mihari 3.1.0 → 3.4.1

Sign up to get free protection for your applications and to get access to all the features.
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: f34c26d8db3034c1442de414f7781bfa1587a9600a8b67c77e4e3b2ececfa22a
4
- data.tar.gz: 3116144adcce4f2aae5bdcfee2031d130cbb985dfbf5afebc422021b35659b0a
3
+ metadata.gz: 1d3afbbcde503f0bf4c63e2ed78441c92eb287e1d820bc075ff86587b0d0616d
4
+ data.tar.gz: 0bb88ca8b8c58d962c2e45b765935ac8ad8e9804c72edc39df082d5f019dce74
5
5
  SHA512:
6
- metadata.gz: f89efb0944d2848e113854c272107f1274e2d35240e0c9e23b43bc4b8636272daa10d2b3d6e73617aae02092642e554a9b50a53fe8660dabbe9b2efbf7c6238b
7
- data.tar.gz: 4f83a5c0d8823f918825b59d04f096ceb0c572e7db84c0226d0cda4c347733f98774afc071d7bffcaadd899ceabd5972b35a262cb49cd961fce081c375a1a551
6
+ metadata.gz: 298000884be755ef975bb13a5963203d693429f72c5fe0ffe8f63d7bc407d876ffacda068aae1d837d0fff5a71ea8b278f7409f068560df885e4178b4d70905d
7
+ data.tar.gz: c98fa5a38aacf7949f40d317484a86b245a5b82ede6eaf1d8ed2a1e361623712b08e464a1f8d9b2a89f77e63fbc5a0e3ab56488494134222fbc7fb0e70399cac
data/README.md CHANGED
@@ -14,11 +14,12 @@ Mihari is a framework for continuous OSINT based threat hunting.
14
14
 
15
15
  ## How it works
16
16
 
17
- ![img](https://github.com/ninoseki/mihari/raw/master/images/overview.png)
17
+ ![img](https://github.com/ninoseki/mihari/raw/master/images/overview.jpg)
18
18
 
19
19
  - Mihari makes a query against Shodan, Censys, VirusTotal, SecurityTrails, etc. and extracts artifacts (IP addresses, domains, URLs or hashes).
20
- - Mihari checks whether a DB (SQLite3, PostgreSQL or MySQL) contains the artifacts or not.
20
+ - Mihari checks whether the database (SQLite3, PostgreSQL or MySQL) contains the artifacts or not.
21
21
  - If it doesn't contain the artifacts:
22
+ - Mihari saves artifacts in the database.
22
23
  - Mihari creates an alert on TheHive.
23
24
  - Mihari sends a notification to Slack.
24
25
  - Mihari creates an event on MISP.
@@ -52,6 +53,10 @@ Mihari supports the following services by default.
52
53
 
53
54
  - [Mihari Knowledge Base](https://www.notion.so/Mihari-Knowledge-Base-266994ff61204428ba6cfcebe40b0bd1)
54
55
 
56
+ ## Presentations
57
+
58
+ - [Adversary Infrastructure Tracking with Mihari](https://ninoseki.github.io/presentations/Adversary%20Infrastructure%20Tracking%20with%20Mihari.pdf)
59
+
55
60
  ## License
56
61
 
57
62
  The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).
data/build_frontend.sh CHANGED
@@ -2,6 +2,7 @@
2
2
 
3
3
  CURRENT_DIR=${PWD}
4
4
 
5
+ # build the frontend app
5
6
  mkdir -p tmp
6
7
  cd tmp
7
8
  git clone https://github.com/ninoseki/mihari-frontend.git
@@ -11,4 +12,8 @@ npm run build
11
12
 
