MISP
/
misp-modules
mirror of https://github.com/MISP/misp-modules
2
0
Fork 0
Code Issues Releases Wiki Activity

added test files for threat_connect_export

pull/133/head
Thomas Gardner 2017-08-03 16:21:41 -06:00
parent 529719d9d8
commit 441d41cf5d
2 changed files with 357 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

297
tests/test_files/misp_event.json Normal file
View File

@ -0,0 +1,297 @@
{
"Event": {
"id": "625",
"orgc_id": "2",
"org_id": "1",
"date": "2017-05-24",
"threat_level_id": "3",
"info": "M2M - Fwd: IMG_3428.pdf",
"published": false,
"uuid": "59259036-fcd0-4749-8a6c-4d88950d210f",
"attribute_count": "2",
"analysis": "1",
"timestamp": "1500496265",
"distribution": "3",
"proposal_email_lock": false,
"user_id": "1",
"locked": false,
"publish_timestamp": "0",
"sharing_group_id": "0",
"disable_correlation": false
},
"User": {
"email": "admin@misp.training",
"id": "1"
},
"ThreatLevel": {
"name": "Low",
"id": "3"
},
"Org": {
"id": "1",
"name": "MISP",
"uuid": "56ef3277-1ad4-42f6-b90b-04e5c0a83832"
},
"Orgc": {
"id": "2",
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Attribute": [{
"id": "157835",
"type": "attachment",
"category": "Artifacts dropped",
"to_ids": false,
"uuid": "59259037-1014-4669-96b1-46af950d210f",
"event_id": "625",
"distribution": "5",
"timestamp": "1495633975",
"comment": "IMG_3428.pdf",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": false,
"value": "tmpzuni0skf",
"AttributeTag": [],
"ShadowAttribute": []
}, {
"id": "164191",
"type": "domain|ip",
"category": "Network activity",
"to_ids": false,
"uuid": "59430251-e6a4-4900-b78b-060dc0a83832",
"event_id": "625",
"distribution": "5",
"timestamp": "1497563729",
"comment": "Test data",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": false,
"value": "google.com|127.0.0.1",
"AttributeTag": [],
"ShadowAttribute": []
}],
"ShadowAttribute": [],
"EventTag": [{
"id": "1482",
"event_id": "625",
"tag_id": "2",
"Tag": {
"id": "2",
"name": "tlp:white",
"colour": "#ffffff",
"exportable": true,
"org_id": "0",
"hide_tag": false
}
}],
"Galaxy": [],
"RelatedEvent": [{
"Event": {
"id": "226",
"date": "2015-11-05",
"threat_level_id": "4",
"info": "OSINT Expansion on Systematic cyber attacks against Israeli and Palestinian targets going on for a year by Norman",
"published": true,
"uuid": "563b3ea6-b26c-401f-a68b-4d84950d210b",
"analysis": "2",
"timestamp": "1487757679",
"distribution": "3",
"org_id": "1",
"orgc_id": "3",
"Org": {
"id": "1",
"name": "MISP",
"uuid": "56ef3277-1ad4-42f6-b90b-04e5c0a83832"
},
"Orgc": {
"id": "3",
"name": "CthulhuSPRL.be",
"uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f"
}
}
}, {
"Event": {
"id": "207",
"date": "2015-04-03",
"threat_level_id": "4",
"info": "OSINT The Dyre Wolf report from IBM",
"published": true,
"uuid": "551e8745-ace0-461c-b9eb-ce36950d210b",
"analysis": "2",
"timestamp": "1428070986",
"distribution": "3",
"org_id": "1",
"orgc_id": "3",
"Org": {
"id": "1",
"name": "MISP",
"uuid": "56ef3277-1ad4-42f6-b90b-04e5c0a83832"
},
"Orgc": {
"id": "3",
"name": "CthulhuSPRL.be",
"uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f"
}
}
}, {
"Event": {
"id": "209",
"date": "2015-01-26",
"threat_level_id": "2",
"info": "OSINT I Know You Want Me - Unplugging PlugX from Takahiro Haruyama & Hiroshi Suzuki Black Hat Asia 2014 presentation",
"published": true,
"uuid": "54c60f43-b084-453a-a162-4e08950d210b",
"analysis": "2",
"timestamp": "1422356942",
"distribution": "3",
"org_id": "1",
"orgc_id": "3",
"Org": {
"id": "1",
"name": "MISP",
"uuid": "56ef3277-1ad4-42f6-b90b-04e5c0a83832"
},
"Orgc": {
"id": "3",
"name": "CthulhuSPRL.be",
"uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f"
}
}
}, {
"Event": {
"id": "214",
"date": "2014-12-18",
"threat_level_id": "4",
"info": "Expansion on two IPs listed in OSINT IOCs from various campaigns listed in Detecting Bleeding Edge Malware presentation at hack.lu 2014",
"published": true,
"uuid": "54932a3e-7284-4753-b95c-4e08950d210b",
"analysis": "2",
"timestamp": "1442489489",
"distribution": "3",
"org_id": "1",
"orgc_id": "3",
"Org": {
"id": "1",
"name": "MISP",
"uuid": "56ef3277-1ad4-42f6-b90b-04e5c0a83832"
},
"Orgc": {
"id": "3",
"name": "CthulhuSPRL.be",
"uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f"
}
}
}, {
"Event": {
"id": "208",
"date": "2014-11-20",
"threat_level_id": "4",
"info": "Import of CitizenLab public DB of malware indicators",
"published": true,
"uuid": "546e08ce-3134-4892-997b-73ff950d210b",
"analysis": "2",
"timestamp": "1487758220",
"distribution": "3",
"org_id": "1",
"orgc_id": "3",
"Org": {
"id": "1",
"name": "MISP",
"uuid": "56ef3277-1ad4-42f6-b90b-04e5c0a83832"
},
"Orgc": {
"id": "3",
"name": "CthulhuSPRL.be",
"uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f"
}
}
}, {
"Event": {
"id": "373",
"date": "2014-11-18",
"threat_level_id": "4",
"info": "OSINT Expansion on Additional indicators relating to Sofacy (APT28) phishing blog post by PWC",
"published": true,
"uuid": "546bc3e8-d498-4e0c-b169-f2ea950d210b",
"analysis": "2",
"timestamp": "1487758281",
"distribution": "3",
"org_id": "1",
"orgc_id": "3",
"Org": {
"id": "1",
"name": "MISP",
"uuid": "56ef3277-1ad4-42f6-b90b-04e5c0a83832"
},
"Orgc": {
"id": "3",
"name": "CthulhuSPRL.be",
"uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f"
}
}
}, {
"Event": {
"id": "230",
"date": "2014-10-02",
"threat_level_id": "3",
"info": "OSINT ShellShock scanning IPs from OpenDNS",
"published": true,
"uuid": "542e4c9c-cadc-4f8f-bb11-6d13950d210b",
"analysis": "2",
"timestamp": "1442489604",
"distribution": "3",
"org_id": "1",
"orgc_id": "3",
"Org": {
"id": "1",
"name": "MISP",
"uuid": "56ef3277-1ad4-42f6-b90b-04e5c0a83832"
},
"Orgc": {
"id": "3",
"name": "CthulhuSPRL.be",
"uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f"
}
}
}],
"RelatedAttribute": {
"164191": [{
"id": "207",
"org_id": "1",
"info": "OSINT The Dyre Wolf report from IBM",
"value": "google.com"
}, {
"id": "208",
"org_id": "1",
"info": "Import of CitizenLab public DB of malware indicators",
"value": "127.0.0.1"
}, {
"id": "209",
"org_id": "1",
"info": "OSINT I Know You Want Me - Unplugging PlugX from Takahiro Haruyama & Hiroshi Suzuki Black Hat Asia 2014 presentation",
"value": "127.0.0.1"
}, {
"id": "214",
"org_id": "1",
"info": "Expansion on two IPs listed in OSINT IOCs from various campaigns listed in Detecting Bleeding Edge Malware presentation at hack.lu 2014",
"value": "127.0.0.1"
}, {
"id": "226",
"org_id": "1",
"info": "OSINT Expansion on Systematic cyber attacks against Israeli and Palestinian targets going on for a year by Norman",
"value": "127.0.0.1"
}, {
"id": "230",
"org_id": "1",
"info": "OSINT ShellShock scanning IPs from OpenDNS",
"value": "127.0.0.1"
}, {
"id": "373",
"org_id": "1",
"info": "OSINT Expansion on Additional indicators relating to Sofacy (APT28) phishing blog post by PWC",
"value": "127.0.0.1"
}]
},
"RelatedShadowAttribute": [],
"Sighting": []
}

