public void OnBeforeProcessRecordInput_IfContextHeaderInfoIsNull_ReturnNextInstructionDo()
{
//Arrange
var context = new SyslogRecorderContext(_aruba, ProtocolType.Udp, "192.168.1.25")
{
HeaderInfo = null
};
//Act
// ReSharper disable ExpressionIsAlwaysNull
var actual = MethodTestHelper.RunInstanceMethod<ArubaUnifiedRecorder, NextInstruction>("OnBeforeProcessRecordInput", _aruba, new object[] { context });
// ReSharper restore ExpressionIsAlwaysNull
//Assert
Assert.AreEqual(NextInstruction.Do, actual);
}
public void OnFieldMatch_IfMatchIsSuccess_ReturnNextInstructionReturn()
{
//Arrange
var match = Regex.Match("192.168.2.80:45924 : local1.info Feb 17 14:28:25 brightmail ecelerity: 1297945705|c0a80250-b7b6bae000000e0e-f8-4d5d1460c093|DELIVERY_FAILURE|550 5.4.4 [internal] null mx domain does not accept mail|[email protected]", @"(?<DATETIME>[a-zA-Z]+\s*[0-9]+\s[0-9\:]+)\s*(?<SCANNER_HOST>[^\s]+)\s*(?<PROCESS>[^\:]+):\s*(((?<EPOCH>[^\|]+)\|(?<UID>[^\|]+)\|(?<EVENT>[^\|]+)))");
string field = null;
var context = new SyslogRecorderContext(_symantecBrigtmail, ProtocolType.Udp, "192.168.1.25");
//Act
// ReSharper disable ExpressionIsAlwaysNull
var actual = MethodTestHelper.RunInstanceMethod<SymantecBrightmailUnifiedRecorder, NextInstruction>("OnFieldMatch", _symantecBrigtmail, new object[] { context, field, match });
// ReSharper restore ExpressionIsAlwaysNull
//Assert
Assert.AreEqual(actual, NextInstruction.Return);
}
public void OnFieldMatch_IfMatchIsNotSuccess_ReturnNextInstructionReturn()
{
//Arrange
var match = Regex.Match("lorem ipsum sit amet", @"(.*\s)(.*)");
string field = null;
var context = new SyslogRecorderContext(_symantecBrigtmail, ProtocolType.Udp, "192.168.1.25");
//Act
// ReSharper disable ExpressionIsAlwaysNull
var actual = MethodTestHelper.RunInstanceMethod<SymantecBrightmailUnifiedRecorder, NextInstruction>("OnFieldMatch", _symantecBrigtmail, new object[] { context, field, match });
// ReSharper restore ExpressionIsAlwaysNull
//Assert
Assert.AreEqual(actual, NextInstruction.Return);
}
public void OnBeforeProcessRecordInput_IfContextHeaderInfoIsNotNull_ReturnNextInstructionDo()
{
//Arrange
var context = new SyslogRecorderContext(_symantecBrigtmail, ProtocolType.Udp, "192.168.1.25")
{
HeaderInfo = new DataMappingInfo()
};
//Act
// ReSharper disable ExpressionIsAlwaysNull
var actual = MethodTestHelper.RunInstanceMethod<SymantecBrightmailUnifiedRecorder, NextInstruction>("OnBeforeProcessRecordInput", _symantecBrigtmail, new object[] { context });
// ReSharper restore ExpressionIsAlwaysNull
//Assert
Assert.AreEqual(actual, NextInstruction.Do);
}
public void OnFieldMatch_IfMatchIsNotSuccess_ReturnNextInstructionSkip()
{
//Arrange
var context = new SyslogRecorderContext(_mcafeeıps, ProtocolType.Udp, syslogAddress: "192.168.1.25");
var match = Regex.Match("deneme", "[\"]+");
string field = null;
//Act
// ReSharper disable ExpressionIsAlwaysNull
