mihari 4.5.1 → 4.6.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: dd4057ff69b6e8ee676c7ebf7e672b6830d26a02e22ebe372d2786f5220ae8d3
-  data.tar.gz: 202c7bce234c823fb10fe40fc1f7af2c25d676f587871d0a49740fd8f3af4325
+  metadata.gz: 1f340898bd140d76041cde8c5cb266bcb379f056bac511fcd9de9a4dd20fc299
+  data.tar.gz: fb96310ecb6efb1dd5059feea692a8128bdff3610579473134653979c2f0512c
 SHA512:
-  metadata.gz: ed3c42b58a305f20e7d981a1ae5e19d6efe493d7252645cf54f78c16fe38607305497e983f80d1d04ab8964f0166f19ace1ba62bece5ecdeadb0b6041d4be49f
-  data.tar.gz: 12966b0cc1143bcff8e9a44dd5904c7fa70c234f26613df35e5be162c5e18805e15adb1a8fd1ddd8c1ad84d221b528d411daa29b764e67eed4357a86f6bf0cc7
+  metadata.gz: 8d9758d027fc056f52be261fb2d7c6fa81dc402d4f47c01a8e49c93e1bc084a501af74c0e51c73ac2967c7795529130f1c34801661f1a9935075e197eaf446b0
+  data.tar.gz: e48d29aa3756a260cc273f9b05e65aa28e6e9e67f377fcc9c4ff722931f7789f363478c9a33470aea41a1bd72a9c9e73c05b76583d52bdb80096c2fdaf627b54

data/lib/mihari/analyzers/rule.rb

@@ -127,9 +127,12 @@ module Mihari
       # @return [Boolean]
       #
       def disallowed_data_value?(value)
-        normalized_disallowed_data_values.any? do |disallowed_data_value|
-          return value == disallowed_data_value if disallowed_data_value.is_a?(String)
-          return disallowed_data_value.match?(value) if disallowed_data_value.is_a?(Regexp)
+        return true if normalized_disallowed_data_values.include?(value)
+
+        normalized_disallowed_data_values.select do |disallowed_data_value|
+          disallowed_data_value.is_a?(Regexp)
+        end.any? do |disallowed_data_value|
+          disallowed_data_value.match?(value)
         end
       end
 

data/lib/mihari/emitters/the_hive.rb

@@ -11,11 +11,15 @@ module Mihari
       # @return [String, nil]
       attr_reader :api_key
 
+      # @return [String, nil]
+      attr_reader :api_version
+
       def initialize(*args, **kwargs)
         super(*args, **kwargs)
 
         @api_endpoint = kwargs[:api_endpoint] || Mihari.config.thehive_api_endpoint
         @api_key = kwargs[:api_key] || Mihari.config.thehive_api_key
+        @api_version = kwargs[:api_version] || Mihari.config.thehive_api_version
       end
 
       # @return [Boolean]
@@ -26,14 +30,28 @@ module Mihari
       def emit(title:, description:, artifacts:, tags: [], **_options)
         return if artifacts.empty?
 
-        api.alert.create(
-          title: title,
-          description: description,
-          artifacts: artifacts.map { |artifact| { data: artifact.data, data_type: artifact.data_type, message: description } },
-          tags: tags,
-          type: "external",
-          source: "mihari"
-        )
+        payload = payload(title: title, description: description, artifacts: artifacts, tags: tags)
+        api.alert.create(**payload)
+      end
+
+      #
+      # Normalize API version for API client
+      #
+      # @param [String] version
+      #
+      # @return [String, nil]
+      #
+      def normalized_api_version
+        @normalized_api_version ||= [].tap do |out|
+          # v4 does not have version prefix in path (/api/)
+          # v5 has version prefix in path (/api/v1/)
+          table = {
+            "" => nil,
+            "v4" => nil,
+            "v5" => "v1"
+          }
+          out << table[api_version.to_s.downcase]
+        end.first
       end
 
       private
@@ -43,7 +61,7 @@ module Mihari
       end
 
       def api
-        @api ||= Hachi::API.new(api_endpoint: api_endpoint, api_key: api_key)
+        @api ||= Hachi::API.new(api_endpoint: api_endpoint, api_key: api_key, api_version: normalized_api_version)
       end
 
