mihari 1.5.1 → 2.3.0

Sign up to get free protection for your applications and to get access to all the features.
Files changed (93) hide show
  1. checksums.yaml +4 -4
  2. data/.github/ISSUE_TEMPLATE/bug_report.md +43 -0
  3. data/.github/ISSUE_TEMPLATE/feature_request.md +15 -0
  4. data/.github/workflows/test.yml +41 -17
  5. data/.rubocop.yml +6 -0
  6. data/.standard.yml +4 -0
  7. data/README.md +23 -274
  8. data/bin/console +1 -0
  9. data/build_frontend.sh +14 -0
  10. data/docker/Dockerfile +3 -2
  11. data/examples/ipinfo_hosted_domains.rb +1 -1
  12. data/images/{eyecatch.png → overview.png} +0 -0
  13. data/images/tines.png +0 -0
  14. data/images/web_alerts.png +0 -0
  15. data/images/web_config.png +0 -0
  16. data/lib/mihari.rb +2 -2
  17. data/lib/mihari/analyzers/base.rb +11 -2
  18. data/lib/mihari/analyzers/circl.rb +3 -3
  19. data/lib/mihari/analyzers/onyphe.rb +2 -2
  20. data/lib/mihari/analyzers/securitytrails.rb +2 -2
  21. data/lib/mihari/analyzers/urlscan.rb +1 -6
  22. data/lib/mihari/cli.rb +73 -301
  23. data/lib/mihari/commands/binaryedge.rb +21 -0
  24. data/lib/mihari/commands/censys.rb +22 -0
  25. data/lib/mihari/commands/circl.rb +21 -0
  26. data/lib/mihari/commands/config.rb +27 -0
  27. data/lib/mihari/commands/crtsh.rb +22 -0
  28. data/lib/mihari/commands/dnpedia.rb +21 -0
  29. data/lib/mihari/commands/dnstwister.rb +21 -0
  30. data/lib/mihari/commands/free_text.rb +21 -0
  31. data/lib/mihari/commands/http_hash.rb +25 -0
  32. data/lib/mihari/commands/json.rb +42 -0
  33. data/lib/mihari/commands/onyphe.rb +21 -0
  34. data/lib/mihari/commands/otx.rb +21 -0
  35. data/lib/mihari/commands/passive_dns.rb +21 -0
  36. data/lib/mihari/commands/passive_ssl.rb +21 -0
  37. data/lib/mihari/commands/passivetotal.rb +21 -0
  38. data/lib/mihari/commands/pulsedive.rb +21 -0
  39. data/lib/mihari/commands/reverse_whois.rb +21 -0
  40. data/lib/mihari/commands/securitytrails.rb +22 -0
  41. data/lib/mihari/commands/securitytrails_domain_feed.rb +23 -0
  42. data/lib/mihari/commands/shodan.rb +21 -0
  43. data/lib/mihari/commands/spyse.rb +22 -0
  44. data/lib/mihari/commands/ssh_fingerprint.rb +21 -0
  45. data/lib/mihari/commands/urlscan.rb +23 -0
  46. data/lib/mihari/commands/virustotal.rb +21 -0
  47. data/lib/mihari/commands/web.rb +22 -0
  48. data/lib/mihari/commands/zoomeye.rb +22 -0
  49. data/lib/mihari/config.rb +12 -0
  50. data/lib/mihari/configurable.rb +4 -5
  51. data/lib/mihari/database.rb +8 -2
  52. data/lib/mihari/emitters/slack.rb +1 -1
  53. data/lib/mihari/emitters/the_hive.rb +1 -1
  54. data/lib/mihari/models/alert.rb +51 -0
  55. data/lib/mihari/models/artifact.rb +13 -2
  56. data/lib/mihari/notifiers/exception_notifier.rb +4 -4
  57. data/lib/mihari/serializers/alert.rb +1 -1
  58. data/lib/mihari/serializers/artifact.rb +1 -1
  59. data/lib/mihari/serializers/tag.rb +1 -1
  60. data/lib/mihari/status.rb +6 -14
  61. data/lib/mihari/version.rb +1 -1
  62. data/lib/mihari/web/app.rb +51 -0
  63. data/lib/mihari/web/controllers/alerts_controller.rb +75 -0
  64. data/lib/mihari/web/controllers/artifacts_controller.rb +24 -0
  65. data/lib/mihari/web/controllers/base_controller.rb +22 -0
  66. data/lib/mihari/web/controllers/command_controller.rb +26 -0
  67. data/lib/mihari/web/controllers/config_controller.rb +13 -0
  68. data/lib/mihari/web/controllers/sources_controller.rb +12 -0
  69. data/lib/mihari/web/controllers/tags_controller.rb +28 -0
  70. data/lib/mihari/web/helpers/json.rb +53 -0
  71. data/lib/mihari/web/public/index.html +21 -0
  72. data/lib/mihari/web/public/redoc-static.html +519 -0
  73. data/lib/mihari/web/public/static/favicon.ico +0 -0
  74. data/lib/mihari/web/public/static/fonts/fa-brands-400.099a9556.woff +0 -0
  75. data/lib/mihari/web/public/static/fonts/fa-brands-400.30cc681d.eot +0 -0
  76. data/lib/mihari/web/public/static/fonts/fa-brands-400.3b89dd10.ttf +0 -0
  77. data/lib/mihari/web/public/static/fonts/fa-brands-400.f7307680.woff2 +0 -0
  78. data/lib/mihari/web/public/static/fonts/fa-regular-400.1f77739c.ttf +0 -0
  79. data/lib/mihari/web/public/static/fonts/fa-regular-400.7124eb50.woff +0 -0
  80. data/lib/mihari/web/public/static/fonts/fa-regular-400.7630483d.eot +0 -0
  81. data/lib/mihari/web/public/static/fonts/fa-regular-400.f0f82301.woff2 +0 -0
  82. data/lib/mihari/web/public/static/fonts/fa-solid-900.1042e8ca.eot +0 -0
  83. data/lib/mihari/web/public/static/fonts/fa-solid-900.605ed792.ttf +0 -0
  84. data/lib/mihari/web/public/static/fonts/fa-solid-900.9fe5a17c.woff +0 -0
  85. data/lib/mihari/web/public/static/fonts/fa-solid-900.e8a427e1.woff2 +0 -0
  86. data/lib/mihari/web/public/static/img/fa-brands-400.ba7ed552.svg +3717 -0
  87. data/lib/mihari/web/public/static/img/fa-regular-400.0bb42845.svg +801 -0
  88. data/lib/mihari/web/public/static/img/fa-solid-900.376c1f97.svg +5034 -0
  89. data/lib/mihari/web/public/static/js/app.cccddb2b.js +12 -0
  90. data/lib/mihari/web/public/static/js/app.cccddb2b.js.map +1 -0
  91. data/mihari.gemspec +16 -4
  92. metadata +261 -18
  93. data/lib/mihari/alert_viewer.rb +0 -23
data/bin/console CHANGED
@@ -1,4 +1,5 @@
1
1
  #!/usr/bin/env ruby
2
+ # frozen_string_literal: true
2
3
 
