From b02cce7d149953360af3891b1396206394ed8f9d Mon Sep 17 00:00:00 2001
From: begunrom
Date: Sun, 17 Nov 2019 09:45:30 +0100
Subject: [PATCH] added unit test for carrier

---
 tests/config_carrier.py | 80 +++++++++++++++++++++++++++++++++++++++++
 tests/tests.py | 6 ++++
 2 files changed, 86 insertions(+)
 create mode 100644 tests/config_carrier.py

diff --git a/tests/config_carrier.py b/tests/config_carrier.py
new file mode 100644
index 0000000..be5c95d
--- /dev/null
+++ b/tests/config_carrier.py
@@ -0,0 +1,80 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+
+misp_url = 'YOUR_MISP_URL'
+misp_key = 'YOUR_KEY_HERE' # The MISP auth key can be found on the MISP web interface under the automation section
+misp_verifycert = True
+spamtrap = False
+default_distribution = 0
+default_threat_level = 3
+default_analysis = 1
+
+body_config_prefix = 'm2m' # every line in the body starting with this value will be skipped from the IOCs
+m2m_key = 'YOUSETYOURKEYHERE'
+m2m_benign_attachment_keyword = 'benign'
+
+debug = True
+nameservers = ['8.8.8.8']
+email_subject_prefix = 'M2M'
+attach_original_mail = True
+ignore_carrier_mail = True
+
+excludelist = ('google.com', 'microsoft.com')
+externallist = ('virustotal.com', 'malwr.com', 'hybrid-analysis.com', 'emergingthreats.net')
+internallist = ('internal.system.local')
+noidsflaglist = ('myexternalip.com', 'ipinfo.io', 'icanhazip.com', 'wtfismyip.com', 'ipecho.net',
+ 'api.ipify.org', 'checkip.amazonaws.com', 'whatismyipaddress.com', 'google.com',
+ 'dropbox.com'
+ )
+
+# Stop parsing when this term is found
+stopword = 'Whois & IP Information'
+
+# Ignore lines in body of message containing:
+ignorelist = ("From:", "Sender:", "Received:", "Sender IP:", "Reply-To:", "Registrar WHOIS Server:",
+ "Registrar:", "Domain Status:", "Registrant Email:", "IP Location:",
+ "X-Get-Message-Sender-Via:", "X-Authenticated-Sender:")
+
+# Ignore (don't add) attributes that are on server side warning list
+enforcewarninglist = True
+
+# Add a sighting for each value
+sighting = False
+sighting_source = "YOUR_MAIL_TO_MISP_IDENTIFIER"
+
+# Remove "Re:", "Fwd:" and {Spam?} from subject
+# add: "[\(\[].*?[\)\]]" to remove everything between [] and (): i.e. [tag]
+removelist = (r'Re:', r'Fwd:', r'\{Spam?\}')
+
+# TLP tag setup
+# Tuples contain different variations of spelling
+tlptags = {'tlp:amber': ['tlp:amber', 'tlp: amber', 'tlp amber'],
+ 'tlp:green': ['tlp:green', 'tlp: green', 'tlp green'],
+ 'tlp:white': ['tlp:white', 'tlp: white', 'tlp white']
+ }
+tlptag_default = sorted(tlptags.keys())[0]
+
+malwaretags = {'locky': ['ecsirt:malicious-code="ransomware"', 'misp-galaxy:ransomware="Locky"'],
+ 'jaff': ['ecsirt:malicious-code="ransomware"', 'misp-galaxy:ransomware="Jaff"'],
+ 'dridex': ['misp-galaxy:tool="dridex"'],
+ 'netwire': ['Netwire RAT'],
+ 'Pony': ['misp-galaxy:tool="Hancitor"'],
+ 'ursnif': ['misp-galaxy:tool="Snifula"'],
+ 'NanoCore': ['misp-galaxy:tool="NanoCoreRAT"'],
+ 'trickbot': ['misp-galaxy:tool="Trick Bot"']
+ }
+
+# Tags to be set depending on the presence of other tags
+dependingtags = {'tlp:white': ['circl:osint-feed']
+ }
+
+# Known identifiers for forwarded messages
+forward_identifiers = {'-------- Forwarded Message --------', 'Begin forwarded message:'}
+
+# Tags to add when hashes are found (e.g. to do automatic expansion)
+hash_only_tags = {'TODO:VT-ENRICHMENT'}
+
+# If an attribute is on any MISP server side `warning list`, skip the creation of the attribute
+skip_item_on_warninglist = True
+
+vt_key = None
diff --git a/tests/tests.py b/tests/tests.py
index 42bde92..44391b9 100644
--- a/tests/tests.py
+++ b/tests/tests.py
@@ -82,6 +82,12 @@ class TestMailToMISP(unittest.TestCase):
 self.assertEqual(self.mail2misp.misp_event.analysis, '0')
 self.mail2misp.add_event()
+ def test_attached_emails(self):
+ config = importlib.import_module('tests.config_carrier')
+ self.mail2misp = Mail2MISP('', '', '', config=config, offline=True)
+ with open('tests/mails/test_7_email_attachments.eml', 'rb') as f:
+ attached_emails = self.mail2misp.get_attached_emails(BytesIO(f.read()))
+ self.assertEqual(len(attached_emails), 7)
 if __name__ == '__main__':
 unittest.main()
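Review bot: `internallist = ('internal.system.local')` in the new config is a parenthesized str, not a one-element tuple, while `excludelist` and `externallist` a few lines above are real tuples; a membership test such as `x in internallist` therefore does substring matching, so a value like `local` would count as internal and an indicator could be misclassified by whatever consumes this list (the consumer is not visible here). A trailing comma fixes it: `internallist = ('internal.system.local',)`. The placeholder `misp_key`/`m2m_key` values are fine for a fixture, but a one-line header comment stating that this module is a test fixture loaded by `tests/tests.py` through `importlib.import_module('tests.config_carrier')` would tell readers why it duplicates the production config shape.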
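Review bot: `test_attached_emails` is added immediately after `self.mail2misp.add_event()` with no blank line between the two methods; PEP 8 asks for one, so insert an empty line before `    def test_attached_emails(self):`. The assertion only checks that seven items come back; if `get_attached_emails` returns message objects, also asserting on a stable property of one of them (a subject or filename) would catch a regression that yields seven empty or duplicated entries. The test presumably relies on `importlib` and `BytesIO` being imported at module level and on the working directory being the repository root for the relative `.eml` path, matching the existing tests, but neither is visible in the hunk. The enclosing class `TestMailToMISP` starts outside the hunk.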