2018-08-10 19:04:02 +02:00
|
|
|
#!/usr/bin/env python3
|
|
|
|
|
# -*- coding: utf-8 -*-
|
|
|
|
|
|
|
|
|
|
import unittest
|
|
|
|
|
|
2018-08-21 11:16:51 +02:00
|
|
|
from pymisp import ExpandedPyMISP, MISPEvent, MISPOrganisation, MISPUser, Distribution, ThreatLevel, Analysis
|
2018-09-19 06:58:20 +02:00
|
|
|
from datetime import datetime, timedelta, date
|
|
|
|
|
from io import BytesIO
|
2018-08-10 19:04:02 +02:00
|
|
|
|
|
|
|
|
import time
|
|
|
|
|
|
|
|
|
|
try:
|
|
|
|
|
from keys import url, key
|
2018-08-12 01:21:49 +02:00
|
|
|
except ImportError as e:
|
|
|
|
|
print(e)
|
2018-08-10 19:04:02 +02:00
|
|
|
url = 'http://localhost:8080'
|
|
|
|
|
key = 'fk5BodCZw8owbscW8pQ4ykMASLeJ4NYhuAbshNjo'
|
|
|
|
|
|
|
|
|
|
from uuid import uuid4
|
|
|
|
|
|
2018-09-21 22:22:37 +02:00
|
|
|
local = False
|
|
|
|
|
|
2018-08-10 19:04:02 +02:00
|
|
|
|
|
|
|
|
class TestComprehensive(unittest.TestCase):
|
|
|
|
|
|
|
|
|
|
@classmethod
|
|
|
|
|
def setUpClass(cls):
|
|
|
|
|
cls.maxDiff = None
|
|
|
|
|
# Connect as admin
|
2018-09-19 06:58:20 +02:00
|
|
|
cls.admin_misp_connector = ExpandedPyMISP(url, key, debug=False)
|
2018-08-10 19:04:02 +02:00
|
|
|
# Creates an org
|
|
|
|
|
org = cls.admin_misp_connector.add_organisation(name='Test Org')
|
|
|
|
|
cls.test_org = MISPOrganisation()
|
|
|
|
|
cls.test_org.from_dict(**org)
|
|
|
|
|
# Creates a user
|
|
|
|
|
usr = cls.admin_misp_connector.add_user(email='testusr@user.local', org_id=cls.test_org.id, role_id=3)
|
|
|
|
|
cls.test_usr = MISPUser()
|
|
|
|
|
cls.test_usr.from_dict(**usr)
|
2018-08-20 18:27:06 +02:00
|
|
|
cls.user_misp_connector = ExpandedPyMISP(url, cls.test_usr.authkey)
|
2018-08-10 19:04:02 +02:00
|
|
|
# Creates a publisher
|
|
|
|
|
pub = cls.admin_misp_connector.add_user(email='testpub@user.local', org_id=cls.test_org.id, role_id=4)
|
|
|
|
|
cls.test_pub = MISPUser()
|
|
|
|
|
cls.test_pub.from_dict(**pub)
|
2018-08-20 18:27:06 +02:00
|
|
|
cls.pub_misp_connector = ExpandedPyMISP(url, cls.test_pub.authkey)
|
2018-08-10 19:04:02 +02:00
|
|
|
|
|
|
|
|
@classmethod
|
|
|
|
|
def tearDownClass(cls):
|
|
|
|
|
# Delete publisher
|
|
|
|
|
cls.admin_misp_connector.delete_user(user_id=cls.test_pub.id)
|
|
|
|
|
# Delete user
|
|
|
|
|
cls.admin_misp_connector.delete_user(user_id=cls.test_usr.id)
|
|
|
|
|
# Delete org
|
|
|
|
|
cls.admin_misp_connector.delete_organisation(org_id=cls.test_org.id)
|
|
|
|
|
|
2018-08-21 00:32:27 +02:00
|
|
|
def create_simple_event(self, force_timestamps=False):
|
2018-08-10 19:04:02 +02:00
|
|
|
mispevent = MISPEvent(force_timestamps=force_timestamps)
|
2018-08-21 00:32:27 +02:00
|
|
|
mispevent.info = 'This is a super simple test'
|
2018-08-10 19:04:02 +02:00
|
|
|
mispevent.distribution = Distribution.your_organisation_only
|
|
|
|
|
mispevent.threat_level_id = ThreatLevel.low
|
|
|
|
|
mispevent.analysis = Analysis.completed
|
|
|
|
|
mispevent.add_attribute('text', str(uuid4()))
|
|
|
|
|
return mispevent
|
|
|
|
|
|
2018-08-20 18:27:06 +02:00
|
|
|
def environment(self):
|
|
|
|
|
first_event = MISPEvent()
|
|
|
|
|
first_event.info = 'First event - org only - low - completed'
|
|
|
|
|
first_event.distribution = Distribution.your_organisation_only
|
|
|
|
|
first_event.threat_level_id = ThreatLevel.low
|
|
|
|
|
first_event.analysis = Analysis.completed
|
|
|
|
|
first_event.set_date("2017-12-31")
|
|
|
|
|
first_event.add_attribute('text', str(uuid4()))
|
2018-08-21 11:16:51 +02:00
|
|
|
first_event.attributes[0].add_tag('admin_only')
|
|
|
|
|
first_event.attributes[0].add_tag('tlp:white___test')
|
2018-08-21 14:34:29 +02:00
|
|
|
first_event.add_attribute('text', str(uuid4()))
|
|
|
|
|
first_event.attributes[1].add_tag('unique___test')
|
2018-08-20 18:27:06 +02:00
|
|
|
|
|
|
|
|
second_event = MISPEvent()
|
|
|
|
|
second_event.info = 'Second event - org only - medium - ongoing'
|
|
|
|
|
second_event.distribution = Distribution.your_organisation_only
|
|
|
|
|
second_event.threat_level_id = ThreatLevel.medium
|
|
|
|
|
second_event.analysis = Analysis.ongoing
|
|
|
|
|
second_event.set_date("Aug 18 2018")
|
|
|
|
|
second_event.add_attribute('text', str(uuid4()))
|
|
|
|
|
second_event.attributes[0].add_tag('tlp:white___test')
|
|
|
|
|
second_event.add_attribute('ip-dst', '1.1.1.1')
