示例#1
文件: mcafeeav.py 项目: dfjxs/plaso
    def testParse(self):
        """Parses AccessProtectionLog.txt and checks two of the sorted events.

        The event and warning counts are pinned first, then the attribute
        values of two entries, so that a change in how the DSV columns are
        mapped fails here instead of producing silently wrong timeline data.
        """
        access_protection_parser = mcafeeav.McafeeAccessProtectionParser()
        storage_writer = self._ParseFile(
            ['AccessProtectionLog.txt'], access_protection_parser)

        # Every line of the test log must become an event, and none may
        # leave an extraction or recovery warning behind.
        expected_counts = (
            ('number_of_events', 14),
            ('number_of_extraction_warnings', 0),
            ('number_of_recovery_warnings', 0))
        for attribute_name, expected_count in expected_counts:
            self.assertEqual(
                getattr(storage_writer, attribute_name), expected_count)

        # DSVParser does not guarantee the order in which it emits events,
        # so index into the sorted sequence rather than the raw one.
        sorted_events = list(storage_writer.GetSortedEvents())

        self.CheckEventValues(storage_writer, sorted_events[10], {
            'data_type': 'av:mcafee:accessprotectionlog',
            'date_time': '2013-09-27 14:42:26'})

        # TODO: Test that the UTF-8 byte order mark gets removed from
        # the first line.

        # The entry under test, as it appears in the log:
        # 9/27/2013 2:42:26 PM  Blocked by Access Protection rule
        #   SOMEDOMAIN\someUser C:\Windows\System32\procexp64.exe C:\Program Files
        # (x86)\McAfee\Common Framework\UdaterUI.exe  Common Standard
        # Protection:Prevent termination of McAfee processes  Action blocked :
        # Terminate
        #
        # NOTE(review): the quoted line shows 2:42:26 PM, UdaterUI.exe and
        # SOMEDOMAIN\someUser, while the expected values below use 14:42:39,
        # FrameworkService.exe and a masked username -- confirm which log line
        # sorted_events[11] really corresponds to and whether the test data
        # was anonymised after this comment was written.
        blocked_termination_values = {
            'action': 'Action blocked : Terminate',
            'data_type': 'av:mcafee:accessprotectionlog',
            'date_time': '2013-09-27 14:42:39',
            'filename': 'C:\\Windows\\System32\\procexp64.exe',
            'rule': (
                'Common Standard Protection:Prevent termination of McAfee '
                'processes'),
            # The trailing space is part of the parsed status value.
            'status': 'Blocked by Access Protection rule ',
            'trigger_location': (
                'C:\\Program Files (x86)\\McAfee\\Common Framework\\Frame'
                'workService.exe'),
            'username': '******'}

        self.CheckEventValues(
            storage_writer, sorted_events[11], blocked_termination_values)
示例#2
    def testParse(self):
        """Parses AccessProtectionLog.txt and checks timestamps and messages.

        Two entries of the sorted event list are inspected: one by timestamp
        only, the other by timestamp, username, filename and the long and
        short message strings derived from it.
        """
        access_protection_parser = mcafeeav.McafeeAccessProtectionParser()
        storage_writer = self._ParseFile(
            ['AccessProtectionLog.txt'], access_protection_parser)

        # One event per line; the test log has 14 lines.
        self.assertEqual(storage_writer.number_of_events, 14)

        # DSVParser does not guarantee the order in which it emits events,
        # so index into the sorted sequence rather than the raw one.
        sorted_events = list(storage_writer.GetSortedEvents())

        def _ExpectedTimestamp(date_time_string):
            # Converts the date/time string into the representation that
            # event.timestamp is compared against.
            return timelib.Timestamp.CopyFromString(date_time_string)

        first_checked_event = sorted_events[10]
        self.assertEqual(
            first_checked_event.timestamp,
            _ExpectedTimestamp('2013-09-27 14:42:26'))

