mihari 0.1.0 → 0.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a60ee7c7a40195a7b6b49484ce1df99926278721bd77603b6c9d0f3a952c4ac2
-  data.tar.gz: 5c51449f1c2c3a7e14f745490c2bee6f2d18c3f5e5eaafc25a2ba55b15e83e12
+  metadata.gz: 777180f61db321707c6f72c02256fd9e2da24d5cc45f66430d8666a1baf36601
+  data.tar.gz: 888a4dea9f82823635b9c45418102a57ad60865bf769ddffbc14582d6244efe1
 SHA512:
-  metadata.gz: dba9abb2e8c856bd2fc814daf4d7d4b5d63912d707c6e4e1225dc8ecb3d7f07067d6e8764509013a99621902fb24d7a74c8dd8a5dcbde00ec2469075799458db
-  data.tar.gz: 53f255209c397224a7250c5adc6323c1e99a833426f9304649c779751f0299a898c28c9b911289bf941ebed8b8ab0b61c9aef298153acf3fe269a9e9044b58e5
+  metadata.gz: 54c3574805ccd106646d4a75841d79d0ae8da6b1d1062b92d7d202439b15254772e625e6d64aeacc384c7727bc756f3452281ed1bf51ddc0a47df92c7f5873f5
+  data.tar.gz: 616b4e01a4af3454c9e1d9e5dad4834d553facff5981a462f371991ff391539335b76114652def78d19c64d10583e6bff9fa7ba2a5e475dc79f79065338916cd

data/README.md

@@ -12,27 +12,35 @@ mihari(`見張り`) is a framework for continuous malicious hosts (C2 / landing
     - mihari creates an alert with the artifacts on the TheHive instance.
     - mihari sends a notification to Slack. (Optional)
 
+### Screenshots
+
+- TheHive alert example
+
+![img](./screenshots/alert.png)
+
+- Slack notification example
+
+![img](./screenshots/slack.png)
+
 ## Installation
 
 ```bash
 gem install mihari
 ```
 
-## Configuration
-
-All configuration is done via ENV variables.
+## Basic usage
 
-| Key                  | Desc.              | Required or optional           |
-|----------------------|--------------------|--------------------------------|
-| THEHIVE_API_ENDPOINT | TheHive URL        | Required                       |
-| THEHIVE_API_KEY      | TheHive API key    | Required                       |
-| SLACK_WEBHOOK_URL    | Slack Webhook URL  | Optional                       |
-| SLACK_CHANNEL        | Slack channel name | Optional (default: `#general`) |
-| CENSYS_ID            | CENSYS API ID      | Optional                       |
-| CENSYS_SECRET        | CENSYS secret      | Optional                       |
-| SHODAN_API_KEY       | Shodan API key     | Optional                       |
+mihari supports Censys, Shodan and Onyphe by default.
 
-## Basic usage
+```bash
+$ mihari
+Commands:
+  mihari censys [QUERY]    # Censys IPv4 lookup by a given query
+  mihari help [COMMAND]    # Describe available commands or one specific command
+  mihari import_from_json  # Give a JSON input via STDIN
+  mihari onyphe [QUERY]    # Onyphe datascan lookup by a given query
+  mihari shodan [QUERY]    # Shodan host lookup by a given query
+```
 
 ### Censys
 
@@ -46,6 +54,12 @@ mihari censys "YOUR_QUERY"
 mihari shodan "YOUR QUERY"
 ```
 
+### Onyphe
+
+```bash
+mihari onyphe "YOUR QUERY"
+```
+
 ### Import from JSON
 
 ```bash
@@ -68,6 +82,21 @@ The input is a JSON data should have `title`, `description` and `artifacts` key.
 | description | A description of an alert                                                  |
 | artifacts   | An array of artifacts (supported data types: ip, domain, url, email, hash) |
 
+## Configuration
+
+All configuration is done via ENV variables.
+
+| Key                  | Desc.              | Required or optional           |
+|----------------------|--------------------|--------------------------------|
+| THEHIVE_API_ENDPOINT | TheHive URL        | Required                       |
+| THEHIVE_API_KEY      | TheHive API key    | Required                       |
+| SLACK_WEBHOOK_URL    | Slack Webhook URL  | Optional                       |
+| SLACK_CHANNEL        | Slack channel name | Optional (default: `#general`) |
+| CENSYS_ID            | Censys API ID      | Optional                       |
+| CENSYS_SECRET        | Censys secret      | Optional                       |
+| SHODAN_API_KEY       | Shodan API key     | Optional                       |
+| ONYPHE_API_KEY       | Onyphe API key     | Optional                       |
+
 ## How to create a custom analyzer
 
