 def get_queries(self) -> OneOrMany[IpcQuery]:
     """Build the IPC query this analyzer runs.

     Matches an IPC edge whose creator process was launched from a binary
     other than the listed ssh executables, and whose recipient process is
     filtered on the name 'ssh-agent' and then on 'sshd'.
     """
     # Creators started from any of these paths are excluded from the match.
     excluded_ssh_binaries = FileQuery().with_file_path(eq=[
         Not("/usr/bin/ssh-add"),
         Not("/bin/ssh"),
         Not("/usr/bin/ssh"),
     ])
     creator = ProcessQuery().with_bin_file(excluded_ssh_binaries)

     # NOTE(review): with_process_name is applied twice on the recipient.
     # Whether the two filters are combined as AND or OR depends on the query
     # DSL; confirm against ProcessQuery that the intended recipient set
     # (both names, or either name) is what this produces.
     recipient = (
         ProcessQuery()
         .with_process_name(eq='ssh-agent')
         .with_process_name(eq='sshd')
     )

     return IpcQuery().with_ipc_creator(creator).with_ipc_recipient(recipient)
    def test_process_query_view_miss(self, process_props: ProcessProps) -> None:
        """A query negating every stored property must not return the node.

        Requires a Dgraph instance reachable at localhost:9080. The process is
        created (or fetched) there first, then queried by node key with each
        of its known property values wrapped in ``Not``; the query must miss.
        """
        local_client = DgraphClient(DgraphClientStub("localhost:9080"))

        created_proc = get_or_create_process(self, local_client, process_props)

        # Every property negated below has to be populated, otherwise the
        # Not(...) filters would not be exercising anything. Checked in the
        # same order as the query below, stopping at the first missing one.
        negated_fields = (
            "process_id",
            "arguments",
            "created_timestamp",
            "terminate_time",
            "image_name",
            "process_name",
        )
        assert all(
            getattr(created_proc, field) is not None for field in negated_fields
        )

        query = ProcessQuery().with_node_key(eq=created_proc.node_key)
        query = query.with_process_id(eq=Not(created_proc.process_id))
        query = query.with_arguments(eq=Not(created_proc.arguments))
        query = query.with_created_timestamp(eq=Not(created_proc.created_timestamp))
        query = query.with_terminate_time(eq=Not(created_proc.terminate_time))
        query = query.with_image_name(eq=Not(created_proc.image_name))
        query = query.with_process_name(eq=Not(created_proc.process_name))
        queried_proc = query.query_first(local_client)

        assert not queried_proc
    def get_queries(self) -> OneOrMany[ProcessQuery]:
        """Return a query for svchost.exe children of unexpected parents.

        The parent process must not carry any of the names that are expected
        to spawn svchost.exe; such a parent with an svchost.exe child is the
        signal this analyzer looks for.
        """
        # Parents that are expected to launch svchost.exe. Each is negated so
        # the query matches only parents outside this set.
        # NOTE(review): the filter is on process_name only; a parent whose
        # name merely matches one of these entries is treated as expected —
        # confirm whether a path-based check is wanted as well.
        expected_parent_names = (
            "services.exe",
            "smss.exe",
            "ngentask.exe",
            "userinit.exe",
            "GoogleUpdate.exe",
            "conhost.exe",
            "MpCmdRun.exe",
        )
        unexpected_parent = ProcessQuery().with_process_name(
            eq=[Not(name) for name in expected_parent_names]
        )
        svchost_child = ProcessQuery().with_process_name(eq="svchost.exe")

        return unexpected_parent.with_children(svchost_child)
    def test_process_query_view_miss(
        self,
        node_key,
        process_id,
        created_timestamp,
        asset_id,
        terminate_time,
        image_name,
        process_name,
        arguments,
    ):
        """Upsert a Process node, then check a query negating all its values misses it.

        Requires a Dgraph instance reachable at localhost:9080. The node key is
        prefixed with the test name so nodes written by other tests cannot
        collide with it.
        """
        node_key = "test_process_query_view_miss" + str(node_key)
        local_client = DgraphClient(DgraphClientStub("localhost:9080"))
        property_values = (
            ("process_id", process_id),
            ("arguments", arguments),
            ("created_timestamp", created_timestamp),
            ("asset_id", asset_id),
            ("terminate_time", terminate_time),
            ("image_name", image_name),
            ("process_name", process_name),
        )
        process = dict(property_values)  # type: Dict[str, Property]

        # The upsert is what matters here; the returned view is kept only for
        # parity with the original code and is not otherwise used.
        process_view = cast(
            ProcessView,
            upsert(local_client, "Process", ProcessView, node_key, process),
        )  # type: ProcessView

        queried_proc = (
            ProcessQuery()
            .with_node_key(eq=node_key)
            .with_process_id(eq=Not(process_id))
            .with_arguments(eq=Not(arguments))
            .with_created_timestamp(eq=Not(created_timestamp))
            .with_asset_id(eq=Not(asset_id))
            .with_terminate_time(eq=Not(terminate_time))
            .with_image_name(eq=Not(image_name))
            .with_process_name(eq=Not(process_name))
            .query_first(local_client)
        )

        assert not queried_proc