def _CreateTestEventTags(self): """Creates the event tags for testing. Returns: A list of event tags (instances of EventTag). """ event_tags = [] event_tag = events.EventTag() event_tag.store_index = 0 event_tag.store_number = 1 event_tag.comment = u'My comment' event_tags.append(event_tag) event_tag = events.EventTag() event_tag.store_index = 1 event_tag.store_number = 1 event_tag.AddLabel(u'Malware') event_tags.append(event_tag) event_tag = events.EventTag() event_tag.store_number = 1 event_tag.store_index = 2 event_tag.comment = u'This is interesting' event_tag.AddLabels([u'Malware', u'Benign']) event_tags.append(event_tag) event_tag = events.EventTag() event_tag.store_index = 1 event_tag.store_number = 1 event_tag.AddLabel(u'Interesting') event_tags.append(event_tag) return event_tags
def testAddOrUpdateEventTag(self): """Tests the AddOrUpdateEventTag function.""" with shared_test_lib.TempDirectory() as temp_directory: test_path = os.path.join(temp_directory, 'plaso.sqlite') storage_writer = sqlite_writer.SQLiteStorageFileWriter() storage_writer.Open(path=test_path) try: test_events = self._AddTestEvents(storage_writer) event_tag = events.EventTag() event_identifier = test_events[1].GetIdentifier() event_tag.SetEventIdentifier(event_identifier) event_tag.AddLabel('Label1') number_of_containers = storage_writer.GetNumberOfAttributeContainers( event_tag.CONTAINER_TYPE) self.assertEqual(number_of_containers, 0) storage_writer.AddOrUpdateEventTag(event_tag) number_of_containers = storage_writer.GetNumberOfAttributeContainers( event_tag.CONTAINER_TYPE) self.assertEqual(number_of_containers, 1) event_tag = events.EventTag() event_identifier = test_events[2].GetIdentifier() event_tag.SetEventIdentifier(event_identifier) event_tag.AddLabel('Label2') storage_writer.AddOrUpdateEventTag(event_tag) number_of_containers = storage_writer.GetNumberOfAttributeContainers( event_tag.CONTAINER_TYPE) self.assertEqual(number_of_containers, 2) event_tag = events.EventTag() event_identifier = test_events[1].GetIdentifier() event_tag.SetEventIdentifier(event_identifier) event_tag.AddLabel('AnotherLabel1') storage_writer.AddOrUpdateEventTag(event_tag) number_of_containers = storage_writer.GetNumberOfAttributeContainers( event_tag.CONTAINER_TYPE) self.assertEqual(number_of_containers, 2) event_tags = list( storage_writer.GetAttributeContainers( event_tag.CONTAINER_TYPE)) self.assertEqual(event_tags[0].labels, ['Label1', 'AnotherLabel1']) self.assertEqual(event_tags[1].labels, ['Label2']) finally: storage_writer.Close()
def testAddOrUpdateEventTag(self): """Tests the AddOrUpdateEventTag function.""" storage_writer = fake_writer.FakeStorageWriter() storage_writer.Open() try: test_events = self._AddTestEvents(storage_writer) event_tag = events.EventTag() event_identifier = test_events[1].GetIdentifier() event_tag.SetEventIdentifier(event_identifier) event_tag.AddLabel('Label1') number_of_containers = storage_writer.GetNumberOfAttributeContainers( event_tag.CONTAINER_TYPE) self.assertEqual(number_of_containers, 0) storage_writer.AddOrUpdateEventTag(event_tag) number_of_containers = storage_writer.GetNumberOfAttributeContainers( event_tag.CONTAINER_TYPE) self.assertEqual(number_of_containers, 1) event_tag = events.EventTag() event_identifier = test_events[2].GetIdentifier() event_tag.SetEventIdentifier(event_identifier) event_tag.AddLabel('Label2') storage_writer.AddOrUpdateEventTag(event_tag) number_of_containers = storage_writer.GetNumberOfAttributeContainers( event_tag.CONTAINER_TYPE) self.assertEqual(number_of_containers, 2) event_tag = events.EventTag() event_identifier = test_events[1].GetIdentifier() event_tag.SetEventIdentifier(event_identifier) event_tag.AddLabel('AnotherLabel1') storage_writer.AddOrUpdateEventTag(event_tag) number_of_containers = storage_writer.GetNumberOfAttributeContainers( event_tag.CONTAINER_TYPE) self.assertEqual(number_of_containers, 2) event_tags = list( storage_writer.GetAttributeContainers( event_tag.CONTAINER_TYPE)) self.assertEqual(event_tags[0].labels, ['Label1', 'AnotherLabel1']) self.assertEqual(event_tags[1].labels, ['Label2']) finally: storage_writer.Close()
