2020-07-01 16:19:08 +02:00
|
|
|
"""STIX2 classes and methods to generate AST from patterns"""
|
|
|
|
|
2018-12-07 18:43:23 +01:00
|
|
|
import importlib
|
|
|
|
import inspect
|
|
|
|
|
2020-02-19 22:45:15 +01:00
|
|
|
from stix2patterns.exceptions import ParseException
|
2020-03-27 16:22:00 +01:00
|
|
|
from stix2patterns.grammars.STIXPatternParser import TerminalNode
|
2020-03-27 17:33:24 +01:00
|
|
|
from stix2patterns.v20.grammars.STIXPatternParser import \
|
|
|
|
STIXPatternParser as STIXPatternParser20
|
|
|
|
from stix2patterns.v20.grammars.STIXPatternVisitor import \
|
|
|
|
STIXPatternVisitor as STIXPatternVisitor20
|
2020-03-27 16:22:00 +01:00
|
|
|
from stix2patterns.v20.pattern import Pattern as Pattern20
|
2020-03-27 17:33:24 +01:00
|
|
|
from stix2patterns.v21.grammars.STIXPatternParser import \
|
|
|
|
STIXPatternParser as STIXPatternParser21
|
|
|
|
from stix2patterns.v21.grammars.STIXPatternVisitor import \
|
|
|
|
STIXPatternVisitor as STIXPatternVisitor21
|
2020-03-27 16:22:00 +01:00
|
|
|
from stix2patterns.v21.pattern import Pattern as Pattern21
|
2018-12-07 18:43:23 +01:00
|
|
|
|
2020-04-03 16:45:36 +02:00
|
|
|
import stix2
|
|
|
|
|
2018-12-10 20:44:44 +01:00
|
|
|
from .patterns import *
|
|
|
|
from .patterns import _BooleanExpression
|
|
|
|
|
|
|
|
# flake8: noqa F405
|
2018-12-07 19:30:05 +01:00
|
|
|
|
2018-12-07 18:43:23 +01:00
|
|
|
|
|
|
|
def collapse_lists(lists):
|
|
|
|
result = []
|
|
|
|
for c in lists:
|
|
|
|
if isinstance(c, list):
|
|
|
|
result.extend(c)
|
|
|
|
else:
|
|
|
|
result.append(c)
|
|
|
|
return result
|
|
|
|
|
|
|
|
|
2018-12-10 18:14:31 +01:00
|
|
|
def remove_terminal_nodes(parse_tree_nodes):
|
2018-12-07 18:43:23 +01:00
|
|
|
values = []
|
2018-12-10 18:14:31 +01:00
|
|
|
for x in parse_tree_nodes:
|
2018-12-07 18:43:23 +01:00
|
|
|
if not isinstance(x, TerminalNode):
|
|
|
|
values.append(x)
|
|
|
|
return values
|
|
|
|
|
|
|
|
|
2020-06-02 04:34:40 +02:00
|
|
|
_TIMESTAMP_RE = re.compile(r'\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d{1,6})?Z')
|
|
|
|
|
|
|
|
|
|
|
|
def check_for_valid_timetamp_syntax(timestamp_string):
|
|
|
|
return _TIMESTAMP_RE.match(timestamp_string)
|
2018-12-07 18:43:23 +01:00
|
|
|
|
|
|
|
|
|
|
|
|
2020-03-27 16:22:00 +01:00
|
|
|
class STIXPatternVisitorForSTIX2():
|
|
|
|
classes = {}
|
2018-12-07 18:43:23 +01:00
|
|
|
|
|
|
|
def get_class(self, class_name):
|
|
|
|
if class_name in STIXPatternVisitorForSTIX2.classes:
|
|
|
|
return STIXPatternVisitorForSTIX2.classes[class_name]
|
|
|
|
else:
|
|
|
|
return None
|
|
|
|
|
|
|
|
def instantiate(self, klass_name, *args):
|
|
|
|
klass_to_instantiate = None
|
|
|
|
if self.module_suffix:
|
|
|
|
klass_to_instantiate = self.get_class(klass_name + "For" + self.module_suffix)
|
|
|
|
if not klass_to_instantiate:
|
|
|
|
# use the classes in python_stix2
|
|
|
|
klass_to_instantiate = globals()[klass_name]
|
|
|
|
return klass_to_instantiate(*args)
