Example #1
0
    def from_dict(value: dict,
                  system: "ace.system.ACESystem") -> "AnalysisRequest":
        assert isinstance(value, dict)

        data = AnalysisRequestModel(**value)

        root = None
        if isinstance(data.root, RootAnalysisModel):
            root = RootAnalysis.from_dict(data.root.dict(), system=system)

        observable = None
        if data.observable:
            observable = Observable.from_dict(data.observable.dict(), root)
            observable = root.get_observable(observable)

        type = None
        if data.type:
            type = AnalysisModuleType.from_dict(data.type.dict())

        ar = AnalysisRequest(system, root, observable, type)
        ar.id = data.id
        # ar.dependency_analysis = json_data["dependency_analysis"]
        ar.status = data.status
        ar.owner = data.owner

        if data.original_root:
            ar.original_root = RootAnalysis.from_dict(
                data.original_root.dict(), system)

        if data.modified_root:
            ar.modified_root = RootAnalysis.from_dict(
                data.modified_root.dict(), system)

        return ar
Example #2
0
async def test_EVENT_CACHE_HIT(system):
    handler = TestEventHandler()
    await system.register_event_handler(EVENT_CACHE_HIT, handler)

    amt = AnalysisModuleType("test", "", cache_ttl=60)
    await system.register_analysis_module_type(amt)
    root = system.new_root()
    observable = root.add_observable("test", "test")
    root_request = root.create_analysis_request()
    await system.process_analysis_request(root_request)
    request = await system.get_next_analysis_request("owner", amt, 0)
    request.initialize_result()
    request.modified_observable.add_analysis(type=amt,
                                             details={"test": "test"})
    await system.process_analysis_request(request)
    assert handler.event is None

    root = system.new_root()
    observable = root.add_observable("test", "test")
    root_request = root.create_analysis_request()
    await system.process_analysis_request(root_request)

    await handler.wait()
    assert handler.event.name == EVENT_CACHE_HIT
    event_root = RootAnalysis.from_dict(handler.event.args[0], system)
    assert event_root.uuid == root.uuid and event_root.version is not None
    assert handler.event.args[1]["type"] == observable.type
    assert handler.event.args[1]["value"] == observable.value
    assert isinstance(AnalysisRequest.from_dict(handler.event.args[2], system),
                      AnalysisRequest)
Example #3
0
def test_observable_serialization():
    root = RootAnalysis()
    o_time = utc_now()
    target = root.add_observable("test", "other")
    o1 = root.add_observable(
        "test",
        "test",
        time=o_time,
        context="text context",
        directives=["directive1", "directive2"],
        limited_analysis=["limit1", "limit2"],
        excluded_analysis=["excluded1", "excluded2"],
        requested_analysis=["requested1", "requested2"],
    )

    o1.add_relationship("test", target)

    root = RootAnalysis.from_dict(root.to_model().dict())
    o2 = root.get_observable(o1)

    # should be two separate instances
    assert id(o1) != id(o2)

    assert o1.type == o2.type
    assert o1.value == o2.value
    assert o1.time == o2.time
    assert o1.context == o2.context
    assert o1.directives == o2.directives
    assert o1.limited_analysis == o2.limited_analysis
    assert o1.excluded_analysis == o2.excluded_analysis
    assert o1.requested_analysis == o2.requested_analysis
    assert o1.relationships == o2.relationships
Example #4
0
    async def get_root_analysis(self, uuid: str) -> Union[RootAnalysis, None]:
        assert isinstance(uuid, str)

        async with self.get_client() as client:
            response = await client.get(f"/analysis_tracking/root/{uuid}")

        if response.status_code == 404:
            return None

        _raise_exception_on_error(response)
        return RootAnalysis.from_dict(response.json())
Example #5
0
async def test_EVENT_ANALYSIS_ROOT_EXPIRED(system):
    handler = TestEventHandler()
    await system.register_event_handler(EVENT_ANALYSIS_ROOT_EXPIRED, handler)

    root = system.new_root(expires=True)
    await root.submit()

