mihari 0.2.5 → 0.3.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/README.md +8 -0
- data/lib/mihari.rb +1 -0
- data/lib/mihari/analyzers/urlscan.rb +43 -0
- data/lib/mihari/cli.rb +20 -16
- data/lib/mihari/the_hive.rb +15 -1
- data/lib/mihari/version.rb +1 -1
- data/mihari.gemspec +2 -0
- metadata +31 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: '00748afea4184f8ea3595e822be84acf14a97f78d7d91390013c7bc49d3792bc'
|
|
4
|
+
data.tar.gz: fb9f40550592648a4c4c9095aadf714efbea3f35de82f26f1fd2648c9c054409
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: bd032efa642aa96133776a8e1483f7e98485dd5c86395b2eec41c9c8806ebf300131c2a2cafa91c9a0027b08136679f4d6926016ad5d0504514bb657f2440de1
|
|
7
|
+
data.tar.gz: d77bebb5f059bc55e0a467f3547b5cd3148551d3101037cad0667a1568c8e2cec1f69ea8bee7bf86f71805909ed695073450a19296d39ae0c1c679762a8232f6
|
data/README.md
CHANGED
|
@@ -2,6 +2,7 @@
|
|
|
2
2
|
|
|
3
3
|
[](https://travis-ci.org/ninoseki/mihari)
|
|
4
4
|
[](https://coveralls.io/github/ninoseki/mihari?branch=master)
|
|
5
|
+
[](https://www.codefactor.io/repository/github/ninoseki/mihari)
|
|
5
6
|
|
|
6
7
|
mihari(`見張り`) is a framework for continuous malicious hosts (C2 / landing page / phishing, etc.) monitoring backended with [TheHive](https://github.com/TheHive-Project/TheHive).
|
|
7
8
|
|
|
@@ -42,6 +43,7 @@ Commands:
|
|
|
42
43
|
mihari import_from_json # Give a JSON input via STDIN
|
|
43
44
|
mihari onyphe [QUERY] # Onyphe datascan lookup by a given query
|
|
44
45
|
mihari shodan [QUERY] # Shodan host lookup by a given query
|
|
46
|
+
mihari urlscan [QUERY] # urlscan lookup by a given query
|
|
45
47
|
```
|
|
46
48
|
|
|
47
49
|
### Censys
|
|
@@ -62,6 +64,12 @@ mihari shodan "YOUR QUERY"
|
|
|
62
64
|
mihari onyphe "YOUR QUERY"
|
|
63
65
|
```
|
|
64
66
|
|
|
67
|
+
### urlscan.io
|
|
68
|
+
|
|
69
|
+
```bash
|
|
70
|
+
mihari urlscan "YOUR QUERY"
|
|
71
|
+
```
|
|
72
|
+
|
|
65
73
|
### Import from JSON
|
|
66
74
|
|
|
67
75
|
```bash
|
data/lib/mihari.rb
CHANGED
|
@@ -0,0 +1,43 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
|
|
3
|
+
require "urlscan"
|
|
4
|
+
|
|
5
|
+
module Mihari
|
|
6
|
+
module Analyzers
|
|
7
|
+
class Urlscan < Base
|
|
8
|
+
attr_reader :api
|
|
9
|
+
attr_reader :title
|
|
10
|
+
attr_reader :description
|
|
11
|
+
attr_reader :query
|
|
12
|
+
attr_reader :tags
|
|
13
|
+
|
|
14
|
+
def initialize(query, tags: [])
|
|
15
|
+
super()
|
|
16
|
+
|
|
17
|
+
@api = ::UrlScan::API.new
|
|
18
|
+
@query = query
|
|
19
|
+
@title = "urlscan lookup"
|
|
20
|
+
@description = "query = #{query}"
|
|
21
|
+
@tags = tags
|
|
22
|
+
end
|
|
23
|
+
|
|
24
|
+
def artifacts
|
|
25
|
+
result = search
|
|
26
|
+
return [] unless result
|
|
27
|
+
|
|
28
|
+
results = result.dig("results") || []
|
|
29
|
+
results.map do |match|
|
|
30
|
+
match.dig "task", "url"
|
|
31
|
+
end.compact
|
|
32
|
+
end
|
|
33
|
+