 Create a class which extends `Mihari::Analyzers::Base` and implements the following methods.

data/lib/mihari.rb

@@ -25,6 +25,7 @@ require "mihari/the_hive"
 require "mihari/analyzers/base"
 require "mihari/analyzers/basic"
 require "mihari/analyzers/censys"
+require "mihari/analyzers/onyphe"
 require "mihari/analyzers/shodan"
 
 require "mihari/notifiers/base"

data/lib/mihari/analyzers/onyphe.rb

@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+require "onyphe"
+
+module Mihari
+  module Analyzers
+    class Onyphe < Base
+      attr_reader :api
+      attr_reader :title
+      attr_reader :description
+      attr_reader :query
+
+      def initialize(query)
+        super()
+
+        @api = ::Onyphe::API.new
+        @query = query
+        @title = "Onyphe lookup"
+        @description = "Query: #{query}"
+      end
+
+      def artifacts
+        result = search
+        return [] unless result
+
+        results = result.dig("results") || []
+        results.map { |e| e.dig("ip") }.compact
+      end
+
+      private
+
+      def search
+        api.datascan(query)
+      rescue ::Onyphe::Error => _e
+        nil
+      end
+    end
+  end
+end

data/lib/mihari/analyzers/shodan.rb

@@ -1,12 +1,11 @@
 # frozen_string_literal: true
 
-require "open-uri"
-require "json"
+require "shodan"
 
 module Mihari
   module Analyzers
     class Shodan < Base
-      attr_reader :api_key
+      attr_reader :api
       attr_reader :title
       attr_reader :description
       attr_reader :query
@@ -14,10 +13,7 @@ module Mihari
       def initialize(query)
         super()
 
-        api_key = ENV.fetch("SHODAN_API_KEY", nil)
-        raise ArgumentError, "SHODAN_API_KEY is required" unless api_key
-
-        @api_key = api_key
+        @api = ::Shodan::API.new
         @query = query
         @title = "Shodan lookup"
         @description = "Query: #{query}"
@@ -36,12 +32,9 @@ module Mihari
       private
 
       def search
-        uri = URI("https://api.shodan.io/shodan/host/search?key=#{api_key}&query=#{query}")
-        begin
-          JSON.parse uri.read
-        rescue OpenURI::HTTPError
-          nil
-        end
+        api.host.search(query)
+      rescue ::Shodan::Error => _e
+        nil
       end
     end
   end

data/lib/mihari/cli.rb

@@ -5,7 +5,7 @@ require "json"
 
 module Mihari
   class CLI < Thor
-    desc "censys [QUERY]", "Censys lookup by a given query"
+    desc "censys [QUERY]", "Censys IPv4 lookup by a given query"
     def censys(query)
       with_error_handling do
         censys = Analyzers::Censys.new(query)
@@ -13,7 +13,7 @@ module Mihari
       end
     end
 
-    desc "shodan [QUERY]", "Shodan lookup by a given query"
+    desc "shodan [QUERY]", "Shodan host lookup by a given query"
     def shodan(query)
       with_error_handling do
         shodan = Analyzers::Shodan.new(query)
@@ -21,6 +21,14 @@ module Mihari
       end
     end
 
+    desc "onyphe [QUERY]", "Onyphe datascan lookup by a given query"
+    def onyphe(query)
+      with_error_handling do
+        onyphe = Analyzers::Onyphe.new(query)
+        onyphe.run
+      end
+    end
+
     desc "import_from_json", "Give a JSON input via STDIN"
     def import_from_json(input = nil)
       json = input || STDIN.gets.chomp
@@ -51,7 +59,7 @@ module Mihari
 
       def parse_as_json(input)
         JSON.parse input
-      rescue JSON::ParserError => _
+      rescue JSON::ParserError => e
         nil
       end
 

data/lib/mihari/notifiers/slack.rb

@@ -2,10 +2,13 @@
 
 require "slack/incoming/webhooks"
 require "digest/sha2"
+require "mem"
 
 module Mihari
   module Notifiers
     class Attachment
+      include Mem
+
       attr_reader :data, :data_type
 
       def initialize(data:, data_type:)
@@ -13,8 +16,53 @@ module Mihari
         @data_type = data_type
       end
 
