RubyGems - mihari - Versions diffs - 3.4.0 → 3.6.1 - Mend

mihari 3.4.0 → 3.6.1

Files changed (173) hide show

checksums.yaml +4 -4
data/.gitmodules +3 -0
data/README.md +2 -0
data/Steepfile +32 -0
data/config.ru +1 -0
data/lib/mihari/analyzers/base.rb +39 -11
data/lib/mihari/analyzers/binaryedge.rb +13 -0
data/lib/mihari/analyzers/censys.rb +42 -9
data/lib/mihari/analyzers/circl.rb +15 -0
data/lib/mihari/analyzers/crtsh.rb +5 -0
data/lib/mihari/analyzers/dnpedia.rb +5 -0
data/lib/mihari/analyzers/dnstwister.rb +17 -0
data/lib/mihari/analyzers/onyphe.rb +50 -9
data/lib/mihari/analyzers/otx.rb +20 -0
data/lib/mihari/analyzers/passivetotal.rb +25 -0
data/lib/mihari/analyzers/pulsedive.rb +10 -0
data/lib/mihari/analyzers/rule.rb +18 -0
data/lib/mihari/analyzers/securitytrails.rb +25 -0
data/lib/mihari/analyzers/shodan.rb +39 -5
data/lib/mihari/analyzers/spyse.rb +20 -0
data/lib/mihari/analyzers/urlscan.rb +10 -0
data/lib/mihari/analyzers/virustotal.rb +20 -0
data/lib/mihari/analyzers/zoomeye.rb +38 -0
data/lib/mihari/cli/analyzer.rb +1 -0
data/lib/mihari/cli/base.rb +0 -2
data/lib/mihari/commands/init.rb +4 -4
data/lib/mihari/commands/search.rb +1 -0
data/lib/mihari/commands/web.rb +1 -0
data/lib/mihari/{constraints.rb → constants.rb} +0 -0
data/lib/mihari/database.rb +42 -3
data/lib/mihari/emitters/base.rb +1 -1
data/lib/mihari/emitters/misp.rb +38 -5
data/lib/mihari/emitters/slack.rb +20 -2
data/lib/mihari/emitters/the_hive.rb +16 -3
data/lib/mihari/emitters/webhook.rb +18 -3
data/lib/mihari/mixins/disallowed_data_value.rb +1 -1
data/lib/mihari/models/alert.rb +28 -10
data/lib/mihari/models/artifact.rb +55 -0
data/lib/mihari/models/autonomous_system.rb +9 -0
data/lib/mihari/models/dns.rb +53 -0
data/lib/mihari/models/geolocation.rb +9 -0
data/lib/mihari/models/reverse_dns.rb +24 -0
data/lib/mihari/models/whois.rb +119 -0
data/lib/mihari/schemas/configuration.rb +1 -0
data/lib/mihari/schemas/rule.rb +2 -15
data/lib/mihari/serializers/alert.rb +6 -4
data/lib/mihari/serializers/artifact.rb +11 -2
data/lib/mihari/serializers/autonomous_system.rb +9 -0
data/lib/mihari/serializers/dns.rb +11 -0
data/lib/mihari/serializers/geolocation.rb +11 -0
data/lib/mihari/serializers/reverse_dns.rb +11 -0
data/lib/mihari/serializers/tag.rb +4 -2
data/lib/mihari/serializers/whois.rb +11 -0
data/lib/mihari/structs/censys.rb +92 -0
data/lib/mihari/structs/onyphe.rb +47 -0
data/lib/mihari/structs/shodan.rb +53 -0
data/lib/mihari/type_checker.rb +9 -9
data/lib/mihari/types.rb +21 -0
data/lib/mihari/version.rb +1 -1
data/lib/mihari/web/app.rb +2 -0
data/lib/mihari/web/controllers/alerts_controller.rb +3 -4
data/lib/mihari/web/controllers/artifacts_controller.rb +46 -2
data/lib/mihari/web/controllers/ip_address_controller.rb +36 -0
