otx_ruby 0.7.1 → 0.8.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 59f7c70b2d3ead15a343ec6309d290e02810c7f9
-  data.tar.gz: 7f0473fda29c689cabf291493acbf838e476a5d0
+  metadata.gz: 7934c02ca3191b73093883c9e5c1ca6daa18d175
+  data.tar.gz: 3a0320e544d2d7f0864c64fc18c89c2d38bbc603
 SHA512:
-  metadata.gz: 6e639869d6db18a78e9d3215ec64586f2d9544592d56ff9bc69ad1a299a4339b67fe5591c0c3f7116a7c484f910fadb634401678ed4973a79f59e6269e1937f1
-  data.tar.gz: a1968a159ec1d5d0f214dcb49462c9a4313d79b256f4787d92f1c9507b78cda2608d07fc0b7e5747e2aeb9b64163fdd6ba1cb53b47d1813ae3d1b99df94ca058
+  metadata.gz: 0a89b9e968eb3ea1b53296e3d749b6da872dc389d699bfaa0927acc2636be5509c0fd2abc917b97c5e6aec7f9642ec70b8321c69ffe5748c0d19032e61ff9f7a
+  data.tar.gz: 674f4eefb4f5fc1a48bc05954e17f272f1b31cbc830e1d20abd8ff61bfec447a0757875ab4fe179bfbcd19265d59a9c47f3fcabcbe593609a2c8db51a71dbbaa

data/circle.yml

@@ -1,6 +1,6 @@
 machine:
   ruby:
-    version: 2.2.4
+    version: 2.3.5
 database:
   override:
     - echo 'no database'

data/lib/otx_ruby/activity.rb

@@ -0,0 +1,90 @@
+module OTX
+  #
+  # Within the OTX system you are able to subscribe to pulses from other users,
+  # this class allows the retreival of the currently subscribed pulse feeds and
+  # the associated pulses, as well as pulses from followed Users
+  #
+  class Activity < OTX::Base
+    #
+    # Get pulse activity from the API
+    #
+    # @param limit [Integer] Number of records returned
+    # @param page [Integer] page of records returned
+    # @param params [Hash] Addtional parameters eg `modified_since: DateTime`
+    #
+    def get_activity(limit = 10, page = 1, params = {})
+      uri = '/api/v1/pulses/activity'
+      params['limit'] = limit
+      params['page'] = page
+
+      json_data = get(uri, params)
+
+      pulses = json_data['results']
+
+      results = []
+      pulses.each do |pulse|
+        results << OTX::Pulse.new(pulse)
+      end
+
+      return results
+    end
+
+    #
+    # Get all pulses activity from the API, get all events in chunks defined by
+    # limit
+    #
+    # @param limit [Integer] Size of chunk of data to be Returned (default = 20)
+    # @return [Array<OTX::Pulse>] Parsed Pulses
+    #
+    def get_all(limit = 20)
+      uri = '/api/v1/pulses/activity'
+      params = {limit: limit}
+      pulses = []
+      begin
+        json_data = get(uri, params)
+        page = json_data['next']
+
+        params = URI::decode_www_form(URI(page).query).to_h unless page.nil?
+
+        pulses += json_data['results']
+      end while page && !json_data['results'].empty?
+
+      results = []
+      pulses.each do |pulse|
+        results << OTX::Pulse.new(pulse)
+      end
+
+      return results
+    end
+
+    #
+    # Get all pulses activity from the API, get all events in chunks defined by
+    # limit and since timestamp
+    #
+    # @param timestamp [Time] Timestamp of point in time to get records since in
+    # ISO Format
+    # @param limit [Integer] Size of chunk of data to be Returned (default = 20)
+    # @return [Array<OTX::Pulse>] Parsed Pulses
+    #
+    def get_since(timestamp, limit = 20)
+      uri = '/api/v1/pulses/activity'
+      params = {limit: limit, modified_since: timestamp}
+      pulses = []
+      begin
+        json_data = get(uri, params)
+        page = json_data['next']
+
+        params = URI::decode_www_form(URI(page).query).to_h unless page.nil?
+
+        pulses += json_data['results']
+      end while page && !json_data['results'].empty?
+
+      results = []
+      pulses.each do |pulse|
+        results << OTX::Pulse.new(pulse)
+      end
+
+      return results
+    end
+  end
+end

