RubyGems - mihari - Versions diffs - 2.4.0 → 3.0.0 - Mend

mihari 2.4.0 → 3.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (106) hide show

checksums.yaml +4 -4
data/.gitignore +7 -0
data/.overcommit.yml +12 -0
data/README.md +1 -9
data/exe/mihari +1 -1
data/lib/mihari.rb +88 -15
data/lib/mihari/analyzers/base.rb +49 -8
data/lib/mihari/analyzers/basic.rb +1 -2
data/lib/mihari/analyzers/binaryedge.rb +7 -13
data/lib/mihari/analyzers/censys.rb +26 -63
data/lib/mihari/analyzers/circl.rb +20 -17
data/lib/mihari/analyzers/crtsh.rb +6 -13
data/lib/mihari/analyzers/dnpedia.rb +6 -12
data/lib/mihari/analyzers/dnstwister.rb +13 -10
data/lib/mihari/analyzers/onyphe.rb +6 -12
data/lib/mihari/analyzers/otx.rb +22 -19
data/lib/mihari/analyzers/passivetotal.rb +22 -21
data/lib/mihari/analyzers/pulsedive.rb +16 -13
data/lib/mihari/analyzers/rule.rb +99 -0
data/lib/mihari/analyzers/securitytrails.rb +22 -19
data/lib/mihari/analyzers/shodan.rb +7 -13
data/lib/mihari/analyzers/spyse.rb +12 -19
data/lib/mihari/analyzers/urlscan.rb +22 -27
data/lib/mihari/analyzers/virustotal.rb +25 -22
data/lib/mihari/analyzers/zoomeye.rb +14 -20
data/lib/mihari/cli/analyzer.rb +44 -0
data/lib/mihari/cli/base.rb +27 -0
data/lib/mihari/cli/init.rb +13 -0
data/lib/mihari/cli/main.rb +30 -0
data/lib/mihari/cli/mixins/utils.rb +88 -0
data/lib/mihari/cli/validator.rb +11 -0
data/lib/mihari/commands/binaryedge.rb +1 -1
data/lib/mihari/commands/censys.rb +1 -1
data/lib/mihari/commands/circl.rb +2 -2
data/lib/mihari/commands/crtsh.rb +1 -1
data/lib/mihari/commands/dnpedia.rb +1 -1
data/lib/mihari/commands/dnstwister.rb +2 -2
data/lib/mihari/commands/init.rb +46 -0
data/lib/mihari/commands/json.rb +1 -1
data/lib/mihari/commands/onyphe.rb +1 -1
data/lib/mihari/commands/otx.rb +2 -2
data/lib/mihari/commands/passivetotal.rb +2 -2
data/lib/mihari/commands/pulsedive.rb +2 -2
data/lib/mihari/commands/search.rb +77 -0
data/lib/mihari/commands/securitytrails.rb +2 -2
data/lib/mihari/commands/shodan.rb +1 -1
data/lib/mihari/commands/spyse.rb +1 -1
data/lib/mihari/commands/urlscan.rb +2 -2
data/lib/mihari/commands/validator.rb +38 -0
data/lib/mihari/commands/virustotal.rb +2 -2
data/lib/mihari/commands/zoomeye.rb +1 -1
data/lib/mihari/constraints.rb +5 -0
data/lib/mihari/database.rb +13 -2
data/lib/mihari/emitters/base.rb +2 -2
data/lib/mihari/emitters/database.rb +1 -1
data/lib/mihari/emitters/misp.rb +1 -1
data/lib/mihari/emitters/slack.rb +5 -6
data/lib/mihari/emitters/the_hive.rb +1 -1
data/lib/mihari/emitters/webhook.rb +2 -9
data/lib/mihari/mixins/configurable.rb +38 -0
data/lib/mihari/mixins/configuration.rb +85 -0
data/lib/mihari/mixins/hash.rb +20 -0
data/lib/mihari/mixins/refang.rb +21 -0
data/lib/mihari/mixins/retriable.rb +27 -0
data/lib/mihari/mixins/rule.rb +79 -0
data/lib/mihari/models/alert.rb +28 -1
data/lib/mihari/models/artifact.rb +10 -0
data/lib/mihari/notifiers/base.rb +9 -1
data/lib/mihari/notifiers/exception_notifier.rb +50 -0
data/lib/mihari/notifiers/slack.rb +29 -0
data/lib/mihari/schemas/configuration.rb +42 -0
data/lib/mihari/schemas/macros.rb +17 -0
data/lib/mihari/schemas/rule.rb +72 -0
data/lib/mihari/serializers/artifact.rb +1 -1
data/lib/mihari/status.rb +14 -0
data/lib/mihari/templates/rule.yml.erb +19 -0
data/lib/mihari/type_checker.rb +8 -3
data/lib/mihari/version.rb +1 -1
data/lib/mihari/web/controllers/base_controller.rb +1 -1
data/lib/mihari/web/public/index.html +1 -21
data/lib/mihari/web/public/redoc-static.html +2 -2
data/lib/mihari/web/public/static/js/app.ab213f7c.js +12 -0
data/lib/mihari/web/public/static/js/app.ab213f7c.js.map +1 -0
data/mihari.gemspec +12 -5
metadata +123 -50
data/.rubocop.yml +0 -161
data/lib/mihari/analyzers/free_text.rb +0 -48
data/lib/mihari/analyzers/http_hash.rb +0 -100
data/lib/mihari/analyzers/passive_dns.rb +0 -59
data/lib/mihari/analyzers/passive_ssl.rb +0 -55
data/lib/mihari/analyzers/reverse_whois.rb +0 -55
data/lib/mihari/analyzers/securitytrails_domain_feed.rb +0 -59
data/lib/mihari/analyzers/ssh_fingerprint.rb +0 -58
data/lib/mihari/cli.rb +0 -126
data/lib/mihari/commands/config.rb +0 -27
data/lib/mihari/commands/free_text.rb +0 -21
data/lib/mihari/commands/http_hash.rb +0 -25
data/lib/mihari/commands/passive_dns.rb +0 -21
data/lib/mihari/commands/passive_ssl.rb +0 -21
data/lib/mihari/commands/reverse_whois.rb +0 -21
data/lib/mihari/commands/securitytrails_domain_feed.rb +0 -23
data/lib/mihari/commands/ssh_fingerprint.rb +0 -21
data/lib/mihari/config.rb +0 -85
data/lib/mihari/configurable.rb +0 -21
data/lib/mihari/html.rb +0 -43
data/lib/mihari/retriable.rb +0 -17

