mihari 0.17.5 → 1.2.0

data/lib/mihari/alert_viewer.rb

@@ -2,40 +2,22 @@
 
 module Mihari
   class AlertViewer
-    attr_reader :limit
-    attr_reader :the_hive
-
-    ALERT_KEYS = %w(title description artifacts tags createdAt status).freeze
-
-    def initialize(limit: 5)
-      @limit = limit
-      validate_limit
-
-      @the_hive = TheHive.new
-      raise Error, "Cannot connect to the TheHive instance" unless the_hive.valid?
-    end
-
-    def list
-      range = limit == "all" ? "all" : "0-#{limit}"
-      alerts = the_hive.alert.list(range: range)
-      alerts.map { |alert| convert alert }
-    end
-
-    private
-
-    def validate_limit
-      return true if limit == "all"
-
-      raise ArgumentError, "limit should be bigger than zero" unless limit.to_i.positive?
-    end
-
-    def convert(alert)
-      attributes = alert.select { |k, _v| ALERT_KEYS.include? k }
-      attributes["createdAt"] = Time.at(attributes["createdAt"] / 1000).to_s
-      attributes["artifacts"] = (attributes.dig("artifacts") || []).map do |artifact|
-        artifact.dig("data")
-      end.sort
-      attributes
+    def list(title: nil, source: nil, tag: nil, limit: 5)
+      limit = limit.to_i
+      raise ArgumentError, "limit should be bigger than zero" unless limit.positive?
+
+      relation = Alert.includes(:tags, :artifacts)
+      relation = relation.where(title: title) if title
+      relation = relation.where(source: source) if source
+      relation = relation.where(tags: { name: tag } ) if tag
+
+      alerts = relation.limit(limit).order(id: :desc)
+      alerts.map do |alert|
+        json = AlertSerializer.new(alert).as_json
+        json[:artifacts] = (json.dig(:artifacts) || []).map { |artifact_| artifact_.dig(:data) }
+        json[:tags] = (json.dig(:tags) || []).map { |tag_| tag_.dig(:name) }
+        json
+      end
     end
   end
 end

data/lib/mihari/analyzers/base.rb

@@ -23,6 +23,10 @@ module Mihari
         raise NotImplementedError, "You must implement #{self.class}##{__method__}"
       end
 
+      def source
+        self.class.to_s.split("::").last
+      end
+
       # @return [Array<String>]
       def tags
         []
@@ -37,7 +41,7 @@ module Mihari
       end
 
       def run_emitter(emitter)
-        emitter.run(title: title, description: description, artifacts: unique_artifacts, tags: tags)
+        emitter.run(title: title, description: description, artifacts: unique_artifacts, source: source, tags: tags)
       rescue StandardError => e
         puts "Emission by #{emitter.class} is failed: #{e}"
       end
@@ -48,32 +52,16 @@ module Mihari
 
       private
 
-      def the_hive
-        @the_hive ||= TheHive.new
-      end
-
-      def cache
-        @cache ||= Cache.new
-      end
-
       # @return [Array<Mihari::Artifact>]
       def normalized_artifacts
         @normalized_artifacts ||= artifacts.compact.uniq.sort.map do |artifact|
-          artifact.is_a?(Artifact) ? artifact : Artifact.new(artifact)
+          artifact.is_a?(Artifact) ? artifact : Artifact.new(data: artifact)
         end.select(&:valid?)
       end
 
-      def uncached_artifacts
-        @uncached_artifacts ||= normalized_artifacts.reject do |artifact|
-          cache.cached? artifact.data
-        end
-      end
-
       # @return [Array<Mihari::Artifact>]
       def unique_artifacts
-        return uncached_artifacts unless the_hive.valid?
-
-        @unique_artifacts ||= the_hive.artifact.find_non_existing_artifacts(uncached_artifacts)
+        @unique_artifacts ||= normalized_artifacts.select(&:unique?)
       end
 
       def set_unique_artifacts

data/lib/mihari/analyzers/basic.rb

@@ -6,12 +6,14 @@ module Mihari
       attr_accessor :title
       attr_reader :description
       attr_reader :artifacts
+      attr_reader :source
       attr_reader :tags
 
-      def initialize(title:, description:, artifacts:, tags: [])
+      def initialize(title:, description:, artifacts:, source:, tags: [])
         @title = title
         @description = description
         @artifacts = artifacts
+        @source = source
         @tags = tags
       end
     end

data/lib/mihari/analyzers/binaryedge.rb

@@ -52,11 +52,11 @@ module Mihari
       end
 
       def config_keys
-        %w(BINARYEDGE_API_KEY)
+        %w(binaryedge_api_key)
       end
 
       def api
-        @api ||= ::BinaryEdge::API.new
+        @api ||= ::BinaryEdge::API.new(Mihari.config.binaryedge_api_key)
       end
     end
   end

