From 8b3e54115eeab889670e6e147aa37e4fc245e13f Mon Sep 17 00:00:00 2001
From: Shivani Bhardwaj <shivanib134@gmail.com>
Date: Tue, 30 Jun 2020 09:15:28 +0530
Subject: [PATCH] tests: add test for classification file merge

---
 tests/classification2.config | 54 ++++++++++++++++++++++++++++++++++++
 tests/test_main.py           | 33 ++++++++++++++++++++++
 2 files changed, 87 insertions(+)
 create mode 100644 tests/classification2.config

diff --git a/tests/classification2.config b/tests/classification2.config
new file mode 100644
index 0000000..d470ab5
--- /dev/null
+++ b/tests/classification2.config
@@ -0,0 +1,54 @@
+
+#
+# config classification:shortname,short description,priority
+#
+
+config classification: not-suspicious,Not Suspicious Traffic,3
+config classification: unknown,Unknown Traffic,3
+config classification: bad-unknown,Potentially Bad Traffic, 2
+config classification: attempted-recon,Attempted Information Leak,2
+config classification: successful-recon-limited,Information Leak,2
+config classification: successful-recon-largescale,Large Scale Information Leak,2
+config classification: attempted-dos,Attempted Denial of Service,2
+config classification: successful-dos,Denial of Service,2
+config classification: attempted-user,Attempted User Privilege Gain,1
+config classification: unsuccessful-user,Unsuccessful User Privilege Gain,1
+config classification: successful-user,Successful User Privilege Gain,1
+config classification: attempted-admin,Attempted Administrator Privilege Gain,1
+config classification: successful-admin,Successful Administrator Privilege Gain,1
+
+# NEW CLASSIFICATIONS
+config classification: rpc-portmap-decode,Decode of an RPC Query,2
+config classification: shellcode-detect,Executable code was detected,1
+config classification: string-detect,A suspicious string was detected,3
+config classification: suspicious-filename-detect,A suspicious filename was detected,2
+config classification: suspicious-login,An attempted login using a suspicious username was detected,2
+config classification: system-call-detect,A system call was detected,2
+config classification: tcp-connection,A TCP connection was detected,4
+config classification: trojan-activity,A Network Trojan was detected, 1
+config classification: unusual-client-port-connection,A client was using an unusual port,2
+config classification: network-scan,Detection of a Network Scan,3
+config classification: denial-of-service,Detection of a Denial of Service Attack,2
+config classification: non-standard-protocol,Detection of a non-standard protocol or event,2
+config classification: protocol-command-decode,Generic Protocol Command Decode,3
+config classification: web-application-activity,access to a potentially vulnerable web application,2
+config classification: web-application-attack,Web Application Attack,1
+config classification: misc-activity,Misc activity,3
+config classification: misc-attack,Misc Attack,5
+config classification: icmp-event,Generic ICMP event,3
+config classification: kickass-porn,SCORE! Get the lotion!,1
+config classification: policy-violation,Potential Corporate Privacy Violation,1
+config classification: default-login-attempt,Attempt to login by a default username and password,2
+
+# Update
+config classification: targeted-activity,Targeted Malicious Activity was Detected,1
+config classification: exploit-kit,Exploit Kit Activity Detected,1
+config classification: external-ip-check,Device Retrieving External IP Address Detected,2
+config classification: domain-c2,Domain Observed Used for C2 Detected,1
+config classification: pup-activity,Possibly Unwanted Program Detected,2
+config classification: credential-theft,Successful Credential Theft Detected,1
+config classification: social-engineering,Possible Social Engineering Attempted,2
+config classification: coin-mining,Crypto Currency Mining Activity Detected,2
+config classification: coin-mining-test-1,Crypto Currency Mining Activity Detected Test 1,2
+config classification: coin-mining-test-2,Crypto Currency Mining Activity Detected Test 2,4
+
diff --git a/tests/test_main.py b/tests/test_main.py
index e43b51c..1425cd1 100644
--- a/tests/test_main.py
+++ b/tests/test_main.py
@@ -239,3 +239,36 @@ class DropRuleFilterTestCase(unittest.TestCase):
         matcher = matchers_mod.IdRuleMatcher.parse("2016659")
         rule_filter = matchers_mod.DropRuleFilter(matcher)
         self.assertFalse(rule_filter.match(rule))
+
+
+class DummySuriConf(dict):
+    def __getattr__(self, val):
+        return self[val]
+
+
+class ClassificationConfigMergeTestCase(unittest.TestCase):
+    test_fname1 = "tests/classification1.config"
+    test_fname2 = "tests/classification2.config"
+
+    def test_merge_classification_files(self):
+        """ Test if the two files get merged properly and priority is maintained"""
+        suriconf = DummySuriConf()
+        suriconf["build_info"] = {}
+        with open(self.test_fname1) as fp:
+            test_file1 = fp.read()
+        with open(self.test_fname2) as fp:
+            test_file2 = fp.read()
+        files = [("test_file1", test_file1.encode()),
+                ("test_file2", test_file2.encode())]
+        cdict = main.load_classification(suriconf, files)
+
+        # Number of classifications in classification1.config: 42
+        # Number of classifications in classification2.config: 44 (2 new)
+        self.assertEqual(44, len(cdict))
+
+        # classification1.config:
+        # config classification: misc-attack,Misc Attack,2
+        #
+        # classification2.config:
+        # config classification: misc-attack,Misc Attack,5
+        self.assertEqual("5", cdict["misc-attack"][1])
-- 
2.47.3