RubyGems - mihari - Versions diffs - 0.2.1 → 0.2.2 - Mend

mihari 0.2.1 → 0.2.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

checksums.yaml +4 -4
data/README.md +21 -12
data/lib/mihari/analyzers/base.rb +11 -1
data/lib/mihari/analyzers/basic.rb +3 -1
data/lib/mihari/cli.rb +2 -1
data/lib/mihari/notifiers/the_hive.rb +7 -2
data/lib/mihari/the_hive.rb +9 -2
data/lib/mihari/version.rb +1 -1
metadata +2 -2

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 249e7df317ee9b52f8ea3b5cfd61907e01c0b70b212198c761d187d9e7632c05
-  data.tar.gz: '0286a744aac6c5572fb427167a221eab3021d7f2f640a7de80e8426cf9f79ca4'
+  metadata.gz: fca44bdfc7be51ca91f0daa4e7761b6f430e63c7eeb185b9a285180f38f9e688
+  data.tar.gz: acb42896cad9c436b0ee2fefc4d086fa44f299574244ae373e79c93a1496bba6
 SHA512:
-  metadata.gz: c962e2822a4202d4e0ad1566964363aaa4ec3aa9cfa70de3cebd263a2929d92b04d01c2825ce300206afcf7b8dc3baec679dd5c0d6fd3db484a82755457f3de1
-  data.tar.gz: 796f880fcc0c71cc0d11ee393dc710a9e647cbc545d950c9b4a350336284c17fe9c31438bd5f1344bec185b796782efd7bc82669e821b4e407ad39d3dd080a88
+  metadata.gz: 05b97240bb7e59483e8d5ecb68cb77c27ee41deebd42d9c948b796d550e41362cca972b8cea152b16f1c3b546bb14e95c7a0a74b5d3b9f8bd2f1c29f941220d7
+  data.tar.gz: 6e55ab64c2b43cd9efa20ee631b615ce834868461aef220fbba8bb1a873240a488b6e2f9ec88c29e4918ffcc1c286fbec47897a8e65948f81a12fe992de7cb0a

data/README.md CHANGED Viewed

@@ -12,6 +12,8 @@ mihari(`見張り`) is a framework for continuous malicious hosts (C2 / landing
     - mihari creates an alert with the artifacts on the TheHive instance.
     - mihari sends a notification to Slack. (Optional)
+Check this blog post for more detail: [Continuous C2 hunting with Censys, Shodan, Onyphe and TheHive](https://hackmd.io/s/SkUaSrqoE)
 ### Screenshots
 - TheHive alert example
@@ -66,21 +68,23 @@ mihari onyphe "YOUR QUERY"
 echo '{ "title": "test", "description": "test", "artifacts": ["1.1.1.1", "github.com", "2.2.2.2"] }' | mihari import_from_json
 ```
-The input is a JSON data should have `title`, `description` and `artifacts` key.
+The input is a JSON data should have `title`, `description` and `artifacts` key. `tags` key is an optional parameter.
 ```json
 {
   "title": "test",
   "description": "test",
-  "artifacts": ["1.1.1.1", "github.com"]
+  "artifacts": ["1.1.1.1", "github.com"],
+  "tags": ["test"]
 }
 ```
-| Key         | Desc.                                                                      |
-|-------------|----------------------------------------------------------------------------|
-| title       | A title of an alert                                                        |
-| description | A description of an alert                                                  |
-| artifacts   | An array of artifacts (supported data types: ip, domain, url, email, hash) |
+| Key         | Desc.                                                                      | Required or optional |
+|-------------|----------------------------------------------------------------------------|----------------------|
+| title       | A title of an alert                                                        | Required             |
+| description | A description of an alert                                                  | Required             |
+| artifacts   | An array of artifacts (supported data types: ip, domain, url, email, hash) | Required             |
+| tags        | An array of tags                                                           | Optional             |
 ## Configuration
@@ -101,11 +105,12 @@ All configuration is done via ENV variables.
 Create a class which extends `Mihari::Analyzers::Base` and implements the following methods.
-| Name           | Desc.                                                                      | @return       |
-|----------------|----------------------------------------------------------------------------|---------------|
-| `#title`       | A title of an alert                                                        | String        |
-| `#description` | A description of an alert                                                  | String        |
-| `#artifacts`   | An array of artifacts (supported data types: ip, domain, url, email, hash) | Array<String> |
+| Name           | Desc.                                                                      | @return       | Required or optional |
+|----------------|----------------------------------------------------------------------------|---------------|----------------------|
+| `#title`       | A title of an alert                                                        | String        | Required             |
+| `#description` | A description of an alert                                                  | String        | Required             |
+| `#artifacts`   | An array of artifacts (supported data types: ip, domain, url, email, hash) | Array<String> | Required             |
+| `#tags`        | An array of tags                                                           | Array<String> | Optional             |
 ```ruby
 require "mihari"
@@ -124,6 +129,10 @@ module Mihari
       def artifacts
         ["9.9.9.9", "example.com"]
       end
+      def tags
+        ["example"]
+      end
     end
   end
 end

