def _CreateTestEventTags(self):
"""Creates the event tags for testing.
Returns:
A list of event tags (instances of EventTag).
"""
event_tags = []
event_tag = events.EventTag()
event_tag.store_index = 0
event_tag.store_number = 1
event_tag.comment = u'My comment'
event_tags.append(event_tag)
event_tag = events.EventTag()
event_tag.store_index = 1
event_tag.store_number = 1
event_tag.AddLabel(u'Malware')
event_tags.append(event_tag)
event_tag = events.EventTag()
event_tag.store_number = 1
event_tag.store_index = 2
event_tag.comment = u'This is interesting'
event_tag.AddLabels([u'Malware', u'Benign'])
event_tags.append(event_tag)
event_tag = events.EventTag()
event_tag.store_index = 1
event_tag.store_number = 1
event_tag.AddLabel(u'Interesting')
event_tags.append(event_tag)
return event_tags
def testAddOrUpdateEventTag(self):
"""Tests the AddOrUpdateEventTag function."""
with shared_test_lib.TempDirectory() as temp_directory:
test_path = os.path.join(temp_directory, 'plaso.sqlite')
storage_writer = sqlite_writer.SQLiteStorageFileWriter()
storage_writer.Open(path=test_path)
try:
test_events = self._AddTestEvents(storage_writer)
event_tag = events.EventTag()
event_identifier = test_events[1].GetIdentifier()
event_tag.SetEventIdentifier(event_identifier)
event_tag.AddLabel('Label1')
number_of_containers = storage_writer.GetNumberOfAttributeContainers(
event_tag.CONTAINER_TYPE)
self.assertEqual(number_of_containers, 0)
storage_writer.AddOrUpdateEventTag(event_tag)
number_of_containers = storage_writer.GetNumberOfAttributeContainers(
event_tag.CONTAINER_TYPE)
self.assertEqual(number_of_containers, 1)
event_tag = events.EventTag()
event_identifier = test_events[2].GetIdentifier()
event_tag.SetEventIdentifier(event_identifier)
event_tag.AddLabel('Label2')
storage_writer.AddOrUpdateEventTag(event_tag)
number_of_containers = storage_writer.GetNumberOfAttributeContainers(
event_tag.CONTAINER_TYPE)
self.assertEqual(number_of_containers, 2)
event_tag = events.EventTag()
event_identifier = test_events[1].GetIdentifier()
event_tag.SetEventIdentifier(event_identifier)
event_tag.AddLabel('AnotherLabel1')
storage_writer.AddOrUpdateEventTag(event_tag)
number_of_containers = storage_writer.GetNumberOfAttributeContainers(
event_tag.CONTAINER_TYPE)
self.assertEqual(number_of_containers, 2)
event_tags = list(
storage_writer.GetAttributeContainers(
event_tag.CONTAINER_TYPE))
self.assertEqual(event_tags[0].labels,
['Label1', 'AnotherLabel1'])
self.assertEqual(event_tags[1].labels, ['Label2'])
finally:
storage_writer.Close()
def testAddOrUpdateEventTag(self):
"""Tests the AddOrUpdateEventTag function."""