data/lib/otx_ruby/base.rb

@@ -21,7 +21,7 @@ module OTX
     end
 
     #
-    # Get the provided URL
+    # GET the provided URL
     #
     # @param url [String] URL to make API request to
     # @param params [Hash] Additional parameters to be added to the requests
@@ -36,6 +36,40 @@ module OTX
       # Parse and return JSON object as hash to caller
       return Oj.load(response.body)
     end
+
+    #
+    # POST to the provided URL
+    #
+    # @param url [String] URL to make API request to
+    # @param params [Hash] Additional parameters to be added to the requests
+    #
+    def post(url, params={})
+      response = @conn.post do |req|
+        req.url url
+        req.headers['X-OTX-API-KEY'] = @key
+        req.params = params
+      end
+
+      # Parse and return JSON object as hash to caller
+      return Oj.load(response.body)
+    end
+
+    #
+    # PATCH to the provided URL
+    #
+    # @param url [String] URL to make API request to
+    # @param params [Hash] Additional parameters to be added to the requests
+    #
+    def patch(url, params={})
+      response = @conn.patch do |req|
+        req.url url
+        req.headers['X-OTX-API-KEY'] = @key
+        req.params = params
+      end
+
+      # Parse and return JSON object as hash to caller
+      return Oj.load(response.body)
+    end
   end
 end
 
@@ -68,7 +102,13 @@ module OTX
 
       def initialize(attributes={})
         attributes.each do |key, value|
-          send("#{key}=", value)
+          _key = key.gsub('-', '_')
+
+          unless self.respond_to?(_key.downcase)
+            self.class.send(:attr_accessor, _key.downcase)
+          end
+
+          send("#{_key.downcase}=", value)
         end
       end
     end

data/lib/otx_ruby/correlation_rule.rb

@@ -0,0 +1,13 @@
+module OTX
+  class CorrelationRule < OTX::Base
+    def get_general(correlation_rule)
+      uri = "/api/v1/indicators/correlation-rule/#{correlation_rule}/general"
+
+      json_data = get(uri)
+
+      general = OTX::Indicator::CorrelationRule.new(json_data)
+
+      return general
+    end
+  end
+end

data/lib/otx_ruby/cve.rb

@@ -0,0 +1,22 @@
+module OTX
+  #
+  # Retrieve and parse into the appropriate object the reputation for an IP Address from the OTX System
+  #
+  class CVE < OTX::Base
+    #
+    # Download an individually identified IP Address Reputation and parse the output
+    #
+    # @param cve [String] The CVE ID to check
+    # @return [OTX::Pulse] Parsed CVE Indicator
+    #
+    def get_general(cve)
+      uri = "api/v1/indicators/cve/#{cve}/general"
+
+      json_data = get(uri)
+
+      general = OTX::Indicator::CVE::General.new(json_data)
+
+      return general
+    end
+  end
+end

