mirror of https://github.com/MISP/misp-modules
Fix verify module, add test case
parent
3c121e1ce8
commit
52437a416c
12
.travis.yml
12
.travis.yml
|
@ -5,17 +5,29 @@ cache: pip
|
||||||
services:
|
services:
|
||||||
- redis-server
|
- redis-server
|
||||||
|
|
||||||
|
addons:
|
||||||
|
apt:
|
||||||
|
packages:
|
||||||
|
- libgpg-error-dev
|
||||||
|
- libgpgme11-dev
|
||||||
|
|
||||||
python:
|
python:
|
||||||
- "3.3"
|
- "3.3"
|
||||||
- "3.4"
|
- "3.4"
|
||||||
- "3.5"
|
- "3.5"
|
||||||
- "3.5-dev"
|
- "3.5-dev"
|
||||||
|
- "3.6-dev"
|
||||||
- "nightly"
|
- "nightly"
|
||||||
|
|
||||||
|
before_install:
|
||||||
|
- gpg --batch --gen-key tests/gpg/test_org_gpg
|
||||||
|
|
||||||
install:
|
install:
|
||||||
|
- pip install -U pip
|
||||||
- pip install -U nose
|
- pip install -U nose
|
||||||
- pip install coveralls
|
- pip install coveralls
|
||||||
- pip install codecov
|
- pip install codecov
|
||||||
|
- pip install --pre pyme3
|
||||||
- pip install -U -r REQUIREMENTS
|
- pip install -U -r REQUIREMENTS
|
||||||
- pip install .
|
- pip install .
|
||||||
|
|
||||||
|
|
|
@ -15,3 +15,5 @@ git+https://github.com/Rafiot/uwhoisd.git@testing#egg=uwhois&subdirectory=client
|
||||||
pillow
|
pillow
|
||||||
pytesseract
|
pytesseract
|
||||||
SPARQLWrapper
|
SPARQLWrapper
|
||||||
|
git+https://github.com/MISP/PyMISP.git
|
||||||
|
--pre pyme3
|
||||||
|
|
|
@ -10,7 +10,7 @@ moduleinfo = {'version': '0.1', 'author': 'Raphaël Vinot',
|
||||||
'description': 'Verify the signature of a MISP Event',
|
'description': 'Verify the signature of a MISP Event',
|
||||||
'module-type': ['event']}
|
'module-type': ['event']}
|
||||||
|
|
||||||
moduleconfig = ['uid']
|
moduleconfig = []
|
||||||
|
|
||||||
'''
|
'''
|
||||||
NOTE:
|
NOTE:
|
||||||
|
@ -26,7 +26,7 @@ def handler(q=False):
|
||||||
request = json.loads(q) # Assuming request has two keys: config & mispevent (mispevent being the json dump of the event)
|
request = json.loads(q) # Assuming request has two keys: config & mispevent (mispevent being the json dump of the event)
|
||||||
mispevent = MISPEvent()
|
mispevent = MISPEvent()
|
||||||
mispevent.load(request['mispevent'])
|
mispevent.load(request['mispevent'])
|
||||||
verified = mispevent.verify(mispevent.Org['uuid'])
|
verified = mispevent.verify(mispevent.Orgc['uuid'])
|
||||||
return json.dumps(verified)
|
return json.dumps(verified)
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -0,0 +1 @@
|
||||||
|
{"Event": {"info": "Ransomware - Xorist", "publish_timestamp": "1472548231", "timestamp": "1472541011", "analysis": "2", "Attribute": [{"category": "External analysis", "comment": "Imported via the Freetext Import Tool - Xchecked via VT: b3c4ae251f8094fa15b510051835c657eaef2a6cea46075d3aec964b14a99f68", "uuid": "57c5300c-0560-4146-bfaa-40e802de0b81", "timestamp": "1472540684", "to_ids": false, "value": "https://www.virustotal.com/file/b3c4ae251f8094fa15b510051835c657eaef2a6cea46075d3aec964b14a99f68/analysis/1469554268/", "type": "link"}, {"category": "External analysis", "comment": "", "uuid": "57c5310b-dc34-43cb-8b8e-4846950d210f", "timestamp": "1472541011", "to_ids": false, "value": "http://www.xylibox.com/2011/06/have-fun-with-trojan-ransomwin32xorist.html", "type": "link"}, {"category": "Other", "comment": "", "uuid": "57c444c0-8004-48fa-9c33-8aca950d210f", "timestamp": "1472480448", "to_ids": false, "value": "UPX packed", "type": "comment"}, {"category": "Other", "comment": "", "uuid": "57c44648-96f4-45d4-a8eb-453e950d210f", "timestamp": "1472480840", "to_ids": false, "value": "Key: 85350044dF4AC3518D185678A9414A7F,\r\nEncryption rounds:8,\r\nStart