MISP
/
misp-modules
mirror of https://github.com/MISP/misp-modules
2
0
Fork 0
Code Issues Releases Wiki Activity

added test files for threat_connect_export

Browse Source
pull/133/head
Thomas Gardner 6 years ago
parent 529719d9d8
commit 441d41cf5d
2 changed files with 357 additions and 0 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 297
      tests/test_files/misp_event.json
  2. 60
      tests/threatconnect_export_test.py

297
tests/test_files/misp_event.json
Unescape View File

@ -0,0 +1,297 @@
{
"Event": {
"id": "625",
"orgc_id": "2",
"org_id": "1",
"date": "2017-05-24",
"threat_level_id": "3",
"info": "M2M - Fwd: IMG_3428.pdf",
"published": false,
"uuid": "59259036-fcd0-4749-8a6c-4d88950d210f",
"attribute_count": "2",
"analysis": "1",
"timestamp": "1500496265",
"distribution": "3",
"proposal_email_lock": false,
"user_id": "1",
"locked": false,
"publish_timestamp": "0",
"sharing_group_id": "0",
"disable_correlation": false
},
"User": {
"email": "admin@misp.training",
"id": "1"
},
"ThreatLevel": {
"name": "Low",
"id": "3"
},
"Org": {
"id": "1",
"name": "MISP",
"uuid": "56ef3277-1ad4-42f6-b90b-04e5c0a83832"
},
"Orgc": {
"id": "2",
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Attribute": [{
"id": "157835",
"type": "attachment",
"category": "Artifacts dropped",
"to_ids": false,
"uuid": "59259037-1014-4669-96b1-46af950d210f",
"event_id": "625",
"distribution": "5",
"timestamp": "1495633975",
"comment": "IMG_3428.pdf",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": false,
"value": "tmpzuni0skf",
"AttributeTag": [],
"ShadowAttribute": []
}, {
"id": "164191",
"type": "domain|ip",
"category": "Network activity",
"to_ids": false,
"uuid": "59430251-e6a4-4900-b78b-060dc0a83832",
"event_id": "625",
"distribution": "5",
"timestamp": "1497563729",
"comment": "Test data",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": false,
"value": "google.com|127.0.0.1",
"AttributeTag": [],
"ShadowAttribute": []
}],
"ShadowAttribute": [],
"EventTag": [{
"id": "1482",
"event_id": "625",
"tag_id": "2",
"Tag": {
"id": "2",
"name": "tlp:white",
"colour": "#ffffff",
"exportable": true,
"org_id": "0",
"hide_tag": false
}
}],
"Galaxy": [],
"RelatedEvent": [{
"Event": {
"id": "226",
"date": "2015-11-05",
"threat_level_id": "4",
"info": "OSINT Expansion on Systematic cyber attacks against Israeli and Palestinian targets going on for a year by Norman",
"published": true,
"uuid": "563b3ea6-b26c-401f-a68b-4d84950d210b",
"analysis": "2",
"timestamp": "1487757679",
"distribution": "3",
"org_id": "1",
"orgc_id": "3",
"Org": {
"id": "1",
"name": "MISP",
"uuid": "56ef3277-1ad4-42f6-b90b-04e5c0a83832"
},
"Orgc": {
"id": "3",
"name": "CthulhuSPRL.be",
"uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f"
}
}
}, {
"Event": {
"id": "207",
"date": "2015-04-03",
"threat_level_id": "4",
"info": "OSINT The Dyre Wolf report from IBM",
"published": true,
"uuid": "551e8745-ace0-461c-b9eb-ce36950d210b",
"analysis": "2",
"timestamp": "1428070986",
"distribution": "3",
"org_id": "1",
"orgc_id": "3",
"Org": {
"id": "1",
"name": "MISP",
"uuid": "56ef3277-1ad4-42f6-b90b-04e5c0a83832"
},
"Orgc": {
"id": "3",
"name": "CthulhuSPRL.be",
"uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f"
}
}
}, {
"Event": {
"id": "209",
"date": "2015-01-26",
"threat_level_id": "2",
"info": "OSINT I Know You Want Me - Unplugging PlugX from Takahiro Haruyama & Hiroshi Suzuki Black Hat Asia 2014 presentation",
"published": true,
"uuid": "54c60f43-b084-453a-a162-4e08950d210b",
"analysis": "2",
"timestamp": "1422356942",
"distribution": "3",
"org_id": "1",
"orgc_id": "3",
"Org": {
"id": "1",
"name": "MISP",
"uuid": "56ef3277-1ad4-42f6-b90b-04e5c0a83832"
},
"Orgc": {
"id": "3",
"name": "CthulhuSPRL.be",
"uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f"
}
}
}, {
"Event": {
"id": "214",
"date": "2014-12-18",
"threat_level_id": "4",
"info": "Expansion on two IPs listed in OSINT IOCs from various campaigns listed in Detecting Bleeding Edge Malware presentation at hack.lu 2014",
"published": true,
"uuid": "54932a3e-7284-4753-b95c-4e08950d210b",
"analysis": "2",
"timestamp": "1442489489",
"distribution": "3",
"org_id": "1",
"orgc_id": "3",
"Org": {
"id": "1",
"name": "MISP",
"uuid": "56ef3277-1ad4-42f6-b90b-04e5c0a83832"
},
"Orgc": {
"id": "3",
"name": "CthulhuSPRL.be",
"uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f"
}
}
}, {
"Event": {
"id": "208",
"date": "2014-11-20",
"threat_level_id": "4",
"info": "Import of CitizenLab public DB of malware indicators",
"published": true,
"uuid": "546e08ce-3134-4892-997b-73ff950d210b",
"analysis": "2",
"timestamp": "1487758220",
"distribution": "3",
"org_id": "1",
"orgc_id": "3",
"Org": {
"id": "1",
"name": "MISP",
"uuid": "56ef3277-1ad4-42f6-b90b-04e5c0a83832"
},
"Orgc": {
"id": "3",
"name": "CthulhuSPRL.be",
"uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f"
}
}
}, {
"Event": {
"id": "373",
"date": "2014-11-18",
"threat_level_id": "4",
"info": "OSINT Expansion on Additional indicators relating to Sofacy (APT28) phishing blog post by PWC",
"published": true,
"uuid": "546bc3e8-d498-4e0c-b169-f2ea950d210b",
"analysis": "2",
"timestamp": "1487758281",
"distribution": "3",
"org_id": "1",
"orgc_id": "3",
"Org": {
"id": "1",
"name": "MISP",
"uuid": "56ef3277-1ad4-42f6-b90b-04e5c0a83832"
},
"Orgc": {
"id": "3",
"name": "CthulhuSPRL.be",
"uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f"
}
}
}, {
"Event": {
"id": "230",
"date": "2014-10-02",
"threat_level_id": "3",
"info": "OSINT ShellShock scanning IPs from OpenDNS",
"published": true,
"uuid": "542e4c9c-cadc-4f8f-bb11-6d13950d210b",
"analysis": "2",
"timestamp": "1442489604",
"distribution": "3",
"org_id": "1",
"orgc_id": "3",
"Org": {
"id": "1",
"name": "MISP",
"uuid": "56ef3277-1ad4-42f6-b90b-04e5c0a83832"
},
"Orgc": {
"id": "3",
"name": "CthulhuSPRL.be",
"uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f"
}
}
}],
"RelatedAttribute": {
"164191": [{
"id": "207",
"org_id": "1",
"info": "OSINT The Dyre Wolf report from IBM",
"value": "google.com"
}, {
"id": "208",
"org_id": "1",
"info": "Import of CitizenLab public DB of malware indicators",
"value": "127.0.0.1"
}, {
"id": "209",
"org_id": "1",
"info": "OSINT I Know You Want Me - Unplugging PlugX from Takahiro Haruyama & Hiroshi Suzuki Black Hat Asia 2014 presentation",
"value": "127.0.0.1"
}, {
"id": "214",
"org_id": "1",
"info": "Expansion on two IPs listed in OSINT IOCs from various campaigns listed in Detecting Bleeding Edge Malware presentation at hack.lu 2014",
"value": "127.0.0.1"
}, {
"id": "226",
"org_id": "1",
"info": "OSINT Expansion on Systematic cyber attacks against Israeli and Palestinian targets going on for a year by Norman",
"value": "127.0.0.1"
}, {
"id": "230",
"org_id": "1",
"info": "OSINT ShellShock scanning IPs from OpenDNS",
"value": "127.0.0.1"
}, {
"id": "373",
"org_id": "1",
"info": "OSINT Expansion on Additional indicators relating to Sofacy (APT28) phishing blog post by PWC",
"value": "127.0.0.1"
}]
},
"RelatedShadowAttribute": [],
"Sighting": []
}

