def testValidIPv6(self):
"""Test valid IPv6 addresses result in new attributes"""
analyzer = MaxMindDbGeoIPAnalyzer('test', 1)
analyzer.GEOIP_CLIENT = MockReader
analyzer.datastore.client = mock.Mock()
IP_FIELDS = [
'ip', 'host_ip', 'src_ip', 'dst_ip', 'source_ip', 'dest_ip',
'ip_address', 'client_ip', 'address', 'saddr', 'daddr',
'requestMetadata_callerIp', 'a_answer'
]
_create_mock_event(analyzer.datastore,
0,
1,
source_attrs={
ip_field: '2001:4860:4860::8888'
for ip_field in IP_FIELDS
})
message = analyzer.run()
event = analyzer.datastore.event_store['0']
for ip_field in IP_FIELDS:
self.assertTrue(
'{0}_latitude'.format(ip_field) in event['_source'])
self.assertTrue(
'{0}_longitude'.format(ip_field) in event['_source'])
self.assertTrue(
'{0}_iso_code'.format(ip_field) in event['_source'])
self.assertTrue('{0}_city'.format(ip_field) in event['_source'])
self.assertEqual(message, 'Found 1 IP address(es).')
def test_event_type(self):
"""Test the mocking of events returns an event stream that matches the
query for the analyzer."""
index = 'test_index'
sketch_id = 1
analyzer = WebActivitySessionizerSketchPlugin(index, sketch_id)
analyzer.datastore.client = mock.Mock()
datastore = analyzer.datastore
_create_mock_event(datastore,
0,
2,
source_attrs={'source_short': 'WEBHIST'})
message = analyzer.run()
self.assertEqual(
message, 'Sessionizing completed, number of session created: 1')
event1 = datastore.event_store['0']
self.assertEqual(event1['_source']['source_short'], 'WEBHIST')
self.assertEqual(event1['_source']['session_id'],
{analyzer.session_type: 1})
event2 = datastore.event_store['101']
self.assertEqual(event2['_source']['source_short'], 'WEBHIST')
self.assertEqual(event2['_source']['session_id'],
{analyzer.session_type: 1})
def test_event_type(self):
"""Test the mocking of events returns an event stream that matches the
query for the analyzer."""
index = 'test_index'
sketch_id = 1
analyzer = self.analyzer_class(index, sketch_id)
analyzer.datastore.client = mock.Mock()
datastore = analyzer.datastore
_create_mock_event(datastore,
0,
2,
source_attrs={'source_short': 'WEBHIST'})
message = analyzer.run()
self.assertEqual(
message, 'Sessionizing completed, number of session created: 1')
# pylint: disable=unexpected-keyword-arg
event1 = datastore.get_event('test_index', '0', stored_events=True)
self.assertEqual(event1['_source']['source_short'], 'WEBHIST')
self.assertEqual(event1['_source']['session_id'],
{analyzer.session_type: 1})
event2 = datastore.get_event('test_index', '101', stored_events=True)
self.assertEqual(event2['_source']['source_short'], 'WEBHIST')
self.assertEqual(event2['_source']['session_id'],
{analyzer.session_type: 1})
def test_event_type(self):
"""Test the mocking of events returns an event stream that matches the
query for the analyzer."""
index = 'test_index'
sketch_id = 1
analyzer = SSHBruteforceSessionizerSketchPlugin(index, sketch_id)
analyzer.datastore.client = mock.Mock()
datastore = analyzer.datastore
_create_mock_event(
datastore,
0,
2,
source_attrs={'reporter': 'sshd',
'message': '[sshd] [0]: Invalid user ' \
'NoSuchUser from 0.0.0.0 port 0'})
message = analyzer.run()
self.assertEqual(
message, 'Sessionizing completed, number of session created: 1')
test_message = '[sshd] [0]: Invalid user NoSuchUser from 0.0.0.0 ' \
'port 0'
# pylint: disable=unexpected-keyword-arg
event1 = datastore.event_store['0']
self.assertEqual(event1['_source']['reporter'], 'sshd')
self.assertEqual(event1['_source']['message'], test_message)
self.assertEqual(event1['_source']['session_id'],
{analyzer.session_type: 1})
event2 = datastore.event_store['1']
self.assertEqual(event2['_source']['reporter'], 'sshd')
self.assertEqual(event2['_source']['message'], test_message)
self.assertEqual(event2['_source']['session_id'],
{analyzer.session_type: 1})
def test_zero_events(self):
"""Test the behaviour of the sessionizer when given zero events."""
