mihari 0.9.1 → 0.10.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/README.md +19 -15
- data/lib/mihari.rb +3 -1
- data/lib/mihari/analyzers/circl.rb +61 -0
- data/lib/mihari/analyzers/dnpedia.rb +43 -0
- data/lib/mihari/cli.rb +20 -0
- data/lib/mihari/version.rb +1 -1
- data/mihari.gemspec +2 -0
- metadata +32 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 8de738680ca57bdaf9ba336692c3cad0be84cfffc055eef2785fd7c1c3bf32d6
|
|
4
|
+
data.tar.gz: e6cda3a6e8d0f9c49728e6d04284332fe7f820287078e83fdd5cfa1ede4c27fc
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: '0238a0da4e31a5146aa4fc5b8ed16b012a9d874657e1ae69ede3ad0bc7ec6c95a74374160b6871e5eade40d90455f54c5522fe17b33d200e0898f7c748629619'
|
|
7
|
+
data.tar.gz: 9d60cae8a47366f44eebed73fc78ed0d21c239131636d87be6621af255b669b3ef5abb5649a4d3ae8ba77120f06939cf74bf52f78d07fa4535369bec426a88aa
|
data/README.md
CHANGED
|
@@ -51,14 +51,16 @@ docker pull ninoseki/mihari
|
|
|
51
51
|
|
|
52
52
|
## Basic usage
|
|
53
53
|
|
|
54
|
-
mihari supports Censys, Shodan, Onyphe, urlscan, SecurityTrails, crt.sh and VirusTotal by default.
|
|
54
|
+
mihari supports Censys, Shodan, Onyphe, urlscan, SecurityTrails, crt.sh, CIRCL passive DNS/SSL and VirusTotal by default.
|
|
55
55
|
|
|
56
56
|
```bash
|
|
57
57
|
$ mihari
|
|
58
58
|
Commands:
|
|
59
59
|
mihari alerts # Show the alerts on TheHive
|
|
60
60
|
mihari censys [QUERY] # Censys IPv4 lookup by a given query
|
|
61
|
+
mihari circl [DOMAIN|SHA1] # CIRCL passive DNS/SSL lookup by a given domain / SHA1 certificate fingerprint
|
|
61
62
|
mihari crtsh [QUERY] # crt.sh lookup by a given query
|
|
63
|
+
mihari dnpedia [QUERY] # DNPedia domain lookup by a given query
|
|
62
64
|
mihari help [COMMAND] # Describe available commands or one specific command
|
|
63
65
|
mihari import_from_json # Give a JSON input via STDIN
|
|
64
66
|
mihari onyphe [QUERY] # Onyphe datascan lookup by a given query
|
|
@@ -145,20 +147,22 @@ The input is a JSON data should have `title`, `description` and `artifacts` key.
|
|
|
145
147
|
|
|
146
148
|
All configuration is done via ENV variables.
|
|
147
149
|
|
|
148
|
-
| Key | Desc.
|
|
149
|
-
|
|
150
|
-
| THEHIVE_API_ENDPOINT | TheHive URL
|
|
151
|
-
| THEHIVE_API_KEY | TheHive API key
|
|
152
|
-
| MISP_API_ENDPOINT | MISP URL
|
|
153
|
-
| MISP_API_KEY | MISP API key
|
|
154
|
-
| SLACK_WEBHOOK_URL | Slack Webhook URL
|
|
155
|
-
| SLACK_CHANNEL | Slack channel name
|
|
156
|
-
| CENSYS_ID | Censys API ID
|
|
157
|
-
| CENSYS_SECRET | Censys secret
|
|
158
|
-
|
|
|
159
|
-
|
|
|
160
|
-
|
|
|
161
|
-
|
|
|
150
|
+
| Key | Desc. | Required or optional |
|
|
151
|
+
|------------------------|--------------------------------|--------------------------------|
|
|
152
|
+
| THEHIVE_API_ENDPOINT | TheHive URL | Required |
|
|
153
|
+
| THEHIVE_API_KEY | TheHive API key | Required |
|
|
154
|
+
| MISP_API_ENDPOINT | MISP URL | Optional |
|
|
155
|
+
| MISP_API_KEY | MISP API key | Optional |
|
|
156
|
+
| SLACK_WEBHOOK_URL | Slack Webhook URL | Optional |
|
|
157
|
+
| SLACK_CHANNEL | Slack channel name | Optional (default: `#general`) |
|
|
158
|
+
| CENSYS_ID | Censys API ID | Optional |
|
|
159
|
+
| CENSYS_SECRET | Censys secret | Optional |
|
|
160
|
+
| CIRCL_PASSIVE_USERNAME | CIRCL passive DNS/SSL username | Optional |
|
|
161
|
+
| CIRCL_PASSIVE_PASSWORD | CIRC_ passive DNS/SSL password | Optional |
|
|
162
|
+
| ONYPHE_API_KEY | Onyphe API key | Optional |
|
|
163
|
+
| SECURITYTRAILS_API_KEY | SecurityTrails API key | Optional |
|
|
164
|
+
| SHODAN_API_KEY | Shodan API key | Optional |
|
|
165
|
+
| VIRUSTOTAL_API_KEY | VirusTotal API key | Optional |
|
|
162
166
|
|
|
163
167
|
You can check the configuration status via `status` command.
