Testing Your Connector


Testing ensures the connector works properly. The stix-shifter developer guide walks you through testing at each step of the development process listed below, with an example command for each.

Translate

Translate STIX patterns to native queries:

python main.py translate dummy query '{}' "[network-traffic:src_port NOT = 37020 AND network-traffic:dst_port != 635] OR [ipv4-addr:value = '333.333.333.0'] OR [url:value = 'www.example.com']" '{"validate_pattern": "true"}'

The validate_pattern option forces validation on the submitted pattern. This check is done before the pattern enters the translation logic. Malformed patterns will throw an error.

 

Translate JSON results to STIX objects:

The identity object represents the data source and is automatically included during the UDI flow but must be manually included when testing in the CLI. The results JSON would normally come from the data source’s results API call, but a test payload must be included for the CLI to test results translation into STIX. 


python main.py translate dummy results '{"type": "identity","id": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff", "name": "DummyAdapter","identity_class": "system"}' '[ { "SourcePort": 1234, "EventCount": 1, "Magnitude": 4, "DestinationIpV4": "0.0.0.0", "SourceIpV4": "9.21.123.112", "DestinationPort": 5678, "UserName": "root", "StartTime": 1540312200111}]' '{"stix_validator": true}'
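
When results-translation tests are scripted, the three JSON payloads are easier to keep intact if the argument list is built in code rather than hand-quoted, because a POSIX shell merges two quoted strings that have no space between them into a single argument. The following is an added example, not code from the stix-shifter project; the helper names results_argv and shell_arg_count are hypothetical, and the payloads are the ones from the command above.

```python
import json
import re
import shlex

# Shape of a STIX identity id: "identity--" followed by a UUID.
IDENTITY_ID = re.compile(
    r"^identity--[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")

def results_argv(module, identity, results, options=None):
    """Build the argv list for `python main.py translate <module> results ...`."""
    if identity.get("type") != "identity" or not IDENTITY_ID.match(str(identity.get("id", ""))):
        raise ValueError("first payload must be a STIX identity object")
    if not isinstance(results, list) or not all(isinstance(r, dict) for r in results):
        raise ValueError("results payload must be a JSON array of objects")
    argv = ["python", "main.py", "translate", module, "results",
            json.dumps(identity), json.dumps(results)]
    if options is not None:
        argv.append(json.dumps(options))
    return argv

def shell_arg_count(command_line):
    """How many arguments a POSIX shell hands to the program for this line."""
    return len(shlex.split(command_line))

# Payloads taken from the results-translation command on this page.
IDENTITY = {"type": "identity",
            "id": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
            "name": "DummyAdapter", "identity_class": "system"}
RESULTS = [{"SourcePort": 1234, "EventCount": 1, "Magnitude": 4,
            "DestinationIpV4": "0.0.0.0", "SourceIpV4": "9.21.123.112",
            "DestinationPort": 5678, "UserName": "root",
            "StartTime": 1540312200111}]

if __name__ == "__main__":
    argv = results_argv("dummy", IDENTITY, RESULTS, {"stix_validator": True})
    # Copy-paste form with each payload quoted as its own argument.
    print(shlex.join(argv))
    # From a stix-shifter checkout, run it without a shell:
    #   subprocess.run(argv, check=True)
    # Constructed command lines: the second lacks the space before the options.
    spaced = "python main.py translate dummy results '{}' '[]' '{\"stix_validator\": true}'"
    merged = "python main.py translate dummy results '{}' '[]''{\"stix_validator\": true}'"
    print(shell_arg_count(spaced), shell_arg_count(merged))
```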
 

Transmit

The transmission commands are ping, query, status, results, delete, and is_async.

python main.py transmit dummy '{"host":"some.fake.address.com", "port":"12345"}' '{"auth":{"username": "some_user_name", "password": "some password"}}' ping

python main.py transmit dummy '{"host":"some.fake.address.com", "port":"12345"}' '{"auth":{"username": "some_user_name", "password": "some password"}}' query "SELECT * FROM tableName"

python main.py transmit dummy '{"host":"some.fake.address.com", "port":"12345"}' '{"auth":{"username": "some_user_name", "password": "some password"}}' status "b5751e36-1699-4d57-9f7e-a020b4f91176"

The page and offset numbers define a range (subset) of the total results returned.

python main.py transmit dummy '{"host":"some.fake.address.com", "port":"12345"}' '{"auth":{"username": "some_user_name", "password": "some password"}}' results "b5751e36-1699-4d57-9f7e-a020b4f91176" 1 3

python main.py transmit dummy '{"host":"some.fake.address.com", "port":"12345"}' '{"auth":{"username": "some_user_name", "password": "some password"}}' delete "b5751e36-1699-4d57-9f7e-a020b4f91176"

python main.py transmit dummy '{"host":"some.fake.address.com", "port":"12345"}' '{"auth":{"username": "some_user_name", "password": "some password"}}' is_async

Execute

The execute command provides a means of testing the entire translation-transmission flow. When execute is called from the CLI, the following happens:

  1. The submitted pattern is first validated and then translated into a native query
  2. The native query is transmitted to the data source
  3. An is_async check is made. If true, a status check is transmitted to see if the query is complete.
  4. Query results are fetched (transmitted) from the data source. This happens right away if the data source is synchronous, otherwise the results are looked up based on the query ID.
  5. The results are translated into a bundle of STIX cyber observable objects.
  6. STIX validation is run on each of the translated objects.
