Pierre-Olivier Mercier
229e7a8f02
ThreatFox queries the IOC database for domain indicators (C2 servers, malware distribution, phishing); MalwareBazaar searches for malware samples tagged with the domain. Both require a free abuse.ch Auth-Key.
94 lines
3.2 KiB
Go
94 lines
3.2 KiB
Go
package checker
|
|
|
|
import (
|
|
"context"
|
|
"net/http"
|
|
"net/http/httptest"
|
|
"testing"
|
|
|
|
sdk "git.happydns.org/checker-sdk-go/checker"
|
|
)
|
|
|
|
func TestMalwareBazaarSource_NoResults(t *testing.T) {
|
|
srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
w.Header().Set("Content-Type", "application/json")
|
|
_, _ = w.Write([]byte(`{"query_status":"no_results"}`))
|
|
}))
|
|
defer srv.Close()
|
|
|
|
s := &malwareBazaarSource{endpoint: srv.URL}
|
|
results := s.Query(context.Background(), "example.com", "example.com", sdk.CheckerOptions{"enable_malwarebazaar": true, "malwarebazaar_auth_key": "k"})
|
|
if len(results) != 1 {
|
|
t.Fatalf("expected 1 result, got %d", len(results))
|
|
}
|
|
r := results[0]
|
|
listed, _ := s.Evaluate(r)
|
|
if !r.Enabled || listed || r.Error != "" {
|
|
t.Fatalf("expected enabled+clean, got %+v, Evaluate listed=%v", r, listed)
|
|
}
|
|
}
|
|
|
|
func TestMalwareBazaarSource_Listed(t *testing.T) {
|
|
srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
if r.Header.Get("Auth-Key") == "" {
|
|
t.Errorf("missing Auth-Key header")
|
|
}
|
|
w.Header().Set("Content-Type", "application/json")
|
|
_, _ = w.Write([]byte(`{
|
|
"query_status": "ok",
|
|
"data": [{
|
|
"sha256_hash": "aaaa1111bbbb2222cccc3333dddd4444eeee5555ffff6666aaaa1111bbbb2222",
|
|
"file_name": "evil.exe",
|
|
"file_type_mime": "application/x-dosexec",
|
|
"signature": "Emotet",
|
|
"first_seen": "2024-01-01 00:00:00"
|
|
}]
|
|
}`))
|
|
}))
|
|
defer srv.Close()
|
|
|
|
s := &malwareBazaarSource{endpoint: srv.URL}
|
|
r := s.Query(context.Background(), "example.com", "example.com", sdk.CheckerOptions{"enable_malwarebazaar": true, "malwarebazaar_auth_key": "k"})[0]
|
|
if len(r.Evidence) != 1 {
|
|
t.Fatalf("expected 1 evidence item, got %+v", r)
|
|
}
|
|
if listed, severity := s.Evaluate(r); !listed || severity != SeverityWarn {
|
|
t.Errorf("expected Evaluate()=(true, warn), got (%v, %q)", listed, severity)
|
|
}
|
|
if r.Evidence[0].Status != "application/x-dosexec" {
|
|
t.Errorf("evidence status = %q", r.Evidence[0].Status)
|
|
}
|
|
if len(r.Reasons) != 1 || r.Reasons[0] != "Emotet" {
|
|
t.Errorf("reasons = %v", r.Reasons)
|
|
}
|
|
}
|
|
|
|
func TestMalwareBazaarSource_HTTPError(t *testing.T) {
|
|
srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
w.WriteHeader(http.StatusUnauthorized)
|
|
_, _ = w.Write([]byte("unauthorized"))
|
|
}))
|
|
defer srv.Close()
|
|
|
|
s := &malwareBazaarSource{endpoint: srv.URL}
|
|
r := s.Query(context.Background(), "example.com", "example.com", sdk.CheckerOptions{"enable_malwarebazaar": true, "malwarebazaar_auth_key": "k"})[0]
|
|
if r.Error == "" {
|
|
t.Errorf("expected error, got %+v", r)
|
|
}
|
|
}
|
|
|
|
func TestMalwareBazaarSource_Disabled(t *testing.T) {
|
|
s := &malwareBazaarSource{endpoint: "http://nope"}
|
|
r := s.Query(context.Background(), "example.com", "example.com", sdk.CheckerOptions{"enable_malwarebazaar": false})[0]
|
|
if r.Enabled {
|
|
t.Errorf("expected disabled, got %+v", r)
|
|
}
|
|
}
|
|
|
|
func TestMalwareBazaarSource_NoAuthKey(t *testing.T) {
|
|
s := &malwareBazaarSource{endpoint: "http://nope"}
|
|
r := s.Query(context.Background(), "example.com", "example.com", sdk.CheckerOptions{"enable_malwarebazaar": true})[0]
|
|
if r.Enabled {
|
|
t.Errorf("expected disabled when no auth key, got %+v", r)
|
|
}
|
|
}
|