def test_surfcertids(self): """Objective: Testing if a basic event can be transmitted using hpfriends.""" config_file = tempfile.mkstemp()[1] with open(config_file, "w") as f: f.writelines(helpers.gen_config("")) try: attack_event = AttackEvent() request = ( "GET /pub/WWW/TheProject.html HTTP/1.1\r\n" "Host: www.evil.org\r\n" "Referer: http://www.honeynet.org\r\n" "User-Agent: Mozilla 5\r\n" "\r\n\r\n" "GET /beer\r\n" ) attack_event.http_request = HTTPHandler(request, "1.2.3.4") attack_event.source_addr = ("4.3.2.1", 41022) logSURFcertIDS = LogSURFcertIDS(None, config_file) logSURFcertIDS.connection = connectionMock() finally: if os.path.isfile(config_file): os.remove(config_file)
def test_stix_transform(self): """ Objective: Test if the expected XML is generated from a "unknown" attack event. """ test_event = AttackEvent() test_event.source_addr = ('1.2.3.4', 43811) http_request_content = """GET /test HTTP/1.0\r\nUser-Agent: test\r\n\r\n""" test_event.http_request = HTTPHandler(http_request_content, None, server_version="", sys_version="") stix_package_xml = self.stix_transformer.transform(test_event) (isvalid, validation_error, best_practice_warnings) = self.xml_validator.validate( StringIO(stix_package_xml.encode('utf-8'))) self.assertTrue( isvalid, 'Error while parsing STIX xml: {0}'.format(validation_error)) self.assertTrue( '<HTTPSessionObj:User_Agent>test</HTTPSessionObj:User_Agent>' in stix_package_xml) self.assertTrue( '<HTTPSessionObj:HTTP_Method datatype="string">GET</HTTPSessionObj:HTTP_Method>' in stix_package_xml) self.assertTrue('<HTTPSessionObj:Value>/test</HTTPSessionObj:Value>' in stix_package_xml) self.assertTrue( '<HTTPSessionObj:Version>HTTP/1.0</HTTPSessionObj:Version>' in stix_package_xml)
def test_stix_transform_invalid_header(self): """ Objective: Test if we can generate valid XML from a HTTP request with a invalid header item. """ test_event = AttackEvent() test_event.source_addr = ('1.2.3.4', 43811) http_request_content = """GET /test HTTP/1.0\r\nXUser-XAgent: test\r\n\r\n""" test_event.http_request = HTTPHandler(http_request_content, None, server_version="", sys_version="") stix_package_xml = self.stix_transformer.transform(test_event) (isvalid, validation_error, best_practice_warnings) = self.xml_validator.validate(StringIO(stix_package_xml.encode('utf-8'))) self.assertTrue(isvalid, 'Error while parsing STIX xml: {0}'.format(validation_error))
def test_taxii_connectivity_https(self): """ Objective: Test if we can send a message to mitre's test TAXII server using https. """ self.config.set('taxii', 'use_https', 'True') test_event = AttackEvent() test_event.source_addr = ('1.2.3.4', 43811) http_request_content = """GET /test HTTP/1.0\r\nUser-Agent: test\r\n\r\n""" test_event.http_request = HTTPHandler(http_request_content, None, server_version="", sys_version="") taxiiLogger = TaxiiLogger(self.tmpdir, self.config) taxii_result = taxiiLogger.insert(test_event) # TaxiiLogger returns false if the message could not be delivered self.assertTrue(taxii_result)
def test_stix_transform(self): """ Objective: Test if the expected XML is generated from a "unknown" attack event. """ test_event = AttackEvent() test_event.source_addr = ('1.2.3.4', 43811) http_request_content = """GET /test HTTP/1.0\r\nUser-Agent: test\r\n\r\n""" test_event.http_request = HTTPHandler(http_request_content, None, server_version="", sys_version="") stix_package_xml = self.stix_transformer.transform(test_event) (isvalid, validation_error, best_practice_warnings) = self.xml_validator.validate(StringIO(stix_package_xml.encode('utf-8'))) self.assertTrue(isvalid, 'Error while parsing STIX xml: {0}'.format(validation_error)) self.assertTrue('<HTTPSessionObj:User_Agent>test</HTTPSessionObj:User_Agent>' in stix_package_xml) self.assertTrue('<HTTPSessionObj:HTTP_Method datatype="string">GET</HTTPSessionObj:HTTP_Method>' in stix_package_xml) self.assertTrue('<HTTPSessionObj:Value>/test</HTTPSessionObj:Value>' in stix_package_xml) self.assertTrue('<HTTPSessionObj:Version>HTTP/1.0</HTTPSessionObj:Version>' in stix_package_xml)
def test_taxii_connectivity_https(self): """ Objective: Test if we can send a message to mitre's test TAXII server using https. """ self.config.set('taxii', 'use_https', 'True') config_file = tempfile.mkstemp()[1] with open(config_file, 'w') as f: self.config.write(f) test_event = AttackEvent() test_event.source_addr = ('1.2.3.4', 43811) http_request_content = """GET /test HTTP/1.0\r\nUser-Agent: test\r\n\r\n""" test_event.http_request = HTTPHandler(http_request_content, None, server_version="", sys_version="") taxiiLogger = TaxiiLogger(self.tmpdir, os.getcwd(), config_file) taxii_result = taxiiLogger.insert(test_event) # TaxiiLogger returns false if the message could not be delivered self.assertTrue(taxii_result) f.close() #clean the tempfile
