def testSizeAndRegexFiltersWithDifferentActions(self): expected_files = [] non_expected_files = ["dpkg.log", "dpkg_false.log", "auth.log"] size_filter = rdfvalue.FileFinderFilter( filter_type=rdfvalue.FileFinderFilter.Type.SIZE, size=rdfvalue.FileFinderSizeFilter(max_file_size=626)) regex_filter = rdfvalue.FileFinderFilter( filter_type=rdfvalue.FileFinderFilter.Type.CONTENTS_REGEX_MATCH, contents_regex_match=rdfvalue.FileFinderContentsRegexMatchFilter( mode=rdfvalue.FileFinderContentsRegexMatchFilter.Mode.ALL_HITS, regex="session opened for user .*?john")) for action in sorted( rdfvalue.FileFinderAction.Action.enum_dict.values()): self.RunFlowAndCheckResults(action=action, filters=[size_filter, regex_filter], expected_files=expected_files, non_expected_files=non_expected_files) # Check that order of filters doesn't influence results for action in sorted( rdfvalue.FileFinderAction.Action.enum_dict.values()): self.RunFlowAndCheckResults(action=action, filters=[regex_filter, size_filter], expected_files=expected_files, non_expected_files=non_expected_files)
def FiltersToFileFinderFilters(self, filters): result = [] for f in filters: if f.filter_type == MemoryScannerFilter.Type.LITERAL_MATCH: result.append(rdfvalue.FileFinderFilter( filter_type=rdfvalue.FileFinderFilter.Type.CONTENTS_LITERAL_MATCH, contents_literal_match=f.literal_match)) elif f.filter_type == MemoryScannerFilter.Type.REGEX_MATCH: result.append(rdfvalue.FileFinderFilter( filter_type=rdfvalue.FileFinderFilter.Type.CONTENTS_REGEX_MATCH, contents_regex_match=f.regex_match)) else: raise ValueError("Unknown filter type: %s", f.filter_type) return result
def Grep(self, collector, pathtype): """Grep files in path_list for any matches to content_regex_list.""" path_list = self.InterpolateList(collector.args.get("path_list", [])) content_regex_list = self.InterpolateList( collector.args.get("content_regex_list", [])) filters = [] for regex in content_regex_list: regexfilter = rdfvalue.FileFinderContentsRegexMatchFilter( regex=regex, bytes_before=0, bytes_after=0) file_finder_filter = rdfvalue.FileFinderFilter( filter_type=rdfvalue.FileFinderFilter.Type. CONTENTS_REGEX_MATCH, contents_regex_match=regexfilter) filters.append(file_finder_filter) self.CallFlow("FileFinder", paths=path_list, filters=filters, action=rdfvalue.FileFinderAction(), pathtype=pathtype, request_data={ "artifact_name": self.current_artifact_name, "collector": collector.ToPrimitiveDict() }, next_state="ProcessCollected")
def testRegexMatchFilterWithDifferentActions(self): expected_files = ["auth.log"] non_expected_files = ["dpkg.log", "dpkg_false.log"] regex_filter = rdfvalue.FileFinderFilter( filter_type=rdfvalue.FileFinderFilter.Type.CONTENTS_REGEX_MATCH, contents_regex_match=rdfvalue.FileFinderContentsRegexMatchFilter( mode=rdfvalue.FileFinderContentsRegexMatchFilter.Mode.ALL_HITS, regex="session opened for user .*?john")) for action in sorted( rdfvalue.FileFinderAction.Action.enum_dict.values()): self.RunFlowAndCheckResults(action=action, filters=[regex_filter], expected_files=expected_files, non_expected_files=non_expected_files) fd = aff4.FACTORY.Open(self.client_id.Add(self.output_path), aff4_type="RDFValueCollection", token=self.token) self.assertEqual(len(fd), 1) self.assertEqual(len(fd[0].matches), 1) self.assertEqual(fd[0].matches[0].offset, 350) self.assertEqual( fd[0].matches[0].data, "session): session opened for user dearjohn by (uid=0")
