Generate stix2 for each test run
This commit is contained in:
parent
3f8dade610
commit
e85c70c603
|
@ -0,0 +1 @@
|
|||
test.stix2
|
|
@ -2,10 +2,9 @@ import os
|
|||
|
||||
from stix2.v21 import (Indicator, Malware, Relationship, Bundle)
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
if os.path.isfile("test.stix2"):
|
||||
os.remove("test.stix2")
|
||||
def generate_test_stix_file(file_path):
|
||||
if os.path.isfile(file_path):
|
||||
os.remove(file_path)
|
||||
|
||||
domains = ["example.org"]
|
||||
processes = ["Launch"]
|
||||
|
@ -36,7 +35,10 @@ if __name__ == "__main__":
|
|||
res.append(Relationship(i, 'indicates', malware))
|
||||
|
||||
bundle = Bundle(objects=res)
|
||||
with open("test.stix2", "w+") as f:
|
||||
with open(file_path, "w+") as f:
|
||||
f.write(bundle.serialize(pretty=True))
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
generate_test_stix_file("test.stix2")
|
||||
print("test.stix2 file created")
|
||||
|
|
|
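Review bot: The `if os.path.isfile(file_path): os.remove(file_path)` pair at the top of `generate_test_stix_file` is redundant with the `open(file_path, "w+")` in the second hunk, which already truncates an existing file, and the check-then-delete leaves a small window between the two calls in which the path could be replaced — harmless for a pytest tmp_path, but the function now accepts any caller-supplied path rather than a fixed "test.stix2". Dropping the two lines and opening with `with open(file_path, "w") as f:` (nothing reads the handle back, so "w+" is not needed) gives the same result with one filesystem operation. The new function also has no docstring; `"""Write a STIX2 bundle of test indicators to file_path, replacing any existing file."""` would cover what the visible code does. The function's body is split across the two hunks, and the `__main__` block still hard-codes `test.stix2` in the current directory.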
@ -1,112 +0,0 @@
|
|||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--25fa4351-8a0a-4fea-bb4c-88ecbd0dfbf2",
|
||||
"objects": [
|
||||
{
|
||||
"type": "malware",
|
||||
"spec_version": "2.1",
|
||||
"id": "malware--b4581613-1fe9-441a-a7a5-56df36664e54",
|
||||
"created": "2021-12-16T11:49:29.897487Z",
|
||||
"modified": "2021-12-16T11:49:29.897487Z",
|
||||
"name": "TestMalware",
|
||||
"description": "",
|
||||
"is_family": false
|
||||
},
|
||||
{
|
||||
"type": "indicator",
|
||||
"spec_version": "2.1",
|
||||
"id": "indicator--8614e326-7863-4d79-902c-89a0b769f290",
|
||||
"created": "2021-12-16T11:49:29.897624Z",
|
||||
"modified": "2021-12-16T11:49:29.897624Z",
|
||||
"indicator_types": [
|
||||
"malicious-activity"
|
||||
],
|
||||
"pattern": "[domain-name:value='example.org']",
|
||||
"pattern_type": "stix",
|
||||
"pattern_version": "2.1",
|
||||
"valid_from": "2021-12-16T11:49:29.897624Z"
|
||||
},
|
||||
{
|
||||
"type": "relationship",
|
||||
"spec_version": "2.1",
|
||||
"id": "relationship--6e02e776-1aa7-4436-8df0-d6cb6227f098",
|
||||
"created": "2021-12-16T11:49:29.903846Z",
|
||||
"modified": "2021-12-16T11:49:29.903846Z",
|
||||
"relationship_type": "indicates",
|
||||
"source_ref": "indicator--8614e326-7863-4d79-902c-89a0b769f290",
|
||||
"target_ref": "malware--b4581613-1fe9-441a-a7a5-56df36664e54"
|
||||
},
|
||||
{
|
||||
"type": "indicator",
|
||||
"spec_version": "2.1",
|
||||
"id": "indicator--1917e54e-d91d-4d11-811c-79e861c31661",
|
||||
"created": "2021-12-16T11:49:29.903984Z",
|
||||
"modified": "2021-12-16T11:49:29.903984Z",
|
||||
"indicator_types": [
|
||||
"malicious-activity"
|
||||
],
|
||||
"pattern": "[process:name='Launch']",
|
||||
"pattern_type": "stix",
|
||||
"pattern_version": "2.1",
|
||||
"valid_from": "2021-12-16T11:49:29.903984Z"
|
||||
},
|
||||
{
|
||||
"type": "relationship",
|
||||
"spec_version": "2.1",
|
||||
"id": "relationship--e6561236-ef2e-45ed-984b-d1c4832119ca",
|
||||
"created": "2021-12-16T11:49:29.905442Z",
|
||||
"modified": "2021-12-16T11:49:29.905442Z",
|
||||
"relationship_type": "indicates",
|
||||
"source_ref": "indicator--1917e54e-d91d-4d11-811c-79e861c31661",
|
||||
"target_ref": "malware--b4581613-1fe9-441a-a7a5-56df36664e54"
|
||||
},
|
||||
{
|
||||
"type": "indicator",
|
||||
"spec_version": "2.1",
|
||||
"id": "indicator--bd3961ab-e13a-42f5-b677-a797ced82adf",
|
||||
"created": "2021-12-16T11:49:29.905565Z",
|
||||
"modified": "2021-12-16T11:49:29.905565Z",
|
||||
"indicator_types": [
|
||||
"malicious-activity"
|
||||
],
|
||||
"pattern": "[file:name='/var/foobar/txt']",
|
||||
"pattern_type": "stix",
|
||||
"pattern_version": "2.1",
|
||||
"valid_from": "2021-12-16T11:49:29.905565Z"
|
||||
},
|
||||
{
|
||||
"type": "relationship",
|
||||
"spec_version": "2.1",
|
||||
"id": "relationship--9f4b5ee9-45d1-4b55-877c-082104baedab",
|
||||
"created": "2021-12-16T11:49:29.906687Z",
|
||||
"modified": "2021-12-16T11:49:29.906687Z",
|
||||
"relationship_type": "indicates",
|
||||
"source_ref": "indicator--bd3961ab-e13a-42f5-b677-a797ced82adf",
|
||||
"target_ref": "malware--b4581613-1fe9-441a-a7a5-56df36664e54"
|
||||
},
|
||||
{
|
||||
"type": "indicator",
|
||||
"spec_version": "2.1",
|
||||
"id": "indicator--0a798fe3-2293-4e60-8d45-d8d5cbd3f22f",
|
||||
"created": "2021-12-16T11:49:29.906826Z",
|
||||
"modified": "2021-12-16T11:49:29.906826Z",
|
||||
"indicator_types": [
|
||||
"malicious-activity"
|
||||
],
|
||||
"pattern": "[email-addr:value='foobar@example.org']",
|
||||
"pattern_type": "stix",
|
||||
"pattern_version": "2.1",
|
||||
"valid_from": "2021-12-16T11:49:29.906826Z"
|
||||
},
|
||||
{
|
||||
"type": "relationship",
|
||||
"spec_version": "2.1",
|
||||
"id": "relationship--40f7462d-173b-43b5-b9e3-056f28c01ff7",
|
||||
"created": "2021-12-16T11:49:29.907909Z",
|
||||
"modified": "2021-12-16T11:49:29.907909Z",
|
||||
"relationship_type": "indicates",
|
||||
"source_ref": "indicator--0a798fe3-2293-4e60-8d45-d8d5cbd3f22f",
|
||||
"target_ref": "malware--b4581613-1fe9-441a-a7a5-56df36664e54"
|
||||
}
|
||||
]
|
||||
}
|
|
@ -1,37 +1,26 @@
|
|||
import pytest
|
||||
import logging
|
||||
import os
|
||||
|
||||
from mvt.common.indicators import Indicators
|
||||
|
||||
from ..utils import get_artifact, init_setup
|
||||
|
||||
|
||||
class TestIndicators:
|
||||
@pytest.fixture(scope="session", autouse=True)
|
||||
def set(self):
|
||||
init_setup()
|
||||
|
||||
def test_parse_stix2(self):
|
||||
stix_path = get_artifact("test.stix2")
|
||||
def test_parse_stix2(self, indicator_file):
|
||||
ind = Indicators(log=logging)
|
||||
ind.load_indicators_files([stix_path], load_default=False)
|
||||
ind.load_indicators_files([indicator_file], load_default=False)
|
||||
assert ind.ioc_count == 4
|
||||
assert len(ind.ioc_domains) == 1
|
||||
assert len(ind.ioc_emails) == 1
|
||||
assert len(ind.ioc_files) == 1
|
||||
assert len(ind.ioc_processes) == 1
|
||||
|
||||
def test_check_domain(self):
|
||||
def test_check_domain(self, indicator_file):
|
||||
ind = Indicators(log=logging)
|
||||
stix_path = get_artifact("test.stix2")
|
||||
ind.load_indicators_files([stix_path], load_default=False)
|
||||
ind.load_indicators_files([indicator_file], load_default=False)
|
||||
assert ind.check_domain("https://www.example.org/foobar")
|
||||
assert ind.check_domain("http://example.org:8080/toto")
|
||||
|
||||
def test_env_stix(self):
|
||||
stix_path = get_artifact("test.stix2")
|
||||
os.environ["MVT_STIX2"] = stix_path
|
||||
def test_env_stix(self, indicator_file):
|
||||
os.environ["MVT_STIX2"] = indicator_file
|
||||
ind = Indicators(log=logging)
|
||||
ind.load_indicators_files([stix_path], load_default=False)
|
||||
ind.load_indicators_files([indicator_file], load_default=False)
|
||||
assert ind.ioc_count == 4
|
||||
|
|
|
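Review bot: `test_env_stix` sets `os.environ["MVT_STIX2"] = indicator_file` and never restores it, so the variable leaks into every test that runs later in the same session; the `clean_test_env` fixture added in conftest.py is session-scoped and therefore only clears it once at session start, not after this test. Using pytest's built-in fixture fixes that with two lines: `def test_env_stix(self, indicator_file, monkeypatch):` and `monkeypatch.setenv("MVT_STIX2", indicator_file)`, which is undone automatically at teardown. Separately, the test still passes `[indicator_file]` explicitly with `load_default=False` and asserts the same `ioc_count == 4` as `test_parse_stix2`, so it is not obvious from here that the environment-variable path is exercised at all — presumably `Indicators` reads `MVT_STIX2` somewhere, but that is worth confirming, and if it does the test should load with an empty list so the count can only come from the env var.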
@ -0,0 +1,21 @@
|
|||
import os
|
||||
|
||||
import pytest
|
||||
|
||||
from .artifacts.generate_stix import generate_test_stix_file
|
||||
|
||||
|
||||
@pytest.fixture(scope="session", autouse=True)
|
||||
def indicator_file(request, tmp_path_factory):
|
||||
indicator_dir = tmp_path_factory.mktemp("indicators")
|
||||
stix_path = indicator_dir / "indicators.stix2"
|
||||
generate_test_stix_file(stix_path)
|
||||
return str(stix_path)
|
||||
|
||||
|
||||
@pytest.fixture(scope="session", autouse=True)
|
||||
def clean_test_env(request, tmp_path_factory):
|
||||
try:
|
||||
del os.environ['MVT_STIX2']
|
||||
except KeyError:
|
||||
pass
|
|
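Review bot: `clean_test_env` is declared `scope="session"`, so it runs exactly once before the first test and cannot isolate tests from one another, which is what its name and the `del os.environ['MVT_STIX2']` suggest it is for; any test that sets `MVT_STIX2` afterwards (test_indicators.py does) leaves it set for the rest of the run. A function-scoped fixture using `monkeypatch` does the job and restores the previous value on teardown: `@pytest.fixture(autouse=True)`, `def clean_test_env(monkeypatch):`, `monkeypatch.delenv("MVT_STIX2", raising=False)`. The `request` parameter is unused in both fixtures and can be dropped, and `autouse=True` on `indicator_file` is unnecessary since every consumer requests it by name. Passing the `pathlib.Path` from `tmp_path_factory` into `generate_test_stix_file` is fine as the generator only hands it to `os.path.isfile`, `os.remove` and `open`.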
@ -1,17 +1,12 @@
|
|||
import pytest
|
||||
import logging
|
||||
|
||||
from mvt.ios.modules.backup.backup_info import BackupInfo
|
||||
from mvt.common.module import run_module
|
||||
|
||||
from ..utils import get_backup_folder, init_setup
|
||||
from ..utils import get_backup_folder
|
||||
|
||||
|
||||
class TestBackupInfoModule:
|
||||
@pytest.fixture(scope="session", autouse=True)
|
||||
def set(self):
|
||||
init_setup()
|
||||
|
||||
def test_manifest(self):
|
||||
m = BackupInfo(base_folder=get_backup_folder(), log=logging)
|
||||
run_module(m)
|
||||
|
|
|
@ -1,17 +1,12 @@
|
|||
import pytest
|
||||
import logging
|
||||
|
||||
from mvt.common.indicators import Indicators
|
||||
from mvt.ios.modules.mixed.net_datausage import Datausage
|
||||
from mvt.common.module import run_module
|
||||
|
||||
from ..utils import get_artifact, get_backup_folder, init_setup
|
||||
from ..utils import get_backup_folder
|
||||
|
||||
class TestDatausageModule:
|
||||
@pytest.fixture(scope="session", autouse=True)
|
||||
def set(self):
|
||||
init_setup()
|
||||
|
||||
def test_datausage(self):
|
||||
m = Datausage(base_folder=get_backup_folder(), log=logging)
|
||||
run_module(m)
|
||||
|
@ -19,10 +14,10 @@ class TestDatausageModule:
|
|||
assert len(m.timeline) == 60
|
||||
assert len(m.detected) == 0
|
||||
|
||||
def test_detection(self):
|
||||
def test_detection(self, indicator_file):
|
||||
m = Datausage(base_folder=get_backup_folder(), log=logging)
|
||||
ind = Indicators(log=logging)
|
||||
ind.parse_stix2(get_artifact("test.stix2"))
|
||||
ind.parse_stix2(indicator_file)
|
||||
# Adds a file that exists in the manifest
|
||||
ind.ioc_processes[0] = "CumulativeUsageTracker"
|
||||
m.indicators = ind
|
||||
|
|
|
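Review bot: The comment `# Adds a file that exists in the manifest` directly below the new `ind.parse_stix2(indicator_file)` line is copied from the Manifest test and now describes the wrong thing: this test overwrites the process IoC, not a file IoC, and the module under test is Datausage, not Manifest. Suggest `# Replace the generated process IoC with a process name present in the DataUsage fixture` — the chosen name is presumably there so the module reports a detection, which the assertions following the hunk should confirm. The overwrite also assumes the generated bundle has exactly one process indicator at index 0, which is true for the current `processes = ["Launch"]` in generate_stix.py but is an unstated coupling worth a word in the comment. `test_detection` continues past the end of the hunk.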
@ -1,17 +1,13 @@
|
|||
import pytest
|
||||
import logging
|
||||
|
||||
from mvt.common.indicators import Indicators
|
||||
from mvt.ios.modules.backup.manifest import Manifest
|
||||
from mvt.common.module import run_module
|
||||
|
||||
from ..utils import get_artifact, get_backup_folder, init_setup
|
||||
from ..utils import get_backup_folder
|
||||
|
||||
|
||||
class TestManifestModule:
|
||||
@pytest.fixture(scope="session", autouse=True)
|
||||
def set(self):
|
||||
init_setup()
|
||||
|
||||
def test_manifest(self):
|
||||
m = Manifest(base_folder=get_backup_folder(), log=logging)
|
||||
run_module(m)
|
||||
|
@ -19,10 +15,10 @@ class TestManifestModule:
|
|||
assert len(m.timeline) == 5881
|
||||
assert len(m.detected) == 0
|
||||
|
||||
def test_detection(self):
|
||||
def test_detection(self, indicator_file):
|
||||
m = Manifest(base_folder=get_backup_folder(), log=logging)
|
||||
ind = Indicators(log=logging)
|
||||
ind.parse_stix2(get_artifact("test.stix2"))
|
||||
ind.parse_stix2(indicator_file)
|
||||
# Adds a file that exists in the manifest
|
||||
ind.ioc_files[0] = "com.apple.CoreBrightness.plist"
|
||||
m.indicators = ind
|
||||
|
|
|
@ -1,16 +1,11 @@
|
|||
import pytest
|
||||
import logging
|
||||
|
||||
from mvt.ios.modules.mixed.tcc import TCC
|
||||
from mvt.common.module import run_module
|
||||
|
||||
from ..utils import get_backup_folder, init_setup
|
||||
from ..utils import get_backup_folder
|
||||
|
||||
class TestManifestModule:
|
||||
@pytest.fixture(scope="session", autouse=True)
|
||||
def set(self):
|
||||
init_setup()
|
||||
|
||||
def test_manifest(self):
|
||||
m = TCC(base_folder=get_backup_folder(), log=logging)
|
||||
run_module(m)
|
||||
|
|
|
@ -18,11 +18,5 @@ def get_artifact_folder():
|
|||
def get_backup_folder():
|
||||
return os.path.join(os.path.dirname(__file__), "artifacts", "ios_backup")
|
||||
|
||||
def init_setup():
|
||||
"""
|
||||
init data to have a clean state before testing
|
||||
"""
|
||||
try:
|
||||
del os.environ['MVT_STIX2']
|
||||
except KeyError:
|
||||
pass
|
||||
def get_indicator_file():
|
||||
print("PYTEST env", os.getenv('PYTEST_CURRENT_TEST'))
|
||||
|
|
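Review bot: `get_indicator_file` looks like leftover debugging scaffolding: it only prints `PYTEST_CURRENT_TEST` and returns `None`, and the tests in this commit obtain their indicator path from the `indicator_file` fixture in conftest.py rather than from utils.py, so nothing appears to call it. It should be removed along with the deleted `init_setup`, or, if a helper is wanted here, given a docstring and a real return value. Leaving a `print` in a shared test helper also adds noise to every captured test output.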