mihari 2.2.0 → 3.0.0

data/lib/mihari/analyzers/securitytrails.rb

@@ -5,26 +5,29 @@ require "securitytrails"
 module Mihari
   module Analyzers
     class SecurityTrails < Base
-      attr_reader :query, :type, :title, :description, :tags
+      include Mixins::Refang
 
-      def initialize(query, title: nil, description: nil, tags: [])
-        super()
+      param :query
+      option :title, default: proc { "SecurityTrails search" }
+      option :description, default: proc { "query = #{query}" }
+      option :tags, default: proc { [] }
 
-        @query = query
-        @type = TypeChecker.type(query)
+      attr_reader :type
+
+      def initialize(*args, **kwargs)
+        super
 
-        @title = title || "SecurityTrails lookup"
-        @description = description || "query = #{query}"
-        @tags = tags
+        @query = refang(query)
+        @type = TypeChecker.type(query)
       end
 
       def artifacts
-        lookup || []
+        search || []
       end
 
       private
 
-      def config_keys
+      def configuration_keys
         %w[securitytrails_api_key]
       end
 
@@ -36,20 +39,20 @@ module Mihari
         %w[ip domain mail].include? type
       end
 
-      def lookup
+      def search
         case type
         when "domain"
-          domain_lookup
+          domain_search
         when "ip"
-          ip_lookup
+          ip_search
         when "mail"
-          mail_lookup
+          mail_search
         else
           raise InvalidInputError, "#{query}(type: #{type || "unknown"}) is not supported." unless valid_type?
         end
       end
 
-      def domain_lookup
+      def domain_search
         result = api.history.get_all_dns_history(query, type: "a")
         records = result["records"] || []
         records.map do |record|
@@ -57,16 +60,16 @@ module Mihari
         end.flatten.compact.uniq
       end
 
-      def ip_lookup
+      def ip_search
         result = api.domains.search(filter: { ipv4: query })
         records = result["records"] || []
-        records.map { |record| record["hostname"] }.compact.uniq
+        records.filter_map { |record| record["hostname"] }.uniq
       end
 
-      def mail_lookup
+      def mail_search
         result = api.domains.search(filter: { whois_email: query })
         records = result["records"] || []
-        records.map { |record| record["hostname"] }.compact.uniq
+        records.filter_map { |record| record["hostname"] }.uniq
       end
     end
   end

data/lib/mihari/analyzers/shodan.rb

@@ -5,16 +5,10 @@ require "shodan"
 module Mihari
   module Analyzers
     class Shodan < Base
-      attr_reader :title, :description, :query, :tags
-
-      def initialize(query, title: nil, description: nil, tags: [])
-        super()
-
-        @query = query
-        @title = title || "Shodan lookup"
-        @description = description || "query = #{query}"
-        @tags = tags
-      end
+      param :query
+      option :title, default: proc { "Shodan search" }
+      option :description, default: proc { "query = #{query}" }
+      option :tags, default: proc { [] }
 
       def artifacts
         results = search
@@ -22,9 +16,9 @@ module Mihari
 
         results.map do |result|
           matches = result["matches"] || []
-          matches.map do |match|
+          matches.filter_map do |match|
             match["ip_str"]
-          end.compact
+          end
         end.flatten.compact.uniq
       end
 
@@ -32,7 +26,7 @@ module Mihari
 
       PAGE_SIZE = 100
 
-      def config_keys
+      def configuration_keys
         %w[shodan_api_key]
       end
 

data/lib/mihari/analyzers/spyse.rb

@@ -6,21 +6,14 @@ require "json"
 module Mihari
   module Analyzers
     class Spyse < Base
-      attr_reader :query, :type, :title, :description, :tags
-
-      def initialize(query, title: nil, description: nil, tags: [], type: "domain")
-        super()
-
-        @query = query
-
-        @title = title || "Spyse lookup"
-        @description = description || "query = #{query}"
-        @tags = tags
-        @type = type
-      end
+      param :query
+      option :title, default: proc { "Spyse search" }
+      option :description, default: proc { "query = #{query}" }
+      option :type, default: proc { "domain" }
+      option :tags, default: proc { [] }
 
       def artifacts
-        lookup || []
+        search || []
       end
 
       private
@@ -29,7 +22,7 @@ module Mihari
         @search_params ||= JSON.parse(query)
       end
 