data/lib/mihari/web/controllers/sources_controller.rb +2 -2
data/lib/mihari/web/controllers/tags_controller.rb +3 -1
data/lib/mihari/web/public/index.html +1 -1
data/lib/mihari/web/public/redoc-static.html +12 -10
data/lib/mihari/web/public/static/fonts/fa-brands-400.1a575a41.woff +0 -0
data/lib/mihari/web/public/static/fonts/fa-brands-400.513aa607.ttf +0 -0
data/lib/mihari/web/public/static/fonts/fa-brands-400.592643a8.eot +0 -0
data/lib/mihari/web/public/static/fonts/fa-brands-400.ed311c7a.woff2 +0 -0
data/lib/mihari/web/public/static/fonts/fa-regular-400.766913e6.ttf +0 -0
data/lib/mihari/web/public/static/fonts/fa-regular-400.b0e2db3b.eot +0 -0
data/lib/mihari/web/public/static/fonts/fa-regular-400.b91d376b.woff2 +0 -0
data/lib/mihari/web/public/static/fonts/fa-regular-400.d1d7e3b4.woff +0 -0
data/lib/mihari/web/public/static/fonts/fa-solid-900.0c6bfc66.eot +0 -0
data/lib/mihari/web/public/static/fonts/fa-solid-900.b9625119.ttf +0 -0
data/lib/mihari/web/public/static/fonts/fa-solid-900.d745348d.woff +0 -0
data/lib/mihari/web/public/static/fonts/fa-solid-900.d824df7e.woff2 +0 -0
data/lib/mihari/web/public/static/img/fa-brands-400.1d5619cd.svg +3717 -0
data/lib/mihari/web/public/static/img/fa-regular-400.c5d109be.svg +801 -0
data/lib/mihari/web/public/static/img/fa-solid-900.37bc7099.svg +5034 -0
data/lib/mihari/web/public/static/js/app.8e3e5150.js +36 -0
data/lib/mihari/web/public/static/js/app.8e3e5150.js.map +1 -0
data/lib/mihari/web/public/static/js/app.b5914c39.js +36 -0
data/lib/mihari/web/public/static/js/app.b5914c39.js.map +1 -0
data/lib/mihari.rb +25 -4
data/mihari.gemspec +10 -2
data/sig/lib/mihari/analyzers/base.rbs +99 -0
data/sig/lib/mihari/analyzers/basic.rbs +17 -0
data/sig/lib/mihari/analyzers/binaryedge.rbs +25 -0
data/sig/lib/mihari/analyzers/censys.rbs +38 -0
data/sig/lib/mihari/analyzers/circl.rbs +29 -0
data/sig/lib/mihari/analyzers/crtsh.rbs +19 -0
data/sig/lib/mihari/analyzers/dnpedia.rbs +18 -0
data/sig/lib/mihari/analyzers/dnstwister.rbs +27 -0
data/sig/lib/mihari/analyzers/onyphe.rbs +33 -0
data/sig/lib/mihari/analyzers/otx.rbs +33 -0
data/sig/lib/mihari/analyzers/passivetotal.rbs +33 -0
data/sig/lib/mihari/analyzers/pulsedive.rbs +27 -0
data/sig/lib/mihari/analyzers/rule.rbs +68 -0
data/sig/lib/mihari/analyzers/securitytrails.rbs +33 -0
data/sig/lib/mihari/analyzers/shodan.rbs +33 -0
data/sig/lib/mihari/analyzers/spyse.rbs +29 -0
data/sig/lib/mihari/analyzers/urlscan.rbs +28 -0
data/sig/lib/mihari/analyzers/virustotal.rbs +31 -0
data/sig/lib/mihari/analyzers/zoomeye.rbs +33 -0
data/sig/lib/mihari/cli/analyzer.rbs +39 -0
data/sig/lib/mihari/cli/base.rbs +11 -0
data/sig/lib/mihari/cli/init.rbs +7 -0
data/sig/lib/mihari/cli/main.rbs +9 -0
data/sig/lib/mihari/cli/mixins/utils.rbs +50 -0