|
|
|
|
|
|
|
|
# Visit a parse tree produced by STIXPatternParser#pattern.
|
|
|
|
def visitPattern(self, ctx):
|
|
|
|
children = self.visitChildren(ctx)
|
|
|
|
return children[0]
|
|
|
|
|
|
|
|
# Visit a parse tree produced by STIXPatternParser#observationExpressions.
|
|
|
|
def visitObservationExpressions(self, ctx):
|
|
|
|
children = self.visitChildren(ctx)
|
|
|
|
if len(children) == 1:
|
|
|
|
return children[0]
|
|
|
|
else:
|
|
|
|
return FollowedByObservationExpression([children[0], children[2]])
|
|
|
|
|
|
|
|
# Visit a parse tree produced by STIXPatternParser#observationExpressionOr.
|
|
|
|
def visitObservationExpressionOr(self, ctx):
|
|
|
|
children = self.visitChildren(ctx)
|
|
|
|
if len(children) == 1:
|
|
|
|
return children[0]
|
|
|
|
else:
|
|
|
|
return self.instantiate("OrObservationExpression", [children[0], children[2]])
|
|
|
|
|
|
|
|
# Visit a parse tree produced by STIXPatternParser#observationExpressionAnd.
|
|
|
|
def visitObservationExpressionAnd(self, ctx):
|
|
|
|
children = self.visitChildren(ctx)
|
|
|
|
if len(children) == 1:
|
|
|
|
return children[0]
|
|
|
|
else:
|
|
|
|
return self.instantiate("AndObservationExpression", [children[0], children[2]])
|
|
|
|
|
|
|
|
# Visit a parse tree produced by STIXPatternParser#observationExpressionRepeated.
|
|
|
|
def visitObservationExpressionRepeated(self, ctx):
|
|
|
|
children = self.visitChildren(ctx)
|
|
|
|
return self.instantiate("QualifiedObservationExpression", children[0], children[1])
|
|
|
|
|
|
|
|
# Visit a parse tree produced by STIXPatternParser#observationExpressionSimple.
|
|
|
|
def visitObservationExpressionSimple(self, ctx):
|
|
|
|
children = self.visitChildren(ctx)
|
|
|
|
return self.instantiate("ObservationExpression", children[1])
|
|
|
|
|
|
|
|
# Visit a parse tree produced by STIXPatternParser#observationExpressionCompound.
|
|
|
|
def visitObservationExpressionCompound(self, ctx):
|
|
|
|
children = self.visitChildren(ctx)
|
2020-03-27 18:59:03 +01:00
|
|
|
if isinstance(children[0], TerminalNode) and children[0].symbol.type == self.parser_class.LPAREN:
|
|
|
|
return self.instantiate("ParentheticalExpression", children[1])
|
|
|
|
else:
|
|
|
|
return self.instantiate("ObservationExpression", children[0])
|
2018-12-07 18:43:23 +01:00
|
|
|
|
|
|
|
# Visit a parse tree produced by STIXPatternParser#observationExpressionWithin.
|
|
|
|
def visitObservationExpressionWithin(self, ctx):
|
|
|
|
children = self.visitChildren(ctx)
|
|
|
|
return self.instantiate("QualifiedObservationExpression", children[0], children[1])
|
|
|
|
|
|
|
|
# Visit a parse tree produced by STIXPatternParser#observationExpressionStartStop.
|
|
|
|
def visitObservationExpressionStartStop(self, ctx):
|
|
|
|
children = self.visitChildren(ctx)
|
|
|
|
return self.instantiate("QualifiedObservationExpression", children[0], children[1])
|
|
|
|
|
|
|
|
# Visit a parse tree produced by STIXPatternParser#comparisonExpression.
|
|
|
|
def visitComparisonExpression(self, ctx):
|
|
|
|
children = self.visitChildren(ctx)
|
|
|
|
if len(children) == 1:
|
|
|
|
return children[0]
|
|
|
|
else:
|
|
|
|
if isinstance(children[0], _BooleanExpression):
|
|
|
|
children[0].operands.append(children[2])
|
|
|
|
return children[0]
|
|
|
|
else:
|
|
|
|
return self.instantiate("OrBooleanExpression", [children[0], children[2]])
