module Mihari::Commands::Search

Public Class Methods

included(thor) click to toggle source
# File lib/mihari/commands/search.rb, line 8
def self.included(thor)
  thor.class_eval do
    desc "search [RULE]", "Search by a rule"
    method_option :config, type: :string, desc: "Path to the config file"
    def search_by_rule(rule)
      # convert str(YAML) to hash or str(path/YAML file) to hash
      rule = load_rule(rule)

      # validate rule schema
      rule = validate_rule(rule)

      analyzer = build_rule_analyzer(
        title: rule[:title],
        description: rule[:description],
        queries: rule[:queries],
        tags: rule[:tags],
        allowed_data_types: rule[:allowed_data_types],
        disallowed_data_values: rule[:disallowed_data_values],
        source: rule[:source],
        id: rule[:id]
      )

      ignore_old_artifacts = rule[:ignore_old_artifacts]
      ignore_threshold = rule[:ignore_threshold]

      with_error_handling do
        run_rule_analyzer analyzer, ignore_old_artifacts: ignore_old_artifacts, ignore_threshold: ignore_threshold
      end
    end
  end
end

Public Instance Methods

search_by_rule(rule) click to toggle source
# File lib/mihari/commands/search.rb, line 12
def search_by_rule(rule)
  # convert str(YAML) to hash or str(path/YAML file) to hash
  rule = load_rule(rule)

  # validate rule schema
  rule = validate_rule(rule)

  analyzer = build_rule_analyzer(
    title: rule[:title],
    description: rule[:description],
    queries: rule[:queries],
    tags: rule[:tags],
    allowed_data_types: rule[:allowed_data_types],
    disallowed_data_values: rule[:disallowed_data_values],
    source: rule[:source],
    id: rule[:id]
  )

  ignore_old_artifacts = rule[:ignore_old_artifacts]
  ignore_threshold = rule[:ignore_threshold]

  with_error_handling do
    run_rule_analyzer analyzer, ignore_old_artifacts: ignore_old_artifacts, ignore_threshold: ignore_threshold
  end
end

Private Instance Methods

build_rule_analyzer(title:, description:, queries:, tags: nil, allowed_data_types: nil, disallowed_data_values: nil, source: nil, id: nil) click to toggle source

Build a rule analyzer

@param [String] title @param [String] description @param [Array<Hash>] queries @param [Array<String>, nil] tags @param [Array<String>, nil] allowed_data_types @param [Array<String>, nil] disallowed_data_values @param [String, nil] source

@return [Mihari::Analyzers::Rule]

# File lib/mihari/commands/search.rb, line 55
def build_rule_analyzer(title:, description:, queries:, tags: nil, allowed_data_types: nil, disallowed_data_values: nil, source: nil, id: nil)
  tags = [] if tags.nil?
  allowed_data_types = ALLOWED_DATA_TYPES if allowed_data_types.nil?
  disallowed_data_values = [] if disallowed_data_values.nil?

  Analyzers::Rule.new(
    title: title,
    description: description,
    tags: tags,
    queries: queries,
    allowed_data_types: allowed_data_types,
    disallowed_data_values: disallowed_data_values,
    source: source,
    id: id
  )
end
run_rule_analyzer(analyzer, ignore_old_artifacts: false, ignore_threshold: 0) click to toggle source

Run rule analyzer

@param [Mihari::Analyzer::Rule] analyzer

@return [nil]

# File lib/mihari/commands/search.rb, line 79
def run_rule_analyzer(analyzer, ignore_old_artifacts: false, ignore_threshold: 0)
  load_configuration

  analyzer.ignore_old_artifacts = ignore_old_artifacts
  analyzer.ignore_threshold = ignore_threshold

  analyzer.run
end