class testQueryCountSounds(object):
TWIN = 4
def setup(self): # Run independently for every testcast
self.cep = EsperEngine("TestCountSounds")
self.cep.define_event('SoundGroup', {
'timestamp': java.lang.String,
'mac': java.lang.String,
'soundlevel': java.lang.String }
)
self.cep.define_event('CountSounds', {
'mac': java.lang.String,
'nsg': java.lang.Long }
)
self.mocklisten = Mock()
self.qman = QueryManager(self.cep)
qa = queries.QueryCountSounds(self.TWIN)
self.qman.addQuery(qa.getQueries(), self.mocklisten)
def testCountSounds(self):
#Test Countsounds (met 0, 1 en 3 events)
time.sleep(self.TWIN + 0.5)
self.cep.send_event({
'timestamp': 'msg',
'mac': 'mac1',
'soundlevel': '0.5'}, 'SoundGroup')
time.sleep(self.TWIN + 0.5)
self.cep.send_event({
'timestamp': 'msg',
'mac': 'mac2',
'soundlevel': '0.5'}, 'SoundGroup')
self.cep.send_event({
'timestamp': 'msg',
'mac': 'mac1',
'soundlevel': '0.5'}, 'SoundGroup')
self.cep.send_event({
'timestamp': 'msg',
'mac': 'mac1',
'soundlevel': '0.5'}, 'SoundGroup')
self.cep.send_event({
'timestamp': 'msg',
'mac': 'mac1',
'soundlevel': '0.5'}, 'SoundGroup')
time.sleep(self.TWIN + 0.5)
print self.mocklisten.mock_calls
results = re.findall("nsg': (.*?)L",
str(self.mocklisten.mock_calls))
assert results[0] == '1' # mac1 in second window
assert results[1] == '0' # mac1 out of first window
assert results[2] == '1' # mac2 in third window
assert results[3] == '3' # mac1 in third window
assert results[4] == '0' # mac2 out of second window
assert results[5] == '1' # mac1 out of second window
class TestQueryAnomalous(object):
def setup(self): # Run independently for every testcast
self.cep = EsperEngine("TestAnomalous")
self.cep.define_event('Anomalous_Sound', {
'timestamp': java.lang.String,
'mac': java.lang.String,
'soundlevel': java.lang.String }
)
self.cep.define_event('SoundGroup', {
'timestamp': java.lang.String,
'mac': java.lang.String,
'soundlevel': java.lang.String }
)
self.mocklisten = Mock()
self.qman = QueryManager(self.cep)
qa = queries.QueryAnomalousSound()
self.qman.addQuery(qa.getQueries(), self.mocklisten)
def testAnomalous(self):
#Test SoundGroup (mac1 wel msg1,msg3, geen msg2, mac2 wel msg1, msg2)
self.cep.send_event({
'timestamp': 'msg1',
'mac': 'mac1',
'soundlevel': '0.5'}, 'Anomalous_Sound')
self.cep.send_event({
'timestamp': 'msg1',
'mac': 'mac2',
'soundlevel': '0.6'}, 'Anomalous_Sound')
time.sleep(2.1)
self.cep.send_event({
'timestamp': 'msg2',
'mac': 'mac2',
'soundlevel': '0.7'}, 'Anomalous_Sound')
self.cep.send_event({
'timestamp': 'msg2',
'mac': 'mac1',
'soundlevel': '0.8'}, 'Anomalous_Sound')
time.sleep(0.1)
self.cep.send_event({
'timestamp': 'msg3',
'mac': 'mac1',
'soundlevel': '0.9'}, 'Anomalous_Sound')
time.sleep(2.1)
print self.mocklisten.mock_calls
results = re.findall("soundlevel': u'(.*?)'",
str(self.mocklisten.mock_calls))
assert results[0] == '0.5'
assert results[1] == '0.6'
assert results[2] == '0.7'
assert results[3] == '0.9'
class TestQueryFacecount(object):
def setup(self): # Run independently for every testcast
self.cep = EsperEngine("TestAvgFacecount")
self.cep.define_event(
'Facecount',
{
'timestamp': java.lang.String, # ISO 8601
'mac': java.lang.String,
'facecount': java.lang.Float
})
self.cep.define_event('AvgFacecount', {
'facecount': java.lang.Float,
'avgfacecount': java.lang.Double
})
self.mocklisten = Mock()
self.qman = QueryManager(self.cep)
qa = queries.QueryFacecount(4)
self.qman.addQuery(qa.getQueries(), self.mocklisten)
def testFacecount1(self):
#Test AvgFacecount (met 0, 1 en 3 berichten)
self.cep.send_event(
{
'timestamp': '2014-07-07T11:22:33',
'mac': 'macf',
'facecount': 10.
