mihari 1.5.1 → 2.3.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/.github/ISSUE_TEMPLATE/bug_report.md +43 -0
- data/.github/ISSUE_TEMPLATE/feature_request.md +15 -0
- data/.github/workflows/test.yml +41 -17
- data/.rubocop.yml +6 -0
- data/.standard.yml +4 -0
- data/README.md +23 -274
- data/bin/console +1 -0
- data/build_frontend.sh +14 -0
- data/docker/Dockerfile +3 -2
- data/examples/ipinfo_hosted_domains.rb +1 -1
- data/images/{eyecatch.png → overview.png} +0 -0
- data/images/tines.png +0 -0
- data/images/web_alerts.png +0 -0
- data/images/web_config.png +0 -0
- data/lib/mihari.rb +2 -2
- data/lib/mihari/analyzers/base.rb +11 -2
- data/lib/mihari/analyzers/circl.rb +3 -3
- data/lib/mihari/analyzers/onyphe.rb +2 -2
- data/lib/mihari/analyzers/securitytrails.rb +2 -2
- data/lib/mihari/analyzers/urlscan.rb +1 -6
- data/lib/mihari/cli.rb +73 -301
- data/lib/mihari/commands/binaryedge.rb +21 -0
- data/lib/mihari/commands/censys.rb +22 -0
- data/lib/mihari/commands/circl.rb +21 -0
- data/lib/mihari/commands/config.rb +27 -0
- data/lib/mihari/commands/crtsh.rb +22 -0
- data/lib/mihari/commands/dnpedia.rb +21 -0
- data/lib/mihari/commands/dnstwister.rb +21 -0
- data/lib/mihari/commands/free_text.rb +21 -0
- data/lib/mihari/commands/http_hash.rb +25 -0
- data/lib/mihari/commands/json.rb +42 -0
- data/lib/mihari/commands/onyphe.rb +21 -0
- data/lib/mihari/commands/otx.rb +21 -0
- data/lib/mihari/commands/passive_dns.rb +21 -0
- data/lib/mihari/commands/passive_ssl.rb +21 -0
- data/lib/mihari/commands/passivetotal.rb +21 -0
- data/lib/mihari/commands/pulsedive.rb +21 -0
- data/lib/mihari/commands/reverse_whois.rb +21 -0
- data/lib/mihari/commands/securitytrails.rb +22 -0
- data/lib/mihari/commands/securitytrails_domain_feed.rb +23 -0
- data/lib/mihari/commands/shodan.rb +21 -0
- data/lib/mihari/commands/spyse.rb +22 -0
- data/lib/mihari/commands/ssh_fingerprint.rb +21 -0
- data/lib/mihari/commands/urlscan.rb +23 -0
- data/lib/mihari/commands/virustotal.rb +21 -0
- data/lib/mihari/commands/web.rb +22 -0
- data/lib/mihari/commands/zoomeye.rb +22 -0
- data/lib/mihari/config.rb +12 -0
- data/lib/mihari/configurable.rb +4 -5
- data/lib/mihari/database.rb +8 -2
- data/lib/mihari/emitters/slack.rb +1 -1
- data/lib/mihari/emitters/the_hive.rb +1 -1
- data/lib/mihari/models/alert.rb +51 -0
- data/lib/mihari/models/artifact.rb +13 -2
- data/lib/mihari/notifiers/exception_notifier.rb +4 -4
- data/lib/mihari/serializers/alert.rb +1 -1
- data/lib/mihari/serializers/artifact.rb +1 -1
- data/lib/mihari/serializers/tag.rb +1 -1
- data/lib/mihari/status.rb +6 -14
- data/lib/mihari/version.rb +1 -1
- data/lib/mihari/web/app.rb +51 -0
- data/lib/mihari/web/controllers/alerts_controller.rb +75 -0
- data/lib/mihari/web/controllers/artifacts_controller.rb +24 -0
- data/lib/mihari/web/controllers/base_controller.rb +22 -0
- data/lib/mihari/web/controllers/command_controller.rb +26 -0
- data/lib/mihari/web/controllers/config_controller.rb +13 -0
- data/lib/mihari/web/controllers/sources_controller.rb +12 -0
- data/lib/mihari/web/controllers/tags_controller.rb +28 -0
