// Copyright (c) 2014 Dataence, LLC. All rights reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
// +build ignore
package sequence
import (
"testing"
"github.com/stretchr/testify/require"
)
// seqAnalyzeTests pins the tagging that analyzeSequence is expected to assign
// to the raw token stream the scanner produces for a handful of representative
// log lines: sshd authentication events, an Apache-style access-log entry, a
// Cisco ASA connection message, an sshd reverse-DNS warning and a key=value
// firewall record.
//
// Each case pairs the raw message with the exact Sequence expected after
// analysis. Only non-zero fields are spelled out: a token without isKey /
// isValue is a plain (false, false) token, and the element type Token is
// elided as gofmt -s would do. TestAnalyzeSequence compares by struct
// equality, so every field of every token matters.
//
// NOTE(review): the file carries a `+build ignore` line above the package
// clause; if that is an effective build constraint, `go test` never compiles
// or runs these cases, so treat the expectations below as a snapshot of past
// behaviour rather than verified current behaviour.
var seqAnalyzeTests = []struct {
	msg string   // raw log line handed to the scanner
	seq Sequence // tokens expected after analyzeSequence
}{
	// sshd: failed password authentication. TagStatus / TagMethod /
	// TagSrcUser / TagSrcIPv4 / TagSrcPort are the fields a brute-force or
	// credential-stuffing detection would key on. Note the expected status
	// value is lowercased ("failed") relative to the message ("Failed");
	// that normalisation happens somewhere in Scan/analyzeSequence, and any
	// consumer matching on the value must use the same casing.
	{
		msg: "Jan 12 06:49:42 irc sshd[7034]: Failed password for root from 218.161.81.238 port 4228 ssh2",
		seq: Sequence{
			{Tag: TagMsgTime, Type: TokenTime, Value: "Jan 12 06:49:42"},
			{Tag: TagAppHost, Type: TokenString, Value: "irc"},
			{Tag: TagAppName, Type: TokenString, Value: "sshd"},
			{Tag: TagUnknown, Type: TokenLiteral, Value: "["},
			{Tag: TagSessionID, Type: TokenInteger, Value: "7034"},
			{Tag: TagUnknown, Type: TokenLiteral, Value: "]"},
			{Tag: TagUnknown, Type: TokenLiteral, Value: ":"},
			{Tag: TagStatus, Type: TokenString, Value: "failed"},
			{Tag: TagMethod, Type: TokenString, Value: "password"},
			{Tag: TagUnknown, Type: TokenLiteral, Value: "for", isKey: true},
			{Tag: TagSrcUser, Type: TokenString, Value: "root"},
			{Tag: TagUnknown, Type: TokenLiteral, Value: "from", isKey: true},
			{Tag: TagSrcIPv4, Type: TokenIPv4, Value: "218.161.81.238"},
			{Tag: TagUnknown, Type: TokenLiteral, Value: "port", isKey: true},
			{Tag: TagSrcPort, Type: TokenInteger, Value: "4228"},
			{Tag: TagUnknown, Type: TokenLiteral, Value: "ssh2"},
		},
	},
	// sshd: accepted password authentication. Same layout as the failed case;
	// only the TagStatus value differs, which is exactly what a detection
	// pairing a run of "failed" with a later "accepted" for the same
	// TagSrcUser/TagSrcIPv4 relies on.
	{
		msg: "Jan 12 06:49:42 irc sshd[7034]: Accepted password for root from 218.161.81.238 port 4228 ssh2",
		seq: Sequence{
			{Tag: TagMsgTime, Type: TokenTime, Value: "Jan 12 06:49:42"},
			{Tag: TagAppHost, Type: TokenString, Value: "irc"},
			{Tag: TagAppName, Type: TokenString, Value: "sshd"},
			{Tag: TagUnknown, Type: TokenLiteral, Value: "["},
			{Tag: TagSessionID, Type: TokenInteger, Value: "7034"},
			{Tag: TagUnknown, Type: TokenLiteral, Value: "]"},
			{Tag: TagUnknown, Type: TokenLiteral, Value: ":"},
			{Tag: TagStatus, Type: TokenString, Value: "accepted"},
			{Tag: TagMethod, Type: TokenString, Value: "password"},
			{Tag: TagUnknown, Type: TokenLiteral, Value: "for", isKey: true},
			{Tag: TagSrcUser, Type: TokenString, Value: "root"},
			{Tag: TagUnknown, Type: TokenLiteral, Value: "from", isKey: true},
			{Tag: TagSrcIPv4, Type: TokenIPv4, Value: "218.161.81.238"},
			{Tag: TagUnknown, Type: TokenLiteral, Value: "port", isKey: true},
			{Tag: TagSrcPort, Type: TokenInteger, Value: "4228"},
			{Tag: TagUnknown, Type: TokenLiteral, Value: "ssh2"},
		},
	},
	// sshd: accepted public-key authentication. Exercises a TagMethod other
	// than "password" and a non-root TagSrcUser that happens to equal the
	// TagAppHost ("jlz"); the two must not be confused by position.
	{
		msg: "Jan 12 14:44:48 jlz sshd[11084]: Accepted publickey for jlz from 76.21.0.16 port 36609 ssh2",
		seq: Sequence{
			{Tag: TagMsgTime, Type: TokenTime, Value: "Jan 12 14:44:48"},
			{Tag: TagAppHost, Type: TokenString, Value: "jlz"},
			{Tag: TagAppName, Type: TokenString, Value: "sshd"},
			{Tag: TagUnknown, Type: TokenLiteral, Value: "["},
			{Tag: TagSessionID, Type: TokenInteger, Value: "11084"},
			{Tag: TagUnknown, Type: TokenLiteral, Value: "]"},
			{Tag: TagUnknown, Type: TokenLiteral, Value: ":"},
			{Tag: TagStatus, Type: TokenString, Value: "accepted"},
			{Tag: TagMethod, Type: TokenString, Value: "publickey"},
			{Tag: TagUnknown, Type: TokenLiteral, Value: "for", isKey: true},
			{Tag: TagSrcUser, Type: TokenString, Value: "jlz"},
			{Tag: TagUnknown, Type: TokenLiteral, Value: "from", isKey: true},
			{Tag: TagSrcIPv4, Type: TokenIPv4, Value: "76.21.0.16"},
			{Tag: TagUnknown, Type: TokenLiteral, Value: "port", isKey: true},
			{Tag: TagSrcPort, Type: TokenInteger, Value: "36609"},
			{Tag: TagUnknown, Type: TokenLiteral, Value: "ssh2"},
		},
	},
	// Apache/CLF-style access log. The whole request URL, query string and
	// jsessionid included, is expected as one TagObject token; the method is
	// TagAction and the HTTP version TagProtocol. The trailing status code
	// (200) and byte count (27981) are expected to stay TagUnknown, so a
	// consumer wanting the status has to read it positionally.
	{
		msg: "209.36.88.3 - - [03/may/2004:01:19:07 +0000] \"get http://npkclzicp.xihudohtd.ngm.au/abramson/eiyscmeqix.ac;jsessionid=b0l0v000u0?sid=00000000&sy=afr&kw=goldman&pb=fin&dt=selectrange&dr=0month&so=relevance&st=nw&ss=afr&sf=article&rc=00&clspage=0&docid=fin0000000r0jl000d00 http/1.0\" 200 27981",
		seq: Sequence{
			{Tag: TagSrcIPv4, Type: TokenIPv4, Value: "209.36.88.3"},
			{Tag: TagUnknown, Type: TokenLiteral, Value: "-"},
			{Tag: TagUnknown, Type: TokenLiteral, Value: "-"},
			{Tag: TagUnknown, Type: TokenLiteral, Value: "["},
			{Tag: TagMsgTime, Type: TokenTime, Value: "03/may/2004:01:19:07 +0000"},
			{Tag: TagUnknown, Type: TokenLiteral, Value: "]"},
			{Tag: TagUnknown, Type: TokenLiteral, Value: "\""},
			{Tag: TagAction, Type: TokenString, Value: "get"},
			{Tag: TagObject, Type: TokenString, Value: "http://npkclzicp.xihudohtd.ngm.au/abramson/eiyscmeqix.ac;jsessionid=b0l0v000u0?sid=00000000&sy=afr&kw=goldman&pb=fin&dt=selectrange&dr=0month&so=relevance&st=nw&ss=afr&sf=article&rc=00&clspage=0&docid=fin0000000r0jl000d00"},
			{Tag: TagProtocol, Type: TokenString, Value: "http/1.0"},
			{Tag: TagUnknown, Type: TokenLiteral, Value: "\""},
			{Tag: TagUnknown, Type: TokenInteger, Value: "200"},
			{Tag: TagUnknown, Type: TokenInteger, Value: "27981"},
		},
	},
	// Cisco ASA connection build (%asa-6-302015) as relayed via syslog.
	// Expectations worth knowing before relying on them: the syslog
	// facility.severity string "local4.info" is expected as TagSrcHost, the
	// relaying device address 172.23.0.1 stays TagUnknown, and only the
	// first address/port of each side (outside -> TagSrc*, inside -> TagDst*)
	// is tagged; the parenthesised pairs (presumably the translated/NAT
	// addresses) stay TagUnknown.
	{
		msg: "2012-04-05 17:54:47 local4.info 172.23.0.1 %asa-6-302015: built outbound udp connection 1315679 for outside:193.0.14.129/53 (193.0.14.129/53) to inside:172.23.0.10/64048 (10.32.0.1/52130)",
		seq: Sequence{
			{Tag: TagMsgTime, Type: TokenTime, Value: "2012-04-05 17:54:47"},
			{Tag: TagSrcHost, Type: TokenString, Value: "local4.info"},
			{Tag: TagUnknown, Type: TokenIPv4, Value: "172.23.0.1"},
			{Tag: TagUnknown, Type: TokenLiteral, Value: "%asa-6-302015"},
			{Tag: TagUnknown, Type: TokenLiteral, Value: ":"},
			{Tag: TagAction, Type: TokenString, Value: "built"},
			{Tag: TagUnknown, Type: TokenLiteral, Value: "outbound"},
			{Tag: TagProtocol, Type: TokenString, Value: "udp"},
			{Tag: TagUnknown, Type: TokenLiteral, Value: "connection", isKey: true},
			{Tag: TagSessionID, Type: TokenInteger, Value: "1315679"},
			{Tag: TagUnknown, Type: TokenLiteral, Value: "for", isKey: true},
			{Tag: TagUnknown, Type: TokenLiteral, Value: "outside"},
			{Tag: TagUnknown, Type: TokenLiteral, Value: ":"},
			{Tag: TagSrcIPv4, Type: TokenIPv4, Value: "193.0.14.129"},
			{Tag: TagUnknown, Type: TokenLiteral, Value: "/"},
			{Tag: TagSrcPort, Type: TokenInteger, Value: "53"},
			{Tag: TagUnknown, Type: TokenLiteral, Value: "("},
			{Tag: TagUnknown, Type: TokenIPv4, Value: "193.0.14.129"},
			{Tag: TagUnknown, Type: TokenLiteral, Value: "/"},
			{Tag: TagUnknown, Type: TokenInteger, Value: "53"},
			{Tag: TagUnknown, Type: TokenLiteral, Value: ")"},
			{Tag: TagUnknown, Type: TokenLiteral, Value: "to", isKey: true},
			{Tag: TagUnknown, Type: TokenLiteral, Value: "inside"},
			{Tag: TagUnknown, Type: TokenLiteral, Value: ":"},
			{Tag: TagDstIPv4, Type: TokenIPv4, Value: "172.23.0.10"},
			{Tag: TagUnknown, Type: TokenLiteral, Value: "/"},
			{Tag: TagDstPort, Type: TokenInteger, Value: "64048"},
			{Tag: TagUnknown, Type: TokenLiteral, Value: "("},
			{Tag: TagUnknown, Type: TokenIPv4, Value: "10.32.0.1"},
			{Tag: TagUnknown, Type: TokenLiteral, Value: "/"},
			{Tag: TagUnknown, Type: TokenInteger, Value: "52130"},
			{Tag: TagUnknown, Type: TokenLiteral, Value: ")"},
		},
	},
	// sshd reverse-DNS mismatch warning. This case freezes two attributions
	// that look wrong rather than intended: the PTR name "static.vdc.vn" is
	// expected as TagDstHost although it is the reverse lookup of the
	// *source* address, and the English word "the" (after the key "to") is
	// expected as TagDstUser. NOTE(review): anyone keying a detection on
	// TagDstUser / TagDstHost from free-text sshd messages would receive
	// these values; confirm whether this is desired before relying on it.
	{
		msg: "Jan 15 05:14:39 irc sshd[8134]: Address 123.30.182.178 maps to static.vdc.vn, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!",
		seq: Sequence{
			{Tag: TagMsgTime, Type: TokenTime, Value: "Jan 15 05:14:39"},
			{Tag: TagAppHost, Type: TokenString, Value: "irc"},
			{Tag: TagAppName, Type: TokenString, Value: "sshd"},
			{Tag: TagUnknown, Type: TokenLiteral, Value: "["},
			{Tag: TagSessionID, Type: TokenInteger, Value: "8134"},
			{Tag: TagUnknown, Type: TokenLiteral, Value: "]"},
			{Tag: TagUnknown, Type: TokenLiteral, Value: ":"},
			{Tag: TagUnknown, Type: TokenLiteral, Value: "address"},
			{Tag: TagSrcIPv4, Type: TokenIPv4, Value: "123.30.182.178"},
			{Tag: TagUnknown, Type: TokenLiteral, Value: "maps"},
			{Tag: TagUnknown, Type: TokenLiteral, Value: "to", isKey: true},
			{Tag: TagDstHost, Type: TokenString, Value: "static.vdc.vn"},
			{Tag: TagUnknown, Type: TokenLiteral, Value: ","},
			{Tag: TagUnknown, Type: TokenLiteral, Value: "but"},
			{Tag: TagUnknown, Type: TokenLiteral, Value: "this"},
			{Tag: TagUnknown, Type: TokenLiteral, Value: "does"},
			{Tag: TagUnknown, Type: TokenLiteral, Value: "not"},
			{Tag: TagUnknown, Type: TokenLiteral, Value: "map"},
			{Tag: TagUnknown, Type: TokenLiteral, Value: "back"},
			{Tag: TagUnknown, Type: TokenLiteral, Value: "to", isKey: true},
			{Tag: TagDstUser, Type: TokenString, Value: "the"},
			{Tag: TagUnknown, Type: TokenLiteral, Value: "address", isKey: true},
			{Tag: TagUnknown, Type: TokenLiteral, Value: "-"},
			{Tag: TagUnknown, Type: TokenLiteral, Value: "possible"},
			{Tag: TagUnknown, Type: TokenLiteral, Value: "break-in"},
			{Tag: TagUnknown, Type: TokenLiteral, Value: "attempt"},
			{Tag: TagUnknown, Type: TokenLiteral, Value: "!"},
		},
	},
	// key=value firewall record. Every key is expected with isKey and every
	// value with isValue; the "=" separators and the quotes around the time
	// are plain literals. Only src/sport/dst/dport/proto/duration/smac/dmac
	// receive semantic tags; rule=accept is expected to stay TagUnknown, so
	// the allow/deny verdict is not surfaced as TagStatus or TagAction here.
	// Unlike the sshd fixtures above, "TOPSEC" and "TCP" keep their original
	// case, so whatever lowercasing applies to free-text messages does not
	// seem to apply to these values.
	{
		msg: "id=firewall time=\"2005-03-18 14:01:46\" fw=TOPSEC priv=6 recorder=kernel type=conn policy=414 proto=TCP rule=accept src=61.167.71.244 sport=35223 dst=210.82.119.211 dport=25 duration=27 inpkt=37 outpkt=39 sent=1770 rcvd=20926 smac=00:04:c1:8b:d8:82 dmac=00:0b:5f:b2:1d:80",
		seq: Sequence{
			{Tag: TagUnknown, Type: TokenLiteral, Value: "id", isKey: true},
			{Tag: TagUnknown, Type: TokenLiteral, Value: "="},
			{Tag: TagUnknown, Type: TokenString, Value: "firewall", isValue: true},
			{Tag: TagUnknown, Type: TokenLiteral, Value: "time", isKey: true},
			{Tag: TagUnknown, Type: TokenLiteral, Value: "="},
			{Tag: TagUnknown, Type: TokenLiteral, Value: "\""},
			{Tag: TagMsgTime, Type: TokenTime, Value: "2005-03-18 14:01:46", isValue: true},
			{Tag: TagUnknown, Type: TokenLiteral, Value: "\""},
			{Tag: TagUnknown, Type: TokenLiteral, Value: "fw", isKey: true},
			{Tag: TagUnknown, Type: TokenLiteral, Value: "="},
			{Tag: TagUnknown, Type: TokenString, Value: "TOPSEC", isValue: true},
			{Tag: TagUnknown, Type: TokenLiteral, Value: "priv", isKey: true},
			{Tag: TagUnknown, Type: TokenLiteral, Value: "="},
			{Tag: TagUnknown, Type: TokenInteger, Value: "6", isValue: true},
			{Tag: TagUnknown, Type: TokenLiteral, Value: "recorder", isKey: true},
			{Tag: TagUnknown, Type: TokenLiteral, Value: "="},
			{Tag: TagUnknown, Type: TokenString, Value: "kernel", isValue: true},
			{Tag: TagUnknown, Type: TokenLiteral, Value: "type", isKey: true},
			{Tag: TagUnknown, Type: TokenLiteral, Value: "="},
			{Tag: TagUnknown, Type: TokenString, Value: "conn", isValue: true},
			{Tag: TagUnknown, Type: TokenLiteral, Value: "policy", isKey: true},
			{Tag: TagUnknown, Type: TokenLiteral, Value: "="},
			{Tag: TagUnknown, Type: TokenInteger, Value: "414", isValue: true},
			{Tag: TagUnknown, Type: TokenLiteral, Value: "proto", isKey: true},
			{Tag: TagUnknown, Type: TokenLiteral, Value: "="},
			{Tag: TagProtocol, Type: TokenString, Value: "TCP", isValue: true},
			{Tag: TagUnknown, Type: TokenLiteral, Value: "rule", isKey: true},
			{Tag: TagUnknown, Type: TokenLiteral, Value: "="},
			{Tag: TagUnknown, Type: TokenString, Value: "accept", isValue: true},
			{Tag: TagUnknown, Type: TokenLiteral, Value: "src", isKey: true},
			{Tag: TagUnknown, Type: TokenLiteral, Value: "="},
			{Tag: TagSrcIPv4, Type: TokenIPv4, Value: "61.167.71.244", isValue: true},
			{Tag: TagUnknown, Type: TokenLiteral, Value: "sport", isKey: true},
			{Tag: TagUnknown, Type: TokenLiteral, Value: "="},
			{Tag: TagSrcPort, Type: TokenInteger, Value: "35223", isValue: true},
			{Tag: TagUnknown, Type: TokenLiteral, Value: "dst", isKey: true},
			{Tag: TagUnknown, Type: TokenLiteral, Value: "="},
			{Tag: TagDstIPv4, Type: TokenIPv4, Value: "210.82.119.211", isValue: true},
			{Tag: TagUnknown, Type: TokenLiteral, Value: "dport", isKey: true},
			{Tag: TagUnknown, Type: TokenLiteral, Value: "="},
			{Tag: TagDstPort, Type: TokenInteger, Value: "25", isValue: true},
			{Tag: TagUnknown, Type: TokenLiteral, Value: "duration", isKey: true},
			{Tag: TagUnknown, Type: TokenLiteral, Value: "="},
			{Tag: TagDuration, Type: TokenInteger, Value: "27", isValue: true},
			{Tag: TagUnknown, Type: TokenLiteral, Value: "inpkt", isKey: true},
			{Tag: TagUnknown, Type: TokenLiteral, Value: "="},
			{Tag: TagUnknown, Type: TokenInteger, Value: "37", isValue: true},
			{Tag: TagUnknown, Type: TokenLiteral, Value: "outpkt", isKey: true},
			{Tag: TagUnknown, Type: TokenLiteral, Value: "="},
			{Tag: TagUnknown, Type: TokenInteger, Value: "39", isValue: true},
			{Tag: TagUnknown, Type: TokenLiteral, Value: "sent", isKey: true},
			{Tag: TagUnknown, Type: TokenLiteral, Value: "="},
			{Tag: TagUnknown, Type: TokenInteger, Value: "1770", isValue: true},
			{Tag: TagUnknown, Type: TokenLiteral, Value: "rcvd", isKey: true},
			{Tag: TagUnknown, Type: TokenLiteral, Value: "="},
			{Tag: TagUnknown, Type: TokenInteger, Value: "20926", isValue: true},
			{Tag: TagUnknown, Type: TokenLiteral, Value: "smac", isKey: true},
			{Tag: TagUnknown, Type: TokenLiteral, Value: "="},
			{Tag: TagSrcMac, Type: TokenMac, Value: "00:04:c1:8b:d8:82", isValue: true},
			{Tag: TagUnknown, Type: TokenLiteral, Value: "dmac", isKey: true},
			{Tag: TagUnknown, Type: TokenLiteral, Value: "="},
			{Tag: TagDstMac, Type: TokenMac, Value: "00:0b:5f:b2:1d:80", isValue: true},
		},
	},
}
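// TestAnalyzeSequence scans each fixture message, runs analyzeSequence over the
// raw token stream and checks that every token comes back with the expected
// tag, type, value and key/value markers.
//
// Tag assignment is what downstream consumers (detections, enrichment, field
// extraction) key on, so a drifted tag is a silent mis-attribution rather than
// a parse error. The per-token loop is kept so that the first diverging token
// is reported together with the message that produced it, which the whole-
// slice comparison alone would bury in a long diff.
func TestAnalyzeSequence(t *testing.T) {
	scanner := NewScanner()

	for _, tc := range seqAnalyzeTests {
		seq, err := scanner.Scan(tc.msg)
		require.NoError(t, err, tc.msg)

		seq = analyzeSequence(seq)
		//glog.Debugln(seq.PrintTokens())

		// Check the token count before indexing tc.seq[i] below: if the
		// analyzer ever emits more tokens than the fixture expects, the loop
		// would panic with an index-out-of-range instead of failing with the
		// offending message, losing the diagnostic entirely.
		require.Equal(t, len(tc.seq), len(seq), "token count mismatch for: %s", tc.msg)

		for i, tok := range seq {
			if tok != tc.seq[i] {
				require.FailNow(t, tok.String()+" != "+tc.seq[i].String()+"\n"+tc.msg)
			}
		}

		// Whole-slice comparison as a final guard (also catches any Token
		// field the per-element != above might not cover in future).
		require.Equal(t, tc.seq, seq, tc.msg)
	}
}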