sort imports
parent
7f0d6b2400
commit
9cabd9c5d9
|
@ -1,28 +1,23 @@
|
||||||
import six
|
|
||||||
from stix2patterns.grammars.STIXPatternParser import TerminalNode
|
|
||||||
from stix2patterns.grammars.STIXPatternVisitor import STIXPatternVisitor
|
|
||||||
from antlr4 import CommonTokenStream, InputStream
|
|
||||||
from stix2patterns.grammars.STIXPatternLexer import STIXPatternLexer
|
|
||||||
from stix2patterns.grammars.STIXPatternParser import STIXPatternParser
|
|
||||||
from stix2patterns.validator import STIXPatternErrorListener
|
|
||||||
import importlib
|
import importlib
|
||||||
import inspect
|
import inspect
|
||||||
|
|
||||||
from .patterns import (FollowedByObservationExpression,
|
import six
|
||||||
IsSubsetComparisonExpression,
|
from stix2patterns.grammars.STIXPatternLexer import STIXPatternLexer
|
||||||
IsSupersetComparisonExpression,
|
from stix2patterns.grammars.STIXPatternParser import (
|
||||||
StartStopQualifier,
|
STIXPatternParser, TerminalNode,
|
||||||
WithinQualifier,
|
)
|
||||||
RepeatQualifier,
|
from stix2patterns.grammars.STIXPatternVisitor import STIXPatternVisitor
|
||||||
BasicObjectPathComponent,
|
from stix2patterns.validator import STIXPatternErrorListener
|
||||||
ListObjectPathComponent,
|
|
||||||
StringConstant,
|
from antlr4 import CommonTokenStream, InputStream
|
||||||
IntegerConstant,
|
|
||||||
FloatConstant,
|
from .patterns import (
|
||||||
HexConstant,
|
BasicObjectPathComponent, BinaryConstant, BooleanConstant, FloatConstant,
|
||||||
BinaryConstant,
|
FollowedByObservationExpression, HexConstant, IntegerConstant,
|
||||||
BooleanConstant,
|
IsSubsetComparisonExpression, IsSupersetComparisonExpression,
|
||||||
TimestampConstant)
|
ListObjectPathComponent, RepeatQualifier, StartStopQualifier,
|
||||||
|
StringConstant, TimestampConstant, WithinQualifier,
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
def collapse_lists(lists):
|
def collapse_lists(lists):
|
||||||
|
|
|
@ -6,39 +6,57 @@ import stix2
|
||||||
|
|
||||||
|
|
||||||
def test_create_comparison_expression():
|
def test_create_comparison_expression():
|
||||||
exp = stix2.EqualityComparisonExpression("file:hashes.'SHA-256'",
|
exp = stix2.EqualityComparisonExpression(
|
||||||
stix2.HashConstant("aec070645fe53ee3b3763059376134f058cc337247c978add178b6ccdfb0019f", "SHA-256")) # noqa
|
"file:hashes.'SHA-256'",
|
||||||
|
stix2.HashConstant("aec070645fe53ee3b3763059376134f058cc337247c978add178b6ccdfb0019f", "SHA-256"),
|
||||||
|
) # noqa
|
||||||
|
|
||||||
assert str(exp) == "file:hashes.'SHA-256' = 'aec070645fe53ee3b3763059376134f058cc337247c978add178b6ccdfb0019f'"
|
assert str(exp) == "file:hashes.'SHA-256' = 'aec070645fe53ee3b3763059376134f058cc337247c978add178b6ccdfb0019f'"
|
||||||
|
|
||||||
|
|
||||||
def test_boolean_expression():
|
def test_boolean_expression():
|
||||||
exp1 = stix2.MatchesComparisonExpression("email-message:from_ref.value",
|
exp1 = stix2.MatchesComparisonExpression(
|
||||||
stix2.StringConstant(".+\\@example\\.com$"))
|
"email-message:from_ref.value",
|
||||||
exp2 = stix2.MatchesComparisonExpression("email-message:body_multipart[*].body_raw_ref.name",
|
stix2.StringConstant(".+\\@example\\.com$"),
|
||||||
stix2.StringConstant("^Final Report.+\\.exe$"))
|
)
|
||||||
|
exp2 = stix2.MatchesComparisonExpression(
|
||||||
|
"email-message:body_multipart[*].body_raw_ref.name",
|
||||||
|
stix2.StringConstant("^Final Report.+\\.exe$"),
|
||||||
|
)
|
||||||
exp = stix2.AndBooleanExpression([exp1, exp2])
|
exp = stix2.AndBooleanExpression([exp1, exp2])
|
||||||
|
|
||||||
assert str(exp) == "email-message:from_ref.value MATCHES '.+\\\\@example\\\\.com$' AND email-message:body_multipart[*].body_raw_ref.name MATCHES '^Final Report.+\\\\.exe$'" # noqa
|
