def filter(self, record):
"""
Filter given record based on rule's condition
@note If the rule's condition is empty, record is always matched.
@return Boolean
"""
# The message must be converted via idea module
if not isinstance(record, lite.Idea):
logger.info("Converting message to IDEA")
record = lite.Idea(record)
logger.debug(record)
logger.debug(self.__condition)
if self.__condition == None or self.__condition == True:
# Rule condition is empty (tautology) - should always match the record
res = True
elif self.__condition == False:
res = False
else:
# Match the record with non-empty rule's condition
res = self.__filter.filter(self.__condition, record)
logger.debug("RESULT: %s", res)
return res
def setUp(self):
self.flt = DataObjectFilter()
self.psr = PynspectFilterParser()
self.psr.build()
self.cpl = IDEAFilterCompiler()
self.msg_idea = lite.Idea(self.test_msg1)
class TestJPath(unittest.TestCase):
msg_dict = {
"Format":
"IDEA0",
"ID":
"MESSAGE_ID",
"DetectTime":
"2016-06-21 13:08:27Z",
"Category": ["CATEGORY"],
"ConnCount":
633,
"Description":
"Ping scan",
"Source": [{
"IP4": ["192.168.1.1", "192.168.1.2"],
"Proto": ["icmp"]
}, {
"IP4": ["192.168.2.1", "192.168.2.2"],
"Proto": ["tcp"]
}],
"Target": [{
"Proto": ["udp"],
"IP4": ["192.168.3.1", "192.168.3.2"],
"Anonymised": True
}],
"Node": [{
"SW": ["KIPPO", "FAIL_TO_BAN"],
"Name": "node.name"
}]
}
msg_idea = lite.Idea(msg_dict)
def test_01_jpath_parse(self):
"""
Perform the basic JPath parsing tests.
Make sure all possible JPath forms parse correctly.
"""
self.maxDiff = None
cache_clear()
self.assertEqual(cache_size(), 0)
self.assertEqual(jpath_parse("Test"), [{
'm': 'Test',
'n': 'Test',
'p': 'Test'
}])
self.assertEqual(jpath_parse("Test.Path"), [{
'm': 'Test',
'n': 'Test',
'p': 'Test'
}, {
'm': 'Path',
'n': 'Path',
'p': 'Test.Path'
}])
self.assertEqual(jpath_parse("Long.Test.Path"), [{
'm': 'Long',
'n': 'Long',
'p': 'Long'
}, {
'm': 'Test',
'n': 'Test',
'p': 'Long.Test'
}, {
'm': 'Path',
'n': 'Path',
'p': 'Long.Test.Path'
}])
self.assertEqual(jpath_parse("Long[1].Test.Path"),
[{
'i': 0,
'm': 'Long[1]',
'n': 'Long',
'p': 'Long[1]'
}, {
'm': 'Test',
'n': 'Test',
'p': 'Long[1].Test'
}, {
'm': 'Path',
'n': 'Path',
'p': 'Long[1].Test.Path'
}])
self.assertEqual(jpath_parse("Long.Test[2].Path"),
[{
'm': 'Long',
'n': 'Long',
'p': 'Long'
}, {
'i': 1,
'm': 'Test[2]',
'n': 'Test',
'p': 'Long.Test[2]'
}, {
'm': 'Path',
'n': 'Path',
'p': 'Long.Test[2].Path'
}])
self.assertEqual(jpath_parse("Long.Test.Path[3]"),
[{
'm': 'Long',
'n': 'Long',
'p': 'Long'
}, {
'm': 'Test',
'n': 'Test',
'p': 'Long.Test'
}, {
'i': 2,
'm': 'Path[3]',
'n': 'Path',
'p': 'Long.Test.Path[3]'
}])
self.assertEqual(jpath_parse("Long[1].Test[1].Path"),
[{
'i': 0,
'm': 'Long[1]',
'n': 'Long',
'p': 'Long[1]'
}, {
'i': 0,
'm': 'Test[1]',
'n': 'Test',
'p': 'Long[1].Test[1]'
}, {
'm': 'Path',
'n': 'Path',
'p': 'Long[1].Test[1].Path'
}])
self.assertEqual(jpath_parse("Long.Test[2].Path[2]"),
[{
'm': 'Long',
'n': 'Long',
'p': 'Long'
}, {
'i': 1,
'm': 'Test[2]',
'n': 'Test',
'p': 'Long.Test[2]'
}, {
'i': 1,
'm': 'Path[2]',
'n': 'Path',
'p': 'Long.Test[2].Path[2]'
}])
self.assertEqual(jpath_parse("Long[3].Test.Path[3]"),
[{
'i': 2,
'm': 'Long[3]',
'n': 'Long',
'p': 'Long[3]'
}, {
'm': 'Test',
'n': 'Test',
'p': 'Long[3].Test'
}, {
'i': 2,
'm': 'Path[3]',
'n': 'Path',
'p': 'Long[3].Test.Path[3]'
}])
self.assertEqual(jpath_parse("Long[#].Test.Path"),
[{
'i': -1,
'm': 'Long[#]',
'n': 'Long',
'p': 'Long[#]'
}, {
'm': 'Test',
'n': 'Test',
'p': 'Long[#].Test'
}, {
'm': 'Path',
'n': 'Path',
'p': 'Long[#].Test.Path'
}])
self.assertEqual(jpath_parse("Long.Test[#].Path"),
[{
'm': 'Long',
'n': 'Long',
'p': 'Long'
}, {
'i': -1,
'm': 'Test[#]',
'n': 'Test',
'p': 'Long.Test[#]'
}, {
'm': 'Path',
'n': 'Path',
'p': 'Long.Test[#].Path'
}])
self.assertEqual(jpath_parse("Long.Test.Path[#]"),
[{
'm': 'Long',
'n': 'Long',
'p': 'Long'
}, {
'm': 'Test',
'n': 'Test',
'p': 'Long.Test'
}, {
'i': -1,
'm': 'Path[#]',
'n': 'Path',
'p': 'Long.Test.Path[#]'
}])
self.assertEqual(jpath_parse("Long[#].Test[#].Path"),
[{
'i': -1,
'm': 'Long[#]',
'n': 'Long',
'p': 'Long[#]'
}, {
'i': -1,
'm': 'Test[#]',
'n': 'Test',
'p': 'Long[#].Test[#]'
}, {
'm': 'Path',
'n': 'Path',
'p': 'Long[#].Test[#].Path'
}])
self.assertEqual(jpath_parse("Long.Test[#].Path[#]"),