data/sig/lib/mihari/cli/validator.rbs +7 -0
data/sig/lib/mihari/commands/binaryedge.rbs +7 -0
data/sig/lib/mihari/commands/censys.rbs +7 -0
data/sig/lib/mihari/commands/circl.rbs +7 -0
data/sig/lib/mihari/commands/crtsh.rbs +7 -0
data/sig/lib/mihari/commands/dnpedia.rbs +7 -0
data/sig/lib/mihari/commands/dnstwister.rbs +7 -0
data/sig/lib/mihari/commands/init.rbs +11 -0
data/sig/lib/mihari/commands/json.rbs +7 -0
data/sig/lib/mihari/commands/onyphe.rbs +7 -0
data/sig/lib/mihari/commands/otx.rbs +7 -0
data/sig/lib/mihari/commands/passivetotal.rbs +7 -0
data/sig/lib/mihari/commands/pulsedive.rbs +7 -0
data/sig/lib/mihari/commands/search.rbs +35 -0
data/sig/lib/mihari/commands/securitytrails.rbs +7 -0
data/sig/lib/mihari/commands/shodan.rbs +7 -0
data/sig/lib/mihari/commands/spyse.rbs +7 -0
data/sig/lib/mihari/commands/urlscan.rbs +7 -0
data/sig/lib/mihari/commands/validator.rbs +11 -0
data/sig/lib/mihari/commands/virustotal.rbs +7 -0
data/sig/lib/mihari/commands/web.rbs +7 -0
data/sig/lib/mihari/commands/zoomeye.rbs +7 -0
data/sig/lib/mihari/constants.rbs +3 -0
data/sig/lib/mihari/database.rbs +25 -0
data/sig/lib/mihari/emitters/base.rbs +18 -0
data/sig/lib/mihari/emitters/database.rbs +9 -0
data/sig/lib/mihari/emitters/misp.rbs +28 -0
data/sig/lib/mihari/emitters/slack.rbs +58 -0
data/sig/lib/mihari/emitters/stdout.rbs +9 -0
data/sig/lib/mihari/emitters/the_hive.rbs +24 -0
data/sig/lib/mihari/emitters/webhook.rbs +20 -0
data/sig/lib/mihari/errors.rbs +10 -0
data/sig/lib/mihari/mixins/configurable.rbs +26 -0
data/sig/lib/mihari/mixins/configuration.rbs +45 -0
data/sig/lib/mihari/mixins/disallowed_data_value.rbs +25 -0
data/sig/lib/mihari/mixins/hash.rbs +14 -0
data/sig/lib/mihari/mixins/refang.rbs +14 -0
data/sig/lib/mihari/mixins/retriable.rbs +15 -0
data/sig/lib/mihari/mixins/rule.rbs +41 -0
data/sig/lib/mihari/models/alert.rbs +46 -0
data/sig/lib/mihari/models/artifact.rbs +54 -0
data/sig/lib/mihari/models/autonomous_system.rbs +5 -0
data/sig/lib/mihari/models/dns.rbs +19 -0
data/sig/lib/mihari/models/geolocation.rbs +6 -0
data/sig/lib/mihari/models/reverse_dns.rbs +14 -0
data/sig/lib/mihari/models/tag.rbs +5 -0
data/sig/lib/mihari/models/tagging.rbs +4 -0
data/sig/lib/mihari/models/whois.rbs +66 -0
data/sig/lib/mihari/notifiers/base.rbs +18 -0
data/sig/lib/mihari/notifiers/exception_notifier.rbs +75 -0
data/sig/lib/mihari/notifiers/slack.rbs +50 -0
data/sig/lib/mihari/status.rbs +25 -0
data/sig/lib/mihari/structs/censys.rbs +50 -0
data/sig/lib/mihari/structs/onyphe.rbs +25 -0
data/sig/lib/mihari/structs/shodan.rbs +28 -0
data/sig/lib/mihari/type_checker.rbs +48 -0
data/sig/lib/mihari/types.rbs +17 -0
data/sig/lib/mihari/version.rbs +3 -0
data/sig/lib/mihari/web/app.rbs +5 -0
data/sig/lib/mihari.rbs +57 -0
metadata +240 -8

