mihari 3.10.0 → 4.0.0

data/lib/mihari/cli/analyzer.rb

@@ -1,52 +0,0 @@
-# frozen_string_literal: true
-
-require "mihari/commands/binaryedge"
-require "mihari/commands/censys"
-require "mihari/commands/circl"
-require "mihari/commands/crtsh"
-require "mihari/commands/dnpedia"
-require "mihari/commands/dnstwister"
-require "mihari/commands/greynoise"
-require "mihari/commands/onyphe"
-require "mihari/commands/otx"
-require "mihari/commands/passivetotal"
-require "mihari/commands/pulsedive"
-require "mihari/commands/securitytrails"
-require "mihari/commands/shodan"
-require "mihari/commands/spyse"
-require "mihari/commands/urlscan"
-require "mihari/commands/virustotal_intelligence"
-require "mihari/commands/virustotal"
-require "mihari/commands/zoomeye"
-
-require "mihari/commands/json"
-
-module Mihari
-  module CLI
-    class Analyzer < Base
-      class_option :ignore_old_artifacts, type: :boolean, default: false, desc: "Whether to ignore old artifacts from checking or not."
-      class_option :ignore_threshold, type: :numeric, default: 0, desc: "Number of days to define whether an artifact is old or not."
-      class_option :config, type: :string, desc: "Path to the config file"
-
-      include Mihari::Commands::BinaryEdge
-      include Mihari::Commands::Censys
-      include Mihari::Commands::CIRCL
-      include Mihari::Commands::Crtsh
-      include Mihari::Commands::DNPedia
-      include Mihari::Commands::DNSTwister
-      include Mihari::Commands::GreyNoise
-      include Mihari::Commands::JSON
-      include Mihari::Commands::Onyphe
-      include Mihari::Commands::OTX
-      include Mihari::Commands::PassiveTotal
-      include Mihari::Commands::Pulsedive
-      include Mihari::Commands::SecurityTrails
-      include Mihari::Commands::Shodan
-      include Mihari::Commands::Spyse
-      include Mihari::Commands::Urlscan
-      include Mihari::Commands::VirusTotal
-      include Mihari::Commands::VirusTotalIntelligence
-      include Mihari::Commands::ZoomEye
-    end
-  end
-end

data/lib/mihari/commands/binaryedge.rb

@@ -1,21 +0,0 @@
-# frozen_string_literal: true
-
-module Mihari
-  module Commands
-    module BinaryEdge
-      def self.included(thor)
-        thor.class_eval do
-          desc "binaryedge [QUERY]", "BinaryEdge host search"
-          method_option :title, type: :string, desc: "title"
-          method_option :description, type: :string, desc: "description"
-          method_option :tags, type: :array, desc: "tags"
-          def binaryedge(query)
-            with_error_handling do
-              run_analyzer Analyzers::BinaryEdge, query: query, options: options
-            end
-          end
-        end
-      end
-    end
-  end
-end

data/lib/mihari/commands/censys.rb

@@ -1,22 +0,0 @@
-# frozen_string_literal: true
-
-module Mihari
-  module Commands
-    module Censys
-      def self.included(thor)
-        thor.class_eval do
-          desc "censys [QUERY]", "Censys IPv4 search"
-          method_option :title, type: :string, desc: "title"
-          method_option :description, type: :string, desc: "description"
-          method_option :tags, type: :array, desc: "tags"
-          method_option :type, type: :string, desc: "type to search (ipv4 / websites / certificates)", default: "ipv4"
-          def censys(query)
-            with_error_handling do
-              run_analyzer Analyzers::Censys, query: query, options: options
-            end
-          end
-        end
-      end
-    end
-  end
-end

data/lib/mihari/commands/circl.rb

@@ -1,21 +0,0 @@
-# frozen_string_literal: true
-
-module Mihari
-  module Commands
-    module CIRCL
-      def self.included(thor)
-        thor.class_eval do
-          desc "circl [DOMAIN|SHA1]", "CIRCL passive DNS/SSL search by a domain or SHA1 certificate fingerprint"
-          method_option :title, type: :string, desc: "title"
-          method_option :description, type: :string, desc: "description"
-          method_option :tags, type: :array, desc: "tags"
-          def circl(query)
-            with_error_handling do
-              run_analyzer Analyzers::CIRCL, query: query, options: options
-            end
-          end
-        end
-      end
-    end
-  end
-end

