def test_new_version_new_rules_same_objects(self, mock_table: mock.MagicMock):
"""A previously analyzed binary matches a new YARA rule - create DB entry and alert."""
match_table = analyzer_aws_lib.DynamoMatchTable(MOCK_DYNAMO_TABLE_NAME)
match_table._table.query = lambda **kwargs: {
'Items': [
{
'AnalyzerVersion': 1,
'MatchedRules': {'file.yara:rule_name'},
'S3Objects': {'S3:test-bucket:test-key'}
}
]
}
self._binary.yara_matches.append(
yara_mocks.YaraMatchMock('new_file.yara', 'different_rule_name'))
needs_alert = match_table.save_matches(self._binary, 2)
self.assertTrue(needs_alert)
mock_table.assert_has_calls([
mock.call.Table().put_item(Item={
'SHA256': 'Computed_SHA',
'AnalyzerVersion': 2,
'MatchedRules': {'new_file.yara:different_rule_name', 'file.yara:rule_name'},
'MD5': 'Computed_MD5',
'S3LastModified': 'time:right_now',
'S3Metadata': {'test-filename': 'test.txt'},
'S3Objects': {'S3:test-bucket:test-key'}})
])
def setUp(self):
"""Before each test, setup a BinaryInfo."""
self._binary = binary_info.BinaryInfo('test-bucket', 'test-key', None)
self._binary.s3_last_modified = 'time:right_now'
self._binary.s3_metadata = {'test-filename': 'test.txt'}
self._binary.computed_md5 = 'Computed_MD5'
self._binary.computed_sha = 'Computed_SHA'
self._binary.yara_matches = [yara_mocks.YaraMatchMock('file.yara', 'rule_name')]
def test_old_version(self):
"""Analyze with an older version of the Lambda function - update DB but do not alert."""
self._add_item()
self._binary.yara_matches.append(
yara_mocks.YaraMatchMock('new_file.yara', 'better_rule_name'))
needs_alert = self._match_table.save_matches(self._binary, 0)
self.assertFalse(needs_alert) # Don't alert even if there was a change
self.assertEqual([(self._binary.computed_sha, '0'),
(self._binary.computed_sha, '1')],
sorted(self._mock_dynamo_table.items))
def test_new_version_new_rules_same_objects(self):
"""A previously analyzed binary matches a new YARA rule - create DB entry and alert."""
self._add_item()
self._binary.yara_matches.append(
yara_mocks.YaraMatchMock('new_file.yara', 'better_rule_name'))
needs_alert = self._match_table.save_matches(self._binary, 2)
self.assertTrue(needs_alert)
stored_item = self._mock_dynamo_table.items[(self._binary.computed_sha,
'2')]
self.assertTrue(
'new_file.yara' in str(stored_item.key_value_dict.values()))
def setUp(self):
"""Before each test, create the mock environment."""
# Create a mock Dynamo table.
self._mock_dynamo_client = boto3_mocks.MockDynamoDBClient(
MOCK_DYNAMO_TABLE_NAME, HASH_KEY, RANGE_KEY)
self._mock_dynamo_table = self._mock_dynamo_client.tables[
MOCK_DYNAMO_TABLE_NAME]
# Setup mocks.
boto3.client = mock.MagicMock(return_value=self._mock_dynamo_client)
self._binary = binary_info.BinaryInfo('Bucket', 'Key', None)
self._binary.reported_md5 = 'Original_MD5'
self._binary.observed_path = '/bin/path/run.exe'
self._binary.yara_matches = [
yara_mocks.YaraMatchMock('file.yara', 'rule_name')
]
self._binary.computed_sha = 'Computed_SHA'
self._binary.computed_md5 = 'Computed_MD5'
self._match_table = analyzer_aws_lib.DynamoMatchTable(
MOCK_DYNAMO_TABLE_NAME)
def test_old_version(self, mock_logger: mock.MagicMock, mock_table: mock.MagicMock):
"""Analyze with an older version of the Lambda function - update DB but do not alert."""
match_table = analyzer_aws_lib.DynamoMatchTable(MOCK_DYNAMO_TABLE_NAME)
match_table._table.query = lambda **kwargs: {
'Items': [
{
'AnalyzerVersion': 1,
'MatchedRules': {'file.yara:rule_name'},
'S3Objects': {'S3:test-bucket:test-key'}
}
]
}
self._binary.yara_matches.append(
yara_mocks.YaraMatchMock('new_file.yara', 'different_rule_name'))
needs_alert = match_table.save_matches(self._binary, 0)
self.assertFalse(needs_alert) # Don't alert even if there was a change
mock_logger.assert_has_calls([
mock.call.warning(
'Current Lambda version %d is < version %d from previous analysis', 0, 1
)
])
mock_table.assert_has_calls([mock.call.Table().put_item(Item=mock.ANY)])