parent
529719d9d8
commit
441d41cf5d
2 changed files with 357 additions and 0 deletions
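--- /dev/null
+++ b/[path not shown]/test_files/misp_event.json
@@ -0,0 +1,297 @@
+{
+"Event": {
+"id": "625",
+"orgc_id": "2",
+"org_id": "1",
+"date": "2017-05-24",
+"threat_level_id": "3",
+"info": "M2M - Fwd: IMG_3428.pdf",
+"published": false,
+"uuid": "59259036-fcd0-4749-8a6c-4d88950d210f",
+"attribute_count": "2",
+"analysis": "1",
+"timestamp": "1500496265",
+"distribution": "3",
+"proposal_email_lock": false,
+"user_id": "1",
+"locked": false,
+"publish_timestamp": "0",
+"sharing_group_id": "0",
+"disable_correlation": false
+},
+"User": {
+"email": "admin@misp.training",
+"id": "1"
+},
+"ThreatLevel": {
+"name": "Low",
+"id": "3"
+},
+"Org": {
+"id": "1",
+"name": "MISP",
+"uuid": "56ef3277-1ad4-42f6-b90b-04e5c0a83832"
+},
+"Orgc": {
+"id": "2",
+"name": "CIRCL",
+"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
+},
+"Attribute": [{
+"id": "157835",
+"type": "attachment",
+"category": "Artifacts dropped",
+"to_ids": false,
+"uuid": "59259037-1014-4669-96b1-46af950d210f",
+"event_id": "625",
+"distribution": "5",
+"timestamp": "1495633975",
+"comment": "IMG_3428.pdf",
+"sharing_group_id": "0",
+"deleted": false,
+"disable_correlation": false,
+"value": "tmpzuni0skf",
+"AttributeTag": [],
+"ShadowAttribute": []
+}, {
+"id": "164191",
+"type": "domain|ip",
+"category": "Network activity",
+"to_ids": false,
+"uuid": "59430251-e6a4-4900-b78b-060dc0a83832",
+"event_id": "625",
+"distribution": "5",
+"timestamp": "1497563729",
+"comment": "Test data",
+"sharing_group_id": "0",
+"deleted": false,
+"disable_correlation": false,
+"value": "google.com|127.0.0.1",
+"AttributeTag": [],
+"ShadowAttribute": []
+}],
+"ShadowAttribute": [],
+"EventTag": [{
+"id": "1482",
+"event_id": "625",
+"tag_id": "2",
+"Tag": {
+"id": "2",
+"name": "tlp:white",
+"colour": "#ffffff",
+"exportable": true,
+"org_id": "0",
+"hide_tag": false
+}
+}],
+"Galaxy": [],
+"RelatedEvent": [{
+"Event": {
+"id": "226",
+"date": "2015-11-05",
+"threat_level_id": "4",
+"info": "OSINT Expansion on Systematic cyber attacks against Israeli and Palestinian targets going on for a year by Norman",
+"published": true,
+"uuid": "563b3ea6-b26c-401f-a68b-4d84950d210b",
+"analysis": "2",
+"timestamp": "1487757679",
+"distribution": "3",
+"org_id": "1",
+"orgc_id": "3",
+"Org": {
+"id": "1",
+"name": "MISP",
+"uuid": "56ef3277-1ad4-42f6-b90b-04e5c0a83832"
+},
+"Orgc": {
+"id": "3",
+"name": "CthulhuSPRL.be",
+"uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f"
+}
+}
+}, {
+"Event": {
+"id": "207",
+"date": "2015-04-03",
+"threat_level_id": "4",
+"info": "OSINT The Dyre Wolf report from IBM",
+"published": true,
+"uuid": "551e8745-ace0-461c-b9eb-ce36950d210b",
+"analysis": "2",
+"timestamp": "1428070986",
+"distribution": "3",
+"org_id": "1",
+"orgc_id": "3",
+"Org": {
+"id": "1",
+"name": "MISP",
+"uuid": "56ef3277-1ad4-42f6-b90b-04e5c0a83832"
+},
+"Orgc": {
+"id": "3",
+"name": "CthulhuSPRL.be",
+"uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f"
+}
+}
+}, {
+"Event": {
+"id": "209",
+"date": "2015-01-26",
+"threat_level_id": "2",
+"info": "OSINT I Know You Want Me - Unplugging PlugX from Takahiro Haruyama & Hiroshi Suzuki Black Hat Asia 2014 presentation",
+"published": true,
+"uuid": "54c60f43-b084-453a-a162-4e08950d210b",
+"analysis": "2",
+"timestamp": "1422356942",
+"distribution": "3",
+"org_id": "1",
+"orgc_id": "3",
+"Org": {
+"id": "1",
+"name": "MISP",
+"uuid": "56ef3277-1ad4-42f6-b90b-04e5c0a83832"
+},
+"Orgc": {
+"id": "3",
+"name": "CthulhuSPRL.be",
+"uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f"
+}
+}
+}, {
+"Event": {
+"id": "214",
+"date": "2014-12-18",
+"threat_level_id": "4",
+"info": "Expansion on two IPs listed in OSINT IOCs from various campaigns listed in Detecting Bleeding Edge Malware presentation at hack.lu 2014",
+"published": true,
+"uuid": "54932a3e-7284-4753-b95c-4e08950d210b",
+"analysis": "2",
+"timestamp": "1442489489",
+"distribution": "3",
+"org_id": "1",
+"orgc_id": "3",
+"Org": {
+"id": "1",
+"name": "MISP",
+"uuid": "56ef3277-1ad4-42f6-b90b-04e5c0a83832"
+},
+"Orgc": {
+"id": "3",
+"name": "CthulhuSPRL.be",
+"uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f"
+}
+}
+}, {
+"Event": {
+"id": "208",
+"date": "2014-11-20",
+"threat_level_id": "4",
+"info": "Import of CitizenLab public DB of malware indicators",
+"published": true,
+"uuid": "546e08ce-3134-4892-997b-73ff950d210b",
+"analysis": "2",
+"timestamp": "1487758220",
+"distribution": "3",
+"org_id": "1",
+"orgc_id": "3",
+"Org": {
+"id": "1",
+"name": "MISP",
+"uuid": "56ef3277-1ad4-42f6-b90b-04e5c0a83832"
+},
+"Orgc": {
+"id": "3",
+"name": "CthulhuSPRL.be",
+"uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f"
+}
+}
+}, {
+"Event": {
+"id": "373",
+"date": "2014-11-18",
+"threat_level_id": "4",
+"info": "OSINT Expansion on Additional indicators relating to Sofacy (APT28) phishing blog post by PWC",
+"published": true,
+"uuid": "546bc3e8-d498-4e0c-b169-f2ea950d210b",
+"analysis": "2",
+"timestamp": "1487758281",
+"distribution": "3",
+"org_id": "1",
+"orgc_id": "3",
+"Org": {
+"id": "1",
+"name": "MISP",
+"uuid": "56ef3277-1ad4-42f6-b90b-04e5c0a83832"
+},
+"Orgc": {
+"id": "3",
+"name": "CthulhuSPRL.be",
+"uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f"
+}
+}
+}, {
+"Event": {
+"id": "230",
+"date": "2014-10-02",
+"threat_level_id": "3",
+"info": "OSINT ShellShock scanning IPs from OpenDNS",
+"published": true,
+"uuid": "542e4c9c-cadc-4f8f-bb11-6d13950d210b",
+"analysis": "2",
+"timestamp": "1442489604",
+"distribution": "3",
+"org_id": "1",
+"orgc_id": "3",
+"Org": {
+"id": "1",
+"name": "MISP",
+"uuid": "56ef3277-1ad4-42f6-b90b-04e5c0a83832"
+},
+"Orgc": {
+"id": "3",
+"name": "CthulhuSPRL.be",
+"uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f"
+}
+}
+}],
+"RelatedAttribute": {
+"164191": [{
+"id": "207",
+"org_id": "1",
+"info": "OSINT The Dyre Wolf report from IBM",
+"value": "google.com"
+}, {
+"id": "208",
+"org_id": "1",
+"info": "Import of CitizenLab public DB of malware indicators",
+"value": "127.0.0.1"
+}, {
+"id": "209",
+"org_id": "1",
+"info": "OSINT I Know You Want Me - Unplugging PlugX from Takahiro Haruyama & Hiroshi Suzuki Black Hat Asia 2014 presentation",
+"value": "127.0.0.1"
+}, {
+"id": "214",
+"org_id": "1",
+"info": "Expansion on two IPs listed in OSINT IOCs from various campaigns listed in Detecting Bleeding Edge Malware presentation at hack.lu 2014",
+"value": "127.0.0.1"
+}, {
+"id": "226",
+"org_id": "1",
+"info": "OSINT Expansion on Systematic cyber attacks against Israeli and Palestinian targets going on for a year by Norman",
+"value": "127.0.0.1"
+}, {
+"id": "230",
+"org_id": "1",
+"info": "OSINT ShellShock scanning IPs from OpenDNS",
+"value": "127.0.0.1"
+}, {
+"id": "373",
+"org_id": "1",
+"info": "OSINT Expansion on Additional indicators relating to Sofacy (APT28) phishing blog post by PWC",
+"value": "127.0.0.1"
+}]
+},
+"RelatedShadowAttribute": [],
+"Sighting": []
+}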
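--- /dev/null
+++ b/[path not shown]
@@ -0,0 +1,60 @@
+"""Test module for the ThreatConnect Export module"""
+import base64
+import csv
+import io
+import json
+import os
+import unittest
+import requests
+
+
+class TestModules(unittest.TestCase):
+"""Unittest module for threat_connect_export.py"""
+def setUp(self):
+self.headers = {'Content-Type': 'application/json'}
+self.url = "http://127.0.0.1:6666/"
+self.module = "threat_connect_export"
+input_event_path = "%s/test_files/misp_event.json" % os.path.dirname(os.path.realpath(__file__))
+with open(input_event_path, "r") as ifile:
+self.event = json.load(ifile)
+
+def test_01_introspection(self):
+"""Taken from test.py"""
+try:
+response = requests.get(self.url + "modules")
+modules = [module["name"] for module in response.json()]
+assert self.module in modules
+finally:
+response.connection.close()
+
+def test_02_export(self):
+"""Test an event export"""
+test_source = "Test Export"
+query = {
+"module": self.module,
+"data": [self.event],
+"config": {
+"Default_Source": test_source
+}
+}
+
+try:
+response = requests.post(self.url + "query", headers=self.headers, data=json.dumps(query))
+data = base64.b64decode(response.json()["data"]).decode("utf-8")
+csvfile = io.StringIO(data)
+reader = csv.DictReader(csvfile)
+
+values = [field["Value"] for field in reader]
+assert "google.com" in values
+assert "127.0.0.1" in values
+
+# resetting file pointer to read through again and extract sources
+csvfile.seek(0)
+# use a set comprehension to deduplicate sources
+sources = {field["Source"] for field in reader}
+assert test_source in sources
+finally:
+response.connection.close()
+
+if __name__ == "__main__":
+unittest.main()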
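Review bot: In test_02_export the second pass over `reader` after `csvfile.seek(0)` reuses a DictReader whose fieldnames are already cached, so the CSV header line is re-read as a data row and `sources` silently contains the literal string "Source" alongside the real sources; the assertion still passes, but it no longer checks that only the configured source was emitted. Read the rows once and derive both views from the list: `rows = list(csv.DictReader(io.StringIO(data)))`, `values = [row["Value"] for row in rows]`, `sources = {row["Source"] for row in rows}`, and drop the seek. In both tests the `finally: response.connection.close()` runs even when `requests.get`/`requests.post` itself raised, in which case `response` is unbound and an UnboundLocalError masks the original connection error; guard it with `response = None` before the `try` and `if response is not None:` in the finally, or use the Response as a context manager. Neither test checks the HTTP status or the module's error reply before indexing `response.json()["data"]`, so a failing module surfaces as a KeyError rather than a readable failure; a `response.raise_for_status()` plus `self.assertNotIn("error", response.json())` before the decode would give a clear message.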