def test_storm_syntax_gele(self):
insts = s_syntax.parse('foo:bar>=10')
self.eq(insts[0], s_syntax.oper('lift', 'foo:bar', 10, by='ge'))
insts = s_syntax.parse('foo:bar<=10')
self.eq(insts[0], s_syntax.oper('lift', 'foo:bar', 10, by='le'))
def test_storm_syntax_by(self):
insts = s_syntax.parse('woot/foo:bar*baz="hehe"')
opts = {'from': 'woot', 'by': 'baz'}
self.eq(insts[0], s_syntax.oper('lift', 'foo:bar', 'hehe', **opts))
insts = s_syntax.parse('woot/foo:bar*baz')
self.eq(insts[0], s_syntax.oper('lift', 'foo:bar', None, **opts))
def test_storm_syntax_pivot(self):
insts = s_syntax.parse('foo:bar -> hehe.haha/baz:faz')
self.eq(insts[0], ('pivot', {
'args': ['foo:bar', 'baz:faz'],
'kwlist': [('from', 'hehe.haha')]
}))
insts = s_syntax.parse(' -> baz:faz')
self.eq(insts[0], ('pivot', {'args': ('baz:faz', ), 'kwlist': []}))
def test_storm_syntax_join(self):
insts = s_syntax.parse('foo:bar <- hehe.haha/baz:faz')
self.eq(insts[0], ('join', {
'args': ['foo:bar', 'baz:faz'],
'kwlist': [('from', 'hehe.haha')]
}))
insts = s_syntax.parse(' <- baz:faz')
self.eq(insts[0], ('join', {'args': ('baz:faz', ), 'kwlist': []}))
def test_storm_syntax_macro_eq(self):
###########################################################
insts = s_syntax.parse('foo:bar')
self.eq(insts[0], s_syntax.oper('lift', 'foo:bar', None, by='has'))
###########################################################
insts = s_syntax.parse('foo:bar=10')
self.eq(insts[0], s_syntax.oper('lift', 'foo:bar', 10, by='eq'))
###########################################################
insts = s_syntax.parse('foo:bar="woot"')
self.eq(insts[0], s_syntax.oper('lift', 'foo:bar', 'woot', by='eq'))
def test_storm_syntax_gele(self):
insts = s_syntax.parse('foo:bar>=10')
self.eq(insts[0], ('lift', {
'prop': 'foo:bar',
'cmp': 'ge',
'valu': 10
}))
insts = s_syntax.parse('foo:bar<=10')
self.eq(insts[0], ('lift', {
'prop': 'foo:bar',
'cmp': 'le',
'valu': 10
}))
def test_storm_syntax_by(self):
insts = s_syntax.parse('woot/foo:bar*baz="hehe"')
self.eq(insts[0], ('lift', {
'from': 'woot',
'prop': 'foo:bar',
'valu': 'hehe',
'cmp': 'baz'
}))
insts = s_syntax.parse('woot/foo:bar*baz')
self.eq(insts[0], ('lift', {
'from': 'woot',
'prop': 'foo:bar',
'cmp': 'baz'
}))
def test_storm_syntax_lifteq(self):
insts = s_syntax.parse('foo:bar join("foo:bar","baz:quux")')
self.eq(insts[0], s_syntax.oper('lift', 'foo:bar', None, by='has'))
self.eq(insts[1], ('join', {
'args': ['foo:bar', 'baz:quux'],
'kwlist': []
}))
def test_storm_syntax_lifteq(self):
insts = s_syntax.parse('foo:bar join("foo:bar","baz:quux")')
self.eq(insts[0], ('lift', {'prop': 'foo:bar', 'cmp': 'has'}))
self.eq(insts[1], ('join', {
'args': ['foo:bar', 'baz:quux'],
'kwlist': []
}))
def test_lib_syntax_assign(self):
self.raises(BadSyntaxError, s_syntax.parse, '$foo?')
self.raises(BadSyntaxError, s_syntax.parse, '$foo=?')
self.raises(BadSyntaxError, s_syntax.parse, '$foo={')
opers = s_syntax.parse('$foo={baz:faz}')
self.eq(opers[0][0], 'set')
def ask(self, text, data=(), timeout=None):
'''
Run a storm query and return the query result dict.
user= stdin=
'''
opers = s_syntax.parse(text)
return self.run(opers, data=data, timeout=timeout)
def test_storm_syntax_regex(self):
insts = s_syntax.parse('+foo:bar~="hehe" -foo:bar~="hoho"')
self.eq(insts[0], ('filt', {
'prop': 'foo:bar',
'mode': 'must',
'cmp': 're',
'valu': 'hehe'
}))
self.eq(insts[1], ('filt', {
'prop': 'foo:bar',
'mode': 'cant',
'cmp': 're',
'valu': 'hoho'
}))
# Real world example with and without quotes around the regex valu
insts = s_syntax.parse(
'#sig.mal.pennywise totags() +syn:tag~="bhv.aka" fromtags()')
self.eq(len(insts), 4)
self.eq(insts[0], ('alltag', {
'args': ('sig.mal.pennywise', ),
'kwlist': []
}))
self.eq(insts[1], ('totags', {'args': [], 'kwlist': []}))
self.eq(insts[2], ('filt', {
'cmp': 're',
'prop': 'syn:tag',
'mode': 'must',
'valu': 'bhv.aka'
}))
self.eq(insts[3], ('fromtags', {'args': [], 'kwlist': []}))
# And without quotes
insts = s_syntax.parse(
'#sig.mal.pennywise totags() +syn:tag~=bhv.aka fromtags()')
self.eq(len(insts), 4)
self.eq(insts[0], ('alltag', {
'args': ('sig.mal.pennywise', ),
'kwlist': []
}))
self.eq(insts[1], ('totags', {'args': [], 'kwlist': []}))
self.eq(insts[2], ('filt', {
'cmp': 're',
'prop': 'syn:tag',
'mode': 'must',
'valu': 'bhv.aka'
}))
self.eq(insts[3], ('fromtags', {'args': [], 'kwlist': []}))
def ask(self, text, data=(), timeout=None):
'''
Run a storm query and return the query result dict.
