mihari 0.17.4 → 1.1.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6a2088860e89b6cfa7ead2c47b1589ee19d6cb388051e1f5f0325c3b8eab9184
-  data.tar.gz: de9a0261e8ede8ff2bd6f93f236fd1d2eee2f8dfa7d8125e9ff2ad2b0c2089ba
+  metadata.gz: 5c43df888d661331830b74ecbf097f2bf7f0450850fca0ad8bfe86d58fe5d32f
+  data.tar.gz: 123d3a13867550f57557472e63819b1bc8a70fd80bb0ef3fa0543d9414fc84a8
 SHA512:
-  metadata.gz: 12d2823b24f99989e44a8001e50b20222a1cfea8905a2c375365ff27eb4603f0e7aaf36fcdb53aa350d30ca5774622b22f85e2c2aa049d219ea89ec154783753
-  data.tar.gz: 9fdc2753b2d480a453867e83d9c11bebf4f376aaaddfd55696569ab2c41af6386c55e2f4d08ad5976439787676fca32cd2dba13ce80c2dbc65ff0dbe693bf8a0
+  metadata.gz: 96693d5a7ca81b7a1f6834ffedb7ad9897dba6fe510dc632c204a2497595ae67c6bf7c70895bccc5738d6d83369cafc7f309962e6e29a941a2ccb5f5fc84b68a
+  data.tar.gz: 9b4d2ccb878b2aec9b82ac158b5da5bea76653b443c3d53c5d4146a4e3900f400680d690cb0ab6becb526f827d1cb482d663719625f10ee6011e598411c29b67

