mihari 0.17.5 → 1.0.0

data/lib/mihari/analyzers/basic.rb

@@ -6,12 +6,14 @@ module Mihari
       attr_accessor :title
       attr_reader :description
       attr_reader :artifacts
+      attr_reader :source
       attr_reader :tags
 
-      def initialize(title:, description:, artifacts:, tags: [])
+      def initialize(title:, description:, artifacts:, source:, tags: [])
         @title = title
         @description = description
         @artifacts = artifacts
+        @source = source
         @tags = tags
       end
     end

data/lib/mihari/analyzers/binaryedge.rb

@@ -52,11 +52,11 @@ module Mihari
       end
 
       def config_keys
-        %w(BINARYEDGE_API_KEY)
+        [Mihari.config.binaryedge_api_key]
       end
 
       def api
-        @api ||= ::BinaryEdge::API.new
+        @api ||= ::BinaryEdge::API.new(Mihari.config.binaryedge_api_key)
       end
     end
   end

data/lib/mihari/analyzers/censys.rb

@@ -86,11 +86,11 @@ module Mihari
       end
 
       def config_keys
-        %w(CENSYS_ID CENSYS_SECRET)
+        [Mihari.config.censys_id, Mihari.config.censys_secret]
       end
 
       def api
-        @api ||= ::Censys::API.new
+        @api ||= ::Censys::API.new(Mihari.config.censys_id, Mihari.config.censys_secret)
       end
     end
   end

data/lib/mihari/analyzers/circl.rb

@@ -27,11 +27,11 @@ module Mihari
       private
 
       def config_keys
-        %w(CIRCL_PASSIVE_USERNAME CIRCL_PASSIVE_PASSWORD)
+        [Mihari.config.circl_passive_password, Mihari.config.circl_passive_username]
       end
 
       def api
-        @api ||= ::PassiveCIRCL::API.new
+        @api ||= ::PassiveCIRCL::API.new(username: Mihari.config.circl_passive_username, password: Mihari.config.circl_passive_password)
       end
 
       def lookup

data/lib/mihari/analyzers/onyphe.rb

@@ -35,15 +35,15 @@ module Mihari
       PAGE_SIZE = 10
 
       def config_keys
-        %w(ONYPHE_API_KEY)
+        [Mihari.config.onyphe_api_key]
       end
 
       def api
-        @api ||= ::Onyphe::API.new
+        @api ||= ::Onyphe::API.new(Mihari.config.onyphe_api_key)
       end
 
       def search_with_page(query, page: 1)
-        api.datascan(query, page: page)
+        api.simple.datascan(query, page: page)
       end
 
       def search

data/lib/mihari/analyzers/passivetotal.rb

@@ -30,11 +30,11 @@ module Mihari
       private
 
       def config_keys
-        %w(PASSIVETOTAL_USERNAME PASSIVETOTAL_API_KEY)
+        [Mihari.config.passivetotal_username, Mihari.config.passivetotal_api_key]
       end
 
       def api
-        @api ||= ::PassiveTotal::API.new
+        @api ||= ::PassiveTotal::API.new(username: Mihari.config.passivetotal_username, api_key: Mihari.config.passivetotal_api_key)
       end
 
       def valid_type?

data/lib/mihari/analyzers/pulsedive.rb

@@ -30,11 +30,11 @@ module Mihari
       private
 
       def config_keys
-        %w(PULSEDIVE_API_KEY)
+        [Mihari.config.pulsedive_api_key]
       end
 
       def api
-        @api ||= ::Pulsedive::API.new
+        @api ||= ::Pulsedive::API.new(Mihari.config.pulsedive_api_key)
       end
 
       def valid_type?

data/lib/mihari/analyzers/securitytrails.rb

@@ -30,11 +30,11 @@ module Mihari
       private
 
       def config_keys
-        %w(SECURITYTRAILS_API_KEY)
+        [Mihari.config.securitytrails_api_key]
       end
 
       def api
-        @api ||= ::SecurityTrails::API.new
+        @api ||= ::SecurityTrails::API.new(Mihari.config.securitytrails_api_key)
       end
 
       def valid_type?