|
|
|
|
|
# Same value as in first event.
|
|
|
|
|
second_event.add_attribute('text', first_event.attributes[0].value)
|
|
|
|
|
|
|
|
|
|
third_event = MISPEvent()
|
|
|
|
|
third_event.info = 'Third event - all orgs - high - initial'
|
|
|
|
|
third_event.distribution = Distribution.all_communities
|
|
|
|
|
third_event.threat_level_id = ThreatLevel.high
|
|
|
|
|
third_event.analysis = Analysis.initial
|
|
|
|
|
third_event.set_date("Jun 25 2018")
|
|
|
|
|
third_event.add_tag('tlp:white___test')
|
|
|
|
|
third_event.add_attribute('text', str(uuid4()))
|
|
|
|
|
third_event.attributes[0].add_tag('tlp:amber___test')
|
|
|
|
|
third_event.attributes[0].add_tag('foo_double___test')
|
|
|
|
|
third_event.add_attribute('ip-src', '8.8.8.8')
|
|
|
|
|
third_event.attributes[1].add_tag('tlp:amber___test')
|
|
|
|
|
third_event.add_attribute('ip-dst', '9.9.9.9')
|
|
|
|
|
|
|
|
|
|
# Create first and third event as admin
|
|
|
|
|
# usr won't be able to see the first one
|
|
|
|
|
first = self.admin_misp_connector.add_event(first_event)
|
|
|
|
|
third = self.admin_misp_connector.add_event(third_event)
|
|
|
|
|
# Create second event as user
|
|
|
|
|
second = self.user_misp_connector.add_event(second_event)
|
|
|
|
|
return first, second, third
|
|
|
|
|
|
2018-08-10 19:04:02 +02:00
|
|
|
def test_search_value_event(self):
|
2018-08-20 18:27:06 +02:00
|
|
|
'''Search a value on the event controller
|
|
|
|
|
* Test ACL admin user vs normal user in an other org
|
|
|
|
|
* Make sure we have one match
|
|
|
|
|
'''
|
2018-08-10 19:04:02 +02:00
|
|
|
try:
|
2018-08-20 18:27:06 +02:00
|
|
|
first, second, third = self.environment()
|
2018-08-10 19:04:02 +02:00
|
|
|
# Search as admin
|
2018-09-19 06:58:20 +02:00
|
|
|
events = self.admin_misp_connector.search(value=first.attributes[0].value, pythonify=True)
|
2018-08-21 11:16:51 +02:00
|
|
|
self.assertEqual(len(events), 2)
|
|
|
|
|
for e in events:
|
|
|
|
|
self.assertIn(e.id, [first.id, second.id])
|
2018-08-20 18:27:06 +02:00
|
|
|
# Search as user
|
2018-09-19 06:58:20 +02:00
|
|
|
events = self.user_misp_connector.search(value=first.attributes[0].value, pythonify=True)
|
2018-08-21 11:16:51 +02:00
|
|
|
self.assertEqual(len(events), 1)
|
|
|
|
|
for e in events:
|
|
|
|
|
self.assertIn(e.id, [second.id])
|
2018-08-20 18:27:06 +02:00
|
|
|
# Non-existing value
|
2018-09-19 06:58:20 +02:00
|
|
|
events = self.user_misp_connector.search(value=str(uuid4()), pythonify=True)
|
2018-08-21 11:16:51 +02:00
|
|
|
self.assertEqual(events, [])
|
2018-08-20 18:27:06 +02:00
|
|
|
finally:
|
|
|
|
|
# Delete events
|
|
|
|
|
self.admin_misp_connector.delete_event(first.id)
|
|
|
|
|
self.admin_misp_connector.delete_event(second.id)
|
|
|
|
|
self.admin_misp_connector.delete_event(third.id)
|
|
|
|
|
|
|
|
|
|
def test_search_value_attribute(self):
|
2018-09-19 06:58:20 +02:00
|
|
|
'''Search value in attributes controller'''
|
2018-08-20 18:27:06 +02:00
|
|
|
try:
|
|
|
|
|
first, second, third = self.environment()
|
|
|
|
|
# Search as admin
|
2018-09-19 06:58:20 +02:00
|
|
|
attributes = self.admin_misp_connector.search(controller='attributes', value=first.attributes[0].value, pythonify=True)
|
2018-08-21 11:16:51 +02:00
|
|
|
self.assertEqual(len(attributes), 2)
|
|
|
|
|
for a in attributes:
|
|
|
|
|
self.assertIn(a.event_id, [first.id, second.id])
|
2018-08-10 19:04:02 +02:00
|
|
|
# Search as user
|
2018-09-19 06:58:20 +02:00
|
|
|
attributes = self.user_misp_connector.search(controller='attributes', value=first.attributes[0].value, pythonify=True)
|
2018-08-21 11:16:51 +02:00
|
|
|
self.assertEqual(len(attributes), 1)
|
|
|
|
|
for a in attributes:
|
|
|
|
|
self.assertIn(a.event_id, [second.id])
|
2018-08-20 18:27:06 +02:00
|
|
|
# Non-existing value
|
2018-09-19 06:58:20 +02:00
|
|
|
attributes = self.user_misp_connector.search(controller='attributes', value=str(uuid4()), pythonify=True)
|
2018-08-21 11:16:51 +02:00
|
|
|
self.assertEqual(attributes, [])
|
2018-08-10 19:04:02 +02:00
|
|
|
finally:
|
|
|
|
|
# Delete event
|
2018-08-20 18:27:06 +02:00
|
|
|
self.admin_misp_connector.delete_event(first.id)
|
|
|
|
|
self.admin_misp_connector.delete_event(second.id)
|
|
|
|
|
self.admin_misp_connector.delete_event(third.id)
|
2018-08-10 19:04:02 +02:00
|
|
|
|
2018-08-20 18:27:06 +02:00
|
|
|
def test_search_type_event(self):
|
2018-09-19 06:58:20 +02:00
|
|
|
'''Search multiple events, search events containing attributes with specific types'''
|
2018-08-19 14:35:32 +02:00
|
|
|
try:
|
2018-08-20 18:27:06 +02:00
|
|
|
first, second, third = self.environment()
|
2018-08-19 14:35:32 +02:00
|
|
|
# Search as admin
|
2018-09-19 06:58:20 +02:00
|
|
|
events = self.admin_misp_connector.search(timestamp=first.timestamp.timestamp(), pythonify=True)
|
2018-08-21 11:16:51 +02:00
|
|
|
self.assertEqual(len(events), 3)
|
|
|
|
|
for e in events:
|
|
|
|
|
self.assertIn(e.id, [first.id, second.id, third.id])
|
|
|
|
|
attributes_types_search = self.admin_misp_connector.build_complex_query(or_parameters=['ip-src', 'ip-dst'])
|
|
|
|
|
events = self.admin_misp_connector.search(timestamp=first.timestamp.timestamp(),
|
2018-09-19 06:58:20 +02:00
|
|
|
type_attribute=attributes_types_search, pythonify=True)
|
2018-08-21 11:35:36 +02:00
|
|
|
self.assertEqual(len(events), 2)
|
2018-08-21 11:16:51 +02:00
|
|
|
for e in events:
|
2018-08-21 11:35:36 +02:00
|
|
|
self.assertIn(e.id, [second.id, third.id])
|
2018-08-19 14:35:32 +02:00
|
|
|
finally:
|
|
|
|
|
# Delete event
|
2018-08-20 18:27:06 +02:00
|
|
|
self.admin_misp_connector.delete_event(first.id)
|
|
|
|
|
self.admin_misp_connector.delete_event(second.id)
|
|
|
|
|
self.admin_misp_connector.delete_event(third.id)
|
2018-08-19 14:35:32 +02:00
|
|
|
|
2018-08-20 18:27:06 +02:00
|
|
|
def test_search_type_attribute(self):
|
2018-09-19 06:58:20 +02:00
|
|
|
'''Search multiple attributes, search attributes with specific types'''
|
2018-08-19 14:35:32 +02:00
|
|
|
try:
|
2018-08-20 18:27:06 +02:00
|
|
|
first, second, third = self.environment()
|
2018-08-19 14:35:32 +02:00
