    def test_filter_iocs(self):
        """Filtering with the default configuration keeps cases 1, 4, 6 and 8.

        The IoC fixtures come from ``test_filter_data``; the filtered output
        is written to an in-memory stream and decoded back into the list of
        case identifiers by ``filter_result_cases``.
        """
        filter_config = default_configuration()['filter']
        output = io.StringIO()

        filter_iocs(test_filter_data['iocs'], filter_config, output)

        kept_cases = filter_result_cases(output)
        self.assertEqual([1, 4, 6, 8], kept_cases)
    def test_default(self):
        """The defaults are derived from the (constructor, default) pairs in CONFIG_SCHEMA.

        Only the two positions the code under test relies on are read from
        each schema entry: index 0 (a callable building the typed value) and
        index 1 (the raw default).
        """
        defaults = default_configuration()

        # The filter value must be the *constructed* form of the raw default.
        dom_confidence_entry = CONFIG_SCHEMA['filter']['dom_confidence']
        build, raw_default = dom_confidence_entry[0], dom_confidence_entry[1]
        self.assertEqual(build(raw_default), defaults['filter']['dom_confidence'])

        # The TIE feed API default is taken over verbatim.
        feed_api_default = CONFIG_SCHEMA['tie']['feed_api'][1]
        self.assertEqual(feed_api_default, defaults['tie']['feed_api'])
    def test_filter_iocs_with_non_malicious_domain_name(self):
        """Relaxing dom_severity to Range(0) additionally lets case 5.1 through.

        Compared with the default configuration the only difference in the
        expected output is case 5.1 — the non-malicious domain name from the
        fixtures — which the default severity setting drops.
        """
        config = default_configuration()
        # Range(0) relaxes the domain severity filter (presumably a floor of
        # 0); the non-malicious domain then shows up in the result as well.
        config['filter']['dom_severity'] = Range(0)

        sink = io.StringIO()
        filter_iocs(test_filter_data['iocs'], config['filter'], sink)

        expected_cases = [1, 4, 5.1, 6, 8]
        self.assertEqual(expected_cases, filter_result_cases(sink))
    def test_wrong_value_severity(self):
        """A malformed range string for url_severity is rejected with TIEConfigError.

        The error message must echo the offending value so an operator can
        locate it in the Splunk setup stanza.
        """
        bad_value = '3-foobar'
        config = default_configuration()
        config['filter']['url_severity'] = bad_value

        with self.assertRaises(TIEConfigError) as caught:
            normalize_configuration(config)

        expected_message = "range string not valid; was " + bad_value
        self.assertEqual(expected_message, str(caught.exception))
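    def test_normalize(self):
        """normalize_configuration turns a raw url_severity string into a SeverityRange.

        The expected value is built from the raw string captured *before*
        normalisation, so the assertion does not depend on whether
        ``normalize_configuration`` mutates its argument in place or returns
        a fresh mapping.  A setting that is not touched (``tie.feed_api``)
        must still carry its schema default afterwards.
        """
        raw_severity = '3'
        have = default_configuration()
        have['filter']['url_severity'] = raw_severity

        res = normalize_configuration(have)
        self.assertIsInstance(res['filter']['url_severity'], SeverityRange)

        # CONFIG_SCHEMA entries are (constructor, default); apply the
        # constructor to the original raw string rather than to
        # have['filter']['url_severity'], which may already hold the
        # normalised object if normalize_configuration works in place.
        exp = CONFIG_SCHEMA['filter']['url_severity'][0](raw_severity)
        self.assertEqual(exp,
                         res['filter']['url_severity'],
                         msg="Range {} != Range {}".format(
                             exp, res['filter']['url_severity']))

        self.assertEqual(CONFIG_SCHEMA['tie']['feed_api'][1],
                         res['tie']['feed_api'])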
try:
    import dcsotie
except ImportError:
    # Fallback for running straight from the app directory (no installed
    # dcsotie): put the bundled ../lib first on sys.path so the vendored
    # copy is presumably picked up. NOTE(review): inserting at position 0
    # makes that directory shadow every other installed package, so its
    # contents must be trusted to the same degree as the app itself.
    sys.path.insert(0, os.path.join(os.path.dirname(__file__), "..", "lib"))

from dcsotie.errors import TIEError, TIEConfigError
from dcsotie.fetchers import IoCFetcher
from dcsotiesplunk.config import normalize_configuration, default_configuration
from dcsotiesplunk.logger import get_logger
from dcsotiesplunk.filtering import filter_iocs

# Child logger so messages from this script can be told apart from the rest
# of the dcsotiesplunk app.
logger = get_logger().getChild('tie2index')

# Look-back window for the very first run (presumably when no previous
# checkpoint exists yet — confirm against the fetch code further down).
FIRST_RUN_TIMEDELTA: datetime.timedelta = datetime.timedelta(days=30)
TIMEOUT = (3, 120)  # (connection timeout, read timeout) in seconds (can be float)
# Effective configuration: starts from the schema defaults and is then
# overlaid with the values read from the Splunk 'dcso_tie_setup' stanzas
# below, so values in here are raw strings until normalised.
SETUP = default_configuration()

try:
    # this will only work when application is run within Splunk
    from splunk.clilib import cli_common as cli

    tie_args = cli.getConfStanza('dcso_tie_setup', 'tie')
    filter_args = cli.getConfStanza('dcso_tie_setup', 'filter')
    proxy_args = cli.getConfStanza('dcso_tie_setup', 'proxy')

    for k, v in tie_args.items():
        SETUP['tie'][k] = v

    for k, v in filter_args.items():
        SETUP['filter'][k] = v