def test_phishtank_urls():
    """Run the local PhishTank JSON fixture through the 'urls' feed and check one known URL.

    Every indicator produced must carry three parseable timestamps
    (reported_at, last_at, first_at) with a plausible year.
    """
    from csirtg_fm.clients.http import Client

    seen_urls = set()
    seen_tags = set()

    cli = Client(rule, 'urls')
    # The decode() result is overwritten by the fixture path on the next
    # line; it is kept because any side effect decode() has on the client
    # is not visible from this test.
    cli.cache = decode(cli.cache)
    cli.cache = 'test/phishtank/feed.json'

    parser_name = get_type(cli.cache)
    assert parser_name == 'json'

    for item in s.process(rule, 'urls', parser_name, cli):
        if not item:
            continue
        # all three timestamps must parse to a post-epoch year
        for stamp in (item.reported_at, item.last_at, item.first_at):
            assert parse_timestamp(stamp).year > 1980
        seen_urls.add(item.indicator)
        seen_tags.add(item.tags[0])

    # seen_tags is collected but not asserted on in this test
    assert 'http://charlesleonardconstruction.com/irs/confim/index.html' in seen_urls
def test_malwaredomains_urlshorteners():
    """Run the local malwaredomains registrar fixture through the 'pattern' parser.

    NOTE(review): the name says "urlshorteners" but the feed under test is
    'registrars' and the fixture is bulk_registrars.txt.
    """
    from csirtg_fm.clients.http import Client

    cli = Client(rule, 'registrars')
    cli._cache_decode()
    cli.cache = 'test/malwaredomains/bulk_registrars.txt'

    parser_name = get_type(cli.cache)
    assert parser_name == 'pattern'

    found_indicators = set()
    found_tags = set()
    # limit=250 presumably caps how many records are processed — confirm
    # against FM.process
    for item in s.process(rule, 'registrars', parser_name, cli, limit=250):
        if not item:
            continue
        assert parse_timestamp(item.reported_at).year > 1980
        # last_at / first_at checks are intentionally not performed here
        found_indicators.add(item.indicator)
        found_tags.add(item.tags[0])

    assert 'registrar' in found_tags
    assert 'us.pn' in found_indicators
def test_malwaredomains_botnet():
    """Run the local malwaredomains domain fixture through the 'tsv' parser.

    Checks that a known domain is emitted, that it is tagged 'botnet', and
    that no 'attack_page' tag leaks in from the fixture.
    """
    from csirtg_fm.clients.http import Client

    cli = Client(rule, 'botnet')
    cli._cache_decode()
    cli.cache = 'test/malwaredomains/domains.txt'

    parser_name = get_type(cli.cache)
    assert parser_name == 'tsv'

    domains = set()
    tag_names = set()
    # limit=250 presumably caps how many records are processed — confirm
    # against FM.process
    for item in s.process(rule, 'botnet', parser_name, cli, limit=250):
        if not item:
            continue
        assert parse_timestamp(item.reported_at).year > 1980
        # last_at / first_at checks are intentionally not performed here
        domains.add(item.indicator)
        tag_names.add(item.tags[0])

    assert 'botnet' in tag_names
    assert 'attack_page' not in tag_names
    assert '9virgins.com' in domains
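def test_csirtg_darknet():
    """Load the csirtgadgets/darknet rule, point it at a local fixture and check one IP and tag.

    Unlike the other tests in this file, Client is used from module scope
    rather than imported locally, and a fresh FM instance is built instead
    of reusing the module-level one.
    """
    feed = 'csirtgadgets/darknet'
    r, f = next(load_rules(rule, feed))
    # replace the feed's remote with the local fixture; presumably this makes
    # the client read the file instead of fetching — confirm in Client
    r.feeds[feed]['remote'] = 'test/csirtg/feed.txt'
    cli = Client(r, f)
    # named fm rather than s so it does not shadow the module-level s
    fm = FM(client='stdout')

    parser_name = get_type(cli.cache)
    # materialise once; the original converted the list to a list a second time
    results = list(fm.process(r, f, parser_name, cli))
    assert results

    ips = {item.indicator for item in results}
    tags = {item.tags[0] for item in results}
    assert '109.111.134.64' in ips
    assert 'scanner' in tags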
def test_malc0de_malware():
    """Parse the malc0de 'malware' feed with the RSS parser and check a known hash is present."""
    from csirtg_fm.clients.http import Client

    cli = Client(rule, 'malware')
    # NOTE(review): cli.cache is not pointed at a local fixture here, so the
    # input is whatever the client resolves for the rule — confirm whether
    # this test depends on a live fetch.
    parser_name = get_type(cli.cache)
    assert parser_name == 'rss'

    hashes = {
        item.indicator
        for item in s.process(rule, 'malware', parser_name, cli, indicators=[])
        if item
    }
    pprint(hashes)  # debug output kept from the original
    assert '71941a88f8c895e405dd5cf665f1ef0c' in hashes
def test_openphish():
    """Parse the openphish 'urls' feed with the CSV parser and check at least one indicator is produced."""
    from csirtg_fm.clients.http import Client

    cli = Client(rule, 'urls')
    # NOTE(review): cli.cache is not pointed at a local fixture here — confirm
    # whether this test depends on a live fetch.
    parser_name = get_type(cli.cache)
    assert parser_name == 'csv'

    collected = [
        item
        for item in s.process(rule, 'urls', parser_name, cli, limit=25, indicators=[])
        if item
    ]
    assert collected
    # only the first record's indicator length is checked
    assert len(collected[0].indicator) > 4
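def test_malc0de_urls():
    """Parse the malc0de 'urls' feed with the RSS parser and check a known URL is present.

    The sample-length check reads an arbitrary element without removing it:
    set.pop() could have discarded exactly the URL that the final membership
    assert looks for, so the original was order-dependent under hash
    randomisation.
    """
    from csirtg_fm.clients.http import Client

    cli = Client(rule, 'urls')
    # NOTE(review): cli.cache is not pointed at a local fixture here — confirm
    # whether this test depends on a live fetch.
    parser_name = get_type(cli.cache)
    assert parser_name == 'rss'

    urls = {
        item.indicator
        for item in s.process(rule, 'urls', parser_name, cli, indicators=[])
        if item
    }
    pprint(urls)  # debug output kept from the original
    assert urls
    # peek, don't pop: keep the set intact for the membership check below
    assert len(next(iter(urls))) > 4
    assert 'http://url.goosai.com/down/ufffdufffd?ufffdufffdufffd?ufffdufffdbreakprisonsearchv2.7u03afu06f0ufffdufffdufffdufffdufffdufffdat25_35027.exe' in urls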
def test_abuse_ch_urlhaus():
    """Parse the abuse.ch URLhaus feed with the CSV parser and check two known URLs and the 'exploit' tag."""
    from csirtg_fm.clients.http import Client

    cli = Client(rule, 'urlhaus')
    # NOTE(review): cli.cache is not pointed at a local fixture here — confirm
    # whether this test depends on a live fetch.
    parser_name = get_type(cli.cache)
    assert parser_name == 'csv'

    urls = set()
    tag_names = set()
    # limit=250 presumably caps how many records are processed — confirm
    # against FM.process
    for item in s.process(rule, 'urlhaus', parser_name, cli, limit=250):
        if not item:
            continue
        urls.add(item.indicator)
        tag_names.add(item.tags[0])

    expected_urls = (
        'http://business.imuta.ng/default/us/summit-companies-invoice-12648214',
        'http://mshcoop.com/download/en/scan',
    )
    for url in expected_urls:
        assert url in urls
    assert 'exploit' in tag_names