def test_apply_merge_redirection():
root = RootAnalysis()
observable = root.add_observable("some_type", "some_value")
# test the case where the redirection target does not exist in the root analysis
target_root = RootAnalysis()
target_observable = target_root.add_observable("some_type", "some_value")
target_redirection_observable = target_root.add_observable(
"other_type", "other_value")
target_observable.redirection = target_redirection_observable
assert observable.redirection is None
observable.apply_merge(target_observable)
assert observable.redirection == target_redirection_observable
# also test the case where the redirection target already exists in the root analysis
root = RootAnalysis()
observable = root.add_observable("some_type", "some_value")
root.add_observable("other_type", "other_value")
target_root = RootAnalysis()
target_observable = target_root.add_observable("some_type", "some_value")
target_redirection_observable = target_root.add_observable(
"other_type", "other_value")
target_observable.redirection = target_redirection_observable
assert observable.redirection is None
observable.apply_merge(target_observable)
assert observable.redirection == target_redirection_observable
def test_apply_diff_merge_directives():
# does not exist before but exists after
original_root = RootAnalysis()
original_observable = original_root.add_observable("test", "test")
modified_root = copy.deepcopy(original_root)
modified_observable = modified_root.get_observable(original_observable)
modified_observable.add_directive("test")
target_root = RootAnalysis()
observable = target_root.add_observable("test", "test")
assert not observable.has_directive("test")
observable.apply_diff_merge(original_observable, modified_observable)
assert observable.has_directive("test")
# exists before but not after
original_root = RootAnalysis()
original_observable = original_root.add_observable("test", "test")
modified_root = copy.deepcopy(original_root)
original_observable.add_directive("test")
modified_observable = modified_root.get_observable(original_observable)
target_root = RootAnalysis()
observable = target_root.add_observable("test", "test")
assert not observable.has_directive("test")
observable.apply_diff_merge(original_observable, modified_observable)
# should still not exist
assert not observable.has_directive("test")
def test_apply_merge_links():
root = RootAnalysis()
observable = root.add_observable("some_type", "some_value")
# test the case where the link target does not exist in the root analysis
target_root = RootAnalysis()
target_observable = target_root.add_observable("some_type", "some_value")
linked_observable = target_root.add_observable("other_type", "other_value")
target_observable.add_link(linked_observable)
assert not observable.links
observable.apply_merge(target_observable)
assert observable.links
assert observable.links[0] == linked_observable
# also test the case where the link target already exists in the root analysis
root = RootAnalysis()
observable = root.add_observable("some_type", "some_value")
root.add_observable("other_type", "other_value")
target_root = RootAnalysis()
target_observable = target_root.add_observable("some_type", "some_value")
linked_observable = target_root.add_observable("other_type", "other_value")
target_observable.add_link(linked_observable)
assert not observable.links
observable.apply_merge(target_observable)
assert observable.links
assert observable.links[0] == linked_observable
def test_apply_diff_merge_excluded_analysis():
# does not exist before but exists after
original_root = RootAnalysis()
original_observable = original_root.add_observable("test", "test")
modified_root = copy.deepcopy(original_root)
modified_observable = modified_root.get_observable(original_observable)
modified_observable.exclude_analysis("test")
target_root = RootAnalysis()
observable = target_root.add_observable("test", "test")
assert not observable.excluded_analysis
observable.apply_diff_merge(original_observable, modified_observable)
assert observable.excluded_analysis[0] == "test"
# exists before but not after
original_root = RootAnalysis()
original_observable = original_root.add_observable("test", "test")
modified_root = copy.deepcopy(original_root)
modified_observable = modified_root.get_observable(original_observable)
original_observable.exclude_analysis("test")
target_root = RootAnalysis()
observable = target_root.add_observable("test", "test")
assert not observable.excluded_analysis
observable.apply_diff_merge(original_observable, modified_observable)
# should still not exist
assert not observable.excluded_analysis
def test_apply_merge_relationships():
root = RootAnalysis()
observable = root.add_observable("some_type", "some_value")
# test the case where the relationship target does not exist in the root analysis
target_root = RootAnalysis()
target_observable = target_root.add_observable("some_type", "some_value")
r_observable = target_root.add_observable("other_type", "other_value")
target_observable.add_relationship("downloaded_from", r_observable)
assert not observable.relationships
observable.apply_merge(target_observable)
assert observable.relationships["downloaded_from"] == [r_observable]
# also test the case where the relationship target already exists in the root analysis
root = RootAnalysis()