12
13
  cp -r dist/* ${CURRENT_DIR}/lib/mihari/web/public
13
14
 
15
+ # replace favicon path
16
+ sed -i "" 's/href="\/favicon.ico"/href="\/static\/favicon.ico"/' ${CURRENT_DIR}/lib/mihari/web/public/index.html
17
+
18
+ # remove tmp dir
14
19
  rm -rf ${CURRENT_DIR}/tmp/mihari-frontend
data/config.ru ADDED
@@ -0,0 +1,6 @@
1
+ require "./lib/mihari"
2
+
3
+ # set rack env as development
4
+ ENV["RACK_ENV"] ||= "development"
5
+
6
+ run Mihari::App
Binary file
data/lib/mihari.rb CHANGED
@@ -9,6 +9,7 @@ require "yaml"
9
9
  # Mixins
10
10
  require "mihari/mixins/configurable"
11
11
  require "mihari/mixins/configuration"
12
+ require "mihari/mixins/disallowed_data_value"
12
13
  require "mihari/mixins/hash"
13
14
  require "mihari/mixins/refang"
14
15
  require "mihari/mixins/retriable"
@@ -94,6 +95,7 @@ require "mihari/type_checker"
94
95
  require "mihari/constraints"
95
96
 
96
97
  # Schemas
98
+ require "mihari/schemas/analyzer"
97
99
  require "mihari/schemas/configuration"
98
100
  require "mihari/schemas/rule"
99
101
 
@@ -5,6 +5,8 @@ require "uuidtools"
5
5
  module Mihari
6
6
  module Analyzers
7
7
  class Rule < Base
8
+ include Mihari::Mixins::DisallowedDataValue
9
+
8
10
  option :title
9
11
  option :description
10
12
  option :queries
@@ -12,6 +14,7 @@ module Mihari
12
14
  option :id, default: proc {}
13
15
  option :tags, default: proc { [] }
14
16
  option :allowed_data_types, default: proc { ALLOWED_DATA_TYPES }
17
+ option :disallowed_data_values, default: proc { [] }
15
18
 
16
19
  attr_reader :source
17
20
 
@@ -68,12 +71,36 @@ module Mihari
68
71
  # - Uniquefy artifacts by #uniq(&:data)
69
72
  # - Reject an invalid artifact (for just in case)
70
73
  # - Select artifacts with allowed data types
74
+ # - Reject artifacts with disallowed data values
71
75
  #
72
76
  # @return [Array<Mihari::Artifact>]
73
77
  #
74
78
  def normalized_artifacts
75
79
  @normalized_artifacts ||= artifacts.uniq(&:data).select(&:valid?).select do |artifact|
76
80
  allowed_data_types.include? artifact.data_type
81
+ end.reject do |artifact|
82
+ disallowed_data_value? artifact.data
83
+ end
84
+ end
85
+
86
+ #
87
+ # Normalized disallowed data values
88
+ #
89
+ # @return [Array<Regexp, String>]
90
+ #
91
+ def normalized_disallowed_data_values
92
+ @normalized_disallowed_data_values ||= disallowed_data_values.map { |v| normalize_disallowed_data_value v }
93
+ end
94
+
95
+ #
96
+ # Check whether a value is a disallowed data value or not
97
+ #
98
+ # @return [Boolean]
99
+ #
100
+ def disallowed_data_value?(value)
101
+ normalized_disallowed_data_values.any? do |disallowed_data_value|
102
+ return value == disallowed_data_value if disallowed_data_value.is_a?(String)
103
+ return disallowed_data_value.match?(value) if disallowed_data_value.is_a?(Regexp)
77
104
  end
78
105
  end
79
106
 
@@ -22,6 +22,9 @@ require "mihari/commands/json"
22
22
  module Mihari
23
23
  module CLI
24
24
  class Analyzer < Base
25
+ class_option :ignore_old_artifacts, type: :boolean, default: false, desc: "Whether to ignore old artifacts from checking or not."
26
+ class_option :ignore_threshold, type: :numeric, default: 0, desc: "Number of days to define whether an artifact is old or not."
27
+
25
28
  include Mihari::Commands::BinaryEdge
26
29
  include Mihari::Commands::Censys
27
30
  include Mihari::Commands::CIRCL
@@ -14,9 +14,6 @@ module Mihari
14
14
 
