revised tests

Author: elsif2

intelmq/tests/bots/parsers/shadowserver/test_broken.py

@@ -13,12 +13,12 @@
 REPORT1 = {"raw": utils.base64_encode('adasdasdasdasd\nadasdasdafgf'),
            "__type": "Report",
            "time.observation": "2015-01-01T00:00:00+00:00",
-           "extra.file_name": "2019-01-01-scan_http-test-test.csv",
+           "extra.file_name": "2019-01-01-test_smb-test-test.csv",
            }
 REPORT2 = {"raw": utils.base64_encode('timestamp,ip,port\n2018-08-01T00:00:00+00,127.0.0.1,80'),
            "__type": "Report",
            "time.observation": "2015-01-01T00:00:00+00:00",
-           "extra.file_name": "2019-01-01-scan_ftp-test-test.csv",
+           "extra.file_name": "2019-01-01-test_telnet-test-test.csv",
            }
 REPORT3 = {"raw": utils.base64_encode('adasdasdasdasd\nadasdasdafgf'),
            "__type": "Report",
@@ -48,10 +48,10 @@ def test_broken(self):
         """
         self.input_message = REPORT1
         self.run_bot(allowed_error_count=1)
-        self.assertLogMatches(pattern="Detected report's file name: 'scan_http'.",
+        self.assertLogMatches(pattern="Detected report's file name: 'test_smb'.",
                               levelname="DEBUG")
         self.assertLogMatches(pattern="Failed to parse line.")
-        self.assertLogMatches(pattern="ValueError: Required column 'timestamp' not found in feed 'Accessible-HTTP'. Possible change in data format or misconfiguration.")
+        self.assertLogMatches(pattern="ValueError: Required column 'timestamp' not found in feed 'Test-Accessible-SMB'. Possible change in data format or misconfiguration.")
         self.assertLogMatches(pattern=r"Sent 0 events and found 1 problem\(s\)\.",
                               levelname="INFO")
 
@@ -61,9 +61,9 @@ def test_half_broken(self):
         """
         self.input_message = REPORT2
         self.run_bot(allowed_warning_count=63)
-        self.assertLogMatches(pattern="Detected report's file name: 'scan_ftp'.",
+        self.assertLogMatches(pattern="Detected report's file name: 'test_telnet'.",
                               levelname="DEBUG")
-        self.assertLogMatches(pattern="Optional key 'jarm' not found in feed 'Accessible-FTP'.",
+        self.assertLogMatches(pattern="Optional key 'banner' not found in feed 'Test-Accessible-Telnet'.",
                               levelname="WARNING")
         self.assertLogMatches(pattern=r"Sent 1 events and found 0 problem\(s\)\.",
                               levelname="INFO")

intelmq/tests/bots/parsers/shadowserver/test_mapping.py

@@ -11,22 +11,22 @@
 
 
 with open(os.path.join(os.path.dirname(__file__),
-                       'testdata/scan_telnet.csv')) as handle:
+                       'testdata/test_telnet.csv')) as handle:
     TELNET_FILE = handle.read()
 EXAMPLE_TELNET = {
     "raw": utils.base64_encode(TELNET_FILE),
     "__type": "Report",
     "time.observation": "2015-01-01T00:00:00+00:00",
-    "extra.file_name": "2019-01-01-scan_telnet.csv",
+    "extra.file_name": "2019-01-01-test_telnet.csv",
 }
 with open(os.path.join(os.path.dirname(__file__),
-                       'testdata/scan_vnc.csv')) as handle:
+                       'testdata/test_smb.csv')) as handle:
     TELNET_FILE = handle.read()
 EXAMPLE_VNC = {
     "raw": utils.base64_encode(TELNET_FILE),
     "__type": "Report",
     "time.observation": "2015-01-01T00:00:00+00:00",
-    "extra.file_name": "2019-01-01-scan_vnc.csv",
+    "extra.file_name": "2019-01-01-test_smb.csv",
 }
 
 

intelmq/tests/bots/parsers/shadowserver/test_parameters.py

@@ -12,38 +12,41 @@
 from intelmq.bots.parsers.shadowserver.parser import ShadowserverParserBot
 
 with open(os.path.join(os.path.dirname(__file__),
-                       'testdata/scan_dns.csv')) as handle:
+                       'testdata/test_smb.csv')) as handle:
     EXAMPLE_FILE = handle.read()
 EXAMPLE_LINES = EXAMPLE_FILE.splitlines()
 
 EXAMPLE_REPORT = {"raw": utils.base64_encode(EXAMPLE_FILE),
                   "__type": "Report",
                   "time.observation": "2018-07-30T00:00:00+00:00",
-                  "extra.file_name": "2019-01-01-scan_dns-test-test.csv",
+                  "extra.file_name": "2019-01-01-test_smb-test-test.csv",
                   'feed.name': 'report feedname',
                   }
 EVENTS = [{
     '__type': 'Event',
     'feed.name': 'report feedname',
-    "classification.identifier": "dns-open-resolver",
+    "classification.identifier": 'test-smb',
     "classification.taxonomy": "vulnerable",
     "classification.type": "vulnerable-system",
-    "extra.dns_version": "dnsmasq-2.66",
-    "extra.min_amplification": 4.619,
-    "extra.tag": "openresolver",
-    "protocol.application": "dns",
-    "protocol.transport": "udp",
+    "extra.smb_implant": False,
+    "extra.smb_major_number": '2',
+    "extra.smb_minor_number": '1',
+    "extra.smb_version_string": 'SMB 2.1',
+    "extra.smbv1_support": 'N',
+    "extra.tag": "smb",
+    "protocol.application": "smb",
+    "protocol.transport": "tcp",
     'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
                                          EXAMPLE_LINES[1]])),
-    "source.asn": 25255,
-    "source.geolocation.cc": "AT",
-    "source.geolocation.city": "VIENNA",
-    "source.geolocation.region": "WIEN",
-    "source.ip": "198.51.100.179",
-    "source.port": 53,
-    "source.reverse_dns": "198-51-100-189.example.net",
+    "source.asn": 64512,
+    "source.geolocation.cc": "ZZ",
+    "source.geolocation.city": "City",
+    "source.geolocation.region": "Region",
+    "source.ip": "192.168.0.1",
+    "source.port": 445,
+    "source.reverse_dns": "node01.example.com",
     "time.observation": "2018-07-30T00:00:00+00:00",
-    "time.source": "2018-04-14T00:14:34+00:00"
+    "time.source": "2010-02-10T00:00:00+00:00"
 },
 ]
 
@@ -70,7 +73,7 @@ def test_overwrite_feed_name(self):
         self.run_bot(prepare=False)
         for i, EVENT in enumerate(EVENTS):
             event = EVENT.copy()
-            event['feed.name'] = 'DNS-Open-Resolvers'
+            event['feed.name'] = 'Test-Accessible-SMB'
             self.assertMessageEqual(i, event)
 
 