def testWriteEventBody(self): """Tests the WriteEventBody function.""" formatters_manager.FormattersManager.RegisterFormatter( L2TTestEventFormatter) event, event_data = containers_test_lib.CreateEventFromValues( self._TEST_EVENTS[0]) event_tag = events.EventTag() event_tag.AddLabels(['Malware', 'Printed']) self._formatter.WriteEventBody(event, event_data, event_tag) expected_event_body = ( '06/27/2012,18:17:01,UTC,M...,LOG,Syslog,Content Modification Time,-,' 'ubuntu,Reporter <CRON> PID: 8442 (pam_unix(cron:session): session ' 'closed for user root),Reporter <CRON> PID: 8442 ' '(pam_unix(cron:session): session closed for user root),' '2,log/syslog.1,-,Malware Printed,' '-,a_binary_field: binary; my_number: 123; some_additional_foo: True\n' ) event_body = self._output_writer.ReadOutput() self.assertEqual(event_body, expected_event_body) # Ensure that the only commas returned are the 16 delimiters. self.assertEqual(event_body.count(','), 16) formatters_manager.FormattersManager.DeregisterFormatter( L2TTestEventFormatter)
def testWriteEventBody(self): """Tests the WriteEventBody function.""" test_file_object = io.StringIO() output_mediator = self._CreateOutputMediator() formatters_directory_path = self._GetTestFilePath(['formatters']) output_mediator.ReadMessageFormattersFromDirectory( formatters_directory_path) output_module = l2t_csv.L2TCSVOutputModule(output_mediator) output_module._file_object = test_file_object event, event_data, event_data_stream = ( containers_test_lib.CreateEventFromValues(self._TEST_EVENTS[0])) event_tag = events.EventTag() event_tag.AddLabels(['Malware', 'Printed']) output_module.WriteEventBody( event, event_data, event_data_stream, event_tag) expected_event_body = ( '06/27/2012,18:17:01,UTC,M...,FILE,Test log file,Content Modification ' 'Time,-,ubuntu,Reporter <CRON> PID: 8442 (pam_unix(cron:session): ' 'session closed for user root),Reporter <CRON> PID: 8442 ' '(pam_unix(cron:session): session closed for user root),' '2,FAKE:log/syslog.1,-,Malware Printed,test_parser,a_binary_field: ' 'binary; my_number: 123; some_additional_foo: True\n') event_body = test_file_object.getvalue() self.assertEqual(event_body, expected_event_body) # Ensure that the only commas returned are the 16 delimiters. self.assertEqual(event_body.count(','), 16)
def testReadAndWriteSerializedEventTag(self): """Test ReadSerialized and WriteSerialized of EventTag.""" expected_event_tag = events.EventTag(comment='My first comment.') expected_event_tag.AddLabels(['Malware', 'Common']) json_string = ( json_serializer.JSONAttributeContainerSerializer.WriteSerialized( expected_event_tag)) self.assertIsNotNone(json_string) event_tag = ( json_serializer.JSONAttributeContainerSerializer.ReadSerialized( json_string)) self.assertIsNotNone(event_tag) self.assertIsInstance(event_tag, events.EventTag) expected_event_tag_dict = { 'comment': 'My first comment.', 'labels': ['Malware', 'Common'], } event_tag_dict = event_tag.CopyToDict() self.assertEqual( sorted(event_tag_dict.items()), sorted(expected_event_tag_dict.items()))
def ReadSerializedDict(cls, json_dict): """Reads an event tag from serialized dict form. Args: json_dict: a dictionary of the JSON serialized objects. Returns: An event tag (instance of EventTag). """ if not json_dict: return event_tag = events.EventTag() for key, value in iter(json_dict.items()): if value is None: continue # Note that "_tags" is the name for "labels" prior to version # 1.4.1-20160131 if key == u'_event_tags': key = u'labels' if key == u'labels': event_tag.AddLabels(value) else: setattr(event_tag, key, value) return event_tag
