def test_default_intel_operation(self):
broker_intel_data = {
"indicator": "example.com",
"intel_type": "DOMAIN"
}
event = broker.zeek.Event("intel", self.ts, 0, broker_intel_data)
intel = map_to_internal(event, self.module_namespace)
self.assertEqual(intel.operation, Operation.ADD)
event = broker.zeek.Event("intel", self.ts, 0, broker_intel_data,
"INVALID")
intel = map_to_internal(event, self.module_namespace)
self.assertEqual(intel.operation, Operation.ADD)
def test_valid_zeek_sighting(self):
context = {"last_seen": 1234, "count": 13}
# without namespace:
event = broker.zeek.Event("sighting", self.ts, self.id, context)
sighting = map_to_internal(event, self.module_namespace)
self.assertEqual(type(sighting), Sighting)
self.assertEqual(sighting.ts, self.ts)
self.assertEqual(sighting.intel, self.id)
self.assertEqual(sighting.context, context)
# with namespace:
event = broker.zeek.Event(self.module_namespace + "::sighting",
self.ts, self.id, context)
sighting_ns = map_to_internal(event, self.module_namespace)
self.assertEqual(sighting, sighting_ns)
def test_invalid_intel_data_is_not_mapped(self):
event = broker.zeek.Event("intel", self.ts, 0)
intel = map_to_internal(event, self.module_namespace)
self.assertIsNone(intel)
event = broker.zeek.Event("intel", self.ts, 0, {})
intel = map_to_internal(event, self.module_namespace)
self.assertIsNone(intel)
event = broker.zeek.Event("intel", self.ts, 0,
{"indicator": "6.6.6.6"})
intel = map_to_internal(event, self.module_namespace)
self.assertIsNone(intel)
event = broker.zeek.Event("intel", self.ts, 0, {"intel_type": "ADDR"})
intel = map_to_internal(event, self.module_namespace)
self.assertIsNone(intel)
def test_valid_zeek_intel(self):
broker_intel_data = {"indicator": "6.6.6.6", "intel_type": "ADDR"}
expexted_intel_data = IntelData("6.6.6.6", IntelType.IPSRC)
op = Operation.REMOVE
# without namespace:
event = broker.zeek.Event("intel", self.ts, self.id, broker_intel_data,
op.value)
intel = map_to_internal(event, self.module_namespace)
self.assertEqual(type(intel), Intel)
self.assertEqual(intel.ts, self.ts)
self.assertEqual(intel.id, self.id)
self.assertEqual(intel.data, expexted_intel_data)
self.assertEqual(intel.operation, op)
# with namespace:
event = broker.zeek.Event(
self.module_namespace + "::intel",
self.ts,
self.id,
broker_intel_data,
op.value,
)
intel_ns = map_to_internal(event, self.module_namespace)
self.assertEqual(intel, intel_ns)
def test_invalid_zeek_inputs(self):
broker_data = broker.zeek.Event("Hello") # unknown event
self.assertIsNone(map_to_internal(broker_data, None))
self.assertIsNone(map_to_internal(broker_data, self.module_namespace))
self.assertIsNone(map_management_message(broker_data, None))
self.assertIsNone(
map_management_message(broker_data, self.module_namespace))
# not enough arguments provided
broker_data = broker.zeek.Event("sighting", 1, 2)
self.assertIsNone(map_to_internal(broker_data, None))
self.assertIsNone(map_to_internal(broker_data, self.module_namespace))
self.assertIsNone(map_management_message(broker_data, None))
self.assertIsNone(
map_management_message(broker_data, self.module_namespace))
broker_data = broker.zeek.Event("intel", 42, {})
self.assertIsNone(map_to_internal(broker_data, None))
self.assertIsNone(map_to_internal(broker_data, self.module_namespace))
self.assertIsNone(map_management_message(broker_data, None))
self.assertIsNone(
map_management_message(broker_data, self.module_namespace))
broker_data = broker.zeek.Event("subscribe", "topic")
self.assertIsNone(map_to_internal(broker_data, None))
self.assertIsNone(map_to_internal(broker_data, self.module_namespace))
self.assertIsNone(map_management_message(broker_data, None))
self.assertIsNone(
map_management_message(broker_data, self.module_namespace))
broker_data = broker.zeek.Event("unsubscribe")
self.assertIsNone(map_to_internal(broker_data, None))
self.assertIsNone(map_to_internal(broker_data, self.module_namespace))
self.assertIsNone(map_management_message(broker_data, None))
self.assertIsNone(
map_management_message(broker_data, self.module_namespace))
def listen(logger, module_namespace, ep, inq):
"""Binds a broker subscriber to the given endpoint. Forwards all received
intel and sightings to the inq.
@param logger A logging.logger object
@param module_namespace A Zeek namespace to accept events from
@param ep The broker endpoint used for listening
@param inq The queue to forward messages to
"""
sub = ep.make_subscriber(["threatbus/intel", "threatbus/sighting"])
while True:
ready = select.select([sub.fd()], [], [])
if not ready[0]:
logger.critical("Broker intel/sightings subscriber filedescriptor error.")
(topic, broker_data) = sub.get()
msg = map_to_internal(broker_data, module_namespace)
if msg:
inq.put(msg)