data/.gitignore

@@ -54,3 +54,6 @@ Gemfile.lock
 
 # solargraph
 .solargraph.yml
+
+# SQLite
+*.db

data/.rubocop.yml

@@ -0,0 +1,155 @@
+# Relaxed.Ruby.Style
+## Version 2.5
+
+require:
+  - rubocop-performance
+
+Style/Alias:
+  Enabled: false
+  StyleGuide: https://relaxed.ruby.style/#stylealias
+
+Style/AsciiComments:
+  Enabled: false
+  StyleGuide: https://relaxed.ruby.style/#styleasciicomments
+
+Style/BeginBlock:
+  Enabled: false
+  StyleGuide: https://relaxed.ruby.style/#stylebeginblock
+
+Style/BlockDelimiters:
+  Enabled: false
+  StyleGuide: https://relaxed.ruby.style/#styleblockdelimiters
+
+Style/CommentAnnotation:
+  Enabled: false
+  StyleGuide: https://relaxed.ruby.style/#stylecommentannotation
+
+Style/Documentation:
+  Enabled: false
+  StyleGuide: https://relaxed.ruby.style/#styledocumentation
+
+Layout/DotPosition:
+  Enabled: false
+  StyleGuide: https://relaxed.ruby.style/#layoutdotposition
+
+Style/DoubleNegation:
+  Enabled: false
+  StyleGuide: https://relaxed.ruby.style/#styledoublenegation
+
+Style/EndBlock:
+  Enabled: false
+  StyleGuide: https://relaxed.ruby.style/#styleendblock
+
+Style/FormatString:
+  Enabled: false
+  StyleGuide: https://relaxed.ruby.style/#styleformatstring
+
+Style/IfUnlessModifier:
+  Enabled: false
+  StyleGuide: https://relaxed.ruby.style/#styleifunlessmodifier
+
+Style/Lambda:
+  Enabled: false
+  StyleGuide: https://relaxed.ruby.style/#stylelambda
+
+Style/ModuleFunction:
+  Enabled: false
+  StyleGuide: https://relaxed.ruby.style/#stylemodulefunction
+
+Style/MultilineBlockChain:
+  Enabled: false
+  StyleGuide: https://relaxed.ruby.style/#stylemultilineblockchain
+
+Style/NegatedIf:
+  Enabled: false
+  StyleGuide: https://relaxed.ruby.style/#stylenegatedif
+
+Style/NegatedWhile:
+  Enabled: false
+  StyleGuide: https://relaxed.ruby.style/#stylenegatedwhile
+
+Style/NumericPredicate:
+  Enabled: false
+  StyleGuide: https://relaxed.ruby.style/#stylenumericpredicate
+
+Style/ParallelAssignment:
+  Enabled: false
+  StyleGuide: https://relaxed.ruby.style/#styleparallelassignment
+
+Style/PercentLiteralDelimiters:
+  Enabled: false
+  StyleGuide: https://relaxed.ruby.style/#stylepercentliteraldelimiters
+
+Style/PerlBackrefs:
+  Enabled: false
+  StyleGuide: https://relaxed.ruby.style/#styleperlbackrefs
+
+Style/Semicolon:
+  Enabled: false
+  StyleGuide: https://relaxed.ruby.style/#stylesemicolon
+
+Style/SignalException:
+  Enabled: false
+  StyleGuide: https://relaxed.ruby.style/#stylesignalexception
+
+Style/SingleLineBlockParams:
+  Enabled: false
+  StyleGuide: https://relaxed.ruby.style/#stylesinglelineblockparams
+
+Style/SingleLineMethods:
+  Enabled: false
+  StyleGuide: https://relaxed.ruby.style/#stylesinglelinemethods
+
+Layout/SpaceBeforeBlockBraces:
+  Enabled: false
+  StyleGuide: https://relaxed.ruby.style/#layoutspacebeforeblockbraces
+
+Layout/SpaceInsideParens:
+  Enabled: false
+  StyleGuide: https://relaxed.ruby.style/#layoutspaceinsideparens
+
+Style/SpecialGlobalVars:
+  Enabled: false
+  StyleGuide: https://relaxed.ruby.style/#stylespecialglobalvars
+
+Style/StringLiterals:
+  Enabled: false
+  StyleGuide: https://relaxed.ruby.style/#stylestringliterals
+
+Style/TrailingCommaInArguments:
+  Enabled: false
+  StyleGuide: https://relaxed.ruby.style/#styletrailingcommainarguments
+
+Style/TrailingCommaInArrayLiteral:
+  Enabled: false
+  StyleGuide: https://relaxed.ruby.style/#styletrailingcommainarrayliteral
+
+Style/TrailingCommaInHashLiteral:
+  Enabled: false
+  StyleGuide: https://relaxed.ruby.style/#styletrailingcommainhashliteral
+
+Style/SymbolArray:
+  Enabled: false
+  StyleGuide: http://relaxed.ruby.style/#stylesymbolarray
+
+Style/WhileUntilModifier:
+  Enabled: false
+  StyleGuide: https://relaxed.ruby.style/#stylewhileuntilmodifier
+
+Style/WordArray:
+  Enabled: false
+  StyleGuide: https://relaxed.ruby.style/#stylewordarray
+
+Lint/AmbiguousRegexpLiteral:
+  Enabled: false
+  StyleGuide: https://relaxed.ruby.style/#lintambiguousregexpliteral
+
+Lint/AssignmentInCondition:
+  Enabled: false
+  StyleGuide: https://relaxed.ruby.style/#lintassignmentincondition
+
+Layout/LineLength:
+  Enabled: false
+
+Metrics:
+  Enabled: false

data/.travis.yml

@@ -1,7 +1,13 @@
 ---
-sudo: false
 language: ruby
 cache: bundler
+services:
+  - postgresql
 rvm:
   - 2.6
+  - 2.7
+env:
+  - DATABASE=":memory:"
+  - DATABASE="postgresql://postgres@0.0.0.0:5432/travis_ci_test"
 before_install: gem install bundler -v 2.1
+before_script: psql -c 'create database travis_ci_test;' -U postgres

data/Gemfile

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 source "https://rubygems.org"
 
 # Specify your gem's dependencies in mihari.gemspec

data/README.md

@@ -10,19 +10,15 @@ Mihari is a helper to run queries & manage results continuously. Mihari can be u
 