def testWriteEventBody(self): """Tests the WriteEventBody function.""" formatters_manager.FormattersManager.RegisterFormatter( L2TTestEventFormatter) event_tag = events.EventTag() event_tag.uuid = self._event_object.uuid event_tag.AddLabels([u'Malware', u'Printed']) self._event_object.tag = event_tag self._formatter.WriteEventBody(self._event_object) expected_event_body = ( b'06/27/2012,18:17:01,UTC,M...,LOG,Syslog,Content Modification Time,-,' b'ubuntu,Reporter <CRON> PID: 8442 (pam_unix(cron:session): session ' b'closed for user root),Reporter <CRON> PID: 8442 ' b'(pam_unix(cron:session): session closed for user root),' b'2,log/syslog.1,-,Malware Printed,' b'-,my_number: 123 some_additional_foo: True \n') event_body = self._output_writer.ReadOutput() self.assertEqual(event_body, expected_event_body) # Ensure that the only commas returned are the 16 delimiters. self.assertEqual(event_body.count(b','), 16) formatters_manager.FormattersManager.DeregisterFormatter( L2TTestEventFormatter)
def testReadAndWriteSerializedEventTag(self): """Test ReadSerialized and WriteSerialized of EventTag.""" expected_event_tag = events.EventTag(comment=u'My first comment.') expected_event_tag.store_number = 234 expected_event_tag.store_index = 18 expected_event_tag.AddLabels([u'Malware', u'Common']) json_string = (json_serializer.JSONAttributeContainerSerializer. WriteSerialized(expected_event_tag)) self.assertIsNotNone(json_string) event_tag = (json_serializer.JSONAttributeContainerSerializer. ReadSerialized(json_string)) self.assertIsNotNone(event_tag) self.assertIsInstance(event_tag, events.EventTag) expected_event_tag_dict = { u'comment': u'My first comment.', u'labels': [u'Malware', u'Common'], u'store_index': 18, u'store_number': 234, } event_tag_dict = event_tag.CopyToDict() self.assertEqual(sorted(event_tag_dict.items()), sorted(expected_event_tag_dict.items()))
def testReadAndWriteSerializedAnalysisReport(self): """Test ReadSerialized and WriteSerialized of AnalysisReport.""" expected_comment = u'This is a test event tag.' expected_uuid = u'403818f93dce467bac497ef0f263fde8' expected_labels = [u'Test', u'AnotherTest'] expected_report_dict = { u'dude': [[ u'Google Keep - notes and lists', u'hmjkmjkepdijhoojdojkdfohbdgmmhki' ]], u'frank': [[u'YouTube', u'blpcfgokakmgnkcojhhkbfbldkacnbeo'], [u'Google Play Music', u'icppfcnhkcmnfdhfhphakoifcfokfdhg']] } expected_report_text = ( u' == USER: dude ==\n' u' Google Keep - notes and lists [hmjkmjkepdijhoojdojkdfohbdgmmhki]\n' u'\n' u' == USER: frank ==\n' u' Google Play Music [icppfcnhkcmnfdhfhphakoifcfokfdhg]\n' u' YouTube [blpcfgokakmgnkcojhhkbfbldkacnbeo]\n' u'\n') expected_event_tag = events.EventTag(comment=expected_comment, event_uuid=expected_uuid) expected_event_tag.AddLabels(expected_labels) expected_analysis_report = reports.AnalysisReport( plugin_name=u'chrome_extension_test', text=expected_report_text) expected_analysis_report.report_dict = expected_report_dict expected_analysis_report.time_compiled = 1431978243000000 expected_analysis_report.SetTags([expected_event_tag]) json_string = (json_serializer.JSONAttributeContainerSerializer. WriteSerialized(expected_analysis_report)) self.assertIsNotNone(json_string) analysis_report = (json_serializer.JSONAttributeContainerSerializer. ReadSerialized(json_string)) self.assertIsNotNone(analysis_report) self.assertIsInstance(analysis_report, reports.AnalysisReport) # TODO: preserve the tuples in the report dict. # TODO: add report_array tests. # TODO: remove _event_tags. expected_analysis_report_dict = { u'_event_tags': [], u'plugin_name': u'chrome_extension_test', u'report_dict': expected_report_dict, u'text': expected_report_text, u'time_compiled': 1431978243000000 } analysis_report_dict = analysis_report.CopyToDict() self.assertEqual(sorted(analysis_report_dict.items()), sorted(expected_analysis_report_dict.items()))
def testGetAttributeNames(self): """Tests the GetAttributeNames function.""" attribute_container = events.EventTag() expected_attribute_names = ['_event_row_identifier', 'labels'] attribute_names = sorted(attribute_container.GetAttributeNames()) self.assertEqual(attribute_names, expected_attribute_names)
