otx_ruby 0.7.1 → 0.8.0

data/lib/otx_ruby/nids.rb

@@ -0,0 +1,13 @@
+module OTX
+  class NIDS < OTX::Base
+    def get_general(nid)
+      uri = "/api/v1/indicators/nids/#{nid}/general"
+
+      json_data = get(uri)
+
+      general = OTX::Indicator::IP::General.new(json_data)
+
+      return general
+    end
+  end
+end

data/lib/otx_ruby/pulses.rb

@@ -3,6 +3,30 @@ module OTX
   # Retrieve and parse into the appropriate object a pulse from the OTX System
   #
   class Pulses < OTX::Base
+    #
+    # Create a Pulse
+    #
+    # @param params [Hash] Parameters to create a Pulse
+    #
+    def create(params)
+      uri = '/api/v1/pulses/create'
+
+      pulse = { body: params }
+
+      post(uri, pulse)
+    end
+
+    #
+    # Validate a Pulse indicator
+    #
+    # @param indicator [Hash] An indicator key value pair
+    #
+    def validate_indicator(indicator)
+      uri = '/api/v1/pulses/indicators/validate'
+
+      post(uri, indicator)
+    end
+
     #
     # Download an individually identified pulse and parse the output
     #
@@ -18,5 +42,131 @@ module OTX
 
         return pulse
     end
+
+    #
+    # Search for Pulses including the query in their datafields
+    #
+    # @param query [String] Query to search
+    # @param limit [Integer] Limit results per page to this number
+    # @param page [Integer] Return results for this page
+    # @param sort [Symbol] Sort results by modified, created or subscriber_count
+    # @return [Array<OTX::Pulse>] Parsed Pulses
+    #
+    def search(query, limit = 10, page = 1, sort = :created)
+      uri = '/api/v1/search/users'
+
+      if sort == :modified || sort == :subscriber_count
+        sort_by = sort.to_s
+      else
+        sort_by = 'created'
+      end
+
+      params = { q: query, limit: limit, page: page, sort: sort_by }
+      results = []
+
+      json_data = get(uri, params)
+
+      json_data['results'].each do |pulse|
+        results << OTX::Pulse.new(pulse)
+      end
+
+      return results
+    end
+
+    #
+    # Edit a Pulses information
+    #
+    # @param id [String] The ID of the Pulse
+    # @param param [Hash] Parameters to edit
+    #
+    def edit(id, params)
+      uri = "/api/v1/pulses/#{id}"
+
+      patch(uri, params)
+    end
+
+    #
+    # GET Pulses from a user
+    #
+    # @param username [String] Name of the User to retrieve pulses from
+    # @param limit [Integer] Limit results per page to this number
+    # @param page [Integer] Return results for this page
+    # @return [Array<OTX::Pulse>] Parsed Pulses
+    #
+    def get_user_pulses(username, limit = 10, page = 1)
+      uri = "/api/v1/pulses/user/#{username}"
+      params = { limit: limit, page: page }
+      results = []
+
+      json_data = get(uri, params)
+
+      json_data['results'].each do |pulse|
+        results << OTX::Pulse.new(pulse)
+      end
+
+      return results
+    end
+
+    #
+    # GET Pulses that share indicators with a Pulse
+    #
+    # @param id [String] ID of the Pulse to retrieve related Pulses from
+    # @param limit [Integer] Limit results per page to this number
+    # @param page [Integer] Return results for this page
+    # @return [Array<OTX::Pulse>] Parsed Pulses
+    #
+    def get_related(id, limit = 10, page = 1)
+      uri = "/api/v1/pulses/#{id}/related"
+      params = { limit: limit, page: page }
+      results = []
+
+      json_data = get(uri, params)
+
+      json_data['results'].each do |pulse|
+        results << OTX::Pulse.new(pulse)
+      end
+
+      return results
+    end
+
+    #
+    # GET a Pulses Indicators
+    #
+    # @param id [String] ID of the Pulse to retrieve Indicators from
+    # @param limit [Integer] Limit results per page to this number
+    # @param page [Integer] Return results for this page
+    # @return [Array<OTX::Pulse>] Parsed Indicators
+    #
+    def get_indicators(id, limit = 10, page = 1)
+      uri = "/api/v1/pulses/#{id}/indicators"
+      params = { limit: limit, page: page }
+      results = []
+
+      json_data = get(uri, params)
+
+      json_data['results'].each do |indicator|
+        results << OTX::Indicators.new(indicator)
+      end
+
+      return results
+    end
+
+    #
+    # GET list of Pulse Indicator Types
+    #
+    # @return [Array<OTX::Indicator::IndicatorType>]
+    #
+    def get_indicator_types
+      uri = '/api/v1/pulses/indicators/types'
+      types = []
+
+      json_data = get(uri)
+
+      json_data['detail'].each do |type|
+        types << OTX::Indicator::IndicatorType.new(type)
+      end
+
+      return types
+    end
   end
 end

