mihari 5.2.2 → 5.2.4

data/lib/mihari/analyzers/rule.rb

@@ -46,7 +46,7 @@ module Mihari
       #
       # @param [Mihari::Structs::Rule] rule
       #
-      def initialize(rule:)
+      def initialize(rule)
         @rule = rule
         @base_time = Time.now.utc
 
@@ -54,12 +54,12 @@ module Mihari
       end
 
       #
-      # Returns a list of artifacts matched with queries
+      # Returns a list of artifacts matched with queries/analyzers
       #
       # @return [Array<Mihari::Artifact>]
       #
       def artifacts
-        rule.queries.map { |params| run_query(params.deep_dup) }.flatten
+        analyzers.flat_map(&:normalized_artifacts)
       end
 
       #
@@ -111,26 +111,15 @@ module Mihari
       # @return [Array<Mihari::Alert>]
       #
       def bulk_emit
-        Parallel.map(valid_emitters) { |emitter| emit emitter }.compact
-      end
-
-      #
-      # Emit an alert
-      #
-      # @param [Mihari::Emitters::Base] emitter
-      #
-      # @return [Mihari::Alert, nil]
-      #
-      def emit(emitter)
-        return if enriched_artifacts.empty?
-
-        alert_or_something = emitter.run(artifacts: enriched_artifacts, rule: rule)
-
-        Mihari.logger.info "Emission by #{emitter.class} is succeeded"
-
-        alert_or_something
-      rescue StandardError => e
-        Mihari.logger.info "Emission by #{emitter.class} is failed: #{e}"
+        return [] if enriched_artifacts.empty?
+
+        Parallel.map(valid_emitters) do |emitter|
+          emission = emitter.emit
+          Mihari.logger.info "Emission by #{emitter.class} is succeeded"
+          emission
+        rescue StandardError => e
+          Mihari.logger.info "Emission by #{emitter.class} is failed: #{e}"
+        end.compact
       end
 
       #
@@ -165,27 +154,28 @@ module Mihari
       end
 
       #
-      # @param [Hash] params
+      # Get analyzer class
+      #
+      # @param [String] analyzer_name
       #
-      # @return [Array<Mihari::Artifact>]
+      # @return [Class<Mihari::Analyzers::Base>] analyzer class
       #
-      def run_query(params)
-        analyzer_name = params[:analyzer]
-        klass = get_analyzer_class(analyzer_name)
-
-        # set interval in the top level
-        options = params[:options] || {}
-        interval = options[:interval]
-        params[:interval] = interval if interval
+      def get_analyzer_class(analyzer_name)
+        analyzer = ANALYZER_TO_CLASS[analyzer_name]
+        return analyzer if analyzer
 
-        # set rule
-        params[:rule] = rule
-        query = params[:query]
-        analyzer = klass.new(query, **params)
+        raise ArgumentError, "#{analyzer_name} is not supported"
+      end
 
-        # Use #normalized_artifacts method to get artifacts as Array<Mihari::Artifact>
-        # So Mihari::Artifact object has "source" attribute (e.g. "Shodan")
-        analyzer.normalized_artifacts
+      #
+      # @return [Array<Mihari::Analyzers::Base>]
+      #
+      def analyzers
+        @analyzers ||= rule.queries.map do |query_params|
+          analyzer_name = query_params[:analyzer]
+          klass = get_analyzer_class(analyzer_name)
+          klass.from_query(query_params)
+        end
       end
 
       #
@@ -203,53 +193,33 @@ module Mihari
       end
 
       #
-      # @param [Hash] params
+      # Deep copied emitters
       #
-      # @return [Mihari::Emitter:Base]
+      # @return [Array<Mihari::Emitters::Base>]
       #
-      def validate_emitter(params)
-        name = params[:emitter]
-        params.delete(:emitter)
+      def emitters
+        rule.emitters.map(&:deep_dup).map do |params|
+          name = params[:emitter]
+          params.delete(:emitter)
 
-        klass = get_emitter_class(name)
-        emitter = klass.new(**params)
-
-        emitter.valid? ? emitter : nil
+          klass = get_emitter_class(name)
+          klass.new(artifacts: enriched_artifacts, rule: rule, **params)
+        end
       end
 
       #
-      # @return [Array<Mihari::Emitter::Base>]
+      # @return [Array<Mihari::Emitters::Base>]
       #
       def valid_emitters
-        @valid_emitters ||= rule.emitters.filter_map { |params| validate_emitter(params.deep_dup) }
-      end
-
-      #
-      # Get analyzer class
-      #
-      # @param [String] analyzer_name
-      #
-      # @return [Class<Mihari::Analyzers::Base>] analyzer class
-      #
-      def get_analyzer_class(analyzer_name)
-        analyzer = ANALYZER_TO_CLASS[analyzer_name]
-        return analyzer if analyzer
-
-        raise ArgumentError, "#{analyzer_name} is not supported"
+        @valid_emitters ||= emitters.select(&:valid?)
       end
 
       #
       # Validate configuration of analyzers
       #
       def validate_analyzer_configurations
-        rule.queries.each do |params|
-          analyzer_name = params[:analyzer]
-
-          klass = get_analyzer_class(analyzer_name)
-          klass_name = klass.to_s.split("::").last
-
-          instance = klass.new("dummy")
-          raise ConfigurationError, "#{klass_name} is not configured correctly" unless instance.configured?
+        analyzers.map do |analyzer|
+          raise ConfigurationError, "#{analyzer.source} is not configured correctly" unless analyzer.configured?
         end
       end
     end

data/lib/mihari/analyzers/virustotal_intelligence.rb

@@ -25,8 +25,7 @@ module Mihari
       end
 
       def artifacts
-        responses = search_with_cursor
-        responses.map(&:to_artifacts).flatten
+        search_with_cursor.map(&:to_artifacts).flatten
       end
 
       private

data/lib/mihari/clients/base.rb

@@ -31,7 +31,7 @@ module Mihari
 
       #
       # @param [String] path
-      # @param [Hashk, nil] params
+      # @param [Hash, nil] params
       #
       # @return [String] <description>
       #

data/lib/mihari/commands/database.rb

@@ -3,18 +3,19 @@
 module Mihari
   module Commands
     module Database
-      def self.included(thor)
-        thor.class_eval do
-          desc "migrate", "Migrate DB schemas"
-          method_option :verbose, type: :boolean, default: true
-          #
-          # @param [String] direction
-          #
-          def migrate(direction = "up")
-            verbose = options["verbose"]
-            ActiveRecord::Migration.verbose = verbose
+      class << self
+        def included(thor)
+          thor.class_eval do
+            desc "migrate", "Migrate DB schemas"
+            method_option :verbose, type: :boolean, default: true
+            #
+            # @param [String] direction
+            #
+            def migrate(direction = "up")
+              ActiveRecord::Migration.verbose = options["verbose"]
 
-            Mihari::Database.with_db_connection { Mihari::Database.migrate(direction.to_sym) }
+              Mihari::Database.with_db_connection { Mihari::Database.migrate direction.to_sym }
+            end
           end
         end
       end

data/lib/mihari/commands/rule.rb

@@ -5,60 +5,62 @@ require "pathname"
 module Mihari
   module Commands
     module Rule
-      def self.included(thor)
-        thor.class_eval do
-          desc "validate [PATH]", "Validate a rule file"
-          #
-          # Validate format of a rule
-          #
-          # @param [String] path
-          #
-          def validate(path)
-            rule = Structs::Rule.from_path_or_id(path)
-
-            begin
-              rule.validate!
-              Mihari.logger.info "Valid format. The input is parsed as the following:"
-              Mihari.logger.info rule.data.to_yaml
-            rescue RuleValidationError
-              nil
-            end
-          end
-
-          desc "init [PATH]", "Initialize a new rule file"
-          #
-          # Initialize a new rule file
-          #
-          # @param [String] path
-          #
-          #
-          def init(path = "./rule.yml")
-            warning = "#{path} exists. Do you want to overwrite it? (y/n)"
-            return if Pathname(path).exist? && !(yes? warning)
-
-            initialize_rule path
-
-            Mihari.logger.info "A new rule is initialized: #{path}."
-          end
-
-          no_commands do
+      class << self
+        def included(thor)
+          thor.class_eval do
+            desc "validate [PATH]", "Validate a rule file"
             #
-            # @return [Mihari::Structs::Rule]
+            # Validate format of a rule
             #
-            def rule_template
-              Structs::Rule.from_path File.expand_path("../templates/rule.yml.erb", __dir__)
+            # @param [String] path
+            #
+            def validate(path)
+              rule = Structs::Rule.from_path_or_id(path)
+
+              begin
+                rule.validate!
+                Mihari.logger.info "Valid format. The input is parsed as the following:"
+                Mihari.logger.info rule.data.to_yaml
+              rescue RuleValidationError
+                nil
+              end
             end
 