def _HandleHashAnalysis(self, mediator, hash_analysis): """Deals with the results of the analysis of a hash. This method ensures that labels are generated for the hash, then tags all events derived from files with that hash. Args: mediator (AnalysisMediator): mediates interactions between analysis plugins and other components, such as storage and dfVFS. hash_analysis (HashAnalysis): hash analysis plugin's results for a given hash. Returns: collections.Counter: number of events per label. """ events_per_labels_counter = collections.Counter() labels = self.GenerateLabels(hash_analysis.hash_information) try: data_stream_identifiers = self._data_streams_by_hash.pop( hash_analysis.subject_hash) except KeyError: data_stream_identifiers = [] logger.error( ('unable to retrieve data streams for digest hash: {0:s}' ).format(hash_analysis.subject_hash)) for data_stream_identifier in data_stream_identifiers: event_identifiers = self._event_identifiers_by_data_stream.pop( data_stream_identifier) # Do no bail out earlier to maintain the state of # self._data_streams_by_hash and self._event_identifiers_by_data_stream. if not labels: continue for event_identifier in event_identifiers: event_tag = events.EventTag() event_tag.SetEventIdentifier(event_identifier) try: event_tag.AddLabels(labels) except (TypeError, ValueError): error_label = 'error_{0:s}'.format(self.NAME) logger.error(( 'unable to add labels: {0!s} for digest hash: {1:s} defaulting ' 'to: {2:s}').format(labels, hash_analysis.subject_hash, error_label)) labels = [error_label] event_tag.AddLabels(labels) mediator.ProduceEventTag(event_tag) for label in labels: events_per_labels_counter[label] += 1 return events_per_labels_counter
def testGetSanitizedEventValues(self): """Tests the _GetSanitizedEventValues function.""" output_mediator = self._CreateOutputMediator() formatters_directory_path = self._GetDataFilePath(['formatters']) output_mediator.ReadMessageFormattersFromDirectory( formatters_directory_path) output_module = TestElasticsearchOutputModule(output_mediator) event, event_data, event_data_stream = ( containers_test_lib.CreateEventFromValues(self._TEST_EVENTS[0])) event_tag = events.EventTag() event_tag.AddLabel('Test') event_values = output_module._GetSanitizedEventValues( event, event_data, event_data_stream, event_tag) expected_event_values = { 'a_binary_field': 'binary', 'data_type': 'syslog:line', 'datetime': '2012-06-27T18:17:01.000000Z', 'display_name': 'FAKE:log/syslog.1', 'filename': 'log/syslog.1', 'hostname': 'ubuntu', 'message': '[', 'my_number': 123, 'path_spec': ('{"__type__": "PathSpec", "location": "log/syslog.1", ' '"type_indicator": "FAKE"}'), 'some_additional_foo': True, 'source_long': 'Log File', 'source_short': 'LOG', 'tag': ['Test'], 'text': ('Reporter <CRON> PID: 8442 (pam_unix(cron:session): ' 'session\n closed for user root)'), 'timestamp': 1340821021000000, 'timestamp_desc': 'Content Modification Time', } self.assertIsInstance(event_values, dict) self.assertEqual(event_values, expected_event_values)
def testParseWithEvents(self): """Tests the Parse function with events.""" event, event_data, _ = containers_test_lib.CreateEventFromValues( self._TEST_EVENTS[0]) event_tag = events.EventTag() event_tag.AddLabel('browser_search') self._CheckIfExpressionMatches('filename contains \'GoodFella\'', event, event_data, None, event_tag, True) # Test timestamp filtering. self._CheckIfExpressionMatches('timestamp >= \'2015-11-18\'', event, event_data, None, event_tag, True) self._CheckIfExpressionMatches('timestamp < \'2015-11-19\'', event, event_data, None, event_tag, True) expression = ('timestamp < \'2015-11-18T01:15:44.341\' and ' 'timestamp > \'2015-11-18 01:15:42\'') self._CheckIfExpressionMatches(expression, event, event_data, None, event_tag, True) self._CheckIfExpressionMatches('timestamp > \'2015-11-19\'', event, event_data, None, event_tag, False) # Perform few attribute tests. self._CheckIfExpressionMatches('filename not contains \'sometext\'', event, event_data, None, event_tag, True) expression = ( 