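    def test_load_hunts(self):
        """Load the two test hunts from config and check each one's fields.

        ``hunter.hunts`` holds 'unit_test_2' at index 0 and 'unit_test_1'
        at index 1 after loading; both must be ``TestHunt`` instances with
        the expected enabled/name/description/type/frequency/tags values.
        """
        hunter = HuntManager(**manager_kwargs())
        hunter.load_hunts_from_config()
        self.assertEqual(len(hunter.hunts), 2)
        self.assertIsInstance(hunter.hunts[0], TestHunt)
        self.assertIsInstance(hunter.hunts[1], TestHunt)

        # NOTE(review): stamping a naive local "now" on each hunt — presumably
        # so none of them is considered due while the fields are inspected;
        # confirm against HuntManager before relying on it.
        for hunt in hunter.hunts:
            hunt.last_executed_time = datetime.datetime.now()

        # Both hunts share the same shape; only name/description differ.
        expected = {
            1: ('unit_test_1', 'Unit Test Description 1'),
            0: ('unit_test_2', 'Unit Test Description 2'),
        }
        for index, (name, description) in expected.items():
            with self.subTest(index=index, name=name):
                hunt = hunter.hunts[index]
                self.assertTrue(hunt.enabled)
                self.assertEqual(hunt.name, name)
                self.assertEqual(hunt.description, description)
                self.assertEqual(hunt.type, 'test')
                self.assertIsInstance(hunt.frequency, datetime.timedelta)
                self.assertEqual(hunt.tags, ['tag1', 'tag2'])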
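 def test_load_hunt_ini(self):
     """Load the single 'query_test_1' hunt and check every configured field.

     Exactly one hunt is expected after loading; its timing fields
     (frequency, time_range, max_time_range, offset) are compared against
     ``create_timedelta`` values and the field mappings against literals.
     """
     manager = HuntManager(**manager_kwargs())
     manager.load_hunts_from_config()
     self.assertEqual(len(manager.hunts), 1)
     hunt = manager.hunts[0]

     # identity / scheduling
     self.assertTrue(hunt.enabled)
     self.assertEqual(hunt.name, 'query_test_1')
     self.assertEqual(hunt.description, 'Query Test Description 1')
     self.assertEqual(hunt.type, 'test_query')
     self.assertEqual(hunt.frequency, create_timedelta('00:01:00'))
     self.assertEqual(hunt.tags, ['tag1', 'tag2'])

     # query window
     self.assertEqual(hunt.time_range, create_timedelta('00:01:00'))
     self.assertEqual(hunt.max_time_range, create_timedelta('01:00:00'))
     self.assertEqual(hunt.offset, create_timedelta('00:05:00'))
     self.assertTrue(hunt.full_coverage)
     self.assertEqual(hunt.group_by, 'field1')
     self.assertEqual(hunt.query, 'Test query.')
     self.assertTrue(hunt.use_index_time)

     # how result fields are turned into observables
     self.assertEqual(hunt.observable_mapping, {
         'src_ip': 'ipv4',
         'dst_ip': 'ipv4'
     })
     self.assertEqual(hunt.temporal_fields, {
         'src_ip': True,
         'dst_ip': True
     })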
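    def test_load_hunt_with_includes(self):
        """Load the include-based hunt and check its query follows the include file.

        The 'query_test_includes' hunt evidently builds its query text from
        ``ips.txt``: the test writes that file, loads the hunt, then appends
        to the file and expects ``hunt.query`` to reflect the new contents
        without reloading.  Cleanup runs in ``finally`` so a failed assertion
        does not leave the include file behind for later tests.
        """
        ips_txt = 'hunts/test/splunk/ips.txt'
        with open(ips_txt, 'w') as fp:
            fp.write('1.1.1.1\n')

        try:
            manager = HuntManager(**manager_kwargs())
            manager.load_hunts_from_config(hunt_filter=lambda hunt: hunt.name == 'query_test_includes')
            hunt = manager.get_hunt_by_name('query_test_includes')
            self.assertIsNotNone(hunt)
            # same as above except that ip address comes from a different file
            self.assertEqual(hunt.query, 'index=proxy {time_spec} src_ip=1.1.1.1\n')

            # and then change it and it should have a different value
            with open(ips_txt, 'a') as fp:
                fp.write('1.1.1.2\n')

            # The include is expected to be re-read on access: the query changes
            # without reloading the hunt, so the include file's contents (newlines
            # included) land verbatim in the query text.
            self.assertEqual(hunt.query, 'index=proxy {time_spec} src_ip=1.1.1.1\n1.1.1.2\n')
        finally:
            os.remove(ips_txt)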
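 def test_load_hunt_ini(self):
     """Load only 'query_test_1' via ``hunt_filter`` and check its fields.

     The filter restricts loading to one hunt, which is then looked up by
     name rather than by index.  Timing fields are compared against
     ``create_timedelta`` values; the query string and the field mappings
     against literals.
     """
     manager = HuntManager(**manager_kwargs())
     manager.load_hunts_from_config(hunt_filter=lambda hunt: hunt.name == 'query_test_1')
     self.assertEqual(len(manager.hunts), 1)

     hunt = manager.get_hunt_by_name('query_test_1')
     self.assertIsNotNone(hunt)

     # identity / scheduling
     self.assertTrue(hunt.enabled)
     self.assertEqual(hunt.name, 'query_test_1')
     self.assertEqual(hunt.description, 'Query Test Description 1')
     self.assertEqual(hunt.type, 'splunk')
     self.assertEqual(hunt.frequency, create_timedelta('00:01:00'))
     self.assertEqual(hunt.tags, ['tag1', 'tag2'])

     # query window
     self.assertEqual(hunt.time_range, create_timedelta('00:01:00'))
     self.assertEqual(hunt.max_time_range, create_timedelta('01:00:00'))
     self.assertEqual(hunt.offset, create_timedelta('00:05:00'))
     self.assertTrue(hunt.full_coverage)
     self.assertEqual(hunt.group_by, 'field1')
     # {time_spec} is left unexpanded here; it is a placeholder in the stored query
     self.assertEqual(hunt.query, 'index=proxy {time_spec} src_ip=1.1.1.1\n')
     self.assertTrue(hunt.use_index_time)

     # how result fields are turned into observables
     self.assertEqual(hunt.observable_mapping, {'src_ip': 'ipv4', 'dst_ip': 'ipv4'})
     self.assertEqual(hunt.temporal_fields, {'src_ip': True, 'dst_ip': True})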
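    def test_splunk_query(self):
        """Execute the 'test_query' hunt against canned results and check submissions.

        Query results are read from ``test_data/hunts/splunk/test_output.json``
        and passed in via ``unit_test_query_results``, so no Splunk instance is
        contacted.  Four submissions are expected, each keyed by description;
        the per-description event_time/observables pairs come from the canned
        data.  Any other description fails the test.
        """
        manager = HuntManager(**manager_kwargs())
        manager.load_hunts_from_config(hunt_filter=lambda hunt: hunt.name == 'test_query')
        self.assertEqual(len(manager.hunts), 1)
        hunt = manager.get_hunt_by_name('test_query')
        self.assertIsNotNone(hunt)

        with open('test_data/hunts/splunk/test_output.json', 'r') as fp:
            query_results = json.load(fp)

        # description -> (event_time, observables) expected for that submission
        file_name_observable = [{'type': 'file_name', 'value': '__init__.py'}]
        expected = {
            'Test Splunk Query: 29380 (3 events)':
                (datetime.datetime(2019, 12, 23, 16, 5, 36), file_name_observable),
            'Test Splunk Query: 29385 (2 events)':
                (datetime.datetime(2019, 12, 23, 16, 5, 37), file_name_observable),
            'Test Splunk Query: 29375 (2 events)':
                (datetime.datetime(2019, 12, 23, 16, 5, 36), file_name_observable),
            'Test Splunk Query: 31185 (93 events)':
                (datetime.datetime(2019, 12, 23, 16, 5, 22), file_name_observable),
        }

        result = hunt.execute(unit_test_query_results=query_results)
        self.assertIsInstance(result, list)
        self.assertEqual(len(result), 4)
        for submission in result:
            with self.subTest(description=submission.description):
                # fields common to every submission produced by this hunt
                self.assertEqual(submission.analysis_mode, ANALYSIS_MODE_CORRELATION)
                self.assertIsInstance(submission.details, list)
                self.assertTrue(all(isinstance(detail, dict) for detail in submission.details))
                self.assertEqual(submission.files, [])
                self.assertEqual(submission.tags, ['tag1', 'tag2'])
                self.assertEqual(submission.tool, 'hunter-splunk')
                # tool_instance is taken from the configured splunk uri, not hard-coded
                self.assertEqual(submission.tool_instance, saq.CONFIG['splunk']['uri'])
                self.assertEqual(submission.type, 'splunk')

                if submission.description not in expected:
                    self.fail("invalid description")
                event_time, observables = expected[submission.description]
                self.assertEqual(submission.event_time, event_time)
                self.assertEqual(submission.observables, observables)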