mihari 0.8.0 → 0.8.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/README.md +7 -1
- data/lib/mihari.rb +2 -1
- data/lib/mihari/analyzers/base.rb +15 -4
- data/lib/mihari/cache.rb +35 -0
- data/lib/mihari/version.rb +1 -1
- data/mihari.gemspec +6 -3
- data/screenshots/eyecatch.png +0 -0
- metadata +52 -8
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: ced23a972f1bf15c0d379cebbb11c303b3819d09ec56cf7f3f8936f6376cdd43
|
|
4
|
+
data.tar.gz: 3bef1fa391842b63d005cd75041def63dbba8ec473de4b8f56adfdf1e7119ab6
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 7e3a6503831ca7dbdd54fb28861d51e9fe7b8e622db4dd1843a69780ae14be8bf28f81ccf7fb93ed09af33ea2d4af89a82b85de14b420e55ada42c5bb564a7e4
|
|
7
|
+
data.tar.gz: 07fbc1dd07f0cf38f071482e6c28062719e417c3b1e544373a61e4cf692d32d7b14c2512382350d43f7612d276996e5d8cdbe61e614edd3358de5b28aa14987f
|
data/README.md
CHANGED
|
@@ -5,7 +5,7 @@
|
|
|
5
5
|
[](https://coveralls.io/github/ninoseki/mihari?branch=master)
|
|
6
6
|
[](https://www.codefactor.io/repository/github/ninoseki/mihari)
|
|
7
7
|
|
|
8
|
-
mihari(`見張り`) is a sidekick tool for [TheHive](https://github.com/TheHive-Project/TheHive)
|
|
8
|
+
mihari(`見張り`) is a sidekick tool for [TheHive](https://github.com/TheHive-Project/TheHive) for monitoring malicious hosts (C2 / landing page / phishing, etc.) continuously.
|
|
9
9
|
|
|
10
10
|
## How it works
|
|
11
11
|
|
|
@@ -14,6 +14,8 @@ mihari(`見張り`) is a sidekick tool for [TheHive](https://github.com/TheHive-
|
|
|
14
14
|
- mihari creates an alert with the artifacts on the TheHive instance.
|
|
15
15
|
- mihari sends a notification to Slack. (Optional)
|
|
16
16
|
|
|
17
|
+
|
|
18
|
+
|
|
17
19
|
Check this blog post for more detail: [Continuous C2 hunting with Censys, Shodan, Onyphe and TheHive](https://hackmd.io/s/SkUaSrqoE)
|
|
18
20
|
|
|
19
21
|
### Screenshots
|
|
@@ -137,6 +139,10 @@ example.run
|
|
|
137
139
|
|
|
138
140
|
See `/examples` for more.
|
|
139
141
|
|
|
142
|
+
## Caching
|
|
143
|
+
|
|
144
|
+
mihari caches execution results in `/tmp/mihari` and the default cache duration is 7 days. If you want to clear the cache, please clear `/tmp/mihari`.
|
|
145
|
+
|
|
140
146
|
## License
|
|
141
147
|
|
|
142
148
|
The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).
|
data/lib/mihari.rb
CHANGED
|
@@ -3,10 +3,9 @@
|
|
|
3
3
|
module Mihari
|
|
4
4
|
module Analyzers
|
|
5
5
|
class Base
|
|
6
|
-
attr_reader :the_hive
|
|
7
|
-
|
|
8
6
|
def initialize
|
|
9
7
|
@the_hive = TheHive.new
|
|
8
|
+
@cache = Cache.new
|
|
10
9
|
end
|
|
11
10
|
|
|
12
11
|
# @return [Array<String>, Array<Mihari::Artifact>]
|
|
@@ -36,6 +35,8 @@ module Mihari
|
|
|
36
35
|
|
|
37
36
|
run_emitter emitter
|
|
38
37
|
end
|
|
38
|
+
|
|
39
|
+
save_as_cache unique_artifacts.map(&:data)
|
|
39
40
|
end
|
|
40
41
|
|
|
41
42
|
def run_emitter(emitter)
|
|
@@ -53,11 +54,21 @@ module Mihari
|
|
|
53
54
|
end.select(&:valid?)
