mihari 5.6.1 → 5.6.2

data/lib/mihari/web/public/index.html

@@ -6,7 +6,7 @@
     <meta name="viewport" content="width=device-width,initial-scale=1.0" />
     <link rel="icon" href="/favicon.ico" />
     <title>Mihari</title>
-    <script type="module" crossorigin src="/assets/index-9cc489e6.js"></script>
+    <script type="module" crossorigin src="/assets/index-28d4c79d.js"></script>
     <link rel="stylesheet" href="/assets/index-56fc2187.css">
   </head>
   <body>

data/lib/mihari.rb

@@ -35,7 +35,6 @@ require "addressable/uri"
 require "awrence"
 require "email_address"
 require "memist"
-require "net/ping"
 require "parallel"
 require "plissken"
 require "public_suffix"
@@ -74,7 +73,7 @@ module Mihari
     #
     def emitter_to_class
       @emitter_to_class ||= emitters.flat_map do |klass|
-        klass.class_keys.map { |key| [key.downcase, klass] }
+        klass.class_keys.map { |key| [key, klass] }
       end.to_h
     end
 
@@ -88,7 +87,7 @@ module Mihari
     #
     def analyzer_to_class
       @analyzer_to_class ||= analyzers.flat_map do |klass|
-        klass.class_keys.map { |key| [key.downcase, klass] }
+        klass.class_keys.map { |key| [key, klass] }
       end.to_h
     end
 
@@ -102,7 +101,7 @@ module Mihari
     #
     def enricher_to_class
       @enricher_to_class ||= enrichers.flat_map do |klass|
-        klass.class_keys.map { |key| [key.downcase, klass] }
+        klass.class_keys.map { |key| [key, klass] }
       end.to_h
     end
 
@@ -131,10 +130,11 @@ module Mihari
 end
 
 # Core classes
-require "mihari/base"
+require "mihari/actor"
 require "mihari/database"
 require "mihari/http"
 require "mihari/type_checker"
+require "mihari/rule"
 
 # Enrichers
 require "mihari/enrichers/base"
@@ -210,8 +210,6 @@ require "mihari/analyzers/virustotal_intelligence"
 require "mihari/analyzers/virustotal"
 require "mihari/analyzers/zoomeye"
 
-require "mihari/analyzers/rule"
-
 # Types
 require "mihari/types"
 
@@ -234,6 +232,7 @@ require "mihari/structs/virustotal_intelligence"
 
 # Schemas
 require "mihari/schemas/macros"
+require "mihari/schemas/mixins"
 
 require "mihari/schemas/options"
 
@@ -243,7 +242,6 @@ require "mihari/schemas/rule"
 
 # Services
 require "mihari/services/rule_builder"
-require "mihari/services/rule_proxy"
 require "mihari/services/rule_runner"
 
 require "mihari/services/alert_builder"

data/mihari.gemspec

@@ -48,7 +48,7 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency "rb-fsevent", "~> 0.11"
   spec.add_development_dependency "rerun", "~> 0.14"
   spec.add_development_dependency "rspec", "~> 3.12"
-  spec.add_development_dependency "rubocop-rspec", "~> 2.24"
+  spec.add_development_dependency "rubocop-rspec", "~> 2.25"
   spec.add_development_dependency "simplecov-lcov", "~> 0.8"
   spec.add_development_dependency "standard", "~> 1.31"
   spec.add_development_dependency "test-prof", "~> 1.2"
@@ -80,7 +80,6 @@ Gem::Specification.new do |spec|
   spec.add_dependency "jr-cli", "0.6.0"
   spec.add_dependency "launchy", "2.5.2"
   spec.add_dependency "memist", "2.0.2"
-  spec.add_dependency "net-ping", "2.0.8"
   spec.add_dependency "normalize_country", "0.3.2"
   spec.add_dependency "parallel", "1.23.0"
   spec.add_dependency "plissken", "2.0.1"

