mihari 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: a60ee7c7a40195a7b6b49484ce1df99926278721bd77603b6c9d0f3a952c4ac2
+  data.tar.gz: 5c51449f1c2c3a7e14f745490c2bee6f2d18c3f5e5eaafc25a2ba55b15e83e12
+SHA512:
+  metadata.gz: dba9abb2e8c856bd2fc814daf4d7d4b5d63912d707c6e4e1225dc8ecb3d7f07067d6e8764509013a99621902fb24d7a74c8dd8a5dcbde00ec2469075799458db
+  data.tar.gz: 53f255209c397224a7250c5adc6323c1e99a833426f9304649c779751f0299a898c28c9b911289bf941ebed8b8ab0b61c9aef298153acf3fe269a9e9044b58e5

data/.gitignore

@@ -0,0 +1,56 @@
+*.gem
+*.rbc
+/.config
+/coverage/
+/InstalledFiles
+/pkg/
+/spec/reports/
+/spec/examples.txt
+/test/tmp/
+/test/version_tmp/
+/tmp/
+
+# Used by dotenv library to load environment variables.
+.env
+
+## Specific to RubyMotion:
+.dat*
+.repl_history
+build/
+*.bridgesupport
+build-iPhoneOS/
+build-iPhoneSimulator/
+
+## Specific to RubyMotion (use of CocoaPods):
+#
+# We recommend against adding the Pods directory to your .gitignore. However
+# you should judge for yourself, the pros and cons are mentioned at:
+# https://guides.cocoapods.org/using/using-cocoapods.html#should-i-check-the-pods-directory-into-source-control
+#
+# vendor/Pods/
+
+## Documentation cache and generated files:
+/.yardoc/
+/_yardoc/
+/doc/
+/rdoc/
+
+## Environment normalization:
+/.bundle/
+/vendor/bundle
+/lib/bundler/man/
+
+# for a library or gem, you might want to ignore these files since the code is
+# intended to run in multiple environments; otherwise, check them in:
+Gemfile.lock
+.ruby-version
+.ruby-gemset
+
+# unless supporting rvm < 1.11.0 or doing something fancy, ignore this:
+.rvmrc
+
+# rspec
+.rspec_status
+
+# solargraph
+.solargraph.yml

data/.rspec

@@ -0,0 +1,3 @@
+--format documentation
+--color
+--require spec_helper

data/.travis.yml

@@ -0,0 +1,7 @@
+---
+sudo: false
+language: ruby
+cache: bundler
+rvm:
+  - 2.6.1
+before_install: gem install bundler -v 2.0.1

data/Gemfile

@@ -0,0 +1,4 @@
+source "https://rubygems.org"
+
+# Specify your gem's dependencies in mihari.gemspec
+gemspec

data/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2019 Manabu Niseki
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

