mihari 1.3.0 → 1.5.0

data/lib/mihari/analyzers/urlscan.rb

@@ -5,20 +5,29 @@ require "urlscan"
 module Mihari
   module Analyzers
     class Urlscan < Base
-      attr_reader :title
-      attr_reader :description
-      attr_reader :query
-      attr_reader :tags
-      attr_reader :target_type
+      attr_reader :title, :description, :query, :tags, :filter, :target_type, :use_pro, :use_similarity
 
-      def initialize(query, title: nil, description: nil, tags: [], target_type: "url")
+      def initialize(
+        query,
+        description: nil,
+        filter: nil,
+        tags: [],
+        target_type: "url",
+        title: nil,
+        use_pro: false,
+        use_similarity: false
+      )
         super()
 
         @query = query
         @title = title || "urlscan lookup"
         @description = description || "query = #{query}"
         @tags = tags
+
+        @filter = filter
         @target_type = target_type
+        @use_pro = use_pro
+        @use_similarity = use_similarity
 
         raise InvalidInputError, "type should be url, domain or ip." unless valid_target_type?
       end
@@ -27,7 +36,7 @@ module Mihari
         result = search
         return [] unless result
 
-        results = result.dig("results") || []
+        results = result["results"] || []
         results.map do |match|
           match.dig "page", target_type
         end.compact.uniq
@@ -35,16 +44,23 @@ module Mihari
 
       private
 
+      def config_keys
+        %w[urlscan_api_key]
+      end
+
       def api
-        @api ||= ::UrlScan::API.new
+        @api ||= ::UrlScan::API.new(Mihari.config.urlscan_api_key)
       end
 
       def search
+        return api.pro.similar(query) if use_similarity
+        return api.pro.search(query: query, filter: filter, size: 10_000) if use_pro
+
         api.search(query, size: 10_000)
       end
 
       def valid_target_type?
-        %w(url domain ip).include? target_type
+        %w[url domain ip].include? target_type
       end
     end
   end

data/lib/mihari/analyzers/virustotal.rb

@@ -5,12 +5,7 @@ require "virustotal"
 module Mihari
   module Analyzers
     class VirusTotal < Base
-      attr_reader :indicator
-      attr_reader :type
-
-      attr_reader :title
-      attr_reader :description
-      attr_reader :tags
+      attr_reader :indicator, :type, :title, :description, :tags
 
       def initialize(indicator, title: nil, description: nil, tags: [])
         super()
@@ -30,7 +25,7 @@ module Mihari
       private
 
       def config_keys
-        %w(virustotal_api_key)
+        %w[virustotal_api_key]
       end
 
       def api
@@ -38,7 +33,7 @@ module Mihari
       end
 
       def valid_type?
-        %w(ip domain).include? type
+        %w[ip domain].include? type
       end
 
       def lookup
@@ -48,14 +43,14 @@ module Mihari
         when "ip"
           ip_lookup
         else
-          raise InvalidInputError, "#{indicator}(type: #{type || 'unknown'}) is not supported." unless valid_type?
+          raise InvalidInputError, "#{indicator}(type: #{type || "unknown"}) is not supported." unless valid_type?
         end
       end
 
       def domain_lookup
         res = api.domain.resolutions(indicator)
 
-        data = res.dig("data") || []
+        data = res["data"] || []
         data.map do |item|
           item.dig("attributes", "ip_address")
         end.compact.uniq
@@ -64,7 +59,7 @@ module Mihari
       def ip_lookup
         res = api.ip_address.resolutions(indicator)
 