60
tests/threatconnect_export_test.py Normal file
View File

@ -0,0 +1,60 @@
"""Test module for the ThreatConnect Export module"""
import base64
import csv
import io
import json
import os
import unittest
import requests
class TestModules(unittest.TestCase):
"""Unittest module for threat_connect_export.py"""
def setUp(self):
self.headers = {'Content-Type': 'application/json'}
self.url = "http://127.0.0.1:6666/"
self.module = "threat_connect_export"
input_event_path = "%s/test_files/misp_event.json" % os.path.dirname(os.path.realpath(__file__))
with open(input_event_path, "r") as ifile:
self.event = json.load(ifile)
def test_01_introspection(self):
"""Taken from test.py"""
try:
response = requests.get(self.url + "modules")
modules = [module["name"] for module in response.json()]
assert self.module in modules
finally:
response.connection.close()
def test_02_export(self):
"""Test an event export"""
test_source = "Test Export"
query = {
"module": self.module,
"data": [self.event],
"config": {
"Default_Source": test_source
}
}
try:
response = requests.post(self.url + "query", headers=self.headers, data=json.dumps(query))
data = base64.b64decode(response.json()["data"]).decode("utf-8")
csvfile = io.StringIO(data)
reader = csv.DictReader(csvfile)
values = [field["Value"] for field in reader]
assert "google.com" in values
assert "127.0.0.1" in values
# resetting file pointer to read through again and extract sources
csvfile.seek(0)
# use a set comprehension to deduplicate sources
sources = {field["Source"] for field in reader}
assert test_source in sources
finally:
response.connection.close()
if __name__ == "__main__":
unittest.main()