mihari 1.4.1 → 2.2.0

data/lib/mihari/commands/securitytrails_domain_feed.rb

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+module Mihari
+  module Commands
+    module SecurityTrailsDomainFeed
+      def self.included(thor)
+        thor.class_eval do
+          desc "securitytrails_domain_feed [REGEXP]", "SecurityTrails new domain feed search by a regexp"
+          method_option :title, type: :string, desc: "title"
+          method_option :description, type: :string, desc: "description"
+          method_option :tags, type: :array, desc: "tags"
+          method_option :type, type: :string, default: "registered", desc: "A type of domain feed ('all', 'new' or 'registered')"
+          def securitytrails_domain_feed(regexp)
+            with_error_handling do
+              run_analyzer Analyzers::SecurityTrailsDomainFeed, query: regexp, options: options
+            end
+          end
+          map "st_domain_feed" => :securitytrails_domain_feedd
+        end
+      end
+    end
+  end
+end

data/lib/mihari/commands/shodan.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+module Mihari
+  module Commands
+    module Shodan
+      def self.included(thor)
+        thor.class_eval do
+          desc "shodan [QUERY]", "Shodan host search by a query"
+          method_option :title, type: :string, desc: "title"
+          method_option :description, type: :string, desc: "description"
+          method_option :tags, type: :array, desc: "tags"
+          def shodan(query)
+            with_error_handling do
+              run_analyzer Analyzers::Shodan, query: query, options: options
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/mihari/commands/spyse.rb

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+module Mihari
+  module Commands
+    module Spyse
+      def self.included(thor)
+        thor.class_eval do
+          desc "spyse [QUERY]", "Spyse search by a query"
+          method_option :title, type: :string, desc: "title"
+          method_option :description, type: :string, desc: "description"
+          method_option :tags, type: :array, desc: "tags"
+          method_option :type, type: :string, desc: "type to search (ip or domain)", default: "doamin"
+          def spyse(query)
+            with_error_handling do
+              run_analyzer Analyzers::Spyse, query: query, options: options
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/mihari/commands/ssh_fingerprint.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+module Mihari
+  module Commands
+    module SSHFingerprint
+      def self.included(thor)
+        thor.class_eval do
+          desc "ssh_fingerprint [FINGERPRINT]", "Cross search with search engines by an SSH fingerprint (e.g. dc:14:de:8e:d7:c1:15:43:23:82:25:81:d2:59:e8:c0)"
+          method_option :title, type: :string, desc: "title"
+          method_option :description, type: :string, desc: "description"
+          method_option :tags, type: :array, desc: "tags"
+          def ssh_fingerprint(fingerprint)
+            with_error_handling do
+              run_analyzer Analyzers::SSHFingerprint, query: fingerprint, options: options
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/mihari/commands/urlscan.rb

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+module Mihari
+  module Commands
+    module Urlscan
+      def self.included(thor)
+        thor.class_eval do
+          desc "urlscan [QUERY]", "urlscan search by a given query"
+          method_option :title, type: :string, desc: "title"
+          method_option :description, type: :string, desc: "description"
+          method_option :tags, type: :array, desc: "tags"
+          method_option :filter, type: :string, desc: "filter for urlscan pro search"
+          method_option :target_type, type: :string, default: "url", desc: "target type to fetch from lookup results (target type should be 'url', 'domain' or 'ip')"
+          method_option :use_pro, type: :boolean, default: false, desc: "use pro search API or not"
+          method_option :use_similarity, type: :boolean, default: false, desc: "use similarity API or not"
+          def urlscan(query)
+            with_error_handling do
+              run_analyzer Analyzers::Urlscan, query: query, options: options
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/mihari/commands/virustotal.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+module Mihari
+  module Commands
+    module VirusTotal
+      def self.included(thor)
+        thor.class_eval do
+          desc "virustotal [IP|DOMAIN]", "VirusTotal resolutions lookup by an ip or domain"
+          method_option :title, type: :string, desc: "title"
+          method_option :description, type: :string, desc: "description"
+          method_option :tags, type: :array, desc: "tags"
+          def virustotal(indiactor)
+            with_error_handling do
+              run_analyzer Analyzers::VirusTotal, query: refang(indiactor), options: options
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/mihari/commands/web.rb

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+module Mihari
+  module Commands
+    module Web
+      def self.included(thor)
+        thor.class_eval do
+          desc "web", "Launch the web app"
+          method_option :port, type: :numeric, default: 9292
+          method_option :host, type: :string, default: "localhost"
+          def web
+            port = options["port"].to_i || 9292
+            host = options["host"] || "localhost"
+
+            load_configuration
+            Mihari::App.run!(port: port, host: host)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/mihari/commands/zoomeye.rb