data/requirements.txt

@@ -1,2 +1,2 @@
 mkdocs==1.5.3
-mkdocs-material==9.4.6
+mkdocs-material==9.4.7

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: mihari
 version: !ruby/object:Gem::Version
-  version: 5.6.1
+  version: 5.6.2
 platform: ruby
 authors:
 - Manabu Niseki
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2023-10-23 00:00:00.000000000 Z
+date: 2023-10-28 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -184,14 +184,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.24'
+        version: '2.25'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.24'
+        version: '2.25'
 - !ruby/object:Gem::Dependency
   name: simplecov-lcov
   requirement: !ruby/object:Gem::Requirement
@@ -570,20 +570,6 @@ dependencies:
     - - '='
       - !ruby/object:Gem::Version
         version: 2.0.2
-- !ruby/object:Gem::Dependency
-  name: net-ping
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - '='
-      - !ruby/object:Gem::Version
-        version: 2.0.8
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - '='
-      - !ruby/object:Gem::Version
-        version: 2.0.8
 - !ruby/object:Gem::Dependency
   name: normalize_country
   requirement: !ruby/object:Gem::Requirement
@@ -970,6 +956,7 @@ files:
 - frontend/vitest.config.ts
 - lefthook.yml
 - lib/mihari.rb
+- lib/mihari/actor.rb
 - lib/mihari/analyzers/base.rb
 - lib/mihari/analyzers/binaryedge.rb
 - lib/mihari/analyzers/censys.rb
@@ -983,14 +970,12 @@ files:
 - lib/mihari/analyzers/otx.rb
 - lib/mihari/analyzers/passivetotal.rb
 - lib/mihari/analyzers/pulsedive.rb
-- lib/mihari/analyzers/rule.rb
 - lib/mihari/analyzers/securitytrails.rb
 - lib/mihari/analyzers/shodan.rb
 - lib/mihari/analyzers/urlscan.rb
 - lib/mihari/analyzers/virustotal.rb
 - lib/mihari/analyzers/virustotal_intelligence.rb
 - lib/mihari/analyzers/zoomeye.rb
-- lib/mihari/base.rb
 - lib/mihari/cli/alert.rb
 - lib/mihari/cli/base.rb
 - lib/mihari/cli/database.rb
@@ -1071,18 +1056,19 @@ files:
 - lib/mihari/models/tag.rb
 - lib/mihari/models/tagging.rb
 - lib/mihari/models/whois.rb
+- lib/mihari/rule.rb
 - lib/mihari/schemas/alert.rb
 - lib/mihari/schemas/analyzer.rb
 - lib/mihari/schemas/emitter.rb
 - lib/mihari/schemas/enricher.rb
 - lib/mihari/schemas/macros.rb
+- lib/mihari/schemas/mixins.rb
 - lib/mihari/schemas/options.rb
 - lib/mihari/schemas/rule.rb
 - lib/mihari/services/alert_builder.rb
 - lib/mihari/services/alert_proxy.rb
 - lib/mihari/services/alert_runner.rb
 - lib/mihari/services/rule_builder.rb
-- lib/mihari/services/rule_proxy.rb
 - lib/mihari/services/rule_runner.rb
 - lib/mihari/structs/binaryedge.rb
 - lib/mihari/structs/censys.rb
@@ -1110,8 +1096,8 @@ files:
 - lib/mihari/web/endpoints/tags.rb
 - lib/mihari/web/middleware/connection_adapter.rb
 - lib/mihari/web/middleware/error_notification_adapter.rb
+- lib/mihari/web/public/assets/index-28d4c79d.js
 - lib/mihari/web/public/assets/index-56fc2187.css
-- lib/mihari/web/public/assets/index-9cc489e6.js
 - lib/mihari/web/public/assets/mode-yaml-a21faa53.js
 - lib/mihari/web/public/favicon.ico
 - lib/mihari/web/public/index.html

