def testBasicConversion(self):
conn1 = rdf_client_network.NetworkConnection(
state=rdf_client_network.NetworkConnection.State.LISTEN,
type=rdf_client_network.NetworkConnection.Type.SOCK_STREAM,
local_address=rdf_client_network.NetworkEndpoint(ip="0.0.0.0",
port=22),
remote_address=rdf_client_network.NetworkEndpoint(ip="0.0.0.0",
port=0),
pid=2136,
ctime=0)
conn2 = rdf_client_network.NetworkConnection(
state=rdf_client_network.NetworkConnection.State.LISTEN,
type=rdf_client_network.NetworkConnection.Type.SOCK_STREAM,
local_address=rdf_client_network.NetworkEndpoint(ip="192.168.1.1",
port=31337),
remote_address=rdf_client_network.NetworkEndpoint(ip="1.2.3.4",
port=6667),
pid=1,
ctime=0)
proc = rdf_client.Process(pid=2,
ppid=1,
cmdline=["cmd.exe"],
exe="c:\\windows\\cmd.exe",
ctime=1333718907167083,
connections=[conn1, conn2])
converter = process.ProcessToExportedNetworkConnectionConverter()
results = list(converter.Convert(self.metadata, proc))
self.assertLen(results, 2)
self.assertEqual(results[0].state,
rdf_client_network.NetworkConnection.State.LISTEN)
self.assertEqual(results[0].type,
rdf_client_network.NetworkConnection.Type.SOCK_STREAM)
self.assertEqual(results[0].local_address.ip, "0.0.0.0")
self.assertEqual(results[0].local_address.port, 22)
self.assertEqual(results[0].remote_address.ip, "0.0.0.0")
self.assertEqual(results[0].remote_address.port, 0)
self.assertEqual(results[0].pid, 2136)
self.assertEqual(results[0].ctime, 0)
self.assertEqual(results[1].state,
rdf_client_network.NetworkConnection.State.LISTEN)
self.assertEqual(results[1].type,
rdf_client_network.NetworkConnection.Type.SOCK_STREAM)
self.assertEqual(results[1].local_address.ip, "192.168.1.1")
self.assertEqual(results[1].local_address.port, 31337)
self.assertEqual(results[1].remote_address.ip, "1.2.3.4")
self.assertEqual(results[1].remote_address.port, 6667)
self.assertEqual(results[1].pid, 1)
self.assertEqual(results[1].ctime, 0)
def testWhenFetchingFiltersOutProcessesWithoutExeAndConnectionState(self):
client_id = self.SetupClient(0)
p1 = rdf_client.Process(
pid=2, ppid=1, cmdline=["test_img.dd"], ctime=1333718907167083)
p2 = rdf_client.Process(
pid=2,
ppid=1,
cmdline=["cmd.exe"],
exe="c:\\windows\\cmd.exe",
ctime=1333718907167083,
connections=[
rdf_client_network.NetworkConnection(
family="INET", state="ESTABLISHED")
])
client_mock = action_mocks.ListProcessesMock([p1, p2])
session_id = flow_test_lib.TestFlowHelper(
flow_processes.ListProcesses.__name__,
client_mock,
fetch_binaries=True,
client_id=client_id,
connection_states=["LISTEN"],
creator=self.test_username)
# No output matched.
processes = flow_test_lib.GetFlowResults(client_id, session_id)
self.assertEmpty(processes)
def Start(cls, args):
for proc in psutil.process_iter():
try:
connections = proc.connections()
except (psutil.NoSuchProcess, psutil.AccessDenied):
continue
for conn in connections:
if args.listening_only and conn.status != "LISTEN":
continue
res = rdf_client_network.NetworkConnection()
res.pid = proc.pid
res.process_name = proc.name()
res.family = conn.family
res.type = conn.type
try:
if conn.status:
res.state = conn.status
except ValueError:
logging.warn("Encountered unknown connection status (%s).",
conn.status)
res.local_address.ip, res.local_address.port = conn.laddr
if conn.raddr:
res.remote_address.ip, res.remote_address.port = conn.raddr
yield res
def testPaginationNavigation(self):
flow_args = network.NetstatArgs(listening_only=True)
flow_id = flow_test_lib.StartFlow(
network.Netstat,
creator=self.test_username,
client_id=self.client_id,
flow_args=flow_args)
self.Open(f"/v2/clients/{self.client_id}")
self.WaitUntil(self.IsElementPresent,
"css=result-accordion .title:contains('Listening only')")
flow_test_lib.AddResultsToFlow(self.client_id, flow_id, [
rdf_client_network.NetworkConnection(process_name=f"process{i}")
for i in range(15)
])
self.Click("css=result-accordion .title:contains('Listening only')")
for i in range(10):
self.WaitUntil(self.IsElementPresent, f"css=td:contains('process{i}')")
self.assertEqual(self.GetCssCount("css=td:contains('process')"), 10)