}, 'Facecount')
time.sleep(5)
self.cep.send_event(
{
'timestamp': '2014-07-07T11:22:33',
'mac': 'macf',
'facecount': 1
}, 'Facecount')
self.cep.send_event(
{
'timestamp': '2014-07-07T11:22:33',
'mac': 'macf',
'facecount': 3
}, 'Facecount')
self.cep.send_event(
{
'timestamp': '2014-07-07T11:22:33',
'mac': 'macf',
'facecount': 8
}, 'Facecount')
time.sleep(4)
print self.mocklisten.mock_calls
# Possibly simpler with json.loads
results = re.findall("avgfacecount': (.*?)}",
str(self.mocklisten.mock_calls))
assert results[0] == '10.0'
assert results[2] == '4.0'
class TestQueryFacecount(object):
def setup(self): # Run independently for every testcast
self.cep = EsperEngine("TestAvgFacecount")
self.cep.define_event('Facecount', {
'timestamp': java.lang.String, # ISO 8601
'mac': java.lang.String,
'facecount': java.lang.Float }
)
self.cep.define_event('AvgFacecount', {
'facecount': java.lang.Float,
'avgfacecount': java.lang.Double
})
self.mocklisten = Mock()
self.qman = QueryManager(self.cep)
qa = queries.QueryFacecount(4)
self.qman.addQuery(qa.getQueries(), self.mocklisten)
def testFacecount1(self):
#Test AvgFacecount (met 0, 1 en 3 berichten)
self.cep.send_event({
'timestamp': '2014-07-07T11:22:33',
'mac': 'macf',
'facecount': 10.}, 'Facecount')
time.sleep(5)
self.cep.send_event({
'timestamp': '2014-07-07T11:22:33',
'mac': 'macf',
'facecount': 1}, 'Facecount')
self.cep.send_event({
'timestamp': '2014-07-07T11:22:33',
'mac': 'macf',
'facecount': 3}, 'Facecount')
self.cep.send_event({
'timestamp': '2014-07-07T11:22:33',
'mac': 'macf',
'facecount': 8}, 'Facecount')
time.sleep(4)
print self.mocklisten.mock_calls
# Possibly simpler with json.loads
results = re.findall("avgfacecount': (.*?)}",
str(self.mocklisten.mock_calls))
assert results[0] == '10.0'
assert results[2] == '4.0'
class testQueryBusy(object):
def setup(self): # Run independently for every testcase
self.cep = EsperEngine("TestBusy")
self.cep.define_event(
'Busy', {
'avgfacecount': java.lang.Double,
'nsg1': java.lang.Long,
'nsg2': java.lang.Long,
'busylevel': java.lang.Double
})
self.cep.define_event('AvgFacecount', {
'facecount': java.lang.Float,
'avgfacecount': java.lang.Double
})
self.cep.define_event('CountSounds', {
'mac': java.lang.String,
'nsg': java.lang.Long
})
self.mocklisten = Mock()
self.qman = QueryManager(self.cep)
qa = queries.QueryBusy(100)
self.qman.addQuery(qa.getQueries(), self.mocklisten)
def testBusy(self):
#Test Busy (met 1,1,1 en 3,49,99)
self.cep.send_event({
'facecount': 4.,
'avgfacecount': 1.
}, 'AvgFacecount')
self.cep.send_event({'mac': 'mac1', 'nsg': 1}, 'CountSounds')
self.cep.send_event({'mac': 'mac2', 'nsg': 1}, 'CountSounds')
time.sleep(4.5)
self.cep.send_event({
'facecount': 4.,
'avgfacecount': 3.
