mihari 0.2.5 → 0.3.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/README.md +8 -0
- data/lib/mihari.rb +1 -0
- data/lib/mihari/analyzers/urlscan.rb +43 -0
- data/lib/mihari/cli.rb +20 -16
- data/lib/mihari/the_hive.rb +15 -1
- data/lib/mihari/version.rb +1 -1
- data/mihari.gemspec +2 -0
- metadata +31 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: '00748afea4184f8ea3595e822be84acf14a97f78d7d91390013c7bc49d3792bc'
|
|
4
|
+
data.tar.gz: fb9f40550592648a4c4c9095aadf714efbea3f35de82f26f1fd2648c9c054409
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: bd032efa642aa96133776a8e1483f7e98485dd5c86395b2eec41c9c8806ebf300131c2a2cafa91c9a0027b08136679f4d6926016ad5d0504514bb657f2440de1
|
|
7
|
+
data.tar.gz: d77bebb5f059bc55e0a467f3547b5cd3148551d3101037cad0667a1568c8e2cec1f69ea8bee7bf86f71805909ed695073450a19296d39ae0c1c679762a8232f6
|
data/README.md
CHANGED
|
@@ -2,6 +2,7 @@
|
|
|
2
2
|
|
|
3
3
|
[](https://travis-ci.org/ninoseki/mihari)
|
|
4
4
|
[](https://coveralls.io/github/ninoseki/mihari?branch=master)
|
|
5
|
+
[](https://www.codefactor.io/repository/github/ninoseki/mihari)
|
|
5
6
|
|
|
6
7
|
mihari(`見張り`) is a framework for continuous malicious hosts (C2 / landing page / phishing, etc.) monitoring backended with [TheHive](https://github.com/TheHive-Project/TheHive).
|
|
7
8
|
|
|
@@ -42,6 +43,7 @@ Commands:
|
|
|
42
43
|
mihari import_from_json # Give a JSON input via STDIN
|
|
43
44
|
mihari onyphe [QUERY] # Onyphe datascan lookup by a given query
|
|
44
45
|
mihari shodan [QUERY] # Shodan host lookup by a given query
|
|
46
|
+
mihari urlscan [QUERY] # urlscan lookup by a given query
|
|
45
47
|
```
|
|
46
48
|
|
|
47
49
|
### Censys
|
|
@@ -62,6 +64,12 @@ mihari shodan "YOUR QUERY"
|
|
|
62
64
|
mihari onyphe "YOUR QUERY"
|
|
63
65
|
```
|
|
64
66
|
|
|
67
|
+
### urlscan.io
|
|
68
|
+
|
|
69
|
+
```bash
|
|
70
|
+
mihari urlscan "YOUR QUERY"
|
|
71
|
+
```
|
|
72
|
+
|
|
65
73
|
### Import from JSON
|
|
66
74
|
|
|
67
75
|
```bash
|
data/lib/mihari.rb
CHANGED
|
@@ -0,0 +1,43 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
|
|
3
|
+
require "urlscan"
|
|
4
|
+
|
|
5
|
+
module Mihari
|
|
6
|
+
module Analyzers
|
|
7
|
+
class Urlscan < Base
|
|
8
|
+
attr_reader :api
|
|
9
|
+
attr_reader :title
|
|
10
|
+
attr_reader :description
|
|
11
|
+
attr_reader :query
|
|
12
|
+
attr_reader :tags
|
|
13
|
+
|
|
14
|
+
def initialize(query, tags: [])
|
|
15
|
+
super()
|
|
16
|
+
|
|
17
|
+
@api = ::UrlScan::API.new
|
|
18
|
+
@query = query
|
|
19
|
+
@title = "urlscan lookup"
|
|
20
|
+
@description = "query = #{query}"
|
|
21
|
+
@tags = tags
|
|
22
|
+
end
|
|
23
|
+
|
|
24
|
+
def artifacts
|
|
25
|
+
result = search
|
|
26
|
+
return [] unless result
|
|
27
|
+
|
|
28
|
+
results = result.dig("results") || []
|
|
29
|
+
results.map do |match|
|
|
30
|
+
match.dig "task", "url"
|
|
31
|
+
end.compact
|
|
32
|
+
end
|
|
33
|
+
