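def test_and_not_in_set_cim_splunk(self):
    """Translate a NOT IN set combined with AND to a Splunk/CIM query.

    The result is printed for inspection; the exact query text is not
    pinned here, but without any assertion the test passed no matter
    what translate() returned.
    """
    pattern = "[process:pid NOT IN (1, 2, 3) AND process:name = 'wsmprovhost.exe']"
    res = translate(pattern, SearchPlatforms.SPLUNK, DataModels.CIM)
    print("CONVERTED: {} TO ".format(pattern), res)
    # Minimal guard: a silent None from the translator must not pass.
    self.assertIsNotNone(res)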
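def test_ored_obs_expressi_cim_splunk(self):
    """Translate two observation expressions joined by OR to Splunk/CIM.

    The result is printed for inspection; the exact query text is not
    pinned here, but without any assertion the test passed no matter
    what translate() returned.
    """
    pattern = "[ipv4-addr:value = '198.51.100.5' ] OR [ipv4-addr:value = '198.51.100.10']"
    res = translate(pattern, SearchPlatforms.SPLUNK, DataModels.CIM)
    print("CONVERTED: {} TO ".format(pattern), res)
    # Minimal guard: a silent None from the translator must not pass.
    self.assertIsNotNone(res)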
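def test_regex_car_elastic(self):
    """Translate an anchored MATCHES regex with escaped backslashes to Elastic/CAR.

    The result is printed for inspection; the exact query text is not
    pinned here, but without any assertion the test passed no matter
    what translate() returned.
    """
    # Doubled backslashes are deliberate: the STIX regex must reach the
    # translator with escaped path separators intact.
    pattern = "[file:parent_directory_ref.path MATCHES '^C:\\\\Windows\\\\w+$']"
    res = translate(pattern, SearchPlatforms.ELASTIC, DataModels.CAR)
    print("CONVERTED: {} TO ".format(pattern), res)
    # Minimal guard: a silent None from the translator must not pass.
    self.assertIsNotNone(res)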
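def test_md5_hash_car_elastic(self):
    """Translate a file MD5 hash equality to an Elastic/CAR query.

    The result is printed for inspection; the exact query text is not
    pinned here, but without any assertion the test passed no matter
    what translate() returned.
    """
    pattern = "[file:hashes.MD5 ='79054025255fb1a26e4bc422aef54eb4']"
    res = translate(pattern, SearchPlatforms.ELASTIC, DataModels.CAR)
    print("CONVERTED: {} TO ".format(pattern), res)
    # Minimal guard: a silent None from the translator must not pass.
    self.assertIsNotNone(res)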
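def test_md5_hash_cim_splunk(self):
    """Translate a file MD5 hash equality to a Splunk/CIM query.

    The result is printed for inspection; the exact query text is not
    pinned here, but without any assertion the test passed no matter
    what translate() returned.
    """
    pattern = "[file:hashes.MD5 ='79054025255fb1a26e4bc422aef54eb4']"
    res = translate(pattern, SearchPlatforms.SPLUNK, DataModels.CIM)
    print("CONVERTED: {} TO ".format(pattern), res)
    # Minimal guard: a silent None from the translator must not pass.
    self.assertIsNotNone(res)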
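def test_regex_no_anchor_cim_splunk(self):
    """Translate an unanchored MATCHES regex ANDed with a name match to Splunk/CIM.

    The result is printed for inspection; the exact query text is not
    pinned here, but without any assertion the test passed no matter
    what translate() returned.
    """
    pattern = "[process:name = 'wsmprovhost.exe' AND process:binary_ref.parent_directory_ref.path MATCHES '\\\\SystemVolumeInformation']"
    res = translate(pattern, SearchPlatforms.SPLUNK, DataModels.CIM)
    print("CONVERTED: {} TO ".format(pattern), res)
    # Minimal guard: a silent None from the translator must not pass.
    self.assertIsNotNone(res)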
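def test_gt_and_is_equal_cim_splunk(self):
    """Translate a numeric > comparison ANDed with an equality to Splunk/CIM.

    The result is printed for inspection; the exact query text is not
    pinned here, but without any assertion the test passed no matter
    what translate() returned.
    """
    pattern = "[process:pid > 4 AND process:binary_ref.name = 'cmd.exe']"
    res = translate(pattern, SearchPlatforms.SPLUNK, DataModels.CIM)
    print("CONVERTED: {} TO ".format(pattern), res)
    # Minimal guard: a silent None from the translator must not pass.
    self.assertIsNotNone(res)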
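def test_followedby_obs_expressi_cim_elastic(self):
    """Translate two observation expressions joined by FOLLOWEDBY to Elastic/CIM.

    The result is printed for inspection; the exact query text is not
    pinned here, but without any assertion the test passed no matter
    what translate() returned. NOTE(review): other revisions of this
    suite treat FOLLOWEDBY on Elastic as unsupported (error result or
    SearchFeatureNotSupportedError) — confirm which contract applies here.
    """
    pattern = "[ipv4-addr:value = '198.51.100.5' ] FOLLOWEDBY [ipv4-addr:value = '198.51.100.10']"
    res = translate(pattern, SearchPlatforms.ELASTIC, DataModels.CIM)
    print("CONVERTED: {} TO ".format(pattern), res)
    # Minimal guard: a silent None from the translator must not pass.
    self.assertIsNotNone(res)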
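def test_followedby_obs_expressi_car_splunk(self):
    """Translate two observation expressions joined by FOLLOWEDBY to Splunk/CAR.

    The result is printed for inspection; the exact query text is not
    pinned here, but without any assertion the test passed no matter
    what translate() returned.
    """
    pattern = "[ipv4-addr:value = '198.51.100.5' ] FOLLOWEDBY [ipv4-addr:value = '198.51.100.10']"
    res = translate(pattern, SearchPlatforms.SPLUNK, DataModels.CAR)
    print("CONVERTED: {} TO ".format(pattern), res)
    # Minimal guard: a silent None from the translator must not pass.
    self.assertIsNotNone(res)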
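def test_car_2014_11_004_car_elastic(self):
    """Translate a process name + parent name conjunction to Elastic/CAR.

    The result is printed for inspection; the exact query text is not
    pinned here, but without any assertion the test passed no matter
    what translate() returned.
    """
    pattern = "[process:name = 'wsmprovhost.exe' AND process:parent_ref.name = 'svchost.exe']"
    res = translate(pattern, SearchPlatforms.ELASTIC, DataModels.CAR)
    print("CONVERTED: {} TO ".format(pattern), res)
    # Minimal guard: a silent None from the translator must not pass.
    self.assertIsNotNone(res)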
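def test_car_2014_11_004_cim_splunk(self):
    """Translate a process name + parent name conjunction to Splunk/CIM.

    The result is printed for inspection; the exact query text is not
    pinned here, but without any assertion the test passed no matter
    what translate() returned.
    """
    pattern = "[process:name = 'wsmprovhost.exe' AND process:parent_ref.name = 'svchost.exe']"
    res = translate(pattern, SearchPlatforms.SPLUNK, DataModels.CIM)
    print("CONVERTED: {} TO ".format(pattern), res)
    # Minimal guard: a silent None from the translator must not pass.
    self.assertIsNotNone(res)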
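def test_car_2013_05_002_car_splunk(self):
    """Translate two ORed MATCHES regexes on the same path field to Splunk/CAR.

    The result is printed for inspection; the exact query text is not
    pinned here, but without any assertion the test passed no matter
    what translate() returned.
    """
    pattern = "[process:binary_ref.parent_directory_ref.path MATCHES ':\\\\RECYCLER' OR process:binary_ref.parent_directory_ref.path MATCHES ':\\\\SystemVolumeInformation']"
    res = translate(pattern, SearchPlatforms.SPLUNK, DataModels.CAR)
    print("CONVERTED: {} TO ".format(pattern), res)
    # Minimal guard: a silent None from the translator must not pass.
    self.assertIsNotNone(res)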
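def test_car_2013_03_001_cim_splunk(self):
    """Translate a three-term conjunction including a != on the grandparent to Splunk/CIM.

    The result is printed for inspection; the exact query text is not
    pinned here, but without any assertion the test passed no matter
    what translate() returned.
    """
    pattern = "[process:name = 'reg.exe' AND process:parent_ref.name = 'cmd.exe' AND process:parent_ref.parent_ref.name != 'explorer.exe']"
    res = translate(pattern, SearchPlatforms.SPLUNK, DataModels.CIM)
    print("CONVERTED: {} TO ".format(pattern), res)
    # Minimal guard: a silent None from the translator must not pass.
    self.assertIsNotNone(res)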
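def test_car_2013_03_001_car_elastic(self):
    """Translate a three-term conjunction including a != on the grandparent to Elastic/CAR.

    The result is printed for inspection; the exact query text is not
    pinned here, but without any assertion the test passed no matter
    what translate() returned.
    """
    pattern = "[process:name = 'reg.exe' AND process:parent_ref.name = 'cmd.exe' AND process:parent_ref.parent_ref.name != 'explorer.exe']"
    res = translate(pattern, SearchPlatforms.ELASTIC, DataModels.CAR)
    print("CONVERTED: {} TO ".format(pattern), res)
    # Minimal guard: a silent None from the translator must not pass.
    self.assertIsNotNone(res)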
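def test_anded_two_regex_car_elastic(self):
    """Translate two ANDed MATCHES regexes on the same path field to Elastic/CAR.

    The result is printed for inspection; the exact query text is not
    pinned here, but without any assertion the test passed no matter
    what translate() returned.
    """
    pattern = "[process:binary_ref.parent_directory_ref.path MATCHES ':\\\\RECYCLER' AND process:binary_ref.parent_directory_ref.path MATCHES ':\\\\SystemVolumeInformation']"
    res = translate(pattern, SearchPlatforms.ELASTIC, DataModels.CAR)
    print("CONVERTED: {} TO ".format(pattern), res)
    # Minimal guard: a silent None from the translator must not pass.
    self.assertIsNotNone(res)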
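def test_gt_and_is_equal_car_elastic(self):
    """Translate a numeric > comparison ANDed with an equality to Elastic/CAR.

    The result is printed for inspection; the exact query text is not
    pinned here, but without any assertion the test passed no matter
    what translate() returned.
    """
    pattern = "[process:pid > 4 AND process:binary_ref.name = 'cmd.exe']"
    res = translate(pattern, SearchPlatforms.ELASTIC, DataModels.CAR)
    print("CONVERTED: {} TO ".format(pattern), res)
    # Minimal guard: a silent None from the translator must not pass.
    self.assertIsNotNone(res)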
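def test_regex_front_anchor_cim_elastic(self):
    """Translate a front-anchored (^) MATCHES regex ANDed with a name match to Elastic/CIM.

    The result is printed for inspection; the exact query text is not
    pinned here, but without any assertion the test passed no matter
    what translate() returned.
    """
    pattern = "[process:name = 'wsmprovhost.exe' AND process:binary_ref.parent_directory_ref.path MATCHES '^\\\\SystemVolumeInformation']"
    res = translate(pattern, SearchPlatforms.ELASTIC, DataModels.CIM)
    print("CONVERTED: {} TO ".format(pattern), res)
    # Minimal guard: a silent None from the translator must not pass.
    self.assertIsNotNone(res)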
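def test_regex_cim_splunk(self):
    """Translate an anchored MATCHES regex with escaped backslashes to Splunk/CIM.

    The result is printed for inspection; the exact query text is not
    pinned here, but without any assertion the test passed no matter
    what translate() returned.
    """
    # Doubled backslashes are deliberate: the STIX regex must reach the
    # translator with escaped path separators intact.
    pattern = "[file:parent_directory_ref.path MATCHES '^C:\\\\Windows\\\\w+$']"
    res = translate(pattern, SearchPlatforms.SPLUNK, DataModels.CIM)
    print("CONVERTED: {} TO ".format(pattern), res)
    # Minimal guard: a silent None from the translator must not pass.
    self.assertIsNotNone(res)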
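def test_and_not_in_set_car_elastic(self):
    """Translate a NOT IN set combined with AND to an Elastic/CAR query.

    The result is printed for inspection; the exact query text is not
    pinned here, but without any assertion the test passed no matter
    what translate() returned.
    """
    pattern = "[process:pid NOT IN (1, 2, 3) AND process:name = 'wsmprovhost.exe']"
    res = translate(pattern, SearchPlatforms.ELASTIC, DataModels.CAR)
    print("CONVERTED: {} TO ".format(pattern), res)
    # Minimal guard: a silent None from the translator must not pass.
    self.assertIsNotNone(res)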
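def test(self):
    """Round-trip one STIX pattern through a live search platform.

    Pushes the ``matches`` and ``nonmatches`` events for ``model`` to the
    connector selected by ``platform``, runs the translated query, and
    checks that exactly the GUIDs of the ``matches`` events come back.
    ``data``, ``model`` and ``platform`` are bound from the enclosing
    scope (presumably a per-case test factory — confirm against the
    code that builds this method).
    """
    # Collect all of the events; a model with no entries contributes nothing.
    nonmatches = data['nonmatches'].get(model.value, [])
    matches = data['matches'].get(model.value, [])
    events = nonmatches + matches

    if platform == SearchPlatforms.SPLUNK:
        connector = self.splunk
    elif platform == SearchPlatforms.ELASTIC:
        connector = self.elastic
    else:
        # Previously fell through with connector=None and failed later with
        # an AttributeError on .push(); report the real cause instead.
        self.fail("no connector configured for platform {!r}".format(platform))

    # Tag every event with a GUID; this is how results are lined up with
    # the input after the search.
    for event in events:
        event['guid'] = str(uuid4())

    # Send them to the search platform. The data model is passed along
    # because some platforms format data per data model.
    connector.push(model, events)

    # Run the test: the GUIDs in "matches" should be in the results, the
    # GUIDs in "nonmatches" should not (set equality covers both).
    query = translate(data['stix-input'], platform, model)
    results = connector.query(query, model)

    # Compare against the already-defaulted `matches` rather than
    # re-indexing data['matches'][model.value], which raised KeyError for
    # a model with no matches even though the push above tolerated it.
    self.assertEqual({e['guid'] for e in matches}, set(results))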
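def test_anded_two_regex_cim_splunk(self):
    """Translate two ANDed MATCHES regexes on the same path field to Splunk/CIM.

    The result is printed for inspection; the exact query text is not
    pinned here, but without any assertion the test passed no matter
    what translate() returned.
    """
    pattern = "[process:binary_ref.parent_directory_ref.path MATCHES ':\\\\RECYCLER' AND process:binary_ref.parent_directory_ref.path MATCHES ':\\\\SystemVolumeInformation']"
    res = translate(pattern, SearchPlatforms.SPLUNK, DataModels.CIM)
    print("CONVERTED: {} TO ".format(pattern), res)
    # Minimal guard: a silent None from the translator must not pass.
    self.assertIsNotNone(res)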
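def test_anded_obs_expressi_car_elastic(self):
    """Translate two observation expressions joined by AND to Elastic/CAR.

    The result is printed for inspection; the exact query text is not
    pinned here, but without any assertion the test passed no matter
    what translate() returned.
    """
    pattern = "[ipv4-addr:value = '198.51.100.5'] AND [ipv4-addr:value = '198.51.100.10']"
    res = translate(pattern, SearchPlatforms.ELASTIC, DataModels.CAR)
    print("CONVERTED: {} TO ".format(pattern), res)
    # Minimal guard: a silent None from the translator must not pass.
    self.assertIsNotNone(res)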
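def cim_splunk():
    """HTTP handler: translate the STIX pattern in the request body to Splunk/CIM.

    Reads the raw request body as UTF-8 (``request`` is presumably the
    Flask request proxy — confirm against the app setup) and returns the
    ``queries`` produced by translate(). The body is untrusted input; the
    translated query is only returned to the caller, not executed here.

    Returns:
        The translated queries on success, or a short error message with
        HTTP status 400 when the body is missing or is not valid UTF-8.
        The original returned the error text with a 200, which a client
        could not tell apart from a successful translation.
    """
    output_language = SearchPlatforms.SPLUNK
    output_data_model = DataModels.CIM
    if not request.data:
        print("No Request Data")  # when issues with input data
        return "No Request Data", 400
    try:
        pattern = request.data.decode("utf-8")  # decode the input string
    except UnicodeDecodeError:
        # Previously surfaced as an unhandled exception (a 500); it is a
        # client error.
        return "Request body is not valid UTF-8", 400
    output = translate(pattern, output_language, output_data_model)
    return output['queries']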
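def car_elastic():
    """HTTP handler: translate the STIX pattern in the request body to Elastic/CAR.

    Reads the raw request body as UTF-8 (``request`` is presumably the
    Flask request proxy — confirm against the app setup) and returns the
    ``queries`` produced by translate(). The body is untrusted input; the
    translated query is only returned to the caller, not executed here.

    Returns:
        The translated queries on success, or a short error message with
        HTTP status 400 when the body is missing or is not valid UTF-8.
        The original returned the error text with a 200, which a client
        could not tell apart from a successful translation.
    """
    output_language = SearchPlatforms.ELASTIC
    output_data_model = DataModels.CAR
    if not request.data:
        print("No Request Data")  # when issues with input data
        return "No Request Data", 400
    try:
        pattern = request.data.decode("utf-8")  # decode the input string
    except UnicodeDecodeError:
        # Previously surfaced as an unhandled exception (a 500); it is a
        # client error.
        return "Request body is not valid UTF-8", 400
    output = translate(pattern, output_language, output_data_model)
    return output['queries']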
def test_elastic_followedby(self):
    """FOLLOWEDBY on Elastic/CAR must come back as an unsupported-feature error.

    translate() is expected to report failure in its result rather than
    raise: ``success`` false, ``code`` set to TRANSLATION_NOTSUPPORTED and
    a non-empty ``error``.
    """
    pattern = (
        "[ipv4-addr:value = '198.51.100.5'] FOLLOWEDBY "
        "[ipv4-addr:value = '198.51.100.10']"
    )
    outcome = translate(pattern, SearchPlatforms.ELASTIC, DataModels.CAR)
    assert outcome['success'] == False  # noqa: E712 - original compares by equality
    assert outcome['code'] == ErrorCode.TRANSLATION_NOTSUPPORTED.value
    assert outcome['error'] is not None
def test(self):
    """translate() must raise for this (pattern, platform, model) combination.

    ``pattern``, ``search_platform`` and ``data_model`` come from the
    enclosing scope, presumably a per-case test factory.
    """
    with self.assertRaises(Exception):
        translate(pattern, search_platform, data_model)
def test(self):
    """The first translated query must equal expected_result modulo spacing.

    ``pattern``, ``search_platform``, ``data_model`` and ``expected_result``
    come from the enclosing scope, presumably a per-case test factory.
    """
    translated = translate(pattern, search_platform, data_model)
    actual = normalize_spacing(translated['queries'][0])
    expected = normalize_spacing(expected_result)
    self.assertEqual(actual, expected)
def test_elastic_followedby(self):
    """FOLLOWEDBY on Elastic/CAR must raise SearchFeatureNotSupportedError."""
    pattern = (
        "[ipv4-addr:value = '198.51.100.5'] FOLLOWEDBY "
        "[ipv4-addr:value = '198.51.100.10']"
    )
    with self.assertRaises(SearchFeatureNotSupportedError):
        translate(pattern, SearchPlatforms.ELASTIC, DataModels.CAR)
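def test_timestamp_cim_splunk(self):
    """Translate a timestamp literal (t'...') equality to a Splunk/CIM query.

    The result is printed for inspection; the exact query text is not
    pinned here, but without any assertion the test passed no matter
    what translate() returned.
    """
    pattern = "[file:created = t'2014-01-13T07:03:17Z']"
    res = translate(pattern, SearchPlatforms.SPLUNK, DataModels.CIM)
    print("CONVERTED: {} TO ".format(pattern), res)
    # Minimal guard: a silent None from the translator must not pass.
    self.assertIsNotNone(res)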
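def test_timestamp_cim_elastic(self):
    """Translate a timestamp literal (t'...') equality to an Elastic/CIM query.

    The result is printed for inspection; the exact query text is not
    pinned here, but without any assertion the test passed no matter
    what translate() returned.
    """
    pattern = "[file:created = t'2014-01-13T07:03:17Z']"
    res = translate(pattern, SearchPlatforms.ELASTIC, DataModels.CIM)
    print("CONVERTED: {} TO ".format(pattern), res)
    # Minimal guard: a silent None from the translator must not pass.
    self.assertIsNotNone(res)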