mihari 7.2.0 → 7.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6b91d99562526b653b793f71e8ef5575f113d26859ca86b91f1980d1c44e898c
-  data.tar.gz: 07c302ce446b0f0986bfc82dd575ebde203f4b25b73a1aee72a2ce37a08b9b87
+  metadata.gz: 328a34edf637c36456cc7de39fccabdaaf75937b449b5e8a8e0434e71b9328c2
+  data.tar.gz: 8483c669cfb3e715c86b4a3878961885e4cd4f93611e487c4360cb3030267c18
 SHA512:
-  metadata.gz: 67d607a09ab2992b6721358b9e96e0c049a355221b2e97358440d70f96ef4933ac86b337bcc12bdc4b2aafccf4e5d6cf8cd68f4b2bbe567523bfba22b7fbd88c
-  data.tar.gz: 6f73de19824d31e21bae4ee7ce456c1b15fa0a875d1f07025c33ac0356ef257ac2eb819ffd8b685bf8914a472da04f691e5ae02a361397da9a83253d5345b108
+  metadata.gz: 9858608c1ceb30f846a27b487e4bcbbad463aba56a401991fdade512bf6a7a7f028e5facecd764b200d94795a1da1a2b631b85540dfe1bbf002c756100b6627f
+  data.tar.gz: c050fdafab0e7855eb610ad3d50762583ca931d31afeeb57fc654a2dc65ff381f20cb31eb28d0a61b5888c0a19df02320b09a529830fe332389b59f739721aba

data/Dockerfile

@@ -1,4 +1,4 @@
-FROM ruby:3.2.2-alpine3.19
+FROM ruby:3.3.0-alpine3.19
 
 ARG MIHARI_VERSION=0.0.0
 

data/lib/mihari/actor.rb

@@ -50,6 +50,13 @@ module Mihari
       options[:timeout]
     end
 
+    #
+    # @return [Boolean]
+    #
+    def parallel?
+      options[:parallel] || Mihari.config.parallel
+    end
+
     def validate_configuration!
       return if configured?
 

data/lib/mihari/analyzers/base.rb

@@ -40,13 +40,6 @@ module Mihari
         options[:ignore_error] || Mihari.config.ignore_error
       end
 
-      #
-      # @return [Boolean]
-      #
-      def parallel?
-        options[:parallel] || Mihari.config.parallel
-      end
-
       # @return [Array<String>, Array<Mihari::Models::Artifact>]
       def artifacts
         raise NotImplementedError, "You must implement #{self.class}##{__method__}"

data/lib/mihari/enrichers/base.rb

@@ -6,46 +6,88 @@ module Mihari
     # Base class for enrichers
     #
     class Base < Actor
-      prepend MemoWise
-
+      #
+      # @param [Hash, nil] options
+      #
       def initialize(options: nil)
         super(options: options)
       end
 
       #
-      # @param [String] value
+      # Enrich an artifact
+      #
+      # @param [Mihari::Models::Artifact] artifact
       #
-      def call(value)
+      # @return [Mihari::Models::Artifact]
+      #
+      def call(artifact)
         raise NotImplementedError, "You must implement #{self.class}##{__method__}"
       end
 
       #
-      # @param [Mihari::Models::Artifact] value
+      # @param [Mihari::Models::Artifact] artifact
       #
       # @return [Dry::Monads::Result::Success<Object>, Dry::Monads::Result::Failure]
       #
-      def result(value)
+      def result(artifact)
+        return unless callable?(artifact)
+
         result = Try[StandardError] do
-          retry_on_error(
-            times: retry_times,
-            interval: retry_interval,
-            exponential_backoff: retry_exponential_backoff
-          ) { call value }
+          retry_on_error(times: retry_times, interval: retry_interval,
+            exponential_backoff: retry_exponential_backoff) do
+            call artifact
+          end
         end.to_result
 
         if result.failure?
-          Mihari.logger.warn("Enricher:#{self.class.key} for #{value.truncate(32)} failed: #{result.failure}")
+          Mihari.logger.warn("Enricher:#{self.class.key} for #{artifact.data.truncate(32)} failed: #{result.failure}")
         end
 