|
|
|
# Search as admin
|
2018-08-21 11:16:51 +02:00
|
|
|
attributes = self.admin_misp_connector.search(controller='attributes',
|
2018-09-19 06:58:20 +02:00
|
|
|
timestamp=first.timestamp.timestamp(), pythonify=True)
|
2018-08-21 14:34:29 +02:00
|
|
|
self.assertEqual(len(attributes), 8)
|
2018-08-21 11:16:51 +02:00
|
|
|
for a in attributes:
|
|
|
|
|
self.assertIn(a.event_id, [first.id, second.id, third.id])
|
|
|
|
|
# Search as user
|
|
|
|
|
attributes_types_search = self.admin_misp_connector.build_complex_query(or_parameters=['ip-src', 'ip-dst'])
|
|
|
|
|
attributes = self.admin_misp_connector.search(controller='attributes',
|
|
|
|
|
timestamp=first.timestamp.timestamp(),
|
2018-09-19 06:58:20 +02:00
|
|
|
type_attribute=attributes_types_search, pythonify=True)
|
2018-08-21 11:16:51 +02:00
|
|
|
self.assertEqual(len(attributes), 3)
|
|
|
|
|
for a in attributes:
|
|
|
|
|
self.assertIn(a.event_id, [second.id, third.id])
|
2018-08-19 14:35:32 +02:00
|
|
|
finally:
|
|
|
|
|
# Delete event
|
2018-08-20 18:27:06 +02:00
|
|
|
self.admin_misp_connector.delete_event(first.id)
|
|
|
|
|
self.admin_misp_connector.delete_event(second.id)
|
|
|
|
|
self.admin_misp_connector.delete_event(third.id)
|
2018-08-19 14:35:32 +02:00
|
|
|
|
2018-08-20 18:27:06 +02:00
|
|
|
def test_search_tag_event(self):
|
2018-09-19 06:58:20 +02:00
|
|
|
'''Search Tags at events level'''
|
2018-08-17 15:09:17 +02:00
|
|
|
try:
|
2018-08-20 18:27:06 +02:00
|
|
|
first, second, third = self.environment()
|
2018-08-17 15:09:17 +02:00
|
|
|
# Search as admin
|
2018-09-19 06:58:20 +02:00
|
|
|
events = self.admin_misp_connector.search(tags='tlp:white___test', pythonify=True)
|
2018-08-21 11:16:51 +02:00
|
|
|
self.assertEqual(len(events), 3)
|
|
|
|
|
for e in events:
|
|
|
|
|
self.assertIn(e.id, [first.id, second.id, third.id])
|
2018-09-19 06:58:20 +02:00
|
|
|
events = self.admin_misp_connector.search(tags='tlp:amber___test', pythonify=True)
|
2018-08-21 11:16:51 +02:00
|
|
|
self.assertEqual(len(events), 1)
|
|
|
|
|
for e in events:
|
|
|
|
|
self.assertIn(e.id, [third.id])
|
2018-09-19 06:58:20 +02:00
|
|
|
events = self.admin_misp_connector.search(tags='admin_only', pythonify=True)
|
2018-08-21 11:16:51 +02:00
|
|
|
self.assertEqual(len(events), 1)
|
|
|
|
|
for e in events:
|
|
|
|
|
self.assertIn(e.id, [first.id])
|
2018-08-17 15:09:17 +02:00
|
|
|
# Search as user
|
2018-09-19 06:58:20 +02:00
|
|
|
events = self.user_misp_connector.search(tags='tlp:white___test', pythonify=True)
|
2018-08-21 11:16:51 +02:00
|
|
|
self.assertEqual(len(events), 2)
|
|
|
|
|
for e in events:
|
|
|
|
|
self.assertIn(e.id, [second.id, third.id])
|
2018-09-19 06:58:20 +02:00
|
|
|
events = self.user_misp_connector.search(tags='tlp:amber___test', pythonify=True)
|
2018-08-21 11:16:51 +02:00
|
|
|
self.assertEqual(len(events), 1)
|
|
|
|
|
for e in events:
|
|
|
|
|
self.assertIn(e.id, [third.id])
|
2018-09-19 06:58:20 +02:00
|
|
|
events = self.user_misp_connector.search(tags='admin_only', pythonify=True)
|
2018-08-21 11:16:51 +02:00
|
|
|
self.assertEqual(events, [])
|
2018-08-17 15:09:17 +02:00
|
|
|
finally:
|
|
|
|
|
# Delete event
|
2018-08-20 18:27:06 +02:00
|
|
|
self.admin_misp_connector.delete_event(first.id)
|
|
|
|
|
self.admin_misp_connector.delete_event(second.id)
|
|
|
|
|
self.admin_misp_connector.delete_event(third.id)
|
2018-08-10 19:04:02 +02:00
|
|
|
|
2018-08-20 18:27:06 +02:00
|
|
|
def test_search_tag_attribute(self):
|
2018-09-19 06:58:20 +02:00
|
|
|
'''Search Tags at attributes level'''
|
2018-08-17 15:09:17 +02:00
|
|
|
try:
|
2018-08-20 18:27:06 +02:00
|
|
|
first, second, third = self.environment()
|
2018-08-17 15:09:17 +02:00
|
|
|
# Search as admin
|
2018-09-19 06:58:20 +02:00
|
|
|
attributes = self.admin_misp_connector.search(controller='attributes', tags='tlp:white___test', pythonify=True)
|
2018-08-21 11:16:51 +02:00
|
|
|
self.assertEqual(len(attributes), 5)
|
2018-09-19 06:58:20 +02:00
|
|
|
attributes = self.admin_misp_connector.search(controller='attributes', tags='tlp:amber___test', pythonify=True)
|
2018-08-21 11:16:51 +02:00
|
|
|
self.assertEqual(len(attributes), 2)
|
2018-09-19 06:58:20 +02:00
|
|
|
attributes = self.admin_misp_connector.search(tags='admin_only', pythonify=True)
|
2018-08-21 11:16:51 +02:00
|
|
|
self.assertEqual(len(attributes), 1)
|
2018-08-17 15:09:17 +02:00
|
|
|
# Search as user
|
2018-09-19 06:58:20 +02:00
|
|
|
attributes = self.user_misp_connector.search(controller='attributes', tags='tlp:white___test', pythonify=True)
|
2018-08-21 11:16:51 +02:00
|
|
|
self.assertEqual(len(attributes), 4)
|
2018-09-19 06:58:20 +02:00
|
|
|
attributes = self.user_misp_connector.search(controller='attributes', tags='tlp:amber___test', pythonify=True)
|
2018-08-21 11:16:51 +02:00
|
|
|
self.assertEqual(len(attributes), 2)
|
2018-09-19 06:58:20 +02:00
|
|
|
attributes = self.user_misp_connector.search(tags='admin_only', pythonify=True)
|
2018-08-21 11:16:51 +02:00
|
|
|
self.assertEqual(attributes, [])
|
2018-08-17 15:09:17 +02:00
|
|
|
finally:
|
|
|
|
|
# Delete event
|
2018-08-20 18:27:06 +02:00
|
|
|
self.admin_misp_connector.delete_event(first.id)
|
|
|
|
|
self.admin_misp_connector.delete_event(second.id)
|
|
|
|
|
self.admin_misp_connector.delete_event(third.id)
|
2018-08-10 19:04:02 +02:00
|
|
|
|
2018-08-20 18:27:06 +02:00
|
|
|
def test_search_tag_advanced_event(self):
|
2018-09-19 06:58:20 +02:00
|
|
|
'''Advanced search Tags at events level'''
|
2018-08-20 18:27:06 +02:00
|
|
|
try:
|
|
|
|
|
first, second, third = self.environment()
|
|
|
|
|
complex_query = self.admin_misp_connector.build_complex_query(or_parameters=['tlp:white___test'],
|
|
|
|
|
not_parameters=['tlp:amber___test',
|
|
|
|
|
'foo_double___test'])
|
2018-09-19 06:58:20 +02:00
|
|
|
events = self.admin_misp_connector.search(tags=complex_query, pythonify=True)
|
2018-08-21 11:16:51 +02:00
|
|
|
self.assertEqual(len(events), 3)
|
2018-08-20 18:27:06 +02:00
|
|
|
for e in events:
|
2018-08-21 11:16:51 +02:00
|
|
|
self.assertIn(e.id, [first.id, second.id, third.id])