intelmq/tests/bots/parsers/shadowserver/test_report_smb.py

@@ -0,0 +1,124 @@
+# SPDX-FileCopyrightText: 2019 Guillermo Rodriguez
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+# -*- coding: utf-8 -*-
+
+import os
+import unittest
+
+import intelmq.lib.test as test
+import intelmq.lib.utils as utils
+from intelmq.bots.parsers.shadowserver.parser import ShadowserverParserBot
+
+with open(os.path.join(os.path.dirname(__file__),
+                       'testdata/test_smb.csv')) as handle:
+    EXAMPLE_FILE = handle.read()
+EXAMPLE_LINES = EXAMPLE_FILE.splitlines()
+
+EXAMPLE_REPORT = {'feed.name': 'Test-Accessible-SMB',
+                  "raw": utils.base64_encode(EXAMPLE_FILE),
+                  "__type": "Report",
+                  "time.observation": "2015-01-01T00:00:00+00:00",
+                  "extra.file_name": "2019-01-01-test_smb-test-geo.csv",
+                  }
+EVENTS = [
+{
+   '__type' : 'Event',
+   'classification.identifier' : 'test-smb',
+   'classification.taxonomy' : 'vulnerable',
+   'classification.type' : 'vulnerable-system',
+   'extra.smb_implant' : False,
+   'extra.smb_major_number' : '2',
+   'extra.smb_minor_number' : '1',
+   'extra.smb_version_string' : 'SMB 2.1',
+   'extra.smbv1_support' : 'N',
+   'extra.tag' : 'smb',
+   'feed.name' : 'Test-Accessible-SMB',
+   'protocol.application' : 'smb',
+   'protocol.transport' : 'tcp',
+   'raw' : utils.base64_encode('\n'.join([EXAMPLE_LINES[0], EXAMPLE_LINES[1]])),
+   'source.asn' : 64512,
+   'source.geolocation.cc' : 'ZZ',
+   'source.geolocation.city' : 'City',
+   'source.geolocation.region' : 'Region',
+   'source.ip' : '192.168.0.1',
+   'source.port' : 445,
+   'source.reverse_dns' : 'node01.example.com',
+   'time.observation' : '2015-01-01T00:00:00+00:00',
+   'time.source' : '2010-02-10T00:00:00+00:00'
+},
+
+{
+   '__type' : 'Event',
+   'classification.identifier' : 'test-smb',
+   'classification.taxonomy' : 'vulnerable',
+   'classification.type' : 'vulnerable-system',
+   'extra.smb_implant' : False,
+   'extra.smb_major_number' : '2',
+   'extra.smb_minor_number' : '1',
+   'extra.smb_version_string' : 'SMB 2.1',
+   'extra.smbv1_support' : 'N',
+   'extra.tag' : 'smb',
+   'feed.name' : 'Test-Accessible-SMB',
+   'protocol.application' : 'smb',
+   'protocol.transport' : 'tcp',
+   'raw' : utils.base64_encode('\n'.join([EXAMPLE_LINES[0], EXAMPLE_LINES[2]])),
+   'source.asn' : 64512,
+   'source.geolocation.cc' : 'ZZ',
+   'source.geolocation.city' : 'City',
+   'source.geolocation.region' : 'Region',
+   'source.ip' : '192.168.0.2',
+   'source.port' : 445,
+   'source.reverse_dns' : 'node02.example.com',
+   'time.observation' : '2015-01-01T00:00:00+00:00',
+   'time.source' : '2010-02-10T00:00:01+00:00'
+},
+
+{
+   '__type' : 'Event',
+   'classification.identifier' : 'test-smb',
+   'classification.taxonomy' : 'vulnerable',
+   'classification.type' : 'vulnerable-system',
+   'extra.smb_implant' : False,
+   'extra.smb_major_number' : '2',
+   'extra.smb_minor_number' : '1',
+   'extra.smb_version_string' : 'SMB 2.1',
+   'extra.smbv1_support' : 'N',
+   'extra.tag' : 'smb',
+   'feed.name' : 'Test-Accessible-SMB',
+   'protocol.application' : 'smb',
+   'protocol.transport' : 'tcp',
+   'raw' : utils.base64_encode('\n'.join([EXAMPLE_LINES[0], EXAMPLE_LINES[3]])),
+   'source.asn' : 64512,
+   'source.geolocation.cc' : 'ZZ',
+   'source.geolocation.city' : 'City',
+   'source.geolocation.region' : 'Region',
+   'source.ip' : '192.168.0.3',
+   'source.port' : 445,
+   'source.reverse_dns' : 'node03.example.com',
+   'time.observation' : '2015-01-01T00:00:00+00:00',
+   'time.source' : '2010-02-10T00:00:02+00:00'
+}
+          ]
+
+
+class TestShadowserverParserBot(test.BotTestCase, unittest.TestCase):
+    """
+    A TestCase for a ShadowserverParserBot.
+    """
+
+    @classmethod
+    def set_bot(cls):
+        cls.bot_reference = ShadowserverParserBot
+        cls.default_input_message = EXAMPLE_REPORT
+
+    def test_event(self):
+        """ Test if correct Event has been produced. """
+        self.run_bot()
+        for i, EVENT in enumerate(EVENTS):
+            self.assertMessageEqual(i, EVENT)
+
+
+if __name__ == '__main__':  # pragma: no cover
+    unittest.main()

