mihari 1.5.0 → 2.2.1

data/lib/mihari/commands/securitytrails_domain_feed.rb

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+module Mihari
+  module Commands
+    module SecurityTrailsDomainFeed
+      def self.included(thor)
+        thor.class_eval do
+          desc "securitytrails_domain_feed [REGEXP]", "SecurityTrails new domain feed search by a regexp"
+          method_option :title, type: :string, desc: "title"
+          method_option :description, type: :string, desc: "description"
+          method_option :tags, type: :array, desc: "tags"
+          method_option :type, type: :string, default: "registered", desc: "A type of domain feed ('all', 'new' or 'registered')"
+          def securitytrails_domain_feed(regexp)
+            with_error_handling do
+              run_analyzer Analyzers::SecurityTrailsDomainFeed, query: regexp, options: options
+            end
+          end
+          map "st_domain_feed" => :securitytrails_domain_feedd
+        end
+      end
+    end
+  end
+end

data/lib/mihari/commands/shodan.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+module Mihari
+  module Commands
+    module Shodan
+      def self.included(thor)
+        thor.class_eval do
+          desc "shodan [QUERY]", "Shodan host search by a query"
+          method_option :title, type: :string, desc: "title"
+          method_option :description, type: :string, desc: "description"
+          method_option :tags, type: :array, desc: "tags"
+          def shodan(query)
+            with_error_handling do
+              run_analyzer Analyzers::Shodan, query: query, options: options
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/mihari/commands/spyse.rb

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+module Mihari
+  module Commands
+    module Spyse
+      def self.included(thor)
+        thor.class_eval do
+          desc "spyse [QUERY]", "Spyse search by a query"
+          method_option :title, type: :string, desc: "title"
+          method_option :description, type: :string, desc: "description"
+          method_option :tags, type: :array, desc: "tags"
+          method_option :type, type: :string, desc: "type to search (ip or domain)", default: "doamin"
+          def spyse(query)
+            with_error_handling do
+              run_analyzer Analyzers::Spyse, query: query, options: options
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/mihari/commands/ssh_fingerprint.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+module Mihari
+  module Commands
+    module SSHFingerprint
+      def self.included(thor)
+        thor.class_eval do
+          desc "ssh_fingerprint [FINGERPRINT]", "Cross search with search engines by an SSH fingerprint (e.g. dc:14:de:8e:d7:c1:15:43:23:82:25:81:d2:59:e8:c0)"
+          method_option :title, type: :string, desc: "title"
+          method_option :description, type: :string, desc: "description"
+          method_option :tags, type: :array, desc: "tags"
+          def ssh_fingerprint(fingerprint)
+            with_error_handling do
+              run_analyzer Analyzers::SSHFingerprint, query: fingerprint, options: options
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/mihari/commands/urlscan.rb

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+module Mihari
+  module Commands
+    module Urlscan
+      def self.included(thor)
+        thor.class_eval do
+          desc "urlscan [QUERY]", "urlscan search by a given query"
+          method_option :title, type: :string, desc: "title"
+          method_option :description, type: :string, desc: "description"
+          method_option :tags, type: :array, desc: "tags"
+          method_option :filter, type: :string, desc: "filter for urlscan pro search"
+          method_option :target_type, type: :string, default: "url", desc: "target type to fetch from lookup results (target type should be 'url', 'domain' or 'ip')"
+          method_option :use_pro, type: :boolean, default: false, desc: "use pro search API or not"
+          method_option :use_similarity, type: :boolean, default: false, desc: "use similarity API or not"
+          def urlscan(query)
+            with_error_handling do
+              run_analyzer Analyzers::Urlscan, query: query, options: options
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/mihari/commands/virustotal.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+module Mihari
+  module Commands
+    module VirusTotal
+      def self.included(thor)
+        thor.class_eval do
+          desc "virustotal [IP|DOMAIN]", "VirusTotal resolutions lookup by an ip or domain"
+          method_option :title, type: :string, desc: "title"
+          method_option :description, type: :string, desc: "description"
+          method_option :tags, type: :array, desc: "tags"
+          def virustotal(indiactor)
+            with_error_handling do
+              run_analyzer Analyzers::VirusTotal, query: refang(indiactor), options: options
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/mihari/commands/web.rb

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+module Mihari
+  module Commands
+    module Web
+      def self.included(thor)
+        thor.class_eval do
+          desc "web", "Launch the web app"
+          method_option :port, type: :numeric, default: 9292
+          method_option :host, type: :string, default: "localhost"
+          def web
+            port = options["port"].to_i || 9292
+            host = options["host"] || "localhost"
+
+            load_configuration
+            Mihari::App.run!(port: port, host: host)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/mihari/commands/zoomeye.rb

