def get_systemd_model():
"""Return the parsing model for messages directly from systemd."""
type_children = [
FixedDataModelElement('apt-daily-start',
b'Starting Daily apt activities...'),
FixedDataModelElement('apt-daily-started',
b'Started Daily apt activities.'),
SequenceModelElement('apt-daily-timer', [
FixedDataModelElement('s0', b'apt-daily.timer: Adding '),
OptionalMatchModelElement(
'hopt',
SequenceModelElement('hblock', [
DecimalIntegerValueModelElement('hours'),
FixedDataModelElement('s1', b'h ')
])),
DecimalIntegerValueModelElement('minutes'),
FixedDataModelElement('s2', b'min '),
DecimalFloatValueModelElement('seconds'),
FixedDataModelElement('s3', b's random time.')
]),
FixedDataModelElement('tmp-file-cleanup',
b'Starting Cleanup of Temporary Directories...'),
FixedDataModelElement('tmp-file-cleanup-started',
b'Started Cleanup of Temporary Directories.')
]
model = SequenceModelElement('systemd', [
FixedDataModelElement('sname', b'systemd['),
DecimalIntegerValueModelElement('pid'),
FixedDataModelElement('s0', b']: '),
FirstMatchModelElement('msg', type_children)
])
return model
def get_model():
new_time_model = DateTimeModelElement('time', b'[%d/%b/%Y:%H:%M:%S +0000]')
host_name_model = VariableByteDataModelElement(
'host', b'-.01234567890abcdefghijklmnopqrstuvwxyz:')
identity_model = VariableByteDataModelElement(
'ident', b'-.01234567890abcdefghijklmnopqrstuvwxyz:')
user_name_model = VariableByteDataModelElement(
'user', b'0123456789abcdefghijklmnopqrstuvwxyz.-')
request_method_model = FixedWordlistDataModelElement(
'method', [
b'GET', b'POST', b'PUT', b'HEAD', b'DELETE', b'CONNECT',
b'OPTIONS', b'TRACE', b'PATCH'
])
request_model = VariableByteDataModelElement(
'request',
b'0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ.-/()[]{}!$%&=<?*+'
)
version_model = VariableByteDataModelElement('version', b'0123456789.')
status_code_model = DecimalIntegerValueModelElement('status')
size_model = DecimalIntegerValueModelElement('size')
user_agent_model = VariableByteDataModelElement(
'useragent',
b'0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ.-/()[]{}!$%&=<?*+;:_ '
)
whitespace_str = b' '
model = SequenceModelElement('accesslog', [
host_name_model,
FixedDataModelElement('sp0', whitespace_str),
identity_model,
FixedDataModelElement('sp1', whitespace_str),
user_name_model,
FixedDataModelElement('sp2', whitespace_str),
new_time_model,
FixedDataModelElement('sp3', b' "'),
request_method_model,
FixedDataModelElement('sp4', whitespace_str),
request_model,
FixedDataModelElement('sp5', b' HTTP/'),
version_model,
FixedDataModelElement('sp6', b'" '),
status_code_model,
FixedDataModelElement('sp7', whitespace_str),
size_model,
FixedDataModelElement('sp8', b' "-" "'),
user_agent_model,
FixedDataModelElement('sp9', b'"'),
])
return model
def get_model():
"""Return a model to parse a su session information message after any standard logging preamble, e.g. from syslog."""
type_children = [
SequenceModelElement('gidchange', [
FixedDataModelElement('s0', b'rsyslogd\'s groupid changed to '),
DecimalIntegerValueModelElement('gid')
]),
SequenceModelElement('statechange', [
FixedDataModelElement('s0',
b'[origin software="rsyslogd" swVersion="'),
DelimitedDataModelElement('version', b'"'),
FixedDataModelElement('s1', b'" x-pid="'),
DecimalIntegerValueModelElement('pid'),
FixedDataModelElement('s2',
b'" x-info="http://www.rsyslog.com"] '),
FirstMatchModelElement('type', [
FixedDataModelElement('HUPed', b'rsyslogd was HUPed'),
FixedDataModelElement('start', b'start')
])
]),
SequenceModelElement('uidchange', [
FixedDataModelElement('s0', b'rsyslogd\'s userid changed to '),
DecimalIntegerValueModelElement('uid')
])
]
model = SequenceModelElement('rsyslog', [
FixedDataModelElement('sname', b'rsyslogd: '),
FirstMatchModelElement('msg', type_children)
])
return model
def get_model(time_model=None):
"""This function defines the model for parsing a standard syslog preamble including timestamp and hostname.
@param time_model when not none, the given model element is used for parsing timestamps. Otherwise a standard DateTimeModelElement
with format b'%b %d %H:%M:%S' is created. CAVEAT: the standard model may not work when log data timestamp locale does not match
host or shell environment locale. See MultiLocaleDatetime_modelElement instead."""
if time_model is None:
time_model = DateTimeModelElement('time', b'%b %d %H:%M:%S')
host_name_model = VariableByteDataModelElement(
'host', b'-.01234567890abcdefghijklmnopqrstuvwxyz')
model = SequenceModelElement('syslog', [
time_model,
FixedDataModelElement('sp0', b' '), host_name_model,
FixedDataModelElement('sp1', b' ')
])
return model
def getLogindModel(userNameModel=None):
"""This function defines how to parse a systemd logind daemon
message after any standard logging preamble, e.g. from syslog."""
if userNameModel is None:
userNameModel = VariableByteDataModelElement(
'user', b'0123456789abcdefghijklmnopqrstuvwxyz-')
typeChildren = []
# FIXME: Will fail on username models including the dot at the end.
typeChildren.append(
SequenceModelElement('new session', [
FixedDataModelElement('s0', b'New session '),
DecimalIntegerValueModelElement('session'),
FixedDataModelElement('s1', b' of user '), userNameModel,
FixedDataModelElement('s2', b'.')
]))
typeChildren.append(
SequenceModelElement('removed session', [
FixedDataModelElement('s0', b'Removed session '),
DecimalIntegerValueModelElement('session'),
FixedDataModelElement('s1', b'.')
]))
model = SequenceModelElement('systemd-logind', [
FixedDataModelElement('sname', b'systemd-logind['),
DecimalIntegerValueModelElement('pid'),
FixedDataModelElement('s0', b']: '),
FirstMatchModelElement('msg', typeChildren)
])
return model
def getModel():
"""This function defines how to parse messages from kernel logging."""
typeChildren = []
typeChildren.append(
SequenceModelElement('ipv4-martian', [
FixedDataModelElement('s0', b'IPv4: martian '),
FixedWordlistDataModelElement('direction',
[b'source', b'destination']),
FixedDataModelElement('s1', b' '),
IpAddressDataModelElement('destination'),
FixedDataModelElement('s2', b' from '),
IpAddressDataModelElement('source'),
FixedDataModelElement('s3', b', on dev '),
AnyByteDataModelElement('interface')
]))
typeChildren.append(
SequenceModelElement('net-llheader', [
FixedDataModelElement('s0', b'll header: '),
AnyByteDataModelElement('data')
]))
typeChildren.append(AnyByteDataModelElement('unparsed'))
model = SequenceModelElement('kernel', [
FixedDataModelElement('sname', b'kernel: ['),
DelimitedDataModelElement('timestamp', b']'),
FixedDataModelElement('s0', b'] '),
FirstMatchModelElement('msg', typeChildren)
])
return model
def get_model():
"""This method returns the model."""
type_children = [
FixedDataModelElement('start',
b' * Starting Tomcat servlet engine tomcat7'),
FixedDataModelElement('stop',
b' * Stopping Tomcat servlet engine tomcat7'),
FixedDataModelElement('done', b' ...done.'),
AnyByteDataModelElement('unparsed')
]
model = SequenceModelElement('tomcat7', [
FixedDataModelElement('sname', b'tomcat7['),
DecimalIntegerValueModelElement('pid'),
FixedDataModelElement('s0', b']: '),
FirstMatchModelElement('msg', type_children)
])
return model
def get_tmp_files_model():
"""This function defines how to parse a systemd tmpfiles daemon message after any standard logging preamble, e.g. from syslog."""
type_children = [
SequenceModelElement('duplicate', [
FixedDataModelElement('s0', b'[/usr/lib/tmpfiles.d/var.conf:14] Duplicate line for path "'),
DelimitedDataModelElement('path', b'", ignoring.'),
FixedDataModelElement('s2', b'", ignoring.')
])
]
# Will fail on username models including the dot at the end.
model = SequenceModelElement('systemd-tmpfiles', [
FixedDataModelElement('sname', b'systemd-tmpfiles['),
DecimalIntegerValueModelElement('pid'),
FixedDataModelElement('s0', b']: '),
FirstMatchModelElement('msg', type_children)
])
return model
def get_model():
"""This method returns the model."""
type_children = [
FixedDataModelElement(
'warn-no-openat',
b'WARNING: SECURITY: No secure open yet due to missing openat in python!'
),
FixedDataModelElement(
'warn-no-OPATH',
b'WARNING: SECURITY: Open should use O_PATH, but not yet available in python'
),
FixedDataModelElement(
'warn-POSIX-acls',
b'WARNING: SECURITY: No checking for backdoor access via \
POSIX ACLs, use "getfacl" from "acl" package to check manually.'),
FixedDataModelElement(
'warn-no-linkat',
b'WARNING: SECURITY: unsafe unlink (unavailable unlinkat/linkat \
should be used, but not available in python)'),
AnyByteDataModelElement('unparsed')
]
model = SequenceModelElement('aminer', [
FixedDataModelElement('sname', b'AMiner['),
DecimalIntegerValueModelElement('pid'),
FixedDataModelElement('s0', b']: '),
FirstMatchModelElement('msg', type_children)
])
return model
class TimeCorrelationDetectorTest(TestBase):
__expected_string = '%s Correlation report\nTimeCorrelationDetector: "%s" (%d lines)\n '
string = b'25537 uid=2'
datetime_format_string = '%Y-%m-%d %H:%M:%S'
fixed_dme = FixedDataModelElement('s1', string)
decimal_integer_value_me = DecimalIntegerValueModelElement('d1', DecimalIntegerValueModelElement.SIGN_TYPE_NONE,
DecimalIntegerValueModelElement.PAD_TYPE_NONE)
match_context_first_match_me = MatchContext(string)
first_match_me = FirstMatchModelElement('f1', [fixed_dme, decimal_integer_value_me])
match_element_first_match_me = first_match_me.get_match_element('first', match_context_first_match_me)
match_context_first_match_me2 = MatchContext(string)
first_match_me2 = FirstMatchModelElement('f2', [decimal_integer_value_me, fixed_dme])
match_element_first_match_me2 = first_match_me2.get_match_element('second', match_context_first_match_me2)
def test1_normal_report(self):
"""This test case unit the creation of a report. As the rules are chosen randomly this test can not be very specific in checking
the actual values of the report."""
description = "Test1TimeCorrelationDetector"
time_correlation_detector = TimeCorrelationDetector(self.aminer_config, 2, 1, 0, [self.stream_printer_event_handler],
record_count_before_event=10)
self.analysis_context.register_component(time_correlation_detector, component_name=description)
t = time.time()
for i in range(0, 10):
logAtomSequenceME = LogAtom(self.fixed_dme.fixed_data, ParserMatch(self.match_element_first_match_me), t,
time_correlation_detector)
time_correlation_detector.receive_atom(logAtomSequenceME)
self.assertTrue(self.output_stream.getvalue().startswith(
self.__expected_string % (datetime.fromtimestamp(t).strftime(self.datetime_format_string), description, 10)))
self.reset_output_stream()
for i in range(0, 10):
logAtomSequenceME = LogAtom(self.fixed_dme.fixed_data, ParserMatch(self.match_element_first_match_me), t + i,
time_correlation_detector)
time_correlation_detector.receive_atom(logAtomSequenceME)
self.assertTrue(self.output_stream.getvalue().startswith(
self.__expected_string % (datetime.fromtimestamp(t + 9).strftime(self.datetime_format_string), description, 20)))
self.reset_output_stream()
for i in range(10, 15):
logAtomSequenceME = LogAtom(self.fixed_dme.fixed_data, ParserMatch(self.match_element_first_match_me), t + i,
time_correlation_detector)
time_correlation_detector.receive_atom(logAtomSequenceME)
logAtomSequenceME2 = LogAtom(self.fixed_dme.fixed_data, ParserMatch(self.match_element_first_match_me2), t + i,
time_correlation_detector)
time_correlation_detector.receive_atom(logAtomSequenceME2)
self.assertTrue(self.output_stream.getvalue().startswith(
self.__expected_string % (datetime.fromtimestamp(t + 14).strftime(self.datetime_format_string), description, 30)))
def getModel(timeModel=None):
timeModel = DateTimeModelElement('time', b'[%d/%b/%Y:%H:%M:%S +0000]')
hostNameModel = VariableByteDataModelElement('host', b'-.01234567890abcdefghijklmnopqrstuvwxyz:')
identityModel = VariableByteDataModelElement('ident', b'-.01234567890abcdefghijklmnopqrstuvwxyz:')
userNameModel = VariableByteDataModelElement('user', b'0123456789abcdefghijklmnopqrstuvwxyz.-')
requestMethodModel = FixedWordlistDataModelElement('method', [b'GET', b'POST', b'PUT', b'HEAD', b'DELETE', b'CONNECT', b'OPTIONS', b'TRACE', b'PATCH'])
requestModel = VariableByteDataModelElement('request', b'0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ.-/()[]{}!$%&=<?*+')
versionModel = VariableByteDataModelElement('version', b'0123456789.')
statuscodeModel = DecimalIntegerValueModelElement('status')
sizeModel = DecimalIntegerValueModelElement('size')
useragentModel = VariableByteDataModelElement('useragent', b'0123456789abcdefghijklmnopqrstuvwxyz.-/()[]{}!$%&=<?*+')
model = SequenceModelElement('accesslog', [
hostNameModel,
FixedDataModelElement('sp0', b' '),
identityModel,
FixedDataModelElement('sp1', b' '),
userNameModel,
FixedDataModelElement('sp2', b' '),
timeModel,
FixedDataModelElement('sp3', b' "'),
requestMethodModel,
FixedDataModelElement('sp4', b' '),
requestModel,
FixedDataModelElement('sp5', b' HTTP/'),
versionModel,
# AnyByteDataModelElement('any')
FixedDataModelElement('sp6', b'" '),
statuscodeModel,
FixedDataModelElement('sp7', b' '),
sizeModel,
FixedDataModelElement('sp8', b' "-" "'),
useragentModel,
FixedDataModelElement('sp9', b'"'),
])
return model
def run_match_value_stream_writer(self, number_of_pathes):
results = [None] * self.iterations
avg = 0
z = 0
while z < self.iterations:
i = 0
path_list = []
parsing_model = []
while i < number_of_pathes / 2:
path_list.append('match/integer/d' + str(i % number_of_pathes))
path_list.append('match/integer/s' + str(i % number_of_pathes))
parsing_model.append(
DecimalIntegerValueModelElement(
'd' + str(i % number_of_pathes),
DecimalIntegerValueModelElement.SIGN_TYPE_NONE,
DecimalIntegerValueModelElement.PAD_TYPE_NONE))
parsing_model.append(
FixedDataModelElement('s' + str(i % number_of_pathes),
b' Euro '))
i = i + 1
sequence_model_element = SequenceModelElement(
'integer', parsing_model)
match_value_stream_writer = MatchValueStreamWriter(
self.output_stream, path_list, b';', b'-')
t = time.time()
seconds = time.time()
i = 0
while int(time.time() - seconds) < self.waiting_time:
data = b''
p = process_time()
for j in range(
1,
int(number_of_pathes / 2) + number_of_pathes % 2 + 1):
data = data + str(j).encode() + b' Euro '
seconds = seconds + process_time() - p
match_context = MatchContext(data)
match_element = sequence_model_element.get_match_element(
'match', match_context)
log_atom = LogAtom(match_element.match_object,
ParserMatch(match_element), t,
match_value_stream_writer)
match_value_stream_writer.receive_atom(log_atom)
i = i + 1
results[z] = i
z = z + 1
avg = avg + i
avg = avg / self.iterations
type(self).result = self.result + self.result_string % (
match_value_stream_writer.__class__.__name__, avg, results,
self.different_pathes % number_of_pathes)
def getModel():
"""This function returns the model."""
typeChildren = []
typeChildren.append(SequenceModelElement('sent', [
FixedDataModelElement('s0', b'Sent mail for '),
DelimitedDataModelElement('to-addr', b' ('),
FixedDataModelElement('s1', b' ('),
DelimitedDataModelElement('status', b') uid='),
FixedDataModelElement('s2', b') uid='),
DecimalIntegerValueModelElement('uid'),
FixedDataModelElement('s3', b' username='******'username', b' outbytes='),
FixedDataModelElement('s4', b' outbytes='),
DecimalIntegerValueModelElement('bytes'),
]))
model = SequenceModelElement('ssmtp', [
FixedDataModelElement('sname', b'sSMTP['),
DecimalIntegerValueModelElement('pid'),
FixedDataModelElement('s0', b']: '),
FirstMatchModelElement('msg', typeChildren)])
return model
class JsonConverterHandlerTest(TestBase):
"""Unittests for the JsonConverterHandler."""
output_log_line = True
match_context = MatchContext(b' pid=')
fixed_dme = FixedDataModelElement('s1', b' pid=')
match_element = fixed_dme.get_match_element("match", match_context)
t = time.time()
test_detector = 'Analysis.TestDetector'
event_message = 'An event happened!'
sorted_log_lines = ['Event happend at /path/ 5 times.', '', '', '', '']
persistence_id = 'Default'
description = 'jsonConverterHandlerDescription'
expected_string = '%s %s\n%s: "%s" (5 lines)\n {\n "AnalysisComponent": {\n "AnalysisComponentIdentifier": 0,\n' \
' "AnalysisComponentType": "%s",\n "AnalysisComponentName": "%s",\n "Message": "%s",\n' \
' "PersistenceFileName": "%s",\n "AffectedParserPaths": [\n "test/path/1",\n' \
' "test/path/2"\n ]\n },\n "LogData": {\n "RawLogData": [\n " pid="\n ],\n ' \
'"Timestamps": [\n %s\n ],\n "LogLinesCount": 5,\n' \
' "AnnotatedMatchElement": "match/s1: b\' pid=\'"\n }%s\n}\n\n'
def test1receive_expected_event(self):
"""In this test case a normal Event happens and the json output should be sent to a StreamPrinterEventHandler."""
json_converter_handler = JsonConverterHandler(
[self.stream_printer_event_handler], self.analysis_context)
log_atom = LogAtom(self.fixed_dme.fixed_data,
ParserMatch(self.match_element), self.t, self)
self.analysis_context.register_component(self, self.description)
event_data = {
'AnalysisComponent': {
'AffectedParserPaths': ['test/path/1', 'test/path/2']
}
}
json_converter_handler.receive_event(self.test_detector,
self.event_message,
self.sorted_log_lines, event_data,
log_atom, self)
self.assertEqual(
self.output_stream.getvalue(), self.expected_string %
(datetime.fromtimestamp(self.t).strftime("%Y-%m-%d %H:%M:%S"),
self.event_message, self.__class__.__name__, self.description,
self.__class__.__name__, self.description, self.event_message,
self.persistence_id, round(self.t, 2), ""))
def test2receive_event_with_same_event_data_attributes(self):
"""In this test case an attribute of AnalysisComponent is overwritten and an JsonError attribute is expected."""
json_converter_handler = JsonConverterHandler(
[self.stream_printer_event_handler], self.analysis_context)
log_atom = LogAtom(self.fixed_dme.fixed_data,
ParserMatch(self.match_element), self.t, self)
self.analysis_context.register_component(self, self.description)
event_data = {
'AnalysisComponent': {
'AffectedParserPaths': ['test/path/1', 'test/path/2'],
'Message': 'An other event happened too!'
}
}
json_converter_handler.receive_event(self.test_detector,
self.event_message,
self.sorted_log_lines, event_data,
log_atom, self)
self.assertEqual(
self.output_stream.getvalue(), self.expected_string %
(datetime.fromtimestamp(self.t).strftime("%Y-%m-%d %H:%M:%S"),
self.event_message, self.__class__.__name__, self.description,
self.__class__.__name__, self.description, self.event_message,
self.persistence_id, round(float("%.2f" % self.t), 2),
',\n "JsonError": "AnalysisComponent attribute \'Message\' is already in use and can not be overwritten!\\n"'
))
class KafkaEventHandlerTest(TestBase):
output_log_line = True
kafka_topic = 'test_topic'
kafka_group = 'test_group'
consumer = None
match_context = MatchContext(b' pid=')
fixed_dme = FixedDataModelElement('s1', b' pid=')
other_data = 4
match_element = fixed_dme.get_match_element("match", match_context)
description = 'jsonConverterHandlerDescription'
t = time.time()
persistence_id = 'Default'
test_detector = 'Analysis.TestDetector'
event_message = 'An event happened!'
sorted_log_lines = ['Event happend at /path/ 5 times.', '', '', '', '']
expected_string = '%s %s\n%s: "%s" (5 lines)\n {\n "AnalysisComponent": {\n "AnalysisComponentIdentifier": 0,\n' \
' "AnalysisComponentType": "%s",\n "AnalysisComponentName": "%s",\n "Message": "%s",\n' \
' "PersistenceFileName": "%s",\n "AffectedParserPaths": [\n "test/path/1",\n' \
' "test/path/2"\n ]\n },\n "LogData": {\n "RawLogData": [\n " pid="\n ],\n ' \
'"Timestamps": [\n %s\n ],\n "LogLinesCount": 5,\n' \
' "AnnotatedMatchElement": "match/s1: b\' pid=\'"\n }%s\n}\n\n'
@classmethod
def setUpClass(cls):
cls.consumer = KafkaConsumer(cls.kafka_topic,
bootstrap_servers=['localhost:9092'],
enable_auto_commit=True,
consumer_timeout_ms=10000,
group_id=cls.kafka_group,
value_deserializer=lambda x: x.decode(),
api_version=(2, 0, 1),
auto_offset_reset='earliest')
@classmethod
def tearDownClass(cls):
cls.consumer.close()
def test1receive_serialized_data(self):
"""This unittest tests the receive_event method with serialized data from the JsonConverterHandler."""
