mihari 7.4.0 → 7.6.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 9ec4774493a408eb666c7a33e671c977f7c400356758aab00ba776b36910bc42
-  data.tar.gz: bf0e0269c1e12d73b064d06ebf41e10686caeb66aaf70ec39f4e3ce7843bc51a
+  metadata.gz: aa05d5cca592eb276667bc95e7c7a88c12be39bb547ffb4f3bac810f9e5a72a6
+  data.tar.gz: 81a9a73171dbb4c5171893cb23cc47963fcfef38d441cfebd37005e6e6dc6202
 SHA512:
-  metadata.gz: 6dff8b5b3bcd3098bb90e84f1d026325ca5a24d2cffb30761e2c243dfbc81bfef8093bd885ef7e9b07a2338ef2ca1cba10686fd7612a6261205c08f0b9258a15
-  data.tar.gz: 6958e9d9e344b98c29209ce4d5501ded9b8584367cf5556c99e351913e0fe8800d829ccedb53704951a7b29eb5b73950e071ff2460e95ad067aff81dbef2c81d
+  metadata.gz: d6623c5441e14cf967987c2341349e9973922fdb18dc5d9c3473bcc8fbc7aaf813f9a48c8384331e49a4ada370ebd270d3cd68cbc7dcc6481f1bb886b0923109
+  data.tar.gz: 0d112b4740054b7afe79effff48016b8549bf6ef45b337ba43b44fba13f162f7cc8b5f2bfe653bfacf4bb356c2f1b32c7a5964be174d028b877372d642aedfea

data/Rakefile

@@ -55,17 +55,21 @@ namespace :build do
 
     puts "Swagger doc is built in #{elapsed}s"
   end
+
+  desc "Build frontend assets"
+  task :frontend do
+    # Build frontend assets
+    sh "cd frontend && npm install && npm run docs && npm run build-only"
+    # Copy built assets into ./lib/web/public/
+    sh "rm -rf ./lib/mihari/web/public/"
+    sh "mkdir -p ./lib/mihari/web/public/"
+    sh "cp -r frontend/dist/* ./lib/mihari/web/public"
+  end
 end
 
 task :build do
   Rake::Task["build:swagger"].invoke
-
-  # Build ReDocs docs & frontend assets
-  sh "cd frontend && npm install && npm run docs && npm run build-only"
-  # Copy built assets into ./lib/web/public/
-  sh "rm -rf ./lib/mihari/web/public/"
-  sh "mkdir -p ./lib/mihari/web/public/"
-  sh "cp -r frontend/dist/* ./lib/mihari/web/public"
+  Rake::Task["build:frontend"].invoke
 end
 
 # require it later enables doing pre-build step (= build the frontend app)

data/lib/mihari/clients/base.rb

@@ -87,11 +87,12 @@ module Mihari
       #
       # @param [String] path
       # @param [Hash, nil] json
+      # @param [Hash, nil] headers
       #
       # @return [Hash]
       #
-      def post_json(path, json: {})
-        res = http.post(url_for(path), json:)
+      def post_json(path, json: {}, headers: nil)
+        res = http.post(url_for(path), json:, headers: headers || {})
         JSON.parse res.body.to_s
       end
     end

