Generate stix2 for each test run

This commit is contained in:
Donncha Ó Cearbhaill 2022-01-07 17:51:21 +01:00
parent 3f8dade610
commit e85c70c603
10 changed files with 47 additions and 171 deletions

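--- /dev/null
+++ b/tests/artifacts/.gitignore
@@ -0,0 +1 @@
+test.stix2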


@ -2,10 +2,9 @@ import os
from stix2.v21 import (Indicator, Malware, Relationship, Bundle)
if __name__ == "__main__":
if os.path.isfile("test.stix2"):
os.remove("test.stix2")
def generate_test_stix_file(file_path):
if os.path.isfile(file_path):
os.remove(file_path)
domains = ["example.org"]
processes = ["Launch"]
@ -36,7 +35,10 @@ if __name__ == "__main__":
res.append(Relationship(i, 'indicates', malware))
bundle = Bundle(objects=res)
with open("test.stix2", "w+") as f:
with open(file_path, "w+") as f:
f.write(bundle.serialize(pretty=True))
if __name__ == "__main__":
generate_test_stix_file("test.stix2")
print("test.stix2 file created")
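Review bot: The `os.path.isfile`/`os.remove` pair at the top of `generate_test_stix_file` is redundant, because the path is later opened with mode `"w+"`, which truncates any existing file on its own; dropping those two lines (and using plain `"w"`, since nothing reads the handle back) leaves one write path instead of a remove-then-create sequence. The function also has no docstring, and the conftest fixture now hands it a `pathlib.Path` rather than a string, so it is worth stating the contract: `"""Write a small STIX2 bundle of test indicators to *file_path* (str or Path), overwriting any existing file."""`. The middle of the function, the indicator lists and the relationship loop, lies between the two hunks and is not visible here.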


@ -1,112 +0,0 @@
{
"type": "bundle",
"id": "bundle--25fa4351-8a0a-4fea-bb4c-88ecbd0dfbf2",
"objects": [
{
"type": "malware",
"spec_version": "2.1",
"id": "malware--b4581613-1fe9-441a-a7a5-56df36664e54",
"created": "2021-12-16T11:49:29.897487Z",
"modified": "2021-12-16T11:49:29.897487Z",
"name": "TestMalware",
"description": "",
"is_family": false
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--8614e326-7863-4d79-902c-89a0b769f290",
"created": "2021-12-16T11:49:29.897624Z",
"modified": "2021-12-16T11:49:29.897624Z",
"indicator_types": [
"malicious-activity"
],
"pattern": "[domain-name:value='example.org']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-12-16T11:49:29.897624Z"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--6e02e776-1aa7-4436-8df0-d6cb6227f098",
"created": "2021-12-16T11:49:29.903846Z",
"modified": "2021-12-16T11:49:29.903846Z",
"relationship_type": "indicates",
"source_ref": "indicator--8614e326-7863-4d79-902c-89a0b769f290",
"target_ref": "malware--b4581613-1fe9-441a-a7a5-56df36664e54"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--1917e54e-d91d-4d11-811c-79e861c31661",
"created": "2021-12-16T11:49:29.903984Z",
"modified": "2021-12-16T11:49:29.903984Z",
"indicator_types": [
"malicious-activity"
],
"pattern": "[process:name='Launch']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-12-16T11:49:29.903984Z"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--e6561236-ef2e-45ed-984b-d1c4832119ca",
"created": "2021-12-16T11:49:29.905442Z",
"modified": "2021-12-16T11:49:29.905442Z",
"relationship_type": "indicates",
"source_ref": "indicator--1917e54e-d91d-4d11-811c-79e861c31661",
"target_ref": "malware--b4581613-1fe9-441a-a7a5-56df36664e54"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--bd3961ab-e13a-42f5-b677-a797ced82adf",
"created": "2021-12-16T11:49:29.905565Z",
"modified": "2021-12-16T11:49:29.905565Z",
"indicator_types": [
"malicious-activity"
],
"pattern": "[file:name='/var/foobar/txt']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-12-16T11:49:29.905565Z"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--9f4b5ee9-45d1-4b55-877c-082104baedab",
"created": "2021-12-16T11:49:29.906687Z",
"modified": "2021-12-16T11:49:29.906687Z",
"relationship_type": "indicates",
"source_ref": "indicator--bd3961ab-e13a-42f5-b677-a797ced82adf",
"target_ref": "malware--b4581613-1fe9-441a-a7a5-56df36664e54"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--0a798fe3-2293-4e60-8d45-d8d5cbd3f22f",
"created": "2021-12-16T11:49:29.906826Z",
"modified": "2021-12-16T11:49:29.906826Z",
"indicator_types": [
"malicious-activity"
],
"pattern": "[email-addr:value='foobar@example.org']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-12-16T11:49:29.906826Z"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--40f7462d-173b-43b5-b9e3-056f28c01ff7",
"created": "2021-12-16T11:49:29.907909Z",
"modified": "2021-12-16T11:49:29.907909Z",
"relationship_type": "indicates",
"source_ref": "indicator--0a798fe3-2293-4e60-8d45-d8d5cbd3f22f",
"target_ref": "malware--b4581613-1fe9-441a-a7a5-56df36664e54"
}
]
}


@ -1,37 +1,26 @@
import pytest
import logging
import os
from mvt.common.indicators import Indicators
from ..utils import get_artifact, init_setup
class TestIndicators:
@pytest.fixture(scope="session", autouse=True)
def set(self):
init_setup()
def test_parse_stix2(self):
stix_path = get_artifact("test.stix2")
def test_parse_stix2(self, indicator_file):
ind = Indicators(log=logging)
ind.load_indicators_files([stix_path], load_default=False)
ind.load_indicators_files([indicator_file], load_default=False)
assert ind.ioc_count == 4
assert len(ind.ioc_domains) == 1
assert len(ind.ioc_emails) == 1
assert len(ind.ioc_files) == 1
assert len(ind.ioc_processes) == 1
def test_check_domain(self):
def test_check_domain(self, indicator_file):
ind = Indicators(log=logging)
stix_path = get_artifact("test.stix2")
ind.load_indicators_files([stix_path], load_default=False)
ind.load_indicators_files([indicator_file], load_default=False)
assert ind.check_domain("https://www.example.org/foobar")
assert ind.check_domain("http://example.org:8080/toto")
def test_env_stix(self):
stix_path = get_artifact("test.stix2")
os.environ["MVT_STIX2"] = stix_path
def test_env_stix(self, indicator_file):
os.environ["MVT_STIX2"] = indicator_file
ind = Indicators(log=logging)
ind.load_indicators_files([stix_path], load_default=False)
ind.load_indicators_files([indicator_file], load_default=False)
assert ind.ioc_count == 4
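Review bot: `test_env_stix` still assigns `os.environ["MVT_STIX2"]` directly and never restores it, and the new session-scoped `clean_test_env` fixture in conftest runs once at session start rather than before each test, so the variable now leaks into every test that runs afterwards in the session. Replace the assignment with `monkeypatch.setenv("MVT_STIX2", indicator_file)` (adding `monkeypatch` to the signature), which pytest undoes at teardown. The test also still passes `indicator_file` explicitly to `load_indicators_files`, so `ioc_count == 4` holds whether or not the environment variable was consulted; if the empty-list call `ind.load_indicators_files([], load_default=False)` is what picks up `MVT_STIX2` (not visible here), use that form so the assertion actually covers the environment path. With the `set` fixture removed, `import pytest` on the first line appears to be unused in this file.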

tests/conftest.py Normal file

@ -0,0 +1,21 @@
import os
import pytest
from .artifacts.generate_stix import generate_test_stix_file
@pytest.fixture(scope="session", autouse=True)
def indicator_file(request, tmp_path_factory):
indicator_dir = tmp_path_factory.mktemp("indicators")
stix_path = indicator_dir / "indicators.stix2"
generate_test_stix_file(stix_path)
return str(stix_path)
@pytest.fixture(scope="session", autouse=True)
def clean_test_env(request, tmp_path_factory):
try:
del os.environ['MVT_STIX2']
except KeyError:
pass
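Review bot: `clean_test_env` is declared `scope="session"`, so the `del os.environ['MVT_STIX2']` runs exactly once when the session starts and cannot give later tests a clean environment once one of them (e.g. `test_env_stix`) sets the variable; its `request` and `tmp_path_factory` parameters are also unused. A function-scoped fixture using pytest's own restore mechanism does what the name promises: `@pytest.fixture(autouse=True)`, `def clean_test_env(monkeypatch):`, `monkeypatch.delenv("MVT_STIX2", raising=False)`. `indicator_file` likewise does not use `request`; generating the bundle into a `tmp_path_factory` directory rather than into `tests/artifacts` is the right call, since it keeps generated indicator files out of the checkout.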


@ -1,17 +1,12 @@
import pytest
import logging
from mvt.ios.modules.backup.backup_info import BackupInfo
from mvt.common.module import run_module
from ..utils import get_backup_folder, init_setup
from ..utils import get_backup_folder
class TestBackupInfoModule:
@pytest.fixture(scope="session", autouse=True)
def set(self):
init_setup()
def test_manifest(self):
m = BackupInfo(base_folder=get_backup_folder(), log=logging)
run_module(m)
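Review bot: With the `set` fixture and its `@pytest.fixture` decorator removed, `import pytest` on the first line of this hunk no longer has a visible use; unless the file continues past `test_manifest` with something that needs it, the import should go too, as linters will flag it. The same pattern (fixture dropped, `import pytest` kept) appears in the other iOS test modules touched by this commit.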


@ -1,17 +1,12 @@
import pytest
import logging
from mvt.common.indicators import Indicators
from mvt.ios.modules.mixed.net_datausage import Datausage
from mvt.common.module import run_module
from ..utils import get_artifact, get_backup_folder, init_setup
from ..utils import get_backup_folder
class TestDatausageModule:
@pytest.fixture(scope="session", autouse=True)
def set(self):
init_setup()
def test_datausage(self):
m = Datausage(base_folder=get_backup_folder(), log=logging)
run_module(m)
@ -19,10 +14,10 @@ class TestDatausageModule:
assert len(m.timeline) == 60
assert len(m.detected) == 0
def test_detection(self):
def test_detection(self, indicator_file):
m = Datausage(base_folder=get_backup_folder(), log=logging)
ind = Indicators(log=logging)
ind.parse_stix2(get_artifact("test.stix2"))
ind.parse_stix2(indicator_file)
# Adds a file that exists in the manifest
ind.ioc_processes[0] = "CumulativeUsageTracker"
m.indicators = ind


@ -1,17 +1,13 @@
import pytest
import logging
from mvt.common.indicators import Indicators
from mvt.ios.modules.backup.manifest import Manifest
from mvt.common.module import run_module
from ..utils import get_artifact, get_backup_folder, init_setup
from ..utils import get_backup_folder
class TestManifestModule:
@pytest.fixture(scope="session", autouse=True)
def set(self):
init_setup()
def test_manifest(self):
m = Manifest(base_folder=get_backup_folder(), log=logging)
run_module(m)
@ -19,10 +15,10 @@ class TestManifestModule:
assert len(m.timeline) == 5881
assert len(m.detected) == 0
def test_detection(self):
def test_detection(self, indicator_file):
m = Manifest(base_folder=get_backup_folder(), log=logging)
ind = Indicators(log=logging)
ind.parse_stix2(get_artifact("test.stix2"))
ind.parse_stix2(indicator_file)
# Adds a file that exists in the manifest
ind.ioc_files[0] = "com.apple.CoreBrightness.plist"
m.indicators = ind


@ -1,16 +1,11 @@
import pytest
import logging
from mvt.ios.modules.mixed.tcc import TCC
from mvt.common.module import run_module
from ..utils import get_backup_folder, init_setup
from ..utils import get_backup_folder
class TestManifestModule:
@pytest.fixture(scope="session", autouse=True)
def set(self):
init_setup()
def test_manifest(self):
m = TCC(base_folder=get_backup_folder(), log=logging)
run_module(m)
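Review bot: `import pytest` at the top of this hunk is left without a user now that the only `@pytest.fixture` in the file has been removed; unless the file continues past `test_manifest` (the hunk's trailing context), drop the import. While touching this file, note that the class is named `TestManifestModule` although it exercises `TCC`, which collides with the identically named class in `test_manifest.py` and makes `-k` selection and failure output ambiguous; `class TestTCCModule:` would be the accurate name, though that is pre-existing rather than introduced here.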


@ -18,11 +18,5 @@ def get_artifact_folder():
def get_backup_folder():
return os.path.join(os.path.dirname(__file__), "artifacts", "ios_backup")
def init_setup():
"""
init data to have a clean state before testing
"""
try:
del os.environ['MVT_STIX2']
except KeyError:
pass
def get_indicator_file():
print("PYTEST env", os.getenv('PYTEST_CURRENT_TEST'))
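Review bot: The newly added `get_indicator_file` only prints `PYTEST_CURRENT_TEST` and returns nothing, which reads as leftover debugging scaffolding: nothing elsewhere in this commit calls it, and the job it seems aimed at is already done by the `indicator_file` fixture in conftest. Either remove the function or give it the behaviour its name promises, and in any case drop the `print`, which would otherwise emit noise into the pytest output whenever it is called. If the file continues beyond the hunk and the helper is used there, that is not visible from this diff.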