data/lib/mihari/analyzers/securitytrails_domain_feed.rb

@@ -32,11 +32,11 @@ module Mihari
       private
 
       def config_keys
-        %w(SECURITYTRAILS_API_KEY)
+        [Mihari.config.securitytrails_api_key]
       end
 
       def api
-        @api ||= ::SecurityTrails::API.new
+        @api ||= ::SecurityTrails::API.new(Mihari.config.securitytrails_api_key)
       end
 
       def valid_type?

data/lib/mihari/analyzers/shodan.rb

@@ -36,11 +36,11 @@ module Mihari
       PAGE_SIZE = 100
 
       def config_keys
-        %w(SHODAN_API_KEY)
+        [Mihari.config.shodan_api_key]
       end
 
       def api
-        @api ||= ::Shodan::API.new
+        @api ||= ::Shodan::API.new(key: Mihari.config.shodan_api_key)
       end
 
       def search_with_page(query, page: 1)

data/lib/mihari/analyzers/virustotal.rb

@@ -30,11 +30,11 @@ module Mihari
       private
 
       def config_keys
-        %w(VIRUSTOTAL_API_KEY)
+        [Mihari.config.virustotal_api_key]
       end
 
       def api
-        @api = ::VirusTotal::API.new
+        @api = ::VirusTotal::API.new(key: Mihari.config.virustotal_api_key)
       end
 
       def valid_type?

data/lib/mihari/analyzers/zoomeye.rb

@@ -41,11 +41,11 @@ module Mihari
       end
 
       def config_keys
-        %w(ZOOMEYE_USERNAME ZOOMEYE_PASSWORD)
+        [Mihari.config.zoomeye_password, Mihari.config.zoomeye_username]
       end
 
       def api
-        @api ||= ::ZoomEye::API.new
+        @api ||= ::ZoomEye::API.new(username: Mihari.config.zoomeye_username, password: Mihari.config.zoomeye_password)
       end
 
       def convert_responses(responses)

data/lib/mihari/cli.rb

@@ -242,7 +242,7 @@ module Mihari
         artifacts = json.dig("artifacts")
         tags = json.dig("tags") || []
 
-        basic = Analyzers::Basic.new(title: title, description: description, artifacts: artifacts, tags: tags)
+        basic = Analyzers::Basic.new(title: title, description: description, artifacts: artifacts, source: "json", tags: tags)
         basic.run
       end
     end
@@ -286,7 +286,7 @@ module Mihari
 
       def load_configuration
         config = options["config"]
-        Config.load_from_yaml(config) if config
+        Config.load_configuration(config) if config
       end
 
       def run_analyzer(analyzer_class, query:, options:)

data/lib/mihari/config.rb

@@ -4,6 +4,58 @@ require "yaml"
 