assert str(exp) == "email-message:from_ref.value MATCHES '.+\\\\@example\\\\.com$' AND email-message:body_multipart[*].body_raw_ref.name MATCHES '^Final Report.+\\\\.exe$'" # noqa
|
||||||
|
|
||||||
|
|
||||||
def test_boolean_expression_with_parentheses():
|
def test_boolean_expression_with_parentheses():
|
||||||
exp1 = stix2.MatchesComparisonExpression(stix2.ObjectPath("email-message",
|
exp1 = stix2.MatchesComparisonExpression(
|
||||||
[stix2.ReferenceObjectPathComponent("from_ref"),
|
stix2.ObjectPath(
|
||||||
stix2.BasicObjectPathComponent("value")]),
|
"email-message",
|
||||||
stix2.StringConstant(".+\\@example\\.com$"))
|
[
|
||||||
exp2 = stix2.MatchesComparisonExpression("email-message:body_multipart[*].body_raw_ref.name",
|
stix2.ReferenceObjectPathComponent("from_ref"),
|
||||||
stix2.StringConstant("^Final Report.+\\.exe$"))
|
stix2.BasicObjectPathComponent("value"),
|
||||||
|
],
|
||||||
|
),
|
||||||
|
stix2.StringConstant(".+\\@example\\.com$"),
|
||||||
|
)
|
||||||
|
exp2 = stix2.MatchesComparisonExpression(
|
||||||
|
"email-message:body_multipart[*].body_raw_ref.name",
|
||||||
|
stix2.StringConstant("^Final Report.+\\.exe$"),
|
||||||
|
)
|
||||||
exp = stix2.ParentheticalExpression(stix2.AndBooleanExpression([exp1, exp2]))
|
exp = stix2.ParentheticalExpression(stix2.AndBooleanExpression([exp1, exp2]))
|
||||||
assert str(exp) == "(email-message:from_ref.value MATCHES '.+\\\\@example\\\\.com$' AND email-message:body_multipart[*].body_raw_ref.name MATCHES '^Final Report.+\\\\.exe$')" # noqa
|
assert str(exp) == "(email-message:from_ref.value MATCHES '.+\\\\@example\\\\.com$' AND email-message:body_multipart[*].body_raw_ref.name MATCHES '^Final Report.+\\\\.exe$')" # noqa
|
||||||
|
|
||||||
|
|
||||||
def test_hash_followed_by_registryKey_expression_python_constant():
|
def test_hash_followed_by_registryKey_expression_python_constant():
|
||||||
hash_exp = stix2.EqualityComparisonExpression("file:hashes.MD5",
|
hash_exp = stix2.EqualityComparisonExpression(
|
||||||
stix2.HashConstant("79054025255fb1a26e4bc422aef54eb4", "MD5"))
|
"file:hashes.MD5",
|
||||||
|
stix2.HashConstant("79054025255fb1a26e4bc422aef54eb4", "MD5"),
|
||||||
|
)
|
||||||
o_exp1 = stix2.ObservationExpression(hash_exp)
|
o_exp1 = stix2.ObservationExpression(hash_exp)
|
||||||
reg_exp = stix2.EqualityComparisonExpression(stix2.ObjectPath("windows-registry-key", ["key"]),
|
reg_exp = stix2.EqualityComparisonExpression(
|
||||||
stix2.StringConstant("HKEY_LOCAL_MACHINE\\foo\\bar"))
|
stix2.ObjectPath("windows-registry-key", ["key"]),
|
||||||
|
stix2.StringConstant("HKEY_LOCAL_MACHINE\\foo\\bar"),
|
||||||
|
)
|
||||||
o_exp2 = stix2.ObservationExpression(reg_exp)
|
o_exp2 = stix2.ObservationExpression(reg_exp)
|
||||||
fb_exp = stix2.FollowedByObservationExpression([o_exp1, o_exp2])
|
fb_exp = stix2.FollowedByObservationExpression([o_exp1, o_exp2])
|
||||||
para_exp = stix2.ParentheticalExpression(fb_exp)
|
para_exp = stix2.ParentheticalExpression(fb_exp)
|
||||||
|
@ -48,11 +66,15 @@ def test_hash_followed_by_registryKey_expression_python_constant():
|
||||||
|
|
||||||
|
|
||||||
def test_hash_followed_by_registryKey_expression():
|
def test_hash_followed_by_registryKey_expression():
|
||||||
hash_exp = stix2.EqualityComparisonExpression("file:hashes.MD5",
|
hash_exp = stix2.EqualityComparisonExpression(
|
||||||
stix2.HashConstant("79054025255fb1a26e4bc422aef54eb4", "MD5"))
|
"file:hashes.MD5",
|
||||||
|
stix2.HashConstant("79054025255fb1a26e4bc422aef54eb4", "MD5"),
|
||||||
|
)
|
||||||
o_exp1 = stix2.ObservationExpression(hash_exp)
|
o_exp1 = stix2.ObservationExpression(hash_exp)
|
||||||
reg_exp = stix2.EqualityComparisonExpression(stix2.ObjectPath("windows-registry-key", ["key"]),
|
reg_exp = stix2.EqualityComparisonExpression(
|
||||||
stix2.StringConstant("HKEY_LOCAL_MACHINE\\foo\\bar"))
