mihari 1.4.0 → 2.1.0

Sign up to get free protection for your applications and to get access to all the features.
Files changed (108) hide show
  1. checksums.yaml +4 -4
  2. data/.github/ISSUE_TEMPLATE/bug_report.md +43 -0
  3. data/.github/ISSUE_TEMPLATE/feature_request.md +15 -0
  4. data/.github/workflows/test.yml +68 -0
  5. data/.standard.yml +4 -0
  6. data/README.md +22 -270
  7. data/Rakefile +1 -0
  8. data/build_frontend.sh +14 -0
  9. data/docker/Dockerfile +5 -3
  10. data/{screenshots → images}/alert.png +0 -0
  11. data/{screenshots → images}/eyecatch.png +0 -0
  12. data/images/logo.png +0 -0
  13. data/{screenshots → images}/misp.png +0 -0
  14. data/{screenshots → images}/slack.png +0 -0
  15. data/images/web_alerts.png +0 -0
  16. data/images/web_config.png +0 -0
  17. data/lib/mihari.rb +2 -2
  18. data/lib/mihari/analyzers/basic.rb +3 -4
  19. data/lib/mihari/analyzers/binaryedge.rb +4 -7
  20. data/lib/mihari/analyzers/censys.rb +3 -7
  21. data/lib/mihari/analyzers/circl.rb +3 -5
  22. data/lib/mihari/analyzers/crtsh.rb +2 -6
  23. data/lib/mihari/analyzers/dnpedia.rb +3 -6
  24. data/lib/mihari/analyzers/dnstwister.rb +4 -9
  25. data/lib/mihari/analyzers/free_text.rb +2 -6
  26. data/lib/mihari/analyzers/http_hash.rb +3 -11
  27. data/lib/mihari/analyzers/onyphe.rb +3 -6
  28. data/lib/mihari/analyzers/otx.rb +4 -9
  29. data/lib/mihari/analyzers/passive_dns.rb +4 -9
  30. data/lib/mihari/analyzers/passive_ssl.rb +4 -9
  31. data/lib/mihari/analyzers/passivetotal.rb +9 -14
  32. data/lib/mihari/analyzers/pulsedive.rb +7 -12
  33. data/lib/mihari/analyzers/reverse_whois.rb +4 -9
  34. data/lib/mihari/analyzers/securitytrails.rb +12 -17
  35. data/lib/mihari/analyzers/securitytrails_domain_feed.rb +3 -7
  36. data/lib/mihari/analyzers/shodan.rb +9 -8
  37. data/lib/mihari/analyzers/spyse.rb +6 -11
  38. data/lib/mihari/analyzers/ssh_fingerprint.rb +2 -6
  39. data/lib/mihari/analyzers/urlscan.rb +4 -12
  40. data/lib/mihari/analyzers/virustotal.rb +6 -11
  41. data/lib/mihari/analyzers/zoomeye.rb +7 -11
  42. data/lib/mihari/cli.rb +62 -299
  43. data/lib/mihari/commands/binaryedge.rb +21 -0
  44. data/lib/mihari/commands/censys.rb +22 -0
  45. data/lib/mihari/commands/circl.rb +21 -0
  46. data/lib/mihari/commands/config.rb +21 -0
  47. data/lib/mihari/commands/crtsh.rb +22 -0
  48. data/lib/mihari/commands/dnpedia.rb +21 -0
  49. data/lib/mihari/commands/dnstwister.rb +19 -0
  50. data/lib/mihari/commands/free_text.rb +21 -0
  51. data/lib/mihari/commands/http_hash.rb +25 -0
  52. data/lib/mihari/commands/json.rb +36 -0
  53. data/lib/mihari/commands/onyphe.rb +19 -0
  54. data/lib/mihari/commands/otx.rb +21 -0
  55. data/lib/mihari/commands/passive_dns.rb +19 -0
  56. data/lib/mihari/commands/passive_ssl.rb +21 -0
  57. data/lib/mihari/commands/passivetotal.rb +21 -0
  58. data/lib/mihari/commands/pulsedive.rb +21 -0
  59. data/lib/mihari/commands/reverse_whois.rb +21 -0
  60. data/lib/mihari/commands/securitytrails.rb +20 -0
  61. data/lib/mihari/commands/securitytrails_domain_feed.rb +23 -0
  62. data/lib/mihari/commands/shodan.rb +19 -0
  63. data/lib/mihari/commands/spyse.rb +20 -0
  64. data/lib/mihari/commands/ssh_fingerprint.rb +21 -0
  65. data/lib/mihari/commands/urlscan.rb +23 -0
  66. data/lib/mihari/commands/virustotal.rb +19 -0
  67. data/lib/mihari/commands/web.rb +20 -0
  68. data/lib/mihari/commands/zoomeye.rb +20 -0
  69. data/lib/mihari/config.rb +13 -25
  70. data/lib/mihari/configurable.rb +4 -5
  71. data/lib/mihari/database.rb +7 -1
  72. data/lib/mihari/emitters/misp.rb +4 -2
  73. data/lib/mihari/emitters/slack.rb +18 -7
  74. data/lib/mihari/emitters/the_hive.rb +1 -1
  75. data/lib/mihari/errors.rb +2 -0
  76. data/lib/mihari/models/alert.rb +51 -0
  77. data/lib/mihari/models/artifact.rb +1 -1
  78. data/lib/mihari/notifiers/exception_notifier.rb +1 -1
  79. data/lib/mihari/serializers/alert.rb +1 -1
  80. data/lib/mihari/serializers/artifact.rb +1 -1
  81. data/lib/mihari/serializers/tag.rb +1 -1
  82. data/lib/mihari/status.rb +10 -10
  83. data/lib/mihari/type_checker.rb +4 -4
  84. data/lib/mihari/version.rb +1 -1
  85. data/lib/mihari/web/app.rb +166 -0
  86. data/lib/mihari/web/public/index.html +21 -0
  87. data/lib/mihari/web/public/static/favicon.ico +0 -0
  88. data/lib/mihari/web/public/static/fonts/fa-brands-400.099a9556.woff +0 -0
  89. data/lib/mihari/web/public/static/fonts/fa-brands-400.30cc681d.eot +0 -0
  90. data/lib/mihari/web/public/static/fonts/fa-brands-400.3b89dd10.ttf +0 -0
  91. data/lib/mihari/web/public/static/fonts/fa-brands-400.f7307680.woff2 +0 -0
  92. data/lib/mihari/web/public/static/fonts/fa-regular-400.1f77739c.ttf +0 -0
  93. data/lib/mihari/web/public/static/fonts/fa-regular-400.7124eb50.woff +0 -0
  94. data/lib/mihari/web/public/static/fonts/fa-regular-400.7630483d.eot +0 -0
  95. data/lib/mihari/web/public/static/fonts/fa-regular-400.f0f82301.woff2 +0 -0