index = "test_index"
sketch_id = 1
analyzer = SessionizerSketchPlugin(index, sketch_id)
analyzer.datastore.client = mock.Mock()
datastore = analyzer.datastore
_create_mock_event(datastore, 0, 0)
message = analyzer.run()
self.assertEqual(
message, "Sessionizing completed, number of session created: 0")
def test_one_event(self):
"""Test the behaviour of the sessionizer when given one event."""
index = 'test_index'
sketch_id = 1
analyzer = SessionizerSketchPlugin(index, sketch_id)
analyzer.datastore.client = mock.Mock()
datastore = analyzer.datastore
_create_mock_event(datastore, 0, 1)
message = analyzer.run()
self.assertEqual(
message, 'Sessionizing completed, number of session created: 1')
event1 = datastore.event_store['0']
self.assertEqual(event1['_source']['session_id'], {'all_events': 1})
def test_zero_time_diff(self):
"""Test events with no time difference between them are allocated
correctly."""
with mock.patch.object(SessionizerSketchPlugin,
'event_stream',
return_value=_create_mock_event(0,
2,
time_diffs=[0
])):
index = 'test_index'
sketch_id = 1
analyser = SessionizerSketchPlugin(index, sketch_id)
message = analyser.run()
self.assertEqual(
message,
'Sessionizing completed, number of session created: 1')
ds = MockDataStore('test', 0)
event1 = (ds.get_event('test_index', '0', stored_events=True))
self.assertEqual(event1['_source']['session_id'],
{'all_events': 1})
event1 = (ds.get_event('test_index', '100', stored_events=True))
self.assertEqual(event1['_source']['session_id'],
{'all_events': 1})
event2 = (ds.get_event('test_index', '101', stored_events=True))
self.assertEqual(event2['_source']['session_id'],
{'all_events': 1})
def test_multiple_sessions(self):
"""Test multiple events, two of which are in the same session and
one in a different session."""
with mock.patch.object(SessionizerSketchPlugin,
'event_stream',
return_value=_create_mock_event(
0, 3, time_diffs=[3000, 400000000])):
index = 'test_index'
sketch_id = 1
analyser = SessionizerSketchPlugin(index, sketch_id)
message = analyser.run()
self.assertEqual(
message,
'Sessionizing completed, number of session created: 2')
ds = MockDataStore('test', 0)
event1 = (ds.get_event('test_index', '0', stored_events=True))
self.assertEqual(event1['_source']['session_id'],
{'all_events': 1})
event2 = (ds.get_event('test_index', '101', stored_events=True))
self.assertEqual(event2['_source']['session_id'],
{'all_events': 1})
event3 = (ds.get_event('test_index', '202', stored_events=True))
self.assertEqual(event3['_source']['session_id'],
{'all_events': 2})
self._check_surrounding_events([202], 'all_events')
def test_one_event(self):
"""Test the behaviour of the sessionizer when given one event."""
index = "test_index"
sketch_id = 1
analyzer = SessionizerSketchPlugin(index, sketch_id)
analyzer.datastore.client = mock.Mock()
datastore = analyzer.datastore
_create_mock_event(datastore, 0, 1)
message = analyzer.run()
self.assertEqual(
message, "Sessionizing completed, number of session created: 1")
event1 = datastore.event_store["0"]
self.assertEqual(event1["_source"]["session_id"], {"all_events": 1})
def test_one_event(self):
"""Test the behaviour of the sessionizer when given one event."""
