public void VerifyIsNullOperator()
{
    // IS_NULL must fire only when the named property is absent (null), never when a
    // value is present: App.exe carries a recorded ContentHash and must not match,
    // NotAnApp.pdf leaves ContentHash unset and must.
    var withHash = new CompareResult()
    {
        Base = new FileSystemObject("App.exe") { ContentHash = "HASH" }
    };
    var withoutHash = new CompareResult()
    {
        Base = new FileSystemObject("NotAnApp.pdf")
    };

    var isNullRule = new AsaRule("Is Null Rule")
    {
        Target = "FileSystemObject",
        Flag = ANALYSIS_RESULT_TYPE.FATAL,
        Clauses = new List<Clause>()
        {
            new Clause("ContentHash", OPERATION.IS_NULL)
        }
    };

    var analyzer = new AsaAnalyzer();
    var rules = new List<Rule>() { isNullRule };

    Assert.IsTrue(analyzer.Analyze(rules, withoutHash).Any());
    Assert.IsFalse(analyzer.Analyze(rules, withHash).Any());
}
public void VerifyNot()
{
    // "NOT 0" inverts the single labelled clause: the rule fires for an object whose
    // Path is not TestPathOne and stays silent for the one whose Path is.
    var ruleName = "NotRule";
    var notRule = new AsaRule(ruleName)
    {
        Expression = "NOT 0",
        Target = "FileSystemObject",
        Flag = ANALYSIS_RESULT_TYPE.FATAL,
        Clauses = new List<Clause>()
        {
            new Clause("Path", OPERATION.EQ)
            {
                Label = "0",
                Data = new List<string>() { TestPathOne }
            }
        }
    };

    var analyzer = new AsaAnalyzer();
    var rules = new List<Rule>() { notRule };

    var resultsForPathOne = analyzer.Analyze(rules, testPathOneObject);
    var resultsForPathTwo = analyzer.Analyze(rules, testPathTwoObject);

    Assert.IsFalse(resultsForPathOne.Any(x => x.Name == ruleName));
    Assert.IsTrue(resultsForPathTwo.Any(x => x.Name == ruleName));
}
public void VerifyIsTrueOperator()
{
    // IS_TRUE takes no rule data; it matches only when the boolean property is set.
    // App.exe is explicitly marked executable, NotAnApp.pdf leaves IsExecutable at its
    // default and must not match.
    var executable = new CompareResult()
    {
        Base = new FileSystemObject("App.exe") { IsExecutable = true }
    };
    var notExecutable = new CompareResult()
    {
        Base = new FileSystemObject("NotAnApp.pdf")
    };

    var isTrueRule = new AsaRule("Is True Rule")
    {
        Target = "FileSystemObject",
        Flag = ANALYSIS_RESULT_TYPE.FATAL,
        Clauses = new List<Clause>()
        {
            new Clause("IsExecutable", OPERATION.IS_TRUE)
        }
    };

    var analyzer = new AsaAnalyzer();
    var rules = new List<Rule>() { isTrueRule };

    Assert.IsTrue(analyzer.Analyze(rules, executable).Any());
    Assert.IsFalse(analyzer.Analyze(rules, notExecutable).Any());
}
public void VerifyWasModifiedOperator() { var falseModifiedObject = new CompareResult() { Base = new FileSystemObject("TestPathHere") }; var alsoFalseModifiedObject = new CompareResult() { Base = new FileSystemObject("TestPathHere"), Compare = new FileSystemObject("TestPathHere") { IsDirectory = true } }; var trueModifiedObject = new CompareResult() { Base = new FileSystemObject("Directory/File") { IsExecutable = true }, Compare = new FileSystemObject("Directory/File") }; var wasModifiedRule = new AsaRule("Was Modified Rule") { Target = "FileSystemObject", Flag = ANALYSIS_RESULT_TYPE.FATAL, Clauses = new List <Clause>() { new Clause("IsExecutable", OPERATION.WAS_MODIFIED) } }; var regexAnalyzer = new AsaAnalyzer(); var ruleList = new List <Rule>() { wasModifiedRule };; Assert.IsTrue(regexAnalyzer.Analyze(ruleList, trueModifiedObject).Any()); Assert.IsFalse(regexAnalyzer.Analyze(ruleList, falseModifiedObject).Any()); Assert.IsFalse(regexAnalyzer.Analyze(ruleList, alsoFalseModifiedObject).Any()); var trueAlgDict = new CompareResult() { Base = new TpmObject("TestLocal") { PCRs = new Dictionary <(Tpm2Lib.TpmAlgId, uint), byte[]>() { { (TpmAlgId.Sha, 1), new byte[5] { 1, 2, 3, 4, 5 } } } },
public void VerifyContainsKeyOperator()
{
    // CONTAINS_KEY checks only for the presence of a dictionary key. The PCR values are
    // deliberately empty byte arrays so the match cannot depend on the value. The key is
    // written in rule data as the text "(Sha, 1)", i.e. the tuple (TpmAlgId.Sha, 1) —
    // presumably compared against the key's string form; confirm against the analyzer if
    // the tuple formatting ever changes. PCR 15 under the same algorithm must not satisfy
    // a rule that asks for PCR 1.
    var hasPcr1 = new CompareResult()
    {
        Base = new TpmObject("TestLocal")
        {
            PCRs = new Dictionary<(Tpm2Lib.TpmAlgId, uint), byte[]>()
            {
                { (TpmAlgId.Sha, 1), Array.Empty<byte>() }
            }
        }
    };
    var hasPcr15Only = new CompareResult()
    {
        Base = new TpmObject("TestLocal")
        {
            PCRs = new Dictionary<(Tpm2Lib.TpmAlgId, uint), byte[]>()
            {
                { (TpmAlgId.Sha, 15), Array.Empty<byte>() }
            }
        }
    };

    var pcr1KeyRule = new AsaRule("Alg Dict Changed PCR 1")
    {
        Target = "TpmObject",
        Flag = ANALYSIS_RESULT_TYPE.FATAL,
        Clauses = new List<Clause>()
        {
            new Clause("PCRs", OPERATION.CONTAINS_KEY)
            {
                Data = new List<string>() { "(Sha, 1)" }
            }
        }
    };

    var analyzer = new AsaAnalyzer();
    var rules = new List<Rule>() { pcr1KeyRule };

    Assert.IsTrue(analyzer.Analyze(rules, hasPcr1).Any());
    Assert.IsFalse(analyzer.Analyze(rules, hasPcr15Only).Any());
}
public void VerifyIsExpiredOperator()
{
    // IS_EXPIRED is evaluated on the dotted path to the signing certificate's NotAfter:
    // DateTime.MinValue is expired at any wall-clock time, DateTime.MaxValue never is.
    // Every other certificate field (thumbprint, subject, issuer, serial, PKCS#7) is left
    // empty so nothing but the expiry date can influence the match. NotBefore is set to
    // DateTime.Now but plays no part in this operator.
    var expiredCert = new SerializableCertificate(
        Thumbprint: string.Empty,
        Subject: string.Empty,
        PublicKey: string.Empty,
        NotAfter: DateTime.MinValue,
        NotBefore: DateTime.Now,
        Issuer: string.Empty,
        SerialNumber: string.Empty,
        CertHashString: string.Empty,
        Pkcs7: string.Empty);
    var neverExpiringCert = new SerializableCertificate(
        Thumbprint: string.Empty,
        Subject: string.Empty,
        PublicKey: string.Empty,
        NotAfter: DateTime.MaxValue,
        NotBefore: DateTime.Now,
        Issuer: string.Empty,
        SerialNumber: string.Empty,
        CertHashString: string.Empty,
        Pkcs7: string.Empty);

    var signedWithExpired = new CompareResult()
    {
        Base = new FileSystemObject("App.exe")
        {
            SignatureStatus = new Signature(true) { SigningCertificate = expiredCert }
        }
    };
    var signedWithValid = new CompareResult()
    {
        Base = new FileSystemObject("App.exe")
        {
            SignatureStatus = new Signature(true) { SigningCertificate = neverExpiringCert }
        }
    };

    var isExpiredRule = new AsaRule("Is Expired Rule")
    {
        Target = "FileSystemObject",
        Flag = ANALYSIS_RESULT_TYPE.FATAL,
        Clauses = new List<Clause>()
        {
            new Clause("SignatureStatus.SigningCertificate.NotAfter", OPERATION.IS_EXPIRED)
        }
    };

    var analyzer = new AsaAnalyzer();
    var rules = new List<Rule>() { isExpiredRule };

    Assert.IsTrue(analyzer.Analyze(rules, signedWithExpired).Any());
    Assert.IsFalse(analyzer.Analyze(rules, signedWithValid).Any());
}
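public void VerifyAsaRuleResultType()
{
    // This test checks that creating an AsaRule with ResultType instead of Target works.
    // (The explanatory comment lives on its own line: written mid-initializer it would
    // comment out the remainder of the statement.)
    // The rule is a two-clause XOR: exactly one of (Path == TestPathOne, IsExecutable)
    // must hold for it to fire, so the plain TestPathOne object and the executable
    // TestPathTwo object match while the other two combinations do not.
    var ruleName = "XorRule";
    var xorRule = new AsaRule(ruleName)
    {
        Expression = "0 XOR 1",
        ResultType = RESULT_TYPE.FILE,
        Flag = ANALYSIS_RESULT_TYPE.FATAL,
        Clauses = new List<Clause>()
        {
            new Clause("Path", OPERATION.EQ)
            {
                Label = "0",
                Data = new List<string>() { TestPathOne }
            },
            new Clause("IsExecutable", OPERATION.IS_TRUE) { Label = "1" }
        }
    };

    var analyzer = new AsaAnalyzer();
    var rules = new List<Rule>() { xorRule };

    Assert.IsTrue(analyzer.Analyze(rules, testPathOneObject).Any(x => x.Name == ruleName));
    Assert.IsFalse(analyzer.Analyze(rules, testPathTwoObject).Any(x => x.Name == ruleName));
    Assert.IsFalse(analyzer.Analyze(rules, testPathOneExecutableObject).Any(x => x.Name == ruleName));
    Assert.IsTrue(analyzer.Analyze(rules, testPathTwoExecutableObject).Any(x => x.Name == ruleName));
}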
public void VerifyEndsWithOperator()
{
    // ENDS_WITH on Path with a ".exe" suffix: App.exe matches, App.pdf does not.
    // Only differing extensions are exercised here; whether the suffix comparison is
    // case-sensitive (e.g. "App.EXE") is not covered by this test.
    var exeFile = new CompareResult()
    {
        Base = new FileSystemObject("App.exe")
    };
    var pdfFile = new CompareResult()
    {
        Base = new FileSystemObject("App.pdf")
    };

    var endsWithRule = new AsaRule("Ends With Rule")
    {
        Target = "FileSystemObject",
        Flag = ANALYSIS_RESULT_TYPE.FATAL,
        Clauses = new List<Clause>()
        {
            new Clause("Path", OPERATION.ENDS_WITH)
            {
                Data = new List<string>() { ".exe" }
            }
        }
    };

    var analyzer = new AsaAnalyzer();
    var rules = new List<Rule>() { endsWithRule };

    Assert.IsTrue(analyzer.Analyze(rules, exeFile).Any());
    Assert.IsFalse(analyzer.Analyze(rules, pdfFile).Any());
}
public void VerifyRegexOperator()
{
    // REGEX applies the pattern from rule data to the Path. The pattern ".+\/.+" requires
    // a forward-slash separator with text on both sides, so "Directory/File" matches and
    // "TestPathHere" does not. Note the fixture deliberately uses a forward slash: a
    // backslash-separated (Windows-style) path would not satisfy this particular pattern.
    var noSeparator = new CompareResult()
    {
        Base = new FileSystemObject("TestPathHere")
    };
    var withSeparator = new CompareResult()
    {
        Base = new FileSystemObject("Directory/File")
    };

    var regexRule = new AsaRule("Regex Rule")
    {
        Target = "FileSystemObject",
        Flag = ANALYSIS_RESULT_TYPE.FATAL,
        Clauses = new List<Clause>()
        {
            new Clause("Path", OPERATION.REGEX)
            {
                Data = new List<string>() { ".+\\/.+" }
            }
        }
    };

    var analyzer = new AsaAnalyzer();
    var rules = new List<Rule>() { regexRule };

    Assert.IsTrue(analyzer.Analyze(rules, withSeparator).Any());
    Assert.IsFalse(analyzer.Analyze(rules, noSeparator).Any());
}
public void VerifyOr()
{
    // "0 OR 1": the rule fires when the Path equals "TestPath1" or the object is
    // executable. Only the plain TestPathTwo object satisfies neither clause.
    // NOTE(review): the path is written as the literal "TestPath1" here while sibling
    // tests use the TestPathOne constant — presumably the same value; confirm.
    var ruleName = "OrRule";
    var orRule = new AsaRule(ruleName)
    {
        Expression = "0 OR 1",
        Target = "FileSystemObject",
        Flag = ANALYSIS_RESULT_TYPE.FATAL,
        Clauses = new List<Clause>()
        {
            new Clause("Path", OPERATION.EQ)
            {
                Label = "0",
                Data = new List<string>() { "TestPath1" }
            },
            new Clause("IsExecutable", OPERATION.IS_TRUE) { Label = "1" }
        }
    };

    var analyzer = new AsaAnalyzer();
    var rules = new List<Rule>() { orRule };

    Assert.IsTrue(analyzer.Analyze(rules, testPathOneObject).Any(x => x.Name == ruleName));
    Assert.IsFalse(analyzer.Analyze(rules, testPathTwoObject).Any(x => x.Name == ruleName));
    Assert.IsTrue(analyzer.Analyze(rules, testPathOneExecutableObject).Any(x => x.Name == ruleName));
    Assert.IsTrue(analyzer.Analyze(rules, testPathTwoExecutableObject).Any(x => x.Name == ruleName));
}
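public void VerifyBareObjectQuery()
{
    // A Clause that names no field is applied to the analyzed object itself rather than
    // to one of its properties. Two rules are run against a bare string: one with
    // Target = "string" and one with no Target at all; both must fire. The rules carry
    // distinct names so the assertions can show that each one produced a result, instead
    // of relying on the result count alone (which cannot tell two same-named rules apart).
    var targetedRuleName = "BareObjectRule";
    var untargetedRuleName = "BareObjectRuleNoTarget";

    var targetedRule = new AsaRule(targetedRuleName)
    {
        Target = "string",
        Flag = ANALYSIS_RESULT_TYPE.FATAL,
        Clauses = new List<Clause>()
        {
            new Clause(OPERATION.EQ)
            {
                Data = new List<string>() { TestPathOne }
            }
        }
    };
    var untargetedRule = new AsaRule(untargetedRuleName)
    {
        Flag = ANALYSIS_RESULT_TYPE.FATAL,
        Clauses = new List<Clause>()
        {
            new Clause(OPERATION.EQ)
            {
                Data = new List<string>() { TestPathOne }
            }
        }
    };

    var analyzer = new AsaAnalyzer();
    var rules = new List<Rule>() { targetedRule, untargetedRule };

    var results = analyzer.Analyze(rules, TestPathOne).ToList();

    Assert.IsTrue(results.Count == 2);
    Assert.IsTrue(results.Any(x => x.Name == targetedRuleName));
    Assert.IsTrue(results.Any(x => x.Name == untargetedRuleName));
}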
public void VerifyCustom()
{
    // OPERATION.CUSTOM hands evaluation to the analyzer's CustomOperationDelegate. The
    // delegate installed here answers true only for a CUSTOM clause whose CustomOperation
    // is "RETURN_TRUE" and false for anything else, so the rule fires regardless of the
    // "TestPath1" data attached to the clause.
    var ruleName = "CustomRule";
    var customRule = new AsaRule(ruleName)
    {
        Target = "FileSystemObject",
        Flag = ANALYSIS_RESULT_TYPE.FATAL,
        Clauses = new List<Clause>()
        {
            new Clause("Path", OPERATION.CUSTOM)
            {
                CustomOperation = "RETURN_TRUE",
                Data = new List<string>() { "TestPath1" }
            }
        }
    };

    var analyzer = new AsaAnalyzer();
    analyzer.CustomOperationDelegate = (clause, listValues, dictionaryValues) =>
        clause.Operation == OPERATION.CUSTOM && clause.CustomOperation == "RETURN_TRUE";

    var rules = new List<Rule>() { customRule };

    var results = analyzer.Analyze(rules, testPathOneObject);
    Assert.IsTrue(results.Any(x => x.Name == ruleName));
}
public void VerifyAccessSubproperties()
{
    // A dotted field path reaches into a nested member: "Values.One" addresses the entry
    // keyed "One" in the registry object's Values dictionary, and EQ compares its value
    // ("Two") against the rule data. The Label is set although no Expression uses it.
    var registryWithValue = new CompareResult()
    {
        Base = new RegistryObject("ContainsListObject", Microsoft.Win32.RegistryView.Registry32)
        {
            Values = new Dictionary<string, string>()
            {
                { "One", "Two" }
            }
        }
    };

    var ruleName = "ContainsRule";
    var subpropertyRule = new AsaRule(ruleName)
    {
        Target = "RegistryObject",
        Flag = ANALYSIS_RESULT_TYPE.FATAL,
        Clauses = new List<Clause>()
        {
            new Clause("Values.One", OPERATION.EQ)
            {
                Label = "0",
                Data = new List<string>() { "Two" }
            }
        }
    };

    var analyzer = new AsaAnalyzer();
    var rules = new List<Rule>() { subpropertyRule };

    var results = analyzer.Analyze(rules, registryWithValue);
    Assert.IsTrue(results.Any(x => x.Name == ruleName));
}
public void VerifyContainsOperator()
{
    // CONTAINS behaves as an all-of check in each of the four shapes exercised below:
    // every entry in the rule's Data (or DictData) must be present in the target
    // property. Objects holding only some of the entries, or none, must not match.

    // 1. String property: the Path must contain every listed substring.
    var allSubstrings = new CompareResult()
    {
        Base = new FileSystemObject("ContainsStringObject")
    };
    var someSubstrings = new CompareResult()
    {
        Base = new FileSystemObject("StringObject")
    };
    var noSubstrings = new CompareResult()
    {
        Base = new FileSystemObject("NothingInCommon")
    };
    var stringContains = new AsaRule("String Contains Rule")
    {
        Target = "FileSystemObject",
        Flag = ANALYSIS_RESULT_TYPE.FATAL,
        Clauses = new List<Clause>()
        {
            new Clause("Path", OPERATION.CONTAINS)
            {
                Data = new List<string>() { "Contains", "String", "Object" }
            }
        }
    };
    var stringAnalyzer = new AsaAnalyzer();
    var rules = new List<Rule>() { stringContains };
    Assert.IsTrue(stringAnalyzer.Analyze(rules, allSubstrings).Any());
    Assert.IsFalse(stringAnalyzer.Analyze(rules, someSubstrings).Any());
    Assert.IsFalse(stringAnalyzer.Analyze(rules, noSubstrings).Any());

    // 2. List property: every listed subkey name must be present.
    var allSubkeys = new CompareResult()
    {
        Base = new RegistryObject("ContainsListObject", Microsoft.Win32.RegistryView.Registry32)
        {
            Subkeys = new List<string>() { "One", "Two", "Three" }
        }
    };
    var someSubkeys = new CompareResult()
    {
        Base = new RegistryObject("ContainsListObject", Microsoft.Win32.RegistryView.Registry32)
        {
            Subkeys = new List<string>() { "One", "Two" }
        }
    };
    var noSubkeys = new CompareResult()
    {
        Base = new RegistryObject("ContainsListObject", Microsoft.Win32.RegistryView.Registry32)
    };
    var listContains = new AsaRule("List Contains Rule")
    {
        Target = "RegistryObject",
        Flag = ANALYSIS_RESULT_TYPE.FATAL,
        Clauses = new List<Clause>()
        {
            new Clause("Subkeys", OPERATION.CONTAINS)
            {
                Data = new List<string>() { "One", "Two", "Three" }
            }
        }
    };
    var listAnalyzer = new AsaAnalyzer();
    rules = new List<Rule>() { listContains };
    Assert.IsTrue(listAnalyzer.Analyze(rules, allSubkeys).Any());
    Assert.IsFalse(listAnalyzer.Analyze(rules, someSubkeys).Any());
    Assert.IsFalse(listAnalyzer.Analyze(rules, noSubkeys).Any());

    // 3. string->string dictionary: every (key, value) pair in DictData must be present.
    //    Neither a dictionary missing some of the pairs nor one whose keys carry other
    //    values may match.
    var allValuePairs = new CompareResult()
    {
        Base = new RegistryObject("ContainsStringDictObject", Microsoft.Win32.RegistryView.Registry32)
        {
            Values = new Dictionary<string, string>()
            {
                { "One", "One" },
                { "Two", "Two" },
                { "Three", "Three" }
            }
        }
    };
    var someValuePairs = new CompareResult()
    {
        Base = new RegistryObject("ContainsStringDictObject", Microsoft.Win32.RegistryView.Registry32)
        {
            Values = new Dictionary<string, string>()
            {
                { "One", "One" },
                { "Two", "Three" }
            }
        }
    };
    var noValuePairs = new CompareResult()
    {
        Base = new RegistryObject("ContainsStringDictObject", Microsoft.Win32.RegistryView.Registry32)
        {
            Values = new Dictionary<string, string>()
            {
                { "One", "Two" },
                { "Three", "Four" }
            }
        }
    };
    var stringDictContains = new AsaRule("String Dict Contains Rule")
    {
        Target = "RegistryObject",
        Flag = ANALYSIS_RESULT_TYPE.FATAL,
        Clauses = new List<Clause>()
        {
            new Clause("Values", OPERATION.CONTAINS)
            {
                DictData = new List<KeyValuePair<string, string>>()
                {
                    new KeyValuePair<string, string>("One", "One"),
                    new KeyValuePair<string, string>("Two", "Two"),
                    new KeyValuePair<string, string>("Three", "Three")
                }
            }
        }
    };
    var stringDictAnalyzer = new AsaAnalyzer();
    rules = new List<Rule>() { stringDictContains };
    Assert.IsTrue(stringDictAnalyzer.Analyze(rules, allValuePairs).Any());
    Assert.IsFalse(stringDictAnalyzer.Analyze(rules, someValuePairs).Any());
    Assert.IsFalse(stringDictAnalyzer.Analyze(rules, noValuePairs).Any());

    // 4. string->list dictionary: every (key, member) pair in DictData must be present.
    //    The fixture is an ACL-like Permissions map: a principal holding only "Read", or
    //    a different principal holding the full set, must not satisfy a rule that asks
    //    for "User" with both "Execute" and "Read".
    var userHasBoth = new CompareResult()
    {
        Base = new RegistryObject("ContainsListDictObject", Microsoft.Win32.RegistryView.Registry32)
        {
            Permissions = new Dictionary<string, List<string>>()
            {
                { "User", new List<string>() { "Read", "Execute" } }
            }
        }
    };
    var userHasReadOnly = new CompareResult()
    {
        Base = new RegistryObject("ContainsListDictObject", Microsoft.Win32.RegistryView.Registry32)
        {
            Permissions = new Dictionary<string, List<string>>()
            {
                { "User", new List<string>() { "Read" } }
            }
        }
    };
    var otherPrincipalHasBoth = new CompareResult()
    {
        Base = new RegistryObject("ContainsListDictObject", Microsoft.Win32.RegistryView.Registry32)
        {
            Permissions = new Dictionary<string, List<string>>()
            {
                { "Contoso", new List<string>() { "Read", "Execute" } }
            }
        }
    };
    var listDictContains = new AsaRule("List Dict Contains Rule")
    {
        Target = "RegistryObject",
        Flag = ANALYSIS_RESULT_TYPE.FATAL,
        Clauses = new List<Clause>()
        {
            new Clause("Permissions", OPERATION.CONTAINS)
            {
                DictData = new List<KeyValuePair<string, string>>()
                {
                    new KeyValuePair<string, string>("User", "Execute"),
                    new KeyValuePair<string, string>("User", "Read")
                }
            }
        }
    };
    var listDictAnalyzer = new AsaAnalyzer();
    rules = new List<Rule>() { listDictContains };
    Assert.IsTrue(listDictAnalyzer.Analyze(rules, userHasBoth).Any());
    Assert.IsFalse(listDictAnalyzer.Analyze(rules, userHasReadOnly).Any());
    Assert.IsFalse(listDictAnalyzer.Analyze(rules, otherPrincipalHasBoth).Any());
}
public void VerifyEqOperator()
{
    // EQ is exercised against three property types — string Path, bool IsDirectory and
    // integer Size — with the comparison value always supplied as rule-data text ("True",
    // "700"). All three rules must fire on the matching object and none on the object
    // whose path, flag and size all differ.
    var matching = new CompareResult()
    {
        Base = new FileSystemObject("TestPath") { IsDirectory = true, Size = 700 }
    };
    var nonMatching = new CompareResult()
    {
        Base = new FileSystemObject("TestPath2") { IsDirectory = false, Size = 701 }
    };

    var stringEquals = new AsaRule("String Equals Rule")
    {
        Target = "FileSystemObject",
        Flag = ANALYSIS_RESULT_TYPE.FATAL,
        Clauses = new List<Clause>()
        {
            new Clause("Path", OPERATION.EQ) { Data = new List<string>() { "TestPath" } }
        }
    };
    var boolEquals = new AsaRule("Bool Equals Rule")
    {
        Target = "FileSystemObject",
        Flag = ANALYSIS_RESULT_TYPE.FATAL,
        Clauses = new List<Clause>()
        {
            new Clause("IsDirectory", OPERATION.EQ) { Data = new List<string>() { "True" } }
        }
    };
    var intEquals = new AsaRule("Int Equals Rule")
    {
        Target = "FileSystemObject",
        Flag = ANALYSIS_RESULT_TYPE.FATAL,
        Clauses = new List<Clause>()
        {
            new Clause("Size", OPERATION.EQ) { Data = new List<string>() { "700" } }
        }
    };

    var analyzer = new AsaAnalyzer();
    var rules = new List<Rule>() { boolEquals, intEquals, stringEquals };

    var matchingResults = analyzer.Analyze(rules, matching);
    var nonMatchingResults = analyzer.Analyze(rules, nonMatching);

    foreach (var name in new[] { "Bool Equals Rule", "Int Equals Rule", "String Equals Rule" })
    {
        Assert.IsTrue(matchingResults.Any(x => x.Name == name));
    }
    foreach (var name in new[] { "Bool Equals Rule", "Int Equals Rule", "String Equals Rule" })
    {
        Assert.IsFalse(nonMatchingResults.Any(x => x.Name == name));
    }
}
public void VerifyGtOperator()
{
    // GT compares the numeric Port against rule data: 1025 > 1024 fires, 1023 does not.
    // The second rule supplies non-numeric data ("CONTOSO"); it must fail closed, matching
    // neither port, rather than throwing or matching everything — malformed rule data
    // must not manufacture a FATAL finding.
    var highPort = new CompareResult()
    {
        Base = new OpenPortObject(1025, TRANSPORT.TCP, ADDRESS_FAMILY.InterNetwork)
    };
    var lowPort = new CompareResult()
    {
        Base = new OpenPortObject(1023, TRANSPORT.TCP, ADDRESS_FAMILY.InterNetwork)
    };

    var gtRule = new AsaRule("Gt Rule")
    {
        Target = "OpenPortObject",
        Flag = ANALYSIS_RESULT_TYPE.FATAL,
        Clauses = new List<Clause>()
        {
            new Clause("Port", OPERATION.GT) { Data = new List<string>() { "1024" } }
        }
    };
    var nonNumericGtRule = new AsaRule("Bad Gt Rule")
    {
        Target = "OpenPortObject",
        Flag = ANALYSIS_RESULT_TYPE.FATAL,
        Clauses = new List<Clause>()
        {
            new Clause("Port", OPERATION.GT) { Data = new List<string>() { "CONTOSO" } }
        }
    };

    var analyzer = new AsaAnalyzer();
    var rules = new List<Rule>() { gtRule };
    Assert.IsTrue(analyzer.Analyze(rules, highPort).Any());
    Assert.IsFalse(analyzer.Analyze(rules, lowPort).Any());

    var nonNumericAnalyzer = new AsaAnalyzer();
    rules = new List<Rule>() { nonNumericGtRule };
    Assert.IsFalse(nonNumericAnalyzer.Analyze(rules, highPort).Any());
    Assert.IsFalse(nonNumericAnalyzer.Analyze(rules, lowPort).Any());
}
public void VerifyIsBeforeOperator()
{
    // IS_BEFORE compares the signing certificate's NotAfter with a date given as rule
    // data. A certificate expiring now is before "tomorrow"; one expiring in a year is
    // not. The date is supplied twice, once as DateTime.ToString() and once as
    // ToShortDateString(), to cover both textual forms.
    // NOTE(review): both forms are rendered in the current culture; if the analyzer parses
    // with a fixed culture this test may behave differently across locales — confirm.
    var expiringNow = new CompareResult()
    {
        Base = new FileSystemObject("App.exe")
        {
            SignatureStatus = new Signature(true)
            {
                SigningCertificate = new SerializableCertificate(
                    Thumbprint: string.Empty,
                    Subject: string.Empty,
                    PublicKey: string.Empty,
                    NotAfter: DateTime.Now,
                    NotBefore: DateTime.Now,
                    Issuer: string.Empty,
                    SerialNumber: string.Empty,
                    CertHashString: string.Empty,
                    Pkcs7: string.Empty)
            }
        }
    };
    var expiringNextYear = new CompareResult()
    {
        Base = new FileSystemObject("App.exe")
        {
            SignatureStatus = new Signature(true)
            {
                SigningCertificate = new SerializableCertificate(
                    Thumbprint: string.Empty,
                    Subject: string.Empty,
                    PublicKey: string.Empty,
                    NotAfter: DateTime.Now.AddYears(1),
                    NotBefore: DateTime.Now,
                    Issuer: string.Empty,
                    SerialNumber: string.Empty,
                    CertHashString: string.Empty,
                    Pkcs7: string.Empty)
            }
        }
    };

    var fullFormRule = new AsaRule("Is Before Rule")
    {
        Target = "FileSystemObject",
        Flag = ANALYSIS_RESULT_TYPE.FATAL,
        Clauses = new List<Clause>()
        {
            new Clause("SignatureStatus.SigningCertificate.NotAfter", OPERATION.IS_BEFORE)
            {
                Data = new List<string>() { DateTime.Now.AddDays(1).ToString() }
            }
        }
    };
    var fullFormAnalyzer = new AsaAnalyzer();
    var rules = new List<Rule>() { fullFormRule };
    Assert.IsTrue(fullFormAnalyzer.Analyze(rules, expiringNow).Any());
    Assert.IsFalse(fullFormAnalyzer.Analyze(rules, expiringNextYear).Any());

    var shortFormRule = new AsaRule("Is Before Short Rule")
    {
        Target = "FileSystemObject",
        Flag = ANALYSIS_RESULT_TYPE.FATAL,
        Clauses = new List<Clause>()
        {
            new Clause("SignatureStatus.SigningCertificate.NotAfter", OPERATION.IS_BEFORE)
            {
                Data = new List<string>() { DateTime.Now.AddDays(1).ToShortDateString() }
            }
        }
    };
    var shortFormAnalyzer = new AsaAnalyzer();
    rules = new List<Rule>() { shortFormRule };
    Assert.IsTrue(shortFormAnalyzer.Analyze(rules, expiringNow).Any());
    Assert.IsFalse(shortFormAnalyzer.Analyze(rules, expiringNextYear).Any());
}