From be30984366d537aa1cb98956c1c204928d0d628e Mon Sep 17 00:00:00 2001 From: danisan Date: Thu, 23 Dec 2021 11:59:05 -0300 Subject: [PATCH 1/5] Add: Add new analysisd test test_predecoder_stage --- .../data/syslog_socket_input.yaml | 71 +++++++++++ .../test_predecoder_stage.py | 112 ++++++++++++++++++ 2 files changed, 183 insertions(+) create mode 100644 tests/integration/test_analysisd/test_predecoder_stage/data/syslog_socket_input.yaml create mode 100644 tests/integration/test_analysisd/test_predecoder_stage/test_predecoder_stage.py
diff --git a/tests/integration/test_analysisd/test_predecoder_stage/data/syslog_socket_input.yaml b/tests/integration/test_analysisd/test_predecoder_stage/data/syslog_socket_input.yaml
new file mode 100644
index 0000000000..b517510b32
--- /dev/null
+++ b/tests/integration/test_analysisd/test_predecoder_stage/data/syslog_socket_input.yaml
@@ -0,0 +1,71 @@
+---
+-
+ name: "Syslog date format 1"
+ description: "Check valid input"
+ test_case:
+ -
+ input: '{"version": 1, "origin": {"name": "wazuh-logtest", "module": "wazuh-logtest"}, "command": "log_processing", "parameters": {"location":"master->/var/log/syslog", "log_format": "syslog", "event": "Dec 29 10:00:01 linux-agent sshd[29205]: Invalid user blimey from 18.18.18.18 port 48928", "token": "21218e6b"}}'
+ output: '{"program_name":"sshd","timestamp":"Dec 29 10:00:01","hostname":"linux-agent"}'
+-
+ name: "Syslog date format 2"
+ description: "Check valid input"
+ test_case:
+ -
+ input: '{"version": 1, "origin": {"name": "wazuh-logtest", "module": "wazuh-logtest"}, "command": "log_processing", "parameters": {"location":"master->/var/log/syslog", "log_format": "syslog", "event": "2015 Dec 29 10:00:01 linux-agent sshd[29205]: Invalid user blimey from 18.18.18.18 port 48928", "token": "21218e6b"}}'
+ output: '{"program_name":"sshd","timestamp":"2015 Dec 29 10:00:01"}'
+-
+ name: "Syslog date format for rsyslog"
+ description: "Check valid input"
+ test_case:
+ -
+ input: '{"version": 1, "origin": {"name": "wazuh-logtest", "module": "wazuh-logtest"}, "command": "log_processing", "parameters": {"location":"master->/var/log/syslog", "log_format": "syslog", "event": "2009-05-22T09:36:46.214994-07:00 linux-agent sshd[29205]: Invalid user blimey from 18.18.18.18 port 48928", "token": "21218e6b"}}'
+ output: '{"program_name":"sshd","timestamp":"2009-05-22T09:36:46.214994-07:00"}'
+-
+ name: "Syslog date format for proftpd 1.3.5"
+ description: "Check valid input"
+ test_case:
+ -
+ input: '{"version": 1, "origin": {"name": "wazuh-logtest", "module": "wazuh-logtest"}, "command": "log_processing", "parameters": {"location":"master->/var/log/syslog", "log_format": "syslog", "event": "2015-04-16 21:51:02,805 linux-agent sshd[29205]: Invalid user blimey from 18.18.18.18 port 48928", "token": "21218e6b"}}'
+ output: 
'{"program_name":"sshd","timestamp":"2015-04-16 21:51:02,80"}'
+-
+ name: "Syslog date format for xferlog date format"
+ description: "Check valid input"
+ test_case:
+ -
+ input: '{"version": 1, "origin": {"name": "wazuh-logtest", "module": "wazuh-logtest"}, "command": "log_processing", "parameters": {"location":"master->/var/log/syslog", "log_format": "syslog", "event": "Mon Apr 17 18:27:14 2006 1 64.160.42.130 linux-agent sshd[29205]: Invalid user blimey from 18.18.18.18 port 48928", "token": "21218e6b"}}'
+ output: '{"timestamp":"Mon Apr 17 18:27:14 2006"}'
+-
+ name: "Syslog date format for snort date format"
+ description: "Check valid input"
+ test_case:
+ -
+ input: '{"version": 1, "origin": {"name": "wazuh-logtest", "module": "wazuh-logtest"}, "command": "log_processing", "parameters": {"location":"master->/var/log/syslog", "log_format": "syslog", "event": "01/28-09:13:16.240702 linux-agent sshd[29205]: Invalid user blimey from 18.18.18.18 port 48928", "token": "21218e6b"}}'
+ output: '{"timestamp":"01/28-09:13:16.240702"}'
+-
+ name: "Syslog date format for suricata date format"
+ description: "Check valid input"
+ test_case:
+ -
+ input: '{"version": 1, "origin": {"name": "wazuh-logtest", "module": "wazuh-logtest"}, "command": "log_processing", "parameters": {"location":"master->/var/log/syslog", "log_format": "syslog", "event": "01/28/1979-09:13:16.240702 linux-agent sshd[29205]: Invalid user blimey from 18.18.18.18 port 48928", "token": "21218e6b"}}'
+ output: '{"timestamp":"01/28/1979-09:13:16.240702"}'
+-
+ name: "Syslog date format for apache log format"
+ description: "Check valid input"
+ test_case:
+ -
+ input: '{"version": 1, "origin": {"name": "wazuh-logtest", "module": "wazuh-logtest"}, "command": "log_processing", "parameters": {"location":"master->/var/log/syslog", "log_format": "syslog", "event": "[Fri Feb 11 18:06:35 2004] [warn] linux-agent sshd[29205]: Invalid user blimey from 18.18.18.18 port 48928", "token": "21218e6b"}}'
+ output: 
'{"timestamp":"Fri Feb 11 18:06:35 2004"}'
+-
+ name: "Syslog date format for macos ULS --syslog output"
+ description: "Check valid input"
+ test_case:
+ -
+ input: '{"version": 1, "origin": {"name": "wazuh-logtest", "module": "wazuh-logtest"}, "command": "log_processing", "parameters": {"location":"master->/var/log/syslog", "log_format": "syslog", "event": "2021-04-21 10:16:09.404756-0700 linux-agent sshd[29205]: Invalid user blimey from 18.18.18.18 port 48928", "token": "21218e6b"}}'
+ output: '{"program_name":"sshd","timestamp":"2021-04-21 10:16:09.404756-0700"}'
+-
+ name: "Syslog Umlaut date format"
+ description: "Check valid input"
+ test_case:
+ -
+ input: '{"version": 1, "origin": {"name": "wazuh-logtest", "module": "wazuh-logtest"}, "command": "log_processing", "parameters": {"location":"master->/var/log/syslog", "log_format": "syslog", "event": "Mär 02 17:30:52 linux-agent sshd[29205]: Invalid user blimey from 18.18.18.18 port 48928", "token": "21218e6b"}}'
+ output: '{"program_name":"sshd","timestamp":"Mär 02 17:30:5"}'
\ No newline at end of file
diff --git a/tests/integration/test_analysisd/test_predecoder_stage/test_predecoder_stage.py b/tests/integration/test_analysisd/test_predecoder_stage/test_predecoder_stage.py
new file mode 100644
index 0000000000..1f4b9d0245
--- /dev/null
+++ b/tests/integration/test_analysisd/test_predecoder_stage/test_predecoder_stage.py
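Review bot: Two expected outputs pin timestamps that are one character shorter than the timestamp in the event they are cut from: the proftpd case expects `"2015-04-16 21:51:02,80"` for an event carrying `21:51:02,805`, and the Umlaut case expects `"Mär 02 17:30:5"` for `17:30:52`. The Umlaut truncation is consistent with the predecoder counting bytes rather than characters once a multibyte `ä` is present; the proftpd one has no multibyte character, so it may be a separate off-by-one in that format's handling — both are inferred from the fixture, not confirmed here. As written the test will enshrine whatever the daemon returns today and start failing the moment the parser is corrected. If these are intentional known-issue baselines, say so in the data file with a comment above each of the two cases, e.g. `# NOTE: expected timestamp is truncated by one character; documents current predecoder behaviour, tracked separately`, so a maintainer does not "fix" the fixture in the wrong direction.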
@@ -0,0 +1,112 @@
+'''
+copyright: Copyright (C) 2015-2021, Wazuh Inc.
+
+ Created by Wazuh, Inc. .
+
+ This program is free software; you can redistribute it and/or modify it under the terms of GPLv2
+
+type: integration
+
+brief: The 'wazuh-analysisd' daemon receives the log messages and compares them to the rules.
+ It then creates an alert when a log message matches an applicable rule.
+ Specifically, these tests will verify if the pre-decoding stage of 'wazuh-analysisd' daemon correctly handles
+ syslog formats.
+
+tier: 2
+
+modules:
+ - analysisd
+
+components:
+ - manager
+
+daemons:
+ - wazuh-analysisd
+
+os_platform:
+ - linux
+
+os_version:
+ - Arch Linux
+ - Amazon Linux 2
+ - Amazon Linux 1
+ - CentOS 8
+ - CentOS 7
+ - CentOS 6
+ - Ubuntu Focal
+ - Ubuntu Bionic
+ - Ubuntu Xenial
+ - Ubuntu Trusty
+ - Debian Buster
+ - Debian Stretch
+ - Debian Jessie
+ - Debian Wheezy
+ - Red Hat 8
+ - Red Hat 7
+ - Red Hat 6
+
+references:
+ - https://documentation.wazuh.com/current/user-manual/reference/daemons/wazuh-analysisd.html
+
+'''
+
+import os
+
+import pytest
+import yaml
+import json
+from wazuh_testing.tools import WAZUH_PATH
+
+# Marks
+pytestmark = [pytest.mark.linux, pytest.mark.tier(level=2), pytest.mark.server]
+
+# Configurations
+
+test_data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'data')
+messages_path = os.path.join(test_data_path, 'syslog_socket_input.yaml')
+with open(messages_path) as f:
+ test_cases = yaml.safe_load(f)
+
+# Variables
+
+logtest_path = os.path.join(os.path.join(WAZUH_PATH, 'queue', 'sockets', 'logtest'))
+receiver_sockets_params = [(logtest_path, 'AF_UNIX', 'TCP')]
+receiver_sockets = None # Set in the fixtures
+
+
+# Tests
+
+@pytest.mark.parametrize('test_case',
+ [test_case['test_case'] for test_case in test_cases],
+ ids=[test_case['name'] for test_case in test_cases])
+def test_precoder_supported_formats(connect_to_sockets_function, test_case: list):
+ '''
+ description:
+
+ wazuh_min_version:
+ 
+ parameters:
+ - connect_to_sockets_function:
+ type: fixture
+ brief: Function scope version of 'connect_to_sockets' which connects to the specified sockets for the test.
+ - test_case:
+ type: list
+ brief: List of tests to be performed.
+
+ assertions:
+ - Verify that the output logs are consistent with the predecoder received.
+
+ input_description: Different test cases that are contained in an external YAML file (syslog_socket_input.yaml)
+ that includes syslog events data and the expected precoder output.
+
+ expected_output:
+ - Multiple messages (event logs) corresponding to each test case,
+ located in the external input data file.
+ '''
+ stage = test_case[0]
+
+ receiver_sockets[0].send(stage['input'], size=True)
+
+ result = json.loads(receiver_sockets[0].receive(size=True).rstrip(b'\x00').decode())
+
+ assert json.loads(stage['output']) == result["data"]["output"]["predecoder"],'Failed test case stage {}: the receved precoded is: {} but was expected to be {}'.format(test_case.index(stage) + 1, result["data"]["output"]["predecoder"], stage['output'])
\ No newline at end of file
From 7c60329b4e0556a43c775fe552ed69e82aa7300d Mon Sep 17 00:00:00 2001 From: danisan Date: Fri, 24 Dec 2021 12:38:14 -0300 Subject: [PATCH 2/5] Fix: Suggested changes applied --- .../data/syslog_socket_input.yaml | 2 +- .../test_predecoder_stage.py | 15 ++++++++------- 2 files changed, 9 insertions(+), 8 deletions(-)
diff --git a/tests/integration/test_analysisd/test_predecoder_stage/data/syslog_socket_input.yaml b/tests/integration/test_analysisd/test_predecoder_stage/data/syslog_socket_input.yaml
index b517510b32..761b859149 100644
--- a/tests/integration/test_analysisd/test_predecoder_stage/data/syslog_socket_input.yaml
+++ b/tests/integration/test_analysisd/test_predecoder_stage/data/syslog_socket_input.yaml
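Review bot: `test_precoder_supported_formats` only ever exercises `test_case[0]`, so any further stage in a YAML entry is silently skipped and the `test_case.index(stage) + 1` in the failure message is always 1; iterate instead, `for index, stage in enumerate(test_case, start=1):` with the send, receive and assert in the loop body, or drop the list wrapper from the fixture if one stage per case is the intent. The assertion also indexes `result["data"]["output"]["predecoder"]` before looking at the reply status, so an error reply from logtest (a rejected token or a malformed request, say) shows up as a KeyError rather than a readable failure — a guard such as `assert result.get('error') == 0, result` before the comparison would make that explicit, though the exact status key of the logtest reply should be confirmed against the protocol. The message text has typos, `receved precoded` should read `received predecoder`, and the nested `os.path.join(os.path.join(...))` on the `logtest_path` line can be a single call. Loading the fixture with `yaml.safe_load` is the right choice.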
@@ -68,4 +68,4 @@ test_case: - input: '{"version": 1, "origin": {"name": "wazuh-logtest", "module": "wazuh-logtest"}, "command": "log_processing", "parameters": {"location":"master->/var/log/syslog", "log_format": "syslog", "event": "Mär 02 17:30:52 linux-agent sshd[29205]: Invalid user blimey from 18.18.18.18 port 48928", "token": "21218e6b"}}' - output: '{"program_name":"sshd","timestamp":"Mär 02 17:30:5"}' \ No newline at end of file + output: '{"program_name":"sshd","timestamp":"Mär 02 17:30:5"}' diff --git a/tests/integration/test_analysisd/test_predecoder_stage/test_predecoder_stage.py b/tests/integration/test_analysisd/test_predecoder_stage/test_predecoder_stage.py index 1f4b9d0245..35473fbf16 100644 --- a/tests/integration/test_analysisd/test_predecoder_stage/test_predecoder_stage.py +++ b/tests/integration/test_analysisd/test_predecoder_stage/test_predecoder_stage.py @@ -81,9 +81,11 @@ ids=[test_case['name'] for test_case in test_cases]) def test_precoder_supported_formats(connect_to_sockets_function, test_case: list): ''' - description: - - wazuh_min_version: + description: Check that the predecoder returns the correct fields when receives different sets of syslog formats. + To do this, it receives syslog format and checks that the predecoder JSON responses + are the same that the loaded ouput for each test case from the 'syslog_socket_input.yaml' file. + + wazuh_min_version: 4.3.0 parameters: - connect_to_sockets_function: 
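Review bot: The new description in the `@@ -81,9 +81,11 @@` hunk still reads awkwardly: `when receives different sets of syslog formats` has no subject, `ouput` is misspelled, and `are the same that the loaded ouput` is not idiomatic. Suggested wording: `description: Check that the predecoder returns the correct fields when it receives events in different syslog formats. To do this, the test sends each event to the logtest socket and checks that the predecoder JSON response matches the expected output loaded for that case from 'syslog_socket_input.yaml'.` The body of `test_precoder_supported_formats` continues outside this hunk.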
@@ -94,14 +96,13 @@ def test_precoder_supported_formats(connect_to_sockets_function, test_case: list
brief: List of tests to be performed.
assertions:
- - Verify that the output logs are consistent with the predecoder received.
+ - Checks that the predecoder gives the expected output.
input_description: Different test cases that are contained in an external YAML file (syslog_socket_input.yaml)
that includes syslog events data and the expected precoder output.
expected_output:
- - Multiple messages (event logs) corresponding to each test case,
- located in the external input data file.
+ - Precoder JSON with the correct fields (timestamp, program name, etc) corresponding to each test case.
'''
stage = test_case[0]
@@ -109,4 +110,4 @@ def test_precoder_supported_formats(connect_to_sockets_function, test_case: list
result = json.loads(receiver_sockets[0].receive(size=True).rstrip(b'\x00').decode())
- assert json.loads(stage['output']) == result["data"]["output"]["predecoder"],'Failed test case stage {}: the receved precoded is: {} but was expected to be {}'.format(test_case.index(stage) + 1, result["data"]["output"]["predecoder"], stage['output'])
\ No newline at end of file
+ assert json.loads(stage['output']) == result["data"]["output"]["predecoder"],'Failed test case stage {}: the receved precoded is: {} but was expected to be {}'.format(test_case.index(stage) + 1, result["data"]["output"]["predecoder"], stage['output'])
From 7ec0e206378103cdd47e6ec2cdf85976e7c42f14 Mon Sep 17 00:00:00 2001 From: danisan Date: Mon, 17 Jan 2022 16:51:24 -0300 Subject: [PATCH 3/5] style: Style format changed following the PEP8 guidelines --- .../test_predecoder_stage/test_predecoder_stage.py | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/tests/integration/test_analysisd/test_predecoder_stage/test_predecoder_stage.py b/tests/integration/test_analysisd/test_predecoder_stage/test_predecoder_stage.py
index 35473fbf16..756c718664 100644
--- a/tests/integration/test_analysisd/test_predecoder_stage/test_predecoder_stage.py
+++ b/tests/integration/test_analysisd/test_predecoder_stage/test_predecoder_stage.py
@@ -84,7 +84,7 @@ def test_precoder_supported_formats(connect_to_sockets_function, test_case: list
description: Check that the predecoder returns the correct fields when receives different sets of syslog formats.
To do this, it receives syslog format and checks that the predecoder JSON responses
are the same that the loaded ouput for each test case from the 'syslog_socket_input.yaml' file.
-
+
wazuh_min_version: 4.3.0
parameters:
@@ -110,4 +110,6 @@ def test_precoder_supported_formats(connect_to_sockets_function, test_case: list
result = json.loads(receiver_sockets[0].receive(size=True).rstrip(b'\x00').decode())
- assert json.loads(stage['output']) == result["data"]["output"]["predecoder"],'Failed test case stage {}: the receved precoded is: {} but was expected to be {}'.format(test_case.index(stage) + 1, result["data"]["output"]["predecoder"], stage['output'])
+ assert json.loads(stage['output']) == result["data"]["output"]["predecoder"], \
+ 'Failed test case stage {}: the receved precoded is: {} but was expected to be {}' \
+ .format(test_case.index(stage) + 1, result["data"]["output"]["predecoder"], stage['output'])
From ff15b5529e2cef72e574cb324d56d6c0746718b5 Mon Sep 17 00:00:00 2001 From: danisan Date: Tue, 18 Jan 2022 08:34:05 -0300 Subject: [PATCH 4/5] doc: Test added to CHANGELOG --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index ff68bdb6d1..0b8331391a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
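Review bot: The re-wrapped assertion in the `@@ -110,4 +110,6 @@` hunk still evaluates `result["data"]["output"]["predecoder"]` twice and keeps the misspelled message `the receved precoded is`; bind the value once and fix the text, e.g. `predecoder = result["data"]["output"]["predecoder"]`, then `assert json.loads(stage['output']) == predecoder, \` and `f"Failed test case stage {test_case.index(stage) + 1}: the received predecoder is {predecoder} but {stage['output']} was expected"`. Because the function assigns `stage = test_case[0]` (outside this hunk), the stage number reported by `test_case.index(stage) + 1` is always 1, so either iterate the stages or drop the index from the message. The enclosing `test_precoder_supported_formats` starts outside the hunk.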
@@ -3,7 +3,7 @@ All notable changes to this project will be documented in this file.
## [v1.0.0]
### Added
-
+- Add a test to check the pre-decoding stage of analysisd [#2406](https://github.com/wazuh/wazuh-qa/pull/2406)
### Changed
- Refactor: FIM `test_synchronization` according to new standard. Phase 1. ([#2358](https://github.com/wazuh/wazuh-qa/pull/2358))
From 58d4b5c82c701cc6a7ec301c4ba319ffb1454ecc Mon Sep 17 00:00:00 2001 From: jmv74211 Date: Tue, 18 Jan 2022 16:06:18 +0100 Subject: [PATCH 5/5] fix: Fix version validation in qa-ctl config generator --- .../wazuh_testing/qa_ctl/configuration/config_generator.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/deps/wazuh_testing/wazuh_testing/qa_ctl/configuration/config_generator.py b/deps/wazuh_testing/wazuh_testing/qa_ctl/configuration/config_generator.py
index d29cd189ef..43ee9ae91f 100644
--- a/deps/wazuh_testing/wazuh_testing/qa_ctl/configuration/config_generator.py
+++ b/deps/wazuh_testing/wazuh_testing/qa_ctl/configuration/config_generator.py
@@ -231,7 +231,7 @@ def _check_validate(check, test_info, allowed_values):
# Validate version requirements
if parse(str(test_info['tests'][0]['wazuh_min_version'])) > parse(str(self.wazuh_version)):
error_message = f"The minimal version of wazuh to launch the {test_info['test_name']} is " \
- f"{test_info['wazuh_min_version']} and you are using {self.wazuh_version}"
+ f"{test_info['tests'][0]['wazuh_min_version']} and you are using {self.wazuh_version}"
raise QAValueError(error_message, QACTLConfigGenerator.LOGGER.error, QACTL_LOGGER)
return True
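Review bot: The corrected message now matches the condition, but both still consult only `test_info['tests'][0]['wazuh_min_version']`; if a module's `tests` list can hold several test functions with different minimum versions (the list shape suggests it can, though that cannot be confirmed from this hunk), a later test that needs a newer Wazuh than the first is accepted by this validator and only fails once it runs. If that is possible, validate against the strictest requirement, e.g. `min_version = max(parse(str(t['wazuh_min_version'])) for t in test_info['tests'])`, and use `min_version` in both the comparison and the message. `_check_validate` starts before and ends after this hunk, so the guarantees on `test_info['tests']` are not visible here.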