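def run_test(self, create_filter, input_blobs=None, expected_output_blobs=None):
    """Mocks out stdin, stdout, and config then runs input lines through an OutputFilter.

    Args:
        create_filter: A callable that returns an OutputFilter.
        input_blobs: An array of dicts to pass to OutputFilter. These will be
            serialized into strings and passed as stdin.
        expected_output_blobs: An array of dicts the output of the OutputFilter
            must match. An empty list asserts that the filter emits nothing;
            None (the default) skips the comparison entirely.

    Returns:
        The list of dicts the OutputFilter wrote to stdout, one per line.
    """
    if not input_blobs:
        input_blobs = []
    input_lines = '\n'.join([simplejson.dumps(blob) for blob in input_blobs])

    with nested(
        patch('sys.stdin', StringIO(input_lines)),
        patch('sys.stdout', new_callable=StringIO),
        # Pin the config lookup to the checked-in test fixture so the test does
        # not depend on whatever _config_file_path would resolve to on this host.
        patch(
            'osxcollector.output_filters.util.config._config_file_path',
            return_value='./tests/output_filters/data/test_osxcollector_config.yaml',
        ),
    ) as (_stdin, mock_stdout, __):
        output_filter = create_filter()
        run_filter(output_filter)
        # One JSON blob per line; the trailing newline yields an empty entry.
        output_lines = [line for line in mock_stdout.getvalue().split('\n') if line]
        output_blobs = [simplejson.loads(line) for line in output_lines]

    # Compare on `is not None`, not truthiness: an empty expected list is a
    # real assertion ("no output"), which a truthiness check would silently skip.
    if expected_output_blobs is not None:
        T.assert_equal(len(output_blobs), len(expected_output_blobs))
        for expected_blob, actual_blob in zip(expected_output_blobs, output_blobs):
            assert_equal_sorted(expected_blob, actual_blob)

    return output_blobs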
def main():
    """Parse the pivot terms from the command line and run AnalyzeFilter on stdin."""
    parser = OptionParser(usage='usage: %prog [options]')

    # (short flag, long flag, dest, help) for each repeatable pivot-term option.
    pivot_options = [
        ('-f', '--file-term', 'file_terms',
         '[OPTIONAL] Suspicious terms to use in pivoting through file names. May be specified more than once.'),
        ('-d', '--domain', 'domain_terms',
         '[OPTIONAL] Suspicious domains to use for pivoting. May be specified more than once.'),
        ('-i', '--ip', 'ip_terms',
         '[OPTIONAL] Suspicious IP to use for pivoting. May be specified more than once.'),
    ]
    for short_flag, long_flag, dest, help_text in pivot_options:
        # A fresh [] per option, exactly as the inline literals gave each one.
        parser.add_option(short_flag, long_flag, dest=dest, default=[], action='append', help=help_text)

    options, _ = parser.parse_args()
    analyze_filter = AnalyzeFilter(
        initial_file_terms=options.file_terms,
        initial_domains=options.domain_terms,
        initial_ips=options.ip_terms,
    )
    run_filter(analyze_filter)
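def run_test(self, create_filter, input_blobs=None, expected_output_blobs=None):
    """Mocks out stdin, stdout, and config then runs input lines through an OutputFilter.

    Args:
        create_filter: A callable that returns an OutputFilter.
        input_blobs: An array of dicts to pass to OutputFilter. These will be
            serialized into strings and passed as stdin.
        expected_output_blobs: An array of dicts the output of the OutputFilter
            must match. Pass an empty list to assert the filter emits nothing;
            pass None (the default) to skip the comparison.

    Returns:
        The list of dicts the OutputFilter wrote to stdout, one per line.
    """
    blobs_in = input_blobs or []
    stdin_text = '\n'.join(simplejson.dumps(blob) for blob in blobs_in)

    stdin_patch = patch('sys.stdin', StringIO(stdin_text))
    stdout_patch = patch('sys.stdout', new_callable=StringIO)
    # Route config loading to the checked-in fixture so the test is hermetic
    # and never depends on the config _config_file_path would otherwise pick.
    config_patch = patch(
        'osxcollector.output_filters.util.config._config_file_path',
        return_value='./tests/output_filters/data/test_osxcollector_config.yaml',
    )

    with nested(stdin_patch, stdout_patch, config_patch) as (_stdin, mock_stdout, __):
        run_filter(create_filter())
        # The filter writes one JSON document per line; skip the empty tail.
        output_blobs = [
            simplejson.loads(line)
            for line in mock_stdout.getvalue().split('\n')
            if line
        ]

    # `is not None` so that an empty expected list still asserts "no output";
    # a truthiness test would skip that case.
    if expected_output_blobs is not None:
        T.assert_equal(len(output_blobs), len(expected_output_blobs))
        for expected_blob, actual_blob in zip(expected_output_blobs, output_blobs):
            assert_equal_sorted(expected_blob, actual_blob)

    return output_blobs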
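def main():
    """Parse the command line, build the analysis (or readout) filter, and run it.

    Input comes from --input-file when given, otherwise from stdin; the
    chosen filter is executed through run_filter.
    """
    parser = ArgumentParser()
    parser.add_argument('-f', '--file-term', dest='file_terms', default=[], action='append',
                        help='[OPTIONAL] Suspicious terms to use in pivoting through file names. May be specified more than once.')
    parser.add_argument('-d', '--domain', dest='domain_terms', default=[], action='append',
                        help='[OPTIONAL] Suspicious domains to use for pivoting. May be specified more than once.')
    parser.add_argument('-i', '--ip', dest='ip_terms', default=[], action='append',
                        help='[OPTIONAL] Suspicious IP to use for pivoting. May be specified more than once.')
    # type=int: without it the CLI value arrives as a str while the default is
    # the DEFAULT_RELATED_DOMAINS_GENERATIONS constant (presumably an int —
    # confirm), so generation comparisons would silently mix types.
    parser.add_argument('--related-domains-generations', dest='related_domains_generations',
                        default=DEFAULT_RELATED_DOMAINS_GENERATIONS, type=int,
                        help='[OPTIONAL] How many generations of related domains to lookup with OpenDNS')
    parser.add_argument('--readout', dest='readout', action='store_true', default=False,
                        help='[OPTIONAL] Skip the analysis and just output really readable analysis')
    parser.add_argument('-M', '--monochrome', dest='monochrome', action='store_true', default=False,
                        help='[OPTIONAL] Output monochrome analysis')
    parser.add_argument('--no-opendns', dest='no_opendns', action='store_true', default=False,
                        help='[OPTIONAL] Don\'t run OpenDNS filters')
    parser.add_argument('--no-virustotal', dest='no_virustotal', action='store_true', default=False,
                        help='[OPTIONAL] Don\'t run VirusTotal filters')
    parser.add_argument('--no-shadowserver', dest='no_shadowserver', action='store_true', default=False,
                        help='[OPTIONAL] Don\'t run ShadowServer filters')
    parser.add_argument('--input-file', dest='input_file', default=None,
                        help='[OPTIONAL] Path to OSXCollector output to read. Defaults to stdin otherwise.')
    args = parser.parse_args()

    if args.readout:
        # Readout mode skips analysis and only pretty-prints.
        output_filter = _VeryReadableOutputFilter(monochrome=args.monochrome)
    else:
        output_filter = AnalyzeFilter(
            initial_file_terms=args.file_terms,
            initial_domains=args.domain_terms,
            initial_ips=args.ip_terms,
            related_domains_generations=args.related_domains_generations,
            monochrome=args.monochrome,
            no_opendns=args.no_opendns,
            no_virustotal=args.no_virustotal,
            no_shadowserver=args.no_shadowserver,
        )

    if args.input_file:
        with open(args.input_file, 'r') as fp_in:
            run_filter(output_filter, input_stream=fp_in)
    else:
        run_filter(output_filter)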
def main():
    """Entry point: run FindBlacklistedFilter over the default input stream."""
    output_filter = FindBlacklistedFilter()
    run_filter(output_filter)
def main():
    """Entry point: run LookupURLsFilter over the default input stream."""
    output_filter = LookupURLsFilter()
    run_filter(output_filter)
def main():
    """Entry point: run RelatedDomainsFilter over the default input stream."""
    output_filter = RelatedDomainsFilter()
    run_filter(output_filter)
def main():
    """Entry point: run LookupDomainsFilter over the default input stream."""
    output_filter = LookupDomainsFilter()
    run_filter(output_filter)
def main():
    """Entry point: run FirefoxHistoryFilter over the default input stream."""
    output_filter = FirefoxHistoryFilter()
    run_filter(output_filter)
def main():
    """Entry point: run LookupHashesFilter over the default input stream."""
    output_filter = LookupHashesFilter()
    run_filter(output_filter)
def main():
    """Entry point: run FindDomainsFilter over the default input stream."""
    output_filter = FindDomainsFilter()
    run_filter(output_filter)
def main():
    """Entry point: run SortHistoryFilter over the default input stream."""
    output_filter = SortHistoryFilter()
    run_filter(output_filter)
def main():
    """Entry point: run FindExtensionsFilter over the default input stream."""
    output_filter = FindExtensionsFilter()
    run_filter(output_filter)
def main():
    """Entry point: run ChromeHistoryFilter over the default input stream."""
    output_filter = ChromeHistoryFilter()
    run_filter(output_filter)
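def main():
    """Parse the command line, build the analysis (or readout) filter, and run it.

    Input comes from --input-file when given, otherwise from stdin; the
    chosen filter is executed through run_filter.
    """
    parser = ArgumentParser()
    parser.add_argument(
        '-f', '--file-term', dest='file_terms', default=[], action='append',
        help='[OPTIONAL] Suspicious terms to use in pivoting through file names. May be specified more than once.',
    )
    parser.add_argument(
        '-d', '--domain', dest='domain_terms', default=[], action='append',
        help='[OPTIONAL] Suspicious domains to use for pivoting. May be specified more than once.',
    )
    parser.add_argument(
        '-i', '--ip', dest='ip_terms', default=[], action='append',
        help='[OPTIONAL] Suspicious IP to use for pivoting. May be specified more than once.',
    )
    # type=int: otherwise the CLI value is a str while the default is the
    # DEFAULT_RELATED_DOMAINS_GENERATIONS constant (presumably an int —
    # confirm), and generation comparisons would silently mix types.
    parser.add_argument(
        '--related-domains-generations', dest='related_domains_generations',
        default=DEFAULT_RELATED_DOMAINS_GENERATIONS, type=int,
        help='[OPTIONAL] How many generations of related domains to lookup with OpenDNS',
    )
    parser.add_argument(
        '--readout', dest='readout', action='store_true', default=False,
        help='[OPTIONAL] Skip the analysis and just output really readable analysis',
    )
    parser.add_argument(
        '-M', '--monochrome', dest='monochrome', action='store_true', default=False,
        help='[OPTIONAL] Output monochrome analysis',
    )
    parser.add_argument(
        '--no-opendns', dest='no_opendns', action='store_true', default=False,
        help='[OPTIONAL] Don\'t run OpenDNS filters',
    )
    parser.add_argument(
        '--no-virustotal', dest='no_virustotal', action='store_true', default=False,
        help='[OPTIONAL] Don\'t run VirusTotal filters',
    )
    parser.add_argument(
        '--no-shadowserver', dest='no_shadowserver', action='store_true', default=False,
        help='[OPTIONAL] Don\'t run ShadowServer filters',
    )
    parser.add_argument(
        '--show-signature-chain', dest='show_signature_chain', action='store_true', default=False,
        help='[OPTIONAL] Output unsigned startup items and kexts.',
    )
    parser.add_argument(
        '--show-browser-ext', dest='show_browser_ext', action='store_true', default=False,
        help='[OPTIONAL] Output the list of installed browser extensions.',
    )
    parser.add_argument(
        '--input-file', dest='input_file', default=None,
        help='[OPTIONAL] Path to OSXCollector output to read. Defaults to stdin otherwise.',
    )
    args = parser.parse_args()

    if args.readout:
        # Readout mode skips analysis and only pretty-prints.
        output_filter = _VeryReadableOutputFilter(
            monochrome=args.monochrome,
            show_signature_chain=args.show_signature_chain,
            show_browser_ext=args.show_browser_ext,
        )
    else:
        output_filter = AnalyzeFilter(
            initial_file_terms=args.file_terms,
            initial_domains=args.domain_terms,
            initial_ips=args.ip_terms,
            related_domains_generations=args.related_domains_generations,
            monochrome=args.monochrome,
            no_opendns=args.no_opendns,
            no_virustotal=args.no_virustotal,
            no_shadowserver=args.no_shadowserver,
            show_signature_chain=args.show_signature_chain,
            show_browser_ext=args.show_browser_ext,
        )

    if args.input_file:
        with open(args.input_file, 'r') as fp_in:
            run_filter(output_filter, input_stream=fp_in)
    else:
        run_filter(output_filter)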