coverage improvement

mengualp · Sep 5, 2022 · 0853e08 · 0853e08
1 parent e78e9c8
commit 0853e08
Show file tree

Hide file tree

Showing 3 changed files with 115 additions and 43 deletions.
diff --git a/.github/coverage/badge.svg b/.github/coverage/badge.svg
diff --git a/.github/coverage/coverage.txt b/.github/coverage/coverage.txt
@@ -1,37 +1,37 @@
-ok  	github.com/0xrawsec/whids/agent	56.091s	coverage: 61.6% of statements
-ok  	github.com/0xrawsec/whids/agent/config	9.639s	coverage: 77.5% of statements
-ok  	github.com/0xrawsec/whids/agent/sysinfo	1.232s	coverage: 95.2% of statements
-ok  	github.com/0xrawsec/whids/api/server	186.360s	coverage: 65.8% of statements
-ok  	github.com/0xrawsec/whids/event	59.857s	coverage: 75.3% of statements
-ok  	github.com/0xrawsec/whids/ioc	37.663s	coverage: 73.3% of statements
-ok  	github.com/0xrawsec/whids/logger	45.202s	coverage: 76.7% of statements
-ok  	github.com/0xrawsec/whids/sysmon	15.094s	coverage: 83.1% of statements
-ok  	github.com/0xrawsec/whids/utils	12.055s	coverage: 13.6% of statements
-ok  	github.com/0xrawsec/whids/utils/command	0.725s	coverage: 100.0% of statements
+ok  	github.com/0xrawsec/whids/agent	73.715s	coverage: 67.7% of statements
+ok  	github.com/0xrawsec/whids/agent/config	19.089s	coverage: 77.5% of statements
+ok  	github.com/0xrawsec/whids/agent/sysinfo	2.004s	coverage: 95.2% of statements
+ok  	github.com/0xrawsec/whids/api/server	215.335s	coverage: 65.8% of statements
+ok  	github.com/0xrawsec/whids/event	77.036s	coverage: 75.3% of statements
+ok  	github.com/0xrawsec/whids/ioc	52.133s	coverage: 73.3% of statements
+ok  	github.com/0xrawsec/whids/logger	51.316s	coverage: 76.7% of statements
+ok  	github.com/0xrawsec/whids/sysmon	9.181s	coverage: 83.1% of statements
+ok  	github.com/0xrawsec/whids/utils	18.214s	coverage: 13.6% of statements
+ok  	github.com/0xrawsec/whids/utils/command	0.896s	coverage: 100.0% of statements
 github.com/0xrawsec/whids/agent/actions.go:71:				NewActionHandler		100.0%
-github.com/0xrawsec/whids/agent/actions.go:80:				dumpname			0.0%
-github.com/0xrawsec/whids/agent/actions.go:85:				prepare				0.0%
+github.com/0xrawsec/whids/agent/actions.go:80:				dumpname			100.0%
+github.com/0xrawsec/whids/agent/actions.go:85:				prepare				100.0%
 github.com/0xrawsec/whids/agent/actions.go:93:				shouldDump			100.0%
-github.com/0xrawsec/whids/agent/actions.go:98:				writeReader			0.0%
-github.com/0xrawsec/whids/agent/actions.go:103:				dumpAsJson			0.0%
-github.com/0xrawsec/whids/agent/actions.go:116:				dumpBinFile			0.0%
-github.com/0xrawsec/whids/agent/actions.go:120:				dumpFile			0.0%
-github.com/0xrawsec/whids/agent/actions.go:155:				listFilesFromCommandLine	0.0%
-github.com/0xrawsec/whids/agent/actions.go:178:				filedumpSet			0.0%
-github.com/0xrawsec/whids/agent/actions.go:231:				filedump			0.0%
+github.com/0xrawsec/whids/agent/actions.go:98:				writeReader			100.0%
+github.com/0xrawsec/whids/agent/actions.go:103:				dumpAsJson			66.7%
+github.com/0xrawsec/whids/agent/actions.go:116:				dumpBinFile			100.0%
+github.com/0xrawsec/whids/agent/actions.go:120:				dumpFile			77.8%
+github.com/0xrawsec/whids/agent/actions.go:155:				listFilesFromCommandLine	81.8%
