fidius-evasiondb 0.0.1

data/test/config/prelude.sql

@@ -0,0 +1,439 @@
+
+
+CREATE TABLE "Prelude_Action" (
+  "_message_ident" bigint(20)  NOT NULL,
+  "_index" tinyint(4) NOT NULL,
+  "description" varchar(255) DEFAULT NULL,
+  "category" varchar(255) NOT NULL,
+  PRIMARY KEY ("_message_ident","_index")
+);
+
+
+
+CREATE TABLE "Prelude_AdditionalData" (
+  "_message_ident" bigint(20)  NOT NULL,
+  "_parent_type" varchar(255) NOT NULL,
+  "_index" tinyint(4) NOT NULL,
+  "type" varchar(255) NOT NULL,
+  "meaning" varchar(255) DEFAULT NULL,
+  "data" blob NOT NULL,
+  PRIMARY KEY ("_parent_type","_message_ident","_index")
+);
+
+
+
+CREATE TABLE "Prelude_Address" (
+  "_message_ident" bigint(20)  NOT NULL,
+  "_parent_type" varchar(255) NOT NULL,
+  "_parent0_index" smallint(6) NOT NULL,
+  "_index" tinyint(4) NOT NULL,
+  "ident" varchar(255) DEFAULT NULL,
+  "category" varchar(255) NOT NULL,
+  "vlan_name" varchar(255) DEFAULT NULL,
+  "vlan_num" int(10)  DEFAULT NULL,
+  "address" varchar(255) NOT NULL,
+  "netmask" varchar(255) DEFAULT NULL,
+  PRIMARY KEY ("_parent_type","_message_ident","_parent0_index","_index")
+);
+
+
+
+CREATE TABLE "Prelude_Alert" (
+  "_ident" bigint(20)  NOT NULL,
+  "messageid" varchar(255) DEFAULT NULL,
+  PRIMARY KEY ("_ident")
+);
+
+
+
+CREATE TABLE "Prelude_Alertident" (
+  "_message_ident" bigint(20)  NOT NULL,
+  "_index" int(11) NOT NULL,
+  "_parent_type" varchar(255) NOT NULL,
+  "alertident" varchar(255) NOT NULL,
+  "analyzerid" varchar(255) DEFAULT NULL,
+  PRIMARY KEY ("_parent_type","_message_ident","_index")
+);
+
+
+
+CREATE TABLE "Prelude_Analyzer" (
+  "_message_ident" bigint(20)  NOT NULL,
+  "_parent_type" varchar(255) DEFAULT NULL,
+  "_index" tinyint(4) DEFAULT NULL,
+  "analyzerid" varchar(255) DEFAULT NULL,
+  "name" varchar(255) DEFAULT NULL,
+  "manufacturer" varchar(255) DEFAULT NULL,
+  "model" varchar(255) DEFAULT NULL,
+  "version" varchar(255) DEFAULT NULL,
+  "class" varchar(255) DEFAULT NULL,
+  "ostype" varchar(255) DEFAULT NULL,
+  "osversion" varchar(255) DEFAULT NULL,
+  PRIMARY KEY ("_parent_type","_message_ident","_index")
+);
+
+
+
+CREATE TABLE "Prelude_AnalyzerTime" (
+  "_message_ident" bigint(20)  NOT NULL,
+  "_parent_type" varchar(255) NOT NULL,
+  "time" datetime NOT NULL,
+  "usec" int(10)  NOT NULL,
+  "gmtoff" int(11) NOT NULL,
+  PRIMARY KEY ("_parent_type","_message_ident")
+);
+
+
+
+CREATE TABLE "Prelude_Assessment" (
+  "_message_ident" bigint(20)  NOT NULL,
+  PRIMARY KEY ("_message_ident")
+);
+
+
+
+CREATE TABLE "Prelude_Checksum" (
+  "_message_ident" bigint(20)  NOT NULL,
+  "_parent0_index" smallint(6) NOT NULL,
+  "_parent1_index" tinyint(4) NOT NULL,
+  "_index" tinyint(4) NOT NULL,
+  "algorithm" varchar(255) NOT NULL,