 ## How it works
 
-- Mihari makes a query against Shodan, Censys, VirusTotal, SecurityTrails, etc. and extracts artifacts from the results.
-- Mihari checks whether [TheHive](https://thehive-project.org/) contains the artifacts or not.
+- Mihari makes a query against Shodan, Censys, VirusTotal, SecurityTrails, etc. and extracts artifacts (IP addresses, domains, URLs and hashes) from the results.
+- Mihari checks whether a DB (SQLite3 or PostgreSQL) contains the artifacts or not.
   - If it doesn't contain the artifacts:
-    - Mihari creates an alert on TheHive.
+    - Mihari creates an alert on TheHive. (Optional)
     - Mihari sends a notification to Slack. (Optional)
     - Mihari creates an event on MISP. (Optional)
 
 ![img](https://github.com/ninoseki/mihari/raw/master/screenshots/eyecatch.png)
 
-Check this blog post for more details: [Continuous C2 hunting with Censys, Shodan, Onyphe and TheHive](https://hackmd.io/s/SkUaSrqoE).
-
-You can use mihari without TheHive but note that mihari depends on TheHive to manage artifacts. It means mihari might make duplications when without TheHive.
-
 ### Screenshots
 
 - TheHive alert example
@@ -37,6 +33,17 @@ You can use mihari without TheHive but note that mihari depends on TheHive to ma
 
 ![img](https://github.com/ninoseki/mihari/raw/master/screenshots/misp.png)
 
+## Requirements
+
+- Ruby 2.6+
+- SQLite3
+- libpq
+
+```bash
+# For Debian / Ubuntu
+apt-get install sqlite3 libsqlite3-dev libpq-dev
+```
+
 ## Installation
 
 ```bash
@@ -156,49 +163,13 @@ mihari http_hash --html /tmp/index.html
 
 ```bash
 # Censys lookup for PANDA C2
-$ mihari censys '("PANDA" AND "SMAdmin" AND "layui")' --title "PANDA C2"
-{
-  "title": "PANDA C2",
-  "description": "query = (\"PANDA\" AND \"SMAdmin\" AND \"layui\")",
-  "artifacts": [
-    "154.223.165.223",
-    "154.194.2.31",
-    "45.114.127.119",
-    "..."
-  ],
-  "tags": []
-}
+mihari censys '("PANDA" AND "SMAdmin" AND "layui")' --title "PANDA C2"
 
 # VirusTotal passive DNS lookup of a FAKESPY host
-$ mihari virustotal "jppost-hi.top" --title "FAKESPY host passive DNS results"
-{
-  "title": "FAKESPY host passive DNS results",
-  "description": "indicator = jppost-hi.top",
-  "artifacts": [
-    "185.22.152.28",
-    "192.236.200.44",
-    "193.148.69.12",
-    "..."
-  ],
-  "tags": []
-}
+mihari virustotal "jppost-hi.top" --title "FAKESPY passive DNS"
 
