lib/mihari/analyzers/rule.rb in mihari-3.2.0 vs lib/mihari/analyzers/rule.rb in mihari-3.3.0
- old
+ new
@@ -3,17 +3,20 @@
require "uuidtools"
module Mihari
module Analyzers
class Rule < Base
+ include Mihari::Mixins::DisallowedDataValue
+
option :title
option :description
option :queries
option :id, default: proc {}
option :tags, default: proc { [] }
option :allowed_data_types, default: proc { ALLOWED_DATA_TYPES }
+ option :disallowed_data_values, default: proc { [] }
attr_reader :source
def initialize(**kwargs)
super(**kwargs)
@@ -66,15 +69,39 @@
#
# Normalize artifacts
# - Uniquefy artifacts by #uniq(&:data)
# - Reject an invalid artifact (for just in case)
# - Select artifacts with allowed data types
+ # - Reject artifacts with disallowed data values
#
# @return [Array<Mihari::Artifact>]
#
def normalized_artifacts
@normalized_artifacts ||= artifacts.uniq(&:data).select(&:valid?).select do |artifact|
allowed_data_types.include? artifact.data_type
+ end.reject do |artifact|
+ disallowed_data_value? artifact.data
+ end
+ end
+
+ #
+ # Normalized disallowed data values
+ #
+ # @return [Array<Regexp, String>]
+ #
+ def normalized_disallowed_data_values
+ @normalized_disallowed_data_values ||= disallowed_data_values.map { |v| normalize_disallowed_data_value v }
+ end
+
+ #
+ # Check whether a value is a disallowed data value or not
+ #
+ # @return [Boolean]
+ #
+ def disallowed_data_value?(value)
+ normalized_disallowed_data_values.any? do |disallowed_data_value|
+ return value == disallowed_data_value if disallowed_data_value.is_a?(String)
+ return disallowed_data_value.match?(value) if disallowed_data_value.is_a?(Regexp)
end
end
private
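Review bot: In `disallowed_data_value?`, the `return` inside the `any?` block exits the whole method on the first element, so only the first entry of `normalized_disallowed_data_values` is ever compared and a later disallowed value never filters an artifact out of `normalized_artifacts`. Replacing `return` with `next` on both lines keeps the per-entry result inside the block: `next value == disallowed_data_value if disallowed_data_value.is_a?(String)` and `next disallowed_data_value.match?(value) if disallowed_data_value.is_a?(Regexp)`. A spec with two disallowed values where only the second one matches would pin the behaviour. The Regexp branch uses an unanchored `match?`, so a pattern matches anywhere in the value unless the rule author anchors it; `normalize_disallowed_data_value` comes from the mixin outside this hunk, so whether it anchors the pattern cannot be confirmed from here.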