threatinator 0.1.6 → 0.2.0
- checksums.yaml +4 -4
- data/CHANGELOG.md +13 -2
- data/Gemfile +18 -13
- data/Rakefile +1 -1
- data/VERSION +1 -1
- data/feeds/ET_block-ip_reputation.feed +26 -0
- data/feeds/ET_openbadlist-ip_reputation.feed +35 -0
- data/feeds/bambenek_c2_masterlist-domain_reputation.feed +15 -0
- data/feeds/bambenek_c2_masterlist-ip_reputation.feed +15 -0
- data/feeds/bambenek_dga_feed-domain_reputation.feed +15 -0
- data/feeds/berkeley-ip_reputation.feed +23 -0
- data/feeds/bitcash_cz_blacklist.feed +20 -0
- data/feeds/botscout-ip_reputation.feed +24 -0
- data/feeds/cert_mxpoison-ip_reputation.feed +21 -0
- data/feeds/chaosreigns-ip_reputation.feed +36 -0
- data/feeds/cydef_torexit-ip_reputation.feed +24 -0
- data/feeds/danger_bruteforce-ip_reputation.feed +23 -0
- data/feeds/falconcrest-ip_reputation.feed +18 -0
- data/feeds/h3x_asprox.feed +17 -0
- data/feeds/hosts-file_hphostspartial-domain_reputation.feed +18 -0
- data/feeds/infiltrated_vabl-ip_reputation.feed +29 -0
- data/feeds/isc_suspicious_high-domain_reputation.feed +25 -0
- data/feeds/isc_suspicious_low-domain_reputation.feed +25 -0
- data/feeds/isc_suspicious_medium-domain_reputation.feed +25 -0
- data/feeds/malwaredomainlist-url_reputation.feed +16 -0
- data/feeds/malwaredomains-domain_reputation.feed +27 -0
- data/feeds/malwaredomains_dyndns-domain_reputation.feed +27 -0
- data/feeds/malwaredomains_justdomains-domain_reputation.feed +18 -0
- data/feeds/multiproxy-ip_reputation.feed +20 -0
- data/feeds/openphish-url_reputation.feed +22 -0
- data/feeds/packetmail_perimeterbad-ip_reputation.feed +26 -0
- data/feeds/phishtank.feed +1 -1
- data/feeds/sigmaproject_atma.feed +25 -0
- data/feeds/sigmaproject_spyware.feed +24 -0
- data/feeds/sigmaproject_webexploit.feed +26 -0
- data/feeds/snort_bpf-ip_reputation.feed +19 -0
- data/feeds/steeman-ip_reputation.feed +19 -0
- data/feeds/trustedsec-ip_reputation.feed +17 -0
- data/feeds/virbl-ip_reputation.feed +24 -0
- data/feeds/vxvault-url_reputation.feed +22 -0
- data/feeds/yoyo_adservers-domain_reputation.feed +16 -0
- data/lib/threatinator/actions/run/action.rb +15 -3
- data/lib/threatinator/actions/run/coverage_observer.rb +12 -7
- data/lib/threatinator/actions/run/status_observer.rb +37 -0
- data/lib/threatinator/cli.rb +9 -3
- data/lib/threatinator/cli/parser.rb +14 -4
- data/lib/threatinator/config.rb +1 -0
- data/lib/threatinator/config/logger.rb +14 -0
- data/lib/threatinator/event.rb +28 -18
- data/lib/threatinator/event_builder.rb +52 -23
- data/lib/threatinator/exceptions.rb +3 -6
- data/lib/threatinator/feed.rb +1 -1
- data/lib/threatinator/feed_runner.rb +63 -7
- data/lib/threatinator/logger.rb +66 -0
- data/lib/threatinator/logging.rb +20 -0
- data/lib/threatinator/model/base.rb +23 -0
- data/lib/threatinator/model/collection.rb +64 -0
- data/lib/threatinator/model/observables/fqdn_collection.rb +13 -0
- data/lib/threatinator/model/observables/ipv4.rb +30 -0
- data/lib/threatinator/model/observables/ipv4_collection.rb +14 -0
- data/lib/threatinator/model/observables/url_collection.rb +16 -0
- data/lib/threatinator/model/validations.rb +1 -0
- data/lib/threatinator/model/validations/type.rb +21 -0
- data/lib/threatinator/plugins/output/csv.rb +20 -9
- data/spec/feeds/ET_block-ip_reputation_spec.rb +50 -0
- data/spec/feeds/ET_compromised-ip_reputation_spec.rb +2 -5
- data/spec/feeds/ET_openbadlist-ip_reputation_spec.rb +56 -0
- data/spec/feeds/alienvault-ip_reputation_spec.rb +2 -5
- data/spec/feeds/arbor_fastflux-domain_reputation_spec.rb +0 -3
- data/spec/feeds/arbor_ssh-ip_reputation_spec.rb +2 -5
- data/spec/feeds/autoshun_shunlist_spec.rb +1 -4
- data/spec/feeds/bambenek_c2_masterlist-domain_reputation_spec.rb +39 -0
- data/spec/feeds/bambenek_c2_masterlist-ip_reputation_spec.rb +39 -0
- data/spec/feeds/bambenek_dga_feed-domain_reputation_spec.rb +39 -0
- data/spec/feeds/berkeley-ip_reputation_spec.rb +47 -0
- data/spec/feeds/bitcash_cz_blacklist-ip_reputation_spec.rb +50 -0
- data/spec/feeds/blocklist_de_apache-ip_reputation_spec.rb +2 -5
- data/spec/feeds/blocklist_de_bots-ip_reputation_spec.rb +2 -5
- data/spec/feeds/blocklist_de_ftp-ip_reputation_spec.rb +2 -5
- data/spec/feeds/blocklist_de_imap-ip_reputation_spec.rb +2 -5
- data/spec/feeds/blocklist_de_pop3-ip_reputation_spec.rb +2 -5
- data/spec/feeds/blocklist_de_proftpd-ip_reputation_spec.rb +2 -5
- data/spec/feeds/blocklist_de_sip-ip_reputation_spec.rb +2 -5
- data/spec/feeds/blocklist_de_ssh-ip_reputation_spec.rb +2 -5
- data/spec/feeds/blocklist_de_strongips-ip_reputation_spec.rb +2 -5
- data/spec/feeds/botscout-ip_reputation_spec.rb +50 -0
- data/spec/feeds/cert_mxpoison-ip_reputation_spec.rb +47 -0
- data/spec/feeds/chaosreigns-ip_reputation_spec.rb +50 -0
- data/spec/feeds/ciarmy-ip_reputation_spec.rb +2 -5
- data/spec/feeds/cruzit-ip_reputation_spec.rb +2 -5
- data/spec/feeds/cydef_torexit-ip_reputation_spec.rb +47 -0
- data/spec/feeds/dan_me_uk_torlist-ip_reputation_spec.rb +2 -5
- data/spec/feeds/danger_bruteforce-ip_reputation_spec.rb +47 -0
- data/spec/feeds/data/ET_block-ip_reputation.txt +80 -0
- data/spec/feeds/data/ET_openbadlist-ip_reputation.txt +62 -0
- data/spec/feeds/data/bambenek_c2-dommasterlist.csv +30 -0
- data/spec/feeds/data/bambenek_c2-ipmasterlist.csv +27 -0
- data/spec/feeds/data/bambenek_dga_feed.csv +42 -0
- data/spec/feeds/data/berkeley.txt +29 -0
- data/spec/feeds/data/bitcash_cz_blacklist.txt +7 -0
- data/spec/feeds/data/botscout-ip-reputation.txt +713 -0
- data/spec/feeds/data/cert_mxpoison-ip_reputation.txt +17 -0
- data/spec/feeds/data/chaosreigns-ip-reputation.txt +26 -0
- data/spec/feeds/data/cydef_torexit-ip_reputation.txt +27 -0
- data/spec/feeds/data/danger_bruteforce-ip_reputation.txt +12 -0
- data/spec/feeds/data/falconcrest_iplist.txt +345 -0
- data/spec/feeds/data/h3x_asprox.txt +20 -0
- data/spec/feeds/data/hosts-file_hphostspartial_domainlist.txt +24 -0
- data/spec/feeds/data/infiltrated_vabl_iplist.txt +33 -0
- data/spec/feeds/data/isc_suspicious_high_domainlist.txt +26 -0
- data/spec/feeds/data/isc_suspicious_low_domainlist.txt +34 -0
- data/spec/feeds/data/isc_suspicious_medium_domainlist.txt +32 -0
- data/spec/feeds/data/malwaredomainlist-url-reputation.txt +8 -0
- data/spec/feeds/data/malwaredomains_domainlist.txt +24 -0
- data/spec/feeds/data/malwaredomains_dyndns_domainlist.txt +34 -0
- data/spec/feeds/data/malwaredomains_justdomains_domainlist.txt +18 -0
- data/spec/feeds/data/multiproxy_iplist.txt +15 -0
- data/spec/feeds/data/openphish-url-reputation.txt +16 -0
- data/spec/feeds/data/packetmail_perimeterbad-ip_reputation.txt +44 -0
- data/spec/feeds/data/sigmaproject_atma.return.gz +0 -0
- data/spec/feeds/data/sigmaproject_spyware.return.gz +0 -0
- data/spec/feeds/data/sigmaproject_webexploit.return.gz +0 -0
- data/spec/feeds/data/snort_bpf-ip_reputation.txt +16 -0
- data/spec/feeds/data/steeman-ip-reputation.txt +13 -0
- data/spec/feeds/data/trustedsec-ip-reputation.txt +12 -0
- data/spec/feeds/data/virbl-ip_reputation.txt +14 -0
- data/spec/feeds/data/vxvault-url-reputation.txt +15 -0
- data/spec/feeds/data/yoyo_adservers.txt +25 -0
- data/spec/feeds/dshield_attackers-top1000_spec.rb +1 -4
- data/spec/feeds/falconcrest-ip_reputation_spec.rb +37 -0
- data/spec/feeds/feodo-domain_reputation_spec.rb +0 -3
- data/spec/feeds/feodo-ip_reputation_spec.rb +2 -5
- data/spec/feeds/h3x_asprox-ip_reputation_spec.rb +50 -0
- data/spec/feeds/hosts-file_hphostspartial-domain_reputation_spec.rb +47 -0
- data/spec/feeds/infiltrated-ip_reputation_spec.rb +2 -5
- data/spec/feeds/infiltrated_vabl-ip_reputation_spec.rb +47 -0
- data/spec/feeds/isc_suspicious_high-domain_reputation_spec.rb +47 -0
- data/spec/feeds/isc_suspicious_low-domain_reputation_spec.rb +47 -0
- data/spec/feeds/isc_suspicious_medium-domain_reputation_spec.rb +47 -0
- data/spec/feeds/malc0de-domain_reputation_spec.rb +0 -3
- data/spec/feeds/malc0de-ip_reputation_spec.rb +2 -5
- data/spec/feeds/malwaredomainlist_url_reputation_spec.rb +50 -0
- data/spec/feeds/malwaredomains-domain_reputation_spec.rb +47 -0
- data/spec/feeds/malwaredomains_dyndns-domain_reputation_spec.rb +47 -0
- data/spec/feeds/malwaredomains_justdomains-domain_reputation_spec.rb +47 -0
- data/spec/feeds/mirc-domain_reputation_spec.rb +0 -3
- data/spec/feeds/multiproxy-ip_reputation_spec.rb +47 -0
- data/spec/feeds/nothink_irc-ip_reputation_spec.rb +2 -5
- data/spec/feeds/nothink_ssh-ip_reputation_spec.rb +2 -5
- data/spec/feeds/openbl-ip_reputation_spec.rb +2 -5
- data/spec/feeds/openphish_url_reputation_spec.rb +50 -0
- data/spec/feeds/packetmail_perimeterbad-ip_reputation_spec.rb +47 -0
- data/spec/feeds/palevo-domain_reputation_spec.rb +0 -3
- data/spec/feeds/palevo-ip_reputation_spec.rb +2 -5
- data/spec/feeds/phishtank_spec.rb +2 -5
- data/spec/feeds/sigmaproject_atma_spec.rb +63 -0
- data/spec/feeds/sigmaproject_spyware_spec.rb +64 -0
- data/spec/feeds/sigmaproject_webexploit_spec.rb +63 -0
- data/spec/feeds/snort_bpf-ip_reputation_spec.rb +47 -0
- data/spec/feeds/spyeye-domain_reputation_spec.rb +0 -3
- data/spec/feeds/spyeye-ip_reputation_spec.rb +2 -5
- data/spec/feeds/steeman-ip_reputation_spec.rb +50 -0
- data/spec/feeds/t-arend-de_ssh-ip_reputation_spec.rb +2 -5
- data/spec/feeds/the_haleys_ssh-ip_reputation_spec.rb +2 -5
- data/spec/feeds/trustedsec-ip_reputation_spec.rb +47 -0
- data/spec/feeds/virbl-ip_reputation_spec.rb +47 -0
- data/spec/feeds/vxvault_url_reputation_spec.rb +50 -0
- data/spec/feeds/yourcmc_ssh-ip_reputation_spec.rb +2 -5
- data/spec/feeds/yoyo_adservers_spec.rb +47 -0
- data/spec/feeds/zeus-domain_reputation_spec.rb +0 -3
- data/spec/feeds/zeus-ip_reputation_spec.rb +2 -5
- data/spec/spec_helper.rb +2 -0
- data/spec/support/factories/event.rb +11 -7
- data/spec/support/factories/feed.rb +28 -1
- data/spec/support/factories/ipv4.rb +36 -0
- data/spec/support/factories/url.rb +34 -0
- data/spec/support/shared/feed_runner_observer.rb +136 -0
- data/spec/support/shared/feeds.rb +19 -4
- data/spec/support/shared/model/collection.rb +164 -0
- data/spec/threatinator/actions/run/action_spec.rb +27 -10
- data/spec/threatinator/actions/run/coverage_observer_spec.rb +39 -4
- data/spec/threatinator/actions/run/status_observer_spec.rb +86 -0
- data/spec/threatinator/event_builder_spec.rb +111 -21
- data/spec/threatinator/event_spec.rb +237 -13
- data/spec/threatinator/event_spec.rb.new +319 -0
- data/spec/threatinator/feed_builder_spec.rb +0 -3
- data/spec/threatinator/feed_runner_spec.rb +254 -70
- data/spec/threatinator/logger_spec.rb +29 -0
- data/spec/threatinator/model/observables/fqdn_collection_spec.rb +42 -0
- data/spec/threatinator/model/observables/ipv4_collection_spec.rb +36 -0
- data/spec/threatinator/model/observables/ipv4_spec.rb +75 -0
- data/spec/threatinator/model/observables/url_collection_spec.rb +45 -0
- data/spec/threatinator/model/validations/type_spec.rb +37 -0
- data/spec/threatinator/plugins/output/csv_spec.rb +4 -3
- metadata +216 -19
- data/lib/threatinator/property_definer.rb +0 -101
- data/spec/threatinator/property_definer_spec.rb +0 -155
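--- a/data/spec/threatinator/event_builder_spec.rb
+++ b/data/spec/threatinator/event_builder_spec.rb
@@ -2,32 +2,122 @@ require 'spec_helper'
 require 'threatinator/event_builder'
 
 describe Threatinator::EventBuilder do
-let(:
-let(:
-
-
-
-
-
-
-
-
-
-
-
-
-
+let(:feed_provider) { 'my_provider' }
+let(:feed_name) { 'my_feed' }
+let(:event_builder) { described_class.new(feed_provider, feed_name) }
+let(:type) { :c2 }
+
+before :each do
+event_builder.type = :c2
+end
+
+describe "#reset" do
+it "resets 'type' to nil" do
+event_builder.type = :c2
+event_builder.reset
+expect {
+event_builder.build
+}.to raise_error(Threatinator::Exceptions::EventBuildError)
+end
+
+it "resets the fqdns" do
+event_builder.add_fqdn('foo.com')
+event_builder.reset
+event_builder.type = :c2
+event1 = event_builder.build
+expect(event1.fqdns).to be_empty
+end
+
+it "resets the ipv4s" do
+event_builder.add_ipv4('1.2.3.4')
+event_builder.reset
+event_builder.type = :c2
+event1 = event_builder.build
+expect(event1.ipv4s).to be_empty
+end
+
+it "does not reset feed_provider or feed_name" do
+event_builder.reset
+event_builder.type = :c2
+event1 = event_builder.build
+expect(event1.feed_provider).to eq('my_provider')
+expect(event1.feed_name).to eq('my_feed')
+end
+end
+
+describe "#type=(type)" do
+it "sets the 'type' for built events" do
+event1 = event_builder.build
+expect(event1.type).to eq(:c2)
+end
+end
+
+describe "#add_ipv4(ipv4)" do
+it "adds the provided ipv4s to built events" do
+event_builder.add_ipv4('1.2.3.4')
+event_builder.add_ipv4('8.8.8.8')
+event1 = event_builder.build
+expect(event1.ipv4s).to contain_exactly(build(:ipv4, ipv4:'1.2.3.4'), build(:ipv4, ipv4: '8.8.8.8'))
+end
+end
+
+describe "#add_fqdn(fqdn)" do
+it "adds the provided fqdns to built events" do
+event_builder.add_fqdn('google.com')
+event_builder.add_fqdn('yahoo.com')
+event1 = event_builder.build
+expect(event1.fqdns).to contain_exactly('google.com', 'yahoo.com')
 end
+end
+
+describe "#add_url(url)" do
+it "converts the provided URLs strings into Addressable::URI objects and adds them to the built events" do
+event_builder.add_url('http://google.com/foo/bar')
+event_builder.add_url('http://yahoo.com')
+event = event_builder.build
+expect(event.urls).to contain_exactly(
+::Addressable::URI.parse('http://google.com/foo/bar'),
+::Addressable::URI.parse('http://yahoo.com')
+)
+end
+end
 
-
-
-
-
+describe "#build" do
+it "generates a new event with each call" do
+event1 = event_builder.build
+event2 = event_builder.build
+expect(event1).not_to be(event2)
+end
+
+specify "successively built events will == each other if the builder has not been changed" do
+event_builder.type = :c2
+event_builder.add_ipv4('1.2.3.4')
+event_builder.add_fqdn('foo.com')
+event1 = event_builder.build
+event2 = event_builder.build
+expect(event1).to be == event2
+end
+
+context "when an added URL is not parseable as a URI" do
+it "raises EventBuildError" do
+event_builder.type = :c2
+event_builder.add_url(1234)
+expect {
+event_builder.build
+}.to raise_error(Threatinator::Exceptions::EventBuildError)
 end
-
-
+end
+
+context "when an added URL is not absolute" do
+it "raises EventBuildError" do
+event_builder.type = :c2
+event_builder.add_url("/foo/bar")
+expect {
+event_builder.build
+}.to raise_error(Threatinator::Exceptions::EventBuildError)
 end
 end
+
 end
 end
 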
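Review bot: The new spec only exercises well-formed observables, so nothing pins what EventBuilder does when a feed line yields a malformed IPv4 or FQDN, which is exactly the untrusted input these feed parsers consume; `#add_ipv4` and `#add_fqdn` each need a negative example such as `event_builder.add_ipv4('999.1.1.1')` followed by `expect { event_builder.build }.to raise_error(Threatinator::Exceptions::EventBuildError)` (the builder itself is not in view, so whether it currently validates at all is unknown, which is the reason to pin it). The "not parseable as a URI" context passes the Integer `1234`, which tests the non-String path rather than an unparseable string; give it a String that `Addressable::URI.parse` actually rejects, or rename it "when an added URL is not a String". `let(:type) { :c2 }` is defined but never used; the `before` block and several examples hard-code `:c2` instead, so either drop the `let` or write `event_builder.type = type`.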
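--- a/data/spec/threatinator/event_spec.rb
+++ b/data/spec/threatinator/event_spec.rb
@@ -2,29 +2,253 @@ require 'spec_helper'
 require 'threatinator/event'
 
 describe Threatinator::Event do
-
-
-
+
+let(:event_opts) { { feed_provider: 'foo', feed_name: 'bar', type: :c2 } }
+
+describe "initialization" do
+it "requires at least :feed_provider, :feed_name, and :type to be valid" do
+expect {
+described_class.new(feed_provider: 'foo', feed_name: 'bar', type: :c2)
+}.not_to raise_error
+end
+end
+
+describe "#==(other)" do
+it "returns true when compared to an identically configured event" do
+event_opts.merge!(ipv4s: build(:ipv4s, values: ['1.2.3.4']), fqdns: ['foo.com'])
+event1 = described_class.new(event_opts)
+event2 = described_class.new(event_opts)
+expect(event1).to be == event2
+end
+
+it "returns true when compared to an identically configured event" do
+event_opts.merge!(ipv4s: build(:ipv4s, values: ['1.2.3.4']), fqdns: ['foo.com'])
+event1 = described_class.new(event_opts)
+event_opts.merge!(ipv4s: build(:ipv4s, values: ['8.8.8.8']), fqdns: ['foo.com'])
+event2 = described_class.new(event_opts)
+expect(event1).not_to be == event2
+end
 end
 
-describe "
-
-
+describe ":feed_provider" do
+it "can be set to a String" do
+event_opts[:feed_provider] = "asdf"
+expect(described_class.new(event_opts).feed_provider).to eq("asdf")
+end
+
+it "is required to be a String" do
+event_opts[:feed_provider] = 1234
+expect {
+described_class.new(event_opts)
+}.to raise_error(Threatinator::Exceptions::InvalidAttributeError)
+end
+
+it "is required" do
+event_opts.delete(:feed_provider)
+expect {
+described_class.new(event_opts)
+}.to raise_error(Threatinator::Exceptions::InvalidAttributeError)
+end
+end
+
+describe ":feed_name" do
+it "can be set to a String" do
+event_opts[:feed_name] = "foo"
+expect(described_class.new(event_opts).feed_name).to eq("foo")
+end
+
+it "is required to be a String" do
+event_opts[:feed_name] = 1234
+expect {
+described_class.new(event_opts)
+}.to raise_error(Threatinator::Exceptions::InvalidAttributeError)
+end
+
+it "is required" do
+event_opts.delete(:feed_name)
+expect {
+described_class.new(event_opts)
+}.to raise_error(Threatinator::Exceptions::InvalidAttributeError)
 end
-it "should raise an InvalidAttributeError if set to something other than a symbol"
 end
 
-describe "
-it "
+describe ":type" do
+it "cannot be be nil" do
+event_opts[:type] = nil
+expect {
+described_class.new(event_opts)
+}.to raise_error(Threatinator::Exceptions::InvalidAttributeError)
+end
+it "is required" do
+event_opts.delete(:type)
+expect {
+described_class.new(event_opts)
+}.to raise_error(Threatinator::Exceptions::InvalidAttributeError)
+end
+[:c2, :attacker, :malware_host, :spamming, :scanning, :phishing].each do |v|
+it "can be #{v.inspect}" do
+event_opts[:type] = v
+expect(described_class.new(event_opts).type).to eq(v)
+end
+end
 end
 
-describe "
-
+describe ":fqdns" do
+context "when nil" do
+it "is valid" do
+event_opts[:fqdns] = nil
+expect {
+described_class.new(event_opts)
+}.not_to raise_error
+end
+describe "#fqdns" do
+it "returns an an empty array" do
+event_opts[:fqdns] = nil
+expect(described_class.new(event_opts).fqdns).to be_empty
+end
+end
+end
+context "when set to an empty array" do
+it "is valid" do
+event_opts[:fqdns] = nil
+expect {
+described_class.new(event_opts)
+}.not_to raise_error
+end
+describe "#fqdns" do
+it "returns an an empty array" do
+event_opts[:fqdns] = []
+expect(described_class.new(event_opts).fqdns).to be_empty
+end
+end
+end
+context "with :fqdns set to an array of fqdn strings" do
+let(:fqdns) { ['foo.com', 'bar.com'] }
+it "is valid" do
+event_opts[:fqdns] = ['foo.com', 'bar.com']
+expect {
+described_class.new(event_opts)
+}.not_to raise_error
+end
+describe "#fqdns" do
+it "returns a collection containing the provided fqdns" do
+event_opts[:fqdns] = ['foo.com', 'bar.com']
+expect(described_class.new(event_opts).fqdns).to contain_exactly('foo.com', 'bar.com')
+end
+end
+end
 end
 
-
+
+describe ":ipv4s" do
+context "when nil" do
+it "is valid" do
+event_opts[:ipv4s] = nil
+expect {
+described_class.new(event_opts)
+}.not_to raise_error
+end
+describe "#ipv4s" do
+it "returns an an empty collection" do
+event_opts[:ipv4s] = nil
+expect(described_class.new(event_opts).ipv4s).to be_empty
+end
+end
+end
+context "when set to an empty array" do
+it "is valid" do
+event_opts[:ipv4s] = nil
+expect {
+described_class.new(event_opts)
+}.not_to raise_error
+end
+describe "#ipv4s" do
+it "returns an an empty collection" do
+event_opts[:ipv4s] = []
+expect(described_class.new(event_opts).ipv4s).to be_empty
+end
+end
+end
+context "with :ipv4s set to an empty Ipv4Collection" do
+it "is valid" do
+event_opts[:ipv4s] = build(:ipv4s)
+expect {
+described_class.new(event_opts)
+}.not_to raise_error
+end
+describe "#ipv4s" do
+it "returns an an empty collection" do
+event_opts[:ipv4s] = []
+expect(described_class.new(event_opts).ipv4s).to be_empty
+end
+end
+end
+context "with :ipv4s set to an array of Ipv4 observables" do
+it "is valid" do
+event_opts[:ipv4s] = [build(:ipv4, ipv4: '1.2.3.4'), build(:ipv4, ipv4: '8.8.8.8')]
+expect {
+described_class.new(event_opts)
+}.not_to raise_error
+end
+describe "#ipv4s" do
+it "returns a collection containing the provided Ipv4 observables" do
+o1 = build(:ipv4, ipv4: '1.2.3.4')
+o2 = build(:ipv4, ipv4: '8.8.8.8')
+event_opts[:ipv4s] = [o1, o2]
+expect(described_class.new(event_opts).ipv4s).to contain_exactly(o1, o2)
+end
+end
+end
 end
 
-describe "
+describe ":urls" do
+context "when nil" do
+it "is valid" do
+event_opts[:urls] = nil
+expect {
+described_class.new(event_opts)
+}.not_to raise_error
+end
+describe "#urls" do
+it "returns an an empty array" do
+event_opts[:urls] = nil
+expect(described_class.new(event_opts).urls).to be_empty
+end
+end
+end
+context "when set to an empty array" do
+it "is valid" do
+event_opts[:urls] = nil
+expect {
+described_class.new(event_opts)
+}.not_to raise_error
+end
+describe "#urls" do
+it "returns an an empty array" do
+event_opts[:urls] = []
+expect(described_class.new(event_opts).urls).to be_empty
+end
+end
+end
+context "with :urls set to an array of url strings" do
+let(:urls) {
+[
+Addressable::URI.parse('http://yahoo.com'),
+Addressable::URI.parse('http://google.com'),
+]
+}
+it "is valid" do
+event_opts[:urls] = urls
+expect {
+described_class.new(event_opts)
+}.not_to raise_error
+end
+describe "#urls" do
+it "returns a collection containing the provided urls" do
+event_opts[:urls] = urls
+expect(described_class.new(event_opts).urls).to match_array(urls)
+end
+end
+end
 end
 end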
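Review bot: The `:type` block enumerates the six accepted values but never asserts that an unlisted symbol is rejected, so the allow-list could silently accept `:foo` (or a feed-supplied string) and nothing in this spec would notice; add `it "rejects an unknown type" do event_opts[:type] = :foo; expect { described_class.new(event_opts) }.to raise_error(Threatinator::Exceptions::InvalidAttributeError) end`, which is the case the parallel `event_spec.rb.new` file in this release already has. The three "when set to an empty array" contexts (`:fqdns`, `:ipv4s`, `:urls`) assign `nil` in their "is valid" examples, so they duplicate the nil case instead of testing `[]` as their description claims; change each to `event_opts[:fqdns] = []` and so on, and likewise the empty-Ipv4Collection context's `#ipv4s` example assigns `[]` rather than `build(:ipv4s)`. The second `#==` example reuses the first example's description while asserting inequality; rename it `it "returns false when compared to a differently configured event"`. The ":urls set to an array of url strings" context actually holds `Addressable::URI` objects, so its description should say so.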
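--- /dev/null
+++ b/data/spec/threatinator/event_spec.rb.new
@@ -0,0 +1,319 @@
+require 'spec_helper'
+require 'threatinator/event'
+
+describe Threatinator::Event do
+it "requires at least :feed_provider, :feed_name, and :type to be valid" do
+event = described_class.new(feed_provider: 'foo', feed_name: 'bar', type: :c2)
+expect(event).to be_valid
+end
+
+let(:event_opts) { { feed_provider: 'foo', feed_name: 'bar', type: :c2 } }
+
+
+
+describe "#validate!" do
+context "when the event is valid" do
+it "does not raise anything" do
+event = described_class.new(event_opts)
+expect(event).to be_valid
+expect { event.validate! }.not_to raise_error
+end
+end
+context "when the event is not valid" do
+it "raises an InvalidAttributeError" do
+event_opts.delete(:feed_name)
+event = described_class.new(event_opts)
+expect(event).not_to be_valid
+expect { event.validate! }.to raise_error(Threatinator::Exceptions::InvalidAttributeError)
+end
+end
+end
+
+
+describe "#==(other)" do
+it "returns true when compared to an identically configured event" do
+event_opts.merge!(ipv4s: ['1.2.3.4'], fqdns: ['foo.com'], urls: [{url: 'http://foo.com'}])
+event1 = described_class.new(event_opts)
+event2 = described_class.new(event_opts)
+expect(event1).to be == event2
+end
+
+it "returns true when compared to an identically configured event" do
+event_opts.merge!(ipv4s: ['1.2.3.4'], fqdns: ['foo.com'], urls: [{url: 'http://foo.com'}])
+event1 = described_class.new(event_opts)
+event_opts.merge!(ipv4s: ['8.8.8.8'], fqdns: ['foo.com'], urls: [{url: 'http://foo.com'}])
+event2 = described_class.new(event_opts)
+expect(event1).not_to be == event2
+end
+end
+
+describe "feed_provider" do
+it "can be set to a String" do
+event_opts[:feed_provider] = "asdf"
+expect(described_class.new(event_opts).feed_provider).to eq("asdf")
+end
+
+it "is required to be a String" do
+event_opts[:feed_provider] = 1234
+x = described_class.new(event_opts)
+expect(x).not_to be_valid
+end
+
+it "is required" do
+event_opts.delete(:feed_provider)
+x = described_class.new(event_opts)
+expect(x).not_to be_valid
+end
+end
+
+describe "feed_name" do
+it "can be set to a String" do
+event_opts[:feed_name] = "foo"
+expect(described_class.new(event_opts).feed_name).to eq("foo")
+end
+
+it "is required to be a String" do
+event_opts[:feed_name] = 1234
+x = described_class.new(event_opts)
+expect(x).not_to be_valid
+end
+
+end
+
+describe "type" do
+let(:event) { described_class.new(event_opts) }
+context "when nil" do
+before :each do
+event_opts[:type] = nil
+end
+it "is not valid" do
+expect(event).not_to be_valid
+end
+end
+context "when not set" do
+before :each do
+event_opts.delete(:type)
+end
+it "is not valid" do
+expect(event).not_to be_valid
+end
+end
+describe ":c2" do
+before :each do
+event_opts[:type] = :c2
+end
+it "is valid" do
+expect(event).to be_valid
+end
+end
+describe ":attacker" do
+before :each do
+event_opts[:type] = :attacker
+end
+it "is valid" do
+expect(event).to be_valid
+end
+end
+describe ":malware_host" do
+before :each do
+event_opts[:type] = :malware_host
+end
+it "is valid" do
+expect(event).to be_valid
+end
+end
+describe ":spamming" do
+before :each do
+event_opts[:type] = :spamming
+end
+it "is valid" do
+expect(event).to be_valid
+end
+end
+describe ":scanning" do
+before :each do
+event_opts[:type] = :scanning
+end
+it "is valid" do
+expect(event).to be_valid
+end
+end
+describe ":phishing" do
+before :each do
+event_opts[:type] = :phishing
+end
+it "is valid" do
+expect(event).to be_valid
+end
+end
+describe "an invalid type" do
+before :each do
+event_opts[:type] = :foo
+end
+it "is not valid" do
+expect(event).not_to be_valid
+end
+end
+end
+
+describe "fqdns" do
+let(:event) { described_class.new(event_opts.merge({ fqdns: fqdns })) }
+context "with :fqdns set to nil" do
+let(:fqdns) { nil }
+it "is valid" do
+expect(event).to be_valid
+end
+describe "#fqdns" do
+it "returns an an empty array" do
+expect(event.fqdns).to be_empty
+end
+end
+end
+context "with :fqdns set to an empty array" do
+let(:fqdns) { [] }
+it "is valid" do
+expect(event).to be_valid
+end
+describe "#fqdns" do
+it "returns an an empty array" do
+expect(event.fqdns).to be_empty
+end
+end
+end
+context "with :fqdns set to an array of fqdn strings" do
+let(:fqdns) { ['foo.com', 'bar.com'] }
+it "is valid" do
+expect(event).to be_valid
+end
+describe "#fqdns" do
+it "returns an Array of Strings" do
+expect(event.fqdns).to contain_exactly('foo.com', 'bar.com')
+end
+end
+end
+end
+
+describe "ipv4s" do
+let(:event) { described_class.new(event_opts.merge({ ipv4s: ipv4s })) }
+context "with :ipv4s set to nil" do
+let(:ipv4s) { nil }
+it "is valid" do
+expect(event).to be_valid
+end
+describe "#ipv4s" do
+it "returns an an empty array" do
+expect(event.ipv4s).to be_empty
+end
+end
+end
+context "with :ipv4s set to an empty array" do
+let(:ipv4s) { [] }
+it "is valid" do
+expect(event).to be_valid
+end
+describe "#ipv4s" do
+it "returns an an empty array" do
+expect(event.ipv4s).to be_empty
+end
+end
+end
+context "with :ipv4s set to an array of ipv4 strings" do
+let(:ipv4s) { ['1.2.3.4', '8.8.8.8'] }
+it "is valid" do
+expect(event).to be_valid
+end
+describe "#ipv4s" do
+it "returns an Array of Strings" do
+expect(event.ipv4s).to contain_exactly('1.2.3.4', '8.8.8.8')
+end
+end
+end
+end
+
+describe "urls" do
+let(:event) { described_class.new(event_opts.merge({ urls: urls })) }
+
+context "with :urls set to nil" do
+let(:urls) { nil }
+it "is valid" do
+expect(event).to be_valid
+end
+describe "#urls" do
+it "returns an empty array" do
+expect(event.urls).to eq([])
+end
+end
+end
+
+context "with :urls set to an empty array" do
+let(:urls) { [] }
+it "is valid" do
+expect(event).to be_valid
+end
+describe "#urls" do
+it "returns an empty array" do
+expect(event.urls).to eq([])
+end
+end
+end
+
+context "with :urls set to an array of Hash objects" do
+let(:urls) {
+[
+{url: "http://foo.com"},
+{url: "path/to/something"},
+{url: 1234},
+{url: nil},
+{}
+]
+}
+describe "#urls" do
+it "returns an array containing Observables::Url objects that have been coerced from the hashes" do
+expect(event.urls).to eq([
+Threatinator::Model::Observables::Url.new(url: "http://foo.com"),
+Threatinator::Model::Observables::Url.new(url: "path/to/something"),
+Threatinator::Model::Observables::Url.new(url: 1234),
+Threatinator::Model::Observables::Url.new(url: nil),
+Threatinator::Model::Observables::Url.new(url: nil)
+])
+end
+end
+end
+
+context "with :urls set to an array of valid Observables::Url objects" do
+let(:urls) {
+[
+Threatinator::Model::Observables::Url.new(url: "http://foo.com"),
+Threatinator::Model::Observables::Url.new(url: "http://bar.com")
+]
+}
+it "is valid" do
+expect(event).to be_valid
+end
+describe "#urls" do
+it "returns an array containing the original Observables::Url objects" do
+expect(event.urls).to eq(urls)
+end
+end
+end
+
+context "when the :urls array contains any invalid Observables::Url objects" do
+let(:urls) {
+[
+Threatinator::Model::Observables::Url.new(url: "http://foo.com"),
+Threatinator::Model::Observables::Url.new(url: "http://bar.com"),
+Threatinator::Model::Observables::Url.new(url: "relative/path/to"),
+]
+}
+it "is not valid" do
+expect(event).not_to be_valid
+end
+describe "#urls" do
+it "returns an array containing the original Observables::Url objects" do
+expect(event.urls).to eq(urls)
+end
+end
+end
+end
+
+end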
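Review bot: `event_spec.rb.new` looks like an editor or merge leftover that has been packaged into the released gem: RSpec's default pattern loads only `*_spec.rb`, so this file never runs, and it exercises `be_valid`, `#validate!` and `Threatinator::Model::Observables::Url`, none of which appear among the files this release adds (only `url_collection.rb` and `ipv4.rb` are listed under `model/observables/`), so it would presumably fail if it ever were loaded. Shipping stray files is a supply-chain hygiene problem in its own right, since consumers cannot tell intended test fixtures from accidents, and it suggests the gemspec's file glob is picking up everything under `spec/` rather than an explicit list. Either delete the file before release or merge its useful cases, in particular the `"an invalid type"` example that asserts `:foo` is rejected, into `event_spec.rb`, and tighten the gemspec's `files` pattern so `*.new`, `*.orig` and similar artifacts are excluded.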