data/lib/mihari/mixins/rule.rb ADDED Viewed

@@ -0,0 +1,79 @@
+require "date"
+require "pathname"
+require "yaml"
+require "erb"
+module Mihari
+  module Mixins
+    module Rule
+      #
+      # Load rule into hash
+      #
+      # @param [String] path Path to YAML file or YAML string
+      #
+      # @return [Hash]
+      #
+      def load_rule(path)
+        return YAML.safe_load(File.read(path), permitted_classes: [Date], symbolize_names: true) if Pathname(path).exist?
+        YAML.safe_load(path, symbolize_names: true)
+      end
+      #
+      # Validate rule schema
+      #
+      # @param [Hash] rule
+      #
+      def validate_rule(rule)
+        error_message = "Failed to parse the input as a rule!"
+        contract = Schemas::RuleContract.new
+        begin
+          result = contract.call(rule)
+          unless result.errors.empty?
+            messages = result.errors.messages.map do |message|
+              path = message.path.map(&:to_s).join
+              "#{path} #{message.text}"
+            end
+            puts error_message.colorize(:red)
+            raise ArgumentError, messages.join("\n")
+          end
+        rescue NoMethodError
+          puts error_message.colorize(:red)
+          raise ArgumentError, "Invalid rule schema"
+        end
+      end
+      #
+      # Returns a template for rule
+      #
+      # @return [String] A template for rule
+      #
+      def rule_template
+        # Use ERB to fill created_on and updated_on with Date.today
+        data = File.read(File.expand_path("../templates/rule.yml.erb", __dir__))
+        template = ERB.new(data)
+        data = template.result
+        # validate the template of rule for just in case
+        rule = YAML.safe_load(data, permitted_classes: [Date], symbolize_names: true)
+        validate_rule rule
+        data
+      end
+      #
+      # Create (blank) rule file
+      #
+      # @param [String] filename
+      # @param [Dry::Files] files
+      # @param [String] template
+      #
+      # @return [nil]
+      #
+      def initialize_rule_yaml(filename, files = Dry::Files.new, template: rule_template)
+        files.write(filename, template)
+      end
+    end
+  end
+end

