TIME_DESCRIPTION_FILE_DOWNLOADED storage_writer = self._TagEvent(event, event_data, None) self.assertEqual(storage_writer.number_of_event_tags, 1) self._CheckLabels(storage_writer, ['file_download'])
def testRuleAutorun(self): """Tests the autorun tagging rule.""" # Test: data_type is 'fs:stat' AND # timestamp_desc is 'Creation Time' AND # filename contains PATH('LaunchAgents') AND # filename contains '.plist' event = events.EventObject() event.timestamp = self._TEST_TIMESTAMP event.timestamp_desc = definitions.TIME_DESCRIPTION_CREATION event_data = filestat.FileStatEventData() event_data.filename = '/LaunchDaemons/test.plist' event_data.parser = 'filestat' storage_writer = self._TagEvent(event, event_data, None) self._CheckLabels(storage_writer, []) event_data = filestat.FileStatEventData() event_data.filename = '/LaunchAgents/test.plist' event_data.parser = 'filestat' storage_writer = self._TagEvent(event, event_data, None) self._CheckLabels(storage_writer, ['autorun'])
def testMatch(self): """Tests the Match function.""" test_filter = event_filter.EventObjectFilter() test_filter.CompileFilter( 'timestamp is DATETIME("2020-12-23T15:00:00")') event = events.EventObject() event.timestamp = 1608735600000000 result = test_filter.Match(event, None, None, None) self.assertTrue(result) test_filter = event_filter.EventObjectFilter() test_filter.CompileFilter('filename contains PATH("etc/issue")') event_data = events.EventData() event_data.filename = '/usr/local/etc/issue' result = test_filter.Match(None, event_data, None, None) self.assertTrue(result) event_data.filename = '/etc/issue.net' result = test_filter.Match(None, event_data, None, None) self.assertFalse(result)
def testWriteSerializedAttributeContainerList(self): """Tests the _WriteSerializedAttributeContainerList function.""" event_data = events.EventData() event = events.EventObject() with shared_test_lib.TempDirectory() as temp_directory: temp_file = os.path.join(temp_directory, 'plaso.sqlite') storage_file = sqlite_file.SQLiteStorageFile() storage_file.Open(path=temp_file, read_only=False) storage_file._AddAttributeContainer( storage_file._CONTAINER_TYPE_EVENT_DATA, event_data) storage_file._WriteSerializedAttributeContainerList( storage_file._CONTAINER_TYPE_EVENT_DATA) event.timestamp = 0x7fffffffffffffff storage_file._AddSerializedEvent(event) storage_file._WriteSerializedAttributeContainerList( storage_file._CONTAINER_TYPE_EVENT) event.timestamp = 0x8000000000000000 storage_file._AddSerializedEvent(event) with self.assertRaises(OverflowError): storage_file._WriteSerializedAttributeContainerList( storage_file._CONTAINER_TYPE_EVENT) storage_file.Close()
def testCopyToDict(self): """Tests the CopyToDict function.""" event = events.EventObject() event.timestamp = 123 event.timestamp_desc = u'LAST WRITTEN' event.data_type = u'mock:nothing' event.inode = 124 event.filename = u'c:/bull/skrytinmappa/skra.txt' event.another_attribute = False event.metadata = { u'author': u'Some Random Dude', u'version': 1245, u'last_changed': u'Long time ago'} event.strings = [u'This ', u'is a ', u'long string'] event.uuid = u'11fca043ea224a688137deaa8d162807' expected_dict = { u'another_attribute': False, u'data_type': 'mock:nothing', u'filename': u'c:/bull/skrytinmappa/skra.txt', u'inode': 124, u'metadata': { u'author': u'Some Random Dude', u'last_changed': u'Long time ago', u'version': 1245}, u'strings': [u'This ', u'is a ', u'long string'], u'timestamp': 123, u'timestamp_desc': u'LAST WRITTEN', u'uuid': u'11fca043ea224a688137deaa8d162807'} test_dict = event.CopyToDict() self.assertEqual(test_dict, expected_dict)
def testLoginFailed(self): """Tests the login_failed tagging rule.""" event = events.EventObject() event.timestamp = self._TEST_TIMESTAMP event.timestamp_desc = definitions.TIME_DESCRIPTION_UNKNOWN # Test: data_type is 'windows:evtx:record' AND # source_name is 'Microsoft-Windows-Security-Auditing' AND # event_identifier is 4625 event_data = winevtx.WinEvtxRecordEventData() event_data.event_identifier = 4625 event_data.source_name = 'bogus' storage_writer = self._TagEvent(event, event_data) self.assertEqual(storage_writer.number_of_event_tags, 0) self._CheckLabels(storage_writer, []) event_data.event_identifier = 1 event_data.source_name = 'Microsoft-Windows-Security-Auditing' storage_writer = self._TagEvent(event, event_data) self.assertEqual(storage_writer.number_of_event_tags, 0) self._CheckLabels(storage_writer, []) event_data.event_identifier = 4625 storage_writer = self._TagEvent(event, event_data) self.assertEqual(storage_writer.number_of_event_tags, 1) self._CheckLabels(storage_writer, ['login_failed'])
