
(ns cef-parser.core-test
(:require [clojure.test :refer :all]
[cef-parser.core :refer :all]))
;; Most of these examples are taken from page 8 of the CEF (Common Event Format)
;; specification, which defines the escaping rules exercised below:
;; https://www.protect724.hpe.com/docs/DOC-1072
;; An escaped pipe (`\|`) inside a header field must be unescaped to a literal
;; `|` rather than being treated as the header-field separator. Only the
;; `name` header field is asserted here; the unescaped `|` in the extension is
;; present in the input but its handling is not checked by this test.
(deftest pipe-test
  (testing "escaped pipe inside a CEF header field"
    (let [raw-event "Sep 19 08:26:10 host CEF:0|security|threatmanager|1.0|100|detected a \\| in message|10|src=10.0.0.1 act=blocked a | dst=1.1.1.1"
          parsed (parse-cef raw-event)
          expected-name "detected a | in message"]
      (is (= expected-name (:name parsed))))))
;; A doubled backslash (`\\`) on the wire is the escape for a single literal
;; backslash. The Clojure string literal below doubles it again, so the raw
;; event actually contains `\\` and the parsed extension value must contain `\`.
(deftest backslash-test
  (testing "escaped backslash inside an extension value"
    (let [raw-event "Sep 19 08:26:10 host CEF:0|security|threatmanager|1.0|100|detected a \\\\ in packet|10|src=10.0.0.1 act=blocked a \\\\ dst=1.1.1.1"
          parsed (parse-cef raw-event)
          act-value (get-in parsed [:extension "act"])]
      (is (= "blocked a \\" act-value)))))
;; In the extension, `=` separates a key from its value, so a literal `=`
;; inside a value has to be escaped as `\=`. Note that the unescaped `=` in the
;; `name` header field is deliberately left alone: header fields are delimited
;; by `|`, not `=`, and this test does not assert on the header.
(deftest equal-sign-test
  (testing "escaped equals sign inside an extension value"
    (let [raw-event "Sep 19 08:26:10 host CEF:0|security|threatmanager|1.0|100|detected a = in message|10|src=10.0.0.1 act=blocked a \\= dst=1.1.1.1"
          parsed (parse-cef raw-event)
          act-value (get-in parsed [:extension "act"])]
      (is (= "blocked a =" act-value)))))
;; A multi-line extension value is transported as the two characters `\n`
;; (backslash, n). The parser is expected to turn that escape into a real
;; newline character in the decoded `msg` value.
(deftest multi-line-ex-test
  (testing "escaped newline inside an extension value"
    (let [raw-event "Sep 19 08:26:10 host CEF:0|security|threatmanager|1.0|100|Detected a threat. No action needed.|10|src=10.0.0.1 msg=Detected a threat.\\n No action needed."
          parsed (parse-cef raw-event)
          expected-msg "Detected a threat.\n No action needed."]
      (is (= expected-msg (get-in parsed [:extension "msg"]))))))
;; Whole-record assertion combining several escape cases in one event:
;;   - `\|` and `\\` inside header fields,
;;   - `\\` inside an extension key,
;;   - `\=` inside an extension key (`E\=mc2`),
;;   - an unescaped space inside an extension value (`my file name.txt`),
;;   - `\ ` (escaped space) inside an extension key (`my\ file`) — not obviously
;;     covered by the spec's escaping rules, so this exercises parser leniency.
;;
;; NOTE(review): the expected keys look shifted relative to the CEF header
;; order (CEF:Version|Device Vendor|Device Product|Device Version|...):
;; "Sec|urity" is the device vendor on the wire but is asserted under :version,
;; the CEF version "0" is not asserted at all, and :device_event_class_id
;; breaks the kebab-case convention of the other keys. The map below mirrors
;; what parse-cef currently returns — confirm against cef-parser.core before
;; renaming anything here.
(deftest tricky-CEF-test
  (testing "combined header and extension escapes"
    (let [header "2016-07-04T10:09:33 CEF:0|Sec\\|urity|threat\\\\manager|1.0|100|worm successfully stopped|10|"
          extension-part-1 "src\\\\he=10.0.0.1 dst=2.1.2.2 spt=1232 filePath=/user/username/dir/my file name.txt "
          extension-part-2 "E\\=mc2=Einstein formula my\\ file=foo bar"
          raw-event (str header extension-part-1 extension-part-2)
          expected-extension {"spt" "1232"
                              "dst" "2.1.2.2"
                              "filePath" "/user/username/dir/my file name.txt"
                              "src\\he" "10.0.0.1"
                              "my file" "foo bar"
                              "E=mc2" "Einstein formula"}
          expected {:version "Sec|urity"
                    :device-vendor "threat\\manager"
                    :device-product "1.0"
                    :device_event_class_id "100"
                    :name "worm successfully stopped"
                    :severity "10"
                    :extension expected-extension}]
      (is (= expected (parse-cef raw-event))))))