|
2018-08-20 18:27:06 +02:00
|
|
|
for a in e.attributes:
|
|
|
|
|
self.assertEqual([t for t in a.tags if t.name == 'tlp:amber___test'], [])
|
|
|
|
|
for a in e.attributes:
|
|
|
|
|
self.assertEqual([t for t in a.tags if t.name == 'foo_double___test'], [])
|
2018-08-21 11:16:51 +02:00
|
|
|
|
2018-08-21 14:34:29 +02:00
|
|
|
complex_query = self.admin_misp_connector.build_complex_query(or_parameters=['unique___test'],
|
|
|
|
|
not_parameters=['tlp:white___test'])
|
2018-09-19 06:58:20 +02:00
|
|
|
events = self.admin_misp_connector.search(tags=complex_query, pythonify=True)
|
2018-08-21 14:34:29 +02:00
|
|
|
self.assertEqual(len(events), 1)
|
2018-08-21 11:16:51 +02:00
|
|
|
for e in events:
|
|
|
|
|
self.assertIn(e.id, [first.id, second.id])
|
|
|
|
|
for a in e.attributes:
|
|
|
|
|
self.assertEqual([t for t in a.tags if t.name == 'tlp:white___test'], [])
|
2018-08-20 18:27:06 +02:00
|
|
|
finally:
|
|
|
|
|
# Delete event
|
|
|
|
|
self.admin_misp_connector.delete_event(first.id)
|
|
|
|
|
self.admin_misp_connector.delete_event(second.id)
|
|
|
|
|
self.admin_misp_connector.delete_event(third.id)
|
|
|
|
|
|
|
|
|
|
def test_search_tag_advanced_attributes(self):
|
2018-09-19 06:58:20 +02:00
|
|
|
'''Advanced search Tags at attributes level'''
|
2018-08-20 18:27:06 +02:00
|
|
|
try:
|
|
|
|
|
first, second, third = self.environment()
|
|
|
|
|
complex_query = self.admin_misp_connector.build_complex_query(or_parameters=['tlp:white___test'],
|
|
|
|
|
not_parameters=['tlp:amber___test',
|
|
|
|
|
'foo_double___test'])
|
2018-09-19 06:58:20 +02:00
|
|
|
attributes = self.admin_misp_connector.search(controller='attributes', tags=complex_query, pythonify=True)
|
2018-08-21 11:16:51 +02:00
|
|
|
self.assertEqual(len(attributes), 3)
|
2018-08-20 18:27:06 +02:00
|
|
|
for a in attributes:
|
|
|
|
|
self.assertEqual([t for t in a.tags if t.name == 'tlp:amber___test'], [])
|
|
|
|
|
for a in attributes:
|
|
|
|
|
self.assertEqual([t for t in a.tags if t.name == 'foo_double___test'], [])
|
|
|
|
|
finally:
|
|
|
|
|
# Delete event
|
|
|
|
|
self.admin_misp_connector.delete_event(first.id)
|
|
|
|
|
self.admin_misp_connector.delete_event(second.id)
|
|
|
|
|
self.admin_misp_connector.delete_event(third.id)
|
|
|
|
|
|
|
|
|
|
def test_search_timestamp_event(self):
|
2018-09-19 06:58:20 +02:00
|
|
|
'''Search specific update timestamps at events level'''
|
2018-08-10 19:04:02 +02:00
|
|
|
# Creating event 1 - timestamp 5 min ago
|
2018-08-21 00:32:27 +02:00
|
|
|
first = self.create_simple_event(force_timestamps=True)
|
|
|
|
|
event_creation_timestamp_first = datetime.now() - timedelta(minutes=5)
|
|
|
|
|
first.timestamp = event_creation_timestamp_first
|
|
|
|
|
# Creating event 2 - timestamp 2 min ago
|
|
|
|
|
second = self.create_simple_event(force_timestamps=True)
|
|
|
|
|
event_creation_timestamp_second = datetime.now() - timedelta(minutes=2)
|
|
|
|
|
second.timestamp = event_creation_timestamp_second
|
|
|
|
|
try:
|
|
|
|
|
first = self.user_misp_connector.add_event(first)
|
|
|
|
|
second = self.user_misp_connector.add_event(second)
|
|
|
|
|
# Search as user
|
|
|
|
|
# # Test - last 4 min
|
2018-09-19 06:58:20 +02:00
|
|
|
events = self.user_misp_connector.search(timestamp='4m', pythonify=True)
|
2018-08-21 11:16:51 +02:00
|
|
|
self.assertEqual(len(events), 1)
|
|
|
|
|
self.assertEqual(events[0].id, second.id)
|
|
|
|
|
self.assertEqual(events[0].timestamp.timestamp(), int(event_creation_timestamp_second.timestamp()))
|
2018-08-21 00:32:27 +02:00
|
|
|
|
|
|
|
|
# # Test timestamp of 2nd event
|
2018-09-19 06:58:20 +02:00
|
|
|
events = self.user_misp_connector.search(timestamp=event_creation_timestamp_second.timestamp(), pythonify=True)
|
2018-08-21 11:16:51 +02:00
|
|
|
self.assertEqual(len(events), 1)
|
|
|
|
|
self.assertEqual(events[0].id, second.id)
|
|
|
|
|
self.assertEqual(events[0].timestamp.timestamp(), int(event_creation_timestamp_second.timestamp()))
|
2018-08-21 00:32:27 +02:00
|
|
|
|
|
|
|
|
# # Test interval -6 min -> -4 min
|
2018-09-19 06:58:20 +02:00
|
|
|
events = self.user_misp_connector.search(timestamp=['6m', '4m'], pythonify=True)
|
2018-08-21 11:16:51 +02:00
|
|
|
self.assertEqual(len(events), 1)
|
|
|
|
|
self.assertEqual(events[0].id, first.id)
|
|
|
|
|
self.assertEqual(events[0].timestamp.timestamp(), int(event_creation_timestamp_first.timestamp()))
|
2018-08-21 00:32:27 +02:00
|
|
|
finally:
|
|
|
|
|
# Delete event
|
|
|
|
|
self.admin_misp_connector.delete_event(first.id)
|
|
|
|
|
self.admin_misp_connector.delete_event(second.id)
|
|
|
|
|
|
2018-08-21 11:16:51 +02:00
|
|
|
def test_search_timestamp_attribute(self):
|
2018-09-19 06:58:20 +02:00
|
|
|
'''Search specific update timestamps at attributes level'''
|
2018-08-21 00:32:27 +02:00
|
|
|
# Creating event 1 - timestamp 5 min ago
|
|
|
|
|
first = self.create_simple_event(force_timestamps=True)
|
2018-08-10 19:04:02 +02:00
|
|
|
event_creation_timestamp_first = datetime.now() - timedelta(minutes=5)
|
|
|
|
|
first.timestamp = event_creation_timestamp_first
|
2018-08-21 00:32:27 +02:00
|
|
|
first.attributes[0].timestamp = event_creation_timestamp_first
|
2018-08-10 19:04:02 +02:00
|
|
|
# Creating event 2 - timestamp 2 min ago
|
2018-08-21 00:32:27 +02:00
|
|
|
second = self.create_simple_event(force_timestamps=True)
|
2018-08-10 19:04:02 +02:00
|
|
|
event_creation_timestamp_second = datetime.now() - timedelta(minutes=2)
|
|
|
|
|
second.timestamp = event_creation_timestamp_second
|
2018-08-21 00:32:27 +02:00
|
|
|
second.attributes[0].timestamp = event_creation_timestamp_second
|
2018-08-10 19:04:02 +02:00
|
|
|
try:
|
2018-08-21 00:32:27 +02:00
|
|
|
first = self.user_misp_connector.add_event(first)
|
|
|
|
|
second = self.user_misp_connector.add_event(second)
|
2018-08-10 19:04:02 +02:00
|
|
|
# Search as user
|
|
|
|
|
# # Test - last 4 min
|
2018-09-19 06:58:20 +02:00
|
|
|
attributes = self.user_misp_connector.search(controller='attributes', timestamp='4m', pythonify=True)
|
2018-08-21 11:16:51 +02:00
|
|
|
