updates

idaholab · Dec 3, 2024 · 3c374fc · 3c374fc
1 parent 9be3f86
commit 3c374fc
Show file tree

Hide file tree

Showing 4 changed files with 127 additions and 106 deletions.
diff --git a/README.md b/README.md
@@ -299,4 +299,4 @@ See the following tests for examples of how to access and use these fixtures:
 
 * [test_malcolm_response.py](src/maltest/tests/test_malcolm_response.py) - querying the [Malcolm API](https://idaholab.github.io/Malcolm/docs/api.html#API) using the [Requests](https://requests.readthedocs.io/en/latest/) library
 * [test_malcolm_db_health.py](src/maltest/tests/test_malcolm_db_health.py) - querying the [data store](https://idaholab.github.io/Malcolm/docs/opensearch-instances.html#OpenSearchInstance) directly using the [OpenSearch](https://opensearch.org/docs/latest/clients/python-low-level/) or [Elasticsearch](https://www.elastic.co/guide/en/elasticsearch/client/python-api/current/index.html) client
-* [test_icsnpp_protocols.py](src/maltest/tests/test_icsnpp_protocols.py) - querying the [Malcolm Field Aggregation API](https://idaholab.github.io/Malcolm/docs/api-aggregations.html), specifying a `from` query start time filter to search all historical data, a filter on `event.provider` to limit the result set to records from Zeek, and a `tags` filter to limit the matching records to the tags represented by the uploaded PCAPs (see above)
+* [test_common_protocols.py](src/maltest/tests/test_common_protocols.py) - querying the [Malcolm Field Aggregation API](https://idaholab.github.io/Malcolm/docs/api-aggregations.html), specifying a `from` query start time filter to search all historical data, a filter on `event.provider` to limit the result set to records from Zeek, and a `tags` filter to limit the matching records to the tags represented by the uploaded PCAPs (see above)
diff --git a/src/maltest/tests/test_common_protocols.py b/src/maltest/tests/test_common_protocols.py
@@ -0,0 +1,119 @@
+import mmguero
+import requests
+import logging
+
+LOGGER = logging.getLogger(__name__)
+
+UPLOAD_ARTIFACTS = [
+    "DCERPC.pcap",
+    "DHCP.pcap",
+    "DNS.pcap",
+    "FTP.pcap",
+    "HTTP_1.pcap",
+    "HTTP_2.pcap",
+    "IPsec.pcap",
+    "IRC.pcap",
+    "KRB5.pcap",
+    "LDAP.pcap",
+    "MySQL.pcap",
+    "NTLM.pcap",
+    "NTP.pcap",
+    "OpenVPN.pcap",
+    "OSPF.pcap",
+    "QUIC.pcap",
+    "RADIUS.pcap",
+    "RDP.pcap",
+    "RFB.pcap",
+    "SIP.pcap",
+    "SMB.pcap",
+    "SMTP.pcap",
+    "SNMP.pcap",
+    "SSH.pcap",
+    "SSL.pcap",
+    "STUN.pcap",
+    "Syslog.pcap",
+    "Telnet.pcap",
+    "TFTP.pcap",
+    "Tunnels.pcap",
+    "WireGuard.pcap",
+]
+
+EXPECTED_DATASETS = [
+    "conn",
+    "dce_rpc",
+    "dhcp",
+    "dns",
+    "dpd",
+    "files",
+    "ftp",
+    "gquic",
+    "http",
+    "ipsec",
+    "irc",
+    "ja4ssh",
+    "kerberos",
+    "known_certs",
+    "known_hosts",
+    "known_services",
+    "ldap",
+    "ldap_search",
+    "login",
+    "mysql",
+    "notice",
+    "ntlm",
+    "ntp",
+    "ocsp",
+    "ospf",
+    "pe",
+    "radius",
+    "rdp",
+    "rfb",
+    "sip",
+    "smb_cmd",
+    "smb_files",
+    "smb_mapping",
+    "smtp",
+    "snmp",
+    "socks",
+    "software",
+    "ssh",
+    "ssl",
+    "stun",
+    "stun_nat",
+    "syslog",
+    "tftp",
+    "tunnel",
+    "websocket",
+    "weird",
+    "wireguard",
+    "x509",
+]
+
+
+def test_common_protocols(
+    malcolm_http_auth,
+    malcolm_url,
+    pcap_hash_map,
+):
+    assert all([pcap_hash_map.get(x, None) for x in mmguero.GetIterable(UPLOAD_ARTIFACTS)])
+
+    response = requests.post(
+        f"{malcolm_url}/mapi/agg/event.dataset",
+        headers={"Content-Type": "application/json"},
+        json={
+            "from": "0",
+            "filter": {
+                "event.provider": "zeek",
+                "tags": [pcap_hash_map[x] for x in mmguero.GetIterable(UPLOAD_ARTIFACTS)],
+            },
+        },
+        allow_redirects=True,
+        auth=malcolm_http_auth,
+        verify=False,
+    )
+    response.raise_for_status()
+    buckets = {
+        item['key']: item['doc_count'] for item in mmguero.DeepGet(response.json(), ['event.dataset', 'buckets'], [])
+    }
+    LOGGER.info(buckets)
+    assert all([(buckets.get(x, 0) > 0) for x in EXPECTED_DATASETS])
diff --git a/src/maltest/tests/test_malcolm_pcap.py b/src/maltest/tests/test_malcolm_pcap.py
diff --git a/src/maltest/tests/test_icsnpp_protocols.py → src/maltest/tests/test_ot_protocols.py b/src/maltest/tests/test_icsnpp_protocols.py → src/maltest/tests/test_ot_protocols.py
@@ -21,7 +21,12 @@
     "protocols/TDS.pcap",
 ]
 
-# TODO: genisys is not enabled by default?
+# TODO:
+# "ecat_arp_info",
+# "ecat_foe_info",
+# "ecat_soe_info",
+# "ge_srtp",
+# "genisys",
 EXPECTED_DATASETS = [
     "bacnet",
     "bacnet_device_control",
@@ -109,7 +114,7 @@
 ]
 
 
-def test_icsnpp_protocols(
+def test_ot_protocols(
     malcolm_http_auth,
     malcolm_url,
     pcap_hash_map,