mihari 4.12.0 → 5.0.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/Steepfile +0 -1
- data/lib/mihari/analyzers/base.rb +12 -28
- data/lib/mihari/analyzers/rule.rb +23 -36
- data/lib/mihari/cli/main.rb +6 -11
- data/lib/mihari/commands/initializer.rb +47 -0
- data/lib/mihari/commands/{search.rb → searcher.rb} +9 -20
- data/lib/mihari/commands/validator.rb +2 -2
- data/lib/mihari/constants.rb +3 -3
- data/lib/mihari/database.rb +52 -87
- data/lib/mihari/emitters/database.rb +16 -7
- data/lib/mihari/emitters/misp.rb +13 -5
- data/lib/mihari/emitters/slack.rb +15 -8
- data/lib/mihari/emitters/the_hive.rb +42 -21
- data/lib/mihari/emitters/webhook.rb +99 -31
- data/lib/mihari/entities/alert.rb +7 -5
- data/lib/mihari/entities/artifact.rb +20 -8
- data/lib/mihari/entities/config.rb +2 -6
- data/lib/mihari/entities/rule.rb +8 -0
- data/lib/mihari/http.rb +13 -13
- data/lib/mihari/mixins/{disallowed_data_value.rb → falsepositive.rb} +8 -8
- data/lib/mihari/models/alert.rb +2 -15
- data/lib/mihari/models/artifact.rb +28 -17
- data/lib/mihari/models/rule.rb +7 -13
- data/lib/mihari/schemas/emitter.rb +6 -8
- data/lib/mihari/schemas/rule.rb +11 -13
- data/lib/mihari/structs/config.rb +41 -0
- data/lib/mihari/structs/filters.rb +2 -2
- data/lib/mihari/structs/rule.rb +96 -83
- data/lib/mihari/templates/rule.yml.erb +5 -23
- data/lib/mihari/types.rb +1 -1
- data/lib/mihari/version.rb +1 -1
- data/lib/mihari/web/api.rb +0 -2
- data/lib/mihari/web/endpoints/alerts.rb +11 -3
- data/lib/mihari/web/endpoints/configs.rb +1 -6
- data/lib/mihari/web/endpoints/rules.rb +27 -15
- data/lib/mihari/web/public/assets/{fa-brands-400-b1d1c1b0.ttf → fa-brands-400-2ef6fdde.ttf} +0 -0
- data/lib/mihari/web/public/assets/fa-brands-400-f4617423.woff2 +0 -0
- data/lib/mihari/web/public/assets/fa-regular-400-12dea17b.ttf +0 -0
- data/lib/mihari/web/public/assets/fa-regular-400-7ba24c41.woff2 +0 -0
- data/lib/mihari/web/public/assets/fa-solid-900-67a880b4.ttf +0 -0
- data/lib/mihari/web/public/assets/fa-solid-900-e2c5cf54.woff2 +0 -0
- data/lib/mihari/web/public/assets/fa-v4compatibility-7c377405.woff2 +0 -0
- data/lib/mihari/web/public/assets/fa-v4compatibility-8d9500e8.ttf +0 -0
- data/lib/mihari/web/public/assets/{index-07aa1ba2.css → index-625e95fe.css} +3 -3
- data/lib/mihari/web/public/assets/index-63900d73.js +50 -0
- data/lib/mihari/web/public/index.html +2 -2
- data/lib/mihari/web/public/redoc-static.html +26 -27
- data/lib/mihari.rb +11 -21
- data/mihari.gemspec +4 -4
- metadata +25 -111
- data/lib/mihari/cli/init.rb +0 -11
- data/lib/mihari/cli/validator.rb +0 -11
- data/lib/mihari/commands/init.rb +0 -51
- data/lib/mihari/emitters/http.rb +0 -127
- data/lib/mihari/entities/source.rb +0 -9
- data/lib/mihari/status.rb +0 -55
- data/lib/mihari/web/endpoints/sources.rb +0 -19
- data/lib/mihari/web/public/assets/fa-brands-400-c61287c2.woff2 +0 -0
- data/lib/mihari/web/public/assets/fa-regular-400-5da313b0.woff2 +0 -0
- data/lib/mihari/web/public/assets/fa-regular-400-d7b19fe2.ttf +0 -0
- data/lib/mihari/web/public/assets/fa-solid-900-8f06540f.woff2 +0 -0
- data/lib/mihari/web/public/assets/fa-solid-900-e4f6a7e9.ttf +0 -0