self.assertEqual(len(attributes), 1)
|
|
|
|
|
self.assertEqual(attributes[0].event_id, second.id)
|
|
|
|
|
self.assertEqual(attributes[0].timestamp.timestamp(), int(event_creation_timestamp_second.timestamp()))
|
2018-08-10 19:04:02 +02:00
|
|
|
|
2018-08-19 14:35:32 +02:00
|
|
|
# # Test timestamp of 2nd event
|
2018-09-19 06:58:20 +02:00
|
|
|
attributes = self.user_misp_connector.search(controller='attributes', timestamp=event_creation_timestamp_second.timestamp(), pythonify=True)
|
2018-08-21 11:16:51 +02:00
|
|
|
self.assertEqual(len(attributes), 1)
|
|
|
|
|
self.assertEqual(attributes[0].event_id, second.id)
|
|
|
|
|
self.assertEqual(attributes[0].timestamp.timestamp(), int(event_creation_timestamp_second.timestamp()))
|
2018-08-10 19:04:02 +02:00
|
|
|
|
|
|
|
|
# # Test interval -6 min -> -4 min
|
2018-09-19 06:58:20 +02:00
|
|
|
attributes = self.user_misp_connector.search(controller='attributes', timestamp=['6m', '4m'], pythonify=True)
|
2018-08-21 11:16:51 +02:00
|
|
|
self.assertEqual(len(attributes), 1)
|
|
|
|
|
self.assertEqual(attributes[0].event_id, first.id)
|
|
|
|
|
self.assertEqual(attributes[0].timestamp.timestamp(), int(event_creation_timestamp_first.timestamp()))
|
2018-08-10 19:04:02 +02:00
|
|
|
finally:
|
|
|
|
|
# Delete event
|
2018-08-21 00:32:27 +02:00
|
|
|
self.admin_misp_connector.delete_event(first.id)
|
|
|
|
|
self.admin_misp_connector.delete_event(second.id)
|
2018-08-10 19:04:02 +02:00
|
|
|
|
|
|
|
|
def test_user_perms(self):
|
2018-09-19 06:58:20 +02:00
|
|
|
'''Test publish rights'''
|
2018-08-10 19:04:02 +02:00
|
|
|
try:
|
2018-08-21 11:16:51 +02:00
|
|
|
first = self.create_simple_event()
|
2018-08-21 00:32:27 +02:00
|
|
|
first.publish()
|
2018-08-10 19:04:02 +02:00
|
|
|
# Add event as user, no publish rights
|
2018-08-21 00:32:27 +02:00
|
|
|
first = self.user_misp_connector.add_event(first)
|
|
|
|
|
self.assertFalse(first.published)
|
2018-08-10 19:04:02 +02:00
|
|
|
# Add event as publisher
|
2018-08-21 00:32:27 +02:00
|
|
|
first.publish()
|
|
|
|
|
first = self.pub_misp_connector.update_event(first)
|
|
|
|
|
self.assertTrue(first.published)
|
2018-08-10 19:04:02 +02:00
|
|
|
finally:
|
|
|
|
|
# Delete event
|
2018-08-21 00:32:27 +02:00
|
|
|
self.admin_misp_connector.delete_event(first.id)
|
2018-08-10 19:04:02 +02:00
|
|
|
|
2018-08-21 00:32:27 +02:00
|
|
|
# @unittest.skip("Uncomment when adding new tests, it has a 10s sleep")
|
|
|
|
|
def test_search_publish_timestamp(self):
|
2018-09-19 06:58:20 +02:00
|
|
|
'''Search for a specific publication timestamp, an interval, and invalid values.'''
|
2018-08-10 19:04:02 +02:00
|
|
|
# Creating event 1
|
2018-08-21 00:32:27 +02:00
|
|
|
first = self.create_simple_event()
|
2018-08-10 19:04:02 +02:00
|
|
|
first.publish()
|
|
|
|
|
# Creating event 2
|
2018-08-21 00:32:27 +02:00
|
|
|
second = self.create_simple_event()
|
2018-08-10 19:04:02 +02:00
|
|
|
second.publish()
|
|
|
|
|
try:
|
2018-08-21 00:32:27 +02:00
|
|
|
first = self.pub_misp_connector.add_event(first)
|
|
|
|
|
time.sleep(10)
|
|
|
|
|
second = self.pub_misp_connector.add_event(second)
|
2018-08-10 19:04:02 +02:00
|
|
|
# Test invalid query
|
2018-09-19 06:58:20 +02:00
|
|
|
events = self.pub_misp_connector.search(publish_timestamp='5x', pythonify=True)
|
2018-08-21 11:16:51 +02:00
|
|
|
self.assertEqual(events, [])
|
2018-09-19 06:58:20 +02:00
|
|
|
events = self.pub_misp_connector.search(publish_timestamp='ad', pythonify=True)
|
2018-08-21 11:16:51 +02:00
|
|
|
self.assertEqual(events, [])
|
2018-09-19 06:58:20 +02:00
|
|
|
events = self.pub_misp_connector.search(publish_timestamp='aaad', pythonify=True)
|
2018-08-21 11:16:51 +02:00
|
|
|
self.assertEqual(events, [])
|
2018-08-21 00:32:27 +02:00
|
|
|
# Test - last 4 min
|
2018-09-19 06:58:20 +02:00
|
|
|
events = self.pub_misp_connector.search(publish_timestamp='5s', pythonify=True)
|
2018-08-21 11:16:51 +02:00
|
|
|
self.assertEqual(len(events), 1)
|
|
|
|
|
self.assertEqual(events[0].id, second.id)
|
2018-08-10 19:04:02 +02:00
|
|
|
|
2018-08-21 00:32:27 +02:00
|
|
|
# Test 5 sec before timestamp of 2nd event
|
2018-09-19 06:58:20 +02:00
|
|
|
events = self.pub_misp_connector.search(publish_timestamp=(second.publish_timestamp.timestamp()), pythonify=True)
|
2018-08-21 11:16:51 +02:00
|
|
|
self.assertEqual(len(events), 1)
|
|
|
|
|
self.assertEqual(events[0].id, second.id)
|
2018-08-10 19:04:02 +02:00
|
|
|
|
2018-08-21 00:32:27 +02:00
|
|
|
# Test interval -6 min -> -4 min
|
2018-08-21 11:16:51 +02:00
|
|
|
events = self.pub_misp_connector.search(publish_timestamp=[first.publish_timestamp.timestamp() - 5,
|
2018-09-19 06:58:20 +02:00
|
|
|
second.publish_timestamp.timestamp() - 5], pythonify=True)
|
2018-08-21 11:16:51 +02:00
|
|
|
self.assertEqual(len(events), 1)
|
|
|
|
|
self.assertEqual(events[0].id, first.id)
|
2018-08-10 19:04:02 +02:00
|
|
|
finally:
|
|
|
|
|
# Delete event
|
2018-08-21 00:32:27 +02:00
|
|
|
self.admin_misp_connector.delete_event(first.id)
|
|
|
|
|
self.admin_misp_connector.delete_event(second.id)
|
|
|
|
|
|
|
|
|
|
def test_simple_event(self):
|
2018-09-19 06:58:20 +02:00
|
|
|
'''Search a bunch of parameters:
|
|
|
|
|
* Value not existing
|
|
|
|
|
* only return metadata
|
|
|
|
|
* published yes/no
|
|
|
|
|
* event id
|
|
|
|
|
* uuid
|
|
|
|
|
* creator org
|
|
|
|
|
* substring search in value and eventinfo
|
|
|
|
|
* quickfilter
|
|
|
|
|
* date_from
|
|
|
|
|
* date_to
|
|
|
|
|
* deleted
|
|
|
|
|
* to_ids
|
|
|
|
|
* include_event_uuid
|
2018-09-20 02:22:37 +02:00
|
|
|
warning list
|
2018-09-19 06:58:20 +02:00
|
|
|
'''
|
2018-08-21 00:32:27 +02:00
|
|
|
first = self.create_simple_event()
|
|
|
|
|
first.info = 'foo bar blah'
|
2018-09-20 02:22:37 +02:00
|
|
|
# First has one text attribute
|
2018-09-19 06:58:20 +02:00
|
|
|
second = self.create_simple_event()
|
|
|
|
|
second.info = 'foo blah'
|
|
|
|
|
second.set_date('2018-09-01')
|
|
|
|
|
second.add_attribute('ip-src', '8.8.8.8')
|
2018-09-20 02:22:37 +02:00
|
|
|
# second has two attributes: text and ip-src
|