- data/lib/mihari/web/helpers/json.rb +53 -0
- data/lib/mihari/web/public/index.html +21 -0
- data/lib/mihari/web/public/redoc-static.html +519 -0
- data/lib/mihari/web/public/static/favicon.ico +0 -0
- data/lib/mihari/web/public/static/fonts/fa-brands-400.099a9556.woff +0 -0
- data/lib/mihari/web/public/static/fonts/fa-brands-400.30cc681d.eot +0 -0
- data/lib/mihari/web/public/static/fonts/fa-brands-400.3b89dd10.ttf +0 -0
- data/lib/mihari/web/public/static/fonts/fa-brands-400.f7307680.woff2 +0 -0
- data/lib/mihari/web/public/static/fonts/fa-regular-400.1f77739c.ttf +0 -0
- data/lib/mihari/web/public/static/fonts/fa-regular-400.7124eb50.woff +0 -0
- data/lib/mihari/web/public/static/fonts/fa-regular-400.7630483d.eot +0 -0
- data/lib/mihari/web/public/static/fonts/fa-regular-400.f0f82301.woff2 +0 -0
- data/lib/mihari/web/public/static/fonts/fa-solid-900.1042e8ca.eot +0 -0
- data/lib/mihari/web/public/static/fonts/fa-solid-900.605ed792.ttf +0 -0
- data/lib/mihari/web/public/static/fonts/fa-solid-900.9fe5a17c.woff +0 -0
- data/lib/mihari/web/public/static/fonts/fa-solid-900.e8a427e1.woff2 +0 -0
- data/lib/mihari/web/public/static/img/fa-brands-400.ba7ed552.svg +3717 -0
- data/lib/mihari/web/public/static/img/fa-regular-400.0bb42845.svg +801 -0
- data/lib/mihari/web/public/static/img/fa-solid-900.376c1f97.svg +5034 -0
- data/lib/mihari/web/public/static/js/app.cccddb2b.js +12 -0
- data/lib/mihari/web/public/static/js/app.cccddb2b.js.map +1 -0
- data/mihari.gemspec +16 -4
- metadata +261 -18
- data/lib/mihari/alert_viewer.rb +0 -23
data/bin/console
CHANGED
data/build_frontend.sh
ADDED
@@ -0,0 +1,14 @@
|
|
1
|
+
#!/bin/sh
|
2
|
+
|
3
|
+
CURRENT_DIR=${PWD}
|
4
|
+
|
5
|
+
mkdir -p tmp
|
6
|
+
cd tmp
|
7
|
+
git clone https://github.com/ninoseki/mihari-frontend.git
|
8
|
+
cd mihari-frontend
|
9
|
+
npm install
|
10
|
+
npm run build
|
11
|
+
|
12
|
+
cp -r dist/* ${CURRENT_DIR}/lib/mihari/web/public
|
13
|
+
|
14
|
+
rm -rf ${CURRENT_DIR}/tmp/mihari-frontend
|
data/docker/Dockerfile
CHANGED
@@ -1,6 +1,7 @@
|
|
1
|
-
FROM ruby:3.0.
|
1
|
+
FROM ruby:3.0.1-alpine3.13
|
2
2
|
|
3
|
-
RUN apk --no-cache add git build-base ruby-dev sqlite-dev postgresql-dev \
|
3
|
+
RUN apk --no-cache add git build-base ruby-dev sqlite-dev postgresql-dev mysql-client mysql-dev \
|
4
|
+
&& gem install pg mysql2 \
|
4
5
|
&& cd /tmp/ \
|
5
6
|
&& git clone https://github.com/ninoseki/mihari.git \
|
6
7
|
&& cd mihari \
|
File without changes
|
data/images/tines.png
ADDED
Binary file
|
Binary file
|
Binary file
|
data/lib/mihari.rb
CHANGED
@@ -8,6 +8,13 @@ module Mihari
|
|
8
8
|
include Configurable
|
9
9
|
include Retriable
|
10
10
|
|
11
|
+
attr_accessor :ignore_old_artifacts, :ignore_threshold
|
12
|
+
|
13
|
+
def initialize
|
14
|
+
@ignore_old_artifacts = false
|
15
|
+
@ignore_threshold = 0
|
16
|
+
end
|
17
|
+
|
11
18
|
# @return [Array<String>, Array<Mihari::Artifact>]
|
12
19
|
def artifacts
|
13
20
|
raise NotImplementedError, "You must implement #{self.class}##{__method__}"
|
@@ -42,7 +49,7 @@ module Mihari
|
|
42
49
|
|
43
50
|
def run_emitter(emitter)