- data/lib/mihari/web/public/assets/fa-v4compatibility-2ddb3b41.ttf +0 -0
- data/lib/mihari/web/public/assets/fa-v4compatibility-f46715c9.woff2 +0 -0
- data/lib/mihari/web/public/assets/index-a7fe697b.js +0 -63
- data/sig/lib/mihari/analyzers/base.rbs +0 -90
- data/sig/lib/mihari/analyzers/binaryedge.rbs +0 -26
- data/sig/lib/mihari/analyzers/censys.rbs +0 -41
- data/sig/lib/mihari/analyzers/circl.rbs +0 -31
- data/sig/lib/mihari/analyzers/crtsh.rbs +0 -17
- data/sig/lib/mihari/analyzers/dnpedia.rbs +0 -15
- data/sig/lib/mihari/analyzers/dnstwister.rbs +0 -25
- data/sig/lib/mihari/analyzers/feed.rbs +0 -20
- data/sig/lib/mihari/analyzers/onyphe.rbs +0 -34
- data/sig/lib/mihari/analyzers/otx.rbs +0 -33
- data/sig/lib/mihari/analyzers/passivetotal.rbs +0 -35
- data/sig/lib/mihari/analyzers/pulsedive.rbs +0 -27
- data/sig/lib/mihari/analyzers/rule.rbs +0 -68
- data/sig/lib/mihari/analyzers/securitytrails.rbs +0 -33
- data/sig/lib/mihari/analyzers/shodan.rbs +0 -36
- data/sig/lib/mihari/analyzers/urlscan.rbs +0 -31
- data/sig/lib/mihari/analyzers/virustotal.rbs +0 -31
- data/sig/lib/mihari/analyzers/virustotal_intelligence.rbs +0 -33
- data/sig/lib/mihari/analyzers/zoomeye.rbs +0 -35
- data/sig/lib/mihari/cli/base.rbs +0 -9
- data/sig/lib/mihari/cli/init.rbs +0 -7
- data/sig/lib/mihari/cli/main.rbs +0 -9
- data/sig/lib/mihari/cli/validator.rbs +0 -7
- data/sig/lib/mihari/commands/init.rbs +0 -9
- data/sig/lib/mihari/commands/json.rbs +0 -7
- data/sig/lib/mihari/commands/search.rbs +0 -35
- data/sig/lib/mihari/commands/validator.rbs +0 -9
- data/sig/lib/mihari/commands/web.rbs +0 -7
- data/sig/lib/mihari/constants.rbs +0 -5
- data/sig/lib/mihari/database.rbs +0 -25
- data/sig/lib/mihari/emitters/base.rbs +0 -18
- data/sig/lib/mihari/emitters/database.rbs +0 -9
- data/sig/lib/mihari/emitters/http.rbs +0 -35
- data/sig/lib/mihari/emitters/misp.rbs +0 -34
- data/sig/lib/mihari/emitters/slack.rbs +0 -73
- data/sig/lib/mihari/emitters/stdout.rbs +0 -9
- data/sig/lib/mihari/emitters/the_hive.rbs +0 -32
- data/sig/lib/mihari/emitters/webhook.rbs +0 -20
- data/sig/lib/mihari/enrichers/base.rbs +0 -12
- data/sig/lib/mihari/enrichers/google_public_dns.rbs +0 -18
- data/sig/lib/mihari/enrichers/ipinfo.rbs +0 -16
- data/sig/lib/mihari/errors.rbs +0 -10
- data/sig/lib/mihari/feed/parser.rbs +0 -11
- data/sig/lib/mihari/feed/reader.rbs +0 -56
- data/sig/lib/mihari/http.rbs +0 -64
- data/sig/lib/mihari/mixins/autonomous_system.rbs +0 -14
- data/sig/lib/mihari/mixins/configurable.rbs +0 -30
- data/sig/lib/mihari/mixins/configuration.rbs +0 -45
- data/sig/lib/mihari/mixins/disallowed_data_value.rbs +0 -23
- data/sig/lib/mihari/mixins/error_notification.rbs +0 -12
- data/sig/lib/mihari/mixins/hash.rbs +0 -14
- data/sig/lib/mihari/mixins/refang.rbs +0 -14
- data/sig/lib/mihari/mixins/retriable.rbs +0 -15
- data/sig/lib/mihari/models/alert.rbs +0 -18
- data/sig/lib/mihari/models/artifact.rbs +0 -69
- data/sig/lib/mihari/models/autonomous_system.rbs +0 -14
- data/sig/lib/mihari/models/cpe.rbs +0 -7
- data/sig/lib/mihari/models/dns.rbs +0 -19
- data/sig/lib/mihari/models/geolocation.rbs +0 -15
- data/sig/lib/mihari/models/port.rbs +0 -7
- data/sig/lib/mihari/models/reverse_dns.rbs +0 -14