|
|
|
|
|
|
|
|
# Visit a parse tree produced by STIXPatternParser#comparisonExpressionAnd.
|
|
|
|
def visitComparisonExpressionAnd(self, ctx):
|
|
|
|
# TODO: NOT
|
|
|
|
children = self.visitChildren(ctx)
|
|
|
|
if len(children) == 1:
|
|
|
|
return children[0]
|
|
|
|
else:
|
|
|
|
if isinstance(children[0], _BooleanExpression):
|
|
|
|
children[0].operands.append(children[2])
|
|
|
|
return children[0]
|
|
|
|
else:
|
|
|
|
return self.instantiate("AndBooleanExpression", [children[0], children[2]])
|
|
|
|
|
|
|
|
# Visit a parse tree produced by STIXPatternParser#propTestEqual.
|
|
|
|
def visitPropTestEqual(self, ctx):
|
|
|
|
children = self.visitChildren(ctx)
|
|
|
|
operator = children[1].symbol.type
|
2020-03-27 16:22:00 +01:00
|
|
|
negated = operator != self.parser_class.EQ
|
2018-12-11 19:23:43 +01:00
|
|
|
return self.instantiate(
|
|
|
|
"EqualityComparisonExpression", children[0], children[3 if len(children) > 3 else 2],
|
|
|
|
negated,
|
|
|
|
)
|
2018-12-07 18:43:23 +01:00
|
|
|
|
|
|
|
# Visit a parse tree produced by STIXPatternParser#propTestOrder.
|
|
|
|
def visitPropTestOrder(self, ctx):
|
|
|
|
children = self.visitChildren(ctx)
|
|
|
|
operator = children[1].symbol.type
|
2020-03-27 16:22:00 +01:00
|
|
|
if operator == self.parser_class.GT:
|
2018-12-11 19:23:43 +01:00
|
|
|
return self.instantiate(
|
|
|
|
"GreaterThanComparisonExpression", children[0],
|
|
|
|
children[3 if len(children) > 3 else 2], False,
|
|
|
|
)
|
2020-03-27 16:22:00 +01:00
|
|
|
elif operator == self.parser_class.LT:
|
2018-12-11 19:23:43 +01:00
|
|
|
return self.instantiate(
|
|
|
|
"LessThanComparisonExpression", children[0],
|
|
|
|
children[3 if len(children) > 3 else 2], False,
|
|
|
|
)
|
2020-03-27 16:22:00 +01:00
|
|
|
elif operator == self.parser_class.GE:
|
2018-12-11 19:23:43 +01:00
|
|
|
return self.instantiate(
|
|
|
|
"GreaterThanEqualComparisonExpression", children[0],
|
|
|
|
children[3 if len(children) > 3 else 2], False,
|
|
|
|
)
|
2020-03-27 16:22:00 +01:00
|
|
|
elif operator == self.parser_class.LE:
|
2018-12-11 19:23:43 +01:00
|
|
|
return self.instantiate(
|
|
|
|
"LessThanEqualComparisonExpression", children[0],
|
|
|
|
children[3 if len(children) > 3 else 2], False,
|
|
|
|
)
|
2018-12-07 18:43:23 +01:00
|
|
|
|
|
|
|
# Visit a parse tree produced by STIXPatternParser#propTestSet.
|
|
|
|
def visitPropTestSet(self, ctx):
|
|
|
|
children = self.visitChildren(ctx)
|
|
|
|
return self.instantiate("InComparisonExpression", children[0], children[3 if len(children) > 3 else 2], False)
|
|
|
|
|
|
|
|
# Visit a parse tree produced by STIXPatternParser#propTestLike.
|
|
|
|
def visitPropTestLike(self, ctx):
|
|
|
|
children = self.visitChildren(ctx)
|
|
|
|
return self.instantiate("LikeComparisonExpression", children[0], children[3 if len(children) > 3 else 2], False)
|
|
|
|
|
|
|
|
# Visit a parse tree produced by STIXPatternParser#propTestRegex.
|
|
|
|
def visitPropTestRegex(self, ctx):
|
|
|
|
children = self.visitChildren(ctx)
|
2018-12-11 19:23:43 +01:00
|
|
|
return self.instantiate(
|
|
|
|
"MatchesComparisonExpression", children[0], children[3 if len(children) > 3 else 2],
|
|
|
|
False,
|
|
|
|
)
|
2018-12-07 18:43:23 +01:00
|
|
|
|
|
|
|
# Visit a parse tree produced by STIXPatternParser#propTestIsSubset.
|
|
|
|
def visitPropTestIsSubset(self, ctx):
|
|
|
|
children = self.visitChildren(ctx)
|
|
|
|
return self.instantiate("IsSubsetComparisonExpression", children[0], children[3 if len(children) > 3 else 2])
|
|
|
|
|
|
|
|
# Visit a parse tree produced by STIXPatternParser#propTestIsSuperset.
|
|
|
|
def visitPropTestIsSuperset(self, ctx):
|
|
|
|
children = self.visitChildren(ctx)
|
|
|
|
return self.instantiate("IsSupersetComparisonExpression", children[0], children[3 if len(children) > 3 else 2])
|
|
|
|
|
|
|
|
# Visit a parse tree produced by STIXPatternParser#propTestParen.
|
|
|
|
def visitPropTestParen(self, ctx):
|
|
|
|
children = self.visitChildren(ctx)
|
|
|
|
return self.instantiate("ParentheticalExpression", children[1])
|
|
|
|
|
|
|
|
# Visit a parse tree produced by STIXPatternParser#startStopQualifier.
|
|
|
|
def visitStartStopQualifier(self, ctx):
|
|
|
|
children = self.visitChildren(ctx)
|
2020-06-05 15:25:06 +02:00
|
|
|
# 2.0 parser will accept any string, need to make sure it is a full STIX timestamp
|
|
|
|
if isinstance(children[1], StringConstant):
|
|
|
|
if not check_for_valid_timetamp_syntax(children[1].value):
|
|
|
|
raise (ValueError("Start time is not a legal timestamp"))
|
|
|
|
if isinstance(children[3], StringConstant):
|
|
|
|
if not check_for_valid_timetamp_syntax(children[3].value):
|
|
|
|
raise (ValueError("Stop time is not a legal timestamp"))
|
|
|
|
|
2018-12-07 18:43:23 +01:00
|
|
|
return StartStopQualifier(children[1], children[3])
|
|
|
|
|
|
|
|
# Visit a parse tree produced by STIXPatternParser#withinQualifier.
|
|
|
|
def visitWithinQualifier(self, ctx):
|
|
|
|
children = self.visitChildren(ctx)
|
|
|
|
return WithinQualifier(children[1])
|
|
|
|
|
|
|
|
# Visit a parse tree produced by STIXPatternParser#repeatedQualifier.
|
|
|
|
def visitRepeatedQualifier(self, ctx):
|
|
|
|
children = self.visitChildren(ctx)
|
|
|
|
return RepeatQualifier(children[1])
|
|
|
|
|
|
|
|
# Visit a parse tree produced by STIXPatternParser#objectPath.
|
|
|
|
def visitObjectPath(self, ctx):
|
|
|
|
children = self.visitChildren(ctx)
|
|
|
|
flat_list = collapse_lists(children[2:])
|
|
|
|
property_path = []
|
|
|
|
i = 0
|
|
|
|
while i < len(flat_list):
|
|
|
|
current = flat_list[i]
|
|
|
|
if i == len(flat_list)-1:
|
|
|
|
property_path.append(current)
|
|
|
|
break
|
|
|
|
next = flat_list[i+1]
|
|
|
|
if isinstance(next, TerminalNode):
|
|
|
|
property_path.append(self.instantiate("ListObjectPathComponent", current.property_name, next.getText()))
|
|
|
|
i += 2
|
|
|
|
else:
|
|
|
|
property_path.append(current)
|
|
|
|
i += 1
|
|
|
|
return self.instantiate("ObjectPath", children[0].getText(), property_path)
|
|
|
|
|
|
|
|
# Visit a parse tree produced by STIXPatternParser#objectType.
|
|
|
|
def visitObjectType(self, ctx):
|
|
|
|
children = self.visitChildren(ctx)
|
|
|
|
return children[0]