json_converter_handler = JsonConverterHandler(
[self.stream_printer_event_handler], self.analysis_context)
log_atom = LogAtom(self.fixed_dme.fixed_data,
ParserMatch(self.match_element), self.t, self)
self.analysis_context.register_component(self, self.description)
event_data = {
'AnalysisComponent': {
'AffectedParserPaths': ['test/path/1', 'test/path/2']
}
}
json_converter_handler.receive_event(self.test_detector,
self.event_message,
self.sorted_log_lines, event_data,
log_atom, self)
output = self.output_stream.getvalue()
kafka_event_handler = KafkaEventHandler(
self.analysis_context, self.kafka_topic, {
'bootstrap_servers': ['localhost:9092'],
'api_version': (2, 0, 1)
})
self.assertTrue(
kafka_event_handler.receive_event(self.test_detector,
self.event_message,
self.sorted_log_lines, output,
log_atom, self))
self.assertEqual(
self.consumer.__next__().value, self.expected_string %
(datetime.fromtimestamp(self.t).strftime("%Y-%m-%d %H:%M:%S"),
self.event_message, self.__class__.__name__, self.description,
self.__class__.__name__, self.description, self.event_message,
self.persistence_id, round(self.t, 2), ""))
def test2receive_non_serialized_data(self):
"""This unittest tests the receive_event method with not serialized data"""
log_atom = LogAtom(self.fixed_dme.fixed_data,
ParserMatch(self.match_element), self.t, self)
self.analysis_context.register_component(self, self.description)
event_data = {
'AnalysisComponent': {
'AffectedParserPaths': ['test/path/1', 'test/path/2']
}
}
kafka_event_handler = KafkaEventHandler(
self.analysis_context, self.kafka_topic, {
'bootstrap_servers': ['localhost:9092'],
'api_version': (2, 0, 1)
})
self.assertFalse(
kafka_event_handler.receive_event(self.test_detector,
self.event_message,
self.sorted_log_lines,
event_data, log_atom, self))
self.assertRaises(StopIteration, self.consumer.__next__)
class EnhancedNewMatchPathValueComboDetectorTest(TestBase):
__expected_string = '%s New value combination(s) detected\n%s: "%s" (%d lines)\n%s\n\n'
__expected_whitelisting_string = 'Whitelisted path(es) %s with %s in %s'
fixed_dme = FixedDataModelElement('s1', b'25537 uid=')
fixed_dme2 = FixedDataModelElement('s2', b' uid=2')
decimal_integer_value_me = DecimalIntegerValueModelElement(
'd1', DecimalIntegerValueModelElement.SIGN_TYPE_NONE,
DecimalIntegerValueModelElement.PAD_TYPE_NONE)
match_context_sequence_me = MatchContext(b'25537 uid=2')
seq = SequenceModelElement('seq', [fixed_dme, decimal_integer_value_me])
match_element_sequence_me = seq.get_match_element(
'first', match_context_sequence_me)
match_context_sequence_me2 = MatchContext(b'25537 uid=2')
seq2 = SequenceModelElement('seq2', [decimal_integer_value_me, fixed_dme2])
match_element_sequence_me2 = seq2.get_match_element(
'second', match_context_sequence_me2)
first_seq_s1 = 'first/seq/s1'
first_seq_d1 = 'first/seq/d1'
datetime_format_string = '%Y-%m-%d %H:%M:%S'
exp_str = " first/seq: b'25537 uid=2'\n " + first_seq_s1 + ": b'25537 uid='\n " + first_seq_d1 + \
": 2\n{(b'25537 uid=', 2): [%s, %s, 1]}"
exp_str2 = " {(b'25537 uid=', 2): [%s, %s, 1]}\nb'25537 uid=2'"
def test1_log_atom_not_known(self):
"""This test case checks the correct processing of unknown log lines, which in reality means that an anomaly has been found. The
output is directed to an output stream and compared for accuracy. The auto_include_flag is False and the output must be repeatable
on second run."""
description = "Test1EnhancedNewMatchPathValueComboDetector"
enhanced_new_match_path_value_combo_detector = EnhancedNewMatchPathValueComboDetector(
self.aminer_config, [self.first_seq_s1, self.first_seq_d1],
[self.stream_printer_event_handler],
'Default',
False,
False,
output_log_line=False)
self.analysis_context.register_component(
enhanced_new_match_path_value_combo_detector, description)
t = round(time.time(), 3)
log_atom_sequence_me = LogAtom(
self.match_element_sequence_me.get_match_string(),
ParserMatch(self.match_element_sequence_me), t,
enhanced_new_match_path_value_combo_detector)
self.assertTrue(
enhanced_new_match_path_value_combo_detector.receive_atom(
log_atom_sequence_me))
self.assertEqual(
self.output_stream.getvalue(), self.__expected_string %
(datetime.fromtimestamp(t).strftime(self.datetime_format_string),
enhanced_new_match_path_value_combo_detector.__class__.__name__,
description, 1, self.exp_str2 % (t, t)))
self.reset_output_stream()
log_atom_sequence_me = LogAtom(
self.match_element_sequence_me.get_match_string(),
ParserMatch(self.match_element_sequence_me), t + 2,
enhanced_new_match_path_value_combo_detector)
# repeating should produce the same result with new extraData.
self.assertTrue(
enhanced_new_match_path_value_combo_detector.receive_atom(
log_atom_sequence_me))
self.assertEqual(
self.output_stream.getvalue(), self.__expected_string %
(datetime.fromtimestamp(t + 2).strftime(
self.datetime_format_string),
enhanced_new_match_path_value_combo_detector.__class__.__name__,
description, 1,
" {(b'25537 uid=', 2): [%s, %s, 2]}\nb'25537 uid=2'" %
(t, t + 2)))
self.reset_output_stream()
enhanced_new_match_path_value_combo_detector2 = EnhancedNewMatchPathValueComboDetector(
self.aminer_config, ['second/seq2/d1', 'second/seq2/s2'],
[self.stream_printer_event_handler],
'Default',
False,
False,
output_log_line=False)
self.analysis_context.register_component(
enhanced_new_match_path_value_combo_detector2, description + "2")
log_atom_sequence_me2 = LogAtom(
self.match_element_sequence_me2.get_match_string(),
ParserMatch(self.match_element_sequence_me2), t,
enhanced_new_match_path_value_combo_detector2)
# other MatchElement
self.assertTrue(
enhanced_new_match_path_value_combo_detector2.receive_atom(
log_atom_sequence_me2))
self.assertEqual(
self.output_stream.getvalue(), self.__expected_string %
(datetime.fromtimestamp(t).strftime(self.datetime_format_string),
enhanced_new_match_path_value_combo_detector.__class__.__name__,
description + "2", 1,
" {(25537, b' uid=2'): [%s, %s, 1]}\nb'25537 uid=2'" % (t, t)))
def test2_log_atom_known(self):
"""This test case checks the functionality of the auto_include_flag. If the same MatchElement is processed a second time and the
auto_include_flag was True, no event must be triggered."""
description = "Test2EnhancedNewMatchPathValueComboDetector"
enhanced_new_match_path_value_combo_detector = EnhancedNewMatchPathValueComboDetector(
self.aminer_config, [self.first_seq_s1, self.first_seq_d1],
[self.stream_printer_event_handler],
'Default',
False,
True,
output_log_line=False)
self.analysis_context.register_component(
enhanced_new_match_path_value_combo_detector, description)
t = round(time.time(), 3)
log_atom_sequence_me = LogAtom(
self.match_element_sequence_me.get_match_string(),
ParserMatch(self.match_element_sequence_me), t,
enhanced_new_match_path_value_combo_detector)
self.assertTrue(
enhanced_new_match_path_value_combo_detector.receive_atom(
log_atom_sequence_me))
self.assertEqual(
self.output_stream.getvalue(), self.__expected_string %
(datetime.fromtimestamp(t).strftime(self.datetime_format_string),
enhanced_new_match_path_value_combo_detector.__class__.__name__,
description, 1, self.exp_str2 % (t, t)))
self.reset_output_stream()
t = round(time.time(), 3)
log_atom_sequence_me = LogAtom(
self.match_element_sequence_me.get_match_string(),
ParserMatch(self.match_element_sequence_me), t,
enhanced_new_match_path_value_combo_detector)
# repeating should NOT produce the same result, only persist the new extraData.
self.assertTrue(
enhanced_new_match_path_value_combo_detector.receive_atom(
log_atom_sequence_me))
self.assertEqual(self.output_stream.getvalue(), '')
self.reset_output_stream()
enhanced_new_match_path_value_combo_detector2 = EnhancedNewMatchPathValueComboDetector(
self.aminer_config, ['second/seq2/d1', 'second/seq2/s2'],
[self.stream_printer_event_handler],
'Default',
False,
False,
output_log_line=False)
self.analysis_context.register_component(
enhanced_new_match_path_value_combo_detector2, description + "2")
log_atom_sequence_me2 = LogAtom(
self.match_element_sequence_me2.get_match_string(),
ParserMatch(self.match_element_sequence_me2), t,
enhanced_new_match_path_value_combo_detector2)
# other MatchElement
self.assertTrue(
enhanced_new_match_path_value_combo_detector2.receive_atom(
log_atom_sequence_me2))
self.assertEqual(
self.output_stream.getvalue(), self.__expected_string %
(datetime.fromtimestamp(t).strftime(self.datetime_format_string),
enhanced_new_match_path_value_combo_detector.__class__.__name__,
description + "2", 1,
" {(25537, b' uid=2'): [%s, %s, 1]}\nb'25537 uid=2'" % (t, t)))
def test3_log_atom_known_from_persisted_data(self):
"""The persisting and reading of permitted log lines should be checked with this test."""
description = "Test3EnhancedNewMatchPathValueComboDetector"
enhanced_new_match_path_value_combo_detector = EnhancedNewMatchPathValueComboDetector(
self.aminer_config, [self.first_seq_s1, self.first_seq_d1],
[self.stream_printer_event_handler],
'Default',
False,
True,
output_log_line=False)
self.analysis_context.register_component(
enhanced_new_match_path_value_combo_detector, description)
t = round(time.time(), 3)
log_atom_sequence_me = LogAtom(
self.match_element_sequence_me.get_match_string(),
ParserMatch(self.match_element_sequence_me), t,
enhanced_new_match_path_value_combo_detector)
self.assertTrue(
enhanced_new_match_path_value_combo_detector.receive_atom(
log_atom_sequence_me))
self.assertEqual(
self.output_stream.getvalue(), self.__expected_string %
(datetime.fromtimestamp(t).strftime(self.datetime_format_string),
enhanced_new_match_path_value_combo_detector.__class__.__name__,
description, 1, self.exp_str2 % (t, t)))
enhanced_new_match_path_value_combo_detector.do_persist()
self.reset_output_stream()
other_enhanced_new_match_path_value_combo_detector = EnhancedNewMatchPathValueComboDetector(
self.aminer_config, [self.first_seq_s1, self.first_seq_d1],
[self.stream_printer_event_handler],
'Default',
False,
False,
output_log_line=False)
self.analysis_context.register_component(
other_enhanced_new_match_path_value_combo_detector,
description + "2")
other_log_atom_sequence_me = LogAtom(
self.match_element_sequence_me.get_match_string(),
ParserMatch(self.match_element_sequence_me), t + 2,
other_enhanced_new_match_path_value_combo_detector)
self.assertTrue(
other_enhanced_new_match_path_value_combo_detector.receive_atom(
other_log_atom_sequence_me))
self.assertEqual(
self.output_stream.getvalue(), self.__expected_string %
(datetime.fromtimestamp(t + 2).strftime(
self.datetime_format_string),
enhanced_new_match_path_value_combo_detector.__class__.__name__,
description + "2", 1,
" {(b'25537 uid=', 2): [%s, %s, 2]}\nb'25537 uid=2'" %
(t, t + 2)))
self.reset_output_stream()
other_log_atom_sequence_me = LogAtom(
self.match_element_sequence_me.get_match_string(),
ParserMatch(self.match_element_sequence_me), t + 5,
other_enhanced_new_match_path_value_combo_detector)
self.assertTrue(
other_enhanced_new_match_path_value_combo_detector.receive_atom(
other_log_atom_sequence_me))
self.assertEqual(
self.output_stream.getvalue(), self.__expected_string %
(datetime.fromtimestamp(t + 5).strftime(
self.datetime_format_string),
enhanced_new_match_path_value_combo_detector.__class__.__name__,
description + "2", 1,
" {(b'25537 uid=', 2): [%s, %s, 3]}\nb'25537 uid=2'" %
(t, t + 5)))
def test4_whitelist_event_with_known_and_unknown_paths(self):
"""This test case checks in which cases an event is triggered and compares with expected results."""
description = "Test4EnhancedNewMatchPathValueComboDetector"
enhanced_new_match_path_value_combo_detector = EnhancedNewMatchPathValueComboDetector(
self.aminer_config, [self.first_seq_s1, self.first_seq_d1],
[self.stream_printer_event_handler],
'Default',
False,
True,
output_log_line=False)
self.analysis_context.register_component(
enhanced_new_match_path_value_combo_detector, description)
t = time.time()
log_atom_sequence_me = LogAtom(
self.match_element_sequence_me.get_match_string(),
ParserMatch(self.match_element_sequence_me), t,
enhanced_new_match_path_value_combo_detector)
self.assertEqual(
enhanced_new_match_path_value_combo_detector.whitelist_event(
'Analysis.%s' % enhanced_new_match_path_value_combo_detector.
__class__.__name__, [
log_atom_sequence_me,
[self.match_element_sequence_me.get_path()]
], [
log_atom_sequence_me,
self.match_element_sequence_me.get_path()
], None), self.__expected_whitelisting_string %
(', '.join(
enhanced_new_match_path_value_combo_detector.target_path_list),
self.match_element_sequence_me.get_path(), log_atom_sequence_me))
log_atom_sequence_me2 = LogAtom(
self.match_element_sequence_me2.get_match_string(),
ParserMatch(self.match_element_sequence_me2), t,
enhanced_new_match_path_value_combo_detector)
enhanced_new_match_path_value_combo_detector.auto_include_flag = False
self.assertEqual(
enhanced_new_match_path_value_combo_detector.whitelist_event(
'Analysis.%s' % enhanced_new_match_path_value_combo_detector.
__class__.__name__, [
log_atom_sequence_me2,
[self.match_element_sequence_me2.get_path()]
], [
log_atom_sequence_me2,
self.match_element_sequence_me2.get_path()
], None), self.__expected_whitelisting_string %
(', '.join(
enhanced_new_match_path_value_combo_detector.target_path_list),
self.match_element_sequence_me2.path, log_atom_sequence_me2))
def test5save_metadata(self):
"""This test case checks the correctness of the metadata informations"""
enhanced_new_match_path_value_combo_detector = EnhancedNewMatchPathValueComboDetector(
self.aminer_config, ['first/f1/s1'],
[self.stream_printer_event_handler],
'Default',
False,
True,
None,
output_log_line=False)
t = 1
log_atom_sequence_me = LogAtom(
self.fixed_dme.fixed_data,
ParserMatch(self.match_element_sequence_me), t,
enhanced_new_match_path_value_combo_detector)
enhanced_new_match_path_value_combo_detector.receive_atom(
log_atom_sequence_me)
self.assertEqual(
enhanced_new_match_path_value_combo_detector.known_values_dict.get(
(self.fixed_dme.fixed_data, (t, t, 1))), None)
def getModel():
"""This function defines how to parse a su session information message
after any standard logging preamble, e.g. from syslog."""
typeChildren = []
typeChildren.append(
SequenceModelElement('build-stack', [
FixedDataModelElement('s0',
b'building new pluginstance stack: \''),
DelimitedDataModelElement('stack', b'\''),
FixedDataModelElement('s1', b'\'')
]))
# Netflow entry
typeChildren.append(
SequenceModelElement(
'nfct-event',
[
FixedDataModelElement('s0', b'[DESTROY] ORIG: SRC='),
IpAddressDataModelElement('osrcip'),
FixedDataModelElement('s1', b' DST='),
IpAddressDataModelElement('odstip'),
FixedDataModelElement('s2', b' PROTO='),
FixedWordlistDataModelElement('proto', [b'TCP', b'UDP']),
FixedDataModelElement('s3', b' SPT='),
DecimalIntegerValueModelElement('ospt'),
FixedDataModelElement('s4', b' DPT='),
DecimalIntegerValueModelElement('odpt'),
FixedDataModelElement('s5', b' PKTS='),
DecimalIntegerValueModelElement('opkts'),
FixedDataModelElement('s6', b' BYTES='),
DecimalIntegerValueModelElement('obytes'),
FixedDataModelElement('s7', b' , REPLY: SRC='),
IpAddressDataModelElement('rsrcip'),
FixedDataModelElement('s8', b' DST='),
IpAddressDataModelElement('rdstip'),
FixedDataModelElement('s9', b' PROTO='),
FixedWordlistDataModelElement('rproto', [b'TCP', b'UDP']),
FixedDataModelElement('s10', b' SPT='),
DecimalIntegerValueModelElement('rspt'),
FixedDataModelElement('s11', b' DPT='),
DecimalIntegerValueModelElement('rdpt'),
FixedDataModelElement('s12', b' PKTS='),
DecimalIntegerValueModelElement('rpkts'),
FixedDataModelElement('s13', b' BYTES='),
DecimalIntegerValueModelElement('rbytes'),
# No additional whitespace from Ubuntu Trusty 14.04 on.
OptionalMatchModelElement('tail',
FixedDataModelElement('s0', b' ')),
]))
typeChildren.append(
FixedDataModelElement('nfct-plugin',
b'NFCT plugin working in event mode'))
typeChildren.append(
FixedDataModelElement('reopen', b'reopening capture file'))
typeChildren.append(
FixedDataModelElement('signal',
b'signal received, calling pluginstances'))
typeChildren.append(
FixedDataModelElement('uidchange', b'Changing UID / GID'))
model = SequenceModelElement('ulogd', [
FixedDataModelElement('sname', b'ulogd['),
DecimalIntegerValueModelElement('pid'),
FixedDataModelElement('s0', b']: '),
FirstMatchModelElement('msg', typeChildren)
])
return model
class ParserCountTest(TestBase):
match_context_m1 = MatchContext(b'First string')
match_context_m2 = MatchContext(b' to match.')
match_context_m3 = MatchContext(b'some completely other string to match.')
match_context_seq = MatchContext(b'First string to match.')
fixed_dme_m1 = FixedDataModelElement('m1', b'First string')
fixed_dme_m2 = FixedDataModelElement('m2', b' to match.')
seq = SequenceModelElement('seq', [fixed_dme_m1, fixed_dme_m2])
fixed_dme_m3 = FixedDataModelElement(
'm3', b'some completely other string to match.')
match_element_m1 = fixed_dme_m1.get_match_element('fixed',
match_context_m1)
match_element_m2 = fixed_dme_m2.get_match_element('fixed',
match_context_m2)
match_element_m3 = fixed_dme_m3.get_match_element('fixed',
match_context_m3)
match_element_seq = seq.get_match_element('fixed', match_context_seq)
def test1log_atom_not_in_path_list(self):
"""This unittest checks if no action happens, when no path in the match_dictionary matches a target_path."""
parser_count = ParserCount(
self.aminer_config, ['fixed/seq', 'fixed/seq/m1', 'fixed/seq/m2'],
[self.stream_printer_event_handler])
t = time.time()
log_atom = LogAtom(self.fixed_dme_m3.fixed_data,
ParserMatch(self.match_element_m3), t, parser_count)
old_count_dict = dict(parser_count.count_dict)
parser_count.receive_atom(log_atom)
self.assertEqual(parser_count.count_dict, old_count_dict)
def test2log_atom_matches_single_path(self):
"""This unittest tests the receive_atom method with a single path matching."""
parser_count = ParserCount(
self.aminer_config,
['fixed/seq', 'fixed/seq/m1', 'fixed/seq/m2', 'fixed/m3'],
[self.stream_printer_event_handler])
t = time.time()
log_atom = LogAtom(self.fixed_dme_m3.fixed_data,
ParserMatch(self.match_element_m3), t, parser_count)
old_count_dict = dict(parser_count.count_dict)
old_count_dict['fixed/m3'] = 1
parser_count.receive_atom(log_atom)
self.assertEqual(parser_count.count_dict, old_count_dict)
def test3log_atom_matches_multiple_paths(self):
"""This unittest tests the receive_atom method with multiple paths matching."""
parser_count = ParserCount(
self.aminer_config,
['fixed/seq', 'fixed/seq/m1', 'fixed/seq/m2', 'fixed/m3'],
[self.stream_printer_event_handler])
t = time.time()
log_atom = LogAtom(self.match_context_seq.match_data,
ParserMatch(self.match_element_seq), t,
parser_count)
old_count_dict = dict(parser_count.count_dict)
old_count_dict['fixed/seq'] = 1
old_count_dict['fixed/seq/m1'] = 1
old_count_dict['fixed/seq/m2'] = 1
parser_count.receive_atom(log_atom)
self.assertEqual(parser_count.count_dict, old_count_dict)
def test4do_timer(self):
"""This unittest checks if the do_timer method works properly."""
parser_count = ParserCount(self.aminer_config, ['fixed/m3'],
[self.stream_printer_event_handler], 600)
t = time.time()
self.assertEqual(int(parser_count.do_timer(t + 100)), 600)
self.assertEqual(self.output_stream.getvalue(), "")
log_atom = LogAtom(self.match_context_seq.match_data,
ParserMatch(self.match_element_seq), t,
parser_count)
parser_count.receive_atom(log_atom)
self.assertEqual(int(parser_count.do_timer(t + 100)), 500)
self.assertEqual(self.output_stream.getvalue(), "")
self.assertEqual(parser_count.do_timer(t + 601), 600)
self.assertNotEqual(self.output_stream.getvalue(), "")
self.reset_output_stream()
def test5reset_after_report_flag(self):
"""This unittest tests the functionality of the reset_after_report flag."""
parser_count = ParserCount(
self.aminer_config,
['fixed/seq', 'fixed/seq/m1', 'fixed/seq/m2', 'fixed/m3'],
[self.stream_printer_event_handler], 600, False)
parser_count.count_dict['fixed/seq'] = 5
parser_count.count_dict['fixed/seq/m1'] = 5
parser_count.count_dict['fixed/seq/m2'] = 5
parser_count.count_dict['fixed/m3'] = 17
old_count_dict = dict(parser_count.count_dict)
parser_count.send_report()
self.assertEqual(parser_count.count_dict, old_count_dict)
parser_count.reset_after_report_flag = True
parser_count.send_report()
old_count_dict['fixed/seq'] = 0
old_count_dict['fixed/seq/m1'] = 0
old_count_dict['fixed/seq/m2'] = 0
old_count_dict['fixed/m3'] = 0
self.assertEqual(parser_count.count_dict, old_count_dict)
def test6receive_atom_without_target_paths(self):
"""This unittest tests the receive_atom method with multiple paths matching without having target_paths specified."""
parser_count = ParserCount(self.aminer_config, None,
[self.stream_printer_event_handler])
t = time.time()
log_atom = LogAtom(self.match_context_seq.match_data,
ParserMatch(self.match_element_seq), t,
parser_count)
old_count_dict = dict(parser_count.count_dict)
old_count_dict['fixed/seq'] = 1
parser_count.receive_atom(log_atom)
self.assertEqual(parser_count.count_dict, old_count_dict)
def build_analysis_pipeline(analysis_context):
"""Define the function to create pipeline for parsing the log
data. It has also to define an AtomizerFactory to instruct AMiner
how to process incoming data streams to create log atoms from
them."""
date_format_string = b'%Y-%m-%d %H:%M:%S'
cron = b' cron['
# Build the parsing model:
service_children_disk_report = [
FixedDataModelElement(
'Space',
b' Current Disk Data is: Filesystem Type Size Used Avail Use%'
),
DelimitedDataModelElement('Data', b'%'),
AnyByteDataModelElement('Rest')
]
service_children_login_details = [
FixedDataModelElement('User', b'User '),
DelimitedDataModelElement('Username', b' '),
FixedWordlistDataModelElement('Status',
[b' logged in', b' logged out']),
OptionalMatchModelElement(
'PastTime',
SequenceModelElement('Time', [
FixedDataModelElement('Blank', b' '),
DecimalIntegerValueModelElement('Minutes'),
FixedDataModelElement('Ago', b' minutes ago.')
]))
]
service_children_cron_job = [
DateTimeModelElement('DTM', date_format_string),
FixedDataModelElement('UNameSpace1', b' '),
DelimitedDataModelElement('UName', b' '),
FixedDataModelElement('UNameSpace2', b' '),
DelimitedDataModelElement('User', b' '),
FixedDataModelElement('Cron', cron),
DecimalIntegerValueModelElement('JobNumber'),
FixedDataModelElement('Details', b']: Job `cron.daily` started.')
]
service_children_random_time = [
FixedDataModelElement('Space', b'Random: '),
DecimalIntegerValueModelElement('Random')
]
service_children_sensors = [
SequenceModelElement('CPUTemp', [
FixedDataModelElement('FixedTemp', b'CPU Temp: '),
DecimalIntegerValueModelElement('Temp'),
FixedDataModelElement('Degrees', b'\xc2\xb0C')
]),
FixedDataModelElement('Space1', b', '),
SequenceModelElement('CPUWorkload', [
FixedDataModelElement('Fixed Workload', b'CPU Workload: '),
DecimalIntegerValueModelElement('Workload'),
FixedDataModelElement('Percent', b'%')
]),
FixedDataModelElement('Space2', b', '),
DateTimeModelElement('DTM', date_format_string)
]
service_children_user_ip_address = [
FixedDataModelElement('User', b'User '),
DelimitedDataModelElement('Username', b' '),
FixedDataModelElement('Action', b' changed IP address to '),
IpAddressDataModelElement('IP')
]
service_children_cron_job_announcement = [
DateTimeModelElement('DTM', date_format_string),
FixedDataModelElement('Space', b' '),
DelimitedDataModelElement('UName', b' '),
FixedDataModelElement('Cron', cron),
DecimalIntegerValueModelElement('JobNumber'),
FixedDataModelElement('Run', b']: Will run job `'),
FixedWordlistDataModelElement(
'CronType',
[b'cron.daily', b'cron.hourly', b'cron.monthly', b'cron.weekly']),
FixedDataModelElement('Start Time', b'\' in 5 min.')
