def test_unmapped_attribute(self):
    """A STIX attribute with no CSA mapping must raise DataMappingException.

    The translator is expected to refuse the pattern outright rather than
    emit SQL for an attribute it cannot map.
    """
    translator = csa_translator.Translator(dialect='nf')
    pattern = "[network-traffic:some_invalid_attribute = 'whatever']"
    with self.assertRaises(cloudsql_data_mapping.DataMappingException):
        translator.transform_query(pattern, {})
def test_domain_query(self):
    """domain-name:value translates to a WHERE clause on the domainname column.

    NOTE(review): the pattern value is embedded verbatim inside single quotes in
    the expected SQL; none of the tests in this file cover a value that itself
    contains a quote, so escaping in the translator is not pinned here.
    """
    translator = csa_translator.Translator(dialect='nf')
    pattern = "[domain-name:value = 'example.com']"
    result = translator.transform_query(pattern, {})

    expected_sql = selections + from_statement + "WHERE domainname = 'example.com'"
    expected_stix = [
        {'attribute': 'domain-name:value', 'comparison_operator': '=', 'value': 'example.com'},
    ]
    self.assertEqual(result, {'sql_queries': [expected_sql], 'parsed_stix': expected_stix})
def test_mac_address_query(self):
    """mac-addr:value is matched against both link endpoints (Link.A OR Link.B)."""
    translator = csa_translator.Translator(dialect='nf')
    pattern = "[mac-addr:value = '00-00-5E-00-53-00']"
    result = translator.transform_query(pattern, {})

    where_clause = "WHERE (Link.A = '00-00-5E-00-53-00' OR Link.B = '00-00-5E-00-53-00')"
    expected = {
        'sql_queries': [selections + from_statement + where_clause],
        'parsed_stix': [
            {'attribute': 'mac-addr:value', 'comparison_operator': '=', 'value': '00-00-5E-00-53-00'},
        ],
    }
    assert result == expected
def test_url_query(self):
    """url:value translates to an equality test on the url column."""
    translator = csa_translator.Translator(dialect='nf')
    pattern = "[url:value = 'http://www.testaddress.com']"
    result = translator.transform_query(pattern, {})

    where_clause = "WHERE url = 'http://www.testaddress.com'"
    expected_stix = [
        {'attribute': 'url:value', 'comparison_operator': '=', 'value': 'http://www.testaddress.com'},
    ]
    self.assertEqual(
        result,
        {'sql_queries': [selections + from_statement + where_clause], 'parsed_stix': expected_stix},
    )
def test_ipv6_query(self):
    """ipv6-addr:value is matched against both network endpoints (Network.A OR Network.B).

    NOTE: the literal used here is dotted-quad (IPv4-looking); the test only
    exercises the ipv6-addr column mapping, not address-format validation.
    """
    translator = csa_translator.Translator(dialect='nf')
    pattern = "[ipv6-addr:value = '192.168.122.83']"
    result = translator.transform_query(pattern, {})

    where_clause = "WHERE (Network.A = '192.168.122.83' OR Network.B = '192.168.122.83')"
    expected = {
        'sql_queries': [selections + from_statement + where_clause],
        'parsed_stix': [
            {'attribute': 'ipv6-addr:value', 'comparison_operator': '=', 'value': '192.168.122.83'},
        ],
    }
    assert result == expected
def test_artifact_queries(self):
    """A STIX `matches` on artifact:payload_bin becomes `payload MATCHES '.*text.*'`.

    The parsed comparison operator is reported in upper case ('MATCHES') while
    the original value is kept unwrapped; the wildcard wrapping only appears in
    the generated SQL.
    """
    translator = csa_translator.Translator(dialect='nf')
    pattern = "[artifact:payload_bin matches 'some text']"
    result = translator.transform_query(pattern, {})

    expected_sql = selections + from_statement + "WHERE payload MATCHES '.*some text.*'"
    expected_stix = [
        {'attribute': 'artifact:payload_bin', 'comparison_operator': 'MATCHES', 'value': 'some text'},
    ]
    self.assertEqual(result, {'sql_queries': [expected_sql], 'parsed_stix': expected_stix})
def test_network_traffic_start_stop(self):
    """network-traffic start/end timestamps map to Start/Last in epoch seconds.

    The ISO-8601 value in the pattern is expected to come out as the string
    '1528965384' in the SQL, and parsed_stix lists `end` before `start`.
    """
    translator = csa_translator.Translator(dialect='nf')
    timestamp = '2018-06-14T08:36:24.000Z'
    pattern = (
        "[network-traffic:'start' = '" + timestamp + "' or "
        "network-traffic:end = '" + timestamp + "']"
    )
    result = translator.transform_query(pattern, {})

    where_clause = "WHERE Last = '1528965384' OR Start = '1528965384'"
    expected_stix = [
        {'attribute': 'network-traffic:end', 'comparison_operator': '=', 'value': timestamp},
        {'attribute': 'network-traffic:start', 'comparison_operator': '=', 'value': timestamp},
    ]
    assert result == {
        'sql_queries': [selections + from_statement + where_clause],
        'parsed_stix': expected_stix,
    }
def test_user_account_query(self):
    """In the 'at' dialect, user-account:user_id maps to initiator.id.

    This is the only test here that uses the 'at' dialect, so it relies on the
    at_selections / at_from_statement prefixes instead of the nf ones.
    """
    translator = csa_translator.Translator(dialect='at')
    pattern = "[user-account:user_id = 'root']"
    result = translator.transform_query(pattern, {})

    where_clause = "WHERE initiator.id = 'root'"
    expected = {
        'sql_queries': [at_selections + at_from_statement + where_clause],
        'parsed_stix': [
            {'attribute': 'user-account:user_id', 'comparison_operator': '=', 'value': 'root'},
        ],
    }
    self.assertEqual(result, expected)
def test_port_queries(self):
    """src_port/dst_port map to Transport.A/Transport.B; the SQL quotes the numbers.

    The STIX pattern uses bare integers, which stay integers in parsed_stix but
    are rendered as quoted strings in the WHERE clause. parsed_stix lists the
    dst_port comparison first.
    """
    translator = csa_translator.Translator(dialect='nf')
    pattern = "[network-traffic:src_port = 12345 or network-traffic:dst_port = 23456]"
    result = translator.transform_query(pattern, {})

    where_clause = "WHERE Transport.B = '23456' OR Transport.A = '12345'"
    expected_stix = [
        {'attribute': 'network-traffic:dst_port', 'comparison_operator': '=', 'value': 23456},
        {'attribute': 'network-traffic:src_port', 'comparison_operator': '=', 'value': 12345},
    ]
    assert result == {
        'sql_queries': [selections + from_statement + where_clause],
        'parsed_stix': expected_stix,
    }
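def test_ipv4_in_query(self):
    """ipv4-addr:value with a STIX `in` set becomes IN clauses on both Network.A and Network.B.

    Only the generated SQL is asserted; the expected parsed_stix for IN
    comparisons was left commented out in the original test and is still not
    pinned here.

    NOTE(review): the pinned SQL embeds the addresses unquoted and joins the
    IN members with OR (`IN (192.168.122.83 OR 192.168.122.84)`). This pins
    the translator's current output rather than a known-valid SQL form —
    confirm against the target dialect before relying on it.
    """
    translator = csa_translator.Translator(dialect='nf')
    pattern = "[ipv4-addr:value in ('192.168.122.83', '192.168.122.84')]"
    result = translator.transform_query(pattern, {})

    where_clause = (
        "WHERE (Network.A IN (192.168.122.83 OR 192.168.122.84) "
        "OR Network.B IN (192.168.122.83 OR 192.168.122.84))"
    )
    # The stray debug print of the whole result was dropped; the assertion
    # message below already shows the translated query on failure.
    self.assertEqual(result['sql_queries'], [selections + from_statement + where_clause])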
def test_file_query(self):
    """file:name translates to an equality test on the filename column.

    TODO (carried over from the original): add coverage for file hashes; how
    the target queries them was still unresolved when this test was written.
    """
    translator = csa_translator.Translator(dialect='nf')
    pattern = "[file:name = 'some_file.exe']"
    result = translator.transform_query(pattern, {})

    where_clause = "WHERE filename = 'some_file.exe'"
    expected = {
        'sql_queries': [selections + from_statement + where_clause],
        'parsed_stix': [
            {'attribute': 'file:name', 'comparison_operator': '=', 'value': 'some_file.exe'},
        ],
    }
    assert result == expected
def test_query_from_multiple_comparison_expressions_joined_by_and(self):
    """A STIX `and` between two comparisons becomes a SQL AND.

    The mac-addr comparison (expanded to a Link.A OR Link.B group) is emitted
    before the domain-name comparison, and parsed_stix follows the same order.
    """
    translator = csa_translator.Translator(dialect='nf')
    pattern = "[domain-name:value = 'example.com' and mac-addr:value = '00-00-5E-00-53-00']"
    result = translator.transform_query(pattern, {})

    where_clause = (
        "WHERE (Link.A = '00-00-5E-00-53-00' OR Link.B = '00-00-5E-00-53-00') "
        "AND domainname = 'example.com'"
    )
    expected_stix = [
        {'attribute': 'mac-addr:value', 'comparison_operator': '=', 'value': '00-00-5E-00-53-00'},
        {'attribute': 'domain-name:value', 'comparison_operator': '=', 'value': 'example.com'},
    ]
    self.assertEqual(
        result,
        {'sql_queries': [selections + from_statement + where_clause], 'parsed_stix': expected_stix},
    )
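def test_network_traffic_protocols(self):
    """Every protocol in the `protocols` mapping translates to Transport.Protocol.

    Each protocol name is checked twice — as written in the mapping and in
    upper case — so case handling is covered on every run. The earlier version
    of this test picked one of the two at random per protocol, which left half
    of the case variants untested on any given run.
    """
    translator = csa_translator.Translator(dialect='nf')
    for protocol, mapped_value in protocols.items():
        for variant in (protocol, protocol.upper()):
            with self.subTest(protocol=variant):
                pattern = "[network-traffic:protocols[*] = '" + variant + "']"
                result = translator.transform_query(pattern, {})
                where_clause = "WHERE Transport.Protocol = '" + mapped_value + "'"
                # parsed_stix echoes the value exactly as written in the pattern,
                # so the upper-cased variant must be reported upper-cased.
                expected_stix = [
                    {'attribute': 'network-traffic:protocols[*]', 'comparison_operator': '=', 'value': variant},
                ]
                assert result == {
                    'sql_queries': [selections + from_statement + where_clause],
                    'parsed_stix': expected_stix,
                }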
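import json
import unittest
from os import path

from stix_shifter.stix_translation.src import transformers
from stix_shifter.stix_translation.src.json_to_stix import json_to_stix_translator
from stix_shifter.stix_translation.src.modules.csa import csa_translator

# Module-level fixtures shared by the tests below.
interface = csa_translator.Translator()
# Read the CSA mapping file once at import time; the handle is closed as soon
# as the text is read instead of being left open for the process lifetime.
with open(interface.mapping_filepath) as mapping_handle:
    map_file = mapping_handle.read()
map_data = json.loads(map_file)
data_source = {
    "type": "identity",
    "id": "identity--3532c56d-ea72-48be-a2ad-1a53f4c9c6d3",
    "name": "QRadar",
    "identity_class": "events"
}
options = {}


class TestTransform(object):
    """Tests for the CSA translator; the helpers below pick objects out of an iterable."""

    @staticmethod
    def get_first(itr, constraint):
        """Return the first element of *itr* for which *constraint* is true, or None."""
        return next((obj for obj in itr if constraint(obj)), None)

    @staticmethod
    def get_first_of_type(itr, typ):
        """Return the first dict in *itr* whose 'type' entry equals *typ*, or None."""
        return TestTransform.get_first(
            itr, lambda o: isinstance(o, dict) and o.get('type') == typ
        )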