data/lib/mihari/structs/censys.rb ADDED Viewed

@@ -0,0 +1,92 @@
+require "json"
+require "dry/struct"
+module Mihari
+  module Structs
+    module Censys
+      class AutonomousSystem < Dry::Struct
+        attribute :asn, Types::Int
+        def self.from_dynamic!(d)
+          d = Types::Hash[d]
+          new(
+            asn: d.fetch("asn")
+          )
+        end
+      end
+      class Location < Dry::Struct
+        attribute :country, Types::String.optional
+        attribute :country_code, Types::String.optional
+        def self.from_dynamic!(d)
+          d = Types::Hash[d]
+          new(
+            country: d["country"],
+            country_code: d["country_code"]
+          )
+        end
+      end
+      class Hit < Dry::Struct
+        attribute :ip, Types::String
+        attribute :location, Location
+        attribute :autonomous_system, AutonomousSystem
+        def self.from_dynamic!(d)
+          d = Types::Hash[d]
+          new(
+            ip: d.fetch("ip"),
+            location: Location.from_dynamic!(d.fetch("location")),
+            autonomous_system: AutonomousSystem.from_dynamic!(d.fetch("autonomous_system"))
+          )
+        end
+      end
+      class Links < Dry::Struct
+        attribute :next, Types::String
+        attribute :prev, Types::String
+        def self.from_dynamic!(d)
+          d = Types::Hash[d]
+          new(
+            next: d.fetch("next"),
+            prev: d.fetch("prev")
+          )
+        end
+      end
+      class Result < Dry::Struct
+        attribute :query, Types::String
+        attribute :total, Types::Int
+        attribute :hits, Types.Array(Hit)
+        attribute :links, Links
+        def self.from_dynamic!(d)
+          d = Types::Hash[d]
+          new(
+            query: d.fetch("query"),
+            total: d.fetch("total"),
+            hits: d.fetch("hits", []).map { |x| Hit.from_dynamic!(x) },
+            links: Links.from_dynamic!(d.fetch("links"))
+          )
+        end
+      end
+      class Response < Dry::Struct
+        attribute :code, Types::Int
+        attribute :status, Types::String
+        attribute :result, Result
+        def self.from_dynamic!(d)
+          d = Types::Hash[d]
+          new(
+            code: d.fetch("code"),
+            status: d.fetch("status"),
+            result: Result.from_dynamic!(d.fetch("result"))
+          )
+        end
+      end
+    end
+  end
+end

data/lib/mihari/structs/onyphe.rb ADDED Viewed

@@ -0,0 +1,47 @@
+require "json"
+require "dry/struct"
+module Mihari
+  module Structs
+    module Onyphe
+      class Result < Dry::Struct
+        attribute :asn, Types::String
+        attribute :country_code, Types::String.optional
+        attribute :ip, Types::String
+        def self.from_dynamic!(d)
+          d = Types::Hash[d]
+          new(
+            asn: d.fetch("asn"),
+            ip: d.fetch("ip"),
+            # Onyphe's country = 2-letter country code
+            country_code: d["country"]
+          )
+        end
+      end
+      class Response < Dry::Struct
+        attribute :count, Types::Int
+        attribute :error, Types::Int
+        attribute :max_page, Types::Int
+        attribute :page, Types::String
+        attribute :results, Types.Array(Result)
+        attribute :status, Types::String
+        attribute :total, Types::Int
+        def self.from_dynamic!(d)
+          d = Types::Hash[d]
+          new(
+            count: d.fetch("count"),
+            error: d.fetch("error"),
+            max_page: d.fetch("max_page"),
+            page: d.fetch("page"),
+            results: d.fetch("results").map { |x| Result.from_dynamic!(x) },
+            status: d.fetch("status"),
+            total: d.fetch("total")
+          )
+        end
+      end
+    end
+  end
+end

data/lib/mihari/structs/shodan.rb ADDED Viewed

@@ -0,0 +1,53 @@
+require "json"
+require "dry/struct"
+module Mihari
+  module Structs
+    module Shodan
+      class Location < Dry::Struct
+        attribute :country_code, Types::String
+        attribute :country_name, Types::String
+        def self.from_dynamic!(d)
+          d = Types::Hash[d]
+          new(
+            country_code: d.fetch("country_code"),
+            country_name: d.fetch("country_name")
+          )
+        end
+      end
+      class Match < Dry::Struct
+        attribute :asn, Types::String
+        attribute :hostnames, Types.Array(Types::String)
+        attribute :location, Location
+        attribute :domains, Types.Array(Types::String)
+        attribute :ip_str, Types::String
+        def self.from_dynamic!(d)
+          d = Types::Hash[d]
+          new(
+            asn: d.fetch("asn"),
+            hostnames: d.fetch("hostnames"),
+            location: Location.from_dynamic!(d.fetch("location")),
+            domains: d.fetch("domains"),
+            ip_str: d.fetch("ip_str")
+          )
+        end
+      end
+      class Result < Dry::Struct
+        attribute :matches, Types.Array(Match)
+        attribute :total, Types::Int
+        def self.from_dynamic!(d)
+          d = Types::Hash[d]
+          new(
+            matches: d.fetch("matches", []).map { |x| Match.from_dynamic!(x) },
+            total: d.fetch("total")
+          )
+        end
+      end
+    end
+  end
+end