+            desc "init [PATH]", "Initialize a new rule file"
             #
-            # Create a new rule
+            # Initialize a new rule file
             #
             # @param [String] path
-            # @param [Dry::Files] files
             #
-            # @return [nil]
             #
-            def initialize_rule(path, files = Dry::Files.new)
-              files.write(path, rule_template.yaml)
+            def init(path = "./rule.yml")
+              warning = "#{path} exists. Do you want to overwrite it? (y/n)"
+              return if Pathname(path).exist? && !(yes? warning)
+
+              initialize_rule path
+
+              Mihari.logger.info "A new rule file has been initialized: #{path}."
+            end
+
+            no_commands do
+              #
+              # @return [Mihari::Structs::Rule]
+              #
+              def rule_template
+                Structs::Rule.from_path File.expand_path("../templates/rule.yml.erb", __dir__)
+              end
+
+              #
+              # Create a new rule
+              #
+              # @param [String] path
+              # @param [Dry::Files] files
+              #
+              # @return [nil]
+              #
+              def initialize_rule(path, files = Dry::Files.new)
+                files.write(path, rule_template.yaml)
+              end
             end
           end
         end

data/lib/mihari/commands/search.rb

@@ -3,64 +3,92 @@
 module Mihari
   module Commands
     module Search
-      include Mixins::ErrorNotification
+      class << self
+        class RuleWrapper
+          include Mixins::ErrorNotification
+
+          # @return [Nihari::Structs::Rule]
+          attr_reader :rule
+
+          # @return [Boolean]
+          attr_reader :force_overwrite
+
+          def initialize(rule, force_overwrite:)
+            @rule = rule
+            @force_overwrite = force_overwrite
+          end
+
+          def force_overwrite?
+            force_overwrite
+          end
 
-      def self.included(thor)
-        thor.class_eval do
-          desc "search [PATH]", "Search by a rule"
-          method_option :force_overwrite, type: :boolean, aliases: "-f", desc: "Force an overwrite the rule"
-          #
-          # Search by a rule
           #
-          # @param [String] path_or_id
+          # @return [Boolean]
           #
-          def search(path_or_id)
-            Mihari::Database.with_db_connection do
-              rule = Structs::Rule.from_path_or_id path_or_id
+          def diff?
+            model = Mihari::Rule.find(rule.id)
+            model.data != rule.data.deep_stringify_keys
+          rescue ActiveRecord::RecordNotFound
+            false
+          end
+
+          def update_or_create
+            rule.model.save
+          end
 
-              begin
-                rule.validate!
-              rescue RuleValidationError
+          def run
+            begin
+              analyzer = rule.analyzer
+            rescue ConfigurationError => e
+              # if there is a configuration error, output that error without the stack trace
+              Mihari.logger.error e.to_s
+              return
+            end
+
+            with_error_notification do
+              alert = analyzer.run
+              if alert.nil?
+                Mihari.logger.info "There is no new artifact found"
                 return
               end
 
-              update_rule rule
-              run_rule rule
+              data = Mihari::Entities::Alert.represent(alert)
+              puts JSON.pretty_generate(data.as_json)
             end
           end
         end
-      end
 
