def testTwoRegexMatchConditionsWithDifferentActions2(self):
expected_files = ["auth.log"]
non_expected_files = ["dpkg.log", "dpkg_false.log"]
regex_condition1 = rdfvalue.FileFinderCondition(
condition_type=rdfvalue.FileFinderCondition.Type.CONTENTS_REGEX_MATCH,
contents_regex_match=rdfvalue.FileFinderContentsRegexMatchCondition(
mode=rdfvalue.FileFinderContentsRegexMatchCondition.Mode.ALL_HITS,
regex="session opened for user .*?john"))
regex_condition2 = rdfvalue.FileFinderCondition(
condition_type=rdfvalue.FileFinderCondition.Type.CONTENTS_REGEX_MATCH,
contents_regex_match=rdfvalue.FileFinderContentsRegexMatchCondition(
mode=rdfvalue.FileFinderContentsRegexMatchCondition.Mode.FIRST_HIT,
regex=".*"))
for action in sorted(
file_finder.FileFinderAction.Action.enum_dict.values()):
self.RunFlowAndCheckResults(
action=action,
conditions=[regex_condition1, regex_condition2],
expected_files=expected_files,
non_expected_files=non_expected_files)
# Check the output file is created
fd = aff4.FACTORY.Open(self.client_id.Add(self.output_path),
aff4_type="RDFValueCollection",
token=self.token)
self.assertEqual(len(fd), 1)
self.assertEqual(len(fd[0].matches), 2)
self.assertEqual(fd[0].matches[0].offset, 350)
self.assertEqual(fd[0].matches[0].data,
"session): session opened for user dearjohn by (uid=0")
self.assertEqual(fd[0].matches[1].offset, 0)
self.assertEqual(fd[0].matches[1].length, 770)
def StartRequests(self):
"""Generate and send the Find requests."""
client = aff4.FACTORY.Open(self.client_id, token=self.token)
if self.runner.output is not None:
self.runner.output.Set(
self.runner.output.Schema.DESCRIPTION("CacheGrep for {0}".format(
self.args.data_regex)))
usernames = ["%s\\%s" % (u.domain, u.username) for u in self.state.users]
usernames = [u.lstrip("\\") for u in usernames] # Strip \\ if no domain.
condition = rdfvalue.FileFinderCondition(
condition_type=rdfvalue.FileFinderCondition.Type.CONTENTS_REGEX_MATCH,
contents_regex_match=rdfvalue.FileFinderContentsRegexMatchCondition(
regex=self.args.data_regex,
mode=rdfvalue.FileFinderContentsRegexMatchCondition.Mode.FIRST_HIT))
for path in self.state.all_paths:
full_paths = flow_utils.InterpolatePath(path, client, users=usernames)
for full_path in full_paths:
self.CallFlow(
"FileFinder",
paths=[os.path.join(full_path, "**5")],
pathtype=self.state.args.pathtype,
conditions=[condition],
action=rdfvalue.FileFinderAction(
action_type=rdfvalue.FileFinderAction.Action.DOWNLOAD),
next_state="HandleResults")
def testFindsKeyIfItMatchesRegexMatchCondition(self):
value_regex_match = rdfvalue.FileFinderContentsRegexMatchCondition(
regex="Windows.+\\.exe")
self.RunFlow([
"HKEY_USERS/S-1-5-20/Software/Microsoft/Windows/CurrentVersion/Run/*"
], [
rdfvalue.RegistryFinderCondition(
condition_type=rdfvalue.RegistryFinderCondition.Type.
VALUE_REGEX_MATCH,
value_regex_match=value_regex_match)
])
results = self.GetResults()
self.assertEqual(len(results), 1)
self.assertEqual(len(results[0].matches), 1)
self.assertEqual(results[0].matches[0].offset, 15)
self.assertEqual(results[0].matches[0].data,
"ramFiles%\\Windows Sidebar\\Sidebar.exe /autoRun")
self.assertEqual(
results[0].stat_entry.aff4path,
"aff4:/C.1000000000000000/registry/HKEY_USERS/S-1-5-20/"
"Software/Microsoft/Windows/CurrentVersion/Run/Sidebar")
self.assertEqual(
results[0].stat_entry.pathspec.path,
"/HKEY_USERS/S-1-5-20/Software/Microsoft/Windows/"
"CurrentVersion/Run/Sidebar")
self.assertEqual(results[0].stat_entry.pathspec.pathtype,
rdfvalue.PathSpec.PathType.REGISTRY)
def Grep(self, source, pathtype):
"""Grep files in paths for any matches to content_regex_list.