+  "value" varchar(255) NOT NULL,
+  "checksum_key" varchar(255) DEFAULT NULL,
+  PRIMARY KEY ("_message_ident","_parent0_index","_parent1_index","_index")
+);
+
+
+
+CREATE TABLE "Prelude_Classification" (
+  "_message_ident" bigint(20)  NOT NULL,
+  "ident" varchar(255) DEFAULT NULL,
+  "text" varchar(255) NOT NULL,
+  PRIMARY KEY ("_message_ident")
+);
+
+
+
+CREATE TABLE "Prelude_Confidence" (
+  "_message_ident" bigint(20)  NOT NULL,
+  "confidence" float DEFAULT NULL,
+  "rating" varchar(255) NOT NULL,
+  PRIMARY KEY ("_message_ident")
+);
+
+
+
+CREATE TABLE "Prelude_CorrelationAlert" (
+  "_message_ident" bigint(20)  NOT NULL,
+  "name" varchar(255) NOT NULL,
+  PRIMARY KEY ("_message_ident")
+);
+
+
+
+CREATE TABLE "Prelude_CreateTime" (
+  "_message_ident" bigint(20)  NOT NULL,
+  "_parent_type" varchar(255) NOT NULL,
+  "time" datetime NOT NULL,
+  "usec" int(10)  NOT NULL,
+  "gmtoff" int(11) NOT NULL,
+  PRIMARY KEY ("_parent_type","_message_ident")
+);
+
+
+
+CREATE TABLE "Prelude_DetectTime" (
+  "_message_ident" bigint(20)  NOT NULL,
+  "time" datetime NOT NULL,
+  "usec" int(10)  DEFAULT NULL,
+  "gmtoff" int(11) DEFAULT NULL,
+  PRIMARY KEY ("_message_ident")
+);
+
+
+
+CREATE TABLE "Prelude_File" (
+  "_message_ident" bigint(20)  NOT NULL,
+  "_parent0_index" smallint(6) NOT NULL,
+  "_index" tinyint(4) NOT NULL,
+  "ident" varchar(255) DEFAULT NULL,
+  "path" varchar(255) NOT NULL,
+  "name" varchar(255) NOT NULL,
+  "category" varchar(255) DEFAULT NULL,
+  "create_time" datetime DEFAULT NULL,
+  "create_time_gmtoff" int(11) DEFAULT NULL,
+  "modify_time" datetime DEFAULT NULL,
+  "modify_time_gmtoff" int(11) DEFAULT NULL,
+  "access_time" datetime DEFAULT NULL,
+  "access_time_gmtoff" int(11) DEFAULT NULL,
+  "data_size" int(10)  DEFAULT NULL,
+  "disk_size" int(10)  DEFAULT NULL,
+  "fstype" varchar(255) DEFAULT NULL,
+  "file_type" varchar(255) DEFAULT NULL,
+  PRIMARY KEY ("_message_ident","_parent0_index","_index")
+);
+
+
+
+CREATE TABLE "Prelude_FileAccess" (
+  "_message_ident" bigint(20)  NOT NULL,
+  "_parent0_index" smallint(6) NOT NULL,
+  "_parent1_index" tinyint(4) NOT NULL,
+  "_index" tinyint(4) NOT NULL,
+  PRIMARY KEY ("_message_ident","_parent0_index","_parent1_index","_index")
+);
+
+
+
+CREATE TABLE "Prelude_FileAccess_Permission" (
+  "_message_ident" bigint(20)  NOT NULL,
+  "_parent0_index" smallint(6) NOT NULL,
+  "_parent1_index" tinyint(4) NOT NULL,
+  "_parent2_index" tinyint(4) NOT NULL,
+  "_index" tinyint(4) NOT NULL,
+  "permission" varchar(255) NOT NULL,
+  PRIMARY KEY ("_message_ident","_parent0_index","_parent1_index","_parent2_index","_index")
+);
+
+
+
+CREATE TABLE "Prelude_Heartbeat" (
+  "_ident" bigint(20)  NOT NULL,
+  "messageid" varchar(255) DEFAULT NULL,
