Sha256: a9d80d43016129b2be2b7cc4dd205165992dcb14e84c9372e5646d7835267f31
Contents?: true
Size: 1.58 KB
Versions: 4
Compression:
Stored size: 1.58 KB
Contents
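# frozen_string_literal: true

module Mihari
  module Analyzers
    #
    # Analyzer that runs a VirusTotal Intelligence search for a query and
    # converts every datum in every result page into an Artifact.
    #
    class VirusTotalIntelligence < Base
      param :query
      option :interval, default: proc { 0 }

      # API key passed to the VirusTotal client. It is a credential, so keep
      # it out of logs and error messages.
      #
      # @return [String, nil]
      attr_reader :api_key

      # @return [String]
      attr_reader :query

      # @return [Integer]
      attr_reader :interval

      #
      # @param args [Array] positional arguments, forwarded unchanged to Base
      # @param kwargs [Hash] keyword arguments, forwarded unchanged to Base;
      #   :api_key, when given, takes precedence over the configured key
      #
      def initialize(*args, **kwargs)
        super

        # NOTE(review): `param :query` presumably already sets @query, which
        # would make this assignment redundant - confirm against Base.
        @query = query
        # An explicitly passed key wins; otherwise use the global configuration.
        # The result may still be nil. Presumably Base checks
        # #configuration_keys before the analyzer runs - TODO confirm.
        @api_key = kwargs[:api_key] || Mihari.config.virustotal_api_key
      end

      #
      # Collect the artifacts from every page of search results.
      #
      # @return [Array<Artifact>]
      #
      def artifacts
        search_with_cursor.flat_map do |response|
          response.data.map do |datum|
            Artifact.new(data: datum.value, source: source, metadata: datum.metadata)
          end
        end
      end

      private

      #
      # Names of the configuration values this analyzer relies on.
      #
      # @return [Array<String>]
      #
      def configuration_keys
        %w[virustotal_api_key]
      end

      #
      # VT API client, built once and reused for every page request.
      #
      # @return [Clients::VirusTotal]
      #
      def client
        # Memoized: the original built a new client (holding the API key) on
        # every call, i.e. once per page fetched by #search_with_cursor.
        @client ||= Clients::VirusTotal.new(api_key: api_key)
      end

      #
      # Search with cursor
      #
      # Follows the cursor returned in each response's meta until the API
      # stops returning one.
      #
      # @return [Array<Structs::VirusTotalIntelligence::Response>]
      #
      def search_with_cursor
        cursor = nil
        responses = []

        # NOTE(review): the only exit is a nil cursor, so the number of
        # requests is unbounded. A broad query keeps consuming API quota and
        # memory until the results run out; consider a page cap.
        loop do
          response = Structs::VirusTotalIntelligence::Response.from_dynamic!(
            client.intel_search(query, cursor: cursor)
          )
          responses << response
          break if response.meta.cursor.nil?

          cursor = response.meta.cursor
          # Pause `interval` seconds between pages to stay under the rate
          # limit (no pause with the default of 0).
          sleep interval
        end

        responses
      end
    end
  end
end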