def testParse(self): """Tests the Parse function on a "generic" BSM file.""" parser = bsm.BSMParser() knowledge_base_values = { 'operating_system': definitions.OPERATING_SYSTEM_FAMILY_LINUX } storage_writer = self._ParseFile( ['openbsm.bsm'], parser, knowledge_base_values=knowledge_base_values) self.assertEqual(storage_writer.number_of_warnings, 0) self.assertEqual(storage_writer.number_of_events, 50) events = list(storage_writer.GetEvents()) expected_extra_tokens = [ [{ 'AUT_ARG32': { 'is': 2882400000, 'num_arg': 3, 'string': 'test_arg32_token' } }], [{ 'AUT_DATA': { 'data': 'SomeData', 'format': 'String' } }], [{ 'AUT_OTHER_FILE32': { 'string': 'test', 'timestamp': '1970-01-01 20:42:45.000424' } }], [{ 'AUT_IN_ADDR': { 'ip': '192.168.100.15' } }], [{ 'AUT_IP': { 'IPv4_Header': '400000145478000040010000c0a8649bc0a86e30' } }], [{ 'AUT_IPC': { 'object_id': 305419896, 'object_type': 1 } }], [{ 'AUT_IPORT': { 'port_number': 20480 } }], [{ 'AUT_OPAQUE': { 'data': 'aabbccdd' } }], [{ 'AUT_PATH': { 'path': '/test/this/is/a/test' } }], [{ 'AUT_PROCESS32': { 'aid': 305419896, 'egid': 591751049, 'euid': 19088743, 'gid': 159868227, 'pid': 321140038, 'session_id': 2542171492, 'terminal_ip': '127.0.0.1', 'terminal_port': 374945606, 'uid': -1737075662 } }], [{ 'AUT_PROCESS64': { 'aid': 305419896, 'egid': 591751049, 'euid': 19088743, 'gid': 159868227, 'pid': 321140038, 'session_id': 2542171492, 'terminal_ip': '127.0.0.1', 'terminal_port': 374945606, 'uid': -1737075662 } }], [{ 'AUT_RETURN32': { 'call_status': 305419896, 'error': 'Invalid argument', 'token_status': 22 } }], [{ 'AUT_SEQ': { 'sequence_number': 305419896 } }], [{ 'AUT_SOCKET_EX': { 'from': '127.0.0.1', 'from_port': 0, 'to': '127.0.0.1', 'to_port': 0 } }], [{ 'AUT_SUBJECT32': { 'aid': 305419896, 'egid': 591751049, 'euid': 19088743, 'gid': 159868227, 'pid': 321140038, 'session_id': 2542171492, 'terminal_ip': '127.0.0.1', 'terminal_port': 374945606, 'uid': -1737075662 } }], [{ 'AUT_SUBJECT32_EX': { 'aid': 305419896, 'egid': 591751049, 'euid': 19088743, 'gid': 159868227, 'pid': 321140038, 'session_id': 2542171492, 'terminal_ip': 'fe80:0000:0000:0000:0000:0000:0000:0001', 'terminal_port': 374945606, 'uid': -1737075662 } }], [{ 'AUT_TEXT': { 'text': 'This is a test.' } }], [{ 'AUT_ZONENAME': { 'name': 'testzone' } }], [{ 'AUT_RETURN32': { 'call_status': -1, 'error': 'Argument list too long', 'token_status': 7 } }] ] for event_index in range(0, 19): event = events[event_index] expected_extra_tokens_dict = expected_extra_tokens[event_index] extra_tokens_dict = getattr(event, 'extra_tokens', {}) self.assertEqual(extra_tokens_dict, expected_extra_tokens_dict)
def testParse(self): """Tests the Parse function on a MacOS BSM file.""" parser = bsm.BSMParser() knowledge_base_values = { 'operating_system': definitions.OPERATING_SYSTEM_FAMILY_MACOS } storage_writer = self._ParseFile( ['apple.bsm'], parser, knowledge_base_values=knowledge_base_values) self.assertEqual(storage_writer.number_of_warnings, 0) self.assertEqual(storage_writer.number_of_events, 54) events = list(storage_writer.GetEvents()) event = events[0] self.assertEqual(event.data_type, 