mihari 0.9.1 → 0.10.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 4175ef15648358026415714167bb1b0567076ad01c20ecf172def0272610ed02
4
- data.tar.gz: 5b001b4a18c211441a753c5325f355028ae7bf426dbe2c51d676be95f267cf48
3
+ metadata.gz: 8de738680ca57bdaf9ba336692c3cad0be84cfffc055eef2785fd7c1c3bf32d6
4
+ data.tar.gz: e6cda3a6e8d0f9c49728e6d04284332fe7f820287078e83fdd5cfa1ede4c27fc
5
5
  SHA512:
6
- metadata.gz: 351a8537861e52c4d4f5e3eb159d83ee10a699870198736169631c7353726ca6e22cf79c35db827b48b10fef9fc1e6ef236bbb4b07d42dde5452d3316fc051d8
7
- data.tar.gz: 1467f8fbbce999eef16a72e430a70a5e40faeb9597f2b6f533a202efe27cce7022598768557b8459d1859c33252311ec63fcbe0005a4225dc076173d4a2b712c
6
+ metadata.gz: '0238a0da4e31a5146aa4fc5b8ed16b012a9d874657e1ae69ede3ad0bc7ec6c95a74374160b6871e5eade40d90455f54c5522fe17b33d200e0898f7c748629619'
7
+ data.tar.gz: 9d60cae8a47366f44eebed73fc78ed0d21c239131636d87be6621af255b669b3ef5abb5649a4d3ae8ba77120f06939cf74bf52f78d07fa4535369bec426a88aa
data/README.md CHANGED
@@ -51,14 +51,16 @@ docker pull ninoseki/mihari
51
51
 
52
52
  ## Basic usage
53
53
 
54
- mihari supports Censys, Shodan, Onyphe, urlscan, SecurityTrails, crt.sh and VirusTotal by default.
54
+ mihari supports Censys, Shodan, Onyphe, urlscan, SecurityTrails, crt.sh, CIRCL passive DNS/SSL and VirusTotal by default.
55
55
 
56
56
  ```bash
57
57
  $ mihari
58
58
  Commands:
59
59
  mihari alerts # Show the alerts on TheHive
60
60
  mihari censys [QUERY] # Censys IPv4 lookup by a given query
61
+ mihari circl [DOMAIN|SHA1] # CIRCL passive DNS/SSL lookup by a given domain / SHA1 certificate fingerprint
61
62
  mihari crtsh [QUERY] # crt.sh lookup by a given query
63
+ mihari dnpedia [QUERY] # DNPedia domain lookup by a given query
62
64
  mihari help [COMMAND] # Describe available commands or one specific command
63
65
  mihari import_from_json # Give a JSON input via STDIN
64
66
  mihari onyphe [QUERY] # Onyphe datascan lookup by a given query
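Review bot: the updated supported-services sentence (the `+` line 54, "mihari supports Censys, Shodan, Onyphe, urlscan, SecurityTrails, crt.sh, CIRCL passive DNS/SSL and VirusTotal by default.") omits DNPedia even though this same hunk adds the `mihari dnpedia [QUERY]` command to the table below it. Add DNPedia to the list so the one-line summary and the command table agree, and consider spelling out in the `circl` description that the SHA1 argument is the certificate fingerprint as CIRCL indexes it (hex, no separators), since that is the only form the lookup will accept.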
@@ -145,20 +147,22 @@ The input is a JSON data should have `title`, `description` and `artifacts` key.
145
147
 
146
148
  All configuration is done via ENV variables.
147
149
 
148
- | Key | Desc. | Required or optional |
149
- |------------------------|------------------------|--------------------------------|
150
- | THEHIVE_API_ENDPOINT | TheHive URL | Required |
151
- | THEHIVE_API_KEY | TheHive API key | Required |
152
- | MISP_API_ENDPOINT | MISP URL | Optional |
153
- | MISP_API_KEY | MISP API key | Optional |
154
- | SLACK_WEBHOOK_URL | Slack Webhook URL | Optional |
155
- | SLACK_CHANNEL | Slack channel name | Optional (default: `#general`) |
156
- | CENSYS_ID | Censys API ID | Optional |
157
- | CENSYS_SECRET | Censys secret | Optional |
158
- | ONYPHE_API_KEY | Onyphe API key | Optional |
159
- | SECURITYTRAILS_API_KEY | SecurityTrails API key | Optional |
160
- | SHODAN_API_KEY | Shodan API key | Optional |
161
- | VIRUSTOTAL_API_KEY | VirusTotal API key | Optional |
150
+ | Key | Desc. | Required or optional |
151
+ |------------------------|--------------------------------|--------------------------------|
152
+ | THEHIVE_API_ENDPOINT | TheHive URL | Required |
153
+ | THEHIVE_API_KEY | TheHive API key | Required |
154
+ | MISP_API_ENDPOINT | MISP URL | Optional |
155
+ | MISP_API_KEY | MISP API key | Optional |
156
+ | SLACK_WEBHOOK_URL | Slack Webhook URL | Optional |
157
+ | SLACK_CHANNEL | Slack channel name | Optional (default: `#general`) |
158
+ | CENSYS_ID | Censys API ID | Optional |
159
+ | CENSYS_SECRET | Censys secret | Optional |
160
+ | CIRCL_PASSIVE_USERNAME | CIRCL passive DNS/SSL username | Optional |
161
+ | CIRCL_PASSIVE_PASSWORD | CIRC_ passive DNS/SSL password | Optional |
162
+ | ONYPHE_API_KEY | Onyphe API key | Optional |
163
+ | SECURITYTRAILS_API_KEY | SecurityTrails API key | Optional |
164
+ | SHODAN_API_KEY | Shodan API key | Optional |
165
+ | VIRUSTOTAL_API_KEY | VirusTotal API key | Optional |
162
166
 
163
167
  You can check the configuration status via `status` command.
164
168
 
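Review bot: typo in the new `CIRCL_PASSIVE_PASSWORD` row, which reads "CIRC_ passive DNS/SSL password"; it should be "CIRCL passive DNS/SSL password" to match the row above it. Two related documentation points for this table: CIRCL is the only service configured with a username/password pair rather than an API key, so it is worth a sentence saying both variables must be set together, and DNPedia gets no row at all, which is correct only if it needs no credentials; if so, say so explicitly rather than leaving readers to infer it from the table's silence.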
@@ -29,10 +29,12 @@ require "mihari/the_hive"
29
29
  require "mihari/analyzers/base"
30
30
  require "mihari/analyzers/basic"
31
31
  require "mihari/analyzers/censys"
32
+ require "mihari/analyzers/circl"
32
33
  require "mihari/analyzers/crtsh"
34
+ require "mihari/analyzers/dnpedia"
33
35
  require "mihari/analyzers/onyphe"
34
- require "mihari/analyzers/securitytrails"
35
36
  require "mihari/analyzers/securitytrails_domain_feed"
37
+ require "mihari/analyzers/securitytrails"
36
38
  require "mihari/analyzers/shodan"
37
39
  require "mihari/analyzers/urlscan"
38
40
  require "mihari/analyzers/virustotal"
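Review bot: the move of `require "mihari/analyzers/securitytrails"` from before `securitytrails_domain_feed` to after it is unrelated to the CIRCL/DNPedia feature and is not explained. The original placement was the alphabetical one (`securitytrails` sorts before `securitytrails_domain_feed`), so if the intent was sorting, the reorder should be reverted; if `securitytrails` now depends on something defined in `securitytrails_domain_feed`, that ordering dependency deserves a comment so a later "sort the requires" cleanup does not silently break loading.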
@@ -0,0 +1,61 @@
1
+ # frozen_string_literal: true
2
+
3
+ require "passive_circl"
4
+
5
+ module Mihari
6
+ module Analyzers
7
+ class CIRCL < Base
8
+ attr_reader :title
9
+ attr_reader :description
10
+ attr_reader :tags
11
+
12
+ def initialize(query, title: nil, description: nil, tags: [])
13
+ super()
14
+
15
+ @query = query
16
+ @type = TypeChecker.type(query)
17
+
18
+ @title = title || "CIRCL passive lookup"
19
+ @description = description || "query = #{query}"
20
+ @tags = tags
21
+ end
22
+
23
+ def artifacts
24
+ lookup || []
25
+ end
26
+
27
+ private
28
+
29
+ def api
30
+ @api ||= ::PassiveCIRCL::API.new
31
+ end
32
+
33
+ def lookup
34
+ case @type
35
+ when "domain"
36
+ passive_dns_lookup
37
+ when "hash"
38
+ passive_ssl_lookup
39
+ else
40
+ raise ArgumentError, "#{@query}(type: #{@type || 'unknown'}) is not supported."
41
+ end
42
+ rescue ::PassiveCIRCL::Error => _e
43
+ nil
44
+ end
45
+
46
+ def passive_dns_lookup
47
+ results = api.dns.query(@query)
48
+ results.map do |result|
49
+ type = result.dig("rrtype")
50
+ type == "A" ? result.dig("rdata") : nil
51
+ end.compact.uniq
52
+ end
53
+
54
+ def passive_ssl_lookup
55
+ result = api.ssl.cquery(@query)
56
+ seen = result.dig("seen") || []
57
+ seen.uniq
58
+ end
59
+ end
60
+ end
61
+ end
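Review bot: the `rescue ::PassiveCIRCL::Error => _e` / `nil` at lines 42-43 collapses every client failure, including bad or missing `CIRCL_PASSIVE_USERNAME`/`CIRCL_PASSIVE_PASSWORD` and network errors, into an empty artifact list, so a misconfigured run is indistinguishable from a query that genuinely matched nothing. Either let the error propagate to `with_error_handling` in the CLI or at least emit a warning before returning `nil`. Two smaller points in the same file: `when "hash"` at line 37 accepts whatever `TypeChecker.type` classifies as a hash, while the CLI promises a SHA1 certificate fingerprint, so validate that `@query` is 40 hex characters before calling `api.ssl.cquery(@query)`; and `passive_dns_lookup` keeps only `rrtype == "A"` answers (line 50), silently dropping AAAA and every other record type, which should either be widened or documented as intentional.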
@@ -0,0 +1,43 @@
1
+ # frozen_string_literal: true
2
+
3
+ require "dnpedia"
4
+
5
+ module Mihari
6
+ module Analyzers
7
+ class DNPedia < Base
8
+ attr_reader :query
9
+ attr_reader :title
10
+ attr_reader :description
11
+ attr_reader :tags
12
+
13
+ def initialize(query, title: nil, description: nil, tags: [])
14
+ super()
15
+
16
+ @query = query
17
+ @title = title || "DNPedia domain lookup"
18
+ @description = description || "query = #{query}"
19
+ @tags = tags
20
+ end
21
+
22
+ def artifacts
23
+ lookup || []
24
+ end
25
+
26
+ private
27
+
28
+ def api
29
+ @api ||= ::DNPedia::API.new
30
+ end
31
+
32
+ def lookup
33
+ res = api.search(query)
34
+ rows = res.dig("rows") || []
35
+ rows.map do |row|
36
+ [row.dig("name"), row.dig("zoneid")].join(".")
37
+ end
38
+ rescue ::DNPedia::Error => _e
39
+ nil
40
+ end
41
+ end
42
+ end
43
+ end
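Review bot: `[row.dig("name"), row.dig("zoneid")].join(".")` at line 36 produces malformed artifacts such as `"foo."` or `".com"` whenever either field is missing, and the result is not de-duplicated, unlike the `.compact.uniq` used by the CIRCL analyzer added in the same release. Skip rows where `name` or `zoneid` is `nil` and apply `.uniq` to the mapped array. The `rescue ::DNPedia::Error => _e` / `nil` at lines 38-39 has the same silent-failure problem as the CIRCL analyzer: an API error becomes an empty result with no signal to the operator.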
@@ -89,6 +89,26 @@ module Mihari
89
89
  end
90
90
  end
91
91
 
92
+ desc "dnpedia [QUERY]", "DNPedia domain lookup by a given query"
93
+ method_option :title, type: :string, desc: "title"
94
+ method_option :description, type: :string, desc: "description"
95
+ method_option :tags, type: :array, desc: "tags"
96
+ def dnpedia(query)
97
+ with_error_handling do
98
+ run_analyzer Analyzers::DNPedia, query: query, options: options
99
+ end
100
+ end
101
+
102
+ desc "circl [DOMAIN|SHA1]", "CIRCL passive DNS/SSL lookup by a given domain / SHA1 certificate fingerprint"
103
+ method_option :title, type: :string, desc: "title"
104
+ method_option :description, type: :string, desc: "description"
105
+ method_option :tags, type: :array, desc: "tags"
106
+ def circl(query)
107
+ with_error_handling do
108
+ run_analyzer Analyzers::CIRCL, query: query, options: options
109
+ end
110
+ end
111
+
92
112
  desc "import_from_json", "Give a JSON input via STDIN"
93
113
  def import_from_json(input = nil)
94
114
  with_error_handling do
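Review bot: the two new commands are inserted in the order `dnpedia` then `circl`, while the README's command table (and the rest of this CLI class, judging by `censys` preceding `crtsh` in the README) is alphabetical; swap them so `circl` comes first. Style point: the `:title`, `:description` and `:tags` `method_option` declarations are now repeated verbatim for every analyzer command, which invites drift the next time one of them changes; a small shared helper that declares the three options would keep each command to its `desc` line and body.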
@@ -1,5 +1,5 @@
1
1
  # frozen_string_literal: true
2
2
 
3
3
  module Mihari
4
- VERSION = "0.9.1"
4
+ VERSION = "0.10.0"
5
5
  end
@@ -36,6 +36,7 @@ Gem::Specification.new do |spec|
36
36
  spec.add_dependency "addressable", "~> 2.7"
37
37
  spec.add_dependency "censu", "~> 0.2"
38
38
  spec.add_dependency "crtsh-rb", "~> 0.1"
39
+ spec.add_dependency "dnpedia", "~> 0.1"
39
40
  spec.add_dependency "email_address", "~> 0.1"
40
41
  spec.add_dependency "hachi", "~> 0.2"
41
42
  spec.add_dependency "lightly", "~> 0.3"
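Review bot: `spec.add_dependency "dnpedia", "~> 0.1"` accepts every release from 0.1 up to (but excluding) 1.0, and pre-1.0 gems routinely make breaking changes between 0.x minors, so a `bundle update` can pull in an incompatible client without any change to this gemspec. This matches the constraint style already used for `censu` and `crtsh-rb`, but for a brand-new runtime dependency `~> 0.1.0` is the safer pin, with the exact version recorded in the lockfile.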
@@ -44,6 +45,7 @@ Gem::Specification.new do |spec|
44
45
  spec.add_dependency "net-ping", "~> 2.0"
45
46
  spec.add_dependency "onyphe", "~> 0.2"
46
47
  spec.add_dependency "parallel", "~> 1.17"
48
+ spec.add_dependency "passive_circl", "~> 0.1"
47
49
  spec.add_dependency "public_suffix", "~> 4.0"
48
50
  spec.add_dependency "securitytrails", "~> 0.2"
49
51
  spec.add_dependency "shodanx", "~> 0.2"
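Review bot: same concern for `spec.add_dependency "passive_circl", "~> 0.1"`: the pessimistic constraint on a 0.x gem allows any 0.x minor. This release adds two new runtime dependencies (`dnpedia` here and `passive_circl` in the preceding hunk) that every installer of mihari will now fetch, so it is worth stating in the release notes where these gems come from and tightening the constraints to `~> 0.1.0` so upgrades of the new HTTP clients are deliberate rather than automatic.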
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: mihari
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.9.1
4
+ version: 0.10.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Manabu Niseki
8
8
  autorequire:
9
9
  bindir: exe
10
10
  cert_chain: []
11
- date: 2019-09-27 00:00:00.000000000 Z
11
+ date: 2019-10-01 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: bundler
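Review bot: `cert_chain: []` in the unchanged context shows the gem is still published unsigned, so the only integrity check available to anyone installing 0.10.0 is the registry-side checksum in `checksums.yaml`. Since this release widens the dependency tree with two new runtime gems, this would be a good point to start signing releases (`gem cert` / `spec.cert_chain` and `spec.signing_key`) so installers running with a signature policy can verify the publisher rather than just the bytes.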
@@ -164,6 +164,20 @@ dependencies:
164
164
  - - "~>"
165
165
  - !ruby/object:Gem::Version
166
166
  version: '0.1'
167
+ - !ruby/object:Gem::Dependency
168
+ name: dnpedia
169
+ requirement: !ruby/object:Gem::Requirement
170
+ requirements:
171
+ - - "~>"
172
+ - !ruby/object:Gem::Version
173
+ version: '0.1'
174
+ type: :runtime
175
+ prerelease: false
176
+ version_requirements: !ruby/object:Gem::Requirement
177
+ requirements:
178
+ - - "~>"
179
+ - !ruby/object:Gem::Version
180
+ version: '0.1'
167
181
  - !ruby/object:Gem::Dependency
168
182
  name: email_address
169
183
  requirement: !ruby/object:Gem::Requirement
@@ -276,6 +290,20 @@ dependencies:
276
290
  - - "~>"
277
291
  - !ruby/object:Gem::Version
278
292
  version: '1.17'
293
+ - !ruby/object:Gem::Dependency
294
+ name: passive_circl
295
+ requirement: !ruby/object:Gem::Requirement
296
+ requirements:
297
+ - - "~>"
298
+ - !ruby/object:Gem::Version
299
+ version: '0.1'
300
+ type: :runtime
301
+ prerelease: false
302
+ version_requirements: !ruby/object:Gem::Requirement
303
+ requirements:
304
+ - - "~>"
305
+ - !ruby/object:Gem::Version
306
+ version: '0.1'
279
307
  - !ruby/object:Gem::Dependency
280
308
  name: public_suffix
281
309
  requirement: !ruby/object:Gem::Requirement
@@ -399,7 +427,9 @@ files:
399
427
  - lib/mihari/analyzers/base.rb
400
428
  - lib/mihari/analyzers/basic.rb
401
429
  - lib/mihari/analyzers/censys.rb
430
+ - lib/mihari/analyzers/circl.rb
402
431
  - lib/mihari/analyzers/crtsh.rb
432
+ - lib/mihari/analyzers/dnpedia.rb
403
433
  - lib/mihari/analyzers/onyphe.rb
404
434
  - lib/mihari/analyzers/securitytrails.rb
405
435
  - lib/mihari/analyzers/securitytrails_domain_feed.rb