mihari 0.17.5 → 1.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 004a0d8f2ddeda5059f6748657b786b9470a290eb4d593ff0bb0632ebb495d3d
-  data.tar.gz: c4f51acdb2dc76e52a445e382ce3c15b215b29f9abd860ca1c05fe814b24bf96
+  metadata.gz: 901c334bf0485bbb82a422a1900347e77e476143afaef3036c177ceadbb7e6c6
+  data.tar.gz: 3fd3663d4d05518b46f9d1a53d9d742b150a84ffba93aaf4d9ebdcbd93505342
 SHA512:
-  metadata.gz: f3d1b8959e726240a7257f999347ff2fc81b9bf359948dfc9f09a9edad66d76225f8a4e16b105d1bda2ee5675100e13705fdb448dc6986493234280f849c4637
-  data.tar.gz: 1b6dd5276812e5ba6f6c7997cb921acd261dbcced5af3599253b3995ced1450a8a998e8bdd88155ebe44ce3e724fb71da6e59fb72c2c6ed12222f1e1efd07dcc
+  metadata.gz: b97df59e99c969940ffe54a1ecf1e655f582ed4f2372c4e08feb3572fd7f38e767303911a4ec36151325da78415738a0f952f35dfbd010bd9dc6a1832635c78a
+  data.tar.gz: b092fdfa627a2ab2d2e4a71c4e070e1788fa496b3be6f64e038b332632adbdd4d70c2cae239e14814a31f03def374eb215f3cc580695af38d9562e1b2e1da4e1

