mihari 4.12.0 → 5.0.1

Sign up to get free protection for your applications and to get access to all the features.
Files changed (148) hide show
  1. checksums.yaml +4 -4
  2. data/Steepfile +0 -1
  3. data/lib/mihari/analyzers/base.rb +18 -37
  4. data/lib/mihari/analyzers/rule.rb +23 -36
  5. data/lib/mihari/cli/main.rb +6 -11
  6. data/lib/mihari/commands/initializer.rb +47 -0
  7. data/lib/mihari/commands/searcher.rb +57 -0
  8. data/lib/mihari/commands/validator.rb +2 -2
  9. data/lib/mihari/constants.rb +3 -3
  10. data/lib/mihari/database.rb +52 -87
  11. data/lib/mihari/emitters/database.rb +16 -7
  12. data/lib/mihari/emitters/misp.rb +13 -5
  13. data/lib/mihari/emitters/slack.rb +15 -8
  14. data/lib/mihari/emitters/the_hive.rb +42 -21
  15. data/lib/mihari/emitters/webhook.rb +99 -31
  16. data/lib/mihari/entities/alert.rb +7 -5
  17. data/lib/mihari/entities/artifact.rb +20 -8
  18. data/lib/mihari/entities/config.rb +2 -6
  19. data/lib/mihari/entities/rule.rb +8 -0
  20. data/lib/mihari/http.rb +13 -13
  21. data/lib/mihari/mixins/{disallowed_data_value.rb → falsepositive.rb} +8 -8
  22. data/lib/mihari/models/alert.rb +2 -15
  23. data/lib/mihari/models/artifact.rb +28 -17
  24. data/lib/mihari/models/rule.rb +7 -13
  25. data/lib/mihari/schemas/emitter.rb +6 -8
  26. data/lib/mihari/schemas/rule.rb +11 -13
  27. data/lib/mihari/structs/config.rb +41 -0
  28. data/lib/mihari/structs/filters.rb +2 -2
  29. data/lib/mihari/structs/rule.rb +94 -85
  30. data/lib/mihari/templates/rule.yml.erb +5 -23
  31. data/lib/mihari/types.rb +1 -1
  32. data/lib/mihari/version.rb +1 -1
  33. data/lib/mihari/web/api.rb +0 -2
  34. data/lib/mihari/web/endpoints/alerts.rb +11 -3
  35. data/lib/mihari/web/endpoints/configs.rb +1 -6
  36. data/lib/mihari/web/endpoints/rules.rb +27 -15
  37. data/lib/mihari/web/public/assets/{fa-brands-400-b1d1c1b0.ttf → fa-brands-400-2ef6fdde.ttf} +0 -0
  38. data/lib/mihari/web/public/assets/fa-brands-400-f4617423.woff2 +0 -0
  39. data/lib/mihari/web/public/assets/fa-regular-400-12dea17b.ttf +0 -0
  40. data/lib/mihari/web/public/assets/fa-regular-400-7ba24c41.woff2 +0 -0
  41. data/lib/mihari/web/public/assets/fa-solid-900-67a880b4.ttf +0 -0
  42. data/lib/mihari/web/public/assets/fa-solid-900-e2c5cf54.woff2 +0 -0
  43. data/lib/mihari/web/public/assets/fa-v4compatibility-7c377405.woff2 +0 -0
  44. data/lib/mihari/web/public/assets/fa-v4compatibility-8d9500e8.ttf +0 -0
  45. data/lib/mihari/web/public/assets/{index-07aa1ba2.css → index-625e95fe.css} +3 -3
  46. data/lib/mihari/web/public/assets/index-63900d73.js +50 -0
  47. data/lib/mihari/web/public/index.html +2 -2
  48. data/lib/mihari/web/public/redoc-static.html +26 -27
  49. data/lib/mihari.rb +11 -21
  50. data/mihari.gemspec +4 -4
  51. metadata +25 -111
  52. data/lib/mihari/cli/init.rb +0 -11
  53. data/lib/mihari/cli/validator.rb +0 -11
  54. data/lib/mihari/commands/init.rb +0 -51
  55. data/lib/mihari/commands/search.rb +0 -63
  56. data/lib/mihari/emitters/http.rb +0 -127
  57. data/lib/mihari/entities/source.rb +0 -9
  58. data/lib/mihari/status.rb +0 -55
  59. data/lib/mihari/web/endpoints/sources.rb +0 -19
  60. data/lib/mihari/web/public/assets/fa-brands-400-c61287c2.woff2 +0 -0
  61. data/lib/mihari/web/public/assets/fa-regular-400-5da313b0.woff2 +0 -0
  62. data/lib/mihari/web/public/assets/fa-regular-400-d7b19fe2.ttf +0 -0
  63. data/lib/mihari/web/public/assets/fa-solid-900-8f06540f.woff2 +0 -0
  64. data/lib/mihari/web/public/assets/fa-solid-900-e4f6a7e9.ttf +0 -0
  65. data/lib/mihari/web/public/assets/fa-v4compatibility-2ddb3b41.ttf +0 -0
  66. data/lib/mihari/web/public/assets/fa-v4compatibility-f46715c9.woff2 +0 -0
  67. data/lib/mihari/web/public/assets/index-a7fe697b.js +0 -63
  68. data/sig/lib/mihari/analyzers/base.rbs +0 -90
  69. data/sig/lib/mihari/analyzers/binaryedge.rbs +0 -26
  70. data/sig/lib/mihari/analyzers/censys.rbs +0 -41
  71. data/sig/lib/mihari/analyzers/circl.rbs +0 -31
  72. data/sig/lib/mihari/analyzers/crtsh.rbs +0 -17
  73. data/sig/lib/mihari/analyzers/dnpedia.rbs +0 -15