data/lib/mihari/commands/crtsh.rb

@@ -1,22 +0,0 @@
-# frozen_string_literal: true
-
-module Mihari
-  module Commands
-    module Crtsh
-      def self.included(thor)
-        thor.class_eval do
-          desc "crtsh [QUERY]", "crt.sh search"
-          method_option :title, type: :string, desc: "title"
-          method_option :description, type: :string, desc: "description"
-          method_option :tags, type: :array, desc: "tags"
-          method_option :exclude_expired, type: :boolean, desc: "exclude expired certificates"
-          def crtsh(query)
-            with_error_handling do
-              run_analyzer Analyzers::Crtsh, query: query, options: options
-            end
-          end
-        end
-      end
-    end
-  end
-end

data/lib/mihari/commands/dnpedia.rb

@@ -1,21 +0,0 @@
-# frozen_string_literal: true
-
-module Mihari
-  module Commands
-    module DNPedia
-      def self.included(thor)
-        thor.class_eval do
-          desc "dnpedia [QUERY]", "DNPedia domain search"
-          method_option :title, type: :string, desc: "title"
-          method_option :description, type: :string, desc: "description"
-          method_option :tags, type: :array, desc: "tags"
-          def dnpedia(query)
-            with_error_handling do
-              run_analyzer Analyzers::DNPedia, query: query, options: options
-            end
-          end
-        end
-      end
-    end
-  end
-end

data/lib/mihari/commands/dnstwister.rb

@@ -1,21 +0,0 @@
-# frozen_string_literal: true
-
-module Mihari
-  module Commands
-    module DNSTwister
-      def self.included(thor)
-        thor.class_eval do
-          desc "dnstwister [DOMAIN]", "dnstwister search"
-          method_option :title, type: :string, desc: "title"
-          method_option :description, type: :string, desc: "description"
-          method_option :tags, type: :array, desc: "tags"
-          def dnstwister(domain)
-            with_error_handling do
-              run_analyzer Analyzers::DNSTwister, query: domain, options: options
-            end
-          end
-        end
-      end
-    end
-  end
-end

data/lib/mihari/commands/greynoise.rb

@@ -1,21 +0,0 @@
-# frozen_string_literal: true
-
-module Mihari
-  module Commands
-    module GreyNoise
-      def self.included(thor)
-        thor.class_eval do
-          desc "greynoise [QUERY]", "GreyNoise search"
-          method_option :title, type: :string, desc: "title"
-          method_option :description, type: :string, desc: "description"
-          method_option :tags, type: :array, desc: "tags"
-          def greynoise(query)
-            with_error_handling do
-              run_analyzer Analyzers::GreyNoise, query: query, options: options
-            end
-          end
-        end
-      end
-    end
-  end
-end

data/lib/mihari/commands/json.rb

@@ -1,42 +0,0 @@
-# frozen_string_literal: true
-
-module Mihari
-  module Commands
-    module JSON
-      def self.included(thor)
-        thor.class_eval do
-          desc "import_from_json", "Give a JSON input via STDIN"
-          def import_from_json(input = nil)
-            with_error_handling do
-              json = input || $stdin.gets.chomp
-              raise ArgumentError, "Input not found: please give an input in a JSON format" unless json
-
-              json = parse_as_json(json)
-              raise ArgumentError, "Invalid input format: an input JSON data should have title, description and artifacts key" unless required_alert_keys?(json)
-
-              title = json["title"]
-              description = json["description"]
-              artifacts = json["artifacts"]
-              tags = json["tags"] || []
-
-              basic = Analyzers::Basic.new(title: title, description: description, artifacts: artifacts, source: "json", tags: tags)
-
-              basic.ignore_old_artifacts = options["ignore_old_artifacts"] || false
-              basic.ignore_threshold = options["ignore_threshold"] || 0
-
-              basic.run
-            end
-          end
-
-          no_commands do
-            def parse_as_json(input)
-              ::JSON.parse input
-            rescue ::JSON::ParserError => _e
-              nil
-            end
-          end
-        end
-      end
-    end
-  end
-end