|
44
51
|
emitter.run(title: title, description: description, artifacts: unique_artifacts, source: source, tags: tags)
|
45
|
-
rescue => e
|
52
|
+
rescue StandardError => e
|
46
53
|
puts "Emission by #{emitter.class} is failed: #{e}"
|
47
54
|
end
|
48
55
|
|
@@ -61,7 +68,9 @@ module Mihari
|
|
61
68
|
|
62
69
|
# @return [Array<Mihari::Artifact>]
|
63
70
|
def unique_artifacts
|
64
|
-
@unique_artifacts ||= normalized_artifacts.select
|
71
|
+
@unique_artifacts ||= normalized_artifacts.select do |artifact|
|
72
|
+
artifact.unique?(ignore_old_artifacts: ignore_old_artifacts, ignore_threshold: ignore_threshold)
|
73
|
+
end
|
65
74
|
end
|
66
75
|
|
67
76
|
def set_unique_artifacts
|
@@ -46,14 +46,14 @@ module Mihari
|
|
46
46
|
def passive_dns_lookup
|
47
47
|
results = api.dns.query(@query)
|
48
48
|
results.map do |result|
|
49
|
-
type = result
|
50
|
-
type == "A" ? result
|
49
|
+
type = result["rrtype"]
|
50
|
+
type == "A" ? result["rdata"] : nil
|
51
51
|
end.compact.uniq
|
52
52
|
end
|
53
53
|
|
54
54
|
def passive_ssl_lookup
|
55
55
|
result = api.ssl.cquery(@query)
|
56
|
-
seen = result
|
56
|
+
seen = result["seen"] || []
|
57
57
|
seen.uniq
|
58
58
|
end
|
59
59
|
end
|
@@ -21,10 +21,10 @@ module Mihari
|
|
21
21
|
return [] unless results
|
22
22
|
|
23
23
|
flat_results = results.map do |result|
|
24
|
-
result
|
24
|
+
result["results"]
|
25
25
|
end.flatten.compact
|
26
26
|
|
27
|
-
flat_results.map { |result| result
|
27
|
+
flat_results.map { |result| result["ip"] }.compact.uniq
|
28
28
|
end
|
29
29
|
|
30
30
|
private
|
@@ -58,13 +58,13 @@ module Mihari
|
|
58
58
|
end
|
59
59
|
|
60
60
|
def ip_lookup
|
61
|
-
result = api.domains.search(filter: {ipv4: query})
|
61
|
+
result = api.domains.search(filter: { ipv4: query })
|
62
62
|
records = result["records"] || []
|
63
63
|
records.map { |record| record["hostname"] }.compact.uniq
|
64
64
|
end
|
65
65
|
|
66
66
|
def mail_lookup
|
67
|
-
result = api.domains.search(filter: {whois_email: query})
|
67
|
+
result = api.domains.search(filter: { whois_email: query })
|
68
68
|
records = result["records"] || []
|
69
69
|
records.map { |record| record["hostname"] }.compact.uniq
|
70
70
|
end
|
@@ -5,16 +5,14 @@ require "urlscan"
|
|
5
5
|
module Mihari
|
6
6
|
module Analyzers
|
7
7
|
class Urlscan < Base
|
8
|
-
attr_reader :title, :description, :query, :tags, :
|
8
|
+
attr_reader :title, :description, :query, :tags, :target_type, :use_similarity
|
9
9
|
|
10
10
|
def initialize(
|
11
11
|
query,
|
12
12
|
description: nil,
|
13
|
-
filter: nil,
|
14
13
|
tags: [],
|
15
14
|
target_type: "url",
|
16
15
|
title: nil,
|
17
|
-
use_pro: false,
|
18
16
|
use_similarity: false
|
19
17
|
)
|
20
18
|
super()
|
@@ -24,9 +22,7 @@ module Mihari
|
|
24
22
|
@description = description || "query = #{query}"
|
25
23
|
@tags = tags
|
26
24
|
|
27
|
-
@filter = filter
|
28
25
|
@target_type = target_type
|
29
|
-
@use_pro = use_pro
|
30
26
|
@use_similarity = use_similarity
|
31
27
|
|
32
28
|
raise InvalidInputError, "type should be url, domain or ip." unless valid_target_type?