-      # @param [Mihari::Structs::Rule] rule
-      #
-      def update_rule(rule)
-        force_overwrite = options["force_overwrite"] || false
-        begin
-          rule_model = Mihari::Rule.find(rule.id)
-          has_change = rule_model.data != rule.data.deep_stringify_keys
-          has_change_and_not_force_overwrite = has_change & !force_overwrite
+        def included(thor)
+          thor.class_eval do
+            desc "search [PATH]", "Search by a rule"
+            method_option :force_overwrite, type: :boolean, aliases: "-f", desc: "Force an overwrite the rule"
+            #
+            # Search by a rule
+            #
+            # @param [String] path_or_id
+            #
+            def search(path_or_id)
+              Mihari::Database.with_db_connection do
+                rule = Structs::Rule.from_path_or_id path_or_id
 
-          confirm_message = "This operation will overwrite the rule in the database (Rule ID: #{rule.id}). Are you sure you want to update the rule? (y/n)"
-          return if has_change_and_not_force_overwrite && !yes?(confirm_message)
-          # update the rule
-          rule.model.save
-        rescue ActiveRecord::RecordNotFound
-          # create a new rule
-          rule.model.save
-        end
-      end
+                begin
+                  rule.validate!
+                rescue RuleValidationError
+                  return
+                end
 
-      #
-      # @param [Mihari::Structs::Rule] rule
-      #
-      def run_rule(rule)
-        with_error_notification do
-          alert = rule.analyzer.run
-          if alert
-            data = Mihari::Entities::Alert.represent(alert)
-            puts JSON.pretty_generate(data.as_json)
-          else
-            Mihari.logger.info "There is no new alert created in the database"
+                force_overwrite = options["force_overwrite"] || false
+                wrapper = RuleWrapper.new(rule, force_overwrite: force_overwrite)
+
+                if wrapper.diff? && !force_overwrite
+                  message = "There is diff in the rule (#{rule.id}). Are you sure you want to overwrite the rule? (y/n)"
+                  return unless yes?(message)
+                end
+
+                wrapper.update_or_create
+                wrapper.run
+              end
+            end
           end
         end
       end

data/lib/mihari/commands/version.rb

@@ -3,13 +3,15 @@
 module Mihari
   module Commands
     module Version
-      def self.included(thor)
-        thor.class_eval do
-          map %w[--version -v] => :__print_version
+      class << self
+        def included(thor)
+          thor.class_eval do
+            map %w[--version -v] => :__print_version
 
-          desc "--version, -v", "Print the version"
-          def __print_version
-            puts Mihari::VERSION
+            desc "--version, -v", "Print the version"
+            def __print_version
+              puts Mihari::VERSION
+            end
           end
         end
       end

data/lib/mihari/commands/web.rb

@@ -3,29 +3,32 @@
 module Mihari
   module Commands
     module Web
-      def self.included(thor)
-        thor.class_eval do
-          desc "web", "Launch the web app"
-          method_option :port, type: :numeric, default: 9292, desc: "Hostname to listen on"
-          method_option :host, type: :string, default: "localhost", desc: "Port to listen on"
-          method_option :threads, type: :string, default: "0:5", desc: "min:max threads to use"
-          method_option :verbose, type: :boolean, default: true, desc: "Report each request"
-          method_option :worker_timeout, type: :numeric, default: 60, desc: "Worker timeout value (in seconds)"
-          method_option :hide_config_values, type: :boolean, default: false,
-            desc: "Whether to hide config values or not"
-          method_option :open, type: :boolean, default: true, desc: "Whether to open the app in browser or not"
-          def web
-            Mihari.config.hide_config_values = options["hide_config_values"]
-            # set rack env as production
-            ENV["RACK_ENV"] ||= "production"
-            Mihari::App.run!(
-              port: options["port"],
-              host: options["host"],
-              threads: options["threads"],
-              verbose: options["verbose"],
-              worker_timeout: options["worker_timeout"],
-              open: options["open"]
-            )
+      class << self
+        def included(thor)
+          thor.class_eval do
+            desc "web", "Launch the web app"
+            method_option :port, type: :numeric, default: 9292, desc: "Hostname to listen on"
+            method_option :host, type: :string, default: "localhost", desc: "Port to listen on"
+            method_option :threads, type: :string, default: "0:5", desc: "min:max threads to use"
+            method_option :verbose, type: :boolean, default: true, desc: "Report each request"
+            method_option :worker_timeout, type: :numeric, default: 60, desc: "Worker timeout value (in seconds)"
+            method_option :hide_config_values, type: :boolean, default: false,
+              desc: "Whether to hide config values or not"
+            method_option :open, type: :boolean, default: true, desc: "Whether to open the app in browser or not"
+            method_option :rack_env, type: :string, default: "production", desc: "Rack environment"
+            def web
+              Mihari.config.hide_config_values = options["hide_config_values"]
+              # set rack env as production
+              ENV["RACK_ENV"] ||= options["rack_env"]
+              Mihari::App.run!(
+                port: options["port"],
+                host: options["host"],
+                threads: options["threads"],
+                verbose: options["verbose"],
+                worker_timeout: options["worker_timeout"],
+                open: options["open"]
+              )
+            end
           end
         end
       end

