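def test_start_stop(self):
    """Start the hunter service, let the query hunt run once, then stop it.

    Checks that exactly one rule is loaded from the test query rule
    directory, that the hunt actually executes, and that the execution
    stamps both ``last_executed_time`` and ``last_end_time`` in the hunt's
    sqlite persistence database.
    """
    collector = HunterCollector()
    collector.start_service(threaded=True)
    try:
        wait_for_log_count('started Hunt Manager(test_query)', 1)

        # exactly one rule file is expected under the test query rule dir
        self.assertEqual(log_count('loading hunt from'), 1)
        self.assertEqual(log_count('loaded Hunt(query_test_1[test_query])'), 1)

        # block until the hunt has executed at least once
        wait_for_log_count('executing query', 1)

        # a completed execution must have recorded both timestamps;
        # the lookup is parameterized, so hunt_name never reaches the SQL text
        with open_hunt_db('test_query') as db:
            cursor = db.cursor()
            cursor.execute(
                "SELECT last_executed_time, last_end_time FROM hunt WHERE hunt_name = ?",
                ('query_test_1', ))
            row = cursor.fetchone()
            self.assertIsNotNone(row)
            last_executed_time, last_end_time = row
            self.assertIsInstance(last_executed_time, datetime.datetime)
            self.assertIsInstance(last_end_time, datetime.datetime)
    finally:
        # always tear the threaded service down, even when a wait or assert
        # fails, so a lingering hunter thread cannot skew later log counts
        collector.stop_service()
        collector.wait_service()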
def manager_kwargs():
    """Keyword arguments for constructing the splunk HuntManager under test.

    NOTE(review): defined without ``self`` — presumably a ``@staticmethod``
    on the enclosing test class; confirm the decorator is present.
    """
    persistence_dir = os.path.join(
        saq.DATA_DIR, saq.CONFIG['collection']['persistence_dir'])
    kwargs = dict(
        collector=HunterCollector(),
        hunt_type='splunk',
        rule_dirs=['hunts/test/splunk'],
        hunt_cls=SplunkHunt,
        concurrency_limit=1,
        persistence_dir=persistence_dir,
    )
    return kwargs
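def test_reload_hunts_on_sighup(self):
    """A SIGHUP delivered to this process makes the hunter reload every hunt.

    Each hunt must be logged as loaded twice: once at startup and once
    after the signal is handled.
    """
    collector = HunterCollector()
    collector.start_service(threaded=True)
    try:
        # both rules from the temp rule dir must be loaded before signalling
        wait_for_log_count('loaded Hunt(unit_test_1[test]) from', 1)
        wait_for_log_count('loaded Hunt(unit_test_2[test]) from', 1)

        # NOTE(review): this assumes the service has installed its SIGHUP
        # handler by the time the hunts are logged as loaded; if it has not,
        # the default disposition of SIGHUP terminates the test process.
        os.kill(os.getpid(), signal.SIGHUP)

        wait_for_log_count('received signal to reload hunts', 1)
        # a second "loaded" line per hunt proves a full reload, not a partial one
        wait_for_log_count('loaded Hunt(unit_test_1[test]) from', 2)
        wait_for_log_count('loaded Hunt(unit_test_2[test]) from', 2)
    finally:
        # stop the threaded service even if a wait fails, so it cannot leak
        # into subsequent tests
        collector.stop_service()
        collector.wait_service()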
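def test_hunt_execution(self):
    """Verify hunt scheduling order: unit_test_2 runs repeatedly, unit_test_1 once.

    Waits until unit_test_2 has fired four times and then checks that
    unit_test_1 fired exactly once in that window and that the scheduler
    reported unit_test_2 as the next hunt at least once.
    """
    collector = HunterCollector()
    collector.start_service(threaded=True)
    try:
        # testing that the execution order works
        wait_for_log_count('unit test execute marker: Hunt(unit_test_2[test])', 4)
        self.assertEqual(
            log_count('unit test execute marker: Hunt(unit_test_1[test])'), 1)
        self.assertGreater(log_count('next hunt is Hunt(unit_test_2[test])'), 0)
    finally:
        # tear down even on failure so the hunter thread does not keep
        # emitting execute markers into later tests' logs
        collector.stop_service()
        collector.wait_service()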
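def test_reload_hunts_on_deleted(self):
    """Deleting a rule file triggers a reload that drops only that hunt.

    After test_1.ini is removed, unit_test_2 must be loaded a second time
    while unit_test_1's load count stays at one.
    """
    # poll the rule dir every second so the deletion is noticed quickly
    # NOTE(review): this mutates global config and is not restored here;
    # presumably setUp/tearDown resets it — confirm.
    saq.CONFIG['service_hunter']['update_frequency'] = '1'

    collector = HunterCollector()
    collector.start_service(threaded=True)
    try:
        wait_for_log_count('loaded Hunt(unit_test_1[test]) from', 1)
        wait_for_log_count('loaded Hunt(unit_test_2[test]) from', 1)

        os.remove(os.path.join(self.temp_rules_dir, 'test_1.ini'))

        # third argument is the wait timeout (seconds); the 1s update
        # frequency set above must fit well inside it
        wait_for_log_count('detected modification to', 1, 5)
        wait_for_log_count('loaded Hunt(unit_test_2[test]) from', 2)
        # the deleted hunt must not have been reloaded
        self.assertEqual(log_count('loaded Hunt(unit_test_1[test]) from'), 1)
    finally:
        collector.stop_service()
        collector.wait_service()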
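def test_reload_hunts_on_modified(self):
    """Appending to a rule file triggers a reload of every hunt.

    Both hunts must be logged as loaded a second time after test_1.ini
    is modified.
    """
    # poll the rule dir every second so the change is noticed quickly
    # NOTE(review): global config is mutated and not restored here;
    # presumably setUp/tearDown resets it — confirm.
    saq.CONFIG['service_hunter']['update_frequency'] = '1'

    collector = HunterCollector()
    collector.start_service(threaded=True)
    try:
        wait_for_log_count('loaded Hunt(unit_test_1[test]) from', 1)
        wait_for_log_count('loaded Hunt(unit_test_2[test]) from', 1)

        # an ini comment is enough to change mtime/content without altering the rule
        rule_path = os.path.join(self.temp_rules_dir, 'test_1.ini')
        with open(rule_path, 'a') as fp:
            fp.write('\n\n; modified')

        # third argument is the wait timeout in seconds
        wait_for_log_count('detected modification to', 1, 5)
        wait_for_log_count('loaded Hunt(unit_test_1[test]) from', 2)
        wait_for_log_count('loaded Hunt(unit_test_2[test]) from', 2)
    finally:
        # stop the threaded service even when a wait fails
        collector.stop_service()
        collector.wait_service()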
def manager_kwargs():
    """Keyword arguments for constructing the test_query HuntManager.

    NOTE(review): defined without ``self`` — presumably a ``@staticmethod``
    on the enclosing test class; confirm the decorator is present.
    """
    persistence_dir = os.path.join(
        saq.DATA_DIR, saq.CONFIG['collection']['persistence_dir'])
    kwargs = dict(
        collector=HunterCollector(),
        hunt_type='test_query',
        rule_dirs=['hunts/test/query'],
        hunt_cls=TestQueryHunt,
        concurrency_limit=1,
        persistence_dir=persistence_dir,
        update_frequency=60,
    )
    return kwargs
def manager_kwargs(self):
    """Keyword arguments for constructing the HuntManager over the temp rule dir.

    The rule directory is ``self.temp_rules_dir`` so tests can create,
    modify and delete ini files without touching checked-in rules.
    """
    persistence_dir = os.path.join(
        saq.DATA_DIR, saq.CONFIG['collection']['persistence_dir'])
    kwargs = dict(
        collector=HunterCollector(),
        hunt_type='test',
        rule_dirs=[self.temp_rules_dir],
        hunt_cls=TestHunt,
        concurrency_limit=1,
        persistence_dir=persistence_dir,
        update_frequency=60,
    )
    return kwargs
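def test_reload_hunts_on_new(self):
    """Dropping a new ini into the rule dir loads it and reloads the rest.

    After test_3.ini appears, unit_test_1 and unit_test_2 must each be
    loaded a second time and unit_test_3 once.
    """
    # poll the rule dir every second so the new file is noticed quickly
    # NOTE(review): global config is mutated and not restored here;
    # presumably setUp/tearDown resets it — confirm.
    saq.CONFIG['service_hunter']['update_frequency'] = '1'

    collector = HunterCollector()
    collector.start_service(threaded=True)
    try:
        wait_for_log_count('loaded Hunt(unit_test_1[test]) from', 1)
        wait_for_log_count('loaded Hunt(unit_test_2[test]) from', 1)

        new_rule_path = os.path.join(self.temp_rules_dir, 'test_3.ini')
        with open(new_rule_path, 'a') as fp:
            fp.write("""
[rule]
enabled = yes
name = unit_test_3
description = Unit Test Description 3
type = test
frequency = 00:00:10
tags = tag1, tag2""")

        # third argument is the wait timeout in seconds
        wait_for_log_count('detected new hunt ini', 1, 5)
        wait_for_log_count('loaded Hunt(unit_test_1[test]) from', 2)
        wait_for_log_count('loaded Hunt(unit_test_2[test]) from', 2)
        wait_for_log_count('loaded Hunt(unit_test_3[test]) from', 1)
    finally:
        # stop the threaded service even when a wait fails
        collector.stop_service()
        collector.wait_service()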
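def test_start_stop(self):
    """The hunter service starts its Hunt Manager and shuts down cleanly."""
    collector = HunterCollector()
    collector.start_service(threaded=True)
    try:
        wait_for_log_count('started Hunt Manager(test)', 1)
    finally:
        # stop the threaded service even if the wait fails, so it cannot
        # keep running into the next test
        collector.stop_service()
        collector.wait_service()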