Re: Post-parsing and Enrichment test framework
Hi Ali,

Would you consider creating a jira with some test framework requirement ideas based on your experience using GetProfileTest?

On July 8, 2017 at 07:11:53, Ali Nazemian (alinazem...@gmail.com) wrote:

Hi Nick,

Something like GetProfileTest is exactly what I am looking for. Although following this test case is good enough at this step, it would be great if a test-framework can be implemented to make that easier. Probably it is not a very critical requirement, but it would be nice to have it.

Cheers,
Ali
Re: Post-parsing and Enrichment test framework
Hi Nick,

Something like GetProfileTest is exactly what I am looking for. Although following this test case is good enough at this step, it would be great if a test-framework can be implemented to make that easier. Probably it is not a very critical requirement, but it would be nice to have it.

Cheers,
Ali

On Sat, Jul 8, 2017 at 1:02 AM, Nick Allen wrote:

> > Is there any other approach to check that through writing Java
> > test-cases? Writing test-cases would be easier for keeping track of
> > changes.
>
> While the Shell is great, it does not serve as an automated, repeatable
> test case.
>
> An alternative approach along these lines is to create your own JUnit test
> cases that leverage a Stellar executor to execute arbitrary expressions and
> validate the result. This is what we do in any unit tests for Stellar
> functions. For example, see `GetProfileTest` that tests the Profiler's
> `PROFILE_GET` function.
>
> Do you think these examples get you 80% there?
Re: Post-parsing and Enrichment test framework
> Is there any other approach to check that through writing Java
> test-cases? Writing test-cases would be easier for keeping track of
> changes.

While the Shell is great, it does not serve as an automated, repeatable test case.

An alternative approach along these lines is to create your own JUnit test cases that leverage a Stellar executor to execute arbitrary expressions and validate the result. This is what we do in any unit tests for Stellar functions. For example, see `GetProfileTest` that tests the Profiler's `PROFILE_GET` function.

Do you think these examples get you 80% there?

On Fri, Jul 7, 2017 at 10:54 AM, Nick Allen wrote:

> For experimenting or validating specific Stellar expressions, the Stellar
> Shell is perfect. To do this, you just have to remember that when your
> Stellar expressions execute all of the fields of the message are in-scope.
>
> For example, here is a quick session where I mock up some logic that sends
> a message to Triage if a hypothetical "count" field is greater than 22. In
> this example, I expect my telemetry to look like the following.
>
>     {
>       "ip_src_addr": "10.0.0.2",
>       "ip_dst_addr": "10.0.0.3",
>       "ip_src_port": "22",
>       "ip_dst_port": "12345",
>       "source.type": "bro",
>       "count": "22"
>     }
>
> Like I said, when my Stellar expression executes each of the fields from
> the message are in-scope as variables. To replicate this in the shell, all
> I have to do is create those variables as I would expect them to exist in
> the telemetry.
>
>     [Stellar]>>>
>     [Stellar]>>> ip_src_addr := "10.0.0.2"
>     [Stellar]>>> ip_dst_addr := "10.0.0.3"
>     [Stellar]>>> ip_src_port := 22
>     [Stellar]>>> ip_dst_port := 12345
>     [Stellar]>>> source.type := "bro"
>     [Stellar]>>> count := 22
>     [Stellar]>>> is_alert := if count > 22 then true else false
>     [Stellar]>>> is_alert
>
>     false
>
> This session helped me validate the `is_alert` expression that I will add
> as an enrichment expression.
>
> Hope that answered at least some of your questions.
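The JUnit approach suggested in the message above, as an added example that is not part of the original thread or of Metron's own test code. It assumes JUnit 4 and a Metron release in which `StellarProcessorUtils.run(String, Map)` is available under `org.apache.metron.stellar.common.utils` (the package differs in older releases); the class name, the `enrich` helper and the `is_ssh_alert` expression are constructed for illustration.

```java
import static org.junit.Assert.assertEquals;

import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.Map;

// Assumed package; StellarProcessorUtils sits elsewhere in older Metron releases.
import org.apache.metron.stellar.common.utils.StellarProcessorUtils;
import org.junit.Test;

public class EnrichmentExpressionTest { // hypothetical class name

  // Constructed message: the fields a parser would emit, typed as in the shell session.
  private static Map<String, Object> message(int count) {
    Map<String, Object> m = new HashMap<>();
    m.put("ip_src_addr", "10.0.0.2");
    m.put("ip_dst_addr", "10.0.0.3");
    m.put("ip_src_port", 22);
    m.put("ip_dst_port", 12345);
    m.put("source.type", "bro");
    m.put("count", count);
    return m;
  }

  // Evaluate expressions in order; each result joins the message so later ones can use it.
  private static Map<String, Object> enrich(Map<String, Object> msg, Map<String, String> exprs) {
    Map<String, Object> out = new HashMap<>(msg);
    for (Map.Entry<String, String> e : exprs.entrySet()) {
      out.put(e.getKey(), StellarProcessorUtils.run(e.getValue(), out));
    }
    return out;
  }

  private static Map<String, String> expressions() {
    Map<String, String> exprs = new LinkedHashMap<>();
    exprs.put("is_alert", "if count > 22 then true else false"); // from the thread
    exprs.put("is_ssh_alert", "is_alert and ip_src_port == 22"); // constructed second step
    return exprs;
  }

  @Test
  public void countAtThresholdDoesNotAlert() {
    Map<String, Object> out = enrich(message(22), expressions());
    assertEquals(false, out.get("is_alert"));
    assertEquals(false, out.get("is_ssh_alert"));
  }

  @Test
  public void countAboveThresholdAlerts() {
    Map<String, Object> out = enrich(message(23), expressions());
    assertEquals(true, out.get("is_alert"));
    assertEquals(true, out.get("is_ssh_alert"));
  }
}
```

The two tests pin the boundary of the `count > 22` rule, so a later edit to the expression that shifts the threshold fails the build instead of silently changing what reaches triage.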
Re: Post-parsing and Enrichment test framework
For experimenting or validating specific Stellar expressions, the Stellar Shell is perfect. To do this, you just have to remember that when your Stellar expressions execute all of the fields of the message are in-scope.

For example, here is a quick session where I mock up some logic that sends a message to Triage if a hypothetical "count" field is greater than 22. In this example, I expect my telemetry to look like the following.

    {
      "ip_src_addr": "10.0.0.2",
      "ip_dst_addr": "10.0.0.3",
      "ip_src_port": "22",
      "ip_dst_port": "12345",
      "source.type": "bro",
      "count": "22"
    }

Like I said, when my Stellar expression executes each of the fields from the message are in-scope as variables. To replicate this in the shell, all I have to do is create those variables as I would expect them to exist in the telemetry.

    [Stellar]>>>
    [Stellar]>>> ip_src_addr := "10.0.0.2"
    [Stellar]>>> ip_dst_addr := "10.0.0.3"
    [Stellar]>>> ip_src_port := 22
    [Stellar]>>> ip_dst_port := 12345
    [Stellar]>>> source.type := "bro"
    [Stellar]>>> count := 22
    [Stellar]>>> is_alert := if count > 22 then true else false
    [Stellar]>>> is_alert

    false

This session helped me validate the `is_alert` expression that I will add as an enrichment expression.

Hope that answered at least some of your questions.

On Tue, Jul 4, 2017 at 10:23 AM, Ali Nazemian wrote:

> Hi Simon,
>
> Yeah, it does, but we are looking for a way to mock a specific message and
> check some post-parse/enrichments stuff. Is that achievable via Stellar
> shell? Right now we are checking that either through end-to-end testing, or
> changing flux files to check them section by section. Unfortunately, both
> approaches are time-consuming. We are using the Stellar shell for only
> checking the validity of Stellar functions one by one right now.
>
> Suppose there is an approach we can define a JSON object as an output of a
> parser. Then, we can apply a set of post-parsing and enrichment process on
> that JSON object and check the output. Is that achievable via Stellar
> shell? Do you have any sample that we can follow to understand Stellar
> shell capabilities for this scenario? Is there any other approach to check
> that through writing Java test-cases? Writing test-cases would be easier
> for keeping track of changes.
>
> Cheers,
> Ali
Re: Post-parsing and Enrichment test framework
Hi Simon,

Yeah, it does, but we are looking for a way to mock a specific message and check some post-parse/enrichments stuff. Is that achievable via Stellar shell? Right now we are checking that either through end-to-end testing, or changing flux files to check them section by section. Unfortunately, both approaches are time-consuming. We are using the Stellar shell for only checking the validity of Stellar functions one by one right now.

Suppose there is an approach we can define a JSON object as an output of a parser. Then, we can apply a set of post-parsing and enrichment process on that JSON object and check the output. Is that achievable via Stellar shell? Do you have any sample that we can follow to understand Stellar shell capabilities for this scenario? Is there any other approach to check that through writing Java test-cases? Writing test-cases would be easier for keeping track of changes.

Cheers,
Ali

On Wed, Jul 5, 2017 at 12:06 AM, Simon Elliston Ball <si...@simonellistonball.com> wrote:

> You should probably use the Stellar REPL (../metron/bin/stellar -z $ZK)
> which gives you a kind of Stellar playground.
>
> Simon

--
A.Nazemian
Re: Post-parsing and Enrichment test framework
You should probably use the Stellar REPL (../metron/bin/stellar -z $ZK) which gives you a kind of Stellar playground.

Simon

> On 4 Jul 2017, at 15:02, Ali Nazemian wrote:
>
> Hi all,
>
> I was wondering if there is a test framework we can use for Stellar
> post-parsing and enrichment use cases. It is very time-consuming to verify
> use cases end-to-end. Therefore, I am looking for a way of mocking use
> cases step by step to speed up our development.
>
> Regards,
> Ali
Post-parsing and Enrichment test framework
Hi all,

I was wondering if there is a test framework we can use for Stellar post-parsing and enrichment use cases. It is very time-consuming to verify use cases end-to-end. Therefore, I am looking for a way of mocking use cases step by step to speed up our development.

Regards,
Ali