#!/usr/bin/python # -*- coding: utf-8 -*- # # Copyright 2013 The Plaso Project Authors. # Please see the AUTHORS file for details on individual authors. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. """This file contains a unit test for the event formatters.""" import unittest from plaso.formatters import interface from plaso.formatters import manager from plaso.formatters import winreg # pylint: disable=unused-import from plaso.lib import event_test class TestEvent1Formatter(interface.EventFormatter): """Test event 1 formatter.""" DATA_TYPE = 'test:event1' FORMAT_STRING = u'{text}' SOURCE_SHORT = 'FILE' SOURCE_LONG = 'Weird Log File' class WrongEventFormatter(interface.EventFormatter): """A simple event formatter.""" DATA_TYPE = 'test:wrong' FORMAT_STRING = u'This format string does not match {body}.' SOURCE_SHORT = 'FILE' SOURCE_LONG = 'Weird Log File' class EventFormatterUnitTest(unittest.TestCase): """The unit test for the event formatter.""" def setUp(self): """Sets up the needed objects used throughout the test.""" self._formatters_manager = manager.EventFormatterManager self.event_objects = event_test.GetEventObjects() def GetCSVLine(self, event_object): """Takes an EventObject and prints out a simple CSV line from it.""" try: msg, _ = self._formatters_manager.GetMessageStrings(event_object) source_short, source_long = self._formatters_manager.GetSourceStrings( event_object) except KeyError: print event_object.GetAttributes() return u'{0:d},{1:s},{2:s},{3:s}'.format( event_object.timestamp, source_short, source_long, msg) def testInitialization(self): """Test the initialization.""" self.assertTrue(TestEvent1Formatter()) def testAttributes(self): """Test if we can read the event attributes correctly.""" events = {} for event_object in self.event_objects: events[self.GetCSVLine(event_object)] = True self.assertIn(( u'1334961526929596,REG,UNKNOWN key,[MY AutoRun key] Run: ' u'c:/Temp/evil.exe'), events) self.assertIn( (u'1334966206929596,REG,UNKNOWN key,[//HKCU/Secret/EvilEmpire/' u'Malicious_key] Value: send all the exes to the other ' u'world'), events) self.assertIn((u'1334940286000000,REG,UNKNOWN key,[//HKCU/Windows' u'/Normal] Value: run all the benign stuff'), events) self.assertIn((u'1335781787929596,FILE,Weird Log File,This log line reads ' u'ohh so much.'), events) self.assertIn((u'1335781787929596,FILE,Weird Log File,Nothing of interest' u' here, move on.'), events) self.assertIn((u'1335791207939596,FILE,Weird Log File,Mr. Evil just logged' u' into the machine and got root.'), events) def testTextBasedEvent(self): """Test a text based event.""" for event_object in self.event_objects: source_short, _ = self._formatters_manager.GetSourceStrings(event_object) if source_short == 'LOG': msg, msg_short = self._formatters_manager.GetMessageStrings( event_object) self.assertEquals(msg, ( u'This is a line by someone not reading the log line properly. And ' u'since this log line exceeds the accepted 80 chars it will be ' u'shortened.')) self.assertEquals(msg_short, ( u'This is a line by someone not reading the log line properly. ' u'And since this l...')) class ConditionalTestEvent1(event_test.TestEvent1): DATA_TYPE = 'test:conditional_event1' class ConditionalTestEvent1Formatter(interface.ConditionalEventFormatter): """Test event 1 conditional (event) formatter.""" DATA_TYPE = 'test:conditional_event1' FORMAT_STRING_PIECES = [ u'Description: {description}', u'Comment', u'Value: 0x{numeric:02x}', u'Optional: {optional}', u'Text: {text}'] SOURCE_SHORT = 'LOG' SOURCE_LONG = 'Some Text File.' class BrokenConditionalEventFormatter(interface.ConditionalEventFormatter): """A broken conditional event formatter.""" DATA_TYPE = 'test:broken_conditional' FORMAT_STRING_PIECES = [u'{too} {many} formatting placeholders'] SOURCE_SHORT = 'LOG' SOURCE_LONG = 'Some Text File.' class ConditionalEventFormatterUnitTest(unittest.TestCase): """The unit test for the conditional event formatter.""" def setUp(self): """Sets up the needed objects used throughout the test.""" self.event_object = ConditionalTestEvent1(1335791207939596, { 'numeric': 12, 'description': 'this is beyond words', 'text': 'but we\'re still trying to say something about the event'}) def testInitialization(self): """Test the initialization.""" self.assertTrue(ConditionalTestEvent1Formatter()) with self.assertRaises(RuntimeError): BrokenConditionalEventFormatter() def testGetMessages(self): """Test get messages.""" event_formatter = ConditionalTestEvent1Formatter() msg, _ = event_formatter.GetMessages(self.event_object) expected_msg = ( u'Description: this is beyond words Comment Value: 0x0c ' u'Text: but we\'re still trying to say something about the event') self.assertEquals(msg, expected_msg) if __name__ == '__main__': unittest.main()