+      def vt_link
+        return nil unless _vt_link
+
+        {
+          fallback: "VT link",
+          title: data,
+          title_link: _vt_link,
+          footer: "virustotal.com",
+          footer_icon: "http://www.google.com/s2/favicons?domain=virustotal.com"
+        }
+      end
+
+      def urlscan_link
+        return nil unless _urlscan_link
+
+        {
+          fallback: "urlscan.io link",
+          title: data,
+          title_link: _urlscan_link,
+          footer: "urlscan.io",
+          footer_icon: "http://www.google.com/s2/favicons?domain=urlscan.io"
+        }
+      end
+
+      # @return [Array]
+      def to_a
+        [vt_link, urlscan_link].compact
+      end
+
+      private
+
       # @return [String]
-      def link
+      def _urlscan_link
+        case data_type
+        when "ip"
+          "https://urlscan.io/ip/#{data}"
+        when "domain"
+          "https://urlscan.io/domain/#{data}"
+        when "url"
+          uri = URI(data)
+          "https://urlscan.io/domain/#{uri.hostname}"
+        end
+      end
+      memoize :_urlscan_link
+
+      # @return [String]
+      def _vt_link
         case data_type
         when "hash"
           "https://www.virustotal.com/#/file/#{data}"
@@ -26,23 +74,9 @@ module Mihari
           "https://www.virustotal.com/#/url/#{sha256}"
         when "mail"
           "https://www.virustotal.com/#/search/#{data}"
-        else
-          ""
         end
       end
-
-      # @return [Hash]
-      def to_h
-        {
-          fallback: "VT link",
-          title: data,
-          title_link: link,
-          footer: "virustotal.com",
-          footer_icon: "http://www.google.com/s2/favicons?domain=virustotal.com"
-        }
-      end
-
-      private
+      memoize :_vt_link
 
       # @return [String]
       def sha256
@@ -72,8 +106,8 @@ module Mihari
 
       def to_attachments(artifacts)
         artifacts.map do |artifact|
-          Attachment.new(data: artifact.data, data_type: artifact.data_type).to_h
-        end
+          Attachment.new(data: artifact.data, data_type: artifact.data_type).to_a
+        end.flatten
       end
 
       def notify(title:, description:, artifacts:)

data/lib/mihari/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Mihari
-  VERSION = "0.1.0"
+  VERSION = "0.2.0"
 end

data/mihari.gemspec

@@ -36,7 +36,9 @@ Gem::Specification.new do |spec|
   spec.add_dependency "email_address", "~> 0.1"
   spec.add_dependency "hachi", "~> 0.1"
   spec.add_dependency "mem", "~> 0.1"
+  spec.add_dependency "onyphe", "~> 0.2"
   spec.add_dependency "public_suffix", "~> 3.0"
+  spec.add_dependency "shodanx", "~> 0.1"
   spec.add_dependency "slack-incoming-webhooks", "~> 0.2"
   spec.add_dependency "thor", "~> 0.19"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: mihari
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.2.0
 platform: ruby
 authors:
 - Manabu Niseki
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2019-04-23 00:00:00.000000000 Z
+date: 2019-05-04 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -164,6 +164,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '0.1'
+- !ruby/object:Gem::Dependency
+  name: onyphe
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.2'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.2'
 - !ruby/object:Gem::Dependency
   name: public_suffix
   requirement: !ruby/object:Gem::Requirement
@@ -178,6 +192,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '3.0'
+- !ruby/object:Gem::Dependency
+  name: shodanx
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.1'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.1'
 - !ruby/object:Gem::Dependency
   name: slack-incoming-webhooks
   requirement: !ruby/object:Gem::Requirement
@@ -230,6 +258,7 @@ files:
 - lib/mihari/analyzers/base.rb
 - lib/mihari/analyzers/basic.rb
 - lib/mihari/analyzers/censys.rb
+- lib/mihari/analyzers/onyphe.rb
 - lib/mihari/analyzers/shodan.rb
 - lib/mihari/artifact.rb
 - lib/mihari/cli.rb
@@ -241,6 +270,8 @@ files:
 - lib/mihari/type_checker.rb
 - lib/mihari/version.rb
 - mihari.gemspec
+- screenshots/alert.png
+- screenshots/slack.png
 homepage: https://github.com/ninoseki/mihari
 licenses:
 - MIT