index = 'test_index'
sketch_id = 1
analyzer = SessionizerSketchPlugin(index, sketch_id)
analyzer.datastore.client = mock.Mock()
datastore = analyzer.datastore
_create_mock_event(datastore, 0, 1)
message = analyzer.run()
self.assertEqual(
message, 'Sessionizing completed, number of session created: 1')
# pylint: disable=unexpected-keyword-arg
event1 = datastore.get_event('test_index', '0', stored_events=True)
self.assertEqual(event1['_source']['session_id'], {'all_events': 1})
def testValidIPv6(self):
"""Test valid IPv6 addresses result in new attributes"""
analyzer = MaxMindDbWebIPAnalyzer("test", 1)
analyzer.GEOIP_CLIENT = MockReader
analyzer.datastore.client = mock.Mock()
IP_FIELDS = [
"ip",
"host_ip",
"src_ip",
"dst_ip",
"source_ip",
"dest_ip",
"ip_address",
"client_ip",
"address",
"saddr",
"daddr",
"requestMetadata_callerIp",
"a_answer",
]
_create_mock_event(
analyzer.datastore,
0,
1,
source_attrs={
ip_field: "2001:4860:4860::8888"
for ip_field in IP_FIELDS
},
)
message = analyzer.run()
event = analyzer.datastore.event_store["0"]
for ip_field in IP_FIELDS:
self.assertTrue(
"{0}_latitude".format(ip_field) in event["_source"])
self.assertTrue(
"{0}_longitude".format(ip_field) in event["_source"])
self.assertTrue(
"{0}_iso_code".format(ip_field) in event["_source"])
self.assertTrue("{0}_city".format(ip_field) in event["_source"])
self.assertEqual(message, "Found 1 IP address(es).")
def testInvalidIPv4(self):
"""Test invalid IP address"""
analyzer = MaxMindDbWebIPAnalyzer('test', 1)
analyzer.GEOIP_CLIENT = MockReader
analyzer.datastore.client = mock.Mock()
_create_mock_event(analyzer.datastore,
0,
1,
source_attrs={'ip_address': None})
message = analyzer.run()
event = analyzer.datastore.event_store['0']
self.assertTrue('ip_address_latitude' not in event['_source'])
self.assertTrue('ip_address_longitude' not in event['_source'])
self.assertTrue('ip_address_iso_code' not in event['_source'])
self.assertTrue('ip_address_city' not in event['_source'])
self.assertEqual(message, 'Found 0 IP address(es).')
def testPrivateIPv4(self):
"""Test private IPv4 address does not result in new attributes"""
analyzer = MaxMindDbGeoIPAnalyzer('test', 1)
analyzer.GEOIP_CLIENT = MockReader
analyzer.datastore.client = mock.Mock()
_create_mock_event(analyzer.datastore,
0,
1,
source_attrs={'ip_address': '127.0.0.1'})
message = analyzer.run()
event = analyzer.datastore.event_store['0']
self.assertTrue('ip_address_latitude' not in event['_source'])
self.assertTrue('ip_address_longitude' not in event['_source'])
self.assertTrue('ip_address_iso_code' not in event['_source'])
self.assertTrue('ip_address_city' not in event['_source'])
self.assertEqual(message, 'Found 0 IP address(es).')
def testInvalidIPv4(self):
"""Test invalid IP address"""
analyzer = MaxMindDbWebIPAnalyzer("test", 1)
analyzer.GEOIP_CLIENT = MockReader
analyzer.datastore.client = mock.Mock()
_create_mock_event(analyzer.datastore,
0,
1,
source_attrs={"ip_address": None})
message = analyzer.run()
event = analyzer.datastore.event_store["0"]
self.assertTrue("ip_address_latitude" not in event["_source"])
self.assertTrue("ip_address_longitude" not in event["_source"])
self.assertTrue("ip_address_iso_code" not in event["_source"])
self.assertTrue("ip_address_city" not in event["_source"])
self.assertEqual(message, "Found 0 IP address(es).")
def testPrivateIPv4(self):
"""Test private IPv4 address does not result in new attributes"""
analyzer = MaxMindDbGeoIPAnalyzer("test", 1)
analyzer.GEOIP_CLIENT = MockReader
analyzer.datastore.client = mock.Mock()
_create_mock_event(analyzer.datastore,
0,
1,
source_attrs={"ip_address": "127.0.0.1"})
message = analyzer.run()
event = analyzer.datastore.event_store["0"]
self.assertTrue("ip_address_latitude" not in event["_source"])
self.assertTrue("ip_address_longitude" not in event["_source"])
self.assertTrue("ip_address_iso_code" not in event["_source"])
self.assertTrue("ip_address_city" not in event["_source"])
self.assertEqual(message, "Found 0 IP address(es).")
