Increased test coverage

* more tests * removed unneeded code * increased coverage fail threshold
xfixic · Oct 23, 2017 · 65e1f8e · 65e1f8e
1 parent 3389656
commit 65e1f8e
Show file tree

Hide file tree

Showing 7 changed files with 32 additions and 59 deletions.
diff --git a/Makefile b/Makefile
@@ -28,10 +28,14 @@ test-sigmac:
 	! coverage run -a --include=tools/* tools/sigmac.py -t es-qs tests/not_existing.yml > /dev/null
 	! coverage run -a --include=tools/* tools/sigmac.py -t es-qs tests/invalid_yaml.yml > /dev/null
 	! coverage run -a --include=tools/* tools/sigmac.py -t es-qs tests/invalid_sigma-no_identifiers.yml > /dev/null
+	! coverage run -a --include=tools/* tools/sigmac.py -t es-qs tests/invalid_sigma-no_condition.yml > /dev/null
+	! coverage run -a --include=tools/* tools/sigmac.py -t es-qs tests/invalid_sigma-invalid_identifier_reference.yml > /dev/null
+	! coverage run -a --include=tools/* tools/sigmac.py -t es-qs tests/invalid_sigma-invalid_aggregation.yml > /dev/null
+	! coverage run -a --include=tools/* tools/sigmac.py -t es-qs tests/invalid_sigma-wrong_identifier_definition.yml > /dev/null
 	! coverage run -a --include=tools/* tools/sigmac.py -t es-qs rules/windows/builtin/win_susp_failed_logons_single_source.yml
 	! coverage run -a --include=tools/* tools/sigmac.py -t es-qs -o /not_possible rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
 	! coverage run -a --include=tools/* tools/sigmac.py -t es-qs -c not_existing rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml 
 	! coverage run -a --include=tools/* tools/sigmac.py -t es-qs -c tests/invalid_yaml.yml rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
 	! coverage run -a --include=tools/* tools/sigmac.py -t es-qs -c tests/invalid_config.yml rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
 	! coverage run -a --include=tools/* tools/sigmac.py -rvI -c tools/config/elk-defaultindex.yml -t kibana rules/ > /dev/null
-	coverage report --fail-under=80
+	coverage report --fail-under=90
diff --git a/tests/invalid_sigma-invalid_aggregation.yml b/tests/invalid_sigma-invalid_aggregation.yml
@@ -0,0 +1,7 @@
+title: Parse error in aggregation
+logsource:
+    product: linux
+detection:
+    foo: 
+        - test
+    condition: foo | foo bar
diff --git a/tests/invalid_sigma-invalid_identifier_reference.yml b/tests/invalid_sigma-invalid_identifier_reference.yml
@@ -0,0 +1,7 @@
+title: Missing identifiers in detection section
+logsource:
+    product: linux
+detection:
+    foo:
+        - test
+    condition: bar
diff --git a/tests/invalid_sigma-no_condition.yml b/tests/invalid_sigma-no_condition.yml
@@ -0,0 +1,6 @@
+title: Missing condition
+logsource:
+    product: linux
+detection:
+    expression:
+        - test
diff --git a/tests/invalid_sigma-wrong_identifier_definition.yml b/tests/invalid_sigma-wrong_identifier_definition.yml
@@ -0,0 +1,6 @@
+title: Wrong identifier value type
+logsource:
+    product: linux
+detection:
+    foo: test
+    condition: foo
diff --git a/tools/backends.py b/tools/backends.py
@@ -56,61 +56,6 @@ def print(self, *args, **kwargs):
     def close(self):
         self.fd.close()
 
-class MultiOutput:
-    """
-    Multiple file output
-
-    Prepares multiple SingleOutput instances with basename + suffix as file names, on for each suffix.
-    The switch() method is used to switch between these outputs.
-
-    This class must be inherited and suffixes must be a dict as follows: file id -> suffix
-    """
-    suffixes = None
-
-    def __init__(self, basename):
-        """Initializes all outputs with basename and corresponding suffix as SingleOutput object."""
-        if suffixes == None:
-            raise NotImplementedError("OutputMulti must be derived, at least suffixes must be set")
-        if type(basename) != str:
-            raise TypeError("OutputMulti constructor basename parameter must be string")
-
-        self.outputs = dict()
-        self.output = None
-        for name, suffix in self.suffixes:
-            self.outputs[name] = SingleOutput(basename + suffix)
-
-    def select(self, name):
-        """Select an output as current output"""
-        self.output = self.outputs[name]
-
-    def print(self, *args, **kwargs):
-        self.output.print(*args, **kwargs)
-
-    def close(self):
-        for out in self.outputs:
-            out.close()
-
-class StringOutput(SingleOutput):
-    """Collect input silently and return resulting string."""
-    def __init__(self, filename=None):
-        self.out = ""
-
-    def print(self, *args, **kwargs):
-        try:
-            del kwargs['file']
-        except KeyError:
-            pass
-        print(*args, file=self, **kwargs)
-
-    def write(self, s):
-        self.out += s
-
-    def result(self):
-        return self.out
-
-    def close(self):
-        pass
-
 ### Generic backend base classes and mixins
 class BaseBackend:
     """Base class for all backends"""

diff --git a/tools/sigma.py b/tools/sigma.py
@@ -19,8 +19,6 @@ def __init__(self, sigma, config):
     def parse_sigma(self):
         try:    # definition uniqueness check
             for definitionName, definition in self.parsedyaml["detection"].items():
-                if definitionName in self.definitions:
-                    raise SigmaParseError("Definition '%s' was already defined" % (definitionName))
                 self.definitions[definitionName] = definition
                 self.extract_values(definition)     # builds key-values-table in self.values
         except KeyError:
@@ -45,7 +43,7 @@ def parse_definition_byname(self, definitionName, condOverride=None):
         try:
             definition = self.definitions[definitionName]
         except KeyError as e:
-            raise SigmaParseError("Unknown definition '%s'" % (definitionName)) from e
+            raise SigmaParseError("Unknown definition '%s'" % definitionName) from e
         return self.parse_definition(definition, condOverride)
 
     def parse_definition(self, definition, condOverride=None):