mihari 5.6.1 → 5.6.2

data/lib/mihari/models/artifact.rb

@@ -1,229 +1,231 @@
 # frozen_string_literal: true
 
-class ArtifactValidator < ActiveModel::Validator
-  def validate(record)
-    return if record.data_type
-
-    record.errors.add :data, "#{record.data} is not supported"
-  end
-end
-
 module Mihari
-  class Artifact < ActiveRecord::Base
-    belongs_to :alert
+  module Models
+    class ArtifactValidator < ActiveModel::Validator
+      def validate(record)
+        return if record.data_type
 
-    has_one :autonomous_system, dependent: :destroy
-    has_one :geolocation, dependent: :destroy
-    has_one :whois_record, dependent: :destroy
+        record.errors.add :data, "#{record.data} is not supported"
+      end
+    end
 
-    has_many :cpes, dependent: :destroy
-    has_many :dns_records, dependent: :destroy
-    has_many :ports, dependent: :destroy
-    has_many :reverse_dns_names, dependent: :destroy
+    class Artifact < ActiveRecord::Base
+      belongs_to :alert
 
-    include ActiveModel::Validations
+      has_one :autonomous_system, dependent: :destroy
+      has_one :geolocation, dependent: :destroy
+      has_one :whois_record, dependent: :destroy
 
-    validates_with ArtifactValidator
+      has_many :cpes, dependent: :destroy
+      has_many :dns_records, dependent: :destroy
+      has_many :ports, dependent: :destroy
+      has_many :reverse_dns_names, dependent: :destroy
 
-    # @return [Array<Mihari::Tag>] Tags
-    attr_accessor :tags
+      include ActiveModel::Validations
 
-    # @return [String, nil] Rule ID
-    attr_accessor :rule_id
+      validates_with ArtifactValidator
 
-    def initialize(*args, **kwargs)
-      attrs = args.first || kwargs
-      data_ = attrs[:data]
+      # @return [Array<Mihari::Tag>] Tags
+      attr_accessor :tags
 
-      raise TypeError if data_.is_a?(Array) || data_.is_a?(Hash)
+      # @return [String, nil] Rule ID
+      attr_accessor :rule_id
 
-      super(*args, **kwargs)
+      def initialize(*args, **kwargs)
+        attrs = args.first || kwargs
+        data_ = attrs[:data]
 
-      self.data_type = TypeChecker.type(data)
+        raise TypeError if data_.is_a?(Array) || data_.is_a?(Hash)
 
-      @tags = []
-      @rule_id = ""
-    end
+        super(*args, **kwargs)
 
-    #
-    # Check uniqueness of artifact
-    #
-    # @param [Time, nil] base_time Base time to check decaying
-    # @param [Integer, nil] artifact_lifetime Artifact lifetime (TTL) in seconds
-    #
-    # @return [Boolean] true if it is unique. Otherwise false.
-    #
-    def unique?(base_time: nil, artifact_lifetime: nil)
-      artifact = self.class.joins(:alert).where(
-        data: data,
-        alert: { rule_id: rule_id }
-      ).order(created_at: :desc).first
-      return true if artifact.nil?
-
-      # check whether the artifact is decayed or not
-      return false if artifact_lifetime.nil?
-
-      # use the current UTC time if base_time is not given (for testing)
-      base_time ||= Time.now.utc
-
-      decayed_at = base_time - (artifact_lifetime || -1).seconds
-      artifact.created_at < decayed_at
-    end
+        self.data_type = TypeChecker.type(data)
 
-    #
-    # Enrich(add) whois record
-    #
-    # @param [Mihari::Enrichers::Whois] enricher
-    #
-    def enrich_whois(enricher = Enrichers::Whois.new)
-      return unless can_enrich_whois?
+        @tags = []
+        @rule_id = ""
+      end
 
