def test_and_not_in_set_cim_splunk(self):
res = translate(
"[process:pid NOT IN (1, 2, 3) AND process:name = 'wsmprovhost.exe']",
SearchPlatforms.SPLUNK, DataModels.CIM)
print(
"CONVERTED: [process:pid NOT IN (1, 2, 3) AND process:name = 'wsmprovhost.exe'] TO ",
res)
def test_ored_obs_expressi_cim_splunk(self):
res = translate(
"[ipv4-addr:value = '198.51.100.5' ] OR [ipv4-addr:value = '198.51.100.10']",
SearchPlatforms.SPLUNK, DataModels.CIM)
print(
"CONVERTED: [ipv4-addr:value = '198.51.100.5' ] OR [ipv4-addr:value = '198.51.100.10'] TO ",
res)
def test_regex_car_elastic(self):
res = translate(
"[file:parent_directory_ref.path MATCHES '^C:\\\\Windows\\\\w+$']",
SearchPlatforms.ELASTIC, DataModels.CAR)
print(
"CONVERTED: [file:parent_directory_ref.path MATCHES '^C:\\\\Windows\\\\w+$'] TO ",
res)
def test_md5_hash_car_elastic(self):
res = translate(
"[file:hashes.MD5 ='79054025255fb1a26e4bc422aef54eb4']",
SearchPlatforms.ELASTIC, DataModels.CAR)
print(
"CONVERTED: [file:hashes.MD5 ='79054025255fb1a26e4bc422aef54eb4'] TO ",
res)
def test_md5_hash_cim_splunk(self):
res = translate(
"[file:hashes.MD5 ='79054025255fb1a26e4bc422aef54eb4']",
SearchPlatforms.SPLUNK, DataModels.CIM)
print(
"CONVERTED: [file:hashes.MD5 ='79054025255fb1a26e4bc422aef54eb4'] TO ",
res)
def test_regex_no_anchor_cim_splunk(self):
res = translate(
"[process:name = 'wsmprovhost.exe' AND process:binary_ref.parent_directory_ref.path MATCHES '\\\\SystemVolumeInformation']",
SearchPlatforms.SPLUNK, DataModels.CIM)
print(
"CONVERTED: [process:name = 'wsmprovhost.exe' AND process:binary_ref.parent_directory_ref.path MATCHES '\\\\SystemVolumeInformation'] TO ",
res)
def test_gt_and_is_equal_cim_splunk(self):
res = translate(
"[process:pid > 4 AND process:binary_ref.name = 'cmd.exe']",
SearchPlatforms.SPLUNK, DataModels.CIM)
print(
"CONVERTED: [process:pid > 4 AND process:binary_ref.name = 'cmd.exe'] TO ",
res)
def test_followedby_obs_expressi_cim_elastic(self):
res = translate(
"[ipv4-addr:value = '198.51.100.5' ] FOLLOWEDBY [ipv4-addr:value = '198.51.100.10']",
SearchPlatforms.ELASTIC, DataModels.CIM)
print(
"CONVERTED: [ipv4-addr:value = '198.51.100.5' ] FOLLOWEDBY [ipv4-addr:value = '198.51.100.10'] TO ",
res)
def test_followedby_obs_expressi_car_splunk(self):
res = translate(
"[ipv4-addr:value = '198.51.100.5' ] FOLLOWEDBY [ipv4-addr:value = '198.51.100.10']",
SearchPlatforms.SPLUNK, DataModels.CAR)
print(
"CONVERTED: [ipv4-addr:value = '198.51.100.5' ] FOLLOWEDBY [ipv4-addr:value = '198.51.100.10'] TO ",
res)
def test_car_2014_11_004_car_elastic(self):
res = translate(
"[process:name = 'wsmprovhost.exe' AND process:parent_ref.name = 'svchost.exe']",
SearchPlatforms.ELASTIC, DataModels.CAR)
print(
"CONVERTED: [process:name = 'wsmprovhost.exe' AND process:parent_ref.name = 'svchost.exe'] TO ",
res)
def test_car_2014_11_004_cim_splunk(self):
res = translate(
"[process:name = 'wsmprovhost.exe' AND process:parent_ref.name = 'svchost.exe']",
SearchPlatforms.SPLUNK, DataModels.CIM)
print(
"CONVERTED: [process:name = 'wsmprovhost.exe' AND process:parent_ref.name = 'svchost.exe'] TO ",
res)
def test_car_2013_05_002_car_splunk(self):
res = translate(
"[process:binary_ref.parent_directory_ref.path MATCHES ':\\\\RECYCLER' OR process:binary_ref.parent_directory_ref.path MATCHES ':\\\\SystemVolumeInformation']",