  74. data/sig/lib/mihari/analyzers/dnstwister.rbs +0 -25
  75. data/sig/lib/mihari/analyzers/feed.rbs +0 -20
  76. data/sig/lib/mihari/analyzers/onyphe.rbs +0 -34
  77. data/sig/lib/mihari/analyzers/otx.rbs +0 -33
  78. data/sig/lib/mihari/analyzers/passivetotal.rbs +0 -35
  79. data/sig/lib/mihari/analyzers/pulsedive.rbs +0 -27
  80. data/sig/lib/mihari/analyzers/rule.rbs +0 -68
  81. data/sig/lib/mihari/analyzers/securitytrails.rbs +0 -33
  82. data/sig/lib/mihari/analyzers/shodan.rbs +0 -36
  83. data/sig/lib/mihari/analyzers/urlscan.rbs +0 -31
  84. data/sig/lib/mihari/analyzers/virustotal.rbs +0 -31
  85. data/sig/lib/mihari/analyzers/virustotal_intelligence.rbs +0 -33
  86. data/sig/lib/mihari/analyzers/zoomeye.rbs +0 -35
  87. data/sig/lib/mihari/cli/base.rbs +0 -9
  88. data/sig/lib/mihari/cli/init.rbs +0 -7
  89. data/sig/lib/mihari/cli/main.rbs +0 -9
  90. data/sig/lib/mihari/cli/validator.rbs +0 -7
  91. data/sig/lib/mihari/commands/init.rbs +0 -9
  92. data/sig/lib/mihari/commands/json.rbs +0 -7
  93. data/sig/lib/mihari/commands/search.rbs +0 -35
  94. data/sig/lib/mihari/commands/validator.rbs +0 -9
  95. data/sig/lib/mihari/commands/web.rbs +0 -7
  96. data/sig/lib/mihari/constants.rbs +0 -5
  97. data/sig/lib/mihari/database.rbs +0 -25
  98. data/sig/lib/mihari/emitters/base.rbs +0 -18
  99. data/sig/lib/mihari/emitters/database.rbs +0 -9
  100. data/sig/lib/mihari/emitters/http.rbs +0 -35
  101. data/sig/lib/mihari/emitters/misp.rbs +0 -34
  102. data/sig/lib/mihari/emitters/slack.rbs +0 -73
  103. data/sig/lib/mihari/emitters/stdout.rbs +0 -9
  104. data/sig/lib/mihari/emitters/the_hive.rbs +0 -32
  105. data/sig/lib/mihari/emitters/webhook.rbs +0 -20
  106. data/sig/lib/mihari/enrichers/base.rbs +0 -12
  107. data/sig/lib/mihari/enrichers/google_public_dns.rbs +0 -18
  108. data/sig/lib/mihari/enrichers/ipinfo.rbs +0 -16
  109. data/sig/lib/mihari/errors.rbs +0 -10
  110. data/sig/lib/mihari/feed/parser.rbs +0 -11
  111. data/sig/lib/mihari/feed/reader.rbs +0 -56
  112. data/sig/lib/mihari/http.rbs +0 -64
  113. data/sig/lib/mihari/mixins/autonomous_system.rbs +0 -14
  114. data/sig/lib/mihari/mixins/configurable.rbs +0 -30
  115. data/sig/lib/mihari/mixins/configuration.rbs +0 -45
  116. data/sig/lib/mihari/mixins/disallowed_data_value.rbs +0 -23
  117. data/sig/lib/mihari/mixins/error_notification.rbs +0 -12
  118. data/sig/lib/mihari/mixins/hash.rbs +0 -14
  119. data/sig/lib/mihari/mixins/refang.rbs +0 -14
  120. data/sig/lib/mihari/mixins/retriable.rbs +0 -15
  121. data/sig/lib/mihari/models/alert.rbs +0 -18
  122. data/sig/lib/mihari/models/artifact.rbs +0 -69
  123. data/sig/lib/mihari/models/autonomous_system.rbs +0 -14
  124. data/sig/lib/mihari/models/cpe.rbs +0 -7
  125. data/sig/lib/mihari/models/dns.rbs +0 -19
  126. data/sig/lib/mihari/models/geolocation.rbs +0 -15
  127. data/sig/lib/mihari/models/port.rbs +0 -7
  128. data/sig/lib/mihari/models/reverse_dns.rbs +0 -14
  129. data/sig/lib/mihari/models/rule.rbs +0 -17
  130. data/sig/lib/mihari/models/tag.rbs +0 -5
  131. data/sig/lib/mihari/models/tagging.rbs +0 -4
  132. data/sig/lib/mihari/models/whois.rbs +0 -66
  133. data/sig/lib/mihari/status.rbs +0 -25
  134. data/sig/lib/mihari/structs/censys.rbs +0 -58
  135. data/sig/lib/mihari/structs/filters.rbs +0 -40
  136. data/sig/lib/mihari/structs/google_public_dns.rbs +0 -21
  137. data/sig/lib/mihari/structs/greynoise.rbs +0 -30
  138. data/sig/lib/mihari/structs/ipinfo.rbs +0 -17
  139. data/sig/lib/mihari/structs/onyphe.rbs +0 -25
  140. data/sig/lib/mihari/structs/rule.rbs +0 -57
  141. data/sig/lib/mihari/structs/shodan.rbs +0 -30
  142. data/sig/lib/mihari/structs/urlscan.rbs +0 -28
  143. data/sig/lib/mihari/structs/virustotal_intelligence.rbs +0 -33
  144. data/sig/lib/mihari/type_checker.rbs +0 -48
  145. data/sig/lib/mihari/types.rbs +0 -23
  146. data/sig/lib/mihari/version.rbs +0 -3
  147. data/sig/lib/mihari/web/app.rbs +0 -5
  148. data/sig/lib/mihari.rbs +0 -54
@@ -25,8 +25,12 @@ module Mihari
25
25
 
