def Netstat(self, _):
"""Returns fake connections."""
conn1 = rdf_client.NetworkConnection(
state=rdf_client.NetworkConnection.State.LISTEN,
type=rdf_client.NetworkConnection.Type.SOCK_STREAM,
local_address=rdf_client.NetworkEndpoint(
ip="0.0.0.0",
port=22),
remote_address=rdf_client.NetworkEndpoint(
ip="0.0.0.0",
port=0),
pid=2136,
ctime=0)
conn2 = rdf_client.NetworkConnection(
state=rdf_client.NetworkConnection.State.LISTEN,
type=rdf_client.NetworkConnection.Type.SOCK_STREAM,
local_address=rdf_client.NetworkEndpoint(
ip="192.168.1.1",
port=31337),
remote_address=rdf_client.NetworkEndpoint(
ip="1.2.3.4",
port=6667),
pid=1,
ctime=0)
return [conn1, conn2]
def Run(self, unused_args):
netstat = []
for proc in psutil.process_iter():
try:
netstat.append((proc.pid, proc.connections()))
except (psutil.NoSuchProcess, psutil.AccessDenied):
pass
for pid, connections in netstat:
for conn in connections:
res = rdf_client.NetworkConnection()
res.pid = pid
res.family = conn.family
res.type = conn.type
try:
if conn.status:
res.state = conn.status
except ValueError:
logging.warn("Encountered unknown connection status (%s).",
conn.status)
res.local_address.ip, res.local_address.port = conn.local_address
if conn.remote_address:
res.remote_address.ip, res.remote_address.port = conn.remote_address
self.SendReply(res)
def testWhenFetchingFiltersOutProcessesWithoutExeAndConnectionState(self):
client_id = test_lib.TEST_CLIENT_ID
p1 = rdf_client.Process(pid=2,
ppid=1,
cmdline=["test_img.dd"],
ctime=long(1333718907.167083 * 1e6))
p2 = rdf_client.Process(pid=2,
ppid=1,
cmdline=["cmd.exe"],
exe="c:\\windows\\cmd.exe",
ctime=long(1333718907.167083 * 1e6),
connections=rdf_client.NetworkConnection(
family="INET", state="ESTABLISHED"))
client_mock = action_mocks.ListProcessesMock([p1, p2])
for s in flow_test_lib.TestFlowHelper(
flow_processes.ListProcesses.__name__,
client_mock,
fetch_binaries=True,
client_id=client_id,
connection_states=["LISTEN"],
token=self.token):
session_id = s
# No output matched.
processes = flow.GRRFlow.ResultCollectionForFID(session_id)
self.assertEqual(len(processes), 0)
def Run(self, unused_args):
for proc in psutil.process_iter():
try:
connections = proc.connections()
except (psutil.NoSuchProcess, psutil.AccessDenied):
continue
for conn in connections:
res = rdf_client.NetworkConnection()
res.pid = proc.pid
res.process_name = proc.name()
res.family = conn.family
res.type = conn.type
try:
if conn.status:
res.state = conn.status
except ValueError:
logging.warn("Encountered unknown connection status (%s).",
conn.status)
res.local_address.ip, res.local_address.port = conn.laddr
if conn.raddr:
res.remote_address.ip, res.remote_address.port = conn.raddr
self.SendReply(res)
def AddListener(self, ip, port, family="INET", sock_type="SOCK_STREAM"):
conn = rdf_client.NetworkConnection()
conn.state = "LISTEN"
conn.family = family
conn.type = sock_type
conn.local_address = rdf_client.NetworkEndpoint(ip=ip, port=port)
return conn
def testWhenFetchingFiltersOutProcessesWithoutExeAndConnectionState(self):
p1 = rdf_client.Process(pid=2,
ppid=1,
cmdline=["test_img.dd"],
ctime=long(1333718907.167083 * 1e6))
p2 = rdf_client.Process(pid=2,
ppid=1,
cmdline=["cmd.exe"],
exe="c:\\windows\\cmd.exe",
ctime=long(1333718907.167083 * 1e6),
connections=rdf_client.NetworkConnection(
family="INET", state="ESTABLISHED"))
client_mock = ListProcessesMock([p1, p2])
for s in test_lib.TestFlowHelper("ListProcesses",
client_mock,
fetch_binaries=True,
client_id=self.client_id,
connection_states=["LISTEN"],
token=self.token):
