anti/DECNET
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
3ee55ec3418370215929f03250ba2c92f156b84b
DECNET/tests/intel/test_feodo.py
anti cd70136d09 feat(intel): wire GreyNoise, AbuseIPDB, Feodo Tracker + ThreatFox 
Four concrete IntelProvider impls — three per-IP queries plus one bulk
feed:

* GreyNoiseProvider — community endpoint, optional API key for higher
  rate limit. 404 = unknown (cache the absence so we don't re-query).
* AbuseIPDBProvider — score threshold mapping (>=75 malicious, >=25
  suspicious, else benign). Self-disables with a clear error when no
  API key is configured rather than burning quota.
* FeodoProvider — fetches the bulk botnet C2 IP feed once per refresh
  window and answers every lookup from an in-memory set. Listed = C2.
* ThreatFoxProvider — POST /api/v1/ search_ioc query, optional Auth-Key
  header. Match in data[] = malicious; no_result = absence-not-benign.

Every provider routes through decnet.net.http.stealth_client so the
egress UA never leaks 'DECNET'.
2026-04-26 05:15:17 -04:00

100 lines
3.1 KiB
Python
Raw Blame History

"""Unit tests for the abuse.ch Feodo Tracker provider.
Bulk-feed semantics: one HTTP fetch loads the in-memory set, all
subsequent ``lookup`` calls hit memory. We assert:
* a fresh provider triggers exactly one refresh, then answers from cache
* a listed IP returns verdict='malicious' with the upstream record
* an unlisted IP returns verdict=None (absence ≠ benign)
* a feed fetch failure is reported as an error, not silently swallowed
"""
from __future__ import annotations
import json
import httpx
import pytest
from decnet.intel.feodo import FeodoProvider
def _install_transport(handler) -> list[httpx.Request]:
captured: list[httpx.Request] = []
async def _wrapped(request: httpx.Request) -> httpx.Response:
captured.append(request)
return await handler(request)
transport = httpx.MockTransport(_wrapped)
from decnet.intel import feodo as mod
def _factory(*, timeout: float = 20.0):
return httpx.AsyncClient(
transport=transport,
headers={"User-Agent": "curl/7.88.1"},
timeout=timeout,
)
mod.stealth_client = _factory # type: ignore[assignment]
return captured
_FEED = [
{"ip_address": "9.9.9.9", "port": 443, "malware": "TrickBot"},
{"ip_address": "10.10.10.10", "port": 80, "malware": "Emotet"},
]
@pytest.mark.anyio
async def test_listed_ip_yields_malicious_verdict():
async def handler(request: httpx.Request) -> httpx.Response:
return httpx.Response(200, json=_FEED)
captured = _install_transport(handler)
provider = FeodoProvider(refresh_interval_s=999.0)
result = await provider.lookup("9.9.9.9")
assert result.verdict == "malicious"
assert result.column_updates["feodo_listed"] is True
raw = json.loads(result.column_updates["feodo_raw"])
assert raw["malware"] == "TrickBot"
assert len(captured) == 1
@pytest.mark.anyio
async def test_subsequent_lookups_dont_refetch():
async def handler(request: httpx.Request) -> httpx.Response:
return httpx.Response(200, json=_FEED)
captured = _install_transport(handler)
provider = FeodoProvider(refresh_interval_s=999.0)
await provider.lookup("9.9.9.9")
await provider.lookup("10.10.10.10")
await provider.lookup("not-listed.example")
assert len(captured) == 1 # one refresh, three answers
@pytest.mark.anyio
async def test_unlisted_ip_returns_no_verdict():
async def handler(request: httpx.Request) -> httpx.Response:
return httpx.Response(200, json=_FEED)
_install_transport(handler)
provider = FeodoProvider(refresh_interval_s=999.0)
result = await provider.lookup("1.2.3.4")
assert result.verdict is None
assert result.column_updates["feodo_listed"] is False
@pytest.mark.anyio
async def test_feed_failure_reports_error():
async def handler(request: httpx.Request) -> httpx.Response:
return httpx.Response(503)
_install_transport(handler)
provider = FeodoProvider(refresh_interval_s=999.0)
result = await provider.lookup("1.2.3.4")
assert result.error == "HTTP 503"
assert result.column_updates == {}
Reference in New Issue View Git Blame Copy Permalink