 module Mihari
   class Config
+    attr_accessor :binaryedge_api_key
+    attr_accessor :censys_id
+    attr_accessor :censys_secret
+    attr_accessor :circl_passive_password
+    attr_accessor :circl_passive_username
+    attr_accessor :misp_api_endpoint
+    attr_accessor :misp_api_key
+    attr_accessor :onyphe_api_key
+    attr_accessor :passivetotal_api_key
+    attr_accessor :passivetotal_username
+    attr_accessor :pulsedive_api_key
+    attr_accessor :securitytrails_api_key
+    attr_accessor :shodan_api_key
+    attr_accessor :slack_channel
+    attr_accessor :slack_webhook_url
+    attr_accessor :thehive_api_endpoint
+    attr_accessor :thehive_api_key
+    attr_accessor :virustotal_api_key
+    attr_accessor :zoomeye_password
+    attr_accessor :zoomeye_username
+
+    attr_accessor :database
+
+    def initialize
+      load_from_env
+    end
+
+    def load_from_env
+      @binaryedge_api_key = ENV["BINARYEDGE_API_KEY"]
+      @censys_id = ENV["CENSYS_ID"]
+      @censys_secret = ENV["CENSYS_SECRET"]
+      @circl_passive_password = ENV["CIRCL_PASSIVE_PASSWORD"]
+      @circl_passive_username = ENV["CIRCL_PASSIVE_USERNAME"]
+      @misp_api_endpoint = ENV["MISP_API_ENDPOINT"]
+      @misp_api_key = ENV["MISP_API_KEY"]
+      @onyphe_api_key = ENV["ONYPHE_API_KEY"]
+      @passivetotal_api_key = ENV["PASSIVETOTAL_API_KEY"]
+      @passivetotal_username = ENV["PASSIVETOTAL_USERNAME"]
+      @pulsedive_api_key = ENV["PULSEDIVE_API_KEY"]
+      @securitytrails_api_key = ENV["SECURITYTRAILS_API_KEY"]
+      @shodan_api_key = ENV["SHODAN_API_KEY"]
+      @slack_channel = ENV["SLACK_CHANNEL"]
+      @slack_webhook_url = ENV["SLACK_WEBHOOK_URL"]
+      @thehive_api_endpoint = ENV["THEHIVE_API_ENDPOINT"]
+      @thehive_api_key = ENV["THEHIVE_API_KEY"]
+      @virustotal_api_key = ENV["VIRUSTOTAL_API_KEY"]
+      @zoomeye_password = ENV["ZOOMEYE_PASSWORD"]
+      @zoomeye_username = ENV["ZOOMEYE_USERNAME"]
+
+      @database = ENV["DATABASE"] || "mihari.db"
+    end
+
     class << self
       def load_from_yaml(path)
         raise ArgumentError, "#{path} does not exist." unless File.exist?(path)
@@ -15,10 +67,24 @@ module Mihari
           return
         end
 
-        yaml.each do |key, value|
-          ENV[key.upcase] = value
+        Mihari.configure do |config|
+          yaml.each do |key, value|
+            config.send("#{key.downcase}=".to_sym, value)
+          end
         end
       end
     end
   end
+
+  class << self
+    def config
+      @config ||= Config.new
+    end
+
+    attr_writer :config
+
+    def configure
+      yield config
+    end
+  end
 end

data/lib/mihari/configurable.rb

@@ -3,7 +3,7 @@
 module Mihari
   module Configurable
     def configured?
-      config_keys.all? { |key| ENV.key? key }
+      config_keys.all? { |key| !key.nil? }
     end
 
     def configuration_status

data/lib/mihari/database.rb

@@ -0,0 +1,45 @@
+# frozen_string_literal: true
+
+require "active_record"
+
+ActiveRecord::Base.establish_connection(
+  adapter: "sqlite3",
+  database: Mihari.config.database
+)
+
+class InitialSchema < ActiveRecord::Migration[6.0]
+  def change
+    create_table :tags, if_not_exists: true do |t|
+      t.string :name, null: false
+    end
+
+    create_table :alerts, if_not_exists: true do |t|
+      t.string :title, null: false
+      t.string :description, null: true
+      t.string :source, null: false
+      t.timestamps
+    end
+
+    create_table :artifacts, if_not_exists: true do |t|
+      t.string :data, null: false
+      t.string :data_type, null: false
+      t.belongs_to :alert, foreign_key: true
+      t.timestamps
+    end
+
+    create_table :taggings, if_not_exists: true do |t|
+      t.integer :tag_id
+      t.integer :alert_id
+    end
+
+    add_index :taggings, :tag_id, if_not_exists: true
+    add_index :taggings, [:tag_id, :alert_id], unique: true, if_not_exists: true
+  end
+end
+
+begin
+  ActiveRecord::Migration.verbose = false
+  InitialSchema.migrate(:up)
+rescue StandardError
+  # Do nothing
+end

data/lib/mihari/emitters/base.rb

@@ -16,7 +16,7 @@ module Mihari
       end
 
       def run(**params)
-        retry_on_error { emit(params) }
+        retry_on_error { emit(**params) }
       end
 
       def emit(*)

data/lib/mihari/emitters/misp.rb

@@ -6,6 +6,13 @@ require "net/ping"
 module Mihari
   module Emitters
     class MISP < Base
+      def initialize
+        ::MISP.configure do |config|
+          config.api_endpoint = Mihari.config.misp_api_endpoint
+          config.api_key = Mihari.config.misp_api_key
+        end
+      end
+
       # @return [true, false]
       def valid?
         api_endpoint? && api_key? && ping?
@@ -28,7 +35,7 @@ module Mihari
       private
 