data/README.md

@@ -0,0 +1,110 @@
+# mihari
+
+[![Build Status](https://travis-ci.org/ninoseki/mihari.svg?branch=master)](https://travis-ci.org/ninoseki/mihari)
+[![Coverage Status](https://coveralls.io/repos/github/ninoseki/mihari/badge.svg?branch=master)](https://coveralls.io/github/ninoseki/mihari?branch=master)
+
+mihari(`見張り`) is a framework for continuous malicious hosts (C2 / landing page / phishing, etc.) monitoring backended with [TheHive](https://github.com/TheHive-Project/TheHive).
+
+## How it works
+
+- mihari checks whether a TheHive instance contains given artifacts or not.
+  - If it doesn't contain the artifacts:
+    - mihari creates an alert with the artifacts on the TheHive instance.
+    - mihari sends a notification to Slack. (Optional)
+
+## Installation
+
+```bash
+gem install mihari
+```
+
+## Configuration
+
+All configuration is done via ENV variables.
+
+| Key                  | Desc.              | Required or optional           |
+|----------------------|--------------------|--------------------------------|
+| THEHIVE_API_ENDPOINT | TheHive URL        | Required                       |
+| THEHIVE_API_KEY      | TheHive API key    | Required                       |
+| SLACK_WEBHOOK_URL    | Slack Webhook URL  | Optional                       |
+| SLACK_CHANNEL        | Slack channel name | Optional (default: `#general`) |
+| CENSYS_ID            | CENSYS API ID      | Optional                       |
+| CENSYS_SECRET        | CENSYS secret      | Optional                       |
+| SHODAN_API_KEY       | Shodan API key     | Optional                       |
+
+## Basic usage
+
+### Censys
+
+```bash
+mihari censys "YOUR_QUERY"
+```
+
+### Shodan
+
+```bash
+mihari shodan "YOUR QUERY"
+```
+
+### Import from JSON
+
+```bash
+echo '{ "title": "test", "description": "test", "artifacts": ["1.1.1.1", "github.com", "2.2.2.2"] }' | mihari import_from_json
+```
+
+The input is a JSON data should have `title`, `description` and `artifacts` key.
+
+```json
+{
+  "title": "test",
+  "description": "test",
+  "artifacts": ["1.1.1.1", "github.com"]
+}
+```
+
+| Key         | Desc.                                                                      |
+|-------------|----------------------------------------------------------------------------|
+| title       | A title of an alert                                                        |
+| description | A description of an alert                                                  |
+| artifacts   | An array of artifacts (supported data types: ip, domain, url, email, hash) |
+
+## How to create a custom analyzer
+
+Create a class which extends `Mihari::Analyzers::Base` and implements the following methods.
+
+| Name           | Desc.                                                                      | @return       |
+|----------------|----------------------------------------------------------------------------|---------------|
+| `#title`       | A title of an alert                                                        | String        |
+| `#description` | A description of an alert                                                  | String        |
+| `#artifacts`   | An array of artifacts (supported data types: ip, domain, url, email, hash) | Array<String> |
+
+```ruby
+require "mihari"
+
+module Mihari
+  module Analyzers
+    class Example < Base
+      def title
+        "example"
+      end
+
+      def description
+        "example"
+      end
+
+      def artifacts
+        ["9.9.9.9", "example.com"]
+      end
+    end
+  end
+end
+
+example = Mihari::Analyzers::Example.new
+example.run
+```
+
+See `/examples` for more.
+
+## License
+
+The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).

data/Rakefile

@@ -0,0 +1,6 @@
+require "bundler/gem_tasks"
+require "rspec/core/rake_task"
+
+RSpec::Core::RakeTask.new(:spec)
+
+task :default => :spec

data/bin/console

@@ -0,0 +1,14 @@
+#!/usr/bin/env ruby
+
+require "bundler/setup"
+require "mihari"
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+# (If you use this, don't forget to add pry to your Gemfile!)
+# require "pry"
+# Pry.start
+
+require "irb"
+IRB.start(__FILE__)

data/bin/setup

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+set -vx
+
+bundle install
+
+# Do any other automated setup that you need to do here

data/examples/ipinfo_hosted_domains.rb

@@ -0,0 +1,45 @@
+# frozen_string_literal: true
+
+$LOAD_PATH.unshift("#{__dir__}/../lib")
+
+require "json"
+require "mihari"
+require "open-uri"
+
+module Mihari
+  module Analyzers
+    class HostedDomains < Base
+      attr_reader :ip
+
+      IPINFO_API_ENDPOINT = "https://ipinfo.io"
+
+      def initialize(ip, token: nil)
+        @ip = ip
+        @token = token
+      end
+
+      def title
+        "IPinfo hosted domains"
+      end
+
+      def description
+        "IP info hosted domains: #{ip}"
+      end
+
+      def token
+        ENV["IPINFO_TOKEN"] || @token
+      end
+
+      def artifacts
+        uri = URI("#{IPINFO_API_ENDPOINT}/domains/#{ip}?token=#{token}")
+        res = uri.read
+        json = JSON.parse(res)
+        json.dig("domains") || []
+      end
+    end
+  end
+end
+
+ip = "TARGET_IP"
+analyzer = Mihari::Analyzers::HostedDomains.new(ip)
+analyzer.run