15
15
  class_option :config, type: :string, desc: "Path to the config file"
16
16
 
17
- class_option :ignore_old_artifacts, type: :boolean, default: false, desc: "Whether to ignore old artifacts from checking or not. Only affects with analyze commands."
18
- class_option :ignore_threshold, type: :numeric, default: 0, desc: "Number of days to define whether an artifact is old or not. Only affects with analyze commands."
19
-
20
17
  class << self
21
18
  def exit_on_failure?
22
19
  true
@@ -5,10 +5,10 @@ require "colorize"
5
5
  module Mihari
6
6
  module Commands
7
7
  module Initialization
8
- def self.included(thor)
9
- include Mixins::Configuration
10
- include Mixins::Rule
8
+ include Mixins::Configuration
9
+ include Mixins::Rule
11
10
 
11
+ def self.included(thor)
12
12
  thor.class_eval do
13
13
  desc "config", "Create a config file"
14
14
  method_option :filename, type: :string, default: "mihari.yml"
@@ -13,12 +13,21 @@ module Mihari
13
13
  rule = load_rule(rule)
14
14
 
15
15
  # validate rule schema
16
- validate_rule rule
16
+ rule = validate_rule(rule)
17
17
 
18
- analyzer = build_rule_analyzer(**rule)
18
+ analyzer = build_rule_analyzer(
19
+ title: rule[:title],
20
+ description: rule[:description],
21
+ queries: rule[:queries],
22
+ tags: rule[:tags],
23
+ allowed_data_types: rule[:allowed_data_types],
24
+ disallowed_data_values: rule[:disallowed_data_values],
25
+ source: rule[:source],
26
+ id: rule[:id]
27
+ )
19
28
 
20
- ignore_old_artifacts = options["ignore_old_artifacts"] || false
21
- ignore_threshold = options["ignore_threshold"] || 0
29
+ ignore_old_artifacts = rule[:ignore_old_artifacts]
30
+ ignore_threshold = rule[:ignore_threshold]
22
31
 
23
32
  with_error_handling do
24
33
  run_rule_analyzer analyzer, ignore_old_artifacts: ignore_old_artifacts, ignore_threshold: ignore_threshold
@@ -37,13 +46,15 @@ module Mihari
37
46
  # @param [Array<Hash>] queries
38
47
  # @param [Array<String>, nil] tags
39
48
  # @param [Array<String>, nil] allowed_data_types
49
+ # @param [Array<String>, nil] disallowed_data_values
40
50
  # @param [String, nil] source
41
51
  #
42
52
  # @return [Mihari::Analyzers::Rule]
43
53
  #
44
- def build_rule_analyzer(title:, description:, queries:, tags: nil, allowed_data_types: nil, source: nil)
54
+ def build_rule_analyzer(title:, description:, queries:, tags: nil, allowed_data_types: nil, disallowed_data_values: nil, source: nil, id: nil)
45
55
  tags = [] if tags.nil?
46
56
  allowed_data_types = ALLOWED_DATA_TYPES if allowed_data_types.nil?
57
+ disallowed_data_values = [] if disallowed_data_values.nil?
47
58
 
48
59
  Analyzers::Rule.new(
49
60
  title: title,
@@ -51,7 +62,9 @@ module Mihari
51
62
  tags: tags,
52
63
  queries: queries,
53
64
  allowed_data_types: allowed_data_types,
54
- source: source
65
+ disallowed_data_values: disallowed_data_values,
66
+ source: source,
67
+ id: id
55
68
  )
56
69
  end
57
70
 
