RubyGems - mihari - Versions diffs - 5.6.1 → 5.6.2 - Mend

mihari 5.6.1 → 5.6.2

Files changed (71) hide show

checksums.yaml +4 -4
data/frontend/package-lock.json +173 -176
data/frontend/package.json +9 -9
data/lib/mihari/{base.rb → actor.rb} +16 -2
data/lib/mihari/analyzers/base.rb +5 -10
data/lib/mihari/analyzers/censys.rb +1 -1
data/lib/mihari/analyzers/hunterhow.rb +1 -1
data/lib/mihari/analyzers/passivetotal.rb +1 -1
data/lib/mihari/analyzers/pulsedive.rb +1 -1
data/lib/mihari/analyzers/securitytrails.rb +1 -1
data/lib/mihari/analyzers/urlscan.rb +1 -1
data/lib/mihari/analyzers/virustotal.rb +5 -5
data/lib/mihari/analyzers/zoomeye.rb +3 -3
data/lib/mihari/clients/crtsh.rb +2 -2
data/lib/mihari/clients/passivetotal.rb +4 -4
data/lib/mihari/clients/securitytrails.rb +3 -3
data/lib/mihari/commands/rule.rb +2 -11
data/lib/mihari/commands/search.rb +1 -1
data/lib/mihari/emitters/base.rb +13 -24
data/lib/mihari/emitters/database.rb +7 -9
data/lib/mihari/emitters/misp.rb +14 -38
data/lib/mihari/emitters/slack.rb +14 -11
data/lib/mihari/emitters/the_hive.rb +16 -44
data/lib/mihari/emitters/webhook.rb +31 -21
data/lib/mihari/enrichers/base.rb +1 -6
data/lib/mihari/enrichers/whois.rb +1 -1
data/lib/mihari/models/alert.rb +75 -73
data/lib/mihari/models/artifact.rb +182 -180
data/lib/mihari/models/autonomous_system.rb +22 -20
data/lib/mihari/models/cpe.rb +21 -19
data/lib/mihari/models/dns.rb +24 -22
data/lib/mihari/models/geolocation.rb +22 -20
data/lib/mihari/models/port.rb +21 -19
data/lib/mihari/models/reverse_dns.rb +21 -19
data/lib/mihari/models/rule.rb +67 -65
data/lib/mihari/models/tag.rb +5 -3
data/lib/mihari/models/tagging.rb +5 -3
data/lib/mihari/models/whois.rb +18 -16
data/lib/mihari/rule.rb +352 -0
data/lib/mihari/schemas/analyzer.rb +94 -87
data/lib/mihari/schemas/emitter.rb +9 -5
data/lib/mihari/schemas/enricher.rb +8 -4
data/lib/mihari/schemas/mixins.rb +15 -0
data/lib/mihari/schemas/rule.rb +3 -10
data/lib/mihari/services/alert_builder.rb +1 -1
data/lib/mihari/services/alert_proxy.rb +10 -6
data/lib/mihari/services/alert_runner.rb +4 -4
data/lib/mihari/services/rule_builder.rb +3 -3
data/lib/mihari/services/rule_runner.rb +5 -5
data/lib/mihari/structs/binaryedge.rb +1 -1
data/lib/mihari/structs/censys.rb +6 -6
data/lib/mihari/structs/config.rb +1 -1
data/lib/mihari/structs/greynoise.rb +5 -5
data/lib/mihari/structs/hunterhow.rb +3 -3
data/lib/mihari/structs/onyphe.rb +5 -5
data/lib/mihari/structs/shodan.rb +6 -6
data/lib/mihari/structs/urlscan.rb +3 -3
data/lib/mihari/structs/virustotal_intelligence.rb +3 -3
data/lib/mihari/version.rb +1 -1
data/lib/mihari/web/endpoints/alerts.rb +4 -4
data/lib/mihari/web/endpoints/artifacts.rb +6 -6
data/lib/mihari/web/endpoints/rules.rb +10 -17
data/lib/mihari/web/endpoints/tags.rb +2 -2
data/lib/mihari/web/public/assets/{index-9cc489e6.js → index-28d4c79d.js} +48 -48
data/lib/mihari/web/public/index.html +1 -1
data/lib/mihari.rb +6 -8
data/mihari.gemspec +1 -2
data/requirements.txt +1 -1
metadata +8 -22
data/lib/mihari/analyzers/rule.rb +0 -232
data/lib/mihari/services/rule_proxy.rb +0 -182