+  "heartbeat_interval" int(11) DEFAULT NULL,
+  PRIMARY KEY ("_ident")
+);
+
+
+
+CREATE TABLE "Prelude_Impact" (
+  "_message_ident" bigint(20)  NOT NULL,
+  "description" text,
+  "severity" varchar(255) DEFAULT NULL,
+  "completion" varchar(255) DEFAULT NULL,
+  "type" varchar(255) DEFAULT NULL,
+  PRIMARY KEY ("_message_ident")
+);
+
+
+
+CREATE TABLE "Prelude_Inode" (
+  "_message_ident" bigint(20)  NOT NULL,
+  "_parent0_index" smallint(6) NOT NULL,
+  "_parent1_index" tinyint(4) NOT NULL,
+  "change_time" datetime DEFAULT NULL,
+  "change_time_gmtoff" int(11) DEFAULT NULL,
+  "number" int(10)  DEFAULT NULL,
+  "major_device" int(10)  DEFAULT NULL,
+  "minor_device" int(10)  DEFAULT NULL,
+  "c_major_device" int(10)  DEFAULT NULL,
+  "c_minor_device" int(10)  DEFAULT NULL,
+  PRIMARY KEY ("_message_ident","_parent0_index","_parent1_index")
+);
+
+
+
+CREATE TABLE "Prelude_Linkage" (
+  "_message_ident" bigint(20)  NOT NULL,
+  "_parent0_index" smallint(6) NOT NULL,
+  "_parent1_index" tinyint(4) NOT NULL,
+  "_index" tinyint(4) NOT NULL,
+  "category" varchar(255) NOT NULL,
+  "name" varchar(255) NOT NULL,
+  "path" varchar(255) NOT NULL,
+  PRIMARY KEY ("_message_ident","_parent0_index","_parent1_index","_index")
+);
+
+
+
+CREATE TABLE "Prelude_Node" (
+  "_message_ident" bigint(20)  NOT NULL,
+  "_parent_type" varchar(255) NOT NULL,
+  "_parent0_index" smallint(6) NOT NULL,
+  "ident" varchar(255) DEFAULT NULL,
+  "category" varchar(255) DEFAULT NULL,
+  "location" varchar(255) DEFAULT NULL,
+  "name" varchar(255) DEFAULT NULL,
+  PRIMARY KEY ("_parent_type","_message_ident","_parent0_index")
+);
+
+
+
+CREATE TABLE "Prelude_OverflowAlert" (
+  "_message_ident" bigint(20)  NOT NULL,
+  "program" varchar(255) NOT NULL,
+  "size" int(10)  DEFAULT NULL,
+  "buffer" blob,
+  PRIMARY KEY ("_message_ident")
+);
+
+
+
+CREATE TABLE "Prelude_Process" (
+  "_message_ident" bigint(20)  NOT NULL,
+  "_parent_type" varchar(255) NOT NULL,
+  "_parent0_index" smallint(6) NOT NULL,
+  "ident" varchar(255) DEFAULT NULL,
+  "name" varchar(255) NOT NULL,
+  "pid" int(10)  DEFAULT NULL,
+  "path" varchar(255) DEFAULT NULL,
+  PRIMARY KEY ("_parent_type","_message_ident","_parent0_index")
+);
+
+
+
+CREATE TABLE "Prelude_ProcessArg" (
+  "_message_ident" bigint(20)  NOT NULL,
+  "_parent_type" varchar(255) NOT NULL DEFAULT 'A',
+  "_parent0_index" smallint(6) NOT NULL,
+  "_index" tinyint(4) NOT NULL,
+  "arg" varchar(255) NOT NULL,
+  PRIMARY KEY ("_parent_type","_message_ident","_parent0_index","_index")
+);
+
+
+
+CREATE TABLE "Prelude_ProcessEnv" (
+  "_message_ident" bigint(20)  NOT NULL,
+  "_parent_type" varchar(255) NOT NULL,
+  "_parent0_index" smallint(6) NOT NULL,
+  "_index" tinyint(4) NOT NULL,
+  "env" varchar(255) NOT NULL,