data/lib/mihari/type_checker.rb CHANGED Viewed

@@ -18,12 +18,12 @@ module Mihari
       raise ArgumentError if data.is_a?(Hash)
     end
-    # @return [true, false]
+    # @return [Boolean]
     def hash?
       md5? || sha1? || sha256? || sha512?
     end
-    # @return [true, false]
+    # @return [Boolean]
     def ip?
       IPAddr.new data
       true
@@ -31,7 +31,7 @@ module Mihari
       false
     end
-    # @return [true, false]
+    # @return [Boolean]
     def domain?
       uri = Addressable::URI.parse("http://#{data}")
       uri.host == data && PublicSuffix.valid?(uri.host)
@@ -39,7 +39,7 @@ module Mihari
       false
     end
-    # @return [true, false]
+    # @return [Boolean]
     def url?
       uri = Addressable::URI.parse(data)
       uri.scheme && uri.host && uri.path && PublicSuffix.valid?(uri.host)
@@ -47,7 +47,7 @@ module Mihari
       false
     end
-    # @return [true, false]
+    # @return [Boolean]
     def mail?
       EmailAddress.valid? data, host_validation: :syntax
     end
@@ -83,22 +83,22 @@ module Mihari
     private
-    # @return [true, false]
+    # @return [Boolean]
     def md5?
       data.match?(/^[A-Fa-f0-9]{32}$/)
     end
-    # @return [true, false]
+    # @return [Boolean]
     def sha1?
       data.match?(/^[A-Fa-f0-9]{40}$/)
     end
-    # @return [true, false]
+    # @return [Boolean]
     def sha256?
       data.match?(/^[A-Fa-f0-9]{64}$/)
     end
-    # @return [true, false]
+    # @return [Boolean]
     def sha512?
       data.match?(/^[A-Fa-f0-9]{128}$/)
     end

data/lib/mihari/types.rb ADDED Viewed

@@ -0,0 +1,21 @@
+require "dry/types"
+module Mihari
+  module Types
+    include Dry.Types()
+    Int = Strict::Integer
+    Nil = Strict::Nil
+    Hash = Strict::Hash
+    String = Strict::String
+    Double = Strict::Float | Strict::Integer
+    DataTypes = Types::String.enum(*ALLOWED_DATA_TYPES)
+    AnalyzerTypes = Types::String.enum(
+      "binaryedge", "censys", "circl", "dnpedia", "dnstwister",
+      "onyphe", "otx", "passivetotal", "pulsedive", "securitytrails",
+      "shodan", "virustotal"
+    )
+  end
+end

data/lib/mihari/version.rb CHANGED Viewed

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 module Mihari
-  VERSION = "3.4.0"
+  VERSION = "3.6.1"
 end

data/lib/mihari/web/app.rb CHANGED Viewed

@@ -14,6 +14,7 @@ require "mihari/web/controllers/analyzers_controller"
 require "mihari/web/controllers/artifacts_controller"
 require "mihari/web/controllers/command_controller"
 require "mihari/web/controllers/config_controller"
+require "mihari/web/controllers/ip_address_controller"
 require "mihari/web/controllers/sources_controller"
 require "mihari/web/controllers/tags_controller"
@@ -31,6 +32,7 @@ module Mihari
     use Mihari::Controllers::ArtifactsController
     use Mihari::Controllers::CommandController
     use Mihari::Controllers::ConfigController
+    use Mihari::Controllers::IPAddressController
     use Mihari::Controllers::SourcesController
     use Mihari::Controllers::TagsController