-      self.whois_record = WhoisRecord.build_by_domain(normalize_as_domain(data), enricher: enricher)
-    end
+      #
+      # Check uniqueness of artifact
+      #
+      # @param [Time, nil] base_time Base time to check decaying
+      # @param [Integer, nil] artifact_lifetime Artifact lifetime (TTL) in seconds
+      #
+      # @return [Boolean] true if it is unique. Otherwise false.
+      #
+      def unique?(base_time: nil, artifact_lifetime: nil)
+        artifact = self.class.joins(:alert).where(
+          data: data,
+          alert: { rule_id: rule_id }
+        ).order(created_at: :desc).first
+        return true if artifact.nil?
+
+        # check whether the artifact is decayed or not
+        return false if artifact_lifetime.nil?
+
+        # use the current UTC time if base_time is not given (for testing)
+        base_time ||= Time.now.utc
+
+        decayed_at = base_time - (artifact_lifetime || -1).seconds
+        artifact.created_at < decayed_at
+      end
 
-    #
-    # Enrich(add) DNS records
-    #
-    # @param [Mihari::Enrichers::GooglePublicDNS] enricher
-    #
-    def enrich_dns(enricher = Enrichers::GooglePublicDNS.new)
-      return unless can_enrich_dns?
+      #
+      # Enrich(add) whois record
+      #
+      # @param [Mihari::Enrichers::Whois] enricher
+      #
+      def enrich_whois(enricher = Enrichers::Whois.new)
+        return unless can_enrich_whois?
 
-      self.dns_records = DnsRecord.build_by_domain(normalize_as_domain(data), enricher: enricher)
-    end
+        self.whois_record = WhoisRecord.build_by_domain(normalize_as_domain(data), enricher: enricher)
+      end
 
-    #
-    # Enrich(add) reverse DNS names
-    #
-    # @param [Mihari::Enrichers::Shodan] enricher
-    #
-    def enrich_reverse_dns(enricher = Enrichers::Shodan.new)
-      return unless can_enrich_revese_dns?
+      #
+      # Enrich(add) DNS records
+      #
+      # @param [Mihari::Enrichers::GooglePublicDNS] enricher
+      #
+      def enrich_dns(enricher = Enrichers::GooglePublicDNS.new)
+        return unless can_enrich_dns?
 
-      self.reverse_dns_names = ReverseDnsName.build_by_ip(data, enricher: enricher)
-    end
+        self.dns_records = DnsRecord.build_by_domain(normalize_as_domain(data), enricher: enricher)
+      end
 
-    #
-    # Enrich(add) geolocation
-    #
-    # @param [Mihari::Enrichers::IPInfo] enricher
-    #
-    def enrich_geolocation(enricher = Enrichers::IPInfo.new)
-      return unless can_enrich_geolocation?
+      #
+      # Enrich(add) reverse DNS names
+      #
+      # @param [Mihari::Enrichers::Shodan] enricher
+      #
+      def enrich_reverse_dns(enricher = Enrichers::Shodan.new)
+        return unless can_enrich_revese_dns?
 
-      self.geolocation = Geolocation.build_by_ip(data, enricher: enricher)
-    end
+        self.reverse_dns_names = ReverseDnsName.build_by_ip(data, enricher: enricher)
+      end
 
-    #
-    # Enrich AS
-    #
-    # @param [Mihari::Enrichers::IPInfo] enricher
-    #
-    def enrich_autonomous_system(enricher = Enrichers::IPInfo.new)
-      return unless can_enrich_autonomous_system?
+      #
+      # Enrich(add) geolocation
+      #
+      # @param [Mihari::Enrichers::IPInfo] enricher
+      #
+      def enrich_geolocation(enricher = Enrichers::IPInfo.new)
+        return unless can_enrich_geolocation?
 
-      self.autonomous_system = AutonomousSystem.build_by_ip(data, enricher: enricher)
-    end
+        self.geolocation = Geolocation.build_by_ip(data, enricher: enricher)
+      end
 
-    #
-    # Enrich ports
-    #
-    # @param [Mihari::Enrichers::Shodan] enricher
-    #
-    def enrich_ports(enricher = Enrichers::Shodan.new)
-      return unless can_enrich_ports?
+      #
+      # Enrich AS
+      #
+      # @param [Mihari::Enrichers::IPInfo] enricher
+      #
+      def enrich_autonomous_system(enricher = Enrichers::IPInfo.new)
+        return unless can_enrich_autonomous_system?
 