|
stix2.ObjectPath("windows-registry-key", ["key"]),
|
||||||
|
stix2.StringConstant("HKEY_LOCAL_MACHINE\\foo\\bar"),
|
||||||
|
)
|
||||||
o_exp2 = stix2.ObservationExpression(reg_exp)
|
o_exp2 = stix2.ObservationExpression(reg_exp)
|
||||||
fb_exp = stix2.FollowedByObservationExpression([o_exp1, o_exp2])
|
fb_exp = stix2.FollowedByObservationExpression([o_exp1, o_exp2])
|
||||||
para_exp = stix2.ParentheticalExpression(fb_exp)
|
para_exp = stix2.ParentheticalExpression(fb_exp)
|
||||||
|
@ -62,31 +84,44 @@ def test_hash_followed_by_registryKey_expression():
|
||||||
|
|
||||||
|
|
||||||
def test_file_observable_expression():
|
def test_file_observable_expression():
|
||||||
exp1 = stix2.EqualityComparisonExpression("file:hashes.'SHA-256'",
|
exp1 = stix2.EqualityComparisonExpression(
|
||||||
stix2.HashConstant(
|
"file:hashes.'SHA-256'",
|
||||||
"aec070645fe53ee3b3763059376134f058cc337247c978add178b6ccdfb0019f",
|
stix2.HashConstant(
|
||||||
'SHA-256'))
|
"aec070645fe53ee3b3763059376134f058cc337247c978add178b6ccdfb0019f",
|
||||||
|
'SHA-256',
|
||||||
|
),
|
||||||
|
)
|
||||||
exp2 = stix2.EqualityComparisonExpression("file:mime_type", stix2.StringConstant("application/x-pdf"))
|
exp2 = stix2.EqualityComparisonExpression("file:mime_type", stix2.StringConstant("application/x-pdf"))
|
||||||
bool_exp = stix2.ObservationExpression(stix2.AndBooleanExpression([exp1, exp2]))
|
bool_exp = stix2.ObservationExpression(stix2.AndBooleanExpression([exp1, exp2]))
|
||||||
assert str(bool_exp) == "[file:hashes.'SHA-256' = 'aec070645fe53ee3b3763059376134f058cc337247c978add178b6ccdfb0019f' AND file:mime_type = 'application/x-pdf']" # noqa
|
assert str(bool_exp) == "[file:hashes.'SHA-256' = 'aec070645fe53ee3b3763059376134f058cc337247c978add178b6ccdfb0019f' AND file:mime_type = 'application/x-pdf']" # noqa
|
||||||
|
|
||||||
|
|
||||||
@pytest.mark.parametrize("observation_class, op", [
|
@pytest.mark.parametrize(
|
||||||
(stix2.AndObservationExpression, 'AND'),
|
"observation_class, op", [
|
||||||
(stix2.OrObservationExpression, 'OR'),
|
(stix2.AndObservationExpression, 'AND'),
|
||||||
])
|
(stix2.OrObservationExpression, 'OR'),
|
||||||
|
],
|
||||||
|
)
|
||||||
def test_multiple_file_observable_expression(observation_class, op):
|
def test_multiple_file_observable_expression(observation_class, op):
|
||||||
exp1 = stix2.EqualityComparisonExpression("file:hashes.'SHA-256'",
|
exp1 = stix2.EqualityComparisonExpression(
|
||||||
stix2.HashConstant(
|
"file:hashes.'SHA-256'",
|
||||||
"bf07a7fbb825fc0aae7bf4a1177b2b31fcf8a3feeaf7092761e18c859ee52a9c",
|
stix2.HashConstant(
|
||||||
'SHA-256'))
|
"bf07a7fbb825fc0aae7bf4a1177b2b31fcf8a3feeaf7092761e18c859ee52a9c",
|
||||||
exp2 = stix2.EqualityComparisonExpression("file:hashes.MD5",
|
'SHA-256',
|
||||||
stix2.HashConstant("cead3f77f6cda6ec00f57d76c9a6879f", "MD5"))
|
),
|
||||||
|
)
|
||||||
|
exp2 = stix2.EqualityComparisonExpression(
|
||||||
|
"file:hashes.MD5",
|
||||||
|
stix2.HashConstant("cead3f77f6cda6ec00f57d76c9a6879f", "MD5"),
|
||||||
|
)
|
||||||
bool1_exp = stix2.OrBooleanExpression([exp1, exp2])
|
bool1_exp = stix2.OrBooleanExpression([exp1, exp2])
|
||||||
exp3 = stix2.EqualityComparisonExpression("file:hashes.'SHA-256'",
|
exp3 = stix2.EqualityComparisonExpression(
|
||||||
stix2.HashConstant(
|
"file:hashes.'SHA-256'",
|
||||||
"aec070645fe53ee3b3763059376134f058cc337247c978add178b6ccdfb0019f",
|
stix2.HashConstant(
|
||||||
'SHA-256'))
|
"aec070645fe53ee3b3763059376134f058cc337247c978add178b6ccdfb0019f",
|
||||||
|
'SHA-256',
|
||||||
|
),
|
||||||
|
)
|
||||||
op1_exp = stix2.ObservationExpression(bool1_exp)
|
op1_exp = stix2.ObservationExpression(bool1_exp)
|
||||||
op2_exp = stix2.ObservationExpression(exp3)
|
op2_exp = stix2.ObservationExpression(exp3)
