RubyGems - mihari - Versions diffs - 2.3.1 → 3.1.0 - Mend

mihari 2.3.1 → 3.1.0

Files changed (108) hide show

checksums.yaml +4 -4
data/.gitignore +7 -0
data/.overcommit.yml +12 -0
data/README.md +1 -9
data/docker/Dockerfile +1 -1
data/exe/mihari +1 -1
data/lib/mihari.rb +89 -15
data/lib/mihari/analyzers/base.rb +49 -8
data/lib/mihari/analyzers/basic.rb +1 -2
data/lib/mihari/analyzers/binaryedge.rb +7 -13
data/lib/mihari/analyzers/censys.rb +26 -63
data/lib/mihari/analyzers/circl.rb +20 -17
data/lib/mihari/analyzers/crtsh.rb +6 -13
data/lib/mihari/analyzers/dnpedia.rb +6 -12
data/lib/mihari/analyzers/dnstwister.rb +13 -10
data/lib/mihari/analyzers/onyphe.rb +6 -12
data/lib/mihari/analyzers/otx.rb +22 -19
data/lib/mihari/analyzers/passivetotal.rb +22 -21
data/lib/mihari/analyzers/pulsedive.rb +16 -13
data/lib/mihari/analyzers/rule.rb +97 -0
data/lib/mihari/analyzers/securitytrails.rb +22 -19
data/lib/mihari/analyzers/shodan.rb +7 -13
data/lib/mihari/analyzers/spyse.rb +12 -19
data/lib/mihari/analyzers/urlscan.rb +22 -27
data/lib/mihari/analyzers/virustotal.rb +25 -22
data/lib/mihari/analyzers/zoomeye.rb +14 -20
data/lib/mihari/cli/analyzer.rb +44 -0
data/lib/mihari/cli/base.rb +27 -0
data/lib/mihari/cli/init.rb +13 -0
data/lib/mihari/cli/main.rb +30 -0
data/lib/mihari/cli/mixins/utils.rb +88 -0
data/lib/mihari/cli/validator.rb +11 -0
data/lib/mihari/commands/binaryedge.rb +1 -1
data/lib/mihari/commands/censys.rb +1 -1
data/lib/mihari/commands/circl.rb +2 -2
data/lib/mihari/commands/crtsh.rb +1 -1
data/lib/mihari/commands/dnpedia.rb +1 -1
data/lib/mihari/commands/dnstwister.rb +2 -2
data/lib/mihari/commands/init.rb +46 -0
data/lib/mihari/commands/json.rb +1 -1
data/lib/mihari/commands/onyphe.rb +1 -1
data/lib/mihari/commands/otx.rb +2 -2
data/lib/mihari/commands/passivetotal.rb +2 -2
data/lib/mihari/commands/pulsedive.rb +2 -2
data/lib/mihari/commands/search.rb +77 -0
data/lib/mihari/commands/securitytrails.rb +2 -2
data/lib/mihari/commands/shodan.rb +1 -1
data/lib/mihari/commands/spyse.rb +1 -1
data/lib/mihari/commands/urlscan.rb +2 -2
data/lib/mihari/commands/validator.rb +38 -0
data/lib/mihari/commands/virustotal.rb +2 -2
data/lib/mihari/commands/zoomeye.rb +1 -1
data/lib/mihari/constraints.rb +5 -0
data/lib/mihari/database.rb +13 -2
data/lib/mihari/emitters/base.rb +2 -2
data/lib/mihari/emitters/database.rb +1 -1
data/lib/mihari/emitters/misp.rb +3 -1
data/lib/mihari/emitters/slack.rb +6 -10
data/lib/mihari/emitters/the_hive.rb +1 -1
data/lib/mihari/emitters/webhook.rb +53 -0
data/lib/mihari/mixins/configurable.rb +38 -0
data/lib/mihari/mixins/configuration.rb +90 -0
data/lib/mihari/mixins/hash.rb +20 -0
data/lib/mihari/mixins/refang.rb +21 -0
data/lib/mihari/mixins/retriable.rb +27 -0
data/lib/mihari/mixins/rule.rb +79 -0
data/lib/mihari/models/alert.rb +28 -1
data/lib/mihari/models/artifact.rb +11 -1
data/lib/mihari/notifiers/base.rb +9 -1
data/lib/mihari/notifiers/exception_notifier.rb +50 -0
data/lib/mihari/notifiers/slack.rb +29 -1
data/lib/mihari/schemas/configuration.rb +42 -0
data/lib/mihari/schemas/macros.rb +17 -0
data/lib/mihari/schemas/rule.rb +72 -0
data/lib/mihari/serializers/artifact.rb +1 -1
data/lib/mihari/status.rb +14 -0
data/lib/mihari/templates/rule.yml.erb +19 -0
data/lib/mihari/type_checker.rb +8 -3
data/lib/mihari/version.rb +1 -1
data/lib/mihari/web/controllers/base_controller.rb +1 -1
data/lib/mihari/web/public/index.html +1 -21
data/lib/mihari/web/public/redoc-static.html +2 -2
data/lib/mihari/web/public/static/js/app.ab213f7c.js +12 -0
data/lib/mihari/web/public/static/js/app.ab213f7c.js.map +1 -0
data/mihari.gemspec +19 -12
metadata +138 -65
data/.rubocop.yml +0 -161
data/lib/mihari/analyzers/free_text.rb +0 -48
data/lib/mihari/analyzers/http_hash.rb +0 -100
data/lib/mihari/analyzers/passive_dns.rb +0 -59
data/lib/mihari/analyzers/passive_ssl.rb +0 -55
data/lib/mihari/analyzers/reverse_whois.rb +0 -55
data/lib/mihari/analyzers/securitytrails_domain_feed.rb +0 -59
data/lib/mihari/analyzers/ssh_fingerprint.rb +0 -58
data/lib/mihari/cli.rb +0 -126
data/lib/mihari/commands/config.rb +0 -27
data/lib/mihari/commands/free_text.rb +0 -21
data/lib/mihari/commands/http_hash.rb +0 -25
data/lib/mihari/commands/passive_dns.rb +0 -21
data/lib/mihari/commands/passive_ssl.rb +0 -21
data/lib/mihari/commands/reverse_whois.rb +0 -21
data/lib/mihari/commands/securitytrails_domain_feed.rb +0 -23
data/lib/mihari/commands/ssh_fingerprint.rb +0 -21
data/lib/mihari/config.rb +0 -83
data/lib/mihari/configurable.rb +0 -21
data/lib/mihari/html.rb +0 -43
data/lib/mihari/retriable.rb +0 -17
data/lib/mihari/slack_monkeypatch.rb +0 -16

