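def test_correlation_bait_session(self):
    """Check that a bait session is correlated with its honeypot session.

    A honeypot ``Session`` whose timestamp lies two seconds before
    ``self.bait_session_datetime`` and which carries a successful
    ``Authentication`` is inserted, then ``Classifier.classify_bait_session``
    is run. Afterwards the bait session must carry the ``'bait_session'``
    classification and the matching honeypot session must have been deleted.
    """
    db_session = database.get_session()
    honeypot = db_session.query(Honeypot).filter(Honeypot.id == self.honeypot_id).one()

    # Honeypot session that is expected to match the bait session: same
    # protocol, timestamp slightly earlier than the bait session's.
    session_id = str(uuid.uuid4())
    honeypot_session = Session(
        id=session_id,
        source_ip='321',
        destination_ip='123',
        # NOTE(review): the sibling tests use datetime.utcnow() for `received`;
        # kept as-is here because `received` is not part of the assertions.
        received=datetime.now(),
        timestamp=self.bait_session_datetime - timedelta(seconds=2),
        protocol='pop3',
        source_port=1,
        destination_port=1,
        honeypot=honeypot,
    )
    # Credentials are masked placeholders; only `successful` matters for the match.
    honeypot_session.authentication.append(
        Authentication(
            id=str(uuid.uuid4()),
            username='******',
            password='******',
            successful=True,
            timestamp=datetime.utcnow(),
        )
    )
    db_session.add(honeypot_session)
    db_session.commit()

    Classifier().classify_bait_session(0)

    bait_session = db_session.query(BaitSession).filter(BaitSession.id == self.bait_session_id).one()
    remaining_session = db_session.query(Session).filter(Session.id == session_id).first()
    expected_classification = db_session.query(Classification).filter(
        Classification.type == 'bait_session').one()

    # assertEqual instead of assertTrue(a == b) so a failure reports both values.
    self.assertEqual(bait_session.classification, expected_classification)
    # The matched honeypot session is consumed by the correlation and must be gone.
    self.assertIsNone(remaining_session)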
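def test_classify_sessions_probe(self):
    """Check that a session without authentication attempts is tagged as a probe.

    A telnet ``Session`` with no ``Authentication`` rows is inserted, the
    classifier is run with a zero-second delay, and the single session
    carrying the ``'probe'`` classification must be the one inserted here.
    """
    db_session = database.get_session()
    honeypot = db_session.query(Honeypot).filter(Honeypot.id == self.honeypot_id).one()

    session_id = str(uuid.uuid4())
    now = datetime.utcnow()
    # No Authentication rows are attached: that absence is what makes it a probe.
    probe_session = Session(
        id=session_id,
        source_ip='111',
        destination_ip='222',
        received=now,
        timestamp=now,
        protocol='telnet',
        source_port=1,
        destination_port=1,
        honeypot=honeypot,
    )
    db_session.add(probe_session)
    db_session.commit()

    Classifier().classify_sessions(0, db_session)

    # .one() also asserts that exactly one session was classified as a probe.
    result = db_session.query(Session).filter(Session.classification_id == 'probe').one()
    # assertEquals is a deprecated alias (removed in Python 3.12); use assertEqual.
    self.assertEqual(result.id, session_id)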
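def test_classify_sessions_reuse_credentails(self):
    """Check that a session replaying previously transmitted credentials is tagged.

    A pop3 ``Session`` dated 25 seconds in the past with one (unsuccessful)
    ``Authentication`` is inserted and the classifier is run with a
    zero-second delay; the single session carrying the
    ``'credentials_reuse'`` classification must be ``'session1010'``.

    (The method name keeps its historical misspelling so test selection by
    name in existing tooling keeps working.)
    """
    db_session = database.get_session()
    honeypot = db_session.query(Honeypot).filter(Honeypot.id == self.honeypot_id).one()

    session_id = 'session1010'
    replay_session = Session(
        id=session_id,
        source_ip='321',
        destination_ip='123',
        received=datetime.utcnow(),
        # Backdated so the session is older than the classifier's delay window.
        timestamp=datetime.utcnow() + timedelta(seconds=-25),
        protocol='pop3',
        source_port=1,
        destination_port=1,
        honeypot=honeypot,
    )
    # Masked placeholder credentials; `successful` is left at its default.
    replay_session.authentication.append(
        Authentication(id=str(uuid.uuid4()), username='******', password='******')
    )
    db_session.add(replay_session)
    db_session.commit()

    Classifier().classify_sessions(0, db_session)

    # .one() also asserts that exactly one session got this classification.
    result = db_session.query(Session).filter(
        Session.classification_id == 'credentials_reuse').one()
    # assertEquals is a deprecated alias (removed in Python 3.12); use assertEqual.
    self.assertEqual(result.id, session_id)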
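def test_classify_sessions_bruteforce(self):
    """Check that standalone sessions older than the delay are tagged as brute force.

    Three pop3 sessions are inserted with timestamps 30, 10 and 2 seconds in
    the past, each with one ``Authentication``. The classifier is run with a
    5-second delay, so the two sessions older than that window are expected
    to carry the ``'bruteforce'`` classification.
    """
    db_session = database.get_session()
    honeypot = db_session.query(Honeypot).filter(Honeypot.id == self.honeypot_id).one()

    # Loop variable renamed from `id` to avoid shadowing the builtin.
    now = datetime.utcnow()
    for session_id, offset_seconds in (('session99', -30), ('session88', -10), ('session77', -2)):
        attack_session = Session(
            id=session_id,
            source_ip='321',
            destination_ip='123',
            received=now,
            timestamp=now + timedelta(seconds=offset_seconds),
            protocol='pop3',
            source_port=1,
            destination_port=1,
            honeypot=honeypot,
        )
        # Masked placeholder credentials; `successful` is left at its default.
        attack_session.authentication.append(
            Authentication(id=str(uuid.uuid4()), username='******', password='******')
        )
        db_session.add(attack_session)
    db_session.commit()

    # NOTE(review): unlike the sibling tests, no db_session is passed here;
    # kept as in the original call.
    Classifier().classify_sessions(5)

    result = db_session.query(Session).filter(Session.classification_id == 'bruteforce').all()
    # session99 (-30s) and session88 (-10s) are older than the 5-second delay;
    # session77 (-2s) is not.
    self.assertEqual(len(result), 2)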
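def test_matching_session(self):
    """Check that ``get_matching_session`` returns the session closest to the bait session.

    Three pop3 sessions are inserted at -15, +3 and +15 seconds relative to
    the bait session's timestamp, each with a successful ``Authentication``.
    ``'session2'`` (+3 s) is the one expected to be returned.
    """
    db_session = database.get_session()
    bait_session = db_session.query(BaitSession).filter(BaitSession.id == self.bait_session_id).one()
    honeypot = db_session.query(Honeypot).filter(Honeypot.id == self.honeypot_id).one()

    # Loop variable renamed from `id` to avoid shadowing the builtin.
    candidates = (('session1', -15), ('session2', 3), ('session3', 15))
    for session_id, offset_seconds in candidates:
        candidate = Session(
            id=session_id,
            source_ip='321',
            destination_ip='123',
            received=datetime.utcnow(),
            timestamp=bait_session.timestamp + timedelta(seconds=offset_seconds),
            protocol='pop3',
            source_port=1,
            destination_port=1,
            honeypot=honeypot,
        )
        # Masked placeholder credentials; the successful login is what a bait
        # session is expected to have produced.
        candidate.authentication.append(
            Authentication(
                id=str(uuid.uuid4()),
                username='******',
                password='******',
                successful=True,
                timestamp=datetime.utcnow(),
            )
        )
        db_session.add(candidate)
    db_session.commit()

    result = Classifier().get_matching_session(bait_session)

    # session2 sits closest (+3 s) to the bait session timestamp.
    self.assertEqual('session2', result.id)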