session_id = s
# No output matched.
results = aff4.FACTORY.Open(
session_id.Add(flow_runner.RESULTS_SUFFIX),
aff4_type=sequential_collection.GeneralIndexedCollection,
token=self.token)
self.assertEqual(len(results), 0)
def testProcessListingFilterConnectionState(self):
p1 = rdf_client.Process(pid=2,
ppid=1,
cmdline=["cmd.exe"],
exe="c:\\windows\\cmd.exe",
ctime=long(1333718907.167083 * 1e6),
connections=rdf_client.NetworkConnection(
family="INET", state="CLOSED"))
p2 = rdf_client.Process(pid=3,
ppid=1,
cmdline=["cmd2.exe"],
exe="c:\\windows\\cmd2.exe",
ctime=long(1333718907.167083 * 1e6),
connections=rdf_client.NetworkConnection(
family="INET", state="LISTEN"))
p3 = rdf_client.Process(pid=4,
ppid=1,
cmdline=["missing_exe.exe"],
ctime=long(1333718907.167083 * 1e6),
connections=rdf_client.NetworkConnection(
family="INET", state="ESTABLISHED"))
client_mock = ListProcessesMock([p1, p2, p3])
flow_urn = flow.GRRFlow.StartFlow(
client_id=self.client_id,
flow_name="ListProcesses",
connection_states=["ESTABLISHED", "LISTEN"],
token=self.token)
for s in test_lib.TestFlowHelper(flow_urn,
client_mock,
client_id=self.client_id,
token=self.token):
session_id = s
processes = aff4.FACTORY.Open(session_id.Add(
flow_runner.RESULTS_SUFFIX),
token=self.token)
self.assertEqual(len(processes), 2)
states = set()
for process in processes:
states.add(str(process.connections[0].state))
self.assertItemsEqual(states, ["ESTABLISHED", "LISTEN"])
def testProcessListingFilterConnectionState(self):
client_id = test_lib.TEST_CLIENT_ID
p1 = rdf_client.Process(pid=2,
ppid=1,
cmdline=["cmd.exe"],
exe="c:\\windows\\cmd.exe",
ctime=long(1333718907.167083 * 1e6),
connections=rdf_client.NetworkConnection(
family="INET", state="CLOSED"))
p2 = rdf_client.Process(pid=3,
ppid=1,
cmdline=["cmd2.exe"],
exe="c:\\windows\\cmd2.exe",
ctime=long(1333718907.167083 * 1e6),
connections=rdf_client.NetworkConnection(
family="INET", state="LISTEN"))
p3 = rdf_client.Process(pid=4,
ppid=1,
cmdline=["missing_exe.exe"],
ctime=long(1333718907.167083 * 1e6),
connections=rdf_client.NetworkConnection(
family="INET", state="ESTABLISHED"))
client_mock = action_mocks.ListProcessesMock([p1, p2, p3])
flow_urn = flow.GRRFlow.StartFlow(
client_id=client_id,
flow_name=flow_processes.ListProcesses.__name__,
connection_states=["ESTABLISHED", "LISTEN"],
token=self.token)
for s in flow_test_lib.TestFlowHelper(flow_urn,
client_mock,
client_id=client_id,
token=self.token):
session_id = s
processes = flow.GRRFlow.ResultCollectionForFID(session_id)
self.assertEqual(len(processes), 2)
states = set()
for process in processes:
states.add(str(process.connections[0].state))
self.assertItemsEqual(states, ["ESTABLISHED", "LISTEN"])
def testFileViewDoesNotHaveExportTabWhenCollectionHasNoFiles(self):
collection_urn = "aff4:/C.0000000000000001/analysis/SomeFlow/results"
with self.ACLChecksDisabled():
with aff4.FACTORY.Create(collection_urn,
"RDFValueCollection",
token=self.token) as fd:
fd.Add(rdf_client.NetworkConnection(pid=42))
self.GrantClientApproval("C.0000000000000001")
self.Open("/#c=C.0000000000000001")
self.Click("css=a:contains('Browse Virtual Filesystem')")
self.Click("css=li[path='/analysis'] > a")
self.Click("css=li[path='/analysis/SomeFlow'] > a")
self.Click("css=tr:contains('results')")
# The Results tab should appear, but the "Export" tab should be
# disabled since we only display export hint when we have collections of
# StatEntries or FileFinderResults.
self.WaitUntil(self.IsElementPresent, "css=#Export.disabled")
def Start(self): self.SendReply(rdf_client.NetworkConnection(pid=42))