@@ -59,8 +72,6 @@ module Mihari
59
72
  # Run rule analyzer
60
73
  #
61
74
  # @param [Mihari::Analyzer::Rule] analyzer
62
- # @param [Boolean] ignore_old_artifacts
63
- # @param [Integer] ignore_threshold
64
75
  #
65
76
  # @return [nil]
66
77
  #
@@ -13,6 +13,10 @@ module Mihari
13
13
  host = options["host"] || "localhost"
14
14
 
15
15
  load_configuration
16
+
17
+ # set rack env as production
18
+ ENV["RACK_ENV"] ||= "production"
19
+
16
20
  Mihari::App.run!(port: port, host: host)
17
21
  end
18
22
  end
@@ -0,0 +1,42 @@
1
+ require "mem"
2
+
3
+ module Mihari
4
+ module Mixins
5
+ module DisallowedDataValue
6
+ include Mem
7
+
8
+ #
9
+ # Normalize a value as a disallowed data value
10
+ #
11
+ # @param [String] value Data value
12
+ #
13
+ # @return [String, Regexp] Normalized value
14
+ #
15
+ def normalize_disallowed_data_value(value)
16
+ return value if !value.start_with?("/") || !value.end_with?("/")
17
+
18
+ # if a value is surrounded by slashes, take it as a regexp
19
+ value_without_slashes = value[1..-2]
20
+ Regexp.compile value_without_slashes
21
+ end
22
+
23
+ memoize :normalize_disallowed_data_value
24
+
25
+ #
26
+ # Check whetehr a value is valid format as a disallowed data value
27
+ #
28
+ # @param [String] value Data value
29
+ #
30
+ # @return [Boolean] true if it is valid, otherwise false
31
+ #
32
+ def valid_disallowed_data_value?(value)
33
+ begin
34
+ normalize_disallowed_data_value value
35
+ rescue RegexpError
36
+ return false
37
+ end
38
+ true
39
+ end
40
+ end
41
+ end
42
+ end
@@ -20,10 +20,12 @@ module Mihari
20
20
  end
21
21
 
22
22
  #
23
- # Validate rule schema
23
+ # Validate rule schema and return a normalized rule
24
24
  #
25
25
  # @param [Hash] rule
26
26
  #
27
+ # @return [Hash]
28
+ #
27
29
  def validate_rule(rule)
28
30
  error_message = "Failed to parse the input as a rule!"
29
31
 
@@ -42,6 +44,8 @@ module Mihari
42
44
  puts error_message.colorize(:red)
43
45
  raise ArgumentError, "Invalid rule schema"
44
46
  end
47
+
48
+ result.to_h
45
49
  end
46
50
 
47
51
  #
@@ -0,0 +1,25 @@
1
+ # frozen_string_literal: true
2
+
3
+ require "dry/schema"
4
+ require "dry/validation"
5
+
6
+ require "mihari/schemas/macros"
7
+
8
+ module Mihari
9
+ module Schemas
10
+ AnalyzerRun = Dry::Schema.Params do
11
+ required(:title).value(:string)
12
+ required(:description).value(:string)
13
+ required(:source).value(:string)
14
+ required(:artifacts).value(array[:string])
15
+
16
+ optional(:tags).value(array[:string]).default([])
17
+ optional(:ignoreOldArtifacts).value(:bool).default(false)
18
+ optional(:ignoreThreshold).value(:integer).default(0)
19
+ end
20
+
21
+ class AnalyzerRunContract < Dry::Validation::Contract
22
+ params(AnalyzerRun)
23
+ end
24
+ end
25
+ end
@@ -63,10 +63,24 @@ module Mihari
63
63
  required(:queries).value(:array).each { Analyzer | Spyse | ZoomEye | Urlscan | Crtsh }
64
64
 
65
65
  optional(:allowed_data_types).value(array[DataTypes]).default(ALLOWED_DATA_TYPES)
66
+ optional(:disallowed_data_values).value(array[:string]).default([])
67
+
68
+ optional(:ignore_old_artifacts).value(:bool).default(false)
69
+ optional(:ignore_threshold).value(:integer).default(0)
66
70
  end
67
71
 