]
service_children_cron_job_execution = [
DateTimeModelElement('DTM', date_format_string),
FixedDataModelElement('Space1', b' '),
DelimitedDataModelElement('UName', b' '),
FixedDataModelElement('Cron', cron),
DecimalIntegerValueModelElement('JobNumber'),
FixedDataModelElement('Job', b']: Job `'),
FixedWordlistDataModelElement(
'CronType',
[b'cron.daily', b'cron.hourly', b'cron.monthly', b'cron.weekly']),
FixedDataModelElement('Started', b'\' started')
]
service_children_parsing_model_element = [
DateTimeModelElement('DateTimeModelElement',
b'Current DateTime: %d.%m.%Y %H:%M:%S'),
DecimalFloatValueModelElement('DecimalFloatValueModelElement',
value_sign_type='optional'),
DecimalIntegerValueModelElement('DecimalIntegerValueModelElement',
value_sign_type='optional',
value_pad_type='blank'),
SequenceModelElement('', [
DelimitedDataModelElement('DelimitedDataModelElement', b';'),
FixedDataModelElement('FixedDataModelElement', b';')
])
]
# ElementValueBranchModelElement
fixed_data_me1 = FixedDataModelElement("fixed1", b'match ')
fixed_data_me2 = FixedDataModelElement("fixed2", b'fixed String')
fixed_wordlist_data_model_element = FixedWordlistDataModelElement(
"wordlist", [b'data: ', b'string: '])
decimal_integer_value_model_element = DecimalIntegerValueModelElement(
"decimal")
service_children_parsing_model_element.append(
ElementValueBranchModelElement(
'ElementValueBranchModelElement',
FirstMatchModelElement("first", [
SequenceModelElement(
"seq1",
[fixed_data_me1, fixed_wordlist_data_model_element]),
SequenceModelElement("seq2", [
fixed_data_me1, fixed_wordlist_data_model_element,
fixed_data_me2
])
]), "wordlist", {
0: decimal_integer_value_model_element,
1: fixed_data_me2
}))
service_children_parsing_model_element.append(
HexStringModelElement('HexStringModelElement'))
service_children_parsing_model_element.append(
SequenceModelElement('', [
FixedDataModelElement('FixedDataModelElement',
b'Gateway IP-Address: '),
IpAddressDataModelElement('IpAddressDataModelElement')
]))
service_children_parsing_model_element.append(
MultiLocaleDateTimeModelElement('MultiLocaleDateTimeModelElement',
[(b'%b %d %Y', "de_AT.utf8", None)]))
service_children_parsing_model_element.append(
RepeatedElementDataModelElement(
'RepeatedElementDataModelElement',
SequenceModelElement('SequenceModelElement', [
FixedDataModelElement('FixedDataModelElement',
b'drawn number: '),
DecimalIntegerValueModelElement(
'DecimalIntegerValueModelElement')
]), 1))
service_children_parsing_model_element.append(
VariableByteDataModelElement('VariableByteDataModelElement', b'-@#'))
service_children_parsing_model_element.append(
SequenceModelElement('', [
WhiteSpaceLimitedDataModelElement(
'WhiteSpaceLimitedDataModelElement'),
FixedDataModelElement('', b' ')
]))
# The Base64StringModelElement must be just before the AnyByteDataModelElement to avoid unexpected Matches.
service_children_parsing_model_element.append(
Base64StringModelElement('Base64StringModelElement'))
# The OptionalMatchModelElement must be paired with a FirstMatchModelElement because it accepts all data and thus no data gets
# to the AnyByteDataModelElement. The AnyByteDataModelElement must be last, because all bytes are accepted.
service_children_parsing_model_element.append(
OptionalMatchModelElement(
'OptionalMatchModelElement',
FirstMatchModelElement('FirstMatchModelElement', [
FixedDataModelElement('FixedDataModelElement',
b'The-searched-element-was-found!'),
AnyByteDataModelElement('AnyByteDataModelElement')
])))
parsing_model = FirstMatchModelElement('model', [
SequenceModelElement('CronAnnouncement',
service_children_cron_job_announcement),
SequenceModelElement('CronExecution',
service_children_cron_job_execution),
SequenceModelElement('DailyCron', service_children_cron_job),
SequenceModelElement('DiskReport', service_children_disk_report),
SequenceModelElement('LoginDetails', service_children_login_details),
DecimalIntegerValueModelElement('Random'),
SequenceModelElement('RandomTime', service_children_random_time),
SequenceModelElement('Sensors', service_children_sensors),
SequenceModelElement('IPAddresses', service_children_user_ip_address),
FirstMatchModelElement('ParsingME',
service_children_parsing_model_element)
])
# Some generic imports.
from aminer.analysis import AtomFilters
# Create all global handler lists here and append the real handlers
# later on.
# Use this filter to distribute all atoms to the analysis handlers.
atom_filter = AtomFilters.SubhandlerFilter(None)
from aminer.analysis.TimestampCorrectionFilters import SimpleMonotonicTimestampAdjust
simple_monotonic_timestamp_adjust = SimpleMonotonicTimestampAdjust(
[atom_filter])
analysis_context.register_component(
simple_monotonic_timestamp_adjust,
component_name="SimpleMonotonicTimestampAdjust")
from aminer.events.StreamPrinterEventHandler import StreamPrinterEventHandler
stream_printer_event_handler = StreamPrinterEventHandler(analysis_context)
from aminer.events.SyslogWriterEventHandler import SyslogWriterEventHandler
syslog_event_handler = SyslogWriterEventHandler(analysis_context)
from aminer.events import DefaultMailNotificationEventHandler
if DefaultMailNotificationEventHandler.CONFIG_KEY_MAIL_TARGET_ADDRESS in analysis_context.aminer_config.config_properties:
mail_notification_handler = DefaultMailNotificationEventHandler(
analysis_context)
analysis_context.register_component(mail_notification_handler,
component_name="MailHandler")
anomaly_event_handlers = [
stream_printer_event_handler, syslog_event_handler,
mail_notification_handler
]
# Now define the AtomizerFactory using the model. A simple line based one is usually sufficient.
from aminer.input import SimpleByteStreamLineAtomizerFactory
analysis_context.atomizer_factory = SimpleByteStreamLineAtomizerFactory(
parsing_model, [simple_monotonic_timestamp_adjust],
anomaly_event_handlers)
# Just report all unparsed atoms to the event handlers.
from aminer.input import SimpleUnparsedAtomHandler
simple_unparsed_atom_handler = SimpleUnparsedAtomHandler(
anomaly_event_handlers)
atom_filter.add_handler(simple_unparsed_atom_handler,
stop_when_handled_flag=True)
analysis_context.register_component(simple_unparsed_atom_handler,
component_name="UnparsedHandler")
from aminer.analysis.TimestampsUnsortedDetector import TimestampsUnsortedDetector
timestamps_unsorted_detector = TimestampsUnsortedDetector(
analysis_context.aminer_config, anomaly_event_handlers)
atom_filter.add_handler(timestamps_unsorted_detector)
analysis_context.register_component(
timestamps_unsorted_detector,
component_name="TimestampsUnsortedDetector")
from aminer.analysis import Rules
from aminer.analysis import WhitelistViolationDetector
whitelist_rules = [
Rules.OrMatchRule([
Rules.AndMatchRule([
Rules.PathExistsMatchRule(
'/model/LoginDetails/PastTime/Time/Minutes'),
Rules.NegationMatchRule(
Rules.ValueMatchRule('/model/LoginDetails/Username',
b'root'))
]),
Rules.AndMatchRule([
Rules.NegationMatchRule(
Rules.PathExistsMatchRule(
'/model/LoginDetails/PastTime/Time/Minutes')),
Rules.PathExistsMatchRule('/model/LoginDetails')
]),
Rules.NegationMatchRule(
Rules.PathExistsMatchRule('/model/LoginDetails'))
])
]
# This rule list should trigger, when the line does not look like: User root (logged in, logged out)
# or User 'username' (logged in, logged out) x minutes ago.
whitelist_violation_detector = WhitelistViolationDetector(
analysis_context.aminer_config, whitelist_rules,
anomaly_event_handlers)
analysis_context.register_component(whitelist_violation_detector,
component_name="Whitelist")
atom_filter.add_handler(whitelist_violation_detector)
from aminer.analysis import NewMatchPathDetector
new_match_path_detector = NewMatchPathDetector(
analysis_context.aminer_config,
anomaly_event_handlers,
auto_include_flag=True)
analysis_context.register_component(new_match_path_detector,
component_name="NewMatchPath")
atom_filter.add_handler(new_match_path_detector)
def tuple_transformation_function(match_value_list):
extra_data = enhanced_new_match_path_value_combo_detector.known_values_dict.get(
tuple(match_value_list), None)
if extra_data is not None:
mod = 10000
if (extra_data[2] + 1) % mod == 0:
enhanced_new_match_path_value_combo_detector.auto_include_flag = False
else:
enhanced_new_match_path_value_combo_detector.auto_include_flag = True
return match_value_list
from aminer.analysis.EnhancedNewMatchPathValueComboDetector import EnhancedNewMatchPathValueComboDetector
enhanced_new_match_path_value_combo_detector = EnhancedNewMatchPathValueComboDetector(
analysis_context.aminer_config,
['/model/DailyCron/UName', '/model/DailyCron/JobNumber'],
anomaly_event_handlers,
auto_include_flag=True,
tuple_transformation_function=tuple_transformation_function)
analysis_context.register_component(
enhanced_new_match_path_value_combo_detector,
component_name="EnhancedNewValueCombo")
atom_filter.add_handler(enhanced_new_match_path_value_combo_detector)
from aminer.analysis.HistogramAnalysis import HistogramAnalysis, LinearNumericBinDefinition, ModuloTimeBinDefinition, \
PathDependentHistogramAnalysis
modulo_time_bin_definition = ModuloTimeBinDefinition(
86400, 3600, 0, 1, 24, True)
linear_numeric_bin_definition = LinearNumericBinDefinition(50, 5, 20, True)
histogram_analysis = HistogramAnalysis(
analysis_context.aminer_config,
[('/model/RandomTime/Random', modulo_time_bin_definition),
('/model/Random', linear_numeric_bin_definition)], 10,
anomaly_event_handlers)
analysis_context.register_component(histogram_analysis,
component_name="HistogramAnalysis")
atom_filter.add_handler(histogram_analysis)
path_dependent_histogram_analysis = PathDependentHistogramAnalysis(
analysis_context.aminer_config, '/model/RandomTime',
modulo_time_bin_definition, 10, anomaly_event_handlers)
analysis_context.register_component(
path_dependent_histogram_analysis,
component_name="PathDependentHistogramAnalysis")
atom_filter.add_handler(path_dependent_histogram_analysis)
from aminer.analysis.MatchValueAverageChangeDetector import MatchValueAverageChangeDetector
match_value_average_change_detector = MatchValueAverageChangeDetector(
analysis_context.aminer_config, anomaly_event_handlers, None,
['/model/Random'], 100, 10)
analysis_context.register_component(
match_value_average_change_detector,
component_name="MatchValueAverageChange")
atom_filter.add_handler(match_value_average_change_detector)
import sys
from aminer.analysis.MatchValueStreamWriter import MatchValueStreamWriter
match_value_stream_writer = MatchValueStreamWriter(sys.stdout, [
'/model/Sensors/CPUTemp', '/model/Sensors/CPUWorkload',
'/model/Sensors/DTM'
], b';', b'')
analysis_context.register_component(
match_value_stream_writer, component_name="MatchValueStreamWriter")
atom_filter.add_handler(match_value_stream_writer)
from aminer.analysis.NewMatchPathValueComboDetector import NewMatchPathValueComboDetector
new_match_path_value_combo_detector = NewMatchPathValueComboDetector(
analysis_context.aminer_config,
['/model/IPAddresses/Username', '/model/IPAddresses/IP'],
anomaly_event_handlers,
auto_include_flag=True)
analysis_context.register_component(
new_match_path_value_combo_detector,
component_name="NewMatchPathValueCombo")
atom_filter.add_handler(new_match_path_value_combo_detector)
from aminer.analysis.NewMatchPathValueDetector import NewMatchPathValueDetector
new_match_path_value_detector = NewMatchPathValueDetector(
analysis_context.aminer_config,
['/model/DailyCron/JobNumber', '/model/IPAddresses/Username'],
anomaly_event_handlers,
auto_include_flag=True)
analysis_context.register_component(new_match_path_value_detector,
component_name="NewMatchPathValue")
atom_filter.add_handler(new_match_path_value_detector)
from aminer.analysis.MissingMatchPathValueDetector import MissingMatchPathValueDetector
missing_match_path_value_detector = MissingMatchPathValueDetector(
analysis_context.aminer_config,
'/model/DiskReport/Space',
anomaly_event_handlers,
auto_include_flag=True,
default_interval=2,
realert_interval=5)
analysis_context.register_component(missing_match_path_value_detector,
component_name="MissingMatch")
atom_filter.add_handler(missing_match_path_value_detector)
from aminer.analysis.TimeCorrelationDetector import TimeCorrelationDetector
time_correlation_detector = TimeCorrelationDetector(
analysis_context.aminer_config,
2,
1,
0,
anomaly_event_handlers,
record_count_before_event=70000)
analysis_context.register_component(
time_correlation_detector, component_name="TimeCorrelationDetector")
atom_filter.add_handler(time_correlation_detector)
from aminer.analysis.TimeCorrelationViolationDetector import TimeCorrelationViolationDetector, CorrelationRule, EventClassSelector
cron_job_announcement = CorrelationRule(
'CronJobAnnouncement',
5,
6,
max_artefacts_a_for_single_b=1,
artefact_match_parameters=[('/model/CronAnnouncement/JobNumber',
'/model/CronExecution/JobNumber')])
a_class_selector = EventClassSelector('Announcement',
[cron_job_announcement], None)
b_class_selector = EventClassSelector('Execution', None,
[cron_job_announcement])
rules = [
Rules.PathExistsMatchRule('/model/CronAnnouncement/Run',
a_class_selector),
Rules.PathExistsMatchRule('/model/CronExecution/Job', b_class_selector)
]
time_correlation_violation_detector = TimeCorrelationViolationDetector(
analysis_context.aminer_config, rules, anomaly_event_handlers)
analysis_context.register_component(
time_correlation_violation_detector,
component_name="TimeCorrelationViolationDetector")
atom_filter.add_handler(time_correlation_violation_detector)
class EventTypeDetectorTest(TestBase):
"""Unittests for the EventTypeDetector."""
log_lines = [
b'type=SYSCALL msg=audit(1580367384.000:1): arch=c000003e syscall=1 success=yes exit=21 a0=7ffda5863060 a1=0 a2=1b6 a3=4f items=1 '
b'ppid=22913 pid=13187 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 '
b'comm="apache2" exe="/usr/sbin/apache2" key=(null)',
b'type=PATH msg=audit(1580367385.000:1): item=0 name="one" inode=790106 dev=fe:01 mode=0100666 ouid=1000 ogid=1000 rdev=00:00 '
b'nametype=NORMAL',
b'type=SYSCALL msg=audit(1580367386.000:2): arch=c000003e syscall=2 success=yes exit=21 a0=7ffda5863060 a1=0 a2=1b6 a3=4f items=1 '
b'ppid=22913 pid=13187 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 '
b'comm="apache2" exe="/usr/sbin/apache2" key=(null)',
b'type=PATH msg=audit(1580367387.000:2): item=0 name="two" inode=790106 dev=fe:01 mode=0100666 ouid=1000 ogid=1000 rdev=00:00 '
b'nametype=NORMAL',
b'type=SYSCALL msg=audit(1580367388.000:3): arch=c000003e syscall=3 success=yes exit=21 a0=7ffda5863060 a1=0 a2=1b6 a3=4f items=1 '
b'ppid=22913 pid=13187 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 '
b'comm="apache2" exe="/usr/sbin/apache2" key=(null)',
b'type=PATH msg=audit(1580367389.000:3): item=0 name="three" inode=790106 dev=fe:01 mode=0100666 ouid=1000 ogid=1000 rdev=00:00 '
b'nametype=NORMAL',
b'type=SYSCALL msg=audit(1580367388.500:100): arch=c000003e syscall=1 success=yes exit=21 a0=7ffda5863060 a1=0 a2=1b6 a3=4f items=1'
b' ppid=22913 pid=13187 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 '
b'comm="apache2" exe="/usr/sbin/apache2" key=(null)',
b'type=SYSCALL msg=audit(1580367390.000:4): arch=c000003e syscall=1 success=yes exit=21 a0=7ffda5863060 a1=0 a2=1b6 a3=4f items=1 '
b'ppid=22913 pid=13187 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 '
b'comm="apache2" exe="/usr/sbin/apache2" key=(null)',
b'type=PATH msg=audit(1580367391.000:4): item=0 name="one" inode=790106 dev=fe:01 mode=0100666 ouid=1000 ogid=1000 rdev=00:00 '
b'nametype=NORMAL',
b'type=PATH msg=audit(1580367392.000:5): item=0 name="two" inode=790106 dev=fe:01 mode=0100666 ouid=1000 ogid=1000 rdev=00:00 '
b'nametype=NORMAL',
b'type=SYSCALL msg=audit(1580367393.000:5): arch=c000003e syscall=2 success=yes exit=21 a0=7ffda5863060 a1=0 a2=1b6 a3=4f items=1 '
b'ppid=22913 pid=13187 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 '
b'comm="apache2" exe="/usr/sbin/apache2" key=(null)',
b'type=SYSCALL msg=audit(1580367394.000:6): arch=c000003e syscall=4 success=yes exit=21 a0=7ffda5863060 a1=0 a2=1b6 a3=4f items=1 '
b'ppid=22913 pid=13187 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 '
b'comm="apache2" exe="/usr/sbin/apache2" key=(null)',
b'type=PATH msg=audit(1580367395.000:7): item=0 name="five" inode=790106 dev=fe:01 mode=0100666 ouid=1000 ogid=1000 rdev=00:00 '
b'nametype=NORMAL',
b'type=SYSCALL msg=audit(1580367396.000:8): arch=c000003e syscall=6 success=yes exit=21 a0=7ffda5863060 a1=0 a2=1b6 a3=4f items=1 '
b'ppid=22913 pid=13187 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 '
b'comm="apache2" exe="/usr/sbin/apache2" key=(null)',
b'type=PATH msg=audit(1580367397.000:6): item=0 name="four" inode=790106 dev=fe:01 mode=0100666 ouid=1000 ogid=1000 rdev=00:00 '
b'nametype=NORMAL',
b'type=SYSCALL msg=audit(1580367398.000:7): arch=c000003e syscall=5 success=yes exit=21 a0=7ffda5863060 a1=0 a2=1b6 a3=4f items=1 '
b'ppid=22913 pid=13187 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 '
b'comm="apache2" exe="/usr/sbin/apache2" key=(null)',
b'type=PATH msg=audit(1580367399.000:8): item=0 name="six" inode=790106 dev=fe:01 mode=0100666 ouid=1000 ogid=1000 rdev=00:00 '
b'nametype=NORMAL',
b'type=SYSCALL msg=audit(1580367400.000:9): arch=c000003e syscall=2 success=yes exit=21 a0=7ffda5863060 a1=0 a2=1b6 a3=4f items=1 '
b'ppid=22913 pid=13187 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 '
b'comm="apache2" exe="/usr/sbin/apache2" key=(null)',
b'type=PATH msg=audit(1580367401.000:9): item=0 name="three" inode=790106 dev=fe:01 mode=0100666 ouid=1000 ogid=1000 rdev=00:00 '
b'nametype=NORMAL',
b'type=PATH msg=audit(1580367402.000:10): item=0 name="one" inode=790106 dev=fe:01 mode=0100666 ouid=1000 ogid=1000 rdev=00:00 '
b'nametype=NORMAL',
b'type=SYSCALL msg=audit(1580367403.000:10): arch=c000003e syscall=3 success=yes exit=21 a0=7ffda5863060 a1=0 a2=1b6 a3=4f items=1 '
b'ppid=22913 pid=13187 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 '
b'comm="apache2" exe="/usr/sbin/apache2" key=(null)'
]
parsing_model = FirstMatchModelElement('type', [
SequenceModelElement('path', [
FixedDataModelElement('type', b'type=PATH '),
FixedDataModelElement('msg_audit', b'msg=audit('),
DelimitedDataModelElement('msg', b':'),
FixedDataModelElement('placeholder', b':'),
DecimalIntegerValueModelElement('id'),
FixedDataModelElement('item_string', b'): item='),
DecimalIntegerValueModelElement('item'),
FixedDataModelElement('name_string', b' name="'),
DelimitedDataModelElement('name', b'"'),
FixedDataModelElement('inode_string', b'" inode='),
DecimalIntegerValueModelElement('inode'),
FixedDataModelElement('dev_string', b' dev='),
DelimitedDataModelElement('dev', b' '),
FixedDataModelElement('mode_string', b' mode='),
DecimalIntegerValueModelElement('mode'),
FixedDataModelElement('ouid_string', b' ouid='),
DecimalIntegerValueModelElement('ouid'),
FixedDataModelElement('ogid_string', b' ogid='),
DecimalIntegerValueModelElement('ogid'),
FixedDataModelElement('rdev_string', b' rdev='),
DelimitedDataModelElement('rdev', b' '),
FixedDataModelElement('nametype_string', b' nametype='),
FixedWordlistDataModelElement('nametype', [b'NORMAL', b'ERROR'])
]),
SequenceModelElement('syscall', [
FixedDataModelElement('type', b'type=SYSCALL '),
FixedDataModelElement('msg_audit', b'msg=audit('),
DelimitedDataModelElement('msg', b':'),
FixedDataModelElement('placeholder', b':'),
DecimalIntegerValueModelElement('id'),
FixedDataModelElement('arch_string', b'): arch='),
DelimitedDataModelElement('arch', b' '),
FixedDataModelElement('syscall_string', b' syscall='),
DecimalIntegerValueModelElement('syscall'),
FixedDataModelElement('success_string', b' success='),
FixedWordlistDataModelElement('success', [b'yes', b'no']),
FixedDataModelElement('exit_string', b' exit='),
DecimalIntegerValueModelElement('exit'),
AnyByteDataModelElement('remainding_data')
])
])
def test1receive_atoms_with_default_values(self):
"""
In this test case multiple log_atoms are received with default values of the EventTypeDetector.
path_list is empty and all paths are learned dynamically in variable_key_list.
"""
event_type_detector = EventTypeDetector(
self.aminer_config, [self.stream_printer_event_handler])
log_atoms = []
for line in self.log_lines:
t = time.time()
log_atoms.append(
LogAtom(
line,
ParserMatch(
self.parsing_model.get_match_element(
'parser', MatchContext(line))), t,
self.__class__.__name__))
for i, log_atom in enumerate(log_atoms):
self.assertTrue(event_type_detector.receive_atom(log_atom))
self.assertEqual(event_type_detector.total_records, i + 1)
def test2receive_atoms_with_defined_path_list(self):
"""
In this test case multiple log_atoms are received with default values of the EventTypeDetector.
path_list is set to a static list of paths and variable_key_list should not be used.