data/lib/otx_ruby/domain.rb

@@ -0,0 +1,90 @@
+module OTX
+  class Domain < OTX::Base
+    def get_general(domain)
+      uri = "/api/v1/indicators/domain/#{domain}/general"
+
+      json_data = get(uri)
+
+      general = OTX::Indicator::IP::General.new(json_data)
+
+      return general
+    end
+
+    def get_geo(domain)
+      uri = "/api/v1/indicators/domain/#{domain}/geo"
+
+      json_data = get(uri)
+
+      geo = OTX::Indicator::IP::Geo.new(json_data)
+
+      return geo
+    end
+
+    def get_malware(domain)
+      uri = "/api/v1/indicators/domain/#{domain}/malware"
+      malwares = []
+      params = {}
+
+      begin
+        json_data = get(uri, params)
+        page = json_data['next']
+
+        params = URI::decode_www_form(URI(page).query).to_h unless page.nil?
+
+        malwares += json_data['data']
+      end while page && !json_data['data'].empty?
+
+      results = []
+      malwares.each do |malware|
+        results << OTX::Indicator::IP::Malware.new(malware)
+      end
+
+      return results
+    end
+
+    def get_url_list(domain)
+      uri = "/api/v1/indicators/domain/#{domain}/url_list"
+
+      page = 0
+      url_list = []
+      begin
+        page += 1
+        params = {limit: 20, page: page}
+        json_data = get(uri, params)
+        has_next = json_data['has_next']
+
+        url_list += json_data['url_list']
+      end while has_next
+
+      results = []
+      url_list.each do |url|
+        results << OTX::Indicator::IP::URL.new(url)
+      end
+
+      return results
+    end
+
+    def get_passive_dns(domain)
+      uri = "/api/v1/indicators/domain/#{domain}/passive_dns"
+
+      json_data = get(uri)
+
+      results = []
+      json_data['passive_dns'].each do |dns|
+        results << OTX::Indicator::IP::DNS.new(dns)
+      end
+
+      return results
+    end
+
+    def whois(domain)
+      uri = "/api/v1/indicators/domain/#{domain}/whois"
+
+      json_data = get(uri)
+
+      whois = OTX::Indicator::IP::Whois.new(json_data)
+
+      return whois
+    end
+  end
+end

data/lib/otx_ruby/events.rb

@@ -5,13 +5,37 @@ module OTX
   # provides a wrapper around this functionality.
   #
   class Events < OTX::Base
+    #
+    # Get subscribed events from the API
+    #
+    # @param limit [Integer] Number of records returned
+    # @param page [Integer] page of records returned
+    # @param params [Hash] Addtional parameters eg `modified_since: DateTime`
+    #
+    def get_events(limit = 10, page = 1, params = {})
+      uri = '/api/v1/pulses/events'
+      params['limit'] = limit
+      params['page'] = page
+
+      json_data = get(uri, params)
+
+      events = json_data['results']
+
+      results = []
+      events.each do |event|
+        results << OTX::Event.new(event)
+      end
+
+      return results
+    end
+
     #
     # Get all events from the API, get all events in chunks defined by limit
     #
     # @param limit [Integer] Size of chunk of data to be Returned (default = 20)
     # @return [Array] Array of OTX::Event records
     #
-    def get_all(limit=20)
+    def get_all(limit = 20)
       uri = '/api/v1/pulses/events'
       params = {limit: limit}
       events = []
@@ -22,7 +46,7 @@ module OTX
         params = URI::decode_www_form(URI(page).query).to_h unless page.nil?
 
         events += json_data['results']
-      end while !page.nil?
+      end while page && !json_data['results'].empty?
 
       results = []
       events.each do |event|
@@ -40,7 +64,7 @@ module OTX
     # @param limit [Integer] Size of chunk of data to be Returned (default = 20)
     # @return [Array] Array of OTX::Event records
     #
-    def get_since(timestamp, limit=20)
+    def get_since(timestamp, limit = 20)
       uri = '/api/v1/pulses/events'
       params = {limit: limit, since: timestamp}
       events = []
@@ -51,7 +75,7 @@ module OTX
         params = URI::decode_www_form(URI(page).query).to_h unless page.nil?
 
         events += json_data['results']
-      end while !page.nil?
+      end while page && !json_data['results'].empty?
 
