164 lines
5.7 KiB
Python
164 lines
5.7 KiB
Python
#!/usr/bin/python
|
|
# -*- coding: utf-8 -*-
|
|
#
|
|
# Copyright 2013 The Plaso Project Authors.
|
|
# Please see the AUTHORS file for details on individual authors.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
"""This file contains a unit test for the event formatters."""
|
|
|
|
import unittest
|
|
|
|
from plaso.formatters import interface
|
|
from plaso.formatters import manager
|
|
from plaso.formatters import winreg # pylint: disable=unused-import
|
|
from plaso.lib import event_test
|
|
|
|
|
|
class TestEvent1Formatter(interface.EventFormatter):
|
|
"""Test event 1 formatter."""
|
|
DATA_TYPE = 'test:event1'
|
|
FORMAT_STRING = u'{text}'
|
|
|
|
SOURCE_SHORT = 'FILE'
|
|
SOURCE_LONG = 'Weird Log File'
|
|
|
|
|
|
class WrongEventFormatter(interface.EventFormatter):
|
|
"""A simple event formatter."""
|
|
DATA_TYPE = 'test:wrong'
|
|
FORMAT_STRING = u'This format string does not match {body}.'
|
|
|
|
SOURCE_SHORT = 'FILE'
|
|
SOURCE_LONG = 'Weird Log File'
|
|
|
|
|
|
class EventFormatterUnitTest(unittest.TestCase):
|
|
"""The unit test for the event formatter."""
|
|
|
|
def setUp(self):
|
|
"""Sets up the needed objects used throughout the test."""
|
|
self._formatters_manager = manager.EventFormatterManager
|
|
self.event_objects = event_test.GetEventObjects()
|
|
|
|
def GetCSVLine(self, event_object):
|
|
"""Takes an EventObject and prints out a simple CSV line from it."""
|
|
try:
|
|
msg, _ = self._formatters_manager.GetMessageStrings(event_object)
|
|
source_short, source_long = self._formatters_manager.GetSourceStrings(
|
|
event_object)
|
|
except KeyError:
|
|
print event_object.GetAttributes()
|
|
return u'{0:d},{1:s},{2:s},{3:s}'.format(
|
|
event_object.timestamp, source_short, source_long, msg)
|
|
|
|
def testInitialization(self):
|
|
"""Test the initialization."""
|
|
self.assertTrue(TestEvent1Formatter())
|
|
|
|
def testAttributes(self):
|
|
"""Test if we can read the event attributes correctly."""
|
|
events = {}
|
|
for event_object in self.event_objects:
|
|
events[self.GetCSVLine(event_object)] = True
|
|
|
|
self.assertIn((
|
|
u'1334961526929596,REG,UNKNOWN key,[MY AutoRun key] Run: '
|
|
u'c:/Temp/evil.exe'), events)
|
|
|
|
self.assertIn(
|
|
(u'1334966206929596,REG,UNKNOWN key,[//HKCU/Secret/EvilEmpire/'
|
|
u'Malicious_key] Value: send all the exes to the other '
|
|
u'world'), events)
|
|
self.assertIn((u'1334940286000000,REG,UNKNOWN key,[//HKCU/Windows'
|
|
u'/Normal] Value: run all the benign stuff'), events)
|
|
self.assertIn((u'1335781787929596,FILE,Weird Log File,This log line reads '
|
|
u'ohh so much.'), events)
|
|
self.assertIn((u'1335781787929596,FILE,Weird Log File,Nothing of interest'
|
|
u' here, move on.'), events)
|
|
self.assertIn((u'1335791207939596,FILE,Weird Log File,Mr. Evil just logged'
|
|
u' into the machine and got root.'), events)
|
|
|
|
def testTextBasedEvent(self):
|
|
"""Test a text based event."""
|
|
for event_object in self.event_objects:
|
|
source_short, _ = self._formatters_manager.GetSourceStrings(event_object)
|
|
if source_short == 'LOG':
|
|
msg, msg_short = self._formatters_manager.GetMessageStrings(
|
|
event_object)
|
|
|
|
self.assertEquals(msg, (
|
|
u'This is a line by someone not reading the log line properly. And '
|
|
u'since this log line exceeds the accepted 80 chars it will be '
|
|
u'shortened.'))
|
|
self.assertEquals(msg_short, (
|
|
u'This is a line by someone not reading the log line properly. '
|
|
u'And since this l...'))
|
|
|
|
|
|
class ConditionalTestEvent1(event_test.TestEvent1):
|
|
DATA_TYPE = 'test:conditional_event1'
|
|
|
|
|
|
class ConditionalTestEvent1Formatter(interface.ConditionalEventFormatter):
|
|
"""Test event 1 conditional (event) formatter."""
|
|
DATA_TYPE = 'test:conditional_event1'
|
|
FORMAT_STRING_PIECES = [
|
|
u'Description: {description}',
|
|
u'Comment',
|
|
u'Value: 0x{numeric:02x}',
|
|
u'Optional: {optional}',
|
|
u'Text: {text}']
|
|
|
|
SOURCE_SHORT = 'LOG'
|
|
SOURCE_LONG = 'Some Text File.'
|
|
|
|
|
|
class BrokenConditionalEventFormatter(interface.ConditionalEventFormatter):
|
|
"""A broken conditional event formatter."""
|
|
DATA_TYPE = 'test:broken_conditional'
|
|
FORMAT_STRING_PIECES = [u'{too} {many} formatting placeholders']
|
|
|
|
SOURCE_SHORT = 'LOG'
|
|
SOURCE_LONG = 'Some Text File.'
|
|
|
|
|
|
class ConditionalEventFormatterUnitTest(unittest.TestCase):
|
|
"""The unit test for the conditional event formatter."""
|
|
|
|
def setUp(self):
|
|
"""Sets up the needed objects used throughout the test."""
|
|
self.event_object = ConditionalTestEvent1(1335791207939596, {
|
|
'numeric': 12, 'description': 'this is beyond words',
|
|
'text': 'but we\'re still trying to say something about the event'})
|
|
|
|
def testInitialization(self):
|
|
"""Test the initialization."""
|
|
self.assertTrue(ConditionalTestEvent1Formatter())
|
|
with self.assertRaises(RuntimeError):
|
|
BrokenConditionalEventFormatter()
|
|
|
|
def testGetMessages(self):
|
|
"""Test get messages."""
|
|
event_formatter = ConditionalTestEvent1Formatter()
|
|
msg, _ = event_formatter.GetMessages(self.event_object)
|
|
|
|
expected_msg = (
|
|
u'Description: this is beyond words Comment Value: 0x0c '
|
|
u'Text: but we\'re still trying to say something about the event')
|
|
self.assertEquals(msg, expected_msg)
|
|
|
|
|
|
if __name__ == '__main__':
|
|
unittest.main()
|