2017-10-23 14:06:29 +02:00
|
|
|
import datetime as dt
|
|
|
|
import re
|
|
|
|
|
|
|
|
import pytest
|
|
|
|
import pytz
|
|
|
|
|
|
|
|
import stix2
|
|
|
|
|
|
|
|
from .constants import CAMPAIGN_ID, NOTE_ID
|
|
|
|
|
2018-07-13 17:10:05 +02:00
|
|
|
DESCRIPTION = (
|
|
|
|
'This note indicates the various steps taken by the threat'
|
|
|
|
' analyst team to investigate this specific campaign. Step'
|
|
|
|
' 1) Do a scan 2) Review scanned results for identified '
|
|
|
|
'hosts not known by external intel... etc'
|
|
|
|
)
|
2017-10-23 14:06:29 +02:00
|
|
|
|
|
|
|
EXPECTED_NOTE = """{
|
|
|
|
"type": "note",
|
2018-06-11 23:33:50 +02:00
|
|
|
"spec_version": "2.1",
|
2017-10-23 14:06:29 +02:00
|
|
|
"id": "note--0c7b5b88-8ff7-4a4d-aa9d-feb398cd0061",
|
|
|
|
"created": "2016-05-12T08:17:27.000Z",
|
|
|
|
"modified": "2016-05-12T08:17:27.000Z",
|
|
|
|
"summary": "Tracking Team Note#1",
|
|
|
|
"description": "%s",
|
|
|
|
"authors": [
|
|
|
|
"John Doe"
|
|
|
|
],
|
|
|
|
"object_refs": [
|
|
|
|
"campaign--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f"
|
|
|
|
],
|
|
|
|
"external_references": [
|
|
|
|
{
|
|
|
|
"source_name": "job-tracker",
|
|
|
|
"external_id": "job-id-1234"
|
|
|
|
}
|
|
|
|
]
|
|
|
|
}""" % DESCRIPTION
|
|
|
|
|
2018-07-13 17:10:05 +02:00
|
|
|
EXPECTED_OPINION_REPR = "Note(" + " ".join((
|
|
|
|
"""
|
2017-10-23 14:06:29 +02:00
|
|
|
type='note',
|
2018-06-11 23:33:50 +02:00
|
|
|
spec_version='2.1',
|
2017-10-23 14:06:29 +02:00
|
|
|
id='note--0c7b5b88-8ff7-4a4d-aa9d-feb398cd0061',
|
|
|
|
created='2016-05-12T08:17:27.000Z',
|
|
|
|
modified='2016-05-12T08:17:27.000Z',
|
|
|
|
summary='Tracking Team Note#1',
|
|
|
|
description='%s',
|
|
|
|
authors=['John Doe'],
|
|
|
|
object_refs=['campaign--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f'],
|
|
|
|
external_references=[ExternalReference(source_name='job-tracker', external_id='job-id-1234')]
|
2018-07-13 17:10:05 +02:00
|
|
|
""" % DESCRIPTION
|
|
|
|
).split()) + ")"
|
2017-10-23 14:06:29 +02:00
|
|
|
|
|
|
|
|
|
|
|
def test_note_with_required_properties():
|
|
|
|
now = dt.datetime(2016, 5, 12, 8, 17, 27, tzinfo=pytz.utc)
|
|
|
|
|
2018-07-03 15:40:51 +02:00
|
|
|
note = stix2.v21.Note(
|
2017-10-23 14:06:29 +02:00
|
|
|
type='note',
|
|
|
|
id=NOTE_ID,
|
|
|
|
created=now,
|
|
|
|
modified=now,
|
|
|
|
summary='Tracking Team Note#1',
|
|
|
|
object_refs=[CAMPAIGN_ID],
|
|
|
|
authors=['John Doe'],
|
|
|
|
description=DESCRIPTION,
|
|
|
|
external_references=[
|
|
|
|
{
|
|
|
|
'source_name': 'job-tracker',
|
2018-07-13 17:10:05 +02:00
|
|
|
'external_id': 'job-id-1234',
|
|
|
|
},
|
|
|
|
],
|
2017-10-23 14:06:29 +02:00
|
|
|
)
|
|
|
|
|
|
|
|
assert str(note) == EXPECTED_NOTE
|
|
|
|
rep = re.sub(r"(\[|=| )u('|\"|\\\'|\\\")", r"\g<1>\g<2>", repr(note))
|
|
|
|
assert rep == EXPECTED_OPINION_REPR
|
|
|
|
|
|
|
|
|
2018-07-13 17:10:05 +02:00
|
|
|
@pytest.mark.parametrize(
|
|
|
|
"data", [
|
|
|
|
EXPECTED_NOTE,
|
|
|
|
{
|
|
|
|
"type": "note",
|
|
|
|
"spec_version": "2.1",
|
|
|
|
"id": "note--0c7b5b88-8ff7-4a4d-aa9d-feb398cd0061",
|
|
|
|
"created": "2016-05-12T08:17:27.000Z",
|
|
|
|
"modified": "2016-05-12T08:17:27.000Z",
|
|
|
|
"summary": "Tracking Team Note#1",
|
|
|
|
"description": DESCRIPTION,
|
|
|
|
"authors": [
|
|
|
|
"John Doe",
|
|
|
|
],
|
|
|
|
"object_refs": [
|
|
|
|
"campaign--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
|
|
|
|
],
|
|
|
|
"external_references": [
|
|
|
|
{
|
|
|
|
"source_name": "job-tracker",
|
|
|
|
"external_id": "job-id-1234",
|
|
|
|
},
|
|
|
|
],
|
|
|
|
},
|
|
|
|
],
|
|
|
|
)
|
2017-10-23 14:06:29 +02:00
|
|
|
def test_parse_note(data):
|
2018-07-03 15:40:51 +02:00
|
|
|
note = stix2.parse(data, version="2.1")
|
2017-10-23 14:06:29 +02:00
|
|
|
|
|
|
|
assert note.type == 'note'
|
2018-07-03 15:40:51 +02:00
|
|
|
assert note.spec_version == '2.1'
|
2017-10-23 14:06:29 +02:00
|
|
|
assert note.id == NOTE_ID
|
|
|
|
assert note.created == dt.datetime(2016, 5, 12, 8, 17, 27, tzinfo=pytz.utc)
|
|
|
|
assert note.modified == dt.datetime(2016, 5, 12, 8, 17, 27, tzinfo=pytz.utc)
|
|
|
|
assert note.object_refs[0] == CAMPAIGN_ID
|
|
|
|
assert note.authors[0] == 'John Doe'
|
|
|
|
assert note.summary == 'Tracking Team Note#1'
|
|
|
|
assert note.description == DESCRIPTION
|
|
|
|
rep = re.sub(r"(\[|=| )u('|\"|\\\'|\\\")", r"\g<1>\g<2>", repr(note))
|
|
|
|
assert rep == EXPECTED_OPINION_REPR
|