| 1 | from cti.feeds.feodo import FeodoTracker |
| 2 | from cti.feeds.openphish import OpenPhish |
| 3 | from cti.feeds.otx import OTX |
| 4 | from cti.feeds.threatfox import ThreatFox |
| 5 | from cti.feeds.urlhaus import URLhaus |
| 6 | |
| 7 | |
| 8 | def test_threatfox_parses_types_and_strips_port(fixtures_dir): |
| 9 | indicators = ThreatFox().collect(fixtures_dir) |
| 10 | ips = [i for i in indicators if i.type == "ip"] |
| 11 | assert any(i.value == "45.137.21.9" for i in ips) |
| 12 | assert all(":" not in i.value for i in ips) |
| 13 | cobalt = next(i for i in ips if i.value == "45.137.21.9") |
| 14 | assert "T1071.001" in cobalt.techniques |
| 15 | |
| 16 | |
| 17 | def test_threatfox_maps_hashes(fixtures_dir): |
| 18 | indicators = ThreatFox().collect(fixtures_dir) |
| 19 | hashes = [i for i in indicators if i.type == "sha256"] |
| 20 | assert len(hashes) == 2 |
| 21 | |
| 22 | |
| 23 | def test_feodo_marks_c2(fixtures_dir): |
| 24 | indicators = FeodoTracker().collect(fixtures_dir) |
| 25 | assert all(i.threat_type == "botnet_cc" for i in indicators) |
| 26 | assert any(i.malware == "Emotet" for i in indicators) |
| 27 | |
| 28 | |
| 29 | def test_urlhaus_extracts_domain_from_url(fixtures_dir): |
| 30 | indicators = URLhaus().collect(fixtures_dir) |
| 31 | domains = {i.value for i in indicators if i.type == "domain"} |
| 32 | assert "update-flashplayer.org" in domains |
| 33 | |
| 34 | |
| 35 | def test_otx_pulls_attack_ids(fixtures_dir): |
| 36 | indicators = OTX().collect(fixtures_dir) |
| 37 | assert any("T1566.001" in i.techniques for i in indicators) |
| 38 | |
| 39 | |
| 40 | def test_openphish_classifies_phishing(fixtures_dir): |
| 41 | indicators = OpenPhish().collect(fixtures_dir) |
| 42 | assert indicators |
| 43 | assert all(i.threat_type == "phishing" for i in indicators) |
| 44 | assert all("T1566.002" in i.techniques for i in indicators) |