Remove workaround to convert ports to integers #72

Merged
merged 2 commits into from
Nov 24, 2020
8 changes: 0 additions & 8 deletions apps/vast/pyvast_threatbus/message_mapping.py
Expand Up @@ -101,14 +101,6 @@ def query_result_to_threatbus_sighting(
if not ts:
return None

# TODO: remove the following logic that turns ports into integers.
for key, value in context.items():
if type(value) is str:
if value.endswith("/?"):
context[key] = int(value[:-2])
elif value.endswith("/udp") or value.endswith("/tcp"):
context[key] = int(value[:-4])

return Sighting(
dateutil_parser.parse(ts),
intel.id,
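Review bot: `return Sighting(` at the end of the hunk now forwards `context` exactly as VAST produced it, so a VAST release that still renders ports as `"80/?"` or `"80/tcp"` strings would silently put string-typed ports into the sighting instead of integers, and nothing in the hunk records that dependency. A comment above the return, such as `# context is forwarded unchanged: VAST is expected to emit port fields as integers (#72)`, would make the assumption visible to the next maintainer. If mixed VAST versions are deployed, logging a warning when a known port key holds a string would make the mismatch observable rather than silent. `query_result_to_threatbus_sighting` starts above the hunk and continues below it.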
7 changes: 2 additions & 5 deletions apps/vast/pyvast_threatbus/test_message_mapping.py
Expand Up @@ -30,9 +30,7 @@ def setUp(self):
self.valid_intel = Intel(
self.ts, self.id, self.valid_intel_data, self.operation
)
self.valid_query_result = f'{{"timestamp": "{self.ts}", "flow_id": 1840147514011873, "pcap_cnt": 626, "src_ip": "{self.indicator[0]}", "src_port": "1193/?", "dest_ip": "65.54.95.64", "dest_port": "80/?", "proto": "TCP", "event_type": "http", "community_id": "1:AzSEWwmsqEKUX5qrReAHI3Rpizg=", "http.hostname": "download.windowsupdate.com", "http.url": "/v9/windowsupdate/a/selfupdate/WSUS3/x86/Other/wsus3setup.cab?0911180916", "http.http_port": null, "http.http_user_agent": "Windows-Update-Agent", "http.http_content_type": "application/octet-stream", "http.http_method": "HEAD", "http.http_refer": null, "http.protocol": "HTTP/1.1", "http.status": 200, "http.redirect": null, "http.length": 0, "tx_id": 0}}'
# TODO: the following is similar to the above, except for the ports - remove this, once VAST outputs ports as integers.
self.transformed_query_result = f'{{"timestamp": "{self.ts}", "flow_id": 1840147514011873, "pcap_cnt": 626, "src_ip": "{self.indicator[0]}", "src_port": 1193, "dest_ip": "65.54.95.64", "dest_port": 80, "proto": "TCP", "event_type": "http", "community_id": "1:AzSEWwmsqEKUX5qrReAHI3Rpizg=", "http.hostname": "download.windowsupdate.com", "http.url": "/v9/windowsupdate/a/selfupdate/WSUS3/x86/Other/wsus3setup.cab?0911180916", "http.http_port": null, "http.http_user_agent": "Windows-Update-Agent", "http.http_content_type": "application/octet-stream", "http.http_method": "HEAD", "http.http_refer": null, "http.protocol": "HTTP/1.1", "http.status": 200, "http.redirect": null, "http.length": 0, "tx_id": 0}}'
self.valid_query_result = f'{{"timestamp": "{self.ts}", "flow_id": 1840147514011873, "pcap_cnt": 626, "src_ip": "{self.indicator[0]}", "src_port": 1193, "dest_ip": "65.54.95.64", "dest_port": 80, "proto": "TCP", "event_type": "http", "community_id": "1:AzSEWwmsqEKUX5qrReAHI3Rpizg=", "http.hostname": "download.windowsupdate.com", "http.url": "/v9/windowsupdate/a/selfupdate/WSUS3/x86/Other/wsus3setup.cab?0911180916", "http.http_port": null, "http.http_user_agent": "Windows-Update-Agent", "http.http_content_type": "application/octet-stream", "http.http_method": "HEAD", "http.http_refer": null, "http.protocol": "HTTP/1.1", "http.status": 200, "http.redirect": null, "http.length": 0, "tx_id": 0}}'
self.unflattened_query_result = f'{{"timestamp": "{self.ts}", "flow_id": 1840147514011873, "pcap_cnt": 626, "src_ip": "{self.indicator[0]}", "src_port": 1193, "dest_ip": "65.54.95.64", "dest_port": 80, "proto": "TCP", "event_type": "http", "community_id": "1:AzSEWwmsqEKUX5qrReAHI3Rpizg=", "http": {{"hostname": "download.windowsupdate.com", "url": "/v9/windowsupdate/a/selfupdate/WSUS3/x86/Other/wsus3setup.cab?0911180916", "http_port": null, "http_user_agent": "Windows-Update-Agent", "http_content_type": "application/octet-stream", "http_method": "HEAD", "http_refer": null, "protocol": "HTTP/1.1", "status": 200, "redirect": null, "length": 0}}, "tx_id": 0}}'
self.valid_vast_sighting = f'{{"ts": "{self.ts}", "data_id": 8, "indicator_id": 5, "matcher": "threatbus-syeocdkfcy", "ioc": "{self.indicator[0]}", "reference": "threatbus__{self.id}"}}'
self.invalid_intel_1 = {
Expand Down Expand Up @@ -201,8 +199,7 @@ def test_valid_query_result_to_threatbus_sighting(self):
self.assertEqual(parsed_sighting.ts, self.ts)
self.assertEqual(parsed_sighting.ioc, self.indicator)

# TODO: use self.valid_query_result for comparison, once VAST outputs ports as integers
expected_context = json.loads(self.transformed_query_result)
expected_context = json.loads(self.valid_query_result)
expected_context["source"] = "VAST"
self.assertEqual(parsed_sighting.context, expected_context)
self.assertEqual(parsed_sighting.intel, self.id)
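Review bot: The assertion built from `expected_context = json.loads(self.valid_query_result)` derives its expectation from the same fixture it feeds in, so after this change no test in the module states what happens when a query result still carries string ports such as `"1193/?"`. Since the conversion was removed rather than replaced, a small test that passes such a context and asserts the values come back untouched would pin the new pass-through behaviour and flag a regression if the workaround is reintroduced. The `valid_query_result` fixture in the first hunk differs from `unflattened_query_result` only in the nesting of the `http` keys; a one-line comment saying so would explain why two near-identical literals are kept. `setUp` and `test_valid_query_result_to_threatbus_sighting` both extend beyond their hunks.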