Class: Mihari::Analyzers::Rule

Inherits:
Base
  • Object
show all
Includes:
Mixins::DisallowedDataValue, Mixins::Rule
Defined in:
lib/mihari/analyzers/rule.rb

Constant Summary

Constants included from Mixins::Retriable

Mixins::Retriable::DEFAULT_ON

Instance Attribute Summary collapse

Attributes inherited from Base

#ignore_old_artifacts, #ignore_threshold

Instance Method Summary collapse

Methods included from Mixins::Rule

#initialize_rule_yaml, #load_erb_yaml, #load_rule, #load_yaml_from_db, #load_yaml_from_file, #rule_template, #validate_rule!

Methods included from Mixins::Database

#with_db_connection

Methods included from Mixins::DisallowedDataValue

#normalize_disallowed_data_value, #valid_disallowed_data_value?

Methods inherited from Base

#description, inherited, #run, #run_emitter, #tags, #title

Methods included from Mixins::Retriable

#retry_on_error

Methods included from Mixins::Configurable

#configuration_keys, #configuration_values, #configured?

Methods included from Mixins::AutonomousSystem

#normalize_asn

Constructor Details

#initialize(**kwargs) ⇒ Rule

Returns a new instance of Rule.



57
58
59
60
61
62
63
64
65
 
# File 'lib/mihari/analyzers/rule.rb', line 57

def initialize(**kwargs)
  super(**kwargs)

  @source = id

  @emitters = emitters || DEFAULT_EMITTERS

  validate_analyzer_configurations
end

Instance Attribute Details

#sourceObject (readonly)

Returns the value of attribute source.



55
56
57
 
# File 'lib/mihari/analyzers/rule.rb', line 55

def source
  @source
end

Instance Method Details

#artifactsArray<Mihari::Artifact>

Returns a list of artifacts matched with queries

Returns:



72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
 
# File 'lib/mihari/analyzers/rule.rb', line 72

def artifacts
  artifacts = []

  queries.each do |original_params|
    parmas = original_params.deep_dup

    analyzer_name = parmas[:analyzer]
    klass = get_analyzer_class(analyzer_name)

    query = parmas[:query]

    # set interval in the top level
    options = parmas[:options] || {}
    interval = options[:interval]
    parmas[:interval] = interval if interval

    analyzer = klass.new(query, **parmas)

    # Use #normalized_artifacts method to get atrifacts as Array<Mihari::Artifact>
    # So Mihari::Artifact object has "source" attribute (e.g. "Shodan")
    artifacts << analyzer.normalized_artifacts
  end

  artifacts.flatten
end

#disallowed_data_value?(value) ⇒ Boolean

Check whether a value is a disallowed data value or not

Returns:

  • (Boolean) 


129
130
131
132
133
134
135
136
137
 
# File 'lib/mihari/analyzers/rule.rb', line 129

def disallowed_data_value?(value)
  return true if normalized_disallowed_data_values.include?(value)

  normalized_disallowed_data_values.select do |disallowed_data_value|
    disallowed_data_value.is_a?(Regexp)
  end.any? do |disallowed_data_value|
    disallowed_data_value.match?(value)
  end
end

#normalized_artifactsArray<Mihari::Artifact>

Normalize artifacts

  • Uniquefy artifacts by #uniq(&:data)

  • Reject an invalid artifact (for just in case)

  • Select artifacts with allowed data types

  • Reject artifacts with disallowed data values

Returns:



107
108
109
110
111
112
113
 
# File 'lib/mihari/analyzers/rule.rb', line 107

def normalized_artifacts
  @normalized_artifacts ||= artifacts.uniq(&:data).select(&:valid?).select do |artifact|
    allowed_data_types.include? artifact.data_type
  end.reject do |artifact|
    disallowed_data_value? artifact.data
  end
end

#normalized_disallowed_data_valuesArray<Regexp, String>

Normalized disallowed data values

Returns:

  • (Array<Regexp, String>) 


120
121
122
 
# File 'lib/mihari/analyzers/rule.rb', line 120

def normalized_disallowed_data_values
  @normalized_disallowed_data_values ||= disallowed_data_values.map { |v| normalize_disallowed_data_value v }
end