-        data = res.dig("data") || []
+        data = res["data"] || []
         data.map do |item|
           item.dig("attributes", "host_name")
         end.compact.uniq

data/lib/mihari/analyzers/zoomeye.rb

@@ -5,11 +5,7 @@ require "zoomeye"
 module Mihari
   module Analyzers
     class ZoomEye < Base
-      attr_reader :title
-      attr_reader :description
-      attr_reader :query
-      attr_reader :tags
-      attr_reader :type
+      attr_reader :title, :description, :query, :tags, :type
 
       def initialize(query, title: nil, description: nil, tags: [], type: "host")
         super()
@@ -37,11 +33,11 @@ module Mihari
       PAGE_SIZE = 10
 
       def valid_type?
-        %w(host web).include? type
+        %w[host web].include? type
       end
 
       def config_keys
-        %w(zoomeye_password zoomeye_username)
+        %w[zoomeye_password zoomeye_username]
       end
 
       def api
@@ -50,9 +46,9 @@ module Mihari
 
       def convert_responses(responses)
         responses.map do |res|
-          matches = res.dig("matches") || []
+          matches = res["matches"] || []
           matches.map do |match|
-            match.dig "ip"
+            match["ip"]
           end
         end.flatten.compact.uniq
       end
@@ -69,7 +65,7 @@ module Mihari
           res = _host_lookup(query, page: page)
           break unless res
 
-          total = res.dig("total").to_i
+          total = res["total"].to_i
           responses << res
           break if total <= page * PAGE_SIZE
         end
@@ -88,7 +84,7 @@ module Mihari
           res = _web_lookup(query, page: page)
           break unless res
 
-          total = res.dig("total").to_i
+          total = res["total"].to_i
           responses << res
           break if total <= page * PAGE_SIZE
         end

data/lib/mihari/cli.rb

@@ -7,6 +7,10 @@ module Mihari
   class CLI < Thor
     class_option :config, type: :string, desc: "path to config file"
 
+    def self.exit_on_failure?
+      true
+    end
+
     desc "censys [QUERY]", "Censys IPv4 search by a query"
     method_option :title, type: :string, desc: "title"
     method_option :description, type: :string, desc: "description"
@@ -42,7 +46,10 @@ module Mihari
     method_option :title, type: :string, desc: "title"
     method_option :description, type: :string, desc: "description"
     method_option :tags, type: :array, desc: "tags"
+    method_option :filter, type: :string, desc: "filter for urlscan pro search"
     method_option :target_type, type: :string, default: "url", desc: "target type to fetch from lookup results (target type should be 'url', 'domain' or 'ip')"
+    method_option :use_pro, type: :boolean, default: false, desc: "use pro search API or not"
+    method_option :use_similarity, type: :boolean, default: false, desc: "use similarity API or not"
     def urlscan(query)
       with_error_handling do
         run_analyzer Analyzers::Urlscan, query: query, options: options
@@ -252,16 +259,16 @@ module Mihari
     desc "import_from_json", "Give a JSON input via STDIN"
     def import_from_json(input = nil)
       with_error_handling do
-        json = input || STDIN.gets.chomp
+        json = input || $stdin.gets.chomp
         raise ArgumentError, "Input not found: please give an input in a JSON format" unless json
 
         json = parse_as_json(json)
         raise ArgumentError, "Invalid input format: an input JSON data should have title, description and artifacts key" unless valid_json?(json)
 
-        title = json.dig("title")
-        description = json.dig("description")
-        artifacts = json.dig("artifacts")
-        tags = json.dig("tags") || []
+        title = json["title"]
+        description = json["description"]
+        artifacts = json["artifacts"]
+        tags = json["tags"] || []
 
         basic = Analyzers::Basic.new(title: title, description: description, artifacts: artifacts, source: "json", tags: tags)
         basic.run
@@ -295,7 +302,7 @@ module Mihari
     no_commands do
       def with_error_handling
         yield
-      rescue StandardError => e
+      rescue => e
         notifier = Notifiers::ExceptionNotifier.new
         notifier.notify e
       end
@@ -308,7 +315,7 @@ module Mihari
 
       # @return [true, false]
       def valid_json?(json)
-        %w(title description artifacts).all? { |key| json.key? key }
+        %w[title description artifacts].all? { |key| json.key? key }
       end
 
       def load_configuration

data/lib/mihari/config.rb

@@ -4,30 +4,7 @@ require "yaml"
 
 module Mihari
   class Config
-    attr_accessor :binaryedge_api_key
-    attr_accessor :censys_id
-    attr_accessor :censys_secret
-    attr_accessor :circl_passive_password
-    attr_accessor :circl_passive_username
-    attr_accessor :misp_api_endpoint
-    attr_accessor :misp_api_key
-    attr_accessor :onyphe_api_key
-    attr_accessor :otx_api_key
-    attr_accessor :passivetotal_api_key
-    attr_accessor :passivetotal_username
-    attr_accessor :pulsedive_api_key
-    attr_accessor :securitytrails_api_key
-    attr_accessor :shodan_api_key
-    attr_accessor :slack_channel
-    attr_accessor :slack_webhook_url
-    attr_accessor :spyse_api_key
-    attr_accessor :thehive_api_endpoint
-    attr_accessor :thehive_api_key
-    attr_accessor :virustotal_api_key
-    attr_accessor :zoomeye_password
-    attr_accessor :zoomeye_username
-
-    attr_accessor :database
+    attr_accessor :binaryedge_api_key, :censys_id, :censys_secret, :circl_passive_password, :circl_passive_username, :misp_api_endpoint, :misp_api_key, :onyphe_api_key, :otx_api_key, :passivetotal_api_key, :passivetotal_username, :pulsedive_api_key, :securitytrails_api_key, :shodan_api_key, :slack_channel, :slack_webhook_url, :spyse_api_key, :thehive_api_endpoint, :thehive_api_key, :urlscan_api_key, :virustotal_api_key, :zoomeye_password, :zoomeye_username, :database
 
     def initialize
       load_from_env
@@ -53,6 +30,7 @@ module Mihari
       @spyse_api_key = ENV["SPYSE_API_KEY"]
       @thehive_api_endpoint = ENV["THEHIVE_API_ENDPOINT"]
       @thehive_api_key = ENV["THEHIVE_API_KEY"]
+      @urlscan_api_key = ENV["URLSCAN_API_KEY"]
       @virustotal_api_key = ENV["VIRUSTOTAL_API_KEY"]
       @zoomeye_password = ENV["ZOOMEYE_PASSWORD"]
       @zoomeye_username = ENV["ZOOMEYE_USERNAME"]

data/lib/mihari/database.rb

@@ -54,7 +54,7 @@ module Mihari
 
         ActiveRecord::Migration.verbose = false
         InitialSchema.migrate(:up)
-      rescue StandardError
+      rescue
         # Do nothing
       end
 

data/lib/mihari/emitters/misp.rb

@@ -7,6 +7,8 @@ module Mihari
   module Emitters
     class MISP < Base
       def initialize
+        super()
+
         ::MISP.configure do |config|
           config.api_endpoint = Mihari.config.misp_api_endpoint
           config.api_key = Mihari.config.misp_api_key
@@ -35,7 +37,7 @@ module Mihari
       private
 
       def config_keys
-        %w(misp_api_endpoint misp_api_key)
+        %w[misp_api_endpoint misp_api_key]
       end
 
       def build_attribute(artifact)
@@ -61,7 +63,7 @@ module Mihari
           ip: "ip-dst",
           mail: "email-dst",
           url: "url",
-          domain: "domain",
+          domain: "domain"
         }
         return table[type] if table.key?(type)
 

data/lib/mihari/emitters/slack.rb

@@ -19,25 +19,31 @@ module Mihari
       end
 
       def actions
-        [vt_link, urlscan_link, censys_link].compact
+        [vt_link, urlscan_link, censys_link, shodan_link].compact
       end
 
       def vt_link
         return nil unless _vt_link
 
-        { type: "button", text: "Lookup on VirusTotal", url: _vt_link, }
+        { type: "button", text: "VirusTotal", url: _vt_link }
       end
 
       def urlscan_link
         return nil unless _urlscan_link
 
-        { type: "button", text: "Lookup on urlscan.io", url: _urlscan_link, }
+        { type: "button", text: "urlscan.io", url: _urlscan_link }
       end
 
       def censys_link
         return nil unless _censys_link
 
-        { type: "button", text: "Lookup on Censys", url: _censys_link, }
+        { type: "button", text: "Censys", url: _censys_link }
+      end
+
+      def shodan_link
+        return nil unless _shodan_link
+
+        { type: "button", text: "Shodan", url: _shodan_link }
       end
 
       # @return [Array]
@@ -89,6 +95,11 @@ module Mihari
       end
       memoize :_censys_link
 
+      def _shodan_link
+        data_type == "ip" ? "https://www.shodan.io/host/#{data}" : nil
+      end
+      memoize :_shodan_link
+
       # @return [String]
       def sha256
         Digest::SHA256.hexdigest data
@@ -96,7 +107,7 @@ module Mihari
 
       # @return [String]
       def defanged_data
-        @defanged_data ||= data.to_s.gsub /\./, "[.]"
+        @defanged_data ||= data.to_s.gsub(/\./, "[.]")
       end
     end
 
@@ -121,7 +132,7 @@ module Mihari
         [
           "*#{title}*",
           "*Desc.*: #{description}",
-          "*Tags*: #{tags.join(', ')}",
+          "*Tags*: #{tags.join(', ')}"
         ].join("\n")
       end
 
@@ -137,7 +148,7 @@ module Mihari
       private
 
       def config_keys
-        %w(slack_webhook_url)
+        %w[slack_webhook_url]
       end
     end
   end

data/lib/mihari/emitters/the_hive.rb

@@ -17,7 +17,7 @@ module Mihari
         api.alert.create(
           title: title,
           description: description,
-          artifacts: artifacts.map { |artifact| { data: artifact.data, data_type: artifact.data_type, message: description } },
+          artifacts: artifacts.map { |artifact| {data: artifact.data, data_type: artifact.data_type, message: description} },
           tags: tags,
           type: "external",
           source: "mihari"
@@ -27,7 +27,7 @@ module Mihari
       private
 
       def config_keys
-        %w(thehive_api_endpoint thehive_api_key)
+        %w[thehive_api_endpoint thehive_api_key]
       end
 
       def api

data/lib/mihari/errors.rb

@@ -2,5 +2,8 @@
 
 module Mihari
   class Error < StandardError; end
+
   class InvalidInputError < Error; end
+
+  class RetryableError < Error; end
 end

data/lib/mihari/models/artifact.rb

@@ -6,7 +6,7 @@ class ArtifactValidator < ActiveModel::Validator
   def validate(record)
     return if record.data_type
 
-    record.errors[:data] << "#{record.data} is not supported"
+    record.errors.add :data, "#{record.data} is not supported"
   end
 end
 

data/lib/mihari/notifiers/exception_notifier.rb

@@ -19,7 +19,7 @@ module Mihari
       def notify(exception)
         notify_to_stdout exception
 
-        clean_message = exception.message.tr('`', "'")
+        clean_message = exception.message.tr("`", "'")
         attachments = to_attachments(exception, clean_message)
         notify_to_slack(text: clean_message, attachments: attachments) if @slack.valid?
       end
@@ -51,20 +51,20 @@ module Mihari
 
       def to_fields(clean_message, backtrace)
         fields = [
-          { title: "Exception", value: clean_message },
-          { title: "Hostname", value: hostname }
+          {title: "Exception", value: clean_message},
+          {title: "Hostname", value: hostname}
         ]
 
         if backtrace
           formatted_backtrace = format_backtrace(backtrace)
-          fields << { title: "Backtrace", value: formatted_backtrace }
+          fields << {title: "Backtrace", value: formatted_backtrace}
         end
         fields
       end
 
       def hostname
         Socket.gethostname
-      rescue StandardError => _e
+      rescue => _e
         "N/A"
       end