[ 
https://issues.apache.org/jira/browse/DRILL-7484?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16996761#comment-16996761
 ] 

ASF GitHub Bot commented on DRILL-7484:
---------------------------------------

cgivre commented on pull request #1934: DRILL-7484: Malware found in the Drill 
test folder
URL: https://github.com/apache/drill/pull/1934#discussion_r357983929
 
 

 ##########
 File path: 
exec/java-exec/src/test/java/org/apache/drill/exec/store/pcap/TestSessionizePCAP.java
 ##########
 @@ -47,61 +55,129 @@ public static void setup() throws Exception {
 
   @Test
   public void testSessionizedStarQuery() throws Exception {
-    String sql = "SELECT * FROM cp.`/store/pcap/attack-trace.pcap` WHERE 
src_port=1821 AND dst_port=445";
-
-    testBuilder()
-      .sqlQuery(sql)
-      .ordered()
-      .baselineColumns("session_start_time", "session_end_time", 
"session_duration", "total_packet_count", "connection_time", "src_ip", 
"dst_ip", "src_port", "dst_port",
-        "src_mac_address", "dst_mac_address", "tcp_session", "is_corrupt", 
"data_from_originator", "data_from_remote", "data_volume_from_origin",
-        "data_volume_from_remote", "packet_count_from_origin", 
"packet_count_from_remote")
-      .baselineValues(LocalDateTime.parse("2009-04-20T03:28:28.374", 
formatter),
-        LocalDateTime.parse("2009-04-20T03:28:28.508", formatter),
-        Period.parse("PT0.134S"), 4,
-        Period.parse("PT0.119S"),
-        "98.114.205.102",
-        "192.150.11.111",
-        1821, 445,
-        "00:08:E2:3B:56:01",
-        "00:30:48:62:4E:4A",
-        -8791568836279708938L,
-        false,
-        "........I....>...>..........Ib...<...<..........I....>...>", "", 
62,0, 3, 1)
-      .go();
+    String sql = "SELECT * FROM cp.`/store/pcap/http.pcap`";
+    String dataFromRemote = 
readAFileIntoString(dirTestWatcher.getRootDir().getAbsolutePath() + 
"/store/pcap/dataFromRemote.txt");
+
+    QueryBuilder q = client.queryBuilder().sql(sql);
+    RowSet results = q.rowSet();
+
+    TupleMetadata expectedSchema = new SchemaBuilder()
+      .addNullable("src_ip", TypeProtos.MinorType.VARCHAR)
+      .addNullable("dst_ip", TypeProtos.MinorType.VARCHAR)
+      .addNullable("src_port", TypeProtos.MinorType.INT)
+      .addNullable("dst_port", TypeProtos.MinorType.INT)
+      .addNullable("src_mac_address", TypeProtos.MinorType.VARCHAR)
+      .addNullable("dst_mac_address", TypeProtos.MinorType.VARCHAR)
+      .addNullable("session_start_time", TypeProtos.MinorType.TIMESTAMP)
+      .addNullable("session_end_time", TypeProtos.MinorType.TIMESTAMP)
+      .addNullable("session_duration", TypeProtos.MinorType.INTERVAL)
+      .addNullable("total_packet_count", TypeProtos.MinorType.INT)
+      .addNullable("data_volume_from_origin", TypeProtos.MinorType.INT)
+      .addNullable("data_volume_from_remote", TypeProtos.MinorType.INT)
+      .addNullable("packet_count_from_origin", TypeProtos.MinorType.INT)
+      .addNullable("packet_count_from_remote", TypeProtos.MinorType.INT)
+      .addNullable("connection_time", TypeProtos.MinorType.INTERVAL)
+      .addNullable("tcp_session", TypeProtos.MinorType.BIGINT)
+      .addNullable("is_corrupt", TypeProtos.MinorType.BIT)
+      .addNullable("data_from_originator", TypeProtos.MinorType.VARCHAR)
+      .addNullable("data_from_remote", TypeProtos.MinorType.VARCHAR)
+      .buildSchema();
+
+    RowSet expected = new RowSetBuilder(client.allocator(), expectedSchema)
+      .addRow(
+        "145.254.160.237",
+        "65.208.228.223",
+        3372, 80,
+        "00:00:01:00:00:00",
+        "FE:FF:20:00:01:00",
+        1084443427311L,
+        1084443445216L,
+        Period.parse("PT17.905S"), 31,
+        437,18000,14, 17,
+        Period.parse("PT0.911S"),
+        -789689725566200012L, false,
+        "r-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6) 
Gecko/20040113..Accept: 
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,image/jpeg,image/gif;q=0.2,*/*;q=0.1..Accept-Language:
 en-us,en;q=0.5..Accept-Encoding: gzip,deflate..Accept-Charset: 
ISO-8859-1,utf-8;q=0.7,*;q=0.7..Keep-Alive: 300..Connection: 
keep-alive..Referer: http://www.ethereal.com/[email protected]";,
+        dataFromRemote
+        )
+      .build();
+
+    new RowSetComparison(expected).verifyAndClearAll(results);
   }
 
   @Test
   public void testSessionizedSpecificQuery() throws Exception {
-    String sql = "SELECT session_start_time, 
session_end_time,session_duration, total_packet_count, connection_time, src_ip, 
dst_ip, src_port, dst_port, src_mac_address, dst_mac_address, tcp_session, " +
-      "is_corrupt, data_from_originator, data_from_remote, 
data_volume_from_origin, data_volume_from_remote, packet_count_from_origin, 
packet_count_from_remote " +
-      "FROM cp.`/store/pcap/attack-trace.pcap` WHERE src_port=1821 AND 
dst_port=445";
-
-    testBuilder()
-      .sqlQuery(sql)
-      .ordered()
-      .baselineColumns("session_start_time", "session_end_time", 
"session_duration", "total_packet_count", "connection_time", "src_ip", 
"dst_ip", "src_port", "dst_port",
-        "src_mac_address", "dst_mac_address", "tcp_session", "is_corrupt", 
"data_from_originator", "data_from_remote", "data_volume_from_origin",
-        "data_volume_from_remote", "packet_count_from_origin", 
"packet_count_from_remote")
-      .baselineValues(LocalDateTime.parse("2009-04-20T03:28:28.374", 
formatter),
-        LocalDateTime.parse("2009-04-20T03:28:28.508", formatter),
-        Period.parse("PT0.134S"), 4,
-        Period.parse("PT0.119S"),
-        "98.114.205.102",
-        "192.150.11.111",
-        1821, 445,
-        "00:08:E2:3B:56:01",
-        "00:30:48:62:4E:4A",
-        -8791568836279708938L,
-        false,
-        "........I....>...>..........Ib...<...<..........I....>...>", "", 
62,0, 3, 1)
-      .go();
+    String sql = "SELECT src_ip, dst_ip, src_port, dst_port, src_mac_address, 
dst_mac_address," +
+      "session_start_time, session_end_time, session_duration, 
total_packet_count, data_volume_from_origin, data_volume_from_remote," +
+      "packet_count_from_origin, packet_count_from_remote, connection_time, 
tcp_session, is_corrupt, data_from_originator, data_from_remote " +
+      "FROM cp.`/store/pcap/http.pcap`";
+
+    String dataFromRemote = 
readAFileIntoString(dirTestWatcher.getRootDir().getAbsolutePath() + 
"/store/pcap/dataFromRemote.txt");
+
+    QueryBuilder q = client.queryBuilder().sql(sql);
+    RowSet results = q.rowSet();
+
+    TupleMetadata expectedSchema = new SchemaBuilder()
+      .addNullable("src_ip", TypeProtos.MinorType.VARCHAR)
+      .addNullable("dst_ip", TypeProtos.MinorType.VARCHAR)
+      .addNullable("src_port", TypeProtos.MinorType.INT)
+      .addNullable("dst_port", TypeProtos.MinorType.INT)
+      .addNullable("src_mac_address", TypeProtos.MinorType.VARCHAR)
+      .addNullable("dst_mac_address", TypeProtos.MinorType.VARCHAR)
+      .addNullable("session_start_time", TypeProtos.MinorType.TIMESTAMP)
+      .addNullable("session_end_time", TypeProtos.MinorType.TIMESTAMP)
+      .addNullable("session_duration", TypeProtos.MinorType.INTERVAL)
+      .addNullable("total_packet_count", TypeProtos.MinorType.INT)
+      .addNullable("data_volume_from_origin", TypeProtos.MinorType.INT)
+      .addNullable("data_volume_from_remote", TypeProtos.MinorType.INT)
+      .addNullable("packet_count_from_origin", TypeProtos.MinorType.INT)
+      .addNullable("packet_count_from_remote", TypeProtos.MinorType.INT)
+      .addNullable("connection_time", TypeProtos.MinorType.INTERVAL)
+      .addNullable("tcp_session", TypeProtos.MinorType.BIGINT)
+      .addNullable("is_corrupt", TypeProtos.MinorType.BIT)
+      .addNullable("data_from_originator", TypeProtos.MinorType.VARCHAR)
+      .addNullable("data_from_remote", TypeProtos.MinorType.VARCHAR)
+      .buildSchema();
+
+    RowSet expected = new RowSetBuilder(client.allocator(), expectedSchema)
+      .addRow(
+        "145.254.160.237",
+        "65.208.228.223",
+        3372, 80,
+        "00:00:01:00:00:00",
+        "FE:FF:20:00:01:00",
+        1084443427311L,
+        1084443445216L,
+        Period.parse("PT17.905S"), 31,
+        437,18000,14, 17,
+        Period.parse("PT0.911S"),
+        -789689725566200012L, false,
+        "r-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6) 
Gecko/20040113..Accept: 
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,image/jpeg,image/gif;q=0.2,*/*;q=0.1..Accept-Language:
 en-us,en;q=0.5..Accept-Encoding: gzip,deflate..Accept-Charset: 
ISO-8859-1,utf-8;q=0.7,*;q=0.7..Keep-Alive: 300..Connection: 
keep-alive..Referer: http://www.ethereal.com/[email protected]";,
+        dataFromRemote
+      )
+      .build();
+
+    new RowSetComparison(expected).verifyAndClearAll(results);
   }
 
   @Test
   public void testSerDe() throws Exception {
-    String sql = "SELECT COUNT(*) FROM cp.`/store/pcap/attack-trace.pcap`";
+    String sql = "SELECT COUNT(*) FROM cp.`/store/pcap/http.pcap`";
     String plan = queryBuilder().sql(sql).explainJson();
     long cnt = queryBuilder().physical(plan).singletonLong();
-    assertEquals("Counts should match", 5L, cnt);
+    assertEquals("Counts should match", 1L, cnt);
+  }
+
+
+  private static String readAFileIntoString(String filePath)
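Review bot: Nothing in the rewritten tests records why the capture fixture changed, so a later contributor could add back a capture that carries exploit payloads; a comment above the query in testSessionizedStarQuery, e.g. `// http.pcap replaces attack-trace.pcap, which antivirus scanners flagged (DRILL-7484); keep capture fixtures free of exploit payloads`, would keep that reason next to the code. The expected schema and expected row are also written out twice, identically, in testSessionizedStarQuery and testSessionizedSpecificQuery, so a future fixture change has to be made in two places; a private helper that builds the expected RowSet would remove the duplication. readAFileIntoString begins on the last line of this hunk and its body is outside it, so it is not reviewed here.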
 
 Review comment:
   Cleaned up this function.
 


> Malware found with some antiviruses in the Drill test resources folder
> ----------------------------------------------------------------------
>
>                 Key: DRILL-7484
>                 URL: https://issues.apache.org/jira/browse/DRILL-7484
>             Project: Apache Drill
>          Issue Type: Bug
>    Affects Versions: 1.17.0
>            Reporter: Denys Ordynskiy
>            Assignee: Charles Givre
>            Priority: Blocker
>             Fix For: 1.17.0
>
>         Attachments: photo_2019-12-11_17-07-45.jpg
>
>
> Avast antivirus found Threat "MPPT97:ShellCode-O [Expl]" in the Apache Drill 
> sources.
> File with virus alert:
> https://github.com/apache/drill/commits/master/exec/java-exec/src/test/resources/store/pcap/attack-trace.pcap
> OS Windows 10.
> Free Avast antivirus v. 19.8.2393 (build 19.8.4793.544)
> Steps to reproduce:
> Download archive with Drill sources from GitHub
> - open Chrome browser;
> - go to https://github.com/apache/drill link;
> - open the "Clone or download" menu;
> - click the "Download ZIP" button and save archive on a disk.
> *Expected result* - archive successfully downloaded.
> *Actual result* - Chrome browser canceled the download and deleted the Drill 
> sources archive from the disk. Avast showed an alert window with the virus 
> description. Screenshot is in the attachments.
> Clone Drill sources from GitHub using git console version
> - open CMD;
> - type "git clone https://github.com/apache/drill.git";
> - scan the cloned Drill sources folder using Avast antivirus.
> *Expected result* - Viruses were absent.
> *Actual result* - Avast showed an alert window with virus description.
> Here is the link with report from other antiviruses for this 
> "attack-trace.pcap" file:
> https://r.virscan.org/language/en/report/4df38505462d3afedbbbff3d9217063d


