Merge pull request #31 from UncoderIO/spl-keywords-improvements

spl keywords improvements, refactoring

Author: saltar-ua

translator/.gitignore

@@ -197,7 +197,3 @@ test_data
 
 # backup_logs
 .backup_logs
-
-# sigmac tests stuff
-tactics.json
-techniques.json

…-converter/app/dictionaries/tactics.json translator/app/dictionaries/tactics.jsonsiem-converter/app/dictionaries/tactics.json renamed to translator/app/dictionaries/tactics.json siem-converter/app/dictionaries/tactics.json renamed to translator/app/dictionaries/tactics.json

@@ -43,35 +43,34 @@ def tokenize(self, query: str) -> List[Union[Field, Keyword, Identifier]]:
 
 
 class QueryTokenizer(BaseTokenizer):
-    field_pattern = r"(?P<field_name>[a-zA-Z\._\-]+)"
-    operator_pattern = r"\s?(?P<operator>and|or|not|AND|OR|NOT)\s?"
-    field_value_pattern = r"""^___field___\s*___match_operator___\s*___value___"""
-    match_operator_pattern = r"""(?:___field___\s?(?P<match_operator>ilike|contains|endswith|startswith|in|>=|<=|==|>|<|=~|!=|=|:|\:))\s?"""
+    single_value_operators_map: dict[str, str] = {}  # used to generate re pattern. so the keys order is important
+    multi_value_operators_map: dict[str, str] = {}  # used to generate re pattern. so the keys order is important
+    operators_map: dict[str, str] = {}  # used to generate re pattern. so the keys order is important
+
+    logical_operator_pattern = r"\s?(?P<logical_operator>and|or|not|AND|OR|NOT)\s?"
+    field_value_pattern = r"""^___field___\s*___operator___\s*___value___"""
     base_value_pattern = r"(?:___value_pattern___)"
-    _value_pattern = r"""(?:\"|\')*(?P<value>[:a-zA-Z\*0-9=+%#\-_\/\\'\,.&^@!\(\s]*)(?:\*|\'|\"|\s|\$)*"""
-    value_pattern = base_value_pattern.replace('___value_pattern___', _value_pattern)
-    multi_value_pattern = r"""\((?P<value>[:a-zA-Z\"\*0-9=+%#\-_\/\\'\,.&^@!\(\s]*)\)"""
-    keyword_pattern = None  # do not modify, use subclasses to define this attribute
 
-    multi_value_operators = tuple()
+    # do not modify, use subclasses to define this attribute
+    field_pattern: str = None
+    _value_pattern: str = None
+    value_pattern: str = None
+    multi_value_pattern: str = None
+    keyword_pattern: str = None
+
     multi_value_delimiter = ","
     wildcard_symbol = None
 
-    operators_map = {
-        "=": OperatorType.EQ,
-        "in": OperatorType.EQ,
-        "<": OperatorType.LT,
-        "<=": OperatorType.LTE,
-        ">": OperatorType.GT,
-        ">=": OperatorType.GTE,
-        "!=": OperatorType.NEQ,
-        "contains": OperatorType.CONTAINS,
-        "startswith": OperatorType.STARTSWITH,
-        "endswith": OperatorType.ENDSWITH
-    }
-
     def __init_subclass__(cls, **kwargs):
+        cls._validate_re_patterns()
         cls.value_pattern = cls.base_value_pattern.replace('___value_pattern___', cls._value_pattern)
+        cls.operators_map = {**cls.single_value_operators_map, **cls.multi_value_operators_map}
+        cls.operator_pattern = fr"""(?:___field___\s*(?P<operator>(?:{'|'.join(cls.operators_map)})))\s*"""
+
+    @classmethod
+    def _validate_re_patterns(cls):
+        if not all([cls.field_pattern, cls._value_pattern]):
+            raise ValueError(f"{cls.__name__} re patterns must be set")
 
     def map_operator(self, operator: str) -> str:
         try:
@@ -89,16 +88,16 @@ def search_field(self, query):
     def escape_field_name(self, field_name):
         return field_name.replace(".", r"\.")
 