storage_writer = fake_writer.FakeStorageWriter()
storage_writer.Open()
try:
test_events = self._AddTestEvents(storage_writer)
event_tag = events.EventTag()
event_identifier = test_events[1].GetIdentifier()
event_tag.SetEventIdentifier(event_identifier)
event_tag.AddLabel('Label1')
number_of_containers = storage_writer.GetNumberOfAttributeContainers(
event_tag.CONTAINER_TYPE)
self.assertEqual(number_of_containers, 0)
storage_writer.AddOrUpdateEventTag(event_tag)
number_of_containers = storage_writer.GetNumberOfAttributeContainers(
event_tag.CONTAINER_TYPE)
self.assertEqual(number_of_containers, 1)
event_tag = events.EventTag()
event_identifier = test_events[2].GetIdentifier()
event_tag.SetEventIdentifier(event_identifier)
event_tag.AddLabel('Label2')
storage_writer.AddOrUpdateEventTag(event_tag)
number_of_containers = storage_writer.GetNumberOfAttributeContainers(
event_tag.CONTAINER_TYPE)
self.assertEqual(number_of_containers, 2)
event_tag = events.EventTag()
event_identifier = test_events[1].GetIdentifier()
event_tag.SetEventIdentifier(event_identifier)
event_tag.AddLabel('AnotherLabel1')
storage_writer.AddOrUpdateEventTag(event_tag)
number_of_containers = storage_writer.GetNumberOfAttributeContainers(
event_tag.CONTAINER_TYPE)
self.assertEqual(number_of_containers, 2)
event_tags = list(
storage_writer.GetAttributeContainers(
event_tag.CONTAINER_TYPE))
self.assertEqual(event_tags[0].labels, ['Label1', 'AnotherLabel1'])
self.assertEqual(event_tags[1].labels, ['Label2'])
finally:
storage_writer.Close()
def testWriteEventBody(self):
"""Tests the WriteEventBody function."""
formatters_manager.FormattersManager.RegisterFormatter(
L2TTestEventFormatter)
event, event_data = containers_test_lib.CreateEventFromValues(
self._TEST_EVENTS[0])
event_tag = events.EventTag()
event_tag.AddLabels(['Malware', 'Printed'])
self._formatter.WriteEventBody(event, event_data, event_tag)
expected_event_body = (
'06/27/2012,18:17:01,UTC,M...,LOG,Syslog,Content Modification Time,-,'
'ubuntu,Reporter <CRON> PID: 8442 (pam_unix(cron:session): session '
'closed for user root),Reporter <CRON> PID: 8442 '
'(pam_unix(cron:session): session closed for user root),'
'2,log/syslog.1,-,Malware Printed,'
'-,a_binary_field: binary; my_number: 123; some_additional_foo: True\n'
)
event_body = self._output_writer.ReadOutput()
self.assertEqual(event_body, expected_event_body)
# Ensure that the only commas returned are the 16 delimiters.
self.assertEqual(event_body.count(','), 16)
formatters_manager.FormattersManager.DeregisterFormatter(
L2TTestEventFormatter)
def testWriteEventBody(self):
"""Tests the WriteEventBody function."""
test_file_object = io.StringIO()
output_mediator = self._CreateOutputMediator()
formatters_directory_path = self._GetTestFilePath(['formatters'])
output_mediator.ReadMessageFormattersFromDirectory(
formatters_directory_path)
output_module = l2t_csv.L2TCSVOutputModule(output_mediator)
output_module._file_object = test_file_object
event, event_data, event_data_stream = (
containers_test_lib.CreateEventFromValues(self._TEST_EVENTS[0]))
event_tag = events.EventTag()
event_tag.AddLabels(['Malware', 'Printed'])
output_module.WriteEventBody(
event, event_data, event_data_stream, event_tag)
expected_event_body = (
'06/27/2012,18:17:01,UTC,M...,FILE,Test log file,Content Modification '
'Time,-,ubuntu,Reporter <CRON> PID: 8442 (pam_unix(cron:session): '
'session closed for user root),Reporter <CRON> PID: 8442 '
'(pam_unix(cron:session): session closed for user root),'
'2,FAKE:log/syslog.1,-,Malware Printed,test_parser,a_binary_field: '
'binary; my_number: 123; some_additional_foo: True\n')
event_body = test_file_object.getvalue()
self.assertEqual(event_body, expected_event_body)
# Ensure that the only commas returned are the 16 delimiters.
self.assertEqual(event_body.count(','), 16)
def testReadAndWriteSerializedEventTag(self):
"""Test ReadSerialized and WriteSerialized of EventTag."""
expected_event_tag = events.EventTag(comment='My first comment.')
expected_event_tag.AddLabels(['Malware', 'Common'])
json_string = (
json_serializer.JSONAttributeContainerSerializer.WriteSerialized(
expected_event_tag))
self.assertIsNotNone(json_string)
event_tag = (
json_serializer.JSONAttributeContainerSerializer.ReadSerialized(
json_string))
self.assertIsNotNone(event_tag)
self.assertIsInstance(event_tag, events.EventTag)
expected_event_tag_dict = {
'comment': 'My first comment.',
'labels': ['Malware', 'Common'],
}
event_tag_dict = event_tag.CopyToDict()
self.assertEqual(
sorted(event_tag_dict.items()),
sorted(expected_event_tag_dict.items()))
def ReadSerializedDict(cls, json_dict):
"""Reads an event tag from serialized dict form.