data/lib/mihari/models/alert.rb CHANGED Viewed

@@ -10,6 +10,21 @@ module Mihari
     has_many :tags, through: :taggings
     class << self
+      #
+      # Search alerts
+      #
+      # @param [String, nil] artifact_data
+      # @param [String, nil] description
+      # @param [String, nil] source
+      # @param [String, nil] tag_name
+      # @param [String, nil] title
+      # @param [String, nil] from_at
+      # @param [String, nil] to_at
+      # @param [Integer, nil] limit
+      # @param [Integer, nil] page
+      #
+      # @return [Array<Hash>]
+      #
       def search(artifact_data: nil, description: nil, source: nil, tag_name: nil, title: nil, from_at: nil, to_at: nil, limit: 10, page: 1)
         limit = limit.to_i
         raise ArgumentError, "limit should be bigger than zero" unless limit.positive?
@@ -20,7 +35,6 @@ module Mihari
         offset = (page - 1) * limit
         relation = build_relation(artifact_data: artifact_data, title: title, description: description, source: source, tag_name: tag_name, from_at: from_at, to_at: to_at)
-        # relation = relation.group("alerts.id")
         alerts = relation.limit(limit).offset(offset).order(id: :desc)
@@ -32,6 +46,19 @@ module Mihari
         end
       end
+      #
+      # Count alerts
+      #
+      # @param [String, nil] artifact_data
+      # @param [String, nil] description
+      # @param [String, nil] source
+      # @param [String, nil] tag_name
+      # @param [String, nil] title
+      # @param [String, nil] from_at
+      # @param [String, nil] to_at
+      #
+      # @return [Integer]
+      #
       def count(artifact_data: nil, description: nil, source: nil, tag_name: nil, title: nil, from_at: nil, to_at: nil)
         relation = build_relation(artifact_data: artifact_data, title: title, description: description, source: source, tag_name: tag_name, from_at: from_at, to_at: to_at)
         relation.distinct("alerts.id").count

data/lib/mihari/models/artifact.rb CHANGED Viewed

@@ -16,13 +16,23 @@ end
 module Mihari
   class Artifact < ActiveRecord::Base
     include ActiveModel::Validations
     validates_with ArtifactValidator
     def initialize(attributes)
       super
       self.data_type = TypeChecker.type(data)
     end
+    #
+    # Check uniqueness of artifact
+    #
+    # @param [Boolean] ignore_old_artifacts
+    # @param [Integer] ignore_threshold
+    #
+    # @return [Boolean] true if it is unique. Otherwise false.
+    #
     def unique?(ignore_old_artifacts: false, ignore_threshold: 0)
       artifact = self.class.where(data: data).order(created_at: :desc).first
       return true if artifact.nil?

data/lib/mihari/notifiers/base.rb CHANGED Viewed

@@ -3,11 +3,19 @@
 module Mihari
   module Notifiers
     class Base
-      # @return [true, false]
+      # Validate notifier availability
+      #
+      # @return [Boolean]
+      #
       def valid?
         raise NotImplementedError, "You must implement #{self.class}##{__method__}"
       end
+      #
+      # Send a notification
+      #
+      # @return [nil]
+      #
       def notify
         raise NotImplementedError, "You must implement #{self.class}##{__method__}"
       end

