def CreateTestEventObjects():
    """Builds a fixed set of synthetic event objects for tests.

    Three Windows Registry events and one text event are produced; every
    event is tagged with the placeholder parser name 'UNKNOWN'. The key
    paths and values are fixture strings only.

    Returns:
      A list of event objects (instances of EventObject).
    """
    filetime = dfwinreg_filetime.Filetime()

    def _tagged(event):
        # All fixture events carry the same placeholder parser name.
        event.parser = 'UNKNOWN'
        return event

    def _registry_event(time_string, key_path, value):
        # One Filetime is re-parsed for each event; only the value of its
        # `timestamp` attribute is handed to the event, not the object.
        filetime.CopyFromString(time_string)
        return _tagged(windows_events.WindowsRegistryEvent(
            filetime.timestamp, key_path, {u'Value': value}))

    event_objects = [
        _registry_event(
            u'2012-04-20 22:38:46.929596', u'MY AutoRun key',
            u'c:/Temp/evil.exe'),
        _registry_event(
            u'2012-05-02 13:43:26.929596',
            u'\\HKCU\\Secret\\EvilEmpire\\Malicious_key',
            u'send all the exes to the other world'),
        _registry_event(
            u'2012-04-20 16:44:46', u'\\HKCU\\Windows\\Normal',
            u'run all the benign stuff'),
    ]

    text_dict = {
        u'hostname': u'nomachine',
        u'text': (
            u'This is a line by someone not reading the log line properly. And '
            u'since this log line exceeds the accepted 80 chars it will be '
            u'shortened.'),
        u'username': u'johndoe',
    }
    timestamp = timelib.Timestamp.CopyFromString(u'2009-04-05 12:27:39')
    event_objects.append(
        _tagged(text_events.TextEvent(timestamp, 12, text_dict)))

    return event_objects
    def CreateEvent(self, timestamp, offset, attributes):
        """Builds the event object for one parsed text record.

        Text parsers that need a more specific event type override this
        method; the base implementation always produces a TextEvent.

        Args:
          timestamp: the timestamp time value. The timestamp contains the
                     number of microseconds since Jan 1, 1970 00:00:00 UTC.
          offset: the offset of the event.
          attributes: a dictionary that contains the event's attributes.

        Returns:
          An event object (instance of TextEvent).
        """
        event = text_events.TextEvent(timestamp, offset, attributes)
        return event
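def CreateTestEvents():
    """Creates events for testing.

    Builds eight synthetic events: a bare EventObject, three Windows
    Registry events, three TestEvent instances and one TextEvent. All but
    the first share one hostname; the file-based ones share one filename.
    Each Registry event receives its own Filetime instance rather than a
    shared, re-parsed one.

    Returns:
      list[EventObject]: events.
    """
    test_events = []
    hostname = u'MYHOSTNAME'
    data_type = u'test:event'

    event_object = events.EventObject()
    event_object.username = u'joesmith'
    event_object.filename = u'c:/Users/joesmith/NTUSER.DAT'
    event_object.hostname = hostname
    event_object.timestamp = 0
    event_object.data_type = data_type
    event_object.text = u''
    test_events.append(event_object)

    def _registry_event(time_string, key_path, values_dict):
        # A fresh Filetime per event: the object itself (not an extracted
        # timestamp) is passed to the constructor, so re-parsing a single
        # shared instance would alias every event to the last time string
        # if the event keeps a reference to it.
        filetime = dfdatetime_filetime.Filetime()
        filetime.CopyFromString(time_string)
        registry_event = windows_events.WindowsRegistryEvent(
            filetime, key_path, values_dict)
        registry_event.hostname = hostname
        return registry_event

    # TODO: move this to a WindowsRegistryEvent unit test.
    test_events.append(_registry_event(
        u'2012-04-20 22:38:46.929596', u'MY AutoRun key',
        {u'Run': u'c:/Temp/evil.exe'}))
    test_events.append(_registry_event(
        u'2012-04-20 23:56:46.929596',
        u'HKCU\\Secret\\EvilEmpire\\Malicious_key',
        {u'Value': u'send all the exes to the other world'}))
    test_events.append(_registry_event(
        u'2012-04-20 16:44:46.000000', u'HKCU\\Windows\\Normal',
        {u'Value': u'run all the benign stuff'}))

    filename = u'c:/Temp/evil.exe'

    def _test_event(time_string, text):
        # TestEvent is defined elsewhere in this module.
        timestamp = timelib.Timestamp.CopyFromString(time_string)
        test_event = TestEvent(timestamp, {u'text': text})
        test_event.filename = filename
        test_event.hostname = hostname
        return test_event

    test_events.append(_test_event(
        u'2012-04-30 10:29:47.929596', u'This log line reads ohh so much.'))
    test_events.append(_test_event(
        u'2012-04-30 10:29:47.929596', u'Nothing of interest here, move on.'))
    test_events.append(_test_event(
        u'2012-04-30 13:06:47.939596',
        u'Mr. Evil just logged into the machine and got root.'))

    text_dict = {
        u'body': (
            u'This is a line by someone not reading the log line properly. And '
            u'since this log line exceeds the accepted 80 chars it will be '
            u'shortened.'),
        u'hostname': u'nomachine',
        u'username': u'johndoe',
    }

    # TODO: move this to a TextEvent unit test.
    timestamp = timelib.Timestamp.CopyFromString(u'2012-06-05 22:14:19.000000')
    event_object = text_events.TextEvent(timestamp, 12, text_dict)
    # Mirror the body into `text`; `body` is presumably populated from
    # text_dict by TextEvent — verify against text_events.
    event_object.text = event_object.body
    event_object.hostname = hostname
    event_object.filename = filename
    test_events.append(event_object)

    return test_events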