mihari 0.6.0 → 0.7.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/README.md +23 -20
- data/lib/mihari.rb +2 -0
- data/lib/mihari/analyzers/crtsh.rb +38 -0
- data/lib/mihari/analyzers/securitytrails.rb +69 -0
- data/lib/mihari/cli.rb +20 -0
- data/lib/mihari/status.rb +12 -3
- data/lib/mihari/version.rb +1 -1
- data/mihari.gemspec +2 -0
- metadata +32 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 288de64c354401afb06966aeff20d8cbf16ad7c2fa7ba16fe3caffc473885a48
|
|
4
|
+
data.tar.gz: 70416695adc834d0cb3b52410fa9665a163708d2be6e3544dde41f821e37e88b
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: a6042c43edc0817d926683694ed98decc52d35b3177b312bd36d2573b818a99add3a3a8317ae08f5a7172249422335f266595382828428fde7e5ea7017205407
|
|
7
|
+
data.tar.gz: 51135d5070b5f1697e0a51495de13b2e34c4e1eea2f91989ea2ae5301e65d851f52e7a963edaa7d5480f83ef720f893de404ee32ee30c458353fa9a9b1ef392b
|
data/README.md
CHANGED
|
@@ -39,15 +39,17 @@ mihari supports Censys, Shodan, Onyphe, urlscan and VirusTotal by default.
|
|
|
39
39
|
```bash
|
|
40
40
|
$ mihari
|
|
41
41
|
Commands:
|
|
42
|
-
mihari alerts
|
|
43
|
-
mihari censys [QUERY]
|
|
44
|
-
mihari
|
|
45
|
-
mihari
|
|
46
|
-
mihari
|
|
47
|
-
mihari
|
|
48
|
-
mihari
|
|
49
|
-
mihari
|
|
50
|
-
mihari
|
|
42
|
+
mihari alerts # Show the alerts on TheHive
|
|
43
|
+
mihari censys [QUERY] # Censys IPv4 lookup by a given query
|
|
44
|
+
mihari crtsh [QUERY] # crt.sh lookup by a given query
|
|
45
|
+
mihari help [COMMAND] # Describe available commands or one specific command
|
|
46
|
+
mihari import_from_json # Give a JSON input via STDIN
|
|
47
|
+
mihari onyphe [QUERY] # Onyphe datascan lookup by a given query
|
|
48
|
+
mihari securitytrails [IP|DOMAIN] # SecurityTrails resolutions lookup by a given ip or domain
|
|
49
|
+
mihari shodan [QUERY] # Shodan host lookup by a given query
|
|
50
|
+
mihari status # Show the current configuration status
|
|
51
|
+
mihari urlscan [QUERY] # urlscan lookup by a given query
|
|
52
|
+
mihari virustotal [IP|DOMAIN] # VirusTotal resolutions lookup by a given ip or domain
|
|
51
53
|
|
|
52
54
|
```
|
|
53
55
|
|
|
@@ -79,17 +81,18 @@ The input is a JSON data should have `title`, `description` and `artifacts` key.
|
|
|
79
81
|
|
|
80
82
|
All configuration is done via ENV variables.
|
|
81
83
|
|
|
82
|
-
| Key
|
|
83
|
-
|
|
84
|
-
| THEHIVE_API_ENDPOINT
|
|
85
|
-
| THEHIVE_API_KEY
|
|
86
|
-
| SLACK_WEBHOOK_URL
|
|
87
|
-
| SLACK_CHANNEL
|
|
88
|
-
| CENSYS_ID
|
|
89
|
-
| CENSYS_SECRET
|
|
90
|
-
|
|
|
91
|
-
|
|
|
92
|
-
|
|
|
84
|
+
| Key | Desc. | Required or optional |
|
|
85
|
+
|------------------------|------------------------|--------------------------------|
|
|
86
|
+
| THEHIVE_API_ENDPOINT | TheHive URL | Required |
|
|
87
|
+
| THEHIVE_API_KEY | TheHive API key | Required |
|
|
88
|
+
| SLACK_WEBHOOK_URL | Slack Webhook URL | Optional |
|
|
89
|
+
| SLACK_CHANNEL | Slack channel name | Optional (default: `#general`) |
|
|
90
|
+
| CENSYS_ID | Censys API ID | Optional |
|
|
91
|
+
| CENSYS_SECRET | Censys secret | Optional |
|
|
92
|
+