Args:
json_dict: a dictionary of the JSON serialized objects.
Returns:
An event tag (instance of EventTag).
"""
if not json_dict:
return
event_tag = events.EventTag()
for key, value in iter(json_dict.items()):
if value is None:
continue
# Note that "_tags" is the name for "labels" prior to version
# 1.4.1-20160131
if key == u'_event_tags':
key = u'labels'
if key == u'labels':
event_tag.AddLabels(value)
else:
setattr(event_tag, key, value)
return event_tag
def testWriteEventBody(self):
"""Tests the WriteEventBody function."""
formatters_manager.FormattersManager.RegisterFormatter(
L2TTestEventFormatter)
event_tag = events.EventTag()
event_tag.uuid = self._event_object.uuid
event_tag.AddLabels([u'Malware', u'Printed'])
self._event_object.tag = event_tag
self._formatter.WriteEventBody(self._event_object)
expected_event_body = (
b'06/27/2012,18:17:01,UTC,M...,LOG,Syslog,Content Modification Time,-,'
b'ubuntu,Reporter <CRON> PID: 8442 (pam_unix(cron:session): session '
b'closed for user root),Reporter <CRON> PID: 8442 '
b'(pam_unix(cron:session): session closed for user root),'
b'2,log/syslog.1,-,Malware Printed,'
b'-,my_number: 123 some_additional_foo: True \n')
event_body = self._output_writer.ReadOutput()
self.assertEqual(event_body, expected_event_body)
# Ensure that the only commas returned are the 16 delimiters.
self.assertEqual(event_body.count(b','), 16)
formatters_manager.FormattersManager.DeregisterFormatter(
L2TTestEventFormatter)
def testReadAndWriteSerializedEventTag(self):
"""Test ReadSerialized and WriteSerialized of EventTag."""
expected_event_tag = events.EventTag(comment=u'My first comment.')
expected_event_tag.store_number = 234
expected_event_tag.store_index = 18
expected_event_tag.AddLabels([u'Malware', u'Common'])
json_string = (json_serializer.JSONAttributeContainerSerializer.
WriteSerialized(expected_event_tag))
self.assertIsNotNone(json_string)
event_tag = (json_serializer.JSONAttributeContainerSerializer.
ReadSerialized(json_string))
self.assertIsNotNone(event_tag)
self.assertIsInstance(event_tag, events.EventTag)
expected_event_tag_dict = {
u'comment': u'My first comment.',
u'labels': [u'Malware', u'Common'],
u'store_index': 18,
u'store_number': 234,
}
event_tag_dict = event_tag.CopyToDict()
self.assertEqual(sorted(event_tag_dict.items()),
sorted(expected_event_tag_dict.items()))
def testReadAndWriteSerializedAnalysisReport(self):
"""Test ReadSerialized and WriteSerialized of AnalysisReport."""
expected_comment = u'This is a test event tag.'