-      def config_keys
+      def configuration_keys
         %w[spyse_api_key]
       end
 
@@ -41,7 +34,7 @@ module Mihari
         %w[ip domain cert].include? type
       end
 
-      def domain_lookup
+      def domain_search
         res = api.domain.search(search_params, limit: 100)
         items = res.dig("data", "items") || []
         items.map do |item|
@@ -49,7 +42,7 @@ module Mihari
         end.uniq.compact
       end
 
-      def ip_lookup
+      def ip_search
         res = api.ip.search(search_params, limit: 100)
         items = res.dig("data", "items") || []
         items.map do |item|
@@ -57,12 +50,12 @@ module Mihari
         end.uniq.compact
       end
 
-      def lookup
+      def search
         case type
         when "domain"
-          domain_lookup
+          domain_search
         when "ip"
-          ip_lookup
+          ip_search
         else
           raise InvalidInputError, "#{query}(type: #{type || "unknown"}) is not supported." unless valid_type?
         end

data/lib/mihari/analyzers/urlscan.rb

@@ -2,34 +2,22 @@
 
 require "urlscan"
 
+SUPPORTED_DATA_TYPES = %w[url domain ip].freeze
+
 module Mihari
   module Analyzers
     class Urlscan < Base
-      attr_reader :title, :description, :query, :tags, :filter, :target_type, :use_pro, :use_similarity
-
-      def initialize(
-        query,
-        description: nil,
-        filter: nil,
-        tags: [],
-        target_type: "url",
-        title: nil,
-        use_pro: false,
-        use_similarity: false
-      )
-        super()
+      param :query
+      option :title, default: proc { "urlscan search" }
+      option :description, default: proc { "query = #{query}" }
+      option :tags, default: proc { [] }
+      option :allowed_data_types, default: proc { SUPPORTED_DATA_TYPES }
+      option :use_similarity, default: proc { false }
 
-        @query = query
-        @title = title || "urlscan lookup"
-        @description = description || "query = #{query}"
-        @tags = tags
+      def initialize(*args, **kwargs)
+        super
 
-        @filter = filter
-        @target_type = target_type
-        @use_pro = use_pro
-        @use_similarity = use_similarity
-
-        raise InvalidInputError, "type should be url, domain or ip." unless valid_target_type?
+        raise InvalidInputError, "allowed_data_types should be any of url, domain and ip." unless valid_alllowed_data_types?
       end
 
       def artifacts
@@ -37,14 +25,17 @@ module Mihari
         return [] unless result
 
         results = result["results"] || []
-        results.map do |match|
-          match.dig "page", target_type
-        end.compact.uniq
+
+        allowed_data_types.map do |type|
+          results.filter_map do |match|
+            match.dig "page", type
+          end.uniq
+        end.flatten
       end
 
       private
 
-      def config_keys
+      def configuration_keys
         %w[urlscan_api_key]
       end
 
@@ -54,13 +45,12 @@ module Mihari
 
       def search
         return api.pro.similar(query) if use_similarity
-        return api.pro.search(query: query, filter: filter, size: 10_000) if use_pro
 
         api.search(query, size: 10_000)
       end
 
-      def valid_target_type?
-        %w[url domain ip].include? target_type
+      def valid_alllowed_data_types?
+        allowed_data_types.all? { |type| SUPPORTED_DATA_TYPES.include? type }
       end
     end
   end

data/lib/mihari/analyzers/virustotal.rb

@@ -5,26 +5,29 @@ require "virustotal"
 module Mihari
   module Analyzers
     class VirusTotal < Base
-      attr_reader :indicator, :type, :title, :description, :tags
+      include Mixins::Refang
 
-      def initialize(indicator, title: nil, description: nil, tags: [])
-        super()
+      param :query
+      option :title, default: proc { "VirusTotal search" }
+      option :description, default: proc { "query = #{query}" }
+      option :tags, default: proc { [] }
 
-        @indicator = indicator
-        @type = TypeChecker.type(indicator)
+      attr_reader :type
 