- data/sig/lib/mihari/models/rule.rbs +0 -17
- data/sig/lib/mihari/models/tag.rbs +0 -5
- data/sig/lib/mihari/models/tagging.rbs +0 -4
- data/sig/lib/mihari/models/whois.rbs +0 -66
- data/sig/lib/mihari/status.rbs +0 -25
- data/sig/lib/mihari/structs/censys.rbs +0 -58
- data/sig/lib/mihari/structs/filters.rbs +0 -40
- data/sig/lib/mihari/structs/google_public_dns.rbs +0 -21
- data/sig/lib/mihari/structs/greynoise.rbs +0 -30
- data/sig/lib/mihari/structs/ipinfo.rbs +0 -17
- data/sig/lib/mihari/structs/onyphe.rbs +0 -25
- data/sig/lib/mihari/structs/rule.rbs +0 -57
- data/sig/lib/mihari/structs/shodan.rbs +0 -30
- data/sig/lib/mihari/structs/urlscan.rbs +0 -28
- data/sig/lib/mihari/structs/virustotal_intelligence.rbs +0 -33
- data/sig/lib/mihari/type_checker.rbs +0 -48
- data/sig/lib/mihari/types.rbs +0 -23
- data/sig/lib/mihari/version.rbs +0 -3
- data/sig/lib/mihari/web/app.rbs +0 -5
- data/sig/lib/mihari.rbs +0 -54
data/lib/mihari/emitters/misp.rb
CHANGED
@@ -14,7 +14,7 @@ module Mihari
|
|
14
14
|
def initialize(*args, **kwargs)
|
15
15
|
super(*args, **kwargs)
|
16
16
|
|
17
|
-
@url = kwargs[:url] ||
|
17
|
+
@url = kwargs[:url] || Mihari.config.misp_url
|
18
18
|
@api_key = kwargs[:api_key] || Mihari.config.misp_api_key
|
19
19
|
|
20
20
|
::MISP.configure do |config|
|
@@ -39,16 +39,24 @@ module Mihari
|
|
39
39
|
true
|
40
40
|
end
|
41
41
|
|
42
|
-
|
42
|
+
#
|
43
|
+
# Create a MISP event
|
44
|
+
#
|
45
|
+
# @param [Arra<Mihari::Artifact>] artifacts
|
46
|
+
# @param [Mihari::Structs::Rule] rule
|
47
|
+
#
|
48
|
+
# @return [::MISP::Event]
|
49
|
+
#
|
50
|
+
def emit(rule:, artifacts:, **_options)
|
43
51
|
return if artifacts.empty?
|
44
52
|
|
45
|
-
event = ::MISP::Event.new(info: title)
|
53
|
+
event = ::MISP::Event.new(info: rule.title)
|
46
54
|
|
47
55
|
artifacts.each do |artifact|
|
48
56
|
event.attributes << build_attribute(artifact)
|
49
57
|
end
|
50
58
|
|
51
|
-
tags.each do |tag|
|
59
|
+
rule.tags.each do |tag|
|
52
60
|
event.add_tag name: tag
|
53
61
|
end
|
54
62
|
|
@@ -66,7 +74,7 @@ module Mihari
|
|
66
74
|
#
|
67
75
|
# @param [Mihari::Artifact] artifact
|
68
76
|
#
|
69
|
-
# @return [::MISP::Attribute]
|
77
|
+
# @return [::MISP::Attribute]
|
70
78
|
#
|
71
79
|
def build_attribute(artifact)
|
72
80
|
::MISP::Attribute.new(value: artifact.data, type: to_misp_type(type: artifact.data_type, value: artifact.data))
|
@@ -167,30 +167,37 @@ module Mihari
|
|
167
167
|
#
|
168
168
|
# Build a text
|
169
169
|
#
|
170
|
-
# @param [
|
171
|
-
# @param [String] description
|
172
|
-
# @param [Array<String>] tags
|
170
|
+
# @param [Mihari::Structs::Rule] rule
|
173
171
|
#
|
174
172
|
# @return [String]
|
175
173
|
#
|
176
|
-
def to_text(
|
174
|
+
def to_text(rule)
|
175
|
+
tags = rule.tags
|
177
176
|
tags = ["N/A"] if tags.empty?
|
178
177
|
|
179
178
|
[
|
180
|
-
"*#{title}*",
|
181
|
-
"*Desc.*: #{description}",
|
179
|
+
"*#{rule.title}*",
|
180
|
+
"*Desc.*: #{rule.description}",
|
182
181
|
"*Tags*: #{tags.join(", ")}"
|
183
182
|
].join("\n")
|
184
183
|
end
|
185
184
|
|
186
|
-
def emit(
|
185
|
+
def emit(rule:, artifacts:, **_options)
|
187
186
|
return if artifacts.empty?