|
|
164
168
|
|
data/lib/mihari.rb
CHANGED
|
@@ -29,10 +29,12 @@ require "mihari/the_hive"
|
|
|
29
29
|
require "mihari/analyzers/base"
|
|
30
30
|
require "mihari/analyzers/basic"
|
|
31
31
|
require "mihari/analyzers/censys"
|
|
32
|
+
require "mihari/analyzers/circl"
|
|
32
33
|
require "mihari/analyzers/crtsh"
|
|
34
|
+
require "mihari/analyzers/dnpedia"
|
|
33
35
|
require "mihari/analyzers/onyphe"
|
|
34
|
-
require "mihari/analyzers/securitytrails"
|
|
35
36
|
require "mihari/analyzers/securitytrails_domain_feed"
|
|
37
|
+
require "mihari/analyzers/securitytrails"
|
|
36
38
|
require "mihari/analyzers/shodan"
|
|
37
39
|
require "mihari/analyzers/urlscan"
|
|
38
40
|
require "mihari/analyzers/virustotal"
|
|
@@ -0,0 +1,61 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
|
|
3
|
+
require "passive_circl"
|
|
4
|
+
|
|
5
|
+
module Mihari
|
|
6
|
+
module Analyzers
|
|
7
|
+
class CIRCL < Base
|
|
8
|
+
attr_reader :title
|
|
9
|
+
attr_reader :description
|
|
10
|
+
attr_reader :tags
|
|
11
|
+
|
|
12
|
+
def initialize(query, title: nil, description: nil, tags: [])
|
|
13
|
+
super()
|
|
14
|
+
|
|
15
|
+
@query = query
|
|
16
|
+
@type = TypeChecker.type(query)
|
|
17
|
+
|
|
18
|
+
@title = title || "CIRCL passive lookup"
|
|
19
|
+
@description = description || "query = #{query}"
|
|
20
|
+
@tags = tags
|
|
21
|
+
end
|
|
22
|
+
|
|
23
|
+
def artifacts
|
|
24
|
+
lookup || []
|
|
25
|
+
end
|
|
26
|
+
|
|
27
|
+
private
|
|
28
|
+
|
|
29
|
+
def api
|
|
30
|
+
@api ||= ::PassiveCIRCL::API.new
|
|
31
|
+
end
|
|
32
|
+
|
|
33
|
+
def lookup
|
|
34
|
+
case @type
|
|
35
|
+
when "domain"
|
|
36
|
+
passive_dns_lookup
|
|
37
|
+
when "hash"
|
|
38
|
+
passive_ssl_lookup
|
|
39
|
+
else
|
|
40
|
+
raise ArgumentError, "#{@query}(type: #{@type || 'unknown'}) is not supported."