var actual = MethodTestHelper.RunInstanceMethod<McAfeeIpsUnifiedRecorder, NextInstruction>("OnFieldMatch", _mcafeeıps, new object[] { context, field, match });
// ReSharper restore ExpressionIsAlwaysNull
//Assert
Assert.AreEqual(actual, NextInstruction.Skip);
}
public void OnFieldMatch_IfMatchAndContextSuccess_ReturnNextInstructionReturn()
{
//Arrange
var match = Regex.Match("Jun 5 15:28:06 SyslogAlertForwarder: 2012-06-05 15:28:05 EEST | P2P: Windows Mesh Traffic Detected | Medium | 65.55.236.179:443 | 10.1.1.11:25949 |PolicyViolation ", @"^.*?:\s*(?<DATE>[0-9\-]*\s*[0-9\:]*\s*[a-zA-Z]*)\s*\|\s*((?<THREAD_CODE>[^:]*):\s*(?<THREAT>[^\|]*))\s*\|\s*(?<SEVERITY>[^\|]*)\s*\|\s*((?<TARGET_IP>[^:]*):(?<TARGET_PORT>[^\|]*))\s*\|\s*((?<SRC_IP>[^:]*):(?<SRC_PORT>[^\|]*))\s*\|\s*(?<RULE>.[^\|]*)\s*");
const string field = "Jun 5 15:28:06 SyslogAlertForwarder: 2012-06-05 15:28:05 EEST | P2P: Windows Mesh Traffic Detected | Medium | 65.55.236.179:443 | 10.1.1.11:25949 |PolicyViolation";
var context = new SyslogRecorderContext(_mcafeeıps, ProtocolType.Udp, syslogAddress: "192.168.1.25");
// ReSharper disable once ReturnValueOfPureMethodIsNotUsed
context.SourceHeaderInfo.ContainsKey("deneme");
// ReSharper restore ReturnValueOfPureMethodIsNotUsed
//Act
// ReSharper disable ExpressionIsAlwaysNull
var actual = MethodTestHelper.RunInstanceMethod<McAfeeIpsUnifiedRecorder, NextInstruction>("OnFieldMatch", _mcafeeıps, new object[] { context, field, match });
// ReSharper restore ExpressionIsAlwaysNull
//Assert
Assert.AreEqual(actual, NextInstruction.Return);
}
public void GetHeaderInfo_IfMappingInfosIsNull_ReturnNextInstructionDo()
{
//Arrange
var context = new SyslogRecorderContext(_mcafeeıps, ProtocolType.Udp, syslogAddress: "192.168.1.25");
Exception e = null;
//Act
// ReSharper disable ExpressionIsAlwaysNull
var actual = MethodTestHelper.RunInstanceMethod<McAfeeIpsUnifiedRecorder, NextInstruction>("GetHeaderInfo", _mcafeeıps, new object[] { context,e });
// ReSharper restore ExpressionIsAlwaysNull
//Assert
Assert.AreEqual(actual, NextInstruction.Do);
}
public void OnFieldMatch_IfMatchIsSuccuss_ReturnNextInstructionReturn()
{
//Arrange
// ReSharper disable AssignNullToNotNullAttribute
var match = Regex.Match("date=2012-11-29 time=12:29:57 timezone=\"EET\" device_name=\"CR1000i\" device_id=C010001334-8KGA74 log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" status=\"a\" priority=Information fw_rule_id=0 user_name=\"[email protected]\" user_gp=\"UG_Ogrenci\" iap=12 category=\"SearchEngines\" category_type=\"Neutral\" url=\"sp.ask.com/toolbar/config/partner/vanilla/default_1.12wid/ie/PopupWidgetGamesFF.xml\" contenttype=\"text/xml\" httpresponsecode=\"\" src_ip=10.1.3.46 dst_ip=195.175.70.24 protocol=\"TCP\" src_port=2611 dst_port=80 sent_bytes=0 recv_bytes=6925 domain=sp.ask.com", "(date=(?<DATE>[0-9\\-][^\\s]*))?\\s*(time=(?<TIME>[0-9\\:][^\\s]*))?\\s*(timezone=\"(?<TIMEZONE>(.)|()[^\\\"]*)\")?\\s*(device_name=\"(?