|
188
187
|
|
189
188
|
attachments = to_attachments(artifacts)
|
190
|
-
text = to_text(
|
189
|
+
text = to_text(rule)
|
191
190
|
|
192
191
|
notifier.post(text: text, attachments: attachments, mrkdwn: true)
|
193
192
|
end
|
193
|
+
|
194
|
+
def configuration_keys
|
195
|
+
%w[slack_webhook_url slack_channel]
|
196
|
+
end
|
197
|
+
|
198
|
+
def configured?
|
199
|
+
valid?
|
200
|
+
end
|
194
201
|
end
|
195
202
|
end
|
196
203
|
end
|
@@ -17,7 +17,7 @@ module Mihari
|
|
17
17
|
def initialize(*args, **kwargs)
|
18
18
|
super(*args, **kwargs)
|
19
19
|
|
20
|
-
@url = kwargs[:url] ||
|
20
|
+
@url = kwargs[:url] || Mihari.config.thehive_url
|
21
21
|
@api_key = kwargs[:api_key] || Mihari.config.thehive_api_key
|
22
22
|
@api_version = kwargs[:api_version] || Mihari.config.thehive_api_version
|
23
23
|
end
|
@@ -38,10 +38,18 @@ module Mihari
|
|
38
38
|
true
|
39
39
|
end
|
40
40
|
|
41
|
-
|
41
|
+
#
|
42
|
+
# Create a Hive alert
|
43
|
+
#
|
44
|
+
# @param [Arra<Mihari::Artifact>] artifacts
|
45
|
+
# @param [Mihari::Structs::Rule] rule
|
46
|
+
#
|
47
|
+
# @return [::MISP::Event]
|
48
|
+
#
|
49
|
+
def emit(rule:, artifacts:, **_options)
|
42
50
|
return if artifacts.empty?
|
43
51
|
|
44
|
-
payload = payload(
|
52
|
+
payload = payload(rule: rule, artifacts: artifacts)
|
45
53
|
api.alert.create(**payload)
|
46
54
|
end
|
47
55
|
|
@@ -93,36 +101,49 @@ module Mihari
|
|
93
101
|
!api_key.nil?
|
94
102
|
end
|
95
103
|
|
96
|
-
|
97
|
-
|
98
|
-
|
99
|
-
|
100
|
-
|
104
|
+
#
|
105
|
+
# Build payload for alert
|
106
|
+
#
|
107
|
+
# @param [Arra<Mihari::Artifact>] artifacts
|
108
|
+
# @param [Mihari::Structs::Rule] rule
|
109
|
+
#
|
110
|
+
# @return [<Type>] <description>
|
111
|
+
#
|
112
|
+
def payload(rule:, artifacts:)
|
113
|
+
return v4_payload(rule: rule, artifacts: artifacts) if normalized_api_version.nil?
|
101
114
|
|
102
|
-
v5_payload(
|
115
|
+
v5_payload(rule: rule, artifacts: artifacts)
|
103
116
|
end
|
104
117
|
|
105
|
-
def v4_payload(
|
118
|
+
def v4_payload(rule:, artifacts:)
|
106
119
|
{
|
107
|
-
title: title,
|
108
|
-
description: description,
|
120
|
+
title: rule.title,
|
121
|
+
description: rule.description,
|
109
122
|
artifacts: artifacts.map do |artifact|
|
110
|
-
|
111
|
-
|
112
|
-
|
123
|
+
{
|
124
|
+
data: artifact.data,
|
125
|
+
data_type: artifact.data_type,
|
126
|
+
message: rule.description
|
127
|
+
}
|
128
|
+
end,
|
129
|
+
tags: rule.tags,
|
113
130
|
type: "external",
|
114
131
|
source: "mihari"
|
115
132
|
}
|
116
133
|
end
|
117
134
|
|
118
|
-
def v5_payload(
|
135
|
+
def v5_payload(rule:, artifacts:)
|
119
136
|
{
|
120
|
-
title: title,
|
121
|
-
description: description,
|
137
|
+
title: rule.title,
|
138
|
+
description: rule.description,
|
122
139
|
observables: artifacts.map do |artifact|
|
123
|
-
|
124
|
-
|
125
|
-
|
140
|
+
{
|
141
|
+
data: artifact.data,
|
142
|
+
data_type: artifact.data_type,
|
143
|
+
message: rule.description
|
144
|
+
}
|
145
|
+
end,
|
146
|
+
tags: rule.tags,
|
126
147
|
type: "external",
|
127
148
|
source: "mihari",
|
128
149
|
source_ref: "1"
|
@@ -1,54 +1,122 @@
|
|
1
1
|
# frozen_string_literal: true
|