-    def search_match_operator(self, query, field_name) -> str:
+    def search_operator(self, query, field_name) -> str:
         field_name = self.escape_field_name(field_name)
-        match_operator_pattern = self.match_operator_pattern.replace("___field___", field_name)
-        match_operator_regex = re.compile(match_operator_pattern, re.IGNORECASE)
-        match_operator_search = re.search(match_operator_regex, query)
-        if match_operator_search is None:
+        operator_pattern = self.operator_pattern.replace("___field___", field_name)
+        compiled_operator_regex = re.compile(operator_pattern, re.IGNORECASE)
+        if (operator_search := re.search(compiled_operator_regex, query)) is None:
             raise TokenizerGeneralException(error=f"Operator couldn't be found in query part: {query}")
-        match_operator = match_operator_search.group("match_operator")
-        match_operator = match_operator.strip(" ")
-        return match_operator
+
+        operator = operator_search.group("operator")
+        operator = operator.strip(" ")
+        return operator
 
     def get_operator_and_value(self, match: re.Match, operator: str = OperatorType.EQ) -> Tuple[str, Any]:
         return operator, get_match_group(match, group_name='value')
@@ -118,7 +117,7 @@ def search_value(self, query: str, operator: str, field_name: str) -> Tuple[str,
         field_value_pattern = self.get_field_value_pattern(operator, field_name)
         value_pattern = self.value_pattern
         is_multi = False
-        if operator.lower() in self.multi_value_operators:
+        if operator.lower() in self.multi_value_operators_map:
             value_pattern = self.multi_value_pattern
             is_multi = True
 
@@ -142,7 +141,7 @@ def search_keyword(self, query: str) -> Tuple[Keyword, str]:
 
     def get_field_value_pattern(self, operator, field_name):
         field_value_pattern = self.field_value_pattern.replace("___field___", self.escape_field_name(field_name))
-        return field_value_pattern.replace("___match_operator___", operator)
+        return field_value_pattern.replace("___operator___", operator)
 
     @staticmethod
     def _clean_value(value: str, wildcard_symbol: str) -> str:
@@ -183,28 +182,45 @@ def create_field(field_name: str, operator: Identifier, value: Union[str, List])
 
     def search_field_value(self, query):
         field_name = self.search_field(query)
-        operator = self.search_match_operator(query, field_name)
+        operator = self.search_operator(query, field_name)
         query, operator, value = self.search_value(query=query, operator=operator, field_name=field_name)
         value, operator_token = self.process_value_wildcard_symbols(value=value,
                                                                     operator=operator,
                                                                     wildcard_symbol=self.wildcard_symbol)
         field = self.create_field(field_name=field_name, operator=operator_token, value=value)
         return field, query
 
-    def __get_identifier(self, query: str) -> Tuple[Union[Field, Keyword, Identifier], str]:
+    def _match_field_value(self, query: str, white_space_pattern: str = r"\s+") -> bool:
+        single_value_operator_group = fr"(?:{'|'.join(self.single_value_operators_map)})"
+        single_value_pattern = fr"""{self.field_pattern}\s*{single_value_operator_group}\s*{self.value_pattern}\s*"""
+        if re.match(single_value_pattern, query, re.IGNORECASE):
+            return True
+
+        if self.multi_value_operators_map:
+            multi_value_operator_group = fr"(?:{'|'.join(self.multi_value_operators_map)})"
+            pattern = f"{self.field_pattern}{white_space_pattern}{multi_value_operator_group}{white_space_pattern}"
+            multi_value_pattern = fr"{pattern}{self.multi_value_pattern}"
+            if re.match(multi_value_pattern, query, re.IGNORECASE):
+                return True
+
+        return False
+
+    def _get_identifier(self, query: str) -> Tuple[Union[Field, Keyword, Identifier], str]:
         query = query.strip("\n").strip(" ").strip("\n")
         if query.startswith(GroupType.L_PAREN):
             return Identifier(token_type=GroupType.L_PAREN), query[1:]
         elif query.startswith(GroupType.R_PAREN):
             return Identifier(token_type=GroupType.R_PAREN), query[1:]
-        elif operator_search := re.match(self.operator_pattern, query):
-            operator = operator_search.group("operator")
-            pos = operator_search.end()
-            return Identifier(token_type=operator.lower()), query[pos:]
+        elif logical_operator_search := re.match(self.logical_operator_pattern, query):
+            logical_operator = logical_operator_search.group("logical_operator")
+            pos = logical_operator_search.end()
+            return Identifier(token_type=logical_operator.lower()), query[pos:]
+        elif self._match_field_value(query):
+            return self.search_field_value(query)
         elif self.keyword_pattern and re.match(self.keyword_pattern, query):
             return self.search_keyword(query)
-        else:
-            return self.search_field_value(query)
+
+        raise TokenizerGeneralException("Unsupported query entry")
 
