Google Git
Sign in
apache / metron / b71ddceeefb4efc677f800c66ca65fae46f4a45a / . / metron-platform / metron-enrichment / metron-enrichment-common / src / test / java / org / apache / metron / enrichment / adapters / threatintel / ThreatIntelAdapterTest.java
blob: 4072b8937db9990eb4e27c54da4ad5d8e4a9f161 [file] [log] [blame]
/**
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.metron.enrichment.adapters.threatintel;
import org.adrianwalker.multilinestring.Multiline;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hbase.client.Table;
import org.apache.log4j.Level;
import org.apache.metron.common.configuration.enrichment.SensorEnrichmentConfig;
import org.apache.metron.common.utils.JSONUtils;
import org.apache.metron.enrichment.cache.CacheKey;
import org.apache.metron.enrichment.converter.EnrichmentHelper;
import org.apache.metron.enrichment.converter.EnrichmentKey;
import org.apache.metron.enrichment.converter.EnrichmentValue;
import org.apache.metron.enrichment.lookup.EnrichmentLookup;
import org.apache.metron.enrichment.lookup.LookupKV;
import org.apache.metron.enrichment.lookup.accesstracker.BloomAccessTracker;
import org.apache.metron.enrichment.lookup.accesstracker.PersistentAccessTracker;
import org.apache.metron.hbase.TableProvider;
import org.apache.metron.hbase.mock.MockHBaseTableProvider;
import org.apache.metron.hbase.mock.MockHTable;
import org.apache.metron.test.utils.UnitTestHelper;
import org.json.simple.JSONObject;
import org.json.simple.parser.JSONParser;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import java.io.IOException;
import java.util.ArrayList;
import java.util.HashMap;
import static org.junit.jupiter.api.Assertions.*;
public class ThreatIntelAdapterTest {
public static class ExceptionProvider implements TableProvider {
public ExceptionProvider() {};
@Override
public Table getTable(Configuration config, String tableName) throws IOException {
throw new IOException();
}
}
private String cf = "cf";
private String atTableName = "tracker";
private static final String MALICIOUS_IP_TYPE = "malicious_ip";
private final String threatIntelTableName = "threat_intel";
private EnrichmentLookup lookup;
/**
{
"10.0.2.3":"alert"
}
*/
@Multiline
private String expectedMessageString;
/**
{
"enrichment": {
"fieldMap": {
"geo": ["ip_dst_addr", "ip_src_addr"],
"host": ["host"]
}
},
"threatIntel" : {
"fieldMap": {
"hbaseThreatIntel": ["ip_dst_addr", "ip_src_addr"]
},
"fieldToTypeMap": {
"ip_dst_addr" : [ "10.0.2.3" ],
"ip_src_addr" : [ "malicious_ip" ]
}
}
}
*/
@Multiline
private static String sourceConfigStr;
private JSONObject expectedMessage;
@BeforeEach
public void setup() throws Exception {
final MockHTable trackerTable = (MockHTable) MockHBaseTableProvider.addToCache(atTableName, cf);
final MockHTable threatIntelTable = (MockHTable) MockHBaseTableProvider.addToCache(threatIntelTableName, cf);
EnrichmentHelper.INSTANCE.load(threatIntelTable, cf, new ArrayList<LookupKV<EnrichmentKey, EnrichmentValue>>() {{
add(new LookupKV<>(new EnrichmentKey("10.0.2.3", "10.0.2.3"), new EnrichmentValue(new HashMap<>())));
}});
BloomAccessTracker bat = new BloomAccessTracker(threatIntelTableName, 100, 0.03);
PersistentAccessTracker pat = new PersistentAccessTracker(threatIntelTableName, "0", trackerTable, cf, bat, 0L);
lookup = new EnrichmentLookup(threatIntelTable, cf, pat);
JSONParser jsonParser = new JSONParser();
expectedMessage = (JSONObject) jsonParser.parse(expectedMessageString);
}
@Test
public void testEnrich() throws Exception {
ThreatIntelAdapter tia = new ThreatIntelAdapter();
tia.lookup = lookup;
SensorEnrichmentConfig broSc = JSONUtils.INSTANCE.load(sourceConfigStr, SensorEnrichmentConfig.class);
JSONObject actualMessage = tia.enrich(new CacheKey("ip_dst_addr", "10.0.2.3", broSc));
assertNotNull(actualMessage);
assertEquals(expectedMessage, actualMessage);
}
@Test
public void testEnrichNonString() throws Exception {
ThreatIntelAdapter tia = new ThreatIntelAdapter();
tia.lookup = lookup;
SensorEnrichmentConfig broSc = JSONUtils.INSTANCE.load(sourceConfigStr, SensorEnrichmentConfig.class);
JSONObject actualMessage = tia.enrich(new CacheKey("ip_dst_addr", "10.0.2.3", broSc));
assertNotNull(actualMessage);
assertEquals(expectedMessage, actualMessage);
actualMessage = tia.enrich(new CacheKey("ip_dst_addr", 10L, broSc));
assertEquals(actualMessage,new JSONObject());
}
@Test
public void testInitializeAdapter() {
String cf = "cf";
String table = "threatintel";
String trackCf = "cf";
String trackTable = "Track";
double falsePositive = 0.03;
int expectedInsertion = 1;
long millionseconds = (long) 0.1;
ThreatIntelConfig config = new ThreatIntelConfig();
config.withHBaseCF(cf);
config.withHBaseTable(table);
config.withExpectedInsertions(expectedInsertion);
config.withFalsePositiveRate(falsePositive);
config.withMillisecondsBetweenPersists(millionseconds);
config.withTrackerHBaseCF(trackCf);
config.withTrackerHBaseTable(trackTable);
config.withProviderImpl(ExceptionProvider.class.getName());
ThreatIntelAdapter tia = new ThreatIntelAdapter(config);
UnitTestHelper.setLog4jLevel(ThreatIntelAdapter.class, Level.FATAL);
tia.initializeAdapter(null);
UnitTestHelper.setLog4jLevel(ThreatIntelAdapter.class, Level.ERROR);
assertFalse(tia.isInitialized());
}
}