data/lib/mihari/clients/whois.rb

@@ -0,0 +1,118 @@
+# frozen_string_literal: true
+
+require "whois-parser"
+
+module Mihari
+  module Clients
+    #
+    # Whois client
+    #
+    class Whois
+      # @return [Integer, nil]
+      attr_reader :timeout
+
+      # @return [::Whois::Client]
+      attr_reader :client
+
+      #
+      # @param [Integer, nil] timeout
+      #
+      def initialize(timeout: nil)
+        @timeout = timeout
+
+        @client = lambda do
+          return ::Whois::Client.new if timeout.nil?
+
+          ::Whois::Client.new(timeout:)
+        end.call
+      end
+
+      #
+      # Query IAIA Whois API
+      #
+      # @param [Mihari::Models::Artifact] artifact
+      #
+      # @param [Object] domain
+      def lookup(domain)
+        record = client.lookup(domain)
+        return if record.parser.available?
+
+        Models::WhoisRecord.new(
+          domain:,
+          created_on: get_created_on(record.parser),
+          updated_on: get_updated_on(record.parser),
+          expires_on: get_expires_on(record.parser),
+          registrar: get_registrar(record.parser),
+          contacts: get_contacts(record.parser)
+        )
+      end
+
+      private
+
+      #
+      # Get created_on
+      #
+      # @param [::Whois::Parser] parser
+      #
+      # @return [Date, nil]
+      #
+      def get_created_on(parser)
+        parser.created_on
+      rescue ::Whois::AttributeNotImplemented
+        nil
+      end
+
+      #
+      # Get updated_on
+      #
+      # @param [::Whois::Parser] parser
+      #
+      # @return [Date, nil]
+      #
+      def get_updated_on(parser)
+        parser.updated_on
+      rescue ::Whois::AttributeNotImplemented
+        nil
+      end
+
+      #
+      # Get expires_on
+      #
+      # @param [::Whois::Parser] parser
+      #
+      # @return [Date, nil]
+      #
+      def get_expires_on(parser)
+        parser.expires_on
+      rescue ::Whois::AttributeNotImplemented
+        nil
+      end
+
+      #
+      # Get registrar
+      #
+      # @param [::Whois::Parser] parser
+      #
+      # @return [Hash, nil]
+      #
+      def get_registrar(parser)
+        parser.registrar&.to_h
+      rescue ::Whois::AttributeNotImplemented
+        nil
+      end
+
+      #
+      # Get contacts
+      #
+      # @param [::Whois::Parser] parser
+      #
+      # @return [Array<Hash>, nil]
+      #
+      def get_contacts(parser)
+        parser.contacts.map(&:to_h)
+      rescue ::Whois::AttributeNotImplemented
+        nil
+      end
+    end
+  end
+end

data/lib/mihari/clients/yeti.rb

@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+
+module Mihari
+  module Clients
+    #
+    # Yeti API client
+    #
+    class Yeti < Base
+      #
+      # @param [String] base_url
+      # @param [String, nil] api_key
+      # @param [Hash] headers
+      # @param [Integer, nil] timeout
+      #
+      def initialize(base_url, api_key:, headers: {}, timeout: nil)
+        raise(ArgumentError, "api_key is required") unless api_key
+
+        headers["x-yeti-apikey"] = api_key
+        super(base_url, headers:, timeout:)
+      end
+
+      def get_token
+        res = post_json("/api/v2/auth/api-token")
+        res["access_token"]
+      end
+
+      #
+      # @param [Hash] json
+      #
+      # @return [Hash]
+      #
+      def create_observables(json)
+        token = get_token
+        post_json("/api/v2/observables/bulk", json:, headers: {authorization: "Bearer #{token}"})
+      end
+    end
+  end
+end

data/lib/mihari/config.rb

@@ -34,6 +34,8 @@ module Mihari
       thehive_url: nil,
       urlscan_api_key: nil,
       virustotal_api_key: nil,
+      yeti_api_key: nil,
+      yeti_url: nil,
       zoomeye_api_key: nil,
       # sidekiq
       sidekiq_redis_url: nil,
@@ -123,6 +125,12 @@ module Mihari
     # @!attribute [r] virustotal_api_key
     #   @return [String, nil]
 
+    # @!attribute [r] yeti_url
+    #   @return [String, nil]
+
+    # @!attribute [r] yeti_api_key
+    #   @return [String, nil]
+
     # @!attribute [r] zoomeye_api_key
     #   @return [String, nil]
 

data/lib/mihari/data_type.rb

@@ -26,9 +26,7 @@ module Mihari
 
     # @return [Boolean]
     def ip?
-      Try[IPAddr::InvalidAddressError] do
-        IPAddr.new(data).to_s == data
-      end.recover { false }.value!
+      Try[IPAddr::InvalidAddressError] { IPAddr.new(data).to_s == data }.recover { false }.value!
     end
 
