mihari 1.5.0 → 2.2.1

Files changed (96)
  1. checksums.yaml +4 -4
  2. data/.github/ISSUE_TEMPLATE/bug_report.md +43 -0
  3. data/.github/ISSUE_TEMPLATE/feature_request.md +15 -0
  4. data/.github/workflows/test.yml +41 -17
  5. data/.rubocop.yml +6 -0
  6. data/.standard.yml +4 -0
  7. data/README.md +21 -266
  8. data/bin/console +1 -0
  9. data/build_frontend.sh +14 -0
  10. data/docker/Dockerfile +5 -3
  11. data/examples/ipinfo_hosted_domains.rb +1 -1
  12. data/{screenshots → images}/alert.png +0 -0
  13. data/images/logo.png +0 -0
  14. data/{screenshots → images}/misp.png +0 -0
  15. data/{screenshots/eyecatch.png → images/overview.png} +0 -0
  16. data/{screenshots → images}/slack.png +0 -0
  17. data/images/web_alerts.png +0 -0
  18. data/images/web_config.png +0 -0
  19. data/lib/mihari.rb +2 -2
  20. data/lib/mihari/analyzers/base.rb +11 -2
  21. data/lib/mihari/analyzers/circl.rb +3 -3
  22. data/lib/mihari/analyzers/onyphe.rb +2 -2
  23. data/lib/mihari/analyzers/securitytrails.rb +2 -2
  24. data/lib/mihari/analyzers/shodan.rb +4 -0
  25. data/lib/mihari/cli.rb +73 -301
  26. data/lib/mihari/commands/binaryedge.rb +21 -0
  27. data/lib/mihari/commands/censys.rb +22 -0
  28. data/lib/mihari/commands/circl.rb +21 -0
  29. data/lib/mihari/commands/config.rb +27 -0
  30. data/lib/mihari/commands/crtsh.rb +22 -0
  31. data/lib/mihari/commands/dnpedia.rb +21 -0
  32. data/lib/mihari/commands/dnstwister.rb +21 -0
  33. data/lib/mihari/commands/free_text.rb +21 -0
  34. data/lib/mihari/commands/http_hash.rb +25 -0
  35. data/lib/mihari/commands/json.rb +42 -0
  36. data/lib/mihari/commands/onyphe.rb +21 -0
  37. data/lib/mihari/commands/otx.rb +21 -0
  38. data/lib/mihari/commands/passive_dns.rb +21 -0
  39. data/lib/mihari/commands/passive_ssl.rb +21 -0
  40. data/lib/mihari/commands/passivetotal.rb +21 -0
  41. data/lib/mihari/commands/pulsedive.rb +21 -0
  42. data/lib/mihari/commands/reverse_whois.rb +21 -0
  43. data/lib/mihari/commands/securitytrails.rb +22 -0
  44. data/lib/mihari/commands/securitytrails_domain_feed.rb +23 -0
  45. data/lib/mihari/commands/shodan.rb +21 -0
  46. data/lib/mihari/commands/spyse.rb +22 -0
  47. data/lib/mihari/commands/ssh_fingerprint.rb +21 -0
  48. data/lib/mihari/commands/urlscan.rb +25 -0
  49. data/lib/mihari/commands/virustotal.rb +21 -0
  50. data/lib/mihari/commands/web.rb +22 -0
  51. data/lib/mihari/commands/zoomeye.rb +22 -0
  52. data/lib/mihari/config.rb +12 -0
  53. data/lib/mihari/configurable.rb +4 -5
  54. data/lib/mihari/database.rb +8 -2
  55. data/lib/mihari/emitters/slack.rb +1 -1
  56. data/lib/mihari/emitters/the_hive.rb +1 -1
  57. data/lib/mihari/models/alert.rb +51 -0
  58. data/lib/mihari/models/artifact.rb +13 -2
  59. data/lib/mihari/notifiers/exception_notifier.rb +4 -4
  60. data/lib/mihari/serializers/alert.rb +1 -1
  61. data/lib/mihari/serializers/artifact.rb +1 -1
  62. data/lib/mihari/serializers/tag.rb +1 -1
  63. data/lib/mihari/status.rb +6 -14
  64. data/lib/mihari/version.rb +1 -1
  65. data/lib/mihari/web/app.rb +51 -0
  66. data/lib/mihari/web/controllers/alerts_controller.rb +75 -0
  67. data/lib/mihari/web/controllers/artifacts_controller.rb +24 -0
  68. data/lib/mihari/web/controllers/base_controller.rb +22 -0
  69. data/lib/mihari/web/controllers/command_controller.rb +26 -0
  70. data/lib/mihari/web/controllers/config_controller.rb +13 -0
  71. data/lib/mihari/web/controllers/sources_controller.rb +12 -0
  72. data/lib/mihari/web/controllers/tags_controller.rb +28 -0
  73. data/lib/mihari/web/helpers/json.rb +53 -0
  74. data/lib/mihari/web/public/index.html +1 -0
  75. data/lib/mihari/web/public/redoc-static.html +519 -0
  76. data/lib/mihari/web/public/static/favicon.ico +0 -0
  77. data/lib/mihari/web/public/static/fonts/fa-brands-400.099a9556.woff +0 -0
  78. data/lib/mihari/web/public/static/fonts/fa-brands-400.30cc681d.eot +0 -0
  79. data/lib/mihari/web/public/static/fonts/fa-brands-400.3b89dd10.ttf +0 -0
  80. data/lib/mihari/web/public/static/fonts/fa-brands-400.f7307680.woff2 +0 -0
  81. data/lib/mihari/web/public/static/fonts/fa-regular-400.1f77739c.ttf +0 -0
  82. data/lib/mihari/web/public/static/fonts/fa-regular-400.7124eb50.woff +0 -0
  83. data/lib/mihari/web/public/static/fonts/fa-regular-400.7630483d.eot +0 -0
  84. data/lib/mihari/web/public/static/fonts/fa-regular-400.f0f82301.woff2 +0 -0
  85. data/lib/mihari/web/public/static/fonts/fa-solid-900.1042e8ca.eot +0 -0
  86. data/lib/mihari/web/public/static/fonts/fa-solid-900.605ed792.ttf +0 -0
  87. data/lib/mihari/web/public/static/fonts/fa-solid-900.9fe5a17c.woff +0 -0
  88. data/lib/mihari/web/public/static/fonts/fa-solid-900.e8a427e1.woff2 +0 -0
  89. data/lib/mihari/web/public/static/img/fa-brands-400.ba7ed552.svg +3717 -0
  90. data/lib/mihari/web/public/static/img/fa-regular-400.0bb42845.svg +801 -0
  91. data/lib/mihari/web/public/static/img/fa-solid-900.376c1f97.svg +5034 -0
  92. data/lib/mihari/web/public/static/js/app.cccddb2b.js +12 -0
  93. data/lib/mihari/web/public/static/js/app.cccddb2b.js.map +1 -0
  94. data/mihari.gemspec +16 -4
  95. metadata +264 -21
  96. data/lib/mihari/alert_viewer.rb +0 -23
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 70afeb6b1ddaa263689beb836de85264ad1e871a1887a0574adfc22f00e006d8
4
- data.tar.gz: ad614363a9a3320c2dfa34ec19bd4712d08a9a6e662cdf11b4b70c775f55e592
3
+ metadata.gz: 14bf63fb577af68b341abac71adfcc2dc1bab435d2be6ed78d33cb59bcf54c9b
4
+ data.tar.gz: 772be3a526f71631ed0ee861fc9c307bff4a686dae6ab370510870f361657bc3
5
5
  SHA512:
6
- metadata.gz: 8b7b9b86a6ec5341ce03b5652e29d45ccfafcd6ee09ca469ccf88d9872a965aded13fae1925c647cbbdedb389532469060698e35a06905197ffb143b223d0a93
7
- data.tar.gz: 5d839d16358cf855658bc85d8e30868ce9fcae63cf9064461e67343cd979cee90daad2822260d96da9f00acadb9f981e29de89eb07b35047f9cd3ae039a37c3e
6
+ metadata.gz: 0b57106d1727f2d4d780bb78bd4e40f23ad89d67893741d68bd0ed6d5ef9d03e9f1aad514338b2b400d7c5c3ef2cd75fdc6252b5049263e0c8bb41ff7a929c1f
7
+ data.tar.gz: b44040e98a4544bfab59ed1b61f648014c4a470a6233248fef72d61c9839d92b004b8a7152a8c68c1c790d4b40acb5fe1085b41ef1c1650750387fb7281f1850
@@ -0,0 +1,43 @@
1
+ ---
2
+ name: Bug report
3
+ about: Create a bug report to help us improve
4
+ title: "[BUG]"
5
+ labels: bug
6
+ assignees: ''
7
+
8
+ ---
9
+
10
+ <!--
11
+ Thank you for taking the time to report a bug.
12
+ Please make sure there is no existing issue about this kind of bug.
13
+ -->
14
+
15
+ ### **Describe the bug**
16
+
17
+ A clear and concise description of what the bug is.
18
+
19
+ ### **Steps to reproduce**
20
+
21
+ - ...
22
+
23
+ ### **Expected behavior**
24
+
25
+ A clear and concise description of what you expected to happen.
26
+
27
+ ### **Actual behavior**
28
+
29
+ A clear and concise description of what actually happened.
30
+
31
+ ### **Screenshots**
32
+
33
+ Add screenshots to help explain your problem.
34
+
35
+ ### **System Information:**
36
+
37
+ - OS: [e.g. Windows10]
38
+ - Ruby version: [e.g. 3.0]
39
+ - Mihari version: [e.g. 2.0.0]
40
+
41
+ ### **Additional context**
42
+
43
+ Add any other context about the problem here.
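Review bot: style point on the "### **System Information:**" heading: it carries a trailing colon the other headings in this template do not, and the list beneath it should also ask which database backend the reporter runs, since the README in this same release advertises SQLite3, PostgreSQL and MySQL; a bug that only reproduces on one backend is hard to triage without it. Something like "- DB backend: [e.g. SQLite3 / PostgreSQL / MySQL]" next to the Ruby and Mihari version lines would do.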
@@ -0,0 +1,15 @@
1
+ ---
2
+ name: Feature request
3
+ about: Suggest a new Feature for Mihari
4
+ title: "[Feature Request]"
5
+ labels: enhancement
6
+ assignees: ''
7
+
8
+ ---
9
+ <!--
10
+
11
+ 1. Make sure your requested feature makes sense for Mihari.
12
+
13
+ 2. If you want to suggest a new integration of a service, please provide detailed information of it. (e.g. API docs)
14
+
15
+ -->
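Review bot: two small style issues: the closing `---` of the front matter is immediately followed by `<!--` with no blank line, unlike the bug report template, and "Suggest a new Feature for Mihari" capitalises "Feature" mid-sentence. The second checklist item could also ask for the service's authentication model (API key, username/password), since every analyzer added in this release is keyed off a `*_API_KEY` or username/password pair and that is what the integration needs to know first.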
@@ -4,11 +4,10 @@ on: [pull_request]
4
4
 
5
5
  jobs:
6
6
  build:
7
-
8
7
  runs-on: ubuntu-latest
9
8
 
10
9
  services:
11
- db:
10
+ postgres:
12
11
  image: postgres:12
13
12
  env:
14
13
  POSTGRES_USER: postgres
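Review bot: the rename from `db:` to `postgres:` is fine as long as nothing referenced the old service name; the test steps connect via `localhost:5432`, so nothing in this workflow does. One thing to confirm: the `mysql` service added further down gets a `--health-cmd` block, but the `postgres` service (most of whose definition sits outside this hunk) shows none; without a `pg_isready` health check the PostgreSQL test step can race a container that is still initialising.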
@@ -22,23 +21,48 @@ jobs:
22
21
  ports:
23
22
  - 5432:5432
24
23
 
24
+ mysql:
25
+ image: mysql:8.0
26
+ env:
27
+ MYSQL_USER: mysql
28
+ MYSQL_PASSWORD: mysql
29
+ MYSQL_DATABASE: test
30
+ MYSQL_ROOT_PASSWORD: rootpassword
31
+ ports:
32
+ - 3306:3306
33
+ options: >-
34
+ --health-cmd="mysqladmin ping"
35
+ --health-interval=10s
36
+ --health-timeout=5s
37
+ --health-retries=3
38
+
25
39
  strategy:
26
40
  fail-fast: false
27
41
  matrix:
28
- ruby: [2.7, '3.0']
42
+ ruby: [2.7, "3.0"]
29
43
 
30
44
  steps:
31
- - uses: actions/checkout@v2
32
- - name: Set up Ruby 2.7
33
- uses: actions/setup-ruby@v1
34
- with:
35
- ruby-version: ${{ matrix.ruby }}
36
- bundler-cache: true
37
- - name: Build and test with Rake
38
- env:
39
- DATABASE: postgresql://postgres:postgres@localhost:5432/test
40
- run: |
41
- sudo apt-get -yqq install libpq-dev
42
- gem install bundler
43
- bundle install
44
- bundle exec rake
45
+ - uses: actions/checkout@v2
46
+ - name: Set up Ruby 2.7
47
+ uses: ruby/setup-ruby@v1
48
+ with:
49
+ ruby-version: ${{ matrix.ruby }}
50
+ bundler-cache: true
51
+
52
+ - name: Install dependencies
53
+ run: |
54
+ sudo apt-get -yqq install libpq-dev libmysqlclient-dev
55
+ gem install bundler
56
+ bundle install
57
+
58
+ - name: Test with PostgreSQL
59
+ env:
60
+ DATABASE: postgresql://postgres:postgres@localhost:5432/test
61
+ run: |
62
+ bundle exec rake
63
+
64
+ - name: Test with MySQL
65
+ env:
66
+ DATABASE: mysql2://mysql:mysql@127.0.0.1:3306/test
67
+ run: |
68
+ bundle exec rake
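Review bot: the step name "Set up Ruby 2.7" is now wrong for a matrix that runs 2.7 and "3.0"; use `Set up Ruby ${{ matrix.ruby }}`. With `bundler-cache: true`, ruby/setup-ruby already runs `bundle install` and restores the cache, so the "Install dependencies" step's `gem install bundler` and `bundle install` are redundant and defeat the cache; keep only the `apt-get` line there. The MySQL URL uses `127.0.0.1` while the PostgreSQL one uses `localhost`; for mysql2 that is deliberate (`localhost` would try the Unix socket rather than the mapped port), so a one-line comment in the workflow would stop a future contributor from "fixing" it. The hard-coded service credentials are acceptable for an ephemeral CI container.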
data/.rubocop.yml CHANGED
@@ -4,6 +4,9 @@
4
4
  require:
5
5
  - rubocop-performance
6
6
 
7
+ AllCops:
8
+ NewCops: enable
9
+
7
10
  Style/Alias:
8
11
  Enabled: false
9
12
  StyleGuide: https://relaxed.ruby.style/#stylealias
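Review bot: `AllCops: NewCops: enable` opts the project into every cop that future rubocop releases add, so an unpinned rubocop or rubocop-performance upgrade can start failing CI with no code change. Either pin those gems in the gemspec (changed in this release, not shown here) or state that the maintainers accept that churn; otherwise `NewCops: disable` with explicit opt-ins is the predictable choice.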
@@ -151,5 +154,8 @@ Lint/AssignmentInCondition:
151
154
  Layout/LineLength:
152
155
  Enabled: false
153
156
 
157
+ Style/StringLiteralsInInterpolation:
158
+ Enabled: false
159
+
154
160
  Metrics:
155
161
  Enabled: false
data/.standard.yml ADDED
@@ -0,0 +1,4 @@
1
+ ignore:
2
+ - "**/*":
3
+ - Layout/SpaceInsideHashLiteralBraces
4
+ - Style/RescueStandardError
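Review bot: with this file added, the repository carries both a `.rubocop.yml` (also modified in this release) and a `.standard.yml`, and the two cops ignored here for `**/*` are not among the ones disabled in the `.rubocop.yml` hunks shown above. State in the README or the workflow which linter CI actually enforces, otherwise the two configurations will drift and contributors will get different results locally and in CI.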
data/README.md CHANGED
@@ -1,61 +1,31 @@
1
1
  # mihari
2
2
 
3
3
  [![Gem Version](https://badge.fury.io/rb/mihari.svg)](https://badge.fury.io/rb/mihari)
4
- [![Build Status](https://travis-ci.com/ninoseki/mihari.svg?branch=master)](https://travis-ci.com/ninoseki/mihari)
4
+ [![Ruby CI](https://github.com/ninoseki/mihari/actions/workflows/test.yml/badge.svg)](https://github.com/ninoseki/mihari/actions/workflows/test.yml)
5
5
  [![Docker Cloud Build Status](https://img.shields.io/docker/cloud/build/ninoseki/mihari)](https://hub.docker.com/r/ninoseki/mihari)
6
6
  [![Coverage Status](https://coveralls.io/repos/github/ninoseki/mihari/badge.svg?branch=master)](https://coveralls.io/github/ninoseki/mihari?branch=master)
7
7
  [![CodeFactor](https://www.codefactor.io/repository/github/ninoseki/mihari/badge)](https://www.codefactor.io/repository/github/ninoseki/mihari)
8
8
 
9
- Mihari is a helper to run queries & manage results continuously. Mihari can be used for C2, landing page and phishing hunting.
9
+ ![img](https://github.com/ninoseki/mihari/raw/master/images/logo.png)
10
+
11
+ Mihari is a framework for continuous OSINT based threat hunting.
10
12
 
11
13
  ## How it works
12
14
 
13
- - Mihari makes a query against Shodan, Censys, VirusTotal, SecurityTrails, etc. and extracts artifacts (IP addresses, domains, URLs and hashes).
14
- - Mihari checks whether a DB (SQLite3 or PostgreSQL) contains the artifacts or not.
15
+ ![img](https://github.com/ninoseki/mihari/raw/master/images/overview.png)
16
+
17
+ - Mihari makes a query against Shodan, Censys, VirusTotal, SecurityTrails, etc. and extracts artifacts (IP addresses, domains, URLs or hashes).
18
+ - Mihari checks whether a DB (SQLite3, PostgreSQL or MySQL) contains the artifacts or not.
15
19
  - If it doesn't contain the artifacts:
16
20
  - Mihari creates an alert on TheHive.
17
21
  - Mihari sends a notification to Slack.
18
22
  - Mihari creates an event on MISP.
19
23
 
20
- ![img](https://github.com/ninoseki/mihari/raw/master/screenshots/eyecatch.png)
21
-
22
- ### Screenshots
23
-
24
- - TheHive alert example
25
-
26
- ![img](https://github.com/ninoseki/mihari/raw/master/screenshots/alert.png)
27
-
28
- - Slack notification example
29
-
30
- ![img](https://github.com/ninoseki/mihari/raw/master/screenshots/slack.png)
31
-
32
- - MISP event example
33
-
34
- ![img](https://github.com/ninoseki/mihari/raw/master/screenshots/misp.png)
35
-
36
- ## Requirements
37
-
38
- - Ruby (2.7 or 3.0)
39
- - SQLite3 or PostgreSQL
40
-
41
- ```bash
42
- # For Debian / Ubuntu
43
- apt-get install sqlite3 libsqlite3-dev libpq-dev
44
- ```
45
-
46
- ## Installation
47
-
48
- ```bash
49
- gem install mihari
50
- ```
51
-
52
- Or you can use this tool with Docker.
24
+ Also, you can check the alerts on a built-in web app.
53
25
 
54
- ```bash
55
- docker pull ninoseki/mihari
56
- ```
26
+ ![img](https://github.com/ninoseki/mihari/raw/master/images/web_alerts.png)
57
27
 
58
- ## Basic usage
28
+ ## Supported services
59
29
 
60
30
  Mihari supports the following services by default.
61
31
 
@@ -68,6 +38,7 @@ Mihari supports the following services by default.
68
38
  - [Onyphe](https://onyphe.io)
69
39
  - [OTX](https://otx.alienvault.com/)
70
40
  - [PassiveTotal](https://community.riskiq.com/)
41
+ - [Pulsedive](https://pulsedive.com/)
71
42
  - [SecurityTrails](https://securitytrails.com/)
72
43
  - [Shodan](https://shodan.io)
73
44
  - [Spyse](https://spyse.com)
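Review bot: good catch adding Pulsedive here; the removed CLI listing further down already had a `mihari pulsedive` command and the removed configuration table had `PULSEDIVE_API_KEY`, so the service list was simply missing it. Ordering stays alphabetical, so nothing else to change in this hunk.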
@@ -75,233 +46,17 @@ Mihari supports the following services by default.
75
46
  - [VirusTotal](http://virustotal.com)
76
47
  - [ZoomEye](https://zoomeye.org)
77
48
 
78
- ```bash
79
- $ mihari
80
- Commands:
81
- mihari alerts # Show the alerts on TheHive
82
- mihari binaryedge [QUERY] # BinaryEdge host search by a query
83
- mihari censys [QUERY] # Censys IPv4 search by a query
84
- mihari circl [DOMAIN|SHA1] # CIRCL passive DNS/SSL lookup by a domain or SHA1 certificate fingerprint
85
- mihari crtsh [QUERY] # crt.sh search by a query
86
- mihari dnpedia [QUERY] # DNPedia domain search by a query
87
- mihari dnstwister [DOMAIN] # dnstwister lookup by a domain
88
- mihari free_text [TEXT] # Cross search with search engines by a free text
89
- mihari help [COMMAND] # Describe available commands or one specific command
90
- mihari http_hash # Cross search with search engines by a hash of an HTTP response (SHA256, MD5 and MurmurHash3)
91
- mihari import_from_json # Give a JSON input via STDIN
92
- mihari onyphe [QUERY] # Onyphe datascan search by a query
93
- mihari otx [IP|DOMAIN] # OTX lookup by an IP or domain
94
- mihari passive_dns [IP|DOMAIN] # Cross search with passive DNS services by an ip or domain
95
- mihari passive_ssl [SHA1] # Cross search with passive SSL services by an SHA1 certificate fingerprint
96
- mihari passivetotal [IP|DOMAIN|EMAIL|SHA1] # PassiveTotal lookup by an ip, domain, email or SHA1 certificate fingerprint
97
- mihari pulsedive [IP|DOMAIN] # Pulsedive lookup by an ip or domain
98
- mihari reverse_whois [EMAIL] # Cross search with reverse whois services by an email
99
- mihari securitytrails [IP|DOMAIN|EMAIL] # SecurityTrails lookup by an ip, domain or email
100
- mihari securitytrails_domain_feed [REGEXP] # SecurityTrails new domain feed search by a regexp
101
- mihari shodan [QUERY] # Shodan host search by a query
102
- mihari spyse [QUERY] # Spyse search by a query
103
- mihari ssh_fingerprint [FINGERPRINT] # Cross search with search engines by an SSH fingerprint (e.g. dc:14:de:8e:d7:c1:15:43:23:82:25:81:d2:59:e8:c0)
104
- mihari status # Show the current configuration status
105
- mihari urlscan [QUERY] # urlscan search by a given query
106
- mihari virustotal [IP|DOMAIN] # VirusTotal resolutions lookup by an ip or domain
107
- mihari zoomeye [QUERY] # ZoomEye search by a query
108
-
109
- Options:
110
- [--config=CONFIG] # path to config file
111
-
112
- ```
113
-
114
- ### Cross searches
115
-
116
- Mihari has cross search features. A cross search is a search across a number of services.
117
-
118
- You can get aggregated results by using the following commands.
119
-
120
- | Command | Desc. |
121
- |-----------------|---------------------------------------------------------------------------------------------------------|
122
- | passive_dns | Passive DNS lookup with CIRCL passive DNS, OTX, PassiveTotal, Pulsedive, SecurityTrails and VirusTotal |
123
- | passive_ssl | Passive SSL lookup with CIRCL passive SSL and PassiveTotal |
124
- | reverse_whois | Revese Whois lookup with PassiveTotal and SecurityTrails |
125
- | http_hash | HTTP response hash lookup with BinaryEdge(SHA256), Censys(SHA256), Onyphpe(MD5) and Shodan(MurmurHash3) |
126
- | free_text | Free text lookup with BinaryEdge and Censys |
127
- | ssh_fingerprint | SSH fingerprint lookup with BinaryEdge and Shodan |
128
-
129
- #### http_hash command
130
-
131
- The usage of `http_hash` command is a little bit tricky.
132
-
133
- ```bash
134
- $ mihari help http_hash
135
- Usage:
136
- mihari http_hash
137
-
138
- Options:
139
- [--title=TITLE] # title
140
- [--description=DESCRIPTION] # description
141
- [--tags=one two three] # tags
142
- [--md5=MD5] # MD5 hash
143
- [--sha256=SHA256] # SHA256 hash
144
- [--mmh3=N] # MurmurHash3 hash
145
-
146
- Cross search with search engines by a hash of an HTTP response (SHA256, MD5 and MurmurHash3)
147
-
148
- ```
149
-
150
- There are 2 ways to use this command.
151
-
152
- First one is passing `--md5`, `--sha256` and `--mmh3` parameters.
153
-
154
- ```bash
155
- mihari http_hash --md5=881191f7736b5b8cfad5959ca99d2a51 --sha256=b064187ebdc51721708ad98cd89dacc346017cb0fb0457d530032d387f1ff20e --mmh3=-1467534799
156
- ```
157
-
158
- Another one is passing `--html` parameter. In this case, hashes of an HTML file are automatically calculated.
159
-
160
- ```bash
161
- wget http://example.com -O /tmp/index.html
162
- mihari http_hash --html /tmp/index.html
163
- ```
164
-
165
- ### Example usages
166
-
167
- ```bash
168
- # Censys lookup for PANDA C2
169
- mihari censys '("PANDA" AND "SMAdmin" AND "layui")' --title "PANDA C2"
170
-
171
- # VirusTotal passive DNS lookup of a FAKESPY host
172
- mihari virustotal "jppost-hi.top" --title "FAKESPY passive DNS"
173
-
174
- # You can pass a "defanged" indicator as an input
175
- mihari virustotal "jppost-hi[.]top" --title "FAKESPY passive DNS"
176
- ```
177
-
178
- ### Import from JSON
179
-
180
- ```bash
181
- echo '{ "title": "test", "description": "test", "artifacts": ["1.1.1.1", "github.com", "2.2.2.2"] }' | mihari import_from_json
182
- ```
183
-
184
- The input is a JSON data should have `title`, `description` and `artifacts` key. `tags` key is an optional parameter.
185
-
186
- ```json
187
- {
188
- "title": "test",
189
- "description": "test",
190
- "artifacts": ["1.1.1.1", "github.com"],
191
- "tags": ["test"]
192
- }
193
- ```
194
-
195
- | Key | Desc. | Required or optional |
196
- |-------------|----------------------------------------------------------------------------|----------------------|
197
- | title | A title of an alert | Required |
198
- | description | A description of an alert | Required |
199
- | artifacts | An array of artifacts (supported data types: ip, domain, url, email, hash) | Required |
200
- | tags | An array of tags | Optional |
201
-
202
- ## Configuration
203
-
204
- Configuration can be done via environment variables or a YAML file.
205
-
206
- | Key | Description | Default |
207
- |------------------------|-------------------------------------------------------------------------------------------------|-------------|
208
- | DATABASE | A path to the SQLite database or a DB URL (e.g. `postgres://postgres:pass@db.host:5432/somedb`) | `mihari.db` |
209
- | BINARYEDGE_API_KEY | BinaryEdge API key | |
210
- | CENSYS_ID | Censys API ID | |
211
- | CENSYS_SECRET | Censys secret | |
212
- | CIRCL_PASSIVE_PASSWORD | CIRCL passive DNS/SSL password | |
213
- | CIRCL_PASSIVE_USERNAME | CIRCL passive DNS/SSL username | |
214
- | MISP_API_ENDPOINT | MISP URL | |
215
- | MISP_API_KEY | MISP API key | |
216
- | ONYPHE_API_KEY | Onyphe API key | |
217
- | OTX_API_KEY | OTX API key | |
218
- | PASSIVETOTAL_API_KEY | PassiveTotal API key | |
219
- | PASSIVETOTAL_USERNAME | PassiveTotal username | |
220
- | PULSEDIVE_API_KEY | Pulsedive API key | |
221
- | SECURITYTRAILS_API_KEY | SecurityTrails API key | |
222
- | SHODAN_API_KEY | Shodan API key | |
223
- | SLACK_CHANNEL | Slack channel name | `#general` |
224
- | SLACK_WEBHOOK_URL | Slack Webhook URL | |
225
- | SPYSE_API_KEY | Spyse API key | |
226
- | THEHIVE_API_ENDPOINT | TheHive URL | |
227
- | THEHIVE_API_KEY | TheHive API key | |
228
- | URLSCAN_API_KEY | urlscan.io API key | |
229
- | VIRUSTOTAL_API_KEY | VirusTotal API key | |
230
- | ZOOMEYE_PASSWORD | ZoomEye password | |
231
- | ZOOMEYE_USERNAMME | ZoomEye username | |
232
-
233
- Instead of using environment variables, you can use a YAML file for configuration.
234
-
235
- ```bash
236
- mihari virustotal 1.1.1.1 --config /path/to/yaml.yml
237
- ```
238
-
239
- The YAML file should be a YAML hash like below:
240
-
241
- ```yaml
242
- database: /tmp/mihari.db
243
- thehive_api_endpoint: https://localhost
244
- thehive_api_key: foo
245
- virustotal_api_key: foo
246
- ```
247
-
248
- You can check the configuration status via `status` command.
249
-
250
- ```bash
251
- mihari status
252
- ```
253
-
254
- ## How to create a custom script
255
-
256
- Create a class which extends `Mihari::Analyzers::Base` and implements the following methods.
257
-
258
- | Name | Desc. | @return | Required or optional |
259
- |----------------|----------------------------------------------------------------------------|---------------|----------------------|
260
- | `#title` | A title of an alert | String | Required |
261
- | `#description` | A description of an alert | String | Required |
262
- | `#artifacts` | An array of artifacts (supported data types: ip, domain, url, email, hash) | Array<String> | Required |
263
- | `#tags` | An array of tags | Array<String> | Optional |
264
-
265
- ```ruby
266
- require "mihari"
267
-
268
- module Mihari
269
- module Analyzers
270
- class Example < Base
271
- def title
272
- "example"
273
- end
274
-
275
- def description
276
- "example"
277
- end
278
-
279
- def artifacts
280
- ["9.9.9.9", "example.com"]
281
- end
282
-
283
- def tags
284
- ["example"]
285
- end
286
- end
287
- end
288
- end
289
-
290
- example = Mihari::Analyzers::Example.new
291
- example.run
292
- ```
293
-
294
- See `/examples` for more.
49
+ See [Usage](https://github.com/ninoseki/mihari/wiki/Usage) for more information.
295
50
 
296
- ## Using it with Docker
51
+ ## Docs
297
52
 
298
- ```bash
299
- $ docker run --rm ninoseki/mihari
300
- # Note that you should pass configurations via environment variables
301
- $ docker run --rm ninoseki/mihari -e THEHIVE_API_ENDPOINT="http://THEHIVE_URL" -e THEHIVE_API_KEY="API KEY" mihari
302
- # or
303
- $ docker run --rm ninoseki/mihari --env-file ~/.mihari.env mihari
304
- ```
53
+ - [Requirements & Installation](https://github.com/ninoseki/mihari/wiki/Requirements-&-Installation)
54
+ - [Usage](https://github.com/ninoseki/mihari/wiki/Usage)
55
+ - [Built-in Web App](https://github.com/ninoseki/mihari/wiki/Built-in-Web-App)
56
+ - [Configuration](https://github.com/ninoseki/mihari/wiki/Configuration)
57
+ - [Custom Script](https://github.com/ninoseki/mihari/wiki/Custom-Script)
58
+ - [Docker](https://github.com/ninoseki/mihari/wiki/Docker)
59
+ - [GitHub Actions](https://github.com/ninoseki/mihari/wiki/GitHub-Actions)
305
60
 
306
61
  ## License
307
62
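Review bot: two details to carry over when the removed text lands in the wiki rather than silently disappearing with it. The removed Docker example passes `-e THEHIVE_API_ENDPOINT=... -e THEHIVE_API_KEY=...` after the image name `ninoseki/mihari`, where docker hands them to the container as arguments instead of environment flags; the working order is `docker run --rm -e ... ninoseki/mihari mihari`. The removed configuration table also spelled the ZoomEye key `ZOOMEYE_USERNAMME`; check that the wiki Configuration page and `config.rb` (changed in this release) use the spelling the code actually reads, since a misspelled environment variable fails silently as "not configured".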