|
||||||
exp = observation_class([op1_exp, op2_exp])
|
exp = observation_class([op1_exp, op2_exp])
|
||||||
|
@ -96,19 +131,29 @@ def test_multiple_file_observable_expression(observation_class, op):
|
||||||
def test_root_types():
|
def test_root_types():
|
||||||
ast = stix2.ObservationExpression(
|
ast = stix2.ObservationExpression(
|
||||||
stix2.AndBooleanExpression(
|
stix2.AndBooleanExpression(
|
||||||
[stix2.ParentheticalExpression(
|
[
|
||||||
stix2.OrBooleanExpression([
|
stix2.ParentheticalExpression(
|
||||||
stix2.EqualityComparisonExpression("a:b", stix2.StringConstant("1")),
|
stix2.OrBooleanExpression([
|
||||||
stix2.EqualityComparisonExpression("b:c", stix2.StringConstant("2"))])),
|
stix2.EqualityComparisonExpression("a:b", stix2.StringConstant("1")),
|
||||||
stix2.EqualityComparisonExpression(u"b:d", stix2.StringConstant("3"))]))
|
stix2.EqualityComparisonExpression("b:c", stix2.StringConstant("2")),
|
||||||
|
]),
|
||||||
|
),
|
||||||
|
stix2.EqualityComparisonExpression(u"b:d", stix2.StringConstant("3")),
|
||||||
|
],
|
||||||
|
),
|
||||||
|
)
|
||||||
assert str(ast) == "[(a:b = '1' OR b:c = '2') AND b:d = '3']"
|
assert str(ast) == "[(a:b = '1' OR b:c = '2') AND b:d = '3']"
|
||||||
|
|
||||||
|
|
||||||
def test_artifact_payload():
|
def test_artifact_payload():
|
||||||
exp1 = stix2.EqualityComparisonExpression("artifact:mime_type",
|
exp1 = stix2.EqualityComparisonExpression(
|
||||||
"application/vnd.tcpdump.pcap")
|
"artifact:mime_type",
|
||||||
exp2 = stix2.MatchesComparisonExpression("artifact:payload_bin",
|
"application/vnd.tcpdump.pcap",
|
||||||
stix2.StringConstant("\\xd4\\xc3\\xb2\\xa1\\x02\\x00\\x04\\x00"))
|
)
|
||||||
|
exp2 = stix2.MatchesComparisonExpression(
|
||||||
|
"artifact:payload_bin",
|
||||||
|
stix2.StringConstant("\\xd4\\xc3\\xb2\\xa1\\x02\\x00\\x04\\x00"),
|
||||||
|
)
|
||||||
and_exp = stix2.ObservationExpression(stix2.AndBooleanExpression([exp1, exp2]))
|
and_exp = stix2.ObservationExpression(stix2.AndBooleanExpression([exp1, exp2]))
|
||||||
assert str(and_exp) == "[artifact:mime_type = 'application/vnd.tcpdump.pcap' AND artifact:payload_bin MATCHES '\\\\xd4\\\\xc3\\\\xb2\\\\xa1\\\\x02\\\\x00\\\\x04\\\\x00']" # noqa
|
assert str(and_exp) == "[artifact:mime_type = 'application/vnd.tcpdump.pcap' AND artifact:payload_bin MATCHES '\\\\xd4\\\\xc3\\\\xb2\\\\xa1\\\\x02\\\\x00\\\\x04\\\\x00']" # noqa
|
||||||
|
|
||||||
|
@ -120,8 +165,10 @@ def test_greater_than_python_constant():
|
||||||
|
|
||||||
|
|
||||||
def test_greater_than():
|
def test_greater_than():
|
||||||
exp1 = stix2.GreaterThanComparisonExpression("file:extensions.windows-pebinary-ext.sections[*].entropy",
|
exp1 = stix2.GreaterThanComparisonExpression(
|
||||||
stix2.FloatConstant(7.0))
|
"file:extensions.windows-pebinary-ext.sections[*].entropy",
|
||||||
|
stix2.FloatConstant(7.0),
|
||||||
|
)
|
||||||
exp = stix2.ObservationExpression(exp1)
|
exp = stix2.ObservationExpression(exp1)
|
||||||
assert str(exp) == "[file:extensions.windows-pebinary-ext.sections[*].entropy > 7.0]"
|
assert str(exp) == "[file:extensions.windows-pebinary-ext.sections[*].entropy > 7.0]"
|
||||||
|
|
||||||
|
@ -132,73 +179,123 @@ def test_less_than():
|
||||||
|
|
||||||
|
|
||||||
def test_greater_than_or_equal():
|
def test_greater_than_or_equal():
|
||||||
exp = stix2.GreaterThanEqualComparisonExpression("file:size",
|
exp = stix2.GreaterThanEqualComparisonExpression(
|
||||||
1024)
|
"file:size",
|
||||||
|
1024,
|
||||||
|
)
|
||||||
|
|
||||||
assert str(exp) == "file:size >= 1024"
|
assert str(exp) == "file:size >= 1024"
|
||||||
|
|
||||||
|
|
||||||
def test_less_than_or_equal():
|
def test_less_than_or_equal():
|
||||||
exp = stix2.LessThanEqualComparisonExpression("file:size",
|
exp = stix2.LessThanEqualComparisonExpression(