3
4
  require "bundler/setup"
4
5
  require "mihari"
data/build_frontend.sh ADDED
@@ -0,0 +1,14 @@
1
+ #!/bin/sh
2
+
3
+ CURRENT_DIR=${PWD}
4
+
5
+ mkdir -p tmp
6
+ cd tmp
7
+ git clone https://github.com/ninoseki/mihari-frontend.git
8
+ cd mihari-frontend
9
+ npm install
10
+ npm run build
11
+
12
+ cp -r dist/* ${CURRENT_DIR}/lib/mihari/web/public
13
+
14
+ rm -rf ${CURRENT_DIR}/tmp/mihari-frontend
data/docker/Dockerfile CHANGED
@@ -1,6 +1,7 @@
1
- FROM ruby:3.0.0-alpine3.13
1
+ FROM ruby:3.0.1-alpine3.13
2
2
 
3
- RUN apk --no-cache add git build-base ruby-dev sqlite-dev postgresql-dev \
3
+ RUN apk --no-cache add git build-base ruby-dev sqlite-dev postgresql-dev mysql-client mysql-dev \
4
+ && gem install pg mysql2 \
4
5
  && cd /tmp/ \
5
6
  && git clone https://github.com/ninoseki/mihari.git \
6
7
  && cd mihari \
@@ -34,7 +34,7 @@ module Mihari
34
34
  uri = URI("#{IPINFO_API_ENDPOINT}/domains/#{ip}?token=#{token}")
35
35
  res = uri.read
36
36
  json = JSON.parse(res)
37
- json.dig("domains") || []
37
+ json["domains"] || []
38
38
  end
39
39
  end
40
40
  end
File without changes
data/images/tines.png ADDED
Binary file
Binary file
Binary file
data/lib/mihari.rb CHANGED
@@ -79,8 +79,8 @@ require "mihari/emitters/slack"
79
79
  require "mihari/emitters/stdout"
80
80
  require "mihari/emitters/the_hive"
81
81
 
82
- require "mihari/alert_viewer"
83
-
84
82
  require "mihari/status"
85
83
 
84
+ require "mihari/web/app"
85
+
86
86
  require "mihari/cli"
@@ -8,6 +8,13 @@ module Mihari
8
8
  include Configurable
9
9
  include Retriable
10
10
 
11
+ attr_accessor :ignore_old_artifacts, :ignore_threshold
12
+
13
+ def initialize
14
+ @ignore_old_artifacts = false
15
+ @ignore_threshold = 0
16
+ end
17
+
11
18
  # @return [Array<String>, Array<Mihari::Artifact>]
12
19
  def artifacts
13
20
  raise NotImplementedError, "You must implement #{self.class}##{__method__}"
@@ -42,7 +49,7 @@ module Mihari
42
49
 
43
50
  def run_emitter(emitter)
44
51
  emitter.run(title: title, description: description, artifacts: unique_artifacts, source: source, tags: tags)
45
- rescue => e
52
+ rescue StandardError => e
46
53
  puts "Emission by #{emitter.class} is failed: #{e}"
47
54
  end
48
55
 
@@ -61,7 +68,9 @@ module Mihari
61
68
 
62
69
  # @return [Array<Mihari::Artifact>]
63
70
  def unique_artifacts
64
- @unique_artifacts ||= normalized_artifacts.select(&:unique?)
71
+ @unique_artifacts ||= normalized_artifacts.select do |artifact|
72
+ artifact.unique?(ignore_old_artifacts: ignore_old_artifacts, ignore_threshold: ignore_threshold)
73
+ end
65
74
  end
66
75
 
67
76
  def set_unique_artifacts
@@ -46,14 +46,14 @@ module Mihari
46
46
  def passive_dns_lookup
47
47
  results = api.dns.query(@query)
48
48
  results.map do |result|
49
- type = result.dig("rrtype")
50
- type == "A" ? result.dig("rdata") : nil
49
+ type = result["rrtype"]
50
+ type == "A" ? result["rdata"] : nil
51
51
  end.compact.uniq
52
52
  end
53
53
 
54
54
  def passive_ssl_lookup
55
55
  result = api.ssl.cquery(@query)
56
- seen = result.dig("seen") || []
56
+ seen = result["seen"] || []
57
57
  seen.uniq
58
58
  end
59
59
  end
@@ -21,10 +21,10 @@ module Mihari
21
21
  return [] unless results
22
22
 
23
23
  flat_results = results.map do |result|
24
- result.dig("results")
24
+ result["results"]
25
25
  end.flatten.compact
26
26
 
27
- flat_results.map { |result| result.dig("ip") }.compact.uniq
27
+ flat_results.map { |result| result["ip"] }.compact.uniq
28
28
  end
29
29
 