data/lib/mihari/analyzers/censys.rb

@@ -86,11 +86,11 @@ module Mihari
       end
 
       def config_keys
-        %w(CENSYS_ID CENSYS_SECRET)
+        %w(censys_id censys_secret)
       end
 
       def api
-        @api ||= ::Censys::API.new
+        @api ||= ::Censys::API.new(Mihari.config.censys_id, Mihari.config.censys_secret)
       end
     end
   end

data/lib/mihari/analyzers/circl.rb

@@ -27,11 +27,11 @@ module Mihari
       private
 
       def config_keys
-        %w(CIRCL_PASSIVE_USERNAME CIRCL_PASSIVE_PASSWORD)
+        %w(circl_passive_password circl_passive_username)
       end
 
       def api
-        @api ||= ::PassiveCIRCL::API.new
+        @api ||= ::PassiveCIRCL::API.new(username: Mihari.config.circl_passive_username, password: Mihari.config.circl_passive_password)
       end
 
       def lookup

data/lib/mihari/analyzers/onyphe.rb

@@ -35,15 +35,15 @@ module Mihari
       PAGE_SIZE = 10
 
       def config_keys
-        %w(ONYPHE_API_KEY)
+        %w(onyphe_api_key)
       end
 
       def api
-        @api ||= ::Onyphe::API.new
+        @api ||= ::Onyphe::API.new(Mihari.config.onyphe_api_key)
       end
 
       def search_with_page(query, page: 1)
-        api.datascan(query, page: page)
+        api.simple.datascan(query, page: page)
       end
 
       def search

data/lib/mihari/analyzers/otx.rb

@@ -0,0 +1,74 @@
+# frozen_string_literal: true
+
+require "otx_ruby"
+
+module Mihari
+  module Analyzers
+    class OTX < Base
+      attr_reader :query
+      attr_reader :type
+
+      attr_reader :title
+      attr_reader :description
+      attr_reader :tags
+
+      def initialize(query, title: nil, description: nil, tags: [])
+        super()
+
+        @query = query
+        @type = TypeChecker.type(query)
+
+        @title = title || "OTX lookup"
+        @description = description || "query = #{query}"
+        @tags = tags
+      end
+
+      def artifacts
+        lookup || []
+      end
+
+      private
+
+      def config_keys
+        %w(otx_api_key)
+      end
+
+      def domain_client
+        @domain_client ||= ::OTX::Domain.new(Mihari.config.otx_api_key)
+      end
+
+      def ip_client
+        @ip_client ||= ::OTX::IP.new(Mihari.config.otx_api_key)
+      end
+
+      def valid_type?
+        %w(ip domain).include? type
+      end
+
+      def lookup
+        case type
+        when "domain"
+          domain_lookup
+        when "ip"
+          ip_lookup
+        else
+          raise InvalidInputError, "#{query}(type: #{type || 'unknown'}) is not supported." unless valid_type?
+        end
+      end
+
+      def domain_lookup
+        records = domain_client.get_passive_dns(query)
+        records.map do |record|
+          record.address if record.record_type == "A"
+        end.compact.uniq
+      end
+
+      def ip_lookup
+        records = ip_client.get_passive_dns(query)
+        records.map do |record|
+          record.hostname if record.record_type == "A"
+        end.compact.uniq
+      end
+    end
+  end
+end

data/lib/mihari/analyzers/passive_dns.rb

@@ -14,6 +14,7 @@ module Mihari
 
       ANALYZERS = [
         Mihari::Analyzers::CIRCL,
+        Mihari::Analyzers::OTX,
         Mihari::Analyzers::PassiveTotal,
         Mihari::Analyzers::Pulsedive,
         Mihari::Analyzers::SecurityTrails,
@@ -55,7 +56,7 @@ module Mihari
         analyzer.artifacts
       rescue ArgumentError, InvalidInputError => _e
         nil
-      rescue ::PassiveCIRCL::Error, ::PassiveTotal::Error, ::Pulsedive::ResponseError, ::SecurityTrails::Error, ::VirusTotal::Error => _e
+      rescue Faraday::Error, ::PassiveCIRCL::Error, ::PassiveTotal::Error, ::Pulsedive::ResponseError, ::SecurityTrails::Error, ::VirusTotal::Error => _e
         nil
       end
     end

data/lib/mihari/analyzers/passivetotal.rb

@@ -30,11 +30,11 @@ module Mihari
       private
 
       def config_keys
-        %w(PASSIVETOTAL_USERNAME PASSIVETOTAL_API_KEY)
+        %w(passivetotal_username passivetotal_api_key)
       end
 
       def api
-        @api ||= ::PassiveTotal::API.new
+        @api ||= ::PassiveTotal::API.new(username: Mihari.config.passivetotal_username, api_key: Mihari.config.passivetotal_api_key)
       end
 
       def valid_type?