       def config_keys
-        %w(MISP_API_ENDPOINT MISP_API_KEY)
+        [Mihari.config.misp_api_endpoint, Mihari.config.misp_api_key]
       end
 
       def build_attribute(artifact)

data/lib/mihari/emitters/slack.rb

@@ -123,7 +123,7 @@ module Mihari
         ].join("\n")
       end
 
-      def emit(title:, description:, artifacts:, tags: [])
+      def emit(title:, description:, artifacts:, tags: [], **_options)
         return if artifacts.empty?
 
         attachments = to_attachments(artifacts)
@@ -135,7 +135,7 @@ module Mihari
       private
 
       def config_keys
-        %w(SLACK_WEBHOOK_URL)
+        [Mihari.config.slack_webhook_url]
       end
     end
   end

data/lib/mihari/emitters/sqlite.rb

@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+module Mihari
+  module Emitters
+    class SQLite < Base
+      def valid?
+        true
+      end
+
+      def emit(title:, description:, artifacts:, source:, tags: [])
+        return if artifacts.empty?
+
+        tags = tags.map { |name| Tag.find_or_create_by(name: name) }.compact.uniq
+        taggings = tags.map { |tag| Tagging.new(tag_id: tag.id) }
+
+        alert = Alert.new(
+          title: title,
+          description: description,
+          artifacts: artifacts,
+          source: source,
+          taggings: taggings
+        )
+
+        alert.save
+        alert
+      end
+    end
+  end
+end

data/lib/mihari/emitters/stdout.rb

@@ -9,11 +9,12 @@ module Mihari
         true
       end
 
-      def emit(title:, description:, artifacts:, tags:)
+      def emit(title:, description:, artifacts:, source:, tags:)
         h = {
           title: title,
           description: description,
           artifacts: artifacts.map(&:data),
+          source: source,
           tags: tags
         }
         puts JSON.pretty_generate(h)

data/lib/mihari/emitters/the_hive.rb

@@ -1,42 +1,56 @@
 # frozen_string_literal: true
 
+require "hachi"
+require "net/ping"
+
 module Mihari
   module Emitters
     class TheHive < Base
       # @return [true, false]
       def valid?
-        the_hive.valid?
+        api_endpont? && api_key? && ping?
       end
 
-      def emit(title:, description:, artifacts:, tags: [])
+      def emit(title:, description:, artifacts:, tags: [], **_options)
         return if artifacts.empty?
 
-        the_hive.alert.create(
+        api.alert.create(
           title: title,
           description: description,
-          artifacts: artifacts.map(&:to_h),
-          tags: tags
+          artifacts: artifacts.map { |artifact| { data: artifact.data, data_type: artifact.data_type, message: description } },
+          tags: tags,
+          type: "external",
+          source: "mihari"
         )
-
-        save_as_cache artifacts.map(&:data)
       end
 
       private
 
       def config_keys
-        %w(THEHIVE_API_ENDPOINT THEHIVE_API_KEY)
+        [Mihari.config.thehive_api_endpoint, Mihari.config.thehive_api_key]
       end
 
-      def the_hive
-        @the_hive ||= Mihari::TheHive.new
+      def api
+        @api ||= Hachi::API.new(api_endpoint: Mihari.config.thehive_api_endpoint, api_key: Mihari.config.thehive_api_key)
       end
 
-      def cache
-        @cache ||= Cache.new
+      # @return [true, false]
+      def api_endpont?
+        !Mihari.config.thehive_api_endpoint.nil?
       end
 
-      def save_as_cache(data)
-        cache.save data
+      # @return [true, false]
+      def api_key?
+        !Mihari.config.thehive_api_key.nil?
+      end
+
+      def ping?
+        base_url = Mihari.config.thehive_api_endpoint
+        base_url = base_url.end_with?("/") ? base_url[0..-2] : base_url
+        url = "#{base_url}/index.html"
+
+        http = Net::Ping::HTTP.new(url)
+        http.ping?
       end
     end
   end