'timestamp_desc CONTAINS \'written\' AND timestamp > \'2015-11-18\' ' 'AND timestamp < \'2015-11-25 12:56:21\'') self._CheckIfExpressionMatches(expression, event, event_data, None, event_tag, True) self._CheckIfExpressionMatches('parser is not \'Made\'', event, event_data, None, event_tag, True) self._CheckIfExpressionMatches('parser is not \'Weirdo\'', event, event_data, None, event_tag, False) self._CheckIfExpressionMatches('tag contains \'browser_search\'', event, event_data, None, event_tag, True) # Test multiple attributes. self._CheckIfExpressionMatches( 'text iregexp \'bad, bad thing [a-zA-Z\\\\s.]+ evil\'', event, event_data, None, event_tag, True)
def _CreateTag(self, event_uuid, labels): """Creates an event tag. Args: event_uuid: The UUID of the event that should be tagged. labels: A list of strings that contains the labels. """ event_tag = events.EventTag( comment=u'Tag applied by {0:s} analysis plugin'.format(self.NAME), event_uuid=event_uuid) event_tag.AddLabels(labels) return event_tag
def setUp(self): """Makes preparations before running an individual test.""" self._event_tag = events.EventTag(comment=u'My first comment.') self._event_tag.store_number = 234 self._event_tag.store_index = 18 self._event_tag.AddLabels([u'Malware', u'Common']) self._event_tag_dict = { u'comment': u'My first comment.', u'labels': [u'Malware', u'Common'], u'store_index': 18, u'store_number': 234, }
def _CreateTestEventTags(self, test_events): """Creates the event tags for testing. Args: list[EventObject]: events to tag. Returns: list[EventTag]: event tags. """ event_tags = [] event_identifier = test_events[0].GetIdentifier() event_tag = events.EventTag() event_tag.SetEventIdentifier(event_identifier) event_tags.append(event_tag) event_identifier = test_events[1].GetIdentifier() event_tag = events.EventTag() event_tag.SetEventIdentifier(event_identifier) event_tag.AddLabel('Malware') event_tags.append(event_tag) event_identifier = test_events[2].GetIdentifier() event_tag = events.EventTag() event_tag.SetEventIdentifier(event_identifier) event_tag.AddLabels(['Malware', 'Benign']) event_tags.append(event_tag) event_identifier = test_events[1].GetIdentifier() event_tag = events.EventTag() event_tag.SetEventIdentifier(event_identifier) event_tag.AddLabel('Interesting') event_tags.append(event_tag) return event_tags
def testFormatTag(self): """Tests the _FormatTag function.""" output_mediator = self._CreateOutputMediator() test_helper = formatting_helper.FieldFormattingHelper(output_mediator) tag_string = test_helper._FormatTag(None) self.assertEqual(tag_string, '-') event_tag = events.EventTag() event_tag.AddLabel('one') event_tag.AddLabel('two') tag_string = test_helper._FormatTag(event_tag) self.assertEqual(tag_string, 'one two')
def testCopyToDict(self): """Tests the CopyToDict function.""" event_tag = events.EventTag( comment=u'This is a test event tag.', event_uuid=u'11fca043ea224a688137deaa8d162807') expected_dict = { u'comment': u'This is a test event tag.', u'event_uuid': u'11fca043ea224a688137deaa8d162807', u'labels': []} test_dict = event_tag.CopyToDict() self.assertEqual(test_dict, expected_dict)
def testEventToDict(self): """Tests the _EventToDict function.""" event_timestamp = timelib.Timestamp.CopyFromString( u'2012-06-27 18:17:01+00:00') label = u'Test' event = ElasticTestEvent(event_timestamp) event_tag = events.EventTag() event_tag.uuid = event.uuid event_tag.AddLabel(label) event.tag = event_tag output_mediator = self._CreateOutputMediator() elasticsearch_helper = elastic.ElasticSearchHelper( output_mediator, u'127.0.0.1', 9200, 1000, u'test', {}, u'test_type') expected_dict = { u'data_type': u'syslog:line', u'datetime': u'2012-06-27T18:17:01+00:00', u'display_name': u'log/syslog.1', u'filename': u'log/syslog.1', u'hostname': u'ubuntu', u'message': u'[', u'my_number': 123, u'some_additional_foo': True, u'source_long': u'Log File', u'source_short': u'LOG', u'tag': [label], u'text': (u'Reporter <CRON> PID: 8442 (pam_unix(cron:session): ' u'session\n closed for user root)'), u'timestamp': event_timestamp, u'timestamp_desc': u'Content Modification Time', } event_dict = elasticsearch_helper._GetSanitizedEventValues(event) self.assertIsInstance(event_dict, dict) self.assertDictContainsSubset(expected_dict, event_dict)