data/examples/vt_passive_dns.rb

@@ -0,0 +1,46 @@
+# frozen_string_literal: true
+
+$LOAD_PATH.unshift("#{__dir__}/../lib")
+
+require "mihari"
+
+require "virustotal_api"
+
+module Mihari
+  module Analyzers
+    class VTPassiveDNS < Base
+      attr_reader :ip
+
+      def initialize(ip, api_key: nil)
+        @ip = ip
+        @api_key = api_key
+      end
+
+      def title
+        "VT passive DNS"
+      end
+
+      def description
+        "VT passive DNS: #{ip}"
+      end
+
+      def api_key
+        ENV["VT_API_KEY"] || @api_key
+      end
+
+      def artifacts
+        ip_report = VirustotalAPI::IPReport.find(ip, api_key)
+        return [] unless ip_report.exists?
+
+        report = ip_report.report
+        report.dig("resolutions")&.map do |resolution|
+          resolution.dig("hostname")
+        end&.compact
+      end
+    end
+  end
+end
+
+ip = "TARGET_IP"
+analyzer = Mihari::Analyzers::VTPassiveDNS.new(ip)
+analyzer.run

data/exe/mihari

@@ -0,0 +1,8 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+$LOAD_PATH.unshift("#{__dir__}/../lib")
+
+require "mihari"
+
+Mihari::CLI.start

data/lib/mihari/analyzers/base.rb

@@ -0,0 +1,50 @@
+# frozen_string_literal: true
+
+module Mihari
+  module Analyzers
+    class Base
+      attr_reader :the_hive
+
+      def initialize
+        @the_hive = TheHive.new
+      end
+
+      # @return [Array<String>, Array<Mihari::Artifact>]
+      def artifacts
+        raise NotImplementedError, "You must implement #{self.class}##{__method__}"
+      end
+
+      # @return [String]
+      def title
+        self.class.to_s.split("::").last
+      end
+
+      # @return [String]
+      def description
+        raise NotImplementedError, "You must implement #{self.class}##{__method__}"
+      end
+
+      def run(reject_exists_ones: true)
+        unique_artifacts = normalized_artifacts.reject do |artifact|
+          reject_exists_ones & the_hive.valid? && the_hive.exists?(data: artifact.data, data_type: artifact.data_type)
+        end
+
+        Mihari.notifiers.each do |notifier_class|
+          notifier = notifier_class.new
+          next unless notifier.valid?
+
+          notifier.notify(title: title, description: description, artifacts: unique_artifacts)
+        end
+      end
+
+      private
+
+      # @return [Array<Mihari::Artifact>]
+      def normalized_artifacts
+        artifacts.map do |artifact|
+          artifact.is_a?(Artifact) ? artifact : Artifact.new(artifact)
+        end.select(&:valid?)
+      end
+    end
+  end
+end

data/lib/mihari/analyzers/basic.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+module Mihari
+  module Analyzers
+    class Basic < Base
+      attr_reader :title
+      attr_reader :description
+      attr_reader :artifacts
+
+      def initialize(title:, description:, artifacts:)
+        super()
+
+        @title = title
+        @description = description
+        @artifacts = artifacts
+      end
+    end
+  end
+end

data/lib/mihari/analyzers/censys.rb

@@ -0,0 +1,53 @@
+# frozen_string_literal: true
+
+require "censu"
+
+module Mihari
+  module Analyzers
+    class Censys < Base
+      attr_reader :api
+      attr_reader :title
+      attr_reader :description
+      attr_reader :query
+
+      CENSYS_ID_KEY = "CENSYS_ID"
+      CENSYS_SECRET_KEY = "CENSYS_SECRET"
+
+      def initialize(query)
+        super()
+
+        raise ArgumentError, "#{CENSYS_ID_KEY} and #{CENSYS_SECRET_KEY} are required" unless valid?
+
+        @api = ::Censys::API.new
+        @query = query
+        @title = "Censys lookup"
+        @description = "Query: #{query}"
+      end
+
+      def artifacts
+        ipv4s = []
+        res = api.ipv4.search(query: query)
+        res.each_page do |page|
+          page.each { |result| ipv4s << result.ip }
+        end
+
+        ipv4s
+      end
+
+      # @return [true, false]
+      def censys_id?
+        ENV.key? CENSYS_ID_KEY
+      end
+
+      # @return [true, false]
+      def censys_secret?
+        ENV.key? CENSYS_SECRET_KEY
+      end
+
+      # @return [true, false]
+      def valid?
+        censys_id? && censys_secret?
+      end
+    end
+  end
+end

