mihari 0.4.2 → 0.5.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: d2122f13495ae81a98410887ee84dd41cbe5dbea0cf70b28afac5943d899a543
-  data.tar.gz: '08b3eb468a8bb767990b3bea8d2b18950d4240611fec189a9ed4d6272ba84aab'
+  metadata.gz: 0a78aa76416da5dc139e1fe11ce2d2475a45deda3a82caa1fa21eecd6e291711
+  data.tar.gz: 9958ca0873d55c20525c3fa9186b266bbfba68c957997ae14f73a1d136d2032e
 SHA512:
-  metadata.gz: b98c1c679ab601b40f918be6eb3bb4ea1c80761abe79944b1c2111abb6eec87d430ffb5e7571591875ecabf631753cb428dab98ae11dfe7708ac87ea1f6c50f8
-  data.tar.gz: 4d6a0b87a14dbb6de755f623e6544743966b26101a49b7dc71a7c4604fb662a052c52071c638e7fdedfcd918bf783cb90cd46567e0f31a30e93322181942af4a
+  metadata.gz: 4d80e8026601ca12ed90b45d21ef0eb88a53cd1312d6f29f910ded76d7fa76e72c3295051e59a91e159d88cc54b3abec627837bbb6e53eda8a75c4acc52edcb2
+  data.tar.gz: f70660b7da90c4ae9a13cfba050d775283072fbd135d30b58df6d17ae41e6799532038bef16fe76a183e81a07ab188aada365f418a733540ee15436df0b6295f

data/lib/mihari/alert_viewer.rb

@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+module Mihari
+  class AlertViewer
+    attr_reader :limit
+    attr_reader :the_hive
+
+    ALERT_KEYS = %w(title description artifacts tags createdAt status).freeze
+
+    def initialize(limit: 5)
+      @limit = limit
+      validate_limit
+
+      @the_hive = TheHive.new
+      raise Error, "Cannot connect to the TheHive instance" unless the_hive.valid?
+    end
+
+    def list
+      range = limit == "all" ? "all" : "0-#{limit}"
+      alerts = the_hive.alert.list(range: range)
+      alerts.map { |alert| convert alert }
+    end
+
+    private
+
+    def validate_limit
+      return true if limit == "all"
+
+      raise ArgumentError, "limit should be bigger than zero" unless limit.to_i.positive?
+    end
+
+    def convert(alert)
+      attributes = alert.select { |k, _v| ALERT_KEYS.include? k }
+      attributes["createdAt"] = Time.at(attributes["createdAt"] / 1000).to_s
+      attributes["artifacts"] = (attributes.dig("artifacts") || []).map do |artifact|
+        artifact.dig("data")
+      end.sort
+      attributes
+    end
+  end
+end

data/lib/mihari/analyzers/base.rb

@@ -57,7 +57,7 @@ module Mihari
       def unique_artifacts
         return normalized_artifacts unless the_hive.valid?
 
-        the_hive.find_non_existing_artifacts(normalized_artifacts)
+        the_hive.artifact.find_non_existing_artifacts(normalized_artifacts)
       end
     end
   end

data/lib/mihari/artifact.rb

@@ -1,7 +1,5 @@
 # frozen_string_literal: true
 
-require "hachi"
-
 module Mihari
   class Artifact
     attr_reader :data

data/lib/mihari/cli.rb

@@ -62,10 +62,20 @@ module Mihari
       run_analyzer basic
     end
 
+    desc "alerts", "Show the alerts on TheHive"
+    method_option :limit, default: 5, desc: "Number of alerts to show (or 'all' to show all the alerts)"
+    def alerts
+      with_error_handling do
+        viewer = AlertViewer.new(limit: options["limit"])
+        alerts = viewer.list
+        puts JSON.pretty_generate(alerts)
+      end
+    end
+
     no_commands do
       def with_error_handling
         yield
-      rescue ArgumentError, Hachi::Error, Censys::ResponseError => e
+      rescue ArgumentError, Hachi::Error, Censys::ResponseError, Error => e
         puts "Warning: #{e}"
       rescue StandardError => e
         puts "Warning: #{e}"

data/lib/mihari/emitters/the_hive.rb

@@ -3,21 +3,21 @@
 module Mihari
   module Emitters
     class TheHive < Base
-      attr_reader :api
+      attr_reader :the_hive
 
       def initialize
-        @api = Mihari::TheHive.new
+        @the_hive = Mihari::TheHive.new
       end
 
       # @return [true, false]
       def valid?
-        api.valid?
+        the_hive.valid?
       end
 
       def emit(title:, description:, artifacts:, tags: [])
         return if artifacts.empty?
 
-        api.create_alert(
+        the_hive.alert.create(
           title: title,
           description: description,
           artifacts: artifacts.map(&:to_h),

data/lib/mihari/the_hive/alert.rb

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+module Mihari
+  class TheHive
+    class Alert < Base
+      # @return [Array]
+      def list(range: "all", sort: "-date")
+        alerts = api.alert.search({ source: "mihari" }, range: range, sort: sort)
+        alerts.sort_by { |alert| -alert.dig("createdAt") }
+      end
+
+      # @return [Hash]
+      def create(title:, description:, artifacts:, tags: [])
+        api.alert.create(
+          title: title,
+          description: description,
+          artifacts: artifacts,
+          tags: tags,
+          type: "external",
+          source: "mihari"
+        )
+      end
+    end
+  end
+end

data/lib/mihari/the_hive/artifact.rb

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+module Mihari
+  class TheHive
+    class Artifact < Base
+      # @return [Array]
+      def search(data:, data_type:, range: "all")
+        api.artifact.search({ data: data, data_type: data_type }, range: range)
+      end
+
+      # @return [Array]
+      def search_all(data:, range: "all")
+        api.artifact.search({ data: data }, range: range)
+      end
+
+      # @return [true, false]
+      def exists?(data:, data_type:)
+        res = search(data: data, data_type: data_type, range: "0-1")
+        !res.empty?
+      end
+
+      # @return [Array<Mihari::Artifact>]
+      def find_non_existing_artifacts(artifacts)
+        data = artifacts.map(&:data)
+        results = search_all(data: data)
+        keys = results.map { |result| result.dig("data") }.compact.uniq
+        artifacts.reject do |artifact|
+          keys.include? artifact.data
+        end
+      end
+    end
+  end
+end

data/lib/mihari/the_hive/base.rb

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+require "hachi"
+
+module Mihari
+  class TheHive
+    class Base
+      # @return [Hachi::API]
+      def api
+        @api ||= Hachi::API.new
+      end
+    end
+  end
+end

data/lib/mihari/the_hive.rb

@@ -5,14 +5,12 @@ require "uri"
 
 module Mihari
   class TheHive
-    # @return [true, false]
-    def api_endpont?
-      ENV.key? "THEHIVE_API_ENDPOINT"
-    end
+    attr_reader :artifact
+    attr_reader :alert
 
-    # @return [true, false]
-    def api_key?
-      ENV.key? "THEHIVE_API_KEY"
+    def initialize
+      @artifact = Artifact.new
+      @alert = Alert.new
     end
 
     # @return [true, false]
@@ -20,51 +18,18 @@ module Mihari
       api_endpont? && api_key? && ping?
     end
 
-    # @return [Hachi::API]
-    def api
-      @api ||= Hachi::API.new
-    end
-
-    # @return [Array]
-    def search(data:, data_type:, range: "all")
-      api.artifact.search({ data: data, data_type: data_type }, range: range)
-    end
-
-    # @return [Array]
-    def search_all(data:, range: "all")
-      api.artifact.search({ data: data }, range: range)
-    end
+    private
 
     # @return [true, false]
-    def exists?(data:, data_type:)
-      res = search(data: data, data_type: data_type, range: "0-1")
-      !res.empty?
-    end
-
-    # @return [Array<Mihari::Artifact>]
-    def find_non_existing_artifacts(artifacts)
-      data = artifacts.map(&:data)
-      results = search_all(data: data)
-      keys = results.map { |result| result.dig("data") }.compact.uniq
-      artifacts.reject do |artifact|
-        keys.include? artifact.data
-      end
+    def api_endpont?
+      ENV.key? "THEHIVE_API_ENDPOINT"
     end
 
-    # @return [Hash]
-    def create_alert(title:, description:, artifacts:, tags: [])
-      api.alert.create(
-        title: title,
-        description: description,
-        artifacts: artifacts,
-        tags: tags,
-        type: "external",
-        source: "mihari"
-      )
+    # @return [true, false]
+    def api_key?
+      ENV.key? "THEHIVE_API_KEY"
     end
 
-    private
-
     def ping?
       base_url = ENV.fetch("THEHIVE_API_ENDPOINT")
       base_url = base_url.end_with?("/") ? base_url[0..-2] : base_url

data/lib/mihari/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Mihari
-  VERSION = "0.4.2"
+  VERSION = "0.5.0"
 end

data/lib/mihari.rb

@@ -20,6 +20,9 @@ require "mihari/errors"
 require "mihari/type_checker"
 require "mihari/artifact"
 
+require "mihari/the_hive/base"
+require "mihari/the_hive/alert"
+require "mihari/the_hive/artifact"
 require "mihari/the_hive"
 
 require "mihari/analyzers/base"
@@ -35,4 +38,6 @@ require "mihari/emitters/slack"
 require "mihari/emitters/stdout"
 require "mihari/emitters/the_hive"
 
+require "mihari/alert_viewer"
+
 require "mihari/cli"

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: mihari
 version: !ruby/object:Gem::Version
-  version: 0.4.2
+  version: 0.5.0
 platform: ruby
 authors:
 - Manabu Niseki
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2019-08-10 00:00:00.000000000 Z
+date: 2019-08-12 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -297,6 +297,7 @@ files:
 - examples/vt_passive_dns.rb
 - exe/mihari
 - lib/mihari.rb
+- lib/mihari/alert_viewer.rb
 - lib/mihari/analyzers/base.rb
 - lib/mihari/analyzers/basic.rb
 - lib/mihari/analyzers/censys.rb
@@ -312,6 +313,9 @@ files:
 - lib/mihari/emitters/the_hive.rb
 - lib/mihari/errors.rb
 - lib/mihari/the_hive.rb
+- lib/mihari/the_hive/alert.rb
+- lib/mihari/the_hive/artifact.rb
+- lib/mihari/the_hive/base.rb
 - lib/mihari/type_checker.rb
 - lib/mihari/version.rb
 - mihari.gemspec