data/lib/mihari/emitters/base.rb

@@ -6,7 +6,20 @@ module Mihari
       include Mixins::Configurable
       include Mixins::Retriable
 
-      def initialize(*)
+      # @return [Array<Mihari::Artifact>]
+      attr_reader :artifacts
+
+      # @return [Mihari::Structs::Rule]
+      attr_reader :rule
+
+      #
+      # @param [Array<Mihari::Artifact>] artifacts
+      # @param [Mihari::Structs::Rule] rule
+      # @param [Hash] **_options
+      #
+      def initialize(artifacts:, rule:, **_options)
+        @artifacts = artifacts
+        @rule = rule
       end
 
       class << self

data/lib/mihari/emitters/database.rb

@@ -4,28 +4,21 @@ module Mihari
   module Emitters
     class Database < Base
       def valid?
-        true
+        configured?
       end
 
       #
       # Create an alert
       #
-      # @param [Arra<Mihari::Artifact>] artifacts
-      # @param [Mihari::Structs::Rule] rule
-      #
       # @return [Mihari::Alert]
       #
-      def emit(artifacts:, rule:)
+      def emit
         return if artifacts.empty?
 
         tags = rule.tags.filter_map { |name| Tag.find_or_create_by(name: name) }.uniq
         taggings = tags.map { |tag| Tagging.new(tag_id: tag.id) }
 
-        alert = Alert.new(
-          artifacts: artifacts,
-          taggings: taggings,
-          rule_id: rule.id
-        )
+        alert = Alert.new(artifacts: artifacts, taggings: taggings, rule_id: rule.id)
         alert.save
         alert
       end

data/lib/mihari/emitters/misp.rb

@@ -9,11 +9,22 @@ module Mihari
       # @return [String, nil]
       attr_reader :api_key
 
-      def initialize(*args, **kwargs)
-        super(*args, **kwargs)
+      # @return [Array<Mihari::Artifact>]
+      attr_reader :artifacts
 
-        @url = kwargs[:url] || Mihari.config.misp_url
-        @api_key = kwargs[:api_key] || Mihari.config.misp_api_key
+      # @return [Mihari::Structs::Rule]
+      attr_reader :rule
+
+      #
+      # @param [Array<Mihari::Artifact>] artifacts
+      # @param [Mihari::Structs::Rule] rule
+      # @param [Hash] **options
+      #
+      def initialize(artifacts:, rule:, **options)
+        super(artifacts: artifacts, rule: rule, **options)
+
+        @url = options[:url] || Mihari.config.misp_url
+        @api_key = options[:api_key] || Mihari.config.misp_api_key
       end
 
       # @return [Boolean]
@@ -40,7 +51,7 @@ module Mihari
       #
       # @return [::MISP::Event]
       #
-      def emit(rule:, artifacts:, **_options)
+      def emit
         return if artifacts.empty?
 
         client.create_event({