lib/mihari/analyzers/base.rb in mihari-4.12.0 vs lib/mihari/analyzers/base.rb in mihari-5.0.0

@@ -3,49 +3,36 @@
 module Mihari
   module Analyzers
     class Base
       extend Dry::Initializer
 
+      option :rule, default: proc {}
+
       include Mixins::AutonomousSystem
       include Mixins::Configurable
       include Mixins::Database
       include Mixins::Retriable
 
-      attr_accessor :ignore_old_artifacts, :ignore_threshold
+      # @return [Mihari::Structs::Rule, nil]
+      attr_reader :rule
 
       def initialize(*args, **kwargs)
-        super
+        super(*args, **kwargs)
 
-        @ignore_old_artifacts = false
-        @ignore_threshold = 0
+        @base_time = Time.now.utc
       end
 
       # @return [Array<String>, Array<Mihari::Artifact>]
       def artifacts
         raise NotImplementedError, "You must implement #{self.class}##{__method__}"
       end
 
       # @return [String]
-      def title
-        self.class.to_s.split("::").last.to_s
-      end
-
-      # @return [String]
-      def description
-        raise NotImplementedError, "You must implement #{self.class}##{__method__}"
-      end
-
-      # @return [String]
       def source
         self.class.to_s.split("::").last.to_s
       end
 
-      # @return [Array<String>]
-      def tags
-        []
-      end
-
       #
       # Set artifacts & run emitters in parallel
       #
       # @return [Mihari::Alert, nil]
       #
@@ -75,17 +62,11 @@
       # @return [Mihari::Alert, nil]
       #
       def run_emitter(emitter)
         return if enriched_artifacts.empty?
 
-        alert_or_something = emitter.run(
-          title: title,
-          description: description,
-          artifacts: enriched_artifacts,
-          source: source,
-          tags: tags
-        )
+        alert_or_something = emitter.run(artifacts: enriched_artifacts, rule: rule)
 
         Mihari.logger.info "Emission by #{emitter.class} is succedded"
 
         alert_or_something
       rescue StandardError => e
@@ -110,11 +91,14 @@
       def normalized_artifacts
         @normalized_artifacts ||= artifacts.compact.sort.map do |artifact|
           # No need to set data_type manually
           # It is set automatically in #initialize
           artifact.is_a?(Artifact) ? artifact : Artifact.new(data: artifact, source: source)
-        end.select(&:valid?).uniq(&:data)
+        end.select(&:valid?).uniq(&:data).map do |artifact|
+          artifact.rule_id = rule&.id
+          artifact
+        end
       end
 
       private
 
       #
@@ -122,10 +106,10 @@
       #
       # @return [Array<Mihari::Artifact>]
       #
       def unique_artifacts
         @unique_artifacts ||= normalized_artifacts.select do |artifact|
-          artifact.unique?(ignore_old_artifacts: ignore_old_artifacts, ignore_threshold: ignore_threshold)
+          artifact.unique?(base_time: @base_time, artifact_lifetime: rule&.artifact_lifetime)
         end
       end
 
       #
       # Enriched artifacts