30
30
  private
@@ -58,13 +58,13 @@ module Mihari
58
58
  end
59
59
 
60
60
  def ip_lookup
61
- result = api.domains.search(filter: {ipv4: query})
61
+ result = api.domains.search(filter: { ipv4: query })
62
62
  records = result["records"] || []
63
63
  records.map { |record| record["hostname"] }.compact.uniq
64
64
  end
65
65
 
66
66
  def mail_lookup
67
- result = api.domains.search(filter: {whois_email: query})
67
+ result = api.domains.search(filter: { whois_email: query })
68
68
  records = result["records"] || []
69
69
  records.map { |record| record["hostname"] }.compact.uniq
70
70
  end
@@ -5,16 +5,14 @@ require "urlscan"
5
5
  module Mihari
6
6
  module Analyzers
7
7
  class Urlscan < Base
8
- attr_reader :title, :description, :query, :tags, :filter, :target_type, :use_pro, :use_similarity
8
+ attr_reader :title, :description, :query, :tags, :target_type, :use_similarity
9
9
 
10
10
  def initialize(
11
11
  query,
12
12
  description: nil,
13
- filter: nil,
14
13
  tags: [],
15
14
  target_type: "url",
16
15
  title: nil,
17
- use_pro: false,
18
16
  use_similarity: false
19
17
  )
20
18
  super()
@@ -24,9 +22,7 @@ module Mihari
24
22
  @description = description || "query = #{query}"
25
23
  @tags = tags
26
24
 
27
- @filter = filter
28
25
  @target_type = target_type
29
- @use_pro = use_pro
30
26
  @use_similarity = use_similarity
31
27
 
32
28
  raise InvalidInputError, "type should be url, domain or ip." unless valid_target_type?
@@ -54,7 +50,6 @@ module Mihari
54
50
 
55
51
  def search
56
52
  return api.pro.similar(query) if use_similarity
57
- return api.pro.search(query: query, filter: filter, size: 10_000) if use_pro
58
53
 
59
54
  api.search(query, size: 10_000)
60
55
  end
data/lib/mihari/cli.rb CHANGED
@@ -1,318 +1,84 @@
1
1
  # frozen_string_literal: true
2
2
 
3
3
  require "thor"
4
- require "json"
4
+
5
+ require "mihari/commands/binaryedge"
6
+ require "mihari/commands/censys"
7
+ require "mihari/commands/circl"
8
+ require "mihari/commands/crtsh"
9
+ require "mihari/commands/dnpedia"
10
+ require "mihari/commands/dnstwister"
11
+ require "mihari/commands/onyphe"
12
+ require "mihari/commands/otx"
13
+ require "mihari/commands/passivetotal"
14
+ require "mihari/commands/pulsedive"
15
+ require "mihari/commands/securitytrails_domain_feed"
16
+ require "mihari/commands/securitytrails"
17
+ require "mihari/commands/shodan"
18
+ require "mihari/commands/spyse"
19
+ require "mihari/commands/urlscan"
20
+ require "mihari/commands/virustotal"
21
+ require "mihari/commands/zoomeye"
22
+
23
+ require "mihari/commands/free_text"
24
+ require "mihari/commands/http_hash"
25
+ require "mihari/commands/passive_dns"
26
+ require "mihari/commands/passive_ssl"
27
+ require "mihari/commands/reverse_whois"
28
+ require "mihari/commands/ssh_fingerprint"
29
+
30
+ require "mihari/commands/config"
31
+ require "mihari/commands/json"
32
+ require "mihari/commands/web"
5
33
 