[{
'm': 'Long',
'n': 'Long',
'p': 'Long'
}, {
'i': -1,
'm': 'Test[#]',
'n': 'Test',
'p': 'Long.Test[#]'
}, {
'i': -1,
'm': 'Path[#]',
'n': 'Path',
'p': 'Long.Test[#].Path[#]'
}])
self.assertEqual(jpath_parse("Long[#].Test.Path[#]"),
[{
'i': -1,
'm': 'Long[#]',
'n': 'Long',
'p': 'Long[#]'
}, {
'm': 'Test',
'n': 'Test',
'p': 'Long[#].Test'
}, {
'i': -1,
'm': 'Path[#]',
'n': 'Path',
'p': 'Long[#].Test.Path[#]'
}])
self.assertEqual(jpath_parse("Long[*].Test.Path"),
[{
'i': '*',
'm': 'Long[*]',
'n': 'Long',
'p': 'Long[*]'
}, {
'm': 'Test',
'n': 'Test',
'p': 'Long[*].Test'
}, {
'm': 'Path',
'n': 'Path',
'p': 'Long[*].Test.Path'
}])
self.assertEqual(jpath_parse("Long.Test[*].Path"),
[{
'm': 'Long',
'n': 'Long',
'p': 'Long'
}, {
'i': '*',
'm': 'Test[*]',
'n': 'Test',
'p': 'Long.Test[*]'
}, {
'm': 'Path',
'n': 'Path',
'p': 'Long.Test[*].Path'
}])
self.assertEqual(jpath_parse("Long.Test.Path[*]"),
[{
'm': 'Long',
'n': 'Long',
'p': 'Long'
}, {
'm': 'Test',
'n': 'Test',
'p': 'Long.Test'
}, {
'i': '*',
'm': 'Path[*]',
'n': 'Path',
'p': 'Long.Test.Path[*]'
}])
self.assertEqual(jpath_parse("Long[*].Test[*].Path"),
[{
'i': '*',
'm': 'Long[*]',
'n': 'Long',
'p': 'Long[*]'
}, {
'i': '*',
'm': 'Test[*]',
'n': 'Test',
'p': 'Long[*].Test[*]'
}, {
'm': 'Path',
'n': 'Path',
'p': 'Long[*].Test[*].Path'
}])
self.assertEqual(jpath_parse("Long.Test[*].Path[*]"),
[{
'm': 'Long',
'n': 'Long',
'p': 'Long'
}, {
'i': '*',
'm': 'Test[*]',
'n': 'Test',
'p': 'Long.Test[*]'
}, {
'i': '*',
'm': 'Path[*]',
'n': 'Path',
'p': 'Long.Test[*].Path[*]'
}])
self.assertEqual(jpath_parse("Long[*].Test.Path[*]"),
[{
'i': '*',
'm': 'Long[*]',
'n': 'Long',
'p': 'Long[*]'
}, {
'm': 'Test',
'n': 'Test',
'p': 'Long[*].Test'
}, {
'i': '*',
'm': 'Path[*]',
'n': 'Path',
'p': 'Long[*].Test.Path[*]'
}])
self.assertEqual(jpath_parse("Test"), [{
'm': 'Test',
'n': 'Test',
'p': 'Test'
}])
self.assertEqual(jpath_parse("test"), [{
'm': 'test',
'n': 'test',
'p': 'test'
}])
self.assertEqual(jpath_parse("TEST"), [{
'm': 'TEST',
'n': 'TEST',
'p': 'TEST'
}])
self.assertEqual(jpath_parse("_test"), [{
'm': '_test',
'n': '_test',
'p': '_test'
}])
self.assertRaisesRegex(JPathException, "Invalid JPath chunk",
jpath_parse, 'Test/Value')
self.assertRaisesRegex(JPathException, "Invalid JPath chunk",
jpath_parse, 'Test|Value')
self.assertRaisesRegex(JPathException, "Invalid JPath chunk",
jpath_parse, 'Test-Value')
self.assertRaisesRegex(JPathException, "Invalid JPath chunk",
jpath_parse, 'Test-.Value')
self.assertRaisesRegex(JPathException, "Invalid JPath chunk",
jpath_parse, 'Test[]Value')
self.assertRaisesRegex(JPathException, "Invalid JPath chunk",
jpath_parse, 'TestValue[]')
self.assertRaisesRegex(JPathException, "Invalid JPath chunk",
jpath_parse, 'Test[1]Value')
self.assertRaisesRegex(JPathException, "Invalid JPath chunk",
jpath_parse, 'Test[].Value')
self.assertRaisesRegex(JPathException, "Invalid JPath chunk",
jpath_parse, 'Test.Value[]')
self.assertRaisesRegex(JPathException, "Invalid JPath chunk",
jpath_parse, 'Test[-1].Value')
self.assertRaisesRegex(JPathException, "Invalid JPath chunk",
jpath_parse, 'Test.[1].Value')
self.assertRaisesRegex(JPathException, "Invalid JPath chunk",
jpath_parse, 'Test.Value.[1]')
self.assertEqual(jpath_parse_c("Test"), [{
'm': 'Test',
'n': 'Test',
'p': 'Test'
}])
self.assertEqual(jpath_parse_c("Test.Path"), [{
'm': 'Test',
'n': 'Test',
'p': 'Test'
}, {
'm': 'Path',
'n': 'Path',
'p': 'Test.Path'
}])
self.assertEqual(jpath_parse_c("Long.Test.Path"),
[{
'm': 'Long',
'n': 'Long',
'p': 'Long'
}, {
'm': 'Test',
'n': 'Test',
'p': 'Long.Test'
}, {
'm': 'Path',
'n': 'Path',
'p': 'Long.Test.Path'
}])
self.assertEqual(jpath_parse_c("Test"), [{
'm': 'Test',
'n': 'Test',
'p': 'Test'
}])
self.assertEqual(jpath_parse_c("Test.Path"), [{
'm': 'Test',
'n': 'Test',
'p': 'Test'
}, {
'm': 'Path',
'n': 'Path',
'p': 'Test.Path'
}])
self.assertEqual(jpath_parse_c("Long.Test.Path"),
[{
'm': 'Long',
'n': 'Long',
'p': 'Long'
}, {
'm': 'Test',
'n': 'Test',
'p': 'Long.Test'
}, {
'm': 'Path',
'n': 'Path',
'p': 'Long.Test.Path'
}])
self.assertEqual(cache_size(), 3)
cache_clear()
self.assertEqual(cache_size(), 0)
def test_02_jpath_values(self):
"""
Perform the basic JPath values retrieval tests.
Make sure all possible JPath forms return expected results.