}, 'AvgFacecount')
self.cep.send_event({'mac': 'mac1', 'nsg': 49}, 'CountSounds')
self.cep.send_event({'mac': 'mac2', 'nsg': 99}, 'CountSounds')
time.sleep(0.5)
print self.mocklisten.mock_calls
results = re.findall("busylevel': (.*?)}",
str(self.mocklisten.mock_calls))
assert results[0] == '50000.0'
#datagen.append(bogusd.Point('P1'))
#datagen.append(bogusd.Point('P2'))
#datagen.append(bogusd.Point('P3'))
#datagen.append(bogusd.Point('P4'))
def callback(data_new, data_old):
print("New Data:" + str(data_new))
print("Old Data:" + str(data_old))
def endcallback():
print('Input terminated')
stmt = cep.create_query('select * from BogusEvent(P2 > 2.0).win:length(3)')
stmt.addListener(EventListener(callback))
cep.send_event({"P1": 1.1, "P2": 1.2, "P3": 1.3, "P4": 1.4},
"BogusEvent")
cep.send_event({"P1": 2.1, "P2": 2.2, "P3": 2.3, "P4": 2.4},
"BogusEvent")
cep.send_event({"P1": 3.1, "P2": 3.2, "P3": 3.3, "P4": 3.4},
"BogusEvent")
cep.send_event({"P1": 4.1, "P2": 4.2, "P3": 4.3, "P4": 4.4},
"BogusEvent")
cep.send_event({"P1": 5.1, "P2": 5.2, "P3": 5.3, "P4": 5.4},
"BogusEvent")
cep.send_event({"P1": 6.1, "P2": 6.2, "P3": 6.3, "P4": 6.4},
"BogusEvent")
cep.send_event({"P1": 7.1, "P2": 7.2, "P3": 7.3, "P4": 7.4},
"BogusEvent")
cep.send_event({"P1": 8.1, "P2": 8.2, "P3": 8.3, "P4": 8.4},
"BogusEvent")
class testQueryBusy(object):
def setup(self): # Run independently for every testcase
self.cep = EsperEngine("TestBusy")
self.cep.define_event('Busy', {
'avgfacecount': java.lang.Double,
'nsg1': java.lang.Long,
'nsg2': java.lang.Long,
'busylevel': java.lang.Double
})
self.cep.define_event('AvgFacecount', {
'facecount': java.lang.Float,
'avgfacecount': java.lang.Double
})
self.cep.define_event('CountSounds', {
'mac': java.lang.String,
'nsg': java.lang.Long
})
self.mocklisten = Mock()
self.qman = QueryManager(self.cep)
qa = queries.QueryBusy(100)
self.qman.addQuery(qa.getQueries(), self.mocklisten)
def testBusy(self):
#Test Busy (met 1,1,1 en 3,49,99)
self.cep.send_event({
'facecount': 4.,
'avgfacecount': 1.}, 'AvgFacecount')
self.cep.send_event({
'mac': 'mac1',
'nsg': 1}, 'CountSounds')
self.cep.send_event({
'mac': 'mac2',
'nsg': 1}, 'CountSounds')
time.sleep(4.5)
self.cep.send_event({
'facecount': 4.,
'avgfacecount': 3.}, 'AvgFacecount')
self.cep.send_event({
'mac': 'mac1',
'nsg': 49}, 'CountSounds')
self.cep.send_event({
'mac': 'mac2',
'nsg': 99}, 'CountSounds')
time.sleep(0.5)
print self.mocklisten.mock_calls
results = re.findall("busylevel': (.*?)}",
str(self.mocklisten.mock_calls))
assert results[0] == '50000.0'
class TestQueryAnomalous(object):
def setup(self): # Run independently for every testcast
self.cep = EsperEngine("TestAnomalous")
self.cep.define_event(
'Anomalous_Sound', {
'timestamp': java.lang.String,
'mac': java.lang.String,
'soundlevel': java.lang.String
})
self.cep.define_event(
'SoundGroup', {
'timestamp': java.lang.String,
'mac': java.lang.String,
'soundlevel': java.lang.String
})
self.mocklisten = Mock()
self.qman = QueryManager(self.cep)
qa = queries.QueryAnomalousSound()
self.qman.addQuery(qa.getQueries(), self.mocklisten)
def testAnomalous(self):
#Test SoundGroup (mac1 wel msg1,msg3, geen msg2, mac2 wel msg1, msg2)
self.cep.send_event(
{
'timestamp': 'msg1',
'mac': 'mac1',
'soundlevel': '0.5'
}, 'Anomalous_Sound')
self.cep.send_event(
{
'timestamp': 'msg1',
'mac': 'mac2',