<DEVICE_NAME>(.)|()[^\\\"]*)\")?\\s*(device_id=(?<DEVICE_ID>.[^\\s]*))?\\s*(log_id=(?<LOG_ID>.[^\\s]*))?\\s*(log_type=\"(?<LOG_TYPE>(.)|()[^\\\"]*)\")?\\s*(log_component=\"(?<LOG_COMPONENT>(.)|()[^\\\"]*)\")?\\s*(log_subtype=\"(?<LOG_SUBTYPE>(.)|()[^\\\"]*)\")?\\s*(status=\"(?<STATUS>(.)|()[^\\\"]*)\")?\\s*(priority=(?<PRIORITY>.[^\\s]*))?\\s*(fw_rule_id=(?<FW_RULE_ID>.[^\\s]*))?\\s*(user_name=\"(?<USER_NAME>(.)|()[^\\\"]*)\")?\\s*(user_gp=\"(?<USER_GP>(.)|()[^\\\"]*)\")?\\s*(iap=(?<IAP>.[^\\s]*))?\\s*(category=\"(?<CATEGORY>(.)|()[^\\\"]*)\")?\\s*(category_type=\"(?<CATEGORY_TYPE>(.)|()[^\\\"]*)\")?\\s*(url=\"(?<URL>(.)|()[^\\\"]*)\")?\\s*(contenttype=\"(?<CONTENT_TYPE>(.)|()[^\\\"]*)\")?\\s*(httpresponsecode=\"(?<HTTP_RESPONSE_CODE>(.)|()[^\\\"]*)\")?\\s*(src_ip=(?<SRC_IP>[0-9\\.][^\\s]*))?\\s*(dst_ip=(?<DST_IP>[0-9\\.][^\\s]*))?\\s*(protocol=\"(?<PROTOCOL>(.)|()[^\\\"]*)\")?\\s*(src_port=(?<SRC_PORT>[0-9][^\\s]*))?\\s*(dst_port=(?<DST_PORT>[0-9][^\\s]*))?\\s*(sent_bytes=(?<SEND_BYTES>[0-9][^\\s]*))?\\s*(recv_bytes=(?<RECV_BYTES>[0-9][^\\s]*))?\\s*(domain=(?<DOMAIN>.[^\\n]*))?");
// ReSharper restore AssignNullToNotNullAttribute
string field = null;
var context = new SyslogRecorderContext(_squidsys, ProtocolType.Udp, syslogAddress: "192.168.1.25")
{
SourceHeaderInfo = new Dictionary<string, int> { { "date", 0 }, { " time", 1 }, { "timezone", 2 } }
};
//Act
// ReSharper disable ExpressionIsAlwaysNull
var actual = MethodTestHelper.RunInstanceMethod<SquidSyslogUnifiedRecorder, NextInstruction>("OnFieldMatch", _squidsys, new object[] { context, field, match });
// ReSharper restore ExpressionIsAlwaysNull
//Assert
Assert.AreEqual(actual, NextInstruction.Return);
}
public void OnFieldMatch_IfMatchIsNullPattern_ReturnNextInstructionSkip()
{
//Arrange
// ReSharper disable AssignNullToNotNullAttribute
var match = Regex.Match("deneme", null);
// ReSharper restore AssignNullToNotNullAttribute
string field = null;
var context = new SyslogRecorderContext(_squidsys, ProtocolType.Udp, syslogAddress: "192.168.1.25");
//Act
// ReSharper disable ExpressionIsAlwaysNull
var actual = MethodTestHelper.RunInstanceMethod<SquidSyslogUnifiedRecorder, NextInstruction>("OnFieldMatch", _squidsys, new object[] { context, field, match });
// ReSharper restore ExpressionIsAlwaysNull
//Assert
Assert.AreEqual(actual, NextInstruction.Skip);
}
public void OnFieldMatch_IfMatchIsSuccess_ReturnNextInstructionReturn()
{
//Arrange
var match = Regex.Match("deneme", "(.*)");
string field = null;
var context = new SyslogRecorderContext(_watchguard, ProtocolType.Udp, syslogAddress: "192.168.1.25");
//Act
// ReSharper disable ExpressionIsAlwaysNull
var actual = MethodTestHelper.RunInstanceMethod<WatchGuardUnifiedRecorder, NextInstruction>("OnFieldMatch", _watchguard, new object[] { context, field, match });
// ReSharper restore ExpressionIsAlwaysNull
//Assert
Assert.AreEqual(actual, NextInstruction.Return);
}
public void GetHeaderInfo_IfContextHeaderInfoIsNull_ReturnNextInstructionDo()
{
//Arrange
var context = new SyslogRecorderContext(_apacheaccess, ProtocolType.Udp, "192.168.1.25")
{
HeaderInfo = null
};
Exception e = null;
//Act
// ReSharper disable ExpressionIsAlwaysNull
var actual = MethodTestHelper.RunInstanceMethod<ApacheAccessUnifiedRecorder, NextInstruction>("GetHeaderInfo", _apacheaccess, new object[] { context, e });
// ReSharper restore ExpressionIsAlwaysNull
//Assert
Assert.AreEqual(NextInstruction.Do, actual);
}
public void OnFieldMatch_IfMatchIsNullInput_ReturnNextInstructionSkip()
{
//Arrange
// ReSharper disable AssignNullToNotNullAttribute
var match = Regex.Match(null, ".*");
// ReSharper restore AssignNullToNotNullAttribute
string field = null;
var context = new SyslogRecorderContext(_zyxelZywall, ProtocolType.Udp, "192.168.1.25");
//Act
// ReSharper disable ExpressionIsAlwaysNull
var actual = MethodTestHelper.RunInstanceMethod<ZyxelZywallUsgUnifiedRecorder, NextInstruction>("OnFieldMatch", _zyxelZywall, new object[] { context, field, match });
// ReSharper restore ExpressionIsAlwaysNull
//Assert
Assert.AreEqual(actual, NextInstruction.Skip);
}
public void OnFieldMatch_IfMatchIsSuccuss_ReturnNextInstructionSkip()
{
//Arrange
// ReSharper disable AssignNullToNotNullAttribute
var match = Regex.Match("192.0.0.110:29813 : local0.notice TUYAP_MERKEZ_FW: NetScreen device_id=TUYAP_MERKEZ_FW [Root]system-notification-00257(traffic): start_time=\"2011-05-27 11:01:53\" duration=0 policy_id=29 service=proto:41/port:1 proto=41 srczone=Trust dstzone=ADSL action=Deny sent=0 rcvd=0 src=192.0.0.72 dst=192.88.99.1 session_id=0 ", "(?<SOURCE_NAME>[0-9\\.:]+)\\s*:\\s*[\\w\\.]+\\s*(?<FIREWALL_NAME>[^:]+):\\s*[a-zA-Z]+\\s*device_id=(?<DEVICE_ID>[^\\s]+)\\s*.[^\\]]+\\](?<EVENT_TYPE>[^:]+):\\s*(start_time=\"(?<START_TIME>[0-9-]+\\s*[0-9:]+)\")?\\s*(duration=(?<DURATION>[0-9]+))?\\s*(policy_id=(?<POLICY_ID>[0-9]+))?\\s*(service=(?<SERVICE>[^\\s]+))?\\s*(proto=(?<PROTO>[0-9]+))?\\s*(srczone=(?<SRC_ZONE>[^\\s]+))?\\s*(dstzone=(?<DST_ZONE>[^\\s]+))?\\s*(src_port=(?<SRC_PORT>[0-9]+))?\\s*(dst_port=(?<DST_PORT>[0-9]+))?\\s*(action=(?<ACTION>[^\\s]+))?\\s*\r\n(sent=(?<SENT>[0-9]+))?\\s*(rcvd=(?<RCVD>[0-9]+))?\\s*\r\n(icmp\\stype=(?<ICMP_TYPE>[0-9]+))?\\s*(src=(?<SRC>[0-9\\.]+))?\\s*\r\n(dst=(?<DST>[0-9\\.]+))?\\s*(src-xlated-ip=(?<SRC_XLATED>[^\\s]+))?\\s*\r\n(dst-xlated-ip=(?<DST_XLATED>[^\\s]+))?\\s*(session_id=(?<SESSION_ID>[0-9]+))?\\s");
// ReSharper restore AssignNullToNotNullAttribute
const string field = "192.0.0.110:29813 : local0.notice TUYAP_MERKEZ_FW: NetScreen device_id=TUYAP_MERKEZ_FW [Root]system-notification-00257(traffic): start_time=\"2011-05-27 11:01:53\" duration=0 policy_id=29 service=proto:41/port:1 proto=41 srczone=Trust dstzone=ADSL action=Deny sent=0 rcvd=0 src=192.0.0.72 dst=192.88.99.1 session_id=0 ";
var context = new SyslogRecorderContext(_junipersyslog, ProtocolType.Udp, syslogAddress: "192.168.1.25")