def _ConvertDictToEventObject(self, json_dict): """Converts a JSON dict into an event object. The dictionary of the JSON serialized objects consists of: { '__type__': 'EventObject' 'pathspec': { ... } 'tag': { ... } ... } Here '__type__' indicates the object base type. In this case this should be 'EventObject'. The rest of the elements of the dictionary make up the event object properties. Args: json_dict: a dictionary of the JSON serialized objects. Returns: An event object (instance of EventObject). """ event_object = events.EventObject() for key, value in iter(json_dict.items()): setattr(event_object, key, value) return event_object
def testRuleRunlevel(self): """Tests the runlevel tagging rule.""" event = events.EventObject() event.timestamp = self._TEST_TIMESTAMP event.timestamp_desc = definitions.TIME_DESCRIPTION_UNKNOWN # Test: data_type is 'linux:utmp:event' AND type == 1 AND # username is 'runlevel' event_data = utmp.UtmpEventData() event_data.type = 0 event_data.username = '******' storage_writer = self._TagEvent(event, event_data) self.assertEqual(storage_writer.number_of_event_tags, 0) self._CheckLabels(storage_writer, []) event_data.type = 1 event_data.username = '******' storage_writer = self._TagEvent(event, event_data) self.assertEqual(storage_writer.number_of_event_tags, 0) self._CheckLabels(storage_writer, []) event_data.username = '******' storage_writer = self._TagEvent(event, event_data) self.assertEqual(storage_writer.number_of_event_tags, 1) self._CheckLabels(storage_writer, ['runlevel'])
def testReadAndWriteSerializedEventObject(self): """Test ReadSerialized and WriteSerialized of EventObject.""" expected_event = events.EventObject() expected_event.date_time = dfdatetime_posix_time.PosixTime( timestamp=1621839644) expected_event.timestamp = 1621839644 expected_event.timestamp_desc = definitions.TIME_DESCRIPTION_MODIFICATION json_string = (json_serializer.JSONAttributeContainerSerializer. WriteSerialized(expected_event)) self.assertIsNotNone(json_string) event = json_serializer.JSONAttributeContainerSerializer.ReadSerialized( json_string) self.assertIsNotNone(event) self.assertIsInstance(event, events.EventObject) expected_event_dict = { 'date_time': expected_event.date_time, 'timestamp': 1621839644, 'timestamp_desc': definitions.TIME_DESCRIPTION_MODIFICATION } event_dict = event.CopyToDict() self.assertEqual(event_dict, expected_event_dict)
def testRuleAutorun(self): """Tests the autorun tagging rule.""" # Test: data_type is 'fs:stat' AND # timestamp_desc is 'HFS_DETECT crtime' AND # filename contains 'LaunchAgents/' AND # filename contains '.plist' event = events.EventObject() event.timestamp = self._TEST_TIMESTAMP event.timestamp_desc = 'HFS_DETECT crtime' event_data = filestat.FileStatEventData() event_data.filename = '/LaunchDaemons/test.plist' storage_writer = self._TagEvent(event, event_data, None) self.assertEqual(storage_writer.number_of_event_tags, 0) self._CheckLabels(storage_writer, []) event_data = filestat.FileStatEventData() event_data.filename = '/LaunchAgents/test.plist' storage_writer = self._TagEvent(event, event_data, None) self.assertEqual(storage_writer.number_of_event_tags, 1) self._CheckLabels(storage_writer, ['autorun'])
def testRuleFileDownload(self): """Tests the file_download tagging rule.""" # Test: data_type is 'chrome:history:file_downloaded' attribute_values_per_name = {} self._CheckTaggingRule( chrome_history.ChromeHistoryFileDownloadedEventData, attribute_values_per_name, ['file_download']) # Test: data_type is 'macosx:lsquarantine' attribute_values_per_name = {} self._CheckTaggingRule( ls_quarantine.LsQuarantineEventData, attribute_values_per_name, ['file_download']) # Test: timestamp_desc is 'File Downloaded' event = events.EventObject() event.timestamp = self._TEST_TIMESTAMP event.timestamp_desc = definitions.TIME_DESCRIPTION_UNKNOWN event_data = filestat.FileStatEventData() event_data.parser = 'filestat' storage_writer = self._TagEvent(event, event_data, None) self._CheckLabels(storage_writer, []) event.timestamp_desc = definitions.TIME_DESCRIPTION_FILE_DOWNLOADED storage_writer = self._TagEvent(event, event_data, None) self._CheckLabels(storage_writer, ['file_download'])