26
26
  validates_with ArtifactValidator
27
27
 
28
+ # @return [Array<Mihari::Tag>] Tags
28
29
  attr_accessor :tags
29
30
 
31
+ # @return [String, nil] Rule ID
32
+ attr_accessor :rule_id
33
+
30
34
  def initialize(*args, **kwargs)
31
35
  attrs = args.first || kwargs
32
36
  data_ = attrs[:data]
@@ -36,27 +40,34 @@ module Mihari
36
40
  super(*args, **kwargs)
37
41
 
38
42
  self.data_type = TypeChecker.type(data)
39
- self.tags = []
43
+
44
+ @tags = []
45
+ @rule_id = ""
40
46
  end
41
47
 
42
48
  #
43
49
  # Check uniqueness of artifact
44
50
  #
45
- # @param [Boolean] ignore_old_artifacts
46
- # @param [Integer] ignore_threshold
51
+ # @param [Time, nil] base_time Base time to check decaying
52
+ # @param [Integer, nil] artifact_lifetime Artifact lifetime (TTL) in seconds
47
53
  #
48
54
  # @return [Boolean] true if it is unique. Otherwise false.
49
55
  #
50
- def unique?(ignore_old_artifacts: false, ignore_threshold: 0)
51
- artifact = self.class.where(data: data).order(created_at: :desc).first
56
+ def unique?(base_time: nil, artifact_lifetime: nil)
57
+ artifact = self.class.joins(:alert).where(
58
+ data: data,
59
+ alert: { rule_id: rule_id }
60
+ ).order(created_at: :desc).first
52
61
  return true if artifact.nil?
53
62
 
54
- return false unless ignore_old_artifacts
63
+ # check whetehr the artifact is decayed or not
64
+ return false if artifact_lifetime.nil?
65
+
66
+ # use the current UTC time if base_time is not given (for testing)
67
+ base_time ||= Time.now.utc
55
68
 