data/lib/mihari/emitters/the_hive.rb CHANGED Viewed

@@ -12,45 +12,42 @@ module Mihari
       # @return [String, nil]
       attr_reader :api_version
+      # @return [Array<Mihari::Models::Artifact>]
+      attr_accessor :artifacts
       #
-      # @param [Array<Mihari::Artifact>] artifacts
       # @param [Mihari::Services::Rule] rule
       # @param [Hash, nil] options
       # @param [Hash] **params
       #
-      def initialize(artifacts:, rule:, options: nil, **params)
-        super(artifacts: artifacts, rule: rule, options: options)
+      def initialize(rule:, options: nil, **params)
+        super(rule: rule, options: options)
         @url = params[:url] || Mihari.config.thehive_url
         @api_key = params[:api_key] || Mihari.config.thehive_api_key
         @api_version = params[:api_version] || Mihari.config.thehive_api_version
+        @artifacts = []
       end
+      #
       # @return [Boolean]
-      def valid?
-        unless url? && api_key?
-          Mihari.logger.info("TheHive URL is not set") unless url?
-          Mihari.logger.info("TheHive API key is not set") unless api_key?
-          return false
-        end
-        unless ping?
-          Mihari.logger.info("TheHive URL (#{url}) is not reachable")
-          return false
-        end
-        true
+      #
+      def configured?
+        api_key? && url?
       end
       #
       # Create a Hive alert
       #
-      # @return [::MISP::Event]
+      # @param [Array<Mihari::Models::Artifact>] artifacts
       #
-      def emit
+      def emit(artifacts)
         return if artifacts.empty?
-        client.alert(payload)
+        @artifacts = artifacts
+        client.alert payload
       end
       #
@@ -146,31 +143,6 @@ module Mihari
           source_ref: "1"
         }
       end
-      #
-      # Check whether a URL is reachable or not
-      #
-      # @return [Boolean]
-      #
-      def ping?
-        base_url = url.end_with?("/") ? url[0..-2] : url
-        if normalized_api_version.nil?
-          # for v4
-          base_url = url.end_with?("/") ? url[0..-2] : url
-          public_url = "#{base_url}/index.html"
-        else
-          # for v5
-          public_url = "#{base_url}/api/v1/status/public"
-        end
-        http = Net::Ping::HTTP.new(public_url)
-        # use GET for v5
-        http.get_request = true if normalized_api_version
-        http.ping?
-      end
     end
   end
 end

data/lib/mihari/emitters/webhook.rb CHANGED Viewed

@@ -57,23 +57,41 @@ module Mihari
       # @return [String, nil]
       attr_reader :template
+      # @return [Array<Mihari::Models::Artifact>]
+      attr_accessor :artifacts
       #
-      # @param [Array<Mihari::Artifact>] artifacts
       # @param [Mihari::Services::Rule] rule
       # @param [Hash] **options
       #
-      def initialize(artifacts:, rule:, options: nil, **params)
-        super(artifacts: artifacts, rule: rule, options: options)
+      def initialize(rule:, options: nil, **params)
+        super(rule: rule, options: options)
         @url = Addressable::URI.parse(params[:url])
         @headers = params[:headers] || {}
         @method = params[:method] || "POST"
         @template = params[:template]
+        @artifacts = []
+      end
+      #
+      # @return [Boolean]
+      #
+      def configured?
+        return false if url.nil?
+        %w[http https].include? url.scheme.downcase
       end
-      def emit
+      #
+      # @param [Array<Mihari::Models::Artifact>] artifacts
+      #
+      def emit(artifacts)
         return if artifacts.empty?
+        @artifacts = artifacts
         # returns body to prevent Parallel issue (Parallel fails to handle HTTP:Response object)
         case method
         when "GET"
@@ -83,12 +101,6 @@ module Mihari
         end
       end
-      def valid?
-        return false if url.nil?
-        %w[http https].include? url.scheme.downcase
-      end
       private
       def http
@@ -101,17 +113,15 @@ module Mihari
       # @return [String]
       #
       def rendered_template
-        [].tap do |out|
-          options = {}
-          options[:template] = File.read(template) unless template.nil?
-          payload_template = PayloadTemplate.new(
-            artifacts: artifacts,
-            rule: rule,
-            options: options
-          )
-          out << payload_template.result
-        end.first
+        options = {}
+        options[:template] = File.read(template) unless template.nil?
+        payload_template = PayloadTemplate.new(
+          artifacts: artifacts,
+          rule: rule,
+          options: options
+        )
+        payload_template.result
       end
       #

data/lib/mihari/enrichers/base.rb CHANGED Viewed

@@ -2,12 +2,7 @@
 module Mihari
   module Enrichers
-    class Base < Mihari::Base
-      include Mixins::Configurable
-      include Mixins::Retriable
-      include Dry::Monads[:result, :try]
+    class Base < Actor
       def initialize(options: nil)
         super(options: options)
       end

data/lib/mihari/enrichers/whois.rb CHANGED Viewed

@@ -34,7 +34,7 @@ module Mihari
         parser = record.parser
         return nil if parser.available?
-        whois_record = WhoisRecord.new(
+        whois_record = Models::WhoisRecord.new(
           domain: domain,
           created_on: get_created_on(parser),
           updated_on: get_updated_on(parser),

