Merge pull request #916 from Sekhar-Kumar-Dash/patch-50

added a test for idea_format

Author: AlyaGomaa

.github/workflows/unit-tests.yml

@@ -77,6 +77,7 @@ jobs:
           - test_host_ip_manager.py
           - test_host_ip_manager.py
           - test_rnn_cc_detection.py
+          - test_idea_format.py
 
     steps:
     - uses: actions/checkout@v4

modules/cesnet/cesnet.py

@@ -1,14 +1,23 @@
-from slips_files.common.parsers.config_parser import ConfigParser
-from slips_files.common.abstracts.module import IModule
-from ..cesnet.warden_client import Client, read_cfg
 import os
 import json
 import time
 import threading
 import queue
 import ipaddress
 import validators
+
+from slips_files.common.parsers.config_parser import ConfigParser
+from slips_files.common.abstracts.module import IModule
+from slips_files.core.structures.evidence import (
+    ThreatLevel,
+    Evidence,
+    dict_to_evidence,
+)
+from ..cesnet.warden_client import Client, read_cfg
 from slips_files.common.slips_utils import utils
+from slips_files.common.idea_format import (
+    idea_format,
+)
 
 
 class CESNET(IModule):
@@ -92,34 +101,13 @@ def export_evidence(self, evidence: dict):
         """
         Exports evidence to warden server
         """
-        threat_level = evidence.get("threat_level")
-        if threat_level == "info":
+        evidence: Evidence = dict_to_evidence(evidence)
+        threat_level = evidence.threat_level
+        if threat_level == ThreatLevel.INFO:
             # don't export alerts of type 'info'
             return False
 
-        description = evidence["description"]
-        profileid = evidence["profileid"]
-        srcip = profileid.split("_")[1]
-        evidence_type = evidence["evidence_type"]
-        attacker_direction = evidence["attacker_direction"]
-        attacker = evidence["attacker"]
-        evidence_id = evidence["ID"]
-        confidence = evidence.get("confidence")
-        port = evidence.get("port")
-        proto = evidence.get("proto")
-
-        evidence_in_idea = utils.IDEA_format(
-            srcip,
-            evidence_type,
-            attacker_direction,
-            attacker,
-            description,
-            confidence,
-            port,
-            proto,
-            evidence_id,
-        )
-
+        evidence_in_idea: dict = idea_format(evidence)
         # remove private ips from the alert
         evidence_in_idea = self.remove_private_ips(evidence_in_idea)
 
@@ -178,7 +166,8 @@ def import_alerts(self):
         tag = []
         notag = []
 
-        # group = ['cz.tul.ward.kippo','cz.vsb.buldog.kippo', 'cz.zcu.civ.afrodita','cz.vutbr.net.bee.hpscan']
+        # group = ['cz.tul.ward.kippo','cz.vsb.buldog.kippo',
+        # 'cz.zcu.civ.afrodita','cz.vutbr.net.bee.hpscan']
         group = []
         nogroup = []
 

slips_files/common/idea_format.py

@@ -1,4 +1,3 @@
-import traceback
 from datetime import datetime
 from typing import Tuple
 
@@ -57,13 +56,13 @@ def extract_role_type(evidence: Evidence, role=None) -> str:
         ioc = evidence.victim.value
         ioc_type = evidence.victim.victim_type
 
-    if ioc_type == IoCType.IP.name:
+    if ioc_type == IoCType.IP:
         return ioc, get_ip_version(ioc)
 
     # map of slips victim types to IDEA supported types
     idea_type = {
-        IoCType.DOMAIN.name: "Hostname",
-        IoCType.URL.name: "URL",
+        IoCType.DOMAIN: "Hostname",
+        IoCType.URL: "URL",
     }
     return ioc, idea_type[ioc_type]
 
