def test5_check_status_attributes_not_matching(self):
"""
In this test case the second log line has different attributes than expected.
An appropriate error message is expected from the check_status-method. The output of the do_timer-method is also tested in this
test case.
"""
description = "Test5TimeCorrelationViolationDetector"
time_correlation_violation_detector = TimeCorrelationViolationDetector(
self.analysis_context.aminer_config, self.rules,
[self.stream_printer_event_handler])
self.analysis_context.register_component(
time_correlation_violation_detector, component_name=description)
t = time.time()
log_atom1 = LogAtom(self.match_context1.match_data,
ParserMatch(self.match_element1), t, self)
time_correlation_violation_detector.receive_atom(log_atom1)
log_atom2 = LogAtom(self.match_context2.match_data,
ParserMatch(self.match_element2_different), t + 1,
self)
time_correlation_violation_detector.receive_atom(log_atom2)
time_correlation_violation_detector.do_timer(time.time())
self.assertEqual(
self.output_stream.getvalue(),
self._expected_string_different_attributes %
(datetime.fromtimestamp(t).strftime(
self.datetime_format_string), self.correlation_rule.rule_id,
description, 1, self.match_element1.get_match_string().decode(),
self.a_class_selector.action_id, 22500, 22501))
def test2_check_status_not_found_error(self):
"""In this test case the second log line is not found and an appropriate error message is expected from the check_status-method.
The output of the do_timer-method is also tested in this test case. """
description = "Test2TimeCorrelationViolationDetector"
time_correlation_violation_detector = TimeCorrelationViolationDetector(self.analysis_context.aminer_config, self.rules,
[self.stream_printer_event_handler])
self.analysis_context.register_component(time_correlation_violation_detector, component_name=description)
t = time.time()
log_atom1 = LogAtom(self.match_context1.match_data, ParserMatch(self.match_element1), t, self)
time_correlation_violation_detector.receive_atom(log_atom1)
r = self.correlation_rule.check_status(t + 2)
self.assertEqual(r[0], 'FAIL: B-Event for "%s" (%s) was not found in time!\n' % (
self.match_element1.get_match_string().decode(), self.a_class_selector.action_id))
def test1_check_status_ok(self):
"""In this test case the status is OK after receiving the expected data and no error message is returned. The output of the
do_timer-method is also tested in this test case. """
description = "Test1TimeCorrelationViolationDetector"
time_correlation_violation_detector = TimeCorrelationViolationDetector(self.analysis_context.aminer_config, self.rules,
[self.stream_printer_event_handler])
self.analysis_context.register_component(time_correlation_violation_detector, component_name=description)
log_atom1 = LogAtom(self.match_context1.match_data, ParserMatch(self.match_element1), time.time(), self)
time_correlation_violation_detector.receive_atom(log_atom1)
log_atom2 = LogAtom(self.match_context2.match_data, ParserMatch(self.match_element2), time.time() + 1, self)
time_correlation_violation_detector.receive_atom(log_atom2)
time_correlation_violation_detector.do_timer(time.time())
self.assertEqual(self.output_stream.getvalue(), "")
def run_time_correlation_violation_detector(self, chance):
results = [None] * self.iterations
avg = 0
z = 0
while z < self.iterations:
correlation_rule = CorrelationRule('Correlation',
0,
chance,
max_artefacts_a_for_single_b=1,
artefact_match_parameters=[
('/integer/d0',
'/integer/d1')
])
a_class_selector = EventClassSelector('Selector1',
[correlation_rule], None)
b_class_selector = EventClassSelector('Selector2', None,
[correlation_rule])
rules = [
Rules.PathExistsMatchRule('/integer/d0', a_class_selector),
Rules.PathExistsMatchRule('/integer/d1', b_class_selector)
]
time_correlation_violation_detector = TimeCorrelationViolationDetector(
self.analysis_context.aminer_config, rules,
[self.stream_printer_event_handler])
seconds = time.time()
s = seconds
i = 0
decimal_integer_value_me = DecimalIntegerValueModelElement(
'd0', DecimalIntegerValueModelElement.SIGN_TYPE_NONE,
DecimalIntegerValueModelElement.PAD_TYPE_NONE)
while int(time.time() - seconds) < self.waiting_time:
integer = '/integer'
p = process_time()
r = random.randint(1, 100)
seconds = seconds + process_time() - p
decimal_integer_value_me1 = DecimalIntegerValueModelElement(
'd1', DecimalIntegerValueModelElement.SIGN_TYPE_NONE,
DecimalIntegerValueModelElement.PAD_TYPE_NONE)
match_context = MatchContext(str(i).encode())
match_element = decimal_integer_value_me.get_match_element(
integer, match_context)
log_atom = LogAtom(match_element.match_string,
ParserMatch(match_element), s,
time_correlation_violation_detector)
time_correlation_violation_detector.receive_atom(log_atom)
match_context = MatchContext(str(i).encode())
match_element = decimal_integer_value_me1.get_match_element(
integer, match_context)
log_atom = LogAtom(match_element.match_string,
ParserMatch(match_element), s + r / 100,
time_correlation_violation_detector)
time_correlation_violation_detector.receive_atom(log_atom)
s = s + r / 100
if r / 100 >= chance:
p = process_time()
match_context = MatchContext(str(i).encode())
match_element = decimal_integer_value_me.get_match_element(
integer, match_context)
log_atom = LogAtom(match_element.match_string,
ParserMatch(match_element), s,
time_correlation_violation_detector)
time_correlation_violation_detector.receive_atom(log_atom)
seconds = seconds + process_time() - p
time_correlation_violation_detector.do_timer(s)
i = i + 1
results[z] = i
z = z + 1
avg = avg + i
avg = avg / self.iterations
type(self).result = self.result + self.result_string % (
time_correlation_violation_detector.__class__.__name__, avg,
results, '%d%% chance of not finding an element' %
((1 - chance) * 100))