2
2
|
|
3
|
+
require "erb"
|
4
|
+
|
3
5
|
module Mihari
|
4
6
|
module Emitters
|
5
|
-
class
|
6
|
-
|
7
|
-
|
8
|
-
|
7
|
+
class PayloadTemplate < ERB
|
8
|
+
def self.template
|
9
|
+
%{
|
10
|
+
{
|
11
|
+
"rule": {
|
12
|
+
"id": "<%= @rule.id %>",
|
13
|
+
"title": "<%= @rule.title %>",
|
14
|
+
"description": "<%= @rule.description %>"
|
15
|
+
},
|
16
|
+
"artifacts": [
|
17
|
+
<% @artifacts.each_with_index do |artifact, idx| %>
|
18
|
+
"<%= artifact.data %>"
|
19
|
+
<%= ',' if idx < (@artifacts.length - 1) %>
|
20
|
+
<% end %>
|
21
|
+
],
|
22
|
+
"tags": [
|
23
|
+
<% @rule.tags.each_with_index do |tag, idx| %>
|
24
|
+
"<%= tag %>"
|
25
|
+
<%= ',' if idx < (@rule.tags.length - 1) %>
|
26
|
+
<% end %>
|
27
|
+
]
|
28
|
+
}
|
29
|
+
}
|
9
30
|
end
|
10
31
|
|
11
|
-
def
|
12
|
-
|
32
|
+
def initialize(artifacts:, rule:, options: {})
|
33
|
+
@artifacts = artifacts
|
34
|
+
@rule = rule
|
13
35
|
|
14
|
-
|
15
|
-
|
36
|
+
@template = options.fetch(:template, self.class.template)
|
37
|
+
super(@template)
|
38
|
+
end
|
16
39
|
|
17
|
-
|
18
|
-
|
40
|
+
def result
|
41
|
+
super(binding)
|
19
42
|
end
|
43
|
+
end
|
20
44
|
|
21
|
-
|
45
|
+
class Webhook < Base
|
46
|
+
# @return [Addressable::URI, nil]
|
47
|
+
attr_reader :url
|
22
48
|
|
23
|
-
|
24
|
-
|
25
|
-
|
49
|
+
# @return [Hash]
|
50
|
+
attr_reader :headers
|
51
|
+
|
52
|
+
# @return [String]
|
53
|
+
attr_reader :method
|
26
54
|
|
27
|
-
#
|
28
|
-
# Webhook URL
|
29
|
-
#
|
30
55
|
# @return [String, nil]
|
31
|
-
|
32
|
-
|
33
|
-
|
56
|
+
attr_reader :template
|
57
|
+
|
58
|
+
def initialize(*args, **kwargs)
|
59
|
+
super(*args, **kwargs)
|
60
|
+
|
61
|
+
url = kwargs[:url]
|
62
|
+
headers = kwargs[:headers] || {}
|
63
|
+
method = kwargs[:method] || "POST"
|
64
|
+
template = kwargs[:template]
|
65
|
+
|
66
|
+
@url = Addressable::URI.parse(url)
|
67
|
+
@headers = headers
|
68
|
+
@method = method
|
69
|
+
@template = template
|
34
70
|
end
|
35
71
|
|
36
|
-
|
37
|
-
|
38
|
-
|
39
|
-
|
40
|
-
|
41
|
-
|
42
|
-
|
72
|
+
def emit(artifacts:, rule:)
|
73
|
+
return if artifacts.empty?
|
74
|
+
|
75
|
+
res = nil
|
76
|
+
|
77
|
+
payload_ = payload_as_string(artifacts: artifacts, rule: rule)
|
78
|
+
payload = JSON.parse(payload_)
|
79
|
+
|
80
|
+
client = Mihari::HTTP.new(url, headers: headers, payload: payload)
|
81
|
+
|
82
|
+
case method
|
83
|
+
when "GET"
|
84
|
+
res = client.get
|
85
|
+
when "POST"
|
86
|
+
res = client.post
|
87
|
+
end
|
88
|
+
|
89
|
+
res
|
43
90
|
end
|
44
91
|
|
92
|
+
def valid?
|
93
|
+
return false if url.nil?
|
94
|
+
|
95
|
+
%w[http https].include? url.scheme.downcase
|
96
|
+
end
|
97
|
+
|
98
|
+
private
|
99
|
+
|
45
100
|
#
|
46
|
-
#
|
101
|
+
# Convert payload into string
|
47
102
|
#
|
48
|
-
# @
|
103
|
+
# @param [Array<Mihari::Artifact>] artifacts
|
104
|
+
# @param [Mihari::Structs::Rule] rule
|
49
105
|
#
|
50
|
-
|
51
|
-
|
106
|
+
# @return [String]
|
107
|
+
#
|
108
|
+
def payload_as_string(artifacts:, rule:)
|
109
|
+
@payload_as_string ||= [].tap do |out|
|
110
|
+
options = {}
|
111
|
+
options[:template] = File.read(template) unless template.nil?
|
112
|
+
|
113
|
+
payload_template = PayloadTemplate.new(
|
114
|
+
artifacts: artifacts,
|
115
|
+
rule: rule,
|
116
|
+
options: options
|
117
|
+
)
|
118
|
+
out << payload_template.result
|
119
|
+
end.first
|
52
120
|
end
|
53
121
|
end
|
54
122
|
end
|
@@ -3,13 +3,15 @@
|
|
3
3
|
module Mihari
|
4
4
|
module Entities
|
5
5
|
class Alert < Grape::Entity
|
6
|
-
expose :id,
|
7
|
-
|
8
|
-
|
9
|
-
|
6
|
+
expose :id,
|
7
|
+
documentation: { type: String, required: true,
|
8
|
+
desc: "String representation of the ID" } do |alert, _options|
|
9
|
+
alert.id.to_s
|
10
|
+
end
|
11
|
+
expose :rule_id, documentation: { type: String, required: true }, as: :ruleId
|
10
12
|
expose :created_at, documentation: { type: DateTime, required: true }, as: :createdAt
|
11
13
|
|
12
|
-
expose :artifacts, using: Entities::
|
14
|
+
expose :artifacts, using: Entities::BaseArtifact, documentation: { type: Entities::BaseArtifact, is_array: true }
|
13
15
|
expose :tags, using: Entities::Tag, documentation: { type: Entities::Tag, is_array: true, required: true }
|
14
16
|
end
|
15
17
|
|
@@ -2,29 +2,41 @@
|
|
2
2
|
|
3
3
|
module Mihari
|
4
4
|
module Entities
|
5
|
-
class
|
6
|
-
expose :id,
|
5
|
+
class BaseArtifact < Grape::Entity
|
6
|
+
expose :id,
|
7
|
+
documentation: { type: String, required: true,
|
8
|
+
desc: "String representation of the ID" } do |artifact, _options|
|
9
|
+
artifact.id.to_s
|
10
|
+
end
|
7
11
|
expose :data, documentation: { type: String, required: true }
|
8
12
|
expose :data_type, documentation: { type: String, required: true }, as: :dataType
|
9
13
|
expose :source, documentation: { type: String, required: true }
|
10
14
|
expose :tags, documentation: { type: String, is_array: true }
|
11
15
|
|
12
16
|
expose :metadata, documentation: { type: Hash }
|
17
|
+
end
|
13
18
|
|
14
|
-
|
19
|
+
class Artifact < BaseArtifact
|
20
|
+
expose :autonomous_system, using: Entities::AutonomousSystem,
|
21
|
+
documentation: { type: Entities::AutonomousSystem, required: false }, as: :autonomousSystem
|
15
22
|
expose :geolocation, using: Entities::Geolocation, documentation: { type: Entities::Geolocation, required: false }
|
16
|
-
expose :whois_record, using: Entities::WhoisRecord,
|
23
|
+
expose :whois_record, using: Entities::WhoisRecord,
|
24
|
+
documentation: { type: Entities::WhoisRecord, required: false }, as: :whoisRecord
|
17
25
|
|
18
|
-
expose :reverse_dns_names, using: Entities::ReverseDnsName,
|
26
|
+
expose :reverse_dns_names, using: Entities::ReverseDnsName,
|
27
|
+
documentation: { type: Entities::ReverseDnsName, is_array: true, required: false }, as: :reverseDnsNames do |status, _options|
|
19
28
|
status.reverse_dns_names.empty? ? nil : status.reverse_dns_names
|
20
29
|
end
|
21
|
-
expose :dns_records, using: Entities::DnsRecord,
|
30
|
+
expose :dns_records, using: Entities::DnsRecord,
|
31
|
+
documentation: { type: Entities::DnsRecord, is_array: true, required: false }, as: :dnsRecords do |status, _options|
|
22
32
|
status.dns_records.empty? ? nil : status.dns_records
|
23
33
|
end
|
24
|
-
expose :ceps, using: Entities::CPE, documentation: { type: Entities::CPE, is_array: true, required: false },
|
34
|
+