data/lib/mihari/analyzers/circl.rb CHANGED Viewed

@@ -5,26 +5,29 @@ require "passive_circl"
 module Mihari
   module Analyzers
     class CIRCL < Base
-      attr_reader :title, :description, :tags
+      include Mixins::Refang
-      def initialize(query, title: nil, description: nil, tags: [])
-        super()
+      param :query
+      option :title, default: proc { "CIRCL passive DNS/SSL search" }
+      option :description, default: proc { "query = #{query}" }
+      option :tags, default: proc { [] }
-        @query = query
-        @type = TypeChecker.type(query)
+      attr_reader :type
+      def initialize(*args, **kwargs)
+        super
-        @title = title || "CIRCL passive lookup"
-        @description = description || "query = #{query}"
-        @tags = tags
+        @query = refang(query)
+        @type = TypeChecker.type(query)
       end
       def artifacts
-        lookup || []
+        search || []
       end
       private
-      def config_keys
+      def configuration_keys
         %w[circl_passive_password circl_passive_username]
       end
@@ -32,26 +35,26 @@ module Mihari
         @api ||= ::PassiveCIRCL::API.new(username: Mihari.config.circl_passive_username, password: Mihari.config.circl_passive_password)
       end
-      def lookup
+      def search
         case @type
         when "domain"
-          passive_dns_lookup
+          passive_dns_search
         when "hash"
-          passive_ssl_lookup
+          passive_ssl_search
         else
           raise InvalidInputError, "#{@query}(type: #{@type || "unknown"}) is not supported."
         end
       end
-      def passive_dns_lookup
+      def passive_dns_search
         results = api.dns.query(@query)
-        results.map do |result|
+        results.filter_map do |result|
           type = result["rrtype"]
           type == "A" ? result["rdata"] : nil
-        end.compact.uniq
+        end.uniq
       end
-      def passive_ssl_lookup
+      def passive_ssl_search
         result = api.ssl.cquery(@query)
         seen = result["seen"] || []
         seen.uniq

