 def test_gt_and_is_equal_cim_splunk(self):
     """Smoke-test a `>` / `=` conjunction translated for Splunk with the CIM model.

     The converted query is only printed; the test fails solely if translate raises.
     """
     pattern = "[process:pid > 4 AND process:binary_ref.name = 'cmd.exe']"
     converted = translate(pattern, SearchPlatforms.SPLUNK, DataModels.CIM)
     print(f"CONVERTED: {pattern}    TO   ", converted)
 def test_md5_hash_car_elastic(self):
     """Smoke-test an MD5 file-hash equality pattern translated for Elastic with the CAR model.

     The converted query is only printed; the test fails solely if translate raises.
     """
     pattern = "[file:hashes.MD5 ='79054025255fb1a26e4bc422aef54eb4']"
     converted = translate(pattern, SearchPlatforms.ELASTIC, DataModels.CAR)
     print(f"CONVERTED: {pattern}    TO   ", converted)
 def test_followedby_obs_expressi_car_splunk(self):
     """Smoke-test two observation expressions joined by FOLLOWEDBY, for Splunk / CAR.

     The converted query is only printed; the test fails solely if translate raises.
     """
     pattern = "[ipv4-addr:value = '198.51.100.5' ] FOLLOWEDBY [ipv4-addr:value = '198.51.100.10']"
     converted = translate(pattern, SearchPlatforms.SPLUNK, DataModels.CAR)
     print(f"CONVERTED: {pattern}    TO   ", converted)
 def test_gt_and_is_equal_car_elastic(self):
     """Smoke-test a `>` / `=` conjunction translated for Elastic with the CAR model.

     The converted query is only printed; the test fails solely if translate raises.
     """
     pattern = "[process:pid > 4 AND process:binary_ref.name = 'cmd.exe']"
     converted = translate(pattern, SearchPlatforms.ELASTIC, DataModels.CAR)
     print(f"CONVERTED: {pattern}    TO   ", converted)
 def test_car_2014_11_004_cim_splunk(self):
     """Smoke-test the CAR-2014-11-004-style process/parent pattern for Splunk / CIM.

     The converted query is only printed; the test fails solely if translate raises.
     """
     pattern = "[process:name = 'wsmprovhost.exe' AND process:parent_ref.name = 'svchost.exe']"
     converted = translate(pattern, SearchPlatforms.SPLUNK, DataModels.CIM)
     print(f"CONVERTED: {pattern}    TO   ", converted)
 def test_followedby_obs_expressi_cim_elastic(self):
     """Smoke-test two observation expressions joined by FOLLOWEDBY, for Elastic / CIM.

     The converted query is only printed; the test fails solely if translate raises.
     """
     pattern = "[ipv4-addr:value = '198.51.100.5' ] FOLLOWEDBY [ipv4-addr:value = '198.51.100.10']"
     converted = translate(pattern, SearchPlatforms.ELASTIC, DataModels.CIM)
     print(f"CONVERTED: {pattern}    TO   ", converted)
 def test_car_2013_05_002_car_splunk(self):
     """Smoke-test two OR-ed MATCHES regexes on a parent-directory path, for Splunk / CAR.

     The converted query is only printed; the test fails solely if translate raises.
     """
     pattern = "[process:binary_ref.parent_directory_ref.path MATCHES ':\\\\RECYCLER' OR process:binary_ref.parent_directory_ref.path MATCHES ':\\\\SystemVolumeInformation']"
     converted = translate(pattern, SearchPlatforms.SPLUNK, DataModels.CAR)
     print(f"CONVERTED: {pattern}    TO   ", converted)
 def test_car_2014_11_004_car_elastic(self):
     """Smoke-test the CAR-2014-11-004-style process/parent pattern for Elastic / CAR.

     The converted query is only printed; the test fails solely if translate raises.
     """
     pattern = "[process:name = 'wsmprovhost.exe' AND process:parent_ref.name = 'svchost.exe']"
     converted = translate(pattern, SearchPlatforms.ELASTIC, DataModels.CAR)
     print(f"CONVERTED: {pattern}    TO   ", converted)
 def test_car_2013_03_001_cim_splunk(self):
     """Smoke-test a three-term process ancestry pattern (with a `!=`) for Splunk / CIM.

     The converted query is only printed; the test fails solely if translate raises.
     """
     pattern = "[process:name = 'reg.exe' AND process:parent_ref.name = 'cmd.exe' AND process:parent_ref.parent_ref.name != 'explorer.exe']"
     converted = translate(pattern, SearchPlatforms.SPLUNK, DataModels.CIM)
     print(f"CONVERTED: {pattern}    TO   ", converted)
 def test_car_2013_03_001_car_elastic(self):
     """Smoke-test a three-term process ancestry pattern (with a `!=`) for Elastic / CAR.

     The converted query is only printed; the test fails solely if translate raises.
     """
     pattern = "[process:name = 'reg.exe' AND process:parent_ref.name = 'cmd.exe' AND process:parent_ref.parent_ref.name != 'explorer.exe']"
     converted = translate(pattern, SearchPlatforms.ELASTIC, DataModels.CAR)
     print(f"CONVERTED: {pattern}    TO   ", converted)
 def test_and_not_in_set_cim_splunk(self):
     """Smoke-test `NOT IN (set)` AND-ed with an equality, for Splunk / CIM.

     The converted query is only printed; the test fails solely if translate raises.
     """
     pattern = "[process:pid NOT IN (1, 2, 3) AND process:name = 'wsmprovhost.exe']"
     converted = translate(pattern, SearchPlatforms.SPLUNK, DataModels.CIM)
     print(f"CONVERTED: {pattern}    TO   ", converted)
 def test_md5_hash_cim_splunk(self):
     """Smoke-test an MD5 file-hash equality pattern translated for Splunk with the CIM model.

     The converted query is only printed; the test fails solely if translate raises.
     """
     pattern = "[file:hashes.MD5 ='79054025255fb1a26e4bc422aef54eb4']"
     converted = translate(pattern, SearchPlatforms.SPLUNK, DataModels.CIM)
     print(f"CONVERTED: {pattern}    TO   ", converted)
 def test_anded_two_regex_cim_splunk(self):
     """Smoke-test two AND-ed MATCHES regexes on the same path field, for Splunk / CIM.

     The converted query is only printed; the test fails solely if translate raises.
     """
     pattern = "[process:binary_ref.parent_directory_ref.path MATCHES ':\\\\RECYCLER' AND process:binary_ref.parent_directory_ref.path MATCHES ':\\\\SystemVolumeInformation']"
     converted = translate(pattern, SearchPlatforms.SPLUNK, DataModels.CIM)
     print(f"CONVERTED: {pattern}    TO   ", converted)
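        def test(self):
            """Push this model's fixture events, run the translated query, and check the hits.

            Every event — matching and non-matching — is tagged with a fresh uuid4 GUID
            before being pushed to the connector for `platform`. The set of GUIDs the
            search returns must equal exactly the GUIDs of the 'matches' events for
            this model. `data`, `model` and `platform` come from the enclosing scope.
            """
            # Collect all of the events for this data model; either list may be absent.
            nonmatches = data['nonmatches'].get(model.value, [])
            matches = data['matches'].get(model.value, [])
            events = nonmatches + matches

            connector = None
            if platform == SearchPlatforms.SPLUNK:
                connector = self.splunk
            elif platform == SearchPlatforms.ELASTIC:
                connector = self.elastic
            if connector is None:
                # Fail with a readable message rather than an AttributeError on None.push.
                self.fail("no connector configured for search platform %r" % (platform,))

            # Add the GUID, which is how we line up the data after the search.
            # A plain loop: update() is called for its side effect, not its result.
            for event in events:
                event.update({'guid': str(uuid4())})

            # Send them to the search platform. The data model is passed along because
            # some platforms format data per data model.
            connector.push(model, events)

            # Run the query: GUIDs in "matches" should come back, GUIDs in "nonmatches" should not.
            query = translate(data['stix-input'], platform, model)
            results = connector.query(query, model)

            # Compare by GUID. NOTE(review): this indexes data['matches'] directly rather
            # than using the `.get(..., [])` local above, so a model with no 'matches'
            # entry raises KeyError instead of asserting an empty result — kept as-is.
            self.assertEqual(
                {e['guid'] for e in data['matches'][model.value]},
                set(results))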
 def test_regex_no_anchor_cim_splunk(self):
     """Smoke-test an unanchored MATCHES regex AND-ed with an equality, for Splunk / CIM.

     The converted query is only printed; the test fails solely if translate raises.
     """
     pattern = "[process:name = 'wsmprovhost.exe' AND process:binary_ref.parent_directory_ref.path MATCHES '\\\\SystemVolumeInformation']"
     converted = translate(pattern, SearchPlatforms.SPLUNK, DataModels.CIM)
     print(f"CONVERTED: {pattern}    TO   ", converted)
 def test_anded_obs_expressi_car_elastic(self):
     """Smoke-test two observation expressions joined by AND, for Elastic / CAR.

     The converted query is only printed; the test fails solely if translate raises.
     """
     pattern = "[ipv4-addr:value = '198.51.100.5'] AND [ipv4-addr:value = '198.51.100.10']"
     converted = translate(pattern, SearchPlatforms.ELASTIC, DataModels.CAR)
     print(f"CONVERTED: {pattern}    TO   ", converted)
 def test_anded_two_regex_car_elastic(self):
     """Smoke-test two AND-ed MATCHES regexes on the same path field, for Elastic / CAR.

     The converted query is only printed; the test fails solely if translate raises.
     """
     pattern = "[process:binary_ref.parent_directory_ref.path MATCHES ':\\\\RECYCLER' AND process:binary_ref.parent_directory_ref.path MATCHES ':\\\\SystemVolumeInformation']"
     converted = translate(pattern, SearchPlatforms.ELASTIC, DataModels.CAR)
     print(f"CONVERTED: {pattern}    TO   ", converted)
 def test_regex_front_anchor_cim_elastic(self):
     """Smoke-test a `^`-anchored MATCHES regex AND-ed with an equality, for Elastic / CIM.

     The converted query is only printed; the test fails solely if translate raises.
     """
     pattern = "[process:name = 'wsmprovhost.exe' AND process:binary_ref.parent_directory_ref.path MATCHES '^\\\\SystemVolumeInformation']"
     converted = translate(pattern, SearchPlatforms.ELASTIC, DataModels.CIM)
     print(f"CONVERTED: {pattern}    TO   ", converted)
 def test_regex_car_elastic(self):
     """Smoke-test a fully anchored (`^...$`) MATCHES regex on a path, for Elastic / CAR.

     The converted query is only printed; the test fails solely if translate raises.
     """
     pattern = "[file:parent_directory_ref.path MATCHES '^C:\\\\Windows\\\\w+$']"
     converted = translate(pattern, SearchPlatforms.ELASTIC, DataModels.CAR)
     print(f"CONVERTED: {pattern}    TO   ", converted)
 def test_regex_cim_splunk(self):
     """Smoke-test a fully anchored (`^...$`) MATCHES regex on a path, for Splunk / CIM.

     The converted query is only printed; the test fails solely if translate raises.
     """
     pattern = "[file:parent_directory_ref.path MATCHES '^C:\\\\Windows\\\\w+$']"
     converted = translate(pattern, SearchPlatforms.SPLUNK, DataModels.CIM)
     print(f"CONVERTED: {pattern}    TO   ", converted)
 def test_and_not_in_set_car_elastic(self):
     """Smoke-test `NOT IN (set)` AND-ed with an equality, for Elastic / CAR.

     The converted query is only printed; the test fails solely if translate raises.
     """
     pattern = "[process:pid NOT IN (1, 2, 3) AND process:name = 'wsmprovhost.exe']"
     converted = translate(pattern, SearchPlatforms.ELASTIC, DataModels.CAR)
     print(f"CONVERTED: {pattern}    TO   ", converted)
 def test_ored_obs_expressi_cim_splunk(self):
     """Smoke-test two observation expressions joined by OR, for Splunk / CIM.

     The converted query is only printed; the test fails solely if translate raises.
     """
     pattern = "[ipv4-addr:value = '198.51.100.5' ] OR [ipv4-addr:value = '198.51.100.10']"
     converted = translate(pattern, SearchPlatforms.SPLUNK, DataModels.CIM)
     print(f"CONVERTED: {pattern}    TO   ", converted)
 def test_neq_cim_splunk(self):
     """Smoke-test a single `!=` comparison translated for Splunk with the CIM model.

     The converted query is only printed; the test fails solely if translate raises.
     """
     pattern = "[process:name != 'wsmprovhost.exe']"
     converted = translate(pattern, SearchPlatforms.SPLUNK, DataModels.CIM)
     print(f"CONVERTED: {pattern}    TO   ", converted)
 def test_timestamp_cim_splunk(self):
     """Smoke-test a timestamp literal (`t'...'`) equality translated for Splunk / CIM.

     The converted query is only printed; the test fails solely if translate raises.
     """
     pattern = "[file:created = t'2014-01-13T07:03:17Z']"
     converted = translate(pattern, SearchPlatforms.SPLUNK, DataModels.CIM)
     print(f"CONVERTED: {pattern}    TO   ", converted)
 def test_timestamp_cim_elastic(self):
     """Smoke-test a timestamp literal (`t'...'`) equality translated for Elastic / CIM.

     The converted query is only printed; the test fails solely if translate raises.
     """
     pattern = "[file:created = t'2014-01-13T07:03:17Z']"
     converted = translate(pattern, SearchPlatforms.ELASTIC, DataModels.CIM)
     print(f"CONVERTED: {pattern}    TO   ", converted)
 def test_not_like_cim_splunk(self):
     """Smoke-test a `NOT LIKE` wildcard comparison translated for Splunk / CIM.

     The converted query is only printed; the test fails solely if translate raises.
     """
     pattern = "[file:name NOT LIKE '%.exe']"
     converted = translate(pattern, SearchPlatforms.SPLUNK, DataModels.CIM)
     print(f"CONVERTED: {pattern}    TO   ", converted)
 def test_not_like_cim_elastic(self):
     """Smoke-test a `NOT LIKE` wildcard comparison translated for Elastic / CIM.

     The converted query is only printed; the test fails solely if translate raises.
     """
     pattern = "[file:name NOT LIKE '%.exe']"
     converted = translate(pattern, SearchPlatforms.ELASTIC, DataModels.CIM)
     print(f"CONVERTED: {pattern}    TO   ", converted)
 def test_not_in_set_cim_splunk(self):
     """Smoke-test a bare `NOT IN (set)` comparison translated for Splunk / CIM.

     The converted query is only printed; the test fails solely if translate raises.
     """
     pattern = "[process:pid NOT IN (1, 2, 3)]"
     converted = translate(pattern, SearchPlatforms.SPLUNK, DataModels.CIM)
     print(f"CONVERTED: {pattern}    TO   ", converted)
 def test_not_in_set_cim_elastic(self):
     """Smoke-test a bare `NOT IN (set)` comparison translated for Elastic / CIM.

     The converted query is only printed; the test fails solely if translate raises.
     """
     pattern = "[process:pid NOT IN (1, 2, 3)]"
     converted = translate(pattern, SearchPlatforms.ELASTIC, DataModels.CIM)
     print(f"CONVERTED: {pattern}    TO   ", converted)
 def test_neq_cim_elastic(self):
     """Smoke-test a single `!=` comparison translated for Elastic with the CIM model.

     The converted query is only printed; the test fails solely if translate raises.
     """
     pattern = "[process:name != 'wsmprovhost.exe']"
     converted = translate(pattern, SearchPlatforms.ELASTIC, DataModels.CIM)
     print(f"CONVERTED: {pattern}    TO   ", converted)