+github.com/0xrawsec/whids/agent/actions.go:178:				filedumpSet			44.4%
+github.com/0xrawsec/whids/agent/actions.go:231:				filedump			80.0%
 github.com/0xrawsec/whids/agent/actions.go:241:				memdump				0.0%
-github.com/0xrawsec/whids/agent/actions.go:270:				regdump				0.0%
+github.com/0xrawsec/whids/agent/actions.go:270:				regdump				26.7%
 github.com/0xrawsec/whids/agent/actions.go:301:				suspend_process			0.0%
 github.com/0xrawsec/whids/agent/actions.go:311:				kill_process			0.0%
 github.com/0xrawsec/whids/agent/actions.go:324:				Queue				100.0%
-github.com/0xrawsec/whids/agent/actions.go:334:				HandleActions			6.5%
-github.com/0xrawsec/whids/agent/actions.go:407:				queueCompression		0.0%
-github.com/0xrawsec/whids/agent/actions.go:413:				compressionLoop			54.5%
+github.com/0xrawsec/whids/agent/actions.go:334:				HandleActions			58.1%
+github.com/0xrawsec/whids/agent/actions.go:407:				queueCompression		100.0%
+github.com/0xrawsec/whids/agent/actions.go:413:				compressionLoop			81.8%
 github.com/0xrawsec/whids/agent/actions.go:433:				handleActionsLoop		100.0%
 github.com/0xrawsec/whids/agent/agent.go:106:				newActionnableEngine		100.0%
 github.com/0xrawsec/whids/agent/agent.go:125:				NewAgent			100.0%
 github.com/0xrawsec/whids/agent/agent.go:135:				Initialize			100.0%
-github.com/0xrawsec/whids/agent/agent.go:158:				Prepare				69.6%
+github.com/0xrawsec/whids/agent/agent.go:158:				Prepare				73.9%
 github.com/0xrawsec/whids/agent/agent.go:217:				initEnvVariables		100.0%
 github.com/0xrawsec/whids/agent/agent.go:221:				initDB				66.7%
 github.com/0xrawsec/whids/agent/agent.go:230:				initEventProvider		71.4%
@@ -46,10 +46,10 @@ github.com/0xrawsec/whids/agent/agent.go:480:				fetchIoCsFromManager		69.2%
 github.com/0xrawsec/whids/agent/agent.go:533:				loadContainers			66.7%
 github.com/0xrawsec/whids/agent/agent.go:565:				updateSystemInfo		88.9%
 github.com/0xrawsec/whids/agent/agent.go:593:				updateSysmonBin			30.0%
-github.com/0xrawsec/whids/agent/agent.go:639:				updateSysmonConfig		66.7%
+github.com/0xrawsec/whids/agent/agent.go:639:				updateSysmonConfig		63.0%
 github.com/0xrawsec/whids/agent/agent.go:699:				updateAgentConfig		36.0%
 github.com/0xrawsec/whids/agent/agent.go:749:				cleanup				33.3%
-github.com/0xrawsec/whids/agent/agent.go:765:				IsHIDSEvent			93.8%
+github.com/0xrawsec/whids/agent/agent.go:765:				IsHIDSEvent			100.0%
 github.com/0xrawsec/whids/agent/agent.go:799:				Report				100.0%
 github.com/0xrawsec/whids/agent/agent.go:826:				Run				68.0%
 github.com/0xrawsec/whids/agent/agent.go:943:				LogStats			100.0%
@@ -96,13 +96,13 @@ github.com/0xrawsec/whids/agent/cron.go:39:				uncontainCmd			0.0%
 github.com/0xrawsec/whids/agent/cron.go:48:				handleManagerCommand		0.0%
 github.com/0xrawsec/whids/agent/cron.go:307:				taskCommandRunner		55.0%
 github.com/0xrawsec/whids/agent/cron.go:342:				scheduleCleanArchivedTask	42.1%
-github.com/0xrawsec/whids/agent/cron.go:382:				taskUploadDumps			7.4%
+github.com/0xrawsec/whids/agent/cron.go:382:				taskUploadDumps			66.7%
 github.com/0xrawsec/whids/agent/cron.go:436:				updateTools			51.6%
 github.com/0xrawsec/whids/agent/cron.go:506:				scheduleTasks			84.0%