     @staticmethod
     def _validate_parentheses(tokens):
@@ -224,7 +240,7 @@ def _validate_parentheses(tokens):
     def tokenize(self, query: str) -> List[Union[Field, Keyword, Identifier]]:
         tokenized = []
         while query:
-            identifier, query = self.__get_identifier(query=query)
+            identifier, query = self._get_identifier(query=query)
             tokenized.append(identifier)
         self._validate_parentheses(tokenized)
         return tokenized

…nverter/app/dictionaries/techniques.json …nslator/app/dictionaries/techniques.jsonsiem-converter/app/dictionaries/techniques.json renamed to translator/app/dictionaries/techniques.json siem-converter/app/dictionaries/techniques.json renamed to translator/app/dictionaries/techniques.json

@@ -26,23 +26,28 @@
 
 
 class AthenaTokenizer(QueryTokenizer):
+    single_value_operators_map = {
+        "=": OperatorType.EQ,
+        "<=": OperatorType.LTE,
+        "<": OperatorType.LT,
+        ">=": OperatorType.GTE,
+        ">": OperatorType.GT,
+        "!=": OperatorType.NEQ,
+        "<>": OperatorType.NEQ,
+        "like": OperatorType.EQ
+    }
+    multi_value_operators_map = {
+        "in": OperatorType.EQ
+    }
+
     field_pattern = r'(?P<field_name>"[a-zA-Z\._\-\s]+"|[a-zA-Z\._\-]+)'
-    match_operator_pattern = r"""(?:___field___\s?(?P<match_operator>like|in|<=|>=|==|>|<|<>|!=|=))\s?"""
     num_value_pattern = r"(?P<num_value>\d+(?:\.\d+)*)\s*"
     bool_value_pattern = r"(?P<bool_value>true|false)\s*"
     single_quotes_value_pattern = r"""'(?P<s_q_value>(?:[:a-zA-Z\*0-9=+%#\-\/\\,_".$&^@!\(\)\{\}\s]|'')*)'"""
     _value_pattern = fr"{num_value_pattern}|{bool_value_pattern}|{single_quotes_value_pattern}"
     multi_value_pattern = r"""\((?P<value>\d+(?:,\s*\d+)*|'(?:[:a-zA-Z\*0-9=+%#\-\/\\,_".$&^@!\(\)\{\}\s]|'')*'(?:,\s*'(?:[:a-zA-Z\*0-9=+%#\-\/\\,_".$&^@!\(\)\{\}\s]|'')*')*)\)"""
 
-    multi_value_operators = ("in",)
     wildcard_symbol = "%"
-    operators_map = {
-        "like": OperatorType.EQ
-    }
-
-    def __init__(self):
-        super().__init__()
-        self.operators_map.update(super().operators_map)
 
     @staticmethod
     def should_process_value_wildcard_symbols(operator: str) -> bool:
@@ -62,7 +67,7 @@ def get_operator_and_value(self, match: re.Match, operator: str = OperatorType.E
 
     def search_field_value(self, query):
         field_name = self.search_field(query)
-        operator = self.search_match_operator(query, field_name)
+        operator = self.search_operator(query, field_name)
         should_process_value_wildcard_symbols = self.should_process_value_wildcard_symbols(operator)
         query, operator, value = self.search_value(query=query, operator=operator, field_name=field_name)
 

translator/app/translator/core/tokenizer.py

@@ -26,34 +26,36 @@
 from app.translator.core.tokenizer import QueryTokenizer
 from app.translator.core.custom_types.tokens import OperatorType
 from app.translator.tools.utils import get_match_group
-from app.translator.platforms.base.lucene.const import COMPARISON_OPERATORS_MAP
 
