{ "info": { "author": "The MITRE Corporation", "author_email": "hfoster@mitre.org", "bugtrack_url": null, "classifiers": [ "Development Status :: 3 - Alpha", "Intended Audience :: Developers", "License :: OSI Approved :: Apache Software License", "Programming Language :: Python :: 3", "Programming Language :: Python :: 3.5", "Programming Language :: Python :: 3.6", "Topic :: Security" ], "description": "stix-pattern-translator\n========================\n\n\nThis repository contains a prototype analytic translator that converts `STIX2 Patterning`_\nqueries into other query languages, currently ElasticSearch and Splunk. In addition to translating\nquery syntax, the translator will also translate from STIX 2's Data Model to other target data models,\ncurrently MITRE's `Cyber Analytic Repository (CAR)`_ and Splunk's `Common Information Model (CIM)`_.\nBoth the query language translation and the data model translation are implemented as loosely-coupled\nmodules and other targets can be added simply by implementing new modules to generate them.\n\nThis functionality was originally developed for MITRE's CASCADE_ project.\nThis repository offers CASCADE's translation capability as a standalone feature,\nand replaces CASCADE's own domain-specific language (DSL) with STIX 2.0 Patterning.\n\n.. _`STIX2 Patterning`: http://docs.oasis-open.org/cti/stix/v2.0/stix-v2.0-part5-stix-patterning.html\n.. _`Cyber Analytic Repository (CAR)`: https://car.mitre.org/wiki/Data_Model\n.. _`Common Information Model (CIM)`: http://docs.splunk.com/Documentation/CIM/4.9.0/User/Overview\n.. _CASCADE: https://github.com/mitre/cascade-server\n\nRequirements\n------------\n\n- `Python `__ 3.5 or 3.6\n- ANTLR grammar runtime (4.7 or newer):\n\n - `antlr4-python3-runtime `__\n (Python 3)\n\n - `python-dateutil `__ (Python 3.3)\n\nOptionally, the Web API requires:\n\n- `Flask `__ (Python 3.3)\n\n\nInstallation\n---------------\n\nInstall with `pip `__:\n\n.. code:: bash\n\n $ pip install stix-pattern-translator\n\nOptionally, to use the Web API, install with `pip `__:\n\n.. code:: bash\n\n $ pip install stix-pattern-translator[web]\n\nNote: if you are doing development, make sure to install the development dependencies with:\n\n.. code:: bash\n\n $ pip install stix-pattern-translator[dev]\n\nUsage\n-----\n\nThe STIX Analytic Translator provides an executable script (`translate-pattern`), a simple web API provided as a Flask application, and Python translation\nmethod (`stix2patterns_translator.translate`).\n\nFrom Python Code\n~~~~~~~~~~~~~~~~\n\n.. code:: python\n\n from stix2patterns_translator.translator import *\n\n translate(\"[file:hashes.MD5 = '79054025255fb1a26e4bc422aef54eb4']\", SearchPlatforms.ELASTIC, DataModels.CAR)\n\nCommand Line\n~~~~~~~~~~~~\n\nUse the command `translate-stix-pattern`, passing in the desired output language, data taxonomy, and STIX2 pattern:\n\n.. code:: bash\n\n $ translate-stix-pattern --output-language=elastic --output-data-model=car \"[file:hashes.MD5 = '79054025255fb1a26e4bc422aef54eb4']\"\n\nWeb API\n~~~~~~~\n\nThe web API is provided as a Flask server that accepts the STIX pattern as input and returns the translated pattern. The path determines the output\nsearch platform and data taxonomy. To run the web server, install the 'web' extras (flask).\n\n.. code:: bash\n\n $ pip install stix-pattern-translator[web]\n\nThe server can be run directly from the source code, via a command line script, or by importing the code into an existing application. The easiest way to\ntest it is via the command line script:\n\n.. code:: bash\n\n $ pattern-translator-server\n\nWith the server running, use a command-line to send and receive from Flask instance, either locally or across a network.\nAs the below example shows, using cURL to send a POST with JSON generates results back to the calling shell:\n\n.. code:: bash\n\n $ curl -X POST -H \"Content-Type: text/plain\" -d \"[process:pid <= 5]\" http://localhost:5000/car-elastic\n\nThat yields:\n\n.. code:: bash\n\n data_model.object:\"process\" AND data_model.action:\"*\" AND (\n data_model.fields.pid:<=5\n )\n\nTesting\n-------\n\nPytest integration tests are auto generated from input patterns pulled from files in test/input_files. Input files are named by test type,\ne.g. \"md5_hash.json\" and contain json with input pattern (key = stix-input) and expected results, where the key is -\nand the value is the expected result:\n\n.. code:: json\n\n {\n \"stix-input\":\"[file:hashes.MD5 ='79054025255fb1a26e4bc422aef54eb4']\",\n \"car-elastic\":\"data_model.object:\\\"file\\\" AND data_model.action:\\\"*\\\" AND (data_model.fields.md5_hash:\\\"79054025255fb1a26e4bc422aef54eb4\\\")\",\n \"car-splunk\":\"match(tag, \\\"dm-file-.