 github.com/0xrawsec/whids/agent/defaults.go:12:				BuildDefaultConfig		100.0%
 github.com/0xrawsec/whids/agent/filters.go:73:				NewFilter			100.0%
 github.com/0xrawsec/whids/agent/filters.go:81:				Match				100.0%
-github.com/0xrawsec/whids/agent/hookdefs.go:37:				hookSetImageSize		94.1%
+github.com/0xrawsec/whids/agent/hookdefs.go:37:				hookSetImageSize		82.4%
 github.com/0xrawsec/whids/agent/hookdefs.go:69:				hookImageLoad			95.0%
 github.com/0xrawsec/whids/agent/hookdefs.go:106:			trackSysmonProcessCreate	76.1%
 github.com/0xrawsec/whids/agent/hookdefs.go:227:			hookTrack			50.0%
@@ -125,7 +125,7 @@ github.com/0xrawsec/whids/agent/hooks.go:73:				Hook				100.0%
 github.com/0xrawsec/whids/agent/hooks.go:82:				RunHooksOn			93.8%
 github.com/0xrawsec/whids/agent/hookutils.go:13:			toString			100.0%
 github.com/0xrawsec/whids/agent/hookutils.go:17:			toHex				66.7%
-github.com/0xrawsec/whids/agent/hookutils.go:25:			terminate			0.0%
+github.com/0xrawsec/whids/agent/hookutils.go:25:			terminate			75.0%
 github.com/0xrawsec/whids/agent/hookutils.go:41:			isSysmonProcessTerminate	100.0%
 github.com/0xrawsec/whids/agent/iocs.go:17:				ruleHashIoC			100.0%
 github.com/0xrawsec/whids/agent/iocs.go:32:				ruleDomainIoC			100.0%
@@ -151,8 +151,8 @@ github.com/0xrawsec/whids/agent/ptrack.go:313:				sourceGUIDFromEvent		88.9%
 github.com/0xrawsec/whids/agent/ptrack.go:334:				targetGUIDFromEvent		70.0%
 github.com/0xrawsec/whids/agent/ptrack.go:376:				NewActivityTracker		100.0%
 github.com/0xrawsec/whids/agent/ptrack.go:393:				delete				100.0%
-github.com/0xrawsec/whids/agent/ptrack.go:406:				freeRtn				100.0%
-github.com/0xrawsec/whids/agent/ptrack.go:444:				CheckDumpCountOrInc		50.0%
+github.com/0xrawsec/whids/agent/ptrack.go:406:				freeRtn				80.0%
+github.com/0xrawsec/whids/agent/ptrack.go:444:				CheckDumpCountOrInc		100.0%
 github.com/0xrawsec/whids/agent/ptrack.go:458:				Add				100.0%
 github.com/0xrawsec/whids/agent/ptrack.go:469:				PS				100.0%
 github.com/0xrawsec/whids/agent/ptrack.go:480:				Blacklist			0.0%
@@ -162,7 +162,7 @@ github.com/0xrawsec/whids/agent/ptrack.go:500:				TargetTrackFromEvent		80.0%
 github.com/0xrawsec/whids/agent/ptrack.go:512:				GetParentByGuid			0.0%
 github.com/0xrawsec/whids/agent/ptrack.go:521:				getByGuid			100.0%
 github.com/0xrawsec/whids/agent/ptrack.go:530:				GetByGuid			100.0%
-github.com/0xrawsec/whids/agent/ptrack.go:539:				GetByPID			85.7%
+github.com/0xrawsec/whids/agent/ptrack.go:539:				GetByPID			100.0%
 github.com/0xrawsec/whids/agent/ptrack.go:554:				ContainsGuid			0.0%
 github.com/0xrawsec/whids/agent/ptrack.go:561:				ContainsPID			0.0%
 github.com/0xrawsec/whids/agent/ptrack.go:568:				Modules				100.0%
@@ -473,4 +473,4 @@ github.com/0xrawsec/whids/utils/windows.go:53:				ResolveCDrive			0.0%
 github.com/0xrawsec/whids/utils/windows.go:76:				RegValue			0.0%
 github.com/0xrawsec/whids/utils/windows.go:91:				RegJoin				0.0%
 github.com/0xrawsec/whids/utils/windows.go:98:				RegValueToString		0.0%
-total:									(statements)			62.4%
+total:									(statements)			64.8%
diff --git a/agent/agent_test.go b/agent/agent_test.go
@@ -2,17 +2,21 @@ package agent
 