expected_uuid = u'403818f93dce467bac497ef0f263fde8'
expected_labels = [u'Test', u'AnotherTest']
expected_report_dict = {
u'dude': [[
u'Google Keep - notes and lists',
u'hmjkmjkepdijhoojdojkdfohbdgmmhki'
]],
u'frank':
[[u'YouTube', u'blpcfgokakmgnkcojhhkbfbldkacnbeo'],
[u'Google Play Music', u'icppfcnhkcmnfdhfhphakoifcfokfdhg']]
}
expected_report_text = (
u' == USER: dude ==\n'
u' Google Keep - notes and lists [hmjkmjkepdijhoojdojkdfohbdgmmhki]\n'
u'\n'
u' == USER: frank ==\n'
u' Google Play Music [icppfcnhkcmnfdhfhphakoifcfokfdhg]\n'
u' YouTube [blpcfgokakmgnkcojhhkbfbldkacnbeo]\n'
u'\n')
expected_event_tag = events.EventTag(comment=expected_comment,
event_uuid=expected_uuid)
expected_event_tag.AddLabels(expected_labels)
expected_analysis_report = reports.AnalysisReport(
plugin_name=u'chrome_extension_test', text=expected_report_text)
expected_analysis_report.report_dict = expected_report_dict
expected_analysis_report.time_compiled = 1431978243000000
expected_analysis_report.SetTags([expected_event_tag])
json_string = (json_serializer.JSONAttributeContainerSerializer.
WriteSerialized(expected_analysis_report))
self.assertIsNotNone(json_string)
analysis_report = (json_serializer.JSONAttributeContainerSerializer.
ReadSerialized(json_string))
self.assertIsNotNone(analysis_report)
self.assertIsInstance(analysis_report, reports.AnalysisReport)
# TODO: preserve the tuples in the report dict.
# TODO: add report_array tests.
# TODO: remove _event_tags.
expected_analysis_report_dict = {
u'_event_tags': [],
u'plugin_name': u'chrome_extension_test',
u'report_dict': expected_report_dict,
u'text': expected_report_text,
u'time_compiled': 1431978243000000
}
analysis_report_dict = analysis_report.CopyToDict()
self.assertEqual(sorted(analysis_report_dict.items()),
sorted(expected_analysis_report_dict.items()))
def testGetAttributeNames(self):
"""Tests the GetAttributeNames function."""
attribute_container = events.EventTag()
expected_attribute_names = ['_event_row_identifier', 'labels']
attribute_names = sorted(attribute_container.GetAttributeNames())
self.assertEqual(attribute_names, expected_attribute_names)
def _HandleHashAnalysis(self, mediator, hash_analysis):
"""Deals with the results of the analysis of a hash.
This method ensures that labels are generated for the hash,
then tags all events derived from files with that hash.
Args:
mediator (AnalysisMediator): mediates interactions between
analysis plugins and other components, such as storage and dfVFS.
hash_analysis (HashAnalysis): hash analysis plugin's results for a given
hash.
Returns:
collections.Counter: number of events per label.
"""
events_per_labels_counter = collections.Counter()
labels = self.GenerateLabels(hash_analysis.hash_information)
try:
data_stream_identifiers = self._data_streams_by_hash.pop(
hash_analysis.subject_hash)
except KeyError:
data_stream_identifiers = []
logger.error(
('unable to retrieve data streams for digest hash: {0:s}'
).format(hash_analysis.subject_hash))
for data_stream_identifier in data_stream_identifiers:
event_identifiers = self._event_identifiers_by_data_stream.pop(
data_stream_identifier)
# Do no bail out earlier to maintain the state of
# self._data_streams_by_hash and self._event_identifiers_by_data_stream.
if not labels:
continue
for event_identifier in event_identifiers:
event_tag = events.EventTag()
event_tag.SetEventIdentifier(event_identifier)
try:
event_tag.AddLabels(labels)
except (TypeError, ValueError):
error_label = 'error_{0:s}'.format(self.NAME)
logger.error((
'unable to add labels: {0!s} for digest hash: {1:s} defaulting '
'to: {2:s}').format(labels, hash_analysis.subject_hash,
error_label))
labels = [error_label]
event_tag.AddLabels(labels)
mediator.ProduceEventTag(event_tag)
for label in labels:
events_per_labels_counter[label] += 1
return events_per_labels_counter
def testGetSanitizedEventValues(self):
"""Tests the _GetSanitizedEventValues function."""