data/lib/mihari/analyzers/shodan.rb

@@ -0,0 +1,48 @@
+# frozen_string_literal: true
+
+require "open-uri"
+require "json"
+
+module Mihari
+  module Analyzers
+    class Shodan < Base
+      attr_reader :api_key
+      attr_reader :title
+      attr_reader :description
+      attr_reader :query
+
+      def initialize(query)
+        super()
+
+        api_key = ENV.fetch("SHODAN_API_KEY", nil)
+        raise ArgumentError, "SHODAN_API_KEY is required" unless api_key
+
+        @api_key = api_key
+        @query = query
+        @title = "Shodan lookup"
+        @description = "Query: #{query}"
+      end
+
+      def artifacts
+        result = search
+        return [] unless result
+
+        matches = result.dig("matches") || []
+        matches.map do |match|
+          match.dig "ip_str"
+        end.compact
+      end
+
+      private
+
+      def search
+        uri = URI("https://api.shodan.io/shodan/host/search?key=#{api_key}&query=#{query}")
+        begin
+          JSON.parse uri.read
+        rescue OpenURI::HTTPError
+          nil
+        end
+      end
+    end
+  end
+end

data/lib/mihari/artifact.rb

@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+
+require "hachi"
+
+module Mihari
+  class Artifact
+    attr_reader :data
+
+    #
+    # @param [String] data
+    # @param [String, nil] message
+    #
+    def initialize(data, message: nil)
+      @data = data
+      @message = message
+    end
+
+    # @return [String, nil]
+    def data_type
+      TypeChecker.type data
+    end
+
+    # @return [String]
+    def message
+      @mesasge || data
+    end
+
+    # @return [true, false]
+    def valid?
+      !data_type.nil?
+    end
+
+    # @return [Hash]
+    def to_h
+      { data: data, data_type: data_type, message: message }
+    end
+  end
+end

data/lib/mihari/cli.rb

@@ -0,0 +1,64 @@
+# frozen_string_literal: true
+
+require "thor"
+require "json"
+
+module Mihari
+  class CLI < Thor
+    desc "censys [QUERY]", "Censys lookup by a given query"
+    def censys(query)
+      with_error_handling do
+        censys = Analyzers::Censys.new(query)
+        censys.run
+      end
+    end
+
+    desc "shodan [QUERY]", "Shodan lookup by a given query"
+    def shodan(query)
+      with_error_handling do
+        shodan = Analyzers::Shodan.new(query)
+        shodan.run
+      end
+    end
+
+    desc "import_from_json", "Give a JSON input via STDIN"
+    def import_from_json(input = nil)
+      json = input || STDIN.gets.chomp
+      raise ArgumentError, "Input not found: please give an input in a JSON format" unless json
+
+      json = parse_as_json(json)
+      raise ArgumentError, "Invalid input format: an input JSON data should have title, description and artifacts key" unless valid_json?(json)
+
+      title = json.dig("title")
+      description = json.dig("description")
+      artifacts = json.dig("artifacts")
+
+      with_error_handling do
+        basic = Analyzers::Basic.new(title: title, description: description, artifacts: artifacts)
+        basic.run
+      end
+    end
+
+    no_commands do
+      def with_error_handling
+        yield
+      rescue ArgumentError, Hachi::Error, Censys::ResponseError => e
+        puts "Warning: #{e}"
+      rescue StandardError => e
+        puts "Warning: #{e}"
+        puts e.backtrace.join('\n')
+      end
+
+      def parse_as_json(input)
+        JSON.parse input
+      rescue JSON::ParserError => _
+        nil
+      end
+
+      # @return [true, false]
+      def valid_json?(json)
+        %w(title description artifacts).all? { |key| json.key? key }
+      end
+    end
+  end
+end

