mihari 4.7.0 → 4.7.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: '091892853042ab3f1010c89b943eb2a885370da2d619016f3f3cd9dcb59e80cf'
-  data.tar.gz: 119ccbb407a49c741a4bf6c7cfafc7cd99855c3af950af9d0f1dc3735fc24672
+  metadata.gz: c96da785a17ea290f65f5ce17b43d7fa4a57086d8de7ee867e8369f832f7c25c
+  data.tar.gz: 7b5c2d5e14d4b1a6c6c4434387881d34d3b04c33802ad84a4430d360b4d22e6c
 SHA512:
-  metadata.gz: 5364837634a6cde1b370db5613e745f05b40bf7321a5b7fcc4a2c7d32b1d395fa45e4472ef2a5f9f28d664f0b45e31d0554acec7bb641a21ce179ebf70bf9317
-  data.tar.gz: 57ca2f920db2da9e8c9a10f59aa81984dff0a81f0073ba839c351f3fe5e7979358ce44d87f48adcffd7df1bf7268bab178fec82731f72d62c24aa9ce04eed026
+  metadata.gz: f7d66fcac98d91d6910bcabc9a7a2b29f96e562619bcf0615e2f10e2bd25c72f5439f390836d27f083f5b8da4f6696a23358881a4d6b78a6e1ae5e5b57aaa70e
+  data.tar.gz: 4476349d708f35c064af3c4a1d126790fbb008af34a62e2a485d1f0ef72a097723233e046985cc4f88f6543f84caba480dd85f1076c3ba0638951fdcae07e8dd

data/lib/mihari/analyzers/clients/otx.rb

@@ -0,0 +1,36 @@
+# frozen_string_literal: true
+
+module Mihari
+  module Analyzers
+    module Clients
+      class OTX
+        attr_reader :api_key
+
+        def initialize(api_key)
+          @api_key = api_key
+        end
+
+        def query_by_ip(ip)
+          get "https://otx.alienvault.com/api/v1/indicators/IPv4/#{ip}/passive_dns"
+        end
+
+        def query_by_domain(domain)
+          get "https://otx.alienvault.com/api/v1/indicators/domain/#{domain}/passive_dns"
+        end
+
+        private
+
+        def headers
+          { "x-otx-api-key": api_key }
+        end
+
+        def get(url)
+          res = HTTP.get(url, headers: headers)
+          JSON.parse(res.body.to_s)
+        rescue HTTPError
+          nil
+        end
+      end
+    end
+  end
+end

data/lib/mihari/analyzers/otx.rb

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 
-require "otx_ruby"
+require "mihari/analyzers/clients/otx"
 
 module Mihari
   module Analyzers
@@ -34,12 +34,8 @@ module Mihari
         %w[otx_api_key]
       end
 
-      def domain_client
-        @domain_client ||= ::OTX::Domain.new(api_key)
-      end
-
-      def ip_client
-        @ip_client ||= ::OTX::IP.new(api_key)
+      def client
+        @client ||= Mihari::Analyzers::Clients::OTX.new(api_key)
       end
 
       #
@@ -73,9 +69,15 @@ module Mihari
       # @return [Array<String>]
       #
       def domain_search
-        records = domain_client.get_passive_dns(query)
+        res = client.query_by_domain(query)
+        return [] if res.nil?
+
+        records = res["passive_dns"] || []
         records.filter_map do |record|
-          record.address if record.record_type == "A"
+          record_type = record["record_type"]
+          address = record["address"]
+
+          address if record_type == "A"
         end.uniq
       end
 
@@ -85,9 +87,15 @@ module Mihari
       # @return [Array<String>]
       #
       def ip_search
-        records = ip_client.get_passive_dns(query)
+        res = client.query_by_ip(query)
+        return [] if res.nil?
+
+        records = res["passive_dns"] || []
         records.filter_map do |record|
-          record.hostname if record.record_type == "A"
+          record_type = record["record_type"]
+          hostname = record["hostname"]
+
+          hostname if record_type == "A"
         end.uniq
       end
     end

data/lib/mihari/analyzers/rule.rb

@@ -39,7 +39,6 @@ module Mihari
 
     class Rule < Base
       include Mixins::DisallowedDataValue
-      include Mixins::Rule
 
       option :title
       option :description

data/lib/mihari/commands/init.rb

@@ -3,8 +3,6 @@
 module Mihari
   module Commands
     module Initialization
-      include Mixins::Rule
-
       def self.included(thor)
         thor.class_eval do
           desc "rule", "Create a rule file"
@@ -21,6 +19,31 @@ module Mihari
 