2018-08-10 19:04:02 +02:00
|
|
|
try:
|
2018-08-21 00:32:27 +02:00
|
|
|
first = self.user_misp_connector.add_event(first)
|
2018-09-19 06:58:20 +02:00
|
|
|
second = self.user_misp_connector.add_event(second)
|
2018-08-21 00:32:27 +02:00
|
|
|
timeframe = [first.timestamp.timestamp() - 5, first.timestamp.timestamp() + 5]
|
2018-08-21 11:16:51 +02:00
|
|
|
# Search event we just created in multiple ways. Make sure it doesn't catch it when it shouldn't
|
2018-09-19 06:58:20 +02:00
|
|
|
events = self.user_misp_connector.search(timestamp=timeframe, pythonify=True)
|
|
|
|
|
self.assertEqual(len(events), 2)
|
2018-08-21 11:16:51 +02:00
|
|
|
self.assertEqual(events[0].id, first.id)
|
2018-09-19 06:58:20 +02:00
|
|
|
self.assertEqual(events[1].id, second.id)
|
|
|
|
|
events = self.user_misp_connector.search(timestamp=timeframe, value='nothere', pythonify=True)
|
2018-08-21 11:16:51 +02:00
|
|
|
self.assertEqual(events, [])
|
2018-09-19 06:58:20 +02:00
|
|
|
events = self.user_misp_connector.search(timestamp=timeframe, value=first.attributes[0].value, pythonify=True)
|
2018-08-21 11:16:51 +02:00
|
|
|
self.assertEqual(len(events), 1)
|
|
|
|
|
self.assertEqual(events[0].id, first.id)
|
|
|
|
|
events = self.user_misp_connector.search(timestamp=[first.timestamp.timestamp() - 50,
|
|
|
|
|
first.timestamp.timestamp() - 10],
|
2018-09-19 06:58:20 +02:00
|
|
|
value=first.attributes[0].value, pythonify=True)
|
2018-08-21 11:16:51 +02:00
|
|
|
self.assertEqual(events, [])
|
2018-09-19 06:58:20 +02:00
|
|
|
|
2018-08-10 19:04:02 +02:00
|
|
|
# Test return content
|
2018-09-19 06:58:20 +02:00
|
|
|
events = self.user_misp_connector.search(timestamp=timeframe, metadata=False, pythonify=True)
|
|
|
|
|
self.assertEqual(len(events), 2)
|
2018-08-21 11:16:51 +02:00
|
|
|
self.assertEqual(len(events[0].attributes), 1)
|
2018-09-19 06:58:20 +02:00
|
|
|
self.assertEqual(len(events[1].attributes), 2)
|
|
|
|
|
events = self.user_misp_connector.search(timestamp=timeframe, metadata=True, pythonify=True)
|
|
|
|
|
self.assertEqual(len(events), 2)
|
2018-08-21 11:16:51 +02:00
|
|
|
self.assertEqual(len(events[0].attributes), 0)
|
2018-09-19 06:58:20 +02:00
|
|
|
self.assertEqual(len(events[1].attributes), 0)
|
|
|
|
|
|
2018-08-10 19:04:02 +02:00
|
|
|
# other things
|
2018-09-19 06:58:20 +02:00
|
|
|
events = self.user_misp_connector.search(timestamp=timeframe, published=True, pythonify=True)
|
2018-08-21 11:16:51 +02:00
|
|
|
self.assertEqual(events, [])
|
2018-09-19 06:58:20 +02:00
|
|
|
events = self.user_misp_connector.search(timestamp=timeframe, published=False, pythonify=True)
|
|
|
|
|
self.assertEqual(len(events), 2)
|
|
|
|
|
events = self.user_misp_connector.search(eventid=first.id, pythonify=True)
|
2018-08-21 11:16:51 +02:00
|
|
|
self.assertEqual(len(events), 1)
|
2018-09-19 06:58:20 +02:00
|
|
|
self.assertEqual(events[0].id, first.id)
|
|
|
|
|
events = self.user_misp_connector.search(uuid=first.uuid, pythonify=True)
|
2018-08-21 11:16:51 +02:00
|
|
|
self.assertEqual(len(events), 1)
|
2018-09-19 06:58:20 +02:00
|
|
|
self.assertEqual(events[0].id, first.id)
|
|
|
|
|
events = self.user_misp_connector.search(org=first.orgc_id, pythonify=True)
|
|
|
|
|
self.assertEqual(len(events), 2)
|
|
|
|
|
|
|
|
|
|
# test like search
|
|
|
|
|
events = self.user_misp_connector.search(timestamp=timeframe, value='%{}%'.format(first.attributes[0].value.split('-')[2]), pythonify=True)
|
2018-08-21 11:16:51 +02:00
|
|
|
self.assertEqual(len(events), 1)
|
2018-09-19 06:58:20 +02:00
|
|
|
self.assertEqual(events[0].id, first.id)
|
|
|
|
|
events = self.user_misp_connector.search(timestamp=timeframe, eventinfo='%bar blah%', pythonify=True)
|
|
|
|
|
# FIXME: should return one event
|
|
|
|
|
# self.assertEqual(len(events), 1)
|
|
|
|
|
# self.assertEqual(events[0].id, first.id)
|
|
|
|
|
|
|
|
|
|
# quickfilter
|
|
|
|
|
events = self.user_misp_connector.search(timestamp=timeframe, quickfilter='bar', pythonify=True)
|
|
|
|
|
# FIXME: should return one event
|
|
|
|
|
# self.assertEqual(len(events), 1)
|
|
|
|
|
# self.assertEqual(events[0].id, second.id)
|
2018-09-20 02:22:37 +02:00
|
|
|
|
|
|
|
|
# date_from / date_to
|
2018-09-19 06:58:20 +02:00
|
|
|
events = self.user_misp_connector.search(timestamp=timeframe, date_from=date.today().isoformat(), pythonify=True)
|
2018-08-21 11:16:51 +02:00
|
|
|
self.assertEqual(len(events), 1)
|
2018-09-19 06:58:20 +02:00
|
|
|
self.assertEqual(events[0].id, first.id)
|
|
|
|
|
events = self.user_misp_connector.search(timestamp=timeframe, date_from='2018-09-01', pythonify=True)
|
|
|
|
|
self.assertEqual(len(events), 2)
|
|
|
|
|
events = self.user_misp_connector.search(timestamp=timeframe, date_from='2018-09-01', date_to='2018-09-02', pythonify=True)
|
2018-08-21 11:16:51 +02:00
|
|
|
self.assertEqual(len(events), 1)
|
2018-09-19 06:58:20 +02:00
|
|
|
self.assertEqual(events[0].id, second.id)
|
|
|
|
|
|
|
|
|
|
# Category
|
|
|
|
|
events = self.user_misp_connector.search(timestamp=timeframe, category='Network activity', pythonify=True)
|
2018-08-21 11:16:51 +02:00
|
|
|
self.assertEqual(len(events), 1)
|
2018-09-19 06:58:20 +02:00
|
|
|
self.assertEqual(events[0].id, second.id)
|
|
|
|
|
|
|
|
|
|
# toids
|
|
|
|
|
events = self.user_misp_connector.search(timestamp=timeframe, to_ids='0', pythonify=True)
|
|
|
|
|
self.assertEqual(len(events), 2)
|
|
|
|
|
events = self.user_misp_connector.search(timestamp=timeframe, to_ids='1', pythonify=True)
|
2018-09-20 02:22:37 +02:00
|
|
|
self.assertEqual(len(events), 2)
|
|
|
|
|
self.assertEqual(len(events[0].attributes), 0)
|
|
|
|
|
self.assertEqual(events[1].id, second.id)
|
|
|
|
|
self.assertEqual(len(events[1].attributes), 1)
|
2018-09-19 06:58:20 +02:00
|
|
|
events = self.user_misp_connector.search(timestamp=timeframe, to_ids='exclude', pythonify=True)
|
|
|
|
|
self.assertEqual(len(events), 2)
|
2018-09-20 02:22:37 +02:00
|
|
|
# FIXME: exclude == 1
|
2018-09-19 06:58:20 +02:00
|
|
|
# self.assertEqual(len(events[0].attributes), 1)
|
2018-09-20 02:22:37 +02:00
|
|
|