       results = []
       events.each do |event|

data/lib/otx_ruby/export.rb

@@ -0,0 +1,103 @@
+module OTX
+  class Export < OTX::Base
+    def get_export(limit = 10, page = 1, params = {})
+      uri = '/api/v1/indicators/export'
+
+      params['limit'] = limit
+      params['page'] = page
+      indicators = []
+
+      json_data = get(uri, params)
+
+      json_data['results'].each do |indicator|
+        indicators << OTX::Indicators.new(indicator)
+      end
+
+      return indicators
+    end
+
+    def get_all(limit = 20)
+      uri = '/api/v1/indicators/export'
+      params = { limit: limit }
+      indicators = []
+      begin
+        json_data = get(uri, params)
+        page = json_data['next']
+
+        params = URI::decode_www_form(URI(page).query).to_h unless page.nil?
+
+        indicators += json_data['results']
+      end while page && !json_data['results'].empty?
+
+      results = []
+      indicators.each do |indicator|
+        results << OTX::Indicators.new(indicator)
+      end
+
+      return results
+    end
+
+    def get_since(timestamp, limit = 20)
+      uri = '/api/v1/indicators/export'
+      params = { limit: limit, modified_since: timestamp }
+      indicators = []
+      begin
+        json_data = get(uri, params)
+        page = json_data['next']
+
+        params = URI::decode_www_form(URI(page).query).to_h unless page.nil?
+
+        indicators += json_data['results']
+      end while page && !json_data['results'].empty?
+
+      results = []
+      indicators.each do |indicator|
+        results << OTX::Indicators.new(indicator)
+      end
+
+      return results
+    end
+
+    def get_only(list_of_types, limit = 20)
+      uri = '/api/v1/indicators/export'
+      params = { limit: limit, types: list_of_types }
+      indicators = []
+      begin
+        json_data = get(uri, params)
+        page = json_data['next']
+
+        params = URI::decode_www_form(URI(page).query).to_h unless page.nil?
+
+        indicators += json_data['results']
+      end while page && !json_data['results'].empty?
+
+      results = []
+      indicators.each do |indicator|
+        results << OTX::Indicator.new(indicator)
+      end
+
+      return results
+    end
+
+    def get_only_since(list_of_types, timestamp, limit = 20)
+      uri = '/api/v1/indicators/export'
+      params = { limit: limit, types: list_of_types, modified_since: timestamp }
+      indicators = []
+      begin
+        json_data = get(uri, params)
+        page = json_data['next']
+
+        params = URI::decode_www_form(URI(page).query).to_h unless page.nil?
+
+        indicators += json_data['results']
+      end while page && !json_data['results'].empty?
+
+      results = []
+      indicators.each do |indicator|
+        results << OTX::Indicator.new(indicator)
+      end
+
+      return results
+    end
+  end
+end

data/lib/otx_ruby/file.rb

@@ -0,0 +1,23 @@
+module OTX
+  class File < OTX::Base
+    def get_general(file_hash)
+      uri = "/api/v1/indicators/file/#{file_hash}/general"
+
+      json_data = get(uri)
+
+      general = OTX::Indicator::IP::General.new(json_data)
+
+      return general
+    end
+
+    def get_analysis(file_hash)
+      uri = "/api/v1/indicators/file/#{file_hash}/analysis"
+
+      json_data = get(uri)
+
+      analysis = OTX::Indicator::FileAnalysis.new(json_data)
+
+      return analysis
+    end
+  end
+end

data/lib/otx_ruby/hostname.rb

@@ -0,0 +1,95 @@
+module OTX
+  class Hostname < OTX::Base
+    def get_general(hostname)
+      uri = "/api/v1/indicators/hostname/#{hostname}/general"
+
+      json_data = get(uri)
+
+      general = OTX::Indicator::IP::General.new(json_data)
+
+      return general
+    end
+
+    def get_geo(hostname)
+      uri = "/api/v1/indicators/hostname/#{hostname}/geo"
+
+      json_data = get(uri)
+
+      geo = OTX::Indicator::IP::Geo.new(json_data)
+
+      return geo
+    end
+
+    def get_malware(hostname)
+      uri = "/api/v1/indicators/hostname/#{hostname}/malware"
+      malwares = []
+      params = {}
+
+      begin
+        json_data = get(uri, params)
+        page = json_data['next']
+
+        params = URI::decode_www_form(URI(page).query).to_h unless page.nil?
+
+        malwares += json_data['data']
+      end while page && !json_data['data'].empty?
+
+      results = []
+      malwares.each do |malware|
+        results << OTX::Indicator::IP::Malware.new(malware)
+      end
+
+      return results
+    end
+
+    def get_url_list(hostname)
+      uri = "/api/v1/indicators/hostname/#{hostname}/url_list"
+
+      page = 0
+      url_list = []
+      begin
+        page += 1
+        params = {limit: 20, page: page}
+        json_data = get(uri, params)
+        has_next = json_data['has_next']
+
+        url_list += json_data['url_list']
+      end while has_next
+
+      results = []
+      url_list.each do |url|
+        results << OTX::Indicator::IP::URL.new(url)
+      end
+
+      return results
+    end
+
+    def get_passive_dns(hostname)
+      uri = "/api/v1/indicators/hostname/#{hostname}/passive_dns"
+
+      json_data = get(uri)
+
+      results = []
+      json_data['passive_dns'].each do |dns|
+        results << OTX::Indicator::IP::DNS.new(dns)
+      end
+
+      return results
+    end
+
+    def get_http_scans(hostname)
+      uri = "/api/v1/indicators/hostname/#{hostname}/http_scans"
+
+      json_data = get(uri)
+
+      results = []
+      unless json_data['data'].nil?
+        json_data['data'].each do |http_scan|
+          results << OTX::Indicator::IP::HTTPScan.new(http_scan)
+        end
+      end
+
+      return results
+    end
+  end
+end