def testMultipleValidIPv4(self):
"""Test valid IPv4 addresses result in new attributes"""
analyzer = MaxMindDbWebIPAnalyzer('test', 1)
analyzer.GEOIP_CLIENT = MockReader
analyzer.datastore.client = mock.Mock()
_create_mock_event(analyzer.datastore,
0,
1,
source_attrs={'ip_address': ['8.8.8.8', '8.8.4.4']})
message = analyzer.run()
event = analyzer.datastore.event_store['0']
self.assertTrue('ip_address_latitude' in event['_source'])
self.assertTrue('ip_address_longitude' in event['_source'])
self.assertTrue('ip_address_iso_code' in event['_source'])
self.assertTrue('ip_address_city' in event['_source'])
self.assertEqual(message, 'Found 2 IP address(es).')
def test_zero_time_diff(self):
"""Test events with no time difference between them are allocated
correctly."""
index = 'test_index'
sketch_id = 1
analyzer = SessionizerSketchPlugin(index, sketch_id)
analyzer.datastore.client = mock.Mock()
datastore = analyzer.datastore
_create_mock_event(datastore, 0, 2, time_diffs=[0])
message = analyzer.run()
self.assertEqual(
message, 'Sessionizing completed, number of session created: 1')
event1 = datastore.event_store['0']
self.assertEqual(event1['_source']['session_id'], {'all_events': 1})
event2 = datastore.event_store['100']
self.assertEqual(event2['_source']['session_id'], {'all_events': 1})
event3 = datastore.event_store['101']
self.assertEqual(event3['_source']['session_id'], {'all_events': 1})
def test_zero_events(self):
"""Test the behaviour of the sessionizer when given zero events."""
with mock.patch.object(SessionizerSketchPlugin,
'event_stream',
return_value=_create_mock_event(0, 0)):
index = 'test_index'
sketch_id = 1
analyser = SessionizerSketchPlugin(index, sketch_id)
message = analyser.run()
self.assertEqual(
message,
'Sessionizing completed, number of session created: 0')
def test_zero_time_diff(self):
"""Test events with no time difference between them are allocated
correctly."""
index = "test_index"
sketch_id = 1
analyzer = SessionizerSketchPlugin(index, sketch_id)
analyzer.datastore.client = mock.Mock()
datastore = analyzer.datastore
_create_mock_event(datastore, 0, 2, time_diffs=[0])
message = analyzer.run()
self.assertEqual(
message, "Sessionizing completed, number of session created: 1")
event1 = datastore.event_store["0"]
self.assertEqual(event1["_source"]["session_id"], {"all_events": 1})
event2 = datastore.event_store["100"]
self.assertEqual(event2["_source"]["session_id"], {"all_events": 1})
event3 = datastore.event_store["101"]
self.assertEqual(event3["_source"]["session_id"], {"all_events": 1})
def testMixedValidIP(self):
"""Test valid IPv4 addresses result in new attributes"""
analyzer = MaxMindDbWebIPAnalyzer("test", 1)
analyzer.GEOIP_CLIENT = MockReader
analyzer.datastore.client = mock.Mock()
_create_mock_event(
analyzer.datastore,
0,
1,
source_attrs={"ip_address": ["8.8.8.8", "2001:4860:4860::8844"]},
)
message = analyzer.run()
event = analyzer.datastore.event_store["0"]
self.assertTrue("ip_address_latitude" in event["_source"])
self.assertTrue("ip_address_longitude" in event["_source"])
self.assertTrue("ip_address_iso_code" in event["_source"])
self.assertTrue("ip_address_city" in event["_source"])
self.assertEqual(message, "Found 2 IP address(es).")
def test_zero_time_diff(self):
"""Test events with no time difference between them are allocated
correctly."""
