From fc4e58b7f72e6ad57958a5de81bc79df01466893 Mon Sep 17 00:00:00 2001
From: Luciano Righetti
Date: Wed, 8 Jan 2025 14:32:49 +0100
Subject: [PATCH] add: analyst data event level
---
 src/mispguard.py | 9 +-
 .../test_event_note_blocked_distribution.json | 98 ++++++++++++++
 ...st_event_opinion_blocked_distribution.json | 98 ++++++++++++++
 ...ent_relationship_blocked_distribution.json | 124 ++++++++++++++++++
 src/test/test_push_scenarios.json | 48 +++++++
 5 files changed, 374 insertions(+), 3 deletions(-)
 create mode 100644 src/test/fixtures/test_event_note_blocked_distribution.json
 create mode 100644 src/test/fixtures/test_event_opinion_blocked_distribution.json
 create mode 100644 src/test/fixtures/test_event_relationship_blocked_distribution.json
diff --git a/src/mispguard.py b/src/mispguard.py
index a884517..d9e7e0b 100644
--- a/src/mispguard.py
+++ b/src/mispguard.py
@@ -492,13 +492,16 @@ def check_event_level_rules(self, rules: dict, event: dict) -> None:
 self.check_event_sharing_groups_rules(rules, event)
 if "Note" in event["Event"]:
- self.check_analyst_data_rules(rules, event["Event"]["Note"])
+ for note in event["Event"]["Note"]:
+ self.check_analyst_data_rules(rules, note)
 if "Opinion" in event["Event"]:
- self.check_analyst_data_rules(rules, event["Event"]["Opinion"])
+ for opinion in event["Event"]["Opinion"]:
+ self.check_analyst_data_rules(rules, opinion)
 if "Relationship" in event["Event"]:
- self.check_analyst_relationship_rules(rules, event["Event"]["Relationship"])
+ for relationship in event["Event"]["Relationship"]:
+ self.check_analyst_relationship_rules(rules, relationship)
 def check_attribute_level_rules(self, rules: dict, attributes: dict) -> None:
 logger.debug("checking attribute level rules")
diff --git a/src/test/fixtures/test_event_note_blocked_distribution.json b/src/test/fixtures/test_event_note_blocked_distribution.json
new file mode 100644
index 0000000..cc280bc
--- /dev/null
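Review bot: The three new loops in check_event_level_rules assume `event["Event"]["Note"]`, `["Opinion"]` and `["Relationship"]` are lists of dicts; a pushed event that carries a dict or a string under one of those keys would make the loop iterate keys or characters and hand those to check_analyst_data_rules / check_analyst_relationship_rules, so an unexpected shape is either rejected with an unrelated error or, depending on how those helpers treat a non-dict, not rejected at all. Since this function is the enforcement point, I would verify the shape before iterating and block the request on mismatch, using the same blocking exception the other check_* methods raise (not visible in this hunk), e.g. `if not isinstance(event["Event"]["Note"], list): raise <blocking exception>` for each of the three branches. The old code passed the whole list to the helpers, so the per-item call changes what they receive; a one-line comment such as `# MISP serialises event-level analyst data as a list of objects` would make the expected shape explicit. check_event_level_rules starts above this hunk.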
+++ b/src/test/fixtures/test_event_note_blocked_distribution.json 
@@ -0,0 +1,98 @@
+{
+ "Event": {
+ "id": "1",
+ "orgc_id": "1",
+ "org_id": "1",
+ "date": "2022-08-31",
+ "threat_level_id": "1",
+ "info": "non-blocked",
+ "published": false,
+ "uuid": "385283a1-b5e0-4e10-a532-dce11c365a56",
+ "attribute_count": "4",
+ "analysis": "0",
+ "timestamp": "1661956788",
+ "distribution": "2",
+ "proposal_email_lock": false,
+ "locked": false,
+ "publish_timestamp": "1661956380",
+ "sharing_group_id": "0",
+ "disable_correlation": false,
+ "extends_uuid": "",
+ "protected": null,
+ "event_creator_email": "admin@admin.test",
+ "Org": {
+ "id": "1",
+ "name": "HOST",
+ "uuid": "10c8f445-888b-4a2d-bac8-4e1e8861d595",
+ "local": true
+ },
+ "Orgc": {
+ "id": "1",
+ "name": "HOST",
+ "uuid": "10c8f445-888b-4a2d-bac8-4e1e8861d595",
+ "local": true
+ },
+ "Attribute": [
+ {
+ "id": "1",
+ "type": "ip-src",
+ "category": "Network activity",
+ "to_ids": false,
+ "uuid": "e37a6c99-c7dc-4e41-8c79-25e35c39df0a",
+ "event_id": "1",
+ "distribution": "5",
+ "timestamp": "1661956302",
+ "comment": "",
+ "sharing_group_id": "0",
+ "deleted": false,
+ "disable_correlation": false,
+ "object_id": "0",
+ "object_relation": null,
+ "first_seen": null,
+ "last_seen": null,
+ "value": "8.8.8.8",
+ "Galaxy": [],
+ "ShadowAttribute": []
+ }
+ ],
+ "ShadowAttribute": [],
+ "RelatedEvent": [],
+ "Galaxy": [],
+ "Object": [],
+ "EventReport": [],
+ "CryptographicKey": [],
+ "Note": [
+ {
+ "id": "1",
+ "uuid": "9c0e3e20-b1ea-4473-81d2-845c4399c36d",
+ "object_uuid": "b3eedfc4-8ffa-41a2-875b-6c3d0e4602b8",
+ "object_type": "Attribute",
+ "authors": "john.doe@admin.test",
+ "org_uuid": "10c8f445-888b-4a2d-bac8-4e1e8861d595",
+ "orgc_uuid": "10c8f445-888b-4a2d-bac8-4e1e8861d595",
+ "created": "2024-10-04 08:09:39",
+ "modified": "2024-10-04 08:09:39",
+ "distribution": "0",
+ "sharing_group_id": null,
+ "locked": false,
+ "note": "Ceci est une note",
+ "language": "fr-BE",
+ "note_type": 0,
+ "note_type_name": "Note",
+ "Org": {
+ "id": "1",
+ "name": "HOST",
+ "uuid": "10c8f445-888b-4a2d-bac8-4e1e8861d595",
+ "local": true
+ },
+ "Orgc": {
+ "id": "1",
+ "name": "HOST",
+ "uuid": "10c8f445-888b-4a2d-bac8-4e1e8861d595",
+ "local": true
+ },
+ "_canEdit": true
+ }
+ ]
+ }
+}
\ No newline at end of file
diff --git a/src/test/fixtures/test_event_opinion_blocked_distribution.json b/src/test/fixtures/test_event_opinion_blocked_distribution.json
new file mode 100644
index 0000000..91479c5
--- /dev/null
+++ b/src/test/fixtures/test_event_opinion_blocked_distribution.json
@@ -0,0 +1,98 @@
+{
+ "Event": {
+ "id": "1",
+ "orgc_id": "1",
+ "org_id": "1",
+ "date": "2022-08-31",
+ "threat_level_id": "1",
+ "info": "non-blocked",
+ "published": false,
+ "uuid": "385283a1-b5e0-4e10-a532-dce11c365a56",
+ "attribute_count": "4",
+ "analysis": "0",
+ "timestamp": "1661956788",
+ "distribution": "2",
+ "proposal_email_lock": false,
+ "locked": false,
+ "publish_timestamp": "1661956380",
+ "sharing_group_id": "0",
+ "disable_correlation": false,
+ "extends_uuid": "",
+ "protected": null,
+ "event_creator_email": "admin@admin.test",
+ "Org": {
+ "id": "1",
+ "name": "HOST",
+ "uuid": "10c8f445-888b-4a2d-bac8-4e1e8861d595",
+ "local": true
+ },
+ "Orgc": {
+ "id": "1",
+ "name": "HOST",
+ "uuid": "10c8f445-888b-4a2d-bac8-4e1e8861d595",
+ "local": true
+ },
+ "Attribute": [
+ {
+ "id": "1",
+ "type": "ip-src",
+ "category": "Network activity",
+ "to_ids": false,
+ "uuid": "e37a6c99-c7dc-4e41-8c79-25e35c39df0a",
+ "event_id": "1",
+ "distribution": "5",
+ "timestamp": "1661956302",
+ "comment": "",
+ "sharing_group_id": "0",
+ "deleted": false,
+ "disable_correlation": false,
+ "object_id": "0",
+ "object_relation": null,
+ "first_seen": null,
+ "last_seen": null,
+ "value": "8.8.8.8",
+ "Galaxy": [],
+ "ShadowAttribute": []
+ }
+ ],
+ "ShadowAttribute": [],
+ "RelatedEvent": [],
+ "Galaxy": [],
+ "Object": [],
+ "EventReport": [],
+ "CryptographicKey": [],
+ "Opinion": [
+ {
+ "id": "1",
+ "uuid": "f43b2e9c-93c3-4d1e-a99a-e0996ced962c",
+ "object_uuid": "b3eedfc4-8ffa-41a2-875b-6c3d0e4602b8",
+ "object_type": "Event",
+ "authors": "john.doe@admin.test",
+ "org_uuid": "10c8f445-888b-4a2d-bac8-4e1e8861d595",
+ "orgc_uuid": "10c8f445-888b-4a2d-bac8-4e1e8861d595",
+ "created": "2024-10-04 08:09:47",
+ "modified": "2024-10-04 08:09:47",
+ "distribution": "0",
+ "sharing_group_id": null,
+ "locked": false,
+ "opinion": "75",
+ "comment": "This is an opinion",
+ "note_type": 1,
+ "note_type_name": "Opinion",
+ "Org": {
+ "id": "1",
+ "name": "HOST",
+ "uuid": "10c8f445-888b-4a2d-bac8-4e1e8861d595",
+ "local": true
+ },
+ "Orgc": {
+ "id": "1",
+ "name": "HOST",
+ "uuid": "10c8f445-888b-4a2d-bac8-4e1e8861d595",
+ "local": true
+ },
+ "_canEdit": true
+ }
+ ]
+ }
+}
\ No newline at end of file
diff --git a/src/test/fixtures/test_event_relationship_blocked_distribution.json b/src/test/fixtures/test_event_relationship_blocked_distribution.json
new file mode 100644
index 0000000..cd56367
--- /dev/null
+++ b/src/test/fixtures/test_event_relationship_blocked_distribution.json
@@ -0,0 +1,124 @@
+{
+ "Event": {
+ "id": "1",
+ "orgc_id": "1",
+ "org_id": "1",
+ "date": "2022-08-31",
+ "threat_level_id": "1",
+ "info": "non-blocked",
+ "published": false,
+ "uuid": "385283a1-b5e0-4e10-a532-dce11c365a56",
+ "attribute_count": "4",
+ "analysis": "0",
+ "timestamp": "1661956788",
+ "distribution": "2",
+ "proposal_email_lock": false,
+ "locked": false,
+ "publish_timestamp": "1661956380",
+ "sharing_group_id": "0",
+ "disable_correlation": false,
+ "extends_uuid": "",
+ "protected": null,
+ "event_creator_email": "admin@admin.test",
+ "Org": {
+ "id": "1",
+ "name": "HOST",
+ "uuid": "10c8f445-888b-4a2d-bac8-4e1e8861d595",
+ "local": true
+ },
+ "Orgc": {
+ "id": "1",
+ "name": "HOST",
+ "uuid": "10c8f445-888b-4a2d-bac8-4e1e8861d595",
+ "local": true
+ },
+ "Attribute": [
+ {
+ "id": "1",
+ "type": "ip-src",
+ "category": "Network activity",
+ "to_ids": false,
+ "uuid": "e37a6c99-c7dc-4e41-8c79-25e35c39df0a",
+ "event_id": "1",
+ "distribution": "5",
+ "timestamp": "1661956302",
+ "comment": "",
+ "sharing_group_id": "0",
+ "deleted": false,
+ "disable_correlation": false,
+ "object_id": "0",
+ "object_relation": null,
+ "first_seen": null,
+ "last_seen": null,
+ "value": "8.8.8.8",
+ "Galaxy": [],
+ "ShadowAttribute": []
+ }
+ ],
+ "ShadowAttribute": [],
+ "RelatedEvent": [],
+ "Galaxy": [],
+ "Object": [],
+ "EventReport": [],
+ "CryptographicKey": [],
+ "Relationship": [
+ {
+ "id": "1",
+ "uuid": "41146bcb-2869-4cf0-8abb-015e8d1350c9",
+ "object_uuid": "a81a9424-a62d-4a3d-b402-917d48b124bd",
+ "object_type": "Attribute",
+ "authors": "admin@admin.test",
+ "org_uuid": "10c8f445-888b-4a2d-bac8-4e1e8861d595",
+ "orgc_uuid": "10c8f445-888b-4a2d-bac8-4e1e8861d595",
+ "created": "2024-10-30 11:09:13",
+ "modified": "2024-10-30 11:09:13",
+ "distribution": "0",
+ "sharing_group_id": null,
+ "locked": false,
+ "relationship_type": "Acquaintance",
+ "related_object_uuid": "bba62eca-8f51-45c9-ad90-5abaca45d6cd",
+ "related_object_type": "Event",
+ "note_type": 2,
+ "note_type_name": "Relationship",
+ "Org": {
+ "id": "1",
+ "name": "HOST",
+ "uuid": "10c8f445-888b-4a2d-bac8-4e1e8861d595",
+ "local": true
+ },
+ "Orgc": {
+ "id": "1",
+ "name": "HOST",
+ "uuid": "10c8f445-888b-4a2d-bac8-4e1e8861d595",
+ "local": true
+ },
+ "_canEdit": true,
+ "related_object": {
+ "Event": {
+ "id": "37",
+ "org_id": "6",
+ "date": "2022-03-24",
+ "info": "Test Event",
+ "user_id": "138",
+ "uuid": "bba62eca-8f51-45c9-ad90-5abaca45d6cd",
+ "published": true,
+ "analysis": "1",
+ "attribute_count": "11",
+ "orgc_id": "2",
+ "timestamp": "1730278463",
+ "distribution": "3",
+ "sharing_group_id": "0",
+ "proposal_email_lock": false,
+ "locked": true,
+ "threat_level_id": "2",
+ "publish_timestamp": "1730278489",
+ "sighting_timestamp": "0",
+ "disable_correlation": false,
+ "extends_uuid": "",
+ "protected": null
+ }
+ }
+ }
+ ]
+ }
+}
\ No newline at end of file
diff --git a/src/test/test_push_scenarios.json b/src/test/test_push_scenarios.json
index 0825c28..de9482e 100644
--- a/src/test/test_push_scenarios.json
+++ b/src/test/test_push_scenarios.json
@@ -739,6 +739,54 @@
 "expected_status_code": 200,
 "expected_logs": []
 },
+ {
+ "name": "push_new_event_blocked_note_distribution",
+ "host": "instance1-comp2.com",
+ "port": 443,
+ "url": "/events/add/metadata:1",
+ "method": "POST",
+ "client": {
+ "ip": "20.0.0.2",
+ "port": 22
+ },
+ "fixture_file": "./test/fixtures/test_event_note_blocked_distribution.json",
+ "expected_status_code": 403,
+ "expected_logs": [
+ "request blocked: [POST]/events/add/metadata:1 - analyst data has blocked distribution level: 0"
+ ]
+ },
+ {
+ "name": "push_new_event_blocked_opinion_distribution",
+ "host": "instance1-comp2.com",
+ "port": 443,
+ "url": "/events/add/metadata:1",
+ "method": "POST",
+ "client": {
+ "ip": "20.0.0.2",
+ "port": 22
+ },
+ "fixture_file": "./test/fixtures/test_event_opinion_blocked_distribution.json",
+ "expected_status_code": 403,
+ "expected_logs": [
+ "request blocked: [POST]/events/add/metadata:1 - analyst data has blocked distribution level: 0"
+ ]
+ },
+ {
+ "name": "push_new_event_blocked_relationship_distribution",
+ "host": "instance1-comp2.com",
+ "port": 443,
+ "url": "/events/add/metadata:1",
+ "method": "POST",
+ "client": {
+ "ip": "20.0.0.2",
+ "port": 22
+ },
+ "fixture_file": "./test/fixtures/test_event_relationship_blocked_distribution.json",
+ "expected_status_code": 403,
+ "expected_logs": [
+ "request blocked: [POST]/events/add/metadata:1 - analyst data has blocked distribution level: 0"
+ ]
+ },
 {
 "name": "push_new_event_blocked_attribute_note_distribution",
 "host": "instance1-comp2.com",
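Review bot: Each of the three new scenarios points at a fixture holding a single analyst-data entry, so none of them demonstrates that the per-item loop this commit introduces in check_event_level_rules visits anything past the first element; a scenario whose fixture carries two Notes with only the second at a blocked distribution would pin that behaviour. The three `expected_logs` entries are identical, so a scenario cannot tell which branch produced the block — fine if the message deliberately omits the analyst-data type, but it means a mix-up between the Note and Opinion paths would go unnoticed here. I also do not see, within this hunk, a positive scenario (expected 200) for event-level analyst data at an allowed distribution, which is the case that would catch a regression blocking every event that carries analyst data; if one exists elsewhere in the file this can be ignored.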