def test_build_win_tree():
    """Build the Windows fixture's process tree and pin its summary counts.

    The expected dict is the full output of ``get_summary_info`` for
    ``testdf_win``; any change in root/leaf/branch classification or in the
    maximum depth shows up as a diff against it.
    """
    expected_summary = {
        "Processes": 1010,
        "RootProcesses": 10,
        "LeafProcesses": 815,
        "BranchProcesses": 185,
        "IsolatedProcesses": 0,
        "LargestTreeDepth": 7,
    }
    win_tree = ptutil.build_process_tree(testdf_win, show_progress=True)
    summary = ptutil.get_summary_info(win_tree)
    assert summary == expected_summary
def test_build_lx_tree():
    """Build the Linux fixture's process tree and pin its summary counts.

    Same contract as the Windows variant but for ``testdf_lx``; progress
    output is switched off here.
    """
    expected_summary = {
        "Processes": 1029,
        "RootProcesses": 29,
        "LeafProcesses": 497,
        "BranchProcesses": 503,
        "IsolatedProcesses": 0,
        "LargestTreeDepth": 5,
    }
    lx_tree = ptutil.build_process_tree(testdf_lx, show_progress=False)
    summary = ptutil.get_summary_info(lx_tree)
    assert summary == expected_summary
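    def test_auditd_utils(self):
        """Parse the Linux auditd CSV fixture into a process tree and check its shape.

        The ``AuditdMessage`` column is stored in the CSV as the text form of a
        Python literal, so it is decoded with ``ast.literal_eval`` rather than
        ``eval``: ``literal_eval`` only accepts literal syntax (dicts, lists,
        strings, numbers, ...) and raises ``ValueError``/``SyntaxError`` on
        anything else, so a malformed or tampered row fails the test loudly
        instead of executing code.
        """
        input_file = os.path.join(_TEST_DATA, "linux_events.csv")
        input_df = pd.read_csv(input_file)

        # Decode just the one column. A row-wise DataFrame.apply(axis=1) that
        # only reads a single field materialises every row as a Series for
        # nothing; the column-wise form yields the same object column.
        input_df["AuditdMessage"] = input_df["AuditdMessage"].apply(ast.literal_eval)

        output_df = extract_events_to_df(data=input_df)
        proc_events = get_event_subset(output_df, event_type="SYSCALL_EXECVE")

        proc_tree = generate_process_tree(proc_events)
        pt_summary = get_summary_info(proc_tree)
        # Process count is a lower bound (presumably so fixture growth does
        # not break the test); the maximum tree depth is pinned exactly.
        self.assertGreaterEqual(len(proc_tree), 85)
        self.assertEqual(pt_summary["LargestTreeDepth"], 5)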
def test_tree_utils_win():
    """Exercise the tree-navigation helpers on the Windows fixture.

    Starting from one root, walks down to the deepest descendant and back
    up, checking that root/child/sibling/ancestor/parent lookups agree with
    each other, that ``get_process`` resolves both a key and a row to the
    same record, and that the summary and inferred schema are unchanged.
    """
    tree = ptutil.build_process_tree(testdf_win, show_progress=True)
    roots = ptutil.get_roots(tree)
    assert len(roots) == 10

    # Fifth root (positional) is the subtree under test.
    root = roots.iloc[4]
    subtree = ptutil.get_descendents(tree, root)
    assert len(subtree) == 25
    assert len(ptutil.get_children(tree, root)) == 13

    # The test uses the number of "/" separators in "path" as the depth
    # below the root; take the first row sitting at the deepest level.
    sep_count = subtree["path"].str.count("/")
    deepest = subtree[sep_count == sep_count.max()].iloc[0]

    assert len(ptutil.get_ancestors(tree, deepest)) == 3
    assert isinstance(ptutil.get_parent(tree, deepest), pd.Series)

    # get_process accepts either the key or the row itself and must return
    # the same record. NaN columns are dropped before comparing because
    # NaN != NaN would otherwise make the element-wise check fail.
    by_key = ptutil.get_process(tree, deepest.name).dropna()
    by_row = ptutil.get_process(tree, deepest).dropna()
    assert (by_key == deepest.dropna()).all()
    assert (by_row == deepest.dropna()).all()
    assert ptutil.build_process_key(deepest) == deepest.name
    assert (ptutil.get_root(tree, deepest).dropna() == root.dropna()).all()

    # Sibling set of a child, including the child itself, has the same size
    # as the root's child set; excluding the child it is one smaller.
    kids = ptutil.get_children(tree, root, include_source=False)
    first_kid = kids.iloc[0]
    siblings_with_self = ptutil.get_siblings(tree, first_kid, include_source=True)
    siblings_only = ptutil.get_siblings(tree, first_kid, include_source=False)
    assert len(siblings_with_self) == len(kids)
    assert len(siblings_only) + 1 == len(kids)

    assert ptutil.get_summary_info(tree) == {
        "Processes": 1010,
        "RootProcesses": 10,
        "LeafProcesses": 815,
        "BranchProcesses": 185,
        "IsolatedProcesses": 0,
        "LargestTreeDepth": 7,
    }

    assert ptutil.infer_schema(tree) == ptutil.WIN_EVENT_SCH