MISP-Taxii-Server/tests/yara-test-mechanism.xml

<stix:STIX_Package 
	xmlns:example="http://example.com"
	xmlns:et="http://stix.mitre.org/ExploitTarget-1"
	xmlns:incident="http://stix.mitre.org/Incident-1"
	xmlns:indicator="http://stix.mitre.org/Indicator-2"
	xmlns:ttp="http://stix.mitre.org/TTP-1"
	xmlns:stixCommon="http://stix.mitre.org/common-1"
	xmlns:stixVocabs="http://stix.mitre.org/default_vocabularies-1"
	xmlns:yaraTM="http://stix.mitre.org/extensions/TestMechanism#YARA-1"
	xmlns:stix="http://stix.mitre.org/stix-1"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:schemaLocation="
	http://stix.mitre.org/ExploitTarget-1 http://stix.mitre.org/XMLSchema/exploit_target/1.2/exploit_target.xsd
	http://stix.mitre.org/Incident-1 http://stix.mitre.org/XMLSchema/incident/1.2/incident.xsd
	http://stix.mitre.org/Indicator-2 http://stix.mitre.org/XMLSchema/indicator/2.2/indicator.xsd
	http://stix.mitre.org/TTP-1 http://stix.mitre.org/XMLSchema/ttp/1.2/ttp.xsd
	http://stix.mitre.org/common-1 http://stix.mitre.org/XMLSchema/common/1.2/stix_common.xsd
	http://stix.mitre.org/default_vocabularies-1 http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd
	http://stix.mitre.org/extensions/TestMechanism#YARA-1 http://stix.mitre.org/XMLSchema/extensions/test_mechanism/yara/1.1.1/yara_test_mechanism.xsd

	http://stix.mitre.org/stix-1 http://stix.mitre.org/XMLSchema/core/1.2/stix_core.xsd" id="example:Package-ea99d4d4-1ae7-4120-9ebe-67ed4783fb36" version="1.2">
    <stix:Indicators>
        <stix:Indicator id="example:indicator-567b201c-4fd5-4bde-a5db-42abc340807a" timestamp="2014-06-20T15:16:56.987616+00:00" xsi:type='indicator:IndicatorType' negate="false" version="2.1.1">
            <indicator:Title>silent_banker</indicator:Title>
            <indicator:Description>This is just an example.</indicator:Description>
            <indicator:Test_Mechanisms>
                <indicator:Test_Mechanism id="example:testmechanism-a1475567-50f7-4dae-b0d0-47c7ea8e79e1" xsi:type='yaraTM:YaraTestMechanismType'>
                    <indicator:Producer>
                        <stixCommon:Identity id="example:Identity-a0740d84-9fcd-44af-9033-94e76a53201e">
                            <stixCommon:Name>Yara</stixCommon:Name>
                        </stixCommon:Identity>
                        <stixCommon:References>
                            <stixCommon:Reference>http://plusvic.github.io/yara/</stixCommon:Reference>
                        </stixCommon:References>
                    </indicator:Producer>
                    <yaraTM:Rule><![CDATA[
rule silent_banker : banker
{
    meta:
        description = "This is just an example"
        thread_level = 3
        in_the_wild = true

    strings:
        $a = {6A 40 68 00 30 00 00 6A 14 8D 91}
        $b = {8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9}
        $c = "UVODFRYSIHLNWPEJXQZAKCBGMT"

    condition:
        $a or $b or $c
}
]]></yaraTM:Rule>
                </indicator:Test_Mechanism>
            </indicator:Test_Mechanisms>
        </stix:Indicator>
    </stix:Indicators>
</stix:STIX_Package>
Added tests and a travis build 2016-11-18 14:51:01 +01:00			`<stix:STIX_Package`
			`xmlns:example="http://example.com"`
			`xmlns:et="http://stix.mitre.org/ExploitTarget-1"`
			`xmlns:incident="http://stix.mitre.org/Incident-1"`
			`xmlns:indicator="http://stix.mitre.org/Indicator-2"`
			`xmlns:ttp="http://stix.mitre.org/TTP-1"`
			`xmlns:stixCommon="http://stix.mitre.org/common-1"`
			`xmlns:stixVocabs="http://stix.mitre.org/default_vocabularies-1"`
			`xmlns:yaraTM="http://stix.mitre.org/extensions/TestMechanism#YARA-1"`
			`xmlns:stix="http://stix.mitre.org/stix-1"`
			`xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"`
			`xsi:schemaLocation="`
			`http://stix.mitre.org/ExploitTarget-1 http://stix.mitre.org/XMLSchema/exploit_target/1.2/exploit_target.xsd`
			`http://stix.mitre.org/Incident-1 http://stix.mitre.org/XMLSchema/incident/1.2/incident.xsd`
			`http://stix.mitre.org/Indicator-2 http://stix.mitre.org/XMLSchema/indicator/2.2/indicator.xsd`
			`http://stix.mitre.org/TTP-1 http://stix.mitre.org/XMLSchema/ttp/1.2/ttp.xsd`
			`http://stix.mitre.org/common-1 http://stix.mitre.org/XMLSchema/common/1.2/stix_common.xsd`
			`http://stix.mitre.org/default_vocabularies-1 http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd`
			`http://stix.mitre.org/extensions/TestMechanism#YARA-1 http://stix.mitre.org/XMLSchema/extensions/test_mechanism/yara/1.1.1/yara_test_mechanism.xsd`