data/.gitignore

@@ -54,3 +54,6 @@ Gemfile.lock
 
 # solargraph
 .solargraph.yml
+
+# SQLite
+*.db

data/.rubocop.yml

@@ -0,0 +1,155 @@
+# Relaxed.Ruby.Style
+## Version 2.5
+
+require:
+  - rubocop-performance
+
+Style/Alias:
+  Enabled: false
+  StyleGuide: https://relaxed.ruby.style/#stylealias
+
+Style/AsciiComments:
+  Enabled: false
+  StyleGuide: https://relaxed.ruby.style/#styleasciicomments
+
+Style/BeginBlock:
+  Enabled: false
+  StyleGuide: https://relaxed.ruby.style/#stylebeginblock
+
+Style/BlockDelimiters:
+  Enabled: false
+  StyleGuide: https://relaxed.ruby.style/#styleblockdelimiters
+
+Style/CommentAnnotation:
+  Enabled: false
+  StyleGuide: https://relaxed.ruby.style/#stylecommentannotation
+
+Style/Documentation:
+  Enabled: false
+  StyleGuide: https://relaxed.ruby.style/#styledocumentation
+
+Layout/DotPosition:
+  Enabled: false
+  StyleGuide: https://relaxed.ruby.style/#layoutdotposition
+
+Style/DoubleNegation:
+  Enabled: false
+  StyleGuide: https://relaxed.ruby.style/#styledoublenegation
+
+Style/EndBlock:
+  Enabled: false
+  StyleGuide: https://relaxed.ruby.style/#styleendblock
+
+Style/FormatString:
+  Enabled: false
+  StyleGuide: https://relaxed.ruby.style/#styleformatstring
+
+Style/IfUnlessModifier:
+  Enabled: false
+  StyleGuide: https://relaxed.ruby.style/#styleifunlessmodifier
+
+Style/Lambda:
+  Enabled: false
+  StyleGuide: https://relaxed.ruby.style/#stylelambda
+
+Style/ModuleFunction:
+  Enabled: false
+  StyleGuide: https://relaxed.ruby.style/#stylemodulefunction
+
+Style/MultilineBlockChain:
+  Enabled: false
+  StyleGuide: https://relaxed.ruby.style/#stylemultilineblockchain
+
+Style/NegatedIf:
+  Enabled: false
+  StyleGuide: https://relaxed.ruby.style/#stylenegatedif
+
+Style/NegatedWhile:
+  Enabled: false
+  StyleGuide: https://relaxed.ruby.style/#stylenegatedwhile
+
+Style/NumericPredicate:
+  Enabled: false
+  StyleGuide: https://relaxed.ruby.style/#stylenumericpredicate
+
+Style/ParallelAssignment:
+  Enabled: false
+  StyleGuide: https://relaxed.ruby.style/#styleparallelassignment
+
+Style/PercentLiteralDelimiters:
+  Enabled: false
+  StyleGuide: https://relaxed.ruby.style/#stylepercentliteraldelimiters
+
+Style/PerlBackrefs:
+  Enabled: false
+  StyleGuide: https://relaxed.ruby.style/#styleperlbackrefs
+
+Style/Semicolon:
+  Enabled: false
+  StyleGuide: https://relaxed.ruby.style/#stylesemicolon
+
+Style/SignalException:
+  Enabled: false
+  StyleGuide: https://relaxed.ruby.style/#stylesignalexception
+
+Style/SingleLineBlockParams:
+  Enabled: false
+  StyleGuide: https://relaxed.ruby.style/#stylesinglelineblockparams
+
+Style/SingleLineMethods:
+  Enabled: false
+  StyleGuide: https://relaxed.ruby.style/#stylesinglelinemethods
+
+Layout/SpaceBeforeBlockBraces:
+  Enabled: false
+  StyleGuide: https://relaxed.ruby.style/#layoutspacebeforeblockbraces
+
+Layout/SpaceInsideParens:
+  Enabled: false
+  StyleGuide: https://relaxed.ruby.style/#layoutspaceinsideparens
+
+Style/SpecialGlobalVars:
+  Enabled: false
+  StyleGuide: https://relaxed.ruby.style/#stylespecialglobalvars
+
+Style/StringLiterals:
+  Enabled: false
+  StyleGuide: https://relaxed.ruby.style/#stylestringliterals
+
+Style/TrailingCommaInArguments:
+  Enabled: false
+  StyleGuide: https://relaxed.ruby.style/#styletrailingcommainarguments
+
+Style/TrailingCommaInArrayLiteral:
+  Enabled: false
+  StyleGuide: https://relaxed.ruby.style/#styletrailingcommainarrayliteral
+
+Style/TrailingCommaInHashLiteral:
+  Enabled: false
+  StyleGuide: https://relaxed.ruby.style/#styletrailingcommainhashliteral
+
+Style/SymbolArray:
+  Enabled: false
+  StyleGuide: http://relaxed.ruby.style/#stylesymbolarray
+
+Style/WhileUntilModifier:
+  Enabled: false
+  StyleGuide: https://relaxed.ruby.style/#stylewhileuntilmodifier
+
+Style/WordArray:
+  Enabled: false
+  StyleGuide: https://relaxed.ruby.style/#stylewordarray
+
+Lint/AmbiguousRegexpLiteral:
+  Enabled: false
+  StyleGuide: https://relaxed.ruby.style/#lintambiguousregexpliteral
+
+Lint/AssignmentInCondition:
+  Enabled: false
+  StyleGuide: https://relaxed.ruby.style/#lintassignmentincondition
+
+Layout/LineLength:
+  Enabled: false
+
+Metrics:
+  Enabled: false

data/.travis.yml

@@ -1,7 +1,13 @@
 ---
-sudo: false
 language: ruby
 cache: bundler
+services:
+  - postgresql
 rvm:
   - 2.6
+  - 2.7
+env:
+  - DATABASE=":memory:"
+  - DATABASE="postgresql://postgres@0.0.0.0:5432/travis_ci_test"
 before_install: gem install bundler -v 2.1
+before_script: psql -c 'create database travis_ci_test;' -U postgres

data/Gemfile

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 source "https://rubygems.org"
 
 # Specify your gem's dependencies in mihari.gemspec

data/README.md

@@ -10,19 +10,15 @@ Mihari is a helper to run queries & manage results continuously. Mihari can be u
 
