def testTwoRegexMatchConditionsWithDifferentActions2(self):
expected_files = ["auth.log"]
non_expected_files = ["dpkg.log", "dpkg_false.log"]
regex_condition1 = rdfvalue.FileFinderCondition(
condition_type=rdfvalue.FileFinderCondition.Type.CONTENTS_REGEX_MATCH,
contents_regex_match=rdfvalue.FileFinderContentsRegexMatchCondition(
mode=rdfvalue.FileFinderContentsRegexMatchCondition.Mode.ALL_HITS,
regex="session opened for user .*?john"))
regex_condition2 = rdfvalue.FileFinderCondition(
condition_type=rdfvalue.FileFinderCondition.Type.CONTENTS_REGEX_MATCH,
contents_regex_match=rdfvalue.FileFinderContentsRegexMatchCondition(
mode=rdfvalue.FileFinderContentsRegexMatchCondition.Mode.FIRST_HIT,
regex=".*"))
for action in sorted(
file_finder.FileFinderAction.Action.enum_dict.values()):
self.RunFlowAndCheckResults(
action=action,
conditions=[regex_condition1, regex_condition2],
expected_files=expected_files,
non_expected_files=non_expected_files)
# Check the output file is created
fd = aff4.FACTORY.Open(self.client_id.Add(self.output_path),
aff4_type="RDFValueCollection",
token=self.token)
self.assertEqual(len(fd), 1)
self.assertEqual(len(fd[0].matches), 2)
self.assertEqual(fd[0].matches[0].offset, 350)
self.assertEqual(fd[0].matches[0].data,
"session): session opened for user dearjohn by (uid=0")
self.assertEqual(fd[0].matches[1].offset, 0)
self.assertEqual(fd[0].matches[1].length, 770)
def StartRequests(self):
"""Generate and send the Find requests."""
client = aff4.FACTORY.Open(self.client_id, token=self.token)
if self.runner.output is not None:
self.runner.output.Set(
self.runner.output.Schema.DESCRIPTION("CacheGrep for {0}".format(
self.args.data_regex)))
usernames = ["%s\\%s" % (u.domain, u.username) for u in self.state.users]
usernames = [u.lstrip("\\") for u in usernames] # Strip \\ if no domain.
condition = rdfvalue.FileFinderCondition(
condition_type=rdfvalue.FileFinderCondition.Type.CONTENTS_REGEX_MATCH,
contents_regex_match=rdfvalue.FileFinderContentsRegexMatchCondition(
regex=self.args.data_regex,
mode=rdfvalue.FileFinderContentsRegexMatchCondition.Mode.FIRST_HIT))
for path in self.state.all_paths:
full_paths = flow_utils.InterpolatePath(path, client, users=usernames)
for full_path in full_paths:
self.CallFlow(
"FileFinder",
paths=[os.path.join(full_path, "**5")],
pathtype=self.state.args.pathtype,
conditions=[condition],
action=rdfvalue.FileFinderAction(
action_type=rdfvalue.FileFinderAction.Action.DOWNLOAD),
next_state="HandleResults")
def testLiteralMatchConditionWithDifferentActions(self):
expected_files = ["auth.log"]
non_expected_files = ["dpkg.log", "dpkg_false.log"]
literal_condition = rdfvalue.FileFinderCondition(
condition_type=rdfvalue.FileFinderCondition.Type.CONTENTS_LITERAL_MATCH,
contents_literal_match=rdfvalue.FileFinderContentsLiteralMatchCondition(
mode=rdfvalue.FileFinderContentsLiteralMatchCondition.Mode.ALL_HITS,
literal="session opened for user dearjohn"))
for action in sorted(
file_finder.FileFinderAction.Action.enum_dict.values()):
self.RunFlowAndCheckResults(
action=action,
conditions=[literal_condition],
expected_files=expected_files,
non_expected_files=non_expected_files)
# Check that the results' matches fields are correctly filled.
fd = aff4.FACTORY.Open(self.client_id.Add(self.output_path),
aff4_type="RDFValueCollection",
token=self.token)
self.assertEqual(len(fd), 1)
self.assertEqual(len(fd[0].matches), 1)
self.assertEqual(fd[0].matches[0].offset, 350)
self.assertEqual(fd[0].matches[0].data,
"session): session opened for user dearjohn by (uid=0")
def Grep(self, source, pathtype):
"""Grep files in paths for any matches to content_regex_list.
Args:
source: artifact source
pathtype: pathspec path type
When multiple regexes are supplied, combine them into a single regex as an
OR match so that we check all regexes at once.