intelmq/tests/bots/parsers/shadowserver/test_report_switch.py

@@ -12,24 +12,24 @@
 from intelmq.bots.parsers.shadowserver.parser import ShadowserverParserBot
 
 with open(os.path.join(os.path.dirname(__file__),
-                       'testdata/scan_ftp.csv')) as handle:
+                       'testdata/test_smb.csv')) as handle:
     EXAMPLE_LINES = handle.read().splitlines()[:2]
 
-FIRST_REPORT = {'feed.name': 'Accessible FTP',
+FIRST_REPORT = {'feed.name': 'Test-Accessible-SMB',
                   "raw": utils.base64_encode('\n'.join(EXAMPLE_LINES)),
                   "__type": "Report",
                   "time.observation": "2019-03-25T00:00:00+00:00",
-                  "extra.file_name": "2019-03-25-scan_ftp-test-test.csv",
+                  "extra.file_name": "2019-03-25-test_smb-test-test.csv",
                   }
-with open(os.path.join(os.path.dirname(__file__), 'testdata/blocklist.csv')) as handle:
+with open(os.path.join(os.path.dirname(__file__), 'testdata/test_telnet.csv')) as handle:
     EXAMPLE_LINES = handle.read().splitlines()[:2]
 
 SECOND_REPORT = {
-    'feed.name': 'Blocklist',
+    'feed.name': 'Test-Accessible-Telnet',
     "raw": utils.base64_encode('\n'.join(EXAMPLE_LINES)),
     "__type": "Report",
     "time.observation": "2015-01-01T00:00:00+00:00",
-    "extra.file_name": "2019-01-01-blocklist-test-geo.csv",
+    "extra.file_name": "2019-01-01-test_telnet-test-geo.csv",
 }
 
 
@@ -48,9 +48,9 @@ def test_event(self):
         """ Test if the parser correctly detects and handles different report types. """
         self.input_message = [FIRST_REPORT, SECOND_REPORT]
         self.run_bot(iterations=2)
-        self.assertLogMatches("Detected report's file name: 'scan_ftp'",
+        self.assertLogMatches("Detected report's file name: 'test_smb'",
                               levelname='DEBUG')
-        self.assertLogMatches("Detected report's file name: 'blocklist'",
+        self.assertLogMatches("Detected report's file name: 'test_telnet'",
                               levelname='DEBUG')
 
 