{
SourceHeaderInfo = new Dictionary<string, int> { { "source_name", 0 }, { " firewall_name", 1 }, { "device_id", 2 } }
};
//Act
// ReSharper disable ExpressionIsAlwaysNull
var actual = MethodTestHelper.RunInstanceMethod<JuniperSyslogV6UnifiedRecorder, NextInstruction>("OnFieldMatch", _junipersyslog, new object[] { context, field, match });
// ReSharper restore ExpressionIsAlwaysNull
//Assert
Assert.AreEqual(actual, NextInstruction.Return);
}
public void GetContextPosition_LastRecordDate_Return()
{
//Arrange
RecorderContext context = new SyslogRecorderContext(_syslogRecorderBase,ProtocolType.Udp, "", 514);
context.LastRecordDate = "22.09.2014";
//Act
// ReSharper disable ExpressionIsAlwaysNull
var actual = MethodTestHelper.RunInstanceMethod<SyslogRecorderBase, string>("GetContextPosition", _syslogRecorderBase, new object[] { context });
// ReSharper restore ExpressionIsAlwaysNull
//Assert
Assert.AreEqual(actual, "22.09.2014");
}
public void OnFieldMatch_IfMatchAndContextSuccess_ReturnNextInstructionReturn()
{
//Arrange
var match = Regex.Match("Jun 5 15:28:06 SyslogAlertForwarder: 2012-06-05 15:28:05 EEST | P2P: Windows Mesh Traffic Detected | Medium | 65.55.236.179:443 | 10.1.1.11:25949 |PolicyViolation ", @"^.*?:\s*(?<DATE>[0-9\-]*\s*[0-9\:]*\s*[a-zA-Z]*)\s*\|\s*((?<THREAD_CODE>[^:]*):\s*(?<THREAT>[^\|]*))\s*\|\s*(?<SEVERITY>[^\|]*)\s*\|\s*((?<TARGET_IP>[^:]*):(?<TARGET_PORT>[^\|]*))\s*\|\s*((?<SRC_IP>[^:]*):(?<SRC_PORT>[^\|]*))\s*\|\s*(?<RULE>.[^\|]*)\s*");
const string field = "Jun 5 15:28:06 SyslogAlertForwarder: 2012-06-05 15:28:05 EEST | P2P: Windows Mesh Traffic Detected | Medium | 65.55.236.179:443 | 10.1.1.11:25949 |PolicyViolation";
var context = new SyslogRecorderContext(_trendmicrounified, ProtocolType.Udp, syslogAddress: "192.168.1.25")
{
SourceHeaderInfo = new Dictionary<string, int> { { "DATE", 0 }, { "THREAD_CODE", 1 }, { "THREAT", 2 } }
};
//Act
// ReSharper disable ExpressionIsAlwaysNull
var actual = MethodTestHelper.RunInstanceMethod<TrendMicroSafeSyncUnifiedRecorder, NextInstruction>("OnFieldMatch", _trendmicrounified, new object[] { context, field, match });
// ReSharper restore ExpressionIsAlwaysNull
//Assert
Assert.AreEqual(actual, NextInstruction.Return);
}
public void OnFieldMatch_IfMatchIsSuccess_ReturnNextInstructionReturn()
{
//Arrange
var match = Regex.Match("deneme", "(.*)");
string field = null;
var context = new SyslogRecorderContext(_tippingpoint, ProtocolType.Udp, "192.168.1.25")
{
SourceHeaderInfo = new Dictionary<string, int> { { "date", 0 }, { " time", 1 }, { "timezone", 2 } }
};
//Act
// ReSharper disable ExpressionIsAlwaysNull
var actual = MethodTestHelper.RunInstanceMethod<TippingPointIpsRecorder, NextInstruction>("OnFieldMatch", _tippingpoint, new object[] { context, field, match });
// ReSharper restore ExpressionIsAlwaysNull
//Assert
Assert.AreEqual(actual, NextInstruction.Abort);
}