60
tests/threatconnect_export_test.py
Unescape View File

@ -0,0 +1,60 @@
"""Test module for the ThreatConnect Export module"""
import base64
import csv
import io
import json
import os
import unittest
import requests
class TestModules(unittest.TestCase):
"""Unittest module for threat_connect_export.py"""
def setUp(self):
self.headers = {'Content-Type': 'application/json'}
self.url = "http://127.0.0.1:6666/"
self.module = "threat_connect_export"
input_event_path = "%s/test_files/misp_event.json" % os.path.dirname(os.path.realpath(__file__))
with open(input_event_path, "r") as ifile:
self.event = json.load(ifile)
def test_01_introspection(self):
"""Taken from test.py"""
try:
response = requests.get(self.url + "modules")
modules = [module["name"] for module in response.json()]
assert self.module in modules
finally:
response.connection.close()
def test_02_export(self):
"""Test an event export"""
test_source = "Test Export"
query = {
"module": self.module,
"data": [self.event],
"config": {
"Default_Source": test_source
}
}
try:
response = requests.post(self.url + "query", headers=self.headers, data=json.dumps(query))
data = base64.b64decode(response.json()["data"]).decode("utf-8")
csvfile = io.StringIO(data)
reader = csv.DictReader(csvfile)
values = [field["Value"] for field in reader]
assert "google.com" in values
assert "127.0.0.1" in values
# resetting file pointer to read through again and extract sources
csvfile.seek(0)
# use a set comprehension to deduplicate sources
sources = {field["Source"] for field in reader}
assert test_source in sources
finally:
response.connection.close()
if __name__ == "__main__":
unittest.main()
Write Preview
Loading…
Cancel
Save