# Navigation works in both top and bottom paginators.
self.Click("css=.top-paginator .mat-paginator-navigation-last")
for i in range(10, 15):
self.WaitUntil(self.IsElementPresent, f"css=td:contains('process{i}')")
self.assertEqual(self.GetCssCount("css=td:contains('process')"), 5)
self.ScrollToBottom()
self.Click("css=.bottom-paginator .mat-paginator-navigation-previous")
for i in range(10):
self.WaitUntil(self.IsElementPresent, f"css=td:contains('process{i}')")
self.assertEqual(self.GetCssCount("css=td:contains('process')"), 10)
def testSorting(self):
flow_args = network.NetstatArgs(listening_only=True)
flow_id = flow_test_lib.StartFlow(
network.Netstat,
creator=self.test_username,
client_id=self.client_id,
flow_args=flow_args)
self.Open(f"/v2/clients/{self.client_id}")
self.WaitUntil(self.IsElementPresent,
"css=result-accordion .title:contains('Listening only')")
flow_test_lib.AddResultsToFlow(self.client_id, flow_id, [
rdf_client_network.NetworkConnection(process_name=f"process{i}")
for i in range(3)
])
self.Click("css=result-accordion .title:contains('Listening only')")
for i in range(3):
self.WaitUntil(self.IsElementPresent, f"css=td:contains('process{i}')")
self.Click("css=.mat-sort-header:contains('Process Name')")
for i in [0, 1, 2]: # reordered results asc
self.WaitUntil(self.IsElementPresent, f"css=td:contains('process{i}')")
self.Click("css=.mat-sort-header:contains('Process Name')")
for i in [2, 1, 0]: # reordered results desc
self.WaitUntil(self.IsElementPresent, f"css=td:contains('process{i}')")
def ListNetworkConnectionsFromClient(args):
"""Gather open network connection stats.
Args:
args: An `rdf_client_action.ListNetworkConnectionArgs` instance.
Yields:
`rdf_client_network.NetworkConnection` instances.
"""
for proc in psutil.process_iter():
try:
connections = proc.connections()
except (psutil.NoSuchProcess, psutil.AccessDenied):
continue
for conn in connections:
if args.listening_only and conn.status != "LISTEN":
continue
res = rdf_client_network.NetworkConnection()
res.pid = proc.pid
res.process_name = proc.name()
res.family = conn.family
res.type = conn.type
try:
if conn.status:
res.state = conn.status
except ValueError:
logging.warn("Encountered unknown connection status (%s).", conn.status)
res.local_address.ip, res.local_address.port = conn.laddr
if conn.raddr:
res.remote_address.ip, res.remote_address.port = conn.raddr
yield res
def testProcessListingFilterConnectionState(self):
client_id = self.SetupClient(0)
p1 = rdf_client.Process(pid=2,
ppid=1,
cmdline=["cmd.exe"],
exe="c:\\windows\\cmd.exe",
ctime=1333718907167083,
connections=[
rdf_client_network.NetworkConnection(
family="INET", state="CLOSED")
])
p2 = rdf_client.Process(pid=3,
ppid=1,
cmdline=["cmd2.exe"],
exe="c:\\windows\\cmd2.exe",
ctime=1333718907167083,
connections=[
rdf_client_network.NetworkConnection(
family="INET", state="LISTEN")
])
p3 = rdf_client.Process(pid=4,
ppid=1,
cmdline=["missing_exe.exe"],
ctime=1333718907167083,
connections=[
rdf_client_network.NetworkConnection(
family="INET", state="ESTABLISHED")
])
client_mock = action_mocks.ListProcessesMock([p1, p2, p3])
flow_urn = flow.StartFlow(
client_id=client_id,
flow_name=flow_processes.ListProcesses.__name__,
connection_states=["ESTABLISHED", "LISTEN"],
token=self.token)
session_id = flow_test_lib.TestFlowHelper(flow_urn,
client_mock,
client_id=client_id,
token=self.token)
processes = flow.GRRFlow.ResultCollectionForFID(session_id)
self.assertEqual(len(processes), 2)
states = set()
for process in processes:
states.add(str(process.connections[0].state))
self.assertItemsEqual(states, ["ESTABLISHED", "LISTEN"])
def Listener(ip, port, family):
conn = rdf_client_network.NetworkConnection()
conn.state = rdf_client_network.NetworkConnection.State.LISTEN
conn.family = family
conn.type = rdf_client_network.NetworkConnection.Type.SOCK_STREAM
conn.local_address.ip = ip
conn.port = port
return conn
def AddListener(self, ip, port, family="INET", sock_type="SOCK_STREAM"): """Create a network connection.""" conn = rdf_client_network.NetworkConnection() conn.state = "LISTEN" conn.family = family conn.type = sock_type conn.local_address = rdf_client_network.NetworkEndpoint(ip=ip, port=port) return conn
def testProcessListingFilterConnectionState(self):
client_id = self.SetupClient(0)
p1 = rdf_client.Process(
pid=2,
ppid=1,
cmdline=["cmd.exe"],
exe="c:\\windows\\cmd.exe",
ctime=1333718907167083,
connections=[
rdf_client_network.NetworkConnection(family="INET", state="CLOSED")
])
p2 = rdf_client.Process(
pid=3,
ppid=1,
cmdline=["cmd2.exe"],
exe="c:\\windows\\cmd2.exe",
ctime=1333718907167083,
connections=[
rdf_client_network.NetworkConnection(family="INET", state="LISTEN")
])
p3 = rdf_client.Process(
pid=4,
ppid=1,
cmdline=["missing_exe.exe"],
ctime=1333718907167083,
connections=[
rdf_client_network.NetworkConnection(
family="INET", state="ESTABLISHED")
])
client_mock = action_mocks.ListProcessesMock([p1, p2, p3])
session_id = flow_test_lib.TestFlowHelper(
compatibility.GetName(flow_processes.ListProcesses),
client_mock,
client_id=client_id,
creator=self.test_username,
connection_states=["ESTABLISHED", "LISTEN"])
processes = flow_test_lib.GetFlowResults(client_id, session_id)
self.assertLen(processes, 2)
states = set()
for process in processes:
states.add(str(process.connections[0].state))
self.assertCountEqual(states, ["ESTABLISHED", "LISTEN"])
def ListNetworkConnections(self, _):
"""Returns fake connections."""