"""
path_list = self.InterpolateList(source.attributes.get("paths", []))
content_regex_list = self.InterpolateList(
source.attributes.get("content_regex_list", []))
regex_condition = rdfvalue.FileFinderContentsRegexMatchCondition(
regex=self._CombineRegex(content_regex_list),
bytes_before=0,
bytes_after=0)
file_finder_condition = rdfvalue.FileFinderCondition(
condition_type=rdfvalue.FileFinderCondition.Type.
CONTENTS_REGEX_MATCH,
contents_regex_match=regex_condition)
self.CallFlow("FileFinder",
paths=path_list,
conditions=[file_finder_condition],
action=rdfvalue.FileFinderAction(),
pathtype=pathtype,
request_data={
"artifact_name": self.current_artifact_name,
"source": source.ToPrimitiveDict()
},
next_state="ProcessCollected")
def testSizeAndRegexConditionsWithDifferentActions(self):
files_over_size_limit = ["auth.log"]
filtered_files = ["dpkg.log", "dpkg_false.log"]
expected_files = []
non_expected_files = files_over_size_limit + filtered_files
sizes = [
os.stat(os.path.join(self.base_path, f)).st_size
for f in files_over_size_limit
]
size_condition = rdfvalue.FileFinderCondition(
condition_type=rdfvalue.FileFinderCondition.Type.SIZE,
size=rdfvalue.FileFinderSizeCondition(max_file_size=min(sizes) -
1))
regex_condition = rdfvalue.FileFinderCondition(
condition_type=rdfvalue.FileFinderCondition.Type.
CONTENTS_REGEX_MATCH,
contents_regex_match=rdfvalue.
FileFinderContentsRegexMatchCondition(
mode=rdfvalue.FileFinderContentsRegexMatchCondition.Mode.
ALL_HITS,
regex="session opened for user .*?john"))
for action in sorted(
rdfvalue.FileFinderAction.Action.enum_dict.values()):
self.RunFlowAndCheckResults(
action=action,
conditions=[size_condition, regex_condition],
expected_files=expected_files,
non_expected_files=non_expected_files)
# Check that order of conditions doesn't influence results
for action in sorted(
rdfvalue.FileFinderAction.Action.enum_dict.values()):
self.RunFlowAndCheckResults(
action=action,
conditions=[regex_condition, size_condition],
expected_files=expected_files,
non_expected_files=non_expected_files)
def ConditionsToFileFinderConditions(self, conditions):
ff_condition_type_cls = rdfvalue.FileFinderCondition.Type
result = []
for c in conditions:
if c.condition_type == MemoryCollectorCondition.Type.LITERAL_MATCH:
result.append(
rdfvalue.FileFinderCondition(
condition_type=ff_condition_type_cls.
CONTENTS_LITERAL_MATCH,
contents_literal_match=c.literal_match))
elif c.condition_type == MemoryCollectorCondition.Type.REGEX_MATCH:
result.append(
rdfvalue.FileFinderCondition(
condition_type=ff_condition_type_cls.
CONTENTS_REGEX_MATCH,
contents_regex_match=c.regex_match))
else:
raise ValueError("Unknown condition type: %s",
c.condition_type)
return result
def testAppliesLiteralConditionWhenMemoryPathTypeIsUsed(self):
vfs.VFS_HANDLERS[
rdfvalue.PathSpec.PathType.OS] = test_lib.FakeTestDataVFSHandler
vfs.VFS_HANDLERS[rdfvalue.PathSpec.PathType.
MEMORY] = test_lib.FakeTestDataVFSHandler
paths = [
os.path.join(os.path.dirname(self.base_path), "auth.log"),
os.path.join(os.path.dirname(self.base_path), "dpkg.log")
]
literal_condition = rdfvalue.FileFinderCondition(
condition_type=rdfvalue.FileFinderCondition.Type.
CONTENTS_LITERAL_MATCH,
contents_literal_match=rdfvalue.
FileFinderContentsLiteralMatchCondition(
mode=rdfvalue.FileFinderContentsLiteralMatchCondition.Mode.
ALL_HITS,
literal="session opened for user dearjohn"))