|
||||||
1024)
|
"file:size",
|
||||||
|
1024,
|
||||||
|
)
|
||||||
assert str(exp) == "file:size <= 1024"
|
assert str(exp) == "file:size <= 1024"
|
||||||
|
|
||||||
|
|
||||||
def test_not():
|
def test_not():
|
||||||
exp = stix2.LessThanComparisonExpression("file:size",
|
exp = stix2.LessThanComparisonExpression(
|
||||||
1024,
|
"file:size",
|
||||||
negated=True)
|
1024,
|
||||||
|
negated=True,
|
||||||
|
)
|
||||||
assert str(exp) == "file:size NOT < 1024"
|
assert str(exp) == "file:size NOT < 1024"
|
||||||
|
|
||||||
|
|
||||||
def test_and_observable_expression():
|
def test_and_observable_expression():
|
||||||
exp1 = stix2.AndBooleanExpression([stix2.EqualityComparisonExpression("user-account:account_type",
|
exp1 = stix2.AndBooleanExpression([
|
||||||
"unix"),
|
stix2.EqualityComparisonExpression(
|
||||||
stix2.EqualityComparisonExpression("user-account:user_id",
|
"user-account:account_type",
|
||||||
stix2.StringConstant("1007")),
|
"unix",
|
||||||
stix2.EqualityComparisonExpression("user-account:account_login",
|
),
|
||||||
"Peter")])
|
stix2.EqualityComparisonExpression(
|
||||||
exp2 = stix2.AndBooleanExpression([stix2.EqualityComparisonExpression("user-account:account_type",
|
"user-account:user_id",
|
||||||
"unix"),
|
stix2.StringConstant("1007"),
|
||||||
stix2.EqualityComparisonExpression("user-account:user_id",
|
),
|
||||||
stix2.StringConstant("1008")),
|
stix2.EqualityComparisonExpression(
|
||||||
stix2.EqualityComparisonExpression("user-account:account_login",
|
"user-account:account_login",
|
||||||
"Paul")])
|
"Peter",
|
||||||
exp3 = stix2.AndBooleanExpression([stix2.EqualityComparisonExpression("user-account:account_type",
|
),
|
||||||
"unix"),
|
])
|
||||||
stix2.EqualityComparisonExpression("user-account:user_id",
|
exp2 = stix2.AndBooleanExpression([
|
||||||
stix2.StringConstant("1009")),
|
stix2.EqualityComparisonExpression(
|
||||||
stix2.EqualityComparisonExpression("user-account:account_login",
|
"user-account:account_type",
|
||||||
"Mary")])
|
"unix",
|
||||||
exp = stix2.AndObservationExpression([stix2.ObservationExpression(exp1),
|
),
|
||||||
stix2.ObservationExpression(exp2),
|
stix2.EqualityComparisonExpression(
|
||||||
stix2.ObservationExpression(exp3)])
|
"user-account:user_id",
|
||||||
|
stix2.StringConstant("1008"),
|
||||||
|
),
|
||||||
|
stix2.EqualityComparisonExpression(
|
||||||
|
"user-account:account_login",
|
||||||
|
"Paul",
|
||||||
|
),
|
||||||
|
])
|
||||||
|
exp3 = stix2.AndBooleanExpression([
|
||||||
|
stix2.EqualityComparisonExpression(
|
||||||
|
"user-account:account_type",
|
||||||
|
"unix",
|
||||||
|
),
|
||||||
|
stix2.EqualityComparisonExpression(
|
||||||
|
"user-account:user_id",
|
||||||
|
stix2.StringConstant("1009"),
|
||||||
|
),
|
||||||
|
stix2.EqualityComparisonExpression(
|
||||||
|
"user-account:account_login",
|
||||||
|
"Mary",
|
||||||
|
),
|
||||||
|
])
|
||||||
|
exp = stix2.AndObservationExpression([
|
||||||
|
stix2.ObservationExpression(exp1),
|
||||||
|
stix2.ObservationExpression(exp2),
|
||||||
|
stix2.ObservationExpression(exp3),
|
||||||
|
])
|
||||||
assert str(exp) == "[user-account:account_type = 'unix' AND user-account:user_id = '1007' AND user-account:account_login = 'Peter'] AND [user-account:account_type = 'unix' AND user-account:user_id = '1008' AND user-account:account_login = 'Paul'] AND [user-account:account_type = 'unix' AND user-account:user_id = '1009' AND user-account:account_login = 'Mary']" # noqa
|
assert str(exp) == "[user-account:account_type = 'unix' AND user-account:user_id = '1007' AND user-account:account_login = 'Peter'] AND [user-account:account_type = 'unix' AND user-account:user_id = '1008' AND user-account:account_login = 'Paul'] AND [user-account:account_type = 'unix' AND user-account:user_id = '1009' AND user-account:account_login = 'Mary']" # noqa