data/lib/mihari/analyzers/crtsh.rb CHANGED Viewed

@@ -5,22 +5,15 @@ require "crtsh"
 module Mihari
   module Analyzers
     class Crtsh < Base
-      attr_reader :title, :description, :query, :tags, :exclude_expired
-      def initialize(query, title: nil, description: nil, tags: [], exclude_expired: nil)
-        super()
-        @query = query
-        @title = title || "crt.sh lookup"
-        @description = description || "query = #{query}"
-        @tags = tags
-        @exclude_expired = exclude_expired.nil? ? true : exclude_expired
-      end
+      param :query
+      option :title, default: proc { "crt.sh search" }
+      option :description, default: proc { "query = #{query}" }
+      option :tags, default: proc { [] }
+      option :exclude_expired, default: proc { true }
       def artifacts
         results = search
-        name_values = results.map { |result| result["name_value"] }.compact
+        name_values = results.filter_map { |result| result["name_value"] }
         name_values.map(&:lines).flatten.uniq.map(&:chomp)
       end

data/lib/mihari/analyzers/dnpedia.rb CHANGED Viewed

@@ -5,19 +5,13 @@ require "dnpedia"
 module Mihari
   module Analyzers
     class DNPedia < Base
-      attr_reader :query, :title, :description, :tags
-      def initialize(query, title: nil, description: nil, tags: [])
-        super()
-        @query = query
-        @title = title || "DNPedia domain lookup"
-        @description = description || "query = #{query}"
-        @tags = tags
-      end
+      param :query
+      option :title, default: proc { "DNPedia domain search" }
+      option :description, default: proc { "query = #{query}" }
+      option :tags, default: proc { [] }
       def artifacts
-        lookup || []
+        search || []
       end
       private
@@ -26,7 +20,7 @@ module Mihari
         @api ||= ::DNPedia::API.new
       end
-      def lookup
+      def search
         res = api.search(query)
         rows = res["rows"] || []
         rows.map do |row|

data/lib/mihari/analyzers/dnstwister.rb CHANGED Viewed

@@ -7,21 +7,24 @@ require "parallel"
 module Mihari
   module Analyzers
     class DNSTwister < Base
-      attr_reader :query, :type, :title, :description, :tags
+      include Mixins::Refang
-      def initialize(query, title: nil, description: nil, tags: [])
-        super()
+      param :query
+      option :title, default: proc { "dnstwister domain search" }
+      option :description, default: proc { "query = #{query}" }
+      option :tags, default: proc { [] }
-        @query = query
-        @type = TypeChecker.type(query)
+      attr_reader :type
+      def initialize(*args, **kwargs)
+        super
-        @title = title || "dnstwister domain lookup"
-        @description = description || "query = #{query}"
-        @tags = tags
+        @query = refang(query)
+        @type = TypeChecker.type(query)
       end
       def artifacts
-        lookup || []
+        search || []
       end
       private
@@ -41,7 +44,7 @@ module Mihari
         false
       end
-      def lookup
+      def search
         raise InvalidInputError, "#{query}(type: #{type || "unknown"}) is not supported." unless valid_type?
         res = api.fuzz(query)

data/lib/mihari/analyzers/onyphe.rb CHANGED Viewed

@@ -5,16 +5,10 @@ require "onyphe"
 module Mihari
   module Analyzers
     class Onyphe < Base
-      attr_reader :title, :description, :query, :tags
-      def initialize(query, title: nil, description: nil, tags: [])
-        super()
-        @query = query
-        @title = title || "Onyphe lookup"
-        @description = description || "query = #{query}"
-        @tags = tags
-      end
+      param :query
+      option :title, default: proc { "Onyphe search" }
+      option :description, default: proc { "query = #{query}" }
+      option :tags, default: proc { [] }
       def artifacts
         results = search
@@ -24,14 +18,14 @@ module Mihari
           result["results"]
         end.flatten.compact
-        flat_results.map { |result| result["ip"] }.compact.uniq
+        flat_results.filter_map { |result| result["ip"] }.uniq
       end
       private
       PAGE_SIZE = 10
-      def config_keys
+      def configuration_keys
         %w[onyphe_api_key]
       end