# self.assertEqual(len(events[1].attributes), 1)
|
2018-09-19 06:58:20 +02:00
|
|
|
|
|
|
|
|
# deleted
|
|
|
|
|
second.attributes[1].delete()
|
|
|
|
|
self.user_misp_connector.update_event(second)
|
|
|
|
|
events = self.user_misp_connector.search(eventid=second.id, pythonify=True)
|
|
|
|
|
self.assertEqual(len(events[0].attributes), 1)
|
|
|
|
|
events = self.user_misp_connector.search(eventid=second.id, deleted=True, pythonify=True)
|
|
|
|
|
self.assertEqual(len(events[0].attributes), 2)
|
|
|
|
|
|
|
|
|
|
# include_event_uuid
|
2018-09-21 22:33:22 +02:00
|
|
|
attributes = self.user_misp_connector.search(controller='attributes', eventid=second.id, include_event_uuid=True, pythonify=True)
|
|
|
|
|
self.assertEqual(attributes[0].event_uuid, second.uuid)
|
2018-09-19 06:58:20 +02:00
|
|
|
|
|
|
|
|
# event_timestamp
|
|
|
|
|
second.add_attribute('ip-src', '8.8.8.9')
|
|
|
|
|
second = self.user_misp_connector.update_event(second)
|
|
|
|
|
# FIXME: returns everything
|
|
|
|
|
# events = self.user_misp_connector.search(event_timestamp=second.timestamp.timestamp(), pythonify=True)
|
|
|
|
|
# self.assertEqual(len(events), 1)
|
|
|
|
|
|
|
|
|
|
# searchall
|
|
|
|
|
# FIXME: searchall doesn't seem to do anything
|
|
|
|
|
# second.add_attribute('text', 'This is a test for the full text search', comment='Test stuff comment')
|
|
|
|
|
# second = self.user_misp_connector.update_event(second)
|
|
|
|
|
# events = self.user_misp_connector.search(value='This is a test for the full text search', searchall=True, pythonify=True)
|
|
|
|
|
# self.assertEqual(len(events), 1)
|
|
|
|
|
# events = self.user_misp_connector.search(value='stuff', searchall=True, pythonify=True)
|
|
|
|
|
# self.assertEqual(len(events), 1)
|
|
|
|
|
|
2018-09-21 22:02:15 +02:00
|
|
|
# warninglist
|
|
|
|
|
# FIXME: the warning lists ID aren't deterministic
|
2018-09-21 22:22:37 +02:00
|
|
|
if local:
|
|
|
|
|
response = self.admin_misp_connector.toggle_warninglist('17', force_enable=True) # enable ipv4 DNS.
|
|
|
|
|
self.assertDictEqual(response, {'saved': True, 'success': '1 warninglist(s) enabled'})
|
|
|
|
|
second.add_attribute('ip-src', '9.9.9.9')
|
|
|
|
|
second = self.user_misp_connector.update_event(second)
|
|
|
|
|
|
|
|
|
|
events = self.user_misp_connector.search(eventid=second.id, pythonify=True)
|
|
|
|
|
self.assertEqual(len(events), 1)
|
|
|
|
|
self.assertEqual(events[0].id, second.id)
|
|
|
|
|
self.assertEqual(len(events[0].attributes), 3)
|
|
|
|
|
|
|
|
|
|
events = self.user_misp_connector.search(eventid=second.id, enforce_warninglist=False, pythonify=True)
|
|
|
|
|
self.assertEqual(len(events), 1)
|
|
|
|
|
self.assertEqual(events[0].id, second.id)
|
|
|
|
|
self.assertEqual(len(events[0].attributes), 3)
|
|
|
|
|
|
|
|
|
|
events = self.user_misp_connector.search(eventid=second.id, enforce_warninglist=True, pythonify=True)
|
|
|
|
|
self.assertEqual(len(events), 1)
|
|
|
|
|
self.assertEqual(events[0].id, second.id)
|
|
|
|
|
self.assertEqual(len(events[0].attributes), 2)
|
|
|
|
|
response = self.admin_misp_connector.toggle_warninglist('17') # disable ipv4 DNS.
|
|
|
|
|
self.assertDictEqual(response, {'saved': True, 'success': '1 warninglist(s) disabled'})
|
2018-09-21 22:02:15 +02:00
|
|
|
|
2018-09-19 06:58:20 +02:00
|
|
|
time.sleep(1)
|
|
|
|
|
# attachments
|
|
|
|
|
with open('tests/testlive_comprehensive.py', 'rb') as f:
|
|
|
|
|
first.add_attribute('malware-sample', value='testfile.py', data=BytesIO(f.read()))
|
|
|
|
|
|
|
|
|
|
first = self.user_misp_connector.update_event(first)
|
|
|
|
|
events = self.user_misp_connector.search(timestamp=first.timestamp.timestamp(), with_attachments=True,
|
|
|
|
|
pythonify=True)
|
|
|
|
|
self.assertEqual(len(events), 1)
|
2018-09-20 02:22:37 +02:00
|
|
|
self.assertIs(type(events[0].attributes[-1].malware_binary), BytesIO)
|
2018-09-19 06:58:20 +02:00
|
|
|
events = self.user_misp_connector.search(timestamp=first.timestamp.timestamp(), with_attachments=False,
|
|
|
|
|
pythonify=True)
|
|
|
|
|
self.assertEqual(len(events), 1)
|
|
|
|
|
self.assertIs(events[0].attributes[-1].malware_binary, None)
|
2018-08-10 19:04:02 +02:00
|
|
|
|
|
|
|
|
finally:
|
|
|
|
|
# Delete event
|
2018-08-21 00:32:27 +02:00
|
|
|
self.admin_misp_connector.delete_event(first.id)
|
2018-09-19 06:58:20 +02:00
|
|
|
self.admin_misp_connector.delete_event(second.id)
|
2018-08-10 19:04:02 +02:00
|
|
|
|
2018-08-17 15:09:17 +02:00
|
|
|
def test_edit_attribute(self):
|
2018-08-21 00:32:27 +02:00
|
|
|
first = self.create_simple_event()
|
2018-08-17 15:09:17 +02:00
|
|
|
try:
|
|
|
|
|
first.attributes[0].comment = 'This is the original comment'
|
2018-08-21 00:32:27 +02:00
|
|
|
first = self.user_misp_connector.add_event(first)
|
|
|
|
|
first.attributes[0].comment = 'This is the modified comment'
|
|
|
|
|
attribute = self.user_misp_connector.update_attribute(first.attributes[0])
|
|
|
|
|
self.assertEqual(attribute.comment, 'This is the modified comment')
|
|
|
|
|
attribute = self.user_misp_connector.change_comment(first.attributes[0].uuid, 'This is the modified comment, again')
|
|
|
|
|
self.assertEqual(attribute['Attribute']['comment'], 'This is the modified comment, again')
|
2018-08-17 15:09:17 +02:00
|
|
|
finally:
|
|
|
|
|
# Delete event
|
2018-08-21 00:32:27 +02:00
|
|
|
self.admin_misp_connector.delete_event(first.id)
|
2018-08-17 15:09:17 +02:00
|
|
|
|
2018-09-18 03:37:07 +02:00
|
|
|
def test_get_csv(self):
|
|
|
|
|
first = self.create_simple_event()
|
2018-09-20 02:22:37 +02:00
|
|
|
second = self.create_simple_event()
|
|
|
|
|
second.info = 'foo blah'
|
|
|
|
|
second.set_date('2018-09-01')
|
|
|
|
|
second.add_attribute('ip-src', '8.8.8.8')
|
2018-09-18 03:37:07 +02:00
|
|
|
try:
|
|
|
|
|
first.attributes[0].comment = 'This is the original comment'
|
|
|
|
|
first = self.user_misp_connector.add_event(first)
|
|
|
|
|
response = self.user_misp_connector.fast_publish(first.id, alert=False)
|
|
|
|
|
self.assertEqual(response['errors'][0][1]['message'], 'You do not have permission to use this functionality.')
