def test_1_of_them():
# Make sure 1
sigma = PySigma()
sigma.add_signature("""
title: sample signature
detection:
a: ["a"]
b: ["b"]
condition: 1 of them
""")
assert len(sigma.check_events([{'log': 'a', 'Data': []}])) == 1
assert len(sigma.check_events([{'log': 'b', 'Data': []}])) == 1
assert len(sigma.check_events([{'log': 'ab', 'Data': []}])) == 1
assert len(sigma.check_events([{'log': 'c', 'Data': []}])) == 0
def test_all_of_x():
# Make sure 1
sigma = PySigma()
sigma.add_signature("""
title: sample signature
detection:
aa: ["aa"]
ab: ["ab"]
ba: ["ba"]
bb: ["bb"]
condition: all of a*
""")
assert len(sigma.check_events([{'log': 'aa', 'Data': []}])) == 0
assert len(sigma.check_events([{'log': '1ab ba ca', 'Data': []}])) == 0
assert len(sigma.check_events([{'log': 'ba', 'Data': []}])) == 0
assert len(sigma.check_events([{'log': 'aabb', 'Data': []}])) == 1
def test_null_and_not_null():
sigma = PySigma()
sigma.add_signature("""
title: sample signature
detection:
forbid:
x: null
filter:
y: null
condition: forbid and not filter
""")
assert len(sigma.check_events([{'y': 'found', 'Data': []}])) == 1
assert len(sigma.check_events([{'z': 'found', 'Data': []}])) == 0
assert len(sigma.check_events([{
'y': 'found',
'x': 'also',
'Data': []
}])) == 0
def test_substrings():
# Is this what that part of the standard meant about list of strings anywhere?
sigma = PySigma()
sigma.add_signature("""
title: sample signature
detection:
signs:
- "red things"
- "blue things"
condition: signs
""")
assert len(
sigma.check_events([{
'log': 'all sorts of red things and blue things were there',
'Data': []
}])) == 1
def test_complicated_condition():
sigma = PySigma()
sigma.add_signature(complicated_condition)
assert len(sigma.check_events([event])) == 1
def test_and_search():
# Test a signature where the search block is just a map (and operation)
sigma = PySigma()
sigma.add_signature(base_signature + " condition: true_still_expected")
assert len(sigma.check_events([event])) == 1
def test_value_wildcard_search():
# has an example of the * wildcard embedded
sigma = PySigma()
sigma.add_signature(base_signature + " condition: true_cats_expected")
assert len(sigma.check_events([event])) == 1
def test_value_or_search():
# Test a signature where the search block has a list of values (or across those values)
sigma = PySigma()
sigma.add_signature(base_signature + " condition: true_also_expected")
assert len(sigma.check_events([event])) == 1
def test_or_search():
# Test a signature where the search block is just a list (or operation)
# Also has an example of the ? wildcard embedded
sigma = PySigma()
sigma.add_signature(base_signature + " condition: true_expected")
assert len(sigma.check_events([event])) == 1