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+module Mihari
+  module Commands
+    module ZoomEye
+      def self.included(thor)
+        thor.class_eval do
+          desc "zoomeye [QUERY]", "ZoomEye search by a query"
+          method_option :title, type: :string, desc: "title"
+          method_option :description, type: :string, desc: "description"
+          method_option :tags, type: :array, desc: "tags"
+          method_option :type, type: :string, desc: "type to search(host / web)", default: "host"
+          def zoomeye(query)
+            with_error_handling do
+              run_analyzer Analyzers::ZoomEye, query: query, options: options
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/mihari/config.rb

@@ -4,31 +4,7 @@ require "yaml"
 
 module Mihari
   class Config
-    attr_accessor :binaryedge_api_key
-    attr_accessor :censys_id
-    attr_accessor :censys_secret
-    attr_accessor :circl_passive_password
-    attr_accessor :circl_passive_username
-    attr_accessor :misp_api_endpoint
-    attr_accessor :misp_api_key
-    attr_accessor :onyphe_api_key
-    attr_accessor :otx_api_key
-    attr_accessor :passivetotal_api_key
-    attr_accessor :passivetotal_username
-    attr_accessor :pulsedive_api_key
-    attr_accessor :securitytrails_api_key
-    attr_accessor :shodan_api_key
-    attr_accessor :slack_channel
-    attr_accessor :slack_webhook_url
-    attr_accessor :spyse_api_key
-    attr_accessor :thehive_api_endpoint
-    attr_accessor :thehive_api_key
-    attr_accessor :urlscan_api_key
-    attr_accessor :virustotal_api_key
-    attr_accessor :zoomeye_password
-    attr_accessor :zoomeye_username
-
-    attr_accessor :database
+    attr_accessor :binaryedge_api_key, :censys_id, :censys_secret, :circl_passive_password, :circl_passive_username, :misp_api_endpoint, :misp_api_key, :onyphe_api_key, :otx_api_key, :passivetotal_api_key, :passivetotal_username, :pulsedive_api_key, :securitytrails_api_key, :shodan_api_key, :slack_channel, :slack_webhook_url, :spyse_api_key, :thehive_api_endpoint, :thehive_api_key, :urlscan_api_key, :virustotal_api_key, :zoomeye_password, :zoomeye_username, :database
 
     def initialize
       load_from_env
@@ -79,6 +55,18 @@ module Mihari
           end
         end
       end
+
+      def initialize_yaml(filename)
+        keys = new.instance_variables.map do |key|
+          key.to_s[1..]
+        end
+
+        config = keys.map do |key|
+          [key, nil]
+        end.to_h
+
+        YAML.dump(config, File.open(filename, "w"))
+      end
     end
   end
 

data/lib/mihari/configurable.rb

@@ -6,13 +6,12 @@ module Mihari
       config_keys.all? { |key| Mihari.config.send(key) }
     end
 
-    def configuration_status
+    def configuration_values
       return nil if config_keys.empty?
 
-      names = config_keys.join(" and ")
-      be_verb = config_keys.length == 1 ? "is" : "are"
-      status = configured? ? "found" : "missing"
-      "#{names} #{be_verb} #{status}"
+      config_keys.map do |key|
+        { key: key.upcase, value: Mihari.config.send(key) }
+      end
     end
 
     def config_keys

data/lib/mihari/database.rb

@@ -34,6 +34,7 @@ end
 
 def adapter
   return "postgresql" if Mihari.config.database.start_with?("postgresql://", "postgres://")
+  return "mysql2" if Mihari.config.database.start_with?("mysql2://")
 
   "sqlite3"
 end
@@ -43,7 +44,7 @@ module Mihari
     class << self
       def connect
         case adapter
-        when "postgresql"
+        when "postgresql", "mysql2"
           ActiveRecord::Base.establish_connection(Mihari.config.database)
         else
           ActiveRecord::Base.establish_connection(
@@ -58,6 +59,11 @@ module Mihari
         # Do nothing
       end
 
+      def close
+        ActiveRecord::Base.clear_active_connections!
+        ActiveRecord::Base.connection.close
+      end
+
       def destroy!
         InitialSchema.migrate(:down) if ActiveRecord::Base.connected?
       end

data/lib/mihari/emitters/misp.rb

@@ -7,6 +7,8 @@ module Mihari
   module Emitters
     class MISP < Base
       def initialize
+        super()
+
         ::MISP.configure do |config|
           config.api_endpoint = Mihari.config.misp_api_endpoint
           config.api_key = Mihari.config.misp_api_key
@@ -35,7 +37,7 @@ module Mihari
       private
 
       def config_keys
-        %w(misp_api_endpoint misp_api_key)
+        %w[misp_api_endpoint misp_api_key]
       end
 
       def build_attribute(artifact)
@@ -61,7 +63,7 @@ module Mihari
           ip: "ip-dst",
           mail: "email-dst",
           url: "url",
-          domain: "domain",
+          domain: "domain"
         }
         return table[type] if table.key?(type)
 

data/lib/mihari/emitters/slack.rb

@@ -19,25 +19,31 @@ module Mihari
       end
 
       def actions
-        [vt_link, urlscan_link, censys_link].compact
+        [vt_link, urlscan_link, censys_link, shodan_link].compact
       end
 
