 def test_unmapped_attribute(self):
     """A STIX attribute with no CSA mapping must raise DataMappingException.

     ``network-traffic:some_invalid_attribute`` is not mapped by the 'nf'
     dialect, so transform_query is expected to fail loudly instead of
     emitting a partial or silently-widened query.
     """
     translator = csa_translator.Translator(dialect='nf')
     pattern = "[network-traffic:some_invalid_attribute = 'whatever']"
     # Context-manager form keeps only the call under test inside the
     # assertRaises scope, so an unrelated error cannot satisfy it.
     with self.assertRaises(cloudsql_data_mapping.DataMappingException):
         translator.transform_query(pattern, {})
 def test_domain_query(self):
     """Translate a domain-name:value equality into a ``domainname`` WHERE clause.

     ``selections`` and ``from_statement`` are module-level fixtures defined
     elsewhere in this file; the expected SQL is their concatenation with
     the WHERE clause below.
     """
     translator = csa_translator.Translator(dialect='nf')
     pattern = "[domain-name:value = 'example.com']"
     result = translator.transform_query(pattern, {})
     expected_sql = selections + from_statement + "WHERE domainname = 'example.com'"
     expected = {
         'sql_queries': [expected_sql],
         'parsed_stix': [{'attribute': 'domain-name:value', 'comparison_operator': '=', 'value': 'example.com'}],
     }
     # Whole-dict comparison also guards against unexpected extra keys.
     assert result == expected
 def test_mac_address_query(self):
     """Translate mac-addr:value into an OR over both link-layer columns.

     The 'nf' dialect compares the address against Link.A and Link.B, so a
     MAC matching either end of the flow is selected.
     """
     translator = csa_translator.Translator(dialect='nf')
     options = {}
     result = translator.transform_query("[mac-addr:value = '00-00-5E-00-53-00']", options)
     expected_where = "WHERE (Link.A = '00-00-5E-00-53-00' OR Link.B = '00-00-5E-00-53-00')"
     expected_parsed = [{'attribute': 'mac-addr:value', 'comparison_operator': '=', 'value': '00-00-5E-00-53-00'}]
     assert result == {
         'sql_queries': [selections + from_statement + expected_where],
         'parsed_stix': expected_parsed,
     }
 def test_url_query(self):
     """Translate url:value into a ``url`` WHERE clause.

     NOTE(review): the expected clause embeds the pattern value verbatim
     inside single quotes. None of the tests on this page use a value that
     itself contains a quote character, so the translator's escaping rules
     are not exercised here — worth a dedicated test once they are known.
     """
     translator = csa_translator.Translator(dialect='nf')
     pattern = "[url:value = 'http://www.testaddress.com']"
     result = translator.transform_query(pattern, {})
     expected_where = "WHERE url = 'http://www.testaddress.com'"
     expected = {
         'sql_queries': [selections + from_statement + expected_where],
         'parsed_stix': [{'attribute': 'url:value', 'comparison_operator': '=', 'value': 'http://www.testaddress.com'}],
     }
     assert result == expected
 def test_ipv6_query(self):
     """Translate ipv6-addr:value into an OR over Network.A and Network.B.

     The value used here is written in IPv4 dotted form; the test exercises
     the attribute-to-column mapping only and does not show whether the
     translator validates address syntax.
     """
     translator = csa_translator.Translator(dialect='nf')
     options = {}
     pattern = "[ipv6-addr:value = '192.168.122.83']"
     result = translator.transform_query(pattern, options)
     expected_where = "WHERE (Network.A = '192.168.122.83' OR Network.B = '192.168.122.83')"
     expected_parsed = [{'attribute': 'ipv6-addr:value', 'comparison_operator': '=', 'value': '192.168.122.83'}]
     assert result == {'sql_queries': [selections + from_statement + expected_where], 'parsed_stix': expected_parsed}
 def test_artifact_queries(self):
     """Translate artifact:payload_bin with the STIX ``matches`` operator.

     The lower-case ``matches`` is expected to become ``MATCHES`` in both the
     SQL and the parsed STIX, and the SQL pattern is wrapped in ``.*`` on
     each side.
     """
     translator = csa_translator.Translator(dialect='nf')
     pattern = "[artifact:payload_bin matches 'some text']"
     result = translator.transform_query(pattern, {})
     expected = {
         'sql_queries': [selections + from_statement + "WHERE payload MATCHES '.*some text.*'"],
         'parsed_stix': [{'attribute': 'artifact:payload_bin', 'comparison_operator': 'MATCHES', 'value': 'some text'}],
     }
     assert result == expected
 def test_network_traffic_start_stop(self):
     """Translate network-traffic start/end timestamps into Start/Last epoch comparisons.

     The STIX timestamp is expected to be rendered as epoch seconds
     ('1528965384'); the quoted attribute name ``'start'`` in the pattern
     is expected to be accepted, and the output lists ``end`` before
     ``start`` (reverse of the pattern order).
     """
     translator = csa_translator.Translator(dialect='nf')
     options = {}
     pattern = "[network-traffic:'start' = '2018-06-14T08:36:24.000Z' or network-traffic:end = '2018-06-14T08:36:24.000Z']"
     result = translator.transform_query(pattern, options)
     expected_where = "WHERE Last = '1528965384' OR Start = '1528965384'"
     expected_parsed = [
         {'attribute': 'network-traffic:end', 'comparison_operator': '=', 'value': '2018-06-14T08:36:24.000Z'},
         {'attribute': 'network-traffic:start', 'comparison_operator': '=', 'value': '2018-06-14T08:36:24.000Z'},
     ]
     assert result == {'sql_queries': [selections + from_statement + expected_where], 'parsed_stix': expected_parsed}
 def test_user_account_query(self):
     """Translate user-account:user_id with the 'at' dialect.

     This test uses the 'at' dialect and the matching ``at_selections`` /
     ``at_from_statement`` fixtures (defined elsewhere in this file) rather
     than the 'nf' ones used by the other tests.
     """
     translator = csa_translator.Translator(dialect='at')
     pattern = "[user-account:user_id = 'root']"
     result = translator.transform_query(pattern, {})
     expected_sql = at_selections + at_from_statement + "WHERE initiator.id = 'root'"
     expected = {
         'sql_queries': [expected_sql],
         'parsed_stix': [{'attribute': 'user-account:user_id', 'comparison_operator': '=', 'value': 'root'}],
     }
     assert result == expected
 def test_port_queries(self):
     """Translate src_port / dst_port integers into Transport.A / Transport.B.

     Ports are integers in the STIX pattern and stay integers in
     ``parsed_stix``, but are rendered as quoted strings in the SQL; the
     dst_port term is expected to come first in the output.
     """
     translator = csa_translator.Translator(dialect='nf')
     options = {}
     pattern = "[network-traffic:src_port = 12345 or network-traffic:dst_port = 23456]"
     result = translator.transform_query(pattern, options)
     expected_where = "WHERE Transport.B = '23456' OR Transport.A = '12345'"
     expected_parsed = [
         {'attribute': 'network-traffic:dst_port', 'comparison_operator': '=', 'value': 23456},
         {'attribute': 'network-traffic:src_port', 'comparison_operator': '=', 'value': 12345},
     ]
     assert result == {'sql_queries': [selections + from_statement + expected_where], 'parsed_stix': expected_parsed}
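    def test_ipv4_in_query(self):
        """Translate an ipv4-addr:value IN list into Network.A / Network.B IN clauses.

        Only ``sql_queries`` is compared. The expected ``parsed_stix`` for an
        IN list was never pinned down (an earlier draft of this test left it
        commented out), so it is deliberately not asserted here.

        NOTE(review): the expected clause renders the list as
        ``IN (a OR b)`` with unquoted addresses, while the equality tests in
        this file quote their values. This pins the translator's current
        output; confirm it is the intended CSA syntax and not a translator
        bug before relying on it.
        """
        translator = csa_translator.Translator(dialect='nf')
        pattern = "[ipv4-addr:value in ('192.168.122.83', '192.168.122.84')]"
        query = translator.transform_query(pattern, {})
        where_statement = "WHERE (Network.A IN (192.168.122.83 OR 192.168.122.84) OR Network.B IN (192.168.122.83 OR 192.168.122.84))"
        # The stray debugging print(query) that used to sit here was removed:
        # it asserted nothing and only cluttered the test output.
        assert query['sql_queries'] == [selections + from_statement + where_statement]
        # TODO: assert query['parsed_stix'] once the expected shape for IN
        # values is settled (the old draft expected one entry per address
        # with comparison_operator 'IN').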
 def test_file_query(self):
     """Translate file:name into a ``filename`` WHERE clause.

     Only the file name is covered; hash attributes are not yet tested.
     """
     # TODO: Add support for file hashes. Unsure at this point how QRadar queries them
     translator = csa_translator.Translator(dialect='nf')
     options = {}
     result = translator.transform_query("[file:name = 'some_file.exe']", options)
     expected_where = "WHERE filename = 'some_file.exe'"
     expected_parsed = [{'attribute': 'file:name', 'comparison_operator': '=', 'value': 'some_file.exe'}]
     assert result == {
         'sql_queries': [selections + from_statement + expected_where],
         'parsed_stix': expected_parsed,
     }
 def test_query_from_multiple_comparison_expressions_joined_by_and(self):
     """A STIX ``and`` between two comparisons must become a SQL ``AND``.

     The two terms are expected in reverse pattern order in both the WHERE
     clause and ``parsed_stix`` (mac-addr first, then domain-name).
     """
     translator = csa_translator.Translator(dialect='nf')
     pattern = "[domain-name:value = 'example.com' and mac-addr:value = '00-00-5E-00-53-00']"
     result = translator.transform_query(pattern, {})
     expected_where = "WHERE (Link.A = '00-00-5E-00-53-00' OR Link.B = '00-00-5E-00-53-00') AND domainname = 'example.com'"
     expected_parsed = [
         {'attribute': 'mac-addr:value', 'comparison_operator': '=', 'value': '00-00-5E-00-53-00'},
         {'attribute': 'domain-name:value', 'comparison_operator': '=', 'value': 'example.com'},
     ]
     expected = {'sql_queries': [selections + from_statement + expected_where], 'parsed_stix': expected_parsed}
     assert result == expected
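 def test_network_traffic_protocols(self):
     """Every entry of the ``protocols`` map must translate to Transport.Protocol.

     ``protocols`` (defined elsewhere in this file) maps a STIX protocol
     name to the value the 'nf' dialect emits. Each entry is checked in both
     its original spelling and its upper-cased spelling, and ``parsed_stix``
     is expected to echo whichever spelling was supplied.
     """
     translator = csa_translator.Translator(dialect='nf')
     options = {}
     for stix_protocol, sql_protocol in protocols.items():
         # Previously one spelling was picked at random per run, which made
         # failures intermittent; exercise both spellings deterministically.
         for spelling in (stix_protocol, stix_protocol.upper()):
             pattern = "[network-traffic:protocols[*] = '" + spelling + "']"
             query = translator.transform_query(pattern, options)
             where_statement = "WHERE Transport.Protocol = '" + sql_protocol + "'"
             parsed_stix = [{'attribute': 'network-traffic:protocols[*]', 'comparison_operator': '=', 'value': spelling}]
             # The assertion must sit inside the loop: the old test compared
             # only the last protocol because it asserted after the loop.
             assert query == {'sql_queries': [selections + from_statement + where_statement], 'parsed_stix': parsed_stix}, spelling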
from stix_shifter.stix_translation.src.json_to_stix import json_to_stix_translator
from stix_shifter.stix_translation.src import transformers
from stix_shifter.stix_translation.src.modules.csa import csa_translator
import json
import unittest
from os import path

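interface = csa_translator.Translator()
# Read the translator's mapping file inside a context manager so the handle
# is closed deterministically (the previous open(...).read() left it to the
# garbage collector). map_file keeps the raw text in case later code in this
# file refers to it; map_data is the parsed mapping.
with open(interface.mapping_filepath, encoding='utf-8') as mapping_fh:
    map_file = mapping_fh.read()
map_data = json.loads(map_file)
# Identity object passed as the data source for JSON-to-STIX translation.
# NOTE(review): the name says "QRadar" although this file tests the CSA
# module — presumably copied from the QRadar tests; confirm it is intended.
data_source = {
    "type": "identity",
    "id": "identity--3532c56d-ea72-48be-a2ad-1a53f4c9c6d3",
    "name": "QRadar",
    "identity_class": "events"
}
options = {}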


class TestTransform(object):
    @staticmethod
    def get_first(itr, constraint):
        return next(
            (obj for obj in itr if constraint(obj)),
            None
        )

    @staticmethod
    def get_first_of_type(itr, typ):
        return TestTransform.get_first(itr, lambda o: type(o) == dict and o.get('type') == typ)