/// <summary>
/// Verifies that a search definition whose only <c>MatchExpression</c> is
/// empty reports nothing, even when the scanned file contains the rule id.
/// </summary>
/// <remarks>
/// The assertion is that <c>logger.Results</c> is null, not merely empty,
/// so it fails if any result is ever logged for this target.
/// </remarks>
public void SearchSkimmer_NoDetectionWhenMatchIsEmpty()
{
    // A match expression with nothing configured on it.
    var emptyExpression = new MatchExpression();
    SearchDefinition definition = CreateDefaultSearchDefinition(emptyExpression);

    // The scan target holds the rule id as its entire contents.
    string targetText = definition.Id;
    var targetUri = new Uri($"file:///c:/{definition.Name}.Fake.asc");

    var logger = new TestLogger();
    var context = new AnalyzeContext
    {
        TargetUri = targetUri,
        // NOTE(review): interpolation turns a null Id into an empty string;
        // confirm whether that is intended or the Id can be assigned directly.
        FileContents = $"{targetText}",
        Logger = logger
    };

    SearchSkimmer skimmer = CreateSkimmer(definition);
    skimmer.Analyze(context);

    // No finding may be emitted for a rule that has no pattern to match.
    logger.Results.Should().BeNull();
}
/// <summary>
/// Verifies that a definition built from a file-detecting match expression
/// produces results for a target whose name carries the expected extension.
/// </summary>
/// <remarks>
/// The extension is a fresh GUID, so the target name cannot collide with any
/// other rule's file pattern. The produced results are checked by
/// <c>ValidateResultsAgainstDefinition</c>.
/// </remarks>
public void SearchSkimmer_DetectsFilePatternOnly()
{
    // Unique extension per run keeps this test independent of other rules.
    string uniqueExtension = Guid.NewGuid().ToString();

    MatchExpression fileExpression =
        CreateFileDetectingMatchExpression(fileExtension: uniqueExtension);
    SearchDefinition definition = CreateDefaultSearchDefinition(fileExpression);

    string targetText = definition.Id;
    var targetUri = new Uri($"file:///c:/{definition.Name}.Fake.{uniqueExtension}");

    var logger = new TestLogger();
    var context = new AnalyzeContext
    {
        TargetUri = targetUri,
        FileContents = targetText,
        Logger = logger
    };

    SearchSkimmer skimmer = CreateSkimmer(definition);
    skimmer.Analyze(context);

    ValidateResultsAgainstDefinition(logger.Results, definition, skimmer);
}
/// <summary>
/// Verifies that the skimmer finds a pattern inside base64-encoded content,
/// and that this depends on <c>MatchLengthToDecode</c>.
/// </summary>
/// <remarks>
/// Three scans run against the same definition:
/// base64 content with the expression as created (one result, message
/// prefixed with <c>base64-encoded</c>); base64 content with
/// <c>MatchLengthToDecode</c> set to 0 (no results); and plaintext content
/// with the expression unchanged from the second scan (one result, empty
/// encoding prefix).
/// Rule authors should note the second case: with decoding disabled, an
/// encoded secret in the target is not reported.
/// </remarks>
public void SearchSkimmer_DetectsBase64EncodedPattern()
{
    MatchExpression guidExpression = CreateGuidDetectingMatchExpression();
    SearchDefinition definition = CreateDefaultSearchDefinition(guidExpression);

    string originalMessage = definition.Message;

    // Prefix the message with the well-known 'encoding' argument, which
    // reports how the match was made ('plaintext' or 'base64-encoded').
    definition.Message = $"{{0:encoding}}:{definition.Message}";

    // Plaintext target is the rule id; the encoded target is its UTF-8
    // bytes rendered as base64.
    string plaintext = definition.Id;
    byte[] plaintextBytes = Encoding.UTF8.GetBytes(plaintext);
    string encodedText = Convert.ToBase64String(plaintextBytes);

    var targetUri = new Uri($"file:///c:/{definition.Name}.{definition.FileNameAllowRegex}");

    var logger = new TestLogger();
    var context = new AnalyzeContext
    {
        TargetUri = targetUri,
        FileContents = encodedText,
        Logger = logger
    };

    // Scan 1: base64 content, MatchLengthToDecode as created by the helper
    // (expected to be > 0): the encoded value is found.
    SearchSkimmer skimmer = CreateSkimmer(definition);
    skimmer.Analyze(context);

    logger.Results.Count.Should().Be(1);
    var encodedHit = logger.Results[0];
    encodedHit.RuleId.Should().Be(definition.Id);
    encodedHit.Level.Should().Be(definition.Level);
    encodedHit.GetMessageText(skimmer).Should().Be($"base64-encoded:{originalMessage}");

    // Scan 2: base64 content, MatchLengthToDecode == 0: nothing is decoded,
    // so the same encoded value goes unreported.
    definition.MatchExpressions[0].MatchLengthToDecode = 0;
    logger.Results.Clear();

    skimmer = CreateSkimmer(definition);
    skimmer.Analyze(context);

    logger.Results.Count.Should().Be(0);

    // Scan 3: plaintext content is still found.
    // NOTE(review): the original comment describes this case as
    // "MatchLengthToDecode > 0", but the value was set to 0 above and is
    // not restored before this scan; confirm which case is intended.
    context.FileContents = plaintext;
    logger.Results.Clear();

    skimmer = CreateSkimmer(definition);
    skimmer.Analyze(context);

    // The encoding prefix changes: for plaintext matches the encoding text
    // is left out entirely (only 'base64-encoded' is ever reported
    // explicitly), leaving just the ':' separator before the message.
    logger.Results.Count.Should().Be(1);
    var plaintextHit = logger.Results[0];
    plaintextHit.RuleId.Should().Be(definition.Id);
    plaintextHit.Level.Should().Be(definition.Level);
    plaintextHit.GetMessageText(skimmer).Should().Be($":{originalMessage}");
}