Example #1
0
def test_multy_sdo_match(pattern):
    # Only the first matched SDO will be returned
    res = match(pattern, _observations, stix_version=_stix_version)
    assert res
    assert len(res) == 1
    assert res[0]['objects'][0][
        'id'] == 'observed-data--1209f166-bba6-4307-a566-60e3a6c39cd2'
Example #2
0
def test_matching_sdos(pattern, expected_ids):
    sdos = match(pattern, _observations)
    #    import pprint
    #    pprint.pprint(sdos)
    sdo_ids = [sdo["id"] for sdo in sdos]

    if isinstance(expected_ids, six.string_types):
        assert sdo_ids == [expected_ids]
    else:
        assert sorted(sdo_ids) == sorted(expected_ids)
Example #3
0
def get_indicator_from_observed_data(stix2, observed_data):
    stix2_json = json.loads(str(observed_data))

    for object_ in stix2.objects:
        if object_.type != 'indicator':
            continue
        matches = match(object_.pattern, [stix2_json])
        if len(matches) == 0:
            continue
        return object_
    return None
Example #4
0
def test_within_nomatch(interval1, interval2, duration):

    _observations[0]["objects"][0]["first_observed"] = interval1[0]
    _observations[0]["objects"][0]["last_observed"] = interval1[1]

    _observations[1]["objects"][0]["first_observed"] = interval2[0]
    _observations[1]["objects"][0]["last_observed"] = interval2[1]

    pattern = "([person:name='alice'] AND [person:name='bob']) " \
              "WITHIN {0} SECONDS".format(duration)
    assert not match(pattern, _observations, stix_version=_stix_version)
Example #5
0
def _get_matches_observable_caches_vs_indicator_v2_cache(observable_caches,indicator_v2_cache,cache_list):
    ret_observable_cashes = []
    for observable_cache in observable_caches:
        observed_data = _get_observed_data(observable_cache)
        matches = matcher.match(indicator_v2_cache.pattern,[observed_data])
        if len(matches) != 0:
            indicator_v2_cache.type = observable_cache.type
            indicator_v2_cache.value = observable_cache.value
            indicator_v2_cache.cache_list = cache_list
            ret_observable_cashes.append(observable_cache)
    return ret_observable_cashes
Example #6
0
def test_quoting(pattern):
    assert match(pattern, _observations)
Example #7
0
def test_ts_pattern_error_parse(pattern):
    with pytest.raises(ParseException):
        match(pattern, _observations, stix_version=_stix_version)
Example #8
0
def _get_exact_matched_info(package_id):
    ret_observable_cashes = []

    cache_collections = [
        ObservableCaches,
        ExploitTargetCaches,
    ]

    for cache_collection in cache_collections:
        caches = cache_collection.objects.filter(package_id=package_id)
        for cache in caches:
            if cache.value is None:
                continue
            exacts = cache_collection.objects.filter(
                Q(type__exact=cache.type)
                & Q(value__exact=cache.value)
                & Q(package_id__ne=package_id))
            ret_observable_cashes.extend(exacts)

            if isinstance(cache, ObservableCaches):
                indicator_v2_cachses = IndicatorV2Caches.objects.filter(
                    Q(package_id__ne=package_id))
                for indicator_v2_cache in indicator_v2_cachses:
                    observed_data = _get_observed_data(cache)
                    matches = matcher.match(indicator_v2_cache.pattern,
                                            [observed_data])
                    if len(matches) != 0:
                        indicator_v2_cache.type = cache.type
                        indicator_v2_cache.value = cache.value
                        indicator_v2_cache.start_collection = cache_collection
                        ret_observable_cashes.append(indicator_v2_cache)