data/lib/mihari/commands/onyphe.rb

@@ -1,21 +0,0 @@
-# frozen_string_literal: true
-
-module Mihari
-  module Commands
-    module Onyphe
-      def self.included(thor)
-        thor.class_eval do
-          desc "onyphe [QUERY]", "Onyphe datascan search"
-          method_option :title, type: :string, desc: "title"
-          method_option :description, type: :string, desc: "description"
-          method_option :tags, type: :array, desc: "tags"
-          def onyphe(query)
-            with_error_handling do
-              run_analyzer Analyzers::Onyphe, query: query, options: options
-            end
-          end
-        end
-      end
-    end
-  end
-end

data/lib/mihari/commands/otx.rb

@@ -1,21 +0,0 @@
-# frozen_string_literal: true
-
-module Mihari
-  module Commands
-    module OTX
-      def self.included(thor)
-        thor.class_eval do
-          desc "otx [IP|DOMAIN]", "OTX search by an IP or domain"
-          method_option :title, type: :string, desc: "title"
-          method_option :description, type: :string, desc: "description"
-          method_option :tags, type: :array, desc: "tags"
-          def otx(domain)
-            with_error_handling do
-              run_analyzer Analyzers::OTX, query: domain, options: options
-            end
-          end
-        end
-      end
-    end
-  end
-end

data/lib/mihari/commands/passivetotal.rb

@@ -1,22 +0,0 @@
-# frozen_string_literal: true
-
-module Mihari
-  module Commands
-    module PassiveTotal
-      def self.included(thor)
-        thor.class_eval do
-          desc "passivetotal [IP|DOMAIN|EMAIL|SHA1]", "PassiveTotal search by an ip, domain, email or SHA1 certificate fingerprint"
-          method_option :title, type: :string, desc: "title"
-          method_option :description, type: :string, desc: "description"
-          method_option :tags, type: :array, desc: "tags"
-          def passivetotal(indicator)
-            with_error_handling do
-              run_analyzer Analyzers::PassiveTotal, query: indicator, options: options
-            end
-          end
-          map "pt" => :passivetotal
-        end
-      end
-    end
-  end
-end

data/lib/mihari/commands/pulsedive.rb

@@ -1,21 +0,0 @@
-# frozen_string_literal: true
-
-module Mihari
-  module Commands
-    module Pulsedive
-      def self.included(thor)
-        thor.class_eval do
-          desc "pulsedive [IP|DOMAIN]", "Pulsedive search by an ip or domain"
-          method_option :title, type: :string, desc: "title"
-          method_option :description, type: :string, desc: "description"
-          method_option :tags, type: :array, desc: "tags"
-          def pulsedive(indiactor)
-            with_error_handling do
-              run_analyzer Analyzers::Pulsedive, query: indiactor, options: options
-            end
-          end
-        end
-      end
-    end
-  end
-end

data/lib/mihari/commands/securitytrails.rb

@@ -1,22 +0,0 @@
-# frozen_string_literal: true
-
-module Mihari
-  module Commands
-    module SecurityTrails
-      def self.included(thor)
-        thor.class_eval do
-          desc "securitytrails [IP|DOMAIN|EMAIL]", "SecurityTrails search by an ip, domain or email"
-          method_option :title, type: :string, desc: "title"
-          method_option :description, type: :string, desc: "description"
-          method_option :tags, type: :array, desc: "tags"
-          def securitytrails(indiactor)
-            with_error_handling do
-              run_analyzer Analyzers::SecurityTrails, query: indiactor, options: options
-            end
-          end
-          map "st" => :securitytrails
-        end
-      end
-    end
-  end
-end

data/lib/mihari/commands/shodan.rb

@@ -1,21 +0,0 @@
-# frozen_string_literal: true
-
-module Mihari
-  module Commands
-    module Shodan
-      def self.included(thor)
-        thor.class_eval do
-          desc "shodan [QUERY]", "Shodan host search"
-          method_option :title, type: :string, desc: "title"
-          method_option :description, type: :string, desc: "description"
-          method_option :tags, type: :array, desc: "tags"
-          def shodan(query)
-            with_error_handling do
-              run_analyzer Analyzers::Shodan, query: query, options: options
-            end
-          end
-        end
-      end
-    end
-  end
-end