observable = root.add_observable("some_type", "some_value")
root.add_observable("other_type", "other_value")
# test the case where the relationship target does not exist in the root analysis
target_root = RootAnalysis()
target_observable = target_root.add_observable("some_type", "some_value")
r_observable = target_root.add_observable("other_type", "other_value")
target_observable.add_relationship("downloaded_from", r_observable)
assert not observable.relationships
observable.apply_merge(target_observable)
assert observable.relationships["downloaded_from"] == [r_observable]
async def test_storage_dir(tmpdir):
root = RootAnalysis()
assert root.storage_dir is None
# use the default temp dir
root.initialize_storage()
assert root.storage_dir
assert os.path.isdir(root.storage_dir)
path = root.storage_dir
await root.discard()
assert root.storage_dir is None
assert not os.path.isdir(path)
# specify a temp dir
path = str(tmpdir.mkdir("temp"))
root = RootAnalysis()
assert root.storage_dir is None
root.initialize_storage(path)
assert root.storage_dir == path
assert os.path.exists(path)
await root.discard()
assert root.storage_dir is None
assert not os.path.exists(path)
# specify a temp dir that does not exist yet
# we'll re-use the previous one
root = RootAnalysis()
assert root.storage_dir is None
root.initialize_storage(path) # does not currently exist
assert root.storage_dir == path
assert os.path.exists(path)
await root.discard()
assert root.storage_dir is None
assert not os.path.exists(path)
def test_apply_diff_merge_tags():
original_root = RootAnalysis()
original_observable = original_root.add_observable("test", "test")
modified_root = original_root.copy()
modified_observable = modified_root.get_observable(original_observable)
modified_observable.add_tag("test")
target_root = original_root.copy()
target_observable = target_root.add_observable("test", "test")
assert not target_observable.tags
target_observable.apply_diff_merge(original_observable,
modified_observable)
assert target_observable.tags
assert target_observable.tags[0] == "test"
# exists before but not after
original_root = RootAnalysis()
original_observable = original_root.add_observable("test", "test")
modified_root = original_root.copy()
modified_observable = modified_root.get_observable(original_observable)
target_root = original_root.copy()
target_observable = target_root.add_observable("test", "test")
original_observable.add_tag("test")
assert not target_observable.tags
target_observable.apply_diff_merge(original_observable,
modified_observable)
assert not target_observable.tags
def test_apply_diff_merge_detetion_points():
original_root = RootAnalysis()
original_observable = original_root.add_observable("test", "test")
modified_root = original_root.copy()
modified_observable = modified_root.get_observable(original_observable)
modified_observable.add_detection_point("test")
target_root = original_root.copy()
target_observable = target_root.get_observable(original_observable)
assert not target_observable.has_detection_points()
target_observable.apply_diff_merge(original_observable,
modified_observable)
assert target_observable.has_detection_points
# exists before but not after
original_root = RootAnalysis()
original_observable = original_root.add_observable("test", "test")
modified_root = original_root.copy()
modified_observable = modified_root.get_observable(original_observable)
target_root = original_root.copy()
target_observable = target_root.get_observable(original_observable)
original_observable.add_detection_point("test")
assert not target_observable.has_detection_points()
target_observable.apply_diff_merge(original_observable,
modified_observable)
assert not target_observable.has_detection_points()
def test_apply_merge_directives():
root = RootAnalysis()
observable = root.add_observable("some_type", "some_value")
target_root = RootAnalysis()
target_observable = target_root.add_observable("some_type", "some_value")
target_observable.add_directive("some_directive")
assert not observable.has_directive("some_directive")
observable.apply_merge(target_observable)
assert observable.has_directive("some_directive")
def test_apply_merge_detetion_points():
root = RootAnalysis()
observable = root.add_observable("test", "test")
target_root = RootAnalysis()
target_observable = target_root.add_observable("test", "test")
target_observable.add_detection_point("test")
assert not observable.has_detection_points()
observable.apply_merge(target_observable)
assert observable.has_detection_points
def test_apply_merge_grouping_target():
root = RootAnalysis()
observable = root.add_observable("some_type", "some_value")
target_root = RootAnalysis()
target_observable = target_root.add_observable("some_type", "some_value")
target_observable.grouping_target = True
assert not observable.grouping_target
observable.apply_merge(target_observable)
assert observable.grouping_target
def test_apply_merge_excluded_analysis():
root = RootAnalysis()
observable = root.add_observable("some_type", "some_value")
target_root = RootAnalysis()
target_observable = target_root.add_observable("some_type", "some_value")
target_observable.exclude_analysis("some_module")
assert not observable.excluded_analysis
observable.apply_merge(target_observable)
assert observable.excluded_analysis