data/lib/mihari/analyzers/rule.rb

@@ -1,232 +0,0 @@
-# frozen_string_literal: true
-
-module Mihari
-  module Analyzers
-    class Rule
-      include Mixins::FalsePositive
-
-      # @return [Mihari::Services::RuleProxy]
-      attr_reader :rule
-
-      # @return [Time]
-      attr_reader :base_time
-
-      #
-      # @param [Mihari::Services::RuleProxy] rule
-      #
-      def initialize(rule)
-        @rule = rule
-        @base_time = Time.now.utc
-
-        validate_analyzer_configurations
-      end
-
-      #
-      # Returns a list of artifacts matched with queries/analyzers (with the rule ID)
-      #
-      # @return [Array<Mihari::Artifact>]
-      #
-      def artifacts
-        analyzers.flat_map do |analyzer|
-          result = analyzer.result
-
-          raise result.failure if result.failure? && !analyzer.ignore_error?
-
-          artifacts = result.value!
-          artifacts.map do |artifact|
-            artifact.rule_id = rule.id
-            artifact
-          end
-        end
-      end
-
-      #
-      # Normalize artifacts
-      # - Reject invalid artifacts (for just in case)
-      # - Select artifacts with allowed data types
-      # - Reject artifacts with false positive values
-      # - Set rule ID
-      #
-      # @return [Array<Mihari::Artifact>]
-      #
-      def normalized_artifacts
-        valid_artifacts = artifacts.uniq(&:data).select(&:valid?)
-        date_type_allowed_artifacts = valid_artifacts.select { |artifact| rule.data_types.include? artifact.data_type }
-        date_type_allowed_artifacts.reject { |artifact| falsepositive? artifact.data }
-      end
-
-      #
-      # Uniquify artifacts (assure rule level uniqueness)
-      #
-      # @return [Array<Mihari::Artifact>]
-      #
-      def unique_artifacts
-        normalized_artifacts.select do |artifact|
-          artifact.unique?(base_time: base_time, artifact_lifetime: rule.artifact_lifetime)
-        end
-      end
-
-      #
-      # Enriched artifacts
-      #
-      # @return [Array<Mihari::Artifact>]
-      #
-      def enriched_artifacts
-        @enriched_artifacts ||= Parallel.map(unique_artifacts) do |artifact|
-          enrichers.each { |enricher| artifact.enrich_by_enricher enricher }
-          artifact
-        end
-      end
-
-      #
-      # Bulk emit
-      #
-      # @return [Array<Mihari::Alert>]
-      #
-      def bulk_emit
-        return [] if enriched_artifacts.empty?
-
-        # NOTE: separate parallel execution and logging
-        #       because the logger does not work along with Parallel
-        results = Parallel.map(valid_emitters) do |emitter|
-          emitter.result
-        end
-
-        results.zip(valid_emitters).map do |result_and_emitter|
-          result, emitter = result_and_emitter
-
-          Mihari.logger.info "Emission by #{emitter.class} is failed: #{result.failure}" if result.failure?
-          Mihari.logger.info "Emission by #{emitter.class} is succeeded" if result.success?
-
-          result.value_or nil
-        end.compact
-      end
-
-      #
-      # Set artifacts & run emitters in parallel
-      #
-      # @return [Mihari::Alert, nil]
-      #
-      def run
-        alert_or_something = bulk_emit
-        # returns Mihari::Alert created by the database emitter
-        alert_or_something.find { |res| res.is_a?(Mihari::Alert) }
-      end
-
-      private
-
-      #
-      # Check whether a value is a falsepositive value or not
-      #
-      # @return [Boolean]
-      #
-      def falsepositive?(value)
-        return true if rule.falsepositives.include?(value)
-
-        regexps = rule.falsepositives.select { |fp| fp.is_a?(Regexp) }
-        regexps.any? { |fp| fp.match?(value) }
-      end
-
-      #
-      # Get analyzer class
-      #
-      # @param [String] key
-      #
-      # @return [Class<Mihari::Analyzers::Base>] analyzer class
-      #
-      def get_analyzer_class(key)
-        raise ArgumentError, "#{key} is not supported" unless Mihari.analyzer_to_class.key?(key)
-
-        Mihari.analyzer_to_class[key]
-      end
-
-      #
-      # @return [Array<Mihari::Analyzers::Base>]
-      #
-      def analyzers
-        rule.queries.map do |query_params|
-          analyzer_name = query_params[:analyzer]
-          klass = get_analyzer_class(analyzer_name)
-          klass.from_query(query_params)
-        end
-      end
-
-      #
-      # Get emitter class
-      #
-      # @param [String] key
-      #
-      # @return [Class<Mihari::Emitters::Base>] emitter class
-      #
-      def get_emitter_class(key)
-        raise ArgumentError, "#{key} is not supported" unless Mihari.emitter_to_class.key?(key)
-
-        Mihari.emitter_to_class[key]
-      end
-
-      #
-      # @return [Array<Mihari::Emitters::Base>]
-      #
-      def emitters
-        rule.emitters.map(&:deep_dup).map do |params|
-          name = params[:emitter]
-          options = params[:options]
-
-          %i[emitter options].each { |key| params.delete key }
-
-          klass = get_emitter_class(name)
-          klass.new(artifacts: enriched_artifacts, rule: rule, options: options, **params)
-        end
-      end
-
-      #
-      # @return [Array<Mihari::Emitters::Base>]
-      #
-      def valid_emitters
-        @valid_emitters ||= emitters.select(&:valid?)
-      end
-
-      #
-      # Get enricher class
-      #
-      # @param [String] key
-      #
-      # @return [Class<Mihari::Enrichers::Base>] enricher class
-      #
-      def get_enricher_class(key)
-        raise ArgumentError, "#{key} is not supported" unless Mihari.enricher_to_class.key?(key)
-
-        Mihari.enricher_to_class[key]
-      end
-
-      #
-      # @return [Array<Mihari::Enrichers::Base>] enrichers
-      #
-      def enrichers
-        @enrichers ||= rule.enrichers.map(&:deep_dup).map do |params|
-          name = params[:enricher]
-          options = params[:options]
-
-          %i[enricher options].each { |key| params.delete key }
-
-          klass = get_enricher_class(name)
-          klass.new(options: options, **params)
-        end
-      end
-
-      #
-      # Validate configuration of analyzers
-      #
-      def validate_analyzer_configurations
-        analyzers.map do |analyzer|
-          next if analyzer.configured?
-
-          joined = analyzer.configuration_keys.join(", ")
-          be = (analyzer.configuration_keys.length > 1) ? "are" : "is"
-          message = "#{analyzer.class.class_key} is not configured correctly. #{joined} #{be} missing."
-          raise ConfigurationError, message
-        end
-      end
-    end
-  end
-end