data/lib/mihari/errors.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+module Mihari
+  class Error < StandardError; end
+end

data/lib/mihari/notifiers/base.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+module Mihari
+  module Notifiers
+    class Base
+      def self.inherited(child)
+        Mihari.notifiers << child
+      end
+
+      # @return [true, false]
+      def valid?
+        raise NotImplementedError, "You must implement #{self.class}##{__method__}"
+      end
+
+      def notify(title:, description:, artifacts:)
+        raise NotImplementedError, "You must implement #{self.class}##{__method__}"
+      end
+    end
+  end
+end

data/lib/mihari/notifiers/slack.rb

@@ -0,0 +1,89 @@
+# frozen_string_literal: true
+
+require "slack/incoming/webhooks"
+require "digest/sha2"
+
+module Mihari
+  module Notifiers
+    class Attachment
+      attr_reader :data, :data_type
+
+      def initialize(data:, data_type:)
+        @data = data
+        @data_type = data_type
+      end
+
+      # @return [String]
+      def link
+        case data_type
+        when "hash"
+          "https://www.virustotal.com/#/file/#{data}"
+        when "ip"
+          "https://www.virustotal.com/#/ip-address/#{data}"
+        when "domain"
+          "https://www.virustotal.com/#/domain/#{data}"
+        when "url"
+          "https://www.virustotal.com/#/url/#{sha256}"
+        when "mail"
+          "https://www.virustotal.com/#/search/#{data}"
+        else
+          ""
+        end
+      end
+
+      # @return [Hash]
+      def to_h
+        {
+          fallback: "VT link",
+          title: data,
+          title_link: link,
+          footer: "virustotal.com",
+          footer_icon: "http://www.google.com/s2/favicons?domain=virustotal.com"
+        }
+      end
+
+      private
+
+      # @return [String]
+      def sha256
+        Digest::SHA256.hexdigest data
+      end
+    end
+
+    class Slack < Base
+      SLACK_WEBHOOK_URL_KEY = "SLACK_WEBHOOK_URL"
+      SLACK_CHANNEL_KEY = "SLACK_CHANNEL"
+
+      def slack_channel
+        ENV.fetch SLACK_CHANNEL_KEY, "#general"
+      end
+
+      def slack_webhook_url
+        ENV.fetch SLACK_WEBHOOK_URL_KEY
+      end
+
+      def slack_webhook_url?
+        ENV.key? SLACK_WEBHOOK_URL_KEY
+      end
+
+      def valid?
+        slack_webhook_url?
+      end
+
+      def to_attachments(artifacts)
+        artifacts.map do |artifact|
+          Attachment.new(data: artifact.data, data_type: artifact.data_type).to_h
+        end
+      end
+
+      def notify(title:, description:, artifacts:)
+        return if artifacts.empty?
+
+        attachments = to_attachments(artifacts)
+
+        slack = ::Slack::Incoming::Webhooks.new(slack_webhook_url, channel: slack_channel)
+        slack.post("#{title} (#{description})", attachments: attachments)
+      end
+    end
+  end
+end

data/lib/mihari/notifiers/the_hive.rb

@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+module Mihari
+  module Notifiers
+    class TheHive < Base
+      attr_reader :api
+
+      def initialize
+        @api = Mihari::TheHive.new
+      end
+
+      # @return [true, false]
+      def valid?
+        api.valid?
+      end
+
+      def notify(title:, description:, artifacts:)
+        return if artifacts.empty?
+
+        res = api.create_alert(title: title, description: description, artifacts: artifacts.map(&:to_h))
+        id = res.dig("id")
+        puts "A new alret is created. (id: #{id})"
+      end
+    end
+  end
+end