assert observable.excluded_analysis[0] == "some_module"
def test_apply_merge_tags():
root = RootAnalysis()
observable = root.add_observable("some_type", "some_value")
target_root = RootAnalysis()
target_observable = target_root.add_observable("some_type", "some_value")
target_observable.add_tag("test")
assert not observable.tags
observable.apply_merge(target_observable)
assert observable.tags
assert observable.tags[0] == "test"
def test_add_analysis():
amt = AnalysisModuleType("test", "")
root = RootAnalysis()
observable = root.add_observable("test", "test")
# test adding an Analysis object
analysis = Analysis(details={"hello": "world"}, type=amt)
result = observable.add_analysis(analysis)
assert result == analysis
# test adding just a details, type
root = RootAnalysis()
observable = root.add_observable("test", "test")
analysis = observable.add_analysis(details={"hello": "world"}, type=amt)
assert result == analysis
def test_apply_merge_analysis():
amt = AnalysisModuleType("test", "")
root = RootAnalysis()
observable = root.add_observable("some_type", "some_value")
target_root = RootAnalysis()
target_observable = target_root.add_observable("some_type", "some_value")
target_observable.add_analysis(Analysis(type=amt, details={"test":
"test"}))
assert not observable.analysis
observable.apply_merge(target_observable)
assert observable.analysis
assert observable.get_analysis("test") is not None
assert observable.get_analysis("test")._details == {"test": "test"}
def test_apply_diff_merge_grouping_target():
# grouping target modified
original_root = RootAnalysis()
original_observable = original_root.add_observable("test", "test")
modified_root = copy.deepcopy(original_root)
modified_observable = modified_root.get_observable(original_observable)
modified_observable.grouping_target = True
target_root = RootAnalysis()
target_observable = target_root.add_observable("test", "test")
assert not target_observable.grouping_target
target_observable.apply_diff_merge(original_observable,
modified_observable)
assert target_observable.grouping_target
def test_root_diff_merge():
target = RootAnalysis()
before = RootAnalysis()
after = before.copy()
after.analysis_mode = "test"
after.queue = "test"
after.description = "test"
after.analysis_cancelled = True
after.analysis_cancelled_reason = "test"
target.apply_diff_merge(before, after)
assert target.analysis_mode == "test"
assert target.queue == "test"
assert target.description == "test"
assert target.analysis_cancelled
assert target.analysis_cancelled_reason == "test"
def test_observable_serialization():
root = RootAnalysis()
o_time = utc_now()
target = root.add_observable("test", "other")
o1 = root.add_observable(
"test",
"test",
time=o_time,
context="text context",
directives=["directive1", "directive2"],
limited_analysis=["limit1", "limit2"],
excluded_analysis=["excluded1", "excluded2"],
requested_analysis=["requested1", "requested2"],
)
o1.add_relationship("test", target)
root = RootAnalysis.from_dict(root.to_model().dict())
o2 = root.get_observable(o1)
# should be two separate instances
assert id(o1) != id(o2)
assert o1.type == o2.type
assert o1.value == o2.value
assert o1.time == o2.time
assert o1.context == o2.context
assert o1.directives == o2.directives
assert o1.limited_analysis == o2.limited_analysis
assert o1.excluded_analysis == o2.excluded_analysis
assert o1.requested_analysis == o2.requested_analysis
assert o1.relationships == o2.relationships
def test_root_eq():
# two different uuids
assert RootAnalysis() != RootAnalysis()
root = RootAnalysis()
# same uuids
assert root == root.copy()
# invalid compare
assert root != object()
# same uuid different version
root = RootAnalysis()
modified_root = root.copy()
modified_root.version = str(uuid.uuid4())
assert root != modified_root
# same uuid same version
root.version = modified_root.version
assert root == modified_root
def test_root_all_detection_points():
amt = AnalysisModuleType("test", "")
root = RootAnalysis()
observable = root.add_observable("test", "test")
analysis = observable.add_analysis(type=amt)
observable_2 = analysis.add_observable("test", "test2")
root.add_detection_point("test")
assert root.all_detection_points == [DetectionPoint("test")]
observable.add_detection_point("test")
assert root.all_detection_points == [
DetectionPoint("test"), DetectionPoint("test")
]
analysis.add_detection_point("test")
assert root.all_detection_points == [
DetectionPoint("test"),
DetectionPoint("test"),
DetectionPoint("test")
]
observable_2.add_detection_point("test")
assert root.all_detection_points == [
DetectionPoint("test"),
DetectionPoint("test"),
DetectionPoint("test"),
DetectionPoint("test"),
]
def test_root_get_observable():
amt = AnalysisModuleType("test", "")
root = RootAnalysis()
observable = root.add_observable("test", "test")
# get by uuid
assert root.get_observable(observable.uuid) == observable
# get by identity
assert root.get_observable(observable) == observable
# get by new object
assert root.get_observable(RootAnalysis().add_observable(
"test", "test")) == observable
# get invalid object
assert root.get_observable("") is None
assert root.get_observable(RootAnalysis().add_observable("test",
"blah")) is None
def test_recurse_down():
amt = AnalysisModuleType("test", "")
root = RootAnalysis()