| ONYPHE_API_KEY | Onyphe API key | Optional |
|
|
93
|
+
| SECURITYTRAILS_API_KEY | SecurityTrails API key | Optional |
|
|
94
|
+
| SHODAN_API_KEY | Shodan API key | Optional |
|
|
95
|
+
| VIRUSTOTAL_API_KEY | VirusTotal API key | Optional |
|
|
93
96
|
|
|
94
97
|
## How to create a custom analyzer
|
|
95
98
|
|
data/lib/mihari.rb
CHANGED
|
@@ -28,7 +28,9 @@ require "mihari/the_hive"
|
|
|
28
28
|
require "mihari/analyzers/base"
|
|
29
29
|
require "mihari/analyzers/basic"
|
|
30
30
|
require "mihari/analyzers/censys"
|
|
31
|
+
require "mihari/analyzers/crtsh"
|
|
31
32
|
require "mihari/analyzers/onyphe"
|
|
33
|
+
require "mihari/analyzers/securitytrails"
|
|
32
34
|
require "mihari/analyzers/shodan"
|
|
33
35
|
require "mihari/analyzers/urlscan"
|
|
34
36
|
require "mihari/analyzers/virustotal"
|
|
@@ -0,0 +1,38 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
|
|
3
|
+
require "crtsh"
|
|
4
|
+
|
|
5
|
+
module Mihari
|
|
6
|
+
module Analyzers
|
|
7
|
+
class Crtsh < Base
|
|
8
|
+
attr_reader :api
|
|
9
|
+
attr_reader :title
|
|
10
|
+
attr_reader :description
|
|
11
|
+
attr_reader :query
|
|
12
|
+
attr_reader :tags
|
|
13
|
+
|
|
14
|
+
def initialize(query, title: nil, description: nil, tags: [])
|
|
15
|
+
super()
|
|
16
|
+
|
|
17
|
+
@api = ::Crtsh::API.new
|
|
18
|
+
@query = query
|
|
19
|
+
@title = title || "crt.sh lookup"
|
|
20
|
+
@description = description || "query = #{query}"
|
|
21
|
+
@tags = tags
|
|
22
|
+
end
|
|
23
|
+
|
|
24
|
+
def artifacts
|
|
25
|
+
results = search
|
|
26
|
+
results.map { |result| result.dig("name_value") }.compact.uniq
|
|
27
|
+
end
|
|
28
|
+
|
|
29
|
+
private
|
|
30
|
+
|
|
31
|
+
def search
|
|
32
|
+
api.search(query)
|
|
33
|
+
rescue ::Crtsh::Error => _e
|
|
34
|
+
[]
|
|
35
|
+
end
|
|
36
|
+
end
|
|
37
|
+
end
|
|
38
|
+
end
|
|
@@ -0,0 +1,69 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
|
|
3
|
+
require "securitytrails"
|
|
4
|
+
|
|
5
|
+
module Mihari
|
|
6
|
+
module Analyzers
|
|
7
|
+
class SecurityTrails < Base
|
|
8
|
+
attr_reader :api
|
|
9
|
+
attr_reader :indicator
|
|
10
|
+
attr_reader :type
|
|
11
|
+
|
|
12
|
+
attr_reader :title
|
|
13
|
+
attr_reader :description
|
|
14
|
+
attr_reader :tags
|
|
15
|
+
|
|
16
|
+
def initialize(indicator, title: nil, description: nil, tags: [])
|
|
17
|
+
super()
|
|
18
|
+
|
|
19
|
+
@api = ::SecurityTrails::API.new
|
|
20
|
+
@indicator = indicator
|
|
21
|
+
@type = TypeChecker.type(indicator)
|
|
22
|
+
|
|
23
|
+
@title = title || "SecurityTrails lookup"
|
|
24
|
+
@description = description || "indicator = #{indicator}"
|
|
25
|
+
@tags = tags
|
|
26
|
+
end
|
|
27
|
+
|
|
28
|
+
def artifacts
|
|
29
|
+
lookup || []
|
|
30
|
+
end
|
|
31
|
+
|
|
32
|
+
private
|
|
33
|
+
|
|
34
|
+
def valid_type?
|
|
35
|
+
%w(ip domain).include? type
|
|
36
|
+
end
|
|
37
|
+
|
|
38
|
+
def lookup
|
|
39
|
+
case type
|
|
40
|
+
when "domain"
|
|
41
|
+
domain_lookup
|
|
42
|
+
when "ip"
|
|
43
|
+
ip_lookup
|
|
44
|
+
else
|
|
45
|
+
raise ArgumentError, "#{indicator}(type: #{type || 'unknown'}) is not supported." unless valid_type?