|
|
41
|
+
end
|
|
42
|
+
rescue ::PassiveCIRCL::Error => _e
|
|
43
|
+
nil
|
|
44
|
+
end
|
|
45
|
+
|
|
46
|
+
def passive_dns_lookup
|
|
47
|
+
results = api.dns.query(@query)
|
|
48
|
+
results.map do |result|
|
|
49
|
+
type = result.dig("rrtype")
|
|
50
|
+
type == "A" ? result.dig("rdata") : nil
|
|
51
|
+
end.compact.uniq
|
|
52
|
+
end
|
|
53
|
+
|
|
54
|
+
def passive_ssl_lookup
|
|
55
|
+
result = api.ssl.cquery(@query)
|
|
56
|
+
seen = result.dig("seen") || []
|
|
57
|
+
seen.uniq
|
|
58
|
+
end
|
|
59
|
+
end
|
|
60
|
+
end
|
|
61
|
+
end
|
|
@@ -0,0 +1,43 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
|
|
3
|
+
require "dnpedia"
|
|
4
|
+
|
|
5
|
+
module Mihari
|
|
6
|
+
module Analyzers
|
|
7
|
+
class DNPedia < Base
|
|
8
|
+
attr_reader :query
|
|
9
|
+
attr_reader :title
|
|
10
|
+
attr_reader :description
|
|
11
|
+
attr_reader :tags
|
|
12
|
+
|
|
13
|
+
def initialize(query, title: nil, description: nil, tags: [])
|
|
14
|
+
super()
|
|
15
|
+
|
|
16
|
+
@query = query
|
|
17
|
+
@title = title || "DNPedia domain lookup"
|
|
18
|
+
@description = description || "query = #{query}"
|
|
19
|
+
@tags = tags
|
|
20
|
+
end
|
|
21
|
+
|
|
22
|
+
def artifacts
|
|
23
|
+
lookup || []
|
|
24
|
+
end
|
|
25
|
+
|
|
26
|
+
private
|
|
27
|
+
|
|
28
|
+
def api
|
|
29
|
+
@api ||= ::DNPedia::API.new
|
|
30
|
+
end
|
|
31
|
+
|
|
32
|
+
def lookup
|
|
33
|
+
res = api.search(query)
|
|
34
|
+
rows = res.dig("rows") || []
|
|
35
|
+
rows.map do |row|
|
|
36
|
+
[row.dig("name"), row.dig("zoneid")].join(".")
|
|
37
|
+
end
|
|
38
|
+
rescue ::DNPedia::Error => _e
|
|
39
|
+
nil
|
|
40
|
+
end
|
|
41
|
+
end
|
|
42
|
+
end
|
|
43
|
+
end
|
data/lib/mihari/cli.rb
CHANGED
|
@@ -89,6 +89,26 @@ module Mihari
|
|
|
89
89
|
end
|
|
90
90
|
end
|
|
91
91
|
|
|
92
|
+
desc "dnpedia [QUERY]", "DNPedia domain lookup by a given query"
|
|
93
|
+
method_option :title, type: :string, desc: "title"
|
|
94
|
+
method_option :description, type: :string, desc: "description"
|
|
95
|
+
method_option :tags, type: :array, desc: "tags"
|
|
96
|
+
def dnpedia(query)
|
|
97
|
+
with_error_handling do
|
|
98
|
+
run_analyzer Analyzers::DNPedia, query: query, options: options
|
|
99
|
+
end
|
|
100
|
+
end
|
|
101
|
+
|
|
102
|
+
desc "circl [DOMAIN|SHA1]", "CIRCL passive DNS/SSL lookup by a given domain / SHA1 certificate fingerprint"
|
|
103
|
+
method_option :title, type: :string, desc: "title"
|
|
104
|
+
method_option :description, type: :string, desc: "description"
|
|
105
|
+
method_option :tags, type: :array, desc: "tags"
|
|
106
|
+
def circl(query)
|
|
107
|
+
with_error_handling do
|
|
108
|
+
run_analyzer Analyzers::CIRCL, query: query, options: options
|
|
109
|
+
end
|
|
110
|
+
end
|
|
111
|
+
|
|
92
112
|
desc "import_from_json", "Give a JSON input via STDIN"
|
|
93
113
|
def import_from_json(input = nil)
|
|
94
114
|
with_error_handling do
|
data/lib/mihari/version.rb
CHANGED
data/mihari.gemspec
CHANGED
|
@@ -36,6 +36,7 @@ Gem::Specification.new do |spec|
|
|
|
36
36
|
spec.add_dependency "addressable", "~> 2.7"
|
|
37
37
|