data/lib/otx_ruby/ip.rb

@@ -0,0 +1,105 @@
+module OTX
+  class IP < OTX::Base
+    def get_general(ip, type = :ipv4)
+      uri = "/api/v1/indicators/#{type == :ipv6 ? 'IPv6' : 'IPv4'}/#{ip}/general"
+
+      json_data = get(uri)
+
+      general = OTX::Indicator::IP::General.new(json_data)
+
+      return general
+    end
+
+    def get_reputation(ip, type = :ipv4)
+      uri = "/api/v1/indicators/#{type == :ipv6 ? 'IPv6' : 'IPv4'}/#{ip}/reputation"
+
+      json_data = get(uri)
+
+      if json_data['reputation']
+        reputation = OTX::Indicator::IP::Reputation.new(json_data["reputation"])
+      end
+
+      return reputation
+    end
+
+    def get_geo(ip, type = :ipv4)
+      uri = "/api/v1/indicators/#{type == :ipv6 ? 'IPv6' : 'IPv4'}/#{ip}/geo"
+
+      json_data = get(uri)
+
+      geo = OTX::Indicator::IP::Geo.new(json_data)
+
+      return geo
+    end
+
+    def get_malware(ip, type = :ipv4)
+      uri = "/api/v1/indicators/#{type == :ipv6 ? 'IPv6' : 'IPv4'}/#{ip}/malware"
+      malwares = []
+      params = {}
+
+      begin
+        json_data = get(uri, params)
+        page = json_data['next']
+
+        params = URI::decode_www_form(URI(page).query).to_h unless page.nil?
+
+        malwares += json_data['data']
+      end while page && !json_data['data'].empty?
+
+      results = []
+      malwares.each do |malware|
+        results << OTX::Indicator::IP::Malware.new(malware)
+      end
+
+      return results
+    end
+
+    def get_url_list(ip, type = :ipv4)
+      uri = "/api/v1/indicators/#{type == :ipv6 ? 'IPv6' : 'IPv4'}/#{ip}/url_list"
+
+      page = 0
+      url_list = []
+      begin
+        page += 1
+        params = {limit: 20, page: page}
+        json_data = get(uri, params)
+        has_next = json_data['has_next']
+
+        url_list += json_data['url_list']
+      end while has_next
+
+      results = []
+      url_list.each do |url|
+        results << OTX::Indicator::IP::URL.new(url)
+      end
+
+      return results
+    end
+
+    def get_passive_dns(ip, type = :ipv4)
+      uri = "/api/v1/indicators/#{type == :ipv6 ? 'IPv6' : 'IPv4'}/#{ip}/passive_dns"
+
+      json_data = get(uri)
+
+      results = []
+      json_data['passive_dns'].each do |dns|
+        results << OTX::Indicator::IP::DNS.new(dns)
+      end
+
+      return results
+    end
+
+    def get_http_scans(ip, type = :ipv4)
+      uri = "/api/v1/indicators/#{type == :ipv6 ? 'IPv6' : 'IPv4'}/#{ip}/http_scans"
+
+      json_data = get(uri)
+
+      results = []
+      json_data['data'].each do |http_scan|
+        results << OTX::Indicator::IP::HTTPScan.new(http_scan)
+      end
+
+      return results
+    end
+  end
+end