# Check this condition with all the actions. This makes sense, as we may
# download memeory or send it to the socket.
for action in sorted(
rdfvalue.FileFinderAction.Action.enum_dict.values()):
for _ in test_lib.TestFlowHelper(
"FileFinder",
self.client_mock,
client_id=self.client_id,
paths=paths,
pathtype=rdfvalue.PathSpec.PathType.MEMORY,
conditions=[literal_condition],
action=rdfvalue.FileFinderAction(action_type=action),
token=self.token,
output=self.output_path):
pass
self.CheckFilesInCollection(["auth.log"])
fd = aff4.FACTORY.Open(self.client_id.Add(self.output_path),
aff4_type="RDFValueCollection",
token=self.token)
self.assertEqual(fd[0].stat_entry.pathspec.CollapsePath(),
paths[0])
self.assertEqual(len(fd), 1)
self.assertEqual(len(fd[0].matches), 1)
self.assertEqual(fd[0].matches[0].offset, 350)
self.assertEqual(
fd[0].matches[0].data,
"session): session opened for user dearjohn by (uid=0")
def ConditionsToFileFinderConditions(self, conditions):
ff_condition_type_cls = rdfvalue.FileFinderCondition.Type
result = []
for c in conditions:
if c.condition_type == RegistryFinderCondition.Type.MODIFICATION_TIME:
result.append(rdfvalue.FileFinderCondition(
condition_type=ff_condition_type_cls.MODIFICATION_TIME,
modification_time=c.modification_time))
elif c.condition_type == RegistryFinderCondition.Type.VALUE_LITERAL_MATCH:
result.append(rdfvalue.FileFinderCondition(
condition_type=ff_condition_type_cls.CONTENTS_LITERAL_MATCH,
contents_literal_match=c.value_literal_match))
elif c.condition_type == RegistryFinderCondition.Type.VALUE_REGEX_MATCH:
result.append(rdfvalue.FileFinderCondition(
condition_type=ff_condition_type_cls.CONTENTS_REGEX_MATCH,
contents_regex_match=c.value_regex_match))
elif c.condition_type == RegistryFinderCondition.Type.SIZE:
result.append(rdfvalue.FileFinderCondition(
condition_type=ff_condition_type_cls.SIZE,
size=c.size))
else:
raise ValueError("Unknown condition type: %s", c.condition_type)
return result
def testAccessTimeConditionWithDifferentActions(self):
expected_files = ["dpkg.log", "dpkg_false.log"]
non_expected_files = ["auth.log"]
access_time_condition = rdfvalue.FileFinderCondition(
condition_type=rdfvalue.FileFinderCondition.Type.ACCESS_TIME,
access_time=rdfvalue.FileFinderAccessTimeCondition(
min_last_access_time=rdfvalue.RDFDatetime(
).FromSecondsFromEpoch(1444444440)))
for action in sorted(
rdfvalue.FileFinderAction.Action.enum_dict.values()):
self.RunFlowAndCheckResults(action=action,
conditions=[access_time_condition],
expected_files=expected_files,
non_expected_files=non_expected_files)
def testInodeChangeTimeConditionWithDifferentActions(self):
expected_files = ["dpkg.log", "dpkg_false.log"]
non_expected_files = ["auth.log"]
change_time = rdfvalue.RDFDatetime().FromSecondsFromEpoch(1444444440)
inode_change_time_condition = rdfvalue.FileFinderCondition(
condition_type=rdfvalue.FileFinderCondition.Type.INODE_CHANGE_TIME,
inode_change_time=rdfvalue.FileFinderInodeChangeTimeCondition(
min_last_inode_change_time=change_time))
for action in sorted(
file_finder.FileFinderAction.Action.enum_dict.values()):
self.RunFlowAndCheckResults(
action=action,
conditions=[inode_change_time_condition],
expected_files=expected_files,
non_expected_files=non_expected_files)
def testModificationTimeConditionWithDifferentActions(self):
expected_files = ["dpkg.log", "dpkg_false.log"]
non_expected_files = ["auth.log"]
change_time = rdfvalue.RDFDatetime().FromSecondsFromEpoch(1444444440)
modification_time_condition = rdfvalue.FileFinderCondition(
condition_type=rdfvalue.FileFinderCondition.Type.MODIFICATION_TIME,
modification_time=rdfvalue.FileFinderModificationTimeCondition(
min_last_modified_time=change_time))
for action in sorted(
file_finder.FileFinderAction.Action.enum_dict.values()):
self.RunFlowAndCheckResults(
action=action,
conditions=[modification_time_condition],
expected_files=expected_files,
non_expected_files=non_expected_files)
def testSizeConditionWithDifferentActions(self):
expected_files = ["dpkg.log", "dpkg_false.log"]
non_expected_files = ["auth.log"]
sizes = [os.stat(os.path.join(self.base_path, f)).st_size
for f in expected_files]
size_condition = rdfvalue.FileFinderCondition(
condition_type=rdfvalue.FileFinderCondition.Type.SIZE,
size=rdfvalue.FileFinderSizeCondition(max_file_size=max(sizes) + 1))
for action in sorted(
file_finder.FileFinderAction.Action.enum_dict.values()):
self.RunFlowAndCheckResults(
action=action,
conditions=[size_condition],
expected_files=expected_files,
non_expected_files=non_expected_files)