data/lib/mihari/models/alert.rb CHANGED Viewed

@@ -1,88 +1,90 @@
 # frozen_string_literal: true
 module Mihari
-  class Alert < ActiveRecord::Base
-    has_many :taggings, dependent: :destroy
-    has_many :artifacts, dependent: :destroy
-    has_many :tags, through: :taggings
-    belongs_to :rule
-    class << self
-      #
-      # Search alerts
-      #
-      # @param [Structs::Filters::Alert::SearchFilterWithPagination] filter
-      #
-      # @return [Array<Alert>]
-      #
-      def search(filter)
-        limit = filter.limit.to_i
-        raise ArgumentError, "limit should be bigger than zero" unless limit.positive?
-        page = filter.page.to_i
-        raise ArgumentError, "page should be bigger than zero" unless page.positive?
-        offset = (page - 1) * limit
-        relation = build_relation(filter.without_pagination)
-        alert_ids = relation.limit(limit).offset(offset).order(id: :desc).pluck(:id).uniq
-        eager_load(:artifacts, :tags).where(id: [alert_ids]).order(id: :desc)
-      end
-      #
-      # Count alerts
-      #
-      # @param [String, nil] artifact_data
-      #
-      # @return [Integer]
-      #
-      def count(filter)
-        relation = build_relation(filter)
-        relation.distinct("alerts.id").count
-      end
+  module Models
+    class Alert < ActiveRecord::Base
+      has_many :taggings, dependent: :destroy
+      has_many :artifacts, dependent: :destroy
+      has_many :tags, through: :taggings
+      belongs_to :rule
+      class << self
+        #
+        # Search alerts
+        #
+        # @param [Structs::Filters::Alert::SearchFilterWithPagination] filter
+        #
+        # @return [Array<Alert>]
+        #
+        def search(filter)
+          limit = filter.limit.to_i
+          raise ArgumentError, "limit should be bigger than zero" unless limit.positive?
+          page = filter.page.to_i
+          raise ArgumentError, "page should be bigger than zero" unless page.positive?
+          offset = (page - 1) * limit
+          relation = build_relation(filter.without_pagination)
+          alert_ids = relation.limit(limit).offset(offset).order(id: :desc).pluck(:id).uniq
+          eager_load(:artifacts, :tags).where(id: [alert_ids]).order(id: :desc)
+        end
-      private
-      #
-      # @param [Structs::Filters::Alert::SearchFilter] filter
-      #
-      # @return [Array<Integer>]
-      #
-      def get_artifact_ids_by_filter(filter)
-        artifact_ids = []
-        if filter.artifact_data
-          artifact = Artifact.where(data: filter.artifact_data)
-          artifact_ids = artifact.pluck(:id)
-          # set invalid ID if nothing is matched with the filters
-          artifact_ids = [-1] if artifact_ids.empty?
+        #
+        # Count alerts
+        #
+        # @param [String, nil] artifact_data
+        #
+        # @return [Integer]
+        #
+        def count(filter)
+          relation = build_relation(filter)
+          relation.distinct("alerts.id").count
         end
-        artifact_ids
-      end
+        private
-      #
-      # @param [Structs::Filters::Alert::SearchFilter] filter
-      #
-      # @return [Mihari::Alert]
-      #
-      def build_relation(filter)
-        artifact_ids = get_artifact_ids_by_filter(filter)
+        #
+        # @param [Structs::Filters::Alert::SearchFilter] filter
+        #
+        # @return [Array<Integer>]
+        #
+        def get_artifact_ids_by_filter(filter)
+          artifact_ids = []
-        relation = self
-        relation = relation.includes(:artifacts, :tags)
+          if filter.artifact_data
+            artifact = Artifact.where(data: filter.artifact_data)
+            artifact_ids = artifact.pluck(:id)
+            # set invalid ID if nothing is matched with the filters
+            artifact_ids = [-1] if artifact_ids.empty?
+          end
-        relation = relation.where(artifacts: { id: artifact_ids }) unless artifact_ids.empty?
-        relation = relation.where(tags: { name: filter.tag_name }) if filter.tag_name
+          artifact_ids
+        end
+        #
+        # @param [Structs::Filters::Alert::SearchFilter] filter
+        #
+        # @return [Mihari::Models::Alert]
+        #
+        def build_relation(filter)
+          artifact_ids = get_artifact_ids_by_filter(filter)
+          relation = self
+          relation = relation.includes(:artifacts, :tags)
-        relation = relation.where(rule_id: filter.rule_id) if filter.rule_id
+          relation = relation.where(artifacts: { id: artifact_ids }) unless artifact_ids.empty?
+          relation = relation.where(tags: { name: filter.tag_name }) if filter.tag_name
-        relation = relation.where("alerts.created_at >= ?", filter.from_at) if filter.from_at
-        relation = relation.where("alerts.created_at <= ?", filter.to_at) if filter.to_at
+          relation = relation.where(rule_id: filter.rule_id) if filter.rule_id
-        relation
+          relation = relation.where("alerts.created_at >= ?", filter.from_at) if filter.from_at
+          relation = relation.where("alerts.created_at <= ?", filter.to_at) if filter.to_at
+          relation
+        end
       end
     end
   end