|
|
46
|
+
end
|
|
47
|
+
rescue ::SecurityTrails::Error => _e
|
|
48
|
+
nil
|
|
49
|
+
end
|
|
50
|
+
|
|
51
|
+
def domain_lookup
|
|
52
|
+
result = api.history.get_all_dns_history(indicator, "a").to_h
|
|
53
|
+
records = result.dig(:records) || []
|
|
54
|
+
records.map do |record|
|
|
55
|
+
values = record.dig(:values) || []
|
|
56
|
+
values.map { |value| value.dig(:ip) }
|
|
57
|
+
end.compact.flatten.uniq
|
|
58
|
+
end
|
|
59
|
+
|
|
60
|
+
def ip_lookup
|
|
61
|
+
result = api.domains.search( filter: { ipv4: indicator }).to_h
|
|
62
|
+
records = result.dig(:records) || []
|
|
63
|
+
records.map do |record|
|
|
64
|
+
record.dig(:hostname)
|
|
65
|
+
end.compact.uniq
|
|
66
|
+
end
|
|
67
|
+
end
|
|
68
|
+
end
|
|
69
|
+
end
|
data/lib/mihari/cli.rb
CHANGED
|
@@ -56,6 +56,26 @@ module Mihari
|
|
|
56
56
|
end
|
|
57
57
|
end
|
|
58
58
|
|
|
59
|
+
desc "securitytrails [IP|DOMAIN]", "SecurityTrails resolutions lookup by a given ip or domain"
|
|
60
|
+
method_option :title, type: :string, desc: "title"
|
|
61
|
+
method_option :description, type: :string, desc: "description"
|
|
62
|
+
method_option :tags, type: :array, desc: "tags"
|
|
63
|
+
def securitytrails(indiactor)
|
|
64
|
+
with_error_handling do
|
|
65
|
+
run_analyzer Analyzers::SecurityTrails, query: indiactor, options: options
|
|
66
|
+
end
|
|
67
|
+
end
|
|
68
|
+
|
|
69
|
+
desc "crtsh [QUERY]", "crt.sh lookup by a given query"
|
|
70
|
+
method_option :title, type: :string, desc: "title"
|
|
71
|
+
method_option :description, type: :string, desc: "description"
|
|
72
|
+
method_option :tags, type: :array, desc: "tags"
|
|
73
|
+
def crtsh(query)
|
|
74
|
+
with_error_handling do
|
|
75
|
+
run_analyzer Analyzers::Crtsh, query: query, options: options
|
|
76
|
+
end
|
|
77
|
+
end
|
|
78
|
+
|
|
59
79
|
desc "import_from_json", "Give a JSON input via STDIN"
|
|
60
80
|
def import_from_json(input = nil)
|
|
61
81
|
with_error_handling do
|
data/lib/mihari/status.rb
CHANGED
|
@@ -4,12 +4,13 @@ module Mihari
|
|
|
4
4
|
class Status
|
|
5
5
|
def check
|
|
6
6
|
{
|
|
7
|
-
shodan: { status: shodan?, message: shodan },
|
|
8
|
-
slack: { status: slack?, message: slack },
|
|
9
7
|
censys: { status: censys?, message: censys },
|
|
10
|
-
virustotal: { status: virustotal?, message: virustotal },
|
|
11
8
|
onyphe: { status: onyphe?, message: onyphe },
|
|
9
|
+
securitytrails: { status: securitytrails?, message: securitytrails },
|
|
10
|
+
shodan: { status: shodan?, message: shodan },
|
|
11
|
+
slack: { status: slack?, message: slack },
|
|
12
12
|
the_hive: { status: the_hive?, message: the_hive },
|
|
13
|
+
virustotal: { status: virustotal?, message: virustotal },
|
|
13
14
|
}.map do |key, value|
|
|
14
15
|
[key, convert(value)]
|
|
15
16
|
end.to_h
|
|
@@ -28,6 +29,14 @@ module Mihari
|
|
|
28
29
|
}
|
|
29
30
|
end
|
|
30
31
|
|
|
32
|
+
def securitytrails?
|
|
33
|
+
ENV.key? "SECURITYTRAILS_API_KEY"
|
|
34
|
+
end
|
|
35
|
+
|
|
36
|
+
def securitytrails
|
|
37
|
+
securitytrails? ? "SECURITYTRAILS_API_KEY is found" : "SECURITYTRAILS_API_KEY is missing"
|
|
38
|
+
end
|
|
39
|
+
|
|
31
40
|
def virustotal?