6
34
  module Mihari
7
35
  class CLI < Thor
8
- class_option :config, type: :string, desc: "path to config file"
9
-
10
- def self.exit_on_failure?
11
- true
12
- end
13
-
14
- desc "censys [QUERY]", "Censys IPv4 search by a query"
15
- method_option :title, type: :string, desc: "title"
16
- method_option :description, type: :string, desc: "description"
17
- method_option :tags, type: :array, desc: "tags"
18
- method_option :type, type: :string, desc: "type to search (ipv4 / websites / certificates)", default: "ipv4"
19
- def censys(query)
20
- with_error_handling do
21
- run_analyzer Analyzers::Censys, query: query, options: options
22
- end
23
- end
24
-
25
- desc "shodan [QUERY]", "Shodan host search by a query"
26
- method_option :title, type: :string, desc: "title"
27
- method_option :description, type: :string, desc: "description"
28
- method_option :tags, type: :array, desc: "tags"
29
- def shodan(query)
30
- with_error_handling do
31
- run_analyzer Analyzers::Shodan, query: query, options: options
32
- end
33
- end
34
-
35
- desc "onyphe [QUERY]", "Onyphe datascan search by a query"
36
- method_option :title, type: :string, desc: "title"
37
- method_option :description, type: :string, desc: "description"
38
- method_option :tags, type: :array, desc: "tags"
39
- def onyphe(query)
40
- with_error_handling do
41
- run_analyzer Analyzers::Onyphe, query: query, options: options
42
- end
43
- end
44
-
45
- desc "urlscan [QUERY]", "urlscan search by a given query"
46
- method_option :title, type: :string, desc: "title"
47
- method_option :description, type: :string, desc: "description"
48
- method_option :tags, type: :array, desc: "tags"
49
- method_option :filter, type: :string, desc: "filter for urlscan pro search"
50
- method_option :target_type, type: :string, default: "url", desc: "target type to fetch from lookup results (target type should be 'url', 'domain' or 'ip')"
51
- method_option :use_pro, type: :boolean, default: false, desc: "use pro search API or not"
52
- method_option :use_similarity, type: :boolean, default: false, desc: "use similarity API or not"
53
- def urlscan(query)
54
- with_error_handling do
55
- run_analyzer Analyzers::Urlscan, query: query, options: options
56
- end
57
- end
58
-
59
- desc "virustotal [IP|DOMAIN]", "VirusTotal resolutions lookup by an ip or domain"
60
- method_option :title, type: :string, desc: "title"
61
- method_option :description, type: :string, desc: "description"
62
- method_option :tags, type: :array, desc: "tags"
63
- def virustotal(indiactor)
64
- with_error_handling do
65
- run_analyzer Analyzers::VirusTotal, query: refang(indiactor), options: options
66
- end
67
- end
68
-
69
- desc "securitytrails [IP|DOMAIN|EMAIL]", "SecurityTrails lookup by an ip, domain or email"
70
- method_option :title, type: :string, desc: "title"
71
- method_option :description, type: :string, desc: "description"
72
- method_option :tags, type: :array, desc: "tags"
73
- def securitytrails(indiactor)
74
- with_error_handling do
75
- run_analyzer Analyzers::SecurityTrails, query: refang(indiactor), options: options
76
- end
77
- end
78
- map "st" => :securitytrails
79
-
80
- desc "securitytrails_domain_feed [REGEXP]", "SecurityTrails new domain feed search by a regexp"
81
- method_option :title, type: :string, desc: "title"
82
- method_option :description, type: :string, desc: "description"
83
- method_option :tags, type: :array, desc: "tags"
84
- method_option :type, type: :string, default: "registered", desc: "A type of domain feed ('all', 'new' or 'registered')"
85