*\\\") md5_hash=\\\"79054025255fb1a26e4bc422aef54eb4\\\"\",\n \"cim-elastic\": null,\n \"cim-splunk\":null\n }\n\nExpected result can either be a string, which tests for success and a match of that string, or null, which tests for error.\nAs usual, the tests can be run by running pytest:\n\n.. code:: bash\n\n pytest\n\nTests can also be run that push events to Splunk/Elastic and then making sure the correct events match. They use the same input files, but require a few\nadditional keys. The \"matches\" key should contain a dictionary with a set of keys for each data model (currently just \"CAR\"). That dictionary then contains\na list of events that should match the pattern. The \"nonmatches\" key is identical, but obviously will be tested to make sure they don't match.\nRunning the live integration tests requires starting docker:\n\n.. code:: bash\n\n docker-compose -f test.docker-compose.yml up\n\nThey can then be run via pytest, by calling the test directly:\n\n.. code:: bash\n\n pytest test/integration_tests.py\n\n\n", "description_content_type": "", "docs_url": null, "download_url": "", "downloads": { "last_day": -1, "last_month": -1, "last_week": -1 }, "home_page": "https://github.com/mitre/stix2patterns_translator", "keywords": "stix cybersecurity analytics", "license": "Apache License 2.0", "maintainer": "", "maintainer_email": "", "name": "stix-pattern-translator", "package_url": "https://pypi.org/project/stix-pattern-translator/", "platform": "", "project_url": "https://pypi.org/project/stix-pattern-translator/", "project_urls": { "Homepage": "https://github.com/mitre/stix2patterns_translator" }, "release_url": "https://pypi.org/project/stix-pattern-translator/0.2.0/", "requires_dist": [ "antlr4-python3-runtime", "python-dateutil", "pytest; extra == 'dev'", "tox; extra == 'dev'", "flask; extra == 'dev'", "requests; extra == 'dev'", "flask; extra == 'web'" ], "requires_python": "", "summary": "A translator to convert STIX2 patterns into other search platforms (e.g., ElasticSearch) and data models (e.g., CIM)", "version": "0.2.0" }, "last_serial": 4190597, "releases": { "0.1.0": [ { "comment_text": "", "digests": { "md5": "78596e5a31b8a2d8a29926e215a54702", "sha256": "6b640b8db74a7b7c73f68169520e5fcc77b808d3ab9f6a4f6ee804baca1c684f" }, "downloads": -1, "filename": "stix_pattern_translator-0.1.0-py3-none-any.whl", "has_sig": false, "md5_digest": "78596e5a31b8a2d8a29926e215a54702", "packagetype": "bdist_wheel", "python_version": "py3", "requires_python": null, "size": 75033, "upload_time": "2017-10-11T19:17:06", "url": "https://files.pythonhosted.org/packages/0a/d6/e5baae2288e64eba27df31f71e3e7878cd1c0058fd984fffc4d035ab9ae9/stix_pattern_translator-0.1.0-py3-none-any.whl" } ], "0.2.0": [ { "comment_text": "", "digests": { "md5": "76d593ca19e37ac78ebbb530f428345a", "sha256": "509488db558b8fb22663e732b3b580d717684a876ffb004fc955c3b182aadec8" }, "downloads": -1, "filename": "stix_pattern_translator-0.2.0-py3-none-any.whl", "has_sig": false, "md5_digest": "76d593ca19e37ac78ebbb530f428345a", "packagetype": "bdist_wheel", "python_version": "py3", "requires_python": null, "size": 42510, "upload_time": "2018-08-21T01:18:17", "url": "https://files.pythonhosted.org/packages/5f/7c/e4de3fe1a7cf2215bc6b64e1d0639060e178fec971981335eaa7031d4665/stix_pattern_translator-0.2.0-py3-none-any.whl" } ] }, "urls": [ { "comment_text": "", "digests": { "md5": "76d593ca19e37ac78ebbb530f428345a", "sha256": "509488db558b8fb22663e732b3b580d717684a876ffb004fc955c3b182aadec8" }, "downloads": -1, "filename": "stix_pattern_translator-0.2.0-py3-none-any.whl", "has_sig": false, "md5_digest": "76d593ca19e37ac78ebbb530f428345a", "packagetype": "bdist_wheel", "python_version": "py3", "requires_python": null, "size": 42510, "upload_time": "2018-08-21T01:18:17", "url": "https://files.pythonhosted.org/packages/5f/7c/e4de3fe1a7cf2215bc6b64e1d0639060e178fec971981335eaa7031d4665/stix_pattern_translator-0.2.0-py3-none-any.whl" } ] }