data/lib/mihari/web/controllers/alerts_controller.rb CHANGED Viewed

@@ -26,9 +26,7 @@ module Mihari
         title = params["title"]
         from_at = params["from_at"] || params["fromAt"]
-        from_at = DateTime.parse(from_at) if from_at
         to_at = params["to_at"] || params["toAt"]
-        to_at = DateTime.parse(to_at) if to_at
         alerts = Mihari::Alert.search(
           artifact_data: artifact_data,
@@ -55,8 +53,9 @@ module Mihari
       end
       delete "/api/alerts/:id" do
-        id = params["id"]
-        id = id.to_i
+        param :id, Integer, required: true
+        id = params["id"].to_i
         begin
           alert = Mihari::Alert.find(id)

data/lib/mihari/web/controllers/artifacts_controller.rb CHANGED Viewed

@@ -3,9 +3,53 @@
 module Mihari
   module Controllers
     class ArtifactsController < BaseController
+      get "/api/artifacts/:id" do
+        param :id, Integer, required: true
+        id = params["id"].to_i
+        begin
+          artifact = Mihari::Artifact.includes(
+            :autonomous_system,
+            :geolocation,
+            :whois_record,
+            :dns_records,
+            :reverse_dns_names
+          ).find(id)
+        rescue ActiveRecord::RecordNotFound
+          status 404
+          return json({ message: "ID:#{id} is not found" })
+        end
+        # TODO: improve queries
+        alert_ids = Mihari::Artifact.where(data: artifact.data).pluck(:alert_id)
+        tag_ids = Mihari::Tagging.where(alert_id: alert_ids).pluck(:tag_id)
+        tag_names = Mihari::Tag.where(id: tag_ids).distinct.pluck(:name)
+        artifact_json = Serializers::ArtifactSerializer.new(artifact).as_json
+        # convert reverse DNS names into an array of string
+        # also change it as nil if it is empty
+        reverse_dns_names = (artifact_json[:reverse_dns_names] || []).filter_map { |v| v[:name] }
+        reverse_dns_names = nil if reverse_dns_names.empty?
+        artifact_json[:reverse_dns_names] = reverse_dns_names
+        # change DNS records as nil if it is empty
+        dns_records = artifact_json[:dns_records] || []
+        dns_records = nil if dns_records.empty?
+        artifact_json[:dns_records] = dns_records
+        # set tags
+        artifact_json[:tags] = tag_names
+        json artifact_json
+      end
       delete "/api/artifacts/:id" do
-        id = params["id"]
-        id = id.to_i
+        param :id, Integer, required: true
+        id = params["id"].to_i
         begin
           alert = Mihari::Artifact.find(id)

data/lib/mihari/web/controllers/ip_address_controller.rb ADDED Viewed

@@ -0,0 +1,36 @@
+# frozen_string_literal: true
+require "http"
+require "json"
+module Mihari
+  module Controllers
+    class IPAddressController < BaseController
+      def query(ip)
+        headers = {}
+        token = Mihari.config.ipinfo_api_key
+        unless token.nil?
+          headers[:authorization] = "Bearer #{token}"
+        end
+        res = HTTP.headers(headers).get("https://ipinfo.io/#{ip}/json")
+        JSON.parse res.to_s
+      end
+      get "/api/ip_addresses/:ip" do
+        param :ip, String, required: true
+        ip = params["ip"].to_s
+        begin
+          data = query(ip)
+          json data
+        rescue HTTP::Error
+          status 404
+          json({ message: "IP:#{ip} is not found" })
+        end
+      end
+    end
+  end
+end

data/lib/mihari/web/controllers/sources_controller.rb CHANGED Viewed

@@ -4,8 +4,8 @@ module Mihari
   module Controllers
     class SourcesController < BaseController
       get "/api/sources" do
-        tags = Mihari::Alert.distinct.pluck(:source)
-        json tags
+        sources = Mihari::Alert.distinct.pluck(:source)
+        json sources
       end
     end
   end

data/lib/mihari/web/controllers/tags_controller.rb CHANGED Viewed

@@ -9,7 +9,9 @@ module Mihari
       end
       delete "/api/tags/:name" do
-        name = params["name"]
+        param :name, String, required: true
+        name = params["name"].to_s
         begin
           Mihari::Tag.where(name: name).destroy_all