     # @return [Boolean]

data/lib/mihari/emitters/yeti.rb

@@ -0,0 +1,107 @@
+# frozen_string_literal: true
+
+module Mihari
+  module Emitters
+    class Yeti < Base
+      # @return [String, nil]
+      attr_reader :url
+
+      # @return [String, nil]
+      attr_reader :api_key
+
+      # @return [Array<Mihari::Models::Artifact>]
+      attr_accessor :artifacts
+
+      #
+      # @param [Mihari::Rule] rule
+      # @param [Hash, nil] options
+      # @param [Hash] params
+      #
+      def initialize(rule:, options: nil, **params)
+        super(rule:, options:)
+
+        @url = params[:url] || Mihari.config.yeti_url
+        @api_key = params[:api_key] || Mihari.config.yeti_api_key
+
+        @artifacts = []
+      end
+
+      #
+      # @return [Boolean]
+      #
+      def configured?
+        api_key? && url?
+      end
+
+      #
+      # Create a Hive alert
+      #
+      # @param [Array<Mihari::Models::Artifact>] artifacts
+      #
+      def call(artifacts)
+        return if artifacts.empty?
+
+        @artifacts = artifacts
+
+        client.create_observables({observables:})
+      end
+
+      #
+      # @return [String]
+      #
+      def target
+        URI(url).host || "N/A"
+      end
+
+      private
+
+      def client
+        Clients::Yeti.new(url, api_key:, timeout:)
+      end
+
+      #
+      # Check whether a URL is set or not
+      #
+      # @return [Boolean]
+      #
+      def url?
+        !url.nil?
+      end
+
+      def acceptable_artifacts
+        artifacts.reject { |artifact| artifact.data_type == "mail" }
+      end
+
+      #
+      # @param [Mihari::Models::Artifact] artifact
+      #
+      # @return [Hash]
+      #
+      def artifact_to_observable(artifact)
+        convert_table = {
+          domain: "hostname",
+          ip: "ipv4"
+        }
+
+        type = lambda do
+          detailed_type = DataType.detailed_type(artifact.data)
+          convert_table[detailed_type.to_sym] || detailed_type || artifact.data_type
+        end.call
+
+        {
+          tags:,
+          type:,
+          value: artifact.data
+        }
+      end
+
+      def tags
+        @tags ||= rule.tags.map(&:name)
+      end
+
+      def observables
+        acceptable_artifacts.map { |artifact| artifact_to_observable(artifact) }
+      end
+    end
+  end
+end

data/lib/mihari/enrichers/whois.rb

@@ -1,7 +1,5 @@
 # frozen_string_literal: true
 
-require "whois-parser"
-
 module Mihari
   module Enrichers
     #
@@ -18,22 +16,15 @@ module Mihari
       def call(artifact)
         return if artifact.domain.nil?
 
-        domain = PublicSuffix.domain(artifact.domain)
-        record = memoized_lookup(domain)
-        return if record.parser.available?
-
-        artifact.whois_record ||= Models::WhoisRecord.new(
-          domain:,
-          created_on: get_created_on(record.parser),
-          updated_on: get_updated_on(record.parser),
-          expires_on: get_expires_on(record.parser),
-          registrar: get_registrar(record.parser),
-          contacts: get_contacts(record.parser)
-        )
+        artifact.whois_record ||= memoized_lookup(PublicSuffix.domain(artifact.domain))
       end
 
       private
 
+      def client
+        @client ||= Clients::Whois.new(timeout:)
+      end
+
       #
       # @param [Mihari::Models::Artifact] artifact
       #
@@ -53,85 +44,9 @@ module Mihari
       # @return [Mihari::Models::WhoisRecord, nil]
       #
       def memoized_lookup(domain)
-        whois.lookup domain
+        client.lookup domain
       end
       memo_wise :memoized_lookup
-
-      #
-      # @return [::Whois::Client]
-      #
-      def whois
-        @whois ||= lambda do
-          return ::Whois::Client.new if timeout.nil?
-
-          ::Whois::Client.new(timeout:)
-        end.call
-      end
-
-      #
-      # Get created_on
-      #
-      # @param [::Whois::Parser] parser
-      #
-      # @return [Date, nil]
-      #
-      def get_created_on(parser)
-        parser.created_on
-      rescue ::Whois::AttributeNotImplemented
-        nil
-      end
-
-      #
-      # Get updated_on
-      #
-      # @param [::Whois::Parser] parser
-      #
-      # @return [Date, nil]
-      #
-      def get_updated_on(parser)
-        parser.updated_on
-      rescue ::Whois::AttributeNotImplemented
-        nil
-      end
-
-      #
-      # Get expires_on
-      #
-      # @param [::Whois::Parser] parser
-      #
-      # @return [Date, nil]
-      #
-      def get_expires_on(parser)
-        parser.expires_on
-      rescue ::Whois::AttributeNotImplemented
-        nil
-      end
-
-      #
-      # Get registrar
-      #
-      # @param [::Whois::Parser] parser
-      #
-      # @return [Hash, nil]
-      #
-      def get_registrar(parser)
-        parser.registrar&.to_h
-      rescue ::Whois::AttributeNotImplemented
-        nil
-      end
-
-      #
-      # Get contacts
-      #
-      # @param [::Whois::Parser] parser
-      #
-      # @return [Array<Hash>, nil]
-      #
-      def get_contacts(parser)
-        parser.contacts.map(&:to_h)
-      rescue ::Whois::AttributeNotImplemented
-        nil
-      end
     end
   end
 end