- def securitytrails_domain_feed(regexp)
86
- with_error_handling do
87
- run_analyzer Analyzers::SecurityTrailsDomainFeed, query: regexp, options: options
88
- end
89
- end
90
- map "st_domain_feed" => :securitytrails_domain_feed
91
-
92
- desc "crtsh [QUERY]", "crt.sh search by a query"
93
- method_option :title, type: :string, desc: "title"
94
- method_option :description, type: :string, desc: "description"
95
- method_option :tags, type: :array, desc: "tags"
96
- method_option :exclude_expired, type: :boolean, desc: "exclude expired certificates"
97
- def crtsh(query)
98
- with_error_handling do
99
- run_analyzer Analyzers::Crtsh, query: query, options: options
100
- end
101
- end
102
-
103
- desc "dnpedia [QUERY]", "DNPedia domain search by a query"
104
- method_option :title, type: :string, desc: "title"
105
- method_option :description, type: :string, desc: "description"
106
- method_option :tags, type: :array, desc: "tags"
107
- def dnpedia(query)
108
- with_error_handling do
109
- run_analyzer Analyzers::DNPedia, query: query, options: options
110
- end
111
- end
112
-
113
- desc "circl [DOMAIN|SHA1]", "CIRCL passive DNS/SSL lookup by a domain or SHA1 certificate fingerprint"
114
- method_option :title, type: :string, desc: "title"
115
- method_option :description, type: :string, desc: "description"
116
- method_option :tags, type: :array, desc: "tags"
117
- def circl(query)
118
- with_error_handling do
119
- run_analyzer Analyzers::CIRCL, query: refang(query), options: options
120
- end
121
- end
122
-
123
- desc "passivetotal [IP|DOMAIN|EMAIL|SHA1]", "PassiveTotal lookup by an ip, domain, email or SHA1 certificate fingerprint"
124
- method_option :title, type: :string, desc: "title"
125
- method_option :description, type: :string, desc: "description"
126
- method_option :tags, type: :array, desc: "tags"
127
- def passivetotal(indicator)
128
- with_error_handling do
129
- run_analyzer Analyzers::PassiveTotal, query: refang(indicator), options: options
130
- end
131
- end
132
-
133
- desc "zoomeye [QUERY]", "ZoomEye search by a query"
134
- method_option :title, type: :string, desc: "title"
135
- method_option :description, type: :string, desc: "description"
136
- method_option :tags, type: :array, desc: "tags"
137
- method_option :type, type: :string, desc: "type to search(host / web)", default: "host"
138
- def zoomeye(query)
139
- with_error_handling do
140
- run_analyzer Analyzers::ZoomEye, query: query, options: options
141
- end
142
- end
143
-
144
- desc "binaryedge [QUERY]", "BinaryEdge host search by a query"
145
- method_option :title, type: :string, desc: "title"
146
- method_option :description, type: :string, desc: "description"
147
- method_option :tags, type: :array, desc: "tags"
148
- def binaryedge(query)
149
- with_error_handling do
150
- run_analyzer Analyzers::BinaryEdge, query: query, options: options
151
- end
152
- end
153
-
154
- desc "pulsedive [IP|DOMAIN]", "Pulsedive lookup by an ip or domain"
155
- method_option :title, type: :string, desc: "title"
156
- method_option :description, type: :string, desc: "description"
157
- method_option :tags, type: :array, desc: "tags"
158
- def pulsedive(indiactor)
159
- with_error_handling do
160
- run_analyzer Analyzers::Pulsedive, query: refang(indiactor), options: options
161
- end
162
- end
163
-
164
- desc "dnstwister [DOMAIN]", "dnstwister lookup by a domain"
165
- method_option :title, type: :string, desc: "title"
166
- method_option :description, type: :string, desc: "description"
167
- method_option :tags, type: :array, desc: "tags"
168
- def dnstwister(domain)