-        @title = title || "VirusTotal lookup"
-        @description = description || "indicator = #{indicator}"
-        @tags = tags
+      def initialize(*args, **kwargs)
+        super
+
+        @query = refang(query)
+        @type = TypeChecker.type(query)
       end
 
       def artifacts
-        lookup || []
+        search || []
       end
 
       private
 
-      def config_keys
+      def configuration_keys
         %w[virustotal_api_key]
       end
 
@@ -36,33 +39,33 @@ module Mihari
         %w[ip domain].include? type
       end
 
-      def lookup
+      def search
         case type
         when "domain"
-          domain_lookup
+          domain_search
         when "ip"
-          ip_lookup
+          ip_search
         else
-          raise InvalidInputError, "#{indicator}(type: #{type || "unknown"}) is not supported." unless valid_type?
+          raise InvalidInputError, "#{query}(type: #{type || "unknown"}) is not supported." unless valid_type?
         end
       end
 
-      def domain_lookup
-        res = api.domain.resolutions(indicator)
+      def domain_search
+        res = api.domain.resolutions(query)
 
         data = res["data"] || []
-        data.map do |item|
+        data.filter_map do |item|
           item.dig("attributes", "ip_address")
-        end.compact.uniq
+        end.uniq
       end
 
-      def ip_lookup
-        res = api.ip_address.resolutions(indicator)
+      def ip_search
+        res = api.ip_address.resolutions(query)
 
         data = res["data"] || []
-        data.map do |item|
+        data.filter_map do |item|
           item.dig("attributes", "host_name")
-        end.compact.uniq
+        end.uniq
       end
     end
   end

data/lib/mihari/analyzers/zoomeye.rb

@@ -5,24 +5,18 @@ require "zoomeye"
 module Mihari
   module Analyzers
     class ZoomEye < Base
-      attr_reader :title, :description, :query, :tags, :type
-
-      def initialize(query, title: nil, description: nil, tags: [], type: "host")
-        super()
-
-        @query = query
-        @title = title || "ZoomEye lookup"
-        @description = description || "query = #{query}"
-        @tags = tags
-        @type = type
-      end
+      param :query
+      option :title, default: proc { "ZoomEye search" }
+      option :description, default: proc { "query = #{query}" }
+      option :tags, default: proc { [] }
+      option :type, default: proc { "host" }
 
       def artifacts
         case type
         when "host"
-          host_lookup
+          host_search
         when "web"
-          web_lookup
+          web_search
         else
           raise InvalidInputError, "#{type} type is not supported." unless valid_type?
         end
@@ -36,12 +30,12 @@ module Mihari
         %w[host web].include? type
       end
 
-      def config_keys
-        %w[zoomeye_password zoomeye_username]
+      def configuration_keys
+        %w[zoomeye_api_key]
       end
 
       def api
-        @api ||= ::ZoomEye::API.new(username: Mihari.config.zoomeye_username, password: Mihari.config.zoomeye_password)
+        @api ||= ::ZoomEye::API.new(api_key: Mihari.config.zoomeye_api_key)
       end
 
       def convert_responses(responses)
@@ -53,16 +47,16 @@ module Mihari
         end.flatten.compact.uniq
       end
 
-      def _host_lookup(query, page: 1)
+      def _host_search(query, page: 1)
         api.host.search(query, page: page)
       rescue ::ZoomEye::Error => _e
         nil
       end
 
-      def host_lookup
+      def host_search
         responses = []
         (1..Float::INFINITY).each do |page|
-          res = _host_lookup(query, page: page)
+          res = _host_search(query, page: page)
           break unless res
 
           total = res["total"].to_i
@@ -72,16 +66,16 @@ module Mihari
         convert_responses responses.compact
       end
 
-      def _web_lookup(query, page: 1)
+      def _web_search(query, page: 1)
         api.web.search(query, page: page)
       rescue ::ZoomEye::Error => _e
         nil
       end
 
-      def web_lookup
+      def web_search
         responses = []
         (1..Float::INFINITY).each do |page|
-          res = _web_lookup(query, page: page)
+          res = _web_search(query, page: page)
           break unless res
 
           total = res["total"].to_i