data/lib/mihari/services/rule_proxy.rb

@@ -1,182 +0,0 @@
-# frozen_string_literal: true
-
-require "json"
-
-module Mihari
-  module Services
-    #
-    # proxy (or converter) class for rule
-    # proxying rule schema data into analyzer & model
-    #
-    class RuleProxy
-      include Mixins::FalsePositive
-
-      # @return [Hash]
-      attr_reader :data
-
-      # @return [Array, nil]
-      attr_reader :errors
-
-      #
-      # Initialize
-      #
-      # @param [Hash] data
-      #
-      def initialize(data)
-        @data = data.deep_symbolize_keys
-        @errors = nil
-
-        validate!
-      end
-
-      #
-      # @return [Boolean]
-      #
-      def errors?
-        return false if @errors.nil?
-
-        !@errors.empty?
-      end
-
-      def validate!
-        contract = Schemas::RuleContract.new
-        result = contract.call(data)
-
-        @data = result.to_h
-        @errors = result.errors
-
-        raise ValidationError.new("Validation failed", errors) if errors?
-      end
-
-      def [](key)
-        data key.to_sym
-      end
-
-      #
-      # @return [String]
-      #
-      def id
-        @id ||= data[:id]
-      end
-
-      #
-      # @return [String]
-      #
-      def title
-        @title ||= data[:title]
-      end
-
-      #
-      # @return [String]
-      #
-      def description
-        @description ||= data[:description]
-      end
-
-      #
-      # @return [String]
-      #
-      def yaml
-        @yaml ||= data.deep_stringify_keys.to_yaml
-      end
-
-      #
-      # @return [Array<Hash>]
-      #
-      def queries
-        @queries ||= data[:queries]
-      end
-
-      #
-      # @return [Array<String>]
-      #
-      def data_types
-        @data_types ||= data[:data_types]
-      end
-
-      #
-      # @return [Array<String>]
-      #
-      def tags
-        @tags ||= data[:tags]
-      end
-
-      #
-      # @return [Array<String, RegExp>]
-      #
-      def falsepositives
-        @falsepositives ||= data[:falsepositives].map { |fp| normalize_falsepositive fp }
-      end
-
-      #
-      # @return [Array<Hash>]
-      #
-      def emitters
-        @emitters ||= data[:emitters]
-      end
-
-      #
-      # @return [Array<Hash>]
-      #
-      def enrichers
-        @enrichers ||= data[:enrichers]
-      end
-
-      #
-      # @return [Integer, nil]
-      #
-      def artifact_lifetime
-        @artifact_lifetime ||= data[:artifact_lifetime] || data[:artifact_ttl]
-      end
-
-      #
-      # @return [Mihari::Rule]
-      #
-      def model
-        rule = Mihari::Rule.find(id)
-
-        rule.title = title
-        rule.description = description
-        rule.data = data
-
-        rule
-      rescue ActiveRecord::RecordNotFound
-        Mihari::Rule.new(
-          id: id,
-          title: title,
-          description: description,
-          data: data
-        )
-      end
-
-      #
-      # @return [Mihari::Analyzers::Rule]
-      #
-      def analyzer
-        Mihari::Analyzers::Rule.new self
-      end
-
-      class << self
-        #
-        # Load rule from YAML string
-        #
-        # @param [String] yaml
-        #
-        # @return [Mihari::Services::Rule]
-        #
-        def from_yaml(yaml)
-          new YAML.safe_load(ERB.new(yaml).result, permitted_classes: [Date, Symbol])
-        end
-
-        #
-        # @param [Mihari::Rule] model
-        #
-        # @return [Mihari::Services::Rule]
-        #
-        def from_model(model)
-          new model.data
-        end
-      end
-    end
-  end
-end