data/lib/mihari/commands/spyse.rb

@@ -1,22 +0,0 @@
-# frozen_string_literal: true
-
-module Mihari
-  module Commands
-    module Spyse
-      def self.included(thor)
-        thor.class_eval do
-          desc "spyse [QUERY]", "Spyse search"
-          method_option :title, type: :string, desc: "title"
-          method_option :description, type: :string, desc: "description"
-          method_option :tags, type: :array, desc: "tags"
-          method_option :type, type: :string, desc: "type to search (ip or domain)", default: "doamin"
-          def spyse(query)
-            with_error_handling do
-              run_analyzer Analyzers::Spyse, query: query, options: options
-            end
-          end
-        end
-      end
-    end
-  end
-end

data/lib/mihari/commands/urlscan.rb

@@ -1,23 +0,0 @@
-# frozen_string_literal: true
-
-module Mihari
-  module Commands
-    module Urlscan
-      def self.included(thor)
-        thor.class_eval do
-          desc "urlscan [QUERY]", "urlscan search"
-          method_option :title, type: :string, desc: "title"
-          method_option :description, type: :string, desc: "description"
-          method_option :tags, type: :array, desc: "tags"
-          method_option :target_type, type: :string, default: "url", desc: "target type to fetch from search results (target type should be 'url', 'domain' or 'ip')"
-          method_option :use_similarity, type: :boolean, default: false, desc: "use similarity API or not"
-          def urlscan(query)
-            with_error_handling do
-              run_analyzer Analyzers::Urlscan, query: query, options: options
-            end
-          end
-        end
-      end
-    end
-  end
-end

data/lib/mihari/commands/virustotal.rb

@@ -1,22 +0,0 @@
-# frozen_string_literal: true
-
-module Mihari
-  module Commands
-    module VirusTotal
-      def self.included(thor)
-        thor.class_eval do
-          desc "virustotal [IP|DOMAIN]", "VirusTotal resolutions search by an ip or domain"
-          method_option :title, type: :string, desc: "title"
-          method_option :description, type: :string, desc: "description"
-          method_option :tags, type: :array, desc: "tags"
-          def virustotal(indiactor)
-            with_error_handling do
-              run_analyzer Analyzers::VirusTotal, query: indiactor, options: options
-            end
-          end
-          map "vt" => :virustotal
-        end
-      end
-    end
-  end
-end

data/lib/mihari/commands/virustotal_intelligence.rb

@@ -1,22 +0,0 @@
-# frozen_string_literal: true
-
-module Mihari
-  module Commands
-    module VirusTotalIntelligence
-      def self.included(thor)
-        thor.class_eval do
-          desc "virustotal_intelligence [QUERY]", "VirusTotal Intelligence search"
-          method_option :title, type: :string, desc: "title"
-          method_option :description, type: :string, desc: "description"
-          method_option :tags, type: :array, desc: "tags"
-          def virustotal_intelligence(query)
-            with_error_handling do
-              run_analyzer Analyzers::VirusTotalIntelligence, query: query, options: options
-            end
-          end
-          map "vt_intel" => :virustotal_intelligence
-        end
-      end
-    end
-  end
-end

data/lib/mihari/commands/zoomeye.rb

@@ -1,22 +0,0 @@
-# frozen_string_literal: true
-
-module Mihari
-  module Commands
-    module ZoomEye
-      def self.included(thor)
-        thor.class_eval do
-          desc "zoomeye [QUERY]", "ZoomEye search"
-          method_option :title, type: :string, desc: "title"
-          method_option :description, type: :string, desc: "description"
-          method_option :tags, type: :array, desc: "tags"
-          method_option :type, type: :string, desc: "type to search(host / web)", default: "host"
-          def zoomeye(query)
-            with_error_handling do
-              run_analyzer Analyzers::ZoomEye, query: query, options: options
-            end
-          end
-        end
-      end
-    end
-  end
-end

