mihari 1.4.0 → 2.1.0

Sign up to get free protection for your applications and to get access to all the features.
Files changed (108) hide show
  1. checksums.yaml +4 -4
  2. data/.github/ISSUE_TEMPLATE/bug_report.md +43 -0
  3. data/.github/ISSUE_TEMPLATE/feature_request.md +15 -0
  4. data/.github/workflows/test.yml +68 -0
  5. data/.standard.yml +4 -0
  6. data/README.md +22 -270
  7. data/Rakefile +1 -0
  8. data/build_frontend.sh +14 -0
  9. data/docker/Dockerfile +5 -3
  10. data/{screenshots → images}/alert.png +0 -0
  11. data/{screenshots → images}/eyecatch.png +0 -0
  12. data/images/logo.png +0 -0
  13. data/{screenshots → images}/misp.png +0 -0
  14. data/{screenshots → images}/slack.png +0 -0
  15. data/images/web_alerts.png +0 -0
  16. data/images/web_config.png +0 -0
  17. data/lib/mihari.rb +2 -2
  18. data/lib/mihari/analyzers/basic.rb +3 -4
  19. data/lib/mihari/analyzers/binaryedge.rb +4 -7
  20. data/lib/mihari/analyzers/censys.rb +3 -7
  21. data/lib/mihari/analyzers/circl.rb +3 -5
  22. data/lib/mihari/analyzers/crtsh.rb +2 -6
  23. data/lib/mihari/analyzers/dnpedia.rb +3 -6
  24. data/lib/mihari/analyzers/dnstwister.rb +4 -9
  25. data/lib/mihari/analyzers/free_text.rb +2 -6
  26. data/lib/mihari/analyzers/http_hash.rb +3 -11
  27. data/lib/mihari/analyzers/onyphe.rb +3 -6
  28. data/lib/mihari/analyzers/otx.rb +4 -9
  29. data/lib/mihari/analyzers/passive_dns.rb +4 -9
  30. data/lib/mihari/analyzers/passive_ssl.rb +4 -9
  31. data/lib/mihari/analyzers/passivetotal.rb +9 -14
  32. data/lib/mihari/analyzers/pulsedive.rb +7 -12
  33. data/lib/mihari/analyzers/reverse_whois.rb +4 -9
  34. data/lib/mihari/analyzers/securitytrails.rb +12 -17
  35. data/lib/mihari/analyzers/securitytrails_domain_feed.rb +3 -7
  36. data/lib/mihari/analyzers/shodan.rb +9 -8
  37. data/lib/mihari/analyzers/spyse.rb +6 -11
  38. data/lib/mihari/analyzers/ssh_fingerprint.rb +2 -6
  39. data/lib/mihari/analyzers/urlscan.rb +4 -12
  40. data/lib/mihari/analyzers/virustotal.rb +6 -11
  41. data/lib/mihari/analyzers/zoomeye.rb +7 -11
  42. data/lib/mihari/cli.rb +62 -299
  43. data/lib/mihari/commands/binaryedge.rb +21 -0
  44. data/lib/mihari/commands/censys.rb +22 -0
  45. data/lib/mihari/commands/circl.rb +21 -0
  46. data/lib/mihari/commands/config.rb +21 -0
  47. data/lib/mihari/commands/crtsh.rb +22 -0
  48. data/lib/mihari/commands/dnpedia.rb +21 -0
  49. data/lib/mihari/commands/dnstwister.rb +19 -0
  50. data/lib/mihari/commands/free_text.rb +21 -0
  51. data/lib/mihari/commands/http_hash.rb +25 -0
  52. data/lib/mihari/commands/json.rb +36 -0
  53. data/lib/mihari/commands/onyphe.rb +19 -0
  54. data/lib/mihari/commands/otx.rb +21 -0
  55. data/lib/mihari/commands/passive_dns.rb +19 -0
  56. data/lib/mihari/commands/passive_ssl.rb +21 -0
  57. data/lib/mihari/commands/passivetotal.rb +21 -0
  58. data/lib/mihari/commands/pulsedive.rb +21 -0
  59. data/lib/mihari/commands/reverse_whois.rb +21 -0
  60. data/lib/mihari/commands/securitytrails.rb +20 -0
  61. data/lib/mihari/commands/securitytrails_domain_feed.rb +23 -0