data/lib/otx_ruby/subscribed.rb

@@ -5,13 +5,28 @@ module OTX
   # associated pulses
   #
   class Subscribed < OTX::Base
+    def get_subscribed(limit = 10, page = 1, params = {})
+      uri = '/api/v1/pulses/subscribed'
+      params['limit'] = limit
+      params['page'] = page
+      results = []
+
+      json_data = get(uri, params)
+
+      json_data['results'].each do |pulse|
+        results << OTX::Pulse.new(pulse)
+      end
+
+      return results
+    end
+
     #
     # Get all subscribed pulses from the API, get all events in chunks defined by limit
     #
     # @param limit [Integer] Size of chunk of data to be Returned (default = 20)
     # @return [Array] Array of OTX::Pulse records
     #
-    def get_all(limit=20)
+    def get_all(limit = 20)
       uri = '/api/v1/pulses/subscribed'
       params = {limit: limit}
       pulses = []
@@ -22,7 +37,7 @@ module OTX
         params = URI::decode_www_form(URI(page).query).to_h unless page.nil?
 
         pulses += json_data['results']
-      end while !page.nil?
+      end while page && !json_data['results'].empty?
 
       results = []
       pulses.each do |pulse|
@@ -40,7 +55,7 @@ module OTX
     # @param limit [Integer] Size of chunk of data to be Returned (default = 20)
     # @return [Array] Array of OTX::Pulse records
     #
-    def get_since(timestamp, limit=20)
+    def get_since(timestamp, limit = 20)
       uri = '/api/v1/pulses/subscribed'
       params = {limit: limit, modified_since: timestamp}
       pulses = []
@@ -51,7 +66,7 @@ module OTX
         params = URI::decode_www_form(URI(page).query).to_h unless page.nil?
 
         pulses += json_data['results']
-      end while !page.nil?
+      end while page && !json_data['results'].empty?
 
       results = []
       pulses.each do |pulse|

data/lib/otx_ruby/types/author.rb

@@ -0,0 +1,8 @@
+module OTX
+  module Indicator
+    module Pulse
+      class Author < OTX::Type::Base
+      end
+    end
+  end
+end

data/lib/otx_ruby/types/base_indicator.rb

@@ -0,0 +1,8 @@
+module OTX
+  module Indicator
+    module CVE
+      class BaseIndicator < OTX::Type::Base  
+      end
+    end
+  end
+end

data/lib/otx_ruby/types/correlation_rule.rb

@@ -0,0 +1,21 @@
+module OTX
+  module Indicator
+    class CorrelationRule < OTX::Type::Base
+      def initialize(attributes={})
+        attributes.each do |key, value|
+          unless self.respond_to?(key)
+            self.class.send(:attr_accessor, key)
+          end
+
+          if key == 'pulse_info'
+            send("#{key.downcase}=", OTX::Indicator::CVE::PulseInfo.new(value))
+          elsif key == 'base_indicator'
+            send("#{key.downcase}=", OTX::Indicator::CVE::BaseIndicator.new(value))
+          else
+            send("#{key.downcase}=", value)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/otx_ruby/types/cve.rb

@@ -0,0 +1,36 @@
+module OTX
+  module Indicator
+    module CVE
+      class General < OTX::Type::Base
+        #
+        # Needs details for attributes
+        #
+        attr_accessor :indicator, :date_modified, :pulse_info, :references, :base_indicator
+
+        def initialize(attributes={})
+          attributes.each do |key, value|
+            _key = key.gsub('-', '_')
+
+            unless self.respond_to?(key)
+              self.class.send(:attr_accessor, key)
+            end
+
+            if _key == 'pulse_info'
+              @pulse_info = OTX::Indicator::CVE::PulseInfo.new(value)
+            elsif _key == 'base_indicator'
+              @base_indicator = OTX::Indicator::CVE::BaseIndicator.new(value)
+            elsif _key == 'references'
+              @references = []
+              value.each do |reference|
+                @references << OTX::Indicator::CVE::Reference.new(reference)
+              end
+            else
+              send("#{_key.downcase}=", value)
+            end
+          end
+        end
+
+      end
+    end
+  end
+end

data/lib/otx_ruby/types/file_analysis.rb

@@ -0,0 +1,6 @@
+module OTX
+  module Indicator
+    class FileAnalysis < OTX::Type::Base
+    end
+  end
+end