+  PRIMARY KEY ("_parent_type","_message_ident","_parent0_index","_index")
+);
+
+
+
+CREATE TABLE "Prelude_Reference" (
+  "_message_ident" bigint(20)  NOT NULL,
+  "_index" tinyint(4) NOT NULL,
+  "origin" varchar(255) NOT NULL,
+  "name" varchar(255) NOT NULL,
+  "url" varchar(255) NOT NULL,
+  "meaning" varchar(255) DEFAULT NULL,
+  PRIMARY KEY ("_message_ident","_index")
+);
+
+
+
+CREATE TABLE "Prelude_Service" (
+  "_message_ident" bigint(20)  NOT NULL,
+  "_parent_type" varchar(255) DEFAULT NULL,
+  "_parent0_index" smallint(6) DEFAULT NULL,
+  "ident" varchar(255) DEFAULT NULL,
+  "ip_version" tinyint(3)  DEFAULT NULL,
+  "name" varchar(255) DEFAULT NULL,
+  "port" smallint(5)  DEFAULT NULL,
+  "iana_protocol_number" tinyint(3)  DEFAULT NULL,
+  "iana_protocol_name" varchar(255) DEFAULT NULL,
+  "portlist" varchar(255) DEFAULT NULL,
+  "protocol" varchar(255) DEFAULT NULL,
+  PRIMARY KEY ("_parent_type","_message_ident","_parent0_index")
+);
+
+
+
+CREATE TABLE "Prelude_SnmpService" (
+  "_message_ident" bigint(20)  NOT NULL,
+  "_parent_type" varchar(255) NOT NULL,
+  "_parent0_index" smallint(6) NOT NULL,
+  "snmp_oid" varchar(255) DEFAULT NULL,
+  "message_processing_model" int(10)  DEFAULT NULL,
+  "security_model" int(10)  DEFAULT NULL,
+  "security_name" varchar(255) DEFAULT NULL,
+  "security_level" int(10)  DEFAULT NULL,
+  "context_name" varchar(255) DEFAULT NULL,
+  "context_engine_id" varchar(255) DEFAULT NULL,
+  "command" varchar(255) DEFAULT NULL,
+  PRIMARY KEY ("_parent_type","_message_ident","_parent0_index")
+);
+
+
+
+CREATE TABLE "Prelude_Source" (
+  "_message_ident" bigint(20)  NOT NULL,
+  "_index" smallint(6) NOT NULL,
+  "ident" varchar(255) DEFAULT NULL,
+  "spoofed" varchar(255) NOT NULL,
+  "interface" varchar(255) DEFAULT NULL,
+  PRIMARY KEY ("_message_ident","_index")
+);
+
+
+
+CREATE TABLE "Prelude_Target" (
+  "_message_ident" bigint(20)  NOT NULL,
+  "_index" smallint(6) NOT NULL,
+  "ident" varchar(255) DEFAULT NULL,
+  "decoy" varchar(255) NOT NULL,
+  "interface" varchar(255) DEFAULT NULL,
+  PRIMARY KEY ("_message_ident","_index")
+);
+
+
+
+CREATE TABLE "Prelude_ToolAlert" (
+  "_message_ident" bigint(20)  NOT NULL,
+  "name" varchar(255) NOT NULL,
+  "command" varchar(255) DEFAULT NULL,
+  PRIMARY KEY ("_message_ident")
+);
+
+
+
+CREATE TABLE "Prelude_User" (
+  "_message_ident" bigint(20)  NOT NULL,
+  "_parent_type" varchar(255) NOT NULL,
+  "_parent0_index" smallint(6) NOT NULL,
+  "ident" varchar(255) DEFAULT NULL,
+  "category" varchar(255) NOT NULL,
+  PRIMARY KEY ("_parent_type","_message_ident","_parent0_index")
+);
+
+
+
+CREATE TABLE "Prelude_UserId" (
+  "_message_ident" bigint(20)  NOT NULL,
+  "_parent_type" varchar(255) NOT NULL,
+  "_parent0_index" smallint(6) NOT NULL,