def testGetEventTagByEventIdentifier(self): """Tests the GetEventTagByEventIdentifier function.""" with shared_test_lib.TempDirectory() as temp_directory: test_path = os.path.join(temp_directory, 'plaso.sqlite') test_store = sqlite_file.SQLiteStorageFile() test_store.Open(path=test_path, read_only=False) index = 0 for event, event_data, event_data_stream in ( containers_test_lib.CreateEventsFromValues( self._TEST_EVENTS)): test_store.AddAttributeContainer(event_data_stream) event_data.SetEventDataStreamIdentifier( event_data_stream.GetIdentifier()) test_store.AddAttributeContainer(event_data) event.SetEventDataIdentifier(event_data.GetIdentifier()) test_store.AddAttributeContainer(event) if index == 1: event_tag = events.EventTag() event_tag.AddLabels(['Malware', 'Benign']) event_identifier = event.GetIdentifier() event_tag.SetEventIdentifier(event_identifier) test_store.AddAttributeContainer(event_tag) index += 1 test_store.Close() test_store = sqlite_file.SQLiteStorageFile() test_store.Open(path=test_path) test_event = test_store.GetAttributeContainerByIndex( events.EventObject.CONTAINER_TYPE, 1) self.assertIsNotNone(test_event) test_event_identifier = test_event.GetIdentifier() self.assertIsNotNone(test_event_identifier) test_event_tag = test_store.GetEventTagByEventIdentifier( test_event_identifier) self.assertIsNotNone(test_event_tag) self.assertEqual(test_event_tag.labels, ['Malware', 'Benign']) test_store.Close()
def _CreateTag(self, event_uuid, labels): """Creates an event tag. Args: event_uuid (uuid.UUID): identifier of the event that should be tagged. labels (list[str]): labels for the gag. Returns: EventTag: event tag. """ event_tag = events.EventTag( comment=u'Tag applied by {0:s} analysis plugin'.format(self.NAME), event_uuid=event_uuid) event_tag.AddLabels(labels) return event_tag
def _CreateTestEvent(self): """Creates an event for testing. Returns: EventObject: event. """ event_tag = events.EventTag() event_tag.AddLabel('Test') event_timestamp = timelib.Timestamp.CopyFromString( '2012-06-27 18:17:01+00:00') event = TestEvent(event_timestamp) event.tag = event_tag return event
def _CreateEventTag(self, event, comment, labels): """Creates an event tag. Args: event (EventObject): event to tag. comment (str): event tag comment. labels (list[str]): event tag labels. """ event_uuid = getattr(event, u'uuid', None) event_tag = events.EventTag(comment=comment, event_uuid=event_uuid) event_tag.AddLabels(labels) logging.debug(u'Created event tag: {0:s} for event: {1:s}'.format( comment, event_uuid)) return event_tag
def testWriteSerialized(self): """Tests the WriteSerialized function.""" event_tag = events.EventTag(comment=self._comment, event_uuid=self._event_uuid) event_tag.AddLabels(self._labels) self.assertTrue(event_tag.IsValidForSerialization()) analysis_report = reports.AnalysisReport(u'chrome_extension_test', text=self._report_text) analysis_report.report_dict = self._report_dict analysis_report.time_compiled = 1431978243000000 analysis_report.SetTags([event_tag]) self._TestWriteSerialized(self._serializer, analysis_report, self._json_dict)
def setUp(self): """Makes preparations before running an individual test.""" self._label = u'Test' plaso_timestamp = timelib.Timestamp() self._event_timestamp = plaso_timestamp.CopyFromString( u'2012-06-27 18:17:01+00:00') self._event_object = TimesketchTestEvent(self._event_timestamp) self._event_tag = events.EventTag() self._event_tag.uuid = self._event_object.uuid self._event_tag.AddLabel(self._label) self._event_object.tag = self._event_tag output_mediator = self._CreateOutputMediator() self._timesketch_output = timesketch_out.TimesketchOutputModule( output_mediator)
