RubyGems - fushin - Versions diffs - 0.1.1 → 0.2.0 - Mend

fushin 0.1.1 → 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (12) hide show

checksums.yaml +4 -4
data/README.md +2 -1
data/fushin.gemspec +1 -0
data/lib/fushin.rb +3 -0
data/lib/fushin/http/headers.rb +0 -0
data/lib/fushin/hybrid_analysis.rb +42 -0
data/lib/fushin/models/attachment.rb +39 -0
data/lib/fushin/monitor.rb +1 -0
data/lib/fushin/posts/post.rb +4 -0
data/lib/fushin/posts/shinobi.rb +9 -0
data/lib/fushin/version.rb +1 -1
metadata +19 -2

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 45e5e429220ee4897053cd2cf732ccf3423b0d5aab53423f8aec57549a0a240e
-  data.tar.gz: 072a988d06cca8c2f211767a1ea4dda589282ea630cabc3b6e41afde3dfe2097
+  metadata.gz: 2886480988a7953bf20c22ffd1ab3590926c5121700b2aaf007bebe3c93438fd
+  data.tar.gz: abbf709568fc79ff6d57aee267d0cf4b3875a783410b2594a40430126c734db1
 SHA512:
-  metadata.gz: 51c711d46af5097f286d9a218a54dffa60ed378e19f5ec4fdf6570994499c760ed48e273672e6ded1eaa9c3740f91f3c927d634b306964ede4788e1cebf2d119
-  data.tar.gz: 6beb9229082f2233c50cc62c23098a5d20fee1b2bca5d04725f397412861e05cae273d2932cbffd8a1eb040053d282b66e69a122015232af8edfb58006ed11d3
+  metadata.gz: '098de7ee37619d0403ed2f94bebad99e740bbbeb358fd364247a3f9990cebab816d16974188f70d35500d4c0d09ab1b128b492278c162a5306c030e5c6d4840e'
+  data.tar.gz: 9bb31068ef6d71371ae3fb6507f18fc8f49bb4de02c4703f8691e60fdbdcc412d9f3d8fa1b33ea6b22b4e71cb0a3e7e6ef2294f7dd15feed457634fdfd13588f

data/README.md CHANGED

@@ -11,7 +11,8 @@ A malicious blog posts monitoring tool.
 - [x] Subscribe [a malicious blog posts feed](https://www.inoreader.com/stream/user/1006141524/tag/%E4%B8%8D%E5%AF%A9%E3%83%A1%E3%83%BC%E3%83%AB) (by [@catnap707](https://twitter.com/catnap707))
 - [x] Extract IoCs(BTC, URL) from a blog post
 - [x] Post extracted IoCs to Slack (or STDOUT) with enrichment
-- [ ] Attachment handling
+- [x] Attachment handling
+  - Scan a URL via Hybrid Analysis
 ## Supported blog types

data/fushin.gemspec CHANGED

@@ -26,6 +26,7 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency "bundler", "~> 2.0"
   spec.add_development_dependency "coveralls", "~> 0.8"
+  spec.add_development_dependency "dotenv", "~> 2.6"
   spec.add_development_dependency "rake", "~> 12.3"
   spec.add_development_dependency "rspec", "~> 3.8"
   spec.add_development_dependency "vcr", "~> 4.0"

data/lib/fushin.rb CHANGED

@@ -4,7 +4,10 @@ require "fushin/version"
 require "fushin/erros"
+require "fushin/hybrid_analysis"
 require "fushin/models/model"
+require "fushin/models/attachment"
 require "fushin/models/btc"
 require "fushin/models/website"