"""
event_type_detector = EventTypeDetector(
self.aminer_config, [self.stream_printer_event_handler],
path_list=['parser/type/path/nametype'])
results = [
True, False, True, False, True, False, True, True, False, False,
True, True, False, True, False, True, False, True, False, False,
True
]
log_atoms = []
for line in self.log_lines:
t = time.time()
log_atoms.append(
LogAtom(
line,
ParserMatch(
self.parsing_model.get_match_element(
'parser', MatchContext(line))), t,
self.__class__.__name__))
for i, log_atom in enumerate(log_atoms):
old_vals = (event_type_detector.num_events,
event_type_detector.num_eventlines,
event_type_detector.total_records,
event_type_detector.longest_path)
self.assertEqual(event_type_detector.receive_atom(log_atom),
not results[i], i)
if results[i]:
self.assertEqual(old_vals, (event_type_detector.num_events,
event_type_detector.num_eventlines,
event_type_detector.total_records,
event_type_detector.longest_path))
def test3append_values_float(self):
"""This unittest checks the append_values method with raw_match_object being a float value."""
event_type_detector = EventTypeDetector(
self.aminer_config, [self.stream_printer_event_handler])
# initialize all values.
t = time.time()
log_atom = LogAtom(
b'22.2', ParserMatch(MatchElement('path', '22.2', 22.2, None)), t,
self.__class__.__name__)
event_type_detector.receive_atom(log_atom)
event_type_detector.values = [[[]]]
event_type_detector.append_values(log_atom, 0)
self.assertEqual(event_type_detector.values, [[[22.2]]])
log_atom = LogAtom(b'22',
ParserMatch(MatchElement('path', '22', 22, None)),
t, self.__class__.__name__)
event_type_detector.values = [[[]]]
event_type_detector.append_values(log_atom, 0)
self.assertEqual(event_type_detector.values, [[[22]]])
log_atom = LogAtom(
b'22.2', ParserMatch(MatchElement('path', '22', b'22', None)), t,
self.__class__.__name__)
event_type_detector.values = [[[]]]
event_type_detector.append_values(log_atom, 0)
self.assertEqual(event_type_detector.values, [[[22]]])
def test4append_values_bytestring(self):
"""
This unittest checks the append_values method with raw_match_object being a bytestring.
This should trigger a ValueError and append the match_string.
"""
event_type_detector = EventTypeDetector(
self.aminer_config, [self.stream_printer_event_handler])
# initialize all values.
t = time.time()
log_atom = LogAtom(
b'This is a string',
ParserMatch(
MatchElement('path', 'This is a string', b'This is a string',
None)), t, self.__class__.__name__)
event_type_detector.receive_atom(log_atom)
event_type_detector.values = [[[]]]
event_type_detector.append_values(log_atom, 0)
self.assertEqual(event_type_detector.values, [[['This is a string']]])
log_atom = LogAtom(
b'24.05.',
ParserMatch(MatchElement('path', '24.05.', b'24.05.', None)), t,
self.__class__.__name__)
event_type_detector.values = [[[]]]
event_type_detector.append_values(log_atom, 0)
self.assertEqual(event_type_detector.values, [[['24.05.']]])
def test5check_value_reduction(self):
"""This unittest checks the functionality of reducing the values when the maxNumVals threshold is reached."""
event_type_detector = EventTypeDetector(
self.aminer_config, [self.stream_printer_event_handler])
t = time.time()
val_list = [[[]]]
for i in range(1, event_type_detector.max_num_vals + 1, 1):
log_atom = LogAtom(
str(i).encode(),
ParserMatch(MatchElement('path', str(i), i, None)), t,
self.__class__.__name__)
val_list[0][0].append(float(i))
self.assertTrue(event_type_detector.receive_atom(log_atom))
self.assertEqual(event_type_detector.values, val_list)
i += 1
log_atom = LogAtom(
str(i).encode(), ParserMatch(MatchElement('path', str(i), i,
None)), t,
self.__class__.__name__)
val_list[0][0].append(float(i))
self.assertTrue(event_type_detector.receive_atom(log_atom))
self.assertEqual(
event_type_detector.values,
[[val_list[0][0][-event_type_detector.min_num_vals:]]])
def test6persist_and_load_data(self):
"""This unittest checks the functionality of the persistence by persisting and reloading values."""
event_type_detector = EventTypeDetector(
self.aminer_config, [self.stream_printer_event_handler])
t = time.time()
log_atom = LogAtom(
b'22.2', ParserMatch(MatchElement('path', '22.2', 22.2, None)), t,
self.__class__.__name__)
event_type_detector.receive_atom(log_atom)
event_type_detector.do_persist()
event_type_detector_loaded = EventTypeDetector(
self.aminer_config, [self.stream_printer_event_handler])
self.assertEqual(event_type_detector.variable_key_list,
event_type_detector_loaded.variable_key_list)
self.assertEqual(event_type_detector.values,
event_type_detector_loaded.values)
self.assertEqual(event_type_detector.longest_path,
event_type_detector_loaded.longest_path)
self.assertEqual(event_type_detector.check_variables,
event_type_detector_loaded.check_variables)
self.assertEqual(event_type_detector.num_eventlines,
event_type_detector_loaded.num_eventlines)
def build_analysis_pipeline(analysis_context):
"""Define the function to create pipeline for parsing the log data. It has also to define an AtomizerFactory to instruct AMiner
how to process incoming data streams to create log atoms from them."""
# Build the parsing model:
from aminer.parsing import FirstMatchModelElement
from aminer.parsing import SequenceModelElement
from aminer.parsing.DateTimeModelElement import DateTimeModelElement
import datetime
from aminer.parsing import FixedDataModelElement
from aminer.parsing.DelimitedDataModelElement import DelimitedDataModelElement
from aminer.parsing import AnyByteDataModelElement
service_children_disk_upgrade = [
DateTimeModelElement(
'DTM', b'%Y-%m-%d %H:%M:%S',
datetime.datetime.now(datetime.timezone.utc).astimezone().tzinfo),
FixedDataModelElement('UNameSpace1', b' '),
DelimitedDataModelElement('UName', b' '),
FixedDataModelElement('UNameSpace2', b' '),
DelimitedDataModelElement('User', b' '),
FixedDataModelElement('HDRepair',
b' System rebooted for hard disk upgrade')
]
service_children_home_path = [
FixedDataModelElement(
'Pwd',
b'The Path of the home directory shown by pwd of the user '),
DelimitedDataModelElement('Username', b' '),
FixedDataModelElement('Is', b' is: '),
AnyByteDataModelElement('Path')
]
parsing_model = FirstMatchModelElement('model', [
SequenceModelElement('DiskUpgrade', service_children_disk_upgrade),
SequenceModelElement('HomePath', service_children_home_path)
])
# Some generic imports.
from aminer.analysis import AtomFilters
# Create all global handler lists here and append the real handlers later on.
# Use this filter to distribute all atoms to the analysis handlers.
atom_filter = AtomFilters.SubhandlerFilter(None)
from aminer.events.StreamPrinterEventHandler import StreamPrinterEventHandler
stream_printer_event_handler = StreamPrinterEventHandler(analysis_context)
from aminer.events.SyslogWriterEventHandler import SyslogWriterEventHandler
syslog_writer_event_handler = SyslogWriterEventHandler(analysis_context)
anomaly_event_handlers = [
stream_printer_event_handler, syslog_writer_event_handler
]
from aminer.input import SimpleMultisourceAtomSync
simple_multisource_atom_sync = SimpleMultisourceAtomSync([atom_filter], 9)
# Now define the AtomizerFactory using the model. A simple line
# based one is usually sufficient.
from aminer.input import SimpleByteStreamLineAtomizerFactory
analysis_context.atomizer_factory = SimpleByteStreamLineAtomizerFactory(
parsing_model, [simple_multisource_atom_sync],
anomaly_event_handlers,
default_timestamp_paths=['model/DiskUpgrade/Date'])
# Just report all unparsed atoms to the event handlers.
from aminer.input import SimpleUnparsedAtomHandler
simple_unparsed_atom_handler = SimpleUnparsedAtomHandler(
anomaly_event_handlers)
atom_filter.add_handler(simple_unparsed_atom_handler,
stop_when_handled_flag=True)
analysis_context.register_component(simple_unparsed_atom_handler,
component_name="UnparsedHandler")
from aminer.analysis import NewMatchPathDetector
new_match_path_detector = NewMatchPathDetector(
analysis_context.aminer_config,
anomaly_event_handlers,
auto_include_flag=True)
analysis_context.register_component(new_match_path_detector,
component_name="NewPath")
atom_filter.add_handler(new_match_path_detector)
from aminer.analysis import NewMatchPathValueComboDetector
new_match_path_value_combo_detector = NewMatchPathValueComboDetector(
analysis_context.aminer_config,
['/model/HomePath/Username', '/model/HomePath/Path'],
anomaly_event_handlers,
auto_include_flag=True)
analysis_context.register_component(new_match_path_value_combo_detector,
component_name="NewValueCombo")
atom_filter.add_handler(new_match_path_value_combo_detector)
# Include the e-mail notification handler only if the configuration parameter was set.
from aminer.events import DefaultMailNotificationEventHandler
if DefaultMailNotificationEventHandler.CONFIG_KEY_MAIL_TARGET_ADDRESS in analysis_context.aminer_config.config_properties:
mail_notification_handler = DefaultMailNotificationEventHandler(
analysis_context)
analysis_context.register_component(mail_notification_handler,
component_name="MailHandler")
anomaly_event_handlers.append(mail_notification_handler)
def get_model():
"""Return a model to parse Apache Access logs from the AIT-LDS."""
alphabet = b'!"#$%&\'()*+,-./0123456789:;<>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ\\^_`abcdefghijklmnopqrstuvwxyz{|}~=[]'
model = SequenceModelElement('model', [
FirstMatchModelElement('client_ip', [
IpAddressDataModelElement('client_ip'),
FixedDataModelElement('localhost', b'::1')
]),
FixedDataModelElement('sp1', b' '),
VariableByteDataModelElement('client_id', alphabet),
FixedDataModelElement('sp2', b' '),
VariableByteDataModelElement('user_id', alphabet),
FixedDataModelElement('sp3', b' ['),
DateTimeModelElement('time', b'%d/%b/%Y:%H:%M:%S'),
FixedDataModelElement('sp4', b' +'),
DecimalIntegerValueModelElement('tz'),
FixedDataModelElement('sp5', b'] "'),
FirstMatchModelElement('fm', [
FixedDataModelElement('dash', b'-'),
SequenceModelElement('request', [
FixedWordlistDataModelElement('method', [
b'GET', b'POST', b'PUT', b'HEAD', b'DELETE', b'CONNECT', b'OPTIONS', b'TRACE', b'PATCH']),
FixedDataModelElement('sp6', b' '),
DelimitedDataModelElement('request', b' ', b'\\'),
FixedDataModelElement('sp7', b' '),
DelimitedDataModelElement('version', b'"'),
])
]),
FixedDataModelElement('sp8', b'" '),
DecimalIntegerValueModelElement('status_code'),
FixedDataModelElement('sp9', b' '),
DecimalIntegerValueModelElement('content_size'),
OptionalMatchModelElement(
'combined', SequenceModelElement('combined', [
FixedDataModelElement('sp10', b' "'),
DelimitedDataModelElement('referer', b'"', b'\\'),
FixedDataModelElement('sp11', b'" "'),
DelimitedDataModelElement('user_agent', b'"', b'\\'),
FixedDataModelElement('sp12', b'"'),
])),
])
return model
def getModel():
dict = b'!"#$%&\'()*+,-./0123456789:;<>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~'
subTree0 = SequenceModelElement(
'sequence0', [FixedDataModelElement('fixed1', b' key=(null)')])
subTree1 = SequenceModelElement('sequence1', [
FixedDataModelElement('fixed2',
b'"apache2" exe="/usr/sbin/apache2" key=(null)')
])
model = SequenceModelElement('sequence3', [
FixedDataModelElement('fixed4', b'type='),
FirstMatchModelElement('firstmatch5', [
SequenceModelElement('sequence6', [
FixedDataModelElement('fixed7', b'PROCTITLE msg='),
VariableByteDataModelElement('string8', dict),
FixedDataModelElement('fixed9', b' proctitle='),
FirstMatchModelElement('firstmatch10', [
FixedDataModelElement(
'fixed11',
b'2F7573722F7362696E2F61706163686532002D6B007374617274'
),
VariableByteDataModelElement('string12', dict)
])
]),
SequenceModelElement('sequence13', [
FixedDataModelElement('fixed14', b'SYSCALL msg='),
VariableByteDataModelElement('string15', dict),
FixedDataModelElement('fixed16', b' arch=c000003e syscall='),
DecimalIntegerValueModelElement(
'integer17',
valueSignType=DecimalIntegerValueModelElement.
SIGN_TYPE_OPTIONAL),
FixedDataModelElement('fixed18', b' success='),
FirstMatchModelElement('firstmatch19', [
SequenceModelElement('sequence20', [
FixedDataModelElement('fixed21', b'yes exit='),
DecimalIntegerValueModelElement(
'integer22',
valueSignType=DecimalIntegerValueModelElement.
SIGN_TYPE_OPTIONAL),
FixedDataModelElement('fixed23', b' a0='),
VariableByteDataModelElement('string24', dict),
FixedDataModelElement('fixed25', b' a1='),
VariableByteDataModelElement('string26', dict),
FixedDataModelElement('fixed27', b' a2='),
VariableByteDataModelElement('string28', dict),
FixedDataModelElement('fixed29', b' a3='),
VariableByteDataModelElement('string30', dict),
FixedDataModelElement('fixed31', b' items='),
DecimalIntegerValueModelElement(
'integer32',
valueSignType=DecimalIntegerValueModelElement.
SIGN_TYPE_OPTIONAL),
FixedDataModelElement('fixed33', b' ppid='),
DecimalIntegerValueModelElement(
'integer34',
valueSignType=DecimalIntegerValueModelElement.
SIGN_TYPE_OPTIONAL),
FixedDataModelElement('fixed35', b' pid='),
DecimalIntegerValueModelElement(
'integer36',
valueSignType=DecimalIntegerValueModelElement.
SIGN_TYPE_OPTIONAL),
FixedDataModelElement('fixed37', b' auid='),
DecimalIntegerValueModelElement(
'integer38',
valueSignType=DecimalIntegerValueModelElement.
SIGN_TYPE_OPTIONAL),
FixedDataModelElement('fixed39', b' uid='),
DecimalIntegerValueModelElement(
'integer40',
valueSignType=DecimalIntegerValueModelElement.
SIGN_TYPE_OPTIONAL),
FixedDataModelElement('fixed41', b' gid='),
DecimalIntegerValueModelElement(
'integer42',
valueSignType=DecimalIntegerValueModelElement.
SIGN_TYPE_OPTIONAL),
FixedDataModelElement('fixed43', b' euid='),
DecimalIntegerValueModelElement(
'integer44',
valueSignType=DecimalIntegerValueModelElement.
SIGN_TYPE_OPTIONAL),
FixedDataModelElement('fixed45', b' suid='),
DecimalIntegerValueModelElement(
'integer46',
valueSignType=DecimalIntegerValueModelElement.
SIGN_TYPE_OPTIONAL),
FixedDataModelElement('fixed47', b' fsuid='),
DecimalIntegerValueModelElement(
'integer48',
valueSignType=DecimalIntegerValueModelElement.
SIGN_TYPE_OPTIONAL),
FixedDataModelElement('fixed49', b' egid='),
DecimalIntegerValueModelElement(
'integer50',
valueSignType=DecimalIntegerValueModelElement.
SIGN_TYPE_OPTIONAL),
FixedDataModelElement('fixed51', b' sgid='),
DecimalIntegerValueModelElement(
'integer52',
valueSignType=DecimalIntegerValueModelElement.
SIGN_TYPE_OPTIONAL),
FixedDataModelElement('fixed53', b' fsgid='),
DecimalIntegerValueModelElement(
'integer54',
valueSignType=DecimalIntegerValueModelElement.
SIGN_TYPE_OPTIONAL),
FixedDataModelElement('fixed55', b' tty=(none) ses='),
DecimalIntegerValueModelElement(
'integer56',
valueSignType=DecimalIntegerValueModelElement.
SIGN_TYPE_OPTIONAL),
FixedDataModelElement('fixed57', b' comm='),
FirstMatchModelElement('firstmatch58', [
subTree1,
SequenceModelElement('sequence59', [
VariableByteDataModelElement('string60', dict),
FixedDataModelElement('fixed61', b' exe='),
FirstMatchModelElement('firstmatch62', [
SequenceModelElement(
'sequence63', [
FixedDataModelElement(
'fixed64',
b'"/usr/bin/suricata"'),
subTree0
]),
SequenceModelElement(
'sequence65', [
VariableByteDataModelElement(
'string66', dict), subTree0
])
])
])
])
]),
SequenceModelElement('sequence67', [
VariableByteDataModelElement('string68', dict),
FixedDataModelElement('fixed69', b' exit='),
DecimalIntegerValueModelElement(
'integer70',
valueSignType=DecimalIntegerValueModelElement.
SIGN_TYPE_OPTIONAL),
FixedDataModelElement('fixed71', b' a0='),
VariableByteDataModelElement('string72', dict),
FixedDataModelElement('fixed73', b' a1='),
VariableByteDataModelElement('string74', dict),
FixedDataModelElement('fixed75', b' a2='),
VariableByteDataModelElement('string76', dict),
FixedDataModelElement('fixed77', b' a3='),
VariableByteDataModelElement('string78', dict),
FixedDataModelElement('fixed79', b' items='),
DecimalIntegerValueModelElement(
'integer80',
valueSignType=DecimalIntegerValueModelElement.
SIGN_TYPE_OPTIONAL),
FixedDataModelElement('fixed81', b' ppid='),
DecimalIntegerValueModelElement(
'integer82',
valueSignType=DecimalIntegerValueModelElement.
SIGN_TYPE_OPTIONAL),
FixedDataModelElement('fixed83', b' pid='),
DecimalIntegerValueModelElement(
'integer84',
valueSignType=DecimalIntegerValueModelElement.
SIGN_TYPE_OPTIONAL),
FixedDataModelElement('fixed85', b' auid='),
DecimalIntegerValueModelElement(
'integer86',
valueSignType=DecimalIntegerValueModelElement.
SIGN_TYPE_OPTIONAL),
FixedDataModelElement('fixed87', b' uid='),
DecimalIntegerValueModelElement(
'integer88',
valueSignType=DecimalIntegerValueModelElement.
SIGN_TYPE_OPTIONAL),
FixedDataModelElement('fixed89', b' gid='),
DecimalIntegerValueModelElement(
'integer90',
valueSignType=DecimalIntegerValueModelElement.
SIGN_TYPE_OPTIONAL),
FixedDataModelElement('fixed91', b' euid='),
DecimalIntegerValueModelElement(
'integer92',
valueSignType=DecimalIntegerValueModelElement.
SIGN_TYPE_OPTIONAL),
FixedDataModelElement('fixed93', b' suid='),
DecimalIntegerValueModelElement(
'integer94',
valueSignType=DecimalIntegerValueModelElement.
SIGN_TYPE_OPTIONAL),
FixedDataModelElement('fixed95', b' fsuid='),
DecimalIntegerValueModelElement(
'integer96',
valueSignType=DecimalIntegerValueModelElement.
SIGN_TYPE_OPTIONAL),
FixedDataModelElement('fixed97', b' egid='),
DecimalIntegerValueModelElement(
'integer98',
valueSignType=DecimalIntegerValueModelElement.
SIGN_TYPE_OPTIONAL),
FixedDataModelElement('fixed99', b' sgid='),
DecimalIntegerValueModelElement(
'integer100',
valueSignType=DecimalIntegerValueModelElement.
SIGN_TYPE_OPTIONAL),
FixedDataModelElement('fixed101', b' fsgid='),
DecimalIntegerValueModelElement(
'integer102',
valueSignType=DecimalIntegerValueModelElement.
SIGN_TYPE_OPTIONAL),
FixedDataModelElement('fixed103', b' tty=(none) ses='),
DecimalIntegerValueModelElement(
'integer104',
valueSignType=DecimalIntegerValueModelElement.
SIGN_TYPE_OPTIONAL),
FixedDataModelElement('fixed105', b' comm='), subTree1
])
])
]),
SequenceModelElement('sequence106', [
FixedDataModelElement('fixed107', b'PATH msg='),
VariableByteDataModelElement('string108', dict),
FixedDataModelElement('fixed109', b' item='),
DecimalIntegerValueModelElement(
'integer110',
valueSignType=DecimalIntegerValueModelElement.
SIGN_TYPE_OPTIONAL),
FixedDataModelElement('fixed111', b' name='),
VariableByteDataModelElement('string112', dict),
FixedDataModelElement('fixed113', b' '),
FirstMatchModelElement('firstmatch114', [
SequenceModelElement('sequence115', [
FixedDataModelElement('fixed116', b'inode='),
DecimalIntegerValueModelElement(
'integer117',
valueSignType=DecimalIntegerValueModelElement.
