def test_stateless_checks(self):
    """Verify that :func:`~utils.is_stateful` reports ``False`` for stateless queries.

    Each sample below uses only single-event constructs (``where`` filters,
    ``filter``/``tail``/``head``/``unique`` pipes, string and length functions);
    none of them contains a ``sequence``/``join`` or a relationship clause, so
    every parsed AST is expected to be classified as stateless.
    """
    stateless_samples = (
        "process where true | filter command_line='* https://*' | tail 10",
        "process where user_name='system' | unique parent_process_name | head 500",
        "file where file_name='*.txt' and (process_name='cmd.exe' or parent_process_name='net.exe')",
        "registry where length(user_name) == 500",
        "network where string(destination_port) == '500' | unique process_name",
    )
    for sample in stateless_samples:
        parsed = parse_query(sample)
        # Include the offending query text so a failure names the exact sample.
        self.assertFalse(is_stateful(parsed), f"{sample} was not recognized as stateless")
def test_stateful_checks(self):
    """Verify that :func:`~utils.is_stateful` reports ``True`` for stateful queries.

    The samples cover the constructs that span more than one event:
    ``sequence`` and ``join`` blocks, the ``descendant of``/``child of``/
    ``event of`` relationship clauses, and the ``unique_count``/``count`` pipes.
    Every parsed AST is expected to be classified as stateful.
    """
    stateful_samples = (
        "sequence [process where process_name='net.exe'] [process where process_name='net.exe']",
        "join [process where process_name='net.exe'] [process where process_name='net.exe']",
        "file where file_name='*.txt' and descendant of [process where pid=4]",
        "file where child of [process where pid=4]",
        "registry where event of [process where pid=4]",
        "process where true | unique_count process_name | filter count < 5",
        "any where true | count user_name",
    )
    for sample in stateful_samples:
        parsed = parse_query(sample)
        # Include the offending query text so a failure names the exact sample.
        self.assertTrue(is_stateful(parsed), f"{sample} was not recognized as stateful")