 import (
 	"bytes"
+	"context"
 	"encoding/xml"
 	"errors"
 	"fmt"
 	"math/rand"
 	"os"
 	"path/filepath"
+	"regexp"
+	"strconv"
+	"strings"
 	"testing"
 	"time"
 
 	"github.com/0xrawsec/gene/v2/engine"
-	"github.com/0xrawsec/golang-utils/datastructs"
+	"github.com/0xrawsec/golang-etw/etw"
 	"github.com/0xrawsec/toast"
 	"github.com/0xrawsec/whids/agent/config"
 	"github.com/0xrawsec/whids/api"
@@ -24,6 +28,7 @@ import (
 	"github.com/0xrawsec/whids/sysmon"
 	"github.com/0xrawsec/whids/tools"
 	"github.com/0xrawsec/whids/utils"
+	"github.com/0xrawsec/whids/utils/command"
 )
 
 var (
@@ -109,8 +114,38 @@ var (
 	// tools deployment
 	osqueryBin         []byte
 	osqueryTestBinPath = filepath.Join("data", fmt.Sprintf("%s.%s%s", los.OS, tools.ToolOSQueryi, los.ExecExt))
+
+	wmicPidRe = regexp.MustCompile(`ProcessId\s=\s\d+`)
 )
 
+func wmicCreateProcess(cmdLine string) int {
+	var out []byte
+	var err error
+	var s, spid string
+	var ok bool
+	var pid int64
+
+	cmd := command.CommandTimeout(time.Second*5, "cmd", "/c", fmt.Sprintf(`wmic process call create '%s'`, cmdLine))
+	if out, err = cmd.CombinedOutput(); err != nil {
+		panic(fmt.Sprintf("%s:\n%s", err, string(out)))
+	}
+
+	if s = wmicPidRe.FindString(string(out)); s == "" {
+		panic(fmt.Sprintf("pid not found in:\n%s", string(out)))
+	}
+
+	if _, spid, ok = strings.Cut(s, "="); !ok {
+		panic(fmt.Sprintf("could not split %s", s))
+	}
+
+	spid = strings.Trim(spid, " \t")
+	if pid, err = strconv.ParseInt(spid, 0, 32); err != nil {
+		panic(err)
+	}
+
+	return int(pid)
+}
+
 func init() {
 	var err error
 
@@ -120,11 +155,36 @@ func init() {
 
 }
 
+func drainOldAutologgerEvents(t *testing.T) {
+	tt := toast.FromT(t)
+
+	t.Log("Draining out Autologger trace from old events")
+
+	cnt := 0
+	c := etw.NewRealTimeConsumer(context.Background())
+	// name of the edr trace
+	c.FromTraceNames(config.EdrTraceName)
+
+	tt.CheckErr(c.Start())
+
+	now := time.Now()
+	for e := range c.Events {
+		if e.System.TimeCreated.SystemTime.After(now) {
+			break
+		}
+		cnt++
+	}
+
+	tt.CheckErr(c.Stop())
+	t.Logf("Drained %d old events from autologger", cnt)
+}
+
 func testingRule() (r engine.Rule) {
 	r = engine.NewRule()
 	r.Name = "Testing:MatchAllSysmon"
 	// FileCreate, FileDeleted and FileDeletedDetected
 	r.Meta.Events = map[string][]int64{"Microsoft-Windows-Sysmon/Operational": {}}
+	r.Actions = append(r.Actions, ActionFiledump, ActionRegdump, ActionBrief, ActionReport)
 	r.Meta.Criticality = 10
 	return r
 }
@@ -269,6 +329,9 @@ func testHook(h *Agent, e *event.EdrEvent) {
 }
 
 func TestAgent(t *testing.T) {
+	// draining old events from autologger
+	drainOldAutologgerEvents(t)
+
 	tt := toast.FromT(t)
 	defer cleanup()
 
@@ -286,7 +349,7 @@ func TestAgent(t *testing.T) {
 
 	c := BuildDefaultConfig(tmp)
 	// make logger log to stdout
-	c.Logfile = ""
+	c.Logfile = "whids.log"
 	c.FwdConfig.Local = false
 	c.FwdConfig.Client = clConf
 	// enable audit policy to trigger FileSystem events hooks
@@ -321,17 +384,20 @@ func TestAgent(t *testing.T) {
 	a.preHooks.Hook(func(h *Agent, e *event.EdrEvent) {
 		if e.Channel() == sysmonChannel {
 			gotSysmonEvent = true
+			switch e.EventID() {
+			case SysmonDNSQuery, SysmonNetworkConnect:
+				t.Log(utils.PrettyJsonOrPanic(e.Event))
+			}
 		}
 		if isSysmonProcessTerminate(e) {
 			gotProcessTermination = true
 		}
-		// create fake detection to cover action
-		d := engine.NewDetection(true, true)
-		// enable all actions
-		//d.Actions = datastructs.NewInitSet(datastructs.ToInterfaceSlice(AvailableActions)...)
-		d.Actions = datastructs.NewInitSet(ActionFiledump, ActionRegdump, ActionBrief, ActionReport)
-		d.Criticality = 6
-		e.SetDetection(d)
+	}, fltAnyEvent)
+
+	a.postHooks.Hook(func(h *Agent, e *event.EdrEvent) {
+		/*if e.IsDetection() {
+			t.Log(e.GetDetection().Actions.Slice())
+		}*/
 	}, fltAnyEvent)
 
 	tt.TimeIt(
@@ -340,7 +406,13 @@ func TestAgent(t *testing.T) {
 	)
 
 	tt.CheckErr(err)
+	// we start running the agent
 	a.Run()
+	// generate fake network trafic not originating from edr
+	pid := wmicCreateProcess("powershell -Command while(1){powershell -Command wget https://www.google.com;sleep 1}")
+	// terminate wmic process
+	defer terminate(pid)
+
 	time.Sleep(20 * time.Second)
 	a.Stop()