             Mihari.logger.info "The rule file is initialized as #{filename}."
           end
+
+          no_commands do
+            #
+            # Returns a template for rule
+            #
+            # @return [String] A template for rule
+            #
+            def rule_template
+              rule = Structs::Rule.from_path_or_id File.expand_path("../templates/rule.yml.erb", __dir__)
+              rule.yaml
+            end
+
+            #
+            # Create (blank) rule file
+            #
+            # @param [String] filename
+            # @param [Dry::Files] files
+            # @param [String] template
+            #
+            # @return [nil]
+            #
+            def initialize_rule_yaml(filename, files = Dry::Files.new, template: rule_template)
+              files.write(filename, template)
+            end
+          end
         end
       end
     end

data/lib/mihari/commands/search.rb

@@ -4,7 +4,6 @@ module Mihari
   module Commands
     module Search
       include Mixins::Database
-      include Mixins::Rule
       include Mixins::ErrorNotification
 
       def self.included(thor)
@@ -12,14 +11,10 @@ module Mihari
           desc "search [RULE]", "Search by a rule"
           method_option :yes, type: :boolean, aliases: "-y", desc: "yes to overwrite the rule in the database"
           def search_by_rule(path_or_id)
-            rule = load_rule(path_or_id)
+            rule = Structs::Rule.from_path_or_id path_or_id
 
             # validate
-            begin
-              validate_rule! rule
-            rescue RuleValidationError => e
-              raise e
-            end
+            rule.validate!
 
             # check update
             id = rule.id

data/lib/mihari/commands/validator.rb

@@ -3,16 +3,21 @@
 module Mihari
   module Commands
     module Validator
-      include Mixins::Rule
-
       def self.included(thor)
         thor.class_eval do
-          desc "rule [PATH]", "Validate format of a rule file"
+          desc "rule [PATH]", "Validate rule file format"
+          #
+          # Validate format of a rule
+          #
+          # @param [String] path
+          #
+          # @return [nil]
+          #
           def rule(path)
-            rule = load_rule(path)
+            rule = Structs::Rule.from_path_or_id(path)
 
             begin
-              validate_rule! rule
+              rule.validate!
               Mihari.logger.info "Valid format. The input is parsed as the following:\n#{rule.data.to_yaml}"
             rescue RuleValidationError
               nil

data/lib/mihari/errors.rb

@@ -15,6 +15,8 @@ module Mihari
 
   class RuleValidationError < Error; end
 
+  class YAMLSyntaxError < Error; end
+
   class ConfigurationError < Error; end
 
   class HTTPError < Error; end

data/lib/mihari/models/alert.rb

@@ -12,7 +12,7 @@ module Mihari
       #
       # Search alerts
       #
-      # @param [Structs::Alert::SearchFilterWithPagination] filter
+      # @param [Structs::Filters::Alert::SearchFilterWithPagination] filter
       #
       # @return [Array<Alert>]
       #
@@ -58,6 +58,11 @@ module Mihari
 
       private
 
+      #
+      # @param [Structs::Filters::Alert::SearchFilter] filter
+      #
+      # @return [Mihari::Alert]
+      #
       def build_relation(filter)
         artifact_ids = []
         artifact = Artifact.includes(:autonomous_system, :dns_records, :reverse_dns_names)

data/lib/mihari/models/geolocation.rb

@@ -17,11 +17,9 @@ module Mihari
       def build_by_ip(ip)
         res = Enrichers::IPInfo.query(ip)
 
-        unless res.nil?
-          return new(country: NormalizeCountry(res.country_code, to: :short), country_code: res.country_code)
-        end
+        return nil if res&.country_code.nil?
 
