def testParseTaggingFile(self):
"""Tests the _ParseTaggingFile function."""
plugin = tagging.TaggingAnalysisPlugin()
test_path = self._GetTestFilePath([self._TEST_TAG_FILE_NAME])
tag_expression = plugin._ParseTaggingFile(test_path)
self.assertEqual(len(tag_expression.children), 5)
plugin = tagging.TaggingAnalysisPlugin()
test_path = self._GetTestFilePath([self._INVALID_TEST_TAG_FILE_NAME])
tag_expression = plugin._ParseTaggingFile(test_path)
self.assertEqual(len(tag_expression.children), 2)
def testExamineEventAndCompileReport(self):
"""Tests the ExamineEvent and CompileReport functions."""
test_file = self._GetTestFilePath(['tagging_file', 'valid.txt'])
plugin = tagging.TaggingAnalysisPlugin()
plugin.SetAndLoadTagFile(test_file)
storage_writer = self._AnalyzeEvents(self._TEST_EVENTS, plugin)
self.assertEqual(len(storage_writer.analysis_reports), 1)
self.assertEqual(storage_writer.number_of_event_tags, 4)
report = storage_writer.analysis_reports[0]
self.assertIsNotNone(report)
expected_text = 'Tagging plugin produced 4 tags.\n'
self.assertEqual(report.text, expected_text)
labels = []
for event_tag in storage_writer.GetEventTags():
labels.extend(event_tag.labels)
self.assertEqual(len(labels), 5)
# This is from a tag rule declared in objectfilter syntax.
self.assertIn('application_execution', labels)
# This is from a tag rule declared in dotty syntax.
self.assertIn('login_attempt', labels)
# This is from a rule using the "contains" operator
self.assertIn('text_contains', labels)
def testParseOptions(self):
"""Tests the ParseOptions function."""
options = cli_test_lib.TestOptions()
options.tagging_file = self._GetTestFilePath(
['tagging_file', 'valid.txt'])
analysis_plugin = tagging.TaggingAnalysisPlugin()
tagging_analysis.TaggingAnalysisArgumentsHelper.ParseOptions(
options, analysis_plugin)
with self.assertRaises(errors.BadConfigObject):
tagging_analysis.TaggingAnalysisArgumentsHelper.ParseOptions(
options, None)
options.tagging_file = None
with self.assertRaises(errors.BadConfigOption):
tagging_analysis.TaggingAnalysisArgumentsHelper.ParseOptions(
options, analysis_plugin)
options.tagging_file = self._GetTestFilePath(
['tagging_file', 'invalid_syntax.txt'])
with self.assertRaises(errors.BadConfigOption):
tagging_analysis.TaggingAnalysisArgumentsHelper.ParseOptions(
options, analysis_plugin)
options.tagging_file = self._GetTestFilePath(
['tagging_file', 'invalid_encoding.txt'])
with self.assertRaises(errors.BadConfigOption):
tagging_analysis.TaggingAnalysisArgumentsHelper.ParseOptions(
options, analysis_plugin)
def testExamineEventAndCompileReport(self):
"""Tests the ExamineEvent and CompileReport functions."""
test_events = []
for event_dictionary in self._TEST_EVENTS:
event = self._CreateTestEventObject(event_dictionary)
test_events.append(event)
test_file = self._GetTestFilePath([self._TEST_TAG_FILE_NAME])
plugin = tagging.TaggingAnalysisPlugin()
plugin.SetAndLoadTagFile(test_file)
storage_writer = self._AnalyzeEvents(test_events, plugin)
self.assertEqual(len(storage_writer.analysis_reports), 1)
self.assertEqual(len(storage_writer.event_tags), 4)
report = storage_writer.analysis_reports[0]
self.assertIsNotNone(report)
expected_text = u'Tagging plugin produced 4 tags.\n'
self.assertEqual(report.text, expected_text)
labels = []
for event_tag in storage_writer.event_tags:
labels.extend(event_tag.labels)
self.assertEqual(len(labels), 5)
# This is from a tag rule declared in objectfilter syntax.
self.assertIn(u'application_execution', labels)
# This is from a tag rule declared in dotty syntax.
self.assertIn(u'login_attempt', labels)
# This is from a rule using the "contains" operator
self.assertIn(u'text_contains', labels)
def testExamineEventAndCompileReport(self):
"""Tests the ExamineEvent and CompileReport functions."""
