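def test_phishtank_urls():
    """Parse the local PhishTank fixture and check the URL indicators it yields.

    The HTTP client's cache is pointed at ``test/phishtank/feed.json`` before
    ``s.process`` is called, presumably so the run reads the checked-in copy
    of the feed rather than fetching it (TODO confirm against Client). Every
    yielded indicator must carry a sane ``reported_at``/``last_at``/``first_at``
    timestamp and at least one tag, and one known URL from the fixture must
    end up in the collected indicators.
    """
    indicators = set()

    from csirtg_fm.clients.http import Client
    cli = Client(rule, 'urls')
    # decode() is invoked for its effect only, as the sibling tests do: the
    # earlier version assigned its result to cli.cache and then immediately
    # overwrote it with the fixture path, so the returned value was dead.
    decode(cli.cache)
    cli.cache = 'test/phishtank/feed.json'

    parser_name = get_type(cli.cache)
    assert parser_name == 'json'

    for i in s.process(rule, 'urls', parser_name, cli):
        if not i:
            continue

        # A year above 1980 rejects zero/epoch-style timestamps that a
        # broken feed parser would otherwise pass through silently.
        assert parse_timestamp(i.reported_at).year > 1980
        assert parse_timestamp(i.last_at).year > 1980
        assert parse_timestamp(i.first_at).year > 1980

        # Fail with a clear message instead of an IndexError on tags[0].
        assert i.tags, 'indicator %s has no tags' % i.indicator

        indicators.add(i.indicator)

    assert 'http://charlesleonardconstruction.com/irs/confim/index.html' in \
           indicators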
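def test_malwaredomains_urlshorteners():
    """Parse the local malwaredomains registrars fixture and check its output.

    Despite the function name, this exercises the ``'registrars'`` feed: the
    client's cache is pointed at ``test/malwaredomains/bulk_registrars.txt``
    and ``s.process`` is run with ``limit=250``. Each yielded indicator must
    have a sane ``reported_at`` timestamp and at least one tag; the
    ``last_at``/``first_at`` checks are deliberately left disabled for this
    feed. Afterwards the ``registrar`` tag and the ``us.pn`` indicator must
    have been collected.
    """
    indicators = set()
    tags = set()

    from csirtg_fm.clients.http import Client
    cli = Client(rule, 'registrars')
    decode(cli.cache)
    cli.cache = 'test/malwaredomains/bulk_registrars.txt'

    parser_name = get_type(cli.cache)
    assert parser_name == 'pattern'

    for i in s.process(rule, 'registrars', parser_name, cli, limit=250):
        if not i:
            continue

        # A year above 1980 rejects zero/epoch-style timestamps that a
        # broken feed parser would otherwise pass through silently.
        assert parse_timestamp(i.reported_at).year > 1980
        # Disabled for this feed (kept for reference):
        # assert parse_timestamp(i.last_at).year > 1980
        # assert parse_timestamp(i.first_at).year > 1980

        # Fail with a clear message instead of an IndexError on tags[0].
        assert i.tags, 'indicator %s has no tags' % i.indicator

        indicators.add(i.indicator)
        tags.add(i.tags[0])

    assert 'registrar' in tags
    assert 'us.pn' in indicators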
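def test_malwaredomains_malware():
    """Parse the local malwaredomains domains fixture and check its output.

    The client's cache is pointed at ``test/malwaredomains/domains.txt`` (which
    ``get_type`` must classify as ``tsv``) and ``s.process`` is run for the
    ``'malware'`` feed with ``limit=250``. Each yielded indicator must have a
    sane ``reported_at`` timestamp and at least one tag; the
    ``last_at``/``first_at`` checks are deliberately left disabled for this
    feed. Afterwards the ``exploit`` tag and the ``002it.com`` indicator must
    have been collected.
    """
    indicators = set()
    tags = set()

    from csirtg_fm.clients.http import Client
    cli = Client(rule, 'malware')
    decode(cli.cache)
    cli.cache = 'test/malwaredomains/domains.txt'

    parser_name = get_type(cli.cache)
    assert parser_name == 'tsv'

    for i in s.process(rule, 'malware', parser_name, cli, limit=250):
        if not i:
            continue

        # A year above 1980 rejects zero/epoch-style timestamps that a
        # broken feed parser would otherwise pass through silently.
        assert parse_timestamp(i.reported_at).year > 1980
        # Disabled for this feed (kept for reference):
        # assert parse_timestamp(i.last_at).year > 1980
        # assert parse_timestamp(i.first_at).year > 1980

        # Fail with a clear message instead of an IndexError on tags[0].
        assert i.tags, 'indicator %s has no tags' % i.indicator

        indicators.add(i.indicator)
        tags.add(i.tags[0])

    assert 'exploit' in tags
    assert '002it.com' in indicators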