data/lib/otx_ruby/types/indicator_type.rb

@@ -0,0 +1,6 @@
+module OTX
+  module Indicator
+    class IndicatorType < OTX::Type::Base
+    end
+  end
+end

data/lib/otx_ruby/types/indicator_type_counts.rb

@@ -0,0 +1,8 @@
+module OTX
+  module Indicator
+    module Pulse
+      class IndicatorTypeCounts < OTX::Type::Base
+      end
+    end
+  end
+end

data/lib/otx_ruby/types/ip/dns.rb

@@ -0,0 +1,8 @@
+module OTX
+  module Indicator
+    module IP
+      class DNS < OTX::Type::Base
+      end
+    end
+  end
+end

data/lib/otx_ruby/types/ip/general.rb

@@ -0,0 +1,24 @@
+module OTX
+  module Indicator
+    module IP
+      class General < OTX::Type::Base
+        def initialize(attributes={})
+          attributes.each do |key, value|
+
+            unless self.respond_to?(key)
+              self.class.send(:attr_accessor, key)
+            end
+
+            if key == 'pulse_info'
+              send("#{key.downcase}=", OTX::Indicator::CVE::PulseInfo.new(value))
+            elsif key == 'base_indicator'
+              send("#{key.downcase}=", OTX::Indicator::CVE::BaseIndicator.new(value))
+            else
+              send("#{key.downcase}=", value)
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/otx_ruby/types/ip/geo.rb

@@ -0,0 +1,8 @@
+module OTX
+  module Indicator
+    module IP
+      class Geo < OTX::Type::Base
+      end
+    end
+  end
+end

data/lib/otx_ruby/types/ip/http_scan.rb

@@ -0,0 +1,8 @@
+module OTX
+  module Indicator
+    module IP
+      class HTTPScan < OTX::Type::Base
+      end
+    end
+  end
+end

data/lib/otx_ruby/types/ip/malware.rb

@@ -0,0 +1,21 @@
+module OTX
+  module Indicator
+    module IP
+      class Malware < OTX::Type::Base
+        def initialize(attributes={})
+          attributes.each do |key, value|
+            if key == 'hash'
+              self.class.send(:attr_accessor, 'malware_hash')
+              send('malware_hash=', value)
+            else
+              unless self.respond_to?(key)
+                self.class.send(:attr_accessor, key)
+              end
+              send("#{key.downcase}=", value)
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/otx_ruby/types/ip/url.rb

@@ -0,0 +1,8 @@
+module OTX
+  module Indicator
+    module IP
+      class URL < OTX::Type::Base
+      end
+    end
+  end
+end

data/lib/otx_ruby/types/ip/whois.rb

@@ -0,0 +1,8 @@
+module OTX
+  module Indicator
+    module IP
+      class Whois < OTX::Type::Base
+      end
+    end
+  end
+end

data/lib/otx_ruby/types/observation.rb

@@ -0,0 +1,8 @@
+module OTX
+  module Indicator
+    module Pulse
+      class Observation < OTX::Type::Base
+      end
+    end
+  end
+end

data/lib/otx_ruby/types/pulse.rb

@@ -29,13 +29,24 @@ module OTX
 
     def initialize(attributes={})
       attributes.each do |key, value|
-        if key != 'indicators'
-          send("#{key.downcase}=", value)
-        else
+        # Dynamically Add any missing attributes
+        unless self.respond_to?(key)
+          self.class.send(:attr_accessor, key)
+        end
+
+        if key == 'indicators'
           @indicators = []
           value.each do |indicator|
             @indicators << OTX::Indicators.new(indicator)
           end
+        elsif key == 'observation'
+          @observation = OTX::Indicator::Pulse::Observation.new(value)
+        elsif key == 'indicator_type_counts'
+          @indicator_type_counts = OTX::Indicator::Pulse::IndicatorTypeCounts.new(value)
+        elsif key == 'author'
+          @author = OTX::Indicator::Pulse::Author.new(value)
+        else
+          send("#{key.downcase}=", value)
         end
       end
     end

data/lib/otx_ruby/types/pulse_info.rb

@@ -0,0 +1,24 @@
+module OTX
+  module Indicator
+    module CVE
+      class PulseInfo < OTX::Type::Base
+        def initialize(attributes={})
+          attributes.each do |key, value|
+            unless self.respond_to?(key)
+              self.class.send(:attr_accessor, key)
+            end
+
+            if key != 'pulses'
+              send("#{key.downcase}=", value)
+            else
+              @pulses = []
+              value.each do |pulse|
+                @pulses << OTX::Pulse.new(pulse)
+              end
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/otx_ruby/types/reference.rb