data/lib/mihari/mixins/configuration.rb

@@ -1,100 +0,0 @@
-# frozen_string_literal: true
-
-require "colorize"
-require "yaml"
-
-module Mihari
-  module Mixins
-    module Configuration
-      #
-      # Load config file into hash
-      #
-      # @param [String] path Path to YAML file
-      #
-      # @return [Hash]
-      #
-      def load_config(path)
-        data = _load_config(path)
-        data.transform_keys(&:downcase)
-      end
-
-      #
-      # Validate config schema
-      #
-      # @param [Hash] config
-      #
-      def validate_config(config)
-        error_message = "Failed to parse the input as a config!"
-
-        contract = Schemas::ConfigurationContract.new
-        result = contract.call(config)
-        unless result.errors.empty?
-          puts error_message.colorize(:red)
-          show_validation_errors result.errors
-          raise ArgumentError, "Invalid config schema"
-        end
-
-        # check keys
-        # TODO: check keys with dry-schema
-        valid_keys = Mihari.config.values.keys
-        config.each_key do |key|
-          unless valid_keys.include?(key)
-            puts error_message.colorize(:red)
-            raise ArgumentError, "#{key} is not a valid key."
-          end
-        end
-      end
-
-      #
-      # Returns a template for config
-      #
-      # @return [String] A template for config
-      #
-      def config_template
-        config = Mihari.config.values.keys.map do |key|
-          [key.to_s, nil]
-        end.to_h
-
-        YAML.dump(config)
-      end
-
-      #
-      # Create (blank) config file
-      #
-      # @param [String] filename
-      # @param [Dry::Files] files
-      # @param [String] template
-      #
-      # @return [nil]
-      #
-      def initialize_config_yaml(filename, files = Dry::Files.new, template: config_template)
-        files.write(filename, template)
-      end
-
-      private
-
-      def show_validation_errors(errors)
-        errors.messages.each do |message|
-          path = message.path.map(&:to_s).join
-          puts "- #{path} #{message.text}".colorize(:red)
-        end
-      end
-
-      #
-      # Load configuration file
-      #
-      # @param [String] path
-      #
-      # @return [Hash]
-      #
-      def _load_config(path)
-        unless Pathname(path).exist?
-          puts "#{path} does not exist".colorize(:red)
-          raise FileNotFoundError
-        end
-
-        YAML.safe_load(File.read(path), symbolize_names: true)
-      end
-    end
-  end
-end

data/lib/mihari/mixins/hash.rb

@@ -1,20 +0,0 @@
-# frozen_string_literal: true
-
-require "cymbal"
-
-module Mihari
-  module Mixins
-    module Hash
-      #
-      # Symbolize hash keys
-      #
-      # @param [Hash] hash
-      #
-      # @return [Hash]
-      #
-      def symbolize_hash(hash)
-        Cymbal.symbolize hash
-      end
-    end
-  end
-end

data/lib/mihari/schemas/configuration.rb

@@ -1,44 +0,0 @@
-# frozen_string_literal: true
-
-require "dry/schema"
-require "dry/validation"
-
-require "mihari/schemas/macros"
-
-module Mihari
-  module Schemas
-    Configuration = Dry::Schema.Params do
-      optional(:binaryedge_api_key).value(:string)
-      optional(:censys_id).value(:string)
-      optional(:censys_secret).value(:string)
-      optional(:circl_passive_password).value(:string)
-      optional(:circl_passive_username).value(:string)
-      optional(:database).value(:string)
-      optional(:greynoise_api_key).value(:string)
-      optional(:ipinfo_api_key).value(:string)
-      optional(:misp_api_endpoint).value(:string)
-      optional(:misp_api_key).value(:string)
-      optional(:onyphe_api_key).value(:string)
-      optional(:otx_api_key).value(:string)
-      optional(:passivetotal_api_key).value(:string)
-      optional(:passivetotal_username).value(:string)
-      optional(:pulsedive_api_key).value(:string)
-      optional(:securitytrails_api_key).value(:string)
-      optional(:shodan_api_key).value(:string)
-      optional(:slack_channel).value(:string)
-      optional(:slack_webhook_url).value(:string)
-      optional(:spyse_api_key).value(:string)
-      optional(:thehive_api_endpoint).value(:string)
-      optional(:thehive_api_key).value(:string)
-      optional(:urlscan_api_key).value(:string)
-      optional(:virustotal_api_key).value(:string)
-      optional(:webhook_url).value(:string)
-      optional(:webhook_use_json_body).value(:bool)
-      optional(:zoomeye_api_key).value(:string)
-    end
-
-    class ConfigurationContract < Dry::Validation::Contract
-      params(Configuration)
-    end
-  end
-end