data/lib/mihari/the_hive.rb

@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+module Mihari
+  class TheHive
+    # @return [true, false]
+    def api_endpont?
+      ENV.key? "THEHIVE_API_ENDPOINT"
+    end
+
+    # @return [true, false]
+    def api_key?
+      ENV.key? "THEHIVE_API_KEY"
+    end
+
+    # @return [true, false]
+    def valid?
+      api_endpont? && api_key?
+    end
+
+    # @return [Hachi::API]
+    def api
+      @api ||= Hachi::API.new
+    end
+
+    # @return [Hash]
+    def search(data:, data_type:, range: "all")
+      api.artifact.search(data: data, data_type: data_type, range: range)
+    end
+
+    # @return [true, false]
+    def exists?(data:, data_type:)
+      res = search(data: data, data_type: data_type, range: "0-1")
+      !res.empty?
+    end
+
+    # @return [Hash]
+    def create_alert(title:, description:, artifacts:)
+      api.alert.create(title: title, description: description, artifacts: artifacts, type: "external", source: "mihari")
+    end
+  end
+end

data/lib/mihari/type_checker.rb

@@ -0,0 +1,86 @@
+# frozen_string_literal: true
+
+require "addressable/uri"
+require "email_address"
+require "ipaddr"
+require "public_suffix"
+
+module Mihari
+  class TypeChecker
+    attr_reader :data
+
+    def initialize(data)
+      @data = data
+    end
+
+    # @return [true, false]
+    def hash?
+      md5? || sha1? || sha256? || sha512?
+    end
+
+    # @return [true, false]
+    def ip?
+      IPAddr.new data
+      true
+    rescue IPAddr::InvalidAddressError => _
+      false
+    end
+
+    # @return [true, false]
+    def domain?
+      uri = Addressable::URI.parse("http://#{data}")
+      uri.host == data && PublicSuffix.valid?(uri.host)
+    rescue Addressable::URI::InvalidURIError => _
+      false
+    end
+
+    # @return [true, false]
+    def url?
+      uri = Addressable::URI.parse(data)
+      uri.scheme && uri.host && uri.path && PublicSuffix.valid?(uri.host)
+    rescue Addressable::URI::InvalidURIError => _
+      false
+    end
+
+    # @return [true, false]
+    def mail?
+      EmailAddress.valid? data
+    end
+
+    # @return [String, nil]
+    def type
+      return "hash" if hash?
+      return "ip" if ip?
+      return "domain" if domain?
+      return "url" if url?
+      return "mail" if mail?
+    end
+
+    # @return [String, nil]
+    def self.type(data)
+      new(data).type
+    end
+
+    private
+
+    # @return [true, false]
+    def md5?
+      data.match? /^[A-Fa-f0-9]{32}$/
+    end
+
+    # @return [true, false]
+    def sha1?
+      data.match? /^[A-Fa-f0-9]{40}$/
+    end
+
+    # @return [true, false]
+    def sha256?
+      data.match? /^[A-Fa-f0-9]{64}$/
+    end
+
+    # @return [true, false]
+    def sha512?
+      data.match? /^[A-Fa-f0-9]{128}$/
+    end
+  end
+end

data/lib/mihari/version.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+module Mihari
+  VERSION = "0.1.0"
+end

data/lib/mihari.rb

@@ -0,0 +1,34 @@
+# frozen_string_literal: true
+
+require "mem"
+
+module Mihari
+  class << self
+    include Mem
+
+    def notifiers
+      []
+    end
+    memoize :notifiers
+  end
+end
+
+require "mihari/version"
+
+require "mihari/errors"
+
+require "mihari/type_checker"
+require "mihari/artifact"
+
+require "mihari/the_hive"
+
+require "mihari/analyzers/base"
+require "mihari/analyzers/basic"
+require "mihari/analyzers/censys"
+require "mihari/analyzers/shodan"
+
+require "mihari/notifiers/base"
+require "mihari/notifiers/slack"
+require "mihari/notifiers/the_hive"
+
+require "mihari/cli"