 ## How it works
 
-- Mihari makes a query against Shodan, Censys, VirusTotal, SecurityTrails, etc. and extracts artifacts from the results.
-- Mihari checks whether [TheHive](https://thehive-project.org/) contains the artifacts or not.
+- Mihari makes a query against Shodan, Censys, VirusTotal, SecurityTrails, etc. and extracts artifacts (IP addresses, domains, URLs and hashes) from the results.
+- Mihari checks whether a DB (SQLite3 or PostgreSQL) contains the artifacts or not.
   - If it doesn't contain the artifacts:
-    - Mihari creates an alert on TheHive.
+    - Mihari creates an alert on TheHive. (Optional)
     - Mihari sends a notification to Slack. (Optional)
     - Mihari creates an event on MISP. (Optional)
 
 ![img](https://github.com/ninoseki/mihari/raw/master/screenshots/eyecatch.png)
 
-Check this blog post for more details: [Continuous C2 hunting with Censys, Shodan, Onyphe and TheHive](https://hackmd.io/s/SkUaSrqoE).
-
-You can use mihari without TheHive but note that mihari depends on TheHive to manage artifacts. It means mihari might make duplications when without TheHive.
-
 ### Screenshots
 
 - TheHive alert example
@@ -37,6 +33,17 @@ You can use mihari without TheHive but note that mihari depends on TheHive to ma
 
 ![img](https://github.com/ninoseki/mihari/raw/master/screenshots/misp.png)
 
+## Requirements
+
+- Ruby 2.6+
+- SQLite3
+- libpq
+
+```bash
+# For Debian / Ubuntu
+apt-get install sqlite3 libsqlite3-dev libpq-dev
+```
+
 ## Installation
 
 ```bash
@@ -60,6 +67,7 @@ Mihari supports the following services by default.
 - [DN Pedia](https://dnpedia.com/)
 - [dnstwister](https://dnstwister.report/)
 - [Onyphe](https://onyphe.io)
+- [OTX](https://otx.alienvault.com/)
 - [PassiveTotal](https://community.riskiq.com/)
 - [SecurityTrails](https://securitytrails.com/)
 - [Shodan](https://shodan.io)
@@ -82,6 +90,7 @@ Commands:
   mihari http_hash                            # Cross search with search engines by a hash of an HTTP response (SHA256, MD5 and MurmurHash3)
   mihari import_from_json                     # Give a JSON input via STDIN
   mihari onyphe [QUERY]                       # Onyphe datascan search by a query
+  mihari otx [IP|DOMAIN]                      # OTX lookup by an IP or domain
   mihari passive_dns [IP|DOMAIN]              # Cross search with passive DNS services by an ip or domain
   mihari passive_ssl [SHA1]                   # Cross search with passive SSL services by an SHA1 certificate fingerprint
   mihari passivetotal [IP|DOMAIN|EMAIL|SHA1]  # PassiveTotal lookup by an ip, domain, email or SHA1 certificate fingerprint
@@ -109,7 +118,7 @@ You can get aggregated results by using the following commands.
 
 | Command         | Desc.                                                                                                   |
 |-----------------|---------------------------------------------------------------------------------------------------------|
-| passive_dns     | Passive DNS lookup with CIRCL passive DNS, PassiveTotal, Pulsedive, SecurityTrails and VirusTotal       |
+| passive_dns     | Passive DNS lookup with CIRCL passive DNS, OTX, PassiveTotal, Pulsedive, SecurityTrails and VirusTotal  |
 | passive_ssl     | Passive SSL lookup with CIRCL passive SSL and PassiveTotal                                              |
 | reverse_whois   | Revese Whois lookup with PassiveTotal and SecurityTrails                                                |
 | http_hash       | HTTP response hash lookup with BinaryEdge(SHA256), Censys(SHA256), Onyphpe(MD5) and Shodan(MurmurHash3) |
@@ -156,49 +165,13 @@ mihari http_hash --html /tmp/index.html
 
 ```bash
 # Censys lookup for PANDA C2
-$ mihari censys '("PANDA" AND "SMAdmin" AND "layui")' --title "PANDA C2"
-{
-  "title": "PANDA C2",
-  "description": "query = (\"PANDA\" AND \"SMAdmin\" AND \"layui\")",
-  "artifacts": [
-    "154.223.165.223",
-    "154.194.2.31",
-    "45.114.127.119",
-    "..."
-  ],
-  "tags": []
-}
+mihari censys '("PANDA" AND "SMAdmin" AND "layui")' --title "PANDA C2"
 
