Skip to content
This repository has been archived by the owner on May 29, 2024. It is now read-only.

Remove workaround to convert ports to integers #72

Merged
merged 2 commits into from
Nov 24, 2020
Merged

Remove workaround to convert ports to integers #72

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
e9df6bd
Remove workaround to convert ports to integers
0snap Nov 23, 2020
031584e
Apply suggestions from code review
0snap Nov 23, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 0 additions & 8 deletions apps/vast/pyvast_threatbus/message_mapping.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -101,14 +101,6 @@ def query_result_to_threatbus_sighting(
if not ts:
return None

# TODO: remove the following logic that turns ports into integers.
for key, value in context.items():
if type(value) is str:
if value.endswith("/?"):
context[key] = int(value[:-2])
elif value.endswith("/udp") or value.endswith("/tcp"):
context[key] = int(value[:-4])

return Sighting(
dateutil_parser.parse(ts),
intel.id,
Expand Down
7 changes: 2 additions & 5 deletions apps/vast/pyvast_threatbus/test_message_mapping.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -30,9 +30,7 @@ def setUp(self):
self.valid_intel = Intel(
self.ts, self.id, self.valid_intel_data, self.operation
)
self.valid_query_result = f'{{"timestamp": "{self.ts}", "flow_id": 1840147514011873, "pcap_cnt": 626, "src_ip": "{self.indicator[0]}", "src_port": "1193/?", "dest_ip": "65.54.95.64", "dest_port": "80/?", "proto": "TCP", "event_type": "http", "community_id": "1:AzSEWwmsqEKUX5qrReAHI3Rpizg=", "http.hostname": "download.windowsupdate.com", "http.url": "/v9/windowsupdate/a/selfupdate/WSUS3/x86/Other/wsus3setup.cab?0911180916", "http.http_port": null, "http.http_user_agent": "Windows-Update-Agent", "http.http_content_type": "application/octet-stream", "http.http_method": "HEAD", "http.http_refer": null, "http.protocol": "HTTP/1.1", "http.status": 200, "http.redirect": null, "http.length": 0, "tx_id": 0}}'
# TODO: the following is similar to the above, except for the ports - remove this, once VAST outputs ports as integers.
self.transformed_query_result = f'{{"timestamp": "{self.ts}", "flow_id": 1840147514011873, "pcap_cnt": 626, "src_ip": "{self.indicator[0]}", "src_port": 1193, "dest_ip": "65.54.95.64", "dest_port": 80, "proto": "TCP", "event_type": "http", "community_id": "1:AzSEWwmsqEKUX5qrReAHI3Rpizg=", "http.hostname": "download.windowsupdate.com", "http.url": "/v9/windowsupdate/a/selfupdate/WSUS3/x86/Other/wsus3setup.cab?0911180916", "http.http_port": null, "http.http_user_agent": "Windows-Update-Agent", "http.http_content_type": "application/octet-stream", "http.http_method": "HEAD", "http.http_refer": null, "http.protocol": "HTTP/1.1", "http.status": 200, "http.redirect": null, "http.length": 0, "tx_id": 0}}'
self.valid_query_result = f'{{"timestamp": "{self.ts}", "flow_id": 1840147514011873, "pcap_cnt": 626, "src_ip": "{self.indicator[0]}", "src_port": 1193, "dest_ip": "65.54.95.64", "dest_port": 80, "proto": "TCP", "event_type": "http", "community_id": "1:AzSEWwmsqEKUX5qrReAHI3Rpizg=", "http.hostname": "download.windowsupdate.com", "http.url": "/v9/windowsupdate/a/selfupdate/WSUS3/x86/Other/wsus3setup.cab?0911180916", "http.http_port": null, "http.http_user_agent": "Windows-Update-Agent", "http.http_content_type": "application/octet-stream", "http.http_method": "HEAD", "http.http_refer": null, "http.protocol": "HTTP/1.1", "http.status": 200, "http.redirect": null, "http.length": 0, "tx_id": 0}}'
self.unflattened_query_result = f'{{"timestamp": "{self.ts}", "flow_id": 1840147514011873, "pcap_cnt": 626, "src_ip": "{self.indicator[0]}", "src_port": 1193, "dest_ip": "65.54.95.64", "dest_port": 80, "proto": "TCP", "event_type": "http", "community_id": "1:AzSEWwmsqEKUX5qrReAHI3Rpizg=", "http": {{"hostname": "download.windowsupdate.com", "url": "/v9/windowsupdate/a/selfupdate/WSUS3/x86/Other/wsus3setup.cab?0911180916", "http_port": null, "http_user_agent": "Windows-Update-Agent", "http_content_type": "application/octet-stream", "http_method": "HEAD", "http_refer": null, "protocol": "HTTP/1.1", "status": 200, "redirect": null, "length": 0}}, "tx_id": 0}}'
self.valid_vast_sighting = f'{{"ts": "{self.ts}", "data_id": 8, "indicator_id": 5, "matcher": "threatbus-syeocdkfcy", "ioc": "{self.indicator[0]}", "reference": "threatbus__{self.id}"}}'
self.invalid_intel_1 = {
Expand Down Expand Up @@ -201,8 +199,7 @@ def test_valid_query_result_to_threatbus_sighting(self):
self.assertEqual(parsed_sighting.ts, self.ts)
self.assertEqual(parsed_sighting.ioc, self.indicator)

# TODO: use self.valid_query_result for comparison, once VAST outputs ports as integers
expected_context = json.loads(self.transformed_query_result)
expected_context = json.loads(self.valid_query_result)
expected_context["source"] = "VAST"
self.assertEqual(parsed_sighting.context, expected_context)
self.assertEqual(parsed_sighting.intel, self.id)
Expand Down