Exemplo n.º 1
0
    def test_stateless_checks(self):
        """Check that :func:`~utils.is_stateful` is identifying stateless queries."""
        stateless_queries = [
            "process where true | filter command_line='* https://*' | tail 10",
            "process where user_name='system' | unique parent_process_name | head 500",
            "file where file_name='*.txt' and (process_name='cmd.exe' or parent_process_name='net.exe')",
            "registry where length(user_name) == 500",
            "network where string(destination_port) == '500' | unique process_name",
        ]

        for query in stateless_queries:
            ast = parse_query(query)
            self.assertFalse(
                is_stateful(ast),
                "{} was not recognized as stateless".format(query))
Exemplo n.º 2
0
    def test_stateful_checks(self):
        """Check that :func:`~utils.is_stateful` is identifying stateful queries."""
        stateful_queries = [
            "sequence [process where process_name='net.exe']  [process where process_name='net.exe']",
            "join [process where process_name='net.exe']  [process where process_name='net.exe']",
            "file where file_name='*.txt' and descendant of [process where pid=4]",
            "file where child of [process where pid=4]",
            "registry where event of [process where pid=4]",
            "process where true | unique_count process_name | filter count < 5",
            "any where true | count user_name",
        ]

        for query in stateful_queries:
            ast = parse_query(query)
            self.assertTrue(is_stateful(ast),
                            "{} was not recognized as stateful".format(query))