 # VirusTotal passive DNS lookup of a FAKESPY host
-$ mihari virustotal "jppost-hi.top" --title "FAKESPY host passive DNS results"
-{
-  "title": "FAKESPY host passive DNS results",
-  "description": "indicator = jppost-hi.top",
-  "artifacts": [
-    "185.22.152.28",
-    "192.236.200.44",
-    "193.148.69.12",
-    "..."
-  ],
-  "tags": []
-}
+mihari virustotal "jppost-hi.top" --title "FAKESPY passive DNS"
 
 # You can pass a "defanged" indicator as an input
-$ mihari virustotal "jppost-hi[.]top" --title "FAKESPY host passive DNS results"
-
-# SecurityTrails domain feed lookup for finding (possibly) Apple phishing websites
-$ mihari securitytrails_domain_feed "apple-" --type new
-{
-  "title": "SecurityTrails domain feed lookup",
-  "description": "Regexp = /apple-/",
-  "artifacts": [
-    "apple-sign.online",
-    "apple-log-in.com",
-    "apple-locator-id.info",
-    "..."
-  ],
-  "tags": []
-}
+mihari virustotal "jppost-hi[.]top" --title "FAKESPY passive DNS"
 ```
 
 ### Import from JSON
@@ -229,28 +202,30 @@ The input is a JSON data should have `title`, `description` and `artifacts` key.
 
 Configuration can be done via environment variables or a YAML file.
 
-| Key                    | Desc.                          | Recommended or optional        |
-|------------------------|--------------------------------|--------------------------------|
-| THEHIVE_API_ENDPOINT   | TheHive URL                    | Recommended                    |
-| THEHIVE_API_KEY        | TheHive API key                | Recommended                    |
-| MISP_API_ENDPOINT      | MISP URL                       | Optional                       |
-| MISP_API_KEY           | MISP API key                   | Optional                       |
-| SLACK_WEBHOOK_URL      | Slack Webhook URL              | Optional                       |
-| SLACK_CHANNEL          | Slack channel name             | Optional (default: `#general`) |
-| BINARYEDGE_API_KEY     | BinaryEdge API key             | Optional                       |
-| CENSYS_ID              | Censys API ID                  | Optional                       |
-| CENSYS_SECRET          | Censys secret                  | Optional                       |
-| CIRCL_PASSIVE_PASSWORD | CIRCL passive DNS/SSL password | Optional                       |
-| CIRCL_PASSIVE_USERNAME | CIRCL passive DNS/SSL username | Optional                       |
-| ONYPHE_API_KEY         | Onyphe API key                 | Optional                       |
-| PASSIVETOTAL_API_KEY   | PassiveTotal API key           | Optional                       |
-| PASSIVETOTAL_USERNAME  | PassiveTotal username          | Optional                       |
-| PULSEDIVE_API_KEY      | Pulsedive API key              | Optional                       |
-| SECURITYTRAILS_API_KEY | SecurityTrails API key         | Optional                       |
-| SHODAN_API_KEY         | Shodan API key                 | Optional                       |
-| VIRUSTOTAL_API_KEY     | VirusTotal API key             | Optional                       |
-| ZOOMEYE_USERNAMME      | ZoomEye username               | Optional                       |
-| ZOOMEYE_PASSWORD       | ZoomEye password               | Optional                       |
+| Key                    | Description                                                                                     | Default     |
+|------------------------|-------------------------------------------------------------------------------------------------|-------------|
+| DATABASE               | A path to the SQLite database or a DB URL (e.g. `postgres://postgres:pass@db.host:5432/somedb`) | `mihari.db` |
+| BINARYEDGE_API_KEY     | BinaryEdge API key                                                                              |             |
+| CENSYS_ID              | Censys API ID                                                                                   |             |
+| CENSYS_SECRET          | Censys secret                                                                                   |             |
+| CIRCL_PASSIVE_PASSWORD | CIRCL passive DNS/SSL password                                                                  |             |
+| CIRCL_PASSIVE_USERNAME | CIRCL passive DNS/SSL username                                                                  |             |
+| MISP_API_ENDPOINT      | MISP URL                                                                                        |             |
+| MISP_API_KEY           | MISP API key                                                                                    |             |
+| ONYPHE_API_KEY         | Onyphe API key                                                                                  |             |
+| OTX_API_KEY            | OTX API key                                                                                     |             |
+| PASSIVETOTAL_API_KEY   | PassiveTotal API key                                                                            |             |
+| PASSIVETOTAL_USERNAME  | PassiveTotal username                                                                           |             |
+| PULSEDIVE_API_KEY      | Pulsedive API key                                                                               |             |
+| SECURITYTRAILS_API_KEY | SecurityTrails API key                                                                          |             |
+| SHODAN_API_KEY         | Shodan API key                                                                                  |             |
+| SLACK_CHANNEL          | Slack channel name                                                                              | `#general`  |
+| SLACK_WEBHOOK_URL      | Slack Webhook URL                                                                               |             |
+| THEHIVE_API_ENDPOINT   | TheHive URL                                                                                     |             |
+| THEHIVE_API_KEY        | TheHive API key                                                                                 |             |
+| VIRUSTOTAL_API_KEY     | VirusTotal API key                                                                              |             |
+| ZOOMEYE_PASSWORD       | ZoomEye password                                                                                |             |
+| ZOOMEYE_USERNAMME      | ZoomEye username                                                                                |             |
 
 Instead of using environment variables, you can use a YAML file for configuration.
 
@@ -261,6 +236,7 @@ mihari virustotal 1.1.1.1 --config /path/to/yaml.yml
 The YAML file should be a YAML hash like below:
 