169
- with_error_handling do
170
- run_analyzer Analyzers::DNSTwister, query: refang(domain), options: options
171
- end
172
- end
173
-
174
- desc "otx [IP|DOMAIN]", "OTX lookup by an IP or domain"
175
- method_option :title, type: :string, desc: "title"
176
- method_option :description, type: :string, desc: "description"
177
- method_option :tags, type: :array, desc: "tags"
178
- def otx(domain)
179
- with_error_handling do
180
- run_analyzer Analyzers::OTX, query: refang(domain), options: options
181
- end
182
- end
183
-
184
- desc "spyse [QUERY]", "Spyse search by a query"
185
- method_option :title, type: :string, desc: "title"
186
- method_option :description, type: :string, desc: "description"
187
- method_option :tags, type: :array, desc: "tags"
188
- method_option :type, type: :string, desc: "type to search (ip or domain)", default: "doamin"
189
- def spyse(query)
190
- with_error_handling do
191
- run_analyzer Analyzers::Spyse, query: query, options: options
192
- end
193
- end
194
-
195
- desc "passive_dns [IP|DOMAIN]", "Cross search with passive DNS services by an ip or domain"
196
- method_option :title, type: :string, desc: "title"
197
- method_option :description, type: :string, desc: "description"
198
- method_option :tags, type: :array, desc: "tags"
199
- def passive_dns(query)
200
- with_error_handling do
201
- run_analyzer Analyzers::PassiveDNS, query: refang(query), options: options
202
- end
203
- end
204
-
205
- desc "passive_ssl [SHA1]", "Cross search with passive SSL services by an SHA1 certificate fingerprint"
206
- method_option :title, type: :string, desc: "title"
207
- method_option :description, type: :string, desc: "description"
208
- method_option :tags, type: :array, desc: "tags"
209
- def passive_ssl(query)
210
- with_error_handling do
211
- run_analyzer Analyzers::PassiveSSL, query: query, options: options
212
- end
213
- end
214
-
215
- desc "reverse_whois [EMAIL]", "Cross search with reverse whois services by an email"
216
- method_option :title, type: :string, desc: "title"
217
- method_option :description, type: :string, desc: "description"
218
- method_option :tags, type: :array, desc: "tags"
219
- def reverse_whois(query)
220
- with_error_handling do
221
- run_analyzer Analyzers::ReveseWhois, query: refang(query), options: options
222
- end
223
- end
224
-
225
- desc "http_hash", "Cross search with search engines by a hash of an HTTP response (SHA256, MD5 and MurmurHash3)"
226
- method_option :title, type: :string, desc: "title"
227
- method_option :description, type: :string, desc: "description"
228
- method_option :tags, type: :array, desc: "tags"
229
- method_option :md5, type: :string, desc: "MD5 hash"
230
- method_option :sha256, type: :string, desc: "SHA256 hash"
231
- method_option :mmh3, type: :numeric, desc: "MurmurHash3 hash"
232
- method_option :html, type: :string, desc: "path to an HTML file"
233
- def http_hash
234
- with_error_handling do
235
- run_analyzer Analyzers::HTTPHash, query: nil, options: options
236
- end
237
- end
238
-
239
- desc "free_text [TEXT]", "Cross search with search engines by a free text"
240
- method_option :title, type: :string, desc: "title"
241
- method_option :description, type: :string, desc: "description"
242
- method_option :tags, type: :array, desc: "tags"
243
- def free_text(text)
244
- with_error_handling do
245
- run_analyzer Analyzers::FreeText, query: text, options: options
246
- end
247
- end
248
-
249
- desc "ssh_fingerprint [FINGERPRINT]", "Cross search with search engines by an SSH fingerprint (e.g. dc:14:de:8e:d7:c1:15:43:23:82:25:81:d2:59:e8:c0)"
