Fix verify module, add test case

event_exp
Raphaël Vinot 2016-11-22 11:36:46 +01:00
parent 3c121e1ce8
commit 52437a416c
6 changed files with 39 additions and 2 deletions

View File

@ -5,17 +5,29 @@ cache: pip
services:
- redis-server
addons:
apt:
packages:
- libgpg-error-dev
- libgpgme11-dev
python:
- "3.3"
- "3.4"
- "3.5"
- "3.5-dev"
- "3.6-dev"
- "nightly"
before_install:
- gpg --batch --gen-key tests/gpg/test_org_gpg
install:
- pip install -U pip
- pip install -U nose
- pip install coveralls
- pip install codecov
- pip install --pre pyme3
- pip install -U -r REQUIREMENTS
- pip install .

View File

@ -15,3 +15,5 @@ git+https://github.com/Rafiot/uwhoisd.git@testing#egg=uwhois&subdirectory=client
pillow
pytesseract
SPARQLWrapper
git+https://github.com/MISP/PyMISP.git
--pre pyme3

View File

@ -10,7 +10,7 @@ moduleinfo = {'version': '0.1', 'author': 'Raphaël Vinot',
'description': 'Verify the signature of a MISP Event',
'module-type': ['event']}
moduleconfig = ['uid']
moduleconfig = []
'''
NOTE:
@ -26,7 +26,7 @@ def handler(q=False):
request = json.loads(q) # Assuming request has two keys: config & mispevent (mispevent being the json dump of the event)
mispevent = MISPEvent()
mispevent.load(request['mispevent'])
verified = mispevent.verify(mispevent.Org['uuid'])
verified = mispevent.verify(mispevent.Orgc['uuid'])
return json.dumps(verified)

View File

@ -0,0 +1 @@
{"Event": {"info": "Ransomware - Xorist", "publish_timestamp": "1472548231", "timestamp": "1472541011", "analysis": "2", "Attribute": [{"category": "External analysis", "comment": "Imported via the Freetext Import Tool - Xchecked via VT: b3c4ae251f8094fa15b510051835c657eaef2a6cea46075d3aec964b14a99f68", "uuid": "57c5300c-0560-4146-bfaa-40e802de0b81", "timestamp": "1472540684", "to_ids": false, "value": "https://www.virustotal.com/file/b3c4ae251f8094fa15b510051835c657eaef2a6cea46075d3aec964b14a99f68/analysis/1469554268/", "type": "link"}, {"category": "External analysis", "comment": "", "uuid": "57c5310b-dc34-43cb-8b8e-4846950d210f", "timestamp": "1472541011", "to_ids": false, "value": "http://www.xylibox.com/2011/06/have-fun-with-trojan-ransomwin32xorist.html", "type": "link"}, {"category": "Other", "comment": "", "uuid": "57c444c0-8004-48fa-9c33-8aca950d210f", "timestamp": "1472480448", "to_ids": false, "value": "UPX packed", "type": "comment"}, {"category": "Other", "comment": "", "uuid": "57c44648-96f4-45d4-a8eb-453e950d210f", "timestamp": "1472480840", "to_ids": false, "value": "Key: 85350044dF4AC3518D185678A9414A7F,\r\nEncryption rounds:8,\r\nStart offset: 64,\r\nAlgorithm: TEA", "type": "text"}, {"category": "Payload delivery", "comment": "Imported via the Freetext Import Tool", "uuid": "57c4448a-fb04-457d-87e7-4127950d210f", "timestamp": "1472480394", "to_ids": true, "value": "3Z4wnG9603it23y.exe", "type": "filename"}, {"category": "Payload delivery", "comment": "Imported via the Freetext Import Tool", "uuid": "57c4448b-454c-4d17-90d1-4d2f950d210f", "timestamp": "1472480395", "to_ids": true, "value": "0749bae92ca336a02c83d126e04ec628", "type": "md5"}, {"category": "Payload delivery", "comment": "Imported via the Freetext Import Tool", "uuid": "57c4448a-bef0-4ba7-a071-444e950d210f", "timestamp": "1472480394", "to_ids": true, "value": "77b0c41b7d340b8a3d903f21347bbf06aa766b5b", "type": "sha1"}, {"category": "Payload delivery", "comment": "Imported via the Freetext Import Tool", "uuid": "57c4448b-3fa4-4d65-9ccc-4afa950d210f", "timestamp": "1472480395", "to_ids": true, "value": "b3c4ae251f8094fa15b510051835c657eaef2a6cea46075d3aec964b14a99f68", "type": "sha256"}, {"category": "Persistence mechanism", "comment": "", "uuid": "57c54b0f-27a4-458b-8e63-4455950d210f", "timestamp": "1472547599", "to_ids": true, "value": "Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run|%TEMP%\\3Z4wnG9603it23y.exe", "type": "regkey|value"}], "Tag": [{"colour": "#ffffff", "exportable": true, "name": "tlp:white"}, {"colour": "#3d7a00", "exportable": true, "name": "circl:incident-classification=\"malware\""}, {"colour": "#420053", "exportable": true, "name": "ms-caro-malware:malware-type=\"Ransom\""}, {"colour": "#2c4f00", "exportable": true, "name": "malware_classification:malware-category=\"Ransomware\""}], "published": true, "date": "2016-08-29", "Orgc": {"name": "CIRCL", "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"}, "threat_level_id": "3", "uuid": "57c4445b-c548-4654-af0b-4be3950d210f"}}

7
tests/gpg/test_org_gpg Normal file
View File

@ -0,0 +1,7 @@
%echo Generating a basic OpenPGP key
Key-Type: RSA
Name-Real: 5832bfa8-76d0-4bdb-a221-46fa950d210f
Passphrase: misptestorg
# Do a commit here, so that we can later print "done" :-)
%commit
%echo done

View File

@ -6,6 +6,7 @@ import requests
import base64
import json
import os
from pymisp import MISPEvent, EncodeUpdate
class TestModules(unittest.TestCase):
@ -54,5 +55,19 @@ class TestModules(unittest.TestCase):
response = requests.post(self.url + "query", data=f.read()).json()
assert(response)
def test_sign(self):
event = MISPEvent()
event.load('tests/57c4445b-c548-4654-af0b-4be3950d210f.json')
data = {'module': 'sign',
'config': {'uid': '5832bfa8-76d0-4bdb-a221-46fa950d210f', 'passphrase': 'misptestorg'},
'mispevent': json.dumps(event, cls=EncodeUpdate)}
signed_event = requests.post(self.url + "query", data=json.dumps(data)).json()
event.load(signed_event)
data = {'module': 'verify',
'config': {'uid': '5832bfa8-76d0-4bdb-a221-46fa950d210f'},
'mispevent': json.dumps(event, cls=EncodeUpdate)}
verified = requests.post(self.url + "query", data=json.dumps(data))
assert(verified)
if __name__ == '__main__':
unittest.main()