output_mediator = self._CreateOutputMediator()
formatters_directory_path = self._GetDataFilePath(['formatters'])
output_mediator.ReadMessageFormattersFromDirectory(
formatters_directory_path)
output_module = TestElasticsearchOutputModule(output_mediator)
event, event_data, event_data_stream = (
containers_test_lib.CreateEventFromValues(self._TEST_EVENTS[0]))
event_tag = events.EventTag()
event_tag.AddLabel('Test')
event_values = output_module._GetSanitizedEventValues(
event, event_data, event_data_stream, event_tag)
expected_event_values = {
'a_binary_field':
'binary',
'data_type':
'syslog:line',
'datetime':
'2012-06-27T18:17:01.000000Z',
'display_name':
'FAKE:log/syslog.1',
'filename':
'log/syslog.1',
'hostname':
'ubuntu',
'message':
'[',
'my_number':
123,
'path_spec':
('{"__type__": "PathSpec", "location": "log/syslog.1", '
'"type_indicator": "FAKE"}'),
'some_additional_foo':
True,
'source_long':
'Log File',
'source_short':
'LOG',
'tag': ['Test'],
'text': ('Reporter <CRON> PID: 8442 (pam_unix(cron:session): '
'session\n closed for user root)'),
'timestamp':
1340821021000000,
'timestamp_desc':
'Content Modification Time',
}
self.assertIsInstance(event_values, dict)
self.assertEqual(event_values, expected_event_values)
def testParseWithEvents(self):
"""Tests the Parse function with events."""
event, event_data, _ = containers_test_lib.CreateEventFromValues(
self._TEST_EVENTS[0])
event_tag = events.EventTag()
event_tag.AddLabel('browser_search')
self._CheckIfExpressionMatches('filename contains \'GoodFella\'',
event, event_data, None, event_tag,
True)
# Test timestamp filtering.
self._CheckIfExpressionMatches('timestamp >= \'2015-11-18\'', event,
event_data, None, event_tag, True)
self._CheckIfExpressionMatches('timestamp < \'2015-11-19\'', event,
event_data, None, event_tag, True)
expression = ('timestamp < \'2015-11-18T01:15:44.341\' and '
'timestamp > \'2015-11-18 01:15:42\'')
self._CheckIfExpressionMatches(expression, event, event_data, None,
event_tag, True)
self._CheckIfExpressionMatches('timestamp > \'2015-11-19\'', event,
event_data, None, event_tag, False)
# Perform few attribute tests.
self._CheckIfExpressionMatches('filename not contains \'sometext\'',
event, event_data, None, event_tag,
True)
expression = (
'timestamp_desc CONTAINS \'written\' AND timestamp > \'2015-11-18\' '
'AND timestamp < \'2015-11-25 12:56:21\'')
self._CheckIfExpressionMatches(expression, event, event_data, None,
event_tag, True)
self._CheckIfExpressionMatches('parser is not \'Made\'', event,
event_data, None, event_tag, True)
self._CheckIfExpressionMatches('parser is not \'Weirdo\'', event,
event_data, None, event_tag, False)
self._CheckIfExpressionMatches('tag contains \'browser_search\'',
event, event_data, None, event_tag,
True)
# Test multiple attributes.
self._CheckIfExpressionMatches(
'text iregexp \'bad, bad thing [a-zA-Z\\\\s.]+ evil\'', event,
event_data, None, event_tag, True)
def _CreateTag(self, event_uuid, labels):
"""Creates an event tag.
Args:
event_uuid: The UUID of the event that should be tagged.
labels: A list of strings that contains the labels.
"""
event_tag = events.EventTag(
comment=u'Tag applied by {0:s} analysis plugin'.format(self.NAME),
event_uuid=event_uuid)
event_tag.AddLabels(labels)
return event_tag
def setUp(self):
"""Makes preparations before running an individual test."""
self._event_tag = events.EventTag(comment=u'My first comment.')
self._event_tag.store_number = 234
self._event_tag.store_index = 18
self._event_tag.AddLabels([u'Malware', u'Common'])
self._event_tag_dict = {
u'comment': u'My first comment.',
u'labels': [u'Malware', u'Common'],
u'store_index': 18,
u'store_number': 234,
}
def _CreateTestEventTags(self, test_events):
"""Creates the event tags for testing.
