pydoc comments for initial tests
mmguero committed Dec 19, 2024
1 parent da5edc3 commit 6595910
Showing 12 changed files with 400 additions and 2 deletions.
2 changes: 1 addition & 1 deletion pyproject.toml
Expand Up @@ -4,7 +4,7 @@ build-backend = "hatchling.build"

[project]
name = "malcolm-test"
version = "0.9.0"
version = "0.9.1"
authors = [
{ name="Seth Grover", email="[email protected]" },
]
94 changes: 94 additions & 0 deletions src/maltest/tests/test_arkime_api.py
Expand Up @@ -30,6 +30,14 @@ def test_arkime_views(
malcolm_url,
malcolm_http_auth,
):
"""test_arkime_views
Test the Arkime views API
Args:
malcolm_url (str): URL for connecting to the Malcolm instance
malcolm_http_auth (HTTPBasicAuth): username and password for the Malcolm instance
"""
response = requests.get(
f"{malcolm_url}/arkime/api/views",
headers={"Content-Type": "application/json"},
Expand All @@ -50,6 +58,15 @@ def test_arkime_sessions(
malcolm_http_auth,
artifact_hash_map,
):
"""test_arkime_sessions
Test the Arkime sessions API
Args:
malcolm_url (str): URL for connecting to the Malcolm instance
malcolm_http_auth (HTTPBasicAuth): username and password for the Malcolm instance
artifact_hash_map (defaultdict(lambda: None)): a map of artifact files' full path to their file hash
"""
for viewName in EXPECTED_VIEWS:
response = requests.post(
f"{malcolm_url}/arkime/api/sessions",
Expand Down Expand Up @@ -77,6 +94,15 @@ def test_arkime_connections(
malcolm_http_auth,
artifact_hash_map,
):
"""test_arkime_connections
Test the Arkime connections API
Args:
malcolm_url (str): URL for connecting to the Malcolm instance
malcolm_http_auth (HTTPBasicAuth): username and password for the Malcolm instance
artifact_hash_map (defaultdict(lambda: None)): a map of artifact files' full path to their file hash
"""
response = requests.post(
f"{malcolm_url}/arkime/api/connections",
headers={"Content-Type": "application/json"},
Expand All @@ -102,6 +128,15 @@ def test_arkime_pcap_payload(
malcolm_http_auth,
artifact_hash_map,
):
"""test_arkime_pcap_payload
Test the Arkime sessions/pcap API (download a PCAP payload)
Args:
malcolm_url (str): URL for connecting to the Malcolm instance
malcolm_http_auth (HTTPBasicAuth): username and password for the Malcolm instance
artifact_hash_map (defaultdict(lambda: None)): a map of artifact files' full path to their file hash
"""
response = requests.post(
f"{malcolm_url}/arkime/api/sessions",
headers={"Content-Type": "application/json"},
Expand Down Expand Up @@ -140,6 +175,15 @@ def test_arkime_spiview(
malcolm_http_auth,
artifact_hash_map,
):
"""test_arkime_spiview
Test the Arkime SPIview API
Args:
malcolm_url (str): URL for connecting to the Malcolm instance
malcolm_http_auth (HTTPBasicAuth): username and password for the Malcolm instance
artifact_hash_map (defaultdict(lambda: None)): a map of artifact files' full path to their file hash
"""
response = requests.post(
f"{malcolm_url}/arkime/api/spiview",
headers={"Content-Type": "application/json"},
Expand Down Expand Up @@ -167,6 +211,15 @@ def test_arkime_spigraph(
malcolm_http_auth,
artifact_hash_map,
):
"""test_arkime_spigraph
Test the Arkime SPIgraph API
Args:
malcolm_url (str): URL for connecting to the Malcolm instance
malcolm_http_auth (HTTPBasicAuth): username and password for the Malcolm instance
artifact_hash_map (defaultdict(lambda: None)): a map of artifact files' full path to their file hash
"""
response = requests.post(
f"{malcolm_url}/arkime/api/spigraph",
headers={"Content-Type": "application/json"},
Expand All @@ -193,6 +246,14 @@ def test_arkime_files(
malcolm_url,
malcolm_http_auth,
):
"""test_arkime_files
Test the Arkime files API
Args:
malcolm_url (str): URL for connecting to the Malcolm instance
malcolm_http_auth (HTTPBasicAuth): username and password for the Malcolm instance
"""
response = requests.get(
f"{malcolm_url}/arkime/api/files",
headers={"Content-Type": "application/json"},
Expand All @@ -211,6 +272,14 @@ def test_arkime_fields(
malcolm_url,
malcolm_http_auth,
):
"""test_arkime_fields
Test the Arkime fields API
Args:
malcolm_url (str): URL for connecting to the Malcolm instance
malcolm_http_auth (HTTPBasicAuth): username and password for the Malcolm instance
"""
response = requests.get(
f"{malcolm_url}/arkime/api/fields",
headers={"Content-Type": "application/json"},
Expand All @@ -229,6 +298,14 @@ def test_arkime_valueactions(
malcolm_url,
malcolm_http_auth,
):
"""test_arkime_valueactions
Test the Arkime valueactions API
Args:
malcolm_url (str): URL for connecting to the Malcolm instance
malcolm_http_auth (HTTPBasicAuth): username and password for the Malcolm instance
"""
response = requests.get(
f"{malcolm_url}/arkime/api/valueactions",
headers={"Content-Type": "application/json"},
Expand All @@ -247,6 +324,14 @@ def test_arkime_fieldactions(
malcolm_url,
malcolm_http_auth,
):
"""test_arkime_fieldactions
Test the Arkime fieldactions API
Args:
malcolm_url (str): URL for connecting to the Malcolm instance
malcolm_http_auth (HTTPBasicAuth): username and password for the Malcolm instance
"""
response = requests.get(
f"{malcolm_url}/arkime/api/fieldactions",
headers={"Content-Type": "application/json"},
Expand All @@ -267,6 +352,15 @@ def test_arkime_unique(
malcolm_http_auth,
artifact_hash_map,
):
"""test_arkime_unique
Test the Arkime unique API
Args:
malcolm_url (str): URL for connecting to the Malcolm instance
malcolm_http_auth (HTTPBasicAuth): username and password for the Malcolm instance
artifact_hash_map (defaultdict(lambda: None)): a map of artifact files' full path to their file hash
"""
response = requests.post(
f"{malcolm_url}/arkime/api/unique",
headers={"Content-Type": "application/json"},
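Review bot: The docstring added to test_arkime_pcap_payload says it exercises the sessions/pcap download, but the only request visible in the hunk is to `/arkime/api/sessions`; if the PCAP fetch happens later in the body (which continues outside the hunk), the docstring should say that the session ID returned by that first query is what feeds the pcap request, so the two-step dependency is explicit. Throughout the file the first docstring line just repeats the function name (`"""test_arkime_views`), which PEP 257 discourages in favour of a one-line summary; `"""Test the Arkime views API.` as the first line would serve as both. The `artifact_hash_map (defaultdict(lambda: None))` annotation describes a constructor rather than a type; something like `dict[str, str | None]` mapping artifact path to hash, or whatever the fixture actually yields, would be more useful to a reader.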
60 changes: 59 additions & 1 deletion src/maltest/tests/test_common_protocols.py
Expand Up @@ -96,11 +96,20 @@

@pytest.mark.mapi
@pytest.mark.pcap
def test_common_protocols(
def test_common_protocols_zeek(
malcolm_http_auth,
malcolm_url,
artifact_hash_map,
):
"""test_common_protocols_zeek
Checks for the existence of various Zeek logs (event.dataset)
Args:
malcolm_http_auth (HTTPBasicAuth): username and password for the Malcolm instance
malcolm_url (str): URL for connecting to the Malcolm instance
artifact_hash_map (defaultdict(lambda: None)): a map of artifact files' full path to their file hash
"""
assert all([artifact_hash_map.get(x, None) for x in mmguero.GetIterable(UPLOAD_ARTIFACTS)])

response = requests.post(
Expand Down Expand Up @@ -133,6 +142,15 @@ def test_mapi_document_lookup(
malcolm_http_auth,
artifact_hash_map,
):
"""test_mapi_document_lookup
Test the /mapi/document API by looking up the JSON document for a zeek log
Args:
malcolm_url (str): URL for connecting to the Malcolm instance
malcolm_http_auth (HTTPBasicAuth): username and password for the Malcolm instance
artifact_hash_map (defaultdict(lambda: None)): a map of artifact files' full path to their file hash
"""
response = requests.post(
f"{malcolm_url}/mapi/document",
headers={"Content-Type": "application/json"},
Expand Down Expand Up @@ -166,6 +184,17 @@ def test_extracted_files_download(
malcolm_url,
malcolm_http_auth,
):
"""test_extracted_files_download
List the quarantined .exe files from the /extracted-files/quarantine page, then download one of them.
With the assumption that the downloaded .exe file is zipped (the test suite's default) and
encrypted with a password of "infected" (the test suite's default), it attempts to decrypt
and unzip the file.
Args:
malcolm_url (str): URL for connecting to the Malcolm instance
malcolm_http_auth (HTTPBasicAuth): username and password for the Malcolm instance
"""
response = requests.get(
f"{malcolm_url}/extracted-files/quarantine",
allow_redirects=True,
Expand Down Expand Up @@ -213,6 +242,16 @@ def test_freq(
malcolm_url,
artifact_hash_map,
):
"""test_freq
Test that the event.freq_score_v1 and event.freq_score_v2 fields were calculated. These fields
represent the entropy of dns.host values.
Args:
malcolm_http_auth (HTTPBasicAuth): username and password for the Malcolm instance
malcolm_url (str): URL for connecting to the Malcolm instance
artifact_hash_map (defaultdict(lambda: None)): a map of artifact files' full path to their file hash
"""
response = requests.post(
f"{malcolm_url}/mapi/agg/dns.host,event.freq_score_v1,event.freq_score_v2",
headers={"Content-Type": "application/json"},
Expand Down Expand Up @@ -250,6 +289,15 @@ def test_geo_asn(
malcolm_url,
artifact_hash_map,
):
"""test_geo_asn
Test that GeoIP and ASN lookups were performed for Zeek and Suricata logs
Args:
malcolm_http_auth (HTTPBasicAuth): username and password for the Malcolm instance
malcolm_url (str): URL for connecting to the Malcolm instance
artifact_hash_map (defaultdict(lambda: None)): a map of artifact files' full path to their file hash
"""
for provider in ('zeek', 'suricata'):
for field in ('destination.geo.city_name', 'source.geo.city_name', 'destination.as.full', 'source.as.full'):
response = requests.post(
Expand Down Expand Up @@ -280,6 +328,16 @@ def test_conn_info(
malcolm_url,
artifact_hash_map,
):
"""test_conn_info
Check that connection-related enrichment information (source and destination OUIs, direction, transport,
user agent, etc.) are calculated.
Args:
malcolm_http_auth (HTTPBasicAuth): username and password for the Malcolm instance
malcolm_url (str): URL for connecting to the Malcolm instance
artifact_hash_map (defaultdict(lambda: None)): a map of artifact files' full path to their file hash
"""
for provider in ['zeek']:
for field in (
'source.oui',
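Review bot: The new docstring on test_extracted_files_download says the quarantined .exe is decrypted and unzipped but not where the decrypted bytes end up; since the sample is zipped with the "infected" password precisely so that a live executable never sits on disk unprotected, the docstring should state whether the archive is opened in memory or written to a temporary path and, if the latter, that it is cleaned up afterwards (the body is outside the hunk, so I cannot confirm which it does). The rename from test_common_protocols to test_common_protocols_zeek changes the pytest node ID, so any `-k`, `--deselect` or CI allow-list entries pinned to the old name should be checked. Minor wording: test_freq describes freq_score_v1/v2 as the "entropy of dns.host values"; if these come from the character-frequency (freq.py) model, "frequency-based randomness score" is more accurate than "entropy".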
23 changes: 23 additions & 0 deletions src/maltest/tests/test_connectivity.py
Expand Up @@ -9,6 +9,13 @@
def test_vm_exists(
malcolm_vm_info,
):
"""test_vm_exists
Check that the VM in which the Malcolm instance is running is exists and has an IP address.
Args:
malcolm_vm_info (dict): information relating to the Malcolm instance (see MalcolmVM.Info())
"""
LOGGER.debug(malcolm_vm_info)
assert isinstance(malcolm_vm_info, dict) and malcolm_vm_info.get("ip", None)

Expand All @@ -18,6 +25,14 @@ def test_ping(
malcolm_url,
malcolm_http_auth,
):
"""test_ping
Test the /mapi/ping API
Args:
malcolm_url (str): URL for connecting to the Malcolm instance
malcolm_http_auth (HTTPBasicAuth): username and password for the Malcolm instance
"""
response = requests.get(
f"{malcolm_url}/mapi/ping",
allow_redirects=True,
Expand All @@ -35,6 +50,14 @@ def test_db_health(
malcolm_url,
database_objs,
):
"""test_db_health
Check the OpenSearch API and that the cluster's health returns "green" or "yellow"
Args:
malcolm_url (str): URL for connecting to the Malcolm instance
database_objs (DatabaseObjs): object containing classes references for either the OpenSearch or Elasticsearch Python libraries
"""
dbObjs = database_objs
healthDict = dict(
dbObjs.DatabaseClass(
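Review bot: The docstring added to test_vm_exists has a typo, `is running is exists`; it should read `Check that the VM in which the Malcolm instance is running exists and has an IP address.` In test_db_health, `object containing classes references` should be `object containing class references`, and it would help to say why "yellow" is accepted alongside "green" — presumably because a single-node deployment leaves replica shards unassigned — so a reader understands that "red" is the failure condition being guarded against rather than an oversight. The test_ping docstring could also note that the request is sent with malcolm_http_auth, so a 401 here distinguishes a credential problem from an unreachable instance; I cannot see the assertions, so confirm the status code is actually checked.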
37 changes: 37 additions & 0 deletions src/maltest/tests/test_detection_packages.py
Expand Up @@ -153,6 +153,15 @@ def test_detection_packages(
malcolm_url,
artifact_hash_map,
):
"""test_detection_packages
Check the rule.category field for various values related to Zeek packages that detect CVEs, etc.
Args:
malcolm_http_auth (HTTPBasicAuth): username and password for the Malcolm instance
malcolm_url (str): URL for connecting to the Malcolm instance
artifact_hash_map (defaultdict(lambda: None)): a map of artifact files' full path to their file hash
"""
assert all([artifact_hash_map.get(x, None) for x in mmguero.GetIterable(UPLOAD_ARTIFACTS)])

response = requests.post(
Expand Down Expand Up @@ -187,6 +196,15 @@ def test_hassh_package(
malcolm_url,
artifact_hash_map,
):
"""test_hassh_package
Test for the presence of zeek.ssh.hassh field generated by the HASSH package
Args:
malcolm_http_auth (HTTPBasicAuth): username and password for the Malcolm instance
malcolm_url (str): URL for connecting to the Malcolm instance
artifact_hash_map (defaultdict(lambda: None)): a map of artifact files' full path to their file hash
"""
response = requests.post(
f"{malcolm_url}/mapi/agg/zeek.ssh.hassh",
headers={"Content-Type": "application/json"},
Expand Down Expand Up @@ -216,6 +234,16 @@ def test_xor_decrypt_package(
malcolm_url,
artifact_hash_map,
):
"""test_xor_decrypt_package
Test for the existence of a file.source value of "XOR decrypted", which is generated by the
corelight/zeek-xor-exe-plugin package.
Args:
malcolm_http_auth (HTTPBasicAuth): username and password for the Malcolm instance
malcolm_url (str): URL for connecting to the Malcolm instance
artifact_hash_map (defaultdict(lambda: None)): a map of artifact files' full path to their file hash
"""
response = requests.post(
f"{malcolm_url}/mapi/agg/file.path",
headers={"Content-Type": "application/json"},
Expand Down Expand Up @@ -245,6 +273,15 @@ def test_http_sniffpass(
malcolm_url,
artifact_hash_map,
):
"""test_http_sniffpass
Check for the existence of the zeek.http.post_username field, which is generated by the cybera/zeek-sniffpass package
Args:
malcolm_http_auth (HTTPBasicAuth): username and password for the Malcolm instance
malcolm_url (str): URL for connecting to the Malcolm instance
artifact_hash_map (defaultdict(lambda: None)): a map of artifact files' full path to their file hash
"""
response = requests.post(
f"{malcolm_url}/mapi/agg/zeek.http.post_username",
headers={"Content-Type": "application/json"},
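Review bot: The docstring added to test_xor_decrypt_package says the test looks for a `file.source` value of "XOR decrypted", but the visible request aggregates on `file.path` (`/mapi/agg/file.path`); either the aggregation is filtered on file.source further down (outside the hunk) or the docstring names the wrong field, so please make the two agree. The test_hassh_package summary is missing an article: `Test for the presence of the zeek.ssh.hassh field generated by the HASSH package`. For test_http_sniffpass it is worth one sentence in the docstring that zeek.http.post_username holds credentials recovered from cleartext HTTP POSTs in the test PCAP, so whoever extends the fixture knows the field is sensitive and the sample traffic must stay synthetic.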