        # TODO: Test that the UTF-8 byte order mark gets removed from
        # the first line.

        # The entry under test, as it appears in the log:
        # 9/27/2013 2:42:26 PM  Blocked by Access Protection rule
        #   SOMEDOMAIN\someUser C:\Windows\System32\procexp64.exe C:\Program Files
        # (x86)\McAfee\Common Framework\UdaterUI.exe  Common Standard
        # Protection:Prevent termination of McAfee processes  Action blocked :
        # Terminate
        #
        # NOTE(review): the quoted line shows 2:42:26 PM and UdaterUI.exe,
        # while the expected values below use 14:42:39 and
        # FrameworkService.exe -- confirm which log line sorted_events[11]
        # really corresponds to.
        second_checked_event = sorted_events[11]
        self.assertEqual(
            second_checked_event.timestamp,
            _ExpectedTimestamp('2013-09-27 14:42:39'))
        self.assertEqual(second_checked_event.username, 'SOMEDOMAIN\\someUser')
        self.assertEqual(
            second_checked_event.filename,
            'C:\\Windows\\System32\\procexp64.exe')

        # The double space after "rule" reproduces the trailing space that
        # is part of the parsed status value.
        expected_long_message = (
            'File Name: C:\\Windows\\System32\\procexp64.exe '
            'User: SOMEDOMAIN\\someUser '
            'C:\\Program Files (x86)\\McAfee\\Common Framework\\Frame'
            'workService.exe '
            'Blocked by Access Protection rule  '
            'Common Standard Protection:Prevent termination of McAfee processes '
            'Action blocked : Terminate')
        expected_brief_message = (
            'C:\\Windows\\System32\\procexp64.exe '
            'Action blocked : Terminate')

        self._TestGetMessageStrings(
            second_checked_event, expected_long_message, expected_brief_message)
示例#3
  def testParse(self):
    """Parses AccessProtectionLog.txt and checks two of the sorted events.

    Pins the warning and event counts, the timestamp of one entry, and the
    timestamp, filename, username and message strings of another.
    """
    access_protection_parser = mcafeeav.McafeeAccessProtectionParser()
    storage_writer = self._ParseFile(
        ['AccessProtectionLog.txt'], access_protection_parser)

    # The test log must parse without warnings and yield one event per line.
    self.assertEqual(storage_writer.number_of_warnings, 0)
    self.assertEqual(storage_writer.number_of_events, 14)

    # DSVParser does not guarantee the order in which it emits events, so
    # index into the sorted sequence rather than the raw one.
    sorted_events = list(storage_writer.GetSortedEvents())

    self.CheckEventValues(storage_writer, sorted_events[10], {
        'timestamp': '2013-09-27 14:42:26.000000'})

    # TODO: Test that the UTF-8 byte order mark gets removed from
    # the first line.

    # The entry under test, as it appears in the log:
    # 9/27/2013 2:42:26 PM  Blocked by Access Protection rule
    #   SOMEDOMAIN\someUser C:\Windows\System32\procexp64.exe C:\Program Files
    # (x86)\McAfee\Common Framework\UdaterUI.exe  Common Standard
    # Protection:Prevent termination of McAfee processes  Action blocked :
    # Terminate
    #
    # NOTE(review): the quoted line shows 2:42:26 PM and SOMEDOMAIN\someUser,
    # while the expected values below use 14:42:39 and a masked username, and
    # the expected message still contains SOMEDOMAIN\someUser -- confirm the
    # entry this index refers to and whether username masking is intended.
    checked_event = sorted_events[11]
    self.CheckEventValues(storage_writer, checked_event, {
        'filename': 'C:\\Windows\\System32\\procexp64.exe',
        'timestamp': '2013-09-27 14:42:39.000000',
        'username': '******'})