|
|
|
|
|
|
|
|
# Visit a parse tree produced by STIXPatternParser#firstPathComponent.
|
|
|
|
def visitFirstPathComponent(self, ctx):
|
|
|
|
children = self.visitChildren(ctx)
|
|
|
|
step = children[0].getText()
|
|
|
|
# if step.endswith("_ref"):
|
|
|
|
# return stix2.ReferenceObjectPathComponent(step)
|
|
|
|
# else:
|
|
|
|
return self.instantiate("BasicObjectPathComponent", step, False)
|
|
|
|
|
|
|
|
# Visit a parse tree produced by STIXPatternParser#indexPathStep.
|
|
|
|
def visitIndexPathStep(self, ctx):
|
|
|
|
children = self.visitChildren(ctx)
|
|
|
|
return children[1]
|
|
|
|
|
|
|
|
# Visit a parse tree produced by STIXPatternParser#pathStep.
|
|
|
|
def visitPathStep(self, ctx):
|
|
|
|
return collapse_lists(self.visitChildren(ctx))
|
|
|
|
|
|
|
|
# Visit a parse tree produced by STIXPatternParser#keyPathStep.
|
|
|
|
def visitKeyPathStep(self, ctx):
|
|
|
|
children = self.visitChildren(ctx)
|
|
|
|
if isinstance(children[1], StringConstant):
|
|
|
|
# special case for hashes
|
|
|
|
return children[1].value
|
|
|
|
else:
|
|
|
|
return self.instantiate("BasicObjectPathComponent", children[1].getText(), True)
|
|
|
|
|
|
|
|
# Visit a parse tree produced by STIXPatternParser#setLiteral.
|
|
|
|
def visitSetLiteral(self, ctx):
|
|
|
|
children = self.visitChildren(ctx)
|
2018-12-10 18:14:31 +01:00
|
|
|
return self.instantiate("ListConstant", remove_terminal_nodes(children))
|
2018-12-07 18:43:23 +01:00
|
|
|
|
|
|
|
# Visit a parse tree produced by STIXPatternParser#primitiveLiteral.
|
|
|
|
def visitPrimitiveLiteral(self, ctx):
|
|
|
|
children = self.visitChildren(ctx)
|
|
|
|
return children[0]
|
|
|
|
|
|
|
|
# Visit a parse tree produced by STIXPatternParser#orderableLiteral.
|
|
|
|
def visitOrderableLiteral(self, ctx):
|
|
|
|
children = self.visitChildren(ctx)
|
|
|
|
return children[0]
|
|
|
|
|
|
|
|
def visitTerminal(self, node):
|
2020-03-27 16:22:00 +01:00
|
|
|
if node.symbol.type == self.parser_class.IntPosLiteral or node.symbol.type == self.parser_class.IntNegLiteral:
|
2018-12-07 18:43:23 +01:00
|
|
|
return IntegerConstant(node.getText())
|
2020-03-27 16:22:00 +01:00
|
|
|
elif node.symbol.type == self.parser_class.FloatPosLiteral or node.symbol.type == self.parser_class.FloatNegLiteral:
|
2018-12-07 18:43:23 +01:00
|
|
|
return FloatConstant(node.getText())
|
2020-03-27 16:22:00 +01:00
|
|
|
elif node.symbol.type == self.parser_class.HexLiteral:
|
2018-12-07 18:43:23 +01:00
|
|
|
return HexConstant(node.getText(), from_parse_tree=True)
|
2020-03-27 16:22:00 +01:00
|
|
|
elif node.symbol.type == self.parser_class.BinaryLiteral:
|
2018-12-07 18:43:23 +01:00
|
|
|
return BinaryConstant(node.getText(), from_parse_tree=True)
|
2020-03-27 16:22:00 +01:00
|
|
|
elif node.symbol.type == self.parser_class.StringLiteral:
|
2020-01-27 22:18:41 +01:00
|
|
|
if node.getText()[0] == "'" and node.getText()[-1] == "'":
|
|
|
|
return StringConstant(node.getText()[1:-1], from_parse_tree=True)
|
|
|
|
else:
|
|
|
|
raise ParseException("The pattern does not start and end with a single quote")
|
2020-03-27 16:22:00 +01:00
|
|
|
elif node.symbol.type == self.parser_class.BoolLiteral:
|
2018-12-07 18:43:23 +01:00
|
|
|
return BooleanConstant(node.getText())
|
2020-03-27 16:22:00 +01:00
|
|
|
elif node.symbol.type == self.parser_class.TimestampLiteral:
|
2020-05-20 21:06:53 +02:00
|
|
|
value = node.getText()
|
|
|
|
# STIX 2.1 uses a special timestamp literal syntax
|
|
|
|
if value.startswith("t"):
|
|
|
|
value = value[2:-1]
|
|
|
|
return TimestampConstant(value)
|
2018-12-07 18:43:23 +01:00
|
|
|
else:
|
|
|
|
return node
|
|
|
|
|
|
|
|
def aggregateResult(self, aggregate, nextResult):
|
|
|
|
if aggregate:
|
|
|
|
aggregate.append(nextResult)
|
|
|
|
elif nextResult:
|
|
|
|
aggregate = [nextResult]
