Class: Mihari::Analyzers::Rule

Inherits:
Base
  • Object
show all
Includes:
Mixins::DisallowedDataValue
Defined in:
lib/mihari/analyzers/rule.rb

Constant Summary

Constants included from Mixins::Retriable

Mixins::Retriable::DEFAULT_ON

Instance Attribute Summary collapse

Attributes inherited from Base

#ignore_old_artifacts, #ignore_threshold

Instance Method Summary collapse

Methods included from Mixins::DisallowedDataValue

#normalize_disallowed_data_value, #valid_disallowed_data_value?

Methods inherited from Base

#description, inherited, #run, #run_emitter, #tags, #title

Methods included from Mixins::Retriable

#retry_on_error

Methods included from Mixins::Database

#with_db_connection

Methods included from Mixins::Configurable

#configuration_keys, #configuration_values, #configured?

Methods included from Mixins::AutonomousSystem

#normalize_asn

Constructor Details

#initialize(**kwargs) ⇒ Rule

Returns a new instance of Rule.



57
58
59
60
61
62
63
64
65
66
 
# File 'lib/mihari/analyzers/rule.rb', line 57

def initialize(**kwargs)
  super(**kwargs)

  @source = id

  @emitters = emitters || DEFAULT_EMITTERS
  @enrichers = enrichers || DEFAULT_ENRICHERS

  validate_analyzer_configurations
end

Instance Attribute Details

#sourceObject (readonly)

Returns the value of attribute source.



55
56
57
 
# File 'lib/mihari/analyzers/rule.rb', line 55

def source
  @source
end

Instance Method Details

#artifactsArray<Mihari::Artifact>

Returns a list of artifacts matched with queries

Returns:



73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
 
# File 'lib/mihari/analyzers/rule.rb', line 73

def artifacts
  artifacts = []

  queries.each do |original_params|
    parmas = original_params.deep_dup

    analyzer_name = parmas[:analyzer]
    klass = get_analyzer_class(analyzer_name)

    query = parmas[:query]

    # set interval in the top level
    options = parmas[:options] || {}
    interval = options[:interval]
    parmas[:interval] = interval if interval

    analyzer = klass.new(query, **parmas)

    # Use #normalized_artifacts method to get atrifacts as Array<Mihari::Artifact>
    # So Mihari::Artifact object has "source" attribute (e.g. "Shodan")
    artifacts << analyzer.normalized_artifacts
  end

  artifacts.flatten
end

#disallowed_data_value?(value) ⇒ Boolean

Check whether a value is a disallowed data value or not

Returns:

  • (Boolean) 


145
146
147
148
149
150
151
152
153
 
# File 'lib/mihari/analyzers/rule.rb', line 145

def disallowed_data_value?(value)
  return true if normalized_disallowed_data_values.include?(value)

  normalized_disallowed_data_values.select do |disallowed_data_value|
    disallowed_data_value.is_a?(Regexp)
  end.any? do |disallowed_data_value|
    disallowed_data_value.match?(value)
  end
end

#enriched_artifactsArray<Mihari::Artifact>

Enriched artifacts

Returns:



121
122
123
124
125
126
127
128
129
 
# File 'lib/mihari/analyzers/rule.rb', line 121

def enriched_artifacts
  @enriched_artifacts ||= Parallel.map(unique_artifacts) do |artifact|
    enrichers.each do |enricher|
      artifact.enrich_by_enricher(enricher[:enricher])
    end

    artifact
  end
end

#normalized_artifactsArray<Mihari::Artifact>

Normalize artifacts

  • Uniquefy artifacts by #uniq(&:data)

  • Reject an invalid artifact (for just in case)

  • Select artifacts with allowed data types

  • Reject artifacts with disallowed data values

Returns:



108
109
110
111
112
113
114
 
# File 'lib/mihari/analyzers/rule.rb', line 108

def normalized_artifacts
  @normalized_artifacts ||= artifacts.uniq(&:data).select(&:valid?).select do |artifact|
    allowed_data_types.include? artifact.data_type
  end.reject do |artifact|
    disallowed_data_value? artifact.data
  end
end

#normalized_disallowed_data_valuesArray<Regexp, String>

Normalized disallowed data values

Returns:

  • (Array<Regexp, String>) 


136
137
138
 
# File 'lib/mihari/analyzers/rule.rb', line 136

def normalized_disallowed_data_values
  @normalized_disallowed_data_values ||= disallowed_data_values.map { |v| normalize_disallowed_data_value v }
end