  62. data/lib/mihari/commands/shodan.rb +19 -0
  63. data/lib/mihari/commands/spyse.rb +20 -0
  64. data/lib/mihari/commands/ssh_fingerprint.rb +21 -0
  65. data/lib/mihari/commands/urlscan.rb +23 -0
  66. data/lib/mihari/commands/virustotal.rb +19 -0
  67. data/lib/mihari/commands/web.rb +20 -0
  68. data/lib/mihari/commands/zoomeye.rb +20 -0
  69. data/lib/mihari/config.rb +13 -25
  70. data/lib/mihari/configurable.rb +4 -5
  71. data/lib/mihari/database.rb +7 -1
  72. data/lib/mihari/emitters/misp.rb +4 -2
  73. data/lib/mihari/emitters/slack.rb +18 -7
  74. data/lib/mihari/emitters/the_hive.rb +1 -1
  75. data/lib/mihari/errors.rb +2 -0
  76. data/lib/mihari/models/alert.rb +51 -0
  77. data/lib/mihari/models/artifact.rb +1 -1
  78. data/lib/mihari/notifiers/exception_notifier.rb +1 -1
  79. data/lib/mihari/serializers/alert.rb +1 -1
  80. data/lib/mihari/serializers/artifact.rb +1 -1
  81. data/lib/mihari/serializers/tag.rb +1 -1
  82. data/lib/mihari/status.rb +10 -10
  83. data/lib/mihari/type_checker.rb +4 -4
  84. data/lib/mihari/version.rb +1 -1
  85. data/lib/mihari/web/app.rb +166 -0
  86. data/lib/mihari/web/public/index.html +21 -0
  87. data/lib/mihari/web/public/static/favicon.ico +0 -0
  88. data/lib/mihari/web/public/static/fonts/fa-brands-400.099a9556.woff +0 -0
  89. data/lib/mihari/web/public/static/fonts/fa-brands-400.30cc681d.eot +0 -0
  90. data/lib/mihari/web/public/static/fonts/fa-brands-400.3b89dd10.ttf +0 -0
  91. data/lib/mihari/web/public/static/fonts/fa-brands-400.f7307680.woff2 +0 -0
  92. data/lib/mihari/web/public/static/fonts/fa-regular-400.1f77739c.ttf +0 -0
  93. data/lib/mihari/web/public/static/fonts/fa-regular-400.7124eb50.woff +0 -0
  94. data/lib/mihari/web/public/static/fonts/fa-regular-400.7630483d.eot +0 -0
  95. data/lib/mihari/web/public/static/fonts/fa-regular-400.f0f82301.woff2 +0 -0
  96. data/lib/mihari/web/public/static/fonts/fa-solid-900.1042e8ca.eot +0 -0
  97. data/lib/mihari/web/public/static/fonts/fa-solid-900.605ed792.ttf +0 -0
  98. data/lib/mihari/web/public/static/fonts/fa-solid-900.9fe5a17c.woff +0 -0
  99. data/lib/mihari/web/public/static/fonts/fa-solid-900.e8a427e1.woff2 +0 -0
  100. data/lib/mihari/web/public/static/img/fa-brands-400.ba7ed552.svg +3717 -0
  101. data/lib/mihari/web/public/static/img/fa-regular-400.0bb42845.svg +801 -0
  102. data/lib/mihari/web/public/static/img/fa-solid-900.376c1f97.svg +5034 -0
  103. data/lib/mihari/web/public/static/js/app.280cbdb7.js +12 -0
  104. data/lib/mihari/web/public/static/js/app.280cbdb7.js.map +1 -0
  105. data/mihari.gemspec +31 -24
  106. metadata +213 -49
  107. data/.travis.yml +0 -13
  108. data/lib/mihari/alert_viewer.rb +0 -23
@@ -0,0 +1,22 @@
1
+ # frozen_string_literal: true
2
+
3
+ module Mihari
4
+ module Commands
5
+ module Censys
6
+ def self.included(thor)
7
+ thor.class_eval do
8
+ desc "censys [QUERY]", "Censys IPv4 search by a query"
9
+ method_option :title, type: :string, desc: "title"
10
+ method_option :description, type: :string, desc: "description"
11
+ method_option :tags, type: :array, desc: "tags"
12
+ method_option :type, type: :string, desc: "type to search (ipv4 / websites / certificates)", default: "ipv4"
13
+ def censys(query)
14
+ with_error_handling do
15
+ run_analyzer Analyzers::Censys, query: query, options: options
16
+ end
17
+ end
18
+ end
19
+ end
20
+ end
21
+ end
22
+ end
@@ -0,0 +1,21 @@
1
+ # frozen_string_literal: true
2
+
3
+ module Mihari
4
+ module Commands
5
+ module CIRCL
6
+ def self.included(thor)
7
+ thor.class_eval do
8
+ desc "circl [DOMAIN|SHA1]", "CIRCL passive DNS/SSL lookup by a domain or SHA1 certificate fingerprint"
9
+ method_option :title, type: :string, desc: "title"
10
+ method_option :description, type: :string, desc: "description"
11
+ method_option :tags, type: :array, desc: "tags"
12
+ def circl(query)
13
+ with_error_handling do
14
+ run_analyzer Analyzers::CIRCL, query: refang(query), options: options
15
+ end
16
+ end
17
+ end
18
+ end
19
+ end
20
+ end
21
+ end
@@ -0,0 +1,21 @@
1
+ module Mihari
2
+ module Commands
3
+ module Config
4
+ def self.included(thor)
5
+ thor.class_eval do
6
+ desc "init_config", "Create a config file"
7
+ method_option :filename, type: :string, default: "mihari.yml"
8
+ def init_config
9
+ filename = options["filename"]
10
+
11
+ if File.exist?(filename) && !(yes? "#{filename} exists. Do you want to overwrite it? (y/n)")
12
+ return
13
+ end
14
+
15
+ Mihari::Config.initialize_yaml filename
16
+ end
17
+ end
18
+ end
19
+ end
20
+ end
21
+ end
@@ -0,0 +1,22 @@
1
+ # frozen_string_literal: true
2
+
3
+ module Mihari
4
+ module Commands
5
+ module Crtsh
6
+ def self.included(thor)
7
+ thor.class_eval do
8
+ desc "crtsh [QUERY]", "crt.sh search by a query"
9
+ method_option :title, type: :string, desc: "title"
10
+ method_option :description, type: :string, desc: "description"
11
+ method_option :tags, type: :array, desc: "tags"
12
+ method_option :exclude_expired, type: :boolean, desc: "exclude expired certificates"
13
+ def crtsh(query)
14
+ with_error_handling do
15
+ run_analyzer Analyzers::Crtsh, query: query, options: options
16
+ end
17
+ end
18
+ end
19
+ end
20
+ end
21
+ end
22
+ end
@@ -0,0 +1,21 @@
1
+ # frozen_string_literal: true
2
+
3
+ module Mihari
4
+ module Commands
5
+ module DNPedia
6
+ def self.included(thor)
7
+ thor.class_eval do
8
+ desc "dnpedia [QUERY]", "DNPedia domain search by a query"
9
+ method_option :title, type: :string, desc: "title"
10
+ method_option :description, type: :string, desc: "description"
11
+ method_option :tags, type: :array, desc: "tags"
12
+ def dnpedia(query)
13
+ with_error_handling do
14
+ run_analyzer Analyzers::DNPedia, query: query, options: options
15
+ end
16
+ end
17
+ end
18
+ end
19
+ end
20
+ end
21
+ end
@@ -0,0 +1,19 @@
1
+ module Mihari
2
+ module Commands
3
+ module DNSTwister
4
+ def self.included(thor)
5
+ thor.class_eval do
6
+ desc "dnstwister [DOMAIN]", "dnstwister lookup by a domain"
7
+ method_option :title, type: :string, desc: "title"
8
+ method_option :description, type: :string, desc: "description"
9
+ method_option :tags, type: :array, desc: "tags"
10
+ def dnstwister(domain)
11
+ with_error_handling do
12
+ run_analyzer Analyzers::DNSTwister, query: refang(domain), options: options
13
+ end
14
+ end
15
+ end
16
+ end
17
+ end
18
+ end
19
+ end
@@ -0,0 +1,21 @@
1
+ # frozen_string_literal: true
2
+
3
+ module Mihari
4
+ module Commands
5
+ module FreeText
6
+ def self.included(thor)
7
+ thor.class_eval do
8
+ desc "free_text [TEXT]", "Cross search with search engines by a free text"
9
+ method_option :title, type: :string, desc: "title"
10
+ method_option :description, type: :string, desc: "description"
11
+ method_option :tags, type: :array, desc: "tags"
12
+ def free_text(text)
13
+ with_error_handling do
14
+ run_analyzer Analyzers::FreeText, query: text, options: options
15
+ end
16
+ end
17
+ end
18
+ end
19
+ end
20
+ end
21
+ end
@@ -0,0 +1,25 @@
1
+ # frozen_string_literal: true
2
+
3
+ module Mihari
4
+ module Commands
5
+ module HTTPHash
6
+ def self.included(thor)
7
+ thor.class_eval do
8
+ desc "http_hash", "Cross search with search engines by a hash of an HTTP response (SHA256, MD5 and MurmurHash3)"
9
+ method_option :title, type: :string, desc: "title"
10
+ method_option :description, type: :string, desc: "description"
11
+ method_option :tags, type: :array, desc: "tags"
12
+ method_option :md5, type: :string, desc: "MD5 hash"
13
+ method_option :sha256, type: :string, desc: "SHA256 hash"
14
+ method_option :mmh3, type: :numeric, desc: "MurmurHash3 hash"
15
+ method_option :html, type: :string, desc: "path to an HTML file"
16
+ def http_hash
17
+ with_error_handling do
18
+ run_analyzer Analyzers::HTTPHash, query: nil, options: options
19
+ end
20
+ end
21
+ end
22
+ end
23
+ end
24
+ end
25
+ end
@@ -0,0 +1,36 @@
1
+ module Mihari
2
+ module Commands
3
+ module JSON
4
+ def self.included(thor)
5
+ thor.class_eval do
6
+ desc "import_from_json", "Give a JSON input via STDIN"
7
+ def import_from_json(input = nil)
8
+ with_error_handling do
9
+ json = input || $stdin.gets.chomp
10
+ raise ArgumentError, "Input not found: please give an input in a JSON format" unless json
11
+
12
+ json = parse_as_json(json)
13
+ raise ArgumentError, "Invalid input format: an input JSON data should have title, description and artifacts key" unless valid_json?(json)
14
+
15
+ title = json["title"]
16
+ description = json["description"]
17
+ artifacts = json["artifacts"]
18
+ tags = json["tags"] || []
19
+
20
+ basic = Analyzers::Basic.new(title: title, description: description, artifacts: artifacts, source: "json", tags: tags)
21
+ basic.run
22
+ end
23
+ end
24
+
25
+ no_commands do
26
+ def parse_as_json(input)
27
+ ::JSON.parse input
28
+ rescue ::JSON::ParserError => _e
29
+ nil
30
+ end
31
+ end
32
+ end
33
+ end
34
+ end
35
+ end
36
+ end
@@ -0,0 +1,19 @@
1
+ module Mihari
2
+ module Commands
3
+ module Onyphe
4
+ def self.included(thor)
5
+ thor.class_eval do
6
+ desc "onyphe [QUERY]", "Onyphe datascan search by a query"
7
+ method_option :title, type: :string, desc: "title"
8
+ method_option :description, type: :string, desc: "description"
9
+ method_option :tags, type: :array, desc: "tags"
10
+ def onyphe(query)
11
+ with_error_handling do
12
+ run_analyzer Analyzers::Onyphe, query: query, options: options
13
+ end
14
+ end
15
+ end
16
+ end
17
+ end
18
+ end
19
+ end
@@ -0,0 +1,21 @@
1
+ # frozen_string_literal: true
2
+
3
+ module Mihari
4
+ module Commands
5
+ module OTX
6
+ def self.included(thor)
7
+ thor.class_eval do
8
+ desc "otx [IP|DOMAIN]", "OTX lookup by an IP or domain"
9
+ method_option :title, type: :string, desc: "title"
10
+ method_option :description, type: :string, desc: "description"
11
+ method_option :tags, type: :array, desc: "tags"
12
+ def otx(domain)
13
+ with_error_handling do
14
+ run_analyzer Analyzers::OTX, query: refang(domain), options: options
15
+ end
16
+ end
17
+ end
18
+ end
19
+ end
20
+ end
21
+ end
@@ -0,0 +1,19 @@
1
+ module Mihari
2
+ module Commands
3
+ module PassiveDNS
4
+ def self.included(thor)
5
+ thor.class_eval do
6
+ desc "passive_dns [IP|DOMAIN]", "Cross search with passive DNS services by an ip or domain"
7
+ method_option :title, type: :string, desc: "title"
8
+ method_option :description, type: :string, desc: "description"
9
+ method_option :tags, type: :array, desc: "tags"
10
+ def passive_dns(query)
11
+ with_error_handling do
12
+ run_analyzer Analyzers::PassiveDNS, query: refang(query), options: options
13
+ end
14
+ end
15
+ end
16
+ end
17
+ end
18
+ end
19
+ end
@@ -0,0 +1,21 @@
1
+ # frozen_string_literal: true
2
+
3
+ module Mihari
4
+ module Commands
5
+ module PassiveSSL
6
+ def self.included(thor)
7
+ thor.class_eval do
8
+ desc "passive_ssl [SHA1]", "Cross search with passive SSL services by an SHA1 certificate fingerprint"
9
+ method_option :title, type: :string, desc: "title"
10
+ method_option :description, type: :string, desc: "description"
11
+ method_option :tags, type: :array, desc: "tags"
12
+ def passive_ssl(query)
13
+ with_error_handling do
14
+ run_analyzer Analyzers::PassiveSSL, query: query, options: options
15
+ end
16
+ end
17
+ end
18
+ end
19
+ end
20
+ end
21
+ end
@@ -0,0 +1,21 @@
1
+ # frozen_string_literal: true
2
+
3
+ module Mihari
4
+ module Commands
5
+ module PassiveTotal
6
+ def self.included(thor)
7
+ thor.class_eval do
8
+ desc "passivetotal [IP|DOMAIN|EMAIL|SHA1]", "PassiveTotal lookup by an ip, domain, email or SHA1 certificate fingerprint"
9
+ method_option :title, type: :string, desc: "title"
10
+ method_option :description, type: :string, desc: "description"
11
+ method_option :tags, type: :array, desc: "tags"
12
+ def passivetotal(indicator)
13
+ with_error_handling do
14
+ run_analyzer Analyzers::PassiveTotal, query: refang(indicator), options: options
15
+ end
16
+ end
17
+ end
18
+ end
19
+ end
20
+ end
21
+ end
@@ -0,0 +1,21 @@
1
+ # frozen_string_literal: true
2
+
3
+ module Mihari
4
+ module Commands
5
+ module Pulsedive
6
+ def self.included(thor)
7
+ thor.class_eval do
8
+ desc "pulsedive [IP|DOMAIN]", "Pulsedive lookup by an ip or domain"
9
+ method_option :title, type: :string, desc: "title"
10
+ method_option :description, type: :string, desc: "description"
11
+ method_option :tags, type: :array, desc: "tags"
12
+ def pulsedive(indiactor)
13
+ with_error_handling do
14
+ run_analyzer Analyzers::Pulsedive, query: refang(indiactor), options: options
15
+ end
16
+ end
17
+ end
18
+ end
19
+ end
20
+ end
21
+ end
@@ -0,0 +1,21 @@
1
+ # frozen_string_literal: true
2
+
3
+ module Mihari
4
+ module Commands
5
+ module ReverseWhois
6
+ def self.included(thor)
7
+ thor.class_eval do
8
+ desc "reverse_whois [EMAIL]", "Cross search with reverse whois services by an email"
9
+ method_option :title, type: :string, desc: "title"
10
+ method_option :description, type: :string, desc: "description"
11
+ method_option :tags, type: :array, desc: "tags"
12
+ def reverse_whois(query)
13
+ with_error_handling do
14
+ run_analyzer Analyzers::ReveseWhois, query: refang(query), options: options
15
+ end
16
+ end
17
+ end
18
+ end
19
+ end
20
+ end
21
+ end
@@ -0,0 +1,20 @@
1
+ module Mihari
2
+ module Commands
3
+ module SecurityTrails
4
+ def self.included(thor)
5
+ thor.class_eval do
6
+ desc "securitytrails [IP|DOMAIN|EMAIL]", "SecurityTrails lookup by an ip, domain or email"
7
+ method_option :title, type: :string, desc: "title"
8
+ method_option :description, type: :string, desc: "description"
9
+ method_option :tags, type: :array, desc: "tags"
10
+ def securitytrails(indiactor)
11
+ with_error_handling do
12
+ run_analyzer Analyzers::SecurityTrails, query: refang(indiactor), options: options
13
+ end
14
+ end
15
+ map "st" => :securitytrails
16
+ end
17
+ end
18
+ end
19
+ end
20
+ end
@@ -0,0 +1,23 @@
1
+ # frozen_string_literal: true
2
+
3
+ module Mihari
4
+ module Commands
5
+ module SecurityTrailsDomainFeed
6
+ def self.included(thor)
7
+ thor.class_eval do
8
+ desc "securitytrails_domain_feed [REGEXP]", "SecurityTrails new domain feed search by a regexp"
9
+ method_option :title, type: :string, desc: "title"
10
+ method_option :description, type: :string, desc: "description"
11
+ method_option :tags, type: :array, desc: "tags"
12
+ method_option :type, type: :string, default: "registered", desc: "A type of domain feed ('all', 'new' or 'registered')"
13
+ def securitytrails_domain_feed(regexp)
14
+ with_error_handling do
15
+ run_analyzer Analyzers::SecurityTrailsDomainFeed, query: regexp, options: options
16
+ end
17
+ end
18
+ map "st_domain_feed" => :securitytrails_domain_feedd
19
+ end
20
+ end
21
+ end
22
+ end
23
+ end
@@ -0,0 +1,19 @@
1
+ module Mihari
2
+ module Commands
3
+ module Shodan
4
+ def self.included(thor)
5
+ thor.class_eval do
6
+ desc "shodan [QUERY]", "Shodan host search by a query"
7
+ method_option :title, type: :string, desc: "title"
8
+ method_option :description, type: :string, desc: "description"
9
+ method_option :tags, type: :array, desc: "tags"
10
+ def shodan(query)
11
+ with_error_handling do
12
+ run_analyzer Analyzers::Shodan, query: query, options: options
13
+ end
14
+ end
15
+ end
16
+ end
17
+ end
18
+ end
19
+ end