@@ -75,88 +74,88 @@ def idea_format(evidence: Evidence):
     Detailed explanation of IDEA categories:
     https://idea.cesnet.cz/en/classifications
     """
-    try:
-        idea_dict = {
-            "Format": "IDEA0",
-            "ID": evidence.id,
-            # both times represet the time of the detection, we probably
-            # don't need flow_datetime
-            "DetectTime": datetime.now(utils.local_tz).isoformat(),
-            "EventTime": datetime.now(utils.local_tz).isoformat(),
-            "Confidence": evidence.confidence,
-            "Source": [{}],
-        }
-
-        attacker, attacker_type = extract_role_type(evidence, role="attacker")
-        idea_dict["Source"][0].update({attacker_type: [attacker]})
-
-        # according to the IDEA format
-        # When someone communicates with C&C, both sides of communication are
-        # sources, differentiated by the Type attribute, 'C&C' or 'Botnet'
-        # https://idea.cesnet.cz/en/design#:~:text=to%20string%20%E2%80%9CIDEA1
-        # %E2%80%9D.-,Sources%20and%20targets,-As%20source%20of
-        if evidence.evidence_type == EvidenceType.COMMAND_AND_CONTROL_CHANNEL:
-            # botnet, ip_version = extract_cc_botnet_ip(evidence)
-            idea_dict["Source"][0].update({"Type": ["Botnet"]})
-
-            cc_server, ip_version = extract_cc_server_ip(evidence)
-            server_info: dict = {ip_version: [cc_server], "Type": ["CC"]}
-
-            idea_dict["Source"].append(server_info)
-
-        # the idx of the daddr, in CC detections, it's the second one
-        idx = (
-            1
-            if (
-                evidence.evidence_type
-                == EvidenceType.COMMAND_AND_CONTROL_CHANNEL
-            )
-            else 0
-        )
-        if evidence.port:
-            idea_dict["Source"][idx].update({"Port": [evidence.port]})
-        if evidence.proto:
-            idea_dict["Source"][idx].update({"Proto": [evidence.proto.name]})
-
-        if hasattr(evidence, "victim") and evidence.victim:
-            # is the dstip ipv4/ipv6 or mac?
-            victims_ip: str
-            victim_type: str
-            victims_ip, victim_type = extract_role_type(
-                evidence, role="victim"
-            )
-            idea_dict["Target"] = [{victim_type: [victims_ip]}]
+    # try:
+    idea_dict = {
+        "Format": "IDEA0",
+        "ID": evidence.id,
+        # both times represet the time of the detection, we probably
+        # don't need flow_datetime
+        "DetectTime": datetime.now(utils.local_tz).isoformat(),
+        "EventTime": datetime.now(utils.local_tz).isoformat(),
+        "Confidence": evidence.confidence,
+        "Source": [{}],
+    }
 
-        # add the description
-        attachment = {
-            "Attach": [
+    attacker, attacker_type = extract_role_type(evidence, role="attacker")
+    idea_dict["Source"][0].update({attacker_type: [attacker]})
+
+    # according to the IDEA format
+    # When someone communicates with C&C, both sides of communication are
+    # sources, differentiated by the Type attribute, 'C&C' or 'Botnet'
+    # https://idea.cesnet.cz/en/design#:~:text=to%20string%20%E2%80%9CIDEA1
+    # %E2%80%9D.-,Sources%20and%20targets,-As%20source%20of
+    if evidence.evidence_type == EvidenceType.COMMAND_AND_CONTROL_CHANNEL:
+        # botnet, ip_version = extract_cc_botnet_ip(evidence)
+        idea_dict["Source"][0].update({"Type": ["Botnet"]})
+
+        cc_server, ip_version = extract_cc_server_ip(evidence)
+        server_info: dict = {ip_version: [cc_server], "Type": ["CC"]}
+
+        idea_dict["Source"].append(server_info)
+
+    # the idx of the daddr, in CC detections, is the second one
+    idx = (
+        1
+        if (evidence.evidence_type == EvidenceType.COMMAND_AND_CONTROL_CHANNEL)
+        else 0
+    )
+    if evidence.src_port:
+        idea_dict["Source"][idx].update({"Port": [evidence.src_port]})
+    if evidence.src_port:
+        idea_dict["Target"][idx].update({"Port": [evidence.dst_port]})
+    if evidence.proto:
+        idea_dict["Source"][idx].update({"Proto": [evidence.proto.name]})
+
+    if hasattr(evidence, "victim") and evidence.victim:
+        # is the dstip ipv4/ipv6 or mac?
+        victims_ip: str
+        victim_type: str
+        victims_ip, victim_type = extract_role_type(evidence, role="victim")
+        idea_dict["Target"] = [{victim_type: [victims_ip]}]
+
+    # add the description
+    attachment = {
+        "Attach": [
+            {
+                "Content": evidence.description,
+                "ContentType": "text/plain",
+            }
+        ]
+    }
+    idea_dict.update(attachment)
+
+    if evidence.evidence_type == EvidenceType.MALICIOUS_DOWNLOADED_FILE:
+        md5 = evidence.description.split("downloaded file ")[-1].split(
+            ". size"
+        )[0]
+        idea_dict["Attach"] = [
+            {
+                "Type": ["Malware"],
+                "Hash": [f"md5:{md5}"],
+            }
+        ]
+        if "size" in evidence.description:
+            idea_dict.update(
                 {
-                    "Content": evidence.description,
-                    "ContentType": "text/plain",
+                    "Size": int(
+                        evidence.description.replace(".", "")
+                        .split("size:")[1]
+                        .split("bytes")[0]
+                    )
                 }
-            ]
-        }
-        idea_dict.update(attachment)
+            )
 
-        if evidence.evidence_type == EvidenceType.MALICIOUS_DOWNLOADED_FILE:
-            idea_dict["Attach"] = [
-                {
-                    "Type": ["Malware"],
-                    "Hash": [f"md5:{evidence.attacker.value}"],
-                }
-            ]
-            if "size" in evidence.description:
-                idea_dict.update(
-                    {
-                        "Size": int(
-                            evidence.description.replace(".", "")
-                            .split("size:")[1]
-                            .split("from")[0]
-                        )
-                    }
-                )
-
-        return idea_dict
-    except Exception as e:
-        print(f"Error in idea_format(): {e}")
-        print(traceback.format_exc())
+    return idea_dict
+    # except Exception as e:
+    #     print(f"Error in idea_format(): {e}")
+    #     print(traceback.format_exc())