-      self.ports = Port.build_by_ip(data, enricher: enricher)
-    end
+        self.autonomous_system = AutonomousSystem.build_by_ip(data, enricher: enricher)
+      end
 
-    #
-    # Enrich CPEs
-    #
-    # @param [Mihari::Enrichers::Shodan] enricher
-    #
-    def enrich_cpes(enricher = Enrichers::Shodan.new)
-      return unless can_enrich_cpes?
+      #
+      # Enrich ports
+      #
+      # @param [Mihari::Enrichers::Shodan] enricher
+      #
+      def enrich_ports(enricher = Enrichers::Shodan.new)
+        return unless can_enrich_ports?
 
-      self.cpes = CPE.build_by_ip(data, enricher: enricher)
-    end
+        self.ports = Port.build_by_ip(data, enricher: enricher)
+      end
 
-    #
-    # Enrich all the enrichable relationships of the artifact
-    #
-    def enrich_all
-      enrich_autonomous_system
-      enrich_dns
-      enrich_geolocation
-      enrich_reverse_dns
-      enrich_whois
-      enrich_ports
-      enrich_cpes
-    end
+      #
+      # Enrich CPEs
+      #
+      # @param [Mihari::Enrichers::Shodan] enricher
+      #
+      def enrich_cpes(enricher = Enrichers::Shodan.new)
+        return unless can_enrich_cpes?
 
-    ENRICH_METHODS_BY_ENRICHER = {
-      Enrichers::Whois => %i[
-        enrich_whois
-      ],
-      Enrichers::IPInfo => %i[
+        self.cpes = CPE.build_by_ip(data, enricher: enricher)
+      end
+
+      #
+      # Enrich all the enrichable relationships of the artifact
+      #
+      def enrich_all
         enrich_autonomous_system
+        enrich_dns
         enrich_geolocation
-      ],
-      Enrichers::Shodan => %i[
+        enrich_reverse_dns
+        enrich_whois
         enrich_ports
         enrich_cpes
-        enrich_reverse_dns
-      ],
-      Enrichers::GooglePublicDNS => %i[
-        enrich_dns
-      ]
-    }.freeze
-
-    #
-    # Enrich by name of enricher
-    #
-    # @param [Mihari::Enrichers::Base] enricher
-    #
-    def enrich_by_enricher(enricher)
-      methods = ENRICH_METHODS_BY_ENRICHER[enricher.class] || []
-      methods.each do |method|
-        send(method, enricher) if respond_to?(method)
       end
-    end
 
-    private
+      ENRICH_METHODS_BY_ENRICHER = {
+        Enrichers::Whois => %i[
+          enrich_whois
+        ],
+        Enrichers::IPInfo => %i[
+          enrich_autonomous_system
+          enrich_geolocation
+        ],
+        Enrichers::Shodan => %i[
+          enrich_ports
+          enrich_cpes
+          enrich_reverse_dns
+        ],
+        Enrichers::GooglePublicDNS => %i[
+          enrich_dns
+        ]
+      }.freeze
+
+      #
+      # Enrich by name of enricher
+      #
+      # @param [Mihari::Enrichers::Base] enricher
+      #
+      def enrich_by_enricher(enricher)
+        methods = ENRICH_METHODS_BY_ENRICHER[enricher.class] || []
+        methods.each do |method|
+          send(method, enricher) if respond_to?(method)
+        end
+      end
 
-    def normalize_as_domain(url_or_domain)
-      return url_or_domain if data_type == "domain"
+      private
 
-      Addressable::URI.parse(url_or_domain).host
-    end
+      def normalize_as_domain(url_or_domain)
+        return url_or_domain if data_type == "domain"
 
-    def can_enrich_whois?
-      %w[domain url].include?(data_type) && whois_record.nil?
-    end
+        Addressable::URI.parse(url_or_domain).host
+      end
 
-    def can_enrich_dns?
-      %w[domain url].include?(data_type) && dns_records.empty?
-    end
+      def can_enrich_whois?
+        %w[domain url].include?(data_type) && whois_record.nil?
+      end
 
-    def can_enrich_revese_dns?
-      data_type == "ip" && reverse_dns_names.empty?
-    end
+      def can_enrich_dns?
+        %w[domain url].include?(data_type) && dns_records.empty?
+      end
 
