From 53eb22cac5b64953c838ed20717fc070b5087f4f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rapha=C3=ABl=20Vinot?=
Date: Thu, 4 Jan 2018 17:12:15 +0100
Subject: [PATCH] chg: Add test for loading existing malware sample from MISP
---
 tests/mispevent_testfiles/malware_exist.json | 165 +++++++++++++++++++
 tests/test_mispevent.py | 8 +
 2 files changed, 173 insertions(+)
 create mode 100644 tests/mispevent_testfiles/malware_exist.json
diff --git a/tests/mispevent_testfiles/malware_exist.json b/tests/mispevent_testfiles/malware_exist.json
new file mode 100644
index 0000000..9a7c3b3
--- /dev/null
+++ b/tests/mispevent_testfiles/malware_exist.json
@@ -0,0 +1,165 @@ +{"response":[{ + "Event": { + "id": "6719", + "orgc_id": "1", + "org_id": "1", + "date": "2018-01-04", + "threat_level_id": "1", + "info": "Test existing malware PyMISP", + "published": false, + "uuid": "5a4e4fdd-1eb4-4ff3-9e87-43fa950d210f", + "attribute_count": "6", + "analysis": "0", + "timestamp": "1515081727", + "distribution": "0", + "proposal_email_lock": false, + "locked": false, + "publish_timestamp": "0", + "sharing_group_id": "0", + "disable_correlation": false, + "event_creator_email": "raphael.vinot@circl.lu", + "Org": { + "id": "1", + "name": "CIRCL", + "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" + }, + "Orgc": { + "id": "1", + "name": "CIRCL", + "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" + }, + "Attribute": [], + "ShadowAttribute": [], + "RelatedEvent": [], + "Galaxy": [], + "Object": [ + { + "id": "2279", + "name": "file", + "meta-category": "file", + "description": "File object describing a file with meta-information", + "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", + "template_version": "7", + "event_id": "6719", + "uuid": "5a4e4ffe-4cb8-48b1-bd5c-48fb950d210f", + "timestamp": "1515081726", + "distribution": "5", + "sharing_group_id": "0", + "comment": "", + "deleted": false, + "ObjectReference": [], + "Attribute": [ + { + "id": "814967", + "type": "malware-sample", + "category": "Payload delivery", + "to_ids": true, + "uuid": "5a4e4fff-407c-40ff-9de5-43dc950d210f", + "event_id": "6719", + "distribution": "5", + "timestamp": "1515081727", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "2279", + "object_relation": "malware-sample", + "value": "simple.json|7637beddacbeac59d44469b2b120b9e6", + "data": 
"UEsDBAoACQAAAEOAJEyjHboUIQAAABUAAAAgABwANzYzN2JlZGRhY2JlYWM1OWQ0NDQ2OWIyYjEyMGI5ZTZVVAkAA\/5PTlr+T05adXgLAAEEIQAAAAQhAAAATvzonhGOj12MyB1QeGLJ5iZhOjD+zymV4FU2+kjD4oTYUEsHCKMduhQhAAAAFQAAAFBLAwQKAAkAAABDgCRMg45UABcAAAALAAAALQAcADc2MzdiZWRkYWNiZWFjNTlkNDQ0NjliMmIxMjBiOWU2LmZpbGVuYW1lLnR4dFVUCQAD\/k9OWv5PTlp1eAsAAQQhAAAABCEAAADDgZOh6307Bduy829xtRjpivO\/xFI3KVBLBwiDjlQAFwAAAAsAAABQSwECHgMKAAkAAABDgCRMox26FCEAAAAVAAAAIAAYAAAAAAABAAAApIEAAAAANzYzN2JlZGRhY2JlYWM1OWQ0NDQ2OWIyYjEyMGI5ZTZVVAUAA\/5PTlp1eAsAAQQhAAAABCEAAABQSwECHgMKAAkAAABDgCRMg45UABcAAAALAAAALQAYAAAAAAABAAAApIGLAAAANzYzN2JlZGRhY2JlYWM1OWQ0NDQ2OWIyYjEyMGI5ZTYuZmlsZW5hbWUudHh0VVQFAAP+T05adXgLAAEEIQAAAAQhAAAAUEsFBgAAAAACAAIA2QAAABkBAAAAAA==", + "ShadowAttribute": [] + }, + { + "id": "814968", + "type": "filename", + "category": "Payload delivery", + "to_ids": false, + "uuid": "5a4e4fff-9ec0-4822-a405-4e29950d210f", + "event_id": "6719", + "distribution": "5", + "timestamp": "1515081727", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "2279", + "object_relation": "filename", + "value": "simple.json", + "ShadowAttribute": [] + }, + { + "id": "814969", + "type": "md5", + "category": "Payload delivery", + "to_ids": true, + "uuid": "5a4e4fff-8000-49f9-8c3e-4598950d210f", + "event_id": "6719", + "distribution": "5", + "timestamp": "1515081727", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "2279", + "object_relation": "md5", + "value": "7637beddacbeac59d44469b2b120b9e6", + "ShadowAttribute": [] + }, + { + "id": "814970", + "type": "sha1", + "category": "Payload delivery", + "to_ids": true, + "uuid": "5a4e4fff-dae0-4aa4-81ea-4899950d210f", + "event_id": "6719", + "distribution": "5", + "timestamp": "1515081727", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "2279", + "object_relation": "sha1", + "value": 
"023853a4331db8d67e44553004cf338ec1b7440e", + "ShadowAttribute": [] + }, + { + "id": "814971", + "type": "sha256", + "category": "Payload delivery", + "to_ids": true, + "uuid": "5a4e4fff-03ec-4e88-b5f4-472b950d210f", + "event_id": "6719", + "distribution": "5", + "timestamp": "1515081727", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": false, + "object_id": "2279", + "object_relation": "sha256", + "value": "6ae8b0f1c7d6f3238d1fc14038018c3b4704c8cc23dac1c2bfd2c81b5a278eef", + "ShadowAttribute": [] + }, + { + "id": "814972", + "type": "size-in-bytes", + "category": "Other", + "to_ids": false, + "uuid": "5a4e4fff-b6f4-41ba-a6eb-446c950d210f", + "event_id": "6719", + "distribution": "5", + "timestamp": "1515081727", + "comment": "", + "sharing_group_id": "0", + "deleted": false, + "disable_correlation": true, + "object_id": "2279", + "object_relation": "size-in-bytes", + "value": "21", + "ShadowAttribute": [] + } + ] + } + ] + } +}]}
diff --git a/tests/test_mispevent.py b/tests/test_mispevent.py
index 1f6ea4a..2cbeebf 100644
--- a/tests/test_mispevent.py
+++ b/tests/test_mispevent.py
@@ -93,6 +93,14 @@ class TestMISPEvent(unittest.TestCase):
 ref_json = json.load(f)
 self.assertEqual(self.mispevent.to_json(), json.dumps(ref_json, sort_keys=True, indent=2))
+ def test_existing_malware(self):
+ self.mispevent.load_file('tests/mispevent_testfiles/malware_exist.json')
+ with open('tests/mispevent_testfiles/simple.json', 'rb') as f:
+ pseudofile = BytesIO(f.read())
+ self.assertEqual(
+ self.mispevent.objects[0].get_attributes_by_relation('malware-sample')[0].malware_binary.read(),
+ pseudofile.read())
+
 def test_sighting(self):
 sighting = MISPSighting()
 sighting.from_dict(value='1', type='bar', timestamp=11111111)
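Review bot: `test_existing_malware` compares the decoded sample only with `simple.json` and never with the hashes the fixture itself carries, so a fixture whose `data` blob and `md5`/`sha256` attributes disagree would still pass. Since consumers key on those hashes, consider reading the bytes once (`obj = self.mispevent.objects[0]`, `sample = obj.get_attributes_by_relation('malware-sample')[0].malware_binary.read()`) and adding `self.assertEqual(hashlib.md5(sample).hexdigest(), obj.get_attributes_by_relation('md5')[0].value)`; this needs `hashlib` imported if the file does not already do so. The `BytesIO` wrapper around `f.read()` adds nothing, since comparing against `f.read()` inside the `with` block is equivalent, and its import is not visible in this hunk. Indexing `objects[0]` and `[0]` without a preceding length assertion will surface a broken fixture as an `IndexError` rather than a test failure. The enclosing `TestMISPEvent` class starts before and continues after the hunk.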