SearchPlatforms.SPLUNK, DataModels.CAR)
print(
"CONVERTED: [process:binary_ref.parent_directory_ref.path MATCHES ':\\\\RECYCLER' OR process:binary_ref.parent_directory_ref.path MATCHES ':\\\\SystemVolumeInformation'] TO ",
res)
def test_car_2013_03_001_cim_splunk(self):
res = translate(
"[process:name = 'reg.exe' AND process:parent_ref.name = 'cmd.exe' AND process:parent_ref.parent_ref.name != 'explorer.exe']",
SearchPlatforms.SPLUNK, DataModels.CIM)
print(
"CONVERTED: [process:name = 'reg.exe' AND process:parent_ref.name = 'cmd.exe' AND process:parent_ref.parent_ref.name != 'explorer.exe'] TO ",
res)
def test_car_2013_03_001_car_elastic(self):
res = translate(
"[process:name = 'reg.exe' AND process:parent_ref.name = 'cmd.exe' AND process:parent_ref.parent_ref.name != 'explorer.exe']",
SearchPlatforms.ELASTIC, DataModels.CAR)
print(
"CONVERTED: [process:name = 'reg.exe' AND process:parent_ref.name = 'cmd.exe' AND process:parent_ref.parent_ref.name != 'explorer.exe'] TO ",
res)
def test_anded_two_regex_car_elastic(self):
res = translate(
"[process:binary_ref.parent_directory_ref.path MATCHES ':\\\\RECYCLER' AND process:binary_ref.parent_directory_ref.path MATCHES ':\\\\SystemVolumeInformation']",
SearchPlatforms.ELASTIC, DataModels.CAR)
print(
"CONVERTED: [process:binary_ref.parent_directory_ref.path MATCHES ':\\\\RECYCLER' AND process:binary_ref.parent_directory_ref.path MATCHES ':\\\\SystemVolumeInformation'] TO ",
res)
def test_gt_and_is_equal_car_elastic(self):
res = translate(
"[process:pid > 4 AND process:binary_ref.name = 'cmd.exe']",
SearchPlatforms.ELASTIC, DataModels.CAR)
print(
"CONVERTED: [process:pid > 4 AND process:binary_ref.name = 'cmd.exe'] TO ",
res)
def test_regex_front_anchor_cim_elastic(self):
res = translate(
"[process:name = 'wsmprovhost.exe' AND process:binary_ref.parent_directory_ref.path MATCHES '^\\\\SystemVolumeInformation']",
SearchPlatforms.ELASTIC, DataModels.CIM)
print(
"CONVERTED: [process:name = 'wsmprovhost.exe' AND process:binary_ref.parent_directory_ref.path MATCHES '^\\\\SystemVolumeInformation'] TO ",
res)
def test_regex_cim_splunk(self):
res = translate(
"[file:parent_directory_ref.path MATCHES '^C:\\\\Windows\\\\w+$']",
SearchPlatforms.SPLUNK, DataModels.CIM)
print(
"CONVERTED: [file:parent_directory_ref.path MATCHES '^C:\\\\Windows\\\\w+$'] TO ",
res)
def test_and_not_in_set_car_elastic(self):
res = translate(
"[process:pid NOT IN (1, 2, 3) AND process:name = 'wsmprovhost.exe']",
SearchPlatforms.ELASTIC, DataModels.CAR)
print(
"CONVERTED: [process:pid NOT IN (1, 2, 3) AND process:name = 'wsmprovhost.exe'] TO ",
res)
def test(self):
# Collect all of the events
nonmatches = data['nonmatches'].get(model.value, [])
matches = data['matches'].get(model.value, [])
events = nonmatches + matches
connector = None
if platform == SearchPlatforms.SPLUNK:
connector = self.splunk
elif platform == SearchPlatforms.ELASTIC:
connector = self.elastic
# Add the GUID, which is how we line up the data after the search
[e.update({'guid': str(uuid4())}) for e in events]
# Then send them to all the search platforms. Need to include what data model because some platforms need to
# format data per data model
connector.push(model, events)