intelmq/tests/bots/parsers/shadowserver/test_report_telnet.py

@@ -0,0 +1,87 @@
+# SPDX-FileCopyrightText: 2019 Guillermo Rodriguez
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+# -*- coding: utf-8 -*-
+
+import os
+import unittest
+
+import intelmq.lib.test as test
+import intelmq.lib.utils as utils
+from intelmq.bots.parsers.shadowserver.parser import ShadowserverParserBot
+
+with open(os.path.join(os.path.dirname(__file__),
+                       'testdata/test_telnet.csv')) as handle:
+    EXAMPLE_FILE = handle.read()
+EXAMPLE_LINES = EXAMPLE_FILE.splitlines()
+
+EXAMPLE_REPORT = {'feed.name': 'Test-Accessible-Telnet',
+                  "raw": utils.base64_encode(EXAMPLE_FILE),
+                  "__type": "Report",
+                  "time.observation": "2015-01-01T00:00:00+00:00",
+                  "extra.file_name": "2019-01-01-test_telnet-test-geo.csv",
+                  }
+EVENTS = [{'__type': 'Event',
+           'feed.name': 'Test-Accessible-Telnet',
+           "classification.identifier": "test-telnet",
+           "classification.taxonomy": "vulnerable",
+           "classification.type": "vulnerable-system",
+           "extra.banner": "|MikroTik v6.5|Login:",
+           "extra.tag": "telnet-alt",
+           "protocol.application": "telnet",
+           "protocol.transport": "tcp",
+           'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
+                                                 EXAMPLE_LINES[1]])),
+           "source.asn": 20255,
+           "source.geolocation.cc": "AA",
+           "source.geolocation.city": "LOCATION",
+           "source.geolocation.region": "LOCATION",
+           "source.ip": "198.123.245.145",
+           "source.port": 5678,
+           "source.reverse_dns": "example.local",
+           "time.observation": "2015-01-01T00:00:00+00:00",
+           "time.source": "2019-09-04T12:27:34+00:00"
+          },
+          {'__type': 'Event',
+           'feed.name': 'Test-Accessible-Telnet',
+           "classification.identifier": "test-telnet",
+           "classification.taxonomy": "vulnerable",
+           "classification.type": "vulnerable-system",
+           "extra.banner": "|MikroTik v6.45.3 (stable)|Login:",
+           "extra.tag": "telnet-alt",
+           "protocol.application": "telnet",
+           "protocol.transport": "tcp",
+           'raw': utils.base64_encode('\n'.join([EXAMPLE_LINES[0],
+                                                 EXAMPLE_LINES[2]])),
+           "source.asn": 20255,
+           "source.geolocation.cc": "AA",
+           "source.geolocation.city": "LOCATION",
+           "source.geolocation.region": "LOCATION",
+           "source.ip": "198.123.245.145",
+           "source.port": 5678,
+           "source.reverse_dns": "example.local",
+           "time.observation": "2015-01-01T00:00:00+00:00",
+           "time.source": "2019-09-04T12:27:40+00:00"
+          }]
+
+
+class TestShadowserverParserBot(test.BotTestCase, unittest.TestCase):
+    """
+    A TestCase for a ShadowserverParserBot.
+    """
+
+    @classmethod
+    def set_bot(cls):
+        cls.bot_reference = ShadowserverParserBot
+        cls.default_input_message = EXAMPLE_REPORT
+
+    def test_event(self):
+        """ Test if correct Event has been produced. """
+        self.run_bot()
+        for i, EVENT in enumerate(EVENTS):
+            self.assertMessageEqual(i, EVENT)
+
+
+if __name__ == '__main__':  # pragma: no cover
+    unittest.main()

intelmq/tests/bots/parsers/shadowserver/testdata/test_smb.csv

@@ -0,0 +1,4 @@
+"timestamp","ip","port","hostname","tag","asn","geo","region","city","naics","sic","smb_implant","arch","key","smbv1_support","smb_major_number","smb_minor_number","smb_revision","smb_version_string"
+"2010-02-10 00:00:00",192.168.0.1,445,node01.example.com,smb,64512,ZZ,Region,City,0,0,N,,,N,2,1,0,"SMB 2.1"
+"2010-02-10 00:00:01",192.168.0.2,445,node02.example.com,smb,64512,ZZ,Region,City,0,0,N,,,N,2,1,0,"SMB 2.1"
+"2010-02-10 00:00:02",192.168.0.3,445,node03.example.com,smb,64512,ZZ,Region,City,0,0,N,,,N,2,1,0,"SMB 2.1"

intelmq/tests/bots/parsers/shadowserver/testdata/test_smb.csv.license

@@ -0,0 +1,2 @@
+SPDX-FileCopyrightText: 2022 The Shadowserver Foundation
+SPDX-License-Identifier: AGPL-3.0-or-later