Use STIX-2 in Zeek test utils

tenzir · Mar 4, 2021 · 73b3762 · 73b3762
1 parent 3ebdd70
commit 73b3762
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 9 deletions.
diff --git a/tests/utils/zeek_receiver.py b/tests/utils/zeek_receiver.py
@@ -5,7 +5,7 @@
 import select
 
 
-def receive(items, topic="threatbus/intel", td=timedelta(days=0)):
+def receive(items, topic="stix2/indicator", td=timedelta(days=0)):
     ep = broker.Endpoint()
     ep.peer("127.0.0.1", 47761)
     subscribe_event = broker.zeek.Event("Tenzir::subscribe", topic, td)
@@ -30,7 +30,7 @@ def receive(items, topic="threatbus/intel", td=timedelta(days=0)):
     ep.publish("threatbus/manage", unsubscribe_event)
 
 
-def forward(items, q, topic="threatbus/intel"):
+def forward(items, q, topic="stix2/indicator"):
     """
     Receives the requested amount of items and forwards them to a queue.Queue
     """

diff --git a/tests/utils/zeek_sender.py b/tests/utils/zeek_sender.py
@@ -2,6 +2,7 @@
 import broker
 from datetime import datetime
 import select
+from stix2 import Sighting
 import time
 
 
@@ -38,12 +39,13 @@ def send_generic(topic, items):
         print("Threat Bus subscription failed")
         return
 
-    for i in range(items):
-        data = {
-            "indicator": "example.com",
-            "intel_type": "DOMAIN",
-        }
-        event = broker.zeek.Event("intel", datetime.now(), i, data, "ADD")
+    for _ in range(items):
+        event = broker.zeek.Event(
+            "sighting",
+            datetime.now(),
+            "indicator--cdd5791f-916e-4f62-8090-1a006005af76",
+            {},
+        )
 
         # Threat Bus will pickup the event type and hence forward on a different
         # topic.
@@ -54,4 +56,4 @@ def send_generic(topic, items):
 
 
 if __name__ == "__main__":
-    send_generic("threatbus/intel", 1)
+    send_generic("stix2/sighting", 1)