"""
self.maxDiff = None
self.assertEqual(jpath_values(self.msg_dict, 'Format'), ['IDEA0'])
self.assertEqual(jpath_values(self.msg_dict, 'Format[1]'), [])
self.assertEqual(jpath_values(self.msg_dict, 'Format[#]'), [])
self.assertEqual(jpath_values(self.msg_dict, 'Format[*]'), [])
self.assertEqual(jpath_values(self.msg_dict, 'Category'), ['CATEGORY'])
self.assertEqual(jpath_values(self.msg_dict, 'Category[1]'),
['CATEGORY'])
self.assertEqual(jpath_values(self.msg_dict, 'Category[2]'), [])
self.assertEqual(jpath_values(self.msg_dict, 'Category[#]'),
['CATEGORY'])
self.assertEqual(jpath_values(self.msg_dict, 'Category[*]'),
['CATEGORY'])
self.assertEqual(jpath_values(self.msg_dict, 'Node.SW'),
['KIPPO', 'FAIL_TO_BAN'])
self.assertEqual(jpath_values(self.msg_dict, 'Node[1].SW'),
['KIPPO', 'FAIL_TO_BAN'])
self.assertEqual(jpath_values(self.msg_dict, 'Node[#].SW'),
['KIPPO', 'FAIL_TO_BAN'])
self.assertEqual(jpath_values(self.msg_dict, 'Node[*].SW'),
['KIPPO', 'FAIL_TO_BAN'])
self.assertEqual(jpath_values(self.msg_dict, 'Node[#].SW[1]'),
['KIPPO'])
self.assertEqual(jpath_values(self.msg_dict, 'Node[#].SW[2]'),
['FAIL_TO_BAN'])
self.assertEqual(jpath_values(self.msg_dict, 'Node[#].SW[#]'),
['FAIL_TO_BAN'])
self.assertEqual(jpath_values(self.msg_dict, 'Node[#].SW[*]'),
['KIPPO', 'FAIL_TO_BAN'])
self.assertEqual(jpath_values(self.msg_dict, 'Node.Name'),
['node.name'])
self.assertEqual(jpath_values(self.msg_dict, 'Node[1].Name'),
['node.name'])
self.assertEqual(jpath_values(self.msg_dict, 'Node[#].Name'),
['node.name'])
self.assertEqual(jpath_values(self.msg_dict, 'Node[*].Name'),
['node.name'])
self.assertEqual(jpath_values(self.msg_dict, 'Node[1].Name[1]'), [])
self.assertEqual(jpath_values(self.msg_dict, 'Node[#].Name[#]'), [])
self.assertEqual(jpath_values(self.msg_dict, 'Node[*].Name[*]'), [])
self.assertEqual(
jpath_values(self.msg_dict, 'Source.IP4'),
['192.168.1.1', '192.168.1.2', '192.168.2.1', '192.168.2.2'])
self.assertEqual(jpath_values(self.msg_dict, 'Source[1].IP4'),
['192.168.1.1', '192.168.1.2'])
self.assertEqual(jpath_values(self.msg_dict, 'Source[2].IP4'),
['192.168.2.1', '192.168.2.2'])
self.assertEqual(jpath_values(self.msg_dict, 'Source[#].IP4'),
['192.168.2.1', '192.168.2.2'])
self.assertEqual(
jpath_values(self.msg_dict, 'Source[*].IP4'),
['192.168.1.1', '192.168.1.2', '192.168.2.1', '192.168.2.2'])
self.assertEqual(jpath_values(self.msg_dict, 'Source.IP4[1]'),
['192.168.1.1', '192.168.2.1'])
self.assertEqual(jpath_values(self.msg_dict, 'Source.IP4[2]'),
['192.168.1.2', '192.168.2.2'])
self.assertEqual(jpath_values(self.msg_dict, 'Source.IP4[#]'),
['192.168.1.2', '192.168.2.2'])
self.assertEqual(
jpath_values(self.msg_dict, 'Source.IP4[*]'),
['192.168.1.1', '192.168.1.2', '192.168.2.1', '192.168.2.2'])
self.assertEqual(jpath_values(self.msg_dict, 'Source[1].IP4[1]'),
['192.168.1.1'])
self.assertEqual(jpath_values(self.msg_dict, 'Source[1].IP4[2]'),
['192.168.1.2'])
self.assertEqual(jpath_values(self.msg_dict, 'Source[1].IP4[#]'),
['192.168.1.2'])
self.assertEqual(jpath_values(self.msg_dict, 'Source[1].IP4[*]'),
['192.168.1.1', '192.168.1.2'])
self.assertEqual(jpath_values(self.msg_dict, 'Source[2].IP4[1]'),
['192.168.2.1'])
self.assertEqual(jpath_values(self.msg_dict, 'Source[2].IP4[2]'),
['192.168.2.2'])
self.assertEqual(jpath_values(self.msg_dict, 'Source[2].IP4[#]'),
['192.168.2.2'])
self.assertEqual(jpath_values(self.msg_dict, 'Source[2].IP4[*]'),
['192.168.2.1', '192.168.2.2'])
self.assertEqual(jpath_values(self.msg_dict, 'Source[#].IP4[1]'),
['192.168.2.1'])
self.assertEqual(jpath_values(self.msg_dict, 'Source[#].IP4[2]'),
['192.168.2.2'])
self.assertEqual(jpath_values(self.msg_dict, 'Source[#].IP4[#]'),
['192.168.2.2'])
self.assertEqual(jpath_values(self.msg_dict, 'Source[#].IP4[*]'),
['192.168.2.1', '192.168.2.2'])
self.assertEqual(jpath_values(self.msg_dict, 'Source[*].IP4[1]'),
['192.168.1.1', '192.168.2.1'])
self.assertEqual(jpath_values(self.msg_dict, 'Source[*].IP4[2]'),
['192.168.1.2', '192.168.2.2'])
self.assertEqual(jpath_values(self.msg_dict, 'Source[*].IP4[#]'),
['192.168.1.2', '192.168.2.2'])
self.assertEqual(
jpath_values(self.msg_dict, 'Source[*].IP4[*]'),
['192.168.1.1', '192.168.1.2', '192.168.2.1', '192.168.2.2'])
self.assertEqual(jpath_values(self.msg_idea, 'Format'), ['IDEA0'])
self.assertEqual(jpath_values(self.msg_idea, 'Node.Name'),
['node.name'])
self.assertEqual(jpath_values(self.msg_idea, 'Node[1].Name'),
['node.name'])
self.assertEqual(jpath_values(self.msg_idea, 'Node[#].Name'),
['node.name'])
self.assertEqual(jpath_values(self.msg_idea, 'Node[*].Name'),
['node.name'])
self.assertEqual(jpath_values(self.msg_idea, 'Node[1].Name[1]'), [])
self.assertEqual(jpath_values(self.msg_idea, 'Node[#].Name[#]'), [])
self.assertEqual(jpath_values(self.msg_idea, 'Node[*].Name[*]'), [])
self.assertEqual(jpath_values(self.msg_idea, 'Node.SW'),
['KIPPO', 'FAIL_TO_BAN'])
self.assertEqual(jpath_values(self.msg_idea, 'Node[1].SW'),
['KIPPO', 'FAIL_TO_BAN'])
self.assertEqual(jpath_values(self.msg_idea, 'Node[#].SW'),
['KIPPO', 'FAIL_TO_BAN'])
self.assertEqual(jpath_values(self.msg_idea, 'Node[*].SW'),
['KIPPO', 'FAIL_TO_BAN'])
self.assertEqual(jpath_values(self.msg_idea, 'Node[#].SW[1]'),
['KIPPO'])
self.assertEqual(jpath_values(self.msg_idea, 'Node[#].SW[2]'),
['FAIL_TO_BAN'])
self.assertEqual(jpath_values(self.msg_idea, 'Node[#].SW[#]'),
['FAIL_TO_BAN'])
self.assertEqual(jpath_values(self.msg_idea, 'Node[#].SW[*]'),
['KIPPO', 'FAIL_TO_BAN'])
def test_03_jpath_value(self):
"""
Perform the basic JPath value retrieval tests.
