def test_misp_all_urls():
    """MISP.all_urls() folds http_ex/https_ex entries into one add_url() call.

    The MISP backend is a MagicMock, so no server is contacted. The
    assertion checks that each entry is rebuilt as ``protocol://host`` +
    ``uri`` and that both URLs are submitted together in a single call.
    """
    reporter = MISP()
    reporter.misp = mock.MagicMock()
    reporter.misp.add_url.return_value = None

    http_entry = {
        "protocol": "http",
        "host": "hello",
        "uri": "/bar",
    }
    https_entry = {
        "protocol": "https",
        "host": "hello",
        "uri": "/foobar",
    }
    results = {
        "network": {
            "http_ex": [http_entry],
            "https_ex": [https_entry],
        },
    }

    reporter.all_urls(results, "event")
    reporter.misp.add_url.assert_called_once_with(
        "event", ["http://hello/bar", "https://hello/foobar"]
    )
def test_misp_domain_ipaddr():
    """MISP.domain_ipaddr() forwards resolved domains and contacted hosts.

    Expected calls: add_domains_ips() gets a ``{domain: ip}`` mapping that
    contains only "foobar" (time.windows.com is included in the input so
    the test can check it is dropped), and add_ipdst() gets the hosts list
    unchanged.
    """
    reporter = MISP()
    reporter.misp = mock.MagicMock()
    reporter.misp.add_domains_ips.return_value = None
    reporter.misp.add_ipdst.return_value = None

    # TODO Now that we have global whitelisting, this custom-made support
    # for the MISP reporting module should probably be removed.
    filtered_domain = {"domain": "time.windows.com", "ip": "1.2.3.4"}
    domains = [
        {"domain": "foobar", "ip": "1.2.3.4"},
        filtered_domain,
    ]
    hosts = ["2.3.4.5", "3.4.5.6"]

    reporter.domain_ipaddr(
        {"network": {"domains": domains, "hosts": hosts}}, "event"
    )
    reporter.misp.add_domains_ips.assert_called_once_with(
        "event", {"foobar": "1.2.3.4"}
    )
    reporter.misp.add_ipdst.assert_called_once_with(
        "event", ["2.3.4.5", "3.4.5.6"]
    )
def test_misp_all_urls():
    """all_urls() must rebuild URLs from http_ex/https_ex and submit them once.

    The backend is mocked; the check is on the exact list handed to
    add_url(): scheme taken from "protocol", then host, then "uri".
    """
    reporter = MISP()
    reporter.misp = mock.MagicMock()
    reporter.misp.add_url.return_value = None

    def entry(protocol, uri):
        # Both entries share the host; only scheme and path differ.
        return {"protocol": protocol, "host": "hello", "uri": uri}

    network = {
        "http_ex": [entry("http", "/bar")],
        "https_ex": [entry("https", "/foobar")],
    }
    reporter.all_urls({"network": network}, "event")

    expected = ["http://hello/bar", "https://hello/foobar"]
    reporter.misp.add_url.assert_called_once_with("event", expected)
def test_misp_maldoc():
    """MISP.maldoc_network() submits the URL IOCs of malicious_document_urls.

    Only marks with category "url" from the signature named
    "malicious_document_urls" must reach add_url(); the unrelated
    signature and the "file" mark are expected to be ignored.
    """
    reporter = MISP()
    reporter.misp = mock.MagicMock()
    reporter.misp.add_url.return_value = None

    unrelated_sig = {"name": "foobar"}
    maldoc_sig = {
        "name": "malicious_document_urls",
        "marks": [
            {"category": "file"},
            {"category": "url", "ioc": "url_ioc"},
        ],
    }
    reporter.maldoc_network(
        {"signatures": [unrelated_sig, maldoc_sig]}, "event"
    )
    reporter.misp.add_url.assert_called_once_with("event", ["url_ioc"])
def test_misp_domain_ipaddr():
    """domain_ipaddr() reports domains as {domain: ip} and hosts as a list.

    time.windows.com is deliberately part of the input: the expected call
    shows it being filtered out, while both hosts pass through untouched.
    """
    reporter = MISP()
    reporter.misp = mock.MagicMock()
    reporter.misp.add_domains_ips.return_value = None
    reporter.misp.add_ipdst.return_value = None

    network = {
        "domains": [
            {"domain": "foobar", "ip": "1.2.3.4"},
            # TODO Now that we have global whitelisting, this custom-made
            # support for the MISP reporting module should probably be
            # removed.
            {"domain": "time.windows.com", "ip": "1.2.3.4"},
        ],
        "hosts": ["2.3.4.5", "3.4.5.6"],
    }
    reporter.domain_ipaddr({"network": network}, "event")

    expected_domains = {"foobar": "1.2.3.4"}
    expected_hosts = ["2.3.4.5", "3.4.5.6"]
    reporter.misp.add_domains_ips.assert_called_once_with(
        "event", expected_domains
    )
    reporter.misp.add_ipdst.assert_called_once_with("event", expected_hosts)
def test_misp_maldoc():
    """maldoc_network() picks URL IOCs out of the malicious_document_urls signature.

    A signature without marks and a mark of category "file" are present
    to confirm they do not produce add_url() calls.
    """
    reporter = MISP()
    reporter.misp = mock.MagicMock()
    reporter.misp.add_url.return_value = None

    marks = [
        {"category": "file"},  # not a URL mark: must be skipped
        {"category": "url", "ioc": "url_ioc"},
    ]
    signatures = [
        {"name": "foobar"},  # unrelated signature, carries no marks
        {"name": "malicious_document_urls", "marks": marks},
    ]
    reporter.maldoc_network({"signatures": signatures}, "event")
    reporter.misp.add_url.assert_called_once_with("event", ["url_ioc"])
def test_misp_family():
    """MISP.family() reports every extracted config under metadata.cfgextr.

    Per entry the expected calls are: add_detection_name() with the family
    name and the "External analysis" label; add_url() once per "cnc"/"url"
    value (one URL per call, unlike all_urls()); add_mutex() and
    add_useragent() for the "mutex" and "user_agent" lists.
    """
    reporter = MISP()
    reporter.misp = mock.MagicMock()
    reporter.misp.add_detection_name.return_value = None
    reporter.misp.add_url.return_value = None
    reporter.misp.add_mutex.return_value = None
    reporter.misp.add_useragent.return_value = None

    cfgextr = [
        {"family": "3x4mpl3", "cnc": ["example.com/gate.php"]},
        {"family": "3x4mpl3_2", "url": ["http://example.org"]},
        {
            "family": "3x4mpl3_3",
            "mutex": ["@@@@@@"],
            "user_agent": ["M3mebr0wz0r V42"],
        },
    ]
    reporter.family({"metadata": {"cfgextr": cfgextr}}, "event")

    expected_names = [
        mock.call("event", family, "External analysis")
        for family in ("3x4mpl3", "3x4mpl3_2", "3x4mpl3_3")
    ]
    assert reporter.misp.add_detection_name.call_count == 3
    reporter.misp.add_detection_name.assert_has_calls(expected_names)

    assert reporter.misp.add_url.call_count == 2
    reporter.misp.add_url.assert_has_calls([
        mock.call("event", "example.com/gate.php"),
        mock.call("event", "http://example.org"),
    ])

    reporter.misp.add_mutex.assert_called_once_with("event", "@@@@@@")
    reporter.misp.add_useragent.assert_called_once_with(
        "event", "M3mebr0wz0r V42"
    )
def test_misp_sample_hashes():
    """MISP.sample_hashes() pushes the submitted file's digests.

    add_hashes() must receive the filename and all three digests as
    keyword arguments, under the "Payload delivery" category and with the
    fixed comment "File submitted to Cuckoo".
    """
    reporter = MISP()
    reporter.misp = mock.MagicMock()
    reporter.misp.add_hashes.return_value = None

    target_file = {
        "name": "foobar",
        "md5": "m d 5",
        "sha1": "sha one",
        "sha256": "sha 256",
    }
    reporter.sample_hashes({"target": {"file": target_file}}, "event")

    expected_kwargs = dict(
        category="Payload delivery",
        filename="foobar",
        md5="m d 5",
        sha1="sha one",
        sha256="sha 256",
        comment="File submitted to Cuckoo",
    )
    reporter.misp.add_hashes.assert_called_once_with("event", **expected_kwargs)
def test_misp_sample_hashes():
    """sample_hashes() forwards the target file's name and digests to add_hashes().

    The category and comment strings are fixed by the reporting module;
    the test pins them together with the keyword-argument form of the call.
    """
    reporter = MISP()
    reporter.misp = mock.MagicMock()
    reporter.misp.add_hashes.return_value = None

    name, md5, sha1, sha256 = "foobar", "m d 5", "sha one", "sha 256"
    report = {
        "target": {
            "file": {"name": name, "md5": md5, "sha1": sha1, "sha256": sha256},
        },
    }
    reporter.sample_hashes(report, "event")
    reporter.misp.add_hashes.assert_called_once_with(
        "event",
        category="Payload delivery",
        filename=name,
        md5=md5,
        sha1=sha1,
        sha256=sha256,
        comment="File submitted to Cuckoo",
    )
def test_misp_domain_ipaddr():
    """Filtered domains and hosts must not be reported to MISP.

    Runs with a fresh working directory. The input holds one ordinary
    domain plus time.windows.com and www.msftncsi.com, and three hosts
    including 8.8.8.8; the expected calls show that only "foobar" is
    reported and that 8.8.8.8 is dropped from the destination list.
    """
    set_cwd(tempfile.mkdtemp())
    reporter = MISP()
    reporter.misp = mock.MagicMock()
    reporter.misp.add_domains_ips.return_value = None
    reporter.misp.add_ipdst.return_value = None

    domains = [
        {"domain": "foobar", "ip": "1.2.3.4"},
        {"domain": "time.windows.com", "ip": "1.2.3.4"},
        {"domain": "www.msftncsi.com", "ip": "95.101.2.42"},
    ]
    hosts = ["2.3.4.5", "3.4.5.6", "8.8.8.8"]
    reporter.domain_ipaddr(
        {"network": {"domains": domains, "hosts": hosts}}, "event"
    )

    reporter.misp.add_domains_ips.assert_called_once_with(
        "event", {"foobar": "1.2.3.4"}
    )
    reporter.misp.add_ipdst.assert_called_once_with(
        "event", ["2.3.4.5", "3.4.5.6"]
    )
def test_misp_signatures():
    """MISP.signature() turns report signatures into internal comments.

    Loads the fixture tests/files/reportsignatures.json, checks the total
    number of add_internal_comment() calls and spot-checks a few rendered
    descriptions without caring about their order.
    """
    reporter = MISP()
    reporter.misp = mock.MagicMock()
    reporter.misp.add_internal_comment.return_value = None

    with open("tests/files/reportsignatures.json", "rb") as fp:
        fixture = json.load(fp)

    reporter.signature({"signatures": fixture}, "event")

    assert reporter.misp.add_internal_comment.call_count == 36

    expected_comments = [
        "Creates a service - (T1031, CreateServiceW)",
        (
            "Searches running processes potentially to identify"
            " processes for sandbox evasion, code injection or"
            " memory dumping -"
            " (T1057, Process32FirstW, Process32NextW)"
        ),
        "TTP: T1054, short: Indicator Blocking",
        (
            "Disables Windows Security features -"
            " (T1089, T1112, attempts to disable user access"
            " control)"
        ),
        (
            "Communicates with host for which no DNS query was"
            " performed - (200.87.164.69)"
        ),
    ]
    reporter.misp.add_internal_comment.assert_has_calls(
        [mock.call("event", text) for text in expected_comments],
        any_order=True,
    )
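    def misp_export(task_id, report=None):
        """
        Uploads the report to the MISP instance using the reporting module.

        Reads reports/report.json and task.json from the analysis directory
        of ``task_id`` (via cwd()), configures a MISP reporter with the
        ``reporting.misp`` options and runs it on the loaded results.

        :param task_id: task id
        :param report: additional report dict (accepted for compatibility;
                       not used by this implementation)
        """
        report_path = cwd("reports", "report.json", analysis=task_id)
        task_path = cwd("", "task.json", analysis=task_id)

        # Close both handles deterministically instead of leaving them to
        # the garbage collector (the previous version never closed them).
        with open(report_path) as fp:
            results = json.load(fp)
        with open(task_path) as fp:
            task = json.load(fp)

        m = MISP()
        options = config2("reporting", 'misp')
        m.set_task(task)
        m.set_options(options)

        m.run(results)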