'bsm:event') self.CheckTimestamp(event.timestamp, '2013-11-04 18:36:20.000381') self.assertEqual(event.event_type, 45029) expected_extra_tokens = [{ 'AUT_TEXT': { 'text': 'launchctl::Audit recovery' } }, { 'AUT_PATH': { 'path': '/var/audit/20131104171720.crash_recovery' } }, { 'AUT_RETURN32': { 'call_status': 0, 'error': 'Success', 'token_status': 0 } }] self.assertEqual(event.extra_tokens, expected_extra_tokens) expected_return_value = { 'call_status': 0, 'error': 'Success', 'token_status': 0 } self.assertEqual(event.return_value, expected_return_value) event = events[15] self.CheckTimestamp(event.timestamp, '2013-11-04 18:36:26.000171') self.assertEqual(event.event_type, 45023) expected_extra_tokens = [{ 'AUT_SUBJECT32': { 'aid': -1, 'egid': 92, 'euid': 92, 'gid': 92, 'pid': 143, 'session_id': 100004, 'terminal_ip': '0.0.0.0', 'terminal_port': 143, 'uid': 92 } }, { 'AUT_TEXT': { 'text': ('Verify password for record type Users \'moxilo\' node ' '\'/Local/Default\'') } }, { 'AUT_RETURN32': { 'call_status': 5000, 'error': 'UNKNOWN', 'token_status': 255 } }] self.assertEqual(event.extra_tokens, expected_extra_tokens) expected_return_value = { 'call_status': 5000, 'error': 'UNKNOWN', 'token_status': 255 } self.assertEqual(event.return_value, expected_return_value) event = events[31] self.CheckTimestamp(event.timestamp, '2013-11-04 18:36:26.000530') self.assertEqual(event.event_type, 45025) expected_extra_tokens = [{ 'AUT_SUBJECT32': { 'aid': -1, 'egid': 0, 'euid': 0, 'gid': 0, 'pid': 67, 'session_id': 100004, 'terminal_ip': '0.0.0.0', 'terminal_port': 67, 'uid': 0 } }, { 'AUT_TEXT': { 'text': 'system.login.done' } }, { 'AUT_TEXT': { 'text': 'system.login.done' } }, { 'AUT_RETURN32': { 'call_status': 0, 'error': 'Success', 'token_status': 0 } }] self.assertEqual(event.extra_tokens, expected_extra_tokens) expected_return_value = { 'call_status': 0, 'error': 'Success', 'token_status': 0 } self.assertEqual(event.return_value, expected_return_value) event = events[50] self.CheckTimestamp(event.timestamp, '2013-11-04 18:37:36.000399') self.assertEqual(event.event_type, 44903) expected_extra_tokens = [{ 'AUT_ARG64': { 'is': 0, 'num_arg': 1, 'string': 'sflags' } }, { 'AUT_ARG32': { 'is': 12288, 'num_arg': 2, 'string': 'am_success' } }, { 'AUT_ARG32': { 'is': 12288, 'num_arg': 3, 'string': 'am_failure' } }, { 'AUT_SUBJECT32': { 'aid': -1, 'egid': 0, 'euid': 0, 'gid': 0, 'pid': 0, 'session_id': 100015, 'terminal_ip': '0.0.0.0', 'terminal_port': 0, 'uid': 0 } }, { 'AUT_RETURN32': { 'call_status': 0, 'error': 'Success', 'token_status': 0 } }] self.assertEqual(event.extra_tokens, expected_extra_tokens) expected_return_value = { 'call_status': 0, 'error': 'Success', 'token_status': 0 } self.assertEqual(event.return_value, expected_return_value)