250
- method_option :title, type: :string, desc: "title"
251
- method_option :description, type: :string, desc: "description"
252
- method_option :tags, type: :array, desc: "tags"
253
- def ssh_fingerprint(fingerprint)
254
- with_error_handling do
255
- run_analyzer Analyzers::SSHFingerprint, query: fingerprint, options: options
256
- end
257
- end
258
-
259
- desc "import_from_json", "Give a JSON input via STDIN"
260
- def import_from_json(input = nil)
261
- with_error_handling do
262
- json = input || $stdin.gets.chomp
263
- raise ArgumentError, "Input not found: please give an input in a JSON format" unless json
264
-
265
- json = parse_as_json(json)
266
- raise ArgumentError, "Invalid input format: an input JSON data should have title, description and artifacts key" unless valid_json?(json)
267
-
268
- title = json["title"]
269
- description = json["description"]
270
- artifacts = json["artifacts"]
271
- tags = json["tags"] || []
272
-
273
- basic = Analyzers::Basic.new(title: title, description: description, artifacts: artifacts, source: "json", tags: tags)
274
- basic.run
275
- end
276
- end
277
-
278
- desc "alerts", "Show the alerts on TheHive"
279
- method_option :limit, type: :string, default: "5", desc: "Number of alerts to show (or 'all' to show all the alerts)"
280
- method_option :title, type: :string, desc: "Title to filter"
281
- method_option :source, type: :string, desc: "Source to filter"
282
- method_option :tag, type: :string, desc: "Tag to filter"
283
- def alerts
284
- with_error_handling do
285
- load_configuration
286
-
287
- viewer = AlertViewer.new
288
- alerts = viewer.list(limit: options["limit"], title: options["title"], source: options["source"], tag: options[:tag])
289
- puts JSON.pretty_generate(alerts)
290
- end
291
- end
292
-
293
- desc "status", "Show the current configuration status"
294
- def status
295
- with_error_handling do
296
- load_configuration
297
-
298
- puts JSON.pretty_generate(Status.check)
36
+ class_option :config, type: :string, desc: "Path to the config file"
37
+
38
+ class_option :ignore_old_artifacts, type: :boolean, default: false, desc: "Whether to ignore old artifacts from checking or not. Only affects with analyze commands."
39
+ class_option :ignore_threshold, type: :numeric, default: 0, desc: "Number of days to define whether an artifact is old or not. Only affects with analyze commands."
40
+
41
+ include Mihari::Commands::BinaryEdge
42
+ include Mihari::Commands::Censys
43
+ include Mihari::Commands::CIRCL
44
+ include Mihari::Commands::Config
45
+ include Mihari::Commands::Crtsh
46
+ include Mihari::Commands::DNPedia
47
+ include Mihari::Commands::DNSTwister
48
+ include Mihari::Commands::FreeText
49
+ include Mihari::Commands::HTTPHash
50
+ include Mihari::Commands::JSON
51
+ include Mihari::Commands::Onyphe
52
+ include Mihari::Commands::OTX
53
+ include Mihari::Commands::PassiveDNS
54
+ include Mihari::Commands::PassiveSSL
55
+ include Mihari::Commands::PassiveTotal
56
+ include Mihari::Commands::Pulsedive
57
+ include Mihari::Commands::ReverseWhois
58
+ include Mihari::Commands::SecurityTrails
59
+ include Mihari::Commands::SecurityTrailsDomainFeed
60
+ include Mihari::Commands::Shodan
61
+ include Mihari::Commands::Spyse
62
+ include Mihari::Commands::SSHFingerprint
63
+ include Mihari::Commands::Urlscan
64
+ include Mihari::Commands::VirusTotal
65
+ include Mihari::Commands::Web
66
+ include Mihari::Commands::ZoomEye
67
+
68
+ class << self
69
+ def exit_on_failure?
70
+ true
299
71
  end
300
72
  end
301
73
 
