def testRegexMatchConditionWithDifferentActions(self):
expected_files = ["auth.log"]
non_expected_files = ["dpkg.log", "dpkg_false.log"]
regex_condition = file_finder.FileFinderCondition(
condition_type=(
file_finder.FileFinderCondition.Type.CONTENTS_REGEX_MATCH),
contents_regex_match=file_finder.FileFinderContentsRegexMatchCondition(
mode=(file_finder.FileFinderContentsRegexMatchCondition.Mode.
ALL_HITS),
bytes_before=10,
bytes_after=10,
regex="session opened for user .*?john"))
for action in sorted(file_finder.FileFinderAction.Action.enum_dict.values(
)):
self.RunFlowAndCheckResults(action=action,
conditions=[regex_condition],
expected_files=expected_files,
non_expected_files=non_expected_files)
fd = aff4.FACTORY.Open(
self.client_id.Add(self.output_path),
aff4_type=collects.RDFValueCollection,
token=self.token)
self.assertEqual(len(fd), 1)
self.assertEqual(len(fd[0].matches), 1)
self.assertEqual(fd[0].matches[0].offset, 350)
self.assertEqual(fd[0].matches[0].data,
"session): session opened for user dearjohn by (uid=0")
def testFindsKeyIfItMatchesRegexMatchCondition(self):
value_regex_match = file_finder.FileFinderContentsRegexMatchCondition(
bytes_before=10,
bytes_after=10,
regex="Windows.+\\.exe")
self.RunFlow(
["HKEY_USERS/S-1-5-20/Software/Microsoft/Windows/CurrentVersion/Run/*"],
[registry.RegistryFinderCondition(
condition_type=
registry.RegistryFinderCondition.Type.VALUE_REGEX_MATCH,
value_regex_match=value_regex_match)])
results = self.GetResults()
self.assertEqual(len(results), 1)
self.assertEqual(len(results[0].matches), 1)
self.assertEqual(results[0].matches[0].offset, 15)
self.assertEqual(results[0].matches[0].data,
"ramFiles%\\Windows Sidebar\\Sidebar.exe /autoRun")
self.assertEqual(results[0].stat_entry.aff4path,
"aff4:/C.1000000000000000/registry/HKEY_USERS/S-1-5-20/"
"Software/Microsoft/Windows/CurrentVersion/Run/Sidebar")
self.assertEqual(results[0].stat_entry.pathspec.path,
"/HKEY_USERS/S-1-5-20/Software/Microsoft/Windows/"
"CurrentVersion/Run/Sidebar")
self.assertEqual(results[0].stat_entry.pathspec.pathtype,
rdf_paths.PathSpec.PathType.REGISTRY)
def Grep(self, source, pathtype):
"""Grep files in paths for any matches to content_regex_list.
Args:
source: artifact source
pathtype: pathspec path type
When multiple regexes are supplied, combine them into a single regex as an
OR match so that we check all regexes at once.
"""
path_list = self.InterpolateList(source.attributes.get("paths", []))
content_regex_list = self.InterpolateList(
source.attributes.get("content_regex_list", []))
regex_condition = file_finder.FileFinderContentsRegexMatchCondition(
regex=self._CombineRegex(content_regex_list),
bytes_before=0,
bytes_after=0,
mode="ALL_HITS")
file_finder_condition = file_finder.FileFinderCondition(
condition_type=(
file_finder.FileFinderCondition.Type.CONTENTS_REGEX_MATCH),
contents_regex_match=regex_condition)
self.CallFlow("FileFinder",
paths=path_list,
conditions=[file_finder_condition],
action=file_finder.FileFinderAction(),
pathtype=pathtype,
request_data={
"artifact_name": self.current_artifact_name,
"source": source.ToPrimitiveDict()
},
next_state="ProcessCollected")
def StartRequests(self):
"""Generate and send the Find requests."""
client = aff4.FACTORY.Open(self.client_id, token=self.token)
if self.runner.output is not None:
self.runner.output.Set(
self.runner.output.Schema.DESCRIPTION("CacheGrep for {0}".format(
self.args.data_regex)))
usernames = ["%s\\%s" % (u.domain, u.username) for u in self.state.users]
usernames = [u.lstrip("\\") for u in usernames] # Strip \\ if no domain.