56
- days_before = (-ignore_threshold).days.from_now.utc
57
- # if an artifact is created before {ignore_threshold} days, ignore it
58
- # within {ignore_threshold} days, do not ignore it
59
- artifact.created_at < days_before
69
+ decayed_at = base_time - (artifact_lifetime || -1).seconds
70
+ artifact.created_at < decayed_at
60
71
  end
61
72
 
62
73
  #
@@ -139,14 +150,14 @@ module Mihari
139
150
  whois: [
140
151
  :enrich_whois
141
152
  ],
142
- ipinfo: [
143
- :enrich_autonomous_system,
144
- :enrich_geolocation
153
+ ipinfo: %i[
154
+ enrich_autonomous_system
155
+ enrich_geolocation
145
156
  ],
146
- shodan: [
147
- :enrich_ports,
148
- :enrich_cpes,
149
- :enrich_reverse_dns
157
+ shodan: %i[
158
+ enrich_ports
159
+ enrich_cpes
160
+ enrich_reverse_dns
150
161
  ],
151
162
  google_public_dns: [
152
163
  :enrich_dns
@@ -4,24 +4,18 @@ require "yaml"
4
4
 
5
5
  module Mihari
6
6
  class Rule < ActiveRecord::Base
7
- has_many :alerts, foreign_key: :source
7
+ has_many :alerts, dependent: :destroy
8
8
 
9
9
  def symbolized_data
10
10
  @symbolized_data ||= data.deep_symbolize_keys
11
11
  end
12
12
 
13
- #
14
- # Returns a hash representative
15
- #
16
- # @return [Hash]
17
- #
18
- def to_h
19
- {
20
- id: id,
21
- yaml: yaml || data.to_yaml,
22
- created_at: created_at,
23
- updated_at: updated_at
24
- }
13
+ def yaml
14
+ data.to_yaml
15
+ end
16
+
17
+ def tags
18
+ (data["tags"] || []).map { |tag| { name: tag } }
25
19
  end
26
20
 
27
21
  class << self
@@ -2,20 +2,18 @@
2
2
 
3
3
  module Mihari
4
4
  module Schemas
5
- Emitter = Dry::Schema.Params do
6
- required(:emitter).value(Types::EmitterTypes)
5
+ Database = Dry::Schema.Params do
6
+ required(:emitter).value(Types::String.enum("database"))
7
7
  end
8
8
 
9
9
  MISP = Dry::Schema.Params do
10
10
  required(:emitter).value(Types::String.enum("misp"))
11
- optional(:api_endpoint).value(:string)
12
11
  optional(:url).value(:string)
13
12
  optional(:api_key).value(:string)
14
13
  end
15
14
 
16
15
  TheHive = Dry::Schema.Params do
17
16
  required(:emitter).value(Types::String.enum("the_hive"))
18
- optional(:api_endpoint).value(:string)
19
17
  optional(:url).value(:string)
20
18
  optional(:api_key).value(:string)
21
19
  optional(:api_version).value(Types::String.enum("v4", "v5")).default("v4")
@@ -27,11 +25,11 @@ module Mihari
27
25
  optional(:channel).value(:string)
28
26
  end
29
27
 
30
- HTTP = Dry::Schema.Params do
31
- required(:emitter).value(Types::String.enum("http"))
28
+ Webhook = Dry::Schema.Params do
29
+ required(:emitter).value(Types::String.enum("webhook"))
32
30
  required(:url).value(:string)
33
- optional(:http_request_method).value(Types::HTTPRequestMethods).default("POST")
34
- optional(:http_request_headers).value(:hash).default({})
31
+ optional(:method).value(Types::HTTPRequestMethods).default("POST")
32
+ optional(:headers).value(:hash).default({})
35
33
  optional(:template).value(:string)
36
34
  end
37
35
  end
@@ -7,18 +7,17 @@ require "mihari/schemas/enricher"
7
7
  module Mihari
8
8
  module Schemas
9
9
  Rule = Dry::Schema.Params do
10
+ required(:id).value(:string)
10
11
  required(:title).value(:string)
11
12
  required(:description).value(:string)
12
13
 
13
14
  optional(:tags).value(array[:string]).default([])
14
- optional(:id).value(:string)
15
15
 
16
- optional(:status).value(:string)
17
-
18
- optional(:related).value(array[:string])
16
+ optional(:author).value(:string)
19
17
  optional(:references).value(array[:string])
18
+ optional(:related).value(array[:string])
19
+ optional(:status).value(:string)
20
20
 
