def test(self): # Collect all of the events nonmatches = data['nonmatches'].get(model.value, []) matches = data['matches'].get(model.value, []) events = nonmatches + matches connector = None if platform == SearchPlatforms.SPLUNK: connector = self.splunk elif platform == SearchPlatforms.ELASTIC: connector = self.elastic # Add the GUID, which is how we line up the data after the search [e.update({'guid': str(uuid4())}) for e in events] # Then send them to all the search platforms. Need to include what data model because some platforms need to # format data per data model connector.push(model, events) # Then, run the tests. The GUIDs in "matches" should be in the results, the GUIDs in "nonmatches" should not. query = translate(data['stix-input'], platform, model) results = connector.query(query, model) # Perform the comparison of GUIDs self.assertEqual(set([e['guid'] for e in data['matches'][model.value]]), set(results))
def cim_splunk(): outputLanguage = SearchPlatforms.SPLUNK outputDataModel = DataModels.CIM if request.data: pattern = request.data.decode("utf-8") # decode the input string output = translate(pattern, outputLanguage, outputDataModel) return output else: print("No Request Data") # when issues with input data return "No Request Data"
def car_elastic(): outputLanguage = SearchPlatforms.ELASTIC outputDataModel = DataModels.CAR if request.data: pattern = request.data.decode("utf-8") # decode the input string output = translate(pattern, outputLanguage, outputDataModel) return output else: print("No Request Data") # when issues with input data return "No Request Data"
def build_translation(request_translation, request_data): """ Function that will convert the REST input and call the appriate translation """ if request_data: pattern = request_data.decode('utf-8') # decode the input string pattern_object = json.loads(pattern) return_object = { 'pattern': pattern_object['pattern'] } try: return_object['validated'] = pass_test = validate( pattern_object['pattern'], ret_errs=False, print_errs=True) except Exception as e: return_object['validated'] = False return json.dumps(return_object) for translation in request_translation: if translation == 'car-elastic': output_language = SearchPlatforms.ELASTIC output_data_model = DataModels.CAR elif translation == 'car-splunk': output_language = SearchPlatforms.SPLUNK output_data_model = DataModels.CAR elif translation == 'cim-splunk': output_language = SearchPlatforms.SPLUNK output_data_model = DataModels.CIM else: raise InvalidUsage('Invalid Request Data', status_code=400) try: return_object[translation] = None return_object[translation] = translate( pattern_object['pattern'], output_language, output_data_model) except Exception as e: pass return json.dumps(return_object) else: raise InvalidUsage('No Request Data', status_code=400)
def test(self): with self.assertRaises(Exception): res = translate(pattern, search_platform, data_model)
def test(self): res = translate(pattern, search_platform, data_model) self.assertEqual(normalize_spacing(res), normalize_spacing(expected_result))
def test_elastic_followedby(self): pattern = "[ipv4-addr:value = '198.51.100.5'] FOLLOWEDBY [ipv4-addr:value = '198.51.100.10']" with self.assertRaises(SearchFeatureNotSupportedError): res = translate(pattern, SearchPlatforms.ELASTIC, DataModels.CAR)