+  "_parent1_index" tinyint(4) NOT NULL,
+  "_parent2_index" tinyint(4) NOT NULL,
+  "_index" tinyint(4) NOT NULL,
+  "ident" varchar(255) DEFAULT NULL,
+  "type" varchar(255) NOT NULL,
+  "name" varchar(255) DEFAULT NULL,
+  "tty" varchar(255) DEFAULT NULL,
+  "number" int(10)  DEFAULT NULL,
+  PRIMARY KEY ("_parent_type","_message_ident","_parent0_index","_parent1_index","_parent2_index","_index")
+);
+
+
+
+CREATE TABLE "Prelude_WebService" (
+  "_message_ident" bigint(20)  NOT NULL,
+  "_parent_type" varchar(255) NOT NULL,
+  "_parent0_index" smallint(6) NOT NULL,
+  "url" varchar(255) NOT NULL,
+  "cgi" varchar(255) DEFAULT NULL,
+  "http_method" varchar(255) DEFAULT NULL,
+  PRIMARY KEY ("_parent_type","_message_ident","_parent0_index")
+);
+
+
+
+CREATE TABLE "Prelude_WebServiceArg" (
+  "_message_ident" bigint(20)  NOT NULL,
+  "_parent_type" varchar(255) NOT NULL,
+  "_parent0_index" smallint(6) NOT NULL,
+  "_index" tinyint(4) NOT NULL,
+  "arg" varchar(255) NOT NULL,
+  PRIMARY KEY ("_parent_type","_message_ident","_parent0_index","_index")
+);
+
+
+
+CREATE TABLE "_format" (
+  "name" varchar(255) NOT NULL,
+  "version" varchar(255) NOT NULL
+);
+

data/test/helper.rb

@@ -0,0 +1,50 @@
+require 'rubygems'
+require 'sqlite3'
+
+TEST_DIR = File.dirname(File.expand_path(__FILE__))
+LIB_DIR = File.expand_path(File.join File.dirname(__FILE__),"..","lib") #File.join File.dirname(__FILE__),"..","lib"
+begin
+  require 'simplecov'
+  SimpleCov.add_group 'Core', "./lib/evasion-db"
+  SimpleCov.add_group 'Knowledge', "./lib/evasion-db/knowledge/*"
+  SimpleCov.add_group 'Fetchers', "./lib/evasion-db/idmef-fetchers/*"
+  SimpleCov.add_group 'Recorders', "./lib/evasion-db/recorders/*"
+
+  SimpleCov.add_filter "./lib/db/*"
+  SimpleCov.start
+rescue
+  # do nothing
+  puts "Coverage not possible:#{$!.message}"
+end
+require 'test/unit'
+require "#{LIB_DIR}/fidius-evasiondb"
+require "#{LIB_DIR}/db/db-install"
+require "#{TEST_DIR}/preludedb_helper.rb"
+
+module FIDIUS
+  module EvasionDB
+    
+    def self.prepare_tests
+      $config_file = File.join(TEST_DIR, 'config', 'database.yml')
+      $yml_config = YAML.load(File.read($config_file))
+      self.prepare_test_db
+      FIDIUS::EvasionDB.config($config_file)
+      self.fill_db_with_values
+    end
+
+    def self.prepare_test_db
+      File.delete($yml_config["evasion_db"]["database"]) if File.exists?($yml_config["evasion_db"]["database"])
+      db_config_path = File.join(TEST_DIR, 'config')
+      migrations_path = File.join(LIB_DIR, 'db', 'migrations')
+      #delete and migrate new test db
+      migrate(migrations_path, db_config_path)
+    end
+
+
+    def self.fill_db_with_values
+      # fill db with example values (use previous tests?)