SIGN_TYPE_OPTIONAL),
FixedDataModelElement('fixed118', b' dev='),
FirstMatchModelElement('firstmatch119', [
SequenceModelElement('sequence120', [
FixedDataModelElement('fixed121',
b'fe:01 mode='),
DecimalIntegerValueModelElement(
'integer122',
valueSignType=DecimalIntegerValueModelElement
.SIGN_TYPE_OPTIONAL),
FixedDataModelElement('fixed123', b' ouid='),
DecimalIntegerValueModelElement(
'integer124',
valueSignType=DecimalIntegerValueModelElement
.SIGN_TYPE_OPTIONAL),
FixedDataModelElement('fixed125', b' ogid='),
DecimalIntegerValueModelElement(
'integer126',
valueSignType=DecimalIntegerValueModelElement
.SIGN_TYPE_OPTIONAL),
FixedDataModelElement(
'fixed127', b' rdev=00:00 nametype='),
FirstMatchModelElement('firstmatch128', [
FixedDataModelElement(
'fixed129', b'NORMAL'),
VariableByteDataModelElement(
'string130', dict)
])
]),
SequenceModelElement('sequence131', [
VariableByteDataModelElement(
'string132', dict),
FixedDataModelElement('fixed133', b' mode='),
DecimalIntegerValueModelElement(
'integer134',
valueSignType=DecimalIntegerValueModelElement
.SIGN_TYPE_OPTIONAL),
FixedDataModelElement('fixed135', b' ouid='),
DecimalIntegerValueModelElement(
'integer136',
valueSignType=DecimalIntegerValueModelElement
.SIGN_TYPE_OPTIONAL),
FixedDataModelElement('fixed137', b' ogid='),
DecimalIntegerValueModelElement(
'integer138',
valueSignType=DecimalIntegerValueModelElement
.SIGN_TYPE_OPTIONAL),
FixedDataModelElement(
'fixed139', b' rdev=00:00 nametype=NORMAL')
])
])
]),
SequenceModelElement('sequence140', [
VariableByteDataModelElement('string141', dict),
FixedDataModelElement('fixed142', b'=UNKNOWN')
])
])
]),
SequenceModelElement('sequence143', [
VariableByteDataModelElement('string144', dict),
FixedDataModelElement('fixed145', b' msg='),
VariableByteDataModelElement('string146', dict),
FixedDataModelElement('fixed147', b' saddr='),
FixedWordlistDataModelElement('fixed148', [
b'01002F7661722F72756E2F6D7973716C642F6D7973716C642E736F636B',
b'020000350A12FFFE0000000000000000'
])
])
])
])
return model
def get_model():
"""Return a model to parse Apache Error logs from the AIT-LDS."""
model = SequenceModelElement('model', [
FixedDataModelElement('sp1', b'['),
FixedWordlistDataModelElement('day', [b'Mon', b'Tue', b'Wed', b'Thu', b'Fri', b'Sat', b'Sun']),
FixedDataModelElement('sp2', b' '),
DateTimeModelElement('time', b'%b %d %H:%M:%S.%f %Y'),
FixedDataModelElement('error_str', b'] [:error] [pid '),
DecimalIntegerValueModelElement('pid'),
FixedDataModelElement('sp3', b'] [client '),
IpAddressDataModelElement('client_ip'),
FixedDataModelElement('colon', b':'),
DecimalIntegerValueModelElement('client_port'),
FixedDataModelElement('php', b'] PHP '),
FirstMatchModelElement('fphp', [
SequenceModelElement('warning', [
FixedDataModelElement('warning_str', b'Warning: '),
FirstMatchModelElement('warning', [
SequenceModelElement('declaration', [
FixedDataModelElement('declaration_str', b'Declaration of '),
DelimitedDataModelElement('function', b')'),
FixedDataModelElement('compatible_str', b') should be compatible with '),
DelimitedDataModelElement('function2', b')'),
FixedDataModelElement('compatible_str', b') in '),
DelimitedDataModelElement('path', b' '),
FixedDataModelElement('compatible_str', b' on line '),
DecimalIntegerValueModelElement('line'),
FixedDataModelElement('referer_str', b', referer: '),
AnyByteDataModelElement('referer')]),
SequenceModelElement('system', [
FixedDataModelElement('system_str', b'system(): Cannot execute a blank command in '),
DelimitedDataModelElement('path', b' '),
FixedDataModelElement('compatible_str', b' on line '),
DecimalIntegerValueModelElement('line')])])]),
SequenceModelElement('notice', [
FixedDataModelElement('notice_str', b'Notice: Undefined index: '),
DelimitedDataModelElement('command', b' '),
FixedDataModelElement('sp', b' in '),
DelimitedDataModelElement('path', b' '),
FixedDataModelElement('compatible_str', b' on line '),
DecimalIntegerValueModelElement('line')]),
SequenceModelElement('deprecated', [
FixedDataModelElement('deprecated_str', b'Deprecated: Methods with the same name as their class '
b'will not be constructors in a future version of PHP; '),
DelimitedDataModelElement('class', b' '),
FixedDataModelElement('constructor_str', b' has a deprecated constructor in '),
DelimitedDataModelElement('path', b' '),
FixedDataModelElement('compatible_str', b' on line '),
DecimalIntegerValueModelElement('line'),
FixedDataModelElement('referer_str', b', referer: '),
AnyByteDataModelElement('referer'),
])])])
return model
class NewMatchIdValueComboDetectorTest(TestBase):
log_lines = [
b'type=SYSCALL msg=audit(1580367384.000:1): arch=c000003e syscall=1 success=yes exit=21 a0=7ffda5863060 a1=0 a2=1b6 a3=4f items=1 '
b'ppid=22913 pid=13187 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 '
b'comm="apache2" exe="/usr/sbin/apache2" key=(null)',
b'type=PATH msg=audit(1580367385.000:1): item=0 name="one" inode=790106 dev=fe:01 mode=0100666 ouid=1000 ogid=1000 rdev=00:00 '
b'nametype=NORMAL',
b'type=SYSCALL msg=audit(1580367386.000:2): arch=c000003e syscall=2 success=yes exit=21 a0=7ffda5863060 a1=0 a2=1b6 a3=4f items=1 '
b'ppid=22913 pid=13187 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 '
b'comm="apache2" exe="/usr/sbin/apache2" key=(null)',
b'type=PATH msg=audit(1580367387.000:2): item=0 name="two" inode=790106 dev=fe:01 mode=0100666 ouid=1000 ogid=1000 rdev=00:00 '
b'nametype=NORMAL',
b'type=SYSCALL msg=audit(1580367388.000:3): arch=c000003e syscall=3 success=yes exit=21 a0=7ffda5863060 a1=0 a2=1b6 a3=4f items=1 '
b'ppid=22913 pid=13187 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 '
b'comm="apache2" exe="/usr/sbin/apache2" key=(null)',
b'type=PATH msg=audit(1580367389.000:3): item=0 name="three" inode=790106 dev=fe:01 mode=0100666 ouid=1000 ogid=1000 rdev=00:00 '
b'nametype=NORMAL',
b'type=SYSCALL msg=audit(1580367388.500:100): arch=c000003e syscall=1 success=yes exit=21 a0=7ffda5863060 a1=0 a2=1b6 a3=4f items=1'
b' ppid=22913 pid=13187 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 '
b'comm="apache2" exe="/usr/sbin/apache2" key=(null)',
b'type=SYSCALL msg=audit(1580367390.000:4): arch=c000003e syscall=1 success=yes exit=21 a0=7ffda5863060 a1=0 a2=1b6 a3=4f items=1 '
b'ppid=22913 pid=13187 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 '
b'comm="apache2" exe="/usr/sbin/apache2" key=(null)',
b'type=PATH msg=audit(1580367391.000:4): item=0 name="one" inode=790106 dev=fe:01 mode=0100666 ouid=1000 ogid=1000 rdev=00:00 '
b'nametype=NORMAL',
b'type=PATH msg=audit(1580367392.000:5): item=0 name="two" inode=790106 dev=fe:01 mode=0100666 ouid=1000 ogid=1000 rdev=00:00 '
b'nametype=NORMAL',
b'type=SYSCALL msg=audit(1580367393.000:5): arch=c000003e syscall=2 success=yes exit=21 a0=7ffda5863060 a1=0 a2=1b6 a3=4f items=1 '
b'ppid=22913 pid=13187 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 '
b'comm="apache2" exe="/usr/sbin/apache2" key=(null)',
b'type=SYSCALL msg=audit(1580367394.000:6): arch=c000003e syscall=4 success=yes exit=21 a0=7ffda5863060 a1=0 a2=1b6 a3=4f items=1 '
b'ppid=22913 pid=13187 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 '
b'comm="apache2" exe="/usr/sbin/apache2" key=(null)',
b'type=PATH msg=audit(1580367395.000:7): item=0 name="five" inode=790106 dev=fe:01 mode=0100666 ouid=1000 ogid=1000 rdev=00:00 '
b'nametype=NORMAL',
b'type=SYSCALL msg=audit(1580367396.000:8): arch=c000003e syscall=6 success=yes exit=21 a0=7ffda5863060 a1=0 a2=1b6 a3=4f items=1 '
b'ppid=22913 pid=13187 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 '
b'comm="apache2" exe="/usr/sbin/apache2" key=(null)',
b'type=PATH msg=audit(1580367397.000:6): item=0 name="four" inode=790106 dev=fe:01 mode=0100666 ouid=1000 ogid=1000 rdev=00:00 '
b'nametype=NORMAL',
b'type=SYSCALL msg=audit(1580367398.000:7): arch=c000003e syscall=5 success=yes exit=21 a0=7ffda5863060 a1=0 a2=1b6 a3=4f items=1 '
b'ppid=22913 pid=13187 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 '
b'comm="apache2" exe="/usr/sbin/apache2" key=(null)',
b'type=PATH msg=audit(1580367399.000:8): item=0 name="six" inode=790106 dev=fe:01 mode=0100666 ouid=1000 ogid=1000 rdev=00:00 '
b'nametype=NORMAL',
b'type=SYSCALL msg=audit(1580367400.000:9): arch=c000003e syscall=2 success=yes exit=21 a0=7ffda5863060 a1=0 a2=1b6 a3=4f items=1 '
b'ppid=22913 pid=13187 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 '
b'comm="apache2" exe="/usr/sbin/apache2" key=(null)',
b'type=PATH msg=audit(1580367401.000:9): item=0 name="three" inode=790106 dev=fe:01 mode=0100666 ouid=1000 ogid=1000 rdev=00:00 '
b'nametype=NORMAL',
b'type=PATH msg=audit(1580367402.000:10): item=0 name="one" inode=790106 dev=fe:01 mode=0100666 ouid=1000 ogid=1000 rdev=00:00 '
b'nametype=NORMAL',
b'type=SYSCALL msg=audit(1580367403.000:10): arch=c000003e syscall=3 success=yes exit=21 a0=7ffda5863060 a1=0 a2=1b6 a3=4f items=1 '
b'ppid=22913 pid=13187 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 '
b'comm="apache2" exe="/usr/sbin/apache2" key=(null)']
expected_whitelist_string = "Whitelisted path(es) parser/type/path/name, parser/type/syscall/syscall with %s in %s"
parsing_model = FirstMatchModelElement('type', [SequenceModelElement('path', [
FixedDataModelElement('type', b'type=PATH '), FixedDataModelElement('msg_audit', b'msg=audit('),
DelimitedDataModelElement('msg', b':'), FixedDataModelElement('placeholder', b':'), DecimalIntegerValueModelElement('id'),
FixedDataModelElement('item_string', b'): item='), DecimalIntegerValueModelElement('item'),
FixedDataModelElement('name_string', b' name="'), DelimitedDataModelElement('name', b'"'),
FixedDataModelElement('inode_string', b'" inode='), DecimalIntegerValueModelElement('inode'),
FixedDataModelElement('dev_string', b' dev='), DelimitedDataModelElement('dev', b' '),
FixedDataModelElement('mode_string', b' mode='), DecimalIntegerValueModelElement('mode'),
FixedDataModelElement('ouid_string', b' ouid='), DecimalIntegerValueModelElement('ouid'),
FixedDataModelElement('ogid_string', b' ogid='), DecimalIntegerValueModelElement('ogid'),
FixedDataModelElement('rdev_string', b' rdev='), DelimitedDataModelElement('rdev', b' '),
FixedDataModelElement('nametype_string', b' nametype='), FixedWordlistDataModelElement('nametype', [b'NORMAL', b'ERROR'])]),
SequenceModelElement('syscall', [
FixedDataModelElement('type', b'type=SYSCALL '), FixedDataModelElement('msg_audit', b'msg=audit('),
DelimitedDataModelElement('msg', b':'), FixedDataModelElement('placeholder', b':'), DecimalIntegerValueModelElement('id'),
FixedDataModelElement('arch_string', b'): arch='), DelimitedDataModelElement('arch', b' '),
FixedDataModelElement('syscall_string', b' syscall='), DecimalIntegerValueModelElement('syscall'),
FixedDataModelElement('success_string', b' success='), FixedWordlistDataModelElement('success', [b'yes', b'no']),
FixedDataModelElement('exit_string', b' exit='), DecimalIntegerValueModelElement('exit'),
AnyByteDataModelElement('remainding_data')])])
def test1receive_match_in_time_with_auto_include_flag(self):
"""This test case checks if log_atoms are accepted as expected with the auto_include_flag=True."""
description = 'test1newMatchIdValueComboDetectorTest'
output_stream_empty_results = [True, False, True, False, True, False, True, True, True, True, True, True, True, True, False, False,
False, True, False, True, False]
id_dict_current_results = [
{1: {'parser/type/syscall/syscall': 1}}, {}, {2: {'parser/type/syscall/syscall': 2}}, {},
{3: {'parser/type/syscall/syscall': 3}}, {}, {100: {'parser/type/syscall/syscall': 1}},
{100: {'parser/type/syscall/syscall': 1}, 4: {'parser/type/syscall/syscall': 1}}, {100: {'parser/type/syscall/syscall': 1}},
{100: {'parser/type/syscall/syscall': 1}, 5: {'parser/type/path/name': 'two'}}, {100: {'parser/type/syscall/syscall': 1}},
{100: {'parser/type/syscall/syscall': 1}, 6: {'parser/type/syscall/syscall': 4}},
{100: {'parser/type/syscall/syscall': 1}, 6: {'parser/type/syscall/syscall': 4}, 7: {'parser/type/path/name': 'five'}},
{100: {'parser/type/syscall/syscall': 1}, 6: {'parser/type/syscall/syscall': 4}, 7: {'parser/type/path/name': 'five'},
8: {'parser/type/syscall/syscall': 6}},
{100: {'parser/type/syscall/syscall': 1}, 7: {'parser/type/path/name': 'five'}, 8: {'parser/type/syscall/syscall': 6}},
{100: {'parser/type/syscall/syscall': 1}, 8: {'parser/type/syscall/syscall': 6}}, {100: {'parser/type/syscall/syscall': 1}},
{100: {'parser/type/syscall/syscall': 1}, 9: {'parser/type/syscall/syscall': 2}}, {100: {'parser/type/syscall/syscall': 1}},
{100: {'parser/type/syscall/syscall': 1}, 10: {'parser/type/path/name': 'one'}}, {100: {'parser/type/syscall/syscall': 1}}]
id_dict_old_results = [{}] * 21
min_allowed_time_diff = 0.1
log_atoms = []
for line in self.log_lines:
t = time.time()
log_atoms.append(
LogAtom(line, ParserMatch(self.parsing_model.get_match_element('parser', MatchContext(line))), t, self.__class__.__name__))
new_match_id_value_combo_detector = NewMatchIdValueComboDetector(self.aminer_config, [
'parser/type/path/name', 'parser/type/syscall/syscall'], [self.stream_printer_event_handler],
id_path_list=['parser/type/path/id', 'parser/type/syscall/id'], min_allowed_time_diff=min_allowed_time_diff,
auto_include_flag=True, allow_missing_values_flag=True, persistence_id='audit_type_path', output_log_line=False)
self.analysis_context.register_component(new_match_id_value_combo_detector, description)
for i, log_atom in enumerate(log_atoms):
self.assertTrue(new_match_id_value_combo_detector.receive_atom(log_atom))
self.assertEqual(self.output_stream.getvalue() == "", output_stream_empty_results[i], log_atom.raw_data)
self.assertEqual(new_match_id_value_combo_detector.id_dict_current, id_dict_current_results[i])
self.assertEqual(new_match_id_value_combo_detector.id_dict_old, id_dict_old_results[i])
self.reset_output_stream()
def test2receive_match_after_max_allowed_time_diff_with_auto_include_flag(self):
"""This test case checks if log_atoms are deleted after the maximal allowed time difference with the auto_include_flag=True."""
description = 'test2newMatchIdValueComboDetectorTest'
output_stream_empty_results = [True, False, True, False, True, False, True, True, True, True, True, True, True, True, False, False,
False, True, False, True, False]
id_dict_current_results = [
{1: {'parser/type/syscall/syscall': 1}}, {}, {2: {'parser/type/syscall/syscall': 2}}, {},
{3: {'parser/type/syscall/syscall': 3}}, {}, {100: {'parser/type/syscall/syscall': 1}},
{100: {'parser/type/syscall/syscall': 1}, 4: {'parser/type/syscall/syscall': 1}}, {100: {'parser/type/syscall/syscall': 1}},
{5: {'parser/type/path/name': 'two'}, 100: {'parser/type/syscall/syscall': 1}}, {}, {6: {'parser/type/syscall/syscall': 4}},
{6: {'parser/type/syscall/syscall': 4}, 7: {'parser/type/path/name': 'five'}},
{6: {'parser/type/syscall/syscall': 4}, 7: {'parser/type/path/name': 'five'}, 8: {'parser/type/syscall/syscall': 6}},
{7: {'parser/type/path/name': 'five'}, 8: {'parser/type/syscall/syscall': 6}}, {}, {}, {9: {'parser/type/syscall/syscall': 2}},
{}, {10: {'parser/type/path/name': 'one'}}, {}]
id_dict_old_results = [{}] * 10 + [{100: {'parser/type/syscall/syscall': 1}}] * 5 + [{8: {'parser/type/syscall/syscall': 6}}] + [
{}] * 5
min_allowed_time_diff = 5
log_atoms = []
t = time.time()
for line in self.log_lines:
log_atoms.append(
LogAtom(line, ParserMatch(self.parsing_model.get_match_element('parser', MatchContext(line))), t, self.__class__.__name__))
t = t + min_allowed_time_diff * 0.25
new_match_id_value_combo_detector = NewMatchIdValueComboDetector(self.aminer_config, [
'parser/type/path/name', 'parser/type/syscall/syscall'], [self.stream_printer_event_handler],
id_path_list=['parser/type/path/id', 'parser/type/syscall/id'], min_allowed_time_diff=min_allowed_time_diff,
auto_include_flag=True, allow_missing_values_flag=True, persistence_id='audit_type_path', output_log_line=False)
self.analysis_context.register_component(new_match_id_value_combo_detector, description)
for i, log_atom in enumerate(log_atoms):
self.assertTrue(new_match_id_value_combo_detector.receive_atom(log_atom))
self.assertEqual(self.output_stream.getvalue() == "", output_stream_empty_results[i], log_atom.raw_data)
self.assertEqual(new_match_id_value_combo_detector.id_dict_current, id_dict_current_results[i], log_atom.raw_data)
self.assertEqual(new_match_id_value_combo_detector.id_dict_old, id_dict_old_results[i])
self.reset_output_stream()
def test3receive_match_in_time_without_auto_include_flag(self):
"""This test case checks if log_atoms are accepted as expected with the auto_include_flag=False."""
description = 'test3newMatchIdValueComboDetectorTest'
output_stream_empty_results = [True, False, True, False, True, False, True, True, False, True, False, True, True, True, False,
False, False, True, False, True, False]
id_dict_current_results = [
{1: {'parser/type/syscall/syscall': 1}}, {}, {2: {'parser/type/syscall/syscall': 2}}, {},
{3: {'parser/type/syscall/syscall': 3}}, {}, {100: {'parser/type/syscall/syscall': 1}},
{100: {'parser/type/syscall/syscall': 1}, 4: {'parser/type/syscall/syscall': 1}}, {100: {'parser/type/syscall/syscall': 1}},
{100: {'parser/type/syscall/syscall': 1}, 5: {'parser/type/path/name': 'two'}}, {100: {'parser/type/syscall/syscall': 1}},
{100: {'parser/type/syscall/syscall': 1}, 6: {'parser/type/syscall/syscall': 4}},
{100: {'parser/type/syscall/syscall': 1}, 6: {'parser/type/syscall/syscall': 4}, 7: {'parser/type/path/name': 'five'}},
{100: {'parser/type/syscall/syscall': 1}, 6: {'parser/type/syscall/syscall': 4}, 7: {'parser/type/path/name': 'five'},
8: {'parser/type/syscall/syscall': 6}},
{100: {'parser/type/syscall/syscall': 1}, 7: {'parser/type/path/name': 'five'}, 8: {'parser/type/syscall/syscall': 6}},
{100: {'parser/type/syscall/syscall': 1}, 8: {'parser/type/syscall/syscall': 6}}, {100: {'parser/type/syscall/syscall': 1}},
{100: {'parser/type/syscall/syscall': 1}, 9: {'parser/type/syscall/syscall': 2}}, {100: {'parser/type/syscall/syscall': 1}},
{100: {'parser/type/syscall/syscall': 1}, 10: {'parser/type/path/name': 'one'}}, {100: {'parser/type/syscall/syscall': 1}}]
id_dict_old_results = [{}] * 21
min_allowed_time_diff = 0.1
log_atoms = []
for line in self.log_lines:
t = time.time()
log_atoms.append(
LogAtom(line, ParserMatch(self.parsing_model.get_match_element('parser', MatchContext(line))), t, self.__class__.__name__))
new_match_id_value_combo_detector = NewMatchIdValueComboDetector(self.aminer_config, [
'parser/type/path/name', 'parser/type/syscall/syscall'], [self.stream_printer_event_handler],
id_path_list=['parser/type/path/id', 'parser/type/syscall/id'], min_allowed_time_diff=min_allowed_time_diff,
auto_include_flag=False, allow_missing_values_flag=True, persistence_id='audit_type_path', output_log_line=False)
self.analysis_context.register_component(new_match_id_value_combo_detector, description)
for i, log_atom in enumerate(log_atoms):
self.assertTrue(new_match_id_value_combo_detector.receive_atom(log_atom))
self.assertEqual(self.output_stream.getvalue() == "", output_stream_empty_results[i], log_atom.raw_data)
self.assertEqual(new_match_id_value_combo_detector.id_dict_current, id_dict_current_results[i])
self.assertEqual(new_match_id_value_combo_detector.id_dict_old, id_dict_old_results[i])
self.assertEqual(new_match_id_value_combo_detector.known_values, [])
self.reset_output_stream()
def test4receive_match_after_max_allowed_time_diff_without_auto_include_flag(self):
"""This test case checks if log_atoms are deleted after the maximal allowed time difference with the auto_include_flag=False."""
description = 'test4newMatchIdValueComboDetectorTest'
output_stream_empty_results = [True, False, True, False, True, False, True, True, False, True, False, True, True, True, False,
False, False, True, False, True, False]
id_dict_current_results = [
{1: {'parser/type/syscall/syscall': 1}}, {}, {2: {'parser/type/syscall/syscall': 2}}, {},
{3: {'parser/type/syscall/syscall': 3}}, {}, {100: {'parser/type/syscall/syscall': 1}},
{100: {'parser/type/syscall/syscall': 1}, 4: {'parser/type/syscall/syscall': 1}}, {100: {'parser/type/syscall/syscall': 1}},
{5: {'parser/type/path/name': 'two'}, 100: {'parser/type/syscall/syscall': 1}}, {}, {6: {'parser/type/syscall/syscall': 4}},
{6: {'parser/type/syscall/syscall': 4}, 7: {'parser/type/path/name': 'five'}},
{6: {'parser/type/syscall/syscall': 4}, 7: {'parser/type/path/name': 'five'}, 8: {'parser/type/syscall/syscall': 6}},
{7: {'parser/type/path/name': 'five'}, 8: {'parser/type/syscall/syscall': 6}}, {}, {}, {9: {'parser/type/syscall/syscall': 2}},
{}, {10: {'parser/type/path/name': 'one'}}, {}]
id_dict_old_results = [{}] * 10 + [{100: {'parser/type/syscall/syscall': 1}}] * 5 + [{8: {'parser/type/syscall/syscall': 6}}] + [
{}] * 5
min_allowed_time_diff = 5
log_atoms = []
t = time.time()
for line in self.log_lines:
log_atoms.append(
LogAtom(line, ParserMatch(self.parsing_model.get_match_element('parser', MatchContext(line))), t, self.__class__.__name__))
t = t + min_allowed_time_diff * 0.25
new_match_id_value_combo_detector = NewMatchIdValueComboDetector(self.aminer_config, [
'parser/type/path/name', 'parser/type/syscall/syscall'], [self.stream_printer_event_handler],
id_path_list=['parser/type/path/id', 'parser/type/syscall/id'], min_allowed_time_diff=min_allowed_time_diff,
auto_include_flag=False, allow_missing_values_flag=True, persistence_id='audit_type_path', output_log_line=False)
self.analysis_context.register_component(new_match_id_value_combo_detector, description)
for i, log_atom in enumerate(log_atoms):
self.assertTrue(new_match_id_value_combo_detector.receive_atom(log_atom))
self.assertEqual(self.output_stream.getvalue() == "", output_stream_empty_results[i], log_atom.raw_data)
self.assertEqual(new_match_id_value_combo_detector.id_dict_current, id_dict_current_results[i], log_atom.raw_data)
self.assertEqual(new_match_id_value_combo_detector.id_dict_old, id_dict_old_results[i])
self.assertEqual(new_match_id_value_combo_detector.known_values, [])
self.reset_output_stream()
def test5whitelist_unknown_target_path(self):
"""This test case checks if a unknown target path can be added to the known_values with the whitelist_event method."""
description = 'test5newMatchIdValueComboDetectorTest'
min_allowed_time_diff = 5
new_match_id_value_combo_detector = NewMatchIdValueComboDetector(self.aminer_config, [
'parser/type/path/name', 'parser/type/syscall/syscall'], [self.stream_printer_event_handler],
id_path_list=['parser/type/path/id', 'parser/type/syscall/id'], min_allowed_time_diff=min_allowed_time_diff,
auto_include_flag=False, allow_missing_values_flag=True, persistence_id='audit_type_path', output_log_line=False)
self.analysis_context.register_component(new_match_id_value_combo_detector, description)
self.assertEqual(new_match_id_value_combo_detector.known_values, [])
sorted_log_lines = [self.log_lines[1]]
event_data = [self.log_lines[1], {'parser/type/syscall/syscall': 1, 'parser/type/path/name': 'one'}]
output = new_match_id_value_combo_detector.whitelist_event('Analysis.%s' % new_match_id_value_combo_detector.__class__.__name__,
sorted_log_lines, event_data, None)
self.assertEqual(new_match_id_value_combo_detector.known_values, [
{'parser/type/syscall/syscall': 1, 'parser/type/path/name': 'one'}])
self.assertEqual(output, self.expected_whitelist_string % (event_data[1], self.log_lines[1]))
sorted_log_lines = [self.log_lines[3]]
event_data = [self.log_lines[3], {'parser/type/syscall/syscall': 2, 'parser/type/path/name': 'two'}]
output = new_match_id_value_combo_detector.whitelist_event('Analysis.%s' % new_match_id_value_combo_detector.__class__.__name__,
sorted_log_lines, event_data, None)
self.assertEqual(new_match_id_value_combo_detector.known_values, [
{'parser/type/syscall/syscall': 1, 'parser/type/path/name': 'one'},
{'parser/type/syscall/syscall': 2, 'parser/type/path/name': 'two'}])
self.assertEqual(output, self.expected_whitelist_string % (event_data[1], self.log_lines[3]))
def test6whitelist_known_target_path(self):
"""This test case checks if a known target path is not added twice to the known_values with the whitelist_event method."""