|
|
34
|
+
private
|
|
35
|
+
|
|
36
|
+
def search
|
|
37
|
+
api.search(query)
|
|
38
|
+
rescue ::UrlScan::ResponseError => _e
|
|
39
|
+
nil
|
|
40
|
+
end
|
|
41
|
+
end
|
|
42
|
+
end
|
|
43
|
+
end
|
data/lib/mihari/cli.rb
CHANGED
|
@@ -9,30 +9,32 @@ module Mihari
|
|
|
9
9
|
method_option :tags, type: :array, desc: "tags"
|
|
10
10
|
def censys(query)
|
|
11
11
|
tags = options.dig("tags") || []
|
|
12
|
-
|
|
13
|
-
|
|
14
|
-
censys.run
|
|
15
|
-
end
|
|
12
|
+
censys = Analyzers::Censys.new(query, tags: tags)
|
|
13
|
+
run_analyzer censys
|
|
16
14
|
end
|
|
17
15
|
|
|
18
16
|
desc "shodan [QUERY]", "Shodan host lookup by a given query"
|
|
19
17
|
method_option :tags, type: :array, desc: "tags"
|
|
20
18
|
def shodan(query)
|
|
21
19
|
tags = options.dig("tags") || []
|
|
22
|
-
|
|
23
|
-
|
|
24
|
-
shodan.run
|
|
25
|
-
end
|
|
20
|
+
shodan = Analyzers::Shodan.new(query, tags: tags)
|
|
21
|
+
run_analyzer shodan
|
|
26
22
|
end
|
|
27
23
|
|
|
28
24
|
desc "onyphe [QUERY]", "Onyphe datascan lookup by a given query"
|
|
29
25
|
method_option :tags, type: :array, desc: "tags"
|
|
30
26
|
def onyphe(query)
|
|
31
27
|
tags = options.dig("tags") || []
|
|
32
|
-
|
|
33
|
-
|
|
34
|
-
|
|
35
|
-
|
|
28
|
+
onyphe = Analyzers::Onyphe.new(query, tags: tags)
|
|
29
|
+
run_analyzer onyphe
|
|
30
|
+
end
|
|
31
|
+
|
|
32
|
+
desc "urlscan [QUERY]", "urlscan lookup by a given query"
|
|
33
|
+
method_option :tags, type: :array, desc: "tags"
|
|
34
|
+
def urlscan(query)
|
|
35
|
+
tags = options.dig("tags") || []
|
|
36
|
+
urlscan = Analyzers::Urlscan.new(query, tags: tags)
|
|
37
|
+
run_analyzer urlscan
|
|
36
38
|
end
|
|
37
39
|
|
|
38
40
|
desc "import_from_json", "Give a JSON input via STDIN"
|
|
@@ -48,10 +50,8 @@ module Mihari
|
|
|
48
50
|
artifacts = json.dig("artifacts")
|
|
49
51
|
tags = json.dig("tags") || []
|
|
50
52
|
|
|
51
|
-
|
|
52
|
-
|
|
53
|
-
basic.run
|
|
54
|
-
end
|
|
53
|
+
basic = Analyzers::Basic.new(title: title, description: description, artifacts: artifacts, tags: tags)
|
|
54
|
+
run_analyzer basic
|
|
55
55
|
end
|
|
56
56
|
|
|
57
57
|
no_commands do
|
|
@@ -64,6 +64,10 @@ module Mihari
|
|
|
64
64
|
puts e.backtrace.join('\n')
|
|
65
65
|
end
|
|
66
66
|
|
|
67
|
+
def run_analyzer(analyzer)
|
|
68
|
+
with_error_handling { analyzer.run }
|
|
69
|
+
end
|
|
70
|
+
|
|
67
71
|
def parse_as_json(input)
|
|
68
72
|
JSON.parse input
|
|
69
73
|
rescue JSON::ParserError => e
|
data/lib/mihari/the_hive.rb
CHANGED
|
@@ -1,5 +1,8 @@
|
|
|
1
1
|
# frozen_string_literal: true
|
|
2
2
|
|
|
3
|
+
require "net/ping"
|
|
4
|
+
require "uri"
|
|
5
|
+
|
|
3
6
|
module Mihari
|
|
4
7
|
class TheHive
|
|
5
8
|
# @return [true, false]
|
|
@@ -14,7 +17,7 @@ module Mihari
|
|
|
14
17
|
|
|
15
18
|
# @return [true, false]
|
|
16
19
|
def valid?
|
|
17
|
-
api_endpont? && api_key?
|
|
20
|
+
api_endpont? && api_key? && ping?
