
Function TestSimpleSequenceMultiplePartials

pkg/rules/sequence_test.go:273–380  ·  view source on GitHub ↗
(t *testing.T)


271}
272
273func TestSimpleSequenceMultiplePartials(t *testing.T) {
274 log.SetLevel(log.DebugLevel)
275
276 c := &config.FilterConfig{Name: "Command shell created a temp file"}
277 f := filter.New(`
278 sequence
279 maxspan 200ms
280 by ps.pid
281 |evt.name = 'CreateProcess' and ps.name = 'cmd.exe'|
282 |evt.name = 'CreateFile' and file.path icontains 'temp'|
283 `, &config.Config{EventSource: config.EventSourceConfig{EnableFileIOEvents: true}, Filters: &config.Filters{}})
284 require.NoError(t, f.Compile())
285
286 ss := newSequenceState(f, c, new(ps.SnapshotterMock))
287
288 // create random matches which don't satisfy the sequence link
289 for i, pid := range []uint32{2343, 1024, 11122, 3450, 12319} {
290 e1 := &event.Event{
291 Type: event.CreateProcess,
292 Timestamp: time.Now().Add(time.Duration(i) * time.Millisecond),
293 Name: "CreateProcess",
294 Tid: 2484,
295 PID: pid % 2,
296 PS: &pstypes.PS{
297 Name: "cmd.exe",
298 Exe: "C:\\Windows\\system32\\cmd.exe",
299 },
300 Params: event.Params{
301 params.ProcessID: {Name: params.ProcessID, Type: params.PID, Value: pid % 2},
302 },
303 Metadata: map[event.MetadataKey]any{"foo": "bar", "fooz": "barzz"},
304 }
305 e2 := &event.Event{
306 Type: event.CreateFile,
307 Timestamp: time.Now().Add(time.Duration(i) * time.Millisecond * 2),
308 Name: "CreateFile",
309 Tid: 2484,
310 PID: pid * 2,
311 Category: event.File,
312 PS: &pstypes.PS{
313 Name: "cmd.exe",
314 Exe: "C:\\Windows\\system32\\cmd.exe",
315 },
316 Params: event.Params{
317 params.FilePath: {Name: params.FilePath, Type: params.UnicodeString, Value: "C:\\Windows\\system32\\svchost-temp.exe"},
318 },
319 Metadata: map[event.MetadataKey]any{"foo": "bar", "fooz": "barzz"},
320 }
321 require.False(t, ss.runSequence(e1))
322 require.False(t, ss.runSequence(e2))
323 }
324
325 // expression matched multiple partials
326 assert.Len(t, ss.partials[0], 5)
327 assert.Len(t, ss.partials[1], 0)
328
329 e1 := &event.Event{
330 Seq: 20,
