RubyGems - mihari - Versions diffs - 3.4.1 → 3.7.0 - Mend

mihari 3.4.1 → 3.7.0

Files changed (181) hide show

checksums.yaml +4 -4
data/.gitmodules +3 -0
data/README.md +2 -0
data/Steepfile +32 -0
data/config.ru +1 -0
data/lib/mihari/analyzers/base.rb +24 -11
data/lib/mihari/analyzers/binaryedge.rb +13 -0
data/lib/mihari/analyzers/censys.rb +42 -9
data/lib/mihari/analyzers/circl.rb +15 -0
data/lib/mihari/analyzers/crtsh.rb +5 -0
data/lib/mihari/analyzers/dnpedia.rb +5 -0
data/lib/mihari/analyzers/dnstwister.rb +17 -0
data/lib/mihari/analyzers/onyphe.rb +50 -9
data/lib/mihari/analyzers/otx.rb +20 -0
data/lib/mihari/analyzers/passivetotal.rb +25 -0
data/lib/mihari/analyzers/pulsedive.rb +10 -0
data/lib/mihari/analyzers/rule.rb +18 -0
data/lib/mihari/analyzers/securitytrails.rb +25 -0
data/lib/mihari/analyzers/shodan.rb +39 -5
data/lib/mihari/analyzers/spyse.rb +20 -0
data/lib/mihari/analyzers/urlscan.rb +10 -0
data/lib/mihari/analyzers/virustotal.rb +20 -0
data/lib/mihari/analyzers/zoomeye.rb +38 -0
data/lib/mihari/cli/analyzer.rb +1 -0
data/lib/mihari/cli/base.rb +0 -2
data/lib/mihari/commands/init.rb +1 -1
data/lib/mihari/commands/search.rb +1 -0
data/lib/mihari/commands/web.rb +1 -0
data/lib/mihari/{constraints.rb → constants.rb} +0 -0
data/lib/mihari/database.rb +55 -3
data/lib/mihari/emitters/base.rb +1 -1
data/lib/mihari/emitters/misp.rb +38 -5
data/lib/mihari/emitters/slack.rb +20 -2
data/lib/mihari/emitters/the_hive.rb +16 -3
data/lib/mihari/emitters/webhook.rb +18 -3
data/lib/mihari/enrichers/ipinfo.rb +38 -0
data/lib/mihari/mixins/autonomous_system.rb +19 -0
data/lib/mihari/mixins/disallowed_data_value.rb +1 -1
data/lib/mihari/models/alert.rb +28 -10
data/lib/mihari/models/artifact.rb +94 -0
data/lib/mihari/models/autonomous_system.rb +28 -0
data/lib/mihari/models/dns.rb +55 -0
data/lib/mihari/models/geolocation.rb +29 -0
data/lib/mihari/models/reverse_dns.rb +26 -0
data/lib/mihari/models/whois.rb +119 -0
data/lib/mihari/schemas/configuration.rb +1 -0
data/lib/mihari/schemas/rule.rb +2 -15
data/lib/mihari/serializers/alert.rb +6 -4
data/lib/mihari/serializers/artifact.rb +11 -2
data/lib/mihari/serializers/autonomous_system.rb +9 -0
data/lib/mihari/serializers/dns.rb +11 -0
data/lib/mihari/serializers/geolocation.rb +11 -0
data/lib/mihari/serializers/reverse_dns.rb +11 -0
data/lib/mihari/serializers/tag.rb +4 -2
data/lib/mihari/serializers/whois.rb +11 -0
data/lib/mihari/structs/censys.rb +92 -0
data/lib/mihari/structs/ipinfo.rb +36 -0
data/lib/mihari/structs/onyphe.rb +47 -0
data/lib/mihari/structs/shodan.rb +53 -0
data/lib/mihari/type_checker.rb +9 -9
data/lib/mihari/types.rb +21 -0
data/lib/mihari/version.rb +1 -1
data/lib/mihari/web/app.rb +2 -0
data/lib/mihari/web/controllers/alerts_controller.rb +3 -4
data/lib/mihari/web/controllers/artifacts_controller.rb +73 -3
data/lib/mihari/web/controllers/ip_address_controller.rb +21 -0
data/lib/mihari/web/controllers/sources_controller.rb +2 -2
data/lib/mihari/web/controllers/tags_controller.rb +3 -1
data/lib/mihari/web/public/index.html +1 -1
data/lib/mihari/web/public/redoc-static.html +14 -11
data/lib/mihari/web/public/static/fonts/fa-brands-400.1a575a41.woff +0 -0
data/lib/mihari/web/public/static/fonts/fa-brands-400.513aa607.ttf +0 -0
data/lib/mihari/web/public/static/fonts/fa-brands-400.592643a8.eot +0 -0
data/lib/mihari/web/public/static/fonts/fa-brands-400.ed311c7a.woff2 +0 -0
data/lib/mihari/web/public/static/fonts/fa-regular-400.766913e6.ttf +0 -0
data/lib/mihari/web/public/static/fonts/fa-regular-400.b0e2db3b.eot +0 -0
data/lib/mihari/web/public/static/fonts/fa-regular-400.b91d376b.woff2 +0 -0
data/lib/mihari/web/public/static/fonts/fa-regular-400.d1d7e3b4.woff +0 -0
data/lib/mihari/web/public/static/fonts/fa-solid-900.0c6bfc66.eot +0 -0
data/lib/mihari/web/public/static/fonts/fa-solid-900.b9625119.ttf +0 -0
data/lib/mihari/web/public/static/fonts/fa-solid-900.d745348d.woff +0 -0
data/lib/mihari/web/public/static/fonts/fa-solid-900.d824df7e.woff2 +0 -0
data/lib/mihari/web/public/static/img/fa-brands-400.1d5619cd.svg +3717 -0
data/lib/mihari/web/public/static/img/fa-regular-400.c5d109be.svg +801 -0
data/lib/mihari/web/public/static/img/fa-solid-900.37bc7099.svg +5034 -0
data/lib/mihari/web/public/static/js/app.06d5cf1c.js +36 -0
data/lib/mihari/web/public/static/js/app.06d5cf1c.js.map +1 -0