index = 'test_index'
sketch_id = 1
analyzer = SessionizerSketchPlugin(index, sketch_id)
analyzer.datastore.client = mock.Mock()
datastore = analyzer.datastore
_create_mock_event(datastore, 0, 2, time_diffs=[0])
message = analyzer.run()
self.assertEqual(
message, 'Sessionizing completed, number of session created: 1')
# pylint: disable=unexpected-keyword-arg
event1 = datastore.get_event('test_index', '0', stored_events=True)
self.assertEqual(event1['_source']['session_id'], {'all_events': 1})
event1 = datastore.get_event('test_index', '100', stored_events=True)
self.assertEqual(event1['_source']['session_id'], {'all_events': 1})
event2 = datastore.get_event('test_index', '101', stored_events=True)
self.assertEqual(event2['_source']['session_id'], {'all_events': 1})
def test_multiple_sessions(self):
"""Test multiple events, two of which are in the same session and
one in a different session."""
index = 'test_index'
sketch_id = 1
analyzer = SessionizerSketchPlugin(index, sketch_id)
analyzer.datastore.client = mock.Mock()
datastore = analyzer.datastore
_create_mock_event(datastore, 0, 3, time_diffs=[3000, 400000000])
message = analyzer.run()
self.assertEqual(
message, 'Sessionizing completed, number of session created: 2')
event1 = datastore.event_store['0']
self.assertEqual(event1['_source']['session_id'], {'all_events': 1})
event2 = datastore.event_store['101']
self.assertEqual(event2['_source']['session_id'], {'all_events': 1})
event3 = datastore.event_store['202']
self.assertEqual(event3['_source']['session_id'], {'all_events': 2})
check_surrounding_events(self, datastore, [202], 'all_events')
def test_multiple_sessions(self):
"""Test multiple events, two of which are in the same session and
one in a different session."""
index = "test_index"
sketch_id = 1
analyzer = SessionizerSketchPlugin(index, sketch_id)
analyzer.datastore.client = mock.Mock()
datastore = analyzer.datastore
_create_mock_event(datastore, 0, 3, time_diffs=[3000, 400000000])
message = analyzer.run()
self.assertEqual(
message, "Sessionizing completed, number of session created: 2")
event1 = datastore.event_store["0"]
self.assertEqual(event1["_source"]["session_id"], {"all_events": 1})
event2 = datastore.event_store["101"]
self.assertEqual(event2["_source"]["session_id"], {"all_events": 1})
event3 = datastore.event_store["202"]
self.assertEqual(event3["_source"]["session_id"], {"all_events": 2})
check_surrounding_events(self, datastore, [202], "all_events")
def test_multiple_sessions(self):
"""Test multiple events, two of which are in the same session and
one in a different session."""
index = 'test_index'
sketch_id = 1
analyzer = SessionizerSketchPlugin(index, sketch_id)
analyzer.datastore.client = mock.Mock()
datastore = analyzer.datastore
_create_mock_event(datastore, 0, 3, time_diffs=[3000, 400000000])
message = analyzer.run()
self.assertEqual(
message, 'Sessionizing completed, number of session created: 2')
# pylint: disable=unexpected-keyword-arg
event1 = datastore.get_event('test_index', '0', stored_events=True)
self.assertEqual(event1['_source']['session_id'], {'all_events': 1})
event2 = datastore.get_event('test_index', '101', stored_events=True)
self.assertEqual(event2['_source']['session_id'], {'all_events': 1})
event3 = datastore.get_event('test_index', '202', stored_events=True)
self.assertEqual(event3['_source']['session_id'], {'all_events': 2})
self._check_surrounding_events(datastore, [202], 'all_events')
def test_one_event(self):
"""Test the behaviour of the sessionizer when given one event."""
with mock.patch.object(SessionizerSketchPlugin,
'event_stream',
return_value=_create_mock_event(0, 1)):
index = 'test_index'
sketch_id = 1
analyser = SessionizerSketchPlugin(index, sketch_id)
message = analyser.run()
self.assertEqual(
message,
'Sessionizing completed, number of session created: 1')
ds = MockDataStore('test', 0)
event1 = (ds.get_event('test_index', '0', stored_events=True))
self.assertEqual(event1['_source']['session_id'],
{'all_events': 1})