data/lib/mihari/analyzers/otx.rb CHANGED Viewed

@@ -5,26 +5,29 @@ require "otx_ruby"
 module Mihari
   module Analyzers
     class OTX < Base
-      attr_reader :query, :type, :title, :description, :tags
+      include Mixins::Refang
-      def initialize(query, title: nil, description: nil, tags: [])
-        super()
+      param :query
+      option :title, default: proc { "OTX search" }
+      option :description, default: proc { "query = #{query}" }
+      option :tags, default: proc { [] }
-        @query = query
-        @type = TypeChecker.type(query)
+      attr_reader :type
+      def initialize(*args, **kwargs)
+        super
-        @title = title || "OTX lookup"
-        @description = description || "query = #{query}"
-        @tags = tags
+        @query = refang(query)
+        @type = TypeChecker.type(query)
       end
       def artifacts
-        lookup || []
+        search || []
       end
       private
-      def config_keys
+      def configuration_keys
         %w[otx_api_key]
       end
@@ -40,29 +43,29 @@ module Mihari
         %w[ip domain].include? type
       end
-      def lookup
+      def search
         case type
         when "domain"
-          domain_lookup
+          domain_search
         when "ip"
-          ip_lookup
+          ip_search
         else
           raise InvalidInputError, "#{query}(type: #{type || "unknown"}) is not supported." unless valid_type?
         end
       end
-      def domain_lookup
+      def domain_search
         records = domain_client.get_passive_dns(query)
-        records.map do |record|
+        records.filter_map do |record|
           record.address if record.record_type == "A"
-        end.compact.uniq
+        end.uniq
       end
-      def ip_lookup
+      def ip_search
         records = ip_client.get_passive_dns(query)
-        records.map do |record|
+        records.filter_map do |record|
           record.hostname if record.record_type == "A"
-        end.compact.uniq
+        end.uniq
       end
     end
   end

data/lib/mihari/analyzers/passivetotal.rb CHANGED Viewed

@@ -5,26 +5,29 @@ require "passivetotal"
 module Mihari
   module Analyzers
     class PassiveTotal < Base
-      attr_reader :query, :type, :title, :description, :tags
+      include Mixins::Refang
-      def initialize(query, title: nil, description: nil, tags: [])
-        super()
+      param :query
+      option :title, default: proc { "PassiveTotal search" }
+      option :description, default: proc { "query = #{query}" }
+      option :tags, default: proc { [] }
-        @query = query
-        @type = TypeChecker.type(query)
+      attr_reader :type
+      def initialize(*args, **kwargs)
+        super
-        @title = title || "PassiveTotal lookup"
-        @description = description || "query = #{query}"
-        @tags = tags
+        @query = refang(query)
+        @type = TypeChecker.type(query)
       end
       def artifacts
-        lookup || []
+        search || []
       end
       private
-      def config_keys
+      def configuration_keys
         %w[passivetotal_username passivetotal_api_key]
       end
@@ -33,30 +36,28 @@ module Mihari
       end
       def valid_type?
-        %w[ip domain mail].include? type
+        %w[ip domain mail hash].include? type
       end
-      def lookup
+      def search
         case type
-        when "domain"
-          passive_dns_lookup
-        when "ip"
-          passive_dns_lookup
+        when "domain", "ip"
+          passive_dns_search
         when "mail"
-          reverse_whois_lookup
+          reverse_whois_search
         when "hash"
-          ssl_lookup
+          ssl_search
         else
           raise InvalidInputError, "#{query}(type: #{type || "unknown"}) is not supported." unless valid_type?
         end
       end
-      def passive_dns_lookup
+      def passive_dns_search
         res = api.dns.passive_unique(query)
         res["results"] || []
       end
-      def reverse_whois_lookup
+      def reverse_whois_search
         res = api.whois.search(query: query, field: "email")
         results = res["results"] || []
         results.map do |result|
@@ -64,7 +65,7 @@ module Mihari
         end.flatten.compact.uniq
       end
-      def ssl_lookup
+      def ssl_search
         res = api.ssl.history(query)
         results = res["results"] || []
         results.map do |result|