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+module Mihari
+  module Commands
+    module ZoomEye
+      def self.included(thor)
+        thor.class_eval do
+          desc "zoomeye [QUERY]", "ZoomEye search by a query"
+          method_option :title, type: :string, desc: "title"
+          method_option :description, type: :string, desc: "description"
+          method_option :tags, type: :array, desc: "tags"
+          method_option :type, type: :string, desc: "type to search(host / web)", default: "host"
+          def zoomeye(query)
+            with_error_handling do
+              run_analyzer Analyzers::ZoomEye, query: query, options: options
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/mihari/config.rb

@@ -55,6 +55,18 @@ module Mihari
           end
         end
       end
+
+      def initialize_yaml(filename)
+        keys = new.instance_variables.map do |key|
+          key.to_s[1..]
+        end
+
+        config = keys.map do |key|
+          [key, nil]
+        end.to_h
+
+        YAML.dump(config, File.open(filename, "w"))
+      end
     end
   end
 

data/lib/mihari/configurable.rb

@@ -6,13 +6,12 @@ module Mihari
       config_keys.all? { |key| Mihari.config.send(key) }
     end
 
-    def configuration_status
+    def configuration_values
       return nil if config_keys.empty?
 
-      names = config_keys.join(" and ")
-      be_verb = config_keys.length == 1 ? "is" : "are"
-      status = configured? ? "found" : "missing"
-      "#{names} #{be_verb} #{status}"
+      config_keys.map do |key|
+        { key: key.upcase, value: Mihari.config.send(key) }
+      end
     end
 
     def config_keys

data/lib/mihari/database.rb

@@ -34,6 +34,7 @@ end
 
 def adapter
   return "postgresql" if Mihari.config.database.start_with?("postgresql://", "postgres://")
+  return "mysql2" if Mihari.config.database.start_with?("mysql2://")
 
   "sqlite3"
 end
@@ -43,7 +44,7 @@ module Mihari
     class << self
       def connect
         case adapter
-        when "postgresql"
+        when "postgresql", "mysql2"
           ActiveRecord::Base.establish_connection(Mihari.config.database)
         else
           ActiveRecord::Base.establish_connection(
@@ -54,10 +55,15 @@ module Mihari
 
         ActiveRecord::Migration.verbose = false
         InitialSchema.migrate(:up)
-      rescue
+      rescue StandardError
         # Do nothing
       end
 
+      def close
+        ActiveRecord::Base.clear_active_connections!
+        ActiveRecord::Base.connection.close
+      end
+
       def destroy!
         InitialSchema.migrate(:down) if ActiveRecord::Base.connected?
       end

data/lib/mihari/emitters/slack.rb

@@ -132,7 +132,7 @@ module Mihari
         [
           "*#{title}*",
           "*Desc.*: #{description}",
-          "*Tags*: #{tags.join(', ')}"
+          "*Tags*: #{tags.join(", ")}"
         ].join("\n")
       end
 

data/lib/mihari/emitters/the_hive.rb

@@ -17,7 +17,7 @@ module Mihari
         api.alert.create(
           title: title,
           description: description,
-          artifacts: artifacts.map { |artifact| {data: artifact.data, data_type: artifact.data_type, message: description} },
+          artifacts: artifacts.map { |artifact| { data: artifact.data, data_type: artifact.data_type, message: description } },
           tags: tags,
           type: "external",
           source: "mihari"

data/lib/mihari/models/alert.rb

@@ -1,11 +1,62 @@
 # frozen_string_literal: true
 
 require "active_record"
+require "active_record/filter"
 
 module Mihari
   class Alert < ActiveRecord::Base
     has_many :taggings, dependent: :destroy
     has_many :artifacts, dependent: :destroy
     has_many :tags, through: :taggings
+
+    class << self
+      def search(artifact_data: nil, description: nil, source: nil, tag_name: nil, title: nil, from_at: nil, to_at: nil, limit: 10, page: 1)
+        limit = limit.to_i
+        raise ArgumentError, "limit should be bigger than zero" unless limit.positive?
+
+        page = page.to_i
+        raise ArgumentError, "page should be bigger than zero" unless page.positive?
+
+        offset = (page - 1) * limit
+
+        relation = build_relation(artifact_data: artifact_data, title: title, description: description, source: source, tag_name: tag_name, from_at: from_at, to_at: to_at)
+        # relation = relation.group("alerts.id")
+
+        alerts = relation.limit(limit).offset(offset).order(id: :desc)
+
+        alerts.map do |alert|
+          json = AlertSerializer.new(alert).as_json
+          json[:artifacts] = json[:artifacts] || []
+          json[:tags] = json[:tags] || []
+          json
+        end
+      end
+
+      def count(artifact_data: nil, description: nil, source: nil, tag_name: nil, title: nil, from_at: nil, to_at: nil)
+        relation = build_relation(artifact_data: artifact_data, title: title, description: description, source: source, tag_name: tag_name, from_at: from_at, to_at: to_at)
+        relation.distinct("alerts.id").count
+      end
+
+      private
+
+      def build_relation(artifact_data: nil, title: nil, description: nil, source: nil, tag_name: nil, from_at: nil, to_at: nil)
+        relation = self
+        relation = joins(:tags) if tag_name
+        relation = joins(:artifacts) if artifact_data
+
+        relation = relation.where(artifacts: { data: artifact_data }) if artifact_data
+        relation = relation.where(tags: { name: tag_name }) if tag_name
+
+        relation = relation.where(source: source) if source
+        relation = relation.where(title: title) if title
+
+        relation = relation.filter(description: { like: "%#{description}%" }) if description
+
+        relation = relation.filter(created_at: { gte: from_at }) if from_at
+        relation = relation.filter(created_at: { lte: to_at }) if to_at
+
+        relation
+      end
+    end
   end
 end