|
|
34
|
+
private
|
|
35
|
+
|
|
36
|
+
def search
|
|
37
|
+
api.search(query)
|
|
38
|
+
rescue ::UrlScan::ResponseError => _e
|
|
39
|
+
nil
|
|
40
|
+
end
|
|
41
|
+
end
|
|
42
|
+
end
|
|
43
|
+
end
|
data/lib/mihari/cli.rb
CHANGED
|
@@ -9,30 +9,32 @@ module Mihari
|
|
|
9
9
|
method_option :tags, type: :array, desc: "tags"
|
|
10
10
|
def censys(query)
|
|
11
11
|
tags = options.dig("tags") || []
|
|
12
|
-
|
|
13
|
-
|
|
14
|
-
censys.run
|
|
15
|
-
end
|
|
12
|
+
censys = Analyzers::Censys.new(query, tags: tags)
|
|
13
|
+
run_analyzer censys
|
|
16
14
|
end
|
|
17
15
|
|
|
18
16
|
desc "shodan [QUERY]", "Shodan host lookup by a given query"
|
|
19
17
|
method_option :tags, type: :array, desc: "tags"
|
|
20
18
|
def shodan(query)
|
|
21
19
|
tags = options.dig("tags") || []
|
|
22
|
-
|
|
23
|
-
|
|
24
|
-
shodan.run
|
|
25
|
-
end
|
|
20
|
+
shodan = Analyzers::Shodan.new(query, tags: tags)
|
|
21
|
+
run_analyzer shodan
|
|
26
22
|
end
|
|
27
23
|
|
|
28
24
|
desc "onyphe [QUERY]", "Onyphe datascan lookup by a given query"
|
|
29
25
|
method_option :tags, type: :array, desc: "tags"
|
|
30
26
|
def onyphe(query)
|
|
31
27
|
tags = options.dig("tags") || []
|
|
32
|
-
|
|
33
|
-
|
|
34
|
-
|
|
35
|
-
|
|
28
|
+
onyphe = Analyzers::Onyphe.new(query, tags: tags)
|
|
29
|
+
run_analyzer onyphe
|
|
30
|
+
end
|
|
31
|
+
|
|
32
|
+
desc "urlscan [QUERY]", "urlscan lookup by a given query"
|
|
33
|
+
method_option :tags, type: :array, desc: "tags"
|
|
34
|
+
def urlscan(query)
|
|
35
|
+
tags = options.dig("tags") || []
|
|
36
|
+
urlscan = Analyzers::Urlscan.new(query, tags: tags)
|
|
37
|
+
run_analyzer urlscan
|
|
36
38
|
end
|
|
37
39
|
|
|
38
40
|
desc "import_from_json", "Give a JSON input via STDIN"
|
|
@@ -48,10 +50,8 @@ module Mihari
|
|
|
48
50
|
artifacts = json.dig("artifacts")
|
|
49
51
|
tags = json.dig("tags") || []
|
|
50
52
|
|
|
51
|
-
|
|
52
|
-
|
|
53
|
-
basic.run
|
|
54
|
-
end
|
|
53
|
+
basic = Analyzers::Basic.new(title: title, description: description, artifacts: artifacts, tags: tags)
|
|
54
|
+
run_analyzer basic
|
|
55
55
|
end
|
|
56
56
|
|
|
57
57
|
no_commands do
|
|
@@ -64,6 +64,10 @@ module Mihari
|
|
|
64
64
|
puts e.backtrace.join('\n')
|
|
65
65
|
end
|
|
66
66
|
|
|
67
|
+
def run_analyzer(analyzer)
|
|
68
|
+
with_error_handling { analyzer.run }
|
|
69
|
+
end
|
|
70
|
+
|
|
67
71
|
def parse_as_json(input)
|
|
68
72
|
JSON.parse input
|
|
69
73
|
rescue JSON::ParserError => e
|
data/lib/mihari/the_hive.rb
CHANGED
|
@@ -1,5 +1,8 @@
|
|
|
1
1
|
# frozen_string_literal: true
|
|
2
2
|
|
|
3
|
+
require "net/ping"
|
|
4
|
+
require "uri"
|
|
5
|
+
|
|
3
6
|
module Mihari
|
|
4
7
|
class TheHive
|
|
5
8
|
# @return [true, false]
|
|
@@ -14,7 +17,7 @@ module Mihari
|
|
|
14
17
|
|
|
15
18
|
# @return [true, false]
|
|
16
19
|
def valid?
|
|
17
|
-
api_endpont? && api_key?
|
|
20
|
+
api_endpont? && api_key? && ping?
