diff --git a/src/Model/Table/NoticelistsTable.php b/src/Model/Table/NoticelistsTable.php
index bc3c5d45b..90ab2df7f 100644
--- a/src/Model/Table/NoticelistsTable.php
+++ b/src/Model/Table/NoticelistsTable.php
@@ -40,7 +40,7 @@ class NoticelistsTable extends AppTable
 public function update()
 {
- $directories = glob(APP . '..' . DS . 'libraries' . DS . 'misp-noticelist' . DS . 'lists' . DS . '*', GLOB_ONLYDIR);
+ $directories = glob(APP . '..' . DS . 'Libraries' . DS . 'misp-noticelist' . DS . 'lists' . DS . '*', GLOB_ONLYDIR);
 $updated = [];
 foreach ($directories as $dir) {
 $list = FileAccessTool::readJsonFromFile($dir . DS . 'list.json');
diff --git a/src/Model/Table/TaxonomiesTable.php b/src/Model/Table/TaxonomiesTable.php
index c0e111dd4..146129475 100644
--- a/src/Model/Table/TaxonomiesTable.php
+++ b/src/Model/Table/TaxonomiesTable.php
@@ -31,7 +31,7 @@ class TaxonomiesTable extends AppTable
 ]
 );
- $this->taxonomiesPath = Configure::read('MISP.custom_taxonomies_path', APP . '..' . DS . 'libraries' . DS . 'misp-taxonomies' . DS);
+ $this->taxonomiesPath = Configure::read('MISP.custom_taxonomies_path', APP . '..' . DS . 'Libraries' . DS . 'misp-taxonomies' . DS);
 }
 public function validationDefault(Validator $validator): Validator
diff --git a/tests/Files/event.csv b/tests/Files/event.csv
new file mode 100644
index 000000000..7cdefdbde
--- /dev/null
+++ b/tests/Files/event.csv
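Review bot: The `glob()` result in `NoticelistsTable::update()` goes straight into `foreach` with no check, so a missing or wrongly-cased `lists` directory produces a silent no-op update instead of a visible error; `glob()` returns an empty array when nothing matches and `false` on error. A guard such as `if (empty($directories)) { throw new \RuntimeException('misp-noticelist lists directory not found'); }` would make an absent data directory detectable, or a logged warning if callers rely on the return value, which is not visible here. The `'Libraries'` segment is also hard-coded in the `TaxonomiesTable` hunk that follows, so a shared constant for the libraries root would keep the two paths from drifting apart. The body of `update()` continues beyond the hunk.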
@@ -0,0 +1,40 @@ +uuid,event_id,category,type,value,comment,to_ids,date,object_relation,attribute_tag,object_uuid,object_name,object_meta_category +"5488466a-f0d0-4b58-89a5-15bc950d210b",1,"External analysis","link","https://www.f-secure.com/documents/996508/1030745/w32_regin_stage_1.pdf","",0,1418217066,"","","","","" +"548847d8-01e0-4231-a739-15bb950d210b",1,"Payload installation","md5","744c07e886497f7b68f6f7fe57b7ab54","Regin samples collected.",1,1418217432,"","","","","" +"548847d8-05f8-49e7-af79-15bb950d210b",1,"Payload installation","md5","47d0e8f9d7a6429920329207a32ecc2e","Regin samples collected.",1,1418217432,"","","","","" +"548847d8-3fbc-4a06-ba82-15bb950d210b",1,"Payload installation","md5","2c8b9d2885543d7ade3cae98225e263b","Regin samples collected.",1,1418217432,"","","","","" +"548847d8-9db0-4df6-8206-15bb950d210b",1,"Payload installation","md5","26297dc3cd0b688de3b846983c5385e5","Regin samples collected.",1,1418217432,"","","","","" +"548847d8-a33c-41f3-9f7a-15bb950d210b",1,"Payload installation","md5","01c2f321b6bfdb9473c079b0797567ba","Regin samples collected.",1,1418217432,"","","","","" +"548847d8-c950-48eb-b960-15bb950d210b",1,"Payload installation","md5","4b6b86c7fec1c574706cecedf44abded","Regin samples collected.",1,1418217432,"","","","","" +"548847d9-1404-4331-ae3c-15bb950d210b",1,"Payload installation","md5","90fecc6a89b2e22d82d58878d93477d4","Regin samples collected.",1,1418217433,"","","","","" +"548847d9-39dc-4247-b23d-15bb950d210b",1,"Payload installation","md5","06665b96e293b23acc80451abb413e50","Regin samples collected.",1,1418217433,"","","","","" +"548847d9-3b28-449e-b527-15bb950d210b",1,"Payload installation","md5","e94393561901895cb0783edc34740fd4","Regin samples collected.",1,1418217433,"","","","","" +"548847d9-4020-41da-b5f3-15bb950d210b",1,"Payload installation","md5","db405ad775ac887a337b02ea8b07fddc","Regin samples collected.",1,1418217433,"","","","","" +"548847d9-6340-44a0-8f33-15bb950d210b",1,"Payload 
installation","md5","ffb0b9b5b610191051a7bdf0806e1e47","Regin samples collected.",1,1418217433,"","","","","" +"548847d9-8b18-4654-9766-15bb950d210b",1,"Payload installation","md5","f3ffc2aaaa1e2ab55ec26ff098653347","Regin samples collected.",1,1418217433,"","","","","" +"548847d9-a564-4178-b8e6-15bb950d210b",1,"Payload installation","md5","6662c390b2bbbd291ec7987388fc75d7","Regin samples collected.",1,1418217433,"","","","","" +"548847d9-afe0-4531-a4b0-15bb950d210b",1,"Payload installation","md5","187044596bc1328efa0ed636d8aa4a5c","Regin samples collected.",1,1418217433,"","","","","" +"548847d9-b63c-4c95-a2bd-15bb950d210b",1,"Payload installation","md5","1800def71006ca6790767e202fae9b9a","Regin samples collected.",1,1418217433,"","","","","" +"548847d9-e6fc-4b93-a773-15bb950d210b",1,"Payload installation","md5","bfbe8c3ee78750c3a520480700e440f8","Regin samples collected.",1,1418217433,"","","","","" +"548847d9-fd54-4e49-909b-15bb950d210b",1,"Payload installation","md5","89003e9a1ae635c97ebad07aebc67f00","Regin samples collected.",1,1418217433,"","","","","" +"548847da-1660-4562-a1f8-15bb950d210b",1,"Payload installation","md5","b505d65721bb2453d5039a389113b566","Regin samples collected.",1,1418217434,"","","","","" +"548847da-2134-43d7-ba22-15bb950d210b",1,"Payload installation","md5","8fcf4e53ece6111758a1dd3139dc7cad","Regin samples collected.",1,1418217434,"","","","","" +"548847da-3e40-4ab2-a5eb-15bb950d210b",1,"Payload installation","md5","1c024e599ac055312a4ab75b3950040a","Regin samples collected.",1,1418217434,"","","","","" +"548847da-49c0-404d-ae42-15bb950d210b",1,"Payload installation","md5","d240f06e98c8d3e647cbf4d442d79475","Regin samples collected.",1,1418217434,"","","","","" +"548847da-71ec-4b2b-bae5-15bb950d210b",1,"Payload installation","md5","148c1bb9d405d717252c77593aff4bd8","Regin samples collected.",1,1418217434,"","","","","" +"548847da-9798-4b6d-b422-15bb950d210b",1,"Payload installation","md5","ba7bb65634ce1e30c1e5415be3d1db1d","Regin 
samples collected.",1,1418217434,"","","","","" +"548847da-ac78-474c-86fe-15bb950d210b",1,"Payload installation","md5","b29ca4f22ae7b7b25f79c1d4a421139d","Regin samples collected.",1,1418217434,"","","","","" +"548847da-c2d0-4d24-821e-15bb950d210b",1,"Payload installation","md5","b269894f434657db2b15949641a67532","Regin samples collected.",1,1418217434,"","","","","" +"548847da-ffe4-4a90-9f2a-15bb950d210b",1,"Payload installation","md5","22bfc970f707fd775d49e875b63c2f0c","Regin samples collected.",1,1418217434,"","","","","" +"548847db-060c-4275-a0c7-15bb950d210b",1,"Payload installation","md5","049436bb90f71cf38549817d9b90e2da","Regin samples collected.",1,1418217435,"","","","","" +"54884832-2608-4fe6-959e-1ac6950d210b",1,"Artifacts dropped","filename","ser8uart.sys","",0,1418217522,"","","","","" +"54884832-5134-460e-bea2-1ac6950d210b",1,"Artifacts dropped","filename","atdisk.sys","",0,1418217522,"","","","","" +"54884832-6fb4-4c63-937c-1ac6950d210b",1,"Artifacts dropped","filename","rdpmdd.sys","",0,1418217522,"","","","","" +"54884832-93a4-4fb0-aeba-1ac6950d210b",1,"Artifacts dropped","filename","usbclass.sys","",0,1418217522,"","","","","" +"54884832-983c-4e4c-a692-1ac6950d210b",1,"Artifacts dropped","filename","pcidump.sys","",0,1418217522,"","","","","" +"54884832-f2a8-46ff-be58-1ac6950d210b",1,"Artifacts dropped","filename","abiosdsk.sys","",0,1418217522,"","","","","" +"5488486c-1418-4624-b87c-15ba950d210b",1,"Artifacts dropped","regkey","Class\{4F20E605-9452-4787-B793-D0204917CA58}","",1,1418217580,"","","","","" +"5488486c-47ec-4952-8e60-15ba950d210b",1,"Artifacts dropped","regkey","Class\{9B9A8ADB-8864-4BC4-8AD5-B17DFDBB9F58}","",1,1418217580,"","","","","" +"5488486c-a044-4c31-830c-15ba950d210b",1,"Artifacts dropped","regkey","HKLM\System\CurrentControlSet\Control\","",1,1418217580,"","","","","" +"54884899-35b8-48a3-9da2-15c6950d210b",1,"Other","text","Regin","",0,1418217625,"","","","","" + 
diff --git a/tests/Files/event.json b/tests/Files/event.json
new file mode 100644
index 000000000..f16be2a7a
--- /dev/null
+++ b/tests/Files/event.json
@@ -0,0 +1,1469 @@ +{ + "Event": { + "id": "750", + "orgc_id": "2", + "org_id": "2", + "date": "2014-12-10", + "threat_level_id": "1", + "info": "OSINT - F-Secure W32/Regin, Stage #1", + "published": true, + "uuid": "54884656-2da8-4625-bf07-43ef950d210b", + "attribute_count": "39", + "analysis": "2", + "timestamp": "1418217625", + "distribution": "3", + "proposal_email_lock": false, + "locked": false, + "publish_timestamp": "1418217647", + "sharing_group_id": "0", + "Galaxy": [], + "Org": { + "id": "2", + "name": "CIRCL", + "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" + }, + "Orgc": { + "id": "2", + "name": "CIRCL", + "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" + }, + "Attribute": [ + { + "id": "96642", + "type": "filename", + "category": "Artifacts dropped", + "to_ids": false, + "uuid": "54884832-f2a8-46ff-be58-1ac6950d210b", + "event_id": "750", + "distribution": "3", + "timestamp": "1418217522", + "comment": "", + "sharing_group_id": "0", + "value": "abiosdsk.sys", + "SharingGroup": [], + "ShadowAttribute": [], + "RelatedAttribute": [ + { + "id": "2006", + "org_id": "2", + "info": "OSINT - Regin: Top-tier espionage tool enables stealthy surveillance by Symantec" + } + ] + }, + { + "id": "96643", + "type": "filename", + "category": "Artifacts dropped", + "to_ids": false, + "uuid": "54884832-2608-4fe6-959e-1ac6950d210b", + "event_id": "750", + "distribution": "3", + "timestamp": "1418217522", + "comment": "", + "sharing_group_id": "0", + "value": "ser8uart.sys", + "SharingGroup": [], + "ShadowAttribute": [], + "RelatedAttribute": [ + { + "id": "2006", + "org_id": "2", + "info": "OSINT - Regin: Top-tier espionage tool enables stealthy surveillance by Symantec" + } + ] + }, + { + "id": "96644", + "type": "filename", + "category": "Artifacts dropped", + "to_ids": false, + "uuid": "54884832-93a4-4fb0-aeba-1ac6950d210b", + "event_id": "750", + "distribution": "3", + "timestamp": "1418217522", + "comment": "", + "sharing_group_id": "0", + "value": "usbclass.sys", + 
"SharingGroup": [], + "ShadowAttribute": [], + "RelatedAttribute": [ + { + "id": "2006", + "org_id": "2", + "info": "OSINT - Regin: Top-tier espionage tool enables stealthy surveillance by Symantec" + }, + { + "id": "697", + "org_id": "2", + "info": "OSINT - Regin: Top-tier espionage tool enables stealthy surveillance" + } + ] + }, + { + "id": "96645", + "type": "filename", + "category": "Artifacts dropped", + "to_ids": false, + "uuid": "54884832-983c-4e4c-a692-1ac6950d210b", + "event_id": "750", + "distribution": "3", + "timestamp": "1418217522", + "comment": "", + "sharing_group_id": "0", + "value": "pcidump.sys", + "SharingGroup": [], + "ShadowAttribute": [] + }, + { + "id": "96646", + "type": "filename", + "category": "Artifacts dropped", + "to_ids": false, + "uuid": "54884832-5134-460e-bea2-1ac6950d210b", + "event_id": "750", + "distribution": "3", + "timestamp": "1418217522", + "comment": "", + "sharing_group_id": "0", + "value": "atdisk.sys", + "SharingGroup": [], + "ShadowAttribute": [] + }, + { + "id": "96647", + "type": "filename", + "category": "Artifacts dropped", + "to_ids": false, + "uuid": "54884832-6fb4-4c63-937c-1ac6950d210b", + "event_id": "750", + "distribution": "3", + "timestamp": "1418217522", + "comment": "", + "sharing_group_id": "0", + "value": "rdpmdd.sys", + "SharingGroup": [], + "ShadowAttribute": [] + }, + { + "id": "96648", + "type": "regkey", + "category": "Artifacts dropped", + "to_ids": true, + "uuid": "5488486c-a044-4c31-830c-15ba950d210b", + "event_id": "750", + "distribution": "3", + "timestamp": "1418217580", + "comment": "", + "sharing_group_id": "0", + "value": "HKLM\\System\\CurrentControlSet\\Control\\", + "SharingGroup": [], + "ShadowAttribute": [] + }, + { + "id": "96649", + "type": "regkey", + "category": "Artifacts dropped", + "to_ids": true, + "uuid": "5488486c-47ec-4952-8e60-15ba950d210b", + "event_id": "750", + "distribution": "3", + "timestamp": "1418217580", + "comment": "", + "sharing_group_id": "0", + "value": 
"Class\\{9B9A8ADB-8864-4BC4-8AD5-B17DFDBB9F58}", + "SharingGroup": [], + "ShadowAttribute": [] + }, + { + "id": "96650", + "type": "regkey", + "category": "Artifacts dropped", + "to_ids": true, + "uuid": "5488486c-1418-4624-b87c-15ba950d210b", + "event_id": "750", + "distribution": "3", + "timestamp": "1418217580", + "comment": "", + "sharing_group_id": "0", + "value": "Class\\{4F20E605-9452-4787-B793-D0204917CA58}", + "SharingGroup": [], + "ShadowAttribute": [] + }, + { + "id": "96614", + "type": "link", + "category": "External analysis", + "to_ids": false, + "uuid": "5488466a-f0d0-4b58-89a5-15bc950d210b", + "event_id": "750", + "distribution": "3", + "timestamp": "1418217066", + "comment": "", + "sharing_group_id": "0", + "value": "https://www.f-secure.com/documents/996508/1030745/w32_regin_stage_1.pdf", + "SharingGroup": [], + "ShadowAttribute": [] + }, + { + "id": "96652", + "type": "text", + "category": "Other", + "to_ids": false, + "uuid": "54884899-35b8-48a3-9da2-15c6950d210b", + "event_id": "750", + "distribution": "3", + "timestamp": "1418217625", + "comment": "", + "sharing_group_id": "0", + "value": "Regin", + "SharingGroup": [], + "ShadowAttribute": [], + "RelatedAttribute": [ + { + "id": "2825", + "org_id": "2", + "info": "OSINT: THE REGIN PLATFORM NATION-STATE OWNAGE OF GSM NETWORKS" + }, + { + "id": "2824", + "org_id": "2", + "info": "OSINT: An analysis of Regin’s Hopscotch and Legspin" + }, + { + "id": "2006", + "org_id": "2", + "info": "OSINT - Regin: Top-tier espionage tool enables stealthy surveillance by Symantec" + }, + { + "id": "833", + "org_id": "2", + "info": "OSINT - An analysis of Regin's Hopscotch and Legspin" + }, + { + "id": "759", + "org_id": "26", + "info": "OSINT F-Secure W64/Regin, Stage #1" + }, + { + "id": "730", + "org_id": "26", + "info": "Regin Scanner" + }, + { + "id": "726", + "org_id": "2", + "info": "Regin fake certificates thumbprints" + }, + { + "id": "715", + "org_id": "26", + "info": "OSINT Regin samples shared by 
VirusShare" + }, + { + "id": "714", + "org_id": "3", + "info": "Script to detect Regin VFS" + }, + { + "id": "710", + "org_id": "26", + "info": "Secret Malware in European Union Attack Linked to U.S. and British Intelligence article by the Intercept" + }, + { + "id": "709", + "org_id": "2", + "info": "OSINT - Regin: Nation-state ownage of GSM networks" + }, + { + "id": "700", + "org_id": "2", + "info": "Regin Yara rules" + }, + { + "id": "699", + "org_id": "2", + "info": "OSINT - The Regin Espionage Toolkit" + }, + { + "id": "697", + "org_id": "2", + "info": "OSINT - Regin: Top-tier espionage tool enables stealthy surveillance" + } + ] + }, + { + "id": "96615", + "type": "md5", + "category": "Payload installation", + "to_ids": true, + "uuid": "548847d8-9db0-4df6-8206-15bb950d210b", + "event_id": "750", + "distribution": "3", + "timestamp": "1418217432", + "comment": "Regin samples collected.", + "sharing_group_id": "0", + "value": "26297dc3cd0b688de3b846983c5385e5", + "SharingGroup": [], + "ShadowAttribute": [], + "RelatedAttribute": [ + { + "id": "2825", + "org_id": "2", + "info": "OSINT: THE REGIN PLATFORM NATION-STATE OWNAGE OF GSM NETWORKS" + }, + { + "id": "710", + "org_id": "26", + "info": "Secret Malware in European Union Attack Linked to U.S. 
and British Intelligence article by the Intercept" + }, + { + "id": "709", + "org_id": "2", + "info": "OSINT - Regin: Nation-state ownage of GSM networks" + } + ] + }, + { + "id": "96616", + "type": "md5", + "category": "Payload installation", + "to_ids": true, + "uuid": "548847d8-05f8-49e7-af79-15bb950d210b", + "event_id": "750", + "distribution": "3", + "timestamp": "1418217432", + "comment": "Regin samples collected.", + "sharing_group_id": "0", + "value": "47d0e8f9d7a6429920329207a32ecc2e", + "SharingGroup": [], + "ShadowAttribute": [], + "RelatedAttribute": [ + { + "id": "2825", + "org_id": "2", + "info": "OSINT: THE REGIN PLATFORM NATION-STATE OWNAGE OF GSM NETWORKS" + }, + { + "id": "715", + "org_id": "26", + "info": "OSINT Regin samples shared by VirusShare" + }, + { + "id": "710", + "org_id": "26", + "info": "Secret Malware in European Union Attack Linked to U.S. and British Intelligence article by the Intercept" + }, + { + "id": "709", + "org_id": "2", + "info": "OSINT - Regin: Nation-state ownage of GSM networks" + } + ] + }, + { + "id": "96617", + "type": "md5", + "category": "Payload installation", + "to_ids": true, + "uuid": "548847d8-a33c-41f3-9f7a-15bb950d210b", + "event_id": "750", + "distribution": "3", + "timestamp": "1418217432", + "comment": "Regin samples collected.", + "sharing_group_id": "0", + "value": "01c2f321b6bfdb9473c079b0797567ba", + "SharingGroup": [], + "ShadowAttribute": [], + "RelatedAttribute": [ + { + "id": "2825", + "org_id": "2", + "info": "OSINT: THE REGIN PLATFORM NATION-STATE OWNAGE OF GSM NETWORKS" + }, + { + "id": "710", + "org_id": "26", + "info": "Secret Malware in European Union Attack Linked to U.S. 
and British Intelligence article by the Intercept" + }, + { + "id": "709", + "org_id": "2", + "info": "OSINT - Regin: Nation-state ownage of GSM networks" + } + ] + }, + { + "id": "96618", + "type": "md5", + "category": "Payload installation", + "to_ids": true, + "uuid": "548847d8-c950-48eb-b960-15bb950d210b", + "event_id": "750", + "distribution": "3", + "timestamp": "1418217432", + "comment": "Regin samples collected.", + "sharing_group_id": "0", + "value": "4b6b86c7fec1c574706cecedf44abded", + "SharingGroup": [], + "ShadowAttribute": [], + "RelatedAttribute": [ + { + "id": "2825", + "org_id": "2", + "info": "OSINT: THE REGIN PLATFORM NATION-STATE OWNAGE OF GSM NETWORKS" + }, + { + "id": "2006", + "org_id": "2", + "info": "OSINT - Regin: Top-tier espionage tool enables stealthy surveillance by Symantec" + }, + { + "id": "730", + "org_id": "26", + "info": "Regin Scanner" + }, + { + "id": "714", + "org_id": "3", + "info": "Script to detect Regin VFS" + }, + { + "id": "710", + "org_id": "26", + "info": "Secret Malware in European Union Attack Linked to U.S. 
and British Intelligence article by the Intercept" + }, + { + "id": "709", + "org_id": "2", + "info": "OSINT - Regin: Nation-state ownage of GSM networks" + }, + { + "id": "697", + "org_id": "2", + "info": "OSINT - Regin: Top-tier espionage tool enables stealthy surveillance" + } + ] + }, + { + "id": "96619", + "type": "md5", + "category": "Payload installation", + "to_ids": true, + "uuid": "548847d8-01e0-4231-a739-15bb950d210b", + "event_id": "750", + "distribution": "3", + "timestamp": "1418217432", + "comment": "Regin samples collected.", + "sharing_group_id": "0", + "value": "744c07e886497f7b68f6f7fe57b7ab54", + "SharingGroup": [], + "ShadowAttribute": [], + "RelatedAttribute": [ + { + "id": "2825", + "org_id": "2", + "info": "OSINT: THE REGIN PLATFORM NATION-STATE OWNAGE OF GSM NETWORKS" + }, + { + "id": "715", + "org_id": "26", + "info": "OSINT Regin samples shared by VirusShare" + }, + { + "id": "710", + "org_id": "26", + "info": "Secret Malware in European Union Attack Linked to U.S. 
and British Intelligence article by the Intercept" + }, + { + "id": "709", + "org_id": "2", + "info": "OSINT - Regin: Nation-state ownage of GSM networks" + } + ] + }, + { + "id": "96620", + "type": "md5", + "category": "Payload installation", + "to_ids": true, + "uuid": "548847d8-3fbc-4a06-ba82-15bb950d210b", + "event_id": "750", + "distribution": "3", + "timestamp": "1418217432", + "comment": "Regin samples collected.", + "sharing_group_id": "0", + "value": "2c8b9d2885543d7ade3cae98225e263b", + "SharingGroup": [], + "ShadowAttribute": [], + "RelatedAttribute": [ + { + "id": "2825", + "org_id": "2", + "info": "OSINT: THE REGIN PLATFORM NATION-STATE OWNAGE OF GSM NETWORKS" + }, + { + "id": "2006", + "org_id": "2", + "info": "OSINT - Regin: Top-tier espionage tool enables stealthy surveillance by Symantec" + }, + { + "id": "730", + "org_id": "26", + "info": "Regin Scanner" + }, + { + "id": "714", + "org_id": "3", + "info": "Script to detect Regin VFS" + }, + { + "id": "710", + "org_id": "26", + "info": "Secret Malware in European Union Attack Linked to U.S. 
and British Intelligence article by the Intercept" + }, + { + "id": "709", + "org_id": "2", + "info": "OSINT - Regin: Nation-state ownage of GSM networks" + }, + { + "id": "697", + "org_id": "2", + "info": "OSINT - Regin: Top-tier espionage tool enables stealthy surveillance" + } + ] + }, + { + "id": "96621", + "type": "md5", + "category": "Payload installation", + "to_ids": true, + "uuid": "548847d9-8b18-4654-9766-15bb950d210b", + "event_id": "750", + "distribution": "3", + "timestamp": "1418217433", + "comment": "Regin samples collected.", + "sharing_group_id": "0", + "value": "f3ffc2aaaa1e2ab55ec26ff098653347", + "SharingGroup": [], + "ShadowAttribute": [] + }, + { + "id": "96622", + "type": "md5", + "category": "Payload installation", + "to_ids": true, + "uuid": "548847d9-3b28-449e-b527-15bb950d210b", + "event_id": "750", + "distribution": "3", + "timestamp": "1418217433", + "comment": "Regin samples collected.", + "sharing_group_id": "0", + "value": "e94393561901895cb0783edc34740fd4", + "SharingGroup": [], + "ShadowAttribute": [] + }, + { + "id": "96623", + "type": "md5", + "category": "Payload installation", + "to_ids": true, + "uuid": "548847d9-e6fc-4b93-a773-15bb950d210b", + "event_id": "750", + "distribution": "3", + "timestamp": "1418217433", + "comment": "Regin samples collected.", + "sharing_group_id": "0", + "value": "bfbe8c3ee78750c3a520480700e440f8", + "SharingGroup": [], + "ShadowAttribute": [], + "RelatedAttribute": [ + { + "id": "2825", + "org_id": "2", + "info": "OSINT: THE REGIN PLATFORM NATION-STATE OWNAGE OF GSM NETWORKS" + }, + { + "id": "2006", + "org_id": "2", + "info": "OSINT - Regin: Top-tier espionage tool enables stealthy surveillance by Symantec" + }, + { + "id": "730", + "org_id": "26", + "info": "Regin Scanner" + }, + { + "id": "714", + "org_id": "3", + "info": "Script to detect Regin VFS" + }, + { + "id": "710", + "org_id": "26", + "info": "Secret Malware in European Union Attack Linked to U.S. 
and British Intelligence article by the Intercept" + }, + { + "id": "709", + "org_id": "2", + "info": "OSINT - Regin: Nation-state ownage of GSM networks" + }, + { + "id": "697", + "org_id": "2", + "info": "OSINT - Regin: Top-tier espionage tool enables stealthy surveillance" + } + ] + }, + { + "id": "96624", + "type": "md5", + "category": "Payload installation", + "to_ids": true, + "uuid": "548847d9-fd54-4e49-909b-15bb950d210b", + "event_id": "750", + "distribution": "3", + "timestamp": "1418217433", + "comment": "Regin samples collected.", + "sharing_group_id": "0", + "value": "89003e9a1ae635c97ebad07aebc67f00", + "SharingGroup": [], + "ShadowAttribute": [] + }, + { + "id": "96625", + "type": "md5", + "category": "Payload installation", + "to_ids": true, + "uuid": "548847d9-b63c-4c95-a2bd-15bb950d210b", + "event_id": "750", + "distribution": "3", + "timestamp": "1418217433", + "comment": "Regin samples collected.", + "sharing_group_id": "0", + "value": "1800def71006ca6790767e202fae9b9a", + "SharingGroup": [], + "ShadowAttribute": [] + }, + { + "id": "96626", + "type": "md5", + "category": "Payload installation", + "to_ids": true, + "uuid": "548847d9-1404-4331-ae3c-15bb950d210b", + "event_id": "750", + "distribution": "3", + "timestamp": "1418217433", + "comment": "Regin samples collected.", + "sharing_group_id": "0", + "value": "90fecc6a89b2e22d82d58878d93477d4", + "SharingGroup": [], + "ShadowAttribute": [] + }, + { + "id": "96627", + "type": "md5", + "category": "Payload installation", + "to_ids": true, + "uuid": "548847d9-4020-41da-b5f3-15bb950d210b", + "event_id": "750", + "distribution": "3", + "timestamp": "1418217433", + "comment": "Regin samples collected.", + "sharing_group_id": "0", + "value": "db405ad775ac887a337b02ea8b07fddc", + "SharingGroup": [], + "ShadowAttribute": [], + "RelatedAttribute": [ + { + "id": "2825", + "org_id": "2", + "info": "OSINT: THE REGIN PLATFORM NATION-STATE OWNAGE OF GSM NETWORKS" + }, + { + "id": "710", + "org_id": "26", + 
"info": "Secret Malware in European Union Attack Linked to U.S. and British Intelligence article by the Intercept" + }, + { + "id": "709", + "org_id": "2", + "info": "OSINT - Regin: Nation-state ownage of GSM networks" + } + ] + }, + { + "id": "96628", + "type": "md5", + "category": "Payload installation", + "to_ids": true, + "uuid": "548847d9-a564-4178-b8e6-15bb950d210b", + "event_id": "750", + "distribution": "3", + "timestamp": "1418217433", + "comment": "Regin samples collected.", + "sharing_group_id": "0", + "value": "6662c390b2bbbd291ec7987388fc75d7", + "SharingGroup": [], + "ShadowAttribute": [], + "RelatedAttribute": [ + { + "id": "2825", + "org_id": "2", + "info": "OSINT: THE REGIN PLATFORM NATION-STATE OWNAGE OF GSM NETWORKS" + }, + { + "id": "2006", + "org_id": "2", + "info": "OSINT - Regin: Top-tier espionage tool enables stealthy surveillance by Symantec" + }, + { + "id": "730", + "org_id": "26", + "info": "Regin Scanner" + }, + { + "id": "714", + "org_id": "3", + "info": "Script to detect Regin VFS" + }, + { + "id": "710", + "org_id": "26", + "info": "Secret Malware in European Union Attack Linked to U.S. 
and British Intelligence article by the Intercept" + }, + { + "id": "709", + "org_id": "2", + "info": "OSINT - Regin: Nation-state ownage of GSM networks" + }, + { + "id": "697", + "org_id": "2", + "info": "OSINT - Regin: Top-tier espionage tool enables stealthy surveillance" + } + ] + }, + { + "id": "96629", + "type": "md5", + "category": "Payload installation", + "to_ids": true, + "uuid": "548847d9-39dc-4247-b23d-15bb950d210b", + "event_id": "750", + "distribution": "3", + "timestamp": "1418217433", + "comment": "Regin samples collected.", + "sharing_group_id": "0", + "value": "06665b96e293b23acc80451abb413e50", + "SharingGroup": [], + "ShadowAttribute": [], + "RelatedAttribute": [ + { + "id": "2825", + "org_id": "2", + "info": "OSINT: THE REGIN PLATFORM NATION-STATE OWNAGE OF GSM NETWORKS" + }, + { + "id": "2006", + "org_id": "2", + "info": "OSINT - Regin: Top-tier espionage tool enables stealthy surveillance by Symantec" + }, + { + "id": "730", + "org_id": "26", + "info": "Regin Scanner" + }, + { + "id": "714", + "org_id": "3", + "info": "Script to detect Regin VFS" + }, + { + "id": "710", + "org_id": "26", + "info": "Secret Malware in European Union Attack Linked to U.S. 
and British Intelligence article by the Intercept" + }, + { + "id": "709", + "org_id": "2", + "info": "OSINT - Regin: Nation-state ownage of GSM networks" + }, + { + "id": "697", + "org_id": "2", + "info": "OSINT - Regin: Top-tier espionage tool enables stealthy surveillance" + } + ] + }, + { + "id": "96630", + "type": "md5", + "category": "Payload installation", + "to_ids": true, + "uuid": "548847d9-6340-44a0-8f33-15bb950d210b", + "event_id": "750", + "distribution": "3", + "timestamp": "1418217433", + "comment": "Regin samples collected.", + "sharing_group_id": "0", + "value": "ffb0b9b5b610191051a7bdf0806e1e47", + "SharingGroup": [], + "ShadowAttribute": [], + "RelatedAttribute": [ + { + "id": "2825", + "org_id": "2", + "info": "OSINT: THE REGIN PLATFORM NATION-STATE OWNAGE OF GSM NETWORKS" + }, + { + "id": "2006", + "org_id": "2", + "info": "OSINT - Regin: Top-tier espionage tool enables stealthy surveillance by Symantec" + }, + { + "id": "730", + "org_id": "26", + "info": "Regin Scanner" + }, + { + "id": "714", + "org_id": "3", + "info": "Script to detect Regin VFS" + }, + { + "id": "710", + "org_id": "26", + "info": "Secret Malware in European Union Attack Linked to U.S. 
and British Intelligence article by the Intercept" + }, + { + "id": "709", + "org_id": "2", + "info": "OSINT - Regin: Nation-state ownage of GSM networks" + }, + { + "id": "697", + "org_id": "2", + "info": "OSINT - Regin: Top-tier espionage tool enables stealthy surveillance" + } + ] + }, + { + "id": "96631", + "type": "md5", + "category": "Payload installation", + "to_ids": true, + "uuid": "548847d9-afe0-4531-a4b0-15bb950d210b", + "event_id": "750", + "distribution": "3", + "timestamp": "1418217433", + "comment": "Regin samples collected.", + "sharing_group_id": "0", + "value": "187044596bc1328efa0ed636d8aa4a5c", + "SharingGroup": [], + "ShadowAttribute": [], + "RelatedAttribute": [ + { + "id": "2825", + "org_id": "2", + "info": "OSINT: THE REGIN PLATFORM NATION-STATE OWNAGE OF GSM NETWORKS" + }, + { + "id": "2006", + "org_id": "2", + "info": "OSINT - Regin: Top-tier espionage tool enables stealthy surveillance by Symantec" + }, + { + "id": "730", + "org_id": "26", + "info": "Regin Scanner" + }, + { + "id": "714", + "org_id": "3", + "info": "Script to detect Regin VFS" + }, + { + "id": "710", + "org_id": "26", + "info": "Secret Malware in European Union Attack Linked to U.S. 
and British Intelligence article by the Intercept" + }, + { + "id": "709", + "org_id": "2", + "info": "OSINT - Regin: Nation-state ownage of GSM networks" + }, + { + "id": "697", + "org_id": "2", + "info": "OSINT - Regin: Top-tier espionage tool enables stealthy surveillance" + } + ] + }, + { + "id": "96632", + "type": "md5", + "category": "Payload installation", + "to_ids": true, + "uuid": "548847da-ac78-474c-86fe-15bb950d210b", + "event_id": "750", + "distribution": "3", + "timestamp": "1418217434", + "comment": "Regin samples collected.", + "sharing_group_id": "0", + "value": "b29ca4f22ae7b7b25f79c1d4a421139d", + "SharingGroup": [], + "ShadowAttribute": [], + "RelatedAttribute": [ + { + "id": "2825", + "org_id": "2", + "info": "OSINT: THE REGIN PLATFORM NATION-STATE OWNAGE OF GSM NETWORKS" + }, + { + "id": "2006", + "org_id": "2", + "info": "OSINT - Regin: Top-tier espionage tool enables stealthy surveillance by Symantec" + }, + { + "id": "730", + "org_id": "26", + "info": "Regin Scanner" + }, + { + "id": "715", + "org_id": "26", + "info": "OSINT Regin samples shared by VirusShare" + }, + { + "id": "714", + "org_id": "3", + "info": "Script to detect Regin VFS" + }, + { + "id": "710", + "org_id": "26", + "info": "Secret Malware in European Union Attack Linked to U.S. 
and British Intelligence article by the Intercept" + }, + { + "id": "709", + "org_id": "2", + "info": "OSINT - Regin: Nation-state ownage of GSM networks" + }, + { + "id": "697", + "org_id": "2", + "info": "OSINT - Regin: Top-tier espionage tool enables stealthy surveillance" + } + ] + }, + { + "id": "96633", + "type": "md5", + "category": "Payload installation", + "to_ids": true, + "uuid": "548847da-49c0-404d-ae42-15bb950d210b", + "event_id": "750", + "distribution": "3", + "timestamp": "1418217434", + "comment": "Regin samples collected.", + "sharing_group_id": "0", + "value": "d240f06e98c8d3e647cbf4d442d79475", + "SharingGroup": [], + "ShadowAttribute": [], + "RelatedAttribute": [ + { + "id": "2825", + "org_id": "2", + "info": "OSINT: THE REGIN PLATFORM NATION-STATE OWNAGE OF GSM NETWORKS" + }, + { + "id": "2006", + "org_id": "2", + "info": "OSINT - Regin: Top-tier espionage tool enables stealthy surveillance by Symantec" + }, + { + "id": "730", + "org_id": "26", + "info": "Regin Scanner" + }, + { + "id": "714", + "org_id": "3", + "info": "Script to detect Regin VFS" + }, + { + "id": "710", + "org_id": "26", + "info": "Secret Malware in European Union Attack Linked to U.S. 
and British Intelligence article by the Intercept" + }, + { + "id": "709", + "org_id": "2", + "info": "OSINT - Regin: Nation-state ownage of GSM networks" + }, + { + "id": "697", + "org_id": "2", + "info": "OSINT - Regin: Top-tier espionage tool enables stealthy surveillance" + } + ] + }, + { + "id": "96634", + "type": "md5", + "category": "Payload installation", + "to_ids": true, + "uuid": "548847da-2134-43d7-ba22-15bb950d210b", + "event_id": "750", + "distribution": "3", + "timestamp": "1418217434", + "comment": "Regin samples collected.", + "sharing_group_id": "0", + "value": "8fcf4e53ece6111758a1dd3139dc7cad", + "SharingGroup": [], + "ShadowAttribute": [] + }, + { + "id": "96635", + "type": "md5", + "category": "Payload installation", + "to_ids": true, + "uuid": "548847da-71ec-4b2b-bae5-15bb950d210b", + "event_id": "750", + "distribution": "3", + "timestamp": "1418217434", + "comment": "Regin samples collected.", + "sharing_group_id": "0", + "value": "148c1bb9d405d717252c77593aff4bd8", + "SharingGroup": [], + "ShadowAttribute": [], + "RelatedAttribute": [ + { + "id": "710", + "org_id": "26", + "info": "Secret Malware in European Union Attack Linked to U.S. 
and British Intelligence article by the Intercept" + } + ] + }, + { + "id": "96636", + "type": "md5", + "category": "Payload installation", + "to_ids": true, + "uuid": "548847da-3e40-4ab2-a5eb-15bb950d210b", + "event_id": "750", + "distribution": "3", + "timestamp": "1418217434", + "comment": "Regin samples collected.", + "sharing_group_id": "0", + "value": "1c024e599ac055312a4ab75b3950040a", + "SharingGroup": [], + "ShadowAttribute": [], + "RelatedAttribute": [ + { + "id": "2825", + "org_id": "2", + "info": "OSINT: THE REGIN PLATFORM NATION-STATE OWNAGE OF GSM NETWORKS" + }, + { + "id": "2006", + "org_id": "2", + "info": "OSINT - Regin: Top-tier espionage tool enables stealthy surveillance by Symantec" + }, + { + "id": "730", + "org_id": "26", + "info": "Regin Scanner" + }, + { + "id": "714", + "org_id": "3", + "info": "Script to detect Regin VFS" + }, + { + "id": "710", + "org_id": "26", + "info": "Secret Malware in European Union Attack Linked to U.S. and British Intelligence article by the Intercept" + }, + { + "id": "709", + "org_id": "2", + "info": "OSINT - Regin: Nation-state ownage of GSM networks" + }, + { + "id": "697", + "org_id": "2", + "info": "OSINT - Regin: Top-tier espionage tool enables stealthy surveillance" + } + ] + }, + { + "id": "96637", + "type": "md5", + "category": "Payload installation", + "to_ids": true, + "uuid": "548847da-c2d0-4d24-821e-15bb950d210b", + "event_id": "750", + "distribution": "3", + "timestamp": "1418217434", + "comment": "Regin samples collected.", + "sharing_group_id": "0", + "value": "b269894f434657db2b15949641a67532", + "SharingGroup": [], + "ShadowAttribute": [], + "RelatedAttribute": [ + { + "id": "2825", + "org_id": "2", + "info": "OSINT: THE REGIN PLATFORM NATION-STATE OWNAGE OF GSM NETWORKS" + }, + { + "id": "2006", + "org_id": "2", + "info": "OSINT - Regin: Top-tier espionage tool enables stealthy surveillance by Symantec" + }, + { + "id": "730", + "org_id": "26", + "info": "Regin Scanner" + }, + { + "id": "715", 
+ "org_id": "26", + "info": "OSINT Regin samples shared by VirusShare" + }, + { + "id": "714", + "org_id": "3", + "info": "Script to detect Regin VFS" + }, + { + "id": "710", + "org_id": "26", + "info": "Secret Malware in European Union Attack Linked to U.S. and British Intelligence article by the Intercept" + }, + { + "id": "709", + "org_id": "2", + "info": "OSINT - Regin: Nation-state ownage of GSM networks" + }, + { + "id": "697", + "org_id": "2", + "info": "OSINT - Regin: Top-tier espionage tool enables stealthy surveillance" + } + ] + }, + { + "id": "96638", + "type": "md5", + "category": "Payload installation", + "to_ids": true, + "uuid": "548847da-9798-4b6d-b422-15bb950d210b", + "event_id": "750", + "distribution": "3", + "timestamp": "1418217434", + "comment": "Regin samples collected.", + "sharing_group_id": "0", + "value": "ba7bb65634ce1e30c1e5415be3d1db1d", + "SharingGroup": [], + "ShadowAttribute": [], + "RelatedAttribute": [ + { + "id": "2825", + "org_id": "2", + "info": "OSINT: THE REGIN PLATFORM NATION-STATE OWNAGE OF GSM NETWORKS" + }, + { + "id": "2006", + "org_id": "2", + "info": "OSINT - Regin: Top-tier espionage tool enables stealthy surveillance by Symantec" + }, + { + "id": "730", + "org_id": "26", + "info": "Regin Scanner" + }, + { + "id": "714", + "org_id": "3", + "info": "Script to detect Regin VFS" + }, + { + "id": "710", + "org_id": "26", + "info": "Secret Malware in European Union Attack Linked to U.S. 
and British Intelligence article by the Intercept" + }, + { + "id": "709", + "org_id": "2", + "info": "OSINT - Regin: Nation-state ownage of GSM networks" + }, + { + "id": "697", + "org_id": "2", + "info": "OSINT - Regin: Top-tier espionage tool enables stealthy surveillance" + } + ] + }, + { + "id": "96639", + "type": "md5", + "category": "Payload installation", + "to_ids": true, + "uuid": "548847da-ffe4-4a90-9f2a-15bb950d210b", + "event_id": "750", + "distribution": "3", + "timestamp": "1418217434", + "comment": "Regin samples collected.", + "sharing_group_id": "0", + "value": "22bfc970f707fd775d49e875b63c2f0c", + "SharingGroup": [], + "ShadowAttribute": [], + "RelatedAttribute": [ + { + "id": "710", + "org_id": "26", + "info": "Secret Malware in European Union Attack Linked to U.S. and British Intelligence article by the Intercept" + } + ] + }, + { + "id": "96640", + "type": "md5", + "category": "Payload installation", + "to_ids": true, + "uuid": "548847da-1660-4562-a1f8-15bb950d210b", + "event_id": "750", + "distribution": "3", + "timestamp": "1418217434", + "comment": "Regin samples collected.", + "sharing_group_id": "0", + "value": "b505d65721bb2453d5039a389113b566", + "SharingGroup": [], + "ShadowAttribute": [], + "RelatedAttribute": [ + { + "id": "2825", + "org_id": "2", + "info": "OSINT: THE REGIN PLATFORM NATION-STATE OWNAGE OF GSM NETWORKS" + }, + { + "id": "2006", + "org_id": "2", + "info": "OSINT - Regin: Top-tier espionage tool enables stealthy surveillance by Symantec" + }, + { + "id": "730", + "org_id": "26", + "info": "Regin Scanner" + }, + { + "id": "714", + "org_id": "3", + "info": "Script to detect Regin VFS" + }, + { + "id": "710", + "org_id": "26", + "info": "Secret Malware in European Union Attack Linked to U.S. 
and British Intelligence article by the Intercept" + }, + { + "id": "709", + "org_id": "2", + "info": "OSINT - Regin: Nation-state ownage of GSM networks" + }, + { + "id": "697", + "org_id": "2", + "info": "OSINT - Regin: Top-tier espionage tool enables stealthy surveillance" + } + ] + }, + { + "id": "96641", + "type": "md5", + "category": "Payload installation", + "to_ids": true, + "uuid": "548847db-060c-4275-a0c7-15bb950d210b", + "event_id": "750", + "distribution": "3", + "timestamp": "1418217435", + "comment": "Regin samples collected.", + "sharing_group_id": "0", + "value": "049436bb90f71cf38549817d9b90e2da", + "SharingGroup": [], + "ShadowAttribute": [], + "RelatedAttribute": [ + { + "id": "710", + "org_id": "26", + "info": "Secret Malware in European Union Attack Linked to U.S. and British Intelligence article by the Intercept" + } + ] + } + ], + "ShadowAttribute": [], + "RelatedEvent": [ + { + "Org": { + "id": "2", + "name": "CIRCL", + "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" + }, + "Orgc": { + "id": "2", + "name": "CIRCL", + "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" + }, + "Event": { + "id": "2006", + "date": "2015-08-27", + "threat_level_id": "1", + "info": "OSINT - Regin: Top-tier espionage tool enables stealthy surveillance by Symantec", + "published": true, + "uuid": "55df7369-7d68-428b-aa03-4f5d950d210b", + "analysis": "2", + "timestamp": "1440752388", + "distribution": "3", + "org_id": "2", + "orgc_id": "2" + } + }, + { + "Org": { + "id": "2", + "name": "CIRCL", + "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" + }, + "Orgc": { + "id": "2", + "name": "CIRCL", + "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" + }, + "Event": { + "id": "833", + "date": "2015-01-22", + "threat_level_id": "1", + "info": "OSINT - An analysis of Regin's Hopscotch and Legspin", + "published": true, + "uuid": "54c0ce92-9d00-42b7-8cfc-f03f950d210b", + "analysis": "2", + "timestamp": "1422266910", + "distribution": "3", + "org_id": "2", + "orgc_id": "2" + } + }, + { + 
"Org": { + "id": "2", + "name": "CIRCL", + "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" + }, + "Orgc": { + "id": "2", + "name": "CIRCL", + "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" + }, + "Event": { + "id": "697", + "date": "2014-11-24", + "threat_level_id": "1", + "info": "OSINT - Regin: Top-tier espionage tool enables stealthy surveillance", + "published": true, + "uuid": "5472cdc5-3e3c-47c9-a3b1-47be950d210b", + "analysis": "2", + "timestamp": "1416818985", + "distribution": "3", + "org_id": "2", + "orgc_id": "2" + } + }, + { + "Org": { + "id": "2", + "name": "CIRCL", + "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" + }, + "Orgc": { + "id": "2", + "name": "CIRCL", + "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" + }, + "Event": { + "id": "699", + "date": "2014-11-24", + "threat_level_id": "1", + "info": "OSINT - The Regin Espionage Toolkit", + "published": true, + "uuid": "5472fbd1-1a38-484a-b3f4-4502950d210b", + "analysis": "2", + "timestamp": "1416821880", + "distribution": "3", + "org_id": "2", + "orgc_id": "2" + } + }, + { + "Org": { + "id": "2", + "name": "CIRCL", + "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" + }, + "Orgc": { + "id": "2", + "name": "CIRCL", + "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" + }, + "Event": { + "id": "700", + "date": "2014-11-24", + "threat_level_id": "1", + "info": "Regin Yara rules", + "published": true, + "uuid": "5473051e-2db8-4467-b6d5-4b1d950d210b", + "analysis": "1", + "timestamp": "1417157341", + "distribution": "3", + "org_id": "2", + "orgc_id": "2" + } + }, + { + "Org": { + "id": "2", + "name": "CIRCL", + "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" + }, + "Orgc": { + "id": "2", + "name": "CIRCL", + "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" + }, + "Event": { + "id": "709", + "date": "2014-11-24", + "threat_level_id": "1", + "info": "OSINT - Regin: Nation-state ownage of GSM networks", + "published": true, + "uuid": "5473429a-bc10-498d-a195-46e2950d2109", + "analysis": "2", + "timestamp": 
"1416843113",
+ "distribution": "3",
+ "org_id": "2",
+ "orgc_id": "2"
+ }
+ }
+ ],
+ "Tag": [
+ {
+ "id": "1",
+ "name": "Type:OSINT",
+ "colour": "#1eed40",
+ "exportable": true
+ }
+ ]
+ }
+}
diff --git a/tests/Fixture/FeedsFixture.php b/tests/Fixture/FeedsFixture.php
index c0a1f0f38..c8650cd97 100644
--- a/tests/Fixture/FeedsFixture.php
+++ b/tests/Fixture/FeedsFixture.php
@@ -25,13 +25,15 @@ class FeedsFixture extends TestFixture
 'id' => self::FEED_1_ID,
 'name' => self::FEED_1_NAME,
 'provider' => 'test-provider',
- 'url' => 'http://localhost/test-feed-1'
+ 'url' => 'http://localhost/test-feed-1',
+ 'enabled' => true,
 ],
 [
 'id' => self::FEED_2_ID,
 'name' => self::FEED_2_NAME,
 'provider' => 'test-provider',
- 'url' => 'http://localhost/test-feed-2'
+ 'url' => 'http://localhost/test-feed-2',
+ 'enabled' => false,
 ]
 ];
 parent::init();
diff --git a/tests/libraries/misp-galaxy/clusters/test.json b/tests/Libraries/misp-galaxy/clusters/test.json
similarity index 100%
rename from tests/libraries/misp-galaxy/clusters/test.json
rename to tests/Libraries/misp-galaxy/clusters/test.json
diff --git a/tests/libraries/misp-galaxy/galaxies/test.json b/tests/Libraries/misp-galaxy/galaxies/test.json
similarity index 100%
rename from tests/libraries/misp-galaxy/galaxies/test.json
rename to tests/Libraries/misp-galaxy/galaxies/test.json
diff --git a/tests/libraries/misp-taxonomies/test/machinetag.json b/tests/Libraries/misp-taxonomies/test/machinetag.json
similarity index 100%
rename from tests/libraries/misp-taxonomies/test/machinetag.json
rename to tests/Libraries/misp-taxonomies/test/machinetag.json
diff --git a/tests/TestCase/Api/Feeds/DisableFeedApiTest.php b/tests/TestCase/Api/Feeds/DisableFeedApiTest.php
new file mode 100644
index 000000000..c7cf202ad
--- /dev/null
+++ b/tests/TestCase/Api/Feeds/DisableFeedApiTest.php
@@ -0,0 +1,42 @@
+skipOpenApiValidations();
+
+ $this->setAuthToken(AuthKeysFixture::ADMIN_API_KEY);
+
+ $url = sprintf('%s/%d', self::ENDPOINT, FeedsFixture::FEED_1_ID);
+
+ $this->assertDbRecordExists('Feeds', ['id' => FeedsFixture::FEED_1_ID, 'enabled' => true]);
+
+ # disable
+ $this->post($url);
+ $this->assertResponseOk();
+ $this->assertResponseContains('"message": "Feed disabled."');
+ $this->assertDbRecordExists('Feeds', ['id' => FeedsFixture::FEED_1_ID, 'enabled' => false]);
+ }
+}
diff --git a/tests/TestCase/Api/Feeds/EnableFeedApiTest.php b/tests/TestCase/Api/Feeds/EnableFeedApiTest.php
new file mode 100644
index 000000000..3eed2c6e4
--- /dev/null
+++ b/tests/TestCase/Api/Feeds/EnableFeedApiTest.php
@@ -0,0 +1,42 @@
+skipOpenApiValidations();
+
+ $this->setAuthToken(AuthKeysFixture::ADMIN_API_KEY);
+
+ $url = sprintf('%s/%d', self::ENDPOINT, FeedsFixture::FEED_2_ID);
+
+ $this->assertDbRecordExists('Feeds', ['id' => FeedsFixture::FEED_2_ID, 'enabled' => false]);
+
+ # enable
+ $this->post($url);
+ $this->assertResponseOk();
+ $this->assertResponseContains('"message": "Feed enabled."');
+ $this->assertDbRecordExists('Feeds', ['id' => FeedsFixture::FEED_2_ID, 'enabled' => true]);
+ }
+}
diff --git a/tests/TestCase/Tool/AttributeValidationToolTest.php b/tests/TestCase/Tool/AttributeValidationToolTest.php
new file mode 100644
index 000000000..5f8c933de
--- /dev/null
+++ b/tests/TestCase/Tool/AttributeValidationToolTest.php
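Review bot: The visible part of `DisableFeedApiTest.php` covers only the admin happy path (`setAuthToken(AuthKeysFixture::ADMIN_API_KEY)` followed by `assertResponseOk()`), and `EnableFeedApiTest.php` has the same shape, so nothing in either test pins that a caller without admin rights is refused. Toggling a feed changes which indicator sources the instance ingests, so each file should also have a negative case that posts with a non-admin key, asserts the request is rejected, and then re-checks the row with `$this->assertDbRecordExists('Feeds', ['id' => FeedsFixture::FEED_1_ID, 'enabled' => true]);` (and `FEED_2_ID` / `false` in the enable test). The `assertResponseContains('"message": "Feed disabled."')` check also depends on the exact JSON spacing of the response; decoding the body and comparing the `message` field would be less brittle. The opening of both files (class header, fixtures list, method signature) is missing from the page text, so a negative case may exist in the part that is not shown.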
@@ -0,0 +1,183 @@
+shouldBeValid('filename|md5', [
+ 'cmd.exe|0cc175b9c0f1b6a831c399e269772661',
+ ]);
+ $this->shouldBeInvalid('filename|md5', [
+ 'cmd.exe|86f7e437faa5a7fce15d1ddcb9eaeaea377667b8',
+ ]);
+ $this->shouldBeValid('tlsh', [
+ 'b2317c38fac0333c8ff7d3ff31fcf3b7fb3f9a3ef3bf3c880cfc43ebf97f3cc73fbfc',
+ 't1fdd4e000b6a1c034f1f612f849b6a3a4b53f7ea1677481cf12d916ea4a79af1ed31317',
+ ]);
+ $this->shouldBeValid('filename|tlsh', [
+ 'cmd.exe|b2317c38fac0333c8ff7d3ff31fcf3b7fb3f9a3ef3bf3c880cfc43ebf97f3cc73fbfc',
+ 'cmd.exe|t1fdd4e000b6a1c034f1f612f849b6a3a4b53f7ea1677481cf12d916ea4a79af1ed31317',
+ ]);
+ $this->shouldBeValid('ssdeep', [
+ '96:s4Ud1Lj96tHHlZDrwciQmA+4uy1I0G4HYuL8N3TzS8QsO/wqWXLcMSx:sF1LjEtHHlZDrJzrhuyZvHYm8tKp/RWO',
+ '384:EWo4X1WaPW9ZWhWzLo+lWpct/fWbkWsWIwW0/S7dZhgG8:EWo4X1WmW9ZWhWH/WpchfWgWsWTWtf8',
+ '6144:3wSQSlrBHFjOvwYAU/Fsgi/2WDg5+YaNk5xcHrYw+Zg+XrZsGEREYRGAFU25ttR/:ctM7E0L4q',
+ ]);
+ $this->shouldBeValid('filename|ssdeep', [
+ 'ahoj.txt|96:s4Ud1Lj96tHHlZDrwciQmA+4uy1I0G4HYuL8N3TzS8QsO/wqWXLcMSx:sF1LjEtHHlZDrJzrhuyZvHYm8tKp/RWO',
+ ]);
+ }
+
+ public function testValidateIp(): void
+ {
+ foreach (['ip-src', 'ip-dst'] as $type) {
+ $this->shouldBeValid($type, [
+ '127.0.0.1',
+ '127.0.0.1/32',
+ '::1',
+ '::1/128',
+ ]);
+ $this->shouldBeInvalid($type, [
+ '127',
+ '127.0.0.',
+ '127.0.0.1/',
+ '127.0.0.1/32/1',
+ '127.0.0.1/128',
+ '::1/257',
+ '::1/257',
+ '::1/128/1',
+ ]);
+ }
+ }
+
+ public function testValidatePort(): void
+ {
+ $this->assertTrue(AttributeValidationTool::validate('port', '1'));
+ $this->assertTrue(AttributeValidationTool::validate('port', 1));
+ $this->assertTrue(AttributeValidationTool::validate('port', 80));
+ $this->assertNotTrue(AttributeValidationTool::validate('port', -80));
+ $this->assertNotTrue(AttributeValidationTool::validate('port', '-80'));
+ }
+
+ public function testValidateSshFingerprint(): void
+ {
+ $this->shouldBeValid('ssh-fingerprint', [
+ '7b:e5:6f:a7:f4:f9:81:62:5c:e3:1f:bf:8b:57:6c:5a',
+ 'MD5:7b:e5:6f:a7:f4:f9:81:62:5c:e3:1f:bf:8b:57:6c:5a',
+ 'SHA256:mVPwvezndPv/ARoIadVY98vAC0g+P/5633yTC4d/wXE',
+ ]);
+ }
+
+ public function testValidateDomainIp(): void
+ {
+ $this->shouldBeValid('domain|ip', [
+ 'example.com|127.0.0.1',
+ 'example.com|::1',
+ ]);
+ $this->shouldBeInvalid('domain|ip', [
+ 'example.com|127',
+ 'example.com|1',
+ ]);
+ }
+
+ public function testValidateFilename(): void
+ {
+ $this->shouldBeValid('filename', [
+ 'cmd.exe',
+ 'cmd.com',
+ ]);
+ $this->shouldBeInvalid('filename', [
+ "cmd.exe\ncmd.com",
+ ]);
+ $this->shouldBeValid('filename|md5', [
+ 'cmd.exe|0cc175b9c0f1b6a831c399e269772661',
+ 'cmd.com|0cc175b9c0f1b6a831c399e269772661',
+ ]);
+ $this->shouldBeInvalid('filename|md5', [
+ "cmd.exe\ncmd.com|0cc175b9c0f1b6a831c399e269772661",
+ ]);
+ }
+
+ public function testValidateAs(): void
+ {
+ $this->shouldBeValid('AS', [
+ '0',
+ 0,
+ 1,
+ '1',
+ 4294967295,
+ ]);
+ $this->shouldBeInvalid('AS', [
+ '1.2.3.4',
+ ]);
+ }
+
+ public function testRemoveCidrFromIp(): void
+ {
+ $this->assertEquals('127.0.0.1', AttributeValidationTool::modifyBeforeValidation('ip-src', '127.0.0.1/32'));
+ $this->assertEquals('127.0.0.1/31', AttributeValidationTool::modifyBeforeValidation('ip-src', '127.0.0.1/31'));
+ $this->assertEquals('example.com|1234:fd2:5621:1:89::4500', AttributeValidationTool::modifyBeforeValidation('domain|ip', 'example.com|1234:0fd2:5621:0001:0089:0000:0000:4500/128'));
+ $this->assertEquals('1234:fd2:5621:1:89::4500|80', AttributeValidationTool::modifyBeforeValidation('ip-src|port', '1234:0fd2:5621:0001:0089:0000:0000:4500/128|80'));
+ $this->assertEquals('1234:fd2:5621:1:89::4500/127|80', AttributeValidationTool::modifyBeforeValidation('ip-src|port', '1234:0fd2:5621:0001:0089:0000:0000:4500/127|80'));
+ $this->assertEquals('127.0.0.1', AttributeValidationTool::modifyBeforeValidation('ip-src', '127.0.0.1'));
+ }
+
+ public function testCompressIpv6(): void
+ {
+ $this->assertEquals('1234:fd2:5621:1:89::4500', AttributeValidationTool::modifyBeforeValidation('ip-src', '1234:0fd2:5621:0001:0089:0000:0000:4500'));
+ $this->assertEquals('example.com|1234:fd2:5621:1:89::4500', AttributeValidationTool::modifyBeforeValidation('domain|ip', 'example.com|1234:0fd2:5621:0001:0089:0000:0000:4500'));
+ $this->assertEquals('1234:fd2:5621:1:89::4500|80', AttributeValidationTool::modifyBeforeValidation('ip-src|port', '1234:0fd2:5621:0001:0089:0000:0000:4500|80'));
+ $this->assertEquals('127.0.0.1', AttributeValidationTool::modifyBeforeValidation('ip-src', '127.0.0.1'));
+ }
+
+ public function testFilenameHashLowercase()
+ {
+ $this->assertEquals('CMD.EXE|0cc175b9c0f1b6a831c399e269772661', AttributeValidationTool::modifyBeforeValidation('filename|md5', 'CMD.EXE|0CC175B9C0F1B6A831C399E269772661'));
+ }
+
+ public function testDomainModify()
+ {
+ $this->assertEquals('example.com', AttributeValidationTool::modifyBeforeValidation('domain', 'example.com'));
+ $this->assertEquals('example.com', AttributeValidationTool::modifyBeforeValidation('domain', 'EXAMPLE.COM'));
+ $this->assertEquals('example.com|127.0.0.1', AttributeValidationTool::modifyBeforeValidation('domain|ip', 'example.com|127.0.0.1'));
+ $this->assertEquals('example.com|127.0.0.1', AttributeValidationTool::modifyBeforeValidation('domain|ip', 'EXAMPLE.COM|127.0.0.1'));
+ $this->assertEquals('xn--hkyrky-ptac70bc.cz', AttributeValidationTool::modifyBeforeValidation('domain', 'háčkyčárky.cz'));
+ $this->assertEquals('xn--hkyrky-ptac70bc.cz', AttributeValidationTool::modifyBeforeValidation('domain', 'HÁČKYČÁRKY.CZ'));
+ $this->assertEquals('xn--hkyrky-ptac70bc.cz|127.0.0.1', AttributeValidationTool::modifyBeforeValidation('domain|ip', 'háčkyčárky.cz|127.0.0.1'));
+ $this->assertEquals('xn--hkyrky-ptac70bc.cz|127.0.0.1', AttributeValidationTool::modifyBeforeValidation('domain|ip', 'HÁČKYČÁRKY.CZ|127.0.0.1'));
+ }
+
+ public function testSssdeep()
+ {
+ $this->shouldBeValid('ssdeep', ["768:+OFu8Q3w6QzfR5Jni6SQD7qSFDs6P93/q0XIc/UB5EPABWX:RFu8QAFzffJui79f13/AnB5EPAkX"]);
+ $this->shouldBeInvalid('ssdeep', ["768:+OFu8Q3w6QzfR5Jni6SQD7qSFDs6P93/q0XIc/UB5EPABWX\n\n:RFu8QAFzffJui79f13/AnB5EPAkX"]);
+ }
+
+ private function shouldBeValid($type, array $values)
+ {
+ foreach ($values as $value) {
+ $this->assertTrue(AttributeValidationTool::validate($type, $value), "Value `$value` of type `$type` should be valid.");
+ }
+ }
+
+ private function shouldBeInvalid($type, array $values)
+ {
+ foreach ($values as $value) {
+ $this->assertNotTrue(AttributeValidationTool::validate($type, $value), "Value `$value` of type `$type` should be invalid.");
+ }
+ }
+}
diff --git a/tests/TestCase/Tool/ComplexTypeToolTest.php b/tests/TestCase/Tool/ComplexTypeToolTest.php
new file mode 100644
index 000000000..4749d96be
--- /dev/null
+++ b/tests/TestCase/Tool/ComplexTypeToolTest.php
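Review bot: In `testValidateIp` the invalid list repeats `'::1/257'` and never tries the first prefix length past either limit, so an off-by-one in the CIDR bound check would still pass this suite. I would replace the duplicate with `'::1/129'` and add `'127.0.0.1/33'` beside `'127.0.0.1/128'`. `testValidatePort` has the same gap at the top of the range: it rejects `-80` but never tries a value above 65535, e.g. `$this->assertNotTrue(AttributeValidationTool::validate('port', 65536));`; the validator is not part of this diff, so confirm the intended contract before adding it. Smaller points: `testSssdeep` looks like a typo for `testSsdeep`, and `testFilenameHashLowercase`, `testDomainModify`, `testSssdeep` and the two private helpers lack the `: void` return type that the other methods declare.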
@@ -0,0 +1,579 @@ +checkCSV($csv); + $this->assertCount(2, $results); + } + + public function testCheckCSVTabulator(): void + { + $complexTypeTool = new ComplexTypeTool(); + $csv = <<checkCSV($csv, ['delimiter' => '\t']); + $this->assertCount(5, $results); + } + + public function testCheckCSVValues(): void + { + $complexTypeTool = new ComplexTypeTool(); + $csv = <<checkCSV($csv, ['value' => '1', 'delimiter' => '\t']); + $this->assertCount(2, $results); + foreach (['127.0.0.1', '127.0.0.3'] as $k => $test) { + $this->assertEquals($test, $results[$k]['value']); + $this->assertEquals('ip-dst', $results[$k]['default_type']); + } + } + + public function testCheckCSVEmpty(): void + { + $complexTypeTool = new ComplexTypeTool(); + $results = $complexTypeTool->checkCSV(''); + $this->assertCount(0, $results); + } + + public function testCheckCSVEmptyLines(): void + { + $complexTypeTool = new ComplexTypeTool(); + $results = $complexTypeTool->checkCSV(",,,\t\n,,,,,"); + $this->assertCount(0, $results); + } + + public function testCheckCSVTestFile(): void + { + $complexTypeTool = new ComplexTypeTool(); + $results = $complexTypeTool->checkCSV(file_get_contents(__DIR__ . 
'/../../Files/event.csv')); + $this->assertCount(37, $results); + } + + public function testCheckFreeTextHeader(): void + { + $complexTypeTool = new ComplexTypeTool(); + $text = <<; "127.0.0.4" "'127.0.0.5'" +EOT; + $results = $complexTypeTool->checkFreeText($text); + $this->assertCount(5, $results); + foreach (['127.0.0.1', '127.0.0.2', '127.0.0.3', '127.0.0.4', '127.0.0.5'] as $k => $test) { + $this->assertEquals($test, $results[$k]['value']); + $this->assertEquals('ip-dst', $results[$k]['default_type']); + } + } + + public function testCheckFreeTextIpv4(): void + { + $complexTypeTool = new ComplexTypeTool(); + $results = $complexTypeTool->checkFreeText('127.0.0.1'); + $this->assertCount(1, $results); + $this->assertEquals('127.0.0.1', $results[0]['value']); + $this->assertEquals('ip-dst', $results[0]['default_type']); + } + + public function testCheckFreeTextIpv4Bracket(): void + { + $complexTypeTool = new ComplexTypeTool(); + $results = $complexTypeTool->checkFreeText('we also saw an IP address (8.8.8.8).'); + $this->assertCount(1, $results); + $this->assertEquals('8.8.8.8', $results[0]['value']); + $this->assertEquals('ip-dst', $results[0]['default_type']); + } + + public function testCheckFreeTextIpv4WithPort(): void + { + $complexTypeTool = new ComplexTypeTool(); + $results = $complexTypeTool->checkFreeText('127.0.0.1:8080'); + $this->assertCount(1, $results); + $this->assertEquals('127.0.0.1|8080', $results[0]['value']); + $this->assertEquals('ip-dst|port', $results[0]['default_type']); + $this->assertEquals('On port 8080', $results[0]['comment']); + } + + public function testCheckFreeTextIpv4Cidr(): void + { + $complexTypeTool = new ComplexTypeTool(); + $results = $complexTypeTool->checkFreeText('127.0.0.1/32'); + $this->assertCount(1, $results); + $this->assertEquals('127.0.0.1/32', $results[0]['value']); + $this->assertEquals('ip-dst', $results[0]['default_type']); + } + + // Issue https://github.com/MISP/MISP/issues/6009 + public function 
testCheckFreeTextIpv6(): void + { + $complexTypeTool = new ComplexTypeTool(); + $results = $complexTypeTool->checkFreeText('2a00:1450:4005:80a::2003'); + $this->assertCount(1, $results); + $this->assertEquals('2a00:1450:4005:80a::2003', $results[0]['value']); + $this->assertEquals('ip-dst', $results[0]['default_type']); + } + + // Issue https://github.com/MISP/MISP/issues/3383 + public function testCheckFreeTextIpv6Invalid(): void + { + $complexTypeTool = new ComplexTypeTool(); + $results = $complexTypeTool->checkFreeText('fe80:0000:f2cd:7d80:3f37:52c6'); + $this->assertCount(0, $results); + } + + public function testCheckFreeTextIpv6Cidr(): void + { + $complexTypeTool = new ComplexTypeTool(); + $results = $complexTypeTool->checkFreeText('2a00:1450:4005:80a::2003/128'); + $this->assertCount(1, $results); + $this->assertEquals('2a00:1450:4005:80a::2003/128', $results[0]['value']); + $this->assertEquals('ip-dst', $results[0]['default_type']); + } + + public function testCheckFreeTextIpv6WithPort(): void + { + $complexTypeTool = new ComplexTypeTool(); + $results = $complexTypeTool->checkFreeText('[1fff:0:a88:85a3::ac1f]:8001'); + $this->assertCount(1, $results); + $this->assertEquals('1fff:0:a88:85a3::ac1f|8001', $results[0]['value']); + $this->assertEquals('ip-dst|port', $results[0]['default_type']); + $this->assertEquals('On port 8001', $results[0]['comment']); + } + + public function testCheckFreeTextDomain(): void + { + $complexTypeTool = new ComplexTypeTool(); + $results = $complexTypeTool->checkFreeText('example.com'); + $this->assertCount(1, $results); + $this->assertEquals('example.com', $results[0]['value']); + $this->assertEquals('domain', $results[0]['default_type']); + } + + public function testCheckFreeTextDomainThirdLevel(): void + { + $complexTypeTool = new ComplexTypeTool(); + $results = $complexTypeTool->checkFreeText('example.example.com'); + $this->assertCount(1, $results); + $this->assertEquals('example.example.com', $results[0]['value']); + 
$this->assertEquals('hostname', $results[0]['default_type']); + } + + public function testCheckFreeTextDomainDot(): void + { + $complexTypeTool = new ComplexTypeTool(); + $results = $complexTypeTool->checkFreeText('example.com.'); + $this->assertCount(1, $results); + $this->assertEquals('example.com', $results[0]['value']); + $this->assertEquals('domain', $results[0]['default_type']); + } + + public function testCheckFreeTextDomainNotExistsTld(): void + { + $complexTypeTool = new ComplexTypeTool(); + $complexTypeTool->setTLDs(['com']); + $results = $complexTypeTool->checkFreeText('example.example'); + $this->assertCount(1, $results); + $this->assertEquals('example.example', $results[0]['value']); + $this->assertEquals('filename', $results[0]['default_type']); + } + + public function testCheckFreeTextFilenameMultipleExt(): void + { + $complexTypeTool = new ComplexTypeTool(); + $results = $complexTypeTool->checkFreeText('example.txt.zip'); + $this->assertCount(1, $results); + $this->assertEquals('example.txt.zip', $results[0]['value']); + $this->assertEquals('filename', $results[0]['default_type']); + } + + public function testCheckFreeTextFilenameWithPathUnix(): void + { + $complexTypeTool = new ComplexTypeTool(); + $results = $complexTypeTool->checkFreeText('/var/log/example.txt.zip'); + $this->assertCount(1, $results); + $this->assertEquals('/var/log/example.txt.zip', $results[0]['value']); + $this->assertEquals('filename', $results[0]['default_type']); + } + + public function testCheckFreeTextFilenameWithPathWindows(): void + { + $complexTypeTool = new ComplexTypeTool(); + $results = $complexTypeTool->checkFreeText('C:\example.txt.zip'); + $this->assertCount(1, $results); + $this->assertEquals('C:\example.txt.zip', $results[0]['value']); + $this->assertEquals('filename', $results[0]['default_type']); + } + + public function testCheckFreeTextRegkey(): void + { + $complexTypeTool = new ComplexTypeTool(); + $results = 
$complexTypeTool->checkFreeText('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion'); + $this->assertCount(1, $results); + $this->assertEquals('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion', $results[0]['value']); + $this->assertEquals('regkey', $results[0]['default_type']); + } + + public function testCheckFreeTextDomainWithPort(): void + { + $complexTypeTool = new ComplexTypeTool(); + $results = $complexTypeTool->checkFreeText('example.com:80'); + $this->assertCount(1, $results); + $this->assertEquals('example.com', $results[0]['value']); + $this->assertEquals('domain', $results[0]['default_type']); + $this->assertEquals('On port 80', $results[0]['comment']); + } + + public function testCheckFreeTextDomainUppercase(): void + { + $complexTypeTool = new ComplexTypeTool(); + $results = $complexTypeTool->checkFreeText('EXAMPLE.COM'); + $this->assertCount(1, $results); + $this->assertEquals('EXAMPLE.COM', $results[0]['value']); + $this->assertEquals('domain', $results[0]['default_type']); + } + + public function testCheckFreeTextIdnDomain(): void + { + $complexTypeTool = new ComplexTypeTool(); + $results = $complexTypeTool->checkFreeText('háčkyčárky.cz'); + $this->assertCount(1, $results); + $this->assertEquals('háčkyčárky.cz', $results[0]['value']); + $this->assertEquals('domain', $results[0]['default_type']); + } + + // Issue https://github.com/MISP/MISP/issues/657 + public function testCheckFreeTextPunycode(): void + { + $complexTypeTool = new ComplexTypeTool(); + $results = $complexTypeTool->checkFreeText('xn--ghq549cb2anjl2suxo.com'); + $this->assertCount(1, $results); + $this->assertEquals('xn--ghq549cb2anjl2suxo.com', $results[0]['value']); + $this->assertEquals('domain', $results[0]['default_type']); + } + + // Issue https://github.com/MISP/MISP/issues/657 + public function testCheckFreeTextPunycodeTld(): void + { + $complexTypeTool = new ComplexTypeTool(); + $complexTypeTool->setTLDs(['xn--fiqs8s']); + $results = 
$complexTypeTool->checkFreeText('xn--lbrs59br5a.xn--fiqs8s'); + $this->assertCount(1, $results); + $this->assertEquals('xn--lbrs59br5a.xn--fiqs8s', $results[0]['value']); + $this->assertEquals('domain', $results[0]['default_type']); + } + + // Issue https://github.com/MISP/MISP/issues/3580 + public function testCheckFreeTextDate(): void + { + $complexTypeTool = new ComplexTypeTool(); + $results = $complexTypeTool->checkFreeText('2018-08-21'); + $this->assertCount(0, $results); + } + + public function testCheckFreeTextEmail(): void + { + $complexTypeTool = new ComplexTypeTool(); + $results = $complexTypeTool->checkFreeText('test@example.com'); + $this->assertCount(1, $results); + $this->assertEquals('test@example.com', $results[0]['value']); + $this->assertEquals('email-src', $results[0]['default_type']); + } + + public function testCheckFreeTextEmailBracket(): void + { + $complexTypeTool = new ComplexTypeTool(); + $results = $complexTypeTool->checkFreeText('test[@]example.com'); + $this->assertCount(1, $results); + $this->assertEquals('test@example.com', $results[0]['value']); + $this->assertEquals('email-src', $results[0]['default_type']); + } + + // Issue https://github.com/MISP/MISP/issues/4805 + public function testCheckFreeTextEmailBracketAt(): void + { + $complexTypeTool = new ComplexTypeTool(); + $results = $complexTypeTool->checkFreeText('test[at]example.com'); + $this->assertCount(1, $results); + $this->assertEquals('test@example.com', $results[0]['value']); + $this->assertEquals('email-src', $results[0]['default_type']); + } + + public function testCheckFreeTextUrlHttp(): void + { + $complexTypeTool = new ComplexTypeTool(); + $results = $complexTypeTool->checkFreeText('http://example.com'); + $this->assertCount(1, $results); + $this->assertEquals('http://example.com', $results[0]['value']); + $this->assertEquals('url', $results[0]['default_type']); + } + + public function testCheckFreeTextUrlHttps(): void + { + $complexTypeTool = new ComplexTypeTool(); + 
$results = $complexTypeTool->checkFreeText('https://example.com'); + $this->assertCount(1, $results); + $this->assertEquals('https://example.com', $results[0]['value']); + $this->assertEquals('url', $results[0]['default_type']); + } + + public function testCheckFreeTextUrlWithPort(): void + { + $complexTypeTool = new ComplexTypeTool(); + $results = $complexTypeTool->checkFreeText('https://github.com:443/MISP/MISP'); + $this->assertCount(1, $results); + $this->assertEquals('https://github.com:443/MISP/MISP', $results[0]['value']); + $this->assertEquals('url', $results[0]['default_type']); + } + + public function testCheckFreeTextUrlWithoutProtocol(): void + { + $complexTypeTool = new ComplexTypeTool(); + $results = $complexTypeTool->checkFreeText('github.com/MISP/MISP'); + $this->assertCount(1, $results); + $this->assertEquals('github.com/MISP/MISP', $results[0]['value']); + $this->assertEquals('url', $results[0]['default_type']); + } + + public function testCheckFreeTextUrlVirusTotal(): void + { + $complexTypeTool = new ComplexTypeTool(); + $results = $complexTypeTool->checkFreeText('https://www.virustotal.com/example https://virustotal.com/example'); + $this->assertCount(2, $results); + + $this->assertEquals('https://www.virustotal.com/example', $results[0]['value']); + $this->assertEquals('link', $results[0]['default_type']); + + $this->assertEquals('https://virustotal.com/example', $results[1]['value']); + $this->assertEquals('link', $results[1]['default_type']); + } + + public function testCheckFreeTextUrlHybridAnalysis(): void + { + $complexTypeTool = new ComplexTypeTool(); + $results = $complexTypeTool->checkFreeText('https://www.hybrid-analysis.com/example'); + $this->assertCount(1, $results); + $this->assertEquals('https://www.hybrid-analysis.com/example', $results[0]['value']); + $this->assertEquals('link', $results[0]['default_type']); + } + + // Issue https://github.com/MISP/MISP/issues/4908 + public function testCheckFreeTextUrlReplace(): void + { + 
$complexTypeTool = new ComplexTypeTool();
+ foreach (['hxxp://example.com', 'hxtp://example.com', 'htxp://example.com'] as $test) {
+ $results = $complexTypeTool->checkFreeText($test);
+ $this->assertCount(1, $results);
+ $this->assertEquals('http://example.com', $results[0]['value']);
+ $this->assertEquals('url', $results[0]['default_type']);
+ }
+ }
+
+ // Issue https://github.com/MISP/MISP/issues/4908
+ public function testCheckFreeTextUrlReplaceHttps(): void
+ {
+ $complexTypeTool = new ComplexTypeTool();
+ foreach (['hxxps://example.com', 'hxtps://example.com', 'htxps://example.com'] as $test) {
+ $results = $complexTypeTool->checkFreeText($test);
+ $this->assertCount(1, $results);
+ $this->assertEquals('https://example.com', $results[0]['value']);
+ $this->assertEquals('url', $results[0]['default_type']);
+ }
+ }
+
+ public function testCheckFreeTextBtc(): void
+ {
+ $complexTypeTool = new ComplexTypeTool();
+ $results = $complexTypeTool->checkFreeText('1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa');
+ $this->assertCount(1, $results);
+ $this->assertEquals('1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa', $results[0]['value']);
+ $this->assertEquals('btc', $results[0]['default_type']);
+ }
+
+ public function testCheckFreeTextBtcBech32(): void
+ {
+ $complexTypeTool = new ComplexTypeTool();
+
+ $validAddresses = [
+ 'BC1QW508D6QEJXTDG4Y5R3ZARVARY0C5XW7KV8F3T4',
+ 'tb1qrp33g0q5c5txsp9arysrx4k6zdkfs4nce4xj0gdcccefvpysxf3q0sl5k7',
+ 'bc1pw508d6qejxtdg4y5r3zarvary0c5xw7kw508d6qejxtdg4y5r3zarvary0c5xw7k7grplx',
+ 'BC1SW50QA3JX3S',
+ 'bc1zw508d6qejxtdg4y5r3zarvaryvg6kdaj',
+ 'tb1qqqqqp399et2xygdj5xreqhjjvcmzhxw4aywxecjdzew6hylgvsesrxh6hy',
+ ];
+
+ foreach ($validAddresses as $validAddress) {
+ $results = $complexTypeTool->checkFreeText($validAddress);
+ $this->assertCount(1, $results);
+ $this->assertEquals($validAddress, $results[0]['value']);
+ $this->assertEquals('btc', $results[0]['default_type']);
+ }
+ }
+
+ public function testCheckFreeTextSsdeep(): void
+ {
+ $complexTypeTool = new ComplexTypeTool();
+ $results = $complexTypeTool->checkFreeText('24:VGXGP7L5e/Ixt3af/WKPPaYpzg4m3XWMCsXNCRs0:kYDxcfPZpelCs9Cm0');
+ $this->assertCount(1, $results);
+ $this->assertEquals('24:VGXGP7L5e/Ixt3af/WKPPaYpzg4m3XWMCsXNCRs0:kYDxcfPZpelCs9Cm0', $results[0]['value']);
+ $this->assertEquals('ssdeep', $results[0]['default_type']);
+ }
+
+ public function testCheckFreeTextCve(): void
+ {
+ $complexTypeTool = new ComplexTypeTool();
+ $results = $complexTypeTool->checkFreeText('CVE-2019-16202');
+ $this->assertCount(1, $results);
+ $this->assertEquals('CVE-2019-16202', $results[0]['value']);
+ $this->assertEquals('vulnerability', $results[0]['default_type']);
+ }
+
+ public function testCheckFreeTextCveLowercase(): void
+ {
+ $complexTypeTool = new ComplexTypeTool();
+ $results = $complexTypeTool->checkFreeText('cve-2019-16202');
+ $this->assertCount(1, $results);
+ $this->assertEquals('CVE-2019-16202', $results[0]['value']);
+ $this->assertEquals('vulnerability', $results[0]['default_type']);
+ }
+
+ public function testCheckFreeTextAs(): void
+ {
+ $complexTypeTool = new ComplexTypeTool();
+ $results = $complexTypeTool->checkFreeText('as0 AS0');
+ $this->assertCount(1, $results);
+ $this->assertEquals('AS0', $results[0]['value']);
+ $this->assertEquals('AS', $results[0]['default_type']);
+ }
+
+ public function testCheckFreeTextMd5(): void
+ {
+ $complexTypeTool = new ComplexTypeTool();
+ $results = $complexTypeTool->checkFreeText('9e107d9d372bb6826bd81d3542a419d6');
+ $this->assertCount(1, $results);
+ $this->assertEquals('9e107d9d372bb6826bd81d3542a419d6', $results[0]['value']);
+ $this->assertEquals('md5', $results[0]['default_type']);
+ }
+
+ public function testCheckFreeTextMd5Uppercase(): void
+ {
+ $complexTypeTool = new ComplexTypeTool();
+ $results = $complexTypeTool->checkFreeText('9E107D9D372BB6826BD81D3542A419D6');
+ $this->assertCount(1, $results);
+ $this->assertEquals('9E107D9D372BB6826BD81D3542A419D6', $results[0]['value']);
+ $this->assertEquals('md5', $results[0]['default_type']);
+ }
+
+ public function testCheckFreeTextSha1(): void
+ {
+ $complexTypeTool = new ComplexTypeTool();
+ $results = $complexTypeTool->checkFreeText('da39a3ee5e6b4b0d3255bfef95601890afd80709');
+ $this->assertCount(1, $results);
+ $this->assertEquals('da39a3ee5e6b4b0d3255bfef95601890afd80709', $results[0]['value']);
+ $this->assertEquals('sha1', $results[0]['default_type']);
+ }
+
+ public function testCheckFreeTextFilenameWithMd5(): void
+ {
+ $complexTypeTool = new ComplexTypeTool();
+ $results = $complexTypeTool->checkFreeText('ahoj.txt|9e107d9d372bb6826bd81d3542a419d6');
+ $this->assertCount(1, $results);
+ $this->assertEquals('ahoj.txt|9e107d9d372bb6826bd81d3542a419d6', $results[0]['value']);
+ $this->assertEquals('filename|md5', $results[0]['default_type']);
+ }
+
+ public function testCheckFreeTextRandomString(): void
+ {
+ $complexTypeTool = new ComplexTypeTool();
+ $results = $complexTypeTool->checkFreeText('cK753n3MVw');
+ $this->assertCount(0, $results);
+ }
+
+ public function testCheckFreeTextEmpty(): void
+ {
+ $complexTypeTool = new ComplexTypeTool();
+ $results = $complexTypeTool->checkFreeText('');
+ $this->assertCount(0, $results);
+ }
+
+ public function testCheckFreeTextEmptyValues(): void
+ {
+ $complexTypeTool = new ComplexTypeTool();
+ foreach (['|', '&', '$', '0', ':80', '1.2', '[]:80', '\.', '.', ':', 'a:b', 'a:b:c'] as $char) {
+ $results = $complexTypeTool->checkFreeText($char);
+ $this->assertCount(0, $results);
+ }
+ }
+
+ public function testCheckFreeTextNonBreakableSpace(): void
+ {
+ $complexTypeTool = new ComplexTypeTool();
+ $results = $complexTypeTool->checkFreeText("127.0.0.1\xc2\xa0127.0.0.2");
+ $this->assertCount(2, $results);
+ $this->assertEquals('127.0.0.1', $results[0]['value']);
+ $this->assertEquals('ip-dst', $results[0]['default_type']);
+ }
+
+ public function testCheckFreeTextQuoted(): void
+ {
+ $complexTypeTool = new ComplexTypeTool();
+ $results = $complexTypeTool->checkFreeText('="127.0.0.1",="127.0.0.2","","1"');
+ $this->assertCount(2, $results);
+ $this->assertEquals('127.0.0.1', $results[0]['value']);
+ $this->assertEquals('ip-dst', $results[0]['default_type']);
+ }
+
+ public function testCheckFreeTextRemoveDuplicates(): void
+ {
+ $complexTypeTool = new ComplexTypeTool();
+ $results = $complexTypeTool->checkFreeText('1.2.3.4 1.2.3.4');
+ $this->assertCount(1, $results);
+ }
+
+ public function testRefangValueUrl(): void
+ {
+ $complexTypeTool = new ComplexTypeTool();
+ foreach (['meow://example.com', 'h[tt]p://example.com'] as $test) {
+ $this->assertEquals('http://example.com', $complexTypeTool->refangValue($test, 'url'));
+ $this->assertEquals('http://example.com', $complexTypeTool->refangValue($test, 'link'));
+ }
+ }
+
+ public function testRefangValueDot(): void
+ {
+ $complexTypeTool = new ComplexTypeTool();
+ foreach (['127.0.0.1', '127[.]0.0.1', '127[.]0[.]0[.]1', '127[dot]0[dot]0[dot]1', '127(dot)0(dot)0(dot)1'] as $test) {
+ $this->assertEquals('127.0.0.1', $complexTypeTool->refangValue($test, 'ip-src'));
+ }
+ }
+
+ // see #7214
+ public function testRefangKeepBackslashes(): void
+ {
+ $text = 'http://googlechromeupdater.twilightparadox.com/html?DVXNSTHORF=fd6f240590734406be3bd35ca3622ea0;GRIBOOZ0LN=a3bf23855b0b40dda08f709fabb60d32;\..\..\..\./mshtml,RunHTMLApplication';
+ $complexTypeTool = new ComplexTypeTool();
+ $this->assertEquals($text, $complexTypeTool->refangValue($text, 'url'));
+ }
+}