condition = file_finder.FileFinderCondition(
condition_type=
file_finder.FileFinderCondition.Type.CONTENTS_REGEX_MATCH,
contents_regex_match=file_finder.FileFinderContentsRegexMatchCondition(
regex=self.args.data_regex,
mode=
file_finder.FileFinderContentsRegexMatchCondition.Mode.FIRST_HIT))
for path in self.state.all_paths:
full_paths = flow_utils.InterpolatePath(path, client, users=usernames)
for full_path in full_paths:
self.CallFlow(
"FileFinder",
paths=[os.path.join(full_path, "**5")],
pathtype=self.state.args.pathtype,
conditions=[condition],
action=file_finder.FileFinderAction(
action_type=file_finder.FileFinderAction.Action.DOWNLOAD),
next_state="HandleResults")
def testRegexMatchConditionWithDifferentActions(self):
expected_files = ["auth.log"]
non_expected_files = ["dpkg.log", "dpkg_false.log"]
regex_condition = file_finder.FileFinderCondition(
condition_type=(
file_finder.FileFinderCondition.Type.CONTENTS_REGEX_MATCH),
contents_regex_match=file_finder.FileFinderContentsRegexMatchCondition(
mode=(
file_finder.FileFinderContentsRegexMatchCondition.Mode.ALL_HITS
),
bytes_before=10,
bytes_after=10,
regex="session opened for user .*?john"))
for action in self.CONDITION_TESTS_ACTIONS:
self.RunFlowAndCheckResults(
action=action,
conditions=[regex_condition],
expected_files=expected_files,
non_expected_files=non_expected_files)
fd = aff4.FACTORY.Open(
self.last_session_id.Add(flow_runner.RESULTS_SUFFIX),
aff4_type=sequential_collection.GeneralIndexedCollection,
token=self.token)
self.assertEqual(len(fd), 1)
self.assertEqual(len(fd[0].matches), 1)
self.assertEqual(fd[0].matches[0].offset, 350)
self.assertEqual(fd[0].matches[0].data,
"session): session opened for user dearjohn by (uid=0")
def testFindsNothingIfRegexMatchesNothing(self):
value_regex_match = file_finder.FileFinderContentsRegexMatchCondition(
regex=".*CanNotFindMe.*")
self.RunFlow(
["HKEY_USERS/S-1-5-20/Software/Microsoft/Windows/CurrentVersion/Run/*"],
[registry.RegistryFinderCondition(
condition_type=
registry.RegistryFinderCondition.Type.VALUE_REGEX_MATCH,
value_regex_match=value_regex_match)])
self.AssertNoResults()
def testMemoryImageRegexMatchConditionWithNoAction(self):
regex_condition = memory.MemoryCollectorCondition(
condition_type=memory.MemoryCollectorCondition.Type.REGEX_MATCH,
regex_match=file_finder.FileFinderContentsRegexMatchCondition(
mode=file_finder.FileFinderContentsLiteralMatchCondition.Mode.
ALL_HITS,
regex="session opened for user .*?john"))
self.RunWithNoAction(conditions=[regex_condition])
output = aff4.FACTORY.Open(self.client_id.Add(self.output_path),
aff4_type="RDFValueCollection",
token=self.token)
self.assertEqual(len(output), 1)
self.assertEqual(output[0].offset, 350)
self.assertEqual(output[0].length, 52)
self.assertEqual(
output[0].data, "session): session opened for user "
"dearjohn by (uid=0")
def testSizeAndRegexConditionsWithDifferentActions(self):
files_over_size_limit = ["auth.log"]
filtered_files = ["dpkg.log", "dpkg_false.log"]
expected_files = []
non_expected_files = files_over_size_limit + filtered_files
sizes = [
os.stat(os.path.join(self.fixture_path, f)).st_size
for f in files_over_size_limit
]
size_condition = file_finder.FileFinderCondition(
condition_type=file_finder.FileFinderCondition.Type.SIZE,
size=file_finder.FileFinderSizeCondition(max_file_size=min(sizes) - 1))
regex_condition = file_finder.FileFinderCondition(
condition_type=(
file_finder.FileFinderCondition.Type.CONTENTS_REGEX_MATCH),
contents_regex_match=file_finder.FileFinderContentsRegexMatchCondition(
mode=(
file_finder.FileFinderContentsRegexMatchCondition.Mode.ALL_HITS
),
bytes_before=10,
bytes_after=10,
regex="session opened for user .*?john"))
for action in self.CONDITION_TESTS_ACTIONS:
self.RunFlowAndCheckResults(
action=action,
conditions=[size_condition, regex_condition],
expected_files=expected_files,
non_expected_files=non_expected_files)
# Check that order of conditions doesn't influence results
for action in self.CONDITION_TESTS_ACTIONS:
self.RunFlowAndCheckResults(
action=action,
conditions=[regex_condition, size_condition],
expected_files=expected_files,
non_expected_files=non_expected_files)