|
||||||
|
|
||||||
|
|
||||||
def test_invalid_and_observable_expression():
|
def test_invalid_and_observable_expression():
|
||||||
with pytest.raises(ValueError) as excinfo:
|
with pytest.raises(ValueError) as excinfo:
|
||||||
stix2.AndBooleanExpression([stix2.EqualityComparisonExpression("user-account:display_name",
|
stix2.AndBooleanExpression([
|
||||||
"admin"),
|
stix2.EqualityComparisonExpression(
|
||||||
stix2.EqualityComparisonExpression("email-addr:display_name",
|
"user-account:display_name",
|
||||||
stix2.StringConstant("admin"))])
|
"admin",
|
||||||
|
),
|
||||||
|
stix2.EqualityComparisonExpression(
|
||||||
|
"email-addr:display_name",
|
||||||
|
stix2.StringConstant("admin"),
|
||||||
|
),
|
||||||
|
])
|
||||||
assert "All operands to an 'AND' expression must have the same object type" in str(excinfo)
|
assert "All operands to an 'AND' expression must have the same object type" in str(excinfo)
|
||||||
|
|
||||||
|
|
||||||
def test_hex():
|
def test_hex():
|
||||||
exp_and = stix2.AndBooleanExpression([stix2.EqualityComparisonExpression("file:mime_type",
|
exp_and = stix2.AndBooleanExpression([
|
||||||
"image/bmp"),
|
stix2.EqualityComparisonExpression(
|
||||||
stix2.EqualityComparisonExpression("file:magic_number_hex",
|
"file:mime_type",
|
||||||
stix2.HexConstant("ffd8"))])
|
"image/bmp",
|
||||||
|
),
|
||||||
|
stix2.EqualityComparisonExpression(
|
||||||
|
"file:magic_number_hex",
|
||||||
|
stix2.HexConstant("ffd8"),
|
||||||
|
),
|
||||||
|
])
|
||||||
exp = stix2.ObservationExpression(exp_and)
|
exp = stix2.ObservationExpression(exp_and)
|
||||||
assert str(exp) == "[file:mime_type = 'image/bmp' AND file:magic_number_hex = h'ffd8']"
|
assert str(exp) == "[file:mime_type = 'image/bmp' AND file:magic_number_hex = h'ffd8']"
|
||||||
|
|
||||||
|
|
||||||
def test_multiple_qualifiers():
|
def test_multiple_qualifiers():
|
||||||
exp_and = stix2.AndBooleanExpression([stix2.EqualityComparisonExpression("network-traffic:dst_ref.type",
|
exp_and = stix2.AndBooleanExpression([
|
||||||
"domain-name"),
|
stix2.EqualityComparisonExpression(
|
||||||
stix2.EqualityComparisonExpression("network-traffic:dst_ref.value",
|
"network-traffic:dst_ref.type",
|
||||||
"example.com")])
|
"domain-name",
|
||||||
|
),
|
||||||
|
stix2.EqualityComparisonExpression(
|
||||||
|
"network-traffic:dst_ref.value",
|
||||||
|
"example.com",
|
||||||
|
),
|
||||||
|
])
|
||||||
exp_ob = stix2.ObservationExpression(exp_and)
|
exp_ob = stix2.ObservationExpression(exp_and)
|
||||||
qual_rep = stix2.RepeatQualifier(5)
|
qual_rep = stix2.RepeatQualifier(5)
|
||||||
qual_within = stix2.WithinQualifier(stix2.IntegerConstant(1800))
|
qual_within = stix2.WithinQualifier(stix2.IntegerConstant(1800))
|
||||||
|
@ -207,8 +304,10 @@ def test_multiple_qualifiers():
|
||||||
|
|
||||||
|
|
||||||
def test_set_op():
|
def test_set_op():
|
||||||
exp = stix2.ObservationExpression(stix2.IsSubsetComparisonExpression("network-traffic:dst_ref.value",
|
exp = stix2.ObservationExpression(stix2.IsSubsetComparisonExpression(
|
||||||
"2001:0db8:dead:beef:0000:0000:0000:0000/64"))
|
"network-traffic:dst_ref.value",
|
||||||
|
"2001:0db8:dead:beef:0000:0000:0000:0000/64",
|
||||||
|
))
|
||||||
assert str(exp) == "[network-traffic:dst_ref.value ISSUBSET '2001:0db8:dead:beef:0000:0000:0000:0000/64']"
|
assert str(exp) == "[network-traffic:dst_ref.value ISSUBSET '2001:0db8:dead:beef:0000:0000:0000:0000/64']"
|
||||||
|
|
||||||
|
|
||||||
|
@ -218,35 +317,45 @@ def test_timestamp():
|
||||||
|
|
||||||
|
|
||||||
def test_boolean():
|
def test_boolean():
|
||||||
exp = stix2.EqualityComparisonExpression("email-message:is_multipart",
|
exp = stix2.EqualityComparisonExpression(
|
||||||
True)
