def assertOutput(self, original, output):
q = query.Query(original)
actual_output = asdottysql.asdottysql(q)
self.assertEqual(output, actual_output)
actual_root = query.Query(actual_output).root
self.assertEqual(q.root, actual_root)
def assertOutput(self, original, output):
q = query.Query(original)
actual_output = asdottysql.asdottysql(q)
self.assertEqual(output, actual_output)
actual_root = query.Query(actual_output).root
self.assertEqual(q.root, actual_root)
def assertOutput(self, original, output):
if isinstance(original, six.string_types):
q = query.Query(original)
else:
q = query.Query(original)
actual_output = asdottysql.asdottysql(q)
self.assertEqual(output, actual_output)
def render(self, renderer):
# Do we have a query?
if not self.query:
return self.render_error(renderer)
renderer.section("Query Analysis (As supplied)", width=140)
self.render_query(renderer, self.query)
renderer.section("Query Analysis (Using canonical syntax)", width=140)
self.render_query(renderer, q.Query(asdottysql.asdottysql(self.query)))
def render_query_analysis(self, renderer):
"""Render query analysis if the input is a regular query.
A non-regular query could be the user asking us to explain (e.g.) a
struct.
"""
if not self.input_is_regular_query:
return
original_query = self.query.source
canonical_query = asdottysql.asdottysql(self.query)
renderer.section("Query Analysis", width=140)
self.render_query(renderer, self.query)
if canonical_query != original_query:
renderer.section("Query Analysis (Using canonical syntax)",
width=140)
self.render_query(renderer, q.Query(canonical_query))
def render_query_analysis(self, renderer):
"""Render query analysis if the input is a regular query.
A non-regular query could be the user asking us to explain (e.g.) a
struct.
"""
if not self.input_is_regular_query:
return
original_query = self.query.source
canonical_query = asdottysql.asdottysql(self.query)
renderer.section("Query Analysis", width=140)
self.render_query(renderer, self.query)
if canonical_query != original_query:
renderer.section("Query Analysis (Using canonical syntax)",
width=140)
self.render_query(renderer, q.Query(canonical_query))
def main():
parser = argparse.ArgumentParser(description="Convert a tafile to DottySQL")
parser.add_argument("path", type=str)
args = parser.parse_args()
with open(args.path, "r") as fd:
tag_rules = query.Query(fd, syntax="tagfile")
# What does the query look like as DottySQL?
dottysql = asdottysql.asdottysql(tag_rules)
print("# Tagfile %r converted:\n\n%s" % (args.path, dottysql))
# How will the query tag this event?
event = {
"data_type": "windows:evtx:record",
"timestamp_desc": "",
"strings": ("foo", "bar"),
"source_name": "Microsoft-Windows-Kernel-Power",
"event_identifier": 42
}
tags = api.apply(tag_rules, vars=event)
print("\n# Tagfile %r returned %r." % (args.path, list(tags)))
def main():
parser = argparse.ArgumentParser(
description="Convert a tafile to DottySQL")
parser.add_argument("path", type=str)
args = parser.parse_args()
with open(args.path, "r") as fd:
tag_rules = query.Query(fd, syntax="tagfile")
# What does the query look like as DottySQL?
dottysql = asdottysql.asdottysql(tag_rules)
print("# Tagfile %r converted:\n\n%s" % (args.path, dottysql))
# How will the query tag this event?
event = {
"data_type": "windows:evtx:record",
"timestamp_desc": "",
"strings": ("foo", "bar"),
"source_name": "Microsoft-Windows-Kernel-Power",
"event_identifier": 42
}
tags = api.apply(tag_rules, vars=event)
print("\n# Tagfile %r returned %r." % (args.path, list(tags)))
def testReducer(self):
q = query.Query(("reducer", ("var", "count"), ("var", "x")))
self.assertEqual(asdottysql.asdottysql(q),
"<Subexpression cannot be formatted as DottySQL.>")
def testReducer(self):
q = query.Query(("reducer", ("var", "count"), ("var", "x")))
self.assertEqual(asdottysql.asdottysql(q),
"<Subexpression cannot be formatted as DottySQL.>")