description = 'test6newMatchIdValueComboDetectorTest'
min_allowed_time_diff = 5
new_match_id_value_combo_detector = NewMatchIdValueComboDetector(self.aminer_config, [
'parser/type/path/name', 'parser/type/syscall/syscall'], [self.stream_printer_event_handler],
id_path_list=['parser/type/path/id', 'parser/type/syscall/id'], min_allowed_time_diff=min_allowed_time_diff,
auto_include_flag=False, allow_missing_values_flag=True, persistence_id='audit_type_path', output_log_line=False)
self.analysis_context.register_component(new_match_id_value_combo_detector, description)
self.assertEqual(new_match_id_value_combo_detector.known_values, [])
sorted_log_lines = [self.log_lines[1]]
event_data = [self.log_lines[1], {'parser/type/syscall/syscall': 1, 'parser/type/path/name': 'one'}]
output = new_match_id_value_combo_detector.whitelist_event('Analysis.%s' % new_match_id_value_combo_detector.__class__.__name__,
sorted_log_lines, event_data, None)
self.assertEqual(new_match_id_value_combo_detector.known_values,
[{'parser/type/syscall/syscall': 1, 'parser/type/path/name': 'one'}])
self.assertEqual(output, self.expected_whitelist_string % (event_data[1], self.log_lines[1]))
sorted_log_lines = [self.log_lines[1]]
event_data = [self.log_lines[1], {'parser/type/syscall/syscall': 1, 'parser/type/path/name': 'one'}]
output = new_match_id_value_combo_detector.whitelist_event('Analysis.%s' % new_match_id_value_combo_detector.__class__.__name__,
sorted_log_lines, event_data, None)
self.assertEqual(new_match_id_value_combo_detector.known_values,
[{'parser/type/syscall/syscall': 1, 'parser/type/path/name': 'one'}])
self.assertEqual(output, self.expected_whitelist_string % (event_data[1], self.log_lines[1]))
def getModel(userNameModel=None):
"""This function defines how to parse a su session information message
after any standard logging preamble, e.g. from syslog."""
if userNameModel is None:
userNameModel = VariableByteDataModelElement(
'user', b'0123456789abcdefghijklmnopqrstuvwxyz.-')
srcUserNameModel = VariableByteDataModelElement('srcuser', \
b'0123456789abcdefghijklmnopqrstuvwxyz.-')
typeChildren = []
typeChildren.append(
SequenceModelElement('su-good', [
FixedDataModelElement('s0', b'Successful su for '), userNameModel,
FixedDataModelElement('s1', b' by '), srcUserNameModel
]))
typeChildren.append(
SequenceModelElement('su-good', [
FixedDataModelElement('s0', b'+ '),
DelimitedDataModelElement('terminal', b' '),
FixedDataModelElement('s1', b' '), srcUserNameModel,
FixedDataModelElement('s2', b':'), userNameModel
]))
typeChildren.append(SequenceModelElement('pam', [
FixedDataModelElement('s0', b'pam_unix(su:session): session '),
FixedWordlistDataModelElement('change', [b'opened', b'closed']),
FixedDataModelElement('s1', b' for user '),
userNameModel,
OptionalMatchModelElement('openby', \
SequenceModelElement('userinfo', [
FixedDataModelElement('s0', b' by (uid='),
DecimalIntegerValueModelElement('uid'),
FixedDataModelElement('s1', b')')]))
]))
model = SequenceModelElement('su', [
FixedDataModelElement('sname', b'su['),
DecimalIntegerValueModelElement('pid'),
FixedDataModelElement('s0', b']: '),
FirstMatchModelElement('msg', typeChildren)
])
return model
class TimeCorrelationViolationDetectorTest(TestBase):
"""Unittests for the TimeCorrelationViolationDetector."""
_expected_string = '%s Correlation rule "%s" violated\nTimeCorrelationViolationDetector: "%s" (%d lines)\n FAIL: '
_expected_string_too_early = _expected_string + 'B-Event for "%s" (%s) was found too early!\n\n\n'
_expected_string_too_late = _expected_string + 'B-Event for "%s" (%s) was not found in time!\n\n\n'
_expected_string_different_attributes = _expected_string + '"%s" (%s) %d is not equal %d\n\n\n'
model = '/model'
datetime_format_string = '%Y-%m-%d %H:%M:%S'
service_children1 = [
FixedDataModelElement('Value1Key', b'Value1: '),
FixedDataModelElement('Value1Value', b'fixed Value1'),
FixedDataModelElement('Value2Key', b', Value2: '),
DecimalIntegerValueModelElement('Value2Value'),
FixedDataModelElement('Value3Key', b', Value3: '),
FixedDataModelElement('Value3Value', b'fixed Value3'),
FixedDataModelElement('Value4Key', b', Value4: '),
FixedDataModelElement('Value4Value', b'fixed Value4')
]
service_children2 = [
FixedDataModelElement('Value1Key', b'Value1: '),
FixedDataModelElement('Value1Value', b'fixed Value1'),
FixedDataModelElement('Value2Key', b', Value2: '),
FixedDataModelElement('Value2Value', b'fixed Value2'),
FixedDataModelElement('Value3Key', b', Value3: '),
DecimalIntegerValueModelElement('Value3Value'),
FixedDataModelElement('Value4Key', b', Value4: '),
FixedDataModelElement('Value4Value', b'fixed Value4')
]
match_context1 = MatchContext(
b'Value1: fixed Value1, Value2: 22500, Value3: fixed Value3, Value4: fixed Value4'
)
match_context2 = MatchContext(
b'Value1: fixed Value1, Value2: fixed Value2, Value3: 22500, Value4: fixed Value4'
)
match_context2_different = MatchContext(
b'Value1: fixed Value1, Value2: fixed Value2, Value3: 22501, Value4: fixed Value4'
)
seq1 = SequenceModelElement('sequence1', service_children1)
seq2 = SequenceModelElement('sequence2', service_children2)
match_element1 = seq1.get_match_element(model, match_context1)
match_element2 = seq2.get_match_element(model, match_context2)
match_element2_different = seq2.get_match_element(
model, match_context2_different)
def setUp(self):
"""Set up the rules for the TimeCorrelationViolationDetector."""
TestBase.setUp(self)
self.correlation_rule = CorrelationRule(
'Correlation',
1,
1.2,
max_artefacts_a_for_single_b=1,
artefact_match_parameters=[('/model/sequence1/Value2Value',
'/model/sequence2/Value3Value')])
self.a_class_selector = EventClassSelector('Selector1',
[self.correlation_rule],
None)
self.b_class_selector = EventClassSelector('Selector2', None,
[self.correlation_rule])
self.rules = []
self.rules.append(
Rules.PathExistsMatchRule('/model/sequence1/Value2Key',
self.a_class_selector))
self.rules.append(
Rules.PathExistsMatchRule('/model/sequence2/Value3Key',
self.b_class_selector))
def test1_check_status_ok(self):
"""
In this test case the status is OK after receiving the expected data and no error message is returned.
The output of the do_timer-method is also tested in this test case.
"""
description = "Test1TimeCorrelationViolationDetector"
time_correlation_violation_detector = TimeCorrelationViolationDetector(
self.analysis_context.aminer_config, self.rules,
[self.stream_printer_event_handler])
self.analysis_context.register_component(
time_correlation_violation_detector, component_name=description)
log_atom1 = LogAtom(self.match_context1.match_data,
ParserMatch(self.match_element1), time.time(),
self)
time_correlation_violation_detector.receive_atom(log_atom1)
log_atom2 = LogAtom(self.match_context2.match_data,
ParserMatch(self.match_element2),
time.time() + 1, self)
time_correlation_violation_detector.receive_atom(log_atom2)
time_correlation_violation_detector.do_timer(time.time())
self.assertEqual(self.output_stream.getvalue(), "")
def test2_check_status_not_found_error(self):
"""
In this test case the second log line is not found and an appropriate error message is expected from the check_status-method.
The output of the do_timer-method is also tested in this test case.
"""
description = "Test2TimeCorrelationViolationDetector"
time_correlation_violation_detector = TimeCorrelationViolationDetector(
self.analysis_context.aminer_config, self.rules,
[self.stream_printer_event_handler])
self.analysis_context.register_component(
time_correlation_violation_detector, component_name=description)
t = time.time()
log_atom1 = LogAtom(self.match_context1.match_data,
ParserMatch(self.match_element1), t, self)
time_correlation_violation_detector.receive_atom(log_atom1)
r = self.correlation_rule.check_status(t + 2)
self.assertEqual(
r[0], 'FAIL: B-Event for "%s" (%s) was not found in time!\n' %
(self.match_element1.get_match_string().decode(),
self.a_class_selector.action_id))
def test3_check_status_before_expected_timespan(self):
"""
In this test case the second log line is found too early. An appropriate error message is expected from the check_status-method.
The output of the do_timer-method is also tested in this test case.
"""
description = "Test3TimeCorrelationViolationDetector"
time_correlation_violation_detector = TimeCorrelationViolationDetector(
self.analysis_context.aminer_config, self.rules,
[self.stream_printer_event_handler])
self.analysis_context.register_component(
time_correlation_violation_detector, component_name=description)
t = time.time()
log_atom1 = LogAtom(self.match_context1.match_data,
ParserMatch(self.match_element1), t, self)
time_correlation_violation_detector.receive_atom(log_atom1)
log_atom2 = LogAtom(self.match_context2.match_data,
ParserMatch(self.match_element2), time.time(),
self)
time_correlation_violation_detector.receive_atom(log_atom2)
time_correlation_violation_detector.do_timer(time.time())
self.assertEqual(
self.output_stream.getvalue(), self._expected_string_too_early %
(datetime.fromtimestamp(t).strftime(
self.datetime_format_string), self.correlation_rule.rule_id,
description, 1, self.match_element1.get_match_string().decode(),
self.a_class_selector.action_id))
def test4_check_status_after_expected_timespan(self):
"""
In this test case the second log line is found too late. An appropriate error message is expected from the check_status-method.
The output of the do_timer-method is also tested in this test case.
"""
description = "Test4TimeCorrelationViolationDetector"
time_correlation_violation_detector = TimeCorrelationViolationDetector(
self.analysis_context.aminer_config, self.rules,
[self.stream_printer_event_handler])
self.analysis_context.register_component(
time_correlation_violation_detector, component_name=description)
t = time.time()
log_atom1 = LogAtom(self.match_context1.match_data,
ParserMatch(self.match_element1), t, self)
time_correlation_violation_detector.receive_atom(log_atom1)
log_atom2 = LogAtom(self.match_context2.match_data,
ParserMatch(self.match_element2), t + 5, self)
time_correlation_violation_detector.receive_atom(log_atom2)
time_correlation_violation_detector.do_timer(time.time())
self.assertEqual(
self.output_stream.getvalue(), self._expected_string_too_late %
(datetime.fromtimestamp(t).strftime(
self.datetime_format_string), self.correlation_rule.rule_id,
description, 1, self.match_element1.get_match_string().decode(),
self.a_class_selector.action_id))
def test5_check_status_attributes_not_matching(self):
"""
In this test case the second log line has different attributes than expected.
An appropriate error message is expected from the check_status-method. The output of the do_timer-method is also tested in this
test case.
"""
description = "Test5TimeCorrelationViolationDetector"
time_correlation_violation_detector = TimeCorrelationViolationDetector(
self.analysis_context.aminer_config, self.rules,
[self.stream_printer_event_handler])
self.analysis_context.register_component(
time_correlation_violation_detector, component_name=description)
t = time.time()
log_atom1 = LogAtom(self.match_context1.match_data,
ParserMatch(self.match_element1), t, self)
time_correlation_violation_detector.receive_atom(log_atom1)
log_atom2 = LogAtom(self.match_context2.match_data,
ParserMatch(self.match_element2_different), t + 1,
self)
time_correlation_violation_detector.receive_atom(log_atom2)
time_correlation_violation_detector.do_timer(time.time())
self.assertEqual(
self.output_stream.getvalue(),
self._expected_string_different_attributes %
(datetime.fromtimestamp(t).strftime(
self.datetime_format_string), self.correlation_rule.rule_id,
description, 1, self.match_element1.get_match_string().decode(),
self.a_class_selector.action_id, 22500, 22501))
def test6_prepare_history_entry(self):
"""
In this test case the prepare_history_entry-method is tested with multiple artefact_match_parameters.
Also the case of not finding a parameter is tested.
"""
t = time.time()
p1 = ParserMatch(self.match_element1)
p2 = ParserMatch(self.match_element2)
log_atom1 = LogAtom(self.match_context1.match_data, p1, t, self)
log_atom2 = LogAtom(self.match_context2.match_data, p2, t + 5, self)
result = self.correlation_rule.prepare_history_entry(
self.a_class_selector, log_atom1)
self.assertEqual(result, [t, 0, self.a_class_selector, p1, 22500])
result = self.correlation_rule.prepare_history_entry(
self.b_class_selector, log_atom2)
self.assertEqual(result, [t + 5, 0, self.b_class_selector, p2, 22500])
def build_analysis_pipeline(analysis_context):
"""
Define the function to create pipeline for parsing the log data.
It has also to define an AtomizerFactory to instruct AMiner how to process incoming data streams to create log atoms from them.
"""
date_format_string = b'%Y-%m-%d %H:%M:%S'
cron = b' cron['
# Build the parsing model:
from aminer.parsing import FirstMatchModelElement, SequenceModelElement, DecimalFloatValueModelElement, FixedDataModelElement, \
DelimitedDataModelElement, AnyByteDataModelElement, FixedWordlistDataModelElement, DecimalIntegerValueModelElement, \
DateTimeModelElement, IpAddressDataModelElement, Base64StringModelElement, ElementValueBranchModelElement, HexStringModelElement, \
MultiLocaleDateTimeModelElement, OptionalMatchModelElement, RepeatedElementDataModelElement, VariableByteDataModelElement, \
WhiteSpaceLimitedDataModelElement
service_children_disk_report = [
FixedDataModelElement(
'Space',
b' Current Disk Data is: Filesystem Type Size Used Avail Use%'
),
DelimitedDataModelElement('Data', b'%'),
AnyByteDataModelElement('Rest')
]
service_children_login_details = [
FixedDataModelElement('User', b'User '),
DelimitedDataModelElement('Username', b' '),
FixedWordlistDataModelElement('Status',
[b' logged in', b' logged out']),
OptionalMatchModelElement(
'PastTime',
SequenceModelElement('Time', [
FixedDataModelElement('Blank', b' '),
DecimalIntegerValueModelElement('Minutes'),
FixedDataModelElement('Ago', b' minutes ago.')
]))
]
service_children_cron_job = [
DateTimeModelElement('DTM', date_format_string),
FixedDataModelElement('UNameSpace1', b' '),
DelimitedDataModelElement('UName', b' '),
FixedDataModelElement('UNameSpace2', b' '),
DelimitedDataModelElement('User', b' '),
FixedDataModelElement('Cron', cron),
DecimalIntegerValueModelElement('JobNumber'),
FixedDataModelElement('Details', b']: Job `cron.daily` started.')
]
service_children_random_time = [
FixedDataModelElement('Space', b'Random: '),
DecimalIntegerValueModelElement('Random')
]
service_children_sensors = [
SequenceModelElement('CPUTemp', [
FixedDataModelElement('FixedTemp', b'CPU Temp: '),
DecimalIntegerValueModelElement('Temp'),
FixedDataModelElement('Degrees', b'\xc2\xb0C')
]),
FixedDataModelElement('Space1', b', '),
SequenceModelElement('CPUWorkload', [
FixedDataModelElement('FixedWorkload', b'CPU Workload: '),
DecimalIntegerValueModelElement('Workload'),
FixedDataModelElement('Percent', b'%')
]),
FixedDataModelElement('Space2', b', '),
DateTimeModelElement('DTM', date_format_string)
]
service_children_user_ip_address = [
FixedDataModelElement('User', b'User '),
DelimitedDataModelElement('Username', b' '),
FixedDataModelElement('Action', b' changed IP address to '),
IpAddressDataModelElement('IP')
]
service_children_cron_job_announcement = [
DateTimeModelElement('DTM', date_format_string),
FixedDataModelElement('Space', b' '),
DelimitedDataModelElement('UName', b' '),
FixedDataModelElement('Cron', cron),
DecimalIntegerValueModelElement('JobNumber'),
FixedDataModelElement('Run', b']: Will run job `'),
FixedWordlistDataModelElement(
'CronType',
[b'cron.daily', b'cron.hourly', b'cron.monthly', b'cron.weekly']),
FixedDataModelElement('StartTime', b'\' in 5 min.')
]
service_children_cron_job_execution = [
DateTimeModelElement('DTM', date_format_string),
FixedDataModelElement('Space1', b' '),
DelimitedDataModelElement('UName', b' '),
FixedDataModelElement('Cron', cron),
DecimalIntegerValueModelElement('JobNumber'),
FixedDataModelElement('Job', b']: Job `'),
FixedWordlistDataModelElement(
'CronType',
[b'cron.daily', b'cron.hourly', b'cron.monthly', b'cron.weekly']),
FixedDataModelElement('Started', b'\' started')
]
service_children_audit = [
SequenceModelElement('path', [
FixedDataModelElement('type', b'type=PATH '),
FixedDataModelElement('msg_audit', b'msg=audit('),
DelimitedDataModelElement('msg', b':'),
FixedDataModelElement('placeholder', b':'),
DecimalIntegerValueModelElement('id'),
FixedDataModelElement('item_string', b'): item='),
DecimalIntegerValueModelElement('item'),
FixedDataModelElement('name_string', b' name="'),
DelimitedDataModelElement('name', b'"'),
FixedDataModelElement('inode_string', b'" inode='),
DecimalIntegerValueModelElement('inode'),
FixedDataModelElement('dev_string', b' dev='),
DelimitedDataModelElement('dev', b' '),
FixedDataModelElement('mode_string', b' mode='),
DecimalIntegerValueModelElement('mode'),
FixedDataModelElement('ouid_string', b' ouid='),
DecimalIntegerValueModelElement('ouid'),
FixedDataModelElement('ogid_string', b' ogid='),
DecimalIntegerValueModelElement('ogid'),
FixedDataModelElement('rdev_string', b' rdev='),
DelimitedDataModelElement('rdev', b' '),
FixedDataModelElement('nametype_string', b' nametype='),
FixedWordlistDataModelElement('nametype', [b'NORMAL', b'ERROR'])
]),
SequenceModelElement('syscall', [
FixedDataModelElement('type', b'type=SYSCALL '),
FixedDataModelElement('msg_audit', b'msg=audit('),
DelimitedDataModelElement('msg', b':'),
FixedDataModelElement('placeholder', b':'),
DecimalIntegerValueModelElement('id'),
FixedDataModelElement('arch_string', b'): arch='),
DelimitedDataModelElement('arch', b' '),
FixedDataModelElement('syscall_string', b' syscall='),
DecimalIntegerValueModelElement('syscall'),
FixedDataModelElement('success_string', b' success='),
FixedWordlistDataModelElement('success', [b'yes', b'no']),
FixedDataModelElement('exit_string', b' exit='),
DecimalIntegerValueModelElement('exit'),
AnyByteDataModelElement('remainding_data')
])
]
service_children_parsing_model_element = [
DateTimeModelElement('DateTimeModelElement',
b'Current DateTime: %d.%m.%Y %H:%M:%S'),
DecimalFloatValueModelElement('DecimalFloatValueModelElement',
value_sign_type='optional'),
DecimalIntegerValueModelElement('DecimalIntegerValueModelElement',
value_sign_type='optional',
value_pad_type='blank'),
SequenceModelElement('', [
DelimitedDataModelElement('DelimitedDataModelElement', b';'),
FixedDataModelElement('FixedDataModelElement', b';')
])
]
# ElementValueBranchModelElement
fixed_data_me1 = FixedDataModelElement("fixed1", b'match ')
fixed_data_me2 = FixedDataModelElement("fixed2", b'fixed String')
fixed_wordlist_data_model_element = FixedWordlistDataModelElement(
"wordlist", [b'data: ', b'string: '])
decimal_integer_value_model_element = DecimalIntegerValueModelElement(
"decimal")
service_children_parsing_model_element.append(
ElementValueBranchModelElement(
'ElementValueBranchModelElement',
FirstMatchModelElement("first", [
SequenceModelElement(
"seq1",
[fixed_data_me1, fixed_wordlist_data_model_element]),
SequenceModelElement("seq2", [
fixed_data_me1, fixed_wordlist_data_model_element,
fixed_data_me2
])
]), "wordlist", {
0: decimal_integer_value_model_element,
1: fixed_data_me2
}))
service_children_parsing_model_element.append(
HexStringModelElement('HexStringModelElement'))
service_children_parsing_model_element.append(
SequenceModelElement('', [
FixedDataModelElement('FixedDataModelElement',
b'Gateway IP-Address: '),
IpAddressDataModelElement('IpAddressDataModelElement')
]))
import locale
loc = locale.getlocale()
if loc == (None, None):
loc = ('en_US', 'utf8')
service_children_parsing_model_element.append(
MultiLocaleDateTimeModelElement('MultiLocaleDateTimeModelElement',
[(b'%b %d %Y', '%s.%s' %
(loc), None)]))
service_children_parsing_model_element.append(
RepeatedElementDataModelElement(
'RepeatedElementDataModelElement',
SequenceModelElement('SequenceModelElement', [
FixedDataModelElement('FixedDataModelElement',
b'drawn number: '),
DecimalIntegerValueModelElement(
'DecimalIntegerValueModelElement')
]), 1))
service_children_parsing_model_element.append(
VariableByteDataModelElement('VariableByteDataModelElement', b'-@#'))
service_children_parsing_model_element.append(
SequenceModelElement('', [
WhiteSpaceLimitedDataModelElement(
'WhiteSpaceLimitedDataModelElement'),
FixedDataModelElement('', b' ')
]))
# The Base64StringModelElement must be just before the AnyByteDataModelElement to avoid unexpected Matches.
service_children_parsing_model_element.append(
Base64StringModelElement('Base64StringModelElement'))
# The OptionalMatchModelElement must be paired with a FirstMatchModelElement because it accepts all data and thus no data gets to the
# AnyByteDataModelElement. The AnyByteDataModelElement must be last, because all bytes are accepted.
service_children_parsing_model_element.append(
OptionalMatchModelElement(
'OptionalMatchModelElement',
FirstMatchModelElement('FirstMatchModelElement', [
FixedDataModelElement('FixedDataModelElement',
b'The-searched-element-was-found!'),
SequenceModelElement('', [
FixedDataModelElement('FixedDME', b'Any:'),
AnyByteDataModelElement('AnyByteDataModelElement')
])
])))
alphabet = b'abcdef'
service_children_ecd = []
for _, char in enumerate(alphabet):
char = bytes([char])
service_children_ecd.append(FixedDataModelElement(char.decode(), char))
parsing_model = FirstMatchModelElement('model', [
SequenceModelElement('CronAnnouncement',
service_children_cron_job_announcement),
SequenceModelElement('CronExecution',
service_children_cron_job_execution),
SequenceModelElement('DailyCron', service_children_cron_job),
SequenceModelElement('DiskReport', service_children_disk_report),
SequenceModelElement('LoginDetails', service_children_login_details),
DecimalIntegerValueModelElement('Random'),
SequenceModelElement('RandomTime', service_children_random_time),
SequenceModelElement('Sensors', service_children_sensors),
SequenceModelElement('IPAddresses', service_children_user_ip_address),
FirstMatchModelElement('type', service_children_audit),
FirstMatchModelElement('ECD', service_children_ecd),
FirstMatchModelElement('ParsingME',
service_children_parsing_model_element)
])
# Some generic imports.
from aminer.analysis import AtomFilters
# Create all global handler lists here and append the real handlers later on.
# Use this filter to distribute all atoms to the analysis handlers.
atom_filter = AtomFilters.SubhandlerFilter(None)
from aminer.analysis.TimestampCorrectionFilters import SimpleMonotonicTimestampAdjust
simple_monotonic_timestamp_adjust = SimpleMonotonicTimestampAdjust(
[atom_filter])
analysis_context.register_component(
simple_monotonic_timestamp_adjust,
component_name="SimpleMonotonicTimestampAdjust")
from aminer.events.StreamPrinterEventHandler import StreamPrinterEventHandler
stream_printer_event_handler = StreamPrinterEventHandler(analysis_context)
anomaly_event_handlers = [stream_printer_event_handler]
# Now define the AtomizerFactory using the model. A simple line
# based one is usually sufficient.
from aminer.input import SimpleByteStreamLineAtomizerFactory
analysis_context.atomizer_factory = SimpleByteStreamLineAtomizerFactory(
parsing_model, [simple_monotonic_timestamp_adjust],
anomaly_event_handlers,
default_timestamp_paths=["/model/DailyCron/DTM"])
# Just report all unparsed atoms to the event handlers.
from aminer.input import SimpleUnparsedAtomHandler, VerboseUnparsedAtomHandler
simple_unparsed_atom_handler = SimpleUnparsedAtomHandler(
anomaly_event_handlers)
atom_filter.add_handler(simple_unparsed_atom_handler,
stop_when_handled_flag=False)
analysis_context.register_component(simple_unparsed_atom_handler,
component_name="SimpleUnparsedHandler")
verbose_unparsed_atom_handler = VerboseUnparsedAtomHandler(
anomaly_event_handlers, parsing_model)
atom_filter.add_handler(verbose_unparsed_atom_handler,
stop_when_handled_flag=True)
analysis_context.register_component(
verbose_unparsed_atom_handler, component_name="VerboseUnparsedHandler")
from aminer.analysis.TimestampsUnsortedDetector import TimestampsUnsortedDetector
timestamps_unsorted_detector = TimestampsUnsortedDetector(
analysis_context.aminer_config, anomaly_event_handlers)
atom_filter.add_handler(timestamps_unsorted_detector)
analysis_context.register_component(
timestamps_unsorted_detector,
component_name="TimestampsUnsortedDetector")
from aminer.analysis import Rules
from aminer.analysis import AllowlistViolationDetector
# This rule list should trigger, when the line does not look like: User root (logged in, logged out)
# or User 'username' (logged in, logged out) x minutes ago.
allowlist_rules = [
Rules.OrMatchRule([
Rules.AndMatchRule([
Rules.PathExistsMatchRule(
'/model/LoginDetails/PastTime/Time/Minutes'),
Rules.NegationMatchRule(
Rules.ValueMatchRule('/model/LoginDetails/Username',
b'root'))
]),
Rules.AndMatchRule([
Rules.NegationMatchRule(
Rules.PathExistsMatchRule(
'/model/LoginDetails/PastTime/Time/Minutes')),
Rules.PathExistsMatchRule('/model/LoginDetails')
]),
Rules.NegationMatchRule(
Rules.PathExistsMatchRule('/model/LoginDetails'))
])
]
allowlist_violation_detector = AllowlistViolationDetector(
analysis_context.aminer_config,
allowlist_rules,
anomaly_event_handlers,
output_log_line=True)
analysis_context.register_component(allowlist_violation_detector,
component_name="Allowlist")
atom_filter.add_handler(allowlist_violation_detector)
from aminer.analysis import ParserCount
parser_count = ParserCount(analysis_context.aminer_config, None,
anomaly_event_handlers, 10)
analysis_context.register_component(parser_count,
component_name="ParserCount")
atom_filter.add_handler(parser_count)
from aminer.analysis.EventTypeDetector import EventTypeDetector
etd = EventTypeDetector(analysis_context.aminer_config,
anomaly_event_handlers)
analysis_context.register_component(etd,
component_name="EventTypeDetector")
atom_filter.add_handler(etd)
from aminer.analysis.VariableTypeDetector import VariableTypeDetector
vtd = VariableTypeDetector(analysis_context.aminer_config,
anomaly_event_handlers,
etd,
silence_output_except_indicator=False,
output_log_line=False)
analysis_context.register_component(vtd,
component_name="VariableTypeDetector")
atom_filter.add_handler(vtd)
from aminer.analysis.VariableCorrelationDetector import VariableCorrelationDetector
vtd = VariableCorrelationDetector(analysis_context.aminer_config,
anomaly_event_handlers,
etd,
disc_div_thres=0.5)
analysis_context.register_component(
vtd, component_name="VariableCorrelationDetector")
atom_filter.add_handler(vtd)
from aminer.analysis import EventCorrelationDetector
ecd = EventCorrelationDetector(analysis_context.aminer_config,
anomaly_event_handlers,
check_rules_flag=True,
hypothesis_max_delta_time=1.0,
auto_include_flag=True)
analysis_context.register_component(
ecd, component_name="EventCorrelationDetector")
atom_filter.add_handler(ecd)
from aminer.analysis import MatchFilter
match_filter = MatchFilter(analysis_context.aminer_config,
['/model/Random'],
anomaly_event_handlers,
target_value_list=[1, 10, 100],
output_log_line=True)
analysis_context.register_component(match_filter,
component_name="MatchFilter")
atom_filter.add_handler(match_filter)
from aminer.analysis import NewMatchPathDetector
new_match_path_detector = NewMatchPathDetector(
analysis_context.aminer_config,
anomaly_event_handlers,
auto_include_flag=True,
output_log_line=True)
analysis_context.register_component(new_match_path_detector,
component_name="NewMatchPath")
atom_filter.add_handler(new_match_path_detector)
def tuple_transformation_function(match_value_list):
"""Only allow output of the EnhancedNewMatchPathValueComboDetector after every 10th element."""
extra_data = enhanced_new_match_path_value_combo_detector.known_values_dict.get(
tuple(match_value_list))
if extra_data is not None:
mod = 10
if (extra_data[2] + 1) % mod == 0:
enhanced_new_match_path_value_combo_detector.auto_include_flag = False
else:
enhanced_new_match_path_value_combo_detector.auto_include_flag = True
return match_value_list
from aminer.analysis.EnhancedNewMatchPathValueComboDetector import EnhancedNewMatchPathValueComboDetector
enhanced_new_match_path_value_combo_detector = EnhancedNewMatchPathValueComboDetector(
analysis_context.aminer_config,
['/model/DailyCron/UName', '/model/DailyCron/JobNumber'],
anomaly_event_handlers,
auto_include_flag=True,
tuple_transformation_function=tuple_transformation_function,
output_log_line=True)
analysis_context.register_component(
enhanced_new_match_path_value_combo_detector,
component_name="EnhancedNewValueCombo")
atom_filter.add_handler(enhanced_new_match_path_value_combo_detector)
from aminer.analysis.HistogramAnalysis import HistogramAnalysis, LinearNumericBinDefinition, ModuloTimeBinDefinition, \
PathDependentHistogramAnalysis
modulo_time_bin_definition = ModuloTimeBinDefinition(
86400, 3600, 0, 1, 24, True)
linear_numeric_bin_definition = LinearNumericBinDefinition(50, 5, 20, True)
histogram_analysis = HistogramAnalysis(
analysis_context.aminer_config,
[('/model/RandomTime/Random', modulo_time_bin_definition),
('/model/Random', linear_numeric_bin_definition)],
10,
anomaly_event_handlers,
output_log_line=True)
analysis_context.register_component(histogram_analysis,
component_name="HistogramAnalysis")
atom_filter.add_handler(histogram_analysis)
path_dependent_histogram_analysis = PathDependentHistogramAnalysis(
analysis_context.aminer_config,
'/model/RandomTime',
modulo_time_bin_definition,
10,
anomaly_event_handlers,
output_log_line=True)
analysis_context.register_component(
path_dependent_histogram_analysis,
component_name="PathDependentHistogramAnalysis")
atom_filter.add_handler(path_dependent_histogram_analysis)
from aminer.analysis.MatchValueAverageChangeDetector import MatchValueAverageChangeDetector
match_value_average_change_detector = MatchValueAverageChangeDetector(
analysis_context.aminer_config,
anomaly_event_handlers,
None, ['/model/Random'],
100,
10,
output_log_line=True)
analysis_context.register_component(
match_value_average_change_detector,
component_name="MatchValueAverageChange")
atom_filter.add_handler(match_value_average_change_detector)
import sys
from aminer.analysis.MatchValueStreamWriter import MatchValueStreamWriter
match_value_stream_writer = MatchValueStreamWriter(sys.stdout, [
'/model/Sensors/CPUTemp', '/model/Sensors/CPUWorkload',
'/model/Sensors/DTM'
], b';', b'')
analysis_context.register_component(
match_value_stream_writer, component_name="MatchValueStreamWriter")
atom_filter.add_handler(match_value_stream_writer)
from aminer.analysis.NewMatchPathValueComboDetector import NewMatchPathValueComboDetector
new_match_path_value_combo_detector = NewMatchPathValueComboDetector(
analysis_context.aminer_config,
['/model/IPAddresses/Username', '/model/IPAddresses/IP'],
anomaly_event_handlers,
output_log_line=True,
auto_include_flag=True)
analysis_context.register_component(
new_match_path_value_combo_detector,
component_name="NewMatchPathValueCombo")
atom_filter.add_handler(new_match_path_value_combo_detector)
from aminer.analysis.NewMatchIdValueComboDetector import NewMatchIdValueComboDetector
new_match_id_value_combo_detector = NewMatchIdValueComboDetector(
analysis_context.aminer_config,
['/model/type/path/name', '/model/type/syscall/syscall'],
anomaly_event_handlers,
id_path_list=['/model/type/path/id', '/model/type/syscall/id'],
min_allowed_time_diff=5,
auto_include_flag=True,
allow_missing_values_flag=True,
output_log_line=True)
analysis_context.register_component(
new_match_id_value_combo_detector,
component_name="NewMatchIdValueComboDetector")
atom_filter.add_handler(new_match_id_value_combo_detector)
from aminer.analysis.NewMatchPathValueDetector import NewMatchPathValueDetector
new_match_path_value_detector = NewMatchPathValueDetector(
analysis_context.aminer_config,
['/model/DailyCron/JobNumber', '/model/IPAddresses/Username'],
anomaly_event_handlers,
auto_include_flag=True,
output_log_line=True)
analysis_context.register_component(new_match_path_value_detector,
component_name="NewMatchPathValue")
atom_filter.add_handler(new_match_path_value_detector)
from aminer.analysis.MissingMatchPathValueDetector import MissingMatchPathValueDetector
missing_match_path_value_detector = MissingMatchPathValueDetector(
analysis_context.aminer_config,
'/model/DiskReport/Space',
anomaly_event_handlers,
auto_include_flag=True,
default_interval=2,
realert_interval=5,
output_log_line=True)
analysis_context.register_component(missing_match_path_value_detector,
component_name="MissingMatch")
atom_filter.add_handler(missing_match_path_value_detector)
from aminer.analysis.TimeCorrelationDetector import TimeCorrelationDetector
time_correlation_detector = TimeCorrelationDetector(
analysis_context.aminer_config,
anomaly_event_handlers,
2,
min_rule_attributes=1,
max_rule_attributes=5,
record_count_before_event=10000,
output_log_line=True)
analysis_context.register_component(
time_correlation_detector, component_name="TimeCorrelationDetector")
atom_filter.add_handler(time_correlation_detector)
from aminer.analysis.TimeCorrelationViolationDetector import TimeCorrelationViolationDetector, CorrelationRule, EventClassSelector
cron_job_announcement = CorrelationRule(
'CronJobAnnouncement',
5,
6,
max_artefacts_a_for_single_b=1,
artefact_match_parameters=[('/model/CronAnnouncement/JobNumber',
'/model/CronExecution/JobNumber')])
a_class_selector = EventClassSelector('Announcement',
[cron_job_announcement], None)
b_class_selector = EventClassSelector('Execution', None,
[cron_job_announcement])
rules = [
Rules.PathExistsMatchRule('/model/CronAnnouncement/Run',
a_class_selector),
Rules.PathExistsMatchRule('/model/CronExecution/Job', b_class_selector)
]
time_correlation_violation_detector = TimeCorrelationViolationDetector(
analysis_context.aminer_config,
rules,
anomaly_event_handlers,
output_log_line=True)
analysis_context.register_component(
time_correlation_violation_detector,
component_name="TimeCorrelationViolationDetector")
atom_filter.add_handler(time_correlation_violation_detector)
def get_model():
"""Return a model to parse Suricata Event logs from the AIT-LDS."""
conn = SequenceModelElement('conn', [
FixedDataModelElement('src_ip_str', b'"src_ip":"'),
FirstMatchModelElement('ip', [
SequenceModelElement('ipv4', [
IpAddressDataModelElement('src_ip'),
FixedDataModelElement('src_port_str', b'","src_port":'),
DecimalIntegerValueModelElement('src_port'),
FixedDataModelElement('dest_ip_str', b',"dest_ip":"'),
IpAddressDataModelElement('dest_ip'),
FixedDataModelElement('dest_port_str', b'","dest_port":'),
DecimalIntegerValueModelElement('dest_port'),
FixedDataModelElement('proto_str', b',"proto":"'),
DelimitedDataModelElement('proto', b'"'),
FixedDataModelElement('quote', b'"')
]),
SequenceModelElement('ipv6', [
DelimitedDataModelElement('src_ip', b'"'),
FixedDataModelElement('dest_ip_str', b'","dest_ip":"'),
DelimitedDataModelElement('dest_ip', b'"'),
FixedDataModelElement('proto_str', b'","proto":"'),
DelimitedDataModelElement('proto', b'"'),
FixedDataModelElement('icmp_type_str', b'","icmp_type":'),
DecimalIntegerValueModelElement('icmp_type'),
FixedDataModelElement('icmp_code_str', b',"icmp_code":'),
DecimalIntegerValueModelElement('icmp_code'),
]),
])
])
http = SequenceModelElement('http', [
FixedDataModelElement('hostname_str', b',"http":{"hostname":"'),
DelimitedDataModelElement('hostname', b'"'),
FixedDataModelElement('url_str', b'","url":"'),
DelimitedDataModelElement('url', b'"', escape=b'\\'),
FixedDataModelElement('http_user_agent_str', b'","http_user_agent":"'),
DelimitedDataModelElement('http_user_agent', b'"'),
OptionalMatchModelElement(
'content_type', SequenceModelElement('content_type', [
FixedDataModelElement('http_content_type_str', b'","http_content_type":"'),
DelimitedDataModelElement('http_content_type', b'"'),
])),
OptionalMatchModelElement(
'http_refer', SequenceModelElement('http_refer', [
FixedDataModelElement('http_refer_str', b'","http_refer":"'),
DelimitedDataModelElement('http_refer', b'"'),
])),
FixedDataModelElement('http_method_str', b'","http_method":"'),
DelimitedDataModelElement('http_method', b'"'),
FixedDataModelElement('protocol_str', b'","protocol":"'),
DelimitedDataModelElement('protocol', b'"'),
FixedDataModelElement('quote_str', b'"'),
OptionalMatchModelElement(
'status', SequenceModelElement('status', [
FixedDataModelElement('status_str', b',"status":'),
DecimalIntegerValueModelElement('status'),
])),
OptionalMatchModelElement(
'redirect', SequenceModelElement('redirect', [
FixedDataModelElement('redirect_str', b',"redirect":"'),
DelimitedDataModelElement('redirect', b'"'),
FixedDataModelElement('quote_str', b'"')
])),
FixedDataModelElement('length_str', b',"length":'),
DecimalIntegerValueModelElement('length'),
FixedDataModelElement('brack_str', b'}')
])
model = SequenceModelElement('model', [
FixedDataModelElement('time_str', b'{"timestamp":"'),
DateTimeModelElement('time', b'%Y-%m-%dT%H:%M:%S.%f'),
FixedDataModelElement('plus_sign', b'+'),
DecimalIntegerValueModelElement('tz'),
FixedDataModelElement('comma_str', b'",'),
OptionalMatchModelElement(
'flow_id', SequenceModelElement('flow_id', [
FixedDataModelElement('flow_id_str', b'"flow_id":'),
DecimalIntegerValueModelElement('flow_id'),
FixedDataModelElement('comma_str', b',')])),
OptionalMatchModelElement(
'in_iface', SequenceModelElement('in_iface', [
FixedDataModelElement('in_iface_str', b'"in_iface":"'),
DelimitedDataModelElement('in_iface', b'"'),
FixedDataModelElement('comma_str', b'",')])),
FixedDataModelElement('event_type_str', b'"event_type":"'),
FirstMatchModelElement('event_type', [
SequenceModelElement('dns', [
FixedDataModelElement('dns_str', b'dns",'),
conn,
SequenceModelElement('dns', [
FixedDataModelElement('type_str', b',"dns":{"type":"'),
DelimitedDataModelElement('type', b'"'),
FixedDataModelElement('id_str', b'","id":'),
DecimalIntegerValueModelElement('id'),
OptionalMatchModelElement(
'rcode', SequenceModelElement('rcode', [
FixedDataModelElement('rcode_str', b',"rcode":"'),
DelimitedDataModelElement('rcode', b'"'),
FixedDataModelElement('quote_str', b'"')])),
FixedDataModelElement('rrname_str', b',"rrname":"'),
DelimitedDataModelElement('rrname', b'"'),
OptionalMatchModelElement('rrtype', SequenceModelElement('rrtype', [
FixedDataModelElement('rrtype_str', b'","rrtype":"'),
DelimitedDataModelElement('rrtype', b'"')])),
FixedDataModelElement('quote', b'"'),
OptionalMatchModelElement(
'tx_id', SequenceModelElement('tx_id', [
FixedDataModelElement('tx_id_str', b',"tx_id":'),
DecimalIntegerValueModelElement('tx_id')])),
OptionalMatchModelElement('ttl', SequenceModelElement('ttl', [
FixedDataModelElement('ttl_str', b',"ttl":'),
DecimalIntegerValueModelElement('ttl')])),
OptionalMatchModelElement(
'rdata', SequenceModelElement('rdata', [
FixedDataModelElement('rdata_str', b',"rdata":"'),
DelimitedDataModelElement('rdata', b'"'),
FixedDataModelElement('quote_str', b'"')])),
FixedDataModelElement('brack_str', b'}}')
]),
]),
SequenceModelElement('flow', [
FixedDataModelElement('flow_str', b'flow",'),
conn,
OptionalMatchModelElement(
'app_proto', SequenceModelElement('app_proto', [
FixedDataModelElement('app_proto_str', b',"app_proto":"'),
DelimitedDataModelElement('app_proto', b'"'),
FixedDataModelElement('quote_str', b'"')
])
),
OptionalMatchModelElement(
'app_proto_tc', SequenceModelElement('app_proto_tc', [
FixedDataModelElement('app_proto_tc_str', b',"app_proto_tc":"'),
DelimitedDataModelElement('app_proto_tc', b'"'),
FixedDataModelElement('quote_str', b'"')
])
),
SequenceModelElement('flow', [
FixedDataModelElement('pkts_toserver_str', b',"flow":{"pkts_toserver":'),
DecimalIntegerValueModelElement('pkts_toserver'),
FixedDataModelElement('pkts_toclient_str', b',"pkts_toclient":'),
DecimalIntegerValueModelElement('pkts_toclient'),
FixedDataModelElement('bytes_toserver_str', b',"bytes_toserver":'),
DecimalIntegerValueModelElement('bytes_toserver'),
FixedDataModelElement('bytes_toclient_str', b',"bytes_toclient":'),
DecimalIntegerValueModelElement('bytes_toclient'),
FixedDataModelElement('start_str', b',"start":"'),
DelimitedDataModelElement('start', b'"'),
FixedDataModelElement('end_str', b'","end":"'),
DelimitedDataModelElement('end', b'"'),
FixedDataModelElement('age_str', b'","age":'),
DecimalIntegerValueModelElement('age'),
FixedDataModelElement('state_str', b',"state":"'),
DelimitedDataModelElement('state', b'"'),
FixedDataModelElement('reason_str', b'","reason":"'),
DelimitedDataModelElement('reason', b'"'),
FixedDataModelElement('alerted_str', b'","alerted":'),
FixedWordlistDataModelElement('alerted', [b'true', b'false']),
FixedDataModelElement('brack_str1', b'}'),
OptionalMatchModelElement(
'tcp', SequenceModelElement('tcp', [
FixedDataModelElement('tcp_flags_str', b',"tcp":{"tcp_flags":"'),
HexStringModelElement('tcp_flags'),
FixedDataModelElement('tcp_flags_ts_str', b'","tcp_flags_ts":"'),
HexStringModelElement('tcp_flags_ts'),
FixedDataModelElement('tcp_flags_tc_str', b'","tcp_flags_tc":"'),
HexStringModelElement('tcp_flags_tc'),
OptionalMatchModelElement(
'flags', SequenceModelElement('flags', [
FixedDataModelElement('syn_str', b'","syn":'),
FixedWordlistDataModelElement('syn', [b'true', b'false']),
OptionalMatchModelElement(
'fin', SequenceModelElement('fin', [
FixedDataModelElement('fin_str', b',"fin":'),
FixedWordlistDataModelElement('fin', [b'true', b'false']),
])
),
OptionalMatchModelElement(
'rst', SequenceModelElement('rst', [
FixedDataModelElement('rst_str', b',"rst":'),
FixedWordlistDataModelElement('rst', [b'true', b'false']),
])
),
OptionalMatchModelElement(
'psh', SequenceModelElement('psh', [
FixedDataModelElement('psh_str', b',"psh":'),
FixedWordlistDataModelElement('psh', [b'true', b'false']),
])
),
FixedDataModelElement('ack_str', b',"ack":'),
FixedWordlistDataModelElement('ack', [b'true', b'false']),
FixedDataModelElement('tcp_state_str', b',"state":"'),
DelimitedDataModelElement('tcp_state', b'"'),
])
),
FixedDataModelElement('tcp_brack_str', b'"}'),
])
),
FixedDataModelElement('brack_str2', b'}')
]),
]),
SequenceModelElement('http', [
FixedDataModelElement('http_str', b'http",'),
conn,
FixedDataModelElement('tx_id_str', b',"tx_id":'),
DecimalIntegerValueModelElement('tx_id'),
http,
FixedDataModelElement('brack_str', b'}')
]),
SequenceModelElement('fileinfo', [
FixedDataModelElement('fileinfo_str', b'fileinfo",'),
conn,
http,
FixedDataModelElement('app_proto_str', b',"app_proto":"'),
DelimitedDataModelElement('app_proto', b'"'),
SequenceModelElement('fileinfo', [
FixedDataModelElement('fileinfo_str', b'","fileinfo":{'),
OptionalMatchModelElement(
'filename', SequenceModelElement('filename', [
FixedDataModelElement('filename_str', b'"filename":"'),
DelimitedDataModelElement('filename', b'"'),
FixedDataModelElement('quote_str', b'",')
])
),
FixedDataModelElement('state_str', b'"state":"'),
DelimitedDataModelElement('state', b'"'),
FixedDataModelElement('stored_str', b'","stored":'),
FixedWordlistDataModelElement('stored', [b'true', b'false']),
FixedDataModelElement('size_str', b',"size":'),
DecimalIntegerValueModelElement('size'),
FixedDataModelElement('tx_id_str', b',"tx_id":'),
DecimalIntegerValueModelElement('tx_id'),
FixedDataModelElement('brack_str', b'}}')
]),
]),
SequenceModelElement('stats', [
FixedDataModelElement('stats_str', b'stats",'),
FixedDataModelElement('uptime_str', b'"stats":{"uptime":'),
DecimalIntegerValueModelElement('uptime'),
SequenceModelElement('capture', [
FixedDataModelElement('capture_str', b',"capture":{'),
FixedDataModelElement('kernel_packets_str', b'"kernel_packets":'),
DecimalIntegerValueModelElement('kernel_packets'),
FixedDataModelElement('kernel_drops_str', b',"kernel_drops":'),
DecimalIntegerValueModelElement('kernel_drops'),
FixedDataModelElement('brack_str', b'}')
]),
SequenceModelElement('decoder', [
FixedDataModelElement('pkts_str', b',"decoder":{"pkts":'),
DecimalIntegerValueModelElement('pkts'),
FixedDataModelElement('bytes_str', b',"bytes":'),
DecimalIntegerValueModelElement('bytes'),
FixedDataModelElement('invalid_str', b',"invalid":'),
DecimalIntegerValueModelElement('invalid'),
FixedDataModelElement('ipv4_str', b',"ipv4":'),
DecimalIntegerValueModelElement('ipv4'),
FixedDataModelElement('ipv6_str', b',"ipv6":'),
DecimalIntegerValueModelElement('ipv6'),
FixedDataModelElement('ethernet_str', b',"ethernet":'),
DecimalIntegerValueModelElement('ethernet'),
FixedDataModelElement('raw_str', b',"raw":'),
DecimalIntegerValueModelElement('raw'),
FixedDataModelElement('null_str', b',"null":'),
DecimalIntegerValueModelElement('null'),
FixedDataModelElement('sll_str', b',"sll":'),
DecimalIntegerValueModelElement('sll'),
FixedDataModelElement('tcp_str', b',"tcp":'),
DecimalIntegerValueModelElement('tcp'),
FixedDataModelElement('udp_str', b',"udp":'),
DecimalIntegerValueModelElement('udp'),
FixedDataModelElement('sctp_str', b',"sctp":'),
DecimalIntegerValueModelElement('sctp'),
FixedDataModelElement('icmpv4_str', b',"icmpv4":'),
DecimalIntegerValueModelElement('icmpv4'),
FixedDataModelElement('icmpv6_str', b',"icmpv6":'),
DecimalIntegerValueModelElement('icmpv6'),
FixedDataModelElement('ppp_str', b',"ppp":'),
DecimalIntegerValueModelElement('ppp'),
FixedDataModelElement('pppoe_str', b',"pppoe":'),
DecimalIntegerValueModelElement('pppoe'),
FixedDataModelElement('gre_str', b',"gre":'),
DecimalIntegerValueModelElement('gre'),
FixedDataModelElement('vlan_str', b',"vlan":'),
DecimalIntegerValueModelElement('vlan'),
FixedDataModelElement('vlan_qinq_str', b',"vlan_qinq":'),
DecimalIntegerValueModelElement('vlan_qinq'),
FixedDataModelElement('teredo_str', b',"teredo":'),
DecimalIntegerValueModelElement('teredo'),
FixedDataModelElement('ipv4_in_ipv6_str', b',"ipv4_in_ipv6":'),
DecimalIntegerValueModelElement('ipv4_in_ipv6'),
FixedDataModelElement('ipv6_in_ipv6_str', b',"ipv6_in_ipv6":'),
DecimalIntegerValueModelElement('ipv6_in_ipv6'),
FixedDataModelElement('mpls_str', b',"mpls":'),
DecimalIntegerValueModelElement('mpls'),
FixedDataModelElement('avg_pkt_size_str', b',"avg_pkt_size":'),
DecimalIntegerValueModelElement('avg_pkt_size'),
FixedDataModelElement('max_pkt_size_str', b',"max_pkt_size":'),
DecimalIntegerValueModelElement('max_pkt_size'),
FixedDataModelElement('erspan_str', b',"erspan":'),
DecimalIntegerValueModelElement('erspan'),
SequenceModelElement('ipraw', [
FixedDataModelElement('invalid_ip_version_str', b',"ipraw":{"invalid_ip_version":'),
DecimalIntegerValueModelElement('invalid_ip_version'),
]),
SequenceModelElement('ltnull', [
FixedDataModelElement('ipraw_pkt_too_small_str', b'},"ltnull":{"pkt_too_small":'),
DecimalIntegerValueModelElement('ipraw_pkt_too_small'),
FixedDataModelElement('unsupported_type', b',"unsupported_type":'),
DecimalIntegerValueModelElement('unsupported_type'),
]),
SequenceModelElement('dce', [
FixedDataModelElement('dce_pkt_too_small_str', b'},"dce":{"pkt_too_small":'),
DecimalIntegerValueModelElement('dce_pkt_too_small'),
FixedDataModelElement('brack_str', b'}')
])
]),
SequenceModelElement('flow', [
FixedDataModelElement('memcap_str', b'},"flow":{"memcap":'),
DecimalIntegerValueModelElement('memcap'),
FixedDataModelElement('spare_str', b',"spare":'),
DecimalIntegerValueModelElement('spare'),
FixedDataModelElement('emerg_mode_entered_str', b',"emerg_mode_entered":'),
DecimalIntegerValueModelElement('emerg_mode_entered'),
FixedDataModelElement('emerg_mode_over_str', b',"emerg_mode_over":'),
DecimalIntegerValueModelElement('emerg_mode_over'),
FixedDataModelElement('tcp_reuse_str', b',"tcp_reuse":'),
DecimalIntegerValueModelElement('tcp_reuse'),
FixedDataModelElement('memuse_str', b',"memuse":'),
DecimalIntegerValueModelElement('memuse'),
]),
SequenceModelElement('defrag', [
SequenceModelElement('ipv4', [
FixedDataModelElement('fragments_str', b'},"defrag":{"ipv4":{"fragments":'),
DecimalIntegerValueModelElement('fragments'),
FixedDataModelElement('reassembled_str', b',"reassembled":'),
DecimalIntegerValueModelElement('reassembled_str'),
FixedDataModelElement('timeouts_str', b',"timeouts":'),
DecimalIntegerValueModelElement('timeouts'),
]),
SequenceModelElement('ipv6', [
FixedDataModelElement('fragments_str', b'},"ipv6":{"fragments":'),
DecimalIntegerValueModelElement('fragments'),
FixedDataModelElement('reassembled_str', b',"reassembled":'),
DecimalIntegerValueModelElement('reassembled_str'),
FixedDataModelElement('timeouts_str', b',"timeouts":'),
DecimalIntegerValueModelElement('timeouts'),
]),
FixedDataModelElement('max_frag_hits_str', b'},"max_frag_hits":'),
DecimalIntegerValueModelElement('max_frag_hits'),
]),
SequenceModelElement('tcp', [
FixedDataModelElement('sessions_str', b'},"tcp":{"sessions":'),
DecimalIntegerValueModelElement('sessions'),
FixedDataModelElement('ssn_memcap_drop_str', b',"ssn_memcap_drop":'),
DecimalIntegerValueModelElement('ssn_memcap_drop'),
FixedDataModelElement('pseudo_str', b',"pseudo":'),
DecimalIntegerValueModelElement('pseudo'),
FixedDataModelElement('pseudo_failed_str', b',"pseudo_failed":'),
DecimalIntegerValueModelElement('pseudo_failed'),
FixedDataModelElement('invalid_checksum_str', b',"invalid_checksum":'),
DecimalIntegerValueModelElement('invalid_checksum'),
FixedDataModelElement('no_flow_str', b',"no_flow":'),
DecimalIntegerValueModelElement('no_flow'),
FixedDataModelElement('syn_str', b',"syn":'),
DecimalIntegerValueModelElement('syn'),
FixedDataModelElement('synack_str', b',"synack":'),
DecimalIntegerValueModelElement('synack'),
FixedDataModelElement('rst_str', b',"rst":'),
DecimalIntegerValueModelElement('rst'),
FixedDataModelElement('segment_memcap_drop_str', b',"segment_memcap_drop":'),
DecimalIntegerValueModelElement('segment_memcap_drop'),
FixedDataModelElement('stream_depth_reached_str', b',"stream_depth_reached":'),
DecimalIntegerValueModelElement('stream_depth_reached'),
FixedDataModelElement('reassembly_gap_str', b',"reassembly_gap":'),
DecimalIntegerValueModelElement('reassembly_gap'),
FixedDataModelElement('memuse_str', b',"memuse":'),
DecimalIntegerValueModelElement('memuse'),
FixedDataModelElement('reassembly_memuse_str', b',"reassembly_memuse":'),
DecimalIntegerValueModelElement('reassembly_memuse'),
]),
SequenceModelElement('detect', [
FixedDataModelElement('alert_str', b'},"detect":{"alert":'),
DecimalIntegerValueModelElement('alert')
]),
SequenceModelElement('app_layer', [
SequenceModelElement('flow', [
FixedDataModelElement('http_str', b'},"app_layer":{"flow":{"http":'),
DecimalIntegerValueModelElement('http'),
FixedDataModelElement('ftp_str', b',"ftp":'),
DecimalIntegerValueModelElement('ftp'),
FixedDataModelElement('smtp_str', b',"smtp":'),
DecimalIntegerValueModelElement('smtp'),
FixedDataModelElement('tls_str', b',"tls":'),
DecimalIntegerValueModelElement('tls'),
FixedDataModelElement('ssh_str', b',"ssh":'),
DecimalIntegerValueModelElement('ssh'),
FixedDataModelElement('imap_str', b',"imap":'),
DecimalIntegerValueModelElement('imap'),
FixedDataModelElement('msn_str', b',"msn":'),
DecimalIntegerValueModelElement('msn'),
FixedDataModelElement('smb_str', b',"smb":'),
DecimalIntegerValueModelElement('smb'),
FixedDataModelElement('dcerpc_tcp_str', b',"dcerpc_tcp":'),
DecimalIntegerValueModelElement('dcerpc_tcp'),
FixedDataModelElement('dns_tcp_str', b',"dns_tcp":'),
DecimalIntegerValueModelElement('dns_tcp'),
FixedDataModelElement('failed_tcp_str', b',"failed_tcp":'),
DecimalIntegerValueModelElement('failed_tcp'),
FixedDataModelElement('dcerpc_udp_str', b',"dcerpc_udp":'),
DecimalIntegerValueModelElement('dcerpc_udp'),
FixedDataModelElement('dns_udp_str', b',"dns_udp":'),
DecimalIntegerValueModelElement('dns_udp'),
FixedDataModelElement('failed_udp_str', b',"failed_udp":'),
DecimalIntegerValueModelElement('failed_udp'),
]),
SequenceModelElement('tx', [
FixedDataModelElement('http_str', b'},"tx":{"http":'),
DecimalIntegerValueModelElement('http'),
FixedDataModelElement('smtp_str', b',"smtp":'),
DecimalIntegerValueModelElement('smtp'),
FixedDataModelElement('tls_str', b',"tls":'),
DecimalIntegerValueModelElement('tls'),
FixedDataModelElement('dns_tcp_str', b',"dns_tcp":'),
DecimalIntegerValueModelElement('dns_tcp'),
FixedDataModelElement('dns_udp_str', b',"dns_udp":'),
DecimalIntegerValueModelElement('dns_udp'),
])
]),
SequenceModelElement('flow_mgr', [
FixedDataModelElement('closed_pruned_str', b'}},"flow_mgr":{"closed_pruned":'),
DecimalIntegerValueModelElement('closed_pruned'),
FixedDataModelElement('new_pruned_str', b',"new_pruned":'),
DecimalIntegerValueModelElement('new_pruned'),
FixedDataModelElement('est_pruned_str', b',"est_pruned":'),
DecimalIntegerValueModelElement('est_pruned'),
FixedDataModelElement('bypassed_pruned_str', b',"bypassed_pruned":'),
DecimalIntegerValueModelElement('bypassed_pruned'),
FixedDataModelElement('flows_checked_str', b',"flows_checked":'),
DecimalIntegerValueModelElement('flows_checked'),
FixedDataModelElement('flows_notimeout_str', b',"flows_notimeout":'),
DecimalIntegerValueModelElement('flows_notimeout'),
FixedDataModelElement('flows_timeout_str', b',"flows_timeout":'),
DecimalIntegerValueModelElement('flows_timeout'),
FixedDataModelElement('flows_timeout_inuse_str', b',"flows_timeout_inuse":'),
DecimalIntegerValueModelElement('flows_timeout_inuse'),
FixedDataModelElement('flows_removed_str', b',"flows_removed":'),
DecimalIntegerValueModelElement('flows_removed'),
FixedDataModelElement('rows_checked_str', b',"rows_checked":'),
DecimalIntegerValueModelElement('rows_checked'),
FixedDataModelElement('rows_skipped_str', b',"rows_skipped":'),
DecimalIntegerValueModelElement('rows_skipped'),
FixedDataModelElement('rows_empty_str', b',"rows_empty":'),
DecimalIntegerValueModelElement('rows_empty'),
FixedDataModelElement('rows_busy_str', b',"rows_busy":'),
DecimalIntegerValueModelElement('rows_busy'),
FixedDataModelElement('rows_maxlen_str', b',"rows_maxlen":'),
DecimalIntegerValueModelElement('rows_maxlen'),
]),
SequenceModelElement('dns', [
FixedDataModelElement('memuse_str', b'},"dns":{"memuse":'),
DecimalIntegerValueModelElement('memuse'),
FixedDataModelElement('memcap_state_str', b',"memcap_state":'),
DecimalIntegerValueModelElement('memcap_state'),
FixedDataModelElement('memcap_global_str', b',"memcap_global":'),
DecimalIntegerValueModelElement('memcap_global'),
]),
SequenceModelElement('http', [
FixedDataModelElement('memuse_str', b'},"http":{"memuse":'),
DecimalIntegerValueModelElement('memuse'),
FixedDataModelElement('memcap_str', b',"memcap":'),
DecimalIntegerValueModelElement('memcap'),
]),
FixedDataModelElement('quote_str', b'}}}')
]),
SequenceModelElement('tls', [
FixedDataModelElement('tls_str', b'tls",'),
conn,
SequenceModelElement('tls', [
FixedDataModelElement('subject_str', b',"tls":{"subject":"'),
DelimitedDataModelElement('subject', b'"'),
FixedDataModelElement('issuerdn_str', b'","issuerdn":"'),
DelimitedDataModelElement('issuerdn', b'"'),
FixedDataModelElement('fingerprint_str', b'","fingerprint":"'),
DelimitedDataModelElement('fingerprint', b'"'),
OptionalMatchModelElement(
'sni', SequenceModelElement('sni', [
FixedDataModelElement('sni_str', b'","sni":"'),
DelimitedDataModelElement('sni', b'"'),
])
),
FixedDataModelElement('version_str', b'","version":"'),
DelimitedDataModelElement('version', b'"'),
FixedDataModelElement('notbefore_str', b'","notbefore":"'),
DelimitedDataModelElement('notbefore', b'"'),
FixedDataModelElement('notafter_str', b'","notafter":"'),
DelimitedDataModelElement('notafter', b'"'),
]),
FixedDataModelElement('brack_str', b'"}}')
]),
SequenceModelElement('alert', [
FixedDataModelElement('alert_str', b'alert",'),
conn,
OptionalMatchModelElement(
'tx_id', SequenceModelElement('tx_id', [
FixedDataModelElement('tx_id', b',"tx_id":'),
DecimalIntegerValueModelElement('tx_id'),
])),
SequenceModelElement('alert', [
FixedDataModelElement('action_str', b',"alert":{"action":"'),
DelimitedDataModelElement('action', b'"'),
FixedDataModelElement('gid_str', b'","gid":'),
DecimalIntegerValueModelElement('gid'),
FixedDataModelElement('signature_id_str', b',"signature_id":'),
DecimalIntegerValueModelElement('signature_id'),
FixedDataModelElement('rev_str', b',"rev":'),
DecimalIntegerValueModelElement('rev'),
FixedDataModelElement('signature_str', b',"signature":"'),
DelimitedDataModelElement('signature', b'"'),
FixedDataModelElement('category_str', b'","category":"'),
DelimitedDataModelElement('category', b'"'),
FixedDataModelElement('severity_str', b'","severity":'),
DecimalIntegerValueModelElement('severity'),
FixedDataModelElement('brack_str', b'}')
]),
http,
FixedDataModelElement('brack_str', b'}')
]),
])
])
return model
def get_model(user_name_model=None):
"""Return a model to parse a sshd information message after any standard logging preamble, e.g. from syslog."""
if user_name_model is None:
user_name_model = VariableByteDataModelElement(
'user', b'0123456789abcdefghijklmnopqrstuvwxyz.-')
from_str = b' from '
port = b' port '
preauth = b' [preauth]'
type_children = [
SequenceModelElement('accepted key', [
FixedDataModelElement('s0', b'Accepted publickey for '),
user_name_model,
FixedDataModelElement('s1', from_str),
IpAddressDataModelElement('clientip'),
FixedDataModelElement('s2', port),
DecimalIntegerValueModelElement('port'),
FixedDataModelElement('s3', b' ssh2: RSA '),
VariableByteDataModelElement(
'fingerprint',
b'0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ+/:'
)
]),
SequenceModelElement('btmp-perm', [
FixedDataModelElement(
's0',
b'Excess permission or bad ownership on file /var/log/btmp')
]),
SequenceModelElement('close-sess', [
FixedDataModelElement('s0', b'Close session: user '),
user_name_model,
FixedDataModelElement('s1', from_str),
IpAddressDataModelElement('clientip'),
FixedDataModelElement('s2', port),
DecimalIntegerValueModelElement('port'),
FixedDataModelElement('s3', b' id '),
DecimalIntegerValueModelElement('userid')
]),
SequenceModelElement('closing', [
FixedDataModelElement('s0', b'Closing connection to '),
IpAddressDataModelElement('clientip'),
FixedDataModelElement('s1', port),
DecimalIntegerValueModelElement('port')
]),
SequenceModelElement('closed', [
FixedDataModelElement('s0', b'Connection closed by '),
IpAddressDataModelElement('clientip')
]),
SequenceModelElement('connect', [
FixedDataModelElement('s0', b'Connection from '),
IpAddressDataModelElement('clientip'),
FixedDataModelElement('s1', port),
DecimalIntegerValueModelElement('port'),
FixedDataModelElement('s2', b' on '),
IpAddressDataModelElement('serverip'),
FixedDataModelElement('s3', port),
DecimalIntegerValueModelElement('sport')
]),
SequenceModelElement('disconnectreq', [
FixedDataModelElement('s0', b'Received disconnect from '),
IpAddressDataModelElement('clientip'),
FixedDataModelElement('s1', port),
DecimalIntegerValueModelElement('port'),
FixedDataModelElement('s2', b':'),
DecimalIntegerValueModelElement('session'),
FixedDataModelElement('s3', b': '),
FixedWordlistDataModelElement('reason', [b'disconnected by user'])
]),
SequenceModelElement('disconnected', [
FixedDataModelElement('s0', b'Disconnected from '),
IpAddressDataModelElement('clientip'),
FixedDataModelElement('s1', port),
DecimalIntegerValueModelElement('port')
]),
SequenceModelElement('error-bind', [
FixedDataModelElement(
's0', b'error: bind: Cannot assign requested address')
]),
SequenceModelElement('error-channel-setup', [
FixedDataModelElement(
's0',
b'error: channel_setup_fwd_listener: cannot listen to port: '),
DecimalIntegerValueModelElement('port')
]),
SequenceModelElement('ident-missing', [
FixedDataModelElement(
's0', b'Did not receive identification string from '),
IpAddressDataModelElement('clientip')
]),
SequenceModelElement('invalid-user', [
FixedDataModelElement('s0', b'Invalid user '),
DelimitedDataModelElement('user', from_str),
FixedDataModelElement('s1', from_str),
IpAddressDataModelElement('clientip')
]),
SequenceModelElement('invalid-user-auth-req', [
FixedDataModelElement('s0',
b'input_userauth_request: invalid user '),
DelimitedDataModelElement('user', preauth),
FixedDataModelElement('s1', preauth)
]),
SequenceModelElement('postppk', [
FixedDataModelElement('s0', b'Postponed publickey for '),
user_name_model,
FixedDataModelElement('s1', from_str),
IpAddressDataModelElement('clientip'),
FixedDataModelElement('s2', port),
DecimalIntegerValueModelElement('port'),
FixedDataModelElement('s3', b' ssh2 [preauth]')
]),
SequenceModelElement('readerr', [
FixedDataModelElement('s0', b'Read error from remote host '),
IpAddressDataModelElement('clientip'),
FixedDataModelElement('s1', b': Connection timed out')
]),
SequenceModelElement('disconnect', [
FixedDataModelElement('s0', b'Received disconnect from '),
IpAddressDataModelElement('clientip'),
FixedDataModelElement('s1', b': 11: '),
FirstMatchModelElement('reason', [
FixedDataModelElement('disconnected', b'disconnected by user'),
SequenceModelElement('remotemsg', [
DelimitedDataModelElement('msg', preauth),
FixedDataModelElement('s0', preauth)
])
])
]),
SequenceModelElement('signal', [
FixedDataModelElement('s0', b'Received signal '),
DecimalIntegerValueModelElement('signal'),
FixedDataModelElement('s1', b'; terminating.')
]),
SequenceModelElement('server', [
FixedDataModelElement('s0', b'Server listening on '),
DelimitedDataModelElement('serverip', b' '),
FixedDataModelElement('s1', port),
DecimalIntegerValueModelElement('port'),
FixedDataModelElement('s2', b'.')
]),
SequenceModelElement('oom-adjust', [
FixedDataModelElement('s0', b'Set /proc/self/oom_score_adj '),
OptionalMatchModelElement(
'from', FixedDataModelElement('default', b'from 0 ')),
FixedDataModelElement('s1', b'to '),
DecimalIntegerValueModelElement(
'newval',
value_sign_type=DecimalIntegerValueModelElement.
SIGN_TYPE_OPTIONAL)
]),
SequenceModelElement('session-start', [
FixedDataModelElement('s0', b'Starting session: '),
FirstMatchModelElement('sess-info', [
SequenceModelElement('shell', [
FixedDataModelElement('s0', b'shell on '),
DelimitedDataModelElement('terminal', b' ')
]),
SequenceModelElement(
'subsystem',
[FixedDataModelElement('s0', b'subsystem \'sftp\'')]),
SequenceModelElement('forced-command', [
FixedDataModelElement('s0',
b'forced-command (key-option) \''),
DelimitedDataModelElement('command', b'\' for '),
FixedDataModelElement('s1', b'\'')
])
]),
FixedDataModelElement('s1', b' for '), user_name_model,
FixedDataModelElement('s2', from_str),
IpAddressDataModelElement('clientip'),
FixedDataModelElement('s3', port),
DecimalIntegerValueModelElement('port'),
OptionalMatchModelElement(
'idinfo',
SequenceModelElement('idinfo', [
FixedDataModelElement('s0', b' id '),
DecimalIntegerValueModelElement('id')
]))
]),
SequenceModelElement('transferred', [
FixedDataModelElement('s0', b'Transferred: sent '),
DecimalIntegerValueModelElement('sent'),
FixedDataModelElement('s1', b', received '),
DecimalIntegerValueModelElement('received'),
FixedDataModelElement('s1', b' bytes')
]),
SequenceModelElement('pam', [
FixedDataModelElement('s0', b'pam_unix(sshd:session): session '),
FixedWordlistDataModelElement('change', [b'opened', b'closed']),
FixedDataModelElement('s1', b' for user '), user_name_model,
OptionalMatchModelElement(
'openby', FixedDataModelElement('default', b' by (uid=0)'))
]),
SequenceModelElement('child', [
FixedDataModelElement('s0', b'User child is on pid '),
DecimalIntegerValueModelElement('pid')
])
]
model = SequenceModelElement('sshd', [
FixedDataModelElement('sname', b'sshd['),
DecimalIntegerValueModelElement('pid'),
FixedDataModelElement('s0', b']: '),
FirstMatchModelElement('msg', type_children)
])
return model