21
- optional(:author).value(:string)
22
21
  optional(:created_on).value(:date)
23
22
  optional(:updated_on).value(:date)
24
23
 
@@ -26,15 +25,14 @@ module Mihari
26
25
  AnalyzerWithoutAPIKey | AnalyzerWithAPIKey | Censys | CIRCL | PassiveTotal | ZoomEye | Urlscan | Crtsh | Feed
27
26
  end
28
27
 
29
- optional(:emitters).value(:array).each { Emitter | MISP | TheHive | Slack | HTTP }
28
+ optional(:emitters).value(:array).each { Database | MISP | TheHive | Slack | Webhook }
30
29
 
31
30
  optional(:enrichers).value(:array).each(Enricher)
32
31
 
33
- optional(:allowed_data_types).value(array[Types::DataTypes]).default(ALLOWED_DATA_TYPES)
34
- optional(:disallowed_data_values).value(array[:string]).default([])
32
+ optional(:data_types).value(array[Types::DataTypes]).default(DEFAULT_DATA_TYPES)
33
+ optional(:falsepositives).value(array[:string]).default([])
35
34
 
36
- optional(:ignore_old_artifacts).value(:bool).default(false)
37
- optional(:ignore_threshold).value(:integer).default(0)
35
+ optional(:artifact_lifetime).value(:integer)
38
36
 
39
37
  before(:key_coercer) do |result|
40
38
  # it looks like that dry-schema v1.9.1 has an issue with setting an array of schemas as a default value
@@ -53,13 +51,13 @@ module Mihari
53
51
  end
54
52
 
55
53
  class RuleContract < Dry::Validation::Contract
56
- include Mihari::Mixins::DisallowedDataValue
54
+ include Mihari::Mixins::FalsePositive
57
55
 
58
56
  params(Rule)
59
57
 
60
- rule(:disallowed_data_values) do
58
+ rule(:falsepositives) do
61
59
  value.each do |v|
62
- key.failure("#{v} is not a valid format.") unless valid_disallowed_data_value?(v)
60
+ key.failure("#{v} is not a valid format.") unless valid_falsepositive?(v)
63
61
  end
64
62
  end
65
63
  end
@@ -0,0 +1,41 @@
1
+ # frozen_string_literal: true
2
+
3
+ module Mihari
4
+ module Structs
5
+ class Config < Dry::Struct
6
+ attribute :name, Types::String
7
+ attribute :type, Types::String
8
+ attribute :is_configured, Types::Bool
9
+ attribute :values, Types.Array(Types::Hash).optional
10
+
11
+ #
12
+ # @param [Class<Mihari::Analyzers::Base>, Class<Mihari::Emitters::Base>] klass
13
+ #
14
+ # @return [Mihari::Structs::Config, nil] config
15
+ #
16
+ def self.from_class(klass)
17
+ return nil if klass == Mihari::Analyzers::Rule
18
+
19
+ name = klass.to_s.split("::").last.to_s
20
+
21
+ is_analyzer = klass.ancestors.include?(Mihari::Analyzers::Base)
22
+ is_emitter = klass.ancestors.include?(Mihari::Emitters::Base)
23
+ is_enricher = klass.ancestors.include?(Mihari::Enrichers::Base)
24
+
25
+ type = "Analyzer"
26
+ type = "Emitter" if is_emitter
27
+ type = "Enricher" if is_enricher
28
+
29
+ begin
30
+ instance = is_analyzer ? klass.new("dummy") : klass.new
31
+ is_configured = instance.configured?
32
+ values = instance.configuration_values
33
+
34
+ new(name: name, values: values, is_configured: is_configured, type: type)
35
+ rescue ArgumentError => _e
36
+ nil
37
+ end
38
+ end
39
+ end
40
+ end
41
+ end
@@ -7,7 +7,7 @@ module Mihari
7
7
  class SearchFilter < Dry::Struct
8
8
  attribute? :artifact_data, Types::String.optional
9
9
  attribute? :description, Types::String.optional
10
- attribute? :source, Types::String.optional
10
+ attribute? :rule_id, Types::String.optional
11
11
  attribute? :tag_name, Types::String.optional
12
12
  attribute? :title, Types::String.optional
13
13
  attribute? :from_at, Types::DateTime.optional
@@ -30,7 +30,7 @@ module Mihari
30
30
  artifact_data: artifact_data,
31
31
  description: description,
32
32
  from_at: from_at,
33
- source: source,
33
+ rule_id: rule_id,
34
34
  tag_name: tag_name,
35
35
  title: title,
36
36
  to_at: to_at,
@@ -4,6 +4,7 @@ require "date"
4
4
  require "erb"
5
5
  require "json"
6
6
  require "pathname"
7
+ require "securerandom"
7
8
  require "yaml"
8
9
 