data/lib/mihari/analyzers/pulsedive.rb

@@ -30,11 +30,11 @@ module Mihari
       private
 
       def config_keys
-        %w(PULSEDIVE_API_KEY)
+        %w(pulsedive_api_key)
       end
 
       def api
-        @api ||= ::Pulsedive::API.new
+        @api ||= ::Pulsedive::API.new(Mihari.config.pulsedive_api_key)
       end
 
       def valid_type?

data/lib/mihari/analyzers/securitytrails.rb

@@ -30,11 +30,11 @@ module Mihari
       private
 
       def config_keys
-        %w(SECURITYTRAILS_API_KEY)
+        %w(securitytrails_api_key)
       end
 
       def api
-        @api ||= ::SecurityTrails::API.new
+        @api ||= ::SecurityTrails::API.new(Mihari.config.securitytrails_api_key)
       end
 
       def valid_type?

data/lib/mihari/analyzers/securitytrails_domain_feed.rb

@@ -32,11 +32,11 @@ module Mihari
       private
 
       def config_keys
-        %w(SECURITYTRAILS_API_KEY)
+        %w(securitytrails_api_key)
       end
 
       def api
-        @api ||= ::SecurityTrails::API.new
+        @api ||= ::SecurityTrails::API.new(Mihari.config.securitytrails_api_key)
       end
 
       def valid_type?

data/lib/mihari/analyzers/shodan.rb

@@ -36,11 +36,11 @@ module Mihari
       PAGE_SIZE = 100
 
       def config_keys
-        %w(SHODAN_API_KEY)
+        %w(shodan_api_key)
       end
 
       def api
-        @api ||= ::Shodan::API.new
+        @api ||= ::Shodan::API.new(key: Mihari.config.shodan_api_key)
       end
 
       def search_with_page(query, page: 1)

data/lib/mihari/analyzers/virustotal.rb

@@ -30,11 +30,11 @@ module Mihari
       private
 
       def config_keys
-        %w(VIRUSTOTAL_API_KEY)
+        %w(virustotal_api_key)
       end
 
       def api
-        @api = ::VirusTotal::API.new
+        @api = ::VirusTotal::API.new(key: Mihari.config.virustotal_api_key)
       end
 
       def valid_type?

data/lib/mihari/analyzers/zoomeye.rb

@@ -41,11 +41,11 @@ module Mihari
       end
 
       def config_keys
-        %w(ZOOMEYE_USERNAME ZOOMEYE_PASSWORD)
+        %w(zoomeye_password zoomeye_username)
       end
 
       def api
-        @api ||= ::ZoomEye::API.new
+        @api ||= ::ZoomEye::API.new(username: Mihari.config.zoomeye_username, password: Mihari.config.zoomeye_password)
       end
 
       def convert_responses(responses)

data/lib/mihari/cli.rb

@@ -164,6 +164,16 @@ module Mihari
       end
     end
 
+    desc "otx [IP|DOMAIN]", "OTX lookup by an IP or domain"
+    method_option :title, type: :string, desc: "title"
+    method_option :description, type: :string, desc: "description"
+    method_option :tags, type: :array, desc: "tags"
+    def otx(domain)
+      with_error_handling do
+        run_analyzer Analyzers::OTX, query: refang(domain), options: options
+      end
+    end
+
     desc "passive_dns [IP|DOMAIN]", "Cross search with passive DNS services by an ip or domain"
     method_option :title, type: :string, desc: "title"
     method_option :description, type: :string, desc: "description"
@@ -242,17 +252,22 @@ module Mihari
         artifacts = json.dig("artifacts")
         tags = json.dig("tags") || []
 
-        basic = Analyzers::Basic.new(title: title, description: description, artifacts: artifacts, tags: tags)
+        basic = Analyzers::Basic.new(title: title, description: description, artifacts: artifacts, source: "json", tags: tags)
         basic.run
       end
     end
 
     desc "alerts", "Show the alerts on TheHive"
     method_option :limit, type: :string, default: "5", desc: "Number of alerts to show (or 'all' to show all the alerts)"
+    method_option :title, type: :string, desc: "Title to filter"
+    method_option :source, type: :string, desc: "Source to filter"
+    method_option :tag, type: :string, desc: "Tag to filter"
     def alerts
       with_error_handling do
-        viewer = AlertViewer.new(limit: options["limit"])
-        alerts = viewer.list
+        load_configuration
+
+        viewer = AlertViewer.new
+        alerts = viewer.list(limit: options["limit"], title: options["title"], source: options["source"], tag: options[:tag])
         puts JSON.pretty_generate(alerts)
       end
     end
@@ -261,6 +276,7 @@ module Mihari
     def status
       with_error_handling do
         load_configuration
+
         puts JSON.pretty_generate(Status.check)
       end
     end
@@ -286,7 +302,10 @@ module Mihari
 
       def load_configuration
         config = options["config"]
-        Config.load_from_yaml(config) if config
+        return unless config
+
+        Config.load_from_yaml(config)
+        Database.connect
       end
 
       def run_analyzer(analyzer_class, query:, options:)