From 285afc037310b708ffba70098936d599f5d58df7 Mon Sep 17 00:00:00 2001
From: Paul Coccoli
Date: Fri, 8 Mar 2024 14:49:32 -0500
Subject: [PATCH 1/4] cli/diag: change default timeframe to last 5 minutes

---
 .../src/kestrel_datasource_stixshifter/cli.py | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)

diff --git a/packages/kestrel_datasource_stixshifter/src/kestrel_datasource_stixshifter/cli.py b/packages/kestrel_datasource_stixshifter/src/kestrel_datasource_stixshifter/cli.py
index 3cc90fb5..eee76b4e 100644
--- a/packages/kestrel_datasource_stixshifter/src/kestrel_datasource_stixshifter/cli.py
+++ b/packages/kestrel_datasource_stixshifter/src/kestrel_datasource_stixshifter/cli.py
@@ -6,13 +6,12 @@
 from firepit.timestamp import timefmt
 
 
-def default_patterns(use_now_as_stop_time: bool):
-    start_time = "START t'2000-01-01T00:00:00.000Z'"
-    stop_time = (
-        f"STOP t'{timefmt(datetime.datetime.utcnow())}'"
-        if use_now_as_stop_time
-        else "STOP t'3000-01-01T00:00:00.000Z'"
-    )
+def default_patterns(_use_now_as_stop_time: bool):
+    to_time = datetime.datetime.utcnow()
+    from_time = (to_time - datetime.timedelta(minutes=5)).strftime("%Y-%m-%dT%H:%M:%S.%fZ")
+    to_time = to_time.strftime("%Y-%m-%dT%H:%M:%S.%fZ")
+    start_time = f"START t'{from_time}'"
+    stop_time = f"STOP t'{to_time}'"
     patterns = [
         "[ipv4-addr:value != '255.255.255.255']",
         "[process:pid > 0]",
@@ -45,7 +44,7 @@ def stix_shifter_diag():
     )
     parser.add_argument(
         "--stop-at-now",
-        help="use the current timestamp as the STOP time instead of default year 3000 for default patterns",
+        help="ignored (retained for backwards compatibility)",
         action="store_true",
     )
     parser.add_argument(

From 13264c80efadf19110e144b8ea3bc4b22b001cf3 Mon Sep 17 00:00:00 2001
From: Paul Coccoli
Date: Fri, 8 Mar 2024 14:52:24 -0500
Subject: [PATCH 2/4] cli/diag: use firepit timefmt function

---
 .../src/kestrel_datasource_stixshifter/cli.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

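Review bot: The renamed `_use_now_as_stop_time` parameter is accepted and then ignored, so a caller that still passes `--stop-at-now` silently gets a five-minute window instead of the year-2000-to-now range it asked for, with nothing in the output saying so; this hunk should at least warn, e.g. `if _use_now_as_stop_time: logging.getLogger(__name__).warning("--stop-at-now is ignored; default patterns now cover the last 5 minutes")`. Separately, `datetime.datetime.utcnow()` is deprecated as of Python 3.12 in favour of `datetime.datetime.now(datetime.timezone.utc)`, but the literal `Z` appended by the strftime format assumes a naive UTC value, so the two would need to change together. The body of `default_patterns` continues past the end of the hunk.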
diff --git a/packages/kestrel_datasource_stixshifter/src/kestrel_datasource_stixshifter/cli.py b/packages/kestrel_datasource_stixshifter/src/kestrel_datasource_stixshifter/cli.py
index eee76b4e..3943fd21 100644
--- a/packages/kestrel_datasource_stixshifter/src/kestrel_datasource_stixshifter/cli.py
+++ b/packages/kestrel_datasource_stixshifter/src/kestrel_datasource_stixshifter/cli.py
@@ -8,8 +8,8 @@
 
 def default_patterns(_use_now_as_stop_time: bool):
     to_time = datetime.datetime.utcnow()
-    from_time = (to_time - datetime.timedelta(minutes=5)).strftime("%Y-%m-%dT%H:%M:%S.%fZ")
-    to_time = to_time.strftime("%Y-%m-%dT%H:%M:%S.%fZ")
+    from_time = timefmt(to_time - datetime.timedelta(minutes=5))
+    to_time = timefmt(to_time)
     start_time = f"START t'{from_time}'"
     stop_time = f"STOP t'{to_time}'"
     patterns = [

From a366f35a41deeafd5b5efc875776931fb9e969df Mon Sep 17 00:00:00 2001
From: Paul Coccoli
Date: Fri, 8 Mar 2024 16:05:04 -0500
Subject: [PATCH 3/4] cli/diag: add start/stop/last options

---
 .../src/kestrel_datasource_stixshifter/cli.py | 38 +++++++++++++++----
 .../tests/test_stixshifter_diagnosis.py | 2 +-
 2 files changed, 32 insertions(+), 8 deletions(-)

diff --git a/packages/kestrel_datasource_stixshifter/src/kestrel_datasource_stixshifter/cli.py b/packages/kestrel_datasource_stixshifter/src/kestrel_datasource_stixshifter/cli.py
index 3943fd21..c37fc70a 100644
--- a/packages/kestrel_datasource_stixshifter/src/kestrel_datasource_stixshifter/cli.py
+++ b/packages/kestrel_datasource_stixshifter/src/kestrel_datasource_stixshifter/cli.py
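Review bot: `to_time` is rebound from a `datetime` to the string returned by `timefmt`, so the two added lines read as if the same value were formatted twice and the variable's type changes halfway through the function. Keeping distinct names reads more clearly: `now = datetime.datetime.utcnow()`, `from_time = timefmt(now - datetime.timedelta(minutes=5))`, `to_time = timefmt(now)`. `default_patterns` continues past the end of the hunk.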
@@ -1,17 +1,22 @@
 import argparse
 import datetime
 import logging
+import sys
 from kestrel_datasource_stixshifter.diagnosis import Diagnosis
 from kestrel_datasource_stixshifter.connector import setup_connector_module
 from firepit.timestamp import timefmt
 
 
-def default_patterns(_use_now_as_stop_time: bool):
-    to_time = datetime.datetime.utcnow()
-    from_time = timefmt(to_time - datetime.timedelta(minutes=5))
-    to_time = timefmt(to_time)
-    start_time = f"START t'{from_time}'"
-    stop_time = f"STOP t'{to_time}'"
+def default_patterns(start=None, stop=None, last_minutes=0):
+    if start:
+        start_time = f"START t'{start}'"
+        stop_time = f"STOP t'{stop}'"
+    else:
+        to_time = datetime.datetime.utcnow()
+        from_time = timefmt(to_time - datetime.timedelta(minutes=last_minutes))
+        to_time = timefmt(to_time)
+        start_time = f"START t'{from_time}'"
+        stop_time = f"STOP t'{to_time}'"
     patterns = [
         "[ipv4-addr:value != '255.255.255.255']",
         "[process:pid > 0]",
@@ -47,6 +52,20 @@ def stix_shifter_diag():
         help="ignored (retained for backwards compatibility)",
         action="store_true",
     )
+    parser.add_argument(
+        "--start",
+        help="start time for default pattern search (%Y-%m-%dT%H:%M:%S.%fZ)",
+    )
+    parser.add_argument(
+        "--stop",
+        help="stop time for default pattern search (%Y-%m-%dT%H:%M:%S.%fZ)",
+    )
+    parser.add_argument(
+        "--last-minutes",
+        help="relative timespan for default pattern searches in minutes",
+        default=5,
+        type=int,
+    )
     parser.add_argument(
         "-t",
         "--translate-only",
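Review bot: `start` and `stop` are interpolated verbatim into `START t'{start}'` / `STOP t'{stop}'` with no parsing, so a typo, a value in a different precision, or an embedded quote is not caught here but surfaces later as a pattern-translation or backend error that is hard to tell apart from the connectivity problems this diagnosis tool exists to find. The `else` branch has the mirror-image gap: the `last_minutes=0` default yields a zero-width window and a negative value puts STOP before START, and `if start:` silently drops a `stop` passed on its own. Parsing both strings with the format the CLI help advertises and re-emitting them through `timefmt` (already used for the relative case) gives one normalized form and a clear `ValueError` at the boundary; the sketch below does that, and whether the backends also accept second-precision input without `.%f` is worth confirming against stix-shifter before loosening the format. The `patterns` list that follows is outside the hunk.
```python
def default_patterns(start=None, stop=None, last_minutes=0):
    if start or stop:
        if not (start and stop):
            raise ValueError("start and stop must be given together")
        # validate before the values are embedded in a STIX pattern
        fmt = "%Y-%m-%dT%H:%M:%S.%fZ"
        start_dt = datetime.datetime.strptime(start, fmt)
        stop_dt = datetime.datetime.strptime(stop, fmt)
    else:
        if last_minutes <= 0:
            raise ValueError("last_minutes must be a positive number of minutes")
        stop_dt = datetime.datetime.utcnow()
        start_dt = stop_dt - datetime.timedelta(minutes=last_minutes)
    if start_dt >= stop_dt:
        raise ValueError("start must be earlier than stop")
    start_time = f"START t'{timefmt(start_dt)}'"
    stop_time = f"STOP t'{timefmt(stop_dt)}'"
    # … unchanged: patterns list …
```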
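Review bot: argparse runs every `help` string through `%`-formatting (that is how `%(default)s` expands), so the literal `%Y-%m-%dT%H:%M:%S.%fZ` in the new `--start` and `--stop` help makes `--help` raise a `ValueError` (unsupported format character 'Y') instead of printing usage; each `%` in those two strings must be doubled, `help="start time for default pattern search (%%Y-%%m-%%dT%%H:%%M:%%S.%%fZ)"` and likewise for `--stop`. It would also help to say in the `--last-minutes` help that it is ignored when `--start`/`--stop` are given, since the new `default_patterns` only reads it when `start` is empty. `stix_shifter_diag` begins and ends outside the hunk.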
@@ -67,13 +86,18 @@ def stix_shifter_diag():
     ch.setFormatter(formatter)
     logger.addHandler(ch)
 
+    if (args.start and not args.stop) or (args.stop and not args.start):
+        print("Must specify both --start and --stop for absolute time range; else use --last-minutes", file=sys.stderr)
+        parser.print_usage(sys.stderr)
+        sys.exit(1)
+
     if args.stix_pattern:
         patterns = [args.stix_pattern]
     elif args.pattern_file:
         with open(args.pattern_file) as pf:
             patterns = [pf.read()]
     else:
-        patterns = default_patterns(args.stop_at_now)
+        patterns = default_patterns(args.start, args.stop, args.last_minutes)
 
     diag = Diagnosis(args.datasource)
 
diff --git a/packages/kestrel_datasource_stixshifter/tests/test_stixshifter_diagnosis.py b/packages/kestrel_datasource_stixshifter/tests/test_stixshifter_diagnosis.py
index e406306b..5da98eb9 100644
--- a/packages/kestrel_datasource_stixshifter/tests/test_stixshifter_diagnosis.py
+++ b/packages/kestrel_datasource_stixshifter/tests/test_stixshifter_diagnosis.py
@@ -78,7 +78,7 @@ def test_cli(stixshifter_profile_lab101):
     """
     result = subprocess.run(
-        args=[STIX_SHIFTER_DIAG, "lab101"],
+        args=[STIX_SHIFTER_DIAG, "--start=2000-01-01T00:00:00.000Z", "--stop=3000-01-01T00:00:00.000Z", "lab101"],
         universal_newlines=True,
         stdout=subprocess.PIPE,
     )

From 72cae871d1a7da814df475c892a6cc1f35c6f717 Mon Sep 17 00:00:00 2001
From: Paul Coccoli
Date: Fri, 8 Mar 2024 16:24:34 -0500
Subject: [PATCH 4/4] reformat

---
 .../src/kestrel_datasource_stixshifter/cli.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/packages/kestrel_datasource_stixshifter/src/kestrel_datasource_stixshifter/cli.py b/packages/kestrel_datasource_stixshifter/src/kestrel_datasource_stixshifter/cli.py
index c37fc70a..b4cc2df6 100644
--- a/packages/kestrel_datasource_stixshifter/src/kestrel_datasource_stixshifter/cli.py
+++ b/packages/kestrel_datasource_stixshifter/src/kestrel_datasource_stixshifter/cli.py
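Review bot: The new guard rejects a lone `--start`/`--stop` but accepts `--last-minutes 0` or a negative value, which `default_patterns` turns into an empty or inverted time window; the backend then returns nothing and the run looks like a broken connector rather than a bad argument. Add `if args.last_minutes <= 0: parser.error("--last-minutes must be a positive integer")` beside the existing check, and the print/print_usage/exit trio can itself collapse to `parser.error("Must specify both --start and --stop for absolute time range; else use --last-minutes")`, which writes usage plus the message to stderr and exits with status 2 rather than 1. Note too that `--start`, `--stop` and `--last-minutes` are silently ignored when `--stix-pattern` or `--pattern-file` is given, which is reasonable but deserves a line in their help text. `stix_shifter_diag` begins and ends outside the hunk.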
@@ -87,7 +87,10 @@ def stix_shifter_diag():
     logger.addHandler(ch)
 
     if (args.start and not args.stop) or (args.stop and not args.start):
-        print("Must specify both --start and --stop for absolute time range; else use --last-minutes", file=sys.stderr)
+        print(
+            "Must specify both --start and --stop for absolute time range; else use --last-minutes",
+            file=sys.stderr,
+        )
         parser.print_usage(sys.stderr)
         sys.exit(1)
 