def test_remove_processed_keys(self):
"""ThreatIntel - Remove Unprocessed Keys"""
query_values = {
'1.1.1.1', '2.2.2.2', '09bb8985ca0a702907dbcfad511d138e',
'02907dbcfad38e511d109bb8985ca0a7'
}
unprocesed_keys = [{
'ioc_value': {
'S': '2.2.2.2'
},
'sub_type': {
'S': 'mal_ip'
}
}, {
'ioc_value': {
'S': '09bb8985ca0a702907dbcfad511d138e'
},
'sub_type': {
'S': 'mal_md5'
}
}]
expected_result = {'2.2.2.2', '09bb8985ca0a702907dbcfad511d138e'}
ThreatIntel._remove_processed_keys(query_values, unprocesed_keys)
assert_equal(query_values, expected_result)
def test_insert_ioc_info(self):
"""ThreatIntel - Insert IOC Info"""
record = {'key': 'value'}
ioc_type = 'ip'
ioc_value = 'ioc_value'
expected_result = {
'key': 'value',
'streamalert:ioc': {
ioc_type: {ioc_value}
}
}
ThreatIntel._insert_ioc_info(record, ioc_type, ioc_value)
assert_equal(record, expected_result)
def test_segment(self):
"""ThreatIntel - Segment"""
values = [i for i in range(120)]
expected_result = [{i
for i in range(100)}, {i
for i in range(100, 120)}]
result = list(ThreatIntel._segment(values))
assert_equal(result, expected_result)
def test_setup_excluded_iocs(self):
"""ThreatIntel - Setup Excluded IOCs"""
excluded_iocs = {
'md5': {
'feca1deadbeefcafebeadbeefcafebee': {
'comment': 'not malicious'
}
}
}
expected_result = {'md5': {'feca1deadbeefcafebeadbeefcafebee'}}
result = ThreatIntel._setup_excluded_iocs(excluded_iocs)
assert_equal(result, expected_result)
def test_insert_ioc_info_existing(self):
"""ThreatIntel - Insert IOC Info, With Existing"""
ioc_type = 'ip'
existing_value = 'existing_value'
record = {
'key': 'value',
'streamalert:ioc': {
ioc_type: {existing_value}
}
}
new_value = 'new_value'
expected_result = {
'key': 'value',
'streamalert:ioc': {
ioc_type: {existing_value, new_value}
}
}
ThreatIntel._insert_ioc_info(record, ioc_type, new_value)
assert_equal(record, expected_result)
def test_load_from_config(self):
"""ThreatIntel - Load From Config"""
ti_client = ThreatIntel.load_from_config(self._default_config)
assert_equal(isinstance(ti_client, ThreatIntel), True)
assert_equal(ti_client._table, 'table_name')
assert_equal(ti_client._enabled_clusters, {'prod'})
expected_config = {
'destinationDomain': 'domain',
'sourceAddress': 'ip',
'destinationAddress': 'ip',
'fileHash': 'md5'
}
assert_equal(ti_client._ioc_config, expected_config)
assert_equal(ti_client._excluded_iocs, {'domain': {'not.evil.com'}})
def test_load_from_config_no_clusters(self):
"""ThreatIntel - Load From Config, Clusters Disabled"""
config = {
'threat_intel': {
'enabled': True
},
'clusters': {
'prod': {
'modules': {
'stream_alert': {
'enable_threat_intel': False
}
}
}
}
}
assert_equal(ThreatIntel.load_from_config(config), None)
def test_extract_values_by_keys(self):
"""ThreatIntel - Extract Values By Keys"""
record = {
'region': 'us-east-1',
'detail': {
'eventName': 'ConsoleLogin',
'sourceIPAddress': None
},
'source': '1.1.1.2'
}
keys = [['detail', 'sourceIPAddress'], ['source']]
expected_result = ['1.1.1.2']
result = list(ThreatIntel._extract_values_by_keys(record, keys))
assert_equal(result, expected_result)
def test_deserialize(self):
"""ThreatIntel - Deserialize"""
data = [{
'ioc_value': {
'S': '09bb8985ca0a702907dbcfad511d138e'
},
'sub_type': {
'S': 'mal_md5'
}
}]
expected_result = [{
'ioc_value': '09bb8985ca0a702907dbcfad511d138e',
'sub_type': 'mal_md5'
}]
result = list(ThreatIntel._deserialize(data))
assert_equal(result, expected_result)
def test_setup_excluded_iocs_ip(self):
"""ThreatIntel - Setup Excluded IOCs, With IPs"""
excluded_iocs = {
'ip': {
'10.0.0.0/8': {
'comment': 'RFC1918'
}
},
'md5': {
'feca1deadbeefcafebeadbeefcafebee': {
'comment': 'not malicious'
}
}
}
expected_result = {
'ip': {IPNetwork('10.0.0.0/8')},
'md5': {'feca1deadbeefcafebeadbeefcafebee'}
}
result = ThreatIntel._setup_excluded_iocs(excluded_iocs)
assert_equal(result, expected_result)
def __init__(self, *rule_paths):
RulesEngine._config = RulesEngine._config or load_config()
RulesEngine._threat_intel = (
RulesEngine._threat_intel or ThreatIntel.load_from_config(self.config)
)
# Instantiate the alert forwarder to handle sending alerts to the alert processor
RulesEngine._alert_forwarder = RulesEngine._alert_forwarder or AlertForwarder()
# Load the lookup tables, which include logic for refreshing the tables
RulesEngine._lookup_tables = LookupTables.load_lookup_tables(self.config)
# If not rule import paths are specified, default to the config
if not rule_paths:
rule_paths = [item for location in {'rule_locations', 'matcher_locations'}
for item in self.config['global']['general'][location]]
import_folders(*rule_paths)
self._in_lambda = 'LAMBDA_RUNTIME_DIR' in env
self._required_outputs_set = resources.get_required_outputs()
self._load_rule_table(self.config)
def test_exceptions_to_giveup(self):
"""ThreatIntel - Exceptions to Giveup"""
err = Mock(response={'Error': {'Code': 'ResourceNotFoundException'}})
result = ThreatIntel._exceptions_to_giveup(err)
assert_equal(result, True)
def test_load_from_config_disabled(self):
"""ThreatIntel - Load From Config, Disabled"""
config = {'threat_intel': {'enabled': False}}
assert_equal(ThreatIntel.load_from_config(config), None)
def test_load_from_config_empty(self):
"""ThreatIntel - Load From Config, Empty"""
assert_equal(ThreatIntel.load_from_config({}), None)
def setup(self):
"""ThreatIntel - Setup"""
with patch('boto3.client'):
self._threat_intel = ThreatIntel.load_from_config(
self._default_config)
