def testRegexMatchConditionWithDifferentActions(self): expected_files = ["auth.log"] non_expected_files = ["dpkg.log", "dpkg_false.log"] regex_condition = rdf_file_finder.FileFinderCondition( condition_type=( rdf_file_finder.FileFinderCondition.Type.CONTENTS_REGEX_MATCH), contents_regex_match=( rdf_file_finder.FileFinderContentsRegexMatchCondition( mode="ALL_HITS", bytes_before=10, bytes_after=10, regex="session opened for user .*?john"))) for action in self.CONDITION_TESTS_ACTIONS: self.RunFlowAndCheckResults(action=action, conditions=[regex_condition], expected_files=expected_files, non_expected_files=non_expected_files) fd = flow.GRRFlow.ResultCollectionForFID(self.last_session_id) self.assertEqual(len(fd), 1) self.assertEqual(len(fd[0].matches), 1) self.assertEqual(fd[0].matches[0].offset, 350) self.assertEqual( fd[0].matches[0].data, "session): session opened for user dearjohn by (uid=0")
def testFindsKeyIfItMatchesRegexMatchCondition(self): value_regex_match = rdf_file_finder.FileFinderContentsRegexMatchCondition( bytes_before=10, bytes_after=10, regex="Windows.+\\.exe") session_id = self.RunFlow( [self.runkey], [ registry.RegistryFinderCondition( condition_type=registry.RegistryFinderCondition.Type. VALUE_REGEX_MATCH, value_regex_match=value_regex_match) ]) results = self.GetResults(session_id) self.assertEqual(len(results), 1) self.assertEqual(len(results[0].matches), 1) self.assertEqual(results[0].matches[0].offset, 15) self.assertEqual(results[0].matches[0].data, "ramFiles%\\Windows Sidebar\\Sidebar.exe /autoRun") self.assertEqual(results[0].stat_entry.AFF4Path(self.client_id), "aff4:/C.1000000000000000/registry/HKEY_USERS/S-1-5-20/" "Software/Microsoft/Windows/CurrentVersion/Run/Sidebar") self.assertEqual(results[0].stat_entry.pathspec.path, "/HKEY_USERS/S-1-5-20/Software/Microsoft/Windows/" "CurrentVersion/Run/Sidebar") self.assertEqual(results[0].stat_entry.pathspec.pathtype, rdf_paths.PathSpec.PathType.REGISTRY)
def Grep(self, source, pathtype): """Grep files in paths for any matches to content_regex_list. Args: source: artifact source pathtype: pathspec path type When multiple regexes are supplied, combine them into a single regex as an OR match so that we check all regexes at once. """ path_list = self.InterpolateList(source.attributes.get("paths", [])) content_regex_list = self.InterpolateList( source.attributes.get("content_regex_list", [])) regex_condition = rdf_file_finder.FileFinderContentsRegexMatchCondition( regex=self._CombineRegex(content_regex_list), bytes_before=0, bytes_after=0, mode="ALL_HITS") file_finder_condition = rdf_file_finder.FileFinderCondition( condition_type=( rdf_file_finder.FileFinderCondition.Type.CONTENTS_REGEX_MATCH), contents_regex_match=regex_condition) self.CallFlow("FileFinder", paths=path_list, conditions=[file_finder_condition], action=rdf_file_finder.FileFinderAction(), pathtype=pathtype, request_data={ "artifact_name": self.current_artifact_name, "source": source.ToPrimitiveDict() }, next_state="ProcessCollected")
def testRegexMatchConditionWithDifferentActions(self): expected_files = ["auth.log"] non_expected_files = ["dpkg.log", "dpkg_false.log"] regex_condition = rdf_file_finder.FileFinderCondition( condition_type=( rdf_file_finder.FileFinderCondition.Type.CONTENTS_REGEX_MATCH), contents_regex_match=( rdf_file_finder.FileFinderContentsRegexMatchCondition( mode="ALL_HITS", bytes_before=10, bytes_after=10, regex="session opened for user .*?john"))) for action in self.CONDITION_TESTS_ACTIONS: self.RunFlowAndCheckResults(action=action, conditions=[regex_condition], expected_files=expected_files, non_expected_files=non_expected_files) fd = aff4.FACTORY.Open( self.last_session_id.Add(flow_runner.RESULTS_SUFFIX), aff4_type=sequential_collection.GeneralIndexedCollection, token=self.token) self.assertEqual(len(fd), 1) self.assertEqual(len(fd[0].matches), 1) self.assertEqual(fd[0].matches[0].offset, 350) self.assertEqual( fd[0].matches[0].data, "session): session opened for user dearjohn by (uid=0")
def testFindsNothingIfRegexMatchesNothing(self): value_regex_match = rdf_file_finder.FileFinderContentsRegexMatchCondition( bytes_before=10, bytes_after=10, regex=".*CanNotFindMe.*") session_id = self.RunFlow([self.runkey], [ registry.RegistryFinderCondition( condition_type=registry.RegistryFinderCondition.Type. VALUE_REGEX_MATCH, value_regex_match=value_regex_match) ]) self.AssertNoResults(session_id)
def testTwoRegexMatchConditionsWithDifferentActions1(self): expected_files = ["auth.log"] non_expected_files = ["dpkg.log", "dpkg_false.log"] regex_condition1 = rdf_file_finder.FileFinderCondition( condition_type=( rdf_file_finder.FileFinderCondition.Type.CONTENTS_REGEX_MATCH), contents_regex_match=( rdf_file_finder.FileFinderContentsRegexMatchCondition( mode="ALL_HITS", bytes_before=10, bytes_after=10, regex="session opened for user .*?john"))) regex_condition2 = rdf_file_finder.FileFinderCondition( condition_type=( rdf_file_finder.FileFinderCondition.Type.CONTENTS_REGEX_MATCH), contents_regex_match=( rdf_file_finder.FileFinderContentsRegexMatchCondition( mode="ALL_HITS", bytes_before=10, bytes_after=10, regex="format.*should"))) for action in self.CONDITION_TESTS_ACTIONS: self.RunFlowAndCheckResults( action=action, conditions=[regex_condition1, regex_condition2], expected_files=expected_files, non_expected_files=non_expected_files) # Check the output file is created fd = flow.GRRFlow.ResultCollectionForFID(self.last_session_id, token=self.token) self.assertEqual(len(fd), 1) self.assertEqual(len(fd[0].matches), 2) self.assertEqual(fd[0].matches[0].offset, 350) self.assertEqual( fd[0].matches[0].data, "session): session opened for user dearjohn by (uid=0") self.assertEqual(fd[0].matches[1].offset, 513) self.assertEqual(fd[0].matches[1].data, "rong line format.... should not be he")