 # You can pass a "defanged" indicator as an input
-$ mihari virustotal "jppost-hi[.]top" --title "FAKESPY host passive DNS results"
-
-# SecurityTrails domain feed lookup for finding (possibly) Apple phishing websites
-$ mihari securitytrails_domain_feed "apple-" --type new
-{
-  "title": "SecurityTrails domain feed lookup",
-  "description": "Regexp = /apple-/",
-  "artifacts": [
-    "apple-sign.online",
-    "apple-log-in.com",
-    "apple-locator-id.info",
-    "..."
-  ],
-  "tags": []
-}
+mihari virustotal "jppost-hi[.]top" --title "FAKESPY passive DNS"
 ```
 
 ### Import from JSON
@@ -229,28 +200,29 @@ The input is a JSON data should have `title`, `description` and `artifacts` key.
 
 Configuration can be done via environment variables or a YAML file.
 
-| Key                    | Desc.                          | Recommended or optional        |
-|------------------------|--------------------------------|--------------------------------|
-| THEHIVE_API_ENDPOINT   | TheHive URL                    | Recommended                    |
-| THEHIVE_API_KEY        | TheHive API key                | Recommended                    |
-| MISP_API_ENDPOINT      | MISP URL                       | Optional                       |
-| MISP_API_KEY           | MISP API key                   | Optional                       |
-| SLACK_WEBHOOK_URL      | Slack Webhook URL              | Optional                       |
-| SLACK_CHANNEL          | Slack channel name             | Optional (default: `#general`) |
-| BINARYEDGE_API_KEY     | BinaryEdge API key             | Optional                       |
-| CENSYS_ID              | Censys API ID                  | Optional                       |
-| CENSYS_SECRET          | Censys secret                  | Optional                       |
-| CIRCL_PASSIVE_PASSWORD | CIRCL passive DNS/SSL password | Optional                       |
-| CIRCL_PASSIVE_USERNAME | CIRCL passive DNS/SSL username | Optional                       |
-| ONYPHE_API_KEY         | Onyphe API key                 | Optional                       |
-| PASSIVETOTAL_API_KEY   | PassiveTotal API key           | Optional                       |
-| PASSIVETOTAL_USERNAME  | PassiveTotal username          | Optional                       |
-| PULSEDIVE_API_KEY      | Pulsedive API key              | Optional                       |
-| SECURITYTRAILS_API_KEY | SecurityTrails API key         | Optional                       |
-| SHODAN_API_KEY         | Shodan API key                 | Optional                       |
-| VIRUSTOTAL_API_KEY     | VirusTotal API key             | Optional                       |
-| ZOOMEYE_USERNAMME      | ZoomEye username               | Optional                       |
-| ZOOMEYE_PASSWORD       | ZoomEye password               | Optional                       |
+| Key                    | Description                                                                                     | Default     |
+|------------------------|-------------------------------------------------------------------------------------------------|-------------|
+| DATABASE               | A path to the SQLite database or a DB URL (e.g. `postgres://postgres:pass@db.host:5432/somedb`) | `mihari.db` |
+| BINARYEDGE_API_KEY     | BinaryEdge API key                                                                              |             |
+| CENSYS_ID              | Censys API ID                                                                                   |             |
+| CENSYS_SECRET          | Censys secret                                                                                   |             |
+| CIRCL_PASSIVE_PASSWORD | CIRCL passive DNS/SSL password                                                                  |             |
+| CIRCL_PASSIVE_USERNAME | CIRCL passive DNS/SSL username                                                                  |             |
+| MISP_API_ENDPOINT      | MISP URL                                                                                        |             |
+| MISP_API_KEY           | MISP API key                                                                                    |             |
+| ONYPHE_API_KEY         | Onyphe API key                                                                                  |             |
+| PASSIVETOTAL_API_KEY   | PassiveTotal API key                                                                            |             |
+| PASSIVETOTAL_USERNAME  | PassiveTotal username                                                                           |             |
+| PULSEDIVE_API_KEY      | Pulsedive API key                                                                               |             |
+| SECURITYTRAILS_API_KEY | SecurityTrails API key                                                                          |             |
+| SHODAN_API_KEY         | Shodan API key                                                                                  |             |
+| SLACK_CHANNEL          | Slack channel name                                                                              | `#general`  |
+| SLACK_WEBHOOK_URL      | Slack Webhook URL                                                                               |             |
+| THEHIVE_API_ENDPOINT   | TheHive URL                                                                                     |             |
+| THEHIVE_API_KEY        | TheHive API key                                                                                 |             |
+| VIRUSTOTAL_API_KEY     | VirusTotal API key                                                                              |             |
+| ZOOMEYE_PASSWORD       | ZoomEye password                                                                                |             |
+| ZOOMEYE_USERNAMME      | ZoomEye username                                                                                |             |
 
 Instead of using environment variables, you can use a YAML file for configuration.
 
@@ -261,6 +233,7 @@ mihari virustotal 1.1.1.1 --config /path/to/yaml.yml
 The YAML file should be a YAML hash like below:
 
 ```yaml
+database: /tmp/mihari.db
 thehive_api_endpoint: https://localhost
 thehive_api_key: foo
 virustotal_api_key: foo
@@ -314,10 +287,6 @@ example.run
 
 See `/examples` for more.
 