-    def can_enrich_geolocation?
-      data_type == "ip" && geolocation.nil?
-    end
+      def can_enrich_revese_dns?
+        data_type == "ip" && reverse_dns_names.empty?
+      end
 
-    def can_enrich_autonomous_system?
-      data_type == "ip" && autonomous_system.nil?
-    end
+      def can_enrich_geolocation?
+        data_type == "ip" && geolocation.nil?
+      end
 
-    def can_enrich_ports?
-      data_type == "ip" && ports.empty?
-    end
+      def can_enrich_autonomous_system?
+        data_type == "ip" && autonomous_system.nil?
+      end
 
-    def can_enrich_cpes?
-      data_type == "ip" && cpes.empty?
+      def can_enrich_ports?
+        data_type == "ip" && ports.empty?
+      end
+
+      def can_enrich_cpes?
+        data_type == "ip" && cpes.empty?
+      end
     end
   end
 end

data/lib/mihari/models/autonomous_system.rb

@@ -1,30 +1,32 @@
 # frozen_string_literal: true
 
 module Mihari
-  class AutonomousSystem < ActiveRecord::Base
-    belongs_to :artifact
+  module Models
+    class AutonomousSystem < ActiveRecord::Base
+      belongs_to :artifact
 
-    class << self
-      include Dry::Monads[:result]
+      class << self
+        include Dry::Monads[:result]
 
-      #
-      # Build AS
-      #
-      # @param [String] ip
-      # @param [Mihari::Enrichers::IPInfo] enricher
-      #
-      # @return [Mihari::AutonomousSystem, nil]
-      #
-      def build_by_ip(ip, enricher: Enrichers::IPInfo.new)
-        result = enricher.query_result(ip).bind do |res|
-          value = res&.asn
-          if value.nil?
-            Success nil
-          else
-            Success new(asn: value)
+        #
+        # Build AS
+        #
+        # @param [String] ip
+        # @param [Mihari::Enrichers::IPInfo] enricher
+        #
+        # @return [Mihari::AutonomousSystem, nil]
+        #
+        def build_by_ip(ip, enricher: Enrichers::IPInfo.new)
+          result = enricher.query_result(ip).bind do |res|
+            value = res&.asn
+            if value.nil?
+              Success nil
+            else
+              Success new(asn: value)
+            end
           end
+          result.value_or nil
         end
-        result.value_or nil
       end
     end
   end

data/lib/mihari/models/cpe.rb

@@ -1,29 +1,31 @@
 # frozen_string_literal: true
 
 module Mihari
-  class CPE < ActiveRecord::Base
-    belongs_to :artifact
+  module Models
+    class CPE < ActiveRecord::Base
+      belongs_to :artifact
 
-    class << self
-      include Dry::Monads[:result]
+      class << self
+        include Dry::Monads[:result]
 
-      #
-      # Build CPEs
-      #
-      # @param [String] ip
-      # @param [Mihari::Enrichers::Shodan] enricher
-      #
-      # @return [Array<Mihari::CPE>]
-      #
-      def build_by_ip(ip, enricher: Enrichers::Shodan.new)
-        result = enricher.query_result(ip).bind do |res|
-          if res.nil?
-            Success []
-          else
-            Success(res.cpes.map { |cpe| new(cpe: cpe) })
+        #
+        # Build CPEs
+        #
+        # @param [String] ip
+        # @param [Mihari::Enrichers::Shodan] enricher
+        #
+        # @return [Array<Mihari::CPE>]
+        #
+        def build_by_ip(ip, enricher: Enrichers::Shodan.new)
+          result = enricher.query_result(ip).bind do |res|
+            if res.nil?
+              Success []
+            else
+              Success(res.cpes.map { |cpe| new(cpe: cpe) })
+            end
           end
+          result.value_or []
         end
-        result.value_or []
       end
     end
   end

data/lib/mihari/models/dns.rb

@@ -1,31 +1,33 @@
 # frozen_string_literal: true
 
 module Mihari
-  class DnsRecord < ActiveRecord::Base
-    belongs_to :artifact
+  module Models
+    class DnsRecord < ActiveRecord::Base
+      belongs_to :artifact
 