+    end
+  end
+end
+include FIDIUS::EvasionDB
+FIDIUS::EvasionDB.prepare_tests

data/test/preludedb_helper.rb

@@ -0,0 +1,70 @@
+module PreludeDBHelper
+  def self.setup_prelude_db(config)
+    File.delete(config["database"]) if File.exists?(config["database"])
+    FIDIUS::PreludeDB::Connection.establish_connection config
+    sql = File.read(File.join(TEST_DIR,"config","prelude.sql"))
+    sql.split(';').each do |sql_statement|
+      sql_statement = sql_statement.lstrip
+      if sql_statement != ""
+        FIDIUS::PreludeDB::Connection.connection.execute sql_statement
+      end
+    end
+  end
+
+  def self.insert_event(ident,text,analyzer)
+      a = FIDIUS::PreludeDB::Alert.new
+      a.messageid = "00042a60-1fd5-11df-ad31"
+      a._ident=ident
+      a.save
+      c = FIDIUS::PreludeDB::Classification.new
+      c.text = text
+      c._message_ident = ident
+      c.save
+
+      a = FIDIUS::PreludeDB::Address.new
+      a.category = "ipv4-addr"
+      a._parent0_index = 1
+      a._index = 1
+      a._message_ident = ident
+      a._parent_type = "T"
+      a.address = "127.0.0.1"
+      a.save      
+      a = FIDIUS::PreludeDB::Address.new
+      a.category = "ipv4-addr"
+      a._parent0_index = 1
+      a._index = 1
+      a._message_ident = ident
+      a._parent_type = "S"
+      a.address = "127.0.0.1"
+      a.save      
+
+      i = FIDIUS::PreludeDB::Impact.new
+      i._message_ident = ident
+      i.severity = "high"
+      i.save
+
+      a = FIDIUS::PreludeDB::Analyzer.new
+      a._message_ident = ident
+      a.model = analyzer
+      a.name = analyzer
+      a.save
+
+      t = FIDIUS::PreludeDB::DetectTime.new
+      t.time = Time.now
+      t._message_ident = ident
+      t.save
+
+      s = FIDIUS::PreludeDB::Service.new
+      s._message_ident = ident
+      s._parent_type = "S"
+      s.port = 445
+      s.save
+
+      s = FIDIUS::PreludeDB::Service.new
+      s._message_ident = ident
+      s._parent_type = "T"
+      s.port = 446
+      s.save
+
+  end
+end

data/test/test_fetchers.rb

@@ -0,0 +1,34 @@
+require 'helper'
+
+class TestFetchers < Test::Unit::TestCase
+  def test_prelude_event_fetcher
+    PreludeDBHelper.setup_prelude_db($yml_config["ids_db"])
+    PreludeDBHelper.insert_event(223,"BadExploit","snort")
+
+    FIDIUS::EvasionDB.use_fetcher "PreludeDB"
+    FIDIUS::EvasionDB::current_fetcher.begin_record
+    FIDIUS::EvasionDB.current_fetcher.local_ip = "127.0.0.1"
+    PreludeDBHelper.insert_event(224,"BadExploit1","snort")
+    PreludeDBHelper.insert_event(225,"BadExploit2","snort")
+    PreludeDBHelper.insert_event(226,"BadExploit3","snort")
+    events = FIDIUS::EvasionDB::current_fetcher.fetch_events
+    assert_equal 4,FIDIUS::PreludeDB::Alert.all.size
+    assert_equal 3, events.size
+  end
+
+  def test_overwrites
+    fetcher = FIDIUS::EvasionDB::Fetcher.new("a") do
+
+    end
+    assert_raises RuntimeError do
+      fetcher.config("a")
+    end
+    assert_raises RuntimeError do
+      fetcher.begin_record
+    end
+    assert_raises RuntimeError do
+      fetcher.fetch_events
+    end
+
+  end
+end

data/test/test_knowledge.rb

@@ -0,0 +1,102 @@
+require_relative 'helper'
+class TestKnowledge < Test::Unit::TestCase
+  include FIDIUS::EvasionDB::Knowledge
+
+  def test_options_hash_finder
+    AttackModule.destroy_all
+    5.times do
+      AttackModule.find_or_create_by_name_and_options("windows-exploit",{:a=>3,:b=>7})
+    end
+    assert_equal 1, AttackModule.all.size
+    assert_equal 2, AttackOption.all.size
+
+    5.times do
+      AttackModule.find_or_create_by_name_and_options("windows-exploit",{:a=>3,:b=>5})
