def test(self):
# Collect all of the events
nonmatches = data['nonmatches'].get(model.value, [])
matches = data['matches'].get(model.value, [])
events = nonmatches + matches
connector = None
if platform == SearchPlatforms.SPLUNK:
connector = self.splunk
elif platform == SearchPlatforms.ELASTIC:
connector = self.elastic
# Add the GUID, which is how we line up the data after the search
[e.update({'guid': str(uuid4())}) for e in events]
# Then send them to all the search platforms. Need to include what data model because some platforms need to
# format data per data model
connector.push(model, events)
# Then, run the tests. The GUIDs in "matches" should be in the results, the GUIDs in "nonmatches" should not.
query = translate(data['stix-input'], platform, model)
results = connector.query(query, model)
# Perform the comparison of GUIDs
self.assertEqual(set([e['guid'] for e in data['matches'][model.value]]), set(results))
def cim_splunk():
outputLanguage = SearchPlatforms.SPLUNK
outputDataModel = DataModels.CIM
if request.data:
pattern = request.data.decode("utf-8") # decode the input string
output = translate(pattern, outputLanguage, outputDataModel)
return output
else:
print("No Request Data") # when issues with input data
return "No Request Data"
def car_elastic():
outputLanguage = SearchPlatforms.ELASTIC
outputDataModel = DataModels.CAR
if request.data:
pattern = request.data.decode("utf-8") # decode the input string
output = translate(pattern, outputLanguage, outputDataModel)
return output
else:
print("No Request Data") # when issues with input data
return "No Request Data"
def build_translation(request_translation, request_data):
"""
Function that will convert the REST input and call the appriate translation
"""
if request_data:
pattern = request_data.decode('utf-8') # decode the input string
pattern_object = json.loads(pattern)
return_object = {
'pattern': pattern_object['pattern']
}
try:
return_object['validated'] = pass_test = validate(
pattern_object['pattern'], ret_errs=False, print_errs=True)
except Exception as e:
return_object['validated'] = False
return json.dumps(return_object)
for translation in request_translation:
if translation == 'car-elastic':
output_language = SearchPlatforms.ELASTIC
output_data_model = DataModels.CAR
elif translation == 'car-splunk':
output_language = SearchPlatforms.SPLUNK
output_data_model = DataModels.CAR
elif translation == 'cim-splunk':
output_language = SearchPlatforms.SPLUNK
output_data_model = DataModels.CIM
else:
raise InvalidUsage('Invalid Request Data', status_code=400)
try:
return_object[translation] = None
return_object[translation] = translate(
pattern_object['pattern'], output_language, output_data_model)
except Exception as e:
pass
return json.dumps(return_object)
else:
raise InvalidUsage('No Request Data', status_code=400)
def test(self):
with self.assertRaises(Exception):
res = translate(pattern, search_platform, data_model)
def test(self):
res = translate(pattern, search_platform, data_model)
self.assertEqual(normalize_spacing(res),
normalize_spacing(expected_result))
def test_elastic_followedby(self):
pattern = "[ipv4-addr:value = '198.51.100.5'] FOLLOWEDBY [ipv4-addr:value = '198.51.100.10']"
with self.assertRaises(SearchFeatureNotSupportedError):
res = translate(pattern, SearchPlatforms.ELASTIC, DataModels.CAR)