#!/bin/bash # Smoke test for zircolite: fetch sample EVTX, run, check outputs, print stats. # # Available SUBSET values (under test-data/sample-evtx/): # DeepBlueCLI 21 files, ~30s — well-known PowerShell + auth attacks # YamatoSecurity 16 files, ~20s — Yamato Security's own samples # EVTX-ATTACK-SAMPLES 278 files, ~5min — sbousseaden's MITRE-mapped corpus # EVTX-to-MITRE-Attack 284 files, ~5min — mdecrevoisier's MITRE-mapped corpus # "" 599 files, ~10min — full bundle # # Env vars: TAG=ls-zircolite:test SUBSET=DeepBlueCLI KEEP_DATA=1 set -u TAG="${TAG:-ls-zircolite:test}" SUBSET="${SUBSET:-DeepBlueCLI}" KEEP_DATA="${KEEP_DATA:-0}" cd "$(dirname "$0")" ROOT="$(pwd)" DATA="$ROOT/test-data/sample-evtx" OUT="$(mktemp -d)" trap 'rm -rf "$OUT"; [ "$KEEP_DATA" = 0 ] && rm -rf "$ROOT/test-data"' EXIT pass=0; fail=0 ok() { echo "PASS $1"; pass=$((pass+1)); } bad() { echo "FAIL $1"; fail=$((fail+1)); } if docker image inspect "$TAG" >/dev/null 2>&1; then ok "image $TAG present" else bad "image $TAG not present"; exit 1 fi if [ ! -d "$DATA" ]; then echo "Fetching sample EVTX..." ./fetch-test-data.sh >/dev/null fi SCAN="$DATA/$SUBSET"; [ -z "$SUBSET" ] && SCAN="$DATA" n=$(find "$SCAN" -name "*.evtx" | wc -l | tr -d ' ') [ "$n" -gt 0 ] && ok "found $n EVTX in ${SUBSET:-}" || { bad "no EVTX"; exit 1; } echo "Running scan..." if docker run --rm --network=none -v "$SCAN:/data:ro" -v "$OUT:/output" "$TAG" >"$OUT/.run.log" 2>&1; then ok "container exited cleanly" else bad "container non-zero"; tail -20 "$OUT/.run.log" fi json=$(ls "$OUT"/zircolite_*.json 2>/dev/null | head -1) log=$(ls "$OUT"/zircolite_*.log 2>/dev/null | head -1) [ -s "$json" ] && ok "JSON report exists ($(du -h "$json" | cut -f1))" || bad "JSON missing/empty" [ -s "$log" ] && ok "scan log exists" || bad "log missing" if [ -s "$json" ]; then hits=$(grep -oE '"title"' "$json" | wc -l | tr -d ' ') echo echo "Sigma rule hits: $hits" fi echo echo "Summary: $pass pass, $fail fail" [ "$fail" -eq 0 ]