RubyGems - mihari - Versions diffs - 4.5.1 → 4.6.0 - Mend

mihari 4.5.1 → 4.6.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (42) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: dd4057ff69b6e8ee676c7ebf7e672b6830d26a02e22ebe372d2786f5220ae8d3
-  data.tar.gz: 202c7bce234c823fb10fe40fc1f7af2c25d676f587871d0a49740fd8f3af4325
+  metadata.gz: 1f340898bd140d76041cde8c5cb266bcb379f056bac511fcd9de9a4dd20fc299
+  data.tar.gz: fb96310ecb6efb1dd5059feea692a8128bdff3610579473134653979c2f0512c
 SHA512:
-  metadata.gz: ed3c42b58a305f20e7d981a1ae5e19d6efe493d7252645cf54f78c16fe38607305497e983f80d1d04ab8964f0166f19ace1ba62bece5ecdeadb0b6041d4be49f
-  data.tar.gz: 12966b0cc1143bcff8e9a44dd5904c7fa70c234f26613df35e5be162c5e18805e15adb1a8fd1ddd8c1ad84d221b528d411daa29b764e67eed4357a86f6bf0cc7
+  metadata.gz: 8d9758d027fc056f52be261fb2d7c6fa81dc402d4f47c01a8e49c93e1bc084a501af74c0e51c73ac2967c7795529130f1c34801661f1a9935075e197eaf446b0
+  data.tar.gz: e48d29aa3756a260cc273f9b05e65aa28e6e9e67f377fcc9c4ff722931f7789f363478c9a33470aea41a1bd72a9c9e73c05b76583d52bdb80096c2fdaf627b54

data/lib/mihari/analyzers/rule.rb CHANGED Viewed

@@ -127,9 +127,12 @@ module Mihari
       # @return [Boolean]
       #
       def disallowed_data_value?(value)
-        normalized_disallowed_data_values.any? do |disallowed_data_value|
-          return value == disallowed_data_value if disallowed_data_value.is_a?(String)
-          return disallowed_data_value.match?(value) if disallowed_data_value.is_a?(Regexp)
+        return true if normalized_disallowed_data_values.include?(value)
+        normalized_disallowed_data_values.select do |disallowed_data_value|
+          disallowed_data_value.is_a?(Regexp)
+        end.any? do |disallowed_data_value|
+          disallowed_data_value.match?(value)
         end
       end

data/lib/mihari/emitters/the_hive.rb CHANGED Viewed

@@ -11,11 +11,15 @@ module Mihari
       # @return [String, nil]
       attr_reader :api_key
+      # @return [String, nil]
+      attr_reader :api_version
       def initialize(*args, **kwargs)
         super(*args, **kwargs)
         @api_endpoint = kwargs[:api_endpoint] || Mihari.config.thehive_api_endpoint
         @api_key = kwargs[:api_key] || Mihari.config.thehive_api_key
+        @api_version = kwargs[:api_version] || Mihari.config.thehive_api_version
       end
       # @return [Boolean]
@@ -26,14 +30,28 @@ module Mihari
       def emit(title:, description:, artifacts:, tags: [], **_options)
         return if artifacts.empty?
-        api.alert.create(
-          title: title,
-          description: description,
-          artifacts: artifacts.map { |artifact| { data: artifact.data, data_type: artifact.data_type, message: description } },
-          tags: tags,
-          type: "external",
-          source: "mihari"
-        )
+        payload = payload(title: title, description: description, artifacts: artifacts, tags: tags)
+        api.alert.create(**payload)
+      end
+      #
+      # Normalize API version for API client
+      #
+      # @param [String] version
+      #
+      # @return [String, nil]
+      #
+      def normalized_api_version
+        @normalized_api_version ||= [].tap do |out|
+          # v4 does not have version prefix in path (/api/)
+          # v5 has version prefix in path (/api/v1/)
+          table = {
+            "" => nil,
+            "v4" => nil,
+            "v5" => "v1"
+          }
+          out << table[api_version.to_s.downcase]
+        end.first
       end
       private
@@ -43,7 +61,7 @@ module Mihari
       end
       def api
-        @api ||= Hachi::API.new(api_endpoint: api_endpoint, api_key: api_key)
+        @api ||= Hachi::API.new(api_endpoint: api_endpoint, api_key: api_key, api_version: normalized_api_version)
       end
       #
@@ -64,6 +82,35 @@ module Mihari
         !api_key.nil?
       end
+      def payload(title:, description:, artifacts:, tags: [])
+        return v4_payload(title: title, description: description, artifacts: artifacts, tags: tags) if normalized_api_version.nil?
+        v5_payload(title: title, description: description, artifacts: artifacts, tags: tags)
+      end
+      def v4_payload(title:, description:, artifacts:, tags: [])
+        {
+          title: title,
+          description: description,
+          artifacts: artifacts.map { |artifact| { data: artifact.data, data_type: artifact.data_type, message: description } },
+          tags: tags,
+          type: "external",
+          source: "mihari"
+        }
+      end
+      def v5_payload(title:, description:, artifacts:, tags: [])
+        {
+          title: title,
+          description: description,
+          observables: artifacts.map { |artifact| { data: artifact.data, data_type: artifact.data_type, message: description } },
+          tags: tags,
+          type: "external",
+          source: "mihari",
+          source_ref: "1"
+        }
+      end
       #
       # Check whether an API endpoint is reachable or not
       #
@@ -71,9 +118,21 @@ module Mihari
       #
       def ping?
         base_url = api_endpoint.end_with?("/") ? api_endpoint[0..-2] : api_endpoint
-        url = "#{base_url}/index.html"
+        if normalized_api_version.nil?
+          # for v4
+          base_url = api_endpoint.end_with?("/") ? api_endpoint[0..-2] : api_endpoint
+          url = "#{base_url}/index.html"
+        else
+          # for v5
+          url = "#{base_url}/api/v1/status/public"
+        end
         http = Net::Ping::HTTP.new(url)
+        # use GET for v5
+        http.get_request = true if normalized_api_version
         http.ping?
       end
     end

