mihari 4.7.1 → 4.7.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 38f68ec091b2469095f321f104c1e238599c56afa7f55763920cfeef0df03ca0
-  data.tar.gz: 625bbd99f92e4af768b76db15ab72cd53dba6a04150acc3ddfe7feb7d1a82bf7
+  metadata.gz: 4afac31be7c26f9357097db69a0f5e8e175b9d7bb14f66adc85d38f8d5606dad
+  data.tar.gz: c6259db1f4f4ed657993e817d3f8fafec5632370f0d21e761ee1dba5fb490321
 SHA512:
-  metadata.gz: fe847e37658ede26d1910e8c73ee1726e2b32335571e03c97c891b2d799380397ed1d32de7e4ed31ae57c861b4a6aa74433454d4871e38e2137100ce342894a1
-  data.tar.gz: 688c3adcf6ebb754d02b0fecde033602b47fe23ae11fffaff329ce53b93c268ab274319fdb630c819163856ce9708f2658bfe6fe7790e54ab1488e8d2af90245
+  metadata.gz: 0dff43154e317cc31dc13a85f3d7ae14c362ea23ccec2f0d48cff1f12ffb5a0f8f292465888ca9044234963bf5ba5fe5c4ce920111d9b0a8f083c067896e2efa
+  data.tar.gz: 46e9e1a2fd39d1bb61d8f3db73362074df83d80c5b37c39923a71ed9388059eef249b257116944016c33199c17dd283bbae41325ea29e74dd9759f0acfd6a14c

data/.github/workflows/test.yml

@@ -56,6 +56,7 @@ jobs:
         uses: ruby/setup-ruby@v1
         with:
           ruby-version: ${{ matrix.ruby }}
+          bundler: latest
           bundler-cache: true
 
       - name: Test with PostgreSQL

data/lib/mihari/analyzers/rule.rb

@@ -39,7 +39,6 @@ module Mihari
 
     class Rule < Base
       include Mixins::DisallowedDataValue
-      include Mixins::Rule
 
       option :title
       option :description

data/lib/mihari/commands/init.rb

@@ -3,8 +3,6 @@
 module Mihari
   module Commands
     module Initialization
-      include Mixins::Rule
-
       def self.included(thor)
         thor.class_eval do
           desc "rule", "Create a rule file"
@@ -21,6 +19,31 @@ module Mihari
 
             Mihari.logger.info "The rule file is initialized as #{filename}."
           end
+
+          no_commands do
+            #
+            # Returns a template for rule
+            #
+            # @return [String] A template for rule
+            #
+            def rule_template
+              rule = Structs::Rule.from_path_or_id File.expand_path("../templates/rule.yml.erb", __dir__)
+              rule.yaml
+            end
+
+            #
+            # Create (blank) rule file
+            #
+            # @param [String] filename
+            # @param [Dry::Files] files
+            # @param [String] template
+            #
+            # @return [nil]
+            #
+            def initialize_rule_yaml(filename, files = Dry::Files.new, template: rule_template)
+              files.write(filename, template)
+            end
+          end
         end
       end
     end

data/lib/mihari/commands/search.rb

@@ -4,7 +4,6 @@ module Mihari
   module Commands
     module Search
       include Mixins::Database
-      include Mixins::Rule
       include Mixins::ErrorNotification
 
       def self.included(thor)
@@ -12,14 +11,10 @@ module Mihari
           desc "search [RULE]", "Search by a rule"
           method_option :yes, type: :boolean, aliases: "-y", desc: "yes to overwrite the rule in the database"
           def search_by_rule(path_or_id)
-            rule = load_rule(path_or_id)
+            rule = Structs::Rule.from_path_or_id path_or_id
 
             # validate
-            begin
-              validate_rule! rule
-            rescue RuleValidationError => e
-              raise e
-            end
+            rule.validate!
 
             # check update
             id = rule.id

data/lib/mihari/commands/validator.rb

@@ -3,16 +3,21 @@
 module Mihari
   module Commands
     module Validator
-      include Mixins::Rule
-
       def self.included(thor)
         thor.class_eval do
-          desc "rule [PATH]", "Validate format of a rule file"
+          desc "rule [PATH]", "Validate rule file format"
+          #
+          # Validate format of a rule
+          #
+          # @param [String] path
+          #
+          # @return [nil]
+          #
           def rule(path)
-            rule = load_rule(path)
+            rule = Structs::Rule.from_path_or_id(path)
 
             begin
-              validate_rule! rule
+              rule.validate!
               Mihari.logger.info "Valid format. The input is parsed as the following:\n#{rule.data.to_yaml}"
             rescue RuleValidationError
               nil

data/lib/mihari/errors.rb

@@ -15,6 +15,8 @@ module Mihari
 
   class RuleValidationError < Error; end
 
+  class YAMLSyntaxError < Error; end
+
   class ConfigurationError < Error; end
 
   class HTTPError < Error; end

data/lib/mihari/models/alert.rb

@@ -12,7 +12,7 @@ module Mihari
       #
       # Search alerts
       #
-      # @param [Structs::Alert::SearchFilterWithPagination] filter
+      # @param [Structs::Filters::Alert::SearchFilterWithPagination] filter
       #
       # @return [Array<Alert>]
       #
@@ -58,6 +58,11 @@ module Mihari
 
       private
 
+      #
+      # @param [Structs::Filters::Alert::SearchFilter] filter
+      #
+      # @return [Mihari::Alert]
+      #
       def build_relation(filter)
         artifact_ids = []
         artifact = Artifact.includes(:autonomous_system, :dns_records, :reverse_dns_names)

data/lib/mihari/models/geolocation.rb

@@ -17,11 +17,9 @@ module Mihari
       def build_by_ip(ip)
         res = Enrichers::IPInfo.query(ip)
 
-        unless res.nil?
-          return new(country: NormalizeCountry(res.country_code, to: :short), country_code: res.country_code)
-        end
+        return nil if res&.country_code.nil?
 