|
|
18
21
|
end
|
|
19
22
|
|
|
20
23
|
# @return [Hachi::API]
|
|
@@ -44,5 +47,16 @@ module Mihari
|
|
|
44
47
|
source: "mihari"
|
|
45
48
|
)
|
|
46
49
|
end
|
|
50
|
+
|
|
51
|
+
private
|
|
52
|
+
|
|
53
|
+
def ping?
|
|
54
|
+
base_url = ENV.fetch("THEHIVE_API_ENDPOINT")
|
|
55
|
+
base_url = base_url.end_with?("/") ? base_url[0..-2] : base_url
|
|
56
|
+
url = "#{base_url}/index.html"
|
|
57
|
+
|
|
58
|
+
http = Net::Ping::HTTP.new(url)
|
|
59
|
+
http.ping?
|
|
60
|
+
end
|
|
47
61
|
end
|
|
48
62
|
end
|
data/lib/mihari/version.rb
CHANGED
data/mihari.gemspec
CHANGED
|
@@ -36,9 +36,11 @@ Gem::Specification.new do |spec|
|
|
|
36
36
|
spec.add_dependency "email_address", "~> 0.1"
|
|
37
37
|
spec.add_dependency "hachi", "~> 0.1"
|
|
38
38
|
spec.add_dependency "mem", "~> 0.1"
|
|
39
|
+
spec.add_dependency "net-ping"
|
|
39
40
|
spec.add_dependency "onyphe", "~> 0.2"
|
|
40
41
|
spec.add_dependency "public_suffix", "~> 3.1"
|
|
41
42
|
spec.add_dependency "shodanx", "~> 0.1"
|
|
42
43
|
spec.add_dependency "slack-incoming-webhooks", "~> 0.2"
|
|
43
44
|
spec.add_dependency "thor", "~> 0.19"
|
|
45
|
+
spec.add_dependency "urlscan", "~> 0.2"
|
|
44
46
|
end
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: mihari
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.3.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Manabu Niseki
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: exe
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2019-
|
|
11
|
+
date: 2019-07-26 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: bundler
|
|
@@ -164,6 +164,20 @@ dependencies:
|
|
|
164
164
|
- - "~>"
|
|
165
165
|
- !ruby/object:Gem::Version
|
|
166
166
|
version: '0.1'
|
|
167
|
+
- !ruby/object:Gem::Dependency
|
|
168
|
+
name: net-ping
|
|
169
|
+
requirement: !ruby/object:Gem::Requirement
|
|
170
|
+
requirements:
|
|
171
|
+
- - ">="
|
|
172
|
+
- !ruby/object:Gem::Version
|
|
173
|
+
version: '0'
|
|
174
|
+
type: :runtime
|
|
175
|
+
prerelease: false
|
|
176
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
177
|
+
requirements:
|
|
178
|
+
- - ">="
|
|
179
|
+
- !ruby/object:Gem::Version
|
|
180
|
+
version: '0'
|
|
167
181
|
- !ruby/object:Gem::Dependency
|
|
168
182
|
name: onyphe
|
|
169
183
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -234,6 +248,20 @@ dependencies:
|
|
|
234
248
|
- - "~>"
|
|
235
249
|
- !ruby/object:Gem::Version
|
|
236
250
|
version: '0.19'
|
|
251
|
+
- !ruby/object:Gem::Dependency
|
|
252
|
+
name: urlscan
|
|
253
|
+
requirement: !ruby/object:Gem::Requirement
|
|
254
|
+
requirements:
|
|
255
|
+
- - "~>"
|
|
256
|
+
- !ruby/object:Gem::Version
|
|
257
|
+
version: '0.2'
|
|
258
|
+
type: :runtime
|
|
259
|
+
prerelease: false
|
|
260
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
261
|
+
requirements:
|
|
262
|
+
- - "~>"
|
|
263
|
+
- !ruby/object:Gem::Version
|
|
264
|
+
version: '0.2'
|
|
237
265
|
description: A framework for continuous malicious hosts monitoring.
|
|
238
266
|
email:
|
|
239
267
|
- manabu.niseki@gmail.com
|
|
@@ -260,6 +288,7 @@ files:
|
|
|
260
288
|
- lib/mihari/analyzers/censys.rb
|
|
261
289
|
- lib/mihari/analyzers/onyphe.rb
|
|
262
290
|
- lib/mihari/analyzers/shodan.rb
|
|
291
|
+
- lib/mihari/analyzers/urlscan.rb
|
|
263
292
|
- lib/mihari/artifact.rb
|
|
264
293
|
- lib/mihari/cli.rb
|
|
265
294
|
- lib/mihari/errors.rb
|