data/lib/mihari/emitters/webhook.rb CHANGED Viewed

@@ -11,7 +11,7 @@ module Mihari
       def emit(title:, description:, artifacts:, source:, tags:)
         return if artifacts.empty?
-        headers = { 'content-type': "application/x-www-form-urlencoded" }
+        headers = { "content-type": "application/x-www-form-urlencoded" }
         headers["content-type"] = "application/json" if use_json_body?
         emitter = Emitters::HTTP.new(uri: Mihari.config.webhook_url)

data/lib/mihari/schemas/emitter.rb CHANGED Viewed

@@ -16,6 +16,7 @@ module Mihari
       required(:emitter).value(Types::String.enum("the_hive"))
       optional(:api_endpoint).value(:string)
       optional(:api_key).value(:string)
+      optional(:api_version).value(Types::String.enum("v4", "v5")).default("v4")
     end
     Slack = Dry::Schema.Params do

data/lib/mihari/structs/rule.rb CHANGED Viewed

@@ -36,6 +36,9 @@ module Mihari
         # @return [Array, nil]
         attr_reader :errors
+        # @return [String]
+        attr_writer :id
         def initialize(data, yaml)
           @data = data.deep_symbolize_keys
           @yaml = yaml

data/lib/mihari/version.rb CHANGED Viewed

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 module Mihari
-  VERSION = "4.5.1"
+  VERSION = "4.6.0"
 end

data/lib/mihari/web/endpoints/rules.rb CHANGED Viewed

@@ -145,6 +145,7 @@ module Mihari
           end
           rule = Structs::Rule::Rule.from_yaml(yaml)
+          rule.id = id
           begin
             rule.validate!
@@ -159,7 +160,7 @@ module Mihari
             model = rule.to_model
             model.save
           rescue ActiveRecord::RecordNotUnique
-            error!({ message: "ID:#{rule.id} is already registered" }, 400)
+            error!({ message: "ID:#{model.id} is already registered" }, 400)
           end
           status 201

data/lib/mihari/web/public/index.html CHANGED Viewed

	@@ -1 +1 @@
1	- <!doctype html><html lang="en"><head><meta charset="utf-8"/><meta http-equiv="X-UA-Compatible" content="IE=edge"/><meta name="viewport" content="width=device-width,initial-scale=1"/><link rel="icon" href="/static/favicon.ico"/><title>Mihari</title><script defer="defer" type="module" src="/static/js/chunk-vendors.~~3bdbaffb~~.js"></script><script defer="defer" type="module" src="/static/js/app.~~afd5025f~~.js"></script><link href="/static/css/chunk-vendors.~~da2a7bfc~~.css" rel="stylesheet"><link href="/static/css/app.2a5d3d21.css" rel="stylesheet"><script defer="defer" src="/static/js/chunk-vendors-legacy.~~d6b76c57~~.js" nomodule></script><script defer="defer" src="/static/js/app-legacy.~~c3595dce~~.js" nomodule></script></head><body><noscript><strong>We're sorry but Mihari doesn't work properly without JavaScript enabled. Please enable it to continue.</strong></noscript><div id="app"></div></body></html>
1	+ <!doctype html><html lang="en"><head><meta charset="utf-8"/><meta http-equiv="X-UA-Compatible" content="IE=edge"/><meta name="viewport" content="width=device-width,initial-scale=1"/><link rel="icon" href="/static/favicon.ico"/><title>Mihari</title><script defer="defer" type="module" src="/static/js/chunk-vendors.dde2116c.js"></script><script defer="defer" type="module" src="/static/js/app.823b5af7.js"></script><link href="/static/css/chunk-vendors.06251949.css" rel="stylesheet"><link href="/static/css/app.2a5d3d21.css" rel="stylesheet"><script defer="defer" src="/static/js/chunk-vendors-legacy.b110c129.js" nomodule></script><script defer="defer" src="/static/js/app-legacy.9d5c9c3d.js" nomodule></script></head><body><noscript><strong>We're sorry but Mihari doesn't work properly without JavaScript enabled. Please enable it to continue.</strong></noscript><div id="app"></div></body></html>