-## Caching
-
-Mihari caches execution results in `/tmp/mihari` and the default cache duration is 7 days. If you want to clear the cache, please clear `/tmp/mihari`.
-
 ## Using it with Docker
 
 ```bash

data/config/pre_commit.yml

@@ -0,0 +1,3 @@
+---
+:checks_add:
+  - :rubocop

data/docker/Dockerfile

@@ -1,5 +1,5 @@
 FROM ruby:2.6-alpine3.10
-RUN apk --no-cache add git build-base ruby-dev \
+RUN apk --no-cache add git build-base ruby-dev sqlite-dev postgresql-dev \
   && cd /tmp/ \
   && git clone https://github.com/ninoseki/mihari.git \
   && cd mihari \

data/lib/mihari.rb

@@ -19,24 +19,27 @@ module Mihari
 end
 
 require "mihari/version"
-
 require "mihari/errors"
 
-require "mihari/artifact"
-require "mihari/cache"
 require "mihari/config"
+
+require "mihari/database"
 require "mihari/type_checker"
 
+require "mihari/models/alert"
+require "mihari/models/artifact"
+require "mihari/models/tag"
+require "mihari/models/tagging"
+
+require "mihari/serializers/alert"
+require "mihari/serializers/artifact"
+require "mihari/serializers/tag"
+
 require "mihari/html"
 
 require "mihari/configurable"
 require "mihari/retriable"
 
-require "mihari/the_hive/base"
-require "mihari/the_hive/alert"
-require "mihari/the_hive/artifact"
-require "mihari/the_hive"
-
 require "mihari/analyzers/base"
 require "mihari/analyzers/basic"
 
@@ -68,6 +71,7 @@ require "mihari/notifiers/slack"
 require "mihari/notifiers/exception_notifier"
 
 require "mihari/emitters/base"
+require "mihari/emitters/database"
 require "mihari/emitters/misp"
 require "mihari/emitters/slack"
 require "mihari/emitters/stdout"

data/lib/mihari/alert_viewer.rb

@@ -2,40 +2,22 @@
 
 module Mihari
   class AlertViewer
-    attr_reader :limit
-    attr_reader :the_hive
-
-    ALERT_KEYS = %w(title description artifacts tags createdAt status).freeze
-
-    def initialize(limit: 5)
-      @limit = limit
-      validate_limit
-
-      @the_hive = TheHive.new
-      raise Error, "Cannot connect to the TheHive instance" unless the_hive.valid?
-    end
-
-    def list
-      range = limit == "all" ? "all" : "0-#{limit}"
-      alerts = the_hive.alert.list(range: range)
-      alerts.map { |alert| convert alert }
-    end
-
-    private
-
-    def validate_limit
-      return true if limit == "all"
-
-      raise ArgumentError, "limit should be bigger than zero" unless limit.to_i.positive?
-    end
-
-    def convert(alert)
-      attributes = alert.select { |k, _v| ALERT_KEYS.include? k }
-      attributes["createdAt"] = Time.at(attributes["createdAt"] / 1000).to_s
-      attributes["artifacts"] = (attributes.dig("artifacts") || []).map do |artifact|
-        artifact.dig("data")
-      end.sort
-      attributes
+    def list(title: nil, source: nil, tag: nil, limit: 5)
+      limit = limit.to_i
+      raise ArgumentError, "limit should be bigger than zero" unless limit.positive?
+
+      relation = Alert.includes(:tags, :artifacts)
+      relation = relation.where(title: title) if title
+      relation = relation.where(source: source) if source
+      relation = relation.where(tags: { name: tag } ) if tag
+
+      alerts = relation.limit(limit).order(id: :desc)
+      alerts.map do |alert|
+        json = AlertSerializer.new(alert).as_json
+        json[:artifacts] = (json.dig(:artifacts) || []).map { |artifact_| artifact_.dig(:data) }
+        json[:tags] = (json.dig(:tags) || []).map { |tag_| tag_.dig(:name) }
+        json
+      end
     end
   end
 end