  96. data/lib/mihari/web/public/static/fonts/fa-solid-900.1042e8ca.eot +0 -0
  97. data/lib/mihari/web/public/static/fonts/fa-solid-900.605ed792.ttf +0 -0
  98. data/lib/mihari/web/public/static/fonts/fa-solid-900.9fe5a17c.woff +0 -0
  99. data/lib/mihari/web/public/static/fonts/fa-solid-900.e8a427e1.woff2 +0 -0
  100. data/lib/mihari/web/public/static/img/fa-brands-400.ba7ed552.svg +3717 -0
  101. data/lib/mihari/web/public/static/img/fa-regular-400.0bb42845.svg +801 -0
  102. data/lib/mihari/web/public/static/img/fa-solid-900.376c1f97.svg +5034 -0
  103. data/lib/mihari/web/public/static/js/app.280cbdb7.js +12 -0
  104. data/lib/mihari/web/public/static/js/app.280cbdb7.js.map +1 -0
  105. data/mihari.gemspec +31 -24
  106. metadata +213 -49
  107. data/.travis.yml +0 -13
  108. data/lib/mihari/alert_viewer.rb +0 -23
@@ -0,0 +1,20 @@
1
+ module Mihari
2
+ module Commands
3
+ module Spyse
4
+ def self.included(thor)
5
+ thor.class_eval do
6
+ desc "spyse [QUERY]", "Spyse search by a query"
7
+ method_option :title, type: :string, desc: "title"
8
+ method_option :description, type: :string, desc: "description"
9
+ method_option :tags, type: :array, desc: "tags"
10
+ method_option :type, type: :string, desc: "type to search (ip or domain)", default: "doamin"
11
+ def spyse(query)
12
+ with_error_handling do
13
+ run_analyzer Analyzers::Spyse, query: query, options: options
14
+ end
15
+ end
16
+ end
17
+ end
18
+ end
19
+ end
20
+ end
@@ -0,0 +1,21 @@
1
+ # frozen_string_literal: true
2
+
3
+ module Mihari
4
+ module Commands
5
+ module SSHFingerprint
6
+ def self.included(thor)
7
+ thor.class_eval do
8
+ desc "ssh_fingerprint [FINGERPRINT]", "Cross search with search engines by an SSH fingerprint (e.g. dc:14:de:8e:d7:c1:15:43:23:82:25:81:d2:59:e8:c0)"
9
+ method_option :title, type: :string, desc: "title"
10
+ method_option :description, type: :string, desc: "description"
11
+ method_option :tags, type: :array, desc: "tags"
12
+ def ssh_fingerprint(fingerprint)
13
+ with_error_handling do
14
+ run_analyzer Analyzers::SSHFingerprint, query: fingerprint, options: options
15
+ end
16
+ end
17
+ end
18
+ end
19
+ end
20
+ end
21
+ end
@@ -0,0 +1,23 @@
1
+ module Mihari
2
+ module Commands
3
+ module Urlscan
4
+ def self.included(thor)
5
+ thor.class_eval do
6
+ desc "urlscan [QUERY]", "urlscan search by a given query"
7
+ method_option :title, type: :string, desc: "title"
8
+ method_option :description, type: :string, desc: "description"
9
+ method_option :tags, type: :array, desc: "tags"
10
+ method_option :filter, type: :string, desc: "filter for urlscan pro search"
11
+ method_option :target_type, type: :string, default: "url", desc: "target type to fetch from lookup results (target type should be 'url', 'domain' or 'ip')"
12
+ method_option :use_pro, type: :boolean, default: false, desc: "use pro search API or not"
13
+ method_option :use_similarity, type: :boolean, default: false, desc: "use similarity API or not"
14
+ def urlscan(query)
15
+ with_error_handling do
16
+ run_analyzer Analyzers::Urlscan, query: query, options: options
17
+ end
18
+ end
19
+ end
20
+ end
21
+ end
22
+ end
23
+ end
@@ -0,0 +1,19 @@
1
+ module Mihari
2
+ module Commands
3
+ module VirusTotal
4
+ def self.included(thor)
5
+ thor.class_eval do
6
+ desc "virustotal [IP|DOMAIN]", "VirusTotal resolutions lookup by an ip or domain"
7
+ method_option :title, type: :string, desc: "title"
8
+ method_option :description, type: :string, desc: "description"
9
+ method_option :tags, type: :array, desc: "tags"
10
+ def virustotal(indiactor)
11
+ with_error_handling do
12
+ run_analyzer Analyzers::VirusTotal, query: refang(indiactor), options: options
13
+ end
14
+ end
15
+ end
16
+ end
17
+ end
18
+ end
19
+ end
@@ -0,0 +1,20 @@
1
+ module Mihari
2
+ module Commands
3
+ module Web
4
+ def self.included(thor)
5
+ thor.class_eval do
6
+ desc "web", "Launch the web app"
7
+ method_option :port, type: :numeric, default: 9292
8
+ method_option :host, type: :string, default: "localhost"
9
+ def web
10
+ port = options["port"].to_i || 9292
11
+ host = options["host"] || "localhost"
12
+
13
+ load_configuration
14
+ Mihari::App.run!(port: port, host: host)
15
+ end
16
+ end
17
+ end
18
+ end
19
+ end
20
+ end
@@ -0,0 +1,20 @@
1
+ module Mihari
2
+ module Commands
3
+ module ZoomEye
4
+ def self.included(thor)
5
+ thor.class_eval do
6
+ desc "zoomeye [QUERY]", "ZoomEye search by a query"
7
+ method_option :title, type: :string, desc: "title"
8
+ method_option :description, type: :string, desc: "description"
9
+ method_option :tags, type: :array, desc: "tags"
10
+ method_option :type, type: :string, desc: "type to search(host / web)", default: "host"
11
+ def zoomeye(query)
12
+ with_error_handling do
13
+ run_analyzer Analyzers::ZoomEye, query: query, options: options
14
+ end
15
+ end
16
+ end
17
+ end
18
+ end
19
+ end
20
+ end
data/lib/mihari/config.rb CHANGED
@@ -4,31 +4,7 @@ require "yaml"
4
4
 
5
5
  module Mihari
6
6
  class Config
7
- attr_accessor :binaryedge_api_key
8
- attr_accessor :censys_id
9
- attr_accessor :censys_secret
10
- attr_accessor :circl_passive_password
11
- attr_accessor :circl_passive_username
12
- attr_accessor :misp_api_endpoint
13
- attr_accessor :misp_api_key
14
- attr_accessor :onyphe_api_key
15
- attr_accessor :otx_api_key
16
- attr_accessor :passivetotal_api_key
17
- attr_accessor :passivetotal_username
18
- attr_accessor :pulsedive_api_key
19
- attr_accessor :securitytrails_api_key
20
- attr_accessor :shodan_api_key
21
- attr_accessor :slack_channel
22
- attr_accessor :slack_webhook_url
23
- attr_accessor :spyse_api_key
24
- attr_accessor :thehive_api_endpoint
25
- attr_accessor :thehive_api_key
26
- attr_accessor :urlscan_api_key
27
- attr_accessor :virustotal_api_key
28
- attr_accessor :zoomeye_password
29
- attr_accessor :zoomeye_username
30
-
31
- attr_accessor :database
7
+ attr_accessor :binaryedge_api_key, :censys_id, :censys_secret, :circl_passive_password, :circl_passive_username, :misp_api_endpoint, :misp_api_key, :onyphe_api_key, :otx_api_key, :passivetotal_api_key, :passivetotal_username, :pulsedive_api_key, :securitytrails_api_key, :shodan_api_key, :slack_channel, :slack_webhook_url, :spyse_api_key, :thehive_api_endpoint, :thehive_api_key, :urlscan_api_key, :virustotal_api_key, :zoomeye_password, :zoomeye_username, :database
32
8
 
33
9
  def initialize
34
10
  load_from_env
@@ -79,6 +55,18 @@ module Mihari
79
55
  end
80
56
  end
81
57
  end
58
+
59
+ def initialize_yaml(filename)
60
+ keys = new.instance_variables.map do |key|
61
+ key.to_s[1..-1]
62
+ end
63
+
64
+ config = keys.map do |key|
65
+ [key, nil]
66
+ end.to_h
67
+
68
+ YAML.dump(config, File.open(filename, "w"))
69
+ end
82
70
  end
83
71
  end
84
72
 
@@ -6,13 +6,12 @@ module Mihari
6
6
  config_keys.all? { |key| Mihari.config.send(key) }
7
7
  end
8
8
 
9
- def configuration_status
9
+ def configuration_values
10
10
  return nil if config_keys.empty?
11
11
 
12
- names = config_keys.join(" and ")
13
- be_verb = config_keys.length == 1 ? "is" : "are"
14
- status = configured? ? "found" : "missing"
15
- "#{names} #{be_verb} #{status}"
12
+ config_keys.map do |key|
13
+ { key: key.upcase, value: Mihari.config.send(key) }
14
+ end
16
15
  end
17
16
 
18
17
  def config_keys
@@ -34,6 +34,7 @@ end
34
34
 
35
35
  def adapter
36
36
  return "postgresql" if Mihari.config.database.start_with?("postgresql://", "postgres://")
37
+ return "mysql2" if Mihari.config.database.start_with?("mysql2://")
37
38
 
38
39
  "sqlite3"
39
40
  end
@@ -43,7 +44,7 @@ module Mihari
43
44
  class << self
44
45
  def connect
45
46
  case adapter
46
- when "postgresql"
47
+ when "postgresql", "mysql2"
47
48
  ActiveRecord::Base.establish_connection(Mihari.config.database)
48
49
  else
49
50
  ActiveRecord::Base.establish_connection(
@@ -58,6 +59,11 @@ module Mihari
58
59
  # Do nothing
59
60
  end
60
61
 
62
+ def close
63
+ ActiveRecord::Base.clear_active_connections!
64
+ ActiveRecord::Base.connection.close
65
+ end
66
+
61
67
  def destroy!
62
68
  InitialSchema.migrate(:down) if ActiveRecord::Base.connected?
63
69
  end
@@ -7,6 +7,8 @@ module Mihari
7
7
  module Emitters
8
8
  class MISP < Base
9
9
  def initialize
10
+ super()
11
+
10
12
  ::MISP.configure do |config|
11
13
  config.api_endpoint = Mihari.config.misp_api_endpoint
12
14
  config.api_key = Mihari.config.misp_api_key
@@ -35,7 +37,7 @@ module Mihari
35
37
  private
36
38
 
37
39
  def config_keys
38
- %w(misp_api_endpoint misp_api_key)
40
+ %w[misp_api_endpoint misp_api_key]
39
41
  end
40
42
 
41
43
  def build_attribute(artifact)
@@ -61,7 +63,7 @@ module Mihari
61
63
  ip: "ip-dst",
62
64
  mail: "email-dst",
63
65
  url: "url",
64
- domain: "domain",
66
+ domain: "domain"
65
67
  }
66
68
  return table[type] if table.key?(type)
67
69
 
@@ -19,25 +19,31 @@ module Mihari
19
19
  end
20
20
 
21
21
  def actions
22
- [vt_link, urlscan_link, censys_link].compact
22
+ [vt_link, urlscan_link, censys_link, shodan_link].compact
23
23
  end
24
24
 
25
25
  def vt_link
26
26
  return nil unless _vt_link
27
27
 
28
- { type: "button", text: "Lookup on VirusTotal", url: _vt_link, }
28
+ { type: "button", text: "VirusTotal", url: _vt_link }
29
29
  end
30
30
 
31
31
  def urlscan_link
32
32
  return nil unless _urlscan_link
33
33
 
34
- { type: "button", text: "Lookup on urlscan.io", url: _urlscan_link, }
34
+ { type: "button", text: "urlscan.io", url: _urlscan_link }
35
35
  end
36
36
 
37
37
  def censys_link
38
38
  return nil unless _censys_link
39
39
 
40
- { type: "button", text: "Lookup on Censys", url: _censys_link, }
40
+ { type: "button", text: "Censys", url: _censys_link }
41
+ end
42
+
43
+ def shodan_link
44
+ return nil unless _shodan_link
45
+
46
+ { type: "button", text: "Shodan", url: _shodan_link }
41
47
  end
42
48
 
43
49
  # @return [Array]
@@ -89,6 +95,11 @@ module Mihari
89
95
  end
90
96
  memoize :_censys_link
91
97
 
98
+ def _shodan_link
99
+ data_type == "ip" ? "https://www.shodan.io/host/#{data}" : nil
100
+ end
101
+ memoize :_shodan_link
102
+
92
103
  # @return [String]
93
104
  def sha256
94
105
  Digest::SHA256.hexdigest data
@@ -96,7 +107,7 @@ module Mihari
96
107
 
97
108
  # @return [String]
98
109
  def defanged_data
99
- @defanged_data ||= data.to_s.gsub /\./, "[.]"
110
+ @defanged_data ||= data.to_s.gsub(/\./, "[.]")
100
111
  end
101
112
  end
102
113
 
@@ -121,7 +132,7 @@ module Mihari
121
132
  [
122
133
  "*#{title}*",
123
134
  "*Desc.*: #{description}",
124
- "*Tags*: #{tags.join(', ')}",
135
+ "*Tags*: #{tags.join(", ")}"
125
136
  ].join("\n")
126
137
  end
127
138
 
@@ -137,7 +148,7 @@ module Mihari
137
148
  private
138
149
 
139
150
  def config_keys
140
- %w(slack_webhook_url)
151
+ %w[slack_webhook_url]
141
152
  end
142
153
  end
143
154
  end
@@ -27,7 +27,7 @@ module Mihari
27
27
  private
28
28
 
29
29
  def config_keys
30
- %w(thehive_api_endpoint thehive_api_key)
30
+ %w[thehive_api_endpoint thehive_api_key]
31
31
  end
32
32
 
33
33
  def api
data/lib/mihari/errors.rb CHANGED
@@ -2,6 +2,8 @@
2
2
 
3
3
  module Mihari
4
4
  class Error < StandardError; end
5
+
5
6
  class InvalidInputError < Error; end
7
+
6
8
  class RetryableError < Error; end
7
9
  end
@@ -1,11 +1,62 @@
1
1
  # frozen_string_literal: true
2
2
 
3
3
  require "active_record"
4
+ require "active_record/filter"
4
5
 
5
6
  module Mihari
6
7
  class Alert < ActiveRecord::Base
7
8
  has_many :taggings, dependent: :destroy
8
9
  has_many :artifacts, dependent: :destroy
9
10
  has_many :tags, through: :taggings
11
+
12
+ class << self
13
+ def search(artifact_data: nil, description: nil, source: nil, tag_name: nil, title: nil, from_at: nil, to_at: nil, limit: 10, page: 1)
14
+ limit = limit.to_i
15
+ raise ArgumentError, "limit should be bigger than zero" unless limit.positive?
16
+
17
+ page = page.to_i
18
+ raise ArgumentError, "page should be bigger than zero" unless page.positive?
19
+
20
+ offset = (page - 1) * limit
21
+
22
+ relation = build_relation(artifact_data: artifact_data, title: title, description: description, source: source, tag_name: tag_name, from_at: from_at, to_at: to_at)
23
+ # relation = relation.group("alerts.id")
24
+
25
+ alerts = relation.limit(limit).offset(offset).order(id: :desc)
26
+
27
+ alerts.map do |alert|
28
+ json = AlertSerializer.new(alert).as_json
29
+ json[:artifacts] = json[:artifacts] || []
30
+ json[:tags] = json[:tags] || []
31
+ json
32
+ end
33
+ end
34
+
35
+ def count(artifact_data: nil, description: nil, source: nil, tag_name: nil, title: nil, from_at: nil, to_at: nil)
36
+ relation = build_relation(artifact_data: artifact_data, title: title, description: description, source: source, tag_name: tag_name, from_at: from_at, to_at: to_at)
37
+ relation.distinct("alerts.id").count
38
+ end
39
+
40
+ private
41
+
42
+ def build_relation(artifact_data: nil, title: nil, description: nil, source: nil, tag_name: nil, from_at: nil, to_at: nil)
43
+ relation = self
44
+ relation = joins(:tags) if tag_name
45
+ relation = joins(:artifacts) if artifact_data
46
+
47
+ relation = relation.where(artifacts: { data: artifact_data }) if artifact_data
48
+ relation = relation.where(tags: { name: tag_name }) if tag_name
49
+
50
+ relation = relation.where(source: source) if source
51
+ relation = relation.where(title: title) if title
52
+
53
+ relation = relation.filter(description: { like: "%#{description}%" }) if description
54
+
55
+ relation = relation.filter(created_at: { gte: from_at }) if from_at
56
+ relation = relation.filter(created_at: { lte: to_at }) if to_at
57
+
58
+ relation
59
+ end
60
+ end
10
61
  end
11
62
  end
@@ -6,7 +6,7 @@ class ArtifactValidator < ActiveModel::Validator
6
6
  def validate(record)
7
7
  return if record.data_type
8
8
 
9
- record.errors[:data] << "#{record.data} is not supported"
9
+ record.errors.add :data, "#{record.data} is not supported"
10
10
  end
11
11
  end
12
12
 
@@ -19,7 +19,7 @@ module Mihari
19
19
  def notify(exception)
20
20
  notify_to_stdout exception
21
21
 
22
- clean_message = exception.message.tr('`', "'")
22
+ clean_message = exception.message.tr("`", "'")
23
23
  attachments = to_attachments(exception, clean_message)
24
24
  notify_to_slack(text: clean_message, attachments: attachments) if @slack.valid?
25
25
  end
@@ -4,7 +4,7 @@ require "active_model_serializers"
4
4
 
5
5
  module Mihari
6
6
  class AlertSerializer < ActiveModel::Serializer
7
- attributes :title, :description, :source, :created_at
7
+ attributes :id, :title, :description, :source, :created_at
8
8
 
9
9
  has_many :artifacts
10
10
  has_many :tags, through: :taggings