|
@@ -54,7 +50,6 @@ module Mihari
|
|
54
50
|
|
55
51
|
def search
|
56
52
|
return api.pro.similar(query) if use_similarity
|
57
|
-
return api.pro.search(query: query, filter: filter, size: 10_000) if use_pro
|
58
53
|
|
59
54
|
api.search(query, size: 10_000)
|
60
55
|
end
|
data/lib/mihari/cli.rb
CHANGED
@@ -1,318 +1,84 @@
|
|
1
1
|
# frozen_string_literal: true
|
2
2
|
|
3
3
|
require "thor"
|
4
|
-
|
4
|
+
|
5
|
+
require "mihari/commands/binaryedge"
|
6
|
+
require "mihari/commands/censys"
|
7
|
+
require "mihari/commands/circl"
|
8
|
+
require "mihari/commands/crtsh"
|
9
|
+
require "mihari/commands/dnpedia"
|
10
|
+
require "mihari/commands/dnstwister"
|
11
|
+
require "mihari/commands/onyphe"
|
12
|
+
require "mihari/commands/otx"
|
13
|
+
require "mihari/commands/passivetotal"
|
14
|
+
require "mihari/commands/pulsedive"
|
15
|
+
require "mihari/commands/securitytrails_domain_feed"
|
16
|
+
require "mihari/commands/securitytrails"
|
17
|
+
require "mihari/commands/shodan"
|
18
|
+
require "mihari/commands/spyse"
|
19
|
+
require "mihari/commands/urlscan"
|
20
|
+
require "mihari/commands/virustotal"
|
21
|
+
require "mihari/commands/zoomeye"
|
22
|
+
|
23
|
+
require "mihari/commands/free_text"
|
24
|
+
require "mihari/commands/http_hash"
|
25
|
+
require "mihari/commands/passive_dns"
|
26
|
+
require "mihari/commands/passive_ssl"
|
27
|
+
require "mihari/commands/reverse_whois"
|
28
|
+
require "mihari/commands/ssh_fingerprint"
|
29
|
+
|
30
|
+
require "mihari/commands/config"
|
31
|
+
require "mihari/commands/json"
|
32
|
+
require "mihari/commands/web"
|
5
33
|
|
6
34
|
module Mihari
|
7
35
|
class CLI < Thor
|
8
|
-
class_option :config, type: :string, desc: "
|
9
|
-
|
10
|
-
|
11
|
-
|
12
|
-
|
13
|
-
|
14
|
-
|
15
|
-
|
16
|
-
|
17
|
-
|
18
|
-
|
19
|
-
|
20
|
-
|
21
|
-
|
22
|
-
|
23
|
-
|
24
|
-
|
25
|
-
|
26
|
-
|
27
|
-
|
28
|
-
|
29
|
-
|
30
|
-
|
31
|
-
|
32
|
-
|
33
|
-
|
34
|
-
|
35
|
-
|
36
|
-
|
37
|
-
|
38
|
-
|
39
|
-
|
40
|
-
|
41
|
-
|
42
|
-
|
43
|
-
end
|
44
|
-
|
45
|
-
desc "urlscan [QUERY]", "urlscan search by a given query"
|
46
|
-
method_option :title, type: :string, desc: "title"
|
47
|
-
method_option :description, type: :string, desc: "description"
|
48
|
-
method_option :tags, type: :array, desc: "tags"
|
49
|
-
method_option :filter, type: :string, desc: "filter for urlscan pro search"
|
50
|
-
method_option :target_type, type: :string, default: "url", desc: "target type to fetch from lookup results (target type should be 'url', 'domain' or 'ip')"
|
51
|
-
method_option :use_pro, type: :boolean, default: false, desc: "use pro search API or not"
|
52
|
-
method_option :use_similarity, type: :boolean, default: false, desc: "use similarity API or not"
|
53
|
-
def urlscan(query)
|
54
|
-
with_error_handling do
|
55
|
-
run_analyzer Analyzers::Urlscan, query: query, options: options
|
56
|
-
end
|
57
|
-
end
|
58
|
-
|
59
|
-
desc "virustotal [IP|DOMAIN]", "VirusTotal resolutions lookup by an ip or domain"
|
60
|
-
method_option :title, type: :string, desc: "title"
|
61
|
-
method_option :description, type: :string, desc: "description"
|
62
|
-
method_option :tags, type: :array, desc: "tags"
|
63
|
-
def virustotal(indiactor)
|
64
|
-
with_error_handling do
|
65
|
-
run_analyzer Analyzers::VirusTotal, query: refang(indiactor), options: options
|
66
|
-
end
|
67
|
-
end
|
68
|
-
|
69
|
-
desc "securitytrails [IP|DOMAIN|EMAIL]", "SecurityTrails lookup by an ip, domain or email"
|
70
|
-
method_option :title, type: :string, desc: "title"
|
71
|
-
method_option :description, type: :string, desc: "description"
|
72
|
-
method_option :tags, type: :array, desc: "tags"