|
"email-message:is_multipart",
|
||||||
|
True,
|
||||||
|
)
|
||||||
assert str(exp) == "email-message:is_multipart = true"
|
assert str(exp) == "email-message:is_multipart = true"
|
||||||
|
|
||||||
|
|
||||||
def test_binary():
|
def test_binary():
|
||||||
const = stix2.BinaryConstant("dGhpcyBpcyBhIHRlc3Q=")
|
const = stix2.BinaryConstant("dGhpcyBpcyBhIHRlc3Q=")
|
||||||
exp = stix2.EqualityComparisonExpression("artifact:payload_bin",
|
exp = stix2.EqualityComparisonExpression(
|
||||||
const)
|
"artifact:payload_bin",
|
||||||
|
const,
|
||||||
|
)
|
||||||
assert str(exp) == "artifact:payload_bin = b'dGhpcyBpcyBhIHRlc3Q='"
|
assert str(exp) == "artifact:payload_bin = b'dGhpcyBpcyBhIHRlc3Q='"
|
||||||
|
|
||||||
|
|
||||||
def test_list():
|
def test_list():
|
||||||
exp = stix2.InComparisonExpression("process:name",
|
exp = stix2.InComparisonExpression(
|
||||||
['proccy', 'proximus', 'badproc'])
|
"process:name",
|
||||||
|
['proccy', 'proximus', 'badproc'],
|
||||||
|
)
|
||||||
assert str(exp) == "process:name IN ('proccy', 'proximus', 'badproc')"
|
assert str(exp) == "process:name IN ('proccy', 'proximus', 'badproc')"
|
||||||
|
|
||||||
|
|
||||||
def test_list2():
|
def test_list2():
|
||||||
# alternate way to construct an "IN" Comparison Expression
|
# alternate way to construct an "IN" Comparison Expression
|
||||||
exp = stix2.EqualityComparisonExpression("process:name",
|
exp = stix2.EqualityComparisonExpression(
|
||||||
['proccy', 'proximus', 'badproc'])
|
"process:name",
|
||||||
|
['proccy', 'proximus', 'badproc'],
|
||||||
|
)
|
||||||
assert str(exp) == "process:name IN ('proccy', 'proximus', 'badproc')"
|
assert str(exp) == "process:name IN ('proccy', 'proximus', 'badproc')"
|
||||||
|
|
||||||
|
|
||||||
def test_invalid_constant_type():
|
def test_invalid_constant_type():
|
||||||
with pytest.raises(ValueError) as excinfo:
|
with pytest.raises(ValueError) as excinfo:
|
||||||
stix2.EqualityComparisonExpression("artifact:payload_bin",
|
stix2.EqualityComparisonExpression(
|
||||||
{'foo': 'bar'})
|
"artifact:payload_bin",
|
||||||
|
{'foo': 'bar'},
|
||||||
|
)
|
||||||
assert 'Unable to create a constant' in str(excinfo)
|
assert 'Unable to create a constant' in str(excinfo)
|
||||||
|
|
||||||
|
|
||||||
|
@ -268,20 +377,22 @@ def test_invalid_float_constant():
|
||||||
assert 'must be a float' in str(excinfo)
|
assert 'must be a float' in str(excinfo)
|
||||||
|
|
||||||
|
|
||||||
@pytest.mark.parametrize("data, result", [
|
@pytest.mark.parametrize(
|
||||||
(True, True),
|
"data, result", [
|
||||||
(False, False),
|
(True, True),
|
||||||
('True', True),
|
(False, False),
|
||||||
('False', False),
|
('True', True),
|
||||||
('true', True),
|
('False', False),
|
||||||
('false', False),
|
('true', True),
|
||||||
('t', True),
|
('false', False),
|
||||||
('f', False),
|
('t', True),
|
||||||
('T', True),
|
('f', False),
|
||||||
('F', False),
|
('T', True),
|
||||||
(1, True),
|
('F', False),
|
||||||
(0, False),
|
(1, True),
|
||||||
])
|
(0, False),
|
||||||
|
],
|
||||||
|
)
|
||||||
def test_boolean_constant(data, result):
|
def test_boolean_constant(data, result):
|
||||||
boolean = stix2.BooleanConstant(data)
|
boolean = stix2.BooleanConstant(data)
|
||||||
assert boolean.value == result
|
assert boolean.value == result
|
||||||
|
@ -293,10 +404,12 @@ def test_invalid_boolean_constant():
|
||||||
assert 'must be a boolean' in str(excinfo)
|
assert 'must be a boolean' in str(excinfo)
|
||||||
|
|
||||||
|
|
||||||
@pytest.mark.parametrize("hashtype, data", [
|
@pytest.mark.parametrize(
|
||||||
('MD5', 'zzz'),
|
"hashtype, data", [
|
||||||
('ssdeep', 'zzz=='),
|
('MD5', 'zzz'),
|
||||||
])
|
('ssdeep', 'zzz=='),
|
||||||
|
],
|
||||||
|
)
|
||||||
def test_invalid_hash_constant(hashtype, data):
