(ns cef-parser.core-test
  (:require [clojure.test :refer :all]
            [cef-parser.core :refer :all]))

;; Most examples can be found in page 8 of
;; https://www.protect724.hpe.com/docs/DOC-1072
;;
;; CEF header layout, for reading the samples below:
;;   CEF:Version|Device Vendor|Device Product|Device Version|
;;   Device Event Class ID|Name|Severity|Extension
;;
;; Each escaping test feeds a line in which an escaped delimiter (pipe,
;; backslash, equals sign, or "\n") must be unescaped rather than treated
;; as a field or key/value separator.

;; Syslog prefix plus the first five CEF header fields shared by the
;; escaping tests; each test supplies only the name|severity|extension tail.
(def ^:private header-prefix
  "Sep 19 08:26:10 host CEF:0|security|threatmanager|1.0|100|")

(defn- parse-tail
  "Parses a CEF line built from `header-prefix` and the given
  name|severity|extension tail string."
  [tail]
  (parse-cef (str header-prefix tail)))

(defn- extension-value
  "Returns the value stored under `k` in the parsed record's :extension map."
  [parsed k]
  (get-in parsed [:extension k]))

(deftest pipe-test
  ;; An escaped pipe inside the Name header field must not split the field.
  (let [parsed (parse-tail "detected a \\| in message|10|src=10.0.0.1 act=blocked a | dst=1.1.1.1")]
    (is (= "detected a | in message" (:name parsed)))))

(deftest backslash-test
  ;; A doubled backslash in an extension value unescapes to a single one.
  (let [parsed (parse-tail "detected a \\\\ in packet|10|src=10.0.0.1 act=blocked a \\\\ dst=1.1.1.1")]
    (is (= "blocked a \\" (extension-value parsed "act")))))

(deftest equal-sign-test
  ;; An escaped "=" inside an extension value is data, not a key separator.
  (let [parsed (parse-tail "detected a = in message|10|src=10.0.0.1 act=blocked a \\= dst=1.1.1.1")]
    (is (= "blocked a =" (extension-value parsed "act")))))

(deftest multi-line-ex-test
  ;; A literal "\n" escape in an extension value becomes a real newline.
  (let [parsed (parse-tail "Detected a threat. No action needed.|10|src=10.0.0.1 msg=Detected a threat.\\n No action needed.")]
    (is (= "Detected a threat.\n No action needed." (extension-value parsed "msg")))))

(deftest tricky-CEF-test
  ;; Escapes in the header fields themselves, in extension keys, and a
  ;; key containing an escaped space.
  ;;
  ;; NOTE(review): the expected keys look shifted by one field relative to
  ;; the CEF header layout above (:version holds the vendor, :device-vendor
  ;; the product, :device-product the device version, and the leading "0"
  ;; version does not appear), and :device_event_class_id uses an underscore
  ;; while the other keys are hyphenated. This reflects what parse-cef
  ;; currently returns - confirm against the parser before relying on these
  ;; key names.
  (let [raw (str "2016-07-04T10:09:33 CEF:0|Sec\\|urity|threat\\\\manager|1.0|100|worm successfully stopped|10|"
                 "src\\\\he=10.0.0.1 dst=2.1.2.2 spt=1232 filePath=/user/username/dir/my file name.txt "
                 "E\\=mc2=Einstein formula my\\ file=foo bar")
        expected {:version "Sec|urity"
                  :device-vendor "threat\\manager"
                  :device-product "1.0"
                  :device_event_class_id "100"
                  :name "worm successfully stopped"
                  :severity "10"
                  :extension {"src\\he" "10.0.0.1"
                              "dst" "2.1.2.2"
                              "spt" "1232"
                              "filePath" "/user/username/dir/my file name.txt"
                              "E=mc2" "Einstein formula"
                              "my file" "foo bar"}}]
    (is (= expected (parse-cef raw)))))