user= stdin=
'''
if self.querylog:
user = s_auth.whoami()
logger.log(self.queryloglevel, 'Executing storm query [%s] as [%s]', text, user)
opers = s_syntax.parse(text)
return self.run(opers, data=data, timeout=timeout)
def test_storm_syntax_basic(self):
insts = s_syntax.parse('foo("lol",bar=20) baz(10,faz="lol")')
self.eq(insts[0][0], 'foo')
self.eq(insts[0][1]['args'][0], 'lol')
self.eq(insts[0][1]['kwlist'][0], ('bar', 20))
self.eq(insts[1][0], 'baz')
self.eq(insts[1][1]['args'][0], 10)
self.eq(insts[1][1]['kwlist'][0], ('faz', 'lol'))
def test_storm_syntax_oper_args(self):
oper = s_syntax.parse(' woot( (1,2), lol, "hehe haha", one=(3,4), two=5, three=whee) ')[0]
args = oper[1].get('args')
opts = dict(oper[1].get('kwlist'))
self.eq(args[0], [1, 2])
self.eq(args[1], 'lol')
self.eq(args[2], 'hehe haha')
self.eq(opts.get('one'), [3, 4])
self.eq(opts.get('two'), 5)
self.eq(opts.get('three'), 'whee')
def test_storm_syntax_regex(self):
insts = s_syntax.parse('+foo:bar~="hehe" -foo:bar~="hoho"')
self.eq(insts[0], ('filt', {
'prop': 'foo:bar',
'mode': 'must',
'cmp': 're',
'valu': 'hehe'
}))
self.eq(insts[1], ('filt', {
'prop': 'foo:bar',
'mode': 'cant',
'cmp': 're',
'valu': 'hoho'
}))
self.eq({'woot': 10}, {'woot': 10})
def parse(self, text):
'''
Parse as Storm query into its operator instructions.
Args:
text (str): The Storm query to parse.
Notes:
This does not run the resulting operators through the Storm query
planner.
Returns:
((str, dict),): A list of tufos containing storm operator
instructions.
'''
return s_syntax.parse(text)
def test_storm_syntax_macro_eq(self):
###########################################################
insts = s_syntax.parse('foo:bar')
self.eq(insts[0], ('lift', {'cmp': 'has', 'prop': 'foo:bar'}))
###########################################################
insts = s_syntax.parse('foo:bar=10')
self.eq(insts[0], ('lift', {
'prop': 'foo:bar',
'valu': 10,
'cmp': 'eq'
}))
###########################################################
insts = s_syntax.parse('foo:bar="woot"')
self.eq(insts[0], ('lift', {
'prop': 'foo:bar',
'valu': 'woot',
'cmp': 'eq'
}))
###########################################################
insts = s_syntax.parse('baz.faz/foo:bar@2015,+1year#30')
self.eq(insts[0], ('lift', {
'cmp': 'has',
'from': 'baz.faz',
'prop': 'foo:bar',
'when': ('2015', '+1year'),
'limit': 30
}))
###########################################################
insts = s_syntax.parse('baz.faz/foo:bar@2015,+1year#30="woot"')
self.eq(insts[0], ('lift', {
'cmp': 'eq',
'from': 'baz.faz',
'prop': 'foo:bar',
'valu': 'woot',
'when': ('2015', '+1year'),
'limit': 30
}))
###########################################################
insts = s_syntax.parse('baz.faz/foo:bar@2015#30="woot"')
self.eq(insts[0], ('lift', {
'cmp': 'eq',
'from': 'baz.faz',
'prop': 'foo:bar',
'valu': 'woot',
'when': ('2015', None),
'limit': 30
}))
def parse(self, text):
return s_syntax.parse(text)
def norm(self, valu, oldval=None):
try:
s_syntax.parse(valu)
except Exception as e:
self._raiseBadValu(valu)
return valu, {}
def test_storm_syntax_liftlift(self):
insts = s_syntax.parse('foo:bar baz:faz')
self.eq(insts[0], ('lift', {'prop': 'foo:bar', 'cmp': 'has'}))
self.eq(insts[1], ('lift', {'prop': 'baz:faz', 'cmp': 'has'}))
def test_storm_syntax_liftlift(self):
insts = s_syntax.parse('foo:bar baz:faz')
self.eq(insts[0], s_syntax.oper('lift', 'foo:bar', None, by='has'))
self.eq(insts[1], s_syntax.oper('lift', 'baz:faz', None, by='has'))
def test_storm_syntax_whites(self):
insts = s_syntax.parse('inet:fqdn = "1.2.3.4"')
self.eq(insts[0], s_syntax.oper('lift',
'inet:fqdn',
'1.2.3.4',
by='eq'))
def test_storm_syntax_edit(self):
inst0 = s_syntax.parse('[inet:ipv4=127.0.0.1 inet:ipv4=127.0.0.2]')
inst1 = s_syntax.parse(
' [ inet:ipv4 = 127.0.0.1 inet:ipv4 = 127.0.0.2 ] '
)
self.eq(inst0, inst1)
def test_storm_syntax_uppercase_and_underscore(self):
insts = s_syntax.parse('foo_Foo("lol",bar_Bar=20)')
self.eq(insts[0], ('foo_Foo', {
'args': ['lol'],
'kwlist': [('bar_Bar', 20)]
}))