 
 class LuceneTokenizer(QueryTokenizer, ANDLogicOperatorMixin):
+    single_value_operators_map = {
+        ":>": OperatorType.GT,
+        ":<": OperatorType.LT,
+        ":": OperatorType.EQ
+    }
+    multi_value_operators_map = {
+        ":": OperatorType.EQ
+    }
+
     field_pattern = r"(?P<field_name>[a-zA-Z\.\-_]+)"
     match_operator_pattern = r"(?:___field___\s*(?P<match_operator>:\[\*\sTO|:\[|:<|:>|:))\s*"
-    num_value_pattern = r"(?P<num_value>\d+(?:\.\d+)*)\s*"
+    _num_value_pattern = r"\d+(?:\.\d+)*"
+    num_value_pattern = fr"(?P<num_value>{_num_value_pattern})\s*"
     double_quotes_value_pattern = r'"(?P<d_q_value>(?:[:a-zA-Z\*0-9=+%#\-_/,\'\.$&^@!\(\)\{\}\s]|\\\"|\\)*)"\s*'
     no_quotes_value_pattern = r"(?P<n_q_value>(?:[a-zA-Z\*0-9=%#_/,\'\.$@]|\\\"|\\\\)+)\s*"
     re_value_pattern = r"/(?P<re_value>[:a-zA-Z\*0-9=+%#\\\-_\,\"\'\.$&^@!\(\)\{\}\[\]\s?]+)/\s*"
-    _value_pattern = fr"{num_value_pattern}|{re_value_pattern}|{no_quotes_value_pattern}|{double_quotes_value_pattern}"
+    gte_value_pattern = fr"\[\s*(?P<gte_value>{_num_value_pattern})\s+TO\s+\*\s*\]"
+    lte_value_pattern = fr"\[\s*\*\s+TO\s+(?P<lte_value>{_num_value_pattern})\s*\]"
+    range_value_pattern = fr"{gte_value_pattern}|{lte_value_pattern}"
+    _value_pattern = fr"{num_value_pattern}|{re_value_pattern}|{no_quotes_value_pattern}|{double_quotes_value_pattern}|{range_value_pattern}"
     keyword_pattern = r"(?P<n_q_value>(?:[a-zA-Z\*0-9=%#_/,\'\.$@]|\\\"|\\\(|\\\)|\\\[|\\\]|\\\{|\\\}|\\\:|\\)+)(?:\s+|\)|$)"
 
     multi_value_pattern = r"""\((?P<value>[:a-zA-Z\"\*0-9=+%#\-_\/\\'\,.&^@!\(\[\]\s]+)\)"""
     multi_value_check_pattern = r"___field___\s*___operator___\s*\("
 
     wildcard_symbol = "*"
 
-    operators_map = {
-        ":": OperatorType.EQ,
-        ":>": OperatorType.GT,
-        ":<": OperatorType.LT
-    }
-
-    def __init__(self):
-        super().__init__()
-        self.operators_map.update(super().operators_map)
-
     @staticmethod
     def create_field(field_name: str, operator: Identifier, value: Union[str, List]) -> Field:
         field_name = field_name.replace(".text", "")
@@ -79,11 +81,15 @@ def get_operator_and_value(self, match: re.Match, operator: str = OperatorType.E
         elif (d_q_value := get_match_group(match, group_name='d_q_value')) is not None:
             return operator, d_q_value
 
+        elif (gte_value := get_match_group(match, group_name='gte_value')) is not None:
+            return OperatorType.GTE, gte_value
+
+        elif (lte_value := get_match_group(match, group_name='lte_value')) is not None:
+            return OperatorType.LTE, lte_value
+
         return super().get_operator_and_value(match, operator)
 
     def search_value(self, query: str, operator: str, field_name: str) -> Tuple[str, str, Union[str, List[str]]]:
-        if operator in COMPARISON_OPERATORS_MAP.keys():
-            return self.search_value_gte_lte(query, operator, field_name)
         check_pattern = self.multi_value_check_pattern
         check_regex = check_pattern.replace('___field___', field_name).replace('___operator___', operator)
         if re.match(check_regex, query):
@@ -105,14 +111,6 @@ def search_value(self, query: str, operator: str, field_name: str) -> Tuple[str,
         pos = field_value_search.end()
         return query[pos:], operator, value
 
-    def search_value_gte_lte(self, query: str, operator: str, field_name: str) -> Tuple[str, str, Union[str, List[str]]]:
-        query_list = query.split("]")
-        to_replace = [v for val in COMPARISON_OPERATORS_MAP.values() for v in val["replace"]]
-        to_replace.append(field_name)
-        regex = re.compile('|'.join(to_replace))
-        value = re.sub(regex, '', query_list.pop(0))
-        return "".join(query_list), COMPARISON_OPERATORS_MAP.get(operator, {}).get("default_op"), value.strip()
-
     def search_keyword(self, query: str) -> Tuple[Keyword, str]:
         keyword_search = re.search(self.keyword_pattern, query)
         _, value = self.get_operator_and_value(keyword_search)
@@ -121,6 +119,14 @@ def search_keyword(self, query: str) -> Tuple[Keyword, str]:
         pos = keyword_search.end() - 1
         return keyword, query[pos:]
 
