1 #!/usr/bin/python | 1 #!/usr/bin/env python |
2 # -*- coding: utf-8 -*- | 2 # -*- coding: utf-8 -*- |
3 """Tests for the Trend Micro AV Log parser.""" | 3 """Tests for the Trend Micro AV Log parser.""" |
4 | 4 |
5 from __future__ import unicode_literals | 5 from __future__ import unicode_literals |
6 | 6 |
7 import unittest | 7 import unittest |
8 | 8 |
9 from plaso.formatters import trendmicroav as _ # pylint: disable=unused-import | 9 from plaso.formatters import trendmicroav as _ # pylint: disable=unused-import |
10 from plaso.lib import timelib | |
11 from plaso.parsers import trendmicroav | 10 from plaso.parsers import trendmicroav |
12 | 11 |
13 from tests import test_lib as shared_test_lib | 12 from tests import test_lib as shared_test_lib |
14 from tests.parsers import test_lib | 13 from tests.parsers import test_lib |
15 | 14 |
16 | 15 |
17 class TrendMicroUnitTest(test_lib.ParserTestCase): | 16 class TrendMicroUnitTest(test_lib.ParserTestCase): |
18 """Tests for the Trend Micro AV Log parser.""" | 17 """Tests for the Trend Micro AV Log parser.""" |
19 | 18 |
20 @shared_test_lib.skipUnlessHasTestFile(['pccnt35.log']) | 19 @shared_test_lib.skipUnlessHasTestFile(['pccnt35.log']) |
21 def testParse(self): | 20 def testParse(self): |
22 """Tests the Parse function.""" | 21 """Tests the Parse function.""" |
23 parser = trendmicroav.OfficeScanVirusDetectionParser() | 22 parser = trendmicroav.OfficeScanVirusDetectionParser() |
24 storage_writer = self._ParseFile(['pccnt35.log'], parser) | 23 storage_writer = self._ParseFile(['pccnt35.log'], parser) |
25 | 24 |
26 # The file contains 3 lines which results in 3 events. | 25 # The file contains 3 lines which results in 3 events. |
27 self.assertEqual(storage_writer.number_of_events, 3) | 26 self.assertEqual(storage_writer.number_of_events, 3) |
28 | 27 |
29 # The order in which DSVParser generates events is nondeterministic | 28 # The order in which DSVParser generates events is nondeterministic |
30 # hence we sort the events. | 29 # hence we sort the events. |
31 events = list(storage_writer.GetSortedEvents()) | 30 events = list(storage_writer.GetSortedEvents()) |
32 | 31 |
33 event = events[1] | 32 event = events[1] |
34 expected_timestamp = timelib.Timestamp.CopyFromString( | 33 self.CheckTimestamp(event.timestamp, '2018-01-30 14:45:32.000000') |
35 '2018-01-30 14:45:32') | |
36 self.assertEqual(event.timestamp, expected_timestamp) | |
37 | 34 |
38 # The third and last event has been edited to match the older, documented | 35 # The third and last event has been edited to match the older, documented |
39 # format for log lines (without a Unix timestamp). | 36 # format for log lines (without a Unix timestamp). |
40 event = events[2] | 37 event = events[2] |
41 expected_timestamp = timelib.Timestamp.CopyFromString( | 38 self.CheckTimestamp(event.timestamp, '2018-01-30 14:46:00.000000') |
42 '2018-01-30 14:46:00') | |
43 self.assertEqual(event.timestamp, expected_timestamp) | |
44 | 39 |
45 # Test the third event. | 40 # Test the third event. |
46 | 41 |
47 self.assertEqual(event.path, 'C:\\temp\\') | 42 self.assertEqual(event.path, 'C:\\temp\\') |
48 self.assertEqual(event.filename, 'eicar.com_.gstmp') | 43 self.assertEqual(event.filename, 'eicar.com_.gstmp') |
49 | 44 |
50 expected_message = ( | 45 expected_message = ( |
51 r'Path: C:\temp\ File name: eicar.com_.gstmp ' | 46 r'Path: C:\temp\ File name: eicar.com_.gstmp ' |
52 r'Eicar_test_1 -> Failure (clean), moved (Real-time scan)') | 47 r'Eicar_test_1 : Failure (clean), moved (Real-time scan)') |
53 expected_short_message = r'C:\temp\ eicar.com_.gstmp Failure (clean), moved' | 48 expected_short_message = r'C:\temp\ eicar.com_.gstmp Failure (clean), moved' |
54 | 49 |
55 self._TestGetMessageStrings(event, expected_message, expected_short_message) | 50 self._TestGetMessageStrings(event, expected_message, expected_short_message) |
56 | 51 |
57 @shared_test_lib.skipUnlessHasTestFile(['OfcUrlf.log']) | 52 @shared_test_lib.skipUnlessHasTestFile(['OfcUrlf.log']) |
58 def testWebReputationParse(self): | 53 def testWebReputationParse(self): |
59 """Tests the Parse function.""" | 54 """Tests the Parse function.""" |
60 parser = trendmicroav.OfficeScanWebReputationParser() | 55 parser = trendmicroav.OfficeScanWebReputationParser() |
61 storage_writer = self._ParseFile(['OfcUrlf.log'], parser) | 56 storage_writer = self._ParseFile(['OfcUrlf.log'], parser) |
62 | 57 |
63 # The file contains 3 lines which results in 3 events. | 58 # The file contains 3 lines which results in 3 events. |
64 self.assertEqual(storage_writer.number_of_events, 4) | 59 self.assertEqual(storage_writer.number_of_events, 4) |
65 | 60 |
66 # The order in which DSVParser generates events is nondeterministic | 61 # The order in which DSVParser generates events is nondeterministic |
67 # hence we sort the events. | 62 # hence we sort the events. |
68 events = list(storage_writer.GetSortedEvents()) | 63 events = list(storage_writer.GetSortedEvents()) |
69 | 64 |
70 event = events[1] | 65 event = events[1] |
71 expected_timestamp = timelib.Timestamp.CopyFromString( | 66 self.CheckTimestamp(event.timestamp, '2018-01-23 13:16:22.000000') |
72 '2018-01-23 13:16:22') | |
73 self.assertEqual(event.timestamp, expected_timestamp) | |
74 | 67 |
75 # Test the third event. | 68 # Test the third event. |
76 event = events[2] | 69 event = events[2] |
77 self.assertEqual(event.url, 'http://www.eicar.org/download/eicar.com') | 70 self.assertEqual(event.url, 'http://www.eicar.org/download/eicar.com') |
78 self.assertEqual(event.group_code, '4E') | 71 self.assertEqual(event.group_code, '4E') |
79 self.assertEqual(event.cred_score, 49) | 72 self.assertEqual(event.cred_score, 49) |
80 | 73 |
81 expected_message = ( | 74 expected_message = ( |
82 'http://www.eicar.org/download/eicar.com ' | 75 'http://www.eicar.org/download/eicar.com ' |
83 'Group: Malware Accomplice 4E Mode: Whitelist only Policy ID: 1 ' | 76 'Group: Malware Accomplice 4E Mode: Whitelist only Policy ID: 1 ' |
84 'Credibility rating: 1 Credibility score: 49 Threshold value: 0 ' | 77 'Credibility rating: 1 Credibility score: 49 Threshold value: 0 ' |
85 'Accessed by: C:\\Users\\user\\Downloads\\wget.exe') | 78 'Accessed by: C:\\Users\\user\\Downloads\\wget.exe') |
86 expected_short_message = ( | 79 expected_short_message = ( |
87 'http://www.eicar.org/download/eicar.com Malware Accomplice') | 80 'http://www.eicar.org/download/eicar.com Malware Accomplice') |
88 | 81 |
89 self._TestGetMessageStrings(event, expected_message, expected_short_message) | 82 self._TestGetMessageStrings(event, expected_message, expected_short_message) |
90 | 83 |
91 if __name__ == '__main__': | 84 if __name__ == '__main__': |
92 unittest.main() | 85 unittest.main() |
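Review bot: The comment above the event-count assertion in testWebReputationParse still says the file contains 3 lines producing 3 events, while the assertion directly beneath it expects `number_of_events` to be 4; the two disagree and this commit, which only touches the timestamp checks, leaves the mismatch in place. I cannot see OfcUrlf.log, so either the comment or the expected count may be the wrong one, but whichever is correct the other should be fixed so the next reader does not have to open the fixture to trust the test. If the fixture really has four records, the comment should read `# The file contains 4 lines which results in 4 events.`; if it has three, the assertion should be corrected instead. It may also be worth noting that the fourth sorted event is never inspected, so a parsing regression on that line would only show up as a count change.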