-        nil
+        new(country: NormalizeCountry(res.country_code, to: :short), country_code: res.country_code)
       end
     end
   end

data/lib/mihari/models/port.rb

@@ -14,7 +14,7 @@ module Mihari
       #
       def build_by_ip(ip)
         res = Enrichers::Shodan.query(ip)
-        return if res.nil?
+        return [] if res.nil?
 
         res.ports.map { |port| new(port: port) }
       end

data/lib/mihari/models/rule.rb

@@ -28,7 +28,7 @@ module Mihari
       #
       # Search rules
       #
-      # @param [Structs::Rule::SearchFilterWithPagination] filter
+      # @param [Structs::Filters::Rule::SearchFilterWithPagination] filter
       #
       # @return [Array<Rule>]
       #
@@ -51,7 +51,7 @@ module Mihari
       #
       # Count alerts
       #
-      # @param [Structs::Rule::SearchFilterWithPagination] filter
+      # @param [Structs::Filters::Rule::SearchFilterWithPagination] filter
       #
       # @return [Integer]
       #
@@ -62,6 +62,11 @@ module Mihari
 
       private
 
+      #
+      # @param [Structs::Filters::Rule::SearchFilter] filter
+      #
+      # @return [Mihari::Rule]
+      #
       def build_relation(filter)
         relation = self
         relation = relation.includes(alerts: :tags)

data/lib/mihari/structs/filters.rb

@@ -0,0 +1,71 @@
+# frozen_string_literal: true
+
+module Mihari
+  module Structs
+    module Filters
+      module Alert
+        class SearchFilter < Dry::Struct
+          attribute? :artifact_data, Types::String.optional
+          attribute? :description, Types::String.optional
+          attribute? :source, Types::String.optional
+          attribute? :tag_name, Types::String.optional
+          attribute? :title, Types::String.optional
+          attribute? :from_at, Types::DateTime.optional
+          attribute? :to_at, Types::DateTime.optional
+          attribute? :asn, Types::Int.optional
+          attribute? :dns_record, Types::String.optional
+          attribute? :reverse_dns_name, Types::String.optional
+
+          def valid_artifact_filters?
+            !(artifact_data || asn || dns_record || reverse_dns_name).nil?
+          end
+        end
+
+        class SearchFilterWithPagination < SearchFilter
+          attribute? :page, Types::Int.default(1)
+          attribute? :limit, Types::Int.default(10)
+
+          def without_pagination
+            SearchFilter.new(
+              artifact_data: artifact_data,
+              description: description,
+              from_at: from_at,
+              source: source,
+              tag_name: tag_name,
+              title: title,
+              to_at: to_at,
+              asn: asn,
+              dns_record: dns_record,
+              reverse_dns_name: reverse_dns_name
+            )
+          end
+        end
+      end
+
+      module Rule
+        class SearchFilter < Dry::Struct
+          attribute? :description, Types::String.optional
+          attribute? :tag_name, Types::String.optional
+          attribute? :title, Types::String.optional
+          attribute? :from_at, Types::DateTime.optional
+          attribute? :to_at, Types::DateTime.optional
+        end
+
+        class SearchFilterWithPagination < SearchFilter
+          attribute? :page, Types::Int.default(1)
+          attribute? :limit, Types::Int.default(10)
+
+          def without_pagination
+            SearchFilter.new(
+              description: description,
+              from_at: from_at,
+              tag_name: tag_name,
+              title: title,
+              to_at: to_at
+            )
+          end
+        end
+      end
+    end
+  end
+end

data/lib/mihari/structs/ipinfo.rb

@@ -6,8 +6,8 @@ module Mihari
       class Response < Dry::Struct
         attribute :ip, Types::String
         attribute :hostname, Types::String.optional
-        attribute :loc, Types::String
-        attribute :country_code, Types::String
+        attribute :loc, Types::String.optional
+        attribute :country_code, Types::String.optional
         attribute :asn, Types::Integer.optional
 
         class << self
@@ -23,9 +23,9 @@ module Mihari
 
             new(
               ip: d.fetch("ip"),
-              loc: d.fetch("loc"),
+              loc: d["loc"],
               hostname: d["hostname"],
-              country_code: d.fetch("country"),
+              country_code: d["country"],
               asn: asn
             )
           end