    # The double space after "rule" reproduces the trailing space that is
    # part of the parsed status value.
    expected_long_message = (
        'File Name: C:\\Windows\\System32\\procexp64.exe '
        'User: SOMEDOMAIN\\someUser '
        'C:\\Program Files (x86)\\McAfee\\Common Framework\\Frame'
        'workService.exe '
        'Blocked by Access Protection rule  '
        'Common Standard Protection:Prevent termination of McAfee processes '
        'Action blocked : Terminate')
    expected_brief_message = (
        'C:\\Windows\\System32\\procexp64.exe '
        'Action blocked : Terminate')

    checked_event_data = self._GetEventDataOfEvent(storage_writer, checked_event)
    self._TestGetMessageStrings(
        checked_event_data, expected_long_message, expected_brief_message)
示例#4
    def testParse(self):
        """Parses AccessProtectionLog.txt and checks the first two event objects.

        Event objects are read back from the parser queue in file order, so
        the first two lines of the log are inspected directly.
        """
        access_protection_parser = mcafeeav.McafeeAccessProtectionParser()

        test_file = self._GetTestFilePath([u'AccessProtectionLog.txt'])
        event_queue_consumer = self._ParseFile(
            access_protection_parser, test_file)
        event_objects = self._GetEventObjectsFromQueue(event_queue_consumer)

        # One event object per line; the test log has 14 lines.
        self.assertEqual(len(event_objects), 14)

        # The first line starts with a UTF-8 byte order mark; a correct
        # timestamp here shows the mark did not corrupt the date field.
        # 1380292946000000 is 2013-09-27 14:42:26 UTC in microseconds, i.e.
        # the log's timezone-less "2:42:26 PM" is expected to be read as UTC.
        first_event_object, second_event_object = event_objects[:2]

        self.assertEqual(first_event_object.timestamp, 1380292946000000)

        # The entry under test, as it appears in the log:
        # 9/27/2013 2:42:26 PM  Blocked by Access Protection rule
        #   SOMEDOMAIN\someUser C:\Windows\System32\procexp64.exe C:\Program Files
        # (x86)\McAfee\Common Framework\UdaterUI.exe  Common Standard
        # Protection:Prevent termination of McAfee processes  Action blocked :
        # Terminate
        #
        # NOTE(review): the quoted line shows 2:42:26 PM and UdaterUI.exe,
        # while the expected timestamp below is 14:42:39 UTC and the expected
        # message names FrameworkService.exe -- confirm which log line the
        # second event object really corresponds to.
        self.assertEqual(second_event_object.timestamp, 1380292959000000)
        self.assertEqual(second_event_object.username, u'SOMEDOMAIN\\someUser')
        self.assertEqual(
            second_event_object.full_path,
            u'C:\\Windows\\System32\\procexp64.exe')

        # The double space after "rule" reproduces the trailing space that
        # is part of the parsed status value.
        expected_long_message = (
            u'File Name: C:\\Windows\\System32\\procexp64.exe '
            u'User: SOMEDOMAIN\\someUser '
            u'C:\\Program Files (x86)\\McAfee\\Common Framework\\Frame'
            u'workService.exe '
            u'Blocked by Access Protection rule  '
            u'Common Standard Protection:Prevent termination of McAfee processes '
            u'Action blocked : Terminate')
        expected_brief_message = (
            u'C:\\Windows\\System32\\procexp64.exe '
            u'Action blocked : Terminate')

        self._TestGetMessageStrings(
            second_event_object, expected_long_message, expected_brief_message)
示例#5
 def setUp(self):
     """Creates the parser instance shared by the tests in this case."""
     parser_class = mcafeeav.McafeeAccessProtectionParser
     self._parser = parser_class()
示例#6
 def setUp(self):
   """Builds the preprocess object and the parser that is handed it."""
   preprocess_object = event.PreprocessObject()
   parser_class = mcafeeav.McafeeAccessProtectionParser
   self._parser = parser_class(preprocess_object)
示例#7
 def setUp(self):
     """Creates a fresh parser instance before each individual test."""
     parser_class = mcafeeav.McafeeAccessProtectionParser
     self._parser = parser_class()