V7.1.1 #998

Merged
merged 4 commits into from
Jan 8, 2024
2 changes: 2 additions & 0 deletions .rubocop.yml
Expand Up @@ -17,6 +17,8 @@ RSpec/MultipleMemoizedHelpers:
Max: 10
RSpec/ExampleLength:
Max: 20
RSpec/FilePath:
SpecSuffixOnly: true
require:
- rubocop-factory_bot
- rubocop-rake
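Review bot: `RSpec/FilePath` with `SpecSuffixOnly: true` keeps only the `_spec.rb` suffix check and drops the path-format check (spec path mirroring the described class); a one-line comment above the key saying why the format check is disabled would stop the next reader from re-enabling it. Also check which rubocop-rspec version is pinned: this cop was deprecated in rubocop-rspec 2.24 in favour of `RSpec/SpecFilePathFormat` and `RSpec/SpecFilePathSuffix`, so after a gem update this setting stops taking effect and the equivalent becomes disabling `RSpec/SpecFilePathFormat`.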
3 changes: 0 additions & 3 deletions docs/database.md

This file was deleted.
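Review bot: `docs/database.md` is deleted with no visible redirect to the new `docs/diagrams.md`; make sure the docs navigation (the mkdocs nav, if this page is listed there) and any in-page links that pointed at `database.md` are updated, otherwise the site build or the links break.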

237 changes: 237 additions & 0 deletions docs/diagrams.md
@@ -0,0 +1,237 @@
# Diagrams

## ActiveModel Class Diagram

```mermaid
classDiagram
class Rule {
string id
string title
string description
json data
datetime created_at
datetime updated_at
}
Rule *-- Alert
Rule *-- Tagging
Rule *-- Tag

class Alert {
integer id
datetime created_at
string rule_id
}
Alert --* Rule
Alert *-- Artifact
Alert *-- Tag

class Artifact {
integer id
string data
string data_type
string source
string query
json metadata
datetime created_at
integer alert_id
}
Artifact --* Alert
Artifact *-- CPE
Artifact *-- DnsRecord
Artifact *-- Port
Artifact *-- ReverseDnsName
Artifact *-- Tag
Artifact -- AutonomousSystem
Artifact -- Geolocation
Artifact -- WhoisRecord
Artifact -- Rule

class AutonomousSystem {
integer id
integer asn
datetime created_at
integer artifact_id
}
AutonomousSystem --* Artifact

class Port {
integer id
integer port
datetime created_at
integer artifact_id
}
Port --* Artifact

class CPE {
integer id
string cpe
datetime created_at
integer artifact_id
}
CPE --* Artifact

class DnsRecord {
integer id
string resource
string value
datetime created_at
integer artifact_id
}
DnsRecord --* Artifact

class ReverseDnsName {
integer id
string name
datetime created_at
integer artifact_id
}
ReverseDnsName --* Artifact

class WhoisRecord {
integer id
string domain
date created_on
date updated_on
date expires_on
json registrar
json contacts
datetime created_at
integer artifact_id
}
WhoisRecord --* Artifact

class Geolocation {
integer id
string country
string country_code
datetime created_at
integer artifact_id
}
Geolocation --* Artifact

class Tag {
integer id
string name
datetime created_at
}
Tag *-- Tagging

class Tagging {
integer id
integer tag_id
string rule_id
datetime created_at
}
Tagging --* Rule
Tagging --* Tag
```

## ER Diagram

```mermaid
erDiagram
alerts {
datetime6 created_at
INTEGER id PK
varchar rule_id FK
}

artifacts {
INTEGER alert_id FK
datetime6 created_at
varchar data
varchar data_type
INTEGER id PK
json metadata
varchar query
varchar source
}

autonomous_systems {
INTEGER artifact_id FK
INTEGER asn
datetime6 created_at
INTEGER id PK
}

cpes {
INTEGER artifact_id FK
varchar cpe
datetime6 created_at
INTEGER id PK
}

dns_records {
INTEGER artifact_id FK
datetime6 created_at
INTEGER id PK
varchar resource
varchar value
}

geolocations {
INTEGER artifact_id FK
varchar country
varchar country_code
datetime6 created_at
INTEGER id PK
}

ports {
INTEGER artifact_id FK
datetime6 created_at
INTEGER id PK
INTEGER port
}

reverse_dns_names {
INTEGER artifact_id FK
datetime6 created_at
INTEGER id PK
varchar name
}

rules {
datetime6 created_at
json data
varchar description
varchar id PK
varchar title
datetime6 updated_at
}

taggings {
datetime6 created_at
INTEGER id PK
varchar rule_id
INTEGER tag_id
}

tags {
datetime6 created_at
INTEGER id PK
varchar name
}

whois_records {
INTEGER artifact_id FK
json contacts
datetime6 created_at
date created_on
varchar domain
date expires_on
INTEGER id PK
json registrar
date updated_on
}

alerts }o--|| rules : "rule_id"
artifacts }o--|| alerts : "alert_id"
autonomous_systems }o--|| artifacts : "artifact_id"
cpes }o--|| artifacts : "artifact_id"
dns_records }o--|| artifacts : "artifact_id"
geolocations }o--|| artifacts : "artifact_id"
ports }o--|| artifacts : "artifact_id"
reverse_dns_names }o--|| artifacts : "artifact_id"
whois_records }o--|| artifacts : "artifact_id"
```
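Review bot: the ER diagram drops the tagging relationships that the class diagram models: `taggings.rule_id` and `taggings.tag_id` carry no `FK` marker and there is no `taggings }o--|| rules : "rule_id"` / `taggings }o--|| tags : "tag_id"` line, so the two diagrams disagree on how rules and tags are linked; add the two FK markers and the two relationship lines. Minor: in the class diagram every composition is declared twice (`Rule *-- Alert` and `Alert --* Rule`, `Artifact *-- CPE` and `CPE --* Artifact`, and so on), which renders as two edges per pair; one declaration per pair is enough. `Rule *-- Tag`, `Alert *-- Tag` and `Artifact *-- Tag` are also drawn as compositions although `Tag` as declared has no owner column and is shared through `Tagging`; a plain association (`--`) matches the declared classes.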
14 changes: 11 additions & 3 deletions docs/emitters/webhook.md
Expand Up @@ -28,10 +28,12 @@ template: ...

`template` (`string`) is a [Jbuilder](https://github.com/rails/jbuilder) template string (or a path to a Jbuilder template file) to customize JSON payload to send.

You can use the following attributes inside a JBuilder template.
You can use the following attributes inside a Jbuilder template.

- `rule`: a rule (= `Mihari::Rule`)
- `artifacts`: a list of artifacts (= `Array<Mihari::Models::Artifact>`)
| Key | Type | Desc. |
| ----------- | --------------------------------- | ------------------- |
| `rule` | `Mihari::Rule` | A rule |
| `artifacts` | `Array[Mihari::Models::Artifact]` | A list of artifacts |

## Examples

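Review bot: the type of `artifacts` changes from `Array<Mihari::Models::Artifact>` to `Array[Mihari::Models::Artifact]` in the move to a table; if the bracket form is deliberate, check that the attribute list in `docs/usage.md` ("A template can use the following attributes.", touched later in this PR) uses the same notation so the two pages do not disagree.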
Expand All @@ -56,3 +58,9 @@ json.confidence_level 100
json.anonymous 0
json.iocs artifacts.map(&:data)
```

!!! warning

With great power comes great responsibility.

Jbuilder can execute anything with the same privilege Mihari has. Do not use untrusted template.
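Review bot: the warning names the right risk, but "Do not use untrusted template." is ungrammatical and says nothing about what trusted means in practice. Suggest "Do not use an untrusted template." plus one concrete sentence: a Jbuilder template is Ruby code evaluated in-process, so a template string in a rule file or a template path on disk should be treated like the rule's own code, accepted only from sources allowed to run code as the Mihari user and, for a file path, kept in a location writable only by that user.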
8 changes: 4 additions & 4 deletions docs/usage.md
Expand Up @@ -192,9 +192,9 @@ mihari artifact list "rule.id: foo AND data_type:ip"
Additionally you can search rules, alerts and artifacts with transformation by using [Jbuilder](https://github.com/rails/jbuilder).

```bash
mihari rule list-transform -t /path/to/json.jbuilder
mihari alert list-transform -t /path/to/json.jbuilder
mihari artifact list-transform -t /path/to/json.jbuilder
mihari rule list-transform -t /path/to/template
mihari alert list-transform -t /path/to/template
mihari artifact list-transform -t /path/to/template
```

For example, you can combine IP addresses and ports by using the following template.
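Review bot: `/path/to/template` loses the hint the old placeholder carried that the file is a Jbuilder template (`.json.jbuilder`), while the next hunk uses `/path/to/ip_port.json.jbuilder`; pick one convention, e.g. `/path/to/template.json.jbuilder`, so the generic form and the concrete example agree. The context line "search rules, alerts and artifacts with transformation" also reads awkwardly; "search rules, alerts and artifacts and transform the results with a Jbuilder template" says what `-t` does.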
Expand All @@ -214,7 +214,7 @@ json.array! ip_ports
```

```bash
mihari artifact list-transform -t test.json.jbuilder
mihari artifact list-transform -t /path/to/ip_port.json.jbuilder
```

A template can use the following attributes.
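Review bot: `list-transform -t` evaluates an arbitrary Jbuilder template from disk, which is exactly what the new warning in `docs/emitters/webhook.md` flags (a template runs with Mihari's privileges); a short cross-reference to that warning here, or the same admonition, keeps the two pages consistent.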