    def test_convert_complex_matches(self):
        """Several matching rules, with string offsets and extra rule metadata.

        The fixture comes from the module-level ``_YEXTEND_MATCH`` list (defined
        outside this block); the converter is expected to yield one YaraMatch per
        matching rule, carrying the rule's metadata and the set of matched
        string identifiers.
        """
        yextend = _YEXTEND_MATCH[0]

        rule1_meta = {'scan_type': 'Scan1'}
        rule3_meta = {
            'author': 'Airbnb',
            'description': 'Hello, YARA world',
            'scan_type': 'Scan3',
        }
        expected = [
            yara_analyzer.YaraMatch('Rule1', 'yextend', rule1_meta,
                                    {'$a', '$b', '$c'}),
            yara_analyzer.YaraMatch('Rule3', 'yextend', rule3_meta,
                                    {'$longer_string_name'}),
        ]

        actual = yara_analyzer._convert_yextend_to_yara_match(yextend)
        self.assertEqual(expected, actual)
    def test_convert_one_match(self):
        """A single Yextend hit becomes one YaraMatch with no string identifiers.

        The scan result carries no "detected offsets" entry, so the matched
        string set of the converted YaraMatch is expected to be empty. File
        name fields (child/parent) are present in the input but do not appear
        in the expected rule metadata.
        """
        scan_result = {
            "child_file_name": "child/file/path.txt",
            "parent_file_name": "archive.tar.gz",
            "scan_type": "ScanType1",
            "yara_matches_found": True,
            "yara_rule_id": "Rule1",
        }
        yextend = {
            'scan_results': [scan_result],
            'yara_matches_found': True,
        }

        only_match = yara_analyzer.YaraMatch(
            'Rule1', 'yextend', {'scan_type': 'ScanType1'}, set())
        expected = [only_match]

        actual = yara_analyzer._convert_yextend_to_yara_match(yextend)
        self.assertEqual(expected, actual)
    def test_convert_complex_matches(self):
        """Several matching rules, with string offsets and extra rule metadata.

        Three scan results go in: two with hits (Rule1, Rule3) and one without
        ("Scan2", ``yara_matches_found`` False). Only the two hits are expected
        in the output; "detected offsets" entries of the form ``0x..:$name``
        are reduced to the set of ``$name`` identifiers, and the remaining
        result keys other than the rule id become the match metadata.
        """
        rule1_result = {
            "detected offsets": ["0x30:$a", "0x59:$a", "0x12b3:$b", "0x7078:$c"],
            "scan_type": "Scan1",
            "yara_matches_found": True,
            "yara_rule_id": "Rule1",
        }
        # No hit: should not produce a YaraMatch.
        no_hit_result = {
            "scan_type": "Scan2",
            "yara_matches_found": False,
        }
        rule3_result = {
            "author": "Airbnb",
            "detected offsets": ["0x0:$longer_string_name"],
            "description": "Hello, YARA world",
            "scan_type": "Scan3",
            "yara_matches_found": True,
            "yara_rule_id": "Rule3",
        }
        yextend = {
            'scan_results': [rule1_result, no_hit_result, rule3_result],
            'yara_matches_found': True,
        }

        rule3_meta = {
            'author': 'Airbnb',
            'description': 'Hello, YARA world',
            'scan_type': 'Scan3',
        }
        expected = [
            yara_analyzer.YaraMatch('Rule1', 'yextend', {'scan_type': 'Scan1'},
                                    {'$a', '$b', '$c'}),
            yara_analyzer.YaraMatch('Rule3', 'yextend', rule3_meta,
                                    {'$longer_string_name'}),
        ]

        actual = yara_analyzer._convert_yextend_to_yara_match(yextend)
        self.assertEqual(expected, actual)