data/lib/mihari/notifiers/exception_notifier.rb CHANGED Viewed

@@ -24,10 +24,25 @@ module Mihari
         notify_to_slack(text: clean_message, attachments: attachments) if @slack.valid?
       end
+      #
+      # Send notification to Slack
+      #
+      # @param [String] text
+      # @param [Array<Hash>] attachments
+      #
+      # @return [nil]
+      #
       def notify_to_slack(text:, attachments:)
         @slack.notify(text: text, attachments: attachments)
       end
+      #
+      # Send notification to STDOUT
+      #
+      # @param [Exception] exception
+      #
+      # @return [nil]
+      #
       def notify_to_stdout(exception)
         text = to_text(exception.class).chomp
         message = "#{text}: #{exception.message}"
@@ -35,6 +50,14 @@ module Mihari
         puts format_backtrace(exception.backtrace) if exception.backtrace
       end
+      #
+      # Convert exception to attachments (for Slack)
+      #
+      # @param [Exception] exception
+      # @param [String] clean_message
+      #
+      # @return [Array<Hash>]
+      #
       def to_attachments(exception, clean_message)
         text = to_text(exception.class)
         backtrace = exception.backtrace
@@ -43,12 +66,27 @@ module Mihari
         [color: @color, text: text, fields: fields, mrkdwn_in: %w[text fields]]
       end
+      #
+      # Convert exception class to text
+      #
+      # @param [Class<Exception>] exception_class
+      #
+      # @return [String]
+      #
       def to_text(exception_class)
         measure_word = /^[aeiou]/i.match?(exception_class.to_s) ? "An" : "A"
         exception_name = "*#{measure_word}* `#{exception_class}`"
         "#{exception_name} *occured in background*\n"
       end
+      #
+      # Convert clean_message and backtrace into fields (for Slack)
+      #
+      # @param [String] clean_message
+      # @param [Array] backtrace
+      #
+      # @return [Array<Hash>]
+      #
       def to_fields(clean_message, backtrace)
         fields = [
           { title: "Exception", value: clean_message },
@@ -62,12 +100,24 @@ module Mihari
         fields
       end
+      #
+      # Hostname of runnning instance
+      #
+      # @return [String]
+      #
       def hostname
         Socket.gethostname
       rescue StandardError => _e
         "N/A"
       end
+      #
+      # Format backtrace in string
+      #
+      # @param [Array] backtrace
+      #
+      # @return [String]
+      #
       def format_backtrace(backtrace)
         return nil unless backtrace

data/lib/mihari/notifiers/slack.rb CHANGED Viewed

@@ -9,22 +9,51 @@ module Mihari
       SLACK_CHANNEL_KEY = "SLACK_CHANNEL"
       DEFAULT_USERNAME = "mihari"
+      #
+      # Slack channel to post
+      #
+      # @return [String]
+      #
       def slack_channel
         Mihari.config.slack_channel || "#general"
       end
+      #
+      # Slack webhook URL
+      #
+      # @return [String]
+      #
       def slack_webhook_url
         Mihari.config.slack_webhook_url
       end
+      #
+      # Check Slack webhook URL is set
+      #
+      # @return [Boolean]
+      #
       def slack_webhook_url?
         !Mihari.config.slack_webhook_url.nil?
       end
+      #
+      # Check Slack webhook URL is set. Alias of #slack_webhook_url?.
+      #
+      # @return [Boolean]
+      #
       def valid?
         slack_webhook_url?
       end
+      #
+      # Send notification to Slack
+      #
+      # @param [String] text
+      # @param [Array<Hash>] attachments
+      # @param [Boolean] mrkdwn
+      #
+      # @return [nil]
+      #
       def notify(text:, attachments: [], mrkdwn: true)
         notifier = ::Slack::Notifier.new(slack_webhook_url, channel: slack_channel, username: DEFAULT_USERNAME)
         notifier.post(text: text, attachments: attachments, mrkdwn: mrkdwn)