Args:
list[EventObject]: events to tag.
Returns:
list[EventTag]: event tags.
"""
event_tags = []
event_identifier = test_events[0].GetIdentifier()
event_tag = events.EventTag()
event_tag.SetEventIdentifier(event_identifier)
event_tags.append(event_tag)
event_identifier = test_events[1].GetIdentifier()
event_tag = events.EventTag()
event_tag.SetEventIdentifier(event_identifier)
event_tag.AddLabel('Malware')
event_tags.append(event_tag)
event_identifier = test_events[2].GetIdentifier()
event_tag = events.EventTag()
event_tag.SetEventIdentifier(event_identifier)
event_tag.AddLabels(['Malware', 'Benign'])
event_tags.append(event_tag)
event_identifier = test_events[1].GetIdentifier()
event_tag = events.EventTag()
event_tag.SetEventIdentifier(event_identifier)
event_tag.AddLabel('Interesting')
event_tags.append(event_tag)
return event_tags
def testFormatTag(self):
"""Tests the _FormatTag function."""
output_mediator = self._CreateOutputMediator()
test_helper = formatting_helper.FieldFormattingHelper(output_mediator)
tag_string = test_helper._FormatTag(None)
self.assertEqual(tag_string, '-')
event_tag = events.EventTag()
event_tag.AddLabel('one')
event_tag.AddLabel('two')
tag_string = test_helper._FormatTag(event_tag)
self.assertEqual(tag_string, 'one two')
def testCopyToDict(self):
"""Tests the CopyToDict function."""
event_tag = events.EventTag(
comment=u'This is a test event tag.',
event_uuid=u'11fca043ea224a688137deaa8d162807')
expected_dict = {
u'comment': u'This is a test event tag.',
u'event_uuid': u'11fca043ea224a688137deaa8d162807',
u'labels': []}
test_dict = event_tag.CopyToDict()
self.assertEqual(test_dict, expected_dict)
def testEventToDict(self):
"""Tests the _EventToDict function."""
event_timestamp = timelib.Timestamp.CopyFromString(
u'2012-06-27 18:17:01+00:00')
label = u'Test'
event = ElasticTestEvent(event_timestamp)
event_tag = events.EventTag()
event_tag.uuid = event.uuid
event_tag.AddLabel(label)
event.tag = event_tag
output_mediator = self._CreateOutputMediator()
elasticsearch_helper = elastic.ElasticSearchHelper(
output_mediator, u'127.0.0.1', 9200, 1000, u'test', {},
u'test_type')
expected_dict = {
u'data_type':
u'syslog:line',
u'datetime':
u'2012-06-27T18:17:01+00:00',
u'display_name':
u'log/syslog.1',
u'filename':
u'log/syslog.1',
u'hostname':
u'ubuntu',
u'message':
u'[',
u'my_number':
123,
u'some_additional_foo':
True,
u'source_long':
u'Log File',
u'source_short':
u'LOG',
u'tag': [label],
u'text': (u'Reporter <CRON> PID: 8442 (pam_unix(cron:session): '
u'session\n closed for user root)'),
u'timestamp':
event_timestamp,
u'timestamp_desc':
u'Content Modification Time',
}
event_dict = elasticsearch_helper._GetSanitizedEventValues(event)
self.assertIsInstance(event_dict, dict)
self.assertDictContainsSubset(expected_dict, event_dict)
def testGetEventTagByEventIdentifier(self):
"""Tests the GetEventTagByEventIdentifier function."""
