|
13 | 13 | ##########################
|
14 | 14 | # FAILING SEQUENCE TESTS #
|
15 | 15 | ##########################
|
16 |
| -[[queries]] |
17 |
| -case_sensitive = true |
18 |
| -case_insensitive = true |
19 |
| -note = "Sequence: many-1 match." |
20 |
| -query = ''' |
21 |
| -sequence |
22 |
| - [process where serial_event_id < 5] |
23 |
| - [process where serial_event_id = 5] |
24 |
| -''' |
25 |
| -expected_event_ids = [4, 5] |
26 |
| - |
27 | 16 | [[queries]]
|
28 | 17 | case_sensitive = true
|
29 | 18 | case_insensitive = true
|
@@ -209,6 +198,74 @@ sequence by user_name
|
209 | 198 | '''
|
210 | 199 | expected_event_ids = [61, 62]
|
211 | 200 |
|
| 201 | +[[queries]] |
| 202 | +case_sensitive = true |
| 203 | +case_insensitive = true |
| 204 | +query = ''' |
| 205 | +sequence |
| 206 | + [process where opcode == 1] by unique_pid |
| 207 | + [file where opcode == 0] by unique_pid |
| 208 | + [file where opcode == 0] by unique_pid |
| 209 | + [file where opcode == 0] by unique_pid |
| 210 | +''' |
| 211 | +expected_event_ids = [54, 55, 61, 67] |
| 212 | + |
| 213 | +[[queries]] |
| 214 | +case_sensitive = true |
| 215 | +case_insensitive = true |
| 216 | +query = ''' |
| 217 | +sequence |
| 218 | + [process where opcode == 1] by unique_pid, process_path |
| 219 | + [file where opcode == 0] by unique_pid, process_path |
| 220 | + [file where opcode == 0] by unique_pid, process_path |
| 221 | + [file where opcode == 0] by unique_pid, process_path |
| 222 | +''' |
| 223 | +expected_event_ids = [54, 55, 61, 67] |
| 224 | + |
| 225 | +[[queries]] |
| 226 | +case_sensitive = true |
| 227 | +case_insensitive = true |
| 228 | +query = ''' |
| 229 | +sequence |
| 230 | + [process where opcode == 1] by unique_pid |
| 231 | + [file where opcode == 0] by unique_pid |
| 232 | + [file where opcode == 0] by unique_pid |
| 233 | + [file where opcode == 0] by unique_pid |
| 234 | +until |
| 235 | + [file where opcode == 2] by unique_pid |
| 236 | +''' |
| 237 | +expected_event_ids = [] |
| 238 | + |
| 239 | +[[queries]] |
| 240 | +case_sensitive = true |
| 241 | +case_insensitive = true |
| 242 | +query = ''' |
| 243 | +sequence |
| 244 | + [process where opcode == 1] by unique_pid |
| 245 | + [file where opcode == 0] by unique_pid |
| 246 | + [file where opcode == 0] by unique_pid |
| 247 | + [file where opcode == 0] by unique_pid |
| 248 | +until |
| 249 | + [file where opcode == 200] by unique_pid |
| 250 | +''' |
| 251 | +expected_event_ids = [54, 55, 61, 67] |
| 252 | + |
| 253 | +[[queries]] |
| 254 | +case_sensitive = true |
| 255 | +case_insensitive = true |
| 256 | +query = ''' |
| 257 | +sequence |
| 258 | + [process where opcode == 1] by unique_pid, process_path |
| 259 | + [file where opcode == 0] by unique_pid, process_path |
| 260 | + [file where opcode == 0] by unique_pid, process_path |
| 261 | + [file where opcode == 0] by unique_pid, process_path |
| 262 | +until |
| 263 | + [file where opcode == 200] by unique_pid, process_path |
| 264 | +''' |
| 265 | +expected_event_ids = [54, 55, 61, 67] |
| 266 | + |
| 267 | + |
| 268 | + |
212 | 269 | #############################
|
213 | 270 | # NOT (YET) SUPPORTED TESTS #
|
214 | 271 | #############################
|
@@ -566,71 +623,6 @@ process where true
|
566 | 623 | | sort serial_event_id
|
567 | 624 | '''
|
568 | 625 |
|
569 |
| -[[queries]] |
570 |
| -case_sensitive = true |
571 |
| -case_insensitive = true |
572 |
| -query = ''' |
573 |
| -sequence |
574 |
| - [process where opcode == 1] by unique_pid |
575 |
| - [file where opcode == 0] by unique_pid |
576 |
| - [file where opcode == 0] by unique_pid |
577 |
| - [file where opcode == 0] by unique_pid |
578 |
| -''' |
579 |
| -expected_event_ids = [54, 55, 61, 67] |
580 |
| - |
581 |
| -[[queries]] |
582 |
| -case_sensitive = true |
583 |
| -case_insensitive = true |
584 |
| -query = ''' |
585 |
| -sequence |
586 |
| - [process where opcode == 1] by unique_pid, process_path |
587 |
| - [file where opcode == 0] by unique_pid, process_path |
588 |
| - [file where opcode == 0] by unique_pid, process_path |
589 |
| - [file where opcode == 0] by unique_pid, process_path |
590 |
| -''' |
591 |
| -expected_event_ids = [54, 55, 61, 67] |
592 |
| - |
593 |
| -[[queries]] |
594 |
| -case_sensitive = true |
595 |
| -case_insensitive = true |
596 |
| -query = ''' |
597 |
| -sequence |
598 |
| - [process where opcode == 1] by unique_pid |
599 |
| - [file where opcode == 0] by unique_pid |
600 |
| - [file where opcode == 0] by unique_pid |
601 |
| - [file where opcode == 0] by unique_pid |
602 |
| -until |
603 |
| - [file where opcode == 2] by unique_pid |
604 |
| -''' |
605 |
| -expected_event_ids = [] |
606 |
| - |
607 |
| -[[queries]] |
608 |
| -case_sensitive = true |
609 |
| -case_insensitive = true |
610 |
| -query = ''' |
611 |
| -sequence |
612 |
| - [process where opcode == 1] by unique_pid |
613 |
| - [file where opcode == 0] by unique_pid |
614 |
| - [file where opcode == 0] by unique_pid |
615 |
| - [file where opcode == 0] by unique_pid |
616 |
| -until |
617 |
| - [file where opcode == 200] by unique_pid |
618 |
| -''' |
619 |
| -expected_event_ids = [54, 55, 61, 67] |
620 |
| - |
621 |
| -[[queries]] |
622 |
| -case_sensitive = true |
623 |
| -case_insensitive = true |
624 |
| -query = ''' |
625 |
| -sequence |
626 |
| - [process where opcode == 1] by unique_pid, process_path |
627 |
| - [file where opcode == 0] by unique_pid, process_path |
628 |
| - [file where opcode == 0] by unique_pid, process_path |
629 |
| - [file where opcode == 0] by unique_pid, process_path |
630 |
| -until |
631 |
| - [file where opcode == 200] by unique_pid, process_path |
632 |
| -''' |
633 |
| - |
634 | 626 |
|
635 | 627 | [[queries]]
|
636 | 628 | case_sensitive = true