data/lib/mihari/web/public/static/js/app.8e3e5150.js +36 -0
data/lib/mihari/web/public/static/js/app.8e3e5150.js.map +1 -0
data/lib/mihari/web/public/static/js/app.b5914c39.js +36 -0
data/lib/mihari/web/public/static/js/app.b5914c39.js.map +1 -0
data/lib/mihari.rb +30 -4
data/mihari.gemspec +10 -1
data/sig/lib/mihari/analyzers/base.rbs +90 -0
data/sig/lib/mihari/analyzers/basic.rbs +17 -0
data/sig/lib/mihari/analyzers/binaryedge.rbs +25 -0
data/sig/lib/mihari/analyzers/censys.rbs +38 -0
data/sig/lib/mihari/analyzers/circl.rbs +29 -0
data/sig/lib/mihari/analyzers/crtsh.rbs +19 -0
data/sig/lib/mihari/analyzers/dnpedia.rbs +18 -0
data/sig/lib/mihari/analyzers/dnstwister.rbs +27 -0
data/sig/lib/mihari/analyzers/onyphe.rbs +33 -0
data/sig/lib/mihari/analyzers/otx.rbs +33 -0
data/sig/lib/mihari/analyzers/passivetotal.rbs +33 -0
data/sig/lib/mihari/analyzers/pulsedive.rbs +27 -0
data/sig/lib/mihari/analyzers/rule.rbs +68 -0
data/sig/lib/mihari/analyzers/securitytrails.rbs +33 -0
data/sig/lib/mihari/analyzers/shodan.rbs +33 -0
data/sig/lib/mihari/analyzers/spyse.rbs +29 -0
data/sig/lib/mihari/analyzers/urlscan.rbs +28 -0
data/sig/lib/mihari/analyzers/virustotal.rbs +31 -0
data/sig/lib/mihari/analyzers/zoomeye.rbs +33 -0
data/sig/lib/mihari/cli/analyzer.rbs +39 -0
data/sig/lib/mihari/cli/base.rbs +11 -0
data/sig/lib/mihari/cli/init.rbs +7 -0
data/sig/lib/mihari/cli/main.rbs +9 -0
data/sig/lib/mihari/cli/mixins/utils.rbs +50 -0
data/sig/lib/mihari/cli/validator.rbs +7 -0
data/sig/lib/mihari/commands/binaryedge.rbs +7 -0
data/sig/lib/mihari/commands/censys.rbs +7 -0
data/sig/lib/mihari/commands/circl.rbs +7 -0
data/sig/lib/mihari/commands/crtsh.rbs +7 -0
data/sig/lib/mihari/commands/dnpedia.rbs +7 -0
data/sig/lib/mihari/commands/dnstwister.rbs +7 -0
data/sig/lib/mihari/commands/init.rbs +11 -0
data/sig/lib/mihari/commands/json.rbs +7 -0
data/sig/lib/mihari/commands/onyphe.rbs +7 -0
data/sig/lib/mihari/commands/otx.rbs +7 -0
data/sig/lib/mihari/commands/passivetotal.rbs +7 -0
data/sig/lib/mihari/commands/pulsedive.rbs +7 -0
data/sig/lib/mihari/commands/search.rbs +35 -0
data/sig/lib/mihari/commands/securitytrails.rbs +7 -0
data/sig/lib/mihari/commands/shodan.rbs +7 -0
data/sig/lib/mihari/commands/spyse.rbs +7 -0
data/sig/lib/mihari/commands/urlscan.rbs +7 -0
data/sig/lib/mihari/commands/validator.rbs +11 -0
data/sig/lib/mihari/commands/virustotal.rbs +7 -0
data/sig/lib/mihari/commands/web.rbs +7 -0
data/sig/lib/mihari/commands/zoomeye.rbs +7 -0
data/sig/lib/mihari/constants.rbs +3 -0
data/sig/lib/mihari/database.rbs +25 -0
data/sig/lib/mihari/emitters/base.rbs +18 -0
data/sig/lib/mihari/emitters/database.rbs +9 -0
data/sig/lib/mihari/emitters/misp.rbs +28 -0
data/sig/lib/mihari/emitters/slack.rbs +58 -0
data/sig/lib/mihari/emitters/stdout.rbs +9 -0
data/sig/lib/mihari/emitters/the_hive.rbs +24 -0
data/sig/lib/mihari/emitters/webhook.rbs +20 -0
data/sig/lib/mihari/enrichers/ipinfo.rbs +14 -0
data/sig/lib/mihari/errors.rbs +10 -0
data/sig/lib/mihari/mixins/autonomous_system.rbs +14 -0
data/sig/lib/mihari/mixins/configurable.rbs +26 -0
data/sig/lib/mihari/mixins/configuration.rbs +45 -0
data/sig/lib/mihari/mixins/disallowed_data_value.rbs +25 -0
data/sig/lib/mihari/mixins/hash.rbs +14 -0
data/sig/lib/mihari/mixins/refang.rbs +14 -0
data/sig/lib/mihari/mixins/retriable.rbs +15 -0
data/sig/lib/mihari/mixins/rule.rbs +41 -0
data/sig/lib/mihari/models/alert.rbs +46 -0
data/sig/lib/mihari/models/artifact.rbs +65 -0
data/sig/lib/mihari/models/autonomous_system.rbs +14 -0
data/sig/lib/mihari/models/dns.rbs +19 -0
data/sig/lib/mihari/models/geolocation.rbs +15 -0
data/sig/lib/mihari/models/reverse_dns.rbs +14 -0
data/sig/lib/mihari/models/tag.rbs +5 -0
data/sig/lib/mihari/models/tagging.rbs +4 -0
data/sig/lib/mihari/models/whois.rbs +66 -0
data/sig/lib/mihari/notifiers/base.rbs +18 -0
data/sig/lib/mihari/notifiers/exception_notifier.rbs +75 -0
data/sig/lib/mihari/notifiers/slack.rbs +50 -0
data/sig/lib/mihari/status.rbs +25 -0
data/sig/lib/mihari/structs/censys.rbs +50 -0
data/sig/lib/mihari/structs/ipinfo.rbs +17 -0
data/sig/lib/mihari/structs/onyphe.rbs +25 -0
data/sig/lib/mihari/structs/shodan.rbs +28 -0
data/sig/lib/mihari/type_checker.rbs +48 -0
data/sig/lib/mihari/types.rbs +17 -0
data/sig/lib/mihari/version.rbs +3 -0
data/sig/lib/mihari/web/app.rbs +5 -0
data/sig/lib/mihari.rbs +57 -0
metadata +259 -5