-    class << self
-      include Dry::Monads[:result]
+      class << self
+        include Dry::Monads[:result]
 
-      #
-      # Build DNS records
-      #
-      # @param [String] domain
-      # @param [Mihari::Enrichers::Shodan] enricher
-      #
-      # @return [Array<Mihari::DnsRecord>]
-      #
-      def build_by_domain(domain, enricher: Enrichers::GooglePublicDNS.new)
-        result = enricher.query_result(domain).bind do |responses|
-          Success(
-            responses.map do |res|
-              res.answers.map do |answer|
-                new(resource: answer.resource_type, value: answer.data)
-              end
-            end.flatten
-          )
+        #
+        # Build DNS records
+        #
+        # @param [String] domain
+        # @param [Mihari::Enrichers::Shodan] enricher
+        #
+        # @return [Array<Mihari::Models::DnsRecord>]
+        #
+        def build_by_domain(domain, enricher: Enrichers::GooglePublicDNS.new)
+          result = enricher.query_result(domain).bind do |responses|
+            Success(
+              responses.map do |res|
+                res.answers.map do |answer|
+                  new(resource: answer.resource_type, value: answer.data)
+                end
+              end.flatten
+            )
+          end
+          result.value_or []
         end
-        result.value_or []
       end
     end
   end

data/lib/mihari/models/geolocation.rb

@@ -3,30 +3,32 @@
 require "normalize_country"
 
 module Mihari
-  class Geolocation < ActiveRecord::Base
-    belongs_to :artifact
+  module Models
+    class Geolocation < ActiveRecord::Base
+      belongs_to :artifact
 
-    class << self
-      include Dry::Monads[:result]
+      class << self
+        include Dry::Monads[:result]
 
-      #
-      # Build Geolocation
-      #
-      # @param [String] ip
-      # @param [Mihari::Enrichers::IPinfo] enricher
-      #
-      # @return [Mihari::Geolocation, nil]
-      #
-      def build_by_ip(ip, enricher: Enrichers::IPInfo.new)
-        result = enricher.query_result(ip).bind do |res|
-          value = res&.country_code
-          if value.nil?
-            Success nil
-          else
-            Success new(country: NormalizeCountry(value, to: :short), country_code: value)
+        #
+        # Build Geolocation
+        #
+        # @param [String] ip
+        # @param [Mihari::Enrichers::IPinfo] enricher
+        #
+        # @return [Mihari::Geolocation, nil]
+        #
+        def build_by_ip(ip, enricher: Enrichers::IPInfo.new)
+          result = enricher.query_result(ip).bind do |res|
+            value = res&.country_code
+            if value.nil?
+              Success nil
+            else
+              Success new(country: NormalizeCountry(value, to: :short), country_code: value)
+            end
           end
+          result.value_or nil
         end
-        result.value_or nil
       end
     end
   end

data/lib/mihari/models/port.rb

@@ -1,29 +1,31 @@
 # frozen_string_literal: true
 
 module Mihari
-  class Port < ActiveRecord::Base
-    belongs_to :artifact
+  module Models
+    class Port < ActiveRecord::Base
+      belongs_to :artifact
 
-    class << self
-      include Dry::Monads[:result]
+      class << self
+        include Dry::Monads[:result]
 
-      #
-      # Build ports
-      #
-      # @param [String] ip
-      # @param [Mihari::Enrichers::Shodan] enricher
-      #
-      # @return [Array<Mihari::Port>]
-      #
-      def build_by_ip(ip, enricher: Enrichers::Shodan.new)
-        result = enricher.query_result(ip).bind do |res|
-          if res.nil?
-            Success []
-          else
-            Success(res.ports.map { |port| new(port: port) })
+        #
+        # Build ports
+        #
+        # @param [String] ip
+        # @param [Mihari::Enrichers::Shodan] enricher
+        #
+        # @return [Array<Mihari::Port>]
+        #
+        def build_by_ip(ip, enricher: Enrichers::Shodan.new)
+          result = enricher.query_result(ip).bind do |res|
+            if res.nil?
+              Success []
+            else
+              Success(res.ports.map { |port| new(port: port) })
+            end
           end
+          result.value_or []
         end
-        result.value_or []
       end
     end
   end