@@ -0,0 +1,8 @@
+module OTX
+  module Indicator
+    module CVE
+      class Reference < OTX::Type::Base
+      end
+    end
+  end
+end

data/lib/otx_ruby/types/user.rb

@@ -0,0 +1,21 @@
+module OTX
+  #
+  # AlienVault OTX User Record
+  #
+  # @attr user_id [String] User ID
+  # @attr username [String] User name
+  # @attr member_since [String] Number of days since User created their account
+  # @attr avatar_url [String] URL for Users avatar image
+  # @attr pulse_count [Integer] Number of Pulses created
+  # @attr accepted_edits_count [Integer] Number of Users edits that have been accepted
+  # @attr subscriber_count [Integer] Number of other Users subscribed to this User
+  # @attr follower_count [Integer] Number of other Users following this User
+  # @attr award_count [Integer] Number of awards this User has received
+  # @attr awards [Array<String>] Array of awards this User has received
+  #
+  class User < OTX::Type::Base
+    attr_accessor :user_id, :username, :member_since, :avatar_url, :pulse_count,
+      :accepted_edits_count, :subscriber_count, :follower_count, :award_count,
+      :awards
+  end
+end

data/lib/otx_ruby/url.rb

@@ -0,0 +1,35 @@
+module OTX
+  class URL < OTX::Base
+    def get_general(url)
+      uri = "/api/v1/indicators/url/#{url}/general"
+
+      json_data = get(uri)
+
+      general = OTX::Indicator::IP::General.new(json_data)
+
+      return general
+    end
+
+    def get_url_list(url)
+      uri = "/api/v1/indicators/url/#{url}/url_list"
+
+      page = 0
+      url_list = []
+      begin
+        page += 1
+        params = {limit: 20, page: page}
+        json_data = get(uri, params)
+        has_next = json_data['has_next']
+
+        url_list += json_data['url_list']
+      end while has_next
+
+      results = []
+      url_list.each do |url|
+        results << OTX::Indicator::IP::URL.new(url)
+      end
+
+      return results
+    end
+  end
+end

data/lib/otx_ruby/users.rb

@@ -0,0 +1,97 @@
+module OTX
+  #
+  # Search for, subscribe to, unsubscribe from, follow and unfollow users
+  #
+  class Users < OTX::Base
+    #
+    # Validate your API Key configuration. If valid, some basic information about the user account corresponding to the API Key supplied will be returned.
+    #
+    # @return [OTX::User] Parsed User
+    #
+    def me
+      uri = "/api/v1/users/me"
+
+      json_data = get(uri)
+
+      user = OTX::User.new(json_data)
+
+      return user
+    end
+
+    #
+    # Search for Users by username
+    #
+    # @param query [String] Full or partial username to search
+    # @param limit [Integer] Limit results per page to this number
+    # @param page [Integer] Return results for this page
+    # @param sort [Symbol] Sort results by username or pulse_count
+    # @return [Array<OTX::User>] Parsed Users
+    #
+    def search(query, limit = 10, page = 1, sort = :username)
+      uri = '/api/v1/search/users'
+      params = {
+        q: query,
+        limit: limit,
+        page: page,
+        sort: sort == :pulse_count ? 'pulse_count' : 'username'
+      }
+      results = []
+
+      json_data = get(uri, params)
+
+      json_data['results'].each do |user|
+        results << OTX::User.new(user)
+      end
+
+      return results
+    end
+
+    #
+    # Subscribe to a User
+    #
+    # @param useranme [String] Username of the User you wish to subscribe to
+    #
+    def subscribe_to(username)
+      action(username, 'subscribe')
+    end
+
+    #
+    # Unsubscribe from a User
+    #
+    # @param useranme [String] Username of the User you wish to unsubscribe from
+    #
+    def unsubscribe_from(username)
+      action(username, 'unsubscribe')
+    end
+
+    #
+    # Follow a User
+    #
+    # @param useranme [String] Username of the User you wish to follow
+    #
+    def follow(username)
+      action(username, 'follow')
+    end
+
+    #
+    # Unfollow a User
+    #
+    # @param useranme [String] Username of the User you wish to unfollow
+    #
+    def unfollow(username)
+      action(username, 'unfollow')
+    end
+
+    #
+    # Perform an action on a User
+    #
+    # @param useranme [String] Username of the User you wish to perform an action on
+    # @param action [String] Action you wish to perform on the User
+    #
+    def action(username, action)
+      uri = "/api/v1/users/#{username}/#{action}"
+
+      post(uri)
+    end
+  end
+end

data/lib/otx_ruby/version.rb

@@ -1,4 +1,4 @@
 module OTX
   # Library Version Number
-  VERSION = "0.7.1"
+  VERSION = "0.8.0"
 end