       def vt_link
         return nil unless _vt_link
 
-        { type: "button", text: "Lookup on VirusTotal", url: _vt_link, }
+        { type: "button", text: "VirusTotal", url: _vt_link }
       end
 
       def urlscan_link
         return nil unless _urlscan_link
 
-        { type: "button", text: "Lookup on urlscan.io", url: _urlscan_link, }
+        { type: "button", text: "urlscan.io", url: _urlscan_link }
       end
 
       def censys_link
         return nil unless _censys_link
 
-        { type: "button", text: "Lookup on Censys", url: _censys_link, }
+        { type: "button", text: "Censys", url: _censys_link }
+      end
+
+      def shodan_link
+        return nil unless _shodan_link
+
+        { type: "button", text: "Shodan", url: _shodan_link }
       end
 
       # @return [Array]
@@ -89,6 +95,11 @@ module Mihari
       end
       memoize :_censys_link
 
+      def _shodan_link
+        data_type == "ip" ? "https://www.shodan.io/host/#{data}" : nil
+      end
+      memoize :_shodan_link
+
       # @return [String]
       def sha256
         Digest::SHA256.hexdigest data
@@ -96,7 +107,7 @@ module Mihari
 
       # @return [String]
       def defanged_data
-        @defanged_data ||= data.to_s.gsub /\./, "[.]"
+        @defanged_data ||= data.to_s.gsub(/\./, "[.]")
       end
     end
 
@@ -121,7 +132,7 @@ module Mihari
         [
           "*#{title}*",
           "*Desc.*: #{description}",
-          "*Tags*: #{tags.join(', ')}",
+          "*Tags*: #{tags.join(", ")}"
         ].join("\n")
       end
 
@@ -137,7 +148,7 @@ module Mihari
       private
 
       def config_keys
-        %w(slack_webhook_url)
+        %w[slack_webhook_url]
       end
     end
   end

data/lib/mihari/emitters/the_hive.rb

@@ -27,7 +27,7 @@ module Mihari
       private
 
       def config_keys
-        %w(thehive_api_endpoint thehive_api_key)
+        %w[thehive_api_endpoint thehive_api_key]
       end
 
       def api

data/lib/mihari/errors.rb

@@ -2,6 +2,8 @@
 
 module Mihari
   class Error < StandardError; end
+
   class InvalidInputError < Error; end
+
   class RetryableError < Error; end
 end

data/lib/mihari/models/alert.rb

@@ -1,11 +1,62 @@
 # frozen_string_literal: true
 
 require "active_record"
+require "active_record/filter"
 
 module Mihari
   class Alert < ActiveRecord::Base
     has_many :taggings, dependent: :destroy
     has_many :artifacts, dependent: :destroy
     has_many :tags, through: :taggings
+
+    class << self
+      def search(artifact_data: nil, description: nil, source: nil, tag_name: nil, title: nil, from_at: nil, to_at: nil, limit: 10, page: 1)
+        limit = limit.to_i
+        raise ArgumentError, "limit should be bigger than zero" unless limit.positive?
+
+        page = page.to_i
+        raise ArgumentError, "page should be bigger than zero" unless page.positive?
+
+        offset = (page - 1) * limit
+
+        relation = build_relation(artifact_data: artifact_data, title: title, description: description, source: source, tag_name: tag_name, from_at: from_at, to_at: to_at)
+        # relation = relation.group("alerts.id")
+
+        alerts = relation.limit(limit).offset(offset).order(id: :desc)
+
+        alerts.map do |alert|
+          json = AlertSerializer.new(alert).as_json
+          json[:artifacts] = json[:artifacts] || []
+          json[:tags] = json[:tags] || []
+          json
+        end
+      end
+
+      def count(artifact_data: nil, description: nil, source: nil, tag_name: nil, title: nil, from_at: nil, to_at: nil)
+        relation = build_relation(artifact_data: artifact_data, title: title, description: description, source: source, tag_name: tag_name, from_at: from_at, to_at: to_at)
+        relation.distinct("alerts.id").count
+      end
+
+      private
+
+      def build_relation(artifact_data: nil, title: nil, description: nil, source: nil, tag_name: nil, from_at: nil, to_at: nil)
+        relation = self
+        relation = joins(:tags) if tag_name
+        relation = joins(:artifacts) if artifact_data
+
+        relation = relation.where(artifacts: { data: artifact_data }) if artifact_data
+        relation = relation.where(tags: { name: tag_name }) if tag_name
+
+        relation = relation.where(source: source) if source
+        relation = relation.where(title: title) if title
+
+        relation = relation.filter(description: { like: "%#{description}%" }) if description
+
+        relation = relation.filter(created_at: { gte: from_at }) if from_at
+        relation = relation.filter(created_at: { lte: to_at }) if to_at
+
+        relation
+      end
+    end
   end
 end