       #
@@ -64,6 +82,35 @@ module Mihari
         !api_key.nil?
       end
 
+      def payload(title:, description:, artifacts:, tags: [])
+        return v4_payload(title: title, description: description, artifacts: artifacts, tags: tags) if normalized_api_version.nil?
+
+        v5_payload(title: title, description: description, artifacts: artifacts, tags: tags)
+      end
+
+      def v4_payload(title:, description:, artifacts:, tags: [])
+        {
+          title: title,
+          description: description,
+          artifacts: artifacts.map { |artifact| { data: artifact.data, data_type: artifact.data_type, message: description } },
+          tags: tags,
+          type: "external",
+          source: "mihari"
+        }
+      end
+
+      def v5_payload(title:, description:, artifacts:, tags: [])
+        {
+          title: title,
+          description: description,
+          observables: artifacts.map { |artifact| { data: artifact.data, data_type: artifact.data_type, message: description } },
+          tags: tags,
+          type: "external",
+          source: "mihari",
+          source_ref: "1"
+        }
+      end
+
       #
       # Check whether an API endpoint is reachable or not
       #
@@ -71,9 +118,21 @@ module Mihari
       #
       def ping?
         base_url = api_endpoint.end_with?("/") ? api_endpoint[0..-2] : api_endpoint
-        url = "#{base_url}/index.html"
+
+        if normalized_api_version.nil?
+          # for v4
+          base_url = api_endpoint.end_with?("/") ? api_endpoint[0..-2] : api_endpoint
+          url = "#{base_url}/index.html"
+        else
+          # for v5
+          url = "#{base_url}/api/v1/status/public"
+        end
 
         http = Net::Ping::HTTP.new(url)
+
+        # use GET for v5
+        http.get_request = true if normalized_api_version
+
         http.ping?
       end
     end

data/lib/mihari/emitters/webhook.rb

@@ -11,7 +11,7 @@ module Mihari
       def emit(title:, description:, artifacts:, source:, tags:)
         return if artifacts.empty?
 
-        headers = { 'content-type': "application/x-www-form-urlencoded" }
+        headers = { "content-type": "application/x-www-form-urlencoded" }
         headers["content-type"] = "application/json" if use_json_body?
 
         emitter = Emitters::HTTP.new(uri: Mihari.config.webhook_url)

data/lib/mihari/schemas/emitter.rb

@@ -16,6 +16,7 @@ module Mihari
       required(:emitter).value(Types::String.enum("the_hive"))
       optional(:api_endpoint).value(:string)
       optional(:api_key).value(:string)
+      optional(:api_version).value(Types::String.enum("v4", "v5")).default("v4")
     end
 
     Slack = Dry::Schema.Params do

data/lib/mihari/structs/rule.rb

@@ -36,6 +36,9 @@ module Mihari
         # @return [Array, nil]
         attr_reader :errors
 
+        # @return [String]
+        attr_writer :id
+
         def initialize(data, yaml)
           @data = data.deep_symbolize_keys
           @yaml = yaml

data/lib/mihari/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Mihari
-  VERSION = "4.5.1"
+  VERSION = "4.6.0"
 end

data/lib/mihari/web/endpoints/rules.rb

@@ -145,6 +145,7 @@ module Mihari
           end
 
           rule = Structs::Rule::Rule.from_yaml(yaml)
+          rule.id = id
 
           begin
             rule.validate!
@@ -159,7 +160,7 @@ module Mihari
             model = rule.to_model
             model.save
           rescue ActiveRecord::RecordNotUnique
-            error!({ message: "ID:#{rule.id} is already registered" }, 400)
+            error!({ message: "ID:#{model.id} is already registered" }, 400)
           end
 
           status 201

data/lib/mihari/web/public/index.html

@@ -1 +1 @@
-<!doctype html><html lang="en"><head><meta charset="utf-8"/><meta http-equiv="X-UA-Compatible" content="IE=edge"/><meta name="viewport" content="width=device-width,initial-scale=1"/><link rel="icon" href="/static/favicon.ico"/><title>Mihari</title><script defer="defer" type="module" src="/static/js/chunk-vendors.3bdbaffb.js"></script><script defer="defer" type="module" src="/static/js/app.afd5025f.js"></script><link href="/static/css/chunk-vendors.da2a7bfc.css" rel="stylesheet"><link href="/static/css/app.2a5d3d21.css" rel="stylesheet"><script defer="defer" src="/static/js/chunk-vendors-legacy.d6b76c57.js" nomodule></script><script defer="defer" src="/static/js/app-legacy.c3595dce.js" nomodule></script></head><body><noscript><strong>We're sorry but Mihari doesn't work properly without JavaScript enabled. Please enable it to continue.</strong></noscript><div id="app"></div></body></html>
+<!doctype html><html lang="en"><head><meta charset="utf-8"/><meta http-equiv="X-UA-Compatible" content="IE=edge"/><meta name="viewport" content="width=device-width,initial-scale=1"/><link rel="icon" href="/static/favicon.ico"/><title>Mihari</title><script defer="defer" type="module" src="/static/js/chunk-vendors.dde2116c.js"></script><script defer="defer" type="module" src="/static/js/app.823b5af7.js"></script><link href="/static/css/chunk-vendors.06251949.css" rel="stylesheet"><link href="/static/css/app.2a5d3d21.css" rel="stylesheet"><script defer="defer" src="/static/js/chunk-vendors-legacy.b110c129.js" nomodule></script><script defer="defer" src="/static/js/app-legacy.9d5c9c3d.js" nomodule></script></head><body><noscript><strong>We're sorry but Mihari doesn't work properly without JavaScript enabled. Please enable it to continue.</strong></noscript><div id="app"></div></body></html>