with shared_test_lib.TempDirectory() as temp_directory:
test_path = os.path.join(temp_directory, 'plaso.sqlite')
test_store = sqlite_file.SQLiteStorageFile()
test_store.Open(path=test_path, read_only=False)
index = 0
for event, event_data, event_data_stream in (
containers_test_lib.CreateEventsFromValues(
self._TEST_EVENTS)):
test_store.AddAttributeContainer(event_data_stream)
event_data.SetEventDataStreamIdentifier(
event_data_stream.GetIdentifier())
test_store.AddAttributeContainer(event_data)
event.SetEventDataIdentifier(event_data.GetIdentifier())
test_store.AddAttributeContainer(event)
if index == 1:
event_tag = events.EventTag()
event_tag.AddLabels(['Malware', 'Benign'])
event_identifier = event.GetIdentifier()
event_tag.SetEventIdentifier(event_identifier)
test_store.AddAttributeContainer(event_tag)
index += 1
test_store.Close()
test_store = sqlite_file.SQLiteStorageFile()
test_store.Open(path=test_path)
test_event = test_store.GetAttributeContainerByIndex(
events.EventObject.CONTAINER_TYPE, 1)
self.assertIsNotNone(test_event)
test_event_identifier = test_event.GetIdentifier()
self.assertIsNotNone(test_event_identifier)
test_event_tag = test_store.GetEventTagByEventIdentifier(
test_event_identifier)
self.assertIsNotNone(test_event_tag)
self.assertEqual(test_event_tag.labels, ['Malware', 'Benign'])
test_store.Close()
def _CreateTag(self, event_uuid, labels):
"""Creates an event tag.
Args:
event_uuid (uuid.UUID): identifier of the event that should be tagged.
labels (list[str]): labels for the gag.
Returns:
EventTag: event tag.
"""
event_tag = events.EventTag(
comment=u'Tag applied by {0:s} analysis plugin'.format(self.NAME),
event_uuid=event_uuid)
event_tag.AddLabels(labels)
return event_tag
def _CreateTestEvent(self):
"""Creates an event for testing.
Returns:
EventObject: event.
"""
event_tag = events.EventTag()
event_tag.AddLabel('Test')
event_timestamp = timelib.Timestamp.CopyFromString(
'2012-06-27 18:17:01+00:00')
event = TestEvent(event_timestamp)
event.tag = event_tag
return event
def _CreateEventTag(self, event, comment, labels):
"""Creates an event tag.
Args:
event (EventObject): event to tag.
comment (str): event tag comment.
labels (list[str]): event tag labels.
"""
event_uuid = getattr(event, u'uuid', None)
event_tag = events.EventTag(comment=comment, event_uuid=event_uuid)
event_tag.AddLabels(labels)
logging.debug(u'Created event tag: {0:s} for event: {1:s}'.format(
comment, event_uuid))
return event_tag
def testWriteSerialized(self):
"""Tests the WriteSerialized function."""
event_tag = events.EventTag(comment=self._comment,
event_uuid=self._event_uuid)
event_tag.AddLabels(self._labels)
self.assertTrue(event_tag.IsValidForSerialization())
analysis_report = reports.AnalysisReport(u'chrome_extension_test',
text=self._report_text)
analysis_report.report_dict = self._report_dict
analysis_report.time_compiled = 1431978243000000
analysis_report.SetTags([event_tag])
self._TestWriteSerialized(self._serializer, analysis_report,
self._json_dict)
def setUp(self):
"""Makes preparations before running an individual test."""
self._label = u'Test'
plaso_timestamp = timelib.Timestamp()
self._event_timestamp = plaso_timestamp.CopyFromString(
u'2012-06-27 18:17:01+00:00')
self._event_object = TimesketchTestEvent(self._event_timestamp)
self._event_tag = events.EventTag()
self._event_tag.uuid = self._event_object.uuid
self._event_tag.AddLabel(self._label)
self._event_object.tag = self._event_tag
output_mediator = self._CreateOutputMediator()
self._timesketch_output = timesketch_out.TimesketchOutputModule(
output_mediator)
def testGetSanitizedEventValues(self):
"""Tests the _GetSanitizedEventValues function."""