|
|
54
55
|
end
|
|
55
56
|
|
|
57
|
+
def uncached_artifacts
|
|
58
|
+
@uncached_artifacts ||= normalized_artifacts.reject do |artifact|
|
|
59
|
+
@cache.cached? artifact.data
|
|
60
|
+
end
|
|
61
|
+
end
|
|
62
|
+
|
|
56
63
|
# @return [Array<Mihari::Artifact>]
|
|
57
64
|
def unique_artifacts
|
|
58
|
-
return
|
|
65
|
+
return uncached_artifacts unless @the_hive.valid?
|
|
66
|
+
|
|
67
|
+
@unique_artifacts ||= @the_hive.artifact.find_non_existing_artifacts(uncached_artifacts)
|
|
68
|
+
end
|
|
59
69
|
|
|
60
|
-
|
|
70
|
+
def save_as_cache(data)
|
|
71
|
+
@cache.save data
|
|
61
72
|
end
|
|
62
73
|
end
|
|
63
74
|
end
|
data/lib/mihari/cache.rb
ADDED
|
@@ -0,0 +1,35 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
|
|
3
|
+
require "lightly"
|
|
4
|
+
|
|
5
|
+
module Mihari
|
|
6
|
+
class Cache
|
|
7
|
+
DEFAULT_CACHE_DIR = "/tmp/mihari"
|
|
8
|
+
|
|
9
|
+
def initialize
|
|
10
|
+
@data = Lightly.new(life: "7d", dir: DEFAULT_CACHE_DIR)
|
|
11
|
+
end
|
|
12
|
+
|
|
13
|
+
def cached?(key)
|
|
14
|
+
return false unless @data.enabled?
|
|
15
|
+
|
|
16
|
+
begin
|
|
17
|
+
@data.cached? key
|
|
18
|
+
rescue Errno::ENOENT => _e
|
|
19
|
+
false
|
|
20
|
+
end
|
|
21
|
+
end
|
|
22
|
+
|
|
23
|
+
def save(*keys)
|
|
24
|
+
return unless @data.enabled?
|
|
25
|
+
|
|
26
|
+
begin
|
|
27
|
+
keys.flatten.each do |key|
|
|
28
|
+
@data.save key, true
|
|
29
|
+
end
|
|
30
|
+
rescue Errno::ENOENT => _e
|
|
31
|
+
nil
|
|
32
|
+
end
|
|
33
|
+
end
|
|
34
|
+
end
|
|
35
|
+
end
|
data/lib/mihari/version.rb
CHANGED
data/mihari.gemspec
CHANGED
|
@@ -26,8 +26,10 @@ Gem::Specification.new do |spec|
|
|
|
26
26
|
|
|
27
27
|
spec.add_development_dependency "bundler", "~> 2.0"
|
|
28
28
|
spec.add_development_dependency "coveralls", "~> 0.8"
|
|
29
|
+
spec.add_development_dependency "fakefs", "~> 0.20"
|
|
29
30
|
spec.add_development_dependency "rake", "~> 12.3"
|
|
30
31
|
spec.add_development_dependency "rspec", "~> 3.8"
|
|
32
|
+
spec.add_development_dependency "timecop", "~> 0.9"
|
|
31
33
|
spec.add_development_dependency "vcr", "~> 5.0"
|
|
32
34
|
spec.add_development_dependency "webmock", "~> 3.7"
|
|
33
35
|
|
|
@@ -36,14 +38,15 @@ Gem::Specification.new do |spec|
|
|
|
36
38
|
spec.add_dependency "crtsh-rb", "~> 0.1"
|
|
37
39
|
spec.add_dependency "email_address", "~> 0.1"
|
|
38
40
|
spec.add_dependency "hachi", "~> 0.2"
|
|
41
|
+
spec.add_dependency "lightly", "~> 0.3"
|
|
39
42
|
spec.add_dependency "mem", "~> 0.1"
|
|
40
43
|
spec.add_dependency "net-ping", "~> 2.0"
|
|
41
44
|
spec.add_dependency "onyphe", "~> 0.2"
|
|
42
|
-
spec.add_dependency "public_suffix", "~>
|
|
45
|
+
spec.add_dependency "public_suffix", "~> 4.0"
|
|
43
46
|
spec.add_dependency "securitytrails", "~> 0.2"
|
|
44
|
-
spec.add_dependency "shodanx", "~> 0.
