def test_update_regex(): """Tests that a Regex object is succesfully updated.""" regex = Regex(name='Zeus C2', labels=['malicious-activity'], description='This is how C2 URLs for Zeus usually end.', pattern=r'gate\.php$', valid_from='2016-01-01T00:00:00Z', valid_until='2017-01-01T00:00:00Z', kill_chain_phases=[{ 'kill_chain_name': 'lockheed-martin-cyber-kill-chain', 'phase_name': 'reconnaissance' }]) regex.save() stix_id = regex.id updated = regex.update({'name': 'Zeus Gate URLs'}) assert updated.id == stix_id assert updated.name == 'Zeus Gate URLs' assert updated.labels == ['malicious-activity'] assert updated.description == 'This is how C2 URLs for Zeus usually end.' assert updated.kill_chain_phases == [{ 'kill_chain_name': 'lockheed-martin-cyber-kill-chain', 'phase_name': 'reconnaissance' }] assert updated.pattern == r'gate\.php$' assert str(updated.valid_from) == '2016-01-01 00:00:00+00:00' assert str(updated.valid_until) == '2017-01-01 00:00:00+00:00'
def test_yara_rule_attributes(): """Tests that a created YaraRule has all needed attributes.""" regex_type = type(re.compile('')) for rule in Regex.list(): assert isinstance(rule.pattern, str) assert hasattr(rule, 'compiled_regex') assert isinstance(rule.compiled_regex, regex_type)
def test_regex_get_or_create(populate_regex): """Tests the creation of a single regex.""" test_pattern = populate_regex[0].pattern regex = Regex.get_or_create(name='random', pattern=test_pattern) assert isinstance(regex, Regex) assert regex.id is not None assert regex.pattern == test_pattern
def test_invalid_regex(): """Tests that an invalid regular expression is not accepted.""" with pytest.raises(ValidationError) as error: Regex(name='Zeus C2', labels=['malicious-activity'], description='This is how C2 URLs for Zeus usually end.', pattern=r'gate\.php$)', valid_from='2016-01-01T00:00:00Z', valid_until='2017-01-01T00:00:00Z') assert 'is not a valid regular expression' in str(error.value)
def test_regex_creation(): """Tests the creation of a single Regex object.""" regex = Regex(name='Zeus C2', labels=['malicious-activity'], description='This is how C2 URLs for Zeus usually end.', pattern=r'gate\.php$', valid_from='2016-01-01T00:00:00Z', valid_until='2017-01-01T00:00:00Z') # pylint: disable=protected-access assert regex._stix_object is not None assert isinstance(regex._stix_object, StixRegex)
def test_invalid_regex_object(): """Tests that an invalid Regex object cannot be created.""" with pytest.raises(ValidationError) as error: Regex( name='Zeus C2', labels=['malicious-activity'], description='This is how C2 URLs for Zeus usually end.', pattern=r'gate\.php$)', # valid_from='2016-01-01T00:00:00Z', # valid_until='2017-01-01T00:00:00Z' ) assert 'No values for required properties' in str(error.value) assert 'valid_from' in str(error.value)
def populate_regex(): r1 = Regex(name='Zeus C2', labels=['malicious-activity'], description='This is how C2 URLs for Zeus usually end.', pattern=r'gate\.php$', valid_from='2016-01-01T00:00:00Z', valid_until='2017-01-01T00:00:00Z', kill_chain_phases=[{ 'kill_chain_name': 'lockheed-martin-cyber-kill-chain', 'phase_name': 'reconnaissance' }]).save() r2 = Regex(name='AppData', labels=['persistence'], description='AppData directory', pattern=r'Roaming\\AppData\\\w+$', valid_from='2016-01-01T00:00:00Z', valid_until='2017-01-01T00:00:00Z', kill_chain_phases=[{ 'kill_chain_name': 'lockheed-martin-cyber-kill-chain', 'phase_name': 'reconnaissance' }]).save() return [r1, r2]
def test_invalid_yara_rule(): """Tests that regex can't be created with invalid names or patterns.""" with pytest.raises(ValidationError): Regex(name="FailRule", pattern=123).save() with pytest.raises(ValidationError): Regex(name="FailRule", pattern='asd[3-2]').save()
def test_get_regex(populate_regex): """Tests that a YaraRule fetched from the DB has the correct type.""" name = populate_regex[0].name yr = Regex.filter({'name': name})[0] assert isinstance(yr, Regex)
def populate_regex(): r = Regex(name='AppData', pattern=r'AppData\\Roaming\\\w+').save() return [r]