Sha256: 42faefff96eb1b838b2a0f6d738830d223264d72fe92c05a1f60e166dc39f6cd

Contents?: true

Size: 1.51 KB

Versions: 5

Compression:

Stored size: 1.51 KB

Contents

# frozen_string_literal: true

require "virustotal"

module Mihari
  module Analyzers
    class VirusTotal < Base
      attr_reader :indicator
      attr_reader :type

      attr_reader :title
      attr_reader :description
      attr_reader :tags

      def initialize(indicator, title: nil, description: nil, tags: [])
        super()

        @indicator = indicator
        @type = TypeChecker.type(indicator)

        @title = title || "VirusTotal lookup"
        @description = description || "indicator = #{indicator}"
        @tags = tags
      end

      def artifacts
        lookup || []
      end

      private

      def config_keys
        %w(VIRUSTOTAL_API_KEY)
      end

      def api
        @api = ::VirusTotal::API.new
      end

      def valid_type?
        %w(ip domain).include? type
      end

      def lookup
        case type
        when "domain"
          domain_lookup
        when "ip"
          ip_lookup
        else
          raise InvalidInputError, "#{indicator}(type: #{type || 'unknown'}) is not supported." unless valid_type?
        end
      end

      def domain_lookup
        res = api.domain.resolutions(indicator)

        data = res.dig("data") || []
        data.map do |item|
          item.dig("attributes", "ip_address")
        end.compact.uniq
      end

      def ip_lookup
        res = api.ip_address.resolutions(indicator)

        data = res.dig("data") || []
        data.map do |item|
          item.dig("attributes", "host_name")
        end.compact.uniq
      end
    end
  end
end

Version data entries

5 entries across 5 versions & 1 rubygems

Version Path
mihari-0.17.5 lib/mihari/analyzers/virustotal.rb
mihari-0.17.4 lib/mihari/analyzers/virustotal.rb
mihari-0.17.3 lib/mihari/analyzers/virustotal.rb
mihari-0.17.2 lib/mihari/analyzers/virustotal.rb
mihari-0.17.1 lib/mihari/analyzers/virustotal.rb