test_file_path = self._GetTestFilePath(['tagging_file', 'valid.txt'])
self._SkipIfPathNotExists(test_file_path)
plugin = tagging.TaggingAnalysisPlugin()
plugin.SetAndLoadTagFile(test_file_path)
storage_writer = self._AnalyzeEvents(self._TEST_EVENTS, plugin)
self.assertEqual(len(storage_writer.analysis_reports), 1)
self.assertEqual(storage_writer.number_of_event_tags, 4)
report = storage_writer.analysis_reports[0]
self.assertIsNotNone(report)
self.assertIsNotNone(report.analysis_counter)
self.assertEqual(report.analysis_counter['event_tags'], 4)
self.assertEqual(report.analysis_counter['application_execution'], 1)
self.assertEqual(report.analysis_counter['file_downloaded'], 1)
self.assertEqual(report.analysis_counter['login_attempt'], 1)
self.assertEqual(report.analysis_counter['security_event'], 1)
self.assertEqual(report.analysis_counter['text_contains'], 1)
labels = []
for event_tag in storage_writer.GetEventTags():
labels.extend(event_tag.labels)
self.assertEqual(len(labels), 5)
expected_labels = [
'application_execution', 'file_downloaded', 'login_attempt',
'security_event', 'text_contains'
]
self.assertEqual(sorted(labels), expected_labels)
def testAnalyzeEvents(self):
"""Tests the AnalyzeEvents function."""
test_file_path = self._GetTestFilePath(['psort_test.plaso'])
self._SkipIfPathNotExists(test_file_path)
session = sessions.Session()
knowledge_base_object = knowledge_base.KnowledgeBase()
output_mediator_object = output_mediator.OutputMediator(
knowledge_base_object,
data_location=shared_test_lib.TEST_DATA_PATH)
output_mediator_object.SetPreferredLanguageIdentifier('en-US')
output_module = null.NullOutputModule(output_mediator_object)
data_location = ''
analysis_plugin = tagging.TaggingAnalysisPlugin()
analysis_plugins = {'tagging': analysis_plugin}
# TODO: set tag file.
configuration = configurations.ProcessingConfiguration()
test_engine = psort.PsortMultiProcessEngine()
with shared_test_lib.TempDirectory() as temp_directory:
temp_file = os.path.join(temp_directory, 'storage.plaso')
shutil.copyfile(test_file_path, temp_file)
storage_writer = storage_factory.StorageFactory.CreateStorageWriter(
definitions.DEFAULT_STORAGE_FORMAT, session, temp_file)
counter = test_engine.AnalyzeEvents(knowledge_base_object,
storage_writer, output_module,
data_location,
analysis_plugins,
configuration)
# TODO: assert if tests were successful.
_ = counter
test_filter = filters_test_lib.TestEventFilter()
with shared_test_lib.TempDirectory() as temp_directory:
temp_file = os.path.join(temp_directory, 'storage.plaso')
shutil.copyfile(test_file_path, temp_file)
storage_writer = storage_factory.StorageFactory.CreateStorageWriter(
definitions.DEFAULT_STORAGE_FORMAT, session, temp_file)
counter = test_engine.AnalyzeEvents(knowledge_base_object,
storage_writer,
data_location,
analysis_plugins,
configuration,
event_filter=test_filter)
# TODO: assert if tests were successful.
_ = counter
def testParseOptions(self):
"""Tests the ParseOptions function."""
options = cli_test_lib.TestOptions()
analysis_plugin = tagging.TaggingAnalysisPlugin()
tagging_analysis.TaggingAnalysisArgumentsHelper.ParseOptions(
options, analysis_plugin)
with self.assertRaises(errors.BadConfigObject):
tagging_analysis.TaggingAnalysisArgumentsHelper.ParseOptions(
options, None)
def testAnalyzeEvents(self):
"""Tests the AnalyzeEvents function."""