 ```yaml
+database: /tmp/mihari.db
 thehive_api_endpoint: https://localhost
 thehive_api_key: foo
 virustotal_api_key: foo
@@ -314,10 +290,6 @@ example.run
 
 See `/examples` for more.
 
-## Caching
-
-Mihari caches execution results in `/tmp/mihari` and the default cache duration is 7 days. If you want to clear the cache, please clear `/tmp/mihari`.
-
 ## Using it with Docker
 
 ```bash

data/config/pre_commit.yml

@@ -0,0 +1,3 @@
+---
+:checks_add:
+  - :rubocop

data/docker/Dockerfile

@@ -1,5 +1,5 @@
 FROM ruby:2.6-alpine3.10
-RUN apk --no-cache add git build-base ruby-dev \
+RUN apk --no-cache add git build-base ruby-dev sqlite-dev postgresql-dev \
   && cd /tmp/ \
   && git clone https://github.com/ninoseki/mihari.git \
   && cd mihari \

data/lib/mihari.rb

@@ -19,24 +19,27 @@ module Mihari
 end
 
 require "mihari/version"
-
 require "mihari/errors"
 
-require "mihari/artifact"
-require "mihari/cache"
 require "mihari/config"
+
+require "mihari/database"
 require "mihari/type_checker"
 
+require "mihari/models/alert"
+require "mihari/models/artifact"
+require "mihari/models/tag"
+require "mihari/models/tagging"
+
+require "mihari/serializers/alert"
+require "mihari/serializers/artifact"
+require "mihari/serializers/tag"
+
 require "mihari/html"
 
 require "mihari/configurable"
 require "mihari/retriable"
 
-require "mihari/the_hive/base"
-require "mihari/the_hive/alert"
-require "mihari/the_hive/artifact"
-require "mihari/the_hive"
-
 require "mihari/analyzers/base"
 require "mihari/analyzers/basic"
 
@@ -47,6 +50,7 @@ require "mihari/analyzers/crtsh"
 require "mihari/analyzers/dnpedia"
 require "mihari/analyzers/dnstwister"
 require "mihari/analyzers/onyphe"
+require "mihari/analyzers/otx"
 require "mihari/analyzers/passivetotal"
 require "mihari/analyzers/pulsedive"
 require "mihari/analyzers/securitytrails_domain_feed"
@@ -68,6 +72,7 @@ require "mihari/notifiers/slack"
 require "mihari/notifiers/exception_notifier"
 
 require "mihari/emitters/base"
+require "mihari/emitters/database"
 require "mihari/emitters/misp"
 require "mihari/emitters/slack"
 require "mihari/emitters/stdout"