data/lib/mihari/schemas/configuration.rb ADDED Viewed

@@ -0,0 +1,42 @@
+# frozen_string_literal: true
+require "dry/schema"
+require "dry/validation"
+require "mihari/schemas/macros"
+module Mihari
+  module Schemas
+    Configuration = Dry::Schema.Params do
+      optional(:binaryedge_api_key).value(:string)
+      optional(:censys_id).value(:string)
+      optional(:censys_secret).value(:string)
+      optional(:circl_passive_password).value(:string)
+      optional(:circl_passive_username).value(:string)
+      optional(:misp_api_endpoint).value(:string)
+      optional(:misp_api_key).value(:string)
+      optional(:onyphe_api_key).value(:string)
+      optional(:otx_api_key).value(:string)
+      optional(:passivetotal_api_key).value(:string)
+      optional(:passivetotal_username).value(:string)
+      optional(:pulsedive_api_key).value(:string)
+      optional(:securitytrails_api_key).value(:string)
+      optional(:shodan_api_key).value(:string)
+      optional(:slack_channel).value(:string)
+      optional(:slack_webhook_url).value(:string)
+      optional(:spyse_api_key).value(:string)
+      optional(:thehive_api_endpoint).value(:string)
+      optional(:thehive_api_key).value(:string)
+      optional(:urlscan_api_key).value(:string)
+      optional(:virustotal_api_key).value(:string)
+      optional(:zoomeye_api_key).value(:string)
+      optional(:webhook_url).value(:string)
+      optional(:webhook_use_json_body).value(:bool)
+      optional(:database).value(:string)
+    end
+    class ConfigurationContract < Dry::Validation::Contract
+      params(Configuration)
+    end
+  end
+end

data/lib/mihari/schemas/macros.rb ADDED Viewed

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+require "dry/types"
+module Dry
+  module Schema
+    module Macros
+      class DSL
+        def default(value)
+          schema_dsl.before(:rule_applier) do |result|
+            result.update(name => value) unless result[name]
+          end
+        end
+      end
+    end
+  end
+end

data/lib/mihari/schemas/rule.rb ADDED Viewed

@@ -0,0 +1,72 @@
+# frozen_string_literal: true
+require "dry/schema"
+require "dry/validation"
+require "dry/types"
+require "mihari/schemas/macros"
+module Mihari
+  module Types
+    include Dry.Types()
+  end
+  DataTypes = Types::String.enum(*ALLOWED_DATA_TYPES)
+  AnalyzerTypes = Types::String.enum(
+    "binaryedge", "censys", "circl", "dnpedia", "dnstwister",
+    "onyphe", "otx", "passivetotal", "pulsedive", "securitytrails",
+    "shodan", "virustotal"
+  )
+  module Schemas
+    Analyzer = Dry::Schema.Params do
+      required(:analyzer).value(AnalyzerTypes)
+      required(:query).value(:string)
+    end
+    Spyse = Dry::Schema.Params do
+      required(:analyzer).value(Types::String.enum("spyse"))
+      required(:query).value(:string)
+      required(:type).value(Types::String.enum("ip", "domain"))
+    end
+    ZoomEye = Dry::Schema.Params do
+      required(:analyzer).value(Types::String.enum("zoomeye"))
+      required(:query).value(:string)
+      required(:type).value(Types::String.enum("host", "web"))
+    end
+    Crtsh = Dry::Schema.Params do
+      required(:analyzer).value(Types::String.enum("crtsh"))
+      required(:query).value(:string)
+      optional(:exclude_expired).value(:bool).default(true)
+    end
+    Urlscan = Dry::Schema.Params do
+      required(:analyzer).value(Types::String.enum("urlscan"))
+      required(:query).value(:string)
+      optional(:use_similarity).value(:bool).default(true)
+    end
+    Rule = Dry::Schema.Params do
+      required(:title).value(:string)
+      required(:description).value(:string)
+      optional(:tags).value(array[:string]).default([])
+      optional(:id).value(:string)
+      optional(:author).value(:string)
+      optional(:created_on).value(:date)
+      optional(:updated_on).value(:date)
+      required(:queries).value(:array).each { Analyzer | Spyse | ZoomEye | Urlscan | Crtsh }
+      optional(:allowed_data_types).value(array[DataTypes]).default(ALLOWED_DATA_TYPES)
+    end
+    class RuleContract < Dry::Validation::Contract
+      params(Rule)
+    end
+  end
+end