def test_multy_sdo_match(pattern): # Only the first matched SDO will be returned res = match(pattern, _observations, stix_version=_stix_version) assert res assert len(res) == 1 assert res[0]['objects'][0][ 'id'] == 'observed-data--1209f166-bba6-4307-a566-60e3a6c39cd2'
def test_matching_sdos(pattern, expected_ids): sdos = match(pattern, _observations) # import pprint # pprint.pprint(sdos) sdo_ids = [sdo["id"] for sdo in sdos] if isinstance(expected_ids, six.string_types): assert sdo_ids == [expected_ids] else: assert sorted(sdo_ids) == sorted(expected_ids)
def get_indicator_from_observed_data(stix2, observed_data): stix2_json = json.loads(str(observed_data)) for object_ in stix2.objects: if object_.type != 'indicator': continue matches = match(object_.pattern, [stix2_json]) if len(matches) == 0: continue return object_ return None
def test_within_nomatch(interval1, interval2, duration): _observations[0]["objects"][0]["first_observed"] = interval1[0] _observations[0]["objects"][0]["last_observed"] = interval1[1] _observations[1]["objects"][0]["first_observed"] = interval2[0] _observations[1]["objects"][0]["last_observed"] = interval2[1] pattern = "([person:name='alice'] AND [person:name='bob']) " \ "WITHIN {0} SECONDS".format(duration) assert not match(pattern, _observations, stix_version=_stix_version)
def _get_matches_observable_caches_vs_indicator_v2_cache(observable_caches,indicator_v2_cache,cache_list): ret_observable_cashes = [] for observable_cache in observable_caches: observed_data = _get_observed_data(observable_cache) matches = matcher.match(indicator_v2_cache.pattern,[observed_data]) if len(matches) != 0: indicator_v2_cache.type = observable_cache.type indicator_v2_cache.value = observable_cache.value indicator_v2_cache.cache_list = cache_list ret_observable_cashes.append(observable_cache) return ret_observable_cashes
def test_quoting(pattern): assert match(pattern, _observations)
def test_ts_pattern_error_parse(pattern): with pytest.raises(ParseException): match(pattern, _observations, stix_version=_stix_version)
def _get_exact_matched_info(package_id): ret_observable_cashes = [] cache_collections = [ ObservableCaches, ExploitTargetCaches, ] for cache_collection in cache_collections: caches = cache_collection.objects.filter(package_id=package_id) for cache in caches: if cache.value is None: continue exacts = cache_collection.objects.filter( Q(type__exact=cache.type) & Q(value__exact=cache.value) & Q(package_id__ne=package_id)) ret_observable_cashes.extend(exacts) if isinstance(cache, ObservableCaches): indicator_v2_cachses = IndicatorV2Caches.objects.filter( Q(package_id__ne=package_id)) for indicator_v2_cache in indicator_v2_cachses: observed_data = _get_observed_data(cache) matches = matcher.match(indicator_v2_cache.pattern, [observed_data]) if len(matches) != 0: indicator_v2_cache.type = cache.type indicator_v2_cache.value = cache.value indicator_v2_cache.start_collection = cache_collection ret_observable_cashes.append(indicator_v2_cache) indicator_v2_caches = IndicatorV2Caches.objects.filter( package_id=package_id) for indicator_v2_cache in indicator_v2_caches: query_set = _get_observables_cashes_query(indicator_v2_cache.pattern, package_id) caches = ObservableCaches.objects.filter(query_set) for cache in caches: observed_data = _get_observed_data(cache) matches = matcher.match(indicator_v2_cache.pattern, [observed_data]) if len(matches) != 0: cache.start_collection = IndicatorV2Caches cache.pattern = indicator_v2_cache.pattern ret_observable_cashes.append(cache) exacts = IndicatorV2Caches.objects.filter( Q(pattern__exact=indicator_v2_cache.pattern) & Q(package_id__ne=package_id)) for exact in exacts: exact.cache_list = IndicatorV2Caches exact.start_collection = IndicatorV2Caches ret_observable_cashes.append(exact) label_caches = LabelCaches.objects.filter(package_id=package_id) for label_cache in label_caches: exacts = LabelCaches.objects.filter( Q(label__iexact=label_cache.label) & Q(package_id__ne=package_id)) for exact in exacts: ret_observable_cashes.append(exact) return ret_observable_cashes
def test_binary_nomatch(pattern): assert not match(pattern, _observations)
def test_unicode_normalization_set_match(pattern): assert match(pattern, _observations, stix_version=_stix_version)
def test_basic_ops_int_nomatch(pattern): assert not match(pattern, _observations, stix_version=_stix_version)
def test_quoting(pattern): assert match(pattern, _observations, stix_version=_stix_version)
def test_complex_match(pattern): assert match(pattern, _observations, stix_version=_stix_version)
def test_temp_qual_match(pattern): assert match(pattern, _observations, stix_version=_stix_version)
def test_temp_qual_error_match(pattern): with pytest.raises(MatcherException): match(pattern, _observations, stix_version=_stix_version)
def test_unicode_normalization_set_match(pattern): assert match(pattern, _observations)
def test_basic_ops_set_err(pattern): with pytest.raises(MatcherException): match(pattern, _observations, stix_version=_stix_version)
def test_quoting_error(pattern): with pytest.raises(ParseException): match(pattern, _observations, stix_version=_stix_version)
def test_basic_ops_float_match(pattern): assert match(pattern, _observations, stix_version=_stix_version)
def test_combinatorial_explosion_nomatch(pattern): assert not match(pattern, _observations_combinatorial_explosion)
def test_complex_nomatch(pattern): assert not match(pattern, _observations)
def test_multy_sdo_match(pattern): # Only the first matched SDO will be returned res = match(pattern, _observations, stix_version=_stix_version) assert res assert len(res) == 1 assert res[0]["first_observed"] == "1000-12-03T21:34:41Z"
def test_multy_repeat_match(pattern): res = match(pattern, _observations, stix_version=_stix_version) assert res assert len(res) == 2
def test_binary_match(pattern): assert match(pattern, _observations, stix_version=_stix_version)
def test_references_match(pattern): assert match(pattern, _observations, stix_version=_stix_version)
def test_observation_ops_nomatch(pattern): assert not match(pattern, _observations)
def test_ts_nomatch(pattern): assert not match(pattern, _observations, stix_version=_stix_version)
def test_references_nomatch(pattern): assert not match(pattern, _observations)
def test_ts_json_error(pattern): with pytest.raises(MatcherException): match(pattern, _observations, stix_version=_stix_version)
def test_unicode_normalization_eq_nomatch(pattern): assert not match(pattern, _observations)