def test_comparison_expression_root_types(pattern, root_types):
    """Check that the parsed comparison operand reports the expected root object types.

    ``pattern`` and ``root_types`` are injected by pytest; the parsed AST's
    ``operand.root_types`` must equal ``root_types`` exactly.
    """
    parsed = create_pattern_object(pattern)
    observed_root_types = parsed.operand.root_types
    assert observed_root_types == root_types
def test_parsing_followed_by():
    """Round-trip a FOLLOWEDBY observation expression with a WITHIN qualifier (STIX 2.1).

    The registry-key path contains escaped backslashes; serialising the parsed
    object must reproduce the input text exactly.
    """
    pattern_text = (
        "([file:hashes.MD5 = '79054025255fb1a26e4bc422aef54eb4'] FOLLOWEDBY "
        "[windows-registry-key:key = 'HKEY_LOCAL_MACHINE\\\\foo\\\\bar']) "
        "WITHIN 300 SECONDS"
    )
    parsed = create_pattern_object(pattern_text, version="2.1")
    assert str(parsed) == pattern_text
def test_parsing_or_observable_expression():
    """Round-trip two AND-joined comparison groups combined with observation-level OR (STIX 2.1)."""
    pattern_text = (
        "[user-account:account_type = 'unix' AND user-account:user_id = '1007' "
        "AND user-account:account_login = '******'] OR "
        "[user-account:account_type = 'unix' AND user-account:user_id = '1008' "
        "AND user-account:account_login = '******']"
    )
    parsed = create_pattern_object(pattern_text, version="2.1")
    assert str(parsed) == pattern_text
def test_parsing_like():
    """Round-trip a LIKE comparison whose operand mixes escaped backslashes and a '%' wildcard (STIX 2.1)."""
    pattern_text = "[directory:path LIKE 'C:\\\\Windows\\\\%\\\\foo']"
    parsed = create_pattern_object(pattern_text, version="2.1")
    assert str(parsed) == pattern_text
def test_parsing_match():
    """Round-trip two MATCHES regex comparisons joined by FOLLOWEDBY ... WITHIN (STIX 2.1).

    The regex operands contain anchors, '+' quantifiers and spaces; none of
    them may be altered by parsing and re-serialisation.
    """
    pattern_text = (
        "[process:command_line MATCHES "
        "'^.+>-add GlobalSign.cer -c -s -r localMachine Root$'] FOLLOWEDBY "
        "[process:command_line MATCHES "
        "'^.+>-add GlobalSign.cer -c -s -r localMachineTrustedPublisher$'] "
        "WITHIN 300 SECONDS"
    )
    parsed = create_pattern_object(pattern_text, version="2.1")
    assert str(parsed) == pattern_text
def test_parsing_binary():
    """Round-trip a binary (b'...') constant operand (STIX 2.1)."""
    pattern_text = "[artifact:payload_bin = b'dGhpcyBpcyBhIHRlc3Q=']"
    parsed = create_pattern_object(pattern_text, version="2.1")
    assert str(parsed) == pattern_text
def test_list_constant():
    """Round-trip an IN comparison against a parenthesised list constant (STIX 2.1)."""
    pattern_text = (
        "[network-traffic:src_ref.value IN ('10.0.0.0', '10.0.0.1', '10.0.0.2')]"
    )
    parsed = create_pattern_object(pattern_text, version="2.1")
    assert str(parsed) == pattern_text
def test_parse_error():
    """A malformed pattern (unterminated string literal, stray spaces) must raise ParseException."""
    malformed = "[ file: name = 'weirdname]"
    pytest.raises(ParseException, create_pattern_object, malformed, version="2.1")
def test_parsing_greater_than():
    """Round-trip a '>' comparison on a quoted extension path component with a [*] index (STIX 2.1)."""
    pattern_text = (
        "[file:extensions.'windows-pebinary-ext'.sections[*].entropy > 7.478901]"
    )
    parsed = create_pattern_object(pattern_text, version="2.1")
    assert str(parsed) == pattern_text
def test_parsing_quoted_second_path_component():
    """A quoted path component followed by an integer index parses; '=' is re-emitted with spaces."""
    source_text = "[a:b.'b'[1]=2]"
    expected_text = "[a:b.'b'[1] = 2]"
    assert str(create_pattern_object(source_text)) == expected_text
def test_parsing_multiple_slashes_quotes():
    """An escaped single quote inside a string literal survives parsing (STIX 2.1).

    Surrounding whitespace inside the brackets is dropped on serialisation,
    but the escaped quote in the operand is preserved.
    """
    source_text = "[ file:name = 'weird_name\\'' ]"
    expected_text = "[file:name = 'weird_name\\'']"
    assert str(create_pattern_object(source_text, version="2.1")) == expected_text
def test_parsing_integer_index():
    """An integer list index in the object path parses; '=' is re-emitted with spaces."""
    source_text = "[a:b[1]=2]"
    expected_text = "[a:b[1] = 2]"
    assert str(create_pattern_object(source_text)) == expected_text
def test_parsing_mixed_boolean_expression_2():
    """Round-trip a comparison expression mixing OR and AND without explicit parentheses."""
    pattern_text = "[a:b = 1 OR a:b = 2 AND a:b = 3]"
    parsed = create_pattern_object(pattern_text)
    assert str(parsed) == pattern_text
def test_parsing_boolean():
    """Round-trip a boolean constant operand (STIX 2.1)."""
    pattern_text = "[network-traffic:is_active = true]"
    parsed = create_pattern_object(pattern_text, version="2.1")
    assert str(parsed) == pattern_text
def test_comparison_expression_root_types_error(pattern):
    """Patterns with inconsistent root types must be rejected with ValueError.

    ``pattern`` is injected by pytest.
    """
    pytest.raises(ValueError, create_pattern_object, pattern)
def test_parsing_less_than_or_equal():
    """Round-trip a '<=' comparison with an integer operand (STIX 2.1)."""
    pattern_text = "[file:size <= 1024]"
    parsed = create_pattern_object(pattern_text, version="2.1")
    assert str(parsed) == pattern_text
def test_parsing_hex():
    """Round-trip a hex (h'...') constant operand (STIX 2.1)."""
    pattern_text = "[file:magic_number_hex = h'ffd8']"
    parsed = create_pattern_object(pattern_text, version="2.1")
    assert str(parsed) == pattern_text
def test_parsing_issuperset():
    """Round-trip an ISSUPERSET comparison against an IPv6 CIDR string (STIX 2.1)."""
    pattern_text = (
        "[network-traffic:dst_ref.value ISSUPERSET "
        "'2001:0db8:dead:beef:0000:0000:0000:0000/64']"
    )
    parsed = create_pattern_object(pattern_text, version="2.1")
    assert str(parsed) == pattern_text
def test_parsing_comparison_expression():
    """Round-trip an equality comparison on a quoted 'SHA-256' hash key (STIX 2.1)."""
    pattern_text = (
        "[file:hashes.'SHA-256' = "
        "'aec070645fe53ee3b3763059376134f058cc337247c978add178b6ccdfb0019f']"
    )
    parsed = create_pattern_object(pattern_text, version="2.1")
    assert str(parsed) == pattern_text
def test_parsing_illegal_start_stop_qualified_expression():
    """A START/STOP qualifier in this form must be rejected with ValueError when parsed as STIX 2.0."""
    illegal_text = (
        "[ipv4-addr:value = '1.2.3.4'] START '2016-06-01' STOP '2017-03-12T08:30:00Z'"
    )
    pytest.raises(ValueError, create_pattern_object, illegal_text, version="2.0")