import glob
import unittest
import re
from libads import ADS # Our Python library for parsing https://github.com/palantir/alerting-detection-strategy-framework
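class ADSTester(unittest.TestCase):
    """Lint the Splunk queries embedded in the ``S*.md`` ADS files of the cwd.

    Every test parses each file with :class:`ADS`, pulls out its Splunk alerts
    (``get_splunk_alerts``) and checks the ``query`` of each alert for a class
    of escaping/quoting mistake.  Each alert is reported as its own
    ``subTest`` so a single broken query does not hide the others.
    """

    # ``\*`` that is not itself preceded by a backslash.  Splunk treats it as
    # a literal star, which defeats the wildcard the author most likely wanted.
    ESCAPED_WILDCARD = re.compile(r"(?<!\\)\\\*")
    # A lone backslash followed by alphanumerics (``\n``, ``\d``, ``\Windows``)
    # outside a regex command is almost always an escape that was not doubled.
    # (The original pattern had a duplicated ``a`` in the class: ``[a-zaA-Z0-9]``.)
    BAD_STRING_ESCAPE = re.compile(r"(?<!\\)\\[a-zA-Z0-9]+")
    # Commands whose arguments legitimately contain backslash escapes.
    REGEX_COMMAND = re.compile(r"^\s*(regex|rex)\s")

    def setUp(self):
        self.filenames = glob.glob("S*.md")

    def _iter_alerts(self):
        """Yield ``(filename, index, alert)`` for every Splunk alert of every file."""
        for fn in self.filenames:
            for idx, alert in enumerate(ADS(fn).get_splunk_alerts()):
                yield fn, idx, alert

    @staticmethod
    def _count_unescaped_quotes(query):
        """Return the number of ``"`` characters in *query* not preceded by a backslash.

        The first character is inspected like any other (it can never be
        escaped), and an empty query yields 0 instead of raising.  Runs of
        backslashes are not tracked: ``\\"`` is treated as an escaped quote,
        matching the rule this test has always applied.
        """
        count = 0
        prev = ""
        for char in query:
            if char == '"' and prev != "\\":
                count += 1
            prev = char
        return count

    @classmethod
    def _find_bad_string_escape(cls, query):
        """Return the first suspicious escape in *query*, or ``None``.

        The query is split on ``|`` into commands (naive: pipes inside
        quoted strings are split too) and ``regex``/``rex`` commands are
        skipped because backslash escapes are expected there.
        """
        for cmd in query.split("|"):
            if cls.REGEX_COMMAND.match(cmd):
                # ignore real regexp commands
                continue
            match = cls.BAD_STRING_ESCAPE.search(cmd)
            if match:
                return match.group(0)
        return None

    def test_splunk_no_escaped_wildcard(self):
        """No query may contain an escaped wildcard ``\*``."""
        for fn, idx, alert in self._iter_alerts():
            with self.subTest(filename=fn, alert=idx):
                self.assertIsNone(
                    self.ESCAPED_WILDCARD.search(alert.query),
                    f"escaped wildcard in query: {alert.query!r}",
                )

    def test_splunk_bad_string_escape(self):
        """No non-regex command may contain a single-backslash escape."""
        for fn, idx, alert in self._iter_alerts():
            with self.subTest(filename=fn, alert=idx):
                bad = self._find_bad_string_escape(alert.query)
                self.assertIsNone(
                    bad, f"suspicious escape {bad!r} in query: {alert.query!r}"
                )

    def test_splunk_unbalanced_quotes(self):
        """Every query must contain an even number of unescaped double quotes."""
        for fn, idx, alert in self._iter_alerts():
            with self.subTest(filename=fn, alert=idx):
                count = self._count_unescaped_quotes(alert.query)
                self.assertEqual(
                    count % 2, 0, f"unbalanced quotes in query: {alert.query!r}"
                )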