RubyGems - mihari - Versions diffs - 1.1.1 → 1.2.0 - Mend

mihari 1.1.1 → 1.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

checksums.yaml +4 -4
data/README.md +4 -1
data/lib/mihari.rb +1 -0
data/lib/mihari/analyzers/otx.rb +74 -0
data/lib/mihari/analyzers/passive_dns.rb +2 -1
data/lib/mihari/cli.rb +10 -0
data/lib/mihari/config.rb +2 -0
data/lib/mihari/version.rb +1 -1
data/mihari.gemspec +1 -0
metadata +17 -2

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 5c43df888d661331830b74ecbf097f2bf7f0450850fca0ad8bfe86d58fe5d32f
-  data.tar.gz: 123d3a13867550f57557472e63819b1bc8a70fd80bb0ef3fa0543d9414fc84a8
+  metadata.gz: 901c334bf0485bbb82a422a1900347e77e476143afaef3036c177ceadbb7e6c6
+  data.tar.gz: 3fd3663d4d05518b46f9d1a53d9d742b150a84ffba93aaf4d9ebdcbd93505342
 SHA512:
-  metadata.gz: 96693d5a7ca81b7a1f6834ffedb7ad9897dba6fe510dc632c204a2497595ae67c6bf7c70895bccc5738d6d83369cafc7f309962e6e29a941a2ccb5f5fc84b68a
-  data.tar.gz: 9b4d2ccb878b2aec9b82ac158b5da5bea76653b443c3d53c5d4146a4e3900f400680d690cb0ab6becb526f827d1cb482d663719625f10ee6011e598411c29b67
+  metadata.gz: b97df59e99c969940ffe54a1ecf1e655f582ed4f2372c4e08feb3572fd7f38e767303911a4ec36151325da78415738a0f952f35dfbd010bd9dc6a1832635c78a
+  data.tar.gz: b092fdfa627a2ab2d2e4a71c4e070e1788fa496b3be6f64e038b332632adbdd4d70c2cae239e14814a31f03def374eb215f3cc580695af38d9562e1b2e1da4e1

data/README.md CHANGED

@@ -67,6 +67,7 @@ Mihari supports the following services by default.
 - [DN Pedia](https://dnpedia.com/)
 - [dnstwister](https://dnstwister.report/)
 - [Onyphe](https://onyphe.io)
+- [OTX](https://otx.alienvault.com/)
 - [PassiveTotal](https://community.riskiq.com/)
 - [SecurityTrails](https://securitytrails.com/)
 - [Shodan](https://shodan.io)
@@ -89,6 +90,7 @@ Commands:
   mihari http_hash                            # Cross search with search engines by a hash of an HTTP response (SHA256, MD5 and MurmurHash3)
   mihari import_from_json                     # Give a JSON input via STDIN
   mihari onyphe [QUERY]                       # Onyphe datascan search by a query
+  mihari otx [IP|DOMAIN]                      # OTX lookup by an IP or domain
   mihari passive_dns [IP|DOMAIN]              # Cross search with passive DNS services by an ip or domain
   mihari passive_ssl [SHA1]                   # Cross search with passive SSL services by an SHA1 certificate fingerprint
   mihari passivetotal [IP|DOMAIN|EMAIL|SHA1]  # PassiveTotal lookup by an ip, domain, email or SHA1 certificate fingerprint
@@ -116,7 +118,7 @@ You can get aggregated results by using the following commands.
 | Command         | Desc.                                                                                                   |
 |-----------------|---------------------------------------------------------------------------------------------------------|
-| passive_dns     | Passive DNS lookup with CIRCL passive DNS, PassiveTotal, Pulsedive, SecurityTrails and VirusTotal       |
+| passive_dns     | Passive DNS lookup with CIRCL passive DNS, OTX, PassiveTotal, Pulsedive, SecurityTrails and VirusTotal  |
 | passive_ssl     | Passive SSL lookup with CIRCL passive SSL and PassiveTotal                                              |
 | reverse_whois   | Revese Whois lookup with PassiveTotal and SecurityTrails                                                |
 | http_hash       | HTTP response hash lookup with BinaryEdge(SHA256), Censys(SHA256), Onyphpe(MD5) and Shodan(MurmurHash3) |
@@ -211,6 +213,7 @@ Configuration can be done via environment variables or a YAML file.
 | MISP_API_ENDPOINT      | MISP URL                                                                                        |             |
 | MISP_API_KEY           | MISP API key                                                                                    |             |
 | ONYPHE_API_KEY         | Onyphe API key                                                                                  |             |
+| OTX_API_KEY            | OTX API key                                                                                     |             |
 | PASSIVETOTAL_API_KEY   | PassiveTotal API key                                                                            |             |
 | PASSIVETOTAL_USERNAME  | PassiveTotal username                                                                           |             |
 | PULSEDIVE_API_KEY      | Pulsedive API key                                                                               |             |

data/lib/mihari.rb CHANGED

@@ -50,6 +50,7 @@ require "mihari/analyzers/crtsh"
 require "mihari/analyzers/dnpedia"
 require "mihari/analyzers/dnstwister"
 require "mihari/analyzers/onyphe"
+require "mihari/analyzers/otx"
 require "mihari/analyzers/passivetotal"
 require "mihari/analyzers/pulsedive"
 require "mihari/analyzers/securitytrails_domain_feed"

data/lib/mihari/analyzers/otx.rb ADDED

@@ -0,0 +1,74 @@
+# frozen_string_literal: true
+require "otx_ruby"
+module Mihari
+  module Analyzers
+    class OTX < Base
+      attr_reader :query
+      attr_reader :type
+      attr_reader :title
+      attr_reader :description
+      attr_reader :tags
+      def initialize(query, title: nil, description: nil, tags: [])
+        super()
+        @query = query
+        @type = TypeChecker.type(query)
+        @title = title || "OTX lookup"
+        @description = description || "query = #{query}"
+        @tags = tags
+      end
+      def artifacts
+        lookup || []
+      end
+      private
+      def config_keys
+        %w(otx_api_key)
+      end
+      def domain_client
+        @domain_client ||= ::OTX::Domain.new(Mihari.config.otx_api_key)
+      end
+      def ip_client
+        @ip_client ||= ::OTX::IP.new(Mihari.config.otx_api_key)
+      end
+      def valid_type?
+        %w(ip domain).include? type
+      end
+      def lookup
+        case type
+        when "domain"
+          domain_lookup
+        when "ip"
+          ip_lookup
+        else
+          raise InvalidInputError, "#{query}(type: #{type || 'unknown'}) is not supported." unless valid_type?
+        end
+      end
+      def domain_lookup
+        records = domain_client.get_passive_dns(query)
+        records.map do |record|
+          record.address if record.record_type == "A"
+        end.compact.uniq
+      end
+      def ip_lookup
+        records = ip_client.get_passive_dns(query)
+        records.map do |record|
+          record.hostname if record.record_type == "A"
+        end.compact.uniq
+      end
+    end
+  end
+end

data/lib/mihari/analyzers/passive_dns.rb CHANGED

@@ -14,6 +14,7 @@ module Mihari
       ANALYZERS = [
         Mihari::Analyzers::CIRCL,
+        Mihari::Analyzers::OTX,
         Mihari::Analyzers::PassiveTotal,
         Mihari::Analyzers::Pulsedive,
         Mihari::Analyzers::SecurityTrails,
@@ -55,7 +56,7 @@ module Mihari
         analyzer.artifacts
       rescue ArgumentError, InvalidInputError => _e
         nil
-      rescue ::PassiveCIRCL::Error, ::PassiveTotal::Error, ::Pulsedive::ResponseError, ::SecurityTrails::Error, ::VirusTotal::Error => _e
+      rescue Faraday::Error, ::PassiveCIRCL::Error, ::PassiveTotal::Error, ::Pulsedive::ResponseError, ::SecurityTrails::Error, ::VirusTotal::Error => _e
         nil
       end
     end

data/lib/mihari/cli.rb CHANGED

@@ -164,6 +164,16 @@ module Mihari
       end
     end
+    desc "otx [IP|DOMAIN]", "OTX lookup by an IP or domain"
+    method_option :title, type: :string, desc: "title"
+    method_option :description, type: :string, desc: "description"
+    method_option :tags, type: :array, desc: "tags"
+    def otx(domain)
+      with_error_handling do
+        run_analyzer Analyzers::OTX, query: refang(domain), options: options
+      end
+    end
     desc "passive_dns [IP|DOMAIN]", "Cross search with passive DNS services by an ip or domain"
     method_option :title, type: :string, desc: "title"
     method_option :description, type: :string, desc: "description"

data/lib/mihari/config.rb CHANGED

@@ -12,6 +12,7 @@ module Mihari
     attr_accessor :misp_api_endpoint
     attr_accessor :misp_api_key
     attr_accessor :onyphe_api_key
+    attr_accessor :otx_api_key
     attr_accessor :passivetotal_api_key
     attr_accessor :passivetotal_username
     attr_accessor :pulsedive_api_key
@@ -40,6 +41,7 @@ module Mihari
       @misp_api_endpoint = ENV["MISP_API_ENDPOINT"]
       @misp_api_key = ENV["MISP_API_KEY"]
       @onyphe_api_key = ENV["ONYPHE_API_KEY"]
+      @otx_api_key = ENV["OTX_API_KEY"]
       @passivetotal_api_key = ENV["PASSIVETOTAL_API_KEY"]
       @passivetotal_username = ENV["PASSIVETOTAL_USERNAME"]
       @pulsedive_api_key = ENV["PULSEDIVE_API_KEY"]

data/lib/mihari/version.rb CHANGED

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 module Mihari
-  VERSION = "1.1.1"
+  VERSION = "1.2.0"
 end

data/mihari.gemspec CHANGED

@@ -52,6 +52,7 @@ Gem::Specification.new do |spec|
   spec.add_dependency "murmurhash3", "~> 0.1"
   spec.add_dependency "net-ping", "~> 2.0"
   spec.add_dependency "onyphe", "~> 2.0"
+  spec.add_dependency "otx_ruby", "~> 0.9"
   spec.add_dependency "parallel", "~> 1.19"
   spec.add_dependency "passive_circl", "~> 0.1"
   spec.add_dependency "passivetotalx", "~> 0.1"

metadata CHANGED

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: mihari
 version: !ruby/object:Gem::Version
-  version: 1.1.1
+  version: 1.2.0
 platform: ruby
 authors:
 - Manabu Niseki
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2020-07-19 00:00:00.000000000 Z
+date: 2020-08-01 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -388,6 +388,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '2.0'
+- !ruby/object:Gem::Dependency
+  name: otx_ruby
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.9'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.9'
 - !ruby/object:Gem::Dependency
   name: parallel
   requirement: !ruby/object:Gem::Requirement
@@ -619,6 +633,7 @@ files:
 - lib/mihari/analyzers/free_text.rb
 - lib/mihari/analyzers/http_hash.rb
 - lib/mihari/analyzers/onyphe.rb
+- lib/mihari/analyzers/otx.rb
 - lib/mihari/analyzers/passive_dns.rb
 - lib/mihari/analyzers/passive_ssl.rb
 - lib/mihari/analyzers/passivetotal.rb