cti-pattern-matcher icon indicating copy to clipboard operation
cti-pattern-matcher copied to clipboard
verified publisher icon oasis-open

Matching re-occuring value within patterns

Open muellpanda opened this issue 6 years ago • 3 comments

We propose a solution to evaluate our so called inter-observable patterns described in Issue #57. I will try to describe what our code changes do:

  • [1772-1782]: Since variables to describe inter-observables can only be defined within regular expressions, we adjusted the exitPropTestRegex-function. Whenever a regex containing a variable is successfully matched against an Observable object, we store the variable name, Observable ID and actual value the variable matched on in a nested dictionary (interobs_group_matches). Example: we have the pattern [file:name MATCHES '(?P<var>[a-z]{3})], a File-Observable with filename 'foo' and one with filename 'bar'. interobs_group_matches will look like this: {'var': {0: ['foo'], 1: ['bar']}}.
  • [2147-2151]: We need to run our checks on all found bindings. Up to this point the actual matching process is unaltered and only those bindings are considered further which fulfill a pattern ignoring any variables.
  • [2190-2209]: Check if any variables were matched, i.e. values exists within the dictionary. If not, return SDOs for bindings (original behaviour). If there are values, iterate over all found bindings. For each binding, only consider the relevant SDOs, i.e. create a copy of interobs_group_matches and remove all values of irrelevant SDOs. Then run the checks on this copy. If a check returns false, remove the current binding from found_bindings -- it does not fulfill the inter-observable pattern.
  • [2165-2189]: The actual checks. If only one SDO is present, it is considered an invalid match if a variable matched on more than one unique value. When multiple SDOs are present, we look for intersections between the values for each variable; if no intersection exist, the variable did not match on the same values for these SDOs.

Our changes to the code are as transparent as possible to the original functionality of the matcher. We also added a small test to evaluate the functionality of inter-observable patterns.

muellpanda avatar Jun 17 '19 13:06 muellpanda

Codecov Report

Merging #58 into master will increase coverage by 0.52%. The diff coverage is 98.33%.

Impacted file tree graph

@@            Coverage Diff             @@
##           master      #58      +/-   ##
==========================================
+ Coverage   89.43%   89.95%   +0.52%     
==========================================
  Files          13       14       +1     
  Lines         937      996      +59     
==========================================
+ Hits          838      896      +58     
- Misses         99      100       +1
Impacted Files Coverage Δ
stix2matcher/test/test_inter_observable_expr.py 100% <100%> (ø)
stix2matcher/matcher.py 87.62% <98.11%> (+0.71%) :arrow_up:

Continue to review full report at Codecov.

Legend - Click here to learn more Δ = absolute <relative> (impact), ø = not affected, ? = missing data Powered by Codecov. Last update fbe7b50...9becc8e. Read the comment docs.

codecov-io avatar Jun 17 '19 14:06 codecov-io

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.

CLAassistant avatar Apr 15 '21 16:04 CLAassistant

@muellpanda would you please resolve the conflicts. we would like to verify the changes and see if this can be merged

mdazam1942 avatar Mar 16 '22 18:03 mdazam1942