def testGetSanitizedEventValues(self): """Tests the _GetSanitizedEventValues function.""" output_mediator = self._CreateOutputMediator() output_module = TestElasticsearchOutputModule(output_mediator) event, event_data = containers_test_lib.CreateEventFromValues( self._TEST_EVENTS[0]) event_tag = events.EventTag() event_tag.AddLabel('Test') event_values = output_module._GetSanitizedEventValues( event, event_data, event_tag) expected_event_values = { 'data_type': 'syslog:line', 'datetime': '2012-06-27T18:17:01+00:00', 'display_name': 'log/syslog.1', 'filename': 'log/syslog.1', 'hostname': 'ubuntu', 'message': '[', 'my_number': 123, 'some_additional_foo': True, 'source_long': 'Log File', 'source_short': 'LOG', 'tag': ['Test'], 'text': ('Reporter <CRON> PID: 8442 (pam_unix(cron:session): ' 'session\n closed for user root)'), 'timestamp': 1340821021000000, 'timestamp_desc': 'Content Modification Time', } self.assertIsInstance(event_values, dict) self.assertDictContainsSubset(expected_event_values, event_values)
def _CreateEventTag(self, event, comment, labels): """Creates an event tag. Args: event (EventObject): event to tag. comment (str): event tag comment. labels (list[str]): event tag labels. """ event_identifier = event.GetIdentifier() event_tag = events.EventTag(comment=comment) event_tag.SetEventIdentifier(event_identifier) event_tag.AddLabels(labels) event_identifier_string = event_identifier.CopyToString() logging.debug('Created event tag: {0:s} for event: {1:s}'.format( comment, event_identifier_string)) return event_tag
def testGetEventTagByEventIdentifier(self): """Tests the GetEventTagByEventIdentifier function.""" test_store = fake_store.FakeStore() test_store.Open() index = 0 for event, event_data, event_data_stream in ( containers_test_lib.CreateEventsFromValues(self._TEST_EVENTS)): test_store.AddAttributeContainer(event_data_stream) event_data.SetEventDataStreamIdentifier( event_data_stream.GetIdentifier()) test_store.AddAttributeContainer(event_data) event.SetEventDataIdentifier(event_data.GetIdentifier()) test_store.AddAttributeContainer(event) if index == 1: event_tag = events.EventTag() event_tag.AddLabels(['Malware', 'Benign']) event_identifier = event.GetIdentifier() event_tag.SetEventIdentifier(event_identifier) test_store.AddAttributeContainer(event_tag) index += 1 # Do not close and reopen the fake store. test_event = test_store.GetAttributeContainerByIndex( events.EventObject.CONTAINER_TYPE, 1) self.assertIsNotNone(test_event) test_event_identifier = test_event.GetIdentifier() self.assertIsNotNone(test_event_identifier) test_event_tag = test_store.GetEventTagByEventIdentifier( test_event_identifier) self.assertIsNotNone(test_event_tag) self.assertEqual(test_event_tag.labels, ['Malware', 'Benign']) test_store.Close()
def _HandleHashAnalysis(self, hash_analysis): """Deals with the results of the analysis of a hash. This method ensures that labels are generated for the hash, then tags all events derived from files with that hash. Args: hash_analysis (HashAnalysis): hash analysis plugin's results for a given hash. Returns: tuple: containing: list[dfvfs.PathSpec]: path specifications that had the hash value looked up. list[str]: labels that corresponds to the hash value that was looked up. list[EventTag]: event tags for all events that were extracted from the path specifications. """ tags = [] labels = self.GenerateLabels(hash_analysis.hash_information) path_specifications = self._hash_path_specs.pop( hash_analysis.subject_hash) for path_specification in path_specifications: event_identifiers = self._event_identifiers_by_path_spec.pop( path_specification, []) if not labels: continue for event_identifier in event_identifiers: try: event_tag = events.EventTag() event_tag.SetEventIdentifier(event_identifier) event_tag.AddLabels(labels) tags.append(event_tag) except (TypeError, ValueError) as exception: logger.error( 'unable to add labels to event with error: {0!s}'. format(exception)) return path_specifications, labels, tags