def testSizeFilterWithDifferentActions(self): expected_files = ["dpkg.log", "dpkg_false.log"] non_expected_files = ["auth.log"] size_filter = rdfvalue.FileFinderFilter( filter_type=rdfvalue.FileFinderFilter.Type.SIZE, size=rdfvalue.FileFinderSizeFilter(max_file_size=626)) for action in sorted( rdfvalue.FileFinderAction.Action.enum_dict.values()): self.RunFlowAndCheckResults(action=action, filters=[size_filter], expected_files=expected_files, non_expected_files=non_expected_files)
def testAppliesLiteralFilterWhenMemoryPathTypeIsUsed(self): vfs.VFS_HANDLERS[ rdfvalue.PathSpec.PathType.OS] = test_lib.ClientTestDataVFSFixture vfs.VFS_HANDLERS[rdfvalue.PathSpec.PathType. MEMORY] = test_lib.ClientTestDataVFSFixture paths = [ os.path.join(os.path.dirname(self.base_path), "auth.log"), os.path.join(os.path.dirname(self.base_path), "dpkg.log") ] literal_filter = rdfvalue.FileFinderFilter( filter_type=rdfvalue.FileFinderFilter.Type.CONTENTS_LITERAL_MATCH, contents_literal_match=rdfvalue. FileFinderContentsLiteralMatchFilter( mode=rdfvalue.FileFinderContentsLiteralMatchFilter.Mode. ALL_HITS, literal="session opened for user dearjohn")) # Check this filter with all the actions. This makes sense, as we may # download memeory or send it to the socket. for action in sorted( rdfvalue.FileFinderAction.Action.enum_dict.values()): for _ in test_lib.TestFlowHelper( "FileFinder", self.client_mock, client_id=self.client_id, paths=paths, pathtype=rdfvalue.PathSpec.PathType.MEMORY, filters=[literal_filter], action=rdfvalue.FileFinderAction(action_type=action), token=self.token, output=self.output_path): pass self.CheckFilesInCollection(["auth.log"]) fd = aff4.FACTORY.Open(self.client_id.Add(self.output_path), aff4_type="RDFValueCollection", token=self.token) self.assertEqual(fd[0].stat_entry.pathspec.CollapsePath(), paths[0]) self.assertEqual(len(fd), 1) self.assertEqual(len(fd[0].matches), 1) self.assertEqual(fd[0].matches[0].offset, 350) self.assertEqual( fd[0].matches[0].data, "session): session opened for user dearjohn by (uid=0")
def testInodeChangeTimeFilterWithDifferentActions(self): expected_files = ["dpkg.log", "dpkg_false.log"] non_expected_files = ["auth.log"] inode_change_time_filter = rdfvalue.FileFinderFilter( filter_type=rdfvalue.FileFinderFilter.Type.INODE_CHANGE_TIME, inode_change_time=rdfvalue.FileFinderInodeChangeTimeFilter( min_last_inode_change_time=rdfvalue.RDFDatetime( ).FromSecondsFromEpoch(1444444440))) for action in sorted( rdfvalue.FileFinderAction.Action.enum_dict.values()): self.RunFlowAndCheckResults(action=action, filters=[inode_change_time_filter], expected_files=expected_files, non_expected_files=non_expected_files)
def testAccessTimeFilterWithDifferentActions(self): expected_files = ["dpkg.log", "dpkg_false.log"] non_expected_files = ["auth.log"] access_time_filter = rdfvalue.FileFinderFilter( filter_type=rdfvalue.FileFinderFilter.Type.ACCESS_TIME, access_time=rdfvalue.FileFinderAccessTimeFilter( min_last_access_time=rdfvalue.RDFDatetime( ).FromSecondsFromEpoch(1444444440))) for action in sorted( rdfvalue.FileFinderAction.Action.enum_dict.values()): self.RunFlowAndCheckResults(action=action, filters=[access_time_filter], expected_files=expected_files, non_expected_files=non_expected_files)
def testModificationTimeFilterWithDifferentActions(self): expected_files = ["dpkg.log", "dpkg_false.log"] non_expected_files = ["auth.log"] modification_time_filter = rdfvalue.FileFinderFilter( filter_type=rdfvalue.FileFinderFilter.Type.MODIFICATION_TIME, modification_time=rdfvalue.FileFinderModificationTimeFilter( min_last_modified_time=rdfvalue.RDFDatetime( ).FromSecondsFromEpoch(1444444440))) for action in sorted( rdfvalue.FileFinderAction.Action.enum_dict.values()): self.RunFlowAndCheckResults(action=action, filters=[modification_time_filter], expected_files=expected_files, non_expected_files=non_expected_files)