tests/test_rules.py · CTI Detection Automation

50 lines · python

from xml.etree import ElementTree
 
from cti.models import Indicator
from cti.rules import build_cdb_lists, build_rules_xml
 
 
def sample():
    return [
        Indicator(type="ip", value="45.137.21.9", source="threatfox", threat_type="botnet_cc",
                  confidence=100, malware="Cobalt Strike", techniques=["T1071.001"]),
        Indicator(type="domain", value="cdn-jquery-min.net", source="threatfox",
                  threat_type="botnet_cc", confidence=85, malware="AgentTesla",
                  techniques=["T1056.001"]),
        Indicator(type="sha256", value="5d41402abc4b2a76b9719d911017c592e1b2c3d4f5a6978899aabbccddeeff00",
                  source="threatfox", threat_type="payload_delivery", confidence=95,
                  malware="AgentTesla", techniques=["T1204.002"]),
        Indicator(type="url", value="http://update-flashplayer.org/payload/load.php",
                  source="urlhaus", threat_type="payload_delivery", confidence=80,
                  techniques=["T1105"]),
    ]
 
 
def test_cdb_lists_have_expected_buckets():
    lists = build_cdb_lists(sample())
    assert "45.137.21.9:Cobalt Strike" in lists["cti-malicious-ip"]
    assert lists["cti-malicious-domain"].startswith("cdn-jquery-min.net")
    assert "cti-malware-hash" in lists
 
 
def test_cdb_label_is_sanitized():
    indicators = [Indicator(type="ip", value="1.2.3.4", source="x",
                            threat_type="weird:type", confidence=90)]
    lists = build_cdb_lists(indicators)
    assert ":weird-type" in lists["cti-malicious-ip"]
 
 
def test_rules_xml_is_wellformed_and_tagged():
    xml = build_rules_xml(sample(), base_id=100300)
    root = ElementTree.fromstring(xml)
    assert root.tag == "group"
    rule_ids = [r.get("id") for r in root.findall("rule")]
    assert "100300" in rule_ids
    techniques = [t.text for t in root.iter("id")]
    assert "T1071.001" in techniques
 
 
def test_rules_reference_generated_lists():
    xml = build_rules_xml(sample(), base_id=100300)
    assert "etc/lists/cti-malicious-ip" in xml
    assert "etc/lists/cti-malware-hash" in xml

1	from xml.etree import ElementTree
2
3	from cti.models import Indicator
4	from cti.rules import build_cdb_lists, build_rules_xml
5
6
7	def sample():
8	return [
9	Indicator(type="ip", value="45.137.21.9", source="threatfox", threat_type="botnet_cc",
10	confidence=100, malware="Cobalt Strike", techniques=["T1071.001"]),
11	Indicator(type="domain", value="cdn-jquery-min.net", source="threatfox",
12	threat_type="botnet_cc", confidence=85, malware="AgentTesla",
13	techniques=["T1056.001"]),
14	Indicator(type="sha256", value="5d41402abc4b2a76b9719d911017c592e1b2c3d4f5a6978899aabbccddeeff00",
15	source="threatfox", threat_type="payload_delivery", confidence=95,
16	malware="AgentTesla", techniques=["T1204.002"]),
17	Indicator(type="url", value="http://update-flashplayer.org/payload/load.php",
18	source="urlhaus", threat_type="payload_delivery", confidence=80,
19	techniques=["T1105"]),
20	]
21
22
23	def test_cdb_lists_have_expected_buckets():
24	lists = build_cdb_lists(sample())
25	assert "45.137.21.9:Cobalt Strike" in lists["cti-malicious-ip"]
26	assert lists["cti-malicious-domain"].startswith("cdn-jquery-min.net")
27	assert "cti-malware-hash" in lists
28
29
30	def test_cdb_label_is_sanitized():
31	indicators = [Indicator(type="ip", value="1.2.3.4", source="x",
32	threat_type="weird:type", confidence=90)]
33	lists = build_cdb_lists(indicators)
34	assert ":weird-type" in lists["cti-malicious-ip"]
35
36
37	def test_rules_xml_is_wellformed_and_tagged():
38	xml = build_rules_xml(sample(), base_id=100300)
39	root = ElementTree.fromstring(xml)
40	assert root.tag == "group"
41	rule_ids = [r.get("id") for r in root.findall("rule")]
42	assert "100300" in rule_ids
43	techniques = [t.text for t in root.iter("id")]
44	assert "T1071.001" in techniques
45
46
47	def test_rules_reference_generated_lists():
48	xml = build_rules_xml(sample(), base_id=100300)
49	assert "etc/lists/cti-malicious-ip" in xml
50	assert "etc/lists/cti-malware-hash" in xml