Make sure all possible JPath forms return expected results.
"""
self.maxDiff = None
self.assertEqual(jpath_value(self.msg_dict, 'Format'), 'IDEA0')
self.assertEqual(jpath_value(self.msg_dict, 'Format[1]'), None)
self.assertEqual(jpath_value(self.msg_dict, 'Format[#]'), None)
self.assertEqual(jpath_value(self.msg_dict, 'Format[*]'), None)
self.assertEqual(jpath_value(self.msg_dict, 'Category'), 'CATEGORY')
self.assertEqual(jpath_value(self.msg_dict, 'Category[1]'), 'CATEGORY')
self.assertEqual(jpath_value(self.msg_dict, 'Category[2]'), None)
self.assertEqual(jpath_value(self.msg_dict, 'Category[#]'), 'CATEGORY')
self.assertEqual(jpath_value(self.msg_dict, 'Category[*]'), 'CATEGORY')
self.assertEqual(jpath_value(self.msg_dict, 'Node.SW'), 'KIPPO')
self.assertEqual(jpath_value(self.msg_dict, 'Node[1].SW'), 'KIPPO')
self.assertEqual(jpath_value(self.msg_dict, 'Node[#].SW'), 'KIPPO')
self.assertEqual(jpath_value(self.msg_dict, 'Node[*].SW'), 'KIPPO')
self.assertEqual(jpath_value(self.msg_dict, 'Node[#].SW[1]'), 'KIPPO')
self.assertEqual(jpath_value(self.msg_dict, 'Node[#].SW[2]'),
'FAIL_TO_BAN')
self.assertEqual(jpath_value(self.msg_dict, 'Node[#].SW[#]'),
'FAIL_TO_BAN')
self.assertEqual(jpath_value(self.msg_dict, 'Node[#].SW[*]'), 'KIPPO')
self.assertEqual(jpath_value(self.msg_dict, 'Node.Name'), 'node.name')
self.assertEqual(jpath_value(self.msg_dict, 'Node[1].Name'),
'node.name')
self.assertEqual(jpath_value(self.msg_dict, 'Node[#].Name'),
'node.name')
self.assertEqual(jpath_value(self.msg_dict, 'Node[*].Name'),
'node.name')
self.assertEqual(jpath_value(self.msg_dict, 'Node[1].Name[1]'), None)
self.assertEqual(jpath_value(self.msg_dict, 'Node[#].Name[#]'), None)
self.assertEqual(jpath_value(self.msg_dict, 'Node[*].Name[*]'), None)
self.assertEqual(jpath_value(self.msg_dict, 'Source.IP4'),
'192.168.1.1')
self.assertEqual(jpath_value(self.msg_dict, 'Source[1].IP4'),
'192.168.1.1')
self.assertEqual(jpath_value(self.msg_dict, 'Source[2].IP4'),
'192.168.2.1')
self.assertEqual(jpath_value(self.msg_dict, 'Source[#].IP4'),
'192.168.2.1')
self.assertEqual(jpath_value(self.msg_dict, 'Source[*].IP4'),
'192.168.1.1')
self.assertEqual(jpath_value(self.msg_dict, 'Source.IP4[1]'),
'192.168.1.1')
self.assertEqual(jpath_value(self.msg_dict, 'Source.IP4[2]'),
'192.168.1.2')
self.assertEqual(jpath_value(self.msg_dict, 'Source.IP4[#]'),
'192.168.1.2')
self.assertEqual(jpath_value(self.msg_dict, 'Source.IP4[*]'),
'192.168.1.1')
self.assertEqual(jpath_value(self.msg_dict, 'Source[1].IP4[1]'),
'192.168.1.1')
self.assertEqual(jpath_value(self.msg_dict, 'Source[1].IP4[2]'),
'192.168.1.2')
self.assertEqual(jpath_value(self.msg_dict, 'Source[1].IP4[#]'),
'192.168.1.2')
self.assertEqual(jpath_value(self.msg_dict, 'Source[1].IP4[*]'),
'192.168.1.1')
self.assertEqual(jpath_value(self.msg_dict, 'Source[2].IP4[1]'),
'192.168.2.1')
self.assertEqual(jpath_value(self.msg_dict, 'Source[2].IP4[2]'),
'192.168.2.2')
self.assertEqual(jpath_value(self.msg_dict, 'Source[2].IP4[#]'),
'192.168.2.2')
self.assertEqual(jpath_value(self.msg_dict, 'Source[2].IP4[*]'),
'192.168.2.1')
self.assertEqual(jpath_value(self.msg_dict, 'Source[#].IP4[1]'),
'192.168.2.1')
self.assertEqual(jpath_value(self.msg_dict, 'Source[#].IP4[2]'),
'192.168.2.2')
self.assertEqual(jpath_value(self.msg_dict, 'Source[#].IP4[#]'),
'192.168.2.2')
self.assertEqual(jpath_value(self.msg_dict, 'Source[#].IP4[*]'),
'192.168.2.1')
self.assertEqual(jpath_value(self.msg_dict, 'Source[*].IP4[1]'),
'192.168.1.1')
self.assertEqual(jpath_value(self.msg_dict, 'Source[*].IP4[2]'),
'192.168.1.2')
self.assertEqual(jpath_value(self.msg_dict, 'Source[*].IP4[#]'),
'192.168.1.2')
self.assertEqual(jpath_value(self.msg_dict, 'Source[*].IP4[*]'),
'192.168.1.1')
self.assertEqual(jpath_value(self.msg_idea, 'Format'), 'IDEA0')
self.assertEqual(jpath_value(self.msg_idea, 'Node.Name'), 'node.name')
self.assertEqual(jpath_value(self.msg_idea, 'Node[1].Name'),
'node.name')
self.assertEqual(jpath_value(self.msg_idea, 'Node[#].Name'),
'node.name')
self.assertEqual(jpath_value(self.msg_idea, 'Node[*].Name'),
'node.name')
self.assertEqual(jpath_value(self.msg_idea, 'Node[1].Name[1]'), None)
self.assertEqual(jpath_value(self.msg_idea, 'Node[#].Name[#]'), None)
self.assertEqual(jpath_value(self.msg_idea, 'Node[*].Name[*]'), None)
self.assertEqual(jpath_value(self.msg_idea, 'Node.SW'), 'KIPPO')
self.assertEqual(jpath_value(self.msg_idea, 'Node[1].SW'), 'KIPPO')
self.assertEqual(jpath_value(self.msg_idea, 'Node[#].SW'), 'KIPPO')
self.assertEqual(jpath_value(self.msg_idea, 'Node[*].SW'), 'KIPPO')
self.assertEqual(jpath_value(self.msg_idea, 'Node[#].SW[1]'), 'KIPPO')
self.assertEqual(jpath_value(self.msg_idea, 'Node[#].SW[2]'),
'FAIL_TO_BAN')
self.assertEqual(jpath_value(self.msg_idea, 'Node[#].SW[#]'),
'FAIL_TO_BAN')
self.assertEqual(jpath_value(self.msg_idea, 'Node[#].SW[*]'), 'KIPPO')
def test_04_jpath_exists(self):
"""
Perform the basic JPath elements existence tests.