9
10
  module Mihari
@@ -12,24 +13,16 @@ module Mihari
12
13
  # @return [Hash]
13
14
  attr_reader :data
14
15
 
15
- # @return [String]
16
- attr_reader :yaml
17
-
18
16
  # @return [Array, nil]
19
17
  attr_reader :errors
20
18
 
21
- # @return [String]
22
- attr_writer :id
23
-
24
19
  #
25
20
  # Initialize
26
21
  #
27
22
  # @param [Hash] data
28
- # @param [String] yaml
29
23
  #
30
- def initialize(data, yaml)
24
+ def initialize(data)
31
25
  @data = data.deep_symbolize_keys
32
- @yaml = yaml
33
26
 
34
27
  @errors = nil
35
28
 
@@ -70,7 +63,7 @@ module Mihari
70
63
  # @return [String]
71
64
  #
72
65
  def id
73
- @id ||= data[:id] || UUIDTools::UUID.md5_create(UUIDTools::UUID_URL_NAMESPACE, data.to_yaml).to_s
66
+ @id ||= data[:id]
74
67
  end
75
68
 
76
69
  #
@@ -87,16 +80,71 @@ module Mihari
87
80
  @description ||= data[:description]
88
81
  end
89
82
 
83
+ #
84
+ # @return [String]
85
+ #
86
+ def yaml
87
+ @yaml ||= data.deep_stringify_keys.to_yaml
88
+ end
89
+
90
+ #
91
+ # @return [Array<Hash>]
92
+ #
93
+ def queries
94
+ @queries ||= data[:queries]
95
+ end
96
+
97
+ #
98
+ # @return [Array<String>]
99
+ #
100
+ def data_types
101
+ @data_types ||= data[:data_types]
102
+ end
103
+
104
+ #
105
+ # @return [Array<String>]
106
+ #
107
+ def tags
108
+ @tags ||= data[:tags]
109
+ end
110
+
111
+ #
112
+ # @return [Array<String>]
113
+ #
114
+ def falsepositives
115
+ @falsepositives ||= data[:falsepositives]
116
+ end
117
+
118
+ #
119
+ # @return [Array<Hash>]
120
+ #
121
+ def emitters
122
+ @emitters ||= data[:emitters]
123
+ end
124
+
125
+ #
126
+ # @return [Array<Hash>]
127
+ #
128
+ def enrichers
129
+ @enrichers ||= data[:enrichers]
130
+ end
131
+
132
+ #
133
+ # @return [Integer, nil]
134
+ #
135
+ def artifact_lifetime
136
+ @artifact_lifetime ||= data[:artifact_lifetime]
137
+ end
138
+
90
139
  #
91
140
  # @return [Mihari::Rule]
92
141
  #
93
- def to_model
142
+ def model
94
143
  rule = Mihari::Rule.find(id)
95
144
 
96
145
  rule.title = title
97
146
  rule.description = description
98
147
  rule.data = data
99
- rule.yaml = yaml
100
148
 
101
149
  rule
102
150
  rescue ActiveRecord::RecordNotFound
@@ -104,118 +152,79 @@ module Mihari
104
152
  id: id,
105
153
  title: title,
106
154
  description: description,
107
- data: data,
108
- yaml: yaml
155
+ data: data
109
156
  )
110
157
  end
111
158
 
112
159
  #
113
160
  # @return [Mihari::Analyzers::Rule]
114
161
  #
115
- def to_analyzer
116
- analyzer = Mihari::Analyzers::Rule.new(
117
- title: self[:title],
118
- description: self[:description],
119
- tags: self[:tags],
120
- queries: self[:queries],
121
- allowed_data_types: self[:allowed_data_types],
122
- disallowed_data_values: self[:disallowed_data_values],
123
- emitters: self[:emitters],
124
- enrichers: self[:enrichers],
125
- id: id
126
- )
127
- analyzer.ignore_old_artifacts = self[:ignore_old_artifacts]
128
- analyzer.ignore_threshold = self[:ignore_threshold]
129
-
130
- analyzer
162
+ def analyzer
163
+ Mihari::Analyzers::Rule.new(rule: self)
131
164
  end
132
165
 