def test_stix_transform_invalid_header(self): """ Objective: Test if we can generate valid XML from a HTTP request with a invalid header item. """ test_event = AttackEvent() test_event.source_addr = ('1.2.3.4', 43811) http_request_content = """GET /test HTTP/1.0\r\nXUser-XAgent: test\r\n\r\n""" test_event.http_request = HTTPHandler(http_request_content, None, server_version="", sys_version="") stix_package_xml = self.stix_transformer.transform(test_event) (isvalid, validation_error, best_practice_warnings) = self.xml_validator.validate( StringIO(stix_package_xml.encode('utf-8'))) self.assertTrue( isvalid, 'Error while parsing STIX xml: {0}'.format(validation_error))
def test_stix_transform_event_with_rfidata(self): """ Objective: Test if the expected XML is generated from a "unknown" attack event. """ rfi_data = """<?php echo "<script>alert("test");</script>";?>""" rfi_md5 = hashlib.md5(rfi_data).hexdigest() with open(os.path.join(self.files_dir, rfi_md5), 'w') as rfi_file: rfi_file.writelines(rfi_data) test_event = AttackEvent() test_event.source_addr = ('1.2.3.4', 43811) test_event.matched_pattern = 'rfi' test_event.file_name = rfi_md5 http_request_content = """GET /test HTTP/1.0\r\nUser-Agent: test\r\n\r\n""" test_event.http_request = HTTPHandler(http_request_content, None, server_version="", sys_version="") stix_package_xml = self.stix_transformer.transform(test_event) (isvalid, validation_error, best_practice_warnings) = self.xml_validator.validate( StringIO(stix_package_xml.encode('utf-8'))) self.assertTrue( isvalid, 'Error while parsing STIX xml: {0}'.format(validation_error)) self.assertTrue( '<cyboxCommon:Simple_Hash_Value>0e209064ee6949f6e57b3d77d5b1f92c</cyboxCommon:Simple_Hash_Value>' in stix_package_xml) self.assertTrue( '<cyboxCommon:Simple_Hash_Value>11a2a92d391f10821dbb90f1f7e6ae0f2374231e0ccd611665c95d6d7a3bb43c</cyboxCommon:Simple_Hash_Value>' in stix_package_xml) self.assertTrue( '<ArtifactObj:Raw_Artifact datatype="string"><![CDATA[PD9waHAgZWNobyAiPHNjcmlwdD5hbGVydCgidGVzdCIpOzwvc2NyaXB0PiI7Pz4=]]></ArtifactObj:Raw_Artifact>' in stix_package_xml)
def test_stix_transform_event_with_rfidata(self): """ Objective: Test if the expected XML is generated from a "unknown" attack event. """ rfi_data = """<?php echo "<script>alert("test");</script>";?>""" rfi_md5 = hashlib.md5(rfi_data).hexdigest() with open(os.path.join(self.files_dir, rfi_md5), 'w') as rfi_file: rfi_file.writelines(rfi_data) test_event = AttackEvent() test_event.source_addr = ('1.2.3.4', 43811) test_event.matched_pattern = 'rfi' test_event.file_name = rfi_md5 http_request_content = """GET /test HTTP/1.0\r\nUser-Agent: test\r\n\r\n""" test_event.http_request = HTTPHandler(http_request_content, None, server_version="", sys_version="") stix_package_xml = self.stix_transformer.transform(test_event) (isvalid, validation_error, best_practice_warnings) = self.xml_validator.validate(StringIO(stix_package_xml.encode('utf-8'))) self.assertTrue(isvalid, 'Error while parsing STIX xml: {0}'.format(validation_error)) self.assertTrue('<cyboxCommon:Simple_Hash_Value>0e209064ee6949f6e57b3d77d5b1f92c</cyboxCommon:Simple_Hash_Value>' in stix_package_xml) self.assertTrue('<cyboxCommon:Simple_Hash_Value>11a2a92d391f10821dbb90f1f7e6ae0f2374231e0ccd611665c95d6d7a3bb43c</cyboxCommon:Simple_Hash_Value>' in stix_package_xml) self.assertTrue('<ArtifactObj:Raw_Artifact datatype="string"><![CDATA[PD9waHAgZWNobyAiPHNjcmlwdD5hbGVydCgidGVzdCIpOzwvc2NyaXB0PiI7Pz4=]]></ArtifactObj:Raw_Artifact>' in stix_package_xml)
def test_surfcertids(self): """Objective: Testing if a basic event can be transmitted using hpfriends.""" config_file = tempfile.mkstemp()[1] with open(config_file, 'w') as f: f.writelines(helpers.gen_config('')) try: attack_event = AttackEvent() request = "GET /pub/WWW/TheProject.html HTTP/1.1\r\n" \ "Host: www.evil.org\r\n" \ "Referer: http://www.honeynet.org\r\n" \ "User-Agent: Mozilla 5\r\n" \ "\r\n\r\n" \ "GET /beer\r\n" attack_event.http_request = HTTPHandler(request, "1.2.3.4") attack_event.source_addr = ('4.3.2.1', 41022) logSURFcertIDS = LogSURFcertIDS(None, os.getcwd(), config_file) logSURFcertIDS.connection = connectionMock() finally: if os.path.isfile(config_file): os.remove(config_file)