Make sure all possible JPath forms return expected results.
"""
self.maxDiff = None
self.assertEqual(jpath_exists(self.msg_dict, 'Format'), True)
self.assertEqual(jpath_exists(self.msg_dict, 'Format[1]'), False)
self.assertEqual(jpath_exists(self.msg_dict, 'Format[#]'), False)
self.assertEqual(jpath_exists(self.msg_dict, 'Format[*]'), False)
self.assertEqual(jpath_exists(self.msg_dict, 'Category'), True)
self.assertEqual(jpath_exists(self.msg_dict, 'Category[1]'), True)
self.assertEqual(jpath_exists(self.msg_dict, 'Category[2]'), False)
self.assertEqual(jpath_exists(self.msg_dict, 'Category[#]'), True)
self.assertEqual(jpath_exists(self.msg_dict, 'Category[*]'), True)
self.assertEqual(jpath_exists(self.msg_dict, 'Node.SW'), True)
self.assertEqual(jpath_exists(self.msg_dict, 'Node[1].SW'), True)
self.assertEqual(jpath_exists(self.msg_dict, 'Node[#].SW'), True)
self.assertEqual(jpath_exists(self.msg_dict, 'Node[*].SW'), True)
self.assertEqual(jpath_exists(self.msg_dict, 'Node[#].SW[1]'), True)
self.assertEqual(jpath_exists(self.msg_dict, 'Node[#].SW[2]'), True)
self.assertEqual(jpath_exists(self.msg_dict, 'Node[#].SW[#]'), True)
self.assertEqual(jpath_exists(self.msg_dict, 'Node[#].SW[*]'), True)
self.assertEqual(jpath_exists(self.msg_dict, 'Node.Name'), True)
self.assertEqual(jpath_exists(self.msg_dict, 'Node[1].Name'), True)
self.assertEqual(jpath_exists(self.msg_dict, 'Node[#].Name'), True)
self.assertEqual(jpath_exists(self.msg_dict, 'Node[*].Name'), True)
self.assertEqual(jpath_exists(self.msg_dict, 'Node[1].Name[1]'), False)
self.assertEqual(jpath_exists(self.msg_dict, 'Node[#].Name[#]'), False)
self.assertEqual(jpath_exists(self.msg_dict, 'Node[*].Name[*]'), False)
self.assertEqual(jpath_exists(self.msg_dict, 'Source.IP4'), True)
self.assertEqual(jpath_exists(self.msg_dict, 'Source[1].IP4'), True)
self.assertEqual(jpath_exists(self.msg_dict, 'Source[2].IP4'), True)
self.assertEqual(jpath_exists(self.msg_dict, 'Source[#].IP4'), True)
self.assertEqual(jpath_exists(self.msg_dict, 'Source[*].IP4'), True)
self.assertEqual(jpath_exists(self.msg_dict, 'Source.IP4[1]'), True)
self.assertEqual(jpath_exists(self.msg_dict, 'Source.IP4[2]'), True)
self.assertEqual(jpath_exists(self.msg_dict, 'Source.IP4[#]'), True)
self.assertEqual(jpath_exists(self.msg_dict, 'Source.IP4[*]'), True)
self.assertEqual(jpath_exists(self.msg_dict, 'Source[1].IP4[1]'), True)
self.assertEqual(jpath_exists(self.msg_dict, 'Source[1].IP4[2]'), True)
self.assertEqual(jpath_exists(self.msg_dict, 'Source[1].IP4[#]'), True)
self.assertEqual(jpath_exists(self.msg_dict, 'Source[1].IP4[*]'), True)
self.assertEqual(jpath_exists(self.msg_dict, 'Source[2].IP4[1]'), True)
self.assertEqual(jpath_exists(self.msg_dict, 'Source[2].IP4[2]'), True)
self.assertEqual(jpath_exists(self.msg_dict, 'Source[2].IP4[#]'), True)
self.assertEqual(jpath_exists(self.msg_dict, 'Source[2].IP4[*]'), True)
self.assertEqual(jpath_exists(self.msg_dict, 'Source[#].IP4[1]'), True)
self.assertEqual(jpath_exists(self.msg_dict, 'Source[#].IP4[2]'), True)
self.assertEqual(jpath_exists(self.msg_dict, 'Source[#].IP4[#]'), True)
self.assertEqual(jpath_exists(self.msg_dict, 'Source[#].IP4[*]'), True)
self.assertEqual(jpath_exists(self.msg_dict, 'Source[*].IP4[1]'), True)
self.assertEqual(jpath_exists(self.msg_dict, 'Source[*].IP4[2]'), True)
self.assertEqual(jpath_exists(self.msg_dict, 'Source[*].IP4[#]'), True)
self.assertEqual(jpath_exists(self.msg_dict, 'Source[*].IP4[*]'), True)
self.assertEqual(jpath_exists(self.msg_idea, 'Format'), True)
self.assertEqual(jpath_exists(self.msg_idea, 'Node.Name'), True)
self.assertEqual(jpath_exists(self.msg_idea, 'Node[1].Name'), True)
self.assertEqual(jpath_exists(self.msg_idea, 'Node[#].Name'), True)
self.assertEqual(jpath_exists(self.msg_idea, 'Node[*].Name'), True)
self.assertEqual(jpath_exists(self.msg_idea, 'Node[1].Name[1]'), False)
self.assertEqual(jpath_exists(self.msg_idea, 'Node[#].Name[#]'), False)
self.assertEqual(jpath_exists(self.msg_idea, 'Node[*].Name[*]'), False)
self.assertEqual(jpath_exists(self.msg_idea, 'Node.SW'), True)
self.assertEqual(jpath_exists(self.msg_idea, 'Node[1].SW'), True)
self.assertEqual(jpath_exists(self.msg_idea, 'Node[#].SW'), True)
self.assertEqual(jpath_exists(self.msg_idea, 'Node[*].SW'), True)
self.assertEqual(jpath_exists(self.msg_idea, 'Node[#].SW[1]'), True)
self.assertEqual(jpath_exists(self.msg_idea, 'Node[#].SW[2]'), True)
self.assertEqual(jpath_exists(self.msg_idea, 'Node[#].SW[#]'), True)
self.assertEqual(jpath_exists(self.msg_idea, 'Node[#].SW[*]'), True)
def test_05_jpath_set(self):
"""
Perform the basic JPath value setting tests.
