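#!/usr/bin/python
# -*- coding: utf-8 -*-
#
# Copyright 2012 The Plaso Project Authors.
# Please see the AUTHORS file for details on individual authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#    http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""This file contains a unit test for the EventObject.

This is an implementation of a unit test for the EventObject storage
mechanism of plaso.

GetEventObjects() builds eight synthetic EventObjects (registry, text and
plain events) that other storage tests reuse as fixtures; every value in
them (hostnames, paths, registry keys, log lines) is constructed test data
and carries no meaning outside this test suite.

The EventObjectTest class checks:
  + EventObject equality (__eq__) and EqualityString().
  + That 'filestat' events without an inode never compare equal.

Error handling. The following tests are performed for error handling:
  + Access attributes that are not set.
"""

import unittest

from plaso.events import text_events
from plaso.events import windows_events
from plaso.lib import event
from plaso.lib import timelib_test


class TestEvent1(event.EventObject):
  """A test event object.

  Attributes:
    timestamp: the timestamp value passed to the constructor.
    timestamp_desc: fixed description 'Some time in the future'.
    Plus one attribute per entry of the attributes dict passed to __init__.
  """
  DATA_TYPE = 'test:event1'

  def __init__(self, timestamp, attributes):
    """Initializes the test event object.

    Args:
      timestamp: the timestamp value to store in self.timestamp.
      attributes: a dict of attribute name to value; every entry is set
                  as an attribute on the new object.
    """
    super(TestEvent1, self).__init__()
    self.timestamp = timestamp
    self.timestamp_desc = 'Some time in the future'
    # items() works on both Python 2 and 3; the dict is small so the
    # intermediate list it builds on Python 2 does not matter.
    for attribute, value in attributes.items():
      setattr(self, attribute, value)


class FailEvent(event.EventObject):
  """A test event object without the minimal required initialization.

  No DATA_TYPE and no attributes are set on purpose, so that reading
  attributes such as format_string_short raises AttributeError.
  """


def GetEventObjects():
  """Returns a list of test event objects.

  Returns:
    A list of eight EventObjects in this order: three
    WindowsRegistryEvents, one plain EventObject, three TestEvent1
    objects and one TextEvent. The order is kept stable because other
    tests consume this list as a fixture.
  """
  event_objects = []
  hostname = 'MYHOSTNAME'
  data_type = 'test:event1'

  # A plain EventObject with its attributes set by hand; it is appended
  # after the registry events below (see the appended order).
  event_a = event.EventObject()
  event_a.username = 'joesmith'
  event_a.filename = 'c:/Users/joesmith/NTUSER.DAT'
  event_a.hostname = hostname
  event_a.timestamp = 0
  event_a.data_type = data_type

  # TODO: move this to a WindowsRegistryEvent unit test.
  timestamp = timelib_test.CopyStringToTimestamp(
      '2012-04-20 22:38:46.929596')
  event_b = windows_events.WindowsRegistryEvent(
      timestamp, u'MY AutoRun key', {u'Run': u'c:/Temp/evil.exe'})
  event_b.hostname = hostname
  event_objects.append(event_b)

  timestamp = timelib_test.CopyStringToTimestamp(
      '2012-04-20 23:56:46.929596')
  event_c = windows_events.WindowsRegistryEvent(
      timestamp, u'//HKCU/Secret/EvilEmpire/Malicious_key',
      {u'Value': u'send all the exes to the other world'})
  event_c.hostname = hostname
  event_objects.append(event_c)

  timestamp = timelib_test.CopyStringToTimestamp(
      '2012-04-20 16:44:46.000000')
  event_d = windows_events.WindowsRegistryEvent(
      timestamp, u'//HKCU/Windows/Normal',
      {u'Value': u'run all the benign stuff'})
  event_d.hostname = hostname
  event_objects.append(event_d)

  event_objects.append(event_a)

  # Three TestEvent1 objects sharing the same filename; event_e and
  # event_f deliberately carry the same timestamp and differ only in text.
  timestamp = timelib_test.CopyStringToTimestamp(
      '2012-04-30 10:29:47.929596')
  filename = 'c:/Temp/evil.exe'
  event_e = TestEvent1(timestamp, {
      'text': 'This log line reads ohh so much.'})
  event_e.filename = filename
  event_e.hostname = hostname
  event_objects.append(event_e)

  timestamp = timelib_test.CopyStringToTimestamp(
      '2012-04-30 10:29:47.929596')
  event_f = TestEvent1(timestamp, {
      'text': 'Nothing of interest here, move on.'})
  event_f.filename = filename
  event_f.hostname = hostname
  event_objects.append(event_f)

  timestamp = timelib_test.CopyStringToTimestamp(
      '2012-04-30 13:06:47.939596')
  event_g = TestEvent1(timestamp, {
      'text': 'Mr. Evil just logged into the machine and got root.'})
  event_g.filename = filename
  event_g.hostname = hostname
  event_objects.append(event_g)

  text_dict = {'body': (
      u'This is a line by someone not reading the log line properly. And '
      u'since this log line exceeds the accepted 80 chars it will be '
      u'shortened.'),
      'hostname': u'nomachine',
      'username': u'johndoe'}

  # TODO: move this to a TextEvent unit test.
  timestamp = timelib_test.CopyStringToTimestamp(
      '2012-06-05 22:14:19.000000')
  event_h = text_events.TextEvent(timestamp, 12, text_dict)
  # text mirrors body; hostname and filename set here override the
  # 'nomachine' hostname carried in text_dict.
  event_h.text = event_h.body
  event_h.hostname = hostname
  event_h.filename = filename
  event_objects.append(event_h)

  return event_objects


class EventObjectTest(unittest.TestCase):
  """Tests for the event object."""

  def _CreateEventObject(self, attributes):
    """Creates a plain EventObject with the given attributes set.

    Args:
      attributes: a dict of attribute name to value.

    Returns:
      An event.EventObject with every entry of attributes set on it.
    """
    event_object = event.EventObject()
    for name, value in attributes.items():
      setattr(event_object, name, value)
    return event_object

  def testSameEvent(self):
    """Test the EventObject comparison.

    event_a and event_b hold the same values, once as unicode and once as
    byte strings; they must compare equal. event_e differs only in
    attributes that do not take part in the comparison (inode, filename,
    metadata) and must compare equal to event_a as well.
    """
    event_a = self._CreateEventObject({
        'timestamp': 123,
        'timestamp_desc': u'LAST WRITTEN',
        'data_type': 'mock:nothing',
        'inode': 124,
        'filename': u'c:/bull/skrytinmappa/skra.txt',
        'another_attribute': False,
        'metadata': {
            u'author': u'Some Random Dude',
            u'version': 1245L,
            u'last_changed': u'Long time ago'},
        'strings': [u'This ', u'is a ', u'long string']})

    event_b = self._CreateEventObject({
        'timestamp': 123,
        'timestamp_desc': 'LAST WRITTEN',
        'data_type': 'mock:nothing',
        'inode': 124,
        'filename': 'c:/bull/skrytinmappa/skra.txt',
        'another_attribute': False,
        'metadata': {
            'author': 'Some Random Dude',
            'version': 1245L,
            'last_changed': 'Long time ago'},
        'strings': ['This ', 'is a ', 'long string']})

    # Same as event_b except for the timestamp description.
    event_c = self._CreateEventObject({
        'timestamp': 123,
        'timestamp_desc': 'LAST UPDATED',
        'data_type': 'mock:nothing',
        'inode': 124,
        'filename': 'c:/bull/skrytinmappa/skra.txt',
        'another_attribute': False})

    # Same as event_c except for the timestamp and its description.
    event_d = self._CreateEventObject({
        'timestamp': 14523,
        'timestamp_desc': 'LAST WRITTEN',
        'data_type': 'mock:nothing',
        'inode': 124,
        'filename': 'c:/bull/skrytinmappa/skra.txt',
        'another_attribute': False})

    event_e = self._CreateEventObject({
        'timestamp': 123,
        'timestamp_desc': 'LAST WRITTEN',
        'data_type': 'mock:nothing',
        'inode': 623423,
        'filename': 'c:/afrit/onnurskra.txt',
        'another_attribute': False,
        'metadata': {
            'author': 'Some Random Dude',
            'version': 1245,
            'last_changed': 'Long time ago'},
        'strings': ['This ', 'is a ', 'long string']})

    self.assertEqual(event_a, event_b)
    self.assertNotEqual(event_a, event_c)
    self.assertEqual(event_a, event_e)
    self.assertNotEqual(event_c, event_d)

  def testEqualityString(self):
    """Test the EventObject EqualityString.

    All events derive from one base set of attributes; each variant
    overrides a single field so that a failing assertion points at the
    attribute EqualityString() handled wrongly.
    """
    base_attributes = {
        'timestamp': 123,
        'timestamp_desc': 'LAST WRITTEN',
        'data_type': 'mock:nothing',
        'inode': 124,
        'filename': 'c:/bull/skrytinmappa/skra.txt',
        'another_attribute': False}

    event_a = self._CreateEventObject(base_attributes)
    event_b = self._CreateEventObject(base_attributes)
    event_c = self._CreateEventObject(
        dict(base_attributes, timestamp_desc='LAST UPDATED'))
    event_d = self._CreateEventObject(
        dict(base_attributes, timestamp=14523))
    # Non-ASCII filename (a UTF-8 byte string under the coding header
    # above) with a different inode; neither must change the result.
    event_e = self._CreateEventObject(dict(
        base_attributes, inode=623423,
        filename='c:/afrit/öñṅûŗ₅ḱŖūα.txt'))
    # Same timestamp as event_d plus one extra attribute.
    event_f = self._CreateEventObject(dict(
        base_attributes, timestamp=14523, weirdness='I am a potato'))

    self.assertEqual(event_a.EqualityString(), event_b.EqualityString())
    self.assertNotEqual(event_a.EqualityString(), event_c.EqualityString())
    self.assertEqual(event_a.EqualityString(), event_e.EqualityString())
    self.assertNotEqual(event_c.EqualityString(), event_d.EqualityString())
    self.assertNotEqual(event_d.EqualityString(), event_f.EqualityString())

  def _CreateFileStatEventWithoutInode(self):
    """Creates a 'filestat' event object that carries no inode attribute.

    Returns:
      An event.EventObject with parser set to 'filestat' and no inode.
    """
    return self._CreateEventObject({
        'timestamp': 123,
        'timestamp_desc': 'LAST WRITTEN',
        'data_type': 'mock:nothing',
        'parser': 'filestat',
        'filename': 'c:/bull/skrytinmappa/skra.txt',
        'another_attribute': False})

  def testEqualityFileStatParserMissingInode(self):
    """Test that FileStatParser events with missing inodes are distinct.

    Two otherwise identical 'filestat' events without an inode must not
    compare equal, so they are never deduplicated against each other.
    """
    event_a = self._CreateFileStatEventWithoutInode()
    event_b = self._CreateFileStatEventWithoutInode()

    self.assertNotEqual(event_a, event_b)

  def testEqualityStringFileStatParserMissingInode(self):
    """Test that FileStatParser EqualityStrings with missing inodes differ.

    Same fixture as testEqualityFileStatParserMissingInode, checked via
    EqualityString() instead of __eq__.
    """
    event_a = self._CreateFileStatEventWithoutInode()
    event_b = self._CreateFileStatEventWithoutInode()

    self.assertNotEqual(event_a.EqualityString(), event_b.EqualityString())

  def testNotInEventAndNoParent(self):
    """Reading an attribute that was never set raises AttributeError."""
    event_object = TestEvent1(0, {})
    with self.assertRaises(AttributeError):
      getattr(event_object, 'doesnotexist')

  def testFailEvent(self):
    """Reading format_string_short on an uninitialized event raises."""
    e = FailEvent()
    with self.assertRaises(AttributeError):
      getattr(e, 'format_string_short')


if __name__ == '__main__':
  unittest.main()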