def testParse(self): """Tests the Parse function on a "generic" BSM file.""" parser = bsm.BSMParser() knowledge_base_values = { 'operating_system': definitions.OPERATING_SYSTEM_LINUX } storage_writer = self._ParseFile( ['openbsm.bsm'], parser, knowledge_base_values=knowledge_base_values) self.assertEqual(storage_writer.number_of_events, 50) events = list(storage_writer.GetEvents()) expected_extra_tokens = [{ 'BSM_TOKEN_ARGUMENT32': { 'is': 2882400000, 'num_arg': 3, 'string': 'test_arg32_token' }, 'BSM_TOKEN_TRAILER': 50 }, { 'BSM_TOKEN_DATA': { 'data': 'SomeData', 'format': 'String' }, 'BSM_TOKEN_TRAILER': 39 }, { 'BSM_TOKEN_FILE': { 'string': 'test', 'timestamp': '1970-01-01 20:42:45.000424' }, 'BSM_TOKEN_TRAILER': 41 }, { 'BSM_TOKEN_ADDR': '192.168.100.15', 'BSM_TOKEN_TRAILER': 30 }, { 'BSM_TOKEN_TRAILER': 46, 'IPv4_Header': '0x400000145478000040010000c0a8649bc0a86e30]' }, { 'BSM_TOKEN_IPC': { 'object_id': 305419896, 'object_type': 1 }, 'BSM_TOKEN_TRAILER': 31 }, { 'BSM_TOKEN_PORT': 20480, 'BSM_TOKEN_TRAILER': 28 }, { 'BSM_TOKEN_OPAQUE': 'aabbccdd', 'BSM_TOKEN_TRAILER': 32 }, { 'BSM_TOKEN_PATH': '/test/this/is/a/test', 'BSM_TOKEN_TRAILER': 49 }, { 'BSM_TOKEN_PROCESS32': { 'aid': 305419896, 'egid': 591751049, 'euid': 19088743, 'gid': 159868227, 'pid': 321140038, 'session_id': 2542171492, 'terminal_ip': '127.0.0.1', 'terminal_port': 374945606, 'uid': 2557891634 }, 'BSM_TOKEN_TRAILER': 62 }, { 'BSM_TOKEN_PROCESS64': { 'aid': 305419896, 'egid': 591751049, 'euid': 19088743, 'gid': 159868227, 'pid': 321140038, 'session_id': 2542171492, 'terminal_ip': '127.0.0.1', 'terminal_port': 374945606, 'uid': 2557891634 }, 'BSM_TOKEN_TRAILER': 66 }, { 'BSM_TOKEN_RETURN32': { 'call_status': 305419896, 'error': 'Invalid argument', 'token_status': 22 }, 'BSM_TOKEN_TRAILER': 31 }, { 'BSM_TOKEN_SEQUENCE': 305419896, 'BSM_TOKEN_TRAILER': 30 }, { 'BSM_TOKEN_AUT_SOCKINET32_EX': { 'from': '127.0.0.1', 'from_port': 0, 'to': '127.0.0.1', 'to_port': 0 }, 'BSM_TOKEN_TRAILER': 44 }, { 'BSM_TOKEN_SUBJECT32': { 'aid': 305419896, 'egid': 591751049, 'euid': 19088743, 'gid': 159868227, 'pid': 321140038, 'session_id': 2542171492, 'terminal_ip': '127.0.0.1', 'terminal_port': 374945606, 'uid': 2557891634 }, 'BSM_TOKEN_TRAILER': 62 }, { 'BSM_TOKEN_SUBJECT32_EX': { 'aid': 305419896, 'egid': 591751049, 'euid': 19088743, 'gid': 159868227, 'pid': 321140038, 'session_id': 2542171492, 'terminal_ip': 'fe80::1', 'terminal_port': 374945606, 'uid': 2557891634 }, 'BSM_TOKEN_TRAILER': 78 }, { 'BSM_TOKEN_TEXT': 'This is a test.', 'BSM_TOKEN_TRAILER': 44 }, { 'BSM_TOKEN_TRAILER': 37, 'BSM_TOKEN_ZONENAME': 'testzone' }, { 'BSM_TOKEN_RETURN32': { 'call_status': 4294967295, 'error': 'Argument list too long', 'token_status': 7 }, 'BSM_TOKEN_TRAILER': 31 }] for event_index in range(0, 19): event = events[event_index] expected_extra_tokens_dict = expected_extra_tokens[event_index] extra_tokens_dict = getattr(event, 'extra_tokens', {}) self.CheckDictContents(extra_tokens_dict, expected_extra_tokens_dict)
def testParse(self): """Tests the Parse function on a MacOS BSM file.""" parser = bsm.BSMParser() knowledge_base_values = { 'operating_system': definitions.OPERATING_SYSTEM_MACOS } storage_writer = self._ParseFile( ['apple.bsm'], parser, knowledge_base_values=knowledge_base_values) self.assertEqual(storage_writer.number_of_events, 54) events = list(storage_writer.GetEvents()) event = events[0] self.assertEqual(event.data_type, 'bsm:event') self.CheckTimestamp(event.timestamp, '2013-11-04 