-        nil
+        new(country: NormalizeCountry(res.country_code, to: :short), country_code: res.country_code)
       end
     end
   end

data/lib/mihari/models/port.rb

@@ -14,7 +14,7 @@ module Mihari
       #
       def build_by_ip(ip)
         res = Enrichers::Shodan.query(ip)
-        return if res.nil?
+        return [] if res.nil?
 
         res.ports.map { |port| new(port: port) }
       end

data/lib/mihari/models/rule.rb

@@ -28,7 +28,7 @@ module Mihari
       #
       # Search rules
       #
-      # @param [Structs::Rule::SearchFilterWithPagination] filter
+      # @param [Structs::Filters::Rule::SearchFilterWithPagination] filter
       #
       # @return [Array<Rule>]
       #
@@ -51,7 +51,7 @@ module Mihari
       #
       # Count alerts
       #
-      # @param [Structs::Rule::SearchFilterWithPagination] filter
+      # @param [Structs::Filters::Rule::SearchFilterWithPagination] filter
       #
       # @return [Integer]
       #
@@ -62,6 +62,11 @@ module Mihari
 
       private
 
+      #
+      # @param [Structs::Filters::Rule::SearchFilter] filter
+      #
+      # @return [Mihari::Rule]
+      #
       def build_relation(filter)
         relation = self
         relation = relation.includes(alerts: :tags)

data/lib/mihari/schemas/rule.rb

@@ -13,6 +13,11 @@ module Mihari
       optional(:tags).value(array[:string]).default([])
       optional(:id).value(:string)
 
+      optional(:status).value(:string)
+
+      optional(:related).value(array[:string])
+      optional(:references).value(array[:string])
+
       optional(:author).value(:string)
       optional(:created_on).value(:date)
       optional(:updated_on).value(:date)

data/lib/mihari/structs/filters.rb

@@ -0,0 +1,71 @@
+# frozen_string_literal: true
+
+module Mihari
+  module Structs
+    module Filters
+      module Alert
+        class SearchFilter < Dry::Struct
+          attribute? :artifact_data, Types::String.optional
+          attribute? :description, Types::String.optional
+          attribute? :source, Types::String.optional
+          attribute? :tag_name, Types::String.optional
+          attribute? :title, Types::String.optional
+          attribute? :from_at, Types::DateTime.optional
+          attribute? :to_at, Types::DateTime.optional
+          attribute? :asn, Types::Int.optional
+          attribute? :dns_record, Types::String.optional
+          attribute? :reverse_dns_name, Types::String.optional
+
+          def valid_artifact_filters?
+            !(artifact_data || asn || dns_record || reverse_dns_name).nil?
+          end
+        end
+
+        class SearchFilterWithPagination < SearchFilter
+          attribute? :page, Types::Int.default(1)
+          attribute? :limit, Types::Int.default(10)
+
+          def without_pagination
+            SearchFilter.new(
+              artifact_data: artifact_data,
+              description: description,
+              from_at: from_at,
+              source: source,
+              tag_name: tag_name,
+              title: title,
+              to_at: to_at,
+              asn: asn,
+              dns_record: dns_record,
+              reverse_dns_name: reverse_dns_name
+            )
+          end
+        end
+      end
+
+      module Rule
+        class SearchFilter < Dry::Struct
+          attribute? :description, Types::String.optional
+          attribute? :tag_name, Types::String.optional
+          attribute? :title, Types::String.optional
+          attribute? :from_at, Types::DateTime.optional
+          attribute? :to_at, Types::DateTime.optional
+        end
+
+        class SearchFilterWithPagination < SearchFilter
+          attribute? :page, Types::Int.default(1)
+          attribute? :limit, Types::Int.default(10)
+
+          def without_pagination
+            SearchFilter.new(
+              description: description,
+              from_at: from_at,
+              tag_name: tag_name,
+              title: title,
+              to_at: to_at
+            )
+          end
+        end
+      end
+    end
+  end
+end

data/lib/mihari/structs/ipinfo.rb

@@ -6,8 +6,8 @@ module Mihari
       class Response < Dry::Struct
         attribute :ip, Types::String
         attribute :hostname, Types::String.optional
-        attribute :loc, Types::String
-        attribute :country_code, Types::String
+        attribute :loc, Types::String.optional
+        attribute :country_code, Types::String.optional
         attribute :asn, Types::Integer.optional
 
         class << self
@@ -23,9 +23,9 @@ module Mihari
 
             new(
               ip: d.fetch("ip"),
-              loc: d.fetch("loc"),
+              loc: d["loc"],
               hostname: d["hostname"],
-              country_code: d.fetch("country"),
+              country_code: d["country"],
               asn: asn
             )
           end