    await handler.wait()
    assert handler.event.name == EVENT_ANALYSIS_ROOT_EXPIRED
    event_root = RootAnalysis.from_dict(handler.event.args, system)
    assert event_root.uuid == root.uuid and event_root.version is not None
Example #6
0
def test_root_analysis_serialization():
    root = RootAnalysis(
        tool="test",
        tool_instance="test",
        alert_type="test",
        desc="test",
        event_time=datetime.datetime.now(),
        name="test",
        analysis_mode="test",
        queue="test",
        instructions="test",
    )

    amt = AnalysisModuleType("test", "")
    observable = root.add_observable("test", "test")
    analysis = observable.add_analysis(type=amt, details={"test": "test"})
    root.add_detection_point("test")

    new_root = RootAnalysis.from_dict(root.to_dict())
    assert root == new_root
    assert root.tool == new_root.tool
    assert root.tool_instance == new_root.tool
    assert root.alert_type == new_root.alert_type
    assert root.description == new_root.description
    assert root.event_time == new_root.event_time
    assert root.name == new_root.name
    assert root.analysis_mode == new_root.analysis_mode
    assert root.queue == new_root.queue
    assert root.instructions == new_root.instructions
    assert root.detections == new_root.detections

    # the observable property for the root should always be None
    assert root.observable is None
    assert len(root.observables) == 1

    new_root = RootAnalysis.from_json(root.to_json())
    assert root == new_root
    assert root.tool == new_root.tool
    assert root.tool_instance == new_root.tool
    assert root.alert_type == new_root.alert_type
    assert root.description == new_root.description
    assert root.event_time == new_root.event_time
    assert root.name == new_root.name
    assert root.analysis_mode == new_root.analysis_mode
    assert root.queue == new_root.queue
    assert root.instructions == new_root.instructions

    # the observable property for the root should always be None
    assert root.observable is None
    assert len(root.observables) == 1
Example #7
0
def test_analysis_eq():
    amt_1 = AnalysisModuleType("test1", "")
    amt_2 = AnalysisModuleType("test2", "")

    root = RootAnalysis()
    observable_1 = root.add_observable("test", "test")
    analysis_1 = observable_1.add_analysis(type=amt_1)
    analysis_2 = observable_1.add_analysis(type=amt_2)
    observable_2 = root.add_observable("test2", "test")
    analysis_3 = observable_2.add_analysis(type=amt_1)

    # different amt
    assert analysis_1 != analysis_2
    # different observable
    assert analysis_1 != analysis_3
    # wrong object type
    assert analysis_1 != object()

    root_1 = RootAnalysis.from_dict(root.to_dict())
    root_2 = RootAnalysis.from_dict(root.to_dict())

    # same amt and observable
    assert root_1.get_observable(observable_1).get_analysis(
        amt_1) == root_2.get_observable(observable_1).get_analysis(amt_1)
Example #8
0
async def test_EVENT_ANALYSIS_ROOT_MODIFIED(system):
    handler = TestEventHandler()
    await system.register_event_handler(EVENT_ANALYSIS_ROOT_MODIFIED, handler)
    root = system.new_root()
    await system.track_root_analysis(root)

    assert handler.event is None

    handler = TestEventHandler()
    await system.register_event_handler(EVENT_ANALYSIS_ROOT_MODIFIED, handler)
    # already tracked so should fire as modified
    await system.track_root_analysis(root)

    await handler.wait()
    assert handler.event.name == EVENT_ANALYSIS_ROOT_MODIFIED
    assert RootAnalysis.from_dict(handler.event.args, system) == root
Example #9
0
async def test_EVENT_ANALYSIS_DETAILS_NEW(system):
    handler = TestEventHandler()
    await system.register_event_handler(EVENT_ANALYSIS_DETAILS_NEW, handler)
    root = system.new_root(details={"test": "test"})
    await system.track_root_analysis(root)
    await system.track_analysis_details(root, root.uuid, await
                                        root.get_details())

    await handler.wait()
    assert handler.event.name == EVENT_ANALYSIS_DETAILS_NEW
    assert RootAnalysis.from_dict(handler.event.args[0], system) == root
    assert handler.event.args[1] == root.uuid

    handler = TestEventHandler()
    await system.register_event_handler(EVENT_ANALYSIS_DETAILS_NEW, handler)
    # already tracked
    await system.track_analysis_details(root, root.uuid, await
                                        root.get_details())

    assert handler.event is None