public void VerifyIsNullOperator() { var falseIsNullObject = new CompareResult() { Base = new FileSystemObject("App.exe") { ContentHash = "HASH" } }; var trueIsNullObject = new CompareResult() { Base = new FileSystemObject("NotAnApp.pdf") }; var isNullRule = new AsaRule("Is Null Rule") { Target = "FileSystemObject", Flag = ANALYSIS_RESULT_TYPE.FATAL, Clauses = new List <Clause>() { new Clause("ContentHash", OPERATION.IS_NULL) } }; var isNullAnalyzer = new AsaAnalyzer(); var ruleList = new List <Rule>() { isNullRule };; Assert.IsTrue(isNullAnalyzer.Analyze(ruleList, trueIsNullObject).Any()); Assert.IsFalse(isNullAnalyzer.Analyze(ruleList, falseIsNullObject).Any()); }
public void VerifyIsTrueOperator() { var trueIsTrueObject = new CompareResult() { Base = new FileSystemObject("App.exe") { IsExecutable = true } }; var falseIsTrueObject = new CompareResult() { Base = new FileSystemObject("NotAnApp.pdf") }; var isTrueRule = new AsaRule("Is True Rule") { Target = "FileSystemObject", Flag = ANALYSIS_RESULT_TYPE.FATAL, Clauses = new List <Clause>() { new Clause("IsExecutable", OPERATION.IS_TRUE) } }; var isTrueAnalyzer = new AsaAnalyzer(); var ruleList = new List <Rule>() { isTrueRule };; Assert.IsTrue(isTrueAnalyzer.Analyze(ruleList, trueIsTrueObject).Any()); Assert.IsFalse(isTrueAnalyzer.Analyze(ruleList, falseIsTrueObject).Any()); }
public void VerifyNot() { var RuleName = "NotRule"; var notRule = new AsaRule(RuleName) { Expression = "NOT 0", Target = "FileSystemObject", Flag = ANALYSIS_RESULT_TYPE.FATAL, Clauses = new List <Clause>() { new Clause("Path", OPERATION.EQ) { Label = "0", Data = new List <string>() { TestPathOne } } } }; var analyzer = new AsaAnalyzer(); var ruleList = new List <Rule>() { notRule }; Assert.IsTrue(!analyzer.Analyze(ruleList, testPathOneObject).Any(x => x.Name == RuleName)); Assert.IsTrue(analyzer.Analyze(ruleList, testPathTwoObject).Any(x => x.Name == RuleName)); }
public void VerifyWasModifiedOperator() { var falseModifiedObject = new CompareResult() { Base = new FileSystemObject("TestPathHere") }; var alsoFalseModifiedObject = new CompareResult() { Base = new FileSystemObject("TestPathHere"), Compare = new FileSystemObject("TestPathHere") { IsDirectory = true } }; var trueModifiedObject = new CompareResult() { Base = new FileSystemObject("Directory/File") { IsExecutable = true }, Compare = new FileSystemObject("Directory/File") }; var wasModifiedRule = new AsaRule("Was Modified Rule") { Target = "FileSystemObject", Flag = ANALYSIS_RESULT_TYPE.FATAL, Clauses = new List <Clause>() { new Clause("IsExecutable", OPERATION.WAS_MODIFIED) } }; var regexAnalyzer = new AsaAnalyzer(); var ruleList = new List <Rule>() { wasModifiedRule };; Assert.IsTrue(regexAnalyzer.Analyze(ruleList, trueModifiedObject).Any()); Assert.IsFalse(regexAnalyzer.Analyze(ruleList, falseModifiedObject).Any()); Assert.IsFalse(regexAnalyzer.Analyze(ruleList, alsoFalseModifiedObject).Any()); var trueAlgDict = new CompareResult() { Base = new TpmObject("TestLocal") { PCRs = new Dictionary <(Tpm2Lib.TpmAlgId, uint), byte[]>() { { (TpmAlgId.Sha, 1), new byte[5] { 1, 2, 3, 4, 5 } } } },
private Analyzer GetAnalyzerForRule(AsaRule rule) { var file = new RuleFile() { AsaRules = new List <AsaRule>() { rule } }; return(new AsaAnalyzer()); }
public void VerifyFileMonitorAsFile() { var RuleName = "AndRule"; var andRule = new AsaRule(RuleName) { Expression = "0 AND 1", ResultType = RESULT_TYPE.FILE, Flag = ANALYSIS_RESULT_TYPE.FATAL, Clauses = new List <Clause>() { new Clause(Operation.Equals, "Path") { Label = "0", Data = new List <string>() { "TestPath1" } }, new Clause(Operation.IsTrue, "IsExecutable") { Label = "1" } } }; var analyzer = new AsaAnalyzer(); var opts = new CompareCommandOptions(null, "SecondRun") { ApplySubObjectRulesToMonitor = true }; var results = AttackSurfaceAnalyzerClient.AnalyzeMonitored(opts, analyzer, new MonitorObject[] { testPathOneObject }, new RuleFile() { AsaRules = new AsaRule[] { andRule } }); Assert.IsTrue(results.Any(x => x.Value.Any(y => y.Identity == testPathOneObject.Identity && y.Rules.Contains(andRule)))); opts = new CompareCommandOptions(null, "SecondRun") { ApplySubObjectRulesToMonitor = false }; results = AttackSurfaceAnalyzerClient.AnalyzeMonitored(opts, analyzer, new MonitorObject[] { testPathOneObject }, new RuleFile() { AsaRules = new AsaRule[] { andRule } }); Assert.IsFalse(results.Any(x => x.Value.Any(y => y.Identity == testPathOneObject.Identity && y.Rules.Contains(andRule)))); }
public void VerifyContainsKeyOperator() { var trueAlgDict = new CompareResult() { Base = new TpmObject("TestLocal") { PCRs = new Dictionary <(Tpm2Lib.TpmAlgId, uint), byte[]>() { { (TpmAlgId.Sha, 1), Array.Empty <byte>() } } } }; var falseAlgDict = new CompareResult() { Base = new TpmObject("TestLocal") { PCRs = new Dictionary <(Tpm2Lib.TpmAlgId, uint), byte[]>() { { (TpmAlgId.Sha, 15), Array.Empty <byte>() } } } }; var algDictContains = new AsaRule("Alg Dict Changed PCR 1") { Target = "TpmObject", Flag = ANALYSIS_RESULT_TYPE.FATAL, Clauses = new List <Clause>() { new Clause("PCRs", OPERATION.CONTAINS_KEY) { Data = new List <string>() { "(Sha, 1)" } } } }; var algDictAnalyzer = new AsaAnalyzer(); var ruleList = new List <Rule>() { algDictContains };; Assert.IsTrue(algDictAnalyzer.Analyze(ruleList, trueAlgDict).Any()); Assert.IsFalse(algDictAnalyzer.Analyze(ruleList, falseAlgDict).Any()); }
public void VerifyIsExpiredOperator() { var trueIsExpiredObject = new CompareResult() { Base = new FileSystemObject("App.exe") { SignatureStatus = new Signature(true) { SigningCertificate = new SerializableCertificate(Thumbprint: string.Empty, Subject: string.Empty, PublicKey: string.Empty, NotAfter: DateTime.MinValue, NotBefore: DateTime.Now, Issuer: string.Empty, SerialNumber: string.Empty, CertHashString: string.Empty, Pkcs7: string.Empty) } } }; var falseIsExpiredObject = new CompareResult() { Base = new FileSystemObject("App.exe") { SignatureStatus = new Signature(true) { SigningCertificate = new SerializableCertificate(Thumbprint: string.Empty, Subject: string.Empty, PublicKey: string.Empty, NotAfter: DateTime.MaxValue, NotBefore: DateTime.Now, Issuer: string.Empty, SerialNumber: string.Empty, CertHashString: string.Empty, Pkcs7: string.Empty) } } }; var isExpiredRule = new AsaRule("Is Expired Rule") { Target = "FileSystemObject", Flag = ANALYSIS_RESULT_TYPE.FATAL, Clauses = new List <Clause>() { new Clause("SignatureStatus.SigningCertificate.NotAfter", OPERATION.IS_EXPIRED) } }; var isExpiredAnalyzer = new AsaAnalyzer(); var ruleList = new List <Rule>() { isExpiredRule };; Assert.IsTrue(isExpiredAnalyzer.Analyze(ruleList, trueIsExpiredObject).Any()); Assert.IsFalse(isExpiredAnalyzer.Analyze(ruleList, falseIsExpiredObject).Any()); }
public void VerifyBareObjectQuery() { var RuleName = "BareObjectRule"; var bareObjectRule = new AsaRule(RuleName) { Target = "string", Flag = ANALYSIS_RESULT_TYPE.FATAL, Clauses = new List <Clause>() { new Clause(OPERATION.EQ) { Data = new List <string>() { TestPathOne } } } }; var bareObjectRuleNoTarget = new AsaRule(RuleName) { Flag = ANALYSIS_RESULT_TYPE.FATAL, Clauses = new List <Clause>() { new Clause(OPERATION.EQ) { Data = new List <string>() { TestPathOne } } } }; var analyzer = new AsaAnalyzer(); var ruleList = new List <Rule>() { bareObjectRule, bareObjectRuleNoTarget }; Assert.IsTrue(analyzer.Analyze(ruleList, TestPathOne).Count() == 2); }
public void VerifyCustom() { var RuleName = "CustomRule"; var customRule = new AsaRule(RuleName) { Target = "FileSystemObject", Flag = ANALYSIS_RESULT_TYPE.FATAL, Clauses = new List <Clause>() { new Clause("Path", OPERATION.CUSTOM) { CustomOperation = "RETURN_TRUE", Data = new List <string>() { "TestPath1" } }, } }; var analyzer = new AsaAnalyzer(); analyzer.CustomOperationDelegate = (clause, listValues, dictionaryValues) => { if (clause.Operation == OPERATION.CUSTOM) { if (clause.CustomOperation == "RETURN_TRUE") { return(true); } } return(false); }; var ruleList = new List <Rule>() { customRule }; Assert.IsTrue(analyzer.Analyze(ruleList, testPathOneObject).Any(x => x.Name == RuleName)); }
public void VerifyAccessSubproperties() { var regObj = new CompareResult() { Base = new RegistryObject("ContainsListObject", Microsoft.Win32.RegistryView.Registry32) { Values = new Dictionary <string, string>() { { "One", "Two" } } } }; var RuleName = "ContainsRule"; var containsRule = new AsaRule(RuleName) { Target = "RegistryObject", Flag = ANALYSIS_RESULT_TYPE.FATAL, Clauses = new List <Clause>() { new Clause("Values.One", OPERATION.EQ) { Label = "0", Data = new List <string>() { "Two" } } } }; var analyzer = new AsaAnalyzer(); var ruleList = new List <Rule>() { containsRule }; Assert.IsTrue(analyzer.Analyze(ruleList, regObj).Any(x => x.Name == RuleName)); }
public void VerifyAsaRuleResultType() { var RuleName = "XorRule"; var xorRule = new AsaRule(RuleName) { Expression = "0 XOR 1", // This test tests that creating an AsaRule with ResultType instead of Target works. ResultType = RESULT_TYPE.FILE, Flag = ANALYSIS_RESULT_TYPE.FATAL, Clauses = new List <Clause>() { new Clause("Path", OPERATION.EQ) { Label = "0", Data = new List <string>() { TestPathOne } }, new Clause("IsExecutable", OPERATION.IS_TRUE) { Label = "1" } } }; var analyzer = new AsaAnalyzer(); var ruleList = new List <Rule>() { xorRule }; Assert.IsTrue(analyzer.Analyze(ruleList, testPathOneObject).Any(x => x.Name == RuleName)); Assert.IsTrue(!analyzer.Analyze(ruleList, testPathTwoObject).Any(x => x.Name == RuleName)); Assert.IsTrue(!analyzer.Analyze(ruleList, testPathOneExecutableObject).Any(x => x.Name == RuleName)); Assert.IsTrue(analyzer.Analyze(ruleList, testPathTwoExecutableObject).Any(x => x.Name == RuleName)); }
public void VerifyEndsWithOperator() { var trueEndsWithObject = new CompareResult() { Base = new FileSystemObject("App.exe") }; var falseEndsWithObject = new CompareResult() { Base = new FileSystemObject("App.pdf") }; var endsWithRule = new AsaRule("Ends With Rule") { Target = "FileSystemObject", Flag = ANALYSIS_RESULT_TYPE.FATAL, Clauses = new List <Clause>() { new Clause("Path", OPERATION.ENDS_WITH) { Data = new List <string>() { ".exe" } } } }; var endsWithAnalyzer = new AsaAnalyzer(); var ruleList = new List <Rule>() { endsWithRule };; Assert.IsTrue(endsWithAnalyzer.Analyze(ruleList, trueEndsWithObject).Any()); Assert.IsFalse(endsWithAnalyzer.Analyze(ruleList, falseEndsWithObject).Any()); }
public void VerifyRegexOperator() { var falseRegexObject = new CompareResult() { Base = new FileSystemObject("TestPathHere") }; var trueRegexObject = new CompareResult() { Base = new FileSystemObject("Directory/File") }; var regexRule = new AsaRule("Regex Rule") { Target = "FileSystemObject", Flag = ANALYSIS_RESULT_TYPE.FATAL, Clauses = new List <Clause>() { new Clause("Path", OPERATION.REGEX) { Data = new List <string>() { ".+\\/.+" } } } }; var regexAnalyzer = new AsaAnalyzer(); var ruleList = new List <Rule>() { regexRule };; Assert.IsTrue(regexAnalyzer.Analyze(ruleList, trueRegexObject).Any()); Assert.IsFalse(regexAnalyzer.Analyze(ruleList, falseRegexObject).Any()); }
public void VerifyOr() { var RuleName = "OrRule"; var orRule = new AsaRule(RuleName) { Expression = "0 OR 1", Target = "FileSystemObject", Flag = ANALYSIS_RESULT_TYPE.FATAL, Clauses = new List <Clause>() { new Clause("Path", OPERATION.EQ) { Label = "0", Data = new List <string>() { "TestPath1" } }, new Clause("IsExecutable", OPERATION.IS_TRUE) { Label = "1" } } }; var analyzer = new AsaAnalyzer(); var ruleList = new List <Rule>() { orRule }; Assert.IsTrue(analyzer.Analyze(ruleList, testPathOneObject).Any(x => x.Name == RuleName)); Assert.IsTrue(!analyzer.Analyze(ruleList, testPathTwoObject).Any(x => x.Name == RuleName)); Assert.IsTrue(analyzer.Analyze(ruleList, testPathOneExecutableObject).Any(x => x.Name == RuleName)); Assert.IsTrue(analyzer.Analyze(ruleList, testPathTwoExecutableObject).Any(x => x.Name == RuleName)); }
public void VerifyCustomRuleValidation() { var RuleName = "CustomRuleValidation"; var supportedCustomOperation = new AsaRule(RuleName) { Target = "FileSystemObject", Flag = ANALYSIS_RESULT_TYPE.FATAL, Clauses = new List <Clause>() { new Clause("Path", OPERATION.CUSTOM) { CustomOperation = "FOO", Data = new List <string>() { TestPathOne } }, } }; var unsupportedCustomOperation = new AsaRule(RuleName) { Target = "FileSystemObject", Flag = ANALYSIS_RESULT_TYPE.FATAL, Clauses = new List <Clause>() { new Clause("Path", OPERATION.CUSTOM) { CustomOperation = "BAR", Data = new List <string>() { TestPathOne } }, } }; var analyzer = new AsaAnalyzer(); analyzer.CustomOperationValidationDelegate = parseFooOperations; IEnumerable <Violation> parseFooOperations(Rule r, Clause c) { switch (c.CustomOperation) { case "FOO": if (!c.Data.Any()) { yield return(new Violation("FOO Operation expects data", r, c)); } break; default: yield return(new Violation($"{c.CustomOperation} is unexpected", r, c)); break; } }; Assert.IsTrue(analyzer.IsRuleValid(supportedCustomOperation)); Assert.IsFalse(analyzer.IsRuleValid(unsupportedCustomOperation)); }
public void VerifyContainsOperator() { var trueStringObject = new CompareResult() { Base = new FileSystemObject("ContainsStringObject") }; var falseStringObject = new CompareResult() { Base = new FileSystemObject("StringObject") }; var superFalseStringObject = new CompareResult() { Base = new FileSystemObject("NothingInCommon") }; var stringContains = new AsaRule("String Contains Rule") { Target = "FileSystemObject", Flag = ANALYSIS_RESULT_TYPE.FATAL, Clauses = new List <Clause>() { new Clause("Path", OPERATION.CONTAINS) { Data = new List <string>() { "Contains", "String", "Object" } } } }; var stringAnalyzer = new AsaAnalyzer(); var ruleList = new List <Rule>() { stringContains };; Assert.IsTrue(stringAnalyzer.Analyze(ruleList, trueStringObject).Any()); Assert.IsFalse(stringAnalyzer.Analyze(ruleList, falseStringObject).Any()); Assert.IsFalse(stringAnalyzer.Analyze(ruleList, superFalseStringObject).Any()); var trueListObject = new CompareResult() { Base = new RegistryObject("ContainsListObject", Microsoft.Win32.RegistryView.Registry32) { Subkeys = new List <string>() { "One", "Two", "Three" } } }; var falseListObject = new CompareResult() { Base = new RegistryObject("ContainsListObject", Microsoft.Win32.RegistryView.Registry32) { Subkeys = new List <string>() { "One", "Two", } } }; var superFalseListObject = new CompareResult() { Base = new RegistryObject("ContainsListObject", Microsoft.Win32.RegistryView.Registry32) }; var listContains = new AsaRule("List Contains Rule") { Target = "RegistryObject", Flag = ANALYSIS_RESULT_TYPE.FATAL, Clauses = new List <Clause>() { new Clause("Subkeys", OPERATION.CONTAINS) { Data = new List <string>() { "One", "Two", "Three" } } } }; var listAnalyzer = new AsaAnalyzer(); ruleList = new List <Rule>() { listContains };; Assert.IsTrue(listAnalyzer.Analyze(ruleList, trueListObject).Any()); Assert.IsFalse(listAnalyzer.Analyze(ruleList, falseListObject).Any()); Assert.IsFalse(listAnalyzer.Analyze(ruleList, superFalseListObject).Any()); var trueStringDictObject = new CompareResult() { Base = new RegistryObject("ContainsStringDictObject", Microsoft.Win32.RegistryView.Registry32) { Values = new Dictionary <string, string>() { { "One", "One" }, { "Two", "Two" }, { "Three", "Three" } } } }; var falseStringDictObject = new CompareResult() { Base = new RegistryObject("ContainsStringDictObject", Microsoft.Win32.RegistryView.Registry32) { Values = new Dictionary <string, string>() { { "One", "One" }, { "Two", "Three" }, } } }; var superFalseStringDictObject = new CompareResult() { Base = new RegistryObject("ContainsStringDictObject", Microsoft.Win32.RegistryView.Registry32) { Values = new Dictionary <string, string>() { { "One", "Two" }, { "Three", "Four" }, } } }; var stringDictContains = new AsaRule("String Dict Contains Rule") { Target = "RegistryObject", Flag = ANALYSIS_RESULT_TYPE.FATAL, Clauses = new List <Clause>() { new Clause("Values", OPERATION.CONTAINS) { DictData = new List <KeyValuePair <string, string> >() { new KeyValuePair <string, string>("One", "One"), new KeyValuePair <string, string>("Two", "Two"), new KeyValuePair <string, string>("Three", "Three") } } } }; var stringDictAnalyzer = new AsaAnalyzer(); ruleList = new List <Rule>() { stringDictContains };; Assert.IsTrue(stringDictAnalyzer.Analyze(ruleList, trueStringDictObject).Any()); Assert.IsFalse(stringDictAnalyzer.Analyze(ruleList, falseStringDictObject).Any()); Assert.IsFalse(stringDictAnalyzer.Analyze(ruleList, superFalseStringDictObject).Any()); var trueListDictObject = new CompareResult() { Base = new RegistryObject("ContainsListDictObject", Microsoft.Win32.RegistryView.Registry32) { Permissions = new Dictionary <string, List <string> >() { { "User", new List <string>() { "Read", "Execute" } } } } }; var falseListDictObject = new CompareResult() { Base = new RegistryObject("ContainsListDictObject", Microsoft.Win32.RegistryView.Registry32) { Permissions = new Dictionary <string, List <string> >() { { "User", new List <string>() { "Read", } } } } }; var alsoFalseListDictObject = new CompareResult() { Base = new RegistryObject("ContainsListDictObject", Microsoft.Win32.RegistryView.Registry32) { Permissions = new Dictionary <string, List <string> >() { { "Contoso", new List <string>() { "Read", "Execute" } } } } }; var listDictContains = new AsaRule("List Dict Contains Rule") { Target = "RegistryObject", Flag = ANALYSIS_RESULT_TYPE.FATAL, Clauses = new List <Clause>() { new Clause("Permissions", OPERATION.CONTAINS) { DictData = new List <KeyValuePair <string, string> >() { new KeyValuePair <string, string>("User", "Execute"), new KeyValuePair <string, string>("User", "Read"), } } } }; var listDictAnalyzer = new AsaAnalyzer(); ruleList = new List <Rule>() { listDictContains };; Assert.IsTrue(listDictAnalyzer.Analyze(ruleList, trueListDictObject).Any()); Assert.IsFalse(listDictAnalyzer.Analyze(ruleList, falseListDictObject).Any()); Assert.IsFalse(listDictAnalyzer.Analyze(ruleList, alsoFalseListDictObject).Any()); }
public void VerifyEqOperator() { var assertTrueObject = new CompareResult() { Base = new FileSystemObject("TestPath") { IsDirectory = true, Size = 700 } }; var assertFalseObject = new CompareResult() { Base = new FileSystemObject("TestPath2") { IsDirectory = false, Size = 701 } }; var stringEquals = new AsaRule("String Equals Rule") { Target = "FileSystemObject", Flag = ANALYSIS_RESULT_TYPE.FATAL, Clauses = new List <Clause>() { new Clause("Path", OPERATION.EQ) { Data = new List <string>() { "TestPath" } } } }; var boolEquals = new AsaRule("Bool Equals Rule") { Target = "FileSystemObject", Flag = ANALYSIS_RESULT_TYPE.FATAL, Clauses = new List <Clause>() { new Clause("IsDirectory", OPERATION.EQ) { Data = new List <string>() { "True" } } } }; var intEquals = new AsaRule("Int Equals Rule") { Target = "FileSystemObject", Flag = ANALYSIS_RESULT_TYPE.FATAL, Clauses = new List <Clause>() { new Clause("Size", OPERATION.EQ) { Data = new List <string>() { "700" } } } }; var analyzer = new AsaAnalyzer(); var ruleList = new List <Rule>() { boolEquals, intEquals, stringEquals }; var trueObjectResults = analyzer.Analyze(ruleList, assertTrueObject); var falseObjectResults = analyzer.Analyze(ruleList, assertFalseObject); Assert.IsTrue(trueObjectResults.Any(x => x.Name == "Bool Equals Rule")); Assert.IsTrue(trueObjectResults.Any(x => x.Name == "Int Equals Rule")); Assert.IsTrue(trueObjectResults.Any(x => x.Name == "String Equals Rule")); Assert.IsFalse(falseObjectResults.Any(x => x.Name == "Bool Equals Rule")); Assert.IsFalse(falseObjectResults.Any(x => x.Name == "Int Equals Rule")); Assert.IsFalse(falseObjectResults.Any(x => x.Name == "String Equals Rule")); }
public void VerifyGtOperator() { var trueGtObject = new CompareResult() { Base = new OpenPortObject(1025, TRANSPORT.TCP, ADDRESS_FAMILY.InterNetwork) }; var falseGtObject = new CompareResult() { Base = new OpenPortObject(1023, TRANSPORT.TCP, ADDRESS_FAMILY.InterNetwork) }; var gtRule = new AsaRule("Gt Rule") { Target = "OpenPortObject", Flag = ANALYSIS_RESULT_TYPE.FATAL, Clauses = new List <Clause>() { new Clause("Port", OPERATION.GT) { Data = new List <string>() { "1024" } } } }; var badGtRule = new AsaRule("Bad Gt Rule") { Target = "OpenPortObject", Flag = ANALYSIS_RESULT_TYPE.FATAL, Clauses = new List <Clause>() { new Clause("Port", OPERATION.GT) { Data = new List <string>() { "CONTOSO" } } } }; var gtAnalyzer = new AsaAnalyzer(); var ruleList = new List <Rule>() { gtRule };; Assert.IsTrue(gtAnalyzer.Analyze(ruleList, trueGtObject).Any()); Assert.IsFalse(gtAnalyzer.Analyze(ruleList, falseGtObject).Any()); var badGtAnalyzer = new AsaAnalyzer(); ruleList = new List <Rule>() { badGtRule };; Assert.IsFalse(badGtAnalyzer.Analyze(ruleList, trueGtObject).Any()); Assert.IsFalse(badGtAnalyzer.Analyze(ruleList, falseGtObject).Any()); }
public void VerifyValidRuleDetection() { var validRule = new AsaRule("Regular Rule") { Expression = "0 AND 1", Target = "FileSystemObject", Flag = ANALYSIS_RESULT_TYPE.FATAL, Clauses = new List <Clause>() { new Clause("Path", OPERATION.EQ) { Label = "0", Data = new List <string>() { "TestPath2" } }, new Clause("IsExecutable", OPERATION.EQ) { Label = "1", Data = new List <string>() { "True" } } } }; var analyzer = new AsaAnalyzer(); Assert.IsTrue(analyzer.IsRuleValid(validRule)); validRule = new AsaRule("Extraneous Parenthesis") { Expression = "(0 AND 1)", Target = "FileSystemObject", Flag = ANALYSIS_RESULT_TYPE.FATAL, Clauses = new List <Clause>() { new Clause("Path", OPERATION.EQ) { Label = "0", Data = new List <string>() { "TestPath2" } }, new Clause("IsExecutable", OPERATION.EQ) { Label = "1", Data = new List <string>() { "True" } } } }; Assert.IsTrue(analyzer.IsRuleValid(validRule)); validRule = new AsaRule("Deeply Nested Expression") { Expression = "(0 AND 1) OR (2 XOR (3 AND (4 NAND 5)) OR 6)", Target = "FileSystemObject", Flag = ANALYSIS_RESULT_TYPE.FATAL, Clauses = new List <Clause>() { new Clause("Path", OPERATION.EQ) { Label = "0", Data = new List <string>() { "TestPath2" } }, new Clause("IsExecutable", OPERATION.EQ) { Label = "1", Data = new List <string>() { "True" } }, new Clause("IsExecutable", OPERATION.IS_NULL) { Label = "2" }, new Clause("IsExecutable", OPERATION.IS_NULL) { Label = "3" }, new Clause("IsExecutable", OPERATION.IS_NULL) { Label = "4" }, new Clause("IsExecutable", OPERATION.IS_NULL) { Label = "5" }, new Clause("IsExecutable", OPERATION.IS_NULL) { Label = "6" } } }; Assert.IsTrue(analyzer.IsRuleValid(validRule)); validRule = new AsaRule("StringsForClauseLabels") { Expression = "FOO AND BAR OR BA$_*", Target = "FileSystemObject", Flag = ANALYSIS_RESULT_TYPE.FATAL, Clauses = new List <Clause>() { new Clause("IsExecutable", OPERATION.IS_NULL) { Label = "FOO" }, new Clause("IsExecutable", OPERATION.IS_NULL) { Label = "BAR" }, new Clause("IsExecutable", OPERATION.IS_NULL) { Label = "BA$_*" } } }; Assert.IsTrue(analyzer.IsRuleValid(validRule)); }
public void VerifyIsBeforeOperator() { var trueIsBeforeObject = new CompareResult() { Base = new FileSystemObject("App.exe") { SignatureStatus = new Signature(true) { SigningCertificate = new SerializableCertificate(Thumbprint: string.Empty, Subject: string.Empty, PublicKey: string.Empty, NotAfter: DateTime.Now, NotBefore: DateTime.Now, Issuer: string.Empty, SerialNumber: string.Empty, CertHashString: string.Empty, Pkcs7: string.Empty) } } }; var falseIsBeforeObject = new CompareResult() { Base = new FileSystemObject("App.exe") { SignatureStatus = new Signature(true) { SigningCertificate = new SerializableCertificate(Thumbprint: string.Empty, Subject: string.Empty, PublicKey: string.Empty, NotAfter: DateTime.Now.AddYears(1), NotBefore: DateTime.Now, Issuer: string.Empty, SerialNumber: string.Empty, CertHashString: string.Empty, Pkcs7: string.Empty) } } }; var isBeforeRule = new AsaRule("Is Before Rule") { Target = "FileSystemObject", Flag = ANALYSIS_RESULT_TYPE.FATAL, Clauses = new List <Clause>() { new Clause("SignatureStatus.SigningCertificate.NotAfter", OPERATION.IS_BEFORE) { Data = new List <string>() { DateTime.Now.AddDays(1).ToString() } } } }; var isBeforeAnalyzer = new AsaAnalyzer(); var ruleList = new List <Rule>() { isBeforeRule };; Assert.IsTrue(isBeforeAnalyzer.Analyze(ruleList, trueIsBeforeObject).Any()); Assert.IsFalse(isBeforeAnalyzer.Analyze(ruleList, falseIsBeforeObject).Any()); var isBeforeShortRule = new AsaRule("Is Before Short Rule") { Target = "FileSystemObject", Flag = ANALYSIS_RESULT_TYPE.FATAL, Clauses = new List <Clause>() { new Clause("SignatureStatus.SigningCertificate.NotAfter", OPERATION.IS_BEFORE) { Data = new List <string>() { DateTime.Now.AddDays(1).ToShortDateString() } } } }; var isBeforeShortAnalyzer = new AsaAnalyzer(); ruleList = new List <Rule>() { isBeforeShortRule };; Assert.IsTrue(isBeforeShortAnalyzer.Analyze(ruleList, trueIsBeforeObject).Any()); Assert.IsFalse(isBeforeShortAnalyzer.Analyze(ruleList, falseIsBeforeObject).Any()); }
public void VerifyInvalidRuleDetection() { var invalidRule = new AsaRule("Unbalanced Parentheses") { Expression = "( 0 AND 1", Target = "FileSystemObject", Flag = ANALYSIS_RESULT_TYPE.FATAL, Clauses = new List <Clause>() { new Clause("Path", OPERATION.EQ) { Label = "0", Data = new List <string>() { "TestPath2" } }, new Clause("IsExecutable", OPERATION.EQ) { Label = "1", Data = new List <string>() { "True" } } } }; var analyzer = new AsaAnalyzer(); Assert.IsFalse(analyzer.IsRuleValid(invalidRule)); invalidRule = new AsaRule("ClauseInParenthesesLabel") { Expression = "WITH(PARENTHESIS)", Target = "FileSystemObject", Flag = ANALYSIS_RESULT_TYPE.FATAL, Clauses = new List <Clause>() { new Clause("Path", OPERATION.IS_NULL) { Label = "WITH(PARENTHESIS)" } } }; Assert.IsFalse(analyzer.IsRuleValid(invalidRule)); invalidRule = new AsaRule("CharactersBetweenParentheses") { Expression = "(W(I", Target = "FileSystemObject", Flag = ANALYSIS_RESULT_TYPE.FATAL, Clauses = new List <Clause>() { new Clause("Path", OPERATION.IS_NULL) { Label = "W(I" } } }; Assert.IsFalse(analyzer.IsRuleValid(invalidRule)); invalidRule = new AsaRule("CharactersBeforeOpenParentheses") { Expression = "W(I", Target = "FileSystemObject", Flag = ANALYSIS_RESULT_TYPE.FATAL, Clauses = new List <Clause>() { new Clause("Path", OPERATION.IS_NULL) { Label = "W(I" } } }; Assert.IsFalse(analyzer.IsRuleValid(invalidRule)); invalidRule = new AsaRule("CharactersBetweenClosedParentheses") { Expression = "(0 AND W)I)", Target = "FileSystemObject", Flag = ANALYSIS_RESULT_TYPE.FATAL, Clauses = new List <Clause>() { new Clause("Path", OPERATION.IS_NULL) { Label = "W)I" }, new Clause("Path", OPERATION.IS_NULL) { Label = "0" } } }; Assert.IsFalse(analyzer.IsRuleValid(invalidRule)); invalidRule = new AsaRule("CharactersAfterClosedParentheses") { Expression = "0 AND W)I", Target = "FileSystemObject", Flag = ANALYSIS_RESULT_TYPE.FATAL, Clauses = new List <Clause>() { new Clause("Path", OPERATION.IS_NULL) { Label = "W)I" }, new Clause("Path", OPERATION.IS_NULL) { Label = "0" } } }; Assert.IsFalse(analyzer.IsRuleValid(invalidRule)); invalidRule = new AsaRule("MultipleConsecutiveNots") { Expression = "0 AND NOT NOT 1", Target = "FileSystemObject", Flag = ANALYSIS_RESULT_TYPE.FATAL, Clauses = new List <Clause>() { new Clause("Path", OPERATION.IS_NULL) { Label = "1" }, new Clause("Path", OPERATION.IS_NULL) { Label = "0" } } }; Assert.IsFalse(analyzer.IsRuleValid(invalidRule)); invalidRule = new AsaRule("CloseParenthesesWithNot") { Expression = "(0 AND NOT) 1", Target = "FileSystemObject", Flag = ANALYSIS_RESULT_TYPE.FATAL, Clauses = new List <Clause>() { new Clause("Path", OPERATION.IS_NULL) { Label = "1" }, new Clause("Path", OPERATION.IS_NULL) { Label = "0" } } }; Assert.IsFalse(analyzer.IsRuleValid(invalidRule)); invalidRule = new AsaRule("WhiteSpaceLabel") { Expression = "0 AND ", Target = "FileSystemObject", Flag = ANALYSIS_RESULT_TYPE.FATAL, Clauses = new List <Clause>() { new Clause("Path", OPERATION.IS_NULL) { Label = "0" } } }; Assert.IsFalse(analyzer.IsRuleValid(invalidRule)); invalidRule = new AsaRule("InvalidOperator") { Expression = "0 XAND 1", Target = "FileSystemObject", Flag = ANALYSIS_RESULT_TYPE.FATAL, Clauses = new List <Clause>() { new Clause("Path", OPERATION.IS_NULL) { Label = "1" }, new Clause("Path", OPERATION.IS_NULL) { Label = "0" } } }; Assert.IsFalse(analyzer.IsRuleValid(invalidRule)); invalidRule = new AsaRule("InvalidNotOperator") { Expression = "0 NOT AND 1", Target = "FileSystemObject", Flag = ANALYSIS_RESULT_TYPE.FATAL, Clauses = new List <Clause>() { new Clause("Path", OPERATION.IS_NULL) { Label = "1" }, new Clause("Path", OPERATION.IS_NULL) { Label = "0" } } }; Assert.IsFalse(analyzer.IsRuleValid(invalidRule)); invalidRule = new AsaRule("EndsWithOperator") { Expression = "0 AND", Target = "FileSystemObject", Flag = ANALYSIS_RESULT_TYPE.FATAL, Clauses = new List <Clause>() { new Clause("Path", OPERATION.IS_NULL) { Label = "0" } } }; Assert.IsFalse(analyzer.IsRuleValid(invalidRule)); invalidRule = new AsaRule("UnusedLabel") { Expression = "0", Target = "FileSystemObject", Flag = ANALYSIS_RESULT_TYPE.FATAL, Clauses = new List <Clause>() { new Clause("Path", OPERATION.IS_NULL) { Label = "1" }, new Clause("Path", OPERATION.IS_NULL) { Label = "0" } } }; Assert.IsFalse(analyzer.IsRuleValid(invalidRule)); invalidRule = new AsaRule("MissingLabel") { Target = "FileSystemObject", Flag = ANALYSIS_RESULT_TYPE.FATAL, Clauses = new List <Clause>() { new Clause("Path", OPERATION.IS_NULL) { Label = "0" }, new Clause("Path", OPERATION.IS_NULL) } }; Assert.IsFalse(analyzer.IsRuleValid(invalidRule)); invalidRule = new AsaRule("ExpressionRequiresLabels") { Expression = "0 AND 1", Target = "FileSystemObject", Flag = ANALYSIS_RESULT_TYPE.FATAL, Clauses = new List <Clause>() { new Clause("Path", OPERATION.IS_NULL), new Clause("Path", OPERATION.IS_NULL) } }; Assert.IsFalse(analyzer.IsRuleValid(invalidRule)); invalidRule = new AsaRule("OutOfOrder") { Expression = "0 1 AND", Target = "FileSystemObject", Flag = ANALYSIS_RESULT_TYPE.FATAL, Clauses = new List <Clause>() { new Clause("Path", OPERATION.EQ) { Label = "0", Data = new List <string>() { "TestPath2" } }, new Clause("IsExecutable", OPERATION.IS_TRUE) { Label = "1" } } }; Assert.IsFalse(analyzer.IsRuleValid(invalidRule)); invalidRule = new AsaRule("StartWithOperator") { Expression = "OR 0 1", Target = "FileSystemObject", Flag = ANALYSIS_RESULT_TYPE.FATAL, Clauses = new List <Clause>() { new Clause("Path", OPERATION.EQ) { Label = "0", Data = new List <string>() { "TestPath2" } }, new Clause("IsExecutable", OPERATION.EQ) { Label = "1", Data = new List <string>() { "True" } } } }; Assert.IsFalse(analyzer.IsRuleValid(invalidRule)); invalidRule = new AsaRule("Case Sensitivity") { Expression = "Variable", Target = "FileSystemObject", Flag = ANALYSIS_RESULT_TYPE.FATAL, Clauses = new List <Clause>() { new Clause("Path", OPERATION.IS_NULL) { Label = "VARIABLE" } } }; Assert.IsFalse(analyzer.IsRuleValid(invalidRule)); invalidRule = new AsaRule("OPERATION.Custom without CustomOperation") { Target = "FileSystemObject", Flag = ANALYSIS_RESULT_TYPE.FATAL, Clauses = new List <Clause>() { new Clause("Path", OPERATION.CUSTOM) { Label = "VARIABLE" } } }; Assert.IsFalse(analyzer.IsRuleValid(invalidRule)); }