|
|
32
41
|
ENV.key?("VIRUSTOTAL_API_KEY")
|
|
33
42
|
end
|
data/lib/mihari/version.rb
CHANGED
data/mihari.gemspec
CHANGED
|
@@ -33,12 +33,14 @@ Gem::Specification.new do |spec|
|
|
|
33
33
|
|
|
34
34
|
spec.add_dependency "addressable", "~> 2.7"
|
|
35
35
|
spec.add_dependency "censu", "~> 0.2"
|
|
36
|
+
spec.add_dependency "crtsh-rb", "~> 0.1"
|
|
36
37
|
spec.add_dependency "email_address", "~> 0.1"
|
|
37
38
|
spec.add_dependency "hachi", "~> 0.2"
|
|
38
39
|
spec.add_dependency "mem", "~> 0.1"
|
|
39
40
|
spec.add_dependency "net-ping", "~> 2.0"
|
|
40
41
|
spec.add_dependency "onyphe", "~> 0.2"
|
|
41
42
|
spec.add_dependency "public_suffix", "~> 3.1"
|
|
43
|
+
spec.add_dependency "securitytrails", "~> 0.2"
|
|
42
44
|
spec.add_dependency "shodanx", "~> 0.1"
|
|
43
45
|
spec.add_dependency "slack-notifier", "~> 2.3"
|
|
44
46
|
spec.add_dependency "thor", "~> 0.20"
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: mihari
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.7.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Manabu Niseki
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: exe
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2019-09-
|
|
11
|
+
date: 2019-09-03 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: bundler
|
|
@@ -122,6 +122,20 @@ dependencies:
|
|
|
122
122
|
- - "~>"
|
|
123
123
|
- !ruby/object:Gem::Version
|
|
124
124
|
version: '0.2'
|
|
125
|
+
- !ruby/object:Gem::Dependency
|
|
126
|
+
name: crtsh-rb
|
|
127
|
+
requirement: !ruby/object:Gem::Requirement
|
|
128
|
+
requirements:
|
|
129
|
+
- - "~>"
|
|
130
|
+
- !ruby/object:Gem::Version
|
|
131
|
+
version: '0.1'
|
|
132
|
+
type: :runtime
|
|
133
|
+
prerelease: false
|
|
134
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
135
|
+
requirements:
|
|
136
|
+
- - "~>"
|
|
137
|
+
- !ruby/object:Gem::Version
|
|
138
|
+
version: '0.1'
|
|
125
139
|
- !ruby/object:Gem::Dependency
|
|
126
140
|
name: email_address
|
|
127
141
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -206,6 +220,20 @@ dependencies:
|
|
|
206
220
|
- - "~>"
|
|
207
221
|
- !ruby/object:Gem::Version
|
|
208
222
|
version: '3.1'
|
|
223
|
+
- !ruby/object:Gem::Dependency
|
|
224
|
+
name: securitytrails
|
|
225
|
+
requirement: !ruby/object:Gem::Requirement
|
|
226
|
+
requirements:
|
|
227
|
+
- - "~>"
|
|
228
|
+
- !ruby/object:Gem::Version
|
|
229
|
+
version: '0.2'
|
|
230
|
+
type: :runtime
|
|
231
|
+
prerelease: false
|
|
232
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
233
|
+
requirements:
|
|
234
|
+
- - "~>"
|
|
235
|
+
- !ruby/object:Gem::Version
|
|
236
|
+
version: '0.2'
|
|
209
237
|
- !ruby/object:Gem::Dependency
|
|
210
238
|
name: shodanx
|
|
211
239
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -301,7 +329,9 @@ files:
|
|
|
301
329
|
- lib/mihari/analyzers/base.rb
|
|
302
330
|
- lib/mihari/analyzers/basic.rb
|
|
303
331
|
- lib/mihari/analyzers/censys.rb
|
|
332
|
+
- lib/mihari/analyzers/crtsh.rb
|
|
304
333
|
- lib/mihari/analyzers/onyphe.rb
|
|
334
|
+
- lib/mihari/analyzers/securitytrails.rb
|
|
305
335
|
- lib/mihari/analyzers/shodan.rb
|
|
306
336
|
- lib/mihari/analyzers/urlscan.rb
|
|
307
337
|
- lib/mihari/analyzers/virustotal.rb
|