output_mediator = self._CreateOutputMediator()
output_module = TestElasticsearchOutputModule(output_mediator)
event, event_data = containers_test_lib.CreateEventFromValues(
self._TEST_EVENTS[0])
event_tag = events.EventTag()
event_tag.AddLabel('Test')
event_values = output_module._GetSanitizedEventValues(
event, event_data, event_tag)
expected_event_values = {
'data_type':
'syslog:line',
'datetime':
'2012-06-27T18:17:01+00:00',
'display_name':
'log/syslog.1',
'filename':
'log/syslog.1',
'hostname':
'ubuntu',
'message':
'[',
'my_number':
123,
'some_additional_foo':
True,
'source_long':
'Log File',
'source_short':
'LOG',
'tag': ['Test'],
'text': ('Reporter <CRON> PID: 8442 (pam_unix(cron:session): '
'session\n closed for user root)'),
'timestamp':
1340821021000000,
'timestamp_desc':
'Content Modification Time',
}
self.assertIsInstance(event_values, dict)
self.assertDictContainsSubset(expected_event_values, event_values)
def _CreateEventTag(self, event, comment, labels):
"""Creates an event tag.
Args:
event (EventObject): event to tag.
comment (str): event tag comment.
labels (list[str]): event tag labels.
"""
event_identifier = event.GetIdentifier()
event_tag = events.EventTag(comment=comment)
event_tag.SetEventIdentifier(event_identifier)
event_tag.AddLabels(labels)
event_identifier_string = event_identifier.CopyToString()
logging.debug('Created event tag: {0:s} for event: {1:s}'.format(
comment, event_identifier_string))
return event_tag
def testGetEventTagByEventIdentifier(self):
"""Tests the GetEventTagByEventIdentifier function."""
test_store = fake_store.FakeStore()
test_store.Open()
index = 0
for event, event_data, event_data_stream in (
containers_test_lib.CreateEventsFromValues(self._TEST_EVENTS)):
test_store.AddAttributeContainer(event_data_stream)
event_data.SetEventDataStreamIdentifier(
event_data_stream.GetIdentifier())
test_store.AddAttributeContainer(event_data)
event.SetEventDataIdentifier(event_data.GetIdentifier())
test_store.AddAttributeContainer(event)
if index == 1:
event_tag = events.EventTag()
event_tag.AddLabels(['Malware', 'Benign'])
event_identifier = event.GetIdentifier()
event_tag.SetEventIdentifier(event_identifier)
test_store.AddAttributeContainer(event_tag)
index += 1
# Do not close and reopen the fake store.
test_event = test_store.GetAttributeContainerByIndex(
events.EventObject.CONTAINER_TYPE, 1)
self.assertIsNotNone(test_event)
test_event_identifier = test_event.GetIdentifier()
self.assertIsNotNone(test_event_identifier)
test_event_tag = test_store.GetEventTagByEventIdentifier(
test_event_identifier)
self.assertIsNotNone(test_event_tag)
self.assertEqual(test_event_tag.labels, ['Malware', 'Benign'])
test_store.Close()
def _HandleHashAnalysis(self, hash_analysis):
"""Deals with the results of the analysis of a hash.
This method ensures that labels are generated for the hash,
then tags all events derived from files with that hash.
Args:
hash_analysis (HashAnalysis): hash analysis plugin's results for a given
hash.
Returns:
tuple: containing:
list[dfvfs.PathSpec]: path specifications that had the hash value
looked up.
list[str]: labels that corresponds to the hash value that was looked up.
list[EventTag]: event tags for all events that were extracted from the
path specifications.
"""
tags = []
labels = self.GenerateLabels(hash_analysis.hash_information)
path_specifications = self._hash_path_specs.pop(
hash_analysis.subject_hash)
for path_specification in path_specifications:
event_identifiers = self._event_identifiers_by_path_spec.pop(
path_specification, [])
if not labels:
continue
for event_identifier in event_identifiers:
try:
event_tag = events.EventTag()
event_tag.SetEventIdentifier(event_identifier)
event_tag.AddLabels(labels)
tags.append(event_tag)
except (TypeError, ValueError) as exception:
logger.error(
'unable to add labels to event with error: {0!s}'.
format(exception))
return path_specifications, labels, tags