observable = root.add_observable("test", "test")
analysis = observable.add_analysis(type=amt)
child = analysis.add_observable("test", "child")
observable_2 = root.add_observable("test", "other")
# we'll build a list of the nodes we visit
result = []
def _callback(node):
result.append(node)
# R -> O1 -> A -> O2
# -> O3
recurse_down(root, _callback)
assert result == [root]
result = []
recurse_down(observable, _callback)
assert result == [observable, root]
result = []
recurse_down(analysis, _callback)
assert result == [analysis, observable, root]
result = []
recurse_down(child, _callback)
assert result == [child, analysis, observable, root]
result = []
recurse_down(observable_2, _callback)
assert result == [observable_2, root]
# R -> O1 -> A -> O1
root = RootAnalysis()
observable = root.add_observable("test", "test")
analysis = observable.add_analysis(type=amt)
# this points to the same observable as before
child = analysis.add_observable("test", "test")
result = []
recurse_down(observable, _callback)
assert len(result) == 3
# (order is random when there are multiple paths to root)
assert analysis in result and observable in result and root in result
def test_has_observable():
root = RootAnalysis()
observable = root.add_observable("test", "test")
assert root.has_observable("test", "test")
assert not root.has_observable("test", "t3st")
assert root.has_observable(Observable("test", "test"))
assert not root.has_observable(Observable("t3st", "test"))
assert not root.has_observable(Observable("test", "t3st"))
def test_observable_properties():
amt = AnalysisModuleType("test", "")
root = RootAnalysis()
observable = root.add_observable("test", "test")
analysis = observable.add_analysis(type=amt)
assert observable.all_analysis == [analysis]
assert observable.children == [analysis]
def test_add_duplicate_analysis():
amt = AnalysisModuleType("test", "")
root = RootAnalysis()
observable = root.add_observable("test", "test")
analysis = observable.add_analysis(type=amt)
# adding the same analysis twice will fail
with pytest.raises(ValueError):
observable.add_analysis(type=amt)
def test_root_all():
amt = AnalysisModuleType("test", "")
root = RootAnalysis()
observable = root.add_observable("test", "test")
analysis = observable.add_analysis(type=amt)
observable_2 = analysis.add_observable("test", "test2")
assert sorted(root.all) == sorted(
[root, analysis, observable, observable_2])
def test_add_limited_analysis():
observable = RootAnalysis().add_observable("test", "test")
assert not observable.limited_analysis
observable.limit_analysis("test")
assert observable.limited_analysis
assert "test" in observable.limited_analysis
observable.limit_analysis(AnalysisModuleType("other", ""))
assert "other" in observable.limited_analysis
def test_add_excluded_analysis():
observable = RootAnalysis().add_observable("test", "test")
assert not observable.excluded_analysis
assert not observable.is_excluded("test")
observable.exclude_analysis("test")
assert observable.excluded_analysis
assert "test" in observable.excluded_analysis
assert observable.is_excluded("test")
assert observable.is_excluded(AnalysisModuleType("test", ""))
observable.exclude_analysis(AnalysisModuleType("other", ""))
assert "other" in observable.excluded_analysis
def test_search_down():
amt = AnalysisModuleType("test", "")
root = RootAnalysis()
observable = root.add_observable("test", "test")
analysis = observable.add_analysis(type=amt)
child = analysis.add_observable("test", "child")
observable_2 = root.add_observable("test", "other")
assert search_down(child, lambda obj: obj == analysis) == analysis
assert search_down(child, lambda obj: obj == observable) == observable
assert search_down(child, lambda obj: obj == root) == root
assert search_down(child, lambda obj: False) is None
def test_apply_diff_merge_redirection():
# test redirection created
original_root = RootAnalysis()
original_observable = original_root.add_observable("test", "test")
modified_root = copy.deepcopy(original_root)
modified_observable = modified_root.get_observable(original_observable)
modified_observable.redirection = modified_root.add_observable(
"target", "target")
target_root = RootAnalysis()
target_observable = target_root.add_observable("test", "test")
assert target_observable.redirection is None
target_observable.apply_diff_merge(original_observable,
modified_observable)
assert target_root.get_observable(modified_observable.redirection)
assert target_observable.redirection == target_root.get_observable(
modified_observable.redirection)
# test redirection modified
original_root = RootAnalysis()
original_observable = original_root.add_observable("test", "test")
original_observable.redirection = original_root.add_observable(
"target", "target")
modified_root = copy.deepcopy(original_root)
modified_observable = modified_root.get_observable(original_observable)
modified_observable.redirection = modified_root.add_observable(
"other", "other")
target_root = RootAnalysis()
target_observable = target_root.add_observable("test", "test")
assert target_observable.redirection is None
target_observable.apply_diff_merge(original_observable,
modified_observable)
assert target_root.get_observable(modified_observable.redirection)
assert target_observable.redirection == target_root.get_observable(
modified_observable.redirection)