data/lib/fushin/http/headers.rb ADDED

File without changes

data/lib/fushin/hybrid_analysis.rb ADDED

@@ -0,0 +1,42 @@
+# frozen_string_literal: true
+require "json"
+require "http"
+module Fushin
+  class HybridAnalysis
+    BASE_URL = "https://www.hybrid-analysis.com"
+    VERSION = "v2"
+    def quick_url_scan(url)
+      payload = {
+        scan_type: "all",
+        url: url
+      }
+      res = HTTP.headers(default_headers).post(url_for("/quick-scan/url-to-file"), form: payload)
+      res.code == 200 ? JSON.parse(res.body.to_s) : nil
+    end
+    def self.quick_url_scan(url)
+      new.quick_url_scan(url)
+    end
+    private
+    def api_key
+      @api_key ||= ENV.fetch("HA_API_KEY")
+    end
+    def default_headers
+      {
+        "accept" => "application/json",
+        "api-key" => api_key,
+        "user-agent" => "Falcon Sandbox",
+      }
+    end
+    def url_for(path)
+      "#{BASE_URL}/api/#{VERSION}#{path}"
+    end
+  end
+end

data/lib/fushin/models/attachment.rb ADDED

@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+module Fushin
+  module Models
+    class Attachment < Model
+      attr_reader :url
+      def initialize(url)
+        @url = url
+      end
+      def sha256
+        @sha256 ||= [].tap do |out|
+          res = HybridAnalysis.quick_url_scan(url)
+          out << res.dig("sha256")
+        end.first
+      end
+      def title
+        "HA: #{sha256}"
+      end
+      def ha_link
+        "https://www.hybrid-analysis.com/sample/#{sha256}/"
+      end
+      def to_attachements
+        [
+          {
+            fallback: "HA link",
+            title: title,
+            title_link: ha_link,
+            footer: "hybrid-analysis.com",
+            footer_icon: "http://www.google.com/s2/favicons?domain=hybrid-analysis.com"
+          }
+        ]
+      end
+    end
+  end
+end

data/lib/fushin/monitor.rb CHANGED

@@ -15,6 +15,7 @@ module Fushin
           out << item.post.btcs.map(&:to_attachements)
           out << item.post.urls.map(&:to_attachements)
           out << item.post.links.map(&:to_attachements)
+          out << item.post.attachements.map(&:to_attachements)
         end.flatten
         attachements << { text: "IoC is not found." } if attachements.empty?
         Notifier.notify("#{item.title} (#{item.link})", attachements)

data/lib/fushin/posts/post.rb CHANGED

@@ -57,6 +57,10 @@ module Fushin
         end.compact
       end
+      def attachements
+        []
+      end
       private
       def main_selector

data/lib/fushin/posts/shinobi.rb CHANGED

@@ -10,6 +10,15 @@ module Fushin
       def main_cleanup_selectors
         %w(script)
       end
+      def attachements
+        @attachements ||= doc.css("#primary > div.inner > div > div:nth-child(3) > a").map do |a|
+          url = a.get("href")
+          next unless url
+          Models::Attachment.new url
+        end.compact
+      end
     end
   end
 end

data/lib/fushin/version.rb CHANGED

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 module Fushin
-  VERSION = "0.1.1"
+  VERSION = "0.2.0"
 end

metadata CHANGED

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: fushin
 version: !ruby/object:Gem::Version
-  version: 0.1.1
+  version: 0.2.0
 platform: ruby
 authors:
 - Manabu Niseki
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2019-01-31 00:00:00.000000000 Z
+date: 2019-02-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -38,6 +38,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '0.8'
+- !ruby/object:Gem::Dependency
+  name: dotenv
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.6'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.6'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
@@ -215,7 +229,10 @@ files:
 - lib/fushin/cache.rb
 - lib/fushin/config/whitelisted_domains.yml
 - lib/fushin/erros.rb
+- lib/fushin/http/headers.rb
+- lib/fushin/hybrid_analysis.rb
 - lib/fushin/item.rb
+- lib/fushin/models/attachment.rb
 - lib/fushin/models/btc.rb
 - lib/fushin/models/model.rb
 - lib/fushin/models/website.rb