def testProduceEventWithEventData(self): """Tests the ProduceEventWithEventData method.""" knowledge_base_object = knowledge_base.KnowledgeBase() parser_mediator = mediator.ParserMediator(knowledge_base_object) storage_writer = fake_writer.FakeStorageWriter() parser_mediator.SetStorageWriter(storage_writer) storage_writer.Open() event_data_stream = events.EventDataStream() parser_mediator.ProduceEventDataStream(event_data_stream) date_time = fake_time.FakeTime() event_with_timestamp = time_events.DateTimeValuesEvent( date_time, definitions.TIME_DESCRIPTION_WRITTEN) event_with_timestamp.parser = 'test_parser' event_data = events.EventData() event_data.parser = 'test_parser' parser_mediator.ProduceEventWithEventData(event_with_timestamp, event_data) self.assertEqual(storage_writer.number_of_events, 1) self.assertEqual(storage_writer.number_of_extraction_warnings, 0) self.assertEqual(storage_writer.number_of_recovery_warnings, 0) event_without_timestamp = events.EventObject() event_without_timestamp.parser = 'test_parser' with self.assertRaises(errors.InvalidEvent): parser_mediator.ProduceEventWithEventData(event_without_timestamp, event_data)
def testRuleSessionStop(self): """Tests the session_stop tagging rule.""" event = events.EventObject() event.timestamp = self._TEST_TIMESTAMP event.timestamp_desc = definitions.TIME_DESCRIPTION_UNKNOWN # Test: reporter is 'systemd-logind' and body contains 'Removed session' event_data = syslog.SyslogLineEventData() event_data.reporter = 'systemd-logind' event_data.body = 'bogus' storage_writer = self._TagEvent(event, event_data) self.assertEqual(storage_writer.number_of_event_tags, 0) self._CheckLabels(storage_writer, []) event_data.reporter = 'bogus' event_data.body = 'Removed session' storage_writer = self._TagEvent(event, event_data) self.assertEqual(storage_writer.number_of_event_tags, 0) self._CheckLabels(storage_writer, []) event_data.reporter = 'systemd-logind' storage_writer = self._TagEvent(event, event_data) self.assertEqual(storage_writer.number_of_event_tags, 1) self._CheckLabels(storage_writer, ['session_stop'])
def testApplicationUpdate(self): """Tests the application_update tagging rule.""" event = events.EventObject() event.timestamp = self._TEST_TIMESTAMP event.timestamp_desc = definitions.TIME_DESCRIPTION_UNKNOWN # Test: data_type is 'windows:evtx:record' AND # source_name is 'Microsoft-Windows-Application-Experience' AND # event_identifier is 905 event_data = winevtx.WinEvtxRecordEventData() event_data.event_identifier = 905 event_data.source_name = 'bogus' storage_writer = self._TagEvent(event, event_data) self.assertEqual(storage_writer.number_of_event_tags, 0) self._CheckLabels(storage_writer, []) event_data.event_identifier = 1 event_data.source_name = 'Microsoft-Windows-Application-Experience' storage_writer = self._TagEvent(event, event_data) self.assertEqual(storage_writer.number_of_event_tags, 0) self._CheckLabels(storage_writer, []) event_data.event_identifier = 905 storage_writer = self._TagEvent(event, event_data) self.assertEqual(storage_writer.number_of_event_tags, 1) self._CheckLabels(storage_writer, ['application_update'])
def testRuleFileDownload(self): """Tests the file_download tagging rule.""" event = events.EventObject() event.timestamp = self._TEST_TIMESTAMP event.timestamp_desc = definitions.TIME_DESCRIPTION_UNKNOWN event_data = chrome.ChromeHistoryFileDownloadedEventData() storage_writer = self._TagEvent(event, event_data) self.assertEqual(storage_writer.number_of_event_tags, 1) self._CheckLabels(storage_writer, ['file_download']) event_data = ls_quarantine.LsQuarantineEventData() storage_writer = self._TagEvent(event, event_data) self.assertEqual(storage_writer.number_of_event_tags, 1) self._CheckLabels(storage_writer, ['file_download']) event_data = filestat.FileStatEventData() storage_writer = self._TagEvent(event, event_data) self.assertEqual(storage_writer.number_of_event_tags, 0) self._CheckLabels(storage_writer, []) event.timestamp_desc = definitions.TIME_DESCRIPTION_FILE_DOWNLOADED storage_writer = self._TagEvent(event, event_data) self.assertEqual(storage_writer.number_of_event_tags, 1) self._CheckLabels(storage_writer, ['file_download'])