data/mihari.gemspec

@@ -0,0 +1,42 @@
+# frozen_string_literal: true
+
+lib = File.expand_path('lib', __dir__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require "mihari/version"
+
+Gem::Specification.new do |spec|
+  spec.name          = "mihari"
+  spec.version       = Mihari::VERSION
+  spec.authors       = ["Manabu Niseki"]
+  spec.email         = ["manabu.niseki@gmail.com"]
+
+  spec.summary       = "A framework for continuous malicious hosts monitoring."
+  spec.description   = "A framework for continuous malicious hosts monitoring."
+  spec.homepage      = "https://github.com/ninoseki/mihari"
+  spec.license       = "MIT"
+
+  # Specify which files should be added to the gem when it is released.
+  # The `git ls-files -z` loads the files in the RubyGem that have been added into git.
+  spec.files         = Dir.chdir(File.expand_path(__dir__)) do
+    `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
+  end
+  spec.bindir        = "exe"
+  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.require_paths = ["lib"]
+
+  spec.add_development_dependency "bundler", "~> 2.0"
+  spec.add_development_dependency "coveralls", "~> 0.8"
+  spec.add_development_dependency "rake", "~> 12.3"
+  spec.add_development_dependency "rspec", "~> 3.8"
+  spec.add_development_dependency "vcr", "~> 4.0"
+  spec.add_development_dependency "webmock", "~> 3.5"
+
+  spec.add_dependency "addressable", "~> 2.6"
+  spec.add_dependency "censu", "~> 0.2"
+  spec.add_dependency "email_address", "~> 0.1"
+  spec.add_dependency "hachi", "~> 0.1"
+  spec.add_dependency "mem", "~> 0.1"
+  spec.add_dependency "public_suffix", "~> 3.0"
+  spec.add_dependency "slack-incoming-webhooks", "~> 0.2"
+  spec.add_dependency "thor", "~> 0.19"
+end

metadata

@@ -0,0 +1,267 @@
+--- !ruby/object:Gem::Specification
+name: mihari
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Manabu Niseki
+autorequire: 
+bindir: exe
+cert_chain: []
+date: 2019-04-23 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+- !ruby/object:Gem::Dependency
+  name: coveralls
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.8'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.8'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '12.3'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '12.3'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.8'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.8'
+- !ruby/object:Gem::Dependency
+  name: vcr
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '4.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '4.0'
+- !ruby/object:Gem::Dependency
+  name: webmock
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.5'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.5'
+- !ruby/object:Gem::Dependency
+  name: addressable
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.6'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.6'
+- !ruby/object:Gem::Dependency
+  name: censu
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.2'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.2'
+- !ruby/object:Gem::Dependency
+  name: email_address
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.1'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.1'
+- !ruby/object:Gem::Dependency
+  name: hachi
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.1'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.1'
+- !ruby/object:Gem::Dependency
+  name: mem
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.1'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.1'
+- !ruby/object:Gem::Dependency
+  name: public_suffix
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+- !ruby/object:Gem::Dependency
+  name: slack-incoming-webhooks
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.2'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.2'
+- !ruby/object:Gem::Dependency
+  name: thor
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.19'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.19'
+description: A framework for continuous malicious hosts monitoring.
+email:
+- manabu.niseki@gmail.com
+executables:
+- mihari
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".rspec"
+- ".travis.yml"
+- Gemfile
+- LICENSE
+- README.md
+- Rakefile
+- bin/console
+- bin/setup
+- examples/ipinfo_hosted_domains.rb
+- examples/vt_passive_dns.rb
+- exe/mihari
+- lib/mihari.rb
+- lib/mihari/analyzers/base.rb
+- lib/mihari/analyzers/basic.rb
+- lib/mihari/analyzers/censys.rb
+- lib/mihari/analyzers/shodan.rb
+- lib/mihari/artifact.rb
+- lib/mihari/cli.rb
+- lib/mihari/errors.rb
+- lib/mihari/notifiers/base.rb
+- lib/mihari/notifiers/slack.rb
+- lib/mihari/notifiers/the_hive.rb
+- lib/mihari/the_hive.rb
+- lib/mihari/type_checker.rb
+- lib/mihari/version.rb
+- mihari.gemspec
+homepage: https://github.com/ninoseki/mihari
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.0.2
+signing_key: 
+specification_version: 4
+summary: A framework for continuous malicious hosts monitoring.
+test_files: []