133
166
  class << self
134
- include Mixins::Database
135
-
136
167
  #
137
- # @param [Mihari::Rule] model
138
- #
139
- # @return [Mihari::Structs::Rule]
140
- #
141
- def from_model(model)
142
- data = model.data.deep_symbolize_keys
143
- # set ID if YAML data do not have ID
144
- data[:id] = model.id unless data.key?(:id)
145
-
146
- Structs::Rule.new(data, model.yaml)
147
- end
148
-
168
+ # Load rule from YAML string
149
169
  #
150
170
  # @param [String] yaml
151
171
  #
152
172
  # @return [Mihari::Structs::Rule]
153
- # @param [String, nil] id
154
173
  #
155
- def from_yaml(yaml, id: nil)
156
- data = load_erb_yaml(yaml)
157
- # set ID if id is given & YAML data do not have ID
158
- data[:id] = id if !id.nil? && !data.key?(:id)
159
-
160
- Structs::Rule.new(data, yaml)
174
+ def from_yaml(yaml)
175
+ Structs::Rule.new YAML.safe_load(ERB.new(yaml).result, permitted_classes: [Date, Symbol])
176
+ rescue Psych::SyntaxError => e
177
+ raise YAMLSyntaxError, e.message
161
178
  end
162
179
 
163
180
  #
164
- # @param [String] path_or_id Path to YAML file or YAML string or ID of a rule in the database
181
+ # @param [Mihari::Rule] model
165
182
  #
166
183
  # @return [Mihari::Structs::Rule]
167
184
  #
168
- def from_path_or_id(path_or_id)
169
- yaml = nil
170
-
171
- yaml = load_yaml_from_file(path_or_id) if File.exist?(path_or_id)
172
- yaml = load_yaml_from_db(path_or_id) if yaml.nil?
173
-
174
- Structs::Rule.from_yaml yaml
185
+ def from_model(model)
186
+ Structs::Rule.new(model.data)
175
187
  end
176
188
 
177
- private
178
-
179
189
  #
180
- # Load ERR templated YAML
190
+ # Load a rule from path
181
191
  #
182
- # @param [String] yaml
192
+ # @param [String] path
183
193
  #
184
- # @return [Hash]
194
+ # @return [Mihari::Structs::Rule, nil]
185
195
  #
186
- def load_erb_yaml(yaml)
187
- YAML.safe_load(ERB.new(yaml).result, permitted_classes: [Date, Symbol], symbolize_names: true)
188
- rescue Psych::SyntaxError => e
189
- raise YAMLSyntaxError, e.message
196
+ def from_path(path)
197
+ return nil unless Pathname(path).exist?
198
+
199
+ from_yaml File.read(path)
190
200
  end
191
201
 
192
202
  #
193
- # Load YAML string from path
203
+ # Load a rule from DB
194
204
  #
195
- # @param [String] path
205
+ # @param [String] id
196
206
  #
197
- # @return [String, nil]
207
+ # @return [Mihari::Structs::Rule, nil]
198
208
  #
199
- def load_yaml_from_file(path)
200
- return nil unless Pathname(path).exist?
209
+ def from_id(id)
210
+ return nil unless Mihari::Rule.exists?(id)
201
211
 
202
- File.read path
212
+ Structs::Rule.from_model Mihari::Rule.find(id)
203
213
  end
204
214
 