18:36:20.000381') self.assertEqual(event.event_type, 'audit crash recovery (45029)') expected_extra_tokens = { 'BSM_TOKEN_PATH': '/var/audit/20131104171720.crash_recovery', 'BSM_TOKEN_RETURN32': { 'call_status': 0, 'error': 'Success', 'token_status': 0 }, 'BSM_TOKEN_TEXT': 'launchctl::Audit recovery', 'BSM_TOKEN_TRAILER': 104 } self.assertEqual(event.extra_tokens, expected_extra_tokens) expected_return_value = { 'call_status': 0, 'error': 'Success', 'token_status': 0 } self.assertEqual(event.return_value, expected_return_value) event = events[15] self.CheckTimestamp(event.timestamp, '2013-11-04 18:36:26.000171') self.assertEqual(event.event_type, 'user authentication (45023)') expected_extra_tokens = { 'BSM_TOKEN_RETURN32': { 'call_status': 5000, 'error': 'Unknown', 'token_status': 255 }, 'BSM_TOKEN_SUBJECT32': { 'aid': 4294967295, 'egid': 92, 'euid': 92, 'gid': 92, 'pid': 143, 'session_id': 100004, 'terminal_ip': '0.0.0.0', 'terminal_port': 143, 'uid': 92 }, 'BSM_TOKEN_TEXT': ('Verify password for record type Users \'moxilo\' node ' '\'/Local/Default\''), 'BSM_TOKEN_TRAILER': 140 } self.assertEqual(event.extra_tokens, expected_extra_tokens) expected_return_value = { 'call_status': 5000, 'error': 'Unknown', 'token_status': 255 } self.assertEqual(event.return_value, expected_return_value) event = events[31] self.CheckTimestamp(event.timestamp, '2013-11-04 18:36:26.000530') self.assertEqual(event.event_type, 'SecSrvr AuthEngine (45025)') expected_extra_tokens = { 'BSM_TOKEN_RETURN32': { 'call_status': 0, 'error': 'Success', 'token_status': 0 }, 'BSM_TOKEN_SUBJECT32': { 'aid': 4294967295, 'egid': 0, 'euid': 0, 'gid': 0, 'pid': 67, 'session_id': 100004, 'terminal_ip': '0.0.0.0', 'terminal_port': 67, 'uid': 0 }, 'BSM_TOKEN_TEXT': 'system.login.done', 'BSM_TOKEN_TRAILER': 110 } self.assertEqual(event.extra_tokens, expected_extra_tokens) expected_return_value = { 'call_status': 0, 'error': 'Success', 'token_status': 0 } self.assertEqual(event.return_value, expected_return_value) event = events[50] self.CheckTimestamp(event.timestamp, '2013-11-04 18:37:36.000399') self.assertEqual(event.event_type, 'session end (44903)') expected_extra_tokens = { 'BSM_TOKEN_ARGUMENT32': { 'is': 12288, 'num_arg': 3, 'string': 'am_failure' }, 'BSM_TOKEN_ARGUMENT64': { 'is': 0, 'num_arg': 1, 'string': 'sflags' }, 'BSM_TOKEN_RETURN32': { 'call_status': 0, 'error': 'Success', 'token_status': 0 }, 'BSM_TOKEN_SUBJECT32': { 'aid': 4294967295, 'egid': 0, 'euid': 0, 'gid': 0, 'pid': 0, 'session_id': 100015, 'terminal_ip': '0.0.0.0', 'terminal_port': 0, 'uid': 0 }, 'BSM_TOKEN_TRAILER': 125 } self.assertEqual(event.extra_tokens, expected_extra_tokens) expected_return_value = { 'call_status': 0, 'error': 'Success', 'token_status': 0 } self.assertEqual(event.return_value, expected_return_value)