"""
self.maxDiff = None
msg = {}
self.assertEqual(jpath_set(msg, 'TestA.ValueA1', 'A1'), RC_VALUE_SET)
self.assertEqual(msg, {'TestA': {'ValueA1': 'A1'}})
self.assertEqual(jpath_set(msg, 'TestA.ValueA2', 'A2'), RC_VALUE_SET)
self.assertEqual(msg, {'TestA': {'ValueA1': 'A1', 'ValueA2': 'A2'}})
self.assertEqual(jpath_set(msg, 'TestB[1].ValueB1', 'B1'),
RC_VALUE_SET)
self.assertEqual(
msg, {
'TestA': {
'ValueA1': 'A1',
'ValueA2': 'A2'
},
'TestB': [{
'ValueB1': 'B1'
}]
})
self.assertEqual(jpath_set(msg, 'TestB[#].ValueB2', 'B2'),
RC_VALUE_SET)
self.assertEqual(
msg, {
'TestA': {
'ValueA1': 'A1',
'ValueA2': 'A2'
},
'TestB': [{
'ValueB1': 'B1',
'ValueB2': 'B2'
}]
})
self.assertEqual(jpath_set(msg, 'TestB[*].ValueB3', 'B3'),
RC_VALUE_SET)
self.assertEqual(
msg, {
'TestA': {
'ValueA1': 'A1',
'ValueA2': 'A2'
},
'TestB': [{
'ValueB1': 'B1',
'ValueB2': 'B2'
}, {
'ValueB3': 'B3'
}]
})
self.assertEqual(jpath_set(msg, 'TestB[#].ValueB4', 'B4'),
RC_VALUE_SET)
self.assertEqual(
msg, {
'TestA': {
'ValueA1': 'A1',
'ValueA2': 'A2'
},
'TestB': [{
'ValueB1': 'B1',
'ValueB2': 'B2'
}, {
'ValueB3': 'B3',
'ValueB4': 'B4'
}]
})
self.assertEqual(jpath_set(msg, 'TestB[#]', 'DROP'), RC_VALUE_SET)
self.assertEqual(
msg, {
'TestA': {
'ValueA1': 'A1',
'ValueA2': 'A2'
},
'TestB': [{
'ValueB1': 'B1',
'ValueB2': 'B2'
}, "DROP"]
})
# This will fail, because "TestA" node is not a list
self.assertRaisesRegex(
JPathException, "Expected list-like object under structure key",
jpath_set, msg, 'TestA[#].ValueC1', 'C1')
# This will fail, because "TestA.ValueA1" node is not a dict
self.assertRaisesRegex(
JPathException, "Expected dict-like object under structure key",
jpath_set, msg, 'TestA.ValueA1.ValueC1', 'C1')
# This will fail, because we try to attach a node to scalar "TestB[#]"
self.assertRaisesRegex(JPathException,
"Expected dict-like structure to attach node",
jpath_set, msg, 'TestB[#].ValueB5',
'RAISE EXCEPTION')
def test_06_jpath_set_unique(self):
"""
Perform JPath value setting tests with unique flag.
"""
self.maxDiff = None
msg = {}
self.assertEqual(
jpath_set(msg, 'TestC[#].ListVals1[*]', 'LV1', unique=True),
RC_VALUE_SET)
self.assertEqual(msg, {'TestC': [{'ListVals1': ['LV1']}]})
self.assertEqual(
jpath_set(msg, 'TestC[#].ListVals1[*]', 'LV2', unique=True),
RC_VALUE_SET)
self.assertEqual(msg, {'TestC': [{'ListVals1': ['LV1', 'LV2']}]})
self.assertEqual(
jpath_set(msg, 'TestC[#].ListVals1[*]', 'LV1', unique=True),
RC_VALUE_DUPLICATE)
self.assertEqual(msg, {'TestC': [{'ListVals1': ['LV1', 'LV2']}]})
def test_07_jpath_set_overwrite(self):
"""
Perform JPath value setting tests with overwrite flag.
"""
self.maxDiff = None
msg = {}
#
# Overwriting in lists.
#
self.assertEqual(
jpath_set(msg, 'TestD[#].ListVals1[*]', 'LV1', overwrite=False),
RC_VALUE_SET)
self.assertEqual(msg, {'TestD': [{'ListVals1': ['LV1']}]})
self.assertEqual(
jpath_set(msg, 'TestD[#].ListVals1[*]', 'LV2', overwrite=False),
RC_VALUE_SET)
self.assertEqual(msg, {'TestD': [{'ListVals1': ['LV1', 'LV2']}]})
self.assertEqual(
jpath_set(msg, 'TestD[#].ListVals1[2]', 'LV3', overwrite=False),
RC_VALUE_EXISTS)
self.assertEqual(msg, {'TestD': [{'ListVals1': ['LV1', 'LV2']}]})
self.assertEqual(
jpath_set(msg, 'TestD[#].ListVals1[3]', 'LV3', overwrite=False),
RC_VALUE_SET)
self.assertEqual(msg,
{'TestD': [{
'ListVals1': ['LV1', 'LV2', 'LV3']
}]})
#
# Overwriting in dicts.
#
self.assertEqual(
jpath_set(msg, 'TestD[#].DictVal', 'DV1', overwrite=False),
RC_VALUE_SET)
self.assertEqual(msg, {
'TestD': [{
'ListVals1': ['LV1', 'LV2', 'LV3'],
'DictVal': 'DV1'
}]
})
self.assertEqual(
jpath_set(msg, 'TestD[#].DictVal', 'DV2', overwrite=False),
RC_VALUE_EXISTS)
self.assertEqual(msg, {
'TestD': [{
'ListVals1': ['LV1', 'LV2', 'LV3'],
'DictVal': 'DV1'
}]
})
def test_01_inspector_filters(self):
"""
Perform tests of filters currently used in mentat-inspector.py.
