/// <summary>
/// Verifies that <c>UnicodeString.IEquals</c> matches when the event's user data and
/// the query differ only in letter case ("Test" vs "TEST").
/// </summary>
public void when_values_differ_in_case_iequals_should_match()
{
    const string userData = "Test";
    const string needle = "TEST";

    // Synthetic PowerShell record; the two remaining CreateRecord arguments are left empty.
    var evt = PowerShellEvent.CreateRecord(userData, string.Empty, string.Empty);
    var caseInsensitiveEquals = UnicodeString.IEquals(PowerShellEvent.UserData, needle);

    var matched = caseInsensitiveEquals.Test(evt);

    Assert.IsTrue(matched);
}
/// <summary>
/// Verifies that <c>UnicodeString.Is</c> matches when the query is the same string
/// that was written into the record's user data.
/// </summary>
public void when_values_are_same_is_should_match()
{
    const string userData = "Test";

    var evt = PowerShellEvent.CreateRecord(userData, string.Empty, string.Empty);

    // The query is deliberately the same value that was placed in the record.
    var exactMatch = UnicodeString.Is(PowerShellEvent.UserData, userData);

    Assert.IsTrue(exactMatch.Test(evt));
}
/// <summary>
/// Verifies that <c>UnicodeString.Contains</c> matches when the query ("Bar") appears,
/// with identical casing, inside the record's user data ("Foo Bar Baz").
/// </summary>
public void when_data_contains_query_contains_should_match()
{
    const string haystack = "Foo Bar Baz";
    const string needle = "Bar";

    var evt = PowerShellEvent.CreateRecord(haystack, string.Empty, string.Empty);
    var containsNeedle = UnicodeString.Contains(PowerShellEvent.UserData, needle);

    var matched = containsNeedle.Test(evt);

    Assert.IsTrue(matched);
}
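/// <summary>
/// Verifies that <c>UnicodeString.IEquals</c> does not match when the record's user data
/// and the query are different strings, not merely different in case
/// ("Test" vs "Foobar").
/// </summary>
public void when_values_differ_other_than_case_iequals_should_not_match()
{
    var data = "Test";
    var query = "Foobar";
    var record = PowerShellEvent.CreateRecord(data, string.Empty, string.Empty);

    // The test name targets IEquals, but the predicate was previously built with
    // UnicodeString.Is, so the case-insensitive comparison was never exercised here.
    var predicate = UnicodeString.IEquals(PowerShellEvent.UserData, query);

    Assert.IsFalse(predicate.Test(record));
}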
/// <summary>
/// Verifies that <c>UnicodeString.Contains</c> is case-sensitive: "BAR" must not match
/// user data of "Foo Bar Baz".
/// </summary>
public void when_data_contains_query_but_differs_in_case_contains_should_not_match()
{
    const string haystack = "Foo Bar Baz";
    const string upperCasedNeedle = "BAR";

    var evt = PowerShellEvent.CreateRecord(haystack, string.Empty, string.Empty);
    var containsNeedle = UnicodeString.Contains(PowerShellEvent.UserData, upperCasedNeedle);

    var matched = containsNeedle.Test(evt);

    Assert.IsFalse(matched);
}
/// <summary>
/// Verifies that <c>UnicodeString.IStartsWith</c> does not match when the query ("Bar")
/// occurs in the user data ("Foo Bar Baz") but not at its start.
/// </summary>
public void when_data_does_not_start_with_query_istartswith_should_not_match()
{
    const string haystack = "Foo Bar Baz";
    const string midStringNeedle = "Bar";

    var evt = PowerShellEvent.CreateRecord(haystack, string.Empty, string.Empty);
    var startsWithNeedle = UnicodeString.IStartsWith(PowerShellEvent.UserData, midStringNeedle);

    var matched = startsWithNeedle.Test(evt);

    Assert.IsFalse(matched);
}
/// <summary>
/// Verifies that <c>UnicodeString.IStartsWith</c> ignores case: "FOO" must match user
/// data that begins with "Foo".
/// </summary>
public void when_data_starts_with_query_but_differs_in_case_istartswith_should_match()
{
    const string haystack = "Foo Bar Baz";
    const string upperCasedPrefix = "FOO";

    var evt = PowerShellEvent.CreateRecord(haystack, string.Empty, string.Empty);
    var startsWithPrefix = UnicodeString.IStartsWith(PowerShellEvent.UserData, upperCasedPrefix);

    var matched = startsWithPrefix.Test(evt);

    Assert.IsTrue(matched);
}
/// <summary>
/// Verifies that negating a matching predicate through <c>op_LogicalNot</c> yields a
/// predicate that does not match the same record.
/// </summary>
public void not_operator_predicate_should_not_match_if_predicate_true()
{
    const string userData = "Test";

    var evt = PowerShellEvent.CreateRecord(userData, string.Empty, string.Empty);

    // Inner predicate is built from the record's own user data, then inverted.
    var matching = UnicodeString.Is(PowerShellEvent.UserData, userData);
    var negated = matching.op_LogicalNot();

    var matched = negated.Test(evt);

    Assert.IsFalse(matched);
}
/// <summary>
/// Verifies that combining two predicates through <c>op_LogicalOr</c> matches when one
/// operand matches the record and the other does not.
/// </summary>
/// <remarks>
/// The method name says "either predicate false"; what the body actually checks is the
/// mixed case of one matching operand and one non-matching operand.
/// </remarks>
public void or_operator_predicate_should_match_if_either_predicate_false()
{
    const string userData = "Test";

    var evt = PowerShellEvent.CreateRecord(userData, string.Empty, string.Empty);

    var matching = UnicodeString.Is(PowerShellEvent.UserData, userData);
    var nonMatching = UnicodeString.Is(PowerShellEvent.UserData, "Not Found");
    var either = matching.op_LogicalOr(nonMatching);

    var matched = either.Test(evt);

    Assert.IsTrue(matched);
}
/// <summary>
/// Verifies that <c>And</c> of two predicates matches when both operands match the record.
/// </summary>
public void and_predicate_should_match_if_both_predicates_true()
{
    const string userData = "Test";

    var evt = PowerShellEvent.CreateRecord(userData, string.Empty, string.Empty);

    // Both operands are built identically, so each one matches on its own.
    var left = UnicodeString.Is(PowerShellEvent.UserData, userData);
    var right = UnicodeString.Is(PowerShellEvent.UserData, userData);
    var both = left.And(right);

    var matched = both.Test(evt);

    Assert.IsTrue(matched);
}
/// <summary>
/// Verifies that <c>Or</c> of two predicates does not match when neither operand
/// matches the record.
/// </summary>
public void or_predicate_should_not_match_if_both_predicates_false()
{
    const string userData = "Test";
    const string absentValue = "Not Found";

    var evt = PowerShellEvent.CreateRecord(userData, string.Empty, string.Empty);

    // Both operands look for a value that is not in the record.
    var left = UnicodeString.Is(PowerShellEvent.UserData, absentValue);
    var right = UnicodeString.Is(PowerShellEvent.UserData, absentValue);
    var either = left.Or(right);

    var matched = either.Test(evt);

    Assert.IsFalse(matched);
}
/// <summary>
/// Verifies that an <c>EventFilter</c> whose predicate rejects every event
/// (<c>Filter.Not(Filter.AnyEvent())</c>) does not raise <c>OnEvent</c> when a record
/// is pushed through the proxy.
/// </summary>
public void it_should_not_raise_OnEvent_for_not_matching_event_filter()
{
    var eventRaised = false;

    // Negating the match-everything predicate gives a filter that should match nothing.
    var rejectAll = new EventFilter(Filter.Not(Filter.AnyEvent()));
    var filterProxy = new Proxy(rejectAll);
    rejectAll.OnEvent += _ => eventRaised = true;

    var evt = PowerShellEvent.CreateRecord("user data", "context info", "payload");
    filterProxy.PushEvent(evt);

    Assert.IsFalse(eventRaised, "proxy call raised on event");
}
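/// <summary>
/// Verifies that the id exposed on the delivered event equals
/// <c>PowerShellEvent.EventId</c>.
/// </summary>
/// <remarks>
/// <c>trace</c> and <c>proxy</c> are members declared outside this method; presumably
/// <c>proxy</c> wraps <c>trace</c> the way the self-contained tests in this suite build
/// them (confirm against the fixture setup).
/// </remarks>
public void it_should_read_event_id()
{
    var handlerRan = false;
    var provider = new Provider(PowerShellEvent.ProviderId);
    provider.OnEvent += e =>
    {
        handlerRan = true;
        Assert.AreEqual(PowerShellEvent.EventId, e.Id);
    };

    trace.Enable(provider);
    proxy.PushEvent(PowerShellEvent.CreateRecord(string.Empty, string.Empty, string.Empty));

    // The only assertion used to live inside the callback, so the test passed even when
    // the event was never delivered. Fail explicitly in that case.
    Assert.IsTrue(handlerRan, "OnEvent was never raised, so the event id was not checked");
}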
/// <summary>
/// Verifies that a <c>RawProvider</c> enabled on a <c>UserTrace</c> raises
/// <c>OnEvent</c> when a record for its provider id is pushed through the proxy.
/// </summary>
public void it_should_raise_OnEvent_for_raw_provider_on_user_trace()
{
    var eventRaised = false;

    var userTrace = new UserTrace();
    var traceProxy = new Proxy(userTrace);

    var rawProvider = new RawProvider(PowerShellEvent.ProviderId);
    rawProvider.OnEvent += _ => eventRaised = true;
    userTrace.Enable(rawProvider);

    var evt = PowerShellEvent.CreateRecord("user data", "context info", "payload");
    traceProxy.PushEvent(evt);

    Assert.IsTrue(eventRaised, "proxy call raised on event");
}
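/// <summary>
/// Verifies that <c>CopyUserData</c> returns a buffer whose length equals
/// <c>UserDataLength</c> and whose UTF-16 decoding contains the string written into the
/// record.
/// </summary>
/// <remarks>
/// <c>trace</c> and <c>proxy</c> are members declared outside this method; presumably
/// <c>proxy</c> wraps <c>trace</c> (confirm against the fixture setup).
/// </remarks>
public void it_should_marshal_user_data()
{
    var data = "This is some user data";
    var handlerRan = false;

    var provider = new Provider(PowerShellEvent.ProviderId);
    provider.OnEvent += e =>
    {
        handlerRan = true;

        var bytes = e.CopyUserData();

        // The buffer is decoded as UTF-16LE; a substring check is used because the
        // buffer holds more than this one string.
        var str = Encoding.Unicode.GetString(bytes);

        Assert.IsTrue(str.Contains(data));
        Assert.AreEqual(e.UserDataLength, bytes.Length);
    };

    trace.Enable(provider);
    proxy.PushEvent(PowerShellEvent.CreateRecord(data, string.Empty, string.Empty));

    // Every assertion above runs inside the callback; without this check a record that
    // is never delivered would leave the marshalling path untested while the test passes.
    Assert.IsTrue(handlerRan, "OnEvent was never raised, so user data was not checked");
}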
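/// <summary>
/// Verifies that the three Unicode-string accessors on the delivered event
/// (<c>GetUnicodeString(prop)</c>, <c>GetUnicodeString(prop, default)</c> and
/// <c>TryGetUnicodeString</c>) all return the user data written into the record.
/// </summary>
/// <remarks>
/// <c>trace</c> and <c>proxy</c> are members declared outside this method; presumably
/// <c>proxy</c> wraps <c>trace</c> (confirm against the fixture setup).
/// </remarks>
public void it_should_parse_unicode_strings()
{
    var data = "This is some user data";
    var prop = PowerShellEvent.UserData;
    var handlerRan = false;

    var provider = new Provider(PowerShellEvent.ProviderId);
    provider.OnEvent += e =>
    {
        handlerRan = true;

        Assert.AreEqual(data, e.GetUnicodeString(prop));
        Assert.AreEqual(data, e.GetUnicodeString(prop, string.Empty));

        string result;
        Assert.IsTrue(e.TryGetUnicodeString(prop, out result));
        Assert.AreEqual(data, result);
    };

    trace.Enable(provider);
    proxy.PushEvent(PowerShellEvent.CreateRecord(data, string.Empty, string.Empty));

    // The parser assertions only run if the callback fires; make a silent non-delivery
    // a failure instead of a pass.
    Assert.IsTrue(handlerRan, "OnEvent was never raised, so no string was parsed");
}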
/// <summary>
/// Checks the three Unicode-string accessors on an event delivered to an
/// <c>ImageLoadProvider</c>, reading the <c>ImageLoadEvent.FileName</c> property and
/// expecting "file.exe".
/// </summary>
/// <remarks>
/// NOTE(review): the record pushed below is built with
/// <c>PowerShellEvent.CreateRecord</c>, while the provider and the property belong to
/// the image-load event. All assertions sit inside the callback, so if this record is
/// never routed to the provider the test passes without checking anything. Confirm the
/// callback really fires.
/// <c>trace</c> and <c>proxy</c> are members declared outside this method.
/// </remarks>
public void it_should_parse_unicode_strings()
{
    const string expectedFileName = "file.exe";
    var fileNameProperty = ImageLoadEvent.FileName;

    var imageLoads = new ImageLoadProvider();
    imageLoads.OnEvent += evt =>
    {
        Assert.AreEqual(expectedFileName, evt.GetUnicodeString(fileNameProperty));
        Assert.AreEqual(expectedFileName, evt.GetUnicodeString(fileNameProperty, string.Empty));

        string parsed;
        var parsedOk = evt.TryGetUnicodeString(fileNameProperty, out parsed);
        Assert.IsTrue(parsedOk);
        Assert.AreEqual(expectedFileName, parsed);
    };

    trace.Enable(imageLoads);

    var record = PowerShellEvent.CreateRecord(expectedFileName, string.Empty, string.Empty);
    proxy.PushEvent(record);
}
/// <summary>
/// Verifies that an <c>EventFilter</c> raises <c>OnError</c>, and not <c>OnEvent</c>,
/// when the pushed record carries an id for which no schema can be found.
/// </summary>
public void schema_not_found_should_raise_onerror_on_event_filter()
{
    var eventRaised = false;
    var errorRaised = false;

    var matchAll = new EventFilter(Filter.AnyEvent());
    var filterProxy = new Proxy(matchAll);
    matchAll.OnEvent += _ => eventRaised = true;
    matchAll.OnError += _ => errorRaised = true;

    var evt = PowerShellEvent.CreateRecord("user data", "context info", "payload");

    // Overwrite the id so that the schema lookup for this record cannot succeed.
    evt.Id = (ushort)1234;

    filterProxy.PushEvent(evt);

    Assert.IsFalse(eventRaised, "schema not found raised OnEvent");
    Assert.IsTrue(errorRaised, "schema not found raised OnError");
}
/// <summary>
/// Verifies that a <c>Provider</c> enabled on a <c>UserTrace</c> raises <c>OnError</c>,
/// and not <c>OnEvent</c>, when the pushed record carries an id for which no schema can
/// be found.
/// </summary>
public void schema_not_found_should_raise_onerror_on_user_trace()
{
    var eventRaised = false;
    var errorRaised = false;

    var userTrace = new UserTrace();
    var traceProxy = new Proxy(userTrace);

    var powerShell = new Provider(PowerShellEvent.ProviderId);
    powerShell.OnEvent += _ => eventRaised = true;
    powerShell.OnError += _ => errorRaised = true;

    var evt = PowerShellEvent.CreateRecord("user data", "context info", "payload");

    // Overwrite the id so that the schema lookup for this record cannot succeed.
    evt.Id = (ushort)1234;

    userTrace.Enable(powerShell);
    traceProxy.PushEvent(evt);

    Assert.IsFalse(eventRaised, "schema not found raised OnEvent");
    Assert.IsTrue(errorRaised, "schema not found raised OnError");
}