def CreateTestEventObjects():
  """Creates the event objects for testing.

  Builds three Windows Registry events through one shared Filetime helper and
  one text event from a timelib timestamp. Every event gets its parser
  attribute set to 'UNKNOWN'. All key paths, values and log text are
  synthetic fixture data that only exercise event construction.

  Returns:
    A list of event objects (instances of EventObject).
  """
  def _Tagged(event_object):
    # Every fixture event carries the same parser marker.
    event_object.parser = 'UNKNOWN'
    return event_object

  registry_fixtures = [
      (u'2012-04-20 22:38:46.929596',
       u'MY AutoRun key',
       {u'Value': u'c:/Temp/evil.exe'}),
      (u'2012-05-02 13:43:26.929596',
       u'\\HKCU\\Secret\\EvilEmpire\\Malicious_key',
       {u'Value': u'send all the exes to the other world'}),
      (u'2012-04-20 16:44:46',
       u'\\HKCU\\Windows\\Normal',
       {u'Value': u'run all the benign stuff'}),
  ]

  event_objects = []
  filetime = dfwinreg_filetime.Filetime()
  for date_time_string, key_path, values_dict in registry_fixtures:
    # CopyFromString overwrites the shared Filetime, so the timestamp is read
    # immediately after each call.
    filetime.CopyFromString(date_time_string)
    event_objects.append(_Tagged(windows_events.WindowsRegistryEvent(
        filetime.timestamp, key_path, values_dict)))

  text_dict = {
      u'hostname': u'nomachine',
      u'text': (
          u'This is a line by someone not reading the log line properly. And '
          u'since this log line exceeds the accepted 80 chars it will be '
          u'shortened.'),
      u'username': u'johndoe'
  }
  text_timestamp = timelib.Timestamp.CopyFromString(u'2009-04-05 12:27:39')
  event_objects.append(_Tagged(
      text_events.TextEvent(text_timestamp, 12, text_dict)))

  return event_objects
def CreateEvent(self, timestamp, offset, attributes):
  """Creates an event.

  Text parsers that need a more specific event object type override this
  method; the default implementation builds a TextEvent.

  Args:
    timestamp: The timestamp time value. The timestamp contains the
               number of microseconds since Jan 1, 1970 00:00:00 UTC.
    offset: The offset of the event.
    attributes: A dict that contains the events attributes.

  Returns:
    An event object (instance of TextEvent).
  """
  event_class = text_events.TextEvent
  return event_class(timestamp, offset, attributes)
def setUp(self):
  """Sets up the needed objects used throughout the test.

  Populates self._event_objects with three Windows Registry events and one
  text event (all synthetic fixture data, parser set to 'UNKNOWN') and creates
  the formatter mediator used by the tests.
  """
  CopyFromString = timelib.Timestamp.CopyFromString

  registry_events = [
      windows_events.WindowsRegistryEvent(
          CopyFromString(u'2012-04-20 22:38:46.929596'),
          u'MY AutoRun key',
          {u'Value': u'c:/Temp/evil.exe'}),
      windows_events.WindowsRegistryEvent(
          CopyFromString(u'2012-05-02 13:43:26.929596'),
          u'\\HKCU\\Secret\\EvilEmpire\\Malicious_key',
          {u'Value': u'send all the exes to the other world'}),
      windows_events.WindowsRegistryEvent(
          CopyFromString(u'2012-04-20 16:44:46.000000'),
          u'\\HKCU\\Windows\\Normal',
          {u'Value': u'run all the benign stuff'}),
  ]

  text_dict = {
      'text': (
          'This is a line by someone not reading the log line properly. And '
          'since this log line exceeds the accepted 80 chars it will be '
          'shortened.'),
      'hostname': 'nomachine',
      'username': '******'
  }
  text_event = text_events.TextEvent(
      CopyFromString(u'2009-04-05 12:27:39.000000'), 12, text_dict)

  # Order matters to the tests: registry events first, text event last.
  self._event_objects = registry_events + [text_event]
  for event_object in self._event_objects:
    event_object.parser = 'UNKNOWN'

  self._formatter_mediator = formatters_mediator.FormatterMediator()
def setUp(self):
  """Sets up the needed objects used throughout the test.