storage_file_path = self._GetTestFilePath(['psort_test.json.plaso'])
session = sessions.Session()
knowledge_base_object = knowledge_base.KnowledgeBase()
formatter_mediator = formatters_mediator.FormatterMediator()
formatter_mediator.SetPreferredLanguageIdentifier('en-US')
output_mediator_object = output_mediator.OutputMediator(
knowledge_base_object, formatter_mediator)
output_module = null.NullOutputModule(output_mediator_object)
data_location = ''
analysis_plugin = tagging.TaggingAnalysisPlugin()
analysis_plugins = {'tagging': analysis_plugin}
# TODO: set tag file.
test_engine = psort.PsortMultiProcessEngine()
with shared_test_lib.TempDirectory() as temp_directory:
temp_file = os.path.join(temp_directory, 'storage.plaso')
shutil.copyfile(storage_file_path, temp_file)
storage_writer = storage_zip_file.ZIPStorageFileWriter(
session, temp_file)
counter = test_engine.AnalyzeEvents(knowledge_base_object,
storage_writer, output_module,
data_location,
analysis_plugins)
# TODO: assert if tests were successful.
_ = counter
test_filter = filters_test_lib.TestEventFilter()
with shared_test_lib.TempDirectory() as temp_directory:
temp_file = os.path.join(temp_directory, 'storage.plaso')
shutil.copyfile(storage_file_path, temp_file)
storage_writer = storage_zip_file.ZIPStorageFileWriter(
session, temp_file)
counter = test_engine.AnalyzeEvents(knowledge_base_object,
storage_writer,
data_location,
analysis_plugins,
event_filter=test_filter)
# TODO: assert if tests were successful.
_ = counter
def testAnalyzeEventsWithEventFilter(self):
"""Tests the AnalyzeEvents function with an event filter."""
test_file_path = self._GetTestFilePath(['psort_test.plaso'])
self._SkipIfPathNotExists(test_file_path)
test_tagging_file_path = self._GetTestFilePath(
['tagging_file', 'valid.txt'])
self._SkipIfPathNotExists(test_tagging_file_path)
session = sessions.Session()
knowledge_base_object = knowledge_base.KnowledgeBase()
data_location = ''
analysis_plugin = tagging.TaggingAnalysisPlugin()
analysis_plugin.SetAndLoadTagFile(test_tagging_file_path)
analysis_plugins = {'tagging': analysis_plugin}
configuration = configurations.ProcessingConfiguration()
test_engine = analysis_engine.AnalysisMultiProcessEngine()
test_filter = filters_test_lib.TestEventFilter()
with shared_test_lib.TempDirectory() as temp_directory:
temp_file = os.path.join(temp_directory, 'storage.plaso')
shutil.copyfile(test_file_path, temp_file)
storage_writer = storage_factory.StorageFactory.CreateStorageWriter(
definitions.DEFAULT_STORAGE_FORMAT)
storage_writer.Open(path=temp_file)
try:
number_of_reports = storage_writer.GetNumberOfAttributeContainers(
'analysis_report')
self.assertEqual(number_of_reports, 2)
test_engine.AnalyzeEvents(session,
knowledge_base_object,
storage_writer,
data_location,
analysis_plugins,
configuration,
event_filter=test_filter,
storage_file_path=temp_directory)
number_of_reports = storage_writer.GetNumberOfAttributeContainers(
'analysis_report')
self.assertEqual(number_of_reports, 3)
finally:
storage_writer.Close()
def testInternalAnalyzeEvents(self):
"""Tests the _AnalyzeEvents function."""
test_file_path = self._GetTestFilePath(['psort_test.plaso'])
self._SkipIfPathNotExists(test_file_path)
test_tagging_file_path = self._GetTestFilePath([
'tagging_file', 'valid.txt'])
self._SkipIfPathNotExists(test_tagging_file_path)
session = sessions.Session()
knowledge_base_object = knowledge_base.KnowledgeBase()
analysis_plugin = tagging.TaggingAnalysisPlugin()
analysis_plugin.SetAndLoadTagFile(test_tagging_file_path)
analysis_plugins = {'tagging': analysis_plugin}
configuration = configurations.ProcessingConfiguration()
test_engine = analysis_engine.AnalysisMultiProcessEngine()
with shared_test_lib.TempDirectory() as temp_directory:
temp_file = os.path.join(temp_directory, 'storage.plaso')
shutil.copyfile(test_file_path, temp_file)
self._ReadSessionConfiguration(temp_file, knowledge_base_object)
storage_writer = storage_factory.StorageFactory.CreateStorageWriter(
definitions.DEFAULT_STORAGE_FORMAT)
test_engine._processing_configuration = configuration
test_engine._session = session
test_engine._storage_file_path = temp_directory
test_engine._StartTaskStorage(definitions.STORAGE_FORMAT_SQLITE)
test_engine._StartAnalysisProcesses(analysis_plugins)
storage_writer.Open(path=temp_file)
try:
events_counter = test_engine._AnalyzeEvents(
storage_writer, analysis_plugins)
finally:
storage_writer.Close()
test_engine._StopAnalysisProcesses()
self.assertIsNotNone(events_counter)
self.assertEqual(events_counter['Events filtered'], 0)
self.assertEqual(events_counter['Events processed'], 38)
def _TagEvent(self, event, event_data, event_data_stream):
"""Tags an event.