302
74
  no_commands do
303
75
  def with_error_handling
304
76
  yield
305
- rescue => e
77
+ rescue StandardError => e
306
78
  notifier = Notifiers::ExceptionNotifier.new
307
79
  notifier.notify e
308
80
  end
309
81
 
310
- def parse_as_json(input)
311
- JSON.parse input
312
- rescue JSON::ParserError => _e
313
- nil
314
- end
315
-
316
82
  # @return [true, false]
317
83
  def valid_json?(json)
318
84
  %w[title description artifacts].all? { |key| json.key? key }
@@ -333,16 +99,22 @@ module Mihari
333
99
  options = normalize_options(options)
334
100
 
335
101
  analyzer = analyzer_class.new(query, **options)
102
+
103
+ analyzer.ignore_old_artifacts = options[:ignore_old_artifacts] || false
104
+ analyzer.ignore_threshold = options[:ignore_threshold] || 0
105
+
336
106
  analyzer.run
337
107
  end
338
108
 
339
109
  def symbolize_hash_keys(hash)
340
- hash.map { |k, v| [k.to_sym, v] }.to_h
110
+ hash.transform_keys(&:to_sym)
341
111
  end
342
112
 
343
113
  def normalize_options(options)
344
114
  # Delete :config because it is not intended to use for running an analyzer
345
- options.delete(:config)
115
+ [:config, :ignore_old_artifacts, :ignore_threshold].each do |ignore_key|
116
+ options.delete(ignore_key)
117
+ end
346
118
  options
347
119
  end
348
120