         result
       end
 
+      #
+      # @param [Mihari::Models::Artifact] artifact
+      #
+      # @return [Boolean]
+      #
+      def callable?(artifact)
+        callable_data_type?(artifact) && callable_relationships?(artifact)
+      end
+
       class << self
         def inherited(child)
           super
           Mihari.enrichers << child
         end
       end
+
+      private
+
+      #
+      # @param [Mihari::Models::Artifact] artifact
+      #
+      # @return [Boolean]
+      #
+      def callable_data_type?(artifact)
+        supported_data_types.include? artifact.data_type
+      end
+
+      #
+      # @param [Mihari::Models::Artifact] artifact
+      #
+      # @return [Boolean]
+      #
+      def callable_relationships?(artifact)
+        raise NotImplementedError, "You must implement #{self.class}##{__method__}"
+      end
+
+      #
+      # @return [Array<String>]
+      #
+      def supported_data_types
+        []
+      end
     end
   end
 end

data/lib/mihari/enrichers/google_public_dns.rb

@@ -7,14 +7,22 @@ module Mihari
     #
     class GooglePublicDNS < Base
       #
-      # Query Google Public DNS
+      # @param [Mihari::Models::Artifact] artifact
       #
-      # @param [String] name
+      # @return [Mihari::Models::Artifact]
       #
-      # @return [Mihari::Structs::GooglePublicDNS::Response]
-      #
-      def call(name)
-        client.query_all name
+      def call(artifact)
+        return if artifact.domain.nil?
+
+        res = client.query_all(artifact.domain)
+
+        artifact.tap do |tapped|
+          if tapped.dns_records.empty?
+            tapped.dns_records = res.answers.map do |answer|
+              Models::DnsRecord.new(resource: answer.resource_type, value: answer.data)
+            end
+          end
+        end
       end
 
       class << self
@@ -28,8 +36,21 @@ module Mihari
 
       private
 
+      #
+      # @param [Mihari::Models::Artifact] artifact
+      #
+      # @return [Boolean]
+      #
+      def callable_relationships?(artifact)
+        artifact.dns_records.empty?
+      end
+
+      def supported_data_types
+        %w[url domain]
+      end
+
       def client
-        Clients::GooglePublicDNS.new(timeout: timeout)
+        @client ||= Clients::GooglePublicDNS.new(timeout: timeout)
       end
     end
   end

data/lib/mihari/enrichers/mmdb.rb

@@ -7,18 +7,36 @@ module Mihari
     #
     class MMDB < Base
       #
-      # Query MMDB
+      # @param [Mihari::Models::Artifact] artifact
       #
-      # @param [String] ip
+      def call(artifact)
+        res = client.query(artifact.data)
+
+        artifact.tap do |tapped|
+          tapped.autonomous_system ||= Models::AutonomousSystem.new(number: res.asn) if res.asn
+          if res.country_code
+            tapped.geolocation ||= Models::Geolocation.new(
+              country: NormalizeCountry(res.country_code, to: :short),
+              country_code: res.country_code
+            )
+          end
+        end
+      end
+
+      private
+
+      #
+      # @param [Mihari::Models::Artifact] artifact
       #
-      # @return [Mihari::Structs::MMDB::Response]
+      # @return [Boolean]
       #
-      def call(ip)
-        client.query ip
+      def callable_relationships?(artifact)
+        artifact.geolocation.nil? || artifact.autonomous_system.nil?
       end
-      memo_wise :call
 