data/lib/mihari/analyzers/base.rb CHANGED Viewed

@@ -24,6 +24,11 @@ module Mihari
         raise NotImplementedError, "You must implement #{self.class}##{__method__}"
       end
+      # @return [Array<String>]
+      def tags
+        []
+      end
       def run(reject_exists_ones: true)
         unique_artifacts = normalized_artifacts.reject do |artifact|
           reject_exists_ones & the_hive.valid? && the_hive.exists?(data: artifact.data, data_type: artifact.data_type)
@@ -33,7 +38,12 @@ module Mihari
           notifier = notifier_class.new
           next unless notifier.valid?
-          notifier.notify(title: title, description: description, artifacts: unique_artifacts)
+          notifier.notify(
+            title: title,
+            description: description,
+            artifacts: unique_artifacts,
+            tags: tags
+          )
         end
       end

data/lib/mihari/analyzers/basic.rb CHANGED Viewed

@@ -6,13 +6,15 @@ module Mihari
       attr_reader :title
       attr_reader :description
       attr_reader :artifacts
+      attr_reader :tags
-      def initialize(title:, description:, artifacts:)
+      def initialize(title:, description:, artifacts:, tags: [])
         super()
         @title = title
         @description = description
         @artifacts = artifacts
+        @tags = tags
       end
     end
   end

data/lib/mihari/cli.rb CHANGED Viewed

@@ -40,9 +40,10 @@ module Mihari
       title = json.dig("title")
       description = json.dig("description")
       artifacts = json.dig("artifacts")
+      tags = json.dig("tags") || []
       with_error_handling do
-        basic = Analyzers::Basic.new(title: title, description: description, artifacts: artifacts)
+        basic = Analyzers::Basic.new(title: title, description: description, artifacts: artifacts, tags: tags)
         basic.run
       end
     end

data/lib/mihari/notifiers/the_hive.rb CHANGED Viewed

@@ -14,10 +14,15 @@ module Mihari
         api.valid?
       end
-      def notify(title:, description:, artifacts:)
+      def notify(title:, description:, artifacts:, tags: [])
         return if artifacts.empty?
-        res = api.create_alert(title: title, description: description, artifacts: artifacts.map(&:to_h))
+        res = api.create_alert(
+          title: title,
+          description: description,
+          artifacts: artifacts.map(&:to_h),
+          tags: tags
+        )
         id = res.dig("id")
         puts "A new alret is created. (id: #{id})"
       end

data/lib/mihari/the_hive.rb CHANGED Viewed

@@ -34,8 +34,15 @@ module Mihari
     end
     # @return [Hash]
-    def create_alert(title:, description:, artifacts:)
-      api.alert.create(title: title, description: description, artifacts: artifacts, type: "external", source: "mihari")
+    def create_alert(title:, description:, artifacts:, tags: [])
+      api.alert.create(
+        title: title,
+        description: description,
+        artifacts: artifacts,
+        tags: tags,
+        type: "external",
+        source: "mihari"
+      )
     end
   end
 end

data/lib/mihari/version.rb CHANGED Viewed

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 module Mihari
-  VERSION = "0.2.1"
+  VERSION = "0.2.2"
 end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: mihari
 version: !ruby/object:Gem::Version
-  version: 0.2.1
+  version: 0.2.2
 platform: ruby
 authors:
 - Manabu Niseki
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2019-05-07 00:00:00.000000000 Z
+date: 2019-05-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler