(ns cef-parser.core-test
  "Unit tests for cef-parser.core/parse-cef.

  Each test feeds one raw CEF line to the parser and checks that the escape
  sequences the format allows (backslash-escaped pipes, backslashes, equals
  signs and newlines) are decoded as data rather than treated as field
  separators. Getting this wrong is what lets a crafted log line shift or
  overwrite fields, so the assertions here double as a field-boundary check."
  (:require [cef-parser.core :refer [parse-cef]]
            [clojure.test :refer [deftest is testing]]))
;; Most examples can be found on page 8 of
;; https://www.protect724.hpe.com/docs/DOC-1072
(deftest pipe-test
  ;; A pipe written as \| inside a header field belongs to the value and must
  ;; not be taken as a field separator. The extension part deliberately
  ;; carries an unescaped pipe: per the CEF spec, | needs no escaping there.
  ;; NOTE(review): only :name is asserted; the "act" value in the extension
  ;; ("blocked a |") is not checked, so a parser that split the extension on
  ;; "|" would still pass this test.
  (testing "escaped pipe inside the header name"
    (let [raw "Sep 19 08:26:10 host CEF:0|security|threatmanager|1.0|100|detected a \\| in message|10|src=10.0.0.1 act=blocked a | dst=1.1.1.1"
          event (parse-cef raw)]
      (is (= "detected a | in message" (:name event))))))
(deftest backslash-test
  ;; In the raw line \\ (two characters) is the CEF escape for one literal
  ;; backslash. The Clojure literal below therefore spells it as \\\\.
  ;; Only the extension value is asserted; the header name ("detected a \
  ;; in packet") is decoded the same way but not checked here.
  (testing "escaped backslash in an extension value"
    (let [event (parse-cef "Sep 19 08:26:10 host CEF:0|security|threatmanager|1.0|100|detected a \\\\ in packet|10|src=10.0.0.1 act=blocked a \\\\ dst=1.1.1.1")
          act (get-in event [:extension "act"])]
      (is (= "blocked a \\" act)))))
(deftest equal-sign-test
  ;; = separates key from value only inside the extension, so that is the one
  ;; place it has to be escaped as \=. In the header an unescaped = is plain
  ;; text, which is why the name field above contains a bare one.
  (testing "escaped equals sign in an extension value"
    (let [event (parse-cef "Sep 19 08:26:10 host CEF:0|security|threatmanager|1.0|100|detected a = in message|10|src=10.0.0.1 act=blocked a \\= dst=1.1.1.1")
          act (get-in event [:extension "act"])]
      (is (= "blocked a =" act)))))
(deftest multi-line-ex-test
  ;; The raw line carries a literal backslash followed by "n" (\\n in the
  ;; Clojure literal); the decoded extension value must contain a real
  ;; newline in its place.
  (testing "escaped newline in an extension value"
    (let [event (parse-cef "Sep 19 08:26:10 host CEF:0|security|threatmanager|1.0|100|Detected a threat. No action needed.|10|src=10.0.0.1 msg=Detected a threat.\\n No action needed.")
          msg (get-in event [:extension "msg"])]
      (is (= "Detected a threat.\n No action needed." msg)))))
(deftest tricky-CEF-test
  ;; All escapes at once: \| and \\ in header fields, \\ and \= inside
  ;; extension keys, "\ " treated as a literal space in a key, and values that
  ;; themselves contain spaces and must not be split.
  ;; NOTE(review): the expected map labels the header fields one position off
  ;; from the CEF header order (version | vendor | product | device-version |
  ;; event-class-id | name | severity): :version holds the vendor, :device-vendor
  ;; the product and :device-product the device version, while the leading "0"
  ;; is not asserted at all. Detection logic keyed on :device-vendor would thus
  ;; read the product name. :device_event_class_id also breaks the kebab-case
  ;; of the other keys. This pins the parser's current output; confirm the
  ;; intended names against cef-parser.core before relying on them.
  (testing "header escapes, escaped keys and spaces in values"
    (let [raw (str "2016-07-04T10:09:33 CEF:0|Sec\\|urity|threat\\\\manager|1.0|100|worm successfully stopped|10|"
                   "src\\\\he=10.0.0.1 dst=2.1.2.2 spt=1232 filePath=/user/username/dir/my file name.txt "
                   "E\\=mc2=Einstein formula my\\ file=foo bar")
          expected {:version "Sec|urity"
                    :device-vendor "threat\\manager"
                    :device-product "1.0"
                    :device_event_class_id "100"
                    :name "worm successfully stopped"
                    :severity "10"
                    :extension {"src\\he" "10.0.0.1"
                                "dst" "2.1.2.2"
                                "spt" "1232"
                                "filePath" "/user/username/dir/my file name.txt"
                                "E=mc2" "Einstein formula"
                                "my file" "foo bar"}}]
      (is (= expected (parse-cef raw))))))