def _CreateTestEventObject(self, path): """Create a test event object with a particular path.""" event_object = events.EventObject() event_object.data_type = 'fs:stat' event_object.timestamp = 12345 event_object.timestamp_desc = u'Some stuff' event_object.filename = path return event_object
def testProduceEventWithEventData(self): """Tests the ProduceEventWithEventData method.""" session = sessions.Session() storage_writer = fake_writer.FakeStorageWriter(session) storage_writer.Open() parsers_mediator = self._CreateParserMediator(storage_writer) event_with_timestamp = events.EventObject() event_with_timestamp.timestamp = fake_time.FakeTime() event_data = events.EventData() parsers_mediator.ProduceEventWithEventData(event_with_timestamp, event_data) self.assertEqual(storage_writer.number_of_events, 1) event_without_timestamp = events.EventObject() with self.assertRaises(errors.InvalidEvent): parsers_mediator.ProduceEventWithEventData(event_without_timestamp, event_data)
def testEqualityStringFileStatParserMissingInode(self): """Test that FileStatParser files with missing inodes are distinct""" event_a = events.EventObject() event_b = events.EventObject() event_a.timestamp = 123 event_a.timestamp_desc = u'LAST WRITTEN' event_a.data_type = u'mock:nothing' event_a.parser = u'filestat' event_a.filename = u'c:/bull/skrytinmappa/skra.txt' event_a.another_attribute = False event_b.timestamp = 123 event_b.timestamp_desc = u'LAST WRITTEN' event_b.data_type = u'mock:nothing' event_b.parser = u'filestat' event_b.filename = u'c:/bull/skrytinmappa/skra.txt' event_b.another_attribute = False self.assertNotEqual(event_a.EqualityString(), event_b.EqualityString())
def ReadSerializedObject(cls, proto): """Reads an event object from serialized form. Args: proto: a protobuf object containing the serialized form (instance of plaso_storage_pb2.EventObject). Returns: An event object (instance of EventObject). """ event_object = events.EventObject() event_object.data_type = proto.data_type for proto_attribute, value in proto.ListFields(): if proto_attribute.name == u'source_short': event_object.source_short = cls._SOURCE_SHORT_FROM_PROTO_MAP[value] elif proto_attribute.name == u'pathspec': event_object.pathspec = ( cls._path_spec_serializer.ReadSerialized(proto.pathspec)) elif proto_attribute.name == u'tag': event_object.tag = ProtobufEventTagSerializer.ReadSerializedObject( proto.tag) elif proto_attribute.name == u'attributes': continue else: # Register the attribute correctly. # The attribute can be a 'regular' high level attribute or # a message (Dict/Array) that need special handling. if isinstance(value, message.Message): if value.DESCRIPTOR.full_name.endswith('.Dict'): value = ProtobufEventAttributeSerializer.ReadSerializedDictObject( value) elif value.DESCRIPTOR.full_name.endswith('.Array'): value = ProtobufEventAttributeSerializer.ReadSerializedListObject( value) else: value = ProtobufEventAttributeSerializer.ReadSerializedObject(value) setattr(event_object, proto_attribute.name, value) # The plaso_storage_pb2.EventObject protobuf contains a field named # attributes which technically not a Dict but behaves similar. dict_object = ProtobufEventAttributeSerializer.ReadSerializedDictObject( proto) for attribute, value in iter(dict_object.items()): setattr(event_object, attribute, value) return event_object
def testAddSerializedEvent(self): """Tests the _AddSerializedEvent function.""" event = events.EventObject() with shared_test_lib.TempDirectory() as temp_directory: temp_file = os.path.join(temp_directory, 'plaso.sqlite') storage_file = sqlite_file.SQLiteStorageFile() storage_file.Open(path=temp_file, read_only=False) storage_file._AddSerializedEvent(event) storage_file.Close()
def _CreateTestEventObject(self, event_dictionary): """Create a test event with a set of attributes. Args: event_dictionary (dict[str, str]): contains attributes of an event. Returns: EventObject: event with the appropriate attributes for testing. """ event = events.EventObject() event.CopyFromDict(event_dictionary) return event
def testGetAttributeNames(self): """Tests the GetAttributeNames function.""" attribute_container = events.EventObject() expected_attribute_names = [ '_event_data_row_identifier', 'parser', 'timestamp', 'timestamp_desc' ] attribute_names = sorted(attribute_container.GetAttributeNames()) self.assertEqual(attribute_names, expected_attribute_names)