|
|
47
|
+
spec.add_dependency "shodanx", "~> 0.2"
|
|
45
48
|
spec.add_dependency "slack-notifier", "~> 2.3"
|
|
46
49
|
spec.add_dependency "thor", "~> 0.20"
|
|
47
|
-
spec.add_dependency "urlscan", "~> 0.
|
|
50
|
+
spec.add_dependency "urlscan", "~> 0.4"
|
|
48
51
|
spec.add_dependency "virustotalx", "~> 0.1"
|
|
49
52
|
end
|
|
Binary file
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: mihari
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.8.
|
|
4
|
+
version: 0.8.1
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Manabu Niseki
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: exe
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2019-09-
|
|
11
|
+
date: 2019-09-19 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: bundler
|
|
@@ -38,6 +38,20 @@ dependencies:
|
|
|
38
38
|
- - "~>"
|
|
39
39
|
- !ruby/object:Gem::Version
|
|
40
40
|
version: '0.8'
|
|
41
|
+
- !ruby/object:Gem::Dependency
|
|
42
|
+
name: fakefs
|
|
43
|
+
requirement: !ruby/object:Gem::Requirement
|
|
44
|
+
requirements:
|
|
45
|
+
- - "~>"
|
|
46
|
+
- !ruby/object:Gem::Version
|
|
47
|
+
version: '0.20'
|
|
48
|
+
type: :development
|
|
49
|
+
prerelease: false
|
|
50
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
51
|
+
requirements:
|
|
52
|
+
- - "~>"
|
|
53
|
+
- !ruby/object:Gem::Version
|
|
54
|
+
version: '0.20'
|
|
41
55
|
- !ruby/object:Gem::Dependency
|
|
42
56
|
name: rake
|
|
43
57
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -66,6 +80,20 @@ dependencies:
|
|
|
66
80
|
- - "~>"
|
|
67
81
|
- !ruby/object:Gem::Version
|
|
68
82
|
version: '3.8'
|
|
83
|
+
- !ruby/object:Gem::Dependency
|
|
84
|
+
name: timecop
|
|
85
|
+
requirement: !ruby/object:Gem::Requirement
|
|
86
|
+
requirements:
|
|
87
|
+
- - "~>"
|
|
88
|
+
- !ruby/object:Gem::Version
|
|
89
|
+
version: '0.9'
|
|
90
|
+
type: :development
|
|
91
|
+
prerelease: false
|
|
92
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
93
|
+
requirements:
|
|
94
|
+
- - "~>"
|
|
95
|
+
- !ruby/object:Gem::Version
|
|
96
|
+
version: '0.9'
|
|
69
97
|
- !ruby/object:Gem::Dependency
|
|
70
98
|
name: vcr
|
|
71
99
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -164,6 +192,20 @@ dependencies:
|
|
|
164
192
|
- - "~>"
|
|
165
193
|
- !ruby/object:Gem::Version
|
|
166
194
|
version: '0.2'
|
|
195
|
+
- !ruby/object:Gem::Dependency
|
|
196
|
+
name: lightly
|
|
197
|
+
requirement: !ruby/object:Gem::Requirement
|
|
198
|
+
requirements:
|
|
199
|
+
- - "~>"
|
|
200
|
+
- !ruby/object:Gem::Version
|
|
201
|
+
version: '0.3'
|
|
202
|
+
type: :runtime
|
|
203
|
+
prerelease: false
|
|
204
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