data/lib/mihari/analyzers/pulsedive.rb CHANGED Viewed

@@ -5,26 +5,29 @@ require "pulsedive"
 module Mihari
   module Analyzers
     class Pulsedive < Base
-      attr_reader :query, :type, :title, :description, :tags
+      include Mixins::Refang
-      def initialize(query, title: nil, description: nil, tags: [])
-        super()
+      param :query
+      option :title, default: proc { "Pulsedive search" }
+      option :description, default: proc { "query = #{query}" }
+      option :tags, default: proc { [] }
-        @query = query
-        @type = TypeChecker.type(query)
+      attr_reader :type
+      def initialize(*args, **kwargs)
+        super
-        @title = title || "Pulsedive lookup"
-        @description = description || "query = #{query}"
-        @tags = tags
+        @query = refang(query)
+        @type = TypeChecker.type(query)
       end
       def artifacts
-        lookup || []
+        search || []
       end
       private
-      def config_keys
+      def configuration_keys
         %w[pulsedive_api_key]
       end
@@ -36,16 +39,16 @@ module Mihari
         %w[ip domain].include? type
       end
-      def lookup
+      def search
         raise InvalidInputError, "#{query}(type: #{type || "unknown"}) is not supported." unless valid_type?
         indicator = api.indicator.get_by_value(query)
         iid = indicator["iid"]
         properties = api.indicator.get_properties_by_id(iid)
-        (properties["dns"] || []).map do |property|
+        (properties["dns"] || []).filter_map do |property|
           property["value"] if ["A", "PTR"].include?(property["name"])
-        end.compact
+        end
       end
     end
   end

data/lib/mihari/analyzers/rule.rb ADDED Viewed

@@ -0,0 +1,97 @@
+# frozen_string_literal: true
+require "uuidtools"
+module Mihari
+  module Analyzers
+    class Rule < Base
+      option :title
+      option :description
+      option :queries
+      option :id, default: proc {}
+      option :tags, default: proc { [] }
+      option :allowed_data_types, default: proc { ALLOWED_DATA_TYPES }
+      attr_reader :source
+      def initialize(**kwargs)
+        super(**kwargs)
+        @source = id || UUIDTools::UUID.md5_create(UUIDTools::UUID_URL_NAMESPACE, title + description).to_s
+      end
+      ANALYZER_TO_CLASS = {
+        "binaryedge" => BinaryEdge,
+        "censys" => Censys,
+        "circl" => CIRCL,
+        "crtsh" => Crtsh,
+        "dnpedia" => DNPedia,
+        "dnstwister" => DNSTwister,
+        "onyphe" => Onyphe,
+        "otx" => OTX,
+        "passivetotal" => PassiveTotal,
+        "pulsedive" => Pulsedive,
+        "securitytrails" => SecurityTrails,
+        "shodan" => Shodan,
+        "spyse" => Spyse,
+        "urlscan" => Urlscan,
+        "virustotal" => VirusTotal,
+        "zoomeye" => ZoomEye
+      }.freeze
+      #
+      # Returns a list of artifacts matched with queries
+      #
+      # @return [Array<Mihari::Artifact>]
+      #
+      def artifacts
+        artifacts = []
+        queries.each do |params|
+          analyzer_name = params[:analyzer]
+          klass = get_analyzer_class(analyzer_name)
+          query = params[:query]
+          analyzer = klass.new(query, **params)
+          # Use #normalized_artifacts method to get atrifacts as Array<Mihari::Artifact>
+          # So Mihari::Artifact object has "source" attribute (e.g. "Shodan")
+          artifacts << analyzer.normalized_artifacts
+        end
+        artifacts.flatten
+      end
+      #
+      # Normalize artifacts
+      # - Uniquefy artifacts by #uniq(&:data)
+      # - Reject an invalid artifact (for just in case)
+      # - Select artifacts with allowed data types
+      #
+      # @return [Array<Mihari::Artifact>]
+      #
+      def normalized_artifacts
+        @normalized_artifacts ||= artifacts.uniq(&:data).select(&:valid?).select do |artifact|
+          allowed_data_types.include? artifact.data_type
+        end
+      end
+      private
+      #
+      # Get analyzer class
+      #
+      # @param [String] analyzer_name
+      #
+      # @return [Class<Mihari::Analyzers::Base>] analyzer class
+      #
+      def get_analyzer_class(analyzer_name)
+        analyzer = ANALYZER_TO_CLASS[analyzer_name]
+        return analyzer if analyzer
+        raise ArgumentError, "#{analyzer_name} is not supported"
+      end
+    end
+  end
+end