Args:
source: artifact source
pathtype: pathspec path type
When multiple regexes are supplied, combine them into a single regex as an
OR match so that we check all regexes at once.
"""
path_list = self.InterpolateList(source.attributes.get("paths", []))
content_regex_list = self.InterpolateList(
source.attributes.get("content_regex_list", []))
regex_condition = rdfvalue.FileFinderContentsRegexMatchCondition(
regex=self._CombineRegex(content_regex_list),
bytes_before=0,
bytes_after=0)
file_finder_condition = rdfvalue.FileFinderCondition(
condition_type=rdfvalue.FileFinderCondition.Type.
CONTENTS_REGEX_MATCH,
contents_regex_match=regex_condition)
self.CallFlow("FileFinder",
paths=path_list,
conditions=[file_finder_condition],
action=rdfvalue.FileFinderAction(),
pathtype=pathtype,
request_data={
"artifact_name": self.current_artifact_name,
"source": source.ToPrimitiveDict()
},
next_state="ProcessCollected")
def testFindsNothingIfRegexMatchesNothing(self):
value_regex_match = rdfvalue.FileFinderContentsRegexMatchCondition(
regex=".*CanNotFindMe.*")
self.RunFlow([
"HKEY_USERS/S-1-5-20/Software/Microsoft/Windows/CurrentVersion/Run/*"
], [
rdfvalue.RegistryFinderCondition(
condition_type=rdfvalue.RegistryFinderCondition.Type.
VALUE_REGEX_MATCH,
value_regex_match=value_regex_match)
])
self.AssertNoResults()
def testMemoryImageRegexMatchConditionWithNoAction(self):
regex_condition = rdfvalue.MemoryCollectorCondition(
condition_type=rdfvalue.MemoryCollectorCondition.Type.REGEX_MATCH,
regex_match=rdfvalue.FileFinderContentsRegexMatchCondition(
mode=rdfvalue.FileFinderContentsLiteralMatchCondition.Mode.ALL_HITS,
regex="session opened for user .*?john"))
self.RunWithNoAction(conditions=[regex_condition])
output = aff4.FACTORY.Open(self.client_id.Add(self.output_path),
aff4_type="RDFValueCollection",
token=self.token)
self.assertEqual(len(output), 1)
self.assertEqual(output[0].offset, 350)
self.assertEqual(output[0].length, 52)
self.assertEqual(output[0].data, "session): session opened for user "
"dearjohn by (uid=0")
def testSizeAndRegexConditionsWithDifferentActions(self):
files_over_size_limit = ["auth.log"]
filtered_files = ["dpkg.log", "dpkg_false.log"]
expected_files = []
non_expected_files = files_over_size_limit + filtered_files
sizes = [os.stat(os.path.join(self.base_path, f)).st_size
for f in files_over_size_limit]
size_condition = rdfvalue.FileFinderCondition(
condition_type=rdfvalue.FileFinderCondition.Type.SIZE,
size=rdfvalue.FileFinderSizeCondition(
max_file_size=min(sizes) - 1))
regex_condition = rdfvalue.FileFinderCondition(
condition_type=rdfvalue.FileFinderCondition.Type.CONTENTS_REGEX_MATCH,
contents_regex_match=rdfvalue.FileFinderContentsRegexMatchCondition(
mode=rdfvalue.FileFinderContentsRegexMatchCondition.Mode.ALL_HITS,
regex="session opened for user .*?john"))
for action in sorted(
file_finder.FileFinderAction.Action.enum_dict.values()):
self.RunFlowAndCheckResults(
action=action,
conditions=[size_condition, regex_condition],
expected_files=expected_files,
non_expected_files=non_expected_files)
# Check that order of conditions doesn't influence results
for action in sorted(
file_finder.FileFinderAction.Action.enum_dict.values()):
self.RunFlowAndCheckResults(
action=action,
conditions=[regex_condition, size_condition],
expected_files=expected_files,
non_expected_files=non_expected_files)