# Then, run the tests. The GUIDs in "matches" should be in the results, the GUIDs in "nonmatches" should not.
query = translate(data['stix-input'], platform, model)
results = connector.query(query, model)
# Perform the comparison of GUIDs
self.assertEqual(set([e['guid'] for e in data['matches'][model.value]]), set(results))
def test_anded_two_regex_cim_splunk(self):
res = translate(
"[process:binary_ref.parent_directory_ref.path MATCHES ':\\\\RECYCLER' AND process:binary_ref.parent_directory_ref.path MATCHES ':\\\\SystemVolumeInformation']",
SearchPlatforms.SPLUNK, DataModels.CIM)
print(
"CONVERTED: [process:binary_ref.parent_directory_ref.path MATCHES ':\\\\RECYCLER' AND process:binary_ref.parent_directory_ref.path MATCHES ':\\\\SystemVolumeInformation'] TO ",
res)
def test_anded_obs_expressi_car_elastic(self):
res = translate(
"[ipv4-addr:value = '198.51.100.5'] AND [ipv4-addr:value = '198.51.100.10']",
SearchPlatforms.ELASTIC, DataModels.CAR)
print(
"CONVERTED: [ipv4-addr:value = '198.51.100.5'] AND [ipv4-addr:value = '198.51.100.10'] TO ",
res)
def cim_splunk():
outputLanguage = SearchPlatforms.SPLUNK
outputDataModel = DataModels.CIM
if request.data:
pattern = request.data.decode("utf-8") # decode the input string
output = translate(pattern, outputLanguage, outputDataModel)
return output['queries']
else:
print("No Request Data") # when issues with input data
return "No Request Data"
def car_elastic():
outputLanguage = SearchPlatforms.ELASTIC
outputDataModel = DataModels.CAR
if request.data:
pattern = request.data.decode("utf-8") # decode the input string
output = translate(pattern, outputLanguage, outputDataModel)
return output['queries']
else:
print("No Request Data") # when issues with input data
return "No Request Data"
def test_elastic_followedby(self):
pattern = "[ipv4-addr:value = '198.51.100.5'] FOLLOWEDBY [ipv4-addr:value = '198.51.100.10']"
result = translate(pattern, SearchPlatforms.ELASTIC, DataModels.CAR)
assert result['success'] == False
assert ErrorCode.TRANSLATION_NOTSUPPORTED.value == result['code']
assert result['error'] is not None
def test(self):
with self.assertRaises(Exception):
res = translate(pattern, search_platform, data_model)
def test(self):
res = translate(pattern, search_platform, data_model)
self.assertEqual(normalize_spacing(res['queries'][0]),
normalize_spacing(expected_result))
def test_elastic_followedby(self):
pattern = "[ipv4-addr:value = '198.51.100.5'] FOLLOWEDBY [ipv4-addr:value = '198.51.100.10']"
with self.assertRaises(SearchFeatureNotSupportedError):
res = translate(pattern, SearchPlatforms.ELASTIC, DataModels.CAR)
def test_timestamp_cim_splunk(self):
res = translate("[file:created = t'2014-01-13T07:03:17Z']",
SearchPlatforms.SPLUNK, DataModels.CIM)
print("CONVERTED: [file:created = t'2014-01-13T07:03:17Z'] TO ",
res)
def test_timestamp_cim_elastic(self):
res = translate("[file:created = t'2014-01-13T07:03:17Z']",
SearchPlatforms.ELASTIC, DataModels.CIM)
print("CONVERTED: [file:created = t'2014-01-13T07:03:17Z'] TO ",
res)