|
73
|
-
def securitytrails(indiactor)
|
74
|
-
with_error_handling do
|
75
|
-
run_analyzer Analyzers::SecurityTrails, query: refang(indiactor), options: options
|
76
|
-
end
|
77
|
-
end
|
78
|
-
map "st" => :securitytrails
|
79
|
-
|
80
|
-
desc "securitytrails_domain_feed [REGEXP]", "SecurityTrails new domain feed search by a regexp"
|
81
|
-
method_option :title, type: :string, desc: "title"
|
82
|
-
method_option :description, type: :string, desc: "description"
|
83
|
-
method_option :tags, type: :array, desc: "tags"
|
84
|
-
method_option :type, type: :string, default: "registered", desc: "A type of domain feed ('all', 'new' or 'registered')"
|
85
|
-
def securitytrails_domain_feed(regexp)
|
86
|
-
with_error_handling do
|
87
|
-
run_analyzer Analyzers::SecurityTrailsDomainFeed, query: regexp, options: options
|
88
|
-
end
|
89
|
-
end
|
90
|
-
map "st_domain_feed" => :securitytrails_domain_feed
|
91
|
-
|
92
|
-
desc "crtsh [QUERY]", "crt.sh search by a query"
|
93
|
-
method_option :title, type: :string, desc: "title"
|
94
|
-
method_option :description, type: :string, desc: "description"
|
95
|
-
method_option :tags, type: :array, desc: "tags"
|
96
|
-
method_option :exclude_expired, type: :boolean, desc: "exclude expired certificates"
|
97
|
-
def crtsh(query)
|
98
|
-
with_error_handling do
|
99
|
-
run_analyzer Analyzers::Crtsh, query: query, options: options
|
100
|
-
end
|
101
|
-
end
|
102
|
-
|
103
|
-
desc "dnpedia [QUERY]", "DNPedia domain search by a query"
|
104
|
-
method_option :title, type: :string, desc: "title"
|
105
|
-
method_option :description, type: :string, desc: "description"
|
106
|
-
method_option :tags, type: :array, desc: "tags"
|
107
|
-
def dnpedia(query)
|
108
|
-
with_error_handling do
|
109
|
-
run_analyzer Analyzers::DNPedia, query: query, options: options
|
110
|
-
end
|
111
|
-
end
|
112
|
-
|
113
|
-
desc "circl [DOMAIN|SHA1]", "CIRCL passive DNS/SSL lookup by a domain or SHA1 certificate fingerprint"
|
114
|
-
method_option :title, type: :string, desc: "title"
|
115
|
-
method_option :description, type: :string, desc: "description"
|
116
|
-
method_option :tags, type: :array, desc: "tags"
|
117
|
-
def circl(query)
|
118
|
-
with_error_handling do
|
119
|
-
run_analyzer Analyzers::CIRCL, query: refang(query), options: options
|
120
|
-
end
|
121
|
-
end
|
122
|
-
|
123
|
-
desc "passivetotal [IP|DOMAIN|EMAIL|SHA1]", "PassiveTotal lookup by an ip, domain, email or SHA1 certificate fingerprint"
|
124
|
-
method_option :title, type: :string, desc: "title"
|
125
|
-
method_option :description, type: :string, desc: "description"
|
126
|
-
method_option :tags, type: :array, desc: "tags"
|
127
|
-
def passivetotal(indicator)
|
128
|
-
with_error_handling do
|
129
|
-
run_analyzer Analyzers::PassiveTotal, query: refang(indicator), options: options
|
130
|
-
end
|
131
|
-
end
|
132
|
-
|
133
|
-
desc "zoomeye [QUERY]", "ZoomEye search by a query"
|
134
|
-
method_option :title, type: :string, desc: "title"
|
135
|
-
method_option :description, type: :string, desc: "description"
|
136
|
-
method_option :tags, type: :array, desc: "tags"
|
137
|
-
method_option :type, type: :string, desc: "type to search(host / web)", default: "host"
|
138
|
-
def zoomeye(query)
|
139
|
-
with_error_handling do
|
140
|
-
run_analyzer Analyzers::ZoomEye, query: query, options: options
|
141
|
-
end
|
142
|
-
end
|
143
|
-
|
144
|
-
desc "binaryedge [QUERY]", "BinaryEdge host search by a query"
|
145
|
-
method_option :title, type: :string, desc: "title"
|
146
|
-
method_option :description, type: :string, desc: "description"
|
147
|
-
method_option :tags, type: :array, desc: "tags"