205
|
+
requirements:
|
|
206
|
+
- - "~>"
|
|
207
|
+
- !ruby/object:Gem::Version
|
|
208
|
+
version: '0.3'
|
|
167
209
|
- !ruby/object:Gem::Dependency
|
|
168
210
|
name: mem
|
|
169
211
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -212,14 +254,14 @@ dependencies:
|
|
|
212
254
|
requirements:
|
|
213
255
|
- - "~>"
|
|
214
256
|
- !ruby/object:Gem::Version
|
|
215
|
-
version: '
|
|
257
|
+
version: '4.0'
|
|
216
258
|
type: :runtime
|
|
217
259
|
prerelease: false
|
|
218
260
|
version_requirements: !ruby/object:Gem::Requirement
|
|
219
261
|
requirements:
|
|
220
262
|
- - "~>"
|
|
221
263
|
- !ruby/object:Gem::Version
|
|
222
|
-
version: '
|
|
264
|
+
version: '4.0'
|
|
223
265
|
- !ruby/object:Gem::Dependency
|
|
224
266
|
name: securitytrails
|
|
225
267
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -240,14 +282,14 @@ dependencies:
|
|
|
240
282
|
requirements:
|
|
241
283
|
- - "~>"
|
|
242
284
|
- !ruby/object:Gem::Version
|
|
243
|
-
version: '0.
|
|
285
|
+
version: '0.2'
|
|
244
286
|
type: :runtime
|
|
245
287
|
prerelease: false
|
|
246
288
|
version_requirements: !ruby/object:Gem::Requirement
|
|
247
289
|
requirements:
|
|
248
290
|
- - "~>"
|
|
249
291
|
- !ruby/object:Gem::Version
|
|
250
|
-
version: '0.
|
|
292
|
+
version: '0.2'
|
|
251
293
|
- !ruby/object:Gem::Dependency
|
|
252
294
|
name: slack-notifier
|
|
253
295
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -282,14 +324,14 @@ dependencies:
|
|
|
282
324
|
requirements:
|
|
283
325
|
- - "~>"
|
|
284
326
|
- !ruby/object:Gem::Version
|
|
285
|
-
version: '0.
|
|
327
|
+
version: '0.4'
|
|
286
328
|
type: :runtime
|
|
287
329
|
prerelease: false
|
|
288
330
|
version_requirements: !ruby/object:Gem::Requirement
|
|
289
331
|
requirements:
|
|
290
332
|
- - "~>"
|
|
291
333
|
- !ruby/object:Gem::Version
|
|
292
|
-
version: '0.
|
|
334
|
+
version: '0.4'
|
|
293
335
|
- !ruby/object:Gem::Dependency
|
|
294
336
|
name: virustotalx
|
|
295
337
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -337,6 +379,7 @@ files:
|
|
|
337
379
|
- lib/mihari/analyzers/urlscan.rb
|
|
338
380
|
- lib/mihari/analyzers/virustotal.rb
|
|
339
381
|
- lib/mihari/artifact.rb
|
|
382
|
+
- lib/mihari/cache.rb
|
|
340
383
|
- lib/mihari/cli.rb
|
|
341
384
|
- lib/mihari/emitters/base.rb
|
|
342
385
|
- lib/mihari/emitters/slack.rb
|
|
@@ -355,6 +398,7 @@ files:
|
|
|
355
398
|
- lib/mihari/version.rb
|
|
356
399
|
- mihari.gemspec
|
|
357
400
|
- screenshots/alert.png
|
|
401
|
+
- screenshots/eyecatch.png
|
|
358
402
|
- screenshots/slack.png
|
|
359
403
|
homepage: https://github.com/ninoseki/mihari
|
|
360
404
|
licenses:
|