+    end
+    assert_equal 2, AttackModule.all.size
+    assert_equal 4, AttackOption.all.size
+    5.times do
+      AttackModule.find_or_create_by_name_and_options("windows-exploit",{:a=>3,:b=>5,:c=>9})
+    end
+    assert_equal 3, AttackModule.all.size
+    assert_equal 7, AttackOption.all.size
+  end
+
+  def test_idmef_event
+    event_payload = "hallo"
+    event = IdmefEvent.create(:text=>"testexploit",:payload=>event_payload)
+    exploit = AttackModule.create(:name=>"exploit")
+    payload = AttackPayload.create(:name=>"meterpreter")
+    event.attack_module = exploit
+    event.attack_payload = payload
+    event.save
+
+    event = IdmefEvent.find(event.id)
+    assert_equal event_payload.size, event.payload_size
+    assert_equal event_payload, event.payload
+    assert_equal exploit.id, event.attack_module.id
+    assert_equal payload.id, event.attack_payload.id
+    event = IdmefEvent.create(:text=>"testexploit")
+    assert_equal 0, event.payload_size
+  end
+
+  def test_packet
+    payload = "hallo"
+    packet = Packet.create
+    assert_equal [], packet.payload
+    packet = Packet.create(:payload=>payload)
+    assert_equal payload, packet.payload
+  end
+
+  def test_finders
+    payload = "hallo"
+    AttackModule.destroy_all
+    Packet.destroy_all
+    IdmefEvent.destroy_all
+
+    exploit = AttackModule.create(:name=>"exploit")
+    packet = Packet.create(:payload=>payload)
+    event = IdmefEvent.create(:text=>"testexploit",:payload=>payload)
+
+    assert_equal 1,FIDIUS::EvasionDB::Knowledge.get_exploits.size
+    assert_equal packet, FIDIUS::EvasionDB::Knowledge.get_packet(packet.id)
+
+    assert_equal 1, FIDIUS::EvasionDB::Knowledge.get_events.size
+    assert_equal event, FIDIUS::EvasionDB::Knowledge.get_event(event.id)
+    assert_equal packet, FIDIUS::EvasionDB::Knowledge.get_packet(packet.id)
+
+    assert_equal event, FIDIUS::EvasionDB::Knowledge.get_event(event.id)
+    p = FIDIUS::EvasionDB::Knowledge.get_packet_for_event(event.id)
+    assert_equal packet, p[:packet]
+    assert_equal 5, p[:length]
+    assert_equal 0, p[:index]
+  end
+
+  def test_find_events_for_exploit
+    AttackModule.destroy_all
+    Packet.destroy_all
+    IdmefEvent.destroy_all
+    name = "windows/meterpreter/bind_tcp"
+    a = AttackModule.find_or_create_by_name_and_options(name,{"Payload"=>"windows/meterpreter/bind_tcp","RHOST"=>"10.20.20.1"})
+    a.idmef_events << IdmefEvent.create(:text=>"ET EXPLOIT x86 JmpCallAdditive Encoder")
+    a.idmef_events << IdmefEvent.create(:text=>"ET EXPLOIT x86 JmpCallAdditive Encoder")
+    a.idmef_events << IdmefEvent.create(:text=>"COMMUNITY SIP TCP/IP message flooding directed to SIP")
+    a.save
+    assert_equal 3, a.idmef_events.size
+    a = AttackModule.find_or_create_by_name_and_options(name,{"Payload"=>"windows/messagebox","RHOST"=>"10.20.20.1"})
+    a.idmef_events << IdmefEvent.create(:text=>"COMMUNITY SIP TCP/IP message flooding directed to SIP")
+    a.save
+    assert_equal 1, a.idmef_events.size
+
+    events = FIDIUS::EvasionDB::Knowledge.find_events_for_exploit(name)
+    assert_equal 1,events.size
+    assert_equal "COMMUNITY SIP TCP/IP message flooding directed to SIP", events.first.text
+
+    events = FIDIUS::EvasionDB::Knowledge.find_events_for_exploit(name,{},FIDIUS::EvasionDB::Knowledge::MAX_EVENTS)
+    assert_equal 3,events.size
+
+    events = FIDIUS::EvasionDB::Knowledge.find_events_for_exploit(name,{"Payload"=>"windows/messagebox"},FIDIUS::EvasionDB::Knowledge::MAX_EVENTS)
+    assert_equal 1,events.size
+
+  end
+end