spec.add_dependency "censu", "~> 0.2"
|
|
38
38
|
spec.add_dependency "crtsh-rb", "~> 0.1"
|
|
39
|
+
spec.add_dependency "dnpedia", "~> 0.1"
|
|
39
40
|
spec.add_dependency "email_address", "~> 0.1"
|
|
40
41
|
spec.add_dependency "hachi", "~> 0.2"
|
|
41
42
|
spec.add_dependency "lightly", "~> 0.3"
|
|
@@ -44,6 +45,7 @@ Gem::Specification.new do |spec|
|
|
|
44
45
|
spec.add_dependency "net-ping", "~> 2.0"
|
|
45
46
|
spec.add_dependency "onyphe", "~> 0.2"
|
|
46
47
|
spec.add_dependency "parallel", "~> 1.17"
|
|
48
|
+
spec.add_dependency "passive_circl", "~> 0.1"
|
|
47
49
|
spec.add_dependency "public_suffix", "~> 4.0"
|
|
48
50
|
spec.add_dependency "securitytrails", "~> 0.2"
|
|
49
51
|
spec.add_dependency "shodanx", "~> 0.2"
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: mihari
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.10.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Manabu Niseki
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: exe
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2019-
|
|
11
|
+
date: 2019-10-01 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: bundler
|
|
@@ -164,6 +164,20 @@ dependencies:
|
|
|
164
164
|
- - "~>"
|
|
165
165
|
- !ruby/object:Gem::Version
|
|
166
166
|
version: '0.1'
|
|
167
|
+
- !ruby/object:Gem::Dependency
|
|
168
|
+
name: dnpedia
|
|
169
|
+
requirement: !ruby/object:Gem::Requirement
|
|
170
|
+
requirements:
|
|
171
|
+
- - "~>"
|
|
172
|
+
- !ruby/object:Gem::Version
|
|
173
|
+
version: '0.1'
|
|
174
|
+
type: :runtime
|
|
175
|
+
prerelease: false
|
|
176
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
177
|
+
requirements:
|
|
178
|
+
- - "~>"
|
|
179
|
+
- !ruby/object:Gem::Version
|
|
180
|
+
version: '0.1'
|
|
167
181
|
- !ruby/object:Gem::Dependency
|
|
168
182
|
name: email_address
|
|
169
183
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -276,6 +290,20 @@ dependencies:
|
|
|
276
290
|
- - "~>"
|
|
277
291
|
- !ruby/object:Gem::Version
|
|
278
292
|
version: '1.17'
|
|
293
|
+
- !ruby/object:Gem::Dependency
|
|
294
|
+
name: passive_circl
|
|
295
|
+
requirement: !ruby/object:Gem::Requirement
|
|
296
|
+
requirements:
|
|
297
|
+
- - "~>"
|
|
298
|
+
- !ruby/object:Gem::Version
|
|
299
|
+
version: '0.1'
|
|
300
|
+
type: :runtime
|
|
301
|
+
prerelease: false
|
|
302
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
303
|
+
requirements:
|
|
304
|
+
- - "~>"
|
|
305
|
+
- !ruby/object:Gem::Version
|
|
306
|
+
version: '0.1'
|
|
279
307
|
- !ruby/object:Gem::Dependency
|
|
280
308
|
name: public_suffix
|
|
281
309
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -399,7 +427,9 @@ files:
|
|
|
399
427
|
- lib/mihari/analyzers/base.rb
|
|
400
428
|
- lib/mihari/analyzers/basic.rb
|
|
401
429
|
- lib/mihari/analyzers/censys.rb
|
|
430
|
+
- lib/mihari/analyzers/circl.rb
|
|
402
431
|
- lib/mihari/analyzers/crtsh.rb
|
|
432
|
+
- lib/mihari/analyzers/dnpedia.rb
|
|
403
433
|
- lib/mihari/analyzers/onyphe.rb
|
|
404
434
|
- lib/mihari/analyzers/securitytrails.rb
|
|
405
435
|
- lib/mihari/analyzers/securitytrails_domain_feed.rb
|