Use of org.apache.metron.stellar.dsl.MapVariableResolver in the project metron by apache.
The class StellarTransformation, method map.
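/**
 * Evaluates each configured Stellar statement in order and returns the requested output fields.
 * <p>Statements run in the iteration order of {@code fieldMappingConfig} (a {@code LinkedHashMap}),
 * so a later statement may refer to a field produced by an earlier one. A statement whose name is
 * listed in {@code outputField} writes into the returned map (even when its result is null);
 * any other statement is kept as an intermediate variable, or dropped again when it evaluates to null.
 *
 * @param input              the message fields the expressions may read
 * @param outputField        names of the statements whose results are returned
 * @param fieldMappingConfig statement name to Stellar expression (converted via {@code toString()})
 * @param context            the Stellar context passed to the processor
 * @param sensorConfig       further maps added to the resolver as additional variable sources
 * @return the output fields produced by the transformation (never null, possibly empty)
 * @throws IllegalStateException if a statement fails to evaluate; the cause is preserved
 */
@Override
public Map<String, Object> map(Map<String, Object> input, List<String> outputField, LinkedHashMap<String, Object> fieldMappingConfig, Context context, Map<String, Object>... sensorConfig) {
  Map<String, Object> ret = new HashMap<>();
  Map<String, Object> intermediateVariables = new HashMap<>();
  Set<String> outputs = new HashSet<>(outputField);
  MapVariableResolver resolver = new MapVariableResolver(ret, intermediateVariables, input);
  resolver.add(sensorConfig);
  StellarProcessor processor = new StellarProcessor();
  for (Map.Entry<String, Object> kv : fieldMappingConfig.entrySet()) {
    String oField = kv.getKey();
    Object transformObj = kv.getValue();
    if (transformObj == null) {
      // no expression configured for this field: nothing to evaluate
      continue;
    }
    String expression = transformObj.toString();
    Object o;
    try {
      o = processor.parse(expression, resolver, StellarFunctions.FUNCTION_RESOLVER(), context);
    } catch (Exception ex) {
      throw new IllegalStateException("Unable to process transformation: " + expression + " for " + oField + " because " + ex.getMessage(), ex);
    }
    if (outputs.contains(oField)) {
      // output fields are written unconditionally, including an explicit null result
      ret.put(oField, o);
    } else if (o != null) {
      intermediateVariables.put(oField, o);
    }
    if (o == null) {
      // a null result clears any earlier value of the same name so later statements don't see it
      intermediateVariables.remove(oField);
    }
  }
  return ret;
}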
Use of org.apache.metron.stellar.dsl.MapVariableResolver in the project metron by apache.
The class FixedPcapFilter, method test.
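/**
 * Tests whether a packet passes this filter.
 * <p>When {@code doHeaderFiltering} is set, the packet's address/port/protocol fields are checked
 * first and a non-matching packet is rejected. A packet that passes (or when header filtering is
 * off) is then matched against {@code packetFilter} if one is configured; otherwise it is accepted.
 *
 * @param pi the packet to test
 * @return {@code true} if the packet passes the configured header and payload filters
 * @throws IllegalStateException if the binary payload filter cannot be evaluated
 */
@Override
public boolean test(PacketInfo pi) {
  Map<String, Object> fields = packetToFields(pi);
  VariableResolver resolver = new MapVariableResolver(fields);
  String srcAddrIn = (String) resolver.resolve(Constants.Fields.SRC_ADDR.getName());
  Integer srcPortIn = (Integer) resolver.resolve(Constants.Fields.SRC_PORT.getName());
  String dstAddrIn = (String) resolver.resolve(Constants.Fields.DST_ADDR.getName());
  Integer dstPortIn = (Integer) resolver.resolve(Constants.Fields.DST_PORT.getName());
  // concatenation rather than a cast: tolerates a non-String or null protocol value
  String protocolIn = "" + resolver.resolve(Constants.Fields.PROTOCOL.getName());
  if (doHeaderFiltering && !testHeader(srcAddrIn, srcPortIn, dstAddrIn, dstPortIn, protocolIn)) {
    // header filtering is on and the packet did not match it
    return false;
  }
  if (packetFilter == null) {
    // no payload filter configured; header filtering (if any) has already passed
    return true;
  }
  byte[] data = (byte[]) resolver.resolve(PcapHelper.PacketFields.PACKET_DATA.getName());
  try {
    return ByteArrayMatchingUtil.INSTANCE.match(packetFilter, data);
  } catch (ExecutionException e) {
    // NOTE(review): the entire payload is hex-encoded into the message; if this surfaces in logs,
    // consider truncating it.
    throw new IllegalStateException("Unable to perform binary filter: " + packetFilter + " on " + DatatypeConverter.printHexBinary(data), e);
  }
}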
Use of org.apache.metron.stellar.dsl.MapVariableResolver in the project metron by apache.
The class QueryPcapFilter, method test.
/**
 * Evaluates the configured Stellar predicate over the packet's fields.
 *
 * @param input the packet to test
 * @return the boolean result of {@code queryString} evaluated against the packet fields
 */
@Override
public boolean test(PacketInfo input) {
  VariableResolver packetVariables = new MapVariableResolver(packetToFields(input));
  // the predicate is evaluated with an empty context: only packet fields and built-in functions are visible
  return predicateProcessor.parse(queryString, packetVariables, StellarFunctions.FUNCTION_RESOLVER(), Context.EMPTY_CONTEXT());
}
Use of org.apache.metron.stellar.dsl.MapVariableResolver in the project metron by apache.
The class ThreatTriageProcessor, method apply.
/**
 * Scores a message against the configured risk-level rules.
 * <p>Every rule whose Stellar predicate matches contributes a {@link RuleScore} (with its reason
 * expression evaluated); the scores of the fired rules are then folded into a single aggregate
 * using the configured aggregator.
 *
 * @param input the message fields the rule predicates may read
 * @return the per-rule scores plus the aggregated score
 */
@Nullable
@Override
public ThreatScore apply(@Nullable Map input) {
  StellarPredicateProcessor predicateProcessor = new StellarPredicateProcessor();
  StellarProcessor processor = new StellarProcessor();
  // NOTE(review): input is annotated @Nullable; how MapVariableResolver treats a null map is not visible here — confirm.
  VariableResolver resolver = new MapVariableResolver(input, sensorConfig.getConfiguration(), threatIntelConfig.getConfig());
  ThreatScore threatScore = new ThreatScore();
  for (RiskLevelRule rule : threatTriageConfig.getRiskLevelRules()) {
    boolean fired = predicateProcessor.parse(rule.getRule(), resolver, functionResolver, context);
    if (!fired) {
      continue;
    }
    // the rule matched: evaluate its reason expression and record the hit
    String reason = execute(rule.getReason(), processor, resolver, String.class);
    threatScore.addRuleScore(new RuleScore(rule, reason));
  }
  // collect the scores of the fired rules and aggregate them
  List<Number> firedScores = threatScore.getRuleScores()
      .stream()
      .map(ruleScore -> ruleScore.getRule().getScore())
      .collect(Collectors.toList());
  Aggregators aggregators = threatTriageConfig.getAggregator();
  Double aggregate = aggregators.aggregate(firedScores, threatTriageConfig.getAggregationConfig());
  threatScore.setScore(aggregate);
  return threatScore;
}
Use of org.apache.metron.stellar.dsl.MapVariableResolver in the project metron by apache.
The class DefaultStellarShellExecutor, method executeStellar.
/**
 * Executes a Stellar expression against the executor's current variables.
 * <p>Any failure — including an {@link Error}, since {@code Throwable} is caught — is captured and
 * returned as an error result rather than propagated to the caller.
 *
 * @param expression The expression to execute.
 * @return a success result holding the expression's value, or an error result wrapping the failure
 */
private StellarResult executeStellar(String expression) {
  try {
    VariableResolver variables = new MapVariableResolver(getVariables());
    StellarProcessor processor = new StellarProcessor();
    Object value = processor.parse(expression, variables, functionResolver, context);
    return success(value);
  } catch (Throwable failure) {
    // Throwable (not just Exception) is caught here — presumably so a bad expression cannot abort the shell; confirm.
    return error(failure);
  }
}