conn1 = rdf_client_network.NetworkConnection(
state=rdf_client_network.NetworkConnection.State.CLOSED,
type=rdf_client_network.NetworkConnection.Type.SOCK_STREAM,
local_address=rdf_client_network.NetworkEndpoint(ip="0.0.0.0", port=22),
remote_address=rdf_client_network.NetworkEndpoint(ip="0.0.0.0", port=0),
pid=2136,
ctime=0)
conn2 = rdf_client_network.NetworkConnection(
state=rdf_client_network.NetworkConnection.State.LISTEN,
type=rdf_client_network.NetworkConnection.Type.SOCK_STREAM,
local_address=rdf_client_network.NetworkEndpoint(
ip="192.168.1.1", port=31337),
remote_address=rdf_client_network.NetworkEndpoint(
ip="1.2.3.4", port=6667),
pid=1,
ctime=0)
return [conn1, conn2]
def testFiltering(self):
flow_id = flow_test_lib.StartFlow(
network.Netstat, creator=self.test_username, client_id=self.client_id)
self.Open(f"/v2/clients/{self.client_id}")
self.WaitUntil(self.IsElementPresent,
"css=result-accordion .title:contains('All connections')")
flow_test_lib.AddResultsToFlow(self.client_id, flow_id, [
rdf_client_network.NetworkConnection(process_name=f"process{i}")
for i in range(10)
])
self.Click("css=result-accordion .title:contains('All connections')")
for i in range(10):
self.WaitUntil(self.IsElementPresent, f"css=td:contains('process{i}')")
self.Type("css=.filter-input input", "process0")
self.WaitUntil(self.IsElementPresent, "css=td:contains('process0')")
self.assertEqual(self.GetCssCount("css=td:contains('process')"), 1)
def testPaginationSize(self):
flow_args = network.NetstatArgs(listening_only=False)
flow_id = flow_test_lib.StartFlow(
network.Netstat,
creator=self.test_username,
client_id=self.client_id,
flow_args=flow_args)
self.Open(f"/v2/clients/{self.client_id}")
self.WaitUntil(self.IsElementPresent,
"css=result-accordion .title:contains('All connections')")
flow_test_lib.AddResultsToFlow(self.client_id, flow_id, [
rdf_client_network.NetworkConnection(process_name=f"process{i}")
for i in range(15)
])
self.Click("css=result-accordion .title:contains('All connections')")
for i in range(10):
self.WaitUntil(self.IsElementPresent, f"css=td:contains('process{i}')")
self.assertEqual(self.GetCssCount("css=td:contains('process')"), 10)
# Select one paginator updates the other paginator as well as the displayed
# rows.
self.MatSelect("css=.bottom-paginator mat-select", "50")
self.WaitUntilContains("50", self.GetText, "css=.top-paginator mat-select")
self.WaitUntilContains("50", self.GetText,
"css=.bottom-paginator mat-select")
for i in range(15):
self.WaitUntil(self.IsElementPresent, f"css=td:contains('process{i}')")
self.assertEqual(self.GetCssCount("css=td:contains('process')"), 15)
self.MatSelect("css=.top-paginator mat-select", "10")
self.WaitUntilContains("10", self.GetText, "css=.top-paginator mat-select")
self.WaitUntilContains("10", self.GetText,
"css=.bottom-paginator mat-select")
for i in range(10):
self.WaitUntil(self.IsElementPresent, f"css=td:contains('process{i}')")
self.assertEqual(self.GetCssCount("css=td:contains('process')"), 10)