-      private
+      def supported_data_types
+        %w[ip]
+      end
 
       def client
         @client ||= Clients::MMDB.new(timeout: timeout)

data/lib/mihari/enrichers/shodan.rb

@@ -9,17 +9,48 @@ module Mihari
       #
       # Query Shodan Internet DB
       #
-      # @param [String] ip
+      # @param [Mihari::Models::Artifact] artifact
       #
       # @return [Mihari::Structs::Shodan::InternetDBResponse, nil]
       #
-      def call(ip)
-        client.query ip
+      def call(artifact)
+        res = client.query(artifact.data)
+
+        artifact.tap do |tapped|
+          tapped.cpes = (res&.cpes || []).map { |cpe| Models::CPE.new(name: cpe) } if tapped.cpes.empty?
+          tapped.ports = (res&.ports || []).map { |port| Models::Port.new(number: port) } if tapped.ports.empty?
+          if tapped.reverse_dns_names.empty?
+            tapped.reverse_dns_names = (res&.hostnames || []).map do |name|
+              Models::ReverseDnsName.new(name: name)
+            end
+          end
+        end
+      end
+
+      #
+      # @param [Mihari::Models::Artifact] artifact
+      #
+      # @return [Boolean]
+      #
+      def callable?(artifact)
+        false unless supported_data_types.include?(artifact.data_type)
       end
-      memo_wise :call
 
       private
 
+      #
+      # @param [Mihari::Models::Artifact] artifact
+      #
+      # @return [Boolean]
+      #
+      def callable_relationships?(artifact)
+        artifact.cpes.empty? || artifact.ports.empty? || artifact.reverse_dns_names.empty?
+      end
+
+      def supported_data_types
+        %w[ip]
+      end
+
       def client
         @client ||= Clients::ShodanInternetDB.new(timeout: timeout)
       end

data/lib/mihari/enrichers/whois.rb

@@ -8,46 +8,54 @@ module Mihari
     # Whois enricher
     #
     class Whois < Base
+      prepend MemoWise
+
+      #
+      # Query IAIA Whois API
       #
-      # @param [Hash, nil] options
+      # @param [Mihari::Models::Artifact] artifact
       #
-      def initialize(options: nil)
-        super(options: options)
+      def call(artifact)
+        return if artifact.domain.nil?
+
+        domain = PublicSuffix.domain(artifact.domain)
+        record = memoized_lookup(domain)
+        return if record.parser.available?
+
+        artifact.whois_record ||= Models::WhoisRecord.new(
+          domain: domain,
+          created_on: get_created_on(record.parser),
+          updated_on: get_updated_on(record.parser),
+          expires_on: get_expires_on(record.parser),
+          registrar: get_registrar(record.parser),
+          contacts: get_contacts(record.parser)
+        )
       end
 
+      private
+
       #
-      # Query IAIA Whois API
-      #
-      # @param [String] domain
+      # @param [Mihari::Models::Artifact] artifact
       #
-      # @return [Mihari::Models::WhoisRecord, nil]
+      # @return [Boolean]
       #
-      def call(domain)
-        memoized_call PublicSuffix.domain(domain)
+      def callable_relationships?(artifact)
+        artifact.whois_record.nil?
       end
 
-      private
+      def supported_data_types
+        %w[url domain]
+      end
 
       #
       # @param [String] domain
       #
       # @return [Mihari::Models::WhoisRecord, nil]
       #
-      def memoized_call(domain)
-        record = whois.lookup(domain)
-        parser = record.parser
-        return nil if parser.available?
-
-        Models::WhoisRecord.new(
-          domain: domain,
-          created_on: get_created_on(parser),
-          updated_on: get_updated_on(parser),
-          expires_on: get_expires_on(parser),
-          registrar: get_registrar(parser),
-          contacts: get_contacts(parser)
-        )
+      def memoized_lookup(domain)
+        whois.lookup domain
       end
-      memo_wise :memoized_call
+      memo_wise :memoized_lookup
 
       #
       # @return [::Whois::Client]

data/lib/mihari/models/alert.rb

@@ -6,6 +6,18 @@ module Mihari
     # Alert model
     #
     class Alert < ActiveRecord::Base
+      # @!attribute [r] id
+      #   @return [Integer, nil]
+
+      # @!attribute [rw] created_at
+      #   @return [DateTime]
+
+      # @!attribute [r] rule
+      #   @return [Mihari::Models::Rule]
+
+      # @!attribute [r] artifacts
+      #   @return [Array<Mihari::Models::Artifact>]
+
       belongs_to :rule
 
       has_many :artifacts, dependent: :destroy