|
148
|
-
def binaryedge(query)
|
149
|
-
with_error_handling do
|
150
|
-
run_analyzer Analyzers::BinaryEdge, query: query, options: options
|
151
|
-
end
|
152
|
-
end
|
153
|
-
|
154
|
-
desc "pulsedive [IP|DOMAIN]", "Pulsedive lookup by an ip or domain"
|
155
|
-
method_option :title, type: :string, desc: "title"
|
156
|
-
method_option :description, type: :string, desc: "description"
|
157
|
-
method_option :tags, type: :array, desc: "tags"
|
158
|
-
def pulsedive(indiactor)
|
159
|
-
with_error_handling do
|
160
|
-
run_analyzer Analyzers::Pulsedive, query: refang(indiactor), options: options
|
161
|
-
end
|
162
|
-
end
|
163
|
-
|
164
|
-
desc "dnstwister [DOMAIN]", "dnstwister lookup by a domain"
|
165
|
-
method_option :title, type: :string, desc: "title"
|
166
|
-
method_option :description, type: :string, desc: "description"
|
167
|
-
method_option :tags, type: :array, desc: "tags"
|
168
|
-
def dnstwister(domain)
|
169
|
-
with_error_handling do
|
170
|
-
run_analyzer Analyzers::DNSTwister, query: refang(domain), options: options
|
171
|
-
end
|
172
|
-
end
|
173
|
-
|
174
|
-
desc "otx [IP|DOMAIN]", "OTX lookup by an IP or domain"
|
175
|
-
method_option :title, type: :string, desc: "title"
|
176
|
-
method_option :description, type: :string, desc: "description"
|
177
|
-
method_option :tags, type: :array, desc: "tags"
|
178
|
-
def otx(domain)
|
179
|
-
with_error_handling do
|
180
|
-
run_analyzer Analyzers::OTX, query: refang(domain), options: options
|
181
|
-
end
|
182
|
-
end
|
183
|
-
|
184
|
-
desc "spyse [QUERY]", "Spyse search by a query"
|
185
|
-
method_option :title, type: :string, desc: "title"
|
186
|
-
method_option :description, type: :string, desc: "description"
|
187
|
-
method_option :tags, type: :array, desc: "tags"
|
188
|
-
method_option :type, type: :string, desc: "type to search (ip or domain)", default: "doamin"
|
189
|
-
def spyse(query)
|
190
|
-
with_error_handling do
|
191
|
-
run_analyzer Analyzers::Spyse, query: query, options: options
|
192
|
-
end
|
193
|
-
end
|
194
|
-
|
195
|
-
desc "passive_dns [IP|DOMAIN]", "Cross search with passive DNS services by an ip or domain"
|
196
|
-
method_option :title, type: :string, desc: "title"
|
197
|
-
method_option :description, type: :string, desc: "description"
|
198
|
-
method_option :tags, type: :array, desc: "tags"
|
199
|
-
def passive_dns(query)
|
200
|
-
with_error_handling do
|
201
|
-
run_analyzer Analyzers::PassiveDNS, query: refang(query), options: options
|
202
|
-
end
|
203
|
-
end
|
204
|
-
|
205
|
-
desc "passive_ssl [SHA1]", "Cross search with passive SSL services by an SHA1 certificate fingerprint"
|
206
|
-
method_option :title, type: :string, desc: "title"
|
207
|
-
method_option :description, type: :string, desc: "description"
|
208
|
-
method_option :tags, type: :array, desc: "tags"
|
209
|
-
def passive_ssl(query)
|
210
|
-
with_error_handling do
|
211
|
-
run_analyzer Analyzers::PassiveSSL, query: query, options: options
|
212
|
-
end
|
213
|
-
end
|
214
|
-
|
215
|
-
desc "reverse_whois [EMAIL]", "Cross search with reverse whois services by an email"
|
216
|
-
method_option :title, type: :string, desc: "title"
|
217
|
-
method_option :description, type: :string, desc: "description"
|
218
|
-
method_option :tags, type: :array, desc: "tags"
|
219
|
-
def reverse_whois(query)
|
220
|
-
with_error_handling do
|
221
|
-
run_analyzer Analyzers::ReveseWhois, query: refang(query), options: options
|
222
|
-
end
|
223
|
-
end
|
224
|
-
|
225
|
-
desc "http_hash", "Cross search with search engines by a hash of an HTTP response (SHA256, MD5 and MurmurHash3)"
|
226
|
-