|
2018-09-19 06:58:20 +02:00
|
|
|
|
2018-09-20 02:22:37 +02:00
|
|
|
# default search, all attributes with to_ids == False
|
2018-09-19 06:58:20 +02:00
|
|
|
self.admin_misp_connector.fast_publish(first.id, alert=False)
|
|
|
|
|
csv = self.user_misp_connector.get_csv(publish_timestamp=first.timestamp.timestamp() - 5, pythonify=True)
|
|
|
|
|
# FIXME: Should not return anything (to_ids is False)
|
|
|
|
|
# self.assertEqual(len(csv), 0)
|
|
|
|
|
|
2018-09-20 02:22:37 +02:00
|
|
|
# Also export attributes with to_ids set to false
|
|
|
|
|
csv = self.user_misp_connector.get_csv(publish_timestamp=first.timestamp.timestamp() - 5, ignore=True, pythonify=True)
|
|
|
|
|
self.assertEqual(len(csv), 1)
|
|
|
|
|
|
|
|
|
|
# Default search, attribute with to_ids == True
|
2018-09-19 06:58:20 +02:00
|
|
|
first.attributes[0].to_ids = True
|
|
|
|
|
first = self.user_misp_connector.update_event(first)
|
2018-09-18 03:37:07 +02:00
|
|
|
self.admin_misp_connector.fast_publish(first.id, alert=False)
|
|
|
|
|
csv = self.user_misp_connector.get_csv(publish_timestamp=first.timestamp.timestamp() - 5, pythonify=True)
|
2018-09-19 06:58:20 +02:00
|
|
|
self.assertEqual(len(csv), 1)
|
2018-09-18 03:37:07 +02:00
|
|
|
self.assertEqual(csv[0]['value'], first.attributes[0].value)
|
2018-09-19 06:58:20 +02:00
|
|
|
|
2018-09-20 02:22:37 +02:00
|
|
|
# eventid
|
|
|
|
|
csv = self.user_misp_connector.get_csv(eventid=first.id, pythonify=True)
|
|
|
|
|
self.assertEqual(len(csv), 1)
|
|
|
|
|
self.assertEqual(csv[0]['value'], first.attributes[0].value)
|
|
|
|
|
|
|
|
|
|
# category
|
|
|
|
|
csv = self.user_misp_connector.get_csv(publish_timestamp=first.timestamp.timestamp(), category='Other', pythonify=True)
|
|
|
|
|
self.assertEqual(len(csv), 1)
|
|
|
|
|
self.assertEqual(csv[0]['value'], first.attributes[0].value)
|
|
|
|
|
csv = self.user_misp_connector.get_csv(publish_timestamp=first.timestamp.timestamp(), category='Person', pythonify=True)
|
|
|
|
|
self.assertEqual(len(csv), 0)
|
|
|
|
|
|
|
|
|
|
# type_attribute
|
|
|
|
|
csv = self.user_misp_connector.get_csv(publish_timestamp=first.timestamp.timestamp(), type_attribute='text', pythonify=True)
|
|
|
|
|
self.assertEqual(len(csv), 1)
|
|
|
|
|
self.assertEqual(csv[0]['value'], first.attributes[0].value)
|
|
|
|
|
csv = self.user_misp_connector.get_csv(publish_timestamp=first.timestamp.timestamp(), type_attribute='ip-src', pythonify=True)
|
|
|
|
|
self.assertEqual(len(csv), 0)
|
|
|
|
|
|
|
|
|
|
# context
|
|
|
|
|
csv = self.user_misp_connector.get_csv(publish_timestamp=first.timestamp.timestamp(), include_context=True, pythonify=True)
|
|
|
|
|
self.assertEqual(len(csv), 1)
|
|
|
|
|
# print(csv[0])
|
|
|
|
|
# FIXME: there is no context.
|
|
|
|
|
|
|
|
|
|
# date_from date_to
|
|
|
|
|
second = self.user_misp_connector.add_event(second)
|
|
|
|
|
csv = self.user_misp_connector.get_csv(date_from=date.today().isoformat(), pythonify=True)
|
|
|
|
|
self.assertEqual(len(csv), 1)
|
|
|
|
|
self.assertEqual(csv[0]['value'], first.attributes[0].value)
|
|
|
|
|
csv = self.user_misp_connector.get_csv(date_from='2018-09-01', date_to='2018-09-02', pythonify=True)
|
|
|
|
|
self.assertEqual(len(csv), 2)
|
|
|
|
|
|
|
|
|
|
# headerless
|
|
|
|
|
csv = self.user_misp_connector.get_csv(date_from='2018-09-01', date_to='2018-09-02', headerless=True)
|
|
|
|
|
# FIXME: The header is here.
|
|
|
|
|
# print(csv)
|
|
|
|
|
|
2018-09-19 06:58:20 +02:00
|
|
|
finally:
|
|
|
|
|
# Delete event
|
|
|
|
|
self.admin_misp_connector.delete_event(first.id)
|
2018-09-20 02:22:37 +02:00
|
|
|
self.admin_misp_connector.delete_event(second.id)
|
2018-09-19 06:58:20 +02:00
|
|
|
|
|
|
|
|
@unittest.skip("Currently failing")
|
|
|
|
|
def test_search_type_event_csv(self):
|
|
|
|
|
try:
|
|
|
|
|
first, second, third = self.environment()
|
|
|
|
|
# Search as admin
|
|
|
|
|
events = self.admin_misp_connector.search(return_format='csv', timestamp=first.timestamp.timestamp())
|
|
|
|
|
print(events)
|
|
|
|
|
attributes_types_search = self.admin_misp_connector.build_complex_query(or_parameters=['ip-src', 'ip-dst'])
|
|
|
|
|
events = self.admin_misp_connector.search(return_format='csv', timestamp=first.timestamp.timestamp(),
|
|
|
|
|
type_attribute=attributes_types_search)
|
|
|
|
|
print(events)
|
2018-09-18 03:37:07 +02:00
|
|
|
finally:
|
|
|
|
|
# Delete event
|
|
|
|
|
self.admin_misp_connector.delete_event(first.id)
|
2018-09-19 06:58:20 +02:00
|
|
|
self.admin_misp_connector.delete_event(second.id)
|
|
|
|
|
self.admin_misp_connector.delete_event(third.id)
|
2018-09-18 03:37:07 +02:00
|
|
|
|
2018-08-12 22:46:21 +02:00
|
|
|
|
|
|
|
|
if __name__ == '__main__':
|
|
|
|
|
unittest.main()
|
