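def CreateTestEventObjects():
    """Creates the event objects for testing.

    Builds three Windows Registry events and one text event, all with the
    parser attribute set to 'UNKNOWN'. The registry key paths and values are
    synthetic fixture data, not real indicators.

    Returns:
      A list of event objects (instances of EventObject).
    """
    event_objects = []

    # A single Filetime instance is reused for the three registry events:
    # CopyFromString() is called and filetime.timestamp read immediately
    # afterwards, before the next CopyFromString(), so no value is shared
    # between events (presumably CopyFromString overwrites the whole value —
    # confirm in dfwinreg).
    filetime = dfwinreg_filetime.Filetime()

    filetime.CopyFromString(u'2012-04-20 22:38:46.929596')
    values_dict = {u'Value': u'c:/Temp/evil.exe'}
    event_object = windows_events.WindowsRegistryEvent(
        filetime.timestamp, u'MY AutoRun key', values_dict)
    event_object.parser = 'UNKNOWN'
    event_objects.append(event_object)

    filetime.CopyFromString(u'2012-05-02 13:43:26.929596')
    values_dict = {u'Value': u'send all the exes to the other world'}
    event_object = windows_events.WindowsRegistryEvent(
        filetime.timestamp, u'\\HKCU\\Secret\\EvilEmpire\\Malicious_key',
        values_dict)
    event_object.parser = 'UNKNOWN'
    event_objects.append(event_object)

    # This time string deliberately carries no fractional seconds, unlike the
    # two above.
    filetime.CopyFromString(u'2012-04-20 16:44:46')
    values_dict = {u'Value': u'run all the benign stuff'}
    event_object = windows_events.WindowsRegistryEvent(
        filetime.timestamp, u'\\HKCU\\Windows\\Normal', values_dict)
    event_object.parser = 'UNKNOWN'
    event_objects.append(event_object)

    # The text event takes its timestamp from timelib rather than from the
    # Filetime value used by the registry events.
    timestamp = timelib.Timestamp.CopyFromString(u'2009-04-05 12:27:39')
    text_dict = {
        u'hostname':
        u'nomachine',
        u'text':
        (u'This is a line by someone not reading the log line properly. And '
         u'since this log line exceeds the accepted 80 chars it will be '
         u'shortened.'),
        u'username':
        u'johndoe'
    }
    event_object = text_events.TextEvent(timestamp, 12, text_dict)
    event_object.parser = 'UNKNOWN'
    event_objects.append(event_object)

    return event_objects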
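    def CreateEvent(self, timestamp, offset, attributes):
        """Creates an event.

        This function should be overridden by text parsers that need to
        generate a specific event object type; the default is TextEvent.
        The arguments are passed through unchanged.

        Args:
          timestamp: The timestamp time value. The timestamp contains the
                     number of microseconds since Jan 1, 1970 00:00:00 UTC.
          offset: The offset of the event.
          attributes: A dict that contains the events attributes.

        Returns:
          An event object (instance of TextEvent).
        """
        return text_events.TextEvent(timestamp, offset, attributes)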
    def setUp(self):
        """Sets up the needed objects used throughout the test.

        Populates self._event_objects with three Windows Registry events and
        one text event (all with parser 'UNKNOWN', in that order) and creates
        the formatter mediator. All key paths and values are synthetic
        fixture data.
        """
        registry_event_1 = windows_events.WindowsRegistryEvent(
            timelib.Timestamp.CopyFromString(u'2012-04-20 22:38:46.929596'),
            u'MY AutoRun key', {u'Value': u'c:/Temp/evil.exe'})

        registry_event_2 = windows_events.WindowsRegistryEvent(
            timelib.Timestamp.CopyFromString(u'2012-05-02 13:43:26.929596'),
            u'\\HKCU\\Secret\\EvilEmpire\\Malicious_key',
            {u'Value': u'send all the exes to the other world'})

        registry_event_3 = windows_events.WindowsRegistryEvent(
            timelib.Timestamp.CopyFromString(u'2012-04-20 16:44:46.000000'),
            u'\\HKCU\\Windows\\Normal',
            {u'Value': u'run all the benign stuff'})

        # Note the keys here are plain (non-u) string literals; the text
        # itself is long on purpose so that truncation can be exercised.
        text_dict = {
            'text':
            ('This is a line by someone not reading the log line properly. And '
             'since this log line exceeds the accepted 80 chars it will be '
             'shortened.'),
            'hostname':
            'nomachine',
            'username':
            '******'
        }
        log_event = text_events.TextEvent(
            timelib.Timestamp.CopyFromString(u'2009-04-05 12:27:39.000000'),
            12, text_dict)

        # Order matters: tests index into this list.
        fixture_events = [
            registry_event_1, registry_event_2, registry_event_3, log_event]
        for fixture_event in fixture_events:
            fixture_event.parser = 'UNKNOWN'
        self._event_objects = fixture_events

        self._formatter_mediator = formatters_mediator.FormatterMediator()
    def setUp(self):
        """Sets up the needed objects used throughout the test.

        Populates self._event_objects with three Windows Registry events and
        one text event (all with parser 'UNKNOWN', in that order), using
        literal timestamp values. All key paths and values are synthetic
        fixture data.
        """
        # TODO: replace hardcoded timestamps by timelib_test.CopyStringToTimestamp.
        # The unit of these integer timestamps is not stated here — check the
        # timelib convention before editing them.
        registry_event_1 = windows_events.WindowsRegistryEvent(
            13349615269295969, u'MY AutoRun key',
            {u'Value': u'c:/Temp/evil.exe'})

        registry_event_2 = windows_events.WindowsRegistryEvent(
            13359662069295961, u'\\HKCU\\Secret\\EvilEmpire\\Malicious_key',
            {u'Value': u'send all the exes to the other world'})

        registry_event_3 = windows_events.WindowsRegistryEvent(
            13349402860000000, u'\\HKCU\\Windows\\Normal',
            {u'Value': u'run all the benign stuff'})

        # Note the keys here are plain (non-u) string literals; the text
        # itself is long on purpose so that truncation can be exercised.
        text_dict = {
            'text':
            ('This is a line by someone not reading the log line properly. And '
             'since this log line exceeds the accepted 80 chars it will be '
             'shortened.'),
            'hostname':
            'nomachine',
            'username':
            '******'
        }
        log_event = text_events.TextEvent(12389344590000000, 12, text_dict)

        # Order matters: tests index into this list.
        fixture_events = [
            registry_event_1, registry_event_2, registry_event_3, log_event]
        for fixture_event in fixture_events:
            fixture_event.parser = 'UNKNOWN'
        self._event_objects = fixture_events
def GetEventObjects():
    """Returns a list of test event objects.

    The list holds, in order: three Windows Registry events, one plain
    EventObject with timestamp 0, three TestEvent instances (two of which
    share the same timestamp) and one TextEvent. It is therefore not in
    chronological order. All hostnames, paths, key names and messages are
    synthetic fixture data.
    """
    hostname = u'MYHOSTNAME'
    data_type = 'test:event'
    filename = u'c:/Temp/evil.exe'

    def _registry_event(time_string, key_path, values):
        """Builds a WindowsRegistryEvent at time_string with the fixture hostname."""
        registry_event = windows_events.WindowsRegistryEvent(
            timelib.Timestamp.CopyFromString(time_string), key_path, values)
        registry_event.hostname = hostname
        return registry_event

    def _log_event(time_string, text):
        """Builds a TestEvent at time_string with the fixture filename and hostname."""
        log_event = TestEvent(
            timelib.Timestamp.CopyFromString(time_string), {u'text': text})
        log_event.filename = filename
        log_event.hostname = hostname
        return log_event

    plain_event = event.EventObject()
    plain_event.username = u'joesmith'
    plain_event.filename = u'c:/Users/joesmith/NTUSER.DAT'
    plain_event.hostname = hostname
    plain_event.timestamp = 0
    plain_event.data_type = data_type
    plain_event.text = u''

    # TODO: move this to a WindowsRegistryEvent unit test.
    # The first registry event uses the key u'Run' where the others use
    # u'Value'; keep that difference when editing.
    event_objects = [
        _registry_event(u'2012-04-20 22:38:46.929596', u'MY AutoRun key',
                        {u'Run': u'c:/Temp/evil.exe'}),
        _registry_event(u'2012-04-20 23:56:46.929596',
                        u'//HKCU/Secret/EvilEmpire/Malicious_key',
                        {u'Value': u'send all the exes to the other world'}),
        _registry_event(u'2012-04-20 16:44:46.000000',
                        u'//HKCU/Windows/Normal',
                        {u'Value': u'run all the benign stuff'}),
        plain_event,
        _log_event(u'2012-04-30 10:29:47.929596',
                   u'This log line reads ohh so much.'),
        # Same timestamp as the previous entry on purpose.
        _log_event(u'2012-04-30 10:29:47.929596',
                   u'Nothing of interest here, move on.'),
        _log_event(u'2012-04-30 13:06:47.939596',
                   u'Mr. Evil just logged into the machine and got root.'),
    ]

    text_dict = {
        u'body':
        (u'This is a line by someone not reading the log line properly. And '
         u'since this log line exceeds the accepted 80 chars it will be '
         u'shortened.'),
        u'hostname':
        u'nomachine',
        u'username':
        u'johndoe'
    }

    # TODO: move this to a TextEvent unit test.
    text_event = text_events.TextEvent(
        timelib.Timestamp.CopyFromString(u'2012-06-05 22:14:19.000000'),
        12, text_dict)
    # TextEvent evidently exposes the dict entries as attributes (body is read
    # right after construction); text is mirrored from it here — confirm
    # against text_events if that changes.
    text_event.text = text_event.body
    text_event.hostname = hostname
    text_event.filename = filename
    event_objects.append(text_event)

    return event_objects