    indicator_v2_caches = IndicatorV2Caches.objects.filter(
        package_id=package_id)
    for indicator_v2_cache in indicator_v2_caches:
        query_set = _get_observables_cashes_query(indicator_v2_cache.pattern,
                                                  package_id)
        caches = ObservableCaches.objects.filter(query_set)
        for cache in caches:
            observed_data = _get_observed_data(cache)
            matches = matcher.match(indicator_v2_cache.pattern,
                                    [observed_data])
            if len(matches) != 0:
                cache.start_collection = IndicatorV2Caches
                cache.pattern = indicator_v2_cache.pattern
                ret_observable_cashes.append(cache)

        exacts = IndicatorV2Caches.objects.filter(
            Q(pattern__exact=indicator_v2_cache.pattern)
            & Q(package_id__ne=package_id))
        for exact in exacts:
            exact.cache_list = IndicatorV2Caches
            exact.start_collection = IndicatorV2Caches
            ret_observable_cashes.append(exact)

    label_caches = LabelCaches.objects.filter(package_id=package_id)
    for label_cache in label_caches:
        exacts = LabelCaches.objects.filter(
            Q(label__iexact=label_cache.label)
            & Q(package_id__ne=package_id))
        for exact in exacts:
            ret_observable_cashes.append(exact)
    return ret_observable_cashes
Example #9
0
def test_binary_nomatch(pattern):
    assert not match(pattern, _observations)
Example #10
0
def test_unicode_normalization_set_match(pattern):
    assert match(pattern, _observations, stix_version=_stix_version)
Example #11
0
def test_basic_ops_int_nomatch(pattern):
    assert not match(pattern, _observations, stix_version=_stix_version)
Example #12
0
def test_quoting(pattern):
    assert match(pattern, _observations, stix_version=_stix_version)
Example #13
0
def test_complex_match(pattern):
    assert match(pattern, _observations, stix_version=_stix_version)
Example #14
0
def test_temp_qual_match(pattern):
    assert match(pattern, _observations, stix_version=_stix_version)
Example #15
0
def test_temp_qual_error_match(pattern):
    with pytest.raises(MatcherException):
        match(pattern, _observations, stix_version=_stix_version)
Example #16
0
def test_unicode_normalization_set_match(pattern):
    assert match(pattern, _observations)
Example #17
0
def test_basic_ops_set_err(pattern):
    with pytest.raises(MatcherException):
        match(pattern, _observations, stix_version=_stix_version)
Example #18
0
def test_quoting_error(pattern):
    with pytest.raises(ParseException):
        match(pattern, _observations, stix_version=_stix_version)
Example #19
0
def test_basic_ops_float_match(pattern):
    assert match(pattern, _observations, stix_version=_stix_version)
Example #20
0
def test_combinatorial_explosion_nomatch(pattern):
    assert not match(pattern, _observations_combinatorial_explosion)
Example #21
0
def test_complex_nomatch(pattern):
    assert not match(pattern, _observations)
Example #22
0
def test_multy_sdo_match(pattern):
    # Only the first matched SDO will be returned
    res = match(pattern, _observations, stix_version=_stix_version)
    assert res
    assert len(res) == 1
    assert res[0]["first_observed"] == "1000-12-03T21:34:41Z"
Example #23
0
def test_multy_repeat_match(pattern):
    res = match(pattern, _observations, stix_version=_stix_version)
    assert res
    assert len(res) == 2
Example #24
0
def test_binary_match(pattern):
    assert match(pattern, _observations, stix_version=_stix_version)
Example #25
0
def test_references_match(pattern):
    assert match(pattern, _observations, stix_version=_stix_version)
Example #26
0
def test_observation_ops_nomatch(pattern):
    assert not match(pattern, _observations)
Example #27
0
def test_ts_nomatch(pattern):
    assert not match(pattern, _observations, stix_version=_stix_version)
Example #28
0
def test_references_nomatch(pattern):
    assert not match(pattern, _observations)
Example #29
0
def test_ts_json_error(pattern):
    with pytest.raises(MatcherException):
        match(pattern, _observations, stix_version=_stix_version)
Example #30
0
def test_unicode_normalization_eq_nomatch(pattern):
    assert not match(pattern, _observations)