method_option :title, type: :string, desc: "title"
|
227
|
-
method_option :description, type: :string, desc: "description"
|
228
|
-
method_option :tags, type: :array, desc: "tags"
|
229
|
-
method_option :md5, type: :string, desc: "MD5 hash"
|
230
|
-
method_option :sha256, type: :string, desc: "SHA256 hash"
|
231
|
-
method_option :mmh3, type: :numeric, desc: "MurmurHash3 hash"
|
232
|
-
method_option :html, type: :string, desc: "path to an HTML file"
|
233
|
-
def http_hash
|
234
|
-
with_error_handling do
|
235
|
-
run_analyzer Analyzers::HTTPHash, query: nil, options: options
|
236
|
-
end
|
237
|
-
end
|
238
|
-
|
239
|
-
desc "free_text [TEXT]", "Cross search with search engines by a free text"
|
240
|
-
method_option :title, type: :string, desc: "title"
|
241
|
-
method_option :description, type: :string, desc: "description"
|
242
|
-
method_option :tags, type: :array, desc: "tags"
|
243
|
-
def free_text(text)
|
244
|
-
with_error_handling do
|
245
|
-
run_analyzer Analyzers::FreeText, query: text, options: options
|
246
|
-
end
|
247
|
-
end
|
248
|
-
|
249
|
-
desc "ssh_fingerprint [FINGERPRINT]", "Cross search with search engines by an SSH fingerprint (e.g. dc:14:de:8e:d7:c1:15:43:23:82:25:81:d2:59:e8:c0)"
|
250
|
-
method_option :title, type: :string, desc: "title"
|
251
|
-
method_option :description, type: :string, desc: "description"
|
252
|
-
method_option :tags, type: :array, desc: "tags"
|
253
|
-
def ssh_fingerprint(fingerprint)
|
254
|
-
with_error_handling do
|
255
|
-
run_analyzer Analyzers::SSHFingerprint, query: fingerprint, options: options
|
256
|
-
end
|
257
|
-
end
|
258
|
-
|
259
|
-
desc "import_from_json", "Give a JSON input via STDIN"
|
260
|
-
def import_from_json(input = nil)
|
261
|
-
with_error_handling do
|
262
|
-
json = input || $stdin.gets.chomp
|
263
|
-
raise ArgumentError, "Input not found: please give an input in a JSON format" unless json
|
264
|
-
|
265
|
-
json = parse_as_json(json)
|
266
|
-
raise ArgumentError, "Invalid input format: an input JSON data should have title, description and artifacts key" unless valid_json?(json)
|
267
|
-
|
268
|
-
title = json["title"]
|
269
|
-
description = json["description"]
|
270
|
-
artifacts = json["artifacts"]
|
271
|
-
tags = json["tags"] || []
|
272
|
-
|
273
|
-
basic = Analyzers::Basic.new(title: title, description: description, artifacts: artifacts, source: "json", tags: tags)
|
274
|
-
basic.run
|
275
|
-
end
|
276
|
-
end
|
277
|
-
|
278
|
-
desc "alerts", "Show the alerts on TheHive"
|
279
|
-
method_option :limit, type: :string, default: "5", desc: "Number of alerts to show (or 'all' to show all the alerts)"
|
280
|
-
method_option :title, type: :string, desc: "Title to filter"
|
281
|
-
method_option :source, type: :string, desc: "Source to filter"
|
282
|
-
method_option :tag, type: :string, desc: "Tag to filter"
|
283
|
-
def alerts
|
284
|
-
with_error_handling do
|
285
|
-
load_configuration
|
286
|
-
|
287
|
-
viewer = AlertViewer.new
|
288
|
-
alerts = viewer.list(limit: options["limit"], title: options["title"], source: options["source"], tag: options[:tag])
|
289
|
-
puts JSON.pretty_generate(alerts)
|
290
|
-
end
|
291
|
-
end
|
292
|
-
|
293
|
-
desc "status", "Show the current configuration status"
|
294
|
-
def status
|
295
|
-
with_error_handling do
|
296
|
-
load_configuration
|
297
|
-
|
298
|
-
puts JSON.pretty_generate(Status.check)
|
36
|
+
class_option :config, type: :string, desc: "Path to the config file"
|
37
|
+
|
38
|
+
class_option :ignore_old_artifacts, type: :boolean, default: false, desc: "Whether to ignore old artifacts from checking or not. Only affects with analyze commands."
