/* * Copyright 2013 Eediom Inc. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ package org.araqne.logparser.krsyslog.winstechnet; import static org.junit.Assert.*; import java.util.HashMap; import java.util.Map; import org.junit.Test; public class SniperLogParserTest { @Test public void testNewSkp() { String log = "[SNIPER-0005] [Attack_Name=(30076)UDR_ATTACK_MYSQL_login_success_1269_120323], " + "[Time=2014/12/12 14:33:46], [Hacker=175.126.56.99], [Victim=10.202.215.101], [Protocol=tcp/59939], [Risk=Medium], [Handling=Alarm], [Information=], [SrcPort=3306], [HackType=02401]"; SniperLogParser p = new SniperLogParser(); Map<String, Object> m = p.parse(line(log)); assertEquals("Medium", m.get("risk")); assertEquals("tcp/59939", m.get("protocol")); assertEquals("02401", m.get("hacktype")); assertEquals("10.202.215.101", m.get("victim")); assertEquals("(30076)UDR_ATTACK_MYSQL_login_success_1269_120323", m.get("attack_name")); assertEquals(3306, m.get("src_port")); assertEquals("175.126.56.99", m.get("hacker")); assertEquals("Alarm", m.get("handling")); assertEquals("", m.get("info")); assertEquals("SNIPER-0005", m.get("host_name")); assertEquals("2014/12/12 14:33:46", m.get("time")); } @Test public void testPocSample1() { String log = "<36>[SNIPER-2000] [Attack_Name=(1181)MS WINS Server Registration Spoofing Vuln-2[Req](UDP-137)], " + "[Time=2013/05/14 14:26:27], [Hacker=130.1.11.115], [Victim=130.1.11.255], [Protocol=udp/137], " + "[Risk=High], [Handling=Alarm], [Information=], [SrcPort=137]"; SniperLogParser p = new SniperLogParser(); Map<String, Object> m = p.parse(line(log)); assertEquals("SNIPER-2000", m.get("host_name")); assertEquals("2013/05/14 14:26:27", m.get("time")); assertEquals("(1181)MS WINS Server Registration Spoofing Vuln-2[Req](UDP-137)", m.get("attack_name")); assertEquals("130.1.11.115", m.get("hacker")); assertEquals("130.1.11.255", m.get("victim")); assertEquals("udp/137", m.get("protocol")); assertEquals("High", m.get("risk")); assertEquals("Alarm", m.get("handling")); assertEquals("", m.get("info")); assertEquals(137, m.get("src_port")); } @Test public void testPocSample2() { String log = "<36>[SNIPER-2000] [Attack_Name=(0023)UDP Check Sum Error], [Time=2013/05/14 14:32:05], " + "[Hacker=130.1.254.133], [Victim=130.1.213.10], [Protocol=udp/514], [Risk=Medium], " + "[Handling=Alarm], [Information=], [SrcPort=514]"; SniperLogParser p = new SniperLogParser(); Map<String, Object> m = p.parse(line(log)); assertEquals("SNIPER-2000", m.get("host_name")); assertEquals("(0023)UDP Check Sum Error", m.get("attack_name")); assertEquals("2013/05/14 14:32:05", m.get("time")); assertEquals("130.1.254.133", m.get("hacker")); assertEquals("130.1.213.10", m.get("victim")); assertEquals("udp/514", m.get("protocol")); assertEquals("Medium", m.get("risk")); assertEquals("Alarm", m.get("handling")); assertEquals("", m.get("info")); assertEquals(514, m.get("src_port")); } @Test public void testPocSample3() { String log = "<36>[SNIPER-2000] [Attack_Name=(0183)SNMP Sweep (community string)], " + "[Time=2013/05/14 14:28:03], [Hacker=130.1.1.230], [Victim=130.1.168.231], " + "[Protocol=udp/161], [Risk=High], [Handling=Alarm], [Information=], [SrcPort=44732]"; SniperLogParser p = new SniperLogParser(); Map<String, Object> m = p.parse(line(log)); assertEquals("SNIPER-2000", m.get("host_name")); assertEquals("(0183)SNMP Sweep (community string)", m.get("attack_name")); assertEquals("2013/05/14 