|
|
|
|
return aggregate
|
|
|
|
|
2020-03-27 16:22:00 +01:00
|
|
|
# This class defines a complete generic visitor for a parse tree produced by STIXPatternParser.
|
|
|
|
class STIXPatternVisitorForSTIX21(STIXPatternVisitorForSTIX2, STIXPatternVisitor21):
|
|
|
|
classes = {}
|
|
|
|
|
|
|
|
def __init__(self, module_suffix, module_name):
|
|
|
|
if module_suffix and module_name:
|
|
|
|
self.module_suffix = module_suffix
|
|
|
|
if not STIXPatternVisitorForSTIX2.classes:
|
|
|
|
module = importlib.import_module(module_name)
|
|
|
|
for k, c in inspect.getmembers(module, inspect.isclass):
|
|
|
|
STIXPatternVisitorForSTIX2.classes[k] = c
|
|
|
|
else:
|
|
|
|
self.module_suffix = None
|
|
|
|
self.parser_class = STIXPatternParser21
|
|
|
|
super(STIXPatternVisitor21, self).__init__()
|
|
|
|
|
|
|
|
|
2020-04-03 16:45:36 +02:00
|
|
|
class STIXPatternVisitorForSTIX20(STIXPatternVisitorForSTIX2, STIXPatternVisitor20):
|
2020-03-27 16:22:00 +01:00
|
|
|
classes = {}
|
|
|
|
|
|
|
|
def __init__(self, module_suffix, module_name):
|
|
|
|
if module_suffix and module_name:
|
|
|
|
self.module_suffix = module_suffix
|
|
|
|
if not STIXPatternVisitorForSTIX2.classes:
|
|
|
|
module = importlib.import_module(module_name)
|
|
|
|
for k, c in inspect.getmembers(module, inspect.isclass):
|
|
|
|
STIXPatternVisitorForSTIX2.classes[k] = c
|
|
|
|
else:
|
|
|
|
self.module_suffix = None
|
|
|
|
self.parser_class = STIXPatternParser20
|
|
|
|
super(STIXPatternVisitor20, self).__init__()
|
|
|
|
|
2018-12-07 18:43:23 +01:00
|
|
|
|
2020-04-03 16:45:36 +02:00
|
|
|
def create_pattern_object(pattern, module_suffix="", module_name="", version=stix2.DEFAULT_VERSION):
|
2018-12-10 21:07:38 +01:00
|
|
|
"""
|
2020-02-18 01:26:21 +01:00
|
|
|
Create a STIX pattern AST from a pattern string.
|
2018-12-10 21:07:38 +01:00
|
|
|
"""
|
2018-12-07 18:43:23 +01:00
|
|
|
|
2020-04-03 16:45:36 +02:00
|
|
|
if version == "2.1":
|
|
|
|
pattern_class = Pattern21
|
|
|
|
visitor_class = STIXPatternVisitorForSTIX21
|
|
|
|
else:
|
|
|
|
pattern_class = Pattern20
|
|
|
|
visitor_class = STIXPatternVisitorForSTIX20
|
|
|
|
|
|
|
|
pattern_obj = pattern_class(pattern)
|
|
|
|
builder = visitor_class(module_suffix, module_name)
|
2020-02-19 22:39:15 +01:00
|
|
|
return pattern_obj.visit(builder)
|