|
39
|
+
class_option :ignore_threshold, type: :numeric, default: 0, desc: "Number of days to define whether an artifact is old or not. Only affects with analyze commands."
|
40
|
+
|
41
|
+
include Mihari::Commands::BinaryEdge
|
42
|
+
include Mihari::Commands::Censys
|
43
|
+
include Mihari::Commands::CIRCL
|
44
|
+
include Mihari::Commands::Config
|
45
|
+
include Mihari::Commands::Crtsh
|
46
|
+
include Mihari::Commands::DNPedia
|
47
|
+
include Mihari::Commands::DNSTwister
|
48
|
+
include Mihari::Commands::FreeText
|
49
|
+
include Mihari::Commands::HTTPHash
|
50
|
+
include Mihari::Commands::JSON
|
51
|
+
include Mihari::Commands::Onyphe
|
52
|
+
include Mihari::Commands::OTX
|
53
|
+
include Mihari::Commands::PassiveDNS
|
54
|
+
include Mihari::Commands::PassiveSSL
|
55
|
+
include Mihari::Commands::PassiveTotal
|
56
|
+
include Mihari::Commands::Pulsedive
|
57
|
+
include Mihari::Commands::ReverseWhois
|
58
|
+
include Mihari::Commands::SecurityTrails
|
59
|
+
include Mihari::Commands::SecurityTrailsDomainFeed
|
60
|
+
include Mihari::Commands::Shodan
|
61
|
+
include Mihari::Commands::Spyse
|
62
|
+
include Mihari::Commands::SSHFingerprint
|
63
|
+
include Mihari::Commands::Urlscan
|
64
|
+
include Mihari::Commands::VirusTotal
|
65
|
+
include Mihari::Commands::Web
|
66
|
+
include Mihari::Commands::ZoomEye
|
67
|
+
|
68
|
+
class << self
|
69
|
+
def exit_on_failure?
|
70
|
+
true
|
299
71
|
end
|
300
72
|
end
|
301
73
|
|
302
74
|
no_commands do
|
303
75
|
def with_error_handling
|
304
76
|
yield
|
305
|
-
rescue => e
|
77
|
+
rescue StandardError => e
|
306
78
|
notifier = Notifiers::ExceptionNotifier.new
|
307
79
|
notifier.notify e
|
308
80
|
end
|
309
81
|
|
310
|
-
def parse_as_json(input)
|
311
|
-
JSON.parse input
|
312
|
-
rescue JSON::ParserError => _e
|
313
|
-
nil
|
314
|
-
end
|
315
|
-
|
316
82
|
# @return [true, false]
|
317
83
|
def valid_json?(json)
|
318
84
|
%w[title description artifacts].all? { |key| json.key? key }
|
@@ -333,16 +99,22 @@ module Mihari
|
|
333
99
|
options = normalize_options(options)
|
334
100
|
|
335
101
|
analyzer = analyzer_class.new(query, **options)
|
102
|
+
|
103
|
+
analyzer.ignore_old_artifacts = options[:ignore_old_artifacts] || false
|
104
|
+
analyzer.ignore_threshold = options[:ignore_threshold] || 0
|
105
|
+
|
336
106
|
analyzer.run
|
337
107
|
end
|
338
108
|
|
339
109
|
def symbolize_hash_keys(hash)
|
340
|
-
hash.
|
110
|
+
hash.transform_keys(&:to_sym)
|
341
111
|
end
|
342
112
|
|
343
113
|
def normalize_options(options)
|
344
114
|
# Delete :config because it is not intended to use for running an analyzer
|
345
|
-
|
115
|
+
[:config, :ignore_old_artifacts, :ignore_threshold].each do |ignore_key|
|
116
|
+
options.delete(ignore_key)
|
117
|
+
end
|
346
118
|
options
|
347
119
|
end
|
348
120
|
|