|
|
18
21
|
end
|
|
19
22
|
|
|
20
23
|
# @return [Hachi::API]
|
|
@@ -44,5 +47,16 @@ module Mihari
|
|
|
44
47
|
source: "mihari"
|
|
45
48
|
)
|
|
46
49
|
end
|
|
50
|
+
|
|
51
|
+
private
|
|
52
|
+
|
|
53
|
+
def ping?
|
|
54
|
+
base_url = ENV.fetch("THEHIVE_API_ENDPOINT")
|
|
55
|
+
base_url = base_url.end_with?("/") ? base_url[0..-2] : base_url
|
|
56
|
+
url = "#{base_url}/index.html"
|
|
57
|
+
|
|
58
|
+
http = Net::Ping::HTTP.new(url)
|
|
59
|
+
http.ping?
|
|
60
|
+
end
|
|
47
61
|
end
|
|
48
62
|
end
|
data/lib/mihari/version.rb
CHANGED
data/mihari.gemspec
CHANGED
|
@@ -36,9 +36,11 @@ Gem::Specification.new do |spec|
|
|
|
36
36
|
spec.add_dependency "email_address", "~> 0.1"
|
|
37
37
|
spec.add_dependency "hachi", "~> 0.1"
|
|
38
38
|
spec.add_dependency "mem", "~> 0.1"
|
|
39
|
+
spec.add_dependency "net-ping"
|
|
39
40
|
spec.add_dependency "onyphe", "~> 0.2"
|
|
40
41
|
spec.add_dependency "public_suffix", "~> 3.1"
|
|
41
42
|
spec.add_dependency "shodanx", "~> 0.1"
|
|
42
43
|
spec.add_dependency "slack-incoming-webhooks", "~> 0.2"
|
|
43
44
|
spec.add_dependency "thor", "~> 0.19"
|
|
45
|
+
spec.add_dependency "urlscan", "~> 0.2"
|
|
44
46
|
end
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: mihari
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.3.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Manabu Niseki
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: exe
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2019-
|
|
11
|
+
date: 2019-07-26 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: bundler
|
|
@@ -164,6 +164,20 @@ dependencies:
|
|
|
164
164
|
- - "~>"
|
|
165
165
|
- !ruby/object:Gem::Version
|
|
166
166
|
version: '0.1'
|
|
167
|
+
- !ruby/object:Gem::Dependency
|
|
168
|
+
name: net-ping
|
|
169
|
+
requirement: !ruby/object:Gem::Requirement
|
|
170
|
+
requirements:
|
|
171
|
+
- - ">="
|
|
172
|
+
- !ruby/object:Gem::Version
|
|
173
|
+
version: '0'
|
|
174
|
+
type: :runtime
|
|
175
|
+
prerelease: false
|
|
176
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
177
|
+
requirements:
|
|
178
|
+
- - ">="
|
|
179
|
+
- !ruby/object:Gem::Version
|
|
180
|
+
version: '0'
|
|
167
181
|
- !ruby/object:Gem::Dependency
|
|
168
182
|
name: onyphe
|
|
169
183
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -234,6 +248,20 @@ dependencies:
|
|
|
234
248
|
- - "~>"
|
|
235
249
|
- !ruby/object:Gem::Version
|
|
236
250
|
version: '0.19'
|
|
251
|
+
- !ruby/object:Gem::Dependency
|
|
252
|
+
name: urlscan
|
|
253
|
+
requirement: !ruby/object:Gem::Requirement
|
|
254
|
+
requirements:
|
|
255
|
+
- - "~>"
|
|
256
|
+
- !ruby/object:Gem::Version
|
|
257
|
+
version: '0.2'
|
|
258
|
+
type: :runtime
|
|
259
|
+
prerelease: false
|
|
260
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
261
|
+
requirements:
|
|
262
|
+
- - "~>"
|
|
263
|
+
- !ruby/object:Gem::Version
|
|
264
|
+
version: '0.2'
|
|
237
265
|
description: A framework for continuous malicious hosts monitoring.
|
|
238
266
|
email:
|
|
239
267
|
- manabu.niseki@gmail.com
|
|
@@ -260,6 +288,7 @@ files:
|
|
|
260
288
|
- lib/mihari/analyzers/censys.rb
|
|
261
289
|
- lib/mihari/analyzers/onyphe.rb
|
|
262
290
|
- lib/mihari/analyzers/shodan.rb
|
|
291
|
+
- lib/mihari/analyzers/urlscan.rb
|
|
263
292
|
- lib/mihari/artifact.rb
|
|
264
293
|
- lib/mihari/cli.rb
|
|
265
294
|
- lib/mihari/errors.rb
|