expose :ceps, using: Entities::CPE, documentation: { type: Entities::CPE, is_array: true, required: false },
|
35
|
+
as: :cpes do |status, _options|
|
25
36
|
status.cpes.empty? ? nil : status.cpes
|
26
37
|
end
|
27
|
-
expose :ports, using: Entities::Port, documentation: { type: Entities::Port, is_array: true, required: false },
|
38
|
+
expose :ports, using: Entities::Port, documentation: { type: Entities::Port, is_array: true, required: false },
|
39
|
+
as: :ports do |status, _options|
|
28
40
|
status.ports.empty? ? nil : status.ports
|
29
41
|
end
|
30
42
|
end
|
@@ -2,15 +2,11 @@
|
|
2
2
|
|
3
3
|
module Mihari
|
4
4
|
module Entities
|
5
|
-
class
|
5
|
+
class Config < Grape::Entity
|
6
|
+
expose :name, documentation: { type: String, required: true }
|
6
7
|
expose :type, documentation: { type: String, required: true }
|
7
8
|
expose :values, documentation: { type: String, is_array: true, required: true }
|
8
9
|
expose :is_configured, documentation: { type: Grape::API::Boolean, required: true }, as: :isConfigured
|
9
10
|
end
|
10
|
-
|
11
|
-
class Config < Grape::Entity
|
12
|
-
expose :name, documentation: { type: String, required: true }
|
13
|
-
expose :status, using: Entities::ConfigStatus, documentation: { type: ConfigStatus, required: true }
|
14
|
-
end
|
15
11
|
end
|
16
12
|
end
|
data/lib/mihari/entities/rule.rb
CHANGED
@@ -14,9 +14,13 @@ module Mihari
|
|
14
14
|
|
15
15
|
class Rule < Grape::Entity
|
16
16
|
expose :id, documentation: { type: String, required: true }
|
17
|
+
expose :title, documentation: { type: String, required: true }
|
18
|
+
expose :description, documentation: { type: String, required: true }
|
17
19
|
expose :yaml, documentation: { type: String, required: true }
|
18
20
|
expose :created_at, documentation: { type: DateTime, required: true }, as: :createdAt
|
19
21
|
expose :updated_at, documentation: { type: DateTime, required: true }, as: :updatedAt
|
22
|
+
|
23
|
+
expose :tags, using: Entities::Tag, documentation: { type: Entities::Tag, is_array: true, required: true }
|
20
24
|
end
|
21
25
|
|
22
26
|
class RulesWithPagination < Grape::Entity
|
@@ -25,5 +29,9 @@ module Mihari
|
|
25
29
|
expose :current_page, documentation: { type: Integer, required: true }, as: :currentPage
|
26
30
|
expose :page_size, documentation: { type: Integer, required: true }, as: :pageSize
|
27
31
|
end
|
32
|
+
|
33
|
+
class RuleIDs < Grape::Entity
|
34
|
+
expose :rule_ids, documentation: { type: Array[String], required: true }, as: :ruleIds
|
35
|
+
end
|
28
36
|
end
|
29
37
|
end
|
data/lib/mihari/http.rb
CHANGED
@@ -4,10 +4,10 @@ require "insensitive_hash"
|
|
4
4
|
|
5
5
|
module Mihari
|
6
6
|
class HTTP
|
7
|
-
attr_reader :
|
7
|
+
attr_reader :url, :headers, :payload
|
8
8
|
|
9
|
-
def initialize(
|
10
|
-
@
|
9
|
+
def initialize(url, headers: {}, payload: {})
|
10
|
+
@url = url.is_a?(URI) ? url : URI(url.to_s)
|
11
11
|
@headers = headers.insensitive
|
12
12
|
@payload = payload
|
13
13
|
end
|
@@ -18,10 +18,10 @@ module Mihari
|
|
18
18
|
# @return [Net::HTTPResponse]
|
19
19
|
#
|
20
20
|
def get
|
21
|
-
|
22
|
-
|
21
|
+
new_url = url.deep_dup
|
22
|
+
new_url.query = Addressable::URI.form_encode(payload) unless payload.empty?
