(t *testing.T)
| 271 | } |
| 272 | |
| 273 | func TestSimpleSequenceMultiplePartials(t *testing.T) { |
| 274 | log.SetLevel(log.DebugLevel) |
| 275 | |
| 276 | c := &config.FilterConfig{Name: "Command shell created a temp file"} |
| 277 | f := filter.New(` |
| 278 | sequence |
| 279 | maxspan 200ms |
| 280 | by ps.pid |
| 281 | |evt.name = 'CreateProcess' and ps.name = 'cmd.exe'| |
| 282 | |evt.name = 'CreateFile' and file.path icontains 'temp'| |
| 283 | `, &config.Config{EventSource: config.EventSourceConfig{EnableFileIOEvents: true}, Filters: &config.Filters{}}) |
| 284 | require.NoError(t, f.Compile()) |
| 285 | |
| 286 | ss := newSequenceState(f, c, new(ps.SnapshotterMock)) |
| 287 | |
| 288 | // create random matches which don't satisfy the sequence link |
| 289 | for i, pid := range []uint32{2343, 1024, 11122, 3450, 12319} { |
| 290 | e1 := &event.Event{ |
| 291 | Type: event.CreateProcess, |
| 292 | Timestamp: time.Now().Add(time.Duration(i) * time.Millisecond), |
| 293 | Name: "CreateProcess", |
| 294 | Tid: 2484, |
| 295 | PID: pid % 2, |
| 296 | PS: &pstypes.PS{ |
| 297 | Name: "cmd.exe", |
| 298 | Exe: "C:\\Windows\\system32\\cmd.exe", |
| 299 | }, |
| 300 | Params: event.Params{ |
| 301 | params.ProcessID: {Name: params.ProcessID, Type: params.PID, Value: pid % 2}, |
| 302 | }, |
| 303 | Metadata: map[event.MetadataKey]any{"foo": "bar", "fooz": "barzz"}, |
| 304 | } |
| 305 | e2 := &event.Event{ |
| 306 | Type: event.CreateFile, |
| 307 | Timestamp: time.Now().Add(time.Duration(i) * time.Millisecond * 2), |
| 308 | Name: "CreateFile", |
| 309 | Tid: 2484, |
| 310 | PID: pid * 2, |
| 311 | Category: event.File, |
| 312 | PS: &pstypes.PS{ |
| 313 | Name: "cmd.exe", |
| 314 | Exe: "C:\\Windows\\system32\\cmd.exe", |
| 315 | }, |
| 316 | Params: event.Params{ |
| 317 | params.FilePath: {Name: params.FilePath, Type: params.UnicodeString, Value: "C:\\Windows\\system32\\svchost-temp.exe"}, |
| 318 | }, |
| 319 | Metadata: map[event.MetadataKey]any{"foo": "bar", "fooz": "barzz"}, |
| 320 | } |
| 321 | require.False(t, ss.runSequence(e1)) |
| 322 | require.False(t, ss.runSequence(e2)) |
| 323 | } |
| 324 | |
| 325 | // expression matched multiple partials |
| 326 | assert.Len(t, ss.partials[0], 5) |
| 327 | assert.Len(t, ss.partials[1], 0) |
| 328 | |
| 329 | e1 := &event.Event{ |
| 330 | Seq: 20, |