|
def test_invalid_hash_constant(hashtype, data):
|
||||||
with pytest.raises(ValueError) as excinfo:
|
with pytest.raises(ValueError) as excinfo:
|
||||||
stix2.HashConstant(data, hashtype)
|
stix2.HashConstant(data, hashtype)
|
||||||
|
@ -316,20 +429,26 @@ def test_invalid_binary_constant():
|
||||||
|
|
||||||
|
|
||||||
def test_escape_quotes_and_backslashes():
|
def test_escape_quotes_and_backslashes():
|
||||||
exp = stix2.MatchesComparisonExpression("file:name",
|
exp = stix2.MatchesComparisonExpression(
|
||||||
"^Final Report.+\\.exe$")
|
"file:name",
|
||||||
|
"^Final Report.+\\.exe$",
|
||||||
|
)
|
||||||
assert str(exp) == "file:name MATCHES '^Final Report.+\\\\.exe$'"
|
assert str(exp) == "file:name MATCHES '^Final Report.+\\\\.exe$'"
|
||||||
|
|
||||||
|
|
||||||
def test_like():
|
def test_like():
|
||||||
exp = stix2.LikeComparisonExpression("directory:path",
|
exp = stix2.LikeComparisonExpression(
|
||||||
"C:\\Windows\\%\\foo")
|
"directory:path",
|
||||||
|
"C:\\Windows\\%\\foo",
|
||||||
|
)
|
||||||
assert str(exp) == "directory:path LIKE 'C:\\\\Windows\\\\%\\\\foo'"
|
assert str(exp) == "directory:path LIKE 'C:\\\\Windows\\\\%\\\\foo'"
|
||||||
|
|
||||||
|
|
||||||
def test_issuperset():
|
def test_issuperset():
|
||||||
exp = stix2.IsSupersetComparisonExpression("ipv4-addr:value",
|
exp = stix2.IsSupersetComparisonExpression(
|
||||||
"198.51.100.0/24")
|
"ipv4-addr:value",
|
||||||
|
"198.51.100.0/24",
|
||||||
|
)
|
||||||
assert str(exp) == "ipv4-addr:value ISSUPERSET '198.51.100.0/24'"
|
assert str(exp) == "ipv4-addr:value ISSUPERSET '198.51.100.0/24'"
|
||||||
|
|
||||||
|
|
||||||
|
@ -351,24 +470,32 @@ def test_invalid_within_qualifier():
|
||||||
|
|
||||||
|
|
||||||
def test_startstop_qualifier():
|
def test_startstop_qualifier():
|
||||||
qual = stix2.StartStopQualifier(stix2.TimestampConstant('2016-06-01T00:00:00Z'),
|
qual = stix2.StartStopQualifier(
|
||||||
datetime.datetime(2017, 3, 12, 8, 30, 0))
|
stix2.TimestampConstant('2016-06-01T00:00:00Z'),
|
||||||
|
datetime.datetime(2017, 3, 12, 8, 30, 0),
|
||||||
|
)
|
||||||
assert str(qual) == "START t'2016-06-01T00:00:00Z' STOP t'2017-03-12T08:30:00Z'"
|
assert str(qual) == "START t'2016-06-01T00:00:00Z' STOP t'2017-03-12T08:30:00Z'"
|
||||||
|
|
||||||
qual2 = stix2.StartStopQualifier(datetime.date(2016, 6, 1),
|
qual2 = stix2.StartStopQualifier(
|
||||||
stix2.TimestampConstant('2016-07-01T00:00:00Z'))
|
datetime.date(2016, 6, 1),
|
||||||
|
stix2.TimestampConstant('2016-07-01T00:00:00Z'),
|
||||||
|
)
|
||||||
assert str(qual2) == "START t'2016-06-01T00:00:00Z' STOP t'2016-07-01T00:00:00Z'"
|
assert str(qual2) == "START t'2016-06-01T00:00:00Z' STOP t'2016-07-01T00:00:00Z'"
|
||||||
|
|
||||||
|
|
||||||
def test_invalid_startstop_qualifier():
|
def test_invalid_startstop_qualifier():
|
||||||
with pytest.raises(ValueError) as excinfo:
|
with pytest.raises(ValueError) as excinfo:
|
||||||
stix2.StartStopQualifier('foo',
|
stix2.StartStopQualifier(
|
||||||
stix2.TimestampConstant('2016-06-01T00:00:00Z'))
|
'foo',
|
||||||
|
stix2.TimestampConstant('2016-06-01T00:00:00Z'),
|
||||||
|
)
|
||||||
assert 'is not a valid argument for a Start/Stop Qualifier' in str(excinfo)
|
assert 'is not a valid argument for a Start/Stop Qualifier' in str(excinfo)
|
||||||
|
|
||||||
with pytest.raises(ValueError) as excinfo:
|
with pytest.raises(ValueError) as excinfo:
|
||||||
stix2.StartStopQualifier(datetime.date(2016, 6, 1),
|
stix2.StartStopQualifier(
|
||||||
'foo')
|
datetime.date(2016, 6, 1),
|
||||||
|
'foo',
|
||||||
|
)
|
||||||
assert 'is not a valid argument for a Start/Stop Qualifier' in str(excinfo)
|
assert 'is not a valid argument for a Start/Stop Qualifier' in str(excinfo)
|
||||||
|
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue