mihari 1.4.1 → 2.2.0

Files changed (120)
  1. checksums.yaml +4 -4
  2. data/.github/ISSUE_TEMPLATE/bug_report.md +43 -0
  3. data/.github/ISSUE_TEMPLATE/feature_request.md +15 -0
  4. data/.github/workflows/test.yml +68 -0
  5. data/.rubocop.yml +6 -0
  6. data/.standard.yml +4 -0
  7. data/README.md +24 -270
  8. data/Rakefile +1 -0
  9. data/bin/console +1 -0
  10. data/build_frontend.sh +14 -0
  11. data/docker/Dockerfile +5 -3
  12. data/examples/ipinfo_hosted_domains.rb +1 -1
  13. data/{screenshots → images}/alert.png +0 -0
  14. data/images/logo.png +0 -0
  15. data/{screenshots → images}/misp.png +0 -0
  16. data/{screenshots/eyecatch.png → images/overview.png} +0 -0
  17. data/{screenshots → images}/slack.png +0 -0
  18. data/images/web_alerts.png +0 -0
  19. data/images/web_config.png +0 -0
  20. data/lib/mihari.rb +2 -2
  21. data/lib/mihari/analyzers/base.rb +10 -1
  22. data/lib/mihari/analyzers/basic.rb +3 -4
  23. data/lib/mihari/analyzers/binaryedge.rb +4 -7
  24. data/lib/mihari/analyzers/censys.rb +3 -7
  25. data/lib/mihari/analyzers/circl.rb +6 -8
  26. data/lib/mihari/analyzers/crtsh.rb +2 -6
  27. data/lib/mihari/analyzers/dnpedia.rb +3 -6
  28. data/lib/mihari/analyzers/dnstwister.rb +4 -9
  29. data/lib/mihari/analyzers/free_text.rb +2 -6
  30. data/lib/mihari/analyzers/http_hash.rb +3 -11
  31. data/lib/mihari/analyzers/onyphe.rb +5 -8
  32. data/lib/mihari/analyzers/otx.rb +4 -9
  33. data/lib/mihari/analyzers/passive_dns.rb +4 -9
  34. data/lib/mihari/analyzers/passive_ssl.rb +4 -9
  35. data/lib/mihari/analyzers/passivetotal.rb +9 -14
  36. data/lib/mihari/analyzers/pulsedive.rb +7 -12
  37. data/lib/mihari/analyzers/reverse_whois.rb +4 -9
  38. data/lib/mihari/analyzers/securitytrails.rb +12 -17
  39. data/lib/mihari/analyzers/securitytrails_domain_feed.rb +3 -7
  40. data/lib/mihari/analyzers/shodan.rb +9 -8
  41. data/lib/mihari/analyzers/spyse.rb +6 -11
  42. data/lib/mihari/analyzers/ssh_fingerprint.rb +2 -6
  43. data/lib/mihari/analyzers/urlscan.rb +4 -12
  44. data/lib/mihari/analyzers/virustotal.rb +6 -11
  45. data/lib/mihari/analyzers/zoomeye.rb +7 -11
  46. data/lib/mihari/cli.rb +70 -300
  47. data/lib/mihari/commands/binaryedge.rb +21 -0
  48. data/lib/mihari/commands/censys.rb +22 -0
  49. data/lib/mihari/commands/circl.rb +21 -0
  50. data/lib/mihari/commands/config.rb +27 -0
  51. data/lib/mihari/commands/crtsh.rb +22 -0
  52. data/lib/mihari/commands/dnpedia.rb +21 -0
  53. data/lib/mihari/commands/dnstwister.rb +21 -0
  54. data/lib/mihari/commands/free_text.rb +21 -0
  55. data/lib/mihari/commands/http_hash.rb +25 -0
  56. data/lib/mihari/commands/json.rb +42 -0
  57. data/lib/mihari/commands/onyphe.rb +21 -0
  58. data/lib/mihari/commands/otx.rb +21 -0
  59. data/lib/mihari/commands/passive_dns.rb +21 -0
  60. data/lib/mihari/commands/passive_ssl.rb +21 -0
  61. data/lib/mihari/commands/passivetotal.rb +21 -0
  62. data/lib/mihari/commands/pulsedive.rb +21 -0
  63. data/lib/mihari/commands/reverse_whois.rb +21 -0
  64. data/lib/mihari/commands/securitytrails.rb +22 -0
  65. data/lib/mihari/commands/securitytrails_domain_feed.rb +23 -0
  66. data/lib/mihari/commands/shodan.rb +21 -0
  67. data/lib/mihari/commands/spyse.rb +22 -0
  68. data/lib/mihari/commands/ssh_fingerprint.rb +21 -0
  69. data/lib/mihari/commands/urlscan.rb +25 -0
  70. data/lib/mihari/commands/virustotal.rb +21 -0
  71. data/lib/mihari/commands/web.rb +22 -0
  72. data/lib/mihari/commands/zoomeye.rb +22 -0
  73. data/lib/mihari/config.rb +13 -25
  74. data/lib/mihari/configurable.rb +4 -5
  75. data/lib/mihari/database.rb +7 -1
  76. data/lib/mihari/emitters/misp.rb +4 -2
  77. data/lib/mihari/emitters/slack.rb +18 -7
  78. data/lib/mihari/emitters/the_hive.rb +1 -1
  79. data/lib/mihari/errors.rb +2 -0
  80. data/lib/mihari/models/alert.rb +51 -0
  81. data/lib/mihari/models/artifact.rb +14 -3
  82. data/lib/mihari/notifiers/exception_notifier.rb +1 -1
  83. data/lib/mihari/serializers/alert.rb +1 -1
  84. data/lib/mihari/serializers/artifact.rb +1 -1
  85. data/lib/mihari/serializers/tag.rb +1 -1
  86. data/lib/mihari/status.rb +6 -14
  87. data/lib/mihari/type_checker.rb +4 -4
  88. data/lib/mihari/version.rb +1 -1
  89. data/lib/mihari/web/app.rb +49 -0
  90. data/lib/mihari/web/controllers/alerts_controller.rb +66 -0
  91. data/lib/mihari/web/controllers/artifacts_controller.rb +26 -0
  92. data/lib/mihari/web/controllers/command_controller.rb +27 -0
  93. data/lib/mihari/web/controllers/config_controller.rb +15 -0
  94. data/lib/mihari/web/controllers/sources_controller.rb +14 -0
  95. data/lib/mihari/web/controllers/tags_controller.rb +30 -0
  96. data/lib/mihari/web/helpers/json.rb +51 -0
  97. data/lib/mihari/web/public/index.html +21 -0
  98. data/lib/mihari/web/public/redoc-static.html +519 -0
  99. data/lib/mihari/web/public/static/favicon.ico +0 -0
  100. data/lib/mihari/web/public/static/fonts/fa-brands-400.099a9556.woff +0 -0
  101. data/lib/mihari/web/public/static/fonts/fa-brands-400.30cc681d.eot +0 -0
  102. data/lib/mihari/web/public/static/fonts/fa-brands-400.3b89dd10.ttf +0 -0
  103. data/lib/mihari/web/public/static/fonts/fa-brands-400.f7307680.woff2 +0 -0
  104. data/lib/mihari/web/public/static/fonts/fa-regular-400.1f77739c.ttf +0 -0
  105. data/lib/mihari/web/public/static/fonts/fa-regular-400.7124eb50.woff +0 -0
  106. data/lib/mihari/web/public/static/fonts/fa-regular-400.7630483d.eot +0 -0
  107. data/lib/mihari/web/public/static/fonts/fa-regular-400.f0f82301.woff2 +0 -0
  108. data/lib/mihari/web/public/static/fonts/fa-solid-900.1042e8ca.eot +0 -0
  109. data/lib/mihari/web/public/static/fonts/fa-solid-900.605ed792.ttf +0 -0
  110. data/lib/mihari/web/public/static/fonts/fa-solid-900.9fe5a17c.woff +0 -0
  111. data/lib/mihari/web/public/static/fonts/fa-solid-900.e8a427e1.woff2 +0 -0
  112. data/lib/mihari/web/public/static/img/fa-brands-400.ba7ed552.svg +3717 -0
  113. data/lib/mihari/web/public/static/img/fa-regular-400.0bb42845.svg +801 -0
  114. data/lib/mihari/web/public/static/img/fa-solid-900.376c1f97.svg +5034 -0
  115. data/lib/mihari/web/public/static/js/app.bcc595df.js +12 -0
  116. data/lib/mihari/web/public/static/js/app.bcc595df.js.map +1 -0
  117. data/mihari.gemspec +28 -21
  118. metadata +217 -45
  119. data/.travis.yml +0 -13
  120. data/lib/mihari/alert_viewer.rb +0 -23
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 3739df12ff7fe35c98ad1dbd181fd8b300486443e36b7ed50bbbd8507a00eccf
4
- data.tar.gz: 43e048cf9eb60f8c0e32cbd43b729e25fa86da2e09784dc24d52163260653988
3
+ metadata.gz: c5859ab6b5d161359ea07c4af14de087013befa3b51d91844a60127137882e28
4
+ data.tar.gz: 481f34619d14e04f3187a9d2c3a05b3a1d109c7809622accebc47b100a506bc4
5
5
  SHA512:
6
- metadata.gz: f62b84ba24b7405b0977414c6c91c9d97219a77f5d166c46c83682613a99f19a17dfedd8768f560eed7c0e6d28d7ea343a332400512748551b518b8e09e038fd
7
- data.tar.gz: 794a4b44504e01cbb8b772fb7d7f9e389b67895352e4552549cf02bb70827695d44424ba583059020394ea0eb620a58ef05c4e34bed78b9dabc842abad996516
6
+ metadata.gz: 13693510f6f7d3560d207bb97dec50bb4851514e3b35918a82924e4e73d18e4bdcf963c3cd8928cd17559187b69419c8aa2a8e11e9d857965473dabfdf12ac59
7
+ data.tar.gz: 8786ad5973687848a89c8737eb92e52dd636e912b6af0ddf339dccccbff28c42f55e4111d1967b1d9a7b8aca07618788e82d98c24a56ca54102b36c84231d21e
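Review bot: nothing to review in the digest values themselves, since checksums.yaml is regenerated by `gem build` for every release, but the `+` lines are the values a downstream consumer should verify against the gem actually published. Running `gem fetch mihari -v 2.2.0` and then `tar -xOf mihari-2.2.0.gem checksums.yaml.gz | gunzip` should print the same SHA256 and SHA512 digests for metadata.gz and data.tar.gz as shown here; a mismatch means this diff was not generated from the published artifact.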
data/.github/ISSUE_TEMPLATE/bug_report.md ADDED
@@ -0,0 +1,43 @@
1
+ ---
2
+ name: Bug report
3
+ about: Create a bug report to help us improve
4
+ title: "[BUG]"
5
+ labels: bug
6
+ assignees: ''
7
+
8
+ ---
9
+
10
+ <!--
11
+ Thank you for taking the time to report a bug.
12
+ Please make sure there is no existing issue about this kind of bug.
13
+ -->
14
+
15
+ ### **Describe the bug**
16
+
17
+ A clear and concise description of what the bug is.
18
+
19
+ ### **Steps to reproduce**
20
+
21
+ - ...
22
+
23
+ ### **Expected behavior**
24
+
25
+ A clear and concise description of what you expected to happen.
26
+
27
+ ### **Actual behavior**
28
+
29
+ A clear and concise description of what actually happened.
30
+
31
+ ### **Screenshots**
32
+
33
+ Add screenshots to help explain your problem.
34
+
35
+ ### **System Information:**
36
+
37
+ - OS: [e.g. Windows10]
38
+ - Ruby version: [e.g. 3.0]
39
+ - Mihari version: [e.g. 2.0.0]
40
+
41
+ ### **Additional context**
42
+
43
+ Add any other context about the problem here.
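Review bot: the `Mihari version: [e.g. 2.0.0]` placeholder under **System Information** is already behind the 2.2.0 release this diff ships; ask reporters for the output of the installed version rather than an example number so it does not go stale again. Since mihari is configured entirely through API keys, webhook URLs and a database URL (the removed README configuration table lists them), the **Screenshots** and **Additional context** sections should also carry a one-line reminder to redact those values before pasting config output or screenshots of the new web config page.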
data/.github/ISSUE_TEMPLATE/feature_request.md ADDED
@@ -0,0 +1,15 @@
1
+ ---
2
+ name: Feature request
3
+ about: Suggest a new Feature for Mihari
4
+ title: "[Feature Request]"
5
+ labels: enhancement
6
+ assignees: ''
7
+
8
+ ---
9
+ <!--
10
+
11
+ 1. Make sure your requested feature makes sense for Mihari.
12
+
13
+ 2. If you want to suggest a new integration of a service, please provide detailed information of it. (e.g. API docs)
14
+
15
+ -->
data/.github/workflows/test.yml ADDED
@@ -0,0 +1,68 @@
1
+ name: Ruby CI
2
+
3
+ on: [pull_request]
4
+
5
+ jobs:
6
+ build:
7
+ runs-on: ubuntu-latest
8
+
9
+ services:
10
+ postgres:
11
+ image: postgres:12
12
+ env:
13
+ POSTGRES_USER: postgres
14
+ POSTGRES_PASSWORD: postgres
15
+ POSTGRES_DB: test
16
+ options: >-
17
+ --health-cmd pg_isready
18
+ --health-interval 10s
19
+ --health-timeout 5s
20
+ --health-retries 5
21
+ ports:
22
+ - 5432:5432
23
+
24
+ mysql:
25
+ image: mysql:8.0
26
+ env:
27
+ MYSQL_USER: mysql
28
+ MYSQL_PASSWORD: mysql
29
+ MYSQL_DATABASE: test
30
+ MYSQL_ROOT_PASSWORD: rootpassword
31
+ ports:
32
+ - 3306:3306
33
+ options: >-
34
+ --health-cmd="mysqladmin ping"
35
+ --health-interval=10s
36
+ --health-timeout=5s
37
+ --health-retries=3
38
+
39
+ strategy:
40
+ fail-fast: false
41
+ matrix:
42
+ ruby: [2.7, "3.0"]
43
+
44
+ steps:
45
+ - uses: actions/checkout@v2
46
+ - name: Set up Ruby 2.7
47
+ uses: ruby/setup-ruby@v1
48
+ with:
49
+ ruby-version: ${{ matrix.ruby }}
50
+ bundler-cache: true
51
+
52
+ - name: Install dependencies
53
+ run: |
54
+ sudo apt-get -yqq install libpq-dev libmysqlclient-dev
55
+ gem install bundler
56
+ bundle install
57
+
58
+ - name: Test with PostgreSQL
59
+ env:
60
+ DATABASE: postgresql://postgres:postgres@localhost:5432/test
61
+ run: |
62
+ bundle exec rake
63
+
64
+ - name: Test with MySQL
65
+ env:
66
+ DATABASE: mysql2://mysql:mysql@127.0.0.1:3306/test
67
+ run: |
68
+ bundle exec rake
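Review bot: `actions/checkout@v2` and `ruby/setup-ruby@v1` are pinned to mutable major-version tags; for a job that installs and executes third-party gems, pin both to a full commit SHA (keeping the tag in a trailing comment) so a retagged or compromised action cannot run arbitrary code in CI. Smaller points in the same hunk: the step is named `Set up Ruby 2.7` but the matrix also runs `"3.0"`, so derive the name from `${{ matrix.ruby }}`; `bundler-cache: true` already runs `bundle install`, which makes the explicit `gem install bundler` / `bundle install` step redundant, and `gem install bundler` may pull a bundler newer than the one recorded in the lockfile; `sudo apt-get -yqq install libpq-dev libmysqlclient-dev` runs without a preceding `apt-get update` and can fail on a stale package index; and `on: [pull_request]` alone means pushes to the default branch are never tested, so add a `push` trigger for master.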
data/.rubocop.yml CHANGED
@@ -4,6 +4,9 @@
4
4
  require:
5
5
  - rubocop-performance
6
6
 
7
+ AllCops:
8
+ NewCops: enable
9
+
7
10
  Style/Alias:
8
11
  Enabled: false
9
12
  StyleGuide: https://relaxed.ruby.style/#stylealias
@@ -151,5 +154,8 @@ Lint/AssignmentInCondition:
151
154
  Layout/LineLength:
152
155
  Enabled: false
153
156
 
157
+ Style/StringLiteralsInInterpolation:
158
+ Enabled: false
159
+
154
160
  Metrics:
155
161
  Enabled: false
data/.standard.yml ADDED
@@ -0,0 +1,4 @@
1
+ ignore:
2
+ - "**/*":
3
+ - Layout/SpaceInsideHashLiteralBraces
4
+ - Style/RescueStandardError
data/README.md CHANGED
@@ -1,62 +1,31 @@
1
1
  # mihari
2
2
 
3
3
  [![Gem Version](https://badge.fury.io/rb/mihari.svg)](https://badge.fury.io/rb/mihari)
4
- [![Build Status](https://travis-ci.com/ninoseki/mihari.svg?branch=master)](https://travis-ci.com/ninoseki/mihari)
4
+ [![Ruby CI](https://github.com/ninoseki/mihari/actions/workflows/test.yml/badge.svg)](https://github.com/ninoseki/mihari/actions/workflows/test.yml)
5
5
  [![Docker Cloud Build Status](https://img.shields.io/docker/cloud/build/ninoseki/mihari)](https://hub.docker.com/r/ninoseki/mihari)
6
6
  [![Coverage Status](https://coveralls.io/repos/github/ninoseki/mihari/badge.svg?branch=master)](https://coveralls.io/github/ninoseki/mihari?branch=master)
7
7
  [![CodeFactor](https://www.codefactor.io/repository/github/ninoseki/mihari/badge)](https://www.codefactor.io/repository/github/ninoseki/mihari)
8
8
 
9
- Mihari is a helper to run queries & manage results continuously. Mihari can be used for C2, landing page and phishing hunting.
9
+ ![img](https://github.com/ninoseki/mihari/raw/master/images/logo.png)
10
10
 
11
- ## How it works
12
-
13
- - Mihari makes a query against Shodan, Censys, VirusTotal, SecurityTrails, etc. and extracts artifacts (IP addresses, domains, URLs and hashes) from the results.
14
- - Mihari checks whether a DB (SQLite3 or PostgreSQL) contains the artifacts or not.
15
- - If it doesn't contain the artifacts:
16
- - Mihari creates an alert on TheHive. (Optional)
17
- - Mihari sends a notification to Slack. (Optional)
18
- - Mihari creates an event on MISP. (Optional)
19
-
20
- ![img](https://github.com/ninoseki/mihari/raw/master/screenshots/eyecatch.png)
21
-
22
- ### Screenshots
23
-
24
- - TheHive alert example
25
-
26
- ![img](https://github.com/ninoseki/mihari/raw/master/screenshots/alert.png)
27
-
28
- - Slack notification example
11
+ Mihari is a framework for continuous OSINT based threat hunting.
29
12
 
30
- ![img](https://github.com/ninoseki/mihari/raw/master/screenshots/slack.png)
31
-
32
- - MISP event example
33
-
34
- ![img](https://github.com/ninoseki/mihari/raw/master/screenshots/misp.png)
35
-
36
- ## Requirements
37
-
38
- - Ruby 2.6+
39
- - SQLite3
40
- - libpq
41
-
42
- ```bash
43
- # For Debian / Ubuntu
44
- apt-get install sqlite3 libsqlite3-dev libpq-dev
45
- ```
13
+ ## How it works
46
14
 
47
- ## Installation
15
+ ![img](https://github.com/ninoseki/mihari/raw/master/images/overview.png)
48
16
 
49
- ```bash
50
- gem install mihari
51
- ```
17
+ - Mihari makes a query against Shodan, Censys, VirusTotal, SecurityTrails, etc. and extracts artifacts (IP addresses, domains, URLs or hashes).
18
+ - Mihari checks whether a DB (SQLite3, PostgreSQL or MySQL) contains the artifacts or not.
19
+ - If it doesn't contain the artifacts:
20
+ - Mihari creates an alert on TheHive.
21
+ - Mihari sends a notification to Slack.
22
+ - Mihari creates an event on MISP.
52
23
 
53
- Or you can use this tool with Docker.
24
+ Also, you can check the alerts on a built-in web app.
54
25
 
55
- ```bash
56
- docker pull ninoseki/mihari
57
- ```
26
+ ![img](https://github.com/ninoseki/mihari/raw/master/images/web_alerts.png)
58
27
 
59
- ## Basic usage
28
+ ## Supported services
60
29
 
61
30
  Mihari supports the following services by default.
62
31
 
@@ -69,6 +38,7 @@ Mihari supports the following services by default.
69
38
  - [Onyphe](https://onyphe.io)
70
39
  - [OTX](https://otx.alienvault.com/)
71
40
  - [PassiveTotal](https://community.riskiq.com/)
41
+ - [Pulsedive](https://pulsedive.com/)
72
42
  - [SecurityTrails](https://securitytrails.com/)
73
43
  - [Shodan](https://shodan.io)
74
44
  - [Spyse](https://spyse.com)
@@ -76,233 +46,17 @@ Mihari supports the following services by default.
76
46
  - [VirusTotal](http://virustotal.com)
77
47
  - [ZoomEye](https://zoomeye.org)
78
48
 
79
- ```bash
80
- $ mihari
81
- Commands:
82
- mihari alerts # Show the alerts on TheHive
83
- mihari binaryedge [QUERY] # BinaryEdge host search by a query
84
- mihari censys [QUERY] # Censys IPv4 search by a query
85
- mihari circl [DOMAIN|SHA1] # CIRCL passive DNS/SSL lookup by a domain or SHA1 certificate fingerprint
86
- mihari crtsh [QUERY] # crt.sh search by a query
87
- mihari dnpedia [QUERY] # DNPedia domain search by a query
88
- mihari dnstwister [DOMAIN] # dnstwister lookup by a domain
89
- mihari free_text [TEXT] # Cross search with search engines by a free text
90
- mihari help [COMMAND] # Describe available commands or one specific command
91
- mihari http_hash # Cross search with search engines by a hash of an HTTP response (SHA256, MD5 and MurmurHash3)
92
- mihari import_from_json # Give a JSON input via STDIN
93
- mihari onyphe [QUERY] # Onyphe datascan search by a query
94
- mihari otx [IP|DOMAIN] # OTX lookup by an IP or domain
95
- mihari passive_dns [IP|DOMAIN] # Cross search with passive DNS services by an ip or domain
96
- mihari passive_ssl [SHA1] # Cross search with passive SSL services by an SHA1 certificate fingerprint
97
- mihari passivetotal [IP|DOMAIN|EMAIL|SHA1] # PassiveTotal lookup by an ip, domain, email or SHA1 certificate fingerprint
98
- mihari pulsedive [IP|DOMAIN] # Pulsedive lookup by an ip or domain
99
- mihari reverse_whois [EMAIL] # Cross search with reverse whois services by an email
100
- mihari securitytrails [IP|DOMAIN|EMAIL] # SecurityTrails lookup by an ip, domain or email
101
- mihari securitytrails_domain_feed [REGEXP] # SecurityTrails new domain feed search by a regexp
102
- mihari shodan [QUERY] # Shodan host search by a query
103
- mihari spyse [QUERY] # Spyse search by a query
104
- mihari ssh_fingerprint [FINGERPRINT] # Cross search with search engines by an SSH fingerprint (e.g. dc:14:de:8e:d7:c1:15:43:23:82:25:81:d2:59:e8:c0)
105
- mihari status # Show the current configuration status
106
- mihari urlscan [QUERY] # urlscan search by a given query
107
- mihari virustotal [IP|DOMAIN] # VirusTotal resolutions lookup by an ip or domain
108
- mihari zoomeye [QUERY] # ZoomEye search by a query
109
-
110
- Options:
111
- [--config=CONFIG] # path to config file
112
-
113
- ```
114
-
115
- ### Cross searches
116
-
117
- Mihari has cross search features. A cross search is a search across a number of services.
118
-
119
- You can get aggregated results by using the following commands.
120
-
121
- | Command | Desc. |
122
- |-----------------|---------------------------------------------------------------------------------------------------------|
123
- | passive_dns | Passive DNS lookup with CIRCL passive DNS, OTX, PassiveTotal, Pulsedive, SecurityTrails and VirusTotal |
124
- | passive_ssl | Passive SSL lookup with CIRCL passive SSL and PassiveTotal |
125
- | reverse_whois | Revese Whois lookup with PassiveTotal and SecurityTrails |
126
- | http_hash | HTTP response hash lookup with BinaryEdge(SHA256), Censys(SHA256), Onyphpe(MD5) and Shodan(MurmurHash3) |
127
- | free_text | Free text lookup with BinaryEdge and Censys |
128
- | ssh_fingerprint | SSH fingerprint lookup with BinaryEdge and Shodan |
129
-
130
- #### http_hash command
131
-
132
- The usage of `http_hash` command is a little bit tricky.
133
-
134
- ```bash
135
- $ mihari help http_hash
136
- Usage:
137
- mihari http_hash
138
-
139
- Options:
140
- [--title=TITLE] # title
141
- [--description=DESCRIPTION] # description
142
- [--tags=one two three] # tags
143
- [--md5=MD5] # MD5 hash
144
- [--sha256=SHA256] # SHA256 hash
145
- [--mmh3=N] # MurmurHash3 hash
146
-
147
- Cross search with search engines by a hash of an HTTP response (SHA256, MD5 and MurmurHash3)
148
-
149
- ```
150
-
151
- There are 2 ways to use this command.
152
-
153
- First one is passing `--md5`, `--sha256` and `--mmh3` parameters.
154
-
155
- ```bash
156
- mihari http_hash --md5=881191f7736b5b8cfad5959ca99d2a51 --sha256=b064187ebdc51721708ad98cd89dacc346017cb0fb0457d530032d387f1ff20e --mmh3=-1467534799
157
- ```
158
-
159
- Another one is passing `--html` parameter. In this case, hashes of an HTML file are automatically calculated.
160
-
161
- ```bash
162
- wget http://example.com -O /tmp/index.html
163
- mihari http_hash --html /tmp/index.html
164
- ```
165
-
166
- ### Example usages
167
-
168
- ```bash
169
- # Censys lookup for PANDA C2
170
- mihari censys '("PANDA" AND "SMAdmin" AND "layui")' --title "PANDA C2"
171
-
172
- # VirusTotal passive DNS lookup of a FAKESPY host
173
- mihari virustotal "jppost-hi.top" --title "FAKESPY passive DNS"
174
-
175
- # You can pass a "defanged" indicator as an input
176
- mihari virustotal "jppost-hi[.]top" --title "FAKESPY passive DNS"
177
- ```
178
-
179
- ### Import from JSON
180
-
181
- ```bash
182
- echo '{ "title": "test", "description": "test", "artifacts": ["1.1.1.1", "github.com", "2.2.2.2"] }' | mihari import_from_json
183
- ```
184
-
185
- The input is a JSON data should have `title`, `description` and `artifacts` key. `tags` key is an optional parameter.
186
-
187
- ```json
188
- {
189
- "title": "test",
190
- "description": "test",
191
- "artifacts": ["1.1.1.1", "github.com"],
192
- "tags": ["test"]
193
- }
194
- ```
195
-
196
- | Key | Desc. | Required or optional |
197
- |-------------|----------------------------------------------------------------------------|----------------------|
198
- | title | A title of an alert | Required |
199
- | description | A description of an alert | Required |
200
- | artifacts | An array of artifacts (supported data types: ip, domain, url, email, hash) | Required |
201
- | tags | An array of tags | Optional |
202
-
203
- ## Configuration
204
-
205
- Configuration can be done via environment variables or a YAML file.
206
-
207
- | Key | Description | Default |
208
- |------------------------|-------------------------------------------------------------------------------------------------|-------------|
209
- | DATABASE | A path to the SQLite database or a DB URL (e.g. `postgres://postgres:pass@db.host:5432/somedb`) | `mihari.db` |
210
- | BINARYEDGE_API_KEY | BinaryEdge API key | |
211
- | CENSYS_ID | Censys API ID | |
212
- | CENSYS_SECRET | Censys secret | |
213
- | CIRCL_PASSIVE_PASSWORD | CIRCL passive DNS/SSL password | |
214
- | CIRCL_PASSIVE_USERNAME | CIRCL passive DNS/SSL username | |
215
- | MISP_API_ENDPOINT | MISP URL | |
216
- | MISP_API_KEY | MISP API key | |
217
- | ONYPHE_API_KEY | Onyphe API key | |
218
- | OTX_API_KEY | OTX API key | |
219
- | PASSIVETOTAL_API_KEY | PassiveTotal API key | |
220
- | PASSIVETOTAL_USERNAME | PassiveTotal username | |
221
- | PULSEDIVE_API_KEY | Pulsedive API key | |
222
- | SECURITYTRAILS_API_KEY | SecurityTrails API key | |
223
- | SHODAN_API_KEY | Shodan API key | |
224
- | SLACK_CHANNEL | Slack channel name | `#general` |
225
- | SLACK_WEBHOOK_URL | Slack Webhook URL | |
226
- | SPYSE_API_KEY | Spyse API key | |
227
- | THEHIVE_API_ENDPOINT | TheHive URL | |
228
- | THEHIVE_API_KEY | TheHive API key | |
229
- | URLSCAN_API_KEY | urlscan.io API key | |
230
- | VIRUSTOTAL_API_KEY | VirusTotal API key | |
231
- | ZOOMEYE_PASSWORD | ZoomEye password | |
232
- | ZOOMEYE_USERNAMME | ZoomEye username | |
233
-
234
- Instead of using environment variables, you can use a YAML file for configuration.
235
-
236
- ```bash
237
- mihari virustotal 1.1.1.1 --config /path/to/yaml.yml
238
- ```
239
-
240
- The YAML file should be a YAML hash like below:
241
-
242
- ```yaml
243
- database: /tmp/mihari.db
244
- thehive_api_endpoint: https://localhost
245
- thehive_api_key: foo
246
- virustotal_api_key: foo
247
- ```
248
-
249
- You can check the configuration status via `status` command.
250
-
251
- ```bash
252
- mihari status
253
- ```
254
-
255
- ## How to create a custom script
256
-
257
- Create a class which extends `Mihari::Analyzers::Base` and implements the following methods.
258
-
259
- | Name | Desc. | @return | Required or optional |
260
- |----------------|----------------------------------------------------------------------------|---------------|----------------------|
261
- | `#title` | A title of an alert | String | Required |
262
- | `#description` | A description of an alert | String | Required |
263
- | `#artifacts` | An array of artifacts (supported data types: ip, domain, url, email, hash) | Array<String> | Required |
264
- | `#tags` | An array of tags | Array<String> | Optional |
265
-
266
- ```ruby
267
- require "mihari"
268
-
269
- module Mihari
270
- module Analyzers
271
- class Example < Base
272
- def title
273
- "example"
274
- end
275
-
276
- def description
277
- "example"
278
- end
279
-
280
- def artifacts
281
- ["9.9.9.9", "example.com"]
282
- end
283
-
284
- def tags
285
- ["example"]
286
- end
287
- end
288
- end
289
- end
290
-
291
- example = Mihari::Analyzers::Example.new
292
- example.run
293
- ```
294
-
295
- See `/examples` for more.
49
+ See [Usage](https://github.com/ninoseki/mihari/wiki/Usage) for more information.
296
50
 
297
- ## Using it with Docker
51
+ ## Docs
298
52
 
299
- ```bash
300
- $ docker run --rm ninoseki/mihari
301
- # Note that you should pass configurations via environment variables
302
- $ docker run --rm ninoseki/mihari -e THEHIVE_API_ENDPOINT="http://THEHIVE_URL" -e THEHIVE_API_KEY="API KEY" mihari
303
- # or
304
- $ docker run --rm ninoseki/mihari --env-file ~/.mihari.env mihari
305
- ```
53
+ - [Requirements & Installation](https://github.com/ninoseki/mihari/wiki/Requirements-&-Installation)
54
+ - [Usage](https://github.com/ninoseki/mihari/wiki/Usage)
55
+ - [Built-in Web App](https://github.com/ninoseki/mihari/wiki/Built-in-Web-App)
56
+ - [Configuration](https://github.com/ninoseki/mihari/wiki/Configuration)
57
+ - [Custom Script](https://github.com/ninoseki/mihari/wiki/Custom-Script)
58
+ - [Docker](https://github.com/ninoseki/mihari/wiki/Docker)
59
+ - [GitHub Actions](https://github.com/ninoseki/mihari/wiki/GitHub-Actions)
306
60
 
307
61
  ## License
308
62
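Review bot: removing the configuration table, CLI reference, `import_from_json` schema and custom-script example from the README leaves the packaged gem with no in-tree description of the environment variables it reads (`DATABASE`, the `*_API_KEY` keys, `SLACK_WEBHOOK_URL`, the TheHive and MISP endpoints); the wiki the new links point to is not versioned with the gem, so a user on 2.2.0 following a later wiki edit can get mismatched instructions. Suggest keeping at least the configuration key table and the `mihari status` check in the README, or shipping them in a docs directory inside the gem, and pointing the wiki links at a version-tagged page. Dropping the old Docker examples is a net improvement, since the removed `docker run --rm ninoseki/mihari -e ...` lines placed the `-e` flags after the image name, where Docker would have passed them to mihari instead of setting the variables.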