from common import RostTestClass
from pychrysalide.analysis.contents import MemoryContent
class TestRostFunctions(RostTestClass):
    """Exercise the core keywords and bundled modules of ROST rules."""

    # Core
    # ====

    def testDatasize(self):
        """Check that 'datasize' reflects the length of the scanned content."""

        # Four known bytes: the rules expect a size of 4, and the uint16()
        # reads at both ends expect little-endian values
        # (01 02 -> 0x201, 03 04 -> 0x0403).
        content = MemoryContent(b'\x01\x02\x03\x04')

        template = '''
rule test {
condition:
%s
}
'''

        conditions = (
            'datasize == 4',
            'uint16(0) == 0x201 and uint16(datasize - 2) == 0x0403',
        )

        for condition in conditions:
            self.check_rule_success(template % condition, content)

    # Modules
    # =======

    def testConsole(self):
        """Check that a bare console.log() call evaluates as true."""

        # No content is passed: the condition is only the logging call.
        self.check_rule_success('''
rule test {
condition:
console.log()
}
''')

    def testMagic(self):
        """Query the Magic module about a small plain-text buffer."""

        content = MemoryContent(b'aaaa')

        template = '''
rule test {
condition:
magic.%s() == "%s"
}
'''

        # (module function, expected string) pairs.
        # NOTE(review): the expected strings look like libmagic output and
        # may vary with the installed magic database - confirm.
        expectations = (
            ('type', 'ASCII text, with no line terminators'),
            ('mime_encoding', 'us-ascii'),
            ('mime_type', 'text/plain'),
        )

        for getter, description in expectations:
            self.check_rule_success(template % (getter, description), content)

    def testTime(self):
        """Check the timestamp builder and the current-time getter."""

        # Cf. https://www.epochconverter.com/
        # 0x64cec869 is 1691273321, the Unix timestamp of
        # 2023-08-05 22:08:41 UTC, so this rule only matches if time.make()
        # reads its fields as UTC.
        fixed_date_rule = '''
rule test {
condition:
time.make(2023, 8, 5, 22, 8, 41) == 0x64cec869
}
'''

        self.check_rule_success(fixed_date_rule)

        # The lower bound is a fixed past timestamp (11 seconds after the
        # one above). The second clause compares two separate time.now()
        # calls - presumably evaluated left to right; verify.
        current_time_rule = '''
rule test {
condition:
time.now() >= 0x64cec874 and time.now() <= time.now()
}
'''

        self.check_rule_success(current_time_rule)