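    def test_surfcertids(self):
        """Objective: Testing if a basic event can be transmitted using hpfriends.

        Writes a minimal config file, builds an AttackEvent carrying a
        two-request HTTP payload and wires a LogSURFcertIDS logger to a mock
        connection object. The temporary config file is always removed.

        NOTE(review): the body never hands ``attack_event`` to the logger and
        makes no assertion, so it only exercises construction — confirm whether
        an insert/assert step was intended.
        """
        # mkstemp() returns an open descriptor alongside the path; wrap the
        # descriptor in a file object so it is closed instead of leaked.
        fd, config_file = tempfile.mkstemp()
        with os.fdopen(fd, "w") as f:
            f.writelines(helpers.gen_config(""))

        try:
            attack_event = AttackEvent()
            # Two requests back to back: a GET with headers, then a bare
            # request line after the header terminator.
            request = (
                "GET /pub/WWW/TheProject.html HTTP/1.1\r\n"
                "Host: www.evil.org\r\n"
                "Referer: http://www.honeynet.org\r\n"
                "User-Agent:  Mozilla 5\r\n"
                "\r\n\r\n"
                "GET /beer\r\n"
            )

            attack_event.http_request = HTTPHandler(request, "1.2.3.4")
            attack_event.source_addr = ("4.3.2.1", 41022)
            logSURFcertIDS = LogSURFcertIDS(None, config_file)
            # Presumably a stand-in so no real connection is opened by the test.
            logSURFcertIDS.connection = connectionMock()
        finally:
            if os.path.isfile(config_file):
                os.remove(config_file)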
    def test_stix_transform(self):
        """Objective: Test if the expected XML is generated from a "unknown" attack event.

        An AttackEvent with only a source address and a minimal HTTP/1.0 GET
        is run through the STIX transformer. The output must pass the schema
        validator and must contain the request's User-Agent, method, URI and
        version as HTTPSessionObj elements.
        """
        event = AttackEvent()
        event.source_addr = ('1.2.3.4', 43811)
        raw_request = """GET /test HTTP/1.0\r\nUser-Agent: test\r\n\r\n"""
        event.http_request = HTTPHandler(raw_request, None,
                                         server_version="", sys_version="")

        xml = self.stix_transformer.transform(event)

        # Schema-validate first so a malformed document fails with the
        # validator's message rather than a bare substring mismatch.
        isvalid, validation_error, _warnings = self.xml_validator.validate(
            StringIO(xml.encode('utf-8')))
        self.assertTrue(
            isvalid,
            'Error while parsing STIX xml: {0}'.format(validation_error))

        expected_fragments = (
            '<HTTPSessionObj:User_Agent>test</HTTPSessionObj:User_Agent>',
            '<HTTPSessionObj:HTTP_Method datatype="string">GET</HTTPSessionObj:HTTP_Method>',
            '<HTTPSessionObj:Value>/test</HTTPSessionObj:Value>',
            '<HTTPSessionObj:Version>HTTP/1.0</HTTPSessionObj:Version>',
        )
        for fragment in expected_fragments:
            self.assertTrue(fragment in xml)
    def test_stix_transform_invalid_header(self):
        """Objective: Test if we can generate valid XML from a HTTP request with a invalid header item.

        The request carries a header name (``XUser-XAgent``) the transformer
        is not expected to recognise; the only requirement is that the
        resulting STIX document still validates.
        """
        event = AttackEvent()
        event.source_addr = ('1.2.3.4', 43811)
        raw_request = """GET /test HTTP/1.0\r\nXUser-XAgent: test\r\n\r\n"""
        event.http_request = HTTPHandler(raw_request, None,
                                         server_version="", sys_version="")

        xml = self.stix_transformer.transform(event)

        isvalid, validation_error, _warnings = self.xml_validator.validate(
            StringIO(xml.encode('utf-8')))
        self.assertTrue(
            isvalid,
            'Error while parsing STIX xml: {0}'.format(validation_error))
    def test_taxii_connectivity_https(self):
        """Objective: Test if we can send a message to mitre's test TAXII server using https.

        Switches the shared config to ``use_https`` and pushes a minimal event
        through TaxiiLogger.insert(), whose result is false when delivery
        failed. This is a network test and needs reachability to the TAXII
        server named in the config.

        NOTE(review): the ``use_https`` change is made on ``self.config`` and is
        not reverted here — confirm setUp rebuilds the config per test.
        """
        self.config.set('taxii', 'use_https', 'True')

        event = AttackEvent()
        event.source_addr = ('1.2.3.4', 43811)
        event.http_request = HTTPHandler(
            """GET /test HTTP/1.0\r\nUser-Agent: test\r\n\r\n""",
            None, server_version="", sys_version="")

        taxii_logger = TaxiiLogger(self.tmpdir, self.config)
        # insert() evaluates false when the message could not be delivered.
        delivered = taxii_logger.insert(event)
        self.assertTrue(delivered)
    def test_stix_transform(self):
        """Objective: Test if the expected XML is generated from a "unknown" attack event.

        Runs a bare AttackEvent (source address plus a minimal HTTP/1.0 GET)
        through the STIX transformer and checks that the document validates
        and carries User-Agent, method, URI and version as HTTPSessionObj
        elements.
        """
        event = AttackEvent()
        event.source_addr = ('1.2.3.4', 43811)
        raw_request = """GET /test HTTP/1.0\r\nUser-Agent: test\r\n\r\n"""
        event.http_request = HTTPHandler(raw_request, None,
                                         server_version="", sys_version="")

        xml = self.stix_transformer.transform(event)

        # Validate before inspecting content so schema errors surface first.
        isvalid, validation_error, _warnings = self.xml_validator.validate(
            StringIO(xml.encode('utf-8')))
        self.assertTrue(
            isvalid,
            'Error while parsing STIX xml: {0}'.format(validation_error))

        expected_fragments = (
            '<HTTPSessionObj:User_Agent>test</HTTPSessionObj:User_Agent>',
            '<HTTPSessionObj:HTTP_Method datatype="string">GET</HTTPSessionObj:HTTP_Method>',
            '<HTTPSessionObj:Value>/test</HTTPSessionObj:Value>',
            '<HTTPSessionObj:Version>HTTP/1.0</HTTPSessionObj:Version>',
        )
        for fragment in expected_fragments:
            self.assertTrue(fragment in xml)
    def test_taxii_connectivity_https(self):
        """Objective: Test if we can send a message to mitre's test TAXII server using https.

        Enables ``use_https`` on the shared config, then sends one minimal
        event via TaxiiLogger.insert(); a false result means the message was
        not delivered. Needs network access to the configured TAXII server.

        NOTE(review): ``self.config`` is mutated and not restored here —
        confirm setUp recreates it for each test.
        """
        self.config.set('taxii', 'use_https', 'True')

        event = AttackEvent()
        event.source_addr = ('1.2.3.4', 43811)
        event.http_request = HTTPHandler(
            """GET /test HTTP/1.0\r\nUser-Agent: test\r\n\r\n""",
            None, server_version="", sys_version="")

        taxii_logger = TaxiiLogger(self.tmpdir, self.config)
        # insert() evaluates false when the message could not be delivered.
        delivered = taxii_logger.insert(event)
        self.assertTrue(delivered)
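    def test_taxii_connectivity_https(self):
        """Objective: Test if we can send a message to mitre's test TAXII server using https.

        Enables ``use_https`` on the shared config, writes that config to a
        temporary file for TaxiiLogger to read, and sends one minimal event;
        insert() returns false when the message could not be delivered. This
        is a network test against the TAXII server named in the config.

        The temporary config file is removed on exit, success or failure.
        """
        self.config.set('taxii', 'use_https', 'True')
        # mkstemp() also hands back an open descriptor; wrap it so it is closed
        # rather than leaked. The path is cleaned up in the finally block —
        # closing the file object alone never removes it.
        fd, config_file = tempfile.mkstemp()
        try:
            with os.fdopen(fd, 'w') as f:
                self.config.write(f)

            test_event = AttackEvent()
            test_event.source_addr = ('1.2.3.4', 43811)
            http_request_content = """GET /test HTTP/1.0\r\nUser-Agent: test\r\n\r\n"""
            test_event.http_request = HTTPHandler(http_request_content, None,
                                                  server_version="", sys_version="")

            taxiiLogger = TaxiiLogger(self.tmpdir, os.getcwd(), config_file)
            taxii_result = taxiiLogger.insert(test_event)
            # TaxiiLogger returns false if the message could not be delivered
            self.assertTrue(taxii_result)
        finally:
            if os.path.isfile(config_file):
                os.remove(config_file)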
    def test_stix_transform_invalid_header(self):
        """Objective: Test if we can generate valid XML from a HTTP request with a invalid header item.

        The request's only header, ``XUser-XAgent``, is not a name the
        transformer is expected to map; the document it produces must
        nevertheless pass schema validation.
        """
        event = AttackEvent()
        event.source_addr = ('1.2.3.4', 43811)
        raw_request = """GET /test HTTP/1.0\r\nXUser-XAgent: test\r\n\r\n"""
        event.http_request = HTTPHandler(raw_request, None,
                                         server_version="", sys_version="")

        xml = self.stix_transformer.transform(event)

        isvalid, validation_error, _warnings = self.xml_validator.validate(
            StringIO(xml.encode('utf-8')))
        self.assertTrue(
            isvalid,
            'Error while parsing STIX xml: {0}'.format(validation_error))
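    def test_taxii_connectivity_https(self):
        """Objective: Test if we can send a message to mitre's test TAXII server using https.

        Enables ``use_https`` on the shared config, persists the config to a
        temporary file for TaxiiLogger, and sends one minimal event; insert()
        returns false when delivery failed. Network access to the configured
        TAXII server is required.

        The temporary config file is removed whether or not the test passes.
        """
        self.config.set('taxii', 'use_https', 'True')
        # mkstemp() returns an open descriptor with the path; wrap it so the
        # descriptor is closed, and delete the file in the finally block —
        # closing the handle on its own leaves the file behind.
        fd, config_file = tempfile.mkstemp()
        try:
            with os.fdopen(fd, 'w') as f:
                self.config.write(f)

            test_event = AttackEvent()
            test_event.source_addr = ('1.2.3.4', 43811)
            http_request_content = """GET /test HTTP/1.0\r\nUser-Agent: test\r\n\r\n"""
            test_event.http_request = HTTPHandler(http_request_content,
                                                  None,
                                                  server_version="",
                                                  sys_version="")

            taxiiLogger = TaxiiLogger(self.tmpdir, os.getcwd(), config_file)
            taxii_result = taxiiLogger.insert(test_event)
            # TaxiiLogger returns false if the message could not be delivered
            self.assertTrue(taxii_result)
        finally:
            if os.path.isfile(config_file):
                os.remove(config_file)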
    def test_stix_transform_event_with_rfidata(self):
        """Objective: Test if the expected XML is generated from an 'rfi' attack event with a stored payload.

        A small PHP payload is written to ``files_dir`` under its MD5 name and
        referenced from the event via ``file_name`` with ``matched_pattern``
        set to 'rfi'. The transformer output must validate and must embed the
        payload's MD5 and SHA-256 hashes plus its base64-encoded body as a
        Raw_Artifact.

        NOTE(review): ``hashlib.md5()`` is fed a ``str`` directly, which only
        works on Python 2 — the file appears to target Python 2.
        """
        payload = """<?php echo "<script>alert("test");</script>";?>"""
        payload_md5 = hashlib.md5(payload).hexdigest()
        payload_path = os.path.join(self.files_dir, payload_md5)
        with open(payload_path, 'w') as payload_file:
            payload_file.write(payload)

        event = AttackEvent()
        event.source_addr = ('1.2.3.4', 43811)
        event.matched_pattern = 'rfi'
        event.file_name = payload_md5
        raw_request = """GET /test HTTP/1.0\r\nUser-Agent: test\r\n\r\n"""
        event.http_request = HTTPHandler(raw_request, None,
                                         server_version="", sys_version="")

        xml = self.stix_transformer.transform(event)

        isvalid, validation_error, _warnings = self.xml_validator.validate(
            StringIO(xml.encode('utf-8')))
        self.assertTrue(
            isvalid,
            'Error while parsing STIX xml: {0}'.format(validation_error))

        # Expected MD5, SHA-256 and base64 body of the payload above.
        expected_fragments = (
            '<cyboxCommon:Simple_Hash_Value>0e209064ee6949f6e57b3d77d5b1f92c</cyboxCommon:Simple_Hash_Value>',
            '<cyboxCommon:Simple_Hash_Value>11a2a92d391f10821dbb90f1f7e6ae0f2374231e0ccd611665c95d6d7a3bb43c</cyboxCommon:Simple_Hash_Value>',
            '<ArtifactObj:Raw_Artifact datatype="string"><![CDATA[PD9waHAgZWNobyAiPHNjcmlwdD5hbGVydCgidGVzdCIpOzwvc2NyaXB0PiI7Pz4=]]></ArtifactObj:Raw_Artifact>',
        )
        for fragment in expected_fragments:
            self.assertTrue(fragment in xml)
    def test_stix_transform_event_with_rfidata(self):
        """Objective: Test if the expected XML is generated from an 'rfi' attack event with a stored payload.

        Writes a small PHP payload into ``files_dir`` named by its MD5 and
        points the event at it (``matched_pattern`` 'rfi', ``file_name`` set
        to the hash). The STIX output must validate and must carry the
        payload's MD5, SHA-256 and base64 body as a Raw_Artifact.

        NOTE(review): ``hashlib.md5()`` receives a ``str``, which only works on
        Python 2 — the file appears to target Python 2.
        """
        payload = """<?php echo "<script>alert("test");</script>";?>"""
        payload_md5 = hashlib.md5(payload).hexdigest()
        payload_path = os.path.join(self.files_dir, payload_md5)
        with open(payload_path, 'w') as payload_file:
            payload_file.write(payload)

        event = AttackEvent()
        event.source_addr = ('1.2.3.4', 43811)
        event.matched_pattern = 'rfi'
        event.file_name = payload_md5
        raw_request = """GET /test HTTP/1.0\r\nUser-Agent: test\r\n\r\n"""
        event.http_request = HTTPHandler(raw_request, None,
                                         server_version="", sys_version="")

        xml = self.stix_transformer.transform(event)

        isvalid, validation_error, _warnings = self.xml_validator.validate(
            StringIO(xml.encode('utf-8')))
        self.assertTrue(
            isvalid,
            'Error while parsing STIX xml: {0}'.format(validation_error))

        # Expected MD5, SHA-256 and base64 body of the payload above.
        expected_fragments = (
            '<cyboxCommon:Simple_Hash_Value>0e209064ee6949f6e57b3d77d5b1f92c</cyboxCommon:Simple_Hash_Value>',
            '<cyboxCommon:Simple_Hash_Value>11a2a92d391f10821dbb90f1f7e6ae0f2374231e0ccd611665c95d6d7a3bb43c</cyboxCommon:Simple_Hash_Value>',
            '<ArtifactObj:Raw_Artifact datatype="string"><![CDATA[PD9waHAgZWNobyAiPHNjcmlwdD5hbGVydCgidGVzdCIpOzwvc2NyaXB0PiI7Pz4=]]></ArtifactObj:Raw_Artifact>',
        )
        for fragment in expected_fragments:
            self.assertTrue(fragment in xml)
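    def test_surfcertids(self):
        """Objective: Testing if a basic event can be transmitted using hpfriends.

        Writes a minimal config file, builds an AttackEvent carrying a
        two-request HTTP payload and wires a LogSURFcertIDS logger to a mock
        connection object. The temporary config file is always removed.

        NOTE(review): ``attack_event`` is never passed to the logger and no
        assertion is made, so only construction is exercised — confirm whether
        an insert/assert step was intended.
        """
        # mkstemp() returns an open descriptor alongside the path; wrap the
        # descriptor in a file object so it is closed instead of leaked.
        fd, config_file = tempfile.mkstemp()
        with os.fdopen(fd, 'w') as f:
            f.writelines(helpers.gen_config(''))

        try:
            attack_event = AttackEvent()
            # Two requests back to back: a GET with headers, then a bare
            # request line after the header terminator.
            request = (
                "GET /pub/WWW/TheProject.html HTTP/1.1\r\n"
                "Host: www.evil.org\r\n"
                "Referer: http://www.honeynet.org\r\n"
                "User-Agent:  Mozilla 5\r\n"
                "\r\n\r\n"
                "GET /beer\r\n"
            )

            attack_event.http_request = HTTPHandler(request, "1.2.3.4")
            attack_event.source_addr = ('4.3.2.1', 41022)
            logSURFcertIDS = LogSURFcertIDS(None, os.getcwd(), config_file)
            # Presumably a stand-in so no real connection is opened by the test.
            logSURFcertIDS.connection = connectionMock()
        finally:
            if os.path.isfile(config_file):
                os.remove(config_file)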