class Mihari::Emitters::MISP

Public Class Methods

new()
Calls superclass method
# File lib/mihari/emitters/misp.rb, line 9
#
# Set up the emitter and hand Mihari's MISP settings to the misp gem.
#
# The endpoint and the API key are assigned on the object yielded by
# ::MISP.configure; the other methods of this class read them back through
# ::MISP.configuration. The API key is a credential, so it should never be
# written to logs or error messages.
#
def initialize
  super()

  ::MISP.configure do |misp|
    misp.api_endpoint = Mihari.config.misp_api_endpoint
    misp.api_key = Mihari.config.misp_api_key
  end
end

Public Instance Methods

emit(title:, artifacts:, tags: [], **_options)
# File lib/mihari/emitters/misp.rb, line 23
#
# Create a MISP event holding one attribute per artifact.
#
# @param [String] title used as the event's info field
# @param [Array] artifacts each one is converted with build_attribute
# @param [Array<String>] tags tag names added to the event
#
# @return [nil, Object] nil when there are no artifacts (nothing is sent),
#   otherwise whatever ::MISP::Event#create returns
#
def emit(title:, artifacts:, tags: [], **_options)
  # Nothing to report: do not create an empty event.
  return if artifacts.empty?

  event = ::MISP::Event.new(info: title)
  artifacts.each { |artifact| event.attributes << build_attribute(artifact) }
  tags.each { |tag| event.add_tag(name: tag) }
  event.create
end
valid?()

@return [Boolean]

# File lib/mihari/emitters/misp.rb, line 19
#
# Check whether the emitter is configured and its endpoint answers.
#
# The reachability check is attempted only after both settings are present,
# so no request is made with an incomplete configuration.
#
# @return [Boolean]
#
def valid?
  return false unless api_endpoint? && api_key?

  ping?
end

Private Instance Methods

api_endpoint?()

Check whether an API endpoint is set or not

@return [Boolean]

# File lib/mihari/emitters/misp.rb, line 102
#
# Check whether an API endpoint is set or not
#
# Only presence is tested (neither nil nor empty).
# NOTE(review): the URL scheme is not inspected here; the API key is
# configured next to this endpoint, so confirm that an https endpoint is
# enforced somewhere.
#
# @return [Boolean]
#
def api_endpoint?
  endpoint = ::MISP.configuration.api_endpoint
  !(endpoint.nil? || endpoint.empty?)
end
api_key?()

Check whether an API key is set or not

@return [Boolean]

# File lib/mihari/emitters/misp.rb, line 112
#
# Check whether an API key is set or not
#
# Only presence is tested; the key's value is never returned or printed.
#
# @return [Boolean]
#
def api_key?
  key = ::MISP.configuration.api_key
  return false if key.nil?

  !key.empty?
end
build_attribute(artifact)

Build a MISP attribute

@param [Mihari::Artifact] artifact

@return [::MISP::Attribute]

# File lib/mihari/emitters/misp.rb, line 52
#
# Build a MISP attribute
#
# NOTE(review): to_misp_type falls back to hash_type, which has no branch
# for other lengths, so the type passed to the attribute can be nil.
#
# @param [Mihari::Artifact] artifact
#
# @return [::MISP::Attribute]
#
def build_attribute(artifact)
  misp_type = to_misp_type(type: artifact.data_type, value: artifact.data)
  ::MISP::Attribute.new(value: artifact.data, type: misp_type)
end
configuration_keys()
# File lib/mihari/emitters/misp.rb, line 41
#
# Names of the Mihari settings this emitter depends on
#
# @return [Array<String>]
#
def configuration_keys
  ["misp_api_endpoint", "misp_api_key"]
end
hash_type(value)

Get a type of a hash

@param [String] value

@return [String]

# File lib/mihari/emitters/misp.rb, line 63
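#
# Get the MISP type of a hash
#
# The algorithm is inferred from the digest length, and only for values that
# consist entirely of hexadecimal characters. Without that check any string
# of 32, 40, 64 or 128 characters would be published as a hash attribute.
#
# @param [String] value
#
# @return [String, nil] "md5", "sha1", "sha256" or "sha512"; nil when the
#   value is not a hex digest of one of those lengths
#
def hash_type(value)
  # \A and \z anchor the whole string; ^ and $ would accept a hex line
  # embedded in a multi-line value.
  return nil unless value.match?(/\A\h+\z/)

  case value.length
  when 32
    "md5"
  when 40
    "sha1"
  when 64
    "sha256"
  when 128
    "sha512"
  end
end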
ping?()

Check whether an API endpoint is reachable or not

@return [Boolean]

# File lib/mihari/emitters/misp.rb, line 122
#
# Check whether an API endpoint is reachable or not
#
# Probes "<endpoint>/users/login" after dropping one trailing slash from the
# configured endpoint.
# NOTE(review): how Net::Ping::HTTP treats redirects and TLS certificate
# errors is not visible here; confirm it before relying on a true result as
# proof that the intended server answered.
#
# @return [Boolean]
#
def ping?
  endpoint = ::MISP.configuration.api_endpoint
  login_url = "#{endpoint.chomp('/')}/users/login"

  Net::Ping::HTTP.new(login_url).ping?
end
to_misp_type(type:, value:)

Convert a type to a MISP type

@param [String] type

@param [String] value

@return [String]

# File lib/mihari/emitters/misp.rb, line 84
#
# Convert a type to a MISP type
#
# ip, mail, url and domain map to fixed MISP types. Every other type is
# handed to hash_type, so an unexpected type is classified from the value
# alone.
#
# @param [String] type
# @param [String] value
#
# @return [String, nil] whatever hash_type returns when the type is not in
#   the table
#
def to_misp_type(type:, value:)
  known_types = { ip: "ip-dst", mail: "email-dst", url: "url", domain: "domain" }

  # The block runs only when the type is not in the table.
  known_types.fetch(type.to_sym) { hash_type(value) }
end