data/lib/mihari/schemas/emitter.rb

@@ -29,6 +29,13 @@ module Mihari
         optional(:options).hash(EmitterOptions)
       end
 
+      Yeti = Dry::Schema.Params do
+        required(:emitter).value(Types::String.enum(*Mihari::Emitters::Yeti.keys))
+        optional(:url).filled(:string)
+        optional(:api_key).filled(:string)
+        optional(:options).hash(EmitterOptions)
+      end
+
       Slack = Dry::Schema.Params do
         required(:emitter).value(Types::String.enum(*Mihari::Emitters::Slack.keys))
         optional(:webhook_url).filled(:string)

data/lib/mihari/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Mihari
-  VERSION = "7.4.0"
+  VERSION = "7.6.0"
 end

data/lib/mihari/web/endpoints/alerts.rb

@@ -52,7 +52,7 @@ module Mihari
           end
 
           desc "Delete an alert", {
-            success: {code: 204, model: Entities::Message},
+            success: {code: 204},
             failure: [{code: 404, model: Entities::ErrorMessage}],
             summary: "Delete an alert"
           }
@@ -60,11 +60,9 @@ module Mihari
             requires :id, type: Integer
           end
           delete "/:id" do
-            status 204
-
             id = params["id"].to_i
             result = Services::AlertDestroyer.result(id)
-            return present({message: ""}, with: Entities::Message) if result.success?
+            return if result.success?
 
             case result.failure
             when ActiveRecord::RecordNotFound

data/lib/mihari/web/endpoints/artifacts.rb

@@ -87,7 +87,7 @@ module Mihari
           end
 
           desc "Delete an artifact", {
-            success: {code: 204, model: Entities::Message},
+            success: {code: 204},
             failure: [{code: 404, model: Entities::ErrorMessage}],
             summary: "Delete an artifact"
           }
@@ -99,7 +99,7 @@ module Mihari
 
             id = params["id"].to_i
             result = Services::ArtifactDestroyer.result(id)
-            return present({message: ""}, with: Entities::Message) if result.success?
+            return if result.success?
 
             case result.failure
             when ActiveRecord::RecordNotFound

data/lib/mihari/web/endpoints/configs.rb

@@ -15,12 +15,7 @@ module Mihari
           }
           get "/" do
             configs = Services::ConfigSearcher.call
-            present(
-              {
-                results: configs
-              },
-              with: Entities::Configs
-            )
+            present({results: configs}, with: Entities::Configs)
           end
         end
       end

data/lib/mihari/web/endpoints/rules.rb

@@ -167,7 +167,7 @@ module Mihari
           end
 
           desc "Delete a rule", {
-            success: {code: 204, model: Entities::Message},
+            success: {code: 204},
             failure: [{code: 404, model: Entities::ErrorMessage}],
             summary: "Delete a rule"
           }
@@ -179,7 +179,7 @@ module Mihari
 
             id = params[:id].to_s
             result = Services::RuleDestroyer.result(id)
-            return present({message: "ID:#{id} is deleted"}, with: Entities::Message) if result.success?
+            return if result.success?
 
             case result.failure
             when ActiveRecord::RecordNotFound

data/lib/mihari/web/endpoints/tags.rb

@@ -32,7 +32,7 @@ module Mihari
           end
 
           desc "Delete a tag", {
-            success: {code: 204, model: Entities::Message},
+            success: {code: 204},
             failure: [{code: 404, model: Entities::ErrorMessage}],
             summary: "Delete a tag"
           }
@@ -44,7 +44,7 @@ module Mihari
 
             id = params[:id].to_i
             result = Services::TagDestroyer.result(id)
-            return present({message: ""}, with: Entities::Message) if result.success?
+            return if result.success?
 
             case result.failure
             when ActiveRecord::RecordNotFound