205
215
  #
206
- # Load YAML string from the database
207
- #
208
- # @param [String] id <description>
216
+ # @param [String] path_or_id Path to YAML file or YAML string or ID of a rule in the database
209
217
  #
210
- # @return [Hash]
218
+ # @return [Mihari::Structs::Rule]
211
219
  #
212
- def load_yaml_from_db(id)
213
- with_db_connection do
214
- rule = Mihari::Rule.find(id)
215
- rule.yaml || rule.symbolized_data.to_yaml
216
- rescue ActiveRecord::RecordNotFound
217
- raise ArgumentError, "ID:#{id} is not found in the database"
218
- end
220
+ def from_path_or_id(path_or_id)
221
+ rule = from_path(path_or_id)
222
+ return rule unless rule.nil?
223
+
224
+ rule = from_id(path_or_id)
225
+ return rule unless rule.nil?
226
+
227
+ raise ArgumentError, "#{path_or_id} does not exist"
219
228
  end
220
229
  end
221
230
  end
@@ -1,23 +1,5 @@
1
- title: ... # String (required)
2
- description: ... # String (required)
3
-
4
- id: ... # String (optional)
5
- author: ... # String (optional)
6
- created_on: <%= Date.today %> # Date (optional)
7
- updated_on: <%= Date.today %> # Date (optional)
8
-
9
- tags: [] # Array<String> (Optional, defaults to [])
10
- allowed_data_types: # Array<String> (Optional, defaults to ["hash", "ip", "domain", "url", "mail"])
11
- - hash
12
- - ip
13
- - domain
14
- - url
15
- - mail
16
- disallowed_data_values: [] # Array<String> (Optional, defaults to [])
17
-
18
- ignore_old_artifacts: true # Whether to ignore old artifacts from checking or not (Optional, defaults to true)
19
- ignore_threshold: 0 # Number of days to define whether an artifact is old or not (Optional, defaults to 0)
20
-
21
- queries: # Array<Hash> (required)
22
- - analyzer: shodan # String (required)
23
- query: ... # String (required)
1
+ id: <%= SecureRandom.uuid %>
2
+ title: Title goes here
3
+ description: Description goes here
4
+ created_on: <%= Date.today %>
5
+ queries: []
data/lib/mihari/types.rb CHANGED
@@ -12,7 +12,7 @@ module Mihari
12
12
  Double = Strict::Float | Strict::Integer
13
13
  DateTime = Strict::DateTime
14
14
 
15
- DataTypes = Types::String.enum(*ALLOWED_DATA_TYPES)
15
+ DataTypes = Types::String.enum(*DEFAULT_DATA_TYPES)
16
16
 
17
17
  HTTPRequestMethods = Types::String.enum("GET", "POST")
18
18
  HTTPRequestPayloadTypes = Types::String.enum("application/json", "application/x-www-form-urlencoded")
@@ -1,5 +1,5 @@
1
1
  # frozen_string_literal: true
2
2
 
3
3
  module Mihari
4
- VERSION = "4.12.0"
4
+ VERSION = "5.0.1"
5
5
  end
@@ -6,7 +6,6 @@ require "mihari/web/endpoints/artifacts"
6
6
  require "mihari/web/endpoints/configs"
7
7
  require "mihari/web/endpoints/ip_addresses"
8
8
  require "mihari/web/endpoints/rules"
9
- require "mihari/web/endpoints/sources"
10
9
  require "mihari/web/endpoints/tags"
11
10
 
12
11
  module Mihari
@@ -19,7 +18,6 @@ module Mihari
19
18
  mount Endpoints::Configs
20
19
  mount Endpoints::IPAddresses
21
20
  mount Endpoints::Rules
22
- mount Endpoints::Sources
23
21
  mount Endpoints::Tags
24
22
 
25
23
  add_swagger_documentation(api_version: "v1", info: { title: "Mihari API" })
@@ -6,7 +6,7 @@ module Mihari
6
6
  namespace :alerts do
7
7
  desc "Search alerts", {
8
8
  is_array: true,
9
- success: Entities::Alert,
9
+ success: Entities::AlertsWithPagination,
10
10
  failure: [{ code: 404, message: "Not found", model: Entities::Message }],
11
11
  summary: "Search alerts"
12
12
  }
@@ -15,7 +15,7 @@ module Mihari
15
15
 
16
16
  optional :artifact, type: String
17
17
  optional :description, type: String
18
- optional :source, type: String
18
+ optional :rule_id, type: String
19
19
  optional :tag, type: String
20
20
  optional :title, type: String
21
21
 
@@ -47,7 +47,15 @@ module Mihari
47
47
  alerts = Mihari::Alert.search(search_filter_with_pagenation)
48
48
  total = Mihari::Alert.count(search_filter_with_pagenation.without_pagination)
49
49
 
50
- present({ alerts: alerts, total: total, current_page: page, page_size: limit }, with: Entities::AlertsWithPagination)
50
+ present(
51
+ {
52
+ alerts: alerts,
53
+ total: total,
54
+ current_page: page,
55
+ page_size: limit
56
+ },
57
+ with: Entities::AlertsWithPagination
58
+ )
51
59
  end
52
60
 
53
61
  desc "Delete an alert", {
@@ -10,12 +10,7 @@ module Mihari
10
10
  summary: "Get configs"
11
11
  }
12
12
  get "/" do
13
- statuses = Status.check
14
-
15
- configs = statuses.map do |key, value|
16
- { name: key, status: value }
17
- end
18
- present(configs, with: Entities::Config)
13
+ present(Mihari.configs, with: Entities::Config)
19
14
  end
20
15
  end
21
16
  end