68
72
  class RuleContract < Dry::Validation::Contract
73
+ include Mihari::Mixins::DisallowedDataValue
74
+
69
75
  params(Rule)
76
+
77
+ rule(:disallowed_data_values) do
78
+ value.each do |v|
79
+ unless valid_disallowed_data_value?(v)
80
+ key.failure("#{v} is not a valid format.")
81
+ end
82
+ end
83
+ end
70
84
  end
71
85
  end
72
86
  end
@@ -2,7 +2,7 @@ title: ... # String (required)
2
2
  description: ... # String (required)
3
3
 
4
4
  id: ... # String (optional)
5
- author: .. # String (optional)
5
+ author: ... # String (optional)
6
6
  created_on: <%= Date.today %> # Date (optional)
7
7
  updated_on: <%= Date.today %> # Date (optional)
8
8
 
@@ -13,6 +13,10 @@ allowed_data_types: # Array<String> (Optional, defaults to ["hash", "ip", "domai
13
13
  - domain
14
14
  - url
15
15
  - mail
16
+ disallowed_data_values: [] # Array<String> (Optional, defaults to [])
17
+
18
+ ignore_old_artifacts: true # Whether to ignore old artifacts from checking or not (Optional, defaults to true)
19
+ ignore_threshold: 0 # Number of days to define whether an artifact is old or not (Optional, defaults to 0)
16
20
 
17
21
  queries: # Array<Hash> (required)
18
22
  - analyzer: shodan # String (required)
@@ -1,5 +1,5 @@
1
1
  # frozen_string_literal: true
2
2
 
3
3
  module Mihari
4
- VERSION = "3.1.0"
4
+ VERSION = "3.4.1"
5
5
  end
@@ -10,6 +10,7 @@ require "mihari/web/helpers/json"
10
10
  require "mihari/web/controllers/base_controller"
11
11
 
12
12
  require "mihari/web/controllers/alerts_controller"
13
+ require "mihari/web/controllers/analyzers_controller"
13
14
  require "mihari/web/controllers/artifacts_controller"
14
15
  require "mihari/web/controllers/command_controller"
15
16
  require "mihari/web/controllers/config_controller"
@@ -26,6 +27,7 @@ module Mihari
26
27
  end
27
28
 
28
29
  use Mihari::Controllers::AlertsController
30
+ use Mihari::Controllers::AnalyzersController
29
31
  use Mihari::Controllers::ArtifactsController
30
32
  use Mihari::Controllers::CommandController
31
33
  use Mihari::Controllers::ConfigController
@@ -0,0 +1,38 @@
1
+ # frozen_string_literal: true
2
+
3
+ module Mihari
4
+ module Controllers
5
+ class AnalyzersController < BaseController
6
+ post "/api/analyzer" do
7
+ contract = Mihari::Schemas::AnalyzerRunContract.new
8
+ result = contract.call(params)
9
+
10
+ unless result.errors.empty?
11
+ status 400
12
+
13
+ return json(result.errors.to_h)
14
+ end
15
+
16
+ args = result.to_h
17
+
18
+ ignore_old_artifacts = args[:ignoreOldArtifacts]
19
+ ignore_threshold = args[:ignoreThreshold]
20
+
21
+ analyzer = Mihari::Analyzers::Basic.new(
22
+ title: args[:title],
23
+ description: args[:description],
24
+ source: args[:source],
25
+ artifacts: args[:artifacts],
26
+ tags: args[:tags]
27
+ )
28
+ analyzer.ignore_old_artifacts = ignore_old_artifacts
29
+ analyzer.ignore_threshold = ignore_threshold
30
+
31
+ analyzer.run
32
+
33
+ status 201
34
+ body ""
35
+ end
36
+ end
37
+ end
38
+ end