From a591138020b4a878ea92c2a19d2a349843f4295f Mon Sep 17 00:00:00 2001
From: chrisr3d
Date: Fri, 4 Oct 2019 16:07:19 +0200
Subject: [PATCH 1/6] add: Added tests for some expansion modules without API key required
- More tests to come
---
tests/test_expansions.py | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
diff --git a/tests/test_expansions.py b/tests/test_expansions.py
index af90213..f737de9 100644
--- a/tests/test_expansions.py
+++ b/tests/test_expansions.py
@@ -24,11 +24,31 @@ class TestExpansions(unittest.TestCase):
return data
return data['results'][0]['values']
+ def test_btc_steroids(self):
+ query = {"module": "btc_steroids", "btc": "1ES14c7qLb5CYhLMUekctxLgc1FV2Ti9DA"}
+ reponse = self.misp_modules_post(query)
+ self.assertTrue(self.get_values(response)[0].startswith('\n\nAddress:\t1ES14c7qLb5CYhLMUekctxLgc1FV2Ti9DA\nBalance:\t0.0000000000 BTC (+0.0005355700 BTC / -0.0005355700 BTC)'))
+
+ def test_btc_scam_check(self):
+ query = {"module": "btc_scam_check", "btc": "1ES14c7qLb5CYhLMUekctxLgc1FV2Ti9DA"}
+ response = slef.misp_modules_post(query)
+ self.assertEqual(self.get_values(response), '1es14c7qlb5cyhlmuekctxlgc1fv2ti9da fraudolent bitcoin address')
+
+ def test_countrycode(self):
+ query = {"module": "countrycode", "domain": "www.circl.lu"}
+ reponse = self.misp_modules_post(query)
+ self.assertEqual(self.get_values(response), ['Luxembourg'])
+
def test_cve(self):
query = {"module": "cve", "vulnerability": "CVE-2010-3333", "config": {"custom_API": "https://cve.circl.lu/api/cve/"}}
response = self.misp_modules_post(query)
self.assertTrue(self.get_values(response).startswith("Stack-based buffer overflow in Microsoft Office XP SP3, Office 2003 SP3"))
+ def test_dbl_spamhaus(self):
+ query = {"module": "dbl_spamhaus", "domain": "language.wikaba.com"}
+ response = self.misp_modules_post(query)
+ self.assertEqual(self.get_values(response), 'language.wikaba.com - abused legit malware')
+
def test_dns(self):
query = {"module": "dns", "hostname": "www.circl.lu", "config": {"nameserver": "8.8.8.8"}}
response = self.misp_modules_post(query)
From cbb7a430a7e6ecbd2533427a91ef8ca8a6336e6f Mon Sep 17 00:00:00 2001
From: chrisr3d
Date: Fri, 4 Oct 2019 16:46:57 +0200
Subject: [PATCH 2/6] add: More modules tested
---
tests/test_expansions.py | 26 ++++++++++++++++++--------
1 file changed, 18 insertions(+), 8 deletions(-)
diff --git a/tests/test_expansions.py b/tests/test_expansions.py
index f737de9..56fa14e 100644
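Review bot: `test_btc_steroids` pins a live balance and transaction totals (`Balance:\t0.0000000000 BTC (+0.0005355700 BTC / -0.0005355700 BTC)`) for a public address, so any new transaction to that address fails the test without any regression in the module; assert only the stable prefix, `startswith('\n\nAddress:\t1ES14c7qLb5CYhLMUekctxLgc1FV2Ti9DA\nBalance:\t')`. The exact `fraudolent bitcoin address` and `abused legit malware` strings in the other two new tests restate third-party listings that can change the same way, so a one-line comment per test saying the expected value depends on a remote service would at least tell the next person why it flaked. Separately, `reponse` (twice) and `slef` are NameErrors, so this commit's new tests cannot pass as committed; PATCH 4 of this series corrects them.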
--- a/tests/test_expansions.py
+++ b/tests/test_expansions.py
@@ -24,6 +24,11 @@ class TestExpansions(unittest.TestCase):
return data
return data['results'][0]['values']
+ def test_bgpranking(self):
+ query = {"module": "bgpranking", "AS": "13335"}
+ response = self.misp_modules_post(query)
+ self.assertEqual(self.get_values(response)['response']['asn_description'], 'CLOUDFLARENET - Cloudflare, Inc., US')
+
def test_btc_steroids(self):
query = {"module": "btc_steroids", "btc": "1ES14c7qLb5CYhLMUekctxLgc1FV2Ti9DA"}
reponse = self.misp_modules_post(query)
@@ -54,11 +59,6 @@ class TestExpansions(unittest.TestCase):
response = self.misp_modules_post(query)
self.assertEqual(self.get_values(response), ['149.13.33.14'])
- def test_macvendors(self):
- query = {"module": "macvendors", "mac-address": "FC-A1-3E-2A-1C-33"}
- response = self.misp_modules_post(query)
- self.assertEqual(self.get_values(response), 'Samsung Electronics Co.,Ltd')
-
def test_haveibeenpwned(self):
query = {"module": "hibp", "email-src": "info@circl.lu"}
response = self.misp_modules_post(query)
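Review bot: `test_bgpranking` indexes `['response']['asn_description']` straight off `get_values(response)`, so when the module returns an error payload the test dies with a KeyError or TypeError instead of a readable assertion failure. `get_values` is defined above the hunk and its visible early `return data` suggests it hands back the raw payload on that path, so guard first with `values = self.get_values(response)` and `self.assertIn('response', values)` before indexing. The expected description `CLOUDFLARENET - Cloudflare, Inc., US` is also a live registry string; `startswith('CLOUDFLARENET')` would survive a cosmetic registry edit.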
@@ -79,7 +79,17 @@ class TestExpansions(unittest.TestCase):
entry = self.get_values(response)['response'][key]['asn']
self.assertEqual(entry, '13335')
- def test_bgpranking(self):
- query = {"module": "bgpranking", "AS": "13335"}
+ def test_macvendors(self):
+ query = {"module": "macvendors", "mac-address": "FC-A1-3E-2A-1C-33"}
response = self.misp_modules_post(query)
- self.assertEqual(self.get_values(response)['response']['asn_description'], 'CLOUDFLARENET - Cloudflare, Inc., US')
+ self.assertEqual(self.get_values(response), 'Samsung Electronics Co.,Ltd')
+
+ def test_rbl(self):
+ query = {"module": "rbl", "ip-src": "8.8.8.8"}
+ response = self.misp_modules_post(auery)
+ self.assertTrue(self.get_values(response).startswith('8.8.8.8.query.senderbase.org: "0-0=1|1=GOOGLE'))
+
+ def test_reversedns(self):
+ query = {"module": "reversedns", "ip-src": "8.8.8.8"}
+ response = self.misp_modules_post(query)
+ self.assertEqual(self.get_values(response), ['dns.google.'])
From db804b6a125a8ee00941665841d9d556c8f5ee8a Mon Sep 17 00:00:00 2001
From: chrisr3d
Date: Fri, 4 Oct 2019 17:46:25 +0200
Subject: [PATCH 3/6] add: Tests for sigma queries and syntax validator modules
---
tests/test_expansions.py | 13 ++++++++++++-
1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/tests/test_expansions.py b/tests/test_expansions.py
index aa356c5..fe6217c 100644
--- a/tests/test_expansions.py
+++ b/tests/test_expansions.py
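Review bot: `auery` in `test_rbl` is a NameError, so the test fails before it sends a request; PATCH 3 of this series corrects it. The expected value `'8.8.8.8.query.senderbase.org: "0-0=1|1=GOOGLE'` is SenderBase's live reputation answer for 8.8.8.8 and `['dns.google.']` is Google's current PTR record, both of which can change with nothing in the module regressing; asserting on the stable part, `startswith('8.8.8.8.query.senderbase.org:')`, keeps `test_rbl` meaningful. The reordering of `test_macvendors` and `test_bgpranking` is pure movement and needs no further comment.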
@@ -13,6 +13,7 @@ class TestExpansions(unittest.TestCase):
self.maxDiff = None
self.headers = {'Content-Type': 'application/json'}
self.url = "http://127.0.0.1:6666/"
+ self.sigma_rule = "title: Antivirus Web Shell Detection\r\ndescription: Detects a highly relevant Antivirus alert that reports a web shell\r\ndate: 2018/09/09\r\nmodified: 2019/10/04\r\nauthor: Florian Roth\r\nreferences:\r\n - https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/\r\ntags:\r\n - attack.persistence\r\n - attack.t1100\r\nlogsource:\r\n product: antivirus\r\ndetection:\r\n selection:\r\n Signature: \r\n - \"PHP/Backdoor*\"\r\n - \"JSP/Backdoor*\"\r\n - \"ASP/Backdoor*\"\r\n - \"Backdoor.PHP*\"\r\n - \"Backdoor.JSP*\"\r\n - \"Backdoor.ASP*\"\r\n - \"*Webshell*\"\r\n condition: selection\r\nfields:\r\n - FileName\r\n - User\r\nfalsepositives:\r\n - Unlikely\r\nlevel: critical"
def misp_modules_post(self, query):
return requests.post(urljoin(self.url, "query"), json=query)
@@ -86,10 +87,20 @@ class TestExpansions(unittest.TestCase):
def test_rbl(self):
query = {"module": "rbl", "ip-src": "8.8.8.8"}
- response = self.misp_modules_post(auery)
+ response = self.misp_modules_post(query)
self.assertTrue(self.get_values(response).startswith('8.8.8.8.query.senderbase.org: "0-0=1|1=GOOGLE'))
def test_reversedns(self):
query = {"module": "reversedns", "ip-src": "8.8.8.8"}
response = self.misp_modules_post(query)
self.assertEqual(self.get_values(response), ['dns.google.'])
+
+ def test_sigma_queries(self):
+ query = {"module": "sigma_queries", "sigma": self.sigma_rule}
+ response = self.misp_modules_post(query)
+ self.assertTrue(self.get_values(response)['kibana'].startswith('[\n {\n "_id": "Antivirus-Web-Shell-Detection"'))
+
+ def test_sigma_syntax(self):
+ query = {"module": "sigma_syntax_validator", "sigma": self.sigma_rule}
+ response = self.misp_modules_post(query)
+ self.assertTrue(self.get_values(response).startswith('Syntax valid:'))
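Review bot: `test_sigma_syntax` only exercises the accept path, so a validator that answers `Syntax valid:` for any input would pass; it needs a rejecting case built from the same fixture. How the module reports an invalid rule is not visible in this hunk, so the negative assertion below assumes the message comes back through the same `values` field and stringifies it defensively — adjust if the module answers with an `error` key instead. The `sigma_rule` fixture in the first hunk is one very long line in `setUp`; a class-level constant written with `textwrap.dedent` would keep the rule readable and let both sigma tests share it without re-creating it per test.

```python
    def test_sigma_syntax_invalid(self):
        # Renaming the mandatory 'detection' section must make the validator reject the rule.
        broken = self.sigma_rule.replace("detection:", "detectionx:")
        query = {"module": "sigma_syntax_validator", "sigma": broken}
        response = self.misp_modules_post(query)
        self.assertFalse(str(self.get_values(response)).startswith('Syntax valid:'))
```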
From 1130eaf8401ee23091176f17bfa3632cba56a99b Mon Sep 17 00:00:00 2001
From: chrisr3d
Date: Fri, 4 Oct 2019 23:16:28 +0200
Subject: [PATCH 4/6] fix: Quick typo & dbl spamhaus test fixes
---
tests/test_expansions.py | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/tests/test_expansions.py b/tests/test_expansions.py
index fe6217c..0097f87 100644
--- a/tests/test_expansions.py
+++ b/tests/test_expansions.py
@@ -32,17 +32,17 @@ class TestExpansions(unittest.TestCase):
def test_btc_steroids(self):
query = {"module": "btc_steroids", "btc": "1ES14c7qLb5CYhLMUekctxLgc1FV2Ti9DA"}
- reponse = self.misp_modules_post(query)
+ response = self.misp_modules_post(query)
self.assertTrue(self.get_values(response)[0].startswith('\n\nAddress:\t1ES14c7qLb5CYhLMUekctxLgc1FV2Ti9DA\nBalance:\t0.0000000000 BTC (+0.0005355700 BTC / -0.0005355700 BTC)'))
def test_btc_scam_check(self):
query = {"module": "btc_scam_check", "btc": "1ES14c7qLb5CYhLMUekctxLgc1FV2Ti9DA"}
- response = slef.misp_modules_post(query)
+ response = self.misp_modules_post(query)
self.assertEqual(self.get_values(response), '1es14c7qlb5cyhlmuekctxlgc1fv2ti9da fraudolent bitcoin address')
def test_countrycode(self):
query = {"module": "countrycode", "domain": "www.circl.lu"}
- reponse = self.misp_modules_post(query)
+ response = self.misp_modules_post(query)
self.assertEqual(self.get_values(response), ['Luxembourg'])
def test_cve(self):
@@ -51,9 +51,9 @@ class TestExpansions(unittest.TestCase):
self.assertTrue(self.get_values(response).startswith("Stack-based buffer overflow in Microsoft Office XP SP3, Office 2003 SP3"))
def test_dbl_spamhaus(self):
- query = {"module": "dbl_spamhaus", "domain": "language.wikaba.com"}
+ query = {"module": "dbl_spamhaus", "domain": "totalmateria.net"}
response = self.misp_modules_post(query)
- self.assertEqual(self.get_values(response), 'language.wikaba.com - abused legit malware')
+ self.assertEqual(self.get_values(response), 'totalmateria.net - spam domain')
def test_dns(self):
query = {"module": "dns", "hostname": "www.circl.lu", "config": {"nameserver": "8.8.8.8"}}
From 6a3c9072228af2afde87a3e2166710df6fb0dd48 Mon Sep 17 00:00:00 2001
From: chrisr3d
Date: Sat, 5 Oct 2019 00:15:29 +0200
Subject: [PATCH 5/6] fix: DBL spamhaus test
---
tests/test_expansions.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/test_expansions.py b/tests/test_expansions.py
index 0097f87..a4cad97 100644
--- a/tests/test_expansions.py
+++ b/tests/test_expansions.py
@@ -53,7 +53,7 @@ class TestExpansions(unittest.TestCase):
def test_dbl_spamhaus(self):
query = {"module": "dbl_spamhaus", "domain": "totalmateria.net"}
response = self.misp_modules_post(query)
- self.assertEqual(self.get_values(response), 'totalmateria.net - spam domain')
+ self.assertTrue(self.get_values(response).startswith('None of DNS query names exist: totalmateria.net.dbl.spamhaus.org.'))
def test_dns(self):
query = {"module": "dns", "hostname": "www.circl.lu", "config": {"nameserver": "8.8.8.8"}}
From e1faf642968be46f613b1a7419c424a74c7bbd36 Mon Sep 17 00:00:00 2001
From: chrisr3d
Date: Mon, 7 Oct 2019 17:14:27 +0200
Subject: [PATCH 6/6] add: Added tests for the rest of the easily testable expansion modules
- More tests for more complex modules to come soon
---
tests/test_expansions.py | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
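Review bot: The new expected value in PATCH 5, `None of DNS query names exist: totalmateria.net.dbl.spamhaus.org.`, is a resolver NXDOMAIN message, so `test_dbl_spamhaus` now pins "domain is not listed" (or the lookup failing outright) as the correct answer; a module that never resolves anything would pass, and the positive `spam domain` path this test existed for is no longer covered. The churn visible across PATCH 4 and PATCH 5 (`language.wikaba.com`, then `totalmateria.net`, then NXDOMAIN within one day) is the cost of asserting on live blocklist membership; Spamhaus documents a permanent DBL test entry, `dbltest.com`, so `query = {"module": "dbl_spamhaus", "domain": "dbltest.com"}` with the listing string the module emits for it would be a stable positive case. If the not-listed behaviour is worth testing, keep it under its own name, e.g. `test_dbl_spamhaus_not_listed`, so a reader is not told that an NXDOMAIN is the expected outcome of a spam check.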
diff --git a/tests/test_expansions.py b/tests/test_expansions.py
index a4cad97..9f1674f 100644
--- a/tests/test_expansions.py
+++ b/tests/test_expansions.py
@@ -104,3 +104,23 @@ class TestExpansions(unittest.TestCase):
query = {"module": "sigma_syntax_validator", "sigma": self.sigma_rule}
response = self.misp_modules_post(query)
self.assertTrue(self.get_values(response).startswith('Syntax valid:'))
+
+ def test_stix2_pattern_validator(self):
+ query = {"module": "stix2_pattern_syntax_validator", "stix2-pattern": "[ipv4-addr:value = '8.8.8.8']"}
+ response = self.misp_modules_post(query)
+ self.assertEqual(self.get_values(response), 'Syntax valid')
+
+ def test_wikidata(self):
+ query = {"module": "wiki", "text": "Google"}
+ response = self.misp_modules_post(query)
+ self.assertEqual(self.get_values(response), 'http://www.wikidata.org/entity/Q95')
+
+ def test_yara_query(self):
+ query = {"module": "yara_query", "md5": "b2a5abfeef9e36964281a31e17b57c97"}
+ response = self.misp_modules_post(query)
+ self.assertEqual(self.get_values(response), 'import "hash"\r\nrule MD5 {\r\n\tcondition:\r\n\t\thash.md5(0, filesize) == "b2a5abfeef9e36964281a31e17b57c97"\r\n}')
+
+ def test_yara_validator(self):
+ query = {"module": "yara_syntax_validator", "yara": 'import "hash"\r\nrule MD5 {\r\n\tcondition:\r\n\t\thash.md5(0, filesize) == "b2a5abfeef9e36964281a31e17b57c97"\r\n}'}
+ response = self.misp_modules_post(query)
+ self.assertEqual(self.get_values(response), 'Syntax valid')
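Review bot: `test_stix2_pattern_validator` and `test_yara_validator` only check that valid input is accepted, so neither would catch a validator that answers `Syntax valid` unconditionally; each needs a rejecting case, and for YARA the one below is grounded in a real rule of the language (using `hash.md5` without `import "hash"` is a compile error). The YARA rule literal is repeated verbatim between `test_yara_query` and `test_yara_validator`; hoisting it to a class attribute, e.g. `yara_rule = 'import "hash"\r\nrule MD5 {...}'`, means the query test's expected output and the validator's input cannot drift apart. `test_wikidata` pins a live lookup (`Q95`); a short comment such as `# depends on the live Wikidata entity for "Google"` would tell the next person why it can fail without a code change.

```python
    def test_yara_validator_invalid(self):
        # Referencing hash.md5 without `import "hash"` is a YARA compile error, so the validator must reject it.
        query = {"module": "yara_syntax_validator", "yara": 'rule MD5 {\r\n\tcondition:\r\n\t\thash.md5(0, filesize) == "b2a5abfeef9e36964281a31e17b57c97"\r\n}'}
        response = self.misp_modules_post(query)
        self.assertNotEqual(self.get_values(response), 'Syntax valid')
```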