+    def _match_field_value(self, query: str, white_space_pattern: str = r"\s*") -> bool:
+        range_value_pattern = f"(?:{self.gte_value_pattern}|{self.lte_value_pattern})"
+        range_pattern = fr"{self.field_pattern}{white_space_pattern}:\s*{range_value_pattern}"
+        if re.match(range_pattern, query, re.IGNORECASE):
+            return True
+
+        return super()._match_field_value(query, white_space_pattern=white_space_pattern)
+
     def tokenize(self, query: str) -> List[Union[Field, Keyword, Identifier]]:
         tokens = super().tokenize(query=query)
         return self.add_and_token_if_missed(tokens=tokens)

translator/app/translator/platforms/athena/tokenizer.py

@@ -28,16 +28,25 @@
 
 
 class SplTokenizer(QueryTokenizer, ANDLogicOperatorMixin):
+    single_value_operators_map = {
+        "=": OperatorType.EQ,
+        "<=": OperatorType.LTE,
+        "<": OperatorType.LT,
+        ">=": OperatorType.GTE,
+        ">": OperatorType.GT,
+        "!=": OperatorType.NEQ
+    }
+    multi_value_operators_map = {"in": OperatorType.EQ}
+
     field_pattern = r"(?P<field_name>[a-zA-Z\.\-_\{\}]+)"
-    num_value_pattern = r"(?P<num_value>\d+(?:\.\d+)*)\s*"
-    double_quotes_value_pattern = r'"(?P<d_q_value>(?:[:a-zA-Z\*0-9=+%#\-_/,;\'\.$&^@!\(\)\{\}\s]|\\\"|\\)*)"\s*'
+    num_value_pattern = r"(?P<num_value>\d+(?:\.\d+)*)(?=$|\s|\))"
+    double_quotes_value_pattern = r'"(?P<d_q_value>(?:[:a-zA-Z\*0-9=+%#\-_/,;\'\.$&^@!\]\[\(\)\{\}\s]|\\\"|\\)*)"\s*'
     single_quotes_value_pattern = r"'(?P<s_q_value>(?:[:a-zA-Z\*0-9=+%#\-_/,;\"\.$&^@!\(\)\{\}\s]|\\\'|\\)*)'\s*"
-    no_quotes_value = r"(?P<no_q_value>(?:[:a-zA-Z\*0-9=+%#\-_/,\.\\$&^@!])+)\s*"
-    _value_pattern = fr"{num_value_pattern}|{no_quotes_value}|{double_quotes_value_pattern}|{single_quotes_value_pattern}"
+    no_quotes_value_pattern = r"(?P<no_q_value>(?:[:a-zA-Z\*0-9+%#\-_/,\.$&^@!]|\\\s|\\=|\\!=|\\<|\\<=|\\>|\\>=|\\\\)+)(?=$|\s|\))"
+    _value_pattern = fr"{num_value_pattern}|{no_quotes_value_pattern}|{double_quotes_value_pattern}|{single_quotes_value_pattern}"
     multi_value_pattern = r"""\((?P<value>[:a-zA-Z\"\*0-9=+%#\-_\/\\'\,;.$&^@!\{\}\(\s]+)\)"""
-    keyword_pattern = double_quotes_value_pattern
+    keyword_pattern = fr"{double_quotes_value_pattern}|{no_quotes_value_pattern}"
 
-    multi_value_operators = ("in",)
     wildcard_symbol = "*"
 
     def get_operator_and_value(self, match: re.Match, operator: str = OperatorType.EQ) -> Tuple[str, Any]:

translator/app/translator/platforms/base/lucene/const.py

@@ -26,8 +26,16 @@
 
 
 class ChronicleQueryTokenizer(QueryTokenizer):
-    field_pattern = r"(?P<field_name>[a-zA-Z0-9\._]+)"
+    single_value_operators_map = {
+        "=": OperatorType.EQ,
+        "<=": OperatorType.LTE,
+        "<": OperatorType.LT,
+        ">=": OperatorType.GTE,
+        ">": OperatorType.GT,
+        "!=": OperatorType.NEQ
+    }
 
+    field_pattern = r"(?P<field_name>[a-zA-Z0-9\._]+)"
     num_value_pattern = r"(?P<num_value>\d+(?:\.\d+)*)\s*"
     bool_value_pattern = r"(?P<bool_value>true|false)\s*"
     double_quotes_value_pattern = r'"(?P<d_q_value>(?:[:a-zA-Z\*0-9=+%#\-_/,\'\.$&^@!\(\)\{\}\s]|\\\"|\\\\)*)"\s*(?:nocase)?'