'soundlevel': '0.6'
}, 'Anomalous_Sound')
time.sleep(2.1)
self.cep.send_event(
{
'timestamp': 'msg2',
'mac': 'mac2',
'soundlevel': '0.7'
}, 'Anomalous_Sound')
self.cep.send_event(
{
'timestamp': 'msg2',
'mac': 'mac1',
'soundlevel': '0.8'
}, 'Anomalous_Sound')
time.sleep(0.1)
self.cep.send_event(
{
'timestamp': 'msg3',
'mac': 'mac1',
'soundlevel': '0.9'
}, 'Anomalous_Sound')
time.sleep(2.1)
print self.mocklisten.mock_calls
results = re.findall("soundlevel': u'(.*?)'",
str(self.mocklisten.mock_calls))
assert results[0] == '0.5'
assert results[1] == '0.6'
assert results[2] == '0.7'
assert results[3] == '0.9'
class testQueryCountSounds(object):
TWIN = 4
def setup(self): # Run independently for every testcast
self.cep = EsperEngine("TestCountSounds")
self.cep.define_event(
'SoundGroup', {
'timestamp': java.lang.String,
'mac': java.lang.String,
'soundlevel': java.lang.String
})
self.cep.define_event('CountSounds', {
'mac': java.lang.String,
'nsg': java.lang.Long
})
self.mocklisten = Mock()
self.qman = QueryManager(self.cep)
qa = queries.QueryCountSounds(self.TWIN)
self.qman.addQuery(qa.getQueries(), self.mocklisten)
def testCountSounds(self):
#Test Countsounds (met 0, 1 en 3 events)
time.sleep(self.TWIN + 0.5)
self.cep.send_event(
{
'timestamp': 'msg',
'mac': 'mac1',
'soundlevel': '0.5'
}, 'SoundGroup')
time.sleep(self.TWIN + 0.5)
self.cep.send_event(
{
'timestamp': 'msg',
'mac': 'mac2',
'soundlevel': '0.5'
}, 'SoundGroup')
self.cep.send_event(
{
'timestamp': 'msg',
'mac': 'mac1',
'soundlevel': '0.5'
}, 'SoundGroup')
self.cep.send_event(
{
'timestamp': 'msg',
'mac': 'mac1',
'soundlevel': '0.5'
}, 'SoundGroup')
self.cep.send_event(
{
'timestamp': 'msg',
'mac': 'mac1',
'soundlevel': '0.5'
}, 'SoundGroup')
time.sleep(self.TWIN + 0.5)
print self.mocklisten.mock_calls
results = re.findall("nsg': (.*?)L", str(self.mocklisten.mock_calls))
assert results[0] == '1' # mac1 in second window
assert results[1] == '0' # mac1 out of first window
assert results[2] == '1' # mac2 in third window
assert results[3] == '3' # mac1 in third window
assert results[4] == '0' # mac2 out of second window
assert results[5] == '1' # mac1 out of second window
"syslog_message": jstr,
"syslog_hostname": jstr,
"syslog_program": jstr})
def callback(stmtname, data_new, data_old):
print "#" * 30
print "\n%s" % stmtname
if data_old:
print("Old Data:" + str(data_old))
if data_new:
print("New Data:" + str(data_new))
stmtname = 'EventLog: Bruteforce blocked accounts'
stmt = cep.create_query('select * from Events(eventlog_id = 4776 and Status = "0xc0000234").win:time(120 sec) GROUP BY TargetUserName HAVING count(eventlog_id) > 5')
stmt.addListener(EventListener(callback, stmtname))
stmtname = 'EventLog: Account blocked multiple times (5)'
stmt = cep.create_query('select * from Events(eventlog_id = 4740).win:time(24 hours) GROUP BY TargetUserName HAVING count(eventlog_id) > 5')
stmt.addListener(EventListener(callback, stmtname))
stmtname = 'Syslog: Linux SSH bruteforce'
stmt = cep.create_query('select * from Events(syslog_message like "Failed password for%").win:time(120 sec) GROUP BY syslog_hostname HAVING count(syslog_message) > 5')
stmt.addListener(EventListener(callback, stmtname))
while True:
for item in pubsub.listen():
if item['type'] != 'subscribe':
event = json.loads(item['data'])
cep.send_event(event, "Events")