"""
self.maxDiff = None
inspection_rules = [{
"filter":
"Category in ['Attempt.Login'] and Target.Port in [3389]",
"str":
'((Category OP_IN ["Attempt.Login"]) OP_AND (Target.Port OP_IN [3389]))',
"tests": [[{
"Format":
"IDEA0",
"ID":
"e214d2d9-359b-443d-993d-3cc5637107a0",
"Source": [{
"IP4": ["188.14.166.39"]
}],
"Target": [{
"IP4": ["195.113.165.128/25"],
"Port": ["3389"],
"Proto": ["tcp", "ssh"]
}],
"Note":
"SSH login attempt",
"DetectTime":
"2016-06-21 13:08:27Z",
"Node": [{
"Type": ["Connection", "Honeypot"],
"SW": ["Kippo"],
"Name": "cz.uhk.apate.cowrie"
}],
"Category": ["Attempt.Login"]
}, True],
[{
"Format":
"IDEA0",
"ID":
"e214d2d9-359b-443d-993d-3cc5637107a0",
"Source": [{
"IP4": ["188.14.166.39"]
}],
"Target": [{
"IP4": ["195.113.165.128/25"],
"Port": ["338"],
"Proto": ["tcp", "ssh"]
}],
"Note":
"SSH login attempt",
"DetectTime":
"2016-06-21 13:08:27Z",
"Node": [{
"Type": ["Connection", "Honeypot"],
"SW": ["Kippo"],
"Name": "cz.uhk.apate.cowrie"
}],
"Category": ["Attempt.Login"]
}, False]],
}, {
"filter":
"Category in ['Attempt.Login'] and (Target.Proto in ['telnet'] or Source.Proto in ['telnet'] or Target.Port in [23])",
"str":
'((Category OP_IN ["Attempt.Login"]) OP_AND ((Target.Proto OP_IN ["telnet"]) OP_OR ((Source.Proto OP_IN ["telnet"]) OP_OR (Target.Port OP_IN [23]))))'
}, {
"filter":
"Category in ['Attempt.Login'] and (Target.Proto in ['ssh'] or Source.Proto in ['ssh'] or Target.Port in [22])",
"str":
'((Category OP_IN ["Attempt.Login"]) OP_AND ((Target.Proto OP_IN ["ssh"]) OP_OR ((Source.Proto OP_IN ["ssh"]) OP_OR (Target.Port OP_IN [22]))))'
}, {
"filter":
"Category in ['Attempt.Login'] and (Target.Proto in ['sip', 'sip-tls'] or Source.Proto in ['sip', 'sip-tls'] or Target.Port in [5060])",
"str":
'((Category OP_IN ["Attempt.Login"]) OP_AND ((Target.Proto OP_IN ["sip", "sip-tls"]) OP_OR ((Source.Proto OP_IN ["sip", "sip-tls"]) OP_OR (Target.Port OP_IN [5060]))))'
}, {
"filter":
"Category in ['Attempt.Exploit'] and (Target.Proto in ['sip', 'sip-tls'] or Source.Proto in ['sip', 'sip-tls'] or Target.Port in [5060])",
"str":
'((Category OP_IN ["Attempt.Exploit"]) OP_AND ((Target.Proto OP_IN ["sip", "sip-tls"]) OP_OR ((Source.Proto OP_IN ["sip", "sip-tls"]) OP_OR (Target.Port OP_IN [5060]))))'
}, {
"filter":
"Category in ['Attempt.Exploit'] and Target.Port in [23]",
"str":
'((Category OP_IN ["Attempt.Exploit"]) OP_AND (Target.Port OP_IN [23]))'
}, {
"filter":
"Category in ['Attempt.Exploit'] and (Target.Port in [80, 443] or Source.Proto in ['http', 'https', 'http-alt'] or Target.Proto in ['http', 'https', 'http-alt'])",
"str":
'((Category OP_IN ["Attempt.Exploit"]) OP_AND ((Target.Port OP_IN [80, 443]) OP_OR ((Source.Proto OP_IN ["http", "https", "http-alt"]) OP_OR (Target.Proto OP_IN ["http", "https", "http-alt"]))))'
}, {
"filter":
"Category in ['Attempt.Exploit'] and (Target.Port in [3306] or Source.Proto in ['mysql'] or Target.Proto in ['mysql'])",
"str":
'((Category OP_IN ["Attempt.Exploit"]) OP_AND ((Target.Port OP_IN [3306]) OP_OR ((Source.Proto OP_IN ["mysql"]) OP_OR (Target.Proto OP_IN ["mysql"]))))'
}, {
"filter":
"Category in ['Attempt.Exploit'] and (Target.Port in [445] or Source.Proto in ['microsoft-ds', 'smb'] or Target.Proto in ['microsoft-ds', 'smb'])",
"str":
'((Category OP_IN ["Attempt.Exploit"]) OP_AND ((Target.Port OP_IN [445]) OP_OR ((Source.Proto OP_IN ["microsoft-ds", "smb"]) OP_OR (Target.Proto OP_IN ["microsoft-ds", "smb"]))))'
}, {
"filter":
"Category in ['Attempt.Exploit'] and (Target.Port in [135] or Source.Proto in ['loc-srv', 'epmap'] or Target.Proto in ['loc-srv', 'epmap'])",
"str":
'((Category OP_IN ["Attempt.Exploit"]) OP_AND ((Target.Port OP_IN [135]) OP_OR ((Source.Proto OP_IN ["loc-srv", "epmap"]) OP_OR (Target.Proto OP_IN ["loc-srv", "epmap"]))))'
}, {
"filter":
"Category in ['Attempt.Exploit'] and (Target.Port in [1900] or Source.Proto in ['upnp', 'ssdp'] or Target.Proto in ['upnp', 'ssdp'])",
"str":
'((Category OP_IN ["Attempt.Exploit"]) OP_AND ((Target.Port OP_IN [1900]) OP_OR ((Source.Proto OP_IN ["upnp", "ssdp"]) OP_OR (Target.Proto OP_IN ["upnp", "ssdp"]))))'
}, {
"filter":
"Category in ['Attempt.Exploit'] and (Target.Port in [20, 21, 989, 990] or Source.Proto in ['ftp', 'ftp-data', 'ftps', 'ftps-data'] or Target.Proto in ['ftp', 'ftp-data', 'ftps', 'ftps-data'])",
"str":