			`http://stix.mitre.org/stix-1 http://stix.mitre.org/XMLSchema/core/1.2/stix_core.xsd" id="example:Package-ea99d4d4-1ae7-4120-9ebe-67ed4783fb36" version="1.2">`
			`<stix:Indicators>`
			`<stix:Indicator id="example:indicator-567b201c-4fd5-4bde-a5db-42abc340807a" timestamp="2014-06-20T15:16:56.987616+00:00" xsi:type='indicator:IndicatorType' negate="false" version="2.1.1">`
			`<indicator:Title>silent_banker</indicator:Title>`
			`<indicator:Description>This is just an example.</indicator:Description>`
			`<indicator:Test_Mechanisms>`
			`<indicator:Test_Mechanism id="example:testmechanism-a1475567-50f7-4dae-b0d0-47c7ea8e79e1" xsi:type='yaraTM:YaraTestMechanismType'>`
			`<indicator:Producer>`
			`<stixCommon:Identity id="example:Identity-a0740d84-9fcd-44af-9033-94e76a53201e">`
			`<stixCommon:Name>Yara</stixCommon:Name>`
			`</stixCommon:Identity>`
			`<stixCommon:References>`
			`<stixCommon:Reference>http://plusvic.github.io/yara/</stixCommon:Reference>`
			`</stixCommon:References>`
			`</indicator:Producer>`
			`<yaraTM:Rule><![CDATA[`
			`rule silent_banker : banker`
			`{`
			`meta:`
			`description = "This is just an example"`
			`thread_level = 3`
			`in_the_wild = true`

			`strings:`
			`$a = {6A 40 68 00 30 00 00 6A 14 8D 91}`
			`$b = {8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9}`
			`$c = "UVODFRYSIHLNWPEJXQZAKCBGMT"`

			`condition:`
			`$a or $b or $c`
			`}`
			`]]></yaraTM:Rule>`
			`</indicator:Test_Mechanism>`
			`</indicator:Test_Mechanisms>`
			`</stix:Indicator>`
			`</stix:Indicators>`
Squashed commit of the following: commit 3389560fe994c7c17d678c695128fe90824634d6 Author: Hannah Ward <Hannah.ward9001@gmail.com> Date: Sat Nov 19 15:38:11 2016 +0000 Removed unicode things commit 060f94f565caad28ea66b9a3826b84476dac8b92 Author: Hannah Ward <Hannah.ward9001@gmail.com> Date: Fri Nov 18 16:10:28 2016 +0000 Apparently output goes to stderr? commit b41109dd9e2d8df943e40a46153bc8c4e5bd971b Author: Hannah Ward <Hannah.ward9001@gmail.com> Date: Fri Nov 18 16:01:39 2016 +0000 127 not localhost? commit 77c45273b0755c2c16e85936ca2b76b249cc95d9 Author: Hannah Ward <Hannah.ward9001@gmail.com> Date: Fri Nov 18 15:54:12 2016 +0000 Allow server time to start up commit ee06ff076542d269468db5cc7cd2f9f157af16eb Author: Hannah Ward <Hannah.ward9001@gmail.com> Date: Fri Nov 18 15:48:38 2016 +0000 sudo sudo commit 9f0f31c0234a3c226e7d8ecdd7d9f95afcc77f60 Author: Hannah Ward <Hannah.ward9001@gmail.com> Date: Fri Nov 18 15:47:45 2016 +0000 Move sql install to before_install commit 51b49dc1760643efe3a01756cfdca7fdb335be8e Author: Hannah Ward <Hannah.ward9001@gmail.com> Date: Fri Nov 18 15:46:02 2016 +0000 Fixed a typo commit 2b90620b4cb0d319dfebe8415d7a4fd0e75f2bf3 Author: Hannah Ward <Hannah.ward9001@gmail.com> Date: Fri Nov 18 15:45:10 2016 +0000 Mysql pls commit 7f4e2b9f6213dd0a39ef38754c3aa6b19a2432aa Author: Hannah Ward <Hannah.ward9001@gmail.com> Date: Fri Nov 18 15:42:32 2016 +0000 Switch to trusty travis commit 64e39b798347740cd4700f6a2ac0dd9589a87ac1 Author: Hannah Ward <Hannah.ward9001@gmail.com> Date: Fri Nov 18 15:35:31 2016 +0000 Switch to trusty travis commit 44685648608a04cba1b933479654159d4bf804ac Author: Hannah Ward <Hannah.ward9001@gmail.com> Date: Fri Nov 18 15:30:30 2016 +0000 Stop being a tard commit 0a9f534fa71bce3625c39f6cb28c294a57406806 Author: Hannah Ward <Hannah.ward9001@gmail.com> Date: Fri Nov 18 15:28:04 2016 +0000 Check mysql version commit 887a6d82a7f8fc243f8d0740e97fbf85cb3c3c29 Author: Hannah Ward <Hannah.ward9001@gmail.com> Date: Fri Nov 18 15:17:26 2016 +0000 Print a bit of debug info 2016-11-19 16:42:54 +01:00			`</stix:STIX_Package>`