Args:
event (Event): event.
event_data (EventData): event data.
event_data_stream (EventDataStream): event data stream.
Returns:
FakeStorageWriter: storage writer.
Raises:
SkipTest: if the tag file does not exist.
"""
tag_file_path = self._GetDataFilePath([self._TAG_FILE])
self._SkipIfPathNotExists(tag_file_path)
session = sessions.Session()
storage_writer = fake_writer.FakeStorageWriter()
storage_writer.Open()
if event_data_stream:
storage_writer.AddAttributeContainer(event_data_stream)
event_data_stream_identifier = event_data_stream.GetIdentifier()
event_data.SetEventDataStreamIdentifier(
event_data_stream_identifier)
storage_writer.AddAttributeContainer(event_data)
event_data_identifier = event_data.GetIdentifier()
event.SetEventDataIdentifier(event_data_identifier)
storage_writer.AddAttributeContainer(event)
knowledge_base_object = knowledge_base.KnowledgeBase()
mediator = analysis_mediator.AnalysisMediator(session,
knowledge_base_object)
mediator.SetStorageWriter(storage_writer)
plugin = tagging.TaggingAnalysisPlugin()
plugin.SetAndLoadTagFile(tag_file_path)
plugin.ExamineEvent(mediator, event, event_data, event_data_stream)
analysis_report = plugin.CompileReport(mediator)
storage_writer.AddAttributeContainer(analysis_report)
return storage_writer
def testExamineEventAndCompileReport(self):
"""Tests the ExamineEvent and CompileReport functions."""
test_file_path = self._GetTestFilePath(['tagging_file', 'valid.txt'])
self._SkipIfPathNotExists(test_file_path)
plugin = tagging.TaggingAnalysisPlugin()
plugin.SetAndLoadTagFile(test_file_path)
storage_writer = self._AnalyzeEvents(self._TEST_EVENTS, plugin)
number_of_reports = storage_writer.GetNumberOfAttributeContainers(
'analysis_report')
self.assertEqual(number_of_reports, 1)
analysis_report = storage_writer.GetAttributeContainerByIndex(
reports.AnalysisReport.CONTAINER_TYPE, 0)
self.assertIsNotNone(analysis_report)
self.assertEqual(analysis_report.plugin_name, 'tagging')
expected_analysis_counter = collections.Counter({
'application_execution': 1,
'event_tags': 4,
'file_downloaded': 1,
'login_attempt': 1,
'security_event': 1,
'text_contains': 1})
self.assertEqual(
analysis_report.analysis_counter, expected_analysis_counter)
number_of_event_tags = storage_writer.GetNumberOfAttributeContainers(
'event_tag')
self.assertEqual(number_of_event_tags, 4)
labels = []
for event_tag in storage_writer.GetAttributeContainers(
events.EventTag.CONTAINER_TYPE):
labels.extend(event_tag.labels)
self.assertEqual(len(labels), 5)
expected_labels = [
'application_execution', 'file_downloaded', 'login_attempt',
'security_event', 'text_contains']
self.assertEqual(sorted(labels), expected_labels)
def _TagEvent(self, event, event_data):
"""Tags an event.
Args:
event (Event): event.
event_data (EventData): event data.
Returns:
FakeStorageWriter: storage writer.
Raises:
SkipTest: if the tag file does not exist.
"""
tag_file_path = self._GetDataFilePath([self._TAG_FILE])
self._SkipIfPathNotExists(tag_file_path)
session = sessions.Session()
storage_writer = fake_writer.FakeStorageWriter(session)
storage_writer.Open()
storage_writer.AddEventData(event_data)
storage_writer.AddEvent(event)
knowledge_base_object = knowledge_base.KnowledgeBase()
mediator = analysis_mediator.AnalysisMediator(storage_writer,
knowledge_base_object)
plugin = tagging.TaggingAnalysisPlugin()
plugin.SetAndLoadTagFile(tag_file_path)
plugin.ExamineEvent(mediator, event, event_data)
analysis_report = plugin.CompileReport(mediator)
storage_writer.AddAnalysisReport(analysis_report)
return storage_writer