'((Category OP_IN ["Attempt.Exploit"]) OP_AND ((Target.Port OP_IN [20, 21, 989, 990]) OP_OR ((Source.Proto OP_IN ["ftp", "ftp-data", "ftps", "ftps-data"]) OP_OR (Target.Proto OP_IN ["ftp", "ftp-data", "ftps", "ftps-data"]))))'
}, {
"filter":
"Category in ['Attempt.Exploit'] and (Target.Port in [1433, 1434] or Source.Proto in ['ms-sql-s', 'ms-sql-m'] or Target.Proto in ['ms-sql-s', 'ms-sql-m'])",
"str":
'((Category OP_IN ["Attempt.Exploit"]) OP_AND ((Target.Port OP_IN [1433, 1434]) OP_OR ((Source.Proto OP_IN ["ms-sql-s", "ms-sql-m"]) OP_OR (Target.Proto OP_IN ["ms-sql-s", "ms-sql-m"]))))'
}, {
"filter":
"Category in ['Attempt.Exploit'] and (Target.Port in [42] or Source.Proto in ['nameserver'] or Target.Proto in ['nameserver'])",
"str":
'((Category OP_IN ["Attempt.Exploit"]) OP_AND ((Target.Port OP_IN [42]) OP_OR ((Source.Proto OP_IN ["nameserver"]) OP_OR (Target.Proto OP_IN ["nameserver"]))))'
}, {
"filter":
"Category in ['Attempt.Exploit'] and Node.SW in ['Dionaea']",
"str":
'((Category OP_IN ["Attempt.Exploit"]) OP_AND (Node.SW OP_IN ["Dionaea"]))'
}, {
"filter":
"Category in ['Availability.DoS', 'Availability.DDoS'] and (Target.Proto in ['dns', 'domain'] or Source.Proto in ['dns', 'domain'] or Target.Port in [53] or Source.Port in [53])",
"str":
'((Category OP_IN ["Availability.DoS", "Availability.DDoS"]) OP_AND ((Target.Proto OP_IN ["dns", "domain"]) OP_OR ((Source.Proto OP_IN ["dns", "domain"]) OP_OR ((Target.Port OP_IN [53]) OP_OR (Source.Port OP_IN [53])))))'
}, {
"filter":
"Category in ['Availability.DDoS'] and Node.Type in ['Flow'] and Node.Type in ['Statistical']",
"str":
'((Category OP_IN ["Availability.DDoS"]) OP_AND ((Node.Type OP_IN ["Flow"]) OP_AND (Node.Type OP_IN ["Statistical"])))'
}, {
"filter":
"Category in ['Abusive.Spam'] and Node.SW in ['UCEPROT']",
"str":
'((Category OP_IN ["Abusive.Spam"]) OP_AND (Node.SW OP_IN ["UCEPROT"]))'
}, {
"filter":
"Category in ['Abusive.Spam'] and Node.SW in ['Fail2Ban', 'IntelMQ']",
"str":
'((Category OP_IN ["Abusive.Spam"]) OP_AND (Node.SW OP_IN ["Fail2Ban", "IntelMQ"]))'
}, {
"filter":
"Category in ['Vulnerable.Config'] and (Source.Proto in ['qotd'] or Source.Port in [17])",
"str":
'((Category OP_IN ["Vulnerable.Config"]) OP_AND ((Source.Proto OP_IN ["qotd"]) OP_OR (Source.Port OP_IN [17])))'
}, {
"filter":
"Category in ['Vulnerable.Config'] and Source.Proto in ['ssdp']",
"str":
'((Category OP_IN ["Vulnerable.Config"]) OP_AND (Source.Proto OP_IN ["ssdp"]))'
}, {
"filter":
"Category in ['Vulnerable.Config'] and (Source.Proto in ['ntp'] or Source.Port in [123])",
"str":
'((Category OP_IN ["Vulnerable.Config"]) OP_AND ((Source.Proto OP_IN ["ntp"]) OP_OR (Source.Port OP_IN [123])))'
}, {
"filter":
"Category in ['Vulnerable.Config'] and (Source.Proto in ['domain'] or Source.Port in [53])",
"str":
'((Category OP_IN ["Vulnerable.Config"]) OP_AND ((Source.Proto OP_IN ["domain"]) OP_OR (Source.Port OP_IN [53])))'
}, {
"filter":
"Category in ['Vulnerable.Config'] and (Source.Proto in ['netbios-ns'] or Source.Port in [137])",
"str":
'((Category OP_IN ["Vulnerable.Config"]) OP_AND ((Source.Proto OP_IN ["netbios-ns"]) OP_OR (Source.Port OP_IN [137])))'
}, {
"filter":
"Category in ['Vulnerable.Config'] and (Source.Proto in ['ipmi'] or Source.Port in [623])",
"str":
'((Category OP_IN ["Vulnerable.Config"]) OP_AND ((Source.Proto OP_IN ["ipmi"]) OP_OR (Source.Port OP_IN [623])))'
}, {
"filter":
"Category in ['Vulnerable.Config'] and (Source.Proto in ['chargen'] or Source.Port in [19])",
"str":
'((Category OP_IN ["Vulnerable.Config"]) OP_AND ((Source.Proto OP_IN ["chargen"]) OP_OR (Source.Port OP_IN [19])))'
}, {
"filter": "Category in ['Anomaly.Traffic']",
"str": '(Category OP_IN ["Anomaly.Traffic"])'
}, {
"filter":
"Category in ['Anomaly.Connection'] and Source.Type in ['Booter']",
"str":
'((Category OP_IN ["Anomaly.Connection"]) OP_AND (Source.Type OP_IN ["Booter"]))'
}, {
"filter":
"Category in ['Intrusion.Botnet'] and Source.Type in ['Botnet']",
"str":
'((Category OP_IN ["Intrusion.Botnet"]) OP_AND (Source.Type OP_IN ["Botnet"]))'
}, {
"filter": "Category in ['Recon.Scanning']",
"str": '(Category OP_IN ["Recon.Scanning"])'
}]
for insr in inspection_rules:
rule = self.build_rule(insr['filter'])
self.assertEqual(str(rule), insr['str'])
if 'tests' in insr:
for itemt in insr['tests']:
msg_idea = lite.Idea(itemt[0])
self.assertEqual(
[insr['filter'],
self.flt.filter(rule, msg_idea)],
[insr['filter'], itemt[1]])