offset: 64,\r\nAlgorithm: TEA", "type": "text"}, {"category": "Payload delivery", "comment": "Imported via the Freetext Import Tool", "uuid": "57c4448a-fb04-457d-87e7-4127950d210f", "timestamp": "1472480394", "to_ids": true, "value": "3Z4wnG9603it23y.exe", "type": "filename"}, {"category": "Payload delivery", "comment": "Imported via the Freetext Import Tool", "uuid": "57c4448b-454c-4d17-90d1-4d2f950d210f", "timestamp": "1472480395", "to_ids": true, "value": "0749bae92ca336a02c83d126e04ec628", "type": "md5"}, {"category": "Payload delivery", "comment": "Imported via the Freetext Import Tool", "uuid": "57c4448a-bef0-4ba7-a071-444e950d210f", "timestamp": "1472480394", "to_ids": true, "value": "77b0c41b7d340b8a3d903f21347bbf06aa766b5b", "type": "sha1"}, {"category": "Payload delivery", "comment": "Imported via the Freetext Import Tool", "uuid": "57c4448b-3fa4-4d65-9ccc-4afa950d210f", "timestamp": "1472480395", "to_ids": true, "value": "b3c4ae251f8094fa15b510051835c657eaef2a6cea46075d3aec964b14a99f68", "type": "sha256"}, {"category": "Persistence mechanism", "comment": "", "uuid": "57c54b0f-27a4-458b-8e63-4455950d210f", "timestamp": "1472547599", "to_ids": true, "value": "Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run|%TEMP%\\3Z4wnG9603it23y.exe", "type": "regkey|value"}], "Tag": [{"colour": "#ffffff", "exportable": true, "name": "tlp:white"}, {"colour": "#3d7a00", "exportable": true, "name": "circl:incident-classification=\"malware\""}, {"colour": "#420053", "exportable": true, "name": "ms-caro-malware:malware-type=\"Ransom\""}, {"colour": "#2c4f00", "exportable": true, "name": "malware_classification:malware-category=\"Ransomware\""}], "published": true, "date": "2016-08-29", "Orgc": {"name": "CIRCL", "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"}, "threat_level_id": "3", "uuid": "57c4445b-c548-4654-af0b-4be3950d210f"}}
|
|
@ -0,0 +1,7 @@
|
||||||
|
%echo Generating a basic OpenPGP key
|
||||||
|
Key-Type: RSA
|
||||||
|
Name-Real: 5832bfa8-76d0-4bdb-a221-46fa950d210f
|
||||||
|
Passphrase: misptestorg
|
||||||
|
# Do a commit here, so that we can later print "done" :-)
|
||||||
|
%commit
|
||||||
|
%echo done
|
|
@ -6,6 +6,7 @@ import requests
|
||||||
import base64
|
import base64
|
||||||
import json
|
import json
|
||||||
import os
|
import os
|
||||||
|
from pymisp import MISPEvent, EncodeUpdate
|
||||||
|
|
||||||
|
|
||||||
class TestModules(unittest.TestCase):
|
class TestModules(unittest.TestCase):
|
||||||
|
@ -54,5 +55,19 @@ class TestModules(unittest.TestCase):
|
||||||
response = requests.post(self.url + "query", data=f.read()).json()
|
response = requests.post(self.url + "query", data=f.read()).json()
|
||||||
assert(response)
|
assert(response)
|
||||||
|
|
||||||
|
def test_sign(self):
|
||||||
|
event = MISPEvent()
|
||||||
|
event.load('tests/57c4445b-c548-4654-af0b-4be3950d210f.json')
|
||||||
|
data = {'module': 'sign',
|
||||||
|
'config': {'uid': '5832bfa8-76d0-4bdb-a221-46fa950d210f', 'passphrase': 'misptestorg'},
|
||||||
|
'mispevent': json.dumps(event, cls=EncodeUpdate)}
|
||||||
|
signed_event = requests.post(self.url + "query", data=json.dumps(data)).json()
|
||||||
|
event.load(signed_event)
|
||||||
|
data = {'module': 'verify',
|
||||||
|
'config': {'uid': '5832bfa8-76d0-4bdb-a221-46fa950d210f'},
|
||||||
|
'mispevent': json.dumps(event, cls=EncodeUpdate)}
|
||||||
|
verified = requests.post(self.url + "query", data=json.dumps(data))
|
||||||
|
assert(verified)
|
||||||
|
|
||||||
if __name__ == '__main__':
|
if __name__ == '__main__':
|
||||||
unittest.main()
|
unittest.main()
|
||||||
|
|
Loading…
Reference in New Issue