  Populates self._event_objects with three Windows Registry events and one
  text event built from hard-coded integer timestamps; every event has its
  parser attribute set to 'UNKNOWN'. All values are synthetic fixture data.
  """
  # TODO: replace hardcoded timestamps by timelib_test.CopyStringToTimestamp.
  registry_events = [
      windows_events.WindowsRegistryEvent(
          13349615269295969,
          u'MY AutoRun key',
          {u'Value': u'c:/Temp/evil.exe'}),
      windows_events.WindowsRegistryEvent(
          13359662069295961,
          u'\\HKCU\\Secret\\EvilEmpire\\Malicious_key',
          {u'Value': u'send all the exes to the other world'}),
      windows_events.WindowsRegistryEvent(
          13349402860000000,
          u'\\HKCU\\Windows\\Normal',
          {u'Value': u'run all the benign stuff'}),
  ]

  text_dict = {
      'text': (
          'This is a line by someone not reading the log line properly. And '
          'since this log line exceeds the accepted 80 chars it will be '
          'shortened.'),
      'hostname': 'nomachine',
      'username': '******'
  }
  text_event = text_events.TextEvent(12389344590000000, 12, text_dict)

  # Order matters to the tests: registry events first, text event last.
  self._event_objects = registry_events + [text_event]
  for event_object in self._event_objects:
    event_object.parser = 'UNKNOWN'
def GetEventObjects():
  """Returns a list of test event objects.

  Builds, in a fixed order, three Windows Registry events, one bare
  EventObject, three TestEvent objects and one TextEvent. Every event is
  stamped with the same hostname; all paths, key names and log text are
  synthetic fixture data.

  Returns:
    A list of event objects.
  """
  hostname = u'MYHOSTNAME'
  data_type = 'test:event'
  filename = u'c:/Temp/evil.exe'
  CopyFromString = timelib.Timestamp.CopyFromString

  def _RegistryEvent(date_time_string, key_path, values_dict):
    # Registry fixtures only get the shared hostname.
    registry_event = windows_events.WindowsRegistryEvent(
        CopyFromString(date_time_string), key_path, values_dict)
    registry_event.hostname = hostname
    return registry_event

  def _LogEvent(date_time_string, text):
    # TestEvent fixtures get the shared filename and hostname.
    log_event = TestEvent(CopyFromString(date_time_string), {u'text': text})
    log_event.filename = filename
    log_event.hostname = hostname
    return log_event

  bare_event = event.EventObject()
  bare_event.username = u'joesmith'
  bare_event.filename = u'c:/Users/joesmith/NTUSER.DAT'
  bare_event.hostname = hostname
  bare_event.timestamp = 0
  bare_event.data_type = data_type
  bare_event.text = u''

  # TODO: move this to a WindowsRegistryEvent unit test.
  event_objects = [
      _RegistryEvent(
          u'2012-04-20 22:38:46.929596', u'MY AutoRun key',
          {u'Run': u'c:/Temp/evil.exe'}),
      _RegistryEvent(
          u'2012-04-20 23:56:46.929596',
          u'//HKCU/Secret/EvilEmpire/Malicious_key',
          {u'Value': u'send all the exes to the other world'}),
      _RegistryEvent(
          u'2012-04-20 16:44:46.000000', u'//HKCU/Windows/Normal',
          {u'Value': u'run all the benign stuff'}),
  ]

  # The bare event sits between the registry events and the log events; the
  # position is part of the fixture.
  event_objects.append(bare_event)

  event_objects.extend([
      _LogEvent(
          u'2012-04-30 10:29:47.929596',
          u'This log line reads ohh so much.'),
      _LogEvent(
          u'2012-04-30 10:29:47.929596',
          u'Nothing of interest here, move on.'),
      _LogEvent(
          u'2012-04-30 13:06:47.939596',
          u'Mr. Evil just logged into the machine and got root.'),
  ])

  text_dict = {
      u'body': (
          u'This is a line by someone not reading the log line properly. And '
          u'since this log line exceeds the accepted 80 chars it will be '
          u'shortened.'),
      u'hostname': u'nomachine',
      u'username': u'johndoe'
  }
  # TODO: move this to a TextEvent unit test.
  text_event = text_events.TextEvent(
      CopyFromString(u'2012-06-05 22:14:19.000000'), 12, text_dict)
  # Mirror the body attribute into text so both names carry the same value.
  text_event.text = text_event.body
  text_event.hostname = hostname
  text_event.filename = filename
  event_objects.append(text_event)

  return event_objects