
Add SubnetMatch query model class and update mozdef-util version

pwnbus committed Sep 19, 2019
1 parent a69da87 commit 81b3596d586d4cf4992590b3705096e49dd3edbe
@@ -125,6 +125,19 @@ Uses a custom query string to generate the "match" based on (Similar to what you
QueryStringMatch('summary: test')
SubnetMatch
^^^^^^^^^^^^^^^^

Checks if an IP field is within the bounds of a subnet

.. code-block:: python
:linenos:
from mozdef_util.query_models import SubnetMatch
SubnetMatch('details.sourceipaddress', '10.1.1.0/24')
Aggregation
^^^^^^^^^^^

@@ -104,3 +104,8 @@ Add is_ip utility function
------------------

* Added ElasticsearchClient.get_open_indices()

3.0.4 (2019-09-19)
------------------

* Added SubnetMatch query model
@@ -7,6 +7,7 @@
from .range_match import RangeMatch
from .search_query import SearchQuery
from .simple_results import SimpleResults
from .subnet_match import SubnetMatch
from .term_match import TermMatch
from .terms_match import TermsMatch
from .wildcard_match import WildcardMatch
@@ -0,0 +1,16 @@
#!/usr/bin/env python

# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at https://mozilla.org/MPL/2.0/.
# Copyright (c) 2017 Mozilla Corporation


import ipaddress
from .query_string_match import QueryStringMatch


def SubnetMatch(key, value):
ips = [str(ip) for ip in ipaddress.IPv4Network(value)]
subnet_str = "{0}: [{1} TO {2}]".format(key, ips[0], ips[-1])
return QueryStringMatch(subnet_str)
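Review bot: The `ips = [str(ip) for ip in ipaddress.IPv4Network(value)]` line materializes a string for every address in the prefix only to read the first and last, so a `/8` allocates about 16 million strings and a `/0` is effectively a hang; the network object already exposes both bounds, so the two lines can become `net = ipaddress.ip_network(value)` and `subnet_str = "{0}: [{1} TO {2}]".format(key, net.network_address, net.broadcast_address)`, which yields the identical query for IPv4 (iteration of an `IPv4Network` includes the network and broadcast addresses, so `ips[0]`/`ips[-1]` are exactly those two). `ip_network` also accepts IPv6 prefixes, which `IPv4Network` rejects outright, though whether the `[lo TO hi]` range is then evaluated numerically rather than lexicographically depends on the Elasticsearch field being mapped as `ip` rather than `keyword` — I can't see the mapping from here, so that is worth a caveat in the docstring. Note too that `ip_network`/`IPv4Network` are strict by default, so a value with host bits set such as `'10.1.1.5/24'` raises `ValueError` before any query is built; either document that callers must pass a network address or pass `strict=False` if host addresses are expected. The function has no docstring; a one-liner such as `"""Return a QueryStringMatch selecting documents whose `key` IP field lies in CIDR `value` (inclusive range)."""` would make the contract explicit.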
@@ -58,6 +58,6 @@
test_suite='tests',
tests_require=[],
url='https://github.com/mozilla/MozDef/tree/master/lib',
version='3.0.3',
version='3.0.4',
zip_safe=False,
)
@@ -30,7 +30,7 @@ jmespath==0.9.3
kombu==4.1.0
meld3==1.0.2
mozdef-client==1.0.11
mozdef-util==3.0.3
mozdef-util==3.0.4
netaddr==0.7.19
nose==1.3.7
oauth2client==1.4.12
@@ -0,0 +1,61 @@
from .positive_test_suite import PositiveTestSuite
from .negative_test_suite import NegativeTestSuite

from mozdef_util.query_models import SubnetMatch


class TestSubnetMatchPositiveTestSuite(PositiveTestSuite):
def query_tests(self):
tests = [
[
SubnetMatch('details.sourceipaddress', '10.1.1.0/24'), [
{
'details': {
'sourceipaddress': '10.1.1.1'
}
},
{
'details': {
'sourceipaddress': '10.1.1.200'
}
},
{
'details': {
'sourceipaddress': '10.1.1.255'
}
},
],
],
]
return tests


class TestSubnetMatchNegativeTestSuite(NegativeTestSuite):
def query_tests(self):
tests = [
[
SubnetMatch('details.sourceipaddress', '10.1.2.0/24'), [
{
'details': {
'sourceipaddress': '10.1.1.1'
}
},
{
'details': {
'sourceipaddress': '10.1.1.200'
}
},
{
'details': {
'sourceipaddress': '10.1.1.255'
}
},
{
'details': {
'sourceipaddress': '8.1.1.2'
}
},
],
],
]
return tests
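Review bot: Neither suite checks the edges of the matched range, so an off-by-one in the generated `[lo TO hi]` bounds would pass these tests: the positive list for `10.1.1.0/24` omits the network address itself, and the negative suite queries a different prefix (`10.1.2.0/24`) against addresses that are nowhere near its boundary. Adding `{'details': {'sourceipaddress': '10.1.1.0'}}` to the positive list, and a negative case that queries the same `10.1.1.0/24` against the adjacent addresses `'10.1.0.255'` and `'10.1.2.0'`, would pin both bounds as inclusive. A case with an address that sorts differently as a string than as an integer, e.g. `'10.1.1.3'` in the positive list, would also catch the field being compared lexicographically if the index maps it as `keyword` rather than `ip` — I can't confirm the mapping from this change alone.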
