def testRegexMatchConditionWithDifferentActions(self):
expected_files = ["auth.log"]
non_expected_files = ["dpkg.log", "dpkg_false.log"]
regex_condition = rdf_file_finder.FileFinderCondition(
condition_type=(
rdf_file_finder.FileFinderCondition.Type.CONTENTS_REGEX_MATCH),
contents_regex_match=(
rdf_file_finder.FileFinderContentsRegexMatchCondition(
mode="ALL_HITS",
bytes_before=10,
bytes_after=10,
regex="session opened for user .*?john")))
for action in self.CONDITION_TESTS_ACTIONS:
self.RunFlowAndCheckResults(action=action,
conditions=[regex_condition],
expected_files=expected_files,
non_expected_files=non_expected_files)
fd = flow.GRRFlow.ResultCollectionForFID(self.last_session_id)
self.assertEqual(len(fd), 1)
self.assertEqual(len(fd[0].matches), 1)
self.assertEqual(fd[0].matches[0].offset, 350)
self.assertEqual(
fd[0].matches[0].data,
"session): session opened for user dearjohn by (uid=0")
def testFindsKeyIfItMatchesRegexMatchCondition(self):
value_regex_match = rdf_file_finder.FileFinderContentsRegexMatchCondition(
bytes_before=10, bytes_after=10, regex="Windows.+\\.exe")
session_id = self.RunFlow(
[self.runkey], [
registry.RegistryFinderCondition(
condition_type=registry.RegistryFinderCondition.Type.
VALUE_REGEX_MATCH,
value_regex_match=value_regex_match)
])
results = self.GetResults(session_id)
self.assertEqual(len(results), 1)
self.assertEqual(len(results[0].matches), 1)
self.assertEqual(results[0].matches[0].offset, 15)
self.assertEqual(results[0].matches[0].data,
"ramFiles%\\Windows Sidebar\\Sidebar.exe /autoRun")
self.assertEqual(results[0].stat_entry.AFF4Path(self.client_id),
"aff4:/C.1000000000000000/registry/HKEY_USERS/S-1-5-20/"
"Software/Microsoft/Windows/CurrentVersion/Run/Sidebar")
self.assertEqual(results[0].stat_entry.pathspec.path,
"/HKEY_USERS/S-1-5-20/Software/Microsoft/Windows/"
"CurrentVersion/Run/Sidebar")
self.assertEqual(results[0].stat_entry.pathspec.pathtype,
rdf_paths.PathSpec.PathType.REGISTRY)
def Grep(self, source, pathtype):
"""Grep files in paths for any matches to content_regex_list.
Args:
source: artifact source
pathtype: pathspec path type
When multiple regexes are supplied, combine them into a single regex as an
OR match so that we check all regexes at once.
"""
path_list = self.InterpolateList(source.attributes.get("paths", []))
content_regex_list = self.InterpolateList(
source.attributes.get("content_regex_list", []))
regex_condition = rdf_file_finder.FileFinderContentsRegexMatchCondition(
regex=self._CombineRegex(content_regex_list),
bytes_before=0,
bytes_after=0,
mode="ALL_HITS")
file_finder_condition = rdf_file_finder.FileFinderCondition(
condition_type=(
rdf_file_finder.FileFinderCondition.Type.CONTENTS_REGEX_MATCH),
contents_regex_match=regex_condition)
self.CallFlow("FileFinder",
paths=path_list,
conditions=[file_finder_condition],
action=rdf_file_finder.FileFinderAction(),
pathtype=pathtype,
request_data={
"artifact_name": self.current_artifact_name,
"source": source.ToPrimitiveDict()
},
next_state="ProcessCollected")
def testRegexMatchConditionWithDifferentActions(self):
expected_files = ["auth.log"]
non_expected_files = ["dpkg.log", "dpkg_false.log"]
regex_condition = rdf_file_finder.FileFinderCondition(
condition_type=(
rdf_file_finder.FileFinderCondition.Type.CONTENTS_REGEX_MATCH),
contents_regex_match=(
rdf_file_finder.FileFinderContentsRegexMatchCondition(
mode="ALL_HITS",
bytes_before=10,
bytes_after=10,
regex="session opened for user .*?john")))
for action in self.CONDITION_TESTS_ACTIONS:
self.RunFlowAndCheckResults(action=action,
conditions=[regex_condition],
expected_files=expected_files,
non_expected_files=non_expected_files)
fd = aff4.FACTORY.Open(
self.last_session_id.Add(flow_runner.RESULTS_SUFFIX),
aff4_type=sequential_collection.GeneralIndexedCollection,
token=self.token)
self.assertEqual(len(fd), 1)
self.assertEqual(len(fd[0].matches), 1)
self.assertEqual(fd[0].matches[0].offset, 350)
self.assertEqual(
fd[0].matches[0].data,
"session): session opened for user dearjohn by (uid=0")
def testFindsNothingIfRegexMatchesNothing(self):
value_regex_match = rdf_file_finder.FileFinderContentsRegexMatchCondition(
bytes_before=10, bytes_after=10, regex=".*CanNotFindMe.*")
session_id = self.RunFlow([self.runkey], [
registry.RegistryFinderCondition(
condition_type=registry.RegistryFinderCondition.Type.
VALUE_REGEX_MATCH,
value_regex_match=value_regex_match)
])
self.AssertNoResults(session_id)
def testTwoRegexMatchConditionsWithDifferentActions1(self):
expected_files = ["auth.log"]
non_expected_files = ["dpkg.log", "dpkg_false.log"]
regex_condition1 = rdf_file_finder.FileFinderCondition(
condition_type=(
rdf_file_finder.FileFinderCondition.Type.CONTENTS_REGEX_MATCH),
contents_regex_match=(
rdf_file_finder.FileFinderContentsRegexMatchCondition(
mode="ALL_HITS",
bytes_before=10,
bytes_after=10,
regex="session opened for user .*?john")))
regex_condition2 = rdf_file_finder.FileFinderCondition(
condition_type=(
rdf_file_finder.FileFinderCondition.Type.CONTENTS_REGEX_MATCH),
contents_regex_match=(
rdf_file_finder.FileFinderContentsRegexMatchCondition(
mode="ALL_HITS",
bytes_before=10,
bytes_after=10,
regex="format.*should")))
for action in self.CONDITION_TESTS_ACTIONS:
self.RunFlowAndCheckResults(
action=action,
conditions=[regex_condition1, regex_condition2],
expected_files=expected_files,
non_expected_files=non_expected_files)
# Check the output file is created
fd = flow.GRRFlow.ResultCollectionForFID(self.last_session_id,
token=self.token)
self.assertEqual(len(fd), 1)
self.assertEqual(len(fd[0].matches), 2)
self.assertEqual(fd[0].matches[0].offset, 350)
self.assertEqual(
fd[0].matches[0].data,
"session): session opened for user dearjohn by (uid=0")
self.assertEqual(fd[0].matches[1].offset, 513)
self.assertEqual(fd[0].matches[1].data,
"rong line format.... should not be he")