def testParse(self): """Tests the Parse function on a MacOS BSM file.""" parser = bsm.BSMParser() storage_writer = self._ParseFile(['apple.bsm'], parser) number_of_events = storage_writer.GetNumberOfAttributeContainers( 'event') self.assertEqual(number_of_events, 54) number_of_warnings = storage_writer.GetNumberOfAttributeContainers( 'extraction_warning') self.assertEqual(number_of_warnings, 0) number_of_warnings = storage_writer.GetNumberOfAttributeContainers( 'recovery_warning') self.assertEqual(number_of_warnings, 0) events = list(storage_writer.GetEvents()) expected_extra_tokens = [{ 'AUT_TEXT': { 'text': 'launchctl::Audit recovery' } }, { 'AUT_PATH': { 'path': '/var/audit/20131104171720.crash_recovery' } }, { 'AUT_RETURN32': { 'call_status': 0, 'error': 'Success', 'token_status': 0 } }] expected_return_value = ( '{\'error\': \'Success\', \'token_status\': 0, \'call_status\': 0}' ) expected_event_values = { 'data_type': 'bsm:event', 'date_time': '2013-11-04 18:36:20.000381', 'event_type': 45029, 'extra_tokens': expected_extra_tokens, 'return_value': expected_return_value } self.CheckEventValues(storage_writer, events[0], expected_event_values) expected_extra_tokens = [{ 'AUT_SUBJECT32': { 'aid': -1, 'egid': 92, 'euid': 92, 'gid': 92, 'pid': 143, 'session_id': 100004, 'terminal_ip': '0.0.0.0', 'terminal_port': 143, 'uid': 92 } }, { 'AUT_TEXT': { 'text': ('Verify password for record type Users \'moxilo\' node ' '\'/Local/Default\'') } }, { 'AUT_RETURN32': { 'call_status': 5000, 'error': 'UNKNOWN', 'token_status': 255 } }] expected_return_value = ( '{\'error\': \'UNKNOWN\', \'token_status\': 255, ' '\'call_status\': 5000}') expected_event_values = { 'data_type': 'bsm:event', 'date_time': '2013-11-04 18:36:26.000171', 'event_type': 45023, 'extra_tokens': expected_extra_tokens, 'return_value': expected_return_value } self.CheckEventValues(storage_writer, events[15], expected_event_values) expected_extra_tokens = [{ 'AUT_SUBJECT32': { 'aid': -1, 'egid': 0, 'euid': 0, 'gid': 0, 'pid': 67, 'session_id': 100004, 'terminal_ip': '0.0.0.0', 'terminal_port': 67, 'uid': 0 } }, { 'AUT_TEXT': { 'text': 'system.login.done' } }, { 'AUT_TEXT': { 'text': 'system.login.done' } }, { 'AUT_RETURN32': { 'call_status': 0, 'error': 'Success', 'token_status': 0 } }] expected_return_value = ( '{\'error\': \'Success\', \'token_status\': 0, \'call_status\': 0}' ) expected_event_values = { 'data_type': 'bsm:event', 'date_time': '2013-11-04 18:36:26.000530', 'event_type': 45025, 'extra_tokens': expected_extra_tokens, 'return_value': expected_return_value } self.CheckEventValues(storage_writer, events[31], expected_event_values) expected_extra_tokens = [{ 'AUT_ARG64': { 'is': 0, 'num_arg': 1, 'string': 'sflags' } }, { 'AUT_ARG32': { 'is': 12288, 'num_arg': 2, 'string': 'am_success' } }, { 'AUT_ARG32': { 'is': 12288, 'num_arg': 3, 'string': 'am_failure' } }, { 'AUT_SUBJECT32': { 'aid': -1, 'egid': 0, 'euid': 0, 'gid': 0, 'pid': 0, 'session_id': 100015, 'terminal_ip': '0.0.0.0', 'terminal_port': 0, 'uid': 0 } }, { 'AUT_RETURN32': { 'call_status': 0, 'error': 'Success', 'token_status': 0 } }] expected_return_value = ( '{\'error\': \'Success\', \'token_status\': 0, \'call_status\': 0}' ) expected_event_values = { 'data_type': 'bsm:event', 'date_time': '2013-11-04 18:37:36.000399', 'event_type': 44903, 'extra_tokens': expected_extra_tokens, 'return_value': expected_return_value } self.CheckEventValues(storage_writer, events[50], expected_event_values)