|
23
23
|
|
24
|
-
get = Net::HTTP::Get.new(
|
24
|
+
get = Net::HTTP::Get.new(new_url)
|
25
25
|
request get
|
26
26
|
end
|
27
27
|
|
@@ -31,7 +31,7 @@ module Mihari
|
|
31
31
|
# @return [Net::HTTPResponse]
|
32
32
|
#
|
33
33
|
def post
|
34
|
-
post = Net::HTTP::Post.new(
|
34
|
+
post = Net::HTTP::Post.new(url)
|
35
35
|
|
36
36
|
case content_type
|
37
37
|
when "application/json"
|
@@ -44,13 +44,13 @@ module Mihari
|
|
44
44
|
end
|
45
45
|
|
46
46
|
class << self
|
47
|
-
def get(
|
48
|
-
client = new(
|
47
|
+
def get(url, headers: {}, params: {})
|
48
|
+
client = new(url, headers: headers, payload: params)
|
49
49
|
client.get
|
50
50
|
end
|
51
51
|
|
52
|
-
def post(
|
53
|
-
client = new(
|
52
|
+
def post(url, headers: {}, payload: {})
|
53
|
+
client = new(url, headers: headers, payload: payload)
|
54
54
|
client.post
|
55
55
|
end
|
56
56
|
end
|
@@ -67,7 +67,7 @@ module Mihari
|
|
67
67
|
# @return [Hahs]
|
68
68
|
#
|
69
69
|
def https_options
|
70
|
-
return { use_ssl: true } if
|
70
|
+
return { use_ssl: true } if url.scheme == "https"
|
71
71
|
|
72
72
|
{}
|
73
73
|
end
|
@@ -80,7 +80,7 @@ module Mihari
|
|
80
80
|
# @return [Net::HTTPResponse]
|
81
81
|
#
|
82
82
|
def request(req)
|
83
|
-
Net::HTTP.start(
|
83
|
+
Net::HTTP.start(url.host, url.port, https_options) do |http|
|
84
84
|
# set headers
|
85
85
|
headers.each do |k, v|
|
86
86
|
req[k] = v
|
@@ -2,24 +2,24 @@
|
|
2
2
|
|
3
3
|
module Mihari
|
4
4
|
module Mixins
|
5
|
-
module
|
5
|
+
module FalsePositive
|
6
6
|
include Memist::Memoizable
|
7
7
|
|
8
8
|
#
|
9
|
-
# Normalize a
|
9
|
+
# Normalize a falsepositive value
|
10
10
|
#
|
11
|
-
# @param [String] value
|
11
|
+
# @param [String] value
|
12
12
|
#
|
13
|
-
# @return [String, Regexp]
|
13
|
+
# @return [String, Regexp]
|
14
14
|
#
|
15
|
-
def
|
15
|
+
def normalize_falsepositive(value)
|
16
16
|
return value if !value.start_with?("/") || !value.end_with?("/")
|
17
17
|
|
18
18
|
# if a value is surrounded by slashes, take it as a regexp
|
19
19
|
value_without_slashes = value[1..-2]
|
20
20
|
Regexp.compile value_without_slashes.to_s
|
21
21
|
end
|
22
|
-
memoize :
|
22
|
+
memoize :normalize_falsepositive
|
23
23
|
|
24
24
|
#
|
25
25
|
# Check whetehr a value is valid format as a disallowed data value
|
@@ -28,9 +28,9 @@ module Mihari
|
|
28
28
|
#
|
29
29
|
# @return [Boolean] true if it is valid, otherwise false
|
30
30
|
#
|
31
|
-
def
|
31
|
+
def valid_falsepositive?(value)
|
32
32
|
begin
|
33
|
-
|
33
|
+
normalize_falsepositive value
|
34
34
|
rescue RegexpError
|
35
35
|
return false
|
36
36
|
end
|
data/lib/mihari/models/alert.rb
CHANGED
@@ -28,20 +28,7 @@ module Mihari
|
|
28
28
|
relation = build_relation(filter.without_pagination)
|
29
29
|
|
30
30
|
alert_ids = relation.limit(limit).offset(offset).order(id: :desc).pluck(:id).uniq
|
31
|
-
eager_load(
|
32
|
-
{
|
33
|
-
artifacts: [
|
34
|
-
:autonomous_system,
|
35
|
-
:geolocation,
|
36
|
-
:whois_record,
|
37
|
-
:dns_records,
|
38
|
-
:reverse_dns_names,
|
39
|
-
:cpes,
|
40
|
-
:ports
|
41
|
-
]
|
42
|
-
},
|
43
|
-
:tags
|
44
|
-
).where(id: [alert_ids]).order(id: :desc)
|
31
|
+
eager_load(:artifacts, :tags).where(id: [alert_ids]).order(id: :desc)
|
45
32
|
end
|
46
33
|
|
47
34
|
#
|
@@ -83,7 +70,7 @@ module Mihari
|
|
83
70
|
relation = relation.where(artifacts: { id: artifact_ids }) unless artifact_ids.empty?
|
84
71
|
relation = relation.where(tags: { name: filter.tag_name }) if filter.tag_name
|
85
72
|
|
86
|
-
relation = relation.where(
|
73
|
+
relation = relation.where(rule_id: filter.rule_id) if filter.rule_id
|
87
74
|
relation = relation.where(title: filter.title) if filter.title
|
88
75
|
|
89
76
|
relation = relation.where("description LIKE ?", "%#{filter.description}%") if filter.description
|