data/lib/mihari/models/artifact.rb

@@ -1,6 +1,9 @@
 # frozen_string_literal: true
 
 require "active_record"
+require "active_record/filter"
+require "active_support/core_ext/integer/time"
+require "active_support/core_ext/numeric/time"
 
 class ArtifactValidator < ActiveModel::Validator
   def validate(record)
@@ -20,8 +23,16 @@ module Mihari
       self.data_type = TypeChecker.type(data)
     end
 
-    def unique?
-      self.class.find_by(data: data).nil?
+    def unique?(ignore_old_artifacts: false, ignore_threshold: 0)
+      artifact = self.class.where(data: data).order(created_at: :desc).first
+      return true if artifact.nil?
+
+      return false unless ignore_old_artifacts
+
+      days_before = (-ignore_threshold).days.from_now
+      # if an artifact is created before {ignore_threshold} days, ignore it
+      #                           within {ignore_threshold} days, do not ignore it
+      artifact.created_at < days_before
     end
   end
 end

data/lib/mihari/notifiers/exception_notifier.rb

@@ -51,20 +51,20 @@ module Mihari
 
       def to_fields(clean_message, backtrace)
         fields = [
-          {title: "Exception", value: clean_message},
-          {title: "Hostname", value: hostname}
+          { title: "Exception", value: clean_message },
+          { title: "Hostname", value: hostname }
         ]
 
         if backtrace
           formatted_backtrace = format_backtrace(backtrace)
-          fields << {title: "Backtrace", value: formatted_backtrace}
+          fields << { title: "Backtrace", value: formatted_backtrace }
         end
         fields
       end
 
       def hostname
         Socket.gethostname
-      rescue => _e
+      rescue StandardError => _e
         "N/A"
       end
 

data/lib/mihari/serializers/alert.rb

@@ -4,7 +4,7 @@ require "active_model_serializers"
 
 module Mihari
   class AlertSerializer < ActiveModel::Serializer
-    attributes :title, :description, :source, :created_at
+    attributes :id, :title, :description, :source, :created_at
 
     has_many :artifacts
     has_many :tags, through: :taggings

data/lib/mihari/serializers/artifact.rb

@@ -4,6 +4,6 @@ require "active_model_serializers"
 
 module Mihari
   class ArtifactSerializer < ActiveModel::Serializer
-    attributes :data, :data_type
+    attributes :id, :data, :data_type
   end
 end

data/lib/mihari/serializers/tag.rb

@@ -4,6 +4,6 @@ require "active_model_serializers"
 
 module Mihari
   class TagSerializer < ActiveModel::Serializer
-    attributes :name
+    attributes :id, :name
   end
 end

data/lib/mihari/status.rb

@@ -3,9 +3,7 @@
 module Mihari
   class Status
     def check
-      statuses.map do |key, value|
-        [key, convert(**value)]
-      end.to_h
+      statuses
     end
 
     def self.check
@@ -14,16 +12,9 @@ module Mihari
 
     private
 
-    def convert(status:, message:)
-      {
-        status: status ? "OK" : "Bad",
-        message: message
-      }
-    end
-
     def statuses
       (Mihari.analyzers + Mihari.emitters).map do |klass|
-        name = klass.to_s.downcase.split("::").last.to_s
+        name = klass.to_s.split("::").last.to_s
 
         [name, build_status(klass)]
       end.to_h.compact
@@ -33,10 +24,11 @@ module Mihari
       is_analyzer = klass.ancestors.include?(Mihari::Analyzers::Base)
 
       instance = is_analyzer ? klass.new("dummy") : klass.new
-      status = instance.configured?
-      message = instance.configuration_status
+      is_configured = instance.configured?
+      values = instance.configuration_values
+      type = is_analyzer ? "Analyzer" : "Emitter"
 
-      message ? {status: status, message: message} : nil
+      values ? { is_configured: is_configured, values: values, type: type } : nil
     rescue ArgumentError => _e
       nil
     end