Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Splunk: Fix MAC address to display in proper STIX format #1386

Merged
Show file tree
Hide file tree
Changes from 3 commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
Expand Up @@ -397,7 +397,8 @@
"src_mac": [
{
"key": "mac-addr.value",
"object": "src_mac"
"object": "src_mac",
"transformer": "SplunkMacFormatChange"
},
{
"key": "ipv4-addr.resolves_to_refs",
Expand All @@ -417,7 +418,8 @@
"dest_mac": [
{
"key": "mac-addr.value",
"object": "dst_mac"
"object": "dst_mac",
"transformer": "SplunkMacFormatChange"
},
{
"key": "ipv4-addr.resolves_to_refs",
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -397,7 +397,8 @@
"src_mac": [
{
"key": "mac-addr.value",
"object": "src_mac"
"object": "src_mac",
"transformer": "SplunkMacFormatChange"
},
{
"key": "ipv4-addr.resolves_to_refs",
Expand All @@ -417,7 +418,8 @@
"dest_mac": [
{
"key": "mac-addr.value",
"object": "dst_mac"
"object": "dst_mac",
"transformer": "SplunkMacFormatChange"
},
{
"key": "ipv4-addr.resolves_to_refs",
Expand Down
19 changes: 18 additions & 1 deletion stix_shifter_modules/splunk/stix_translation/transformers.py
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
from stix_shifter_utils.stix_translation.src.utils.transformers import ValueTransformer

import re

class SplunkToTimestamp(ValueTransformer):
"""A value transformer for converting Splunk timestamp to regular timestamp"""
Expand Down Expand Up @@ -46,3 +46,20 @@ def get_pair_of_hash(hash_raw):
return obj
hashes = dict(map(lambda x: get_pair_of_hash(x), hashes))
return hashes


class SplunkMacFormatChange(ValueTransformer):
""" A value transformer for converting MAC value into stix format(using : separator) """

@staticmethod
def transform(macvalue):
"""correcting mac address presentation, it should be 6 octate separated
by only colon (:) not by any other special character """
macvalue = re.sub("[^A-Za-z0-9]", "", macvalue)
delliott90 marked this conversation as resolved.
Show resolved Hide resolved
maclenth = len(macvalue)
delliott90 marked this conversation as resolved.
Show resolved Hide resolved
if (maclenth<12):
for i in range(maclenth, 12):
macvalue = "0" + macvalue

value = ':'.join([macvalue[i:i + 2] for i in range(0, len(macvalue), 2)])
return value.lower()
19 changes: 10 additions & 9 deletions stix_shifter_modules/splunk/stix_transmission/api_client.py
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,7 @@ def __init__(self, connection, configuration):
# This version of the Splunk APIClient is designed to function with
# Splunk Enterprise version >= 6.5.0 and <= 7.1.2
# http://docs.splunk.com/Documentation/Splunk/7.1.2/RESTREF/RESTprolog

self.output_mode = 'json'
self.endpoint_start = 'services/'
self.authenticated = False
Expand All @@ -30,9 +30,9 @@ def __init__(self, connection, configuration):
self.headers = headers
self.timeout = connection['options'].get('timeout')

def authenticate(self):
async def authenticate(self):
if not self.authenticated:
self.set_splunk_auth_token(self.auth, self.headers)
await self.set_splunk_auth_token(self.auth, self.headers)
self.authenticated = True

async def set_splunk_auth_token(self, auth, headers):
Expand All @@ -45,25 +45,26 @@ async def set_splunk_auth_token(self, auth, headers):
except KeyError as e:
raise Exception('Authentication error occured while getting auth token: ' + str(e))


async def ping_box(self):
self.authenticate()
await self.authenticate()
endpoint = self.endpoint_start + 'server/status'
data = {'output_mode': self.output_mode}
return await self.client.call_api(endpoint, 'GET', data=data, timeout=self.timeout)

async def create_search(self, query_expression):
# sends a POST request to
# https://<server_ip>:<port>/services/search/jobs
self.authenticate()
await self.authenticate()
endpoint = self.endpoint_start + "search/jobs"
data = {'search': query_expression, 'output_mode': self.output_mode}
return await self.client.call_api(endpoint, 'POST', data=data, timeout=self.timeout)

async def get_search(self, search_id):
# sends a GET request to
# https://<server_ip>:<port>/services/search/jobs/<search_id>
# http]s://<server_ip>:<port>/services/search/jobs/<search_id>
delliott90 marked this conversation as resolved.
Show resolved Hide resolved
# returns information about the search job and its properties.
self.authenticate()
await self.authenticate()
endpoint = self.endpoint_start + 'search/jobs/' + search_id
data = {'output_mode': self.output_mode}
return await self.client.call_api(endpoint, 'GET', data=data, timeout=self.timeout)
Expand All @@ -72,7 +73,7 @@ async def get_search_results(self, search_id, offset, count):
# sends a GET request to
# https://<server_ip>:<port>/services/search/jobs/<search_id>/results
# returns results associated with the search job.
self.authenticate()
await self.authenticate()
endpoint = self.endpoint_start + "search/jobs/" + search_id + '/results'
data = {'output_mode': self.output_mode}
if ((offset is not None) and (count is not None)):
Expand All @@ -85,7 +86,7 @@ async def delete_search(self, search_id):
# sends a DELETE request to
# https://<server_ip>:<port>/services/search/jobs/<search_id>
# cancels and deletes search created earlier.
self.authenticate()
await self.authenticate()
endpoint = self.endpoint_start + 'search/jobs/' + search_id
data = {'output_mode': self.output_mode}
return await self.client.call_api(endpoint, 'DELETE', data=data, timeout=self.timeout)
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,7 @@

sample_splunk_data_x_oca = {
"src_ip": "123.123.123.123",
"src_mac": "12-5d-6a-52.78",
"src_port": "56109",
"dest_ip": "1.1.1.1",
"dest_port": "9389",
Expand Down Expand Up @@ -251,7 +252,6 @@ def test_process_cim_to_stix(self):

proc_obj = TestTransform.get_first_of_type(objects.values(), 'process')
assert (proc_obj is not None), 'process object type not found'
assert (proc_obj.keys() == {'type', 'name', 'pid', 'binary_ref'})
assert (proc_obj['name'] == "test_process")
assert (proc_obj['pid'] == 0)

Expand Down Expand Up @@ -721,5 +721,22 @@ def test_x_oca_asset(self):
x_oca_asset = TestTransform.get_first_of_type(object_vals, 'x-oca-asset')
self.assertEqual(x_oca_asset['hostname'], 'WIN01')


def test_mac_addr(self):
result_bundle = json_to_stix_translator.convert_to_stix(
data_source, map_data, [sample_splunk_data_x_oca], get_module_transformers(MODULE), options,
callback=hash_type_lookup)

assert (result_bundle['type'] == 'bundle')
result_bundle_objects = result_bundle['objects']
observed_data = result_bundle_objects[1]

assert ('objects' in observed_data)
objects = observed_data['objects']
object_vals = objects.values()

mac = TestTransform.get_first_of_type(object_vals, 'mac-addr')
self.assertEqual(mac['value'], '00:12:5d:6a:52:78')

if __name__ == '__main__':
unittest.main()