14:28:03", m.get("time")); assertEquals("130.1.1.230", m.get("hacker")); assertEquals("130.1.168.231", m.get("victim")); assertEquals("udp/161", m.get("protocol")); assertEquals("High", m.get("risk")); assertEquals("Alarm", m.get("handling")); assertEquals("", m.get("info")); assertEquals(44732, m.get("src_port")); } @Test public void testPocSample4() { String log = "<36>[SNIPER-2000] [Attack_Name=(0240)ARP Reply Poison(havoc)], " + "[Time=2013/05/14 14:32:14], [Hacker=0.0.0.0], [Victim=0.0.0.0], [Protocol=etc/0], " + "[Risk=High], [Handling=Alarm], [Information=], [SrcPort=0]"; SniperLogParser p = new SniperLogParser(); Map<String, Object> m = p.parse(line(log)); assertEquals("SNIPER-2000", m.get("host_name")); assertEquals("(0240)ARP Reply Poison(havoc)", m.get("attack_name")); assertEquals("2013/05/14 14:32:14", m.get("time")); assertEquals("0.0.0.0", m.get("hacker")); assertEquals("0.0.0.0", m.get("victim")); assertEquals("etc/0", m.get("protocol")); assertEquals("High", m.get("risk")); assertEquals("Alarm", m.get("handling")); assertEquals("", m.get("info")); assertEquals(0, m.get("src_port")); } @Test public void testPocSample5() { String log = "<36>[SNIPER-2000] [Attack_Name=(0400)SMB Service connect(tcp-445)], " + "[Time=2013/05/14 14:32:06], [Hacker=140.1.184.80], [Victim=130.1.2.17], " + "[Protocol=tcp/445], [Risk=Medium], [Handling=Alarm], [Information=], [SrcPort=3238]"; SniperLogParser p = new SniperLogParser(); Map<String, Object> m = p.parse(line(log)); assertEquals("SNIPER-2000", m.get("host_name")); assertEquals("(0400)SMB Service connect(tcp-445)", m.get("attack_name")); assertEquals("2013/05/14 14:32:06", m.get("time")); assertEquals("140.1.184.80", m.get("hacker")); assertEquals("130.1.2.17", m.get("victim")); assertEquals("tcp/445", m.get("protocol")); assertEquals("Medium", m.get("risk")); assertEquals("Alarm", m.get("handling")); assertEquals("", m.get("info")); assertEquals(3238, m.get("src_port")); } @Test public void testPocSample6() { String log = "<36>[SNIPER-2000] [Attack_Name=(0062)FTP Login Fail], [Time=2013/05/14 14:32:25], " + "[Hacker=130.1.9.61], [Victim=130.1.1.133], [Protocol=tcp/21], [Risk=Medium], " + "[Handling=Alarm], [Information=userid [], passwd []], [SrcPort=64257]"; SniperLogParser p = new SniperLogParser(); Map<String, Object> m = p.parse(line(log)); assertEquals("SNIPER-2000", m.get("host_name")); assertEquals("(0062)FTP Login Fail", m.get("attack_name")); assertEquals("2013/05/14 14:32:25", m.get("time")); assertEquals("130.1.9.61", m.get("hacker")); assertEquals("130.1.1.133", m.get("victim")); assertEquals("tcp/21", m.get("protocol")); assertEquals("Medium", m.get("risk")); assertEquals("Alarm", m.get("handling")); assertEquals("userid [], passwd []", m.get("info")); assertEquals(64257, m.get("src_port")); } @Test public void testPocSample7() { String log = "<36>[SNIPER-2000] [Attack_Name=(0601)DHCP Discover Flooding], [Time=2013/05/14 14:29:04], " + "[Hacker=0.0.0.0], [Victim=255.255.255.255], [Protocol=udp/67], [Risk=Medium], " + "[Handling=Alarm], [Information=CMAC=00032E0803DB,], [SrcPort=68]"; SniperLogParser p = new SniperLogParser(); Map<String, Object> m = p.parse(line(log)); assertEquals("SNIPER-2000", m.get("host_name")); assertEquals("(0601)DHCP Discover Flooding", m.get("attack_name")); assertEquals("2013/05/14 14:29:04", m.get("time")); assertEquals("0.0.0.0", m.get("hacker")); assertEquals("255.255.255.255", m.get("victim")); assertEquals("udp/67", m.get("protocol")); assertEquals("Medium", m.get("risk")); assertEquals("Alarm", m.get("handling")); assertEquals("CMAC=00032E0803DB,", m.get("info")); assertEquals(68, m.get("src_port")); } @Test public void testPocSample8() { String log = "<36>[SNIPER-2000] [Attack_Name=(0003)FIN Port Scan], [Time=2013/05/14 14:31:59], " + "[Hacker=172.21.9.28], [Victim=130.1.1.84], [Protocol=tcp/63882], [Risk=Medium], " + "[Handling=Alarm], [Information=], [SrcPort=13724]"; SniperLogParser p = new SniperLogParser(); Map<String, Object> m = p.parse(line(log)); assertEquals("SNIPER-2000", m.get("host_name")); assertEquals("(0003)FIN Port Scan", m.get("attack_name")); assertEquals("2013/05/14 14:31:59", m.get("time")); assertEquals("172.21.9.28", m.get("hacker")); assertEquals("130.1.1.84", m.get("victim")); assertEquals("tcp/63882", m.get("protocol")); assertEquals("Medium", m.get("risk")); assertEquals("Alarm", m.get("handling")); assertEquals("", m.get("info")); assertEquals(13724, m.get("src_port")); } @Test public void testPocSample9() { String log = "<36>[SNIPER-2000] [Attack_Name=(0006)UDP Flooding], [Time=2013/05/14 14:32:24], " + "[Hacker=130.1.254.6], [Victim=130.1.2.142], [Protocol=udp/2376], [Risk=High], " + "[Handling=Alarm], [Information=], [SrcPort=161]"; SniperLogParser p = new SniperLogParser(); Map<String, Object> m = p.parse(line(log)); assertEquals("SNIPER-2000", m.get("host_name")); assertEquals("(0006)UDP Flooding", m.get("attack_name")); assertEquals("2013/05/14 14:32:24", m.get("time")); assertEquals("130.1.254.6", m.get("hacker")); assertEquals("130.1.2.142", m.get("victim")); assertEquals("udp/2376", m.get("protocol")); assertEquals("High", m.get("risk")); assertEquals("Alarm", m.get("handling")); assertEquals("", m.get("info")); assertEquals(161, m.get("src_port")); } @Test public void testPocSample10() { String log = "<36>[SNIPER-2000] [Attack_Name=(5450)index.jsp (JSP Request Source Code Disclosure Vulnerability)], " + "[Time=2013/05/14 14:22:10], [Hacker=130.1.211.3], [Victim=130.1.2.86], [Protocol=tcp/80], " + "[Risk=Low], [Handling=Alarm], [Information=GET /sim/index.jsp HTTP/1.1], [SrcPort=37793]"; SniperLogParser p = new SniperLogParser(); Map<String, Object> m = p.parse(line(log)); assertEquals("SNIPER-2000", m.get("host_name")); assertEquals("(5450)index.jsp (JSP Request Source Code Disclosure Vulnerability)", m.get("attack_name")); assertEquals("2013/05/14 14:22:10", m.get("time")); assertEquals("130.1.211.3", m.get("hacker")); assertEquals("130.1.2.86", m.get("victim")); assertEquals("tcp/80", m.get("protocol")); assertEquals("Low", m.get("risk")); assertEquals("Alarm", m.get("handling")); assertEquals("GET /sim/index.jsp HTTP/1.1", m.get("info")); assertEquals(37793, m.get("src_port")); } @Test public void testPocSample11() { String log = "<36>[SNIPER-2000] [Attack_Name=(5028)/cgi-bin/ HTTP (cgi-bin Directory view)], " + "[Time=2013/05/14 14:24:50], [Hacker=130.1.33.77], [Victim=130.1.2.25], " + "[Protocol=tcp/8080], [Risk=Low], [Handling=Alarm], " + "[Information=OPTIONS /cognos10/cgi-bin/ HTTP/1.1], [SrcPort=1311]"; SniperLogParser p = new SniperLogParser(); Map<String, Object> m = p.parse(line(log)); assertEquals("SNIPER-2000", m.get("host_name")); assertEquals("(5028)/cgi-bin/ HTTP (cgi-bin Directory view)", m.get("attack_name")); assertEquals("2013/05/14 14:24:50", m.get("time")); assertEquals("130.1.33.77", m.get("hacker")); assertEquals("130.1.2.25", m.get("victim")); assertEquals("tcp/8080", m.get("protocol")); assertEquals("Low", m.get("risk")); assertEquals("Alarm", m.get("handling")); assertEquals("OPTIONS /cognos10/cgi-bin/ HTTP/1.1", m.get("info")); assertEquals(1311, m.get("src_port")); } private Map<String, Object> line(String log) { Map<String, Object> m = new HashMap<String, Object>(); m.put("line", log); return m; } }