data/lib/mihari/analyzers/otx.rb CHANGED Viewed

@@ -39,10 +39,20 @@ module Mihari
         @ip_client ||= ::OTX::IP.new(Mihari.config.otx_api_key)
       end
+      #
+      # Check whether a type is valid or not
+      #
+      # @return [Boolean]
+      #
       def valid_type?
         %w[ip domain].include? type
       end
+      #
+      # IP/domain search
+      #
+      # @return [Array<String>]
+      #
       def search
         case type
         when "domain"
@@ -54,6 +64,11 @@ module Mihari
         end
       end
+      #
+      # Domain search
+      #
+      # @return [Array<String>]
+      #
       def domain_search
         records = domain_client.get_passive_dns(query)
         records.filter_map do |record|
@@ -61,6 +76,11 @@ module Mihari
         end.uniq
       end
+      #
+      # IP search
+      #
+      # @return [Array<String>]
+      #
       def ip_search
         records = ip_client.get_passive_dns(query)
         records.filter_map do |record|

data/lib/mihari/analyzers/passivetotal.rb CHANGED Viewed

@@ -35,10 +35,20 @@ module Mihari
         @api ||= ::PassiveTotal::API.new(username: Mihari.config.passivetotal_username, api_key: Mihari.config.passivetotal_api_key)
       end
+      #
+      # Check whether a type is valid or not
+      #
+      # @return [Boolean]
+      #
       def valid_type?
         %w[ip domain mail hash].include? type
       end
+      #
+      # Passive DNS/SSL, reverse whois search
+      #
+      # @return [Array<String>]
+      #
       def search
         case type
         when "domain", "ip"
@@ -52,11 +62,21 @@ module Mihari
         end
       end
+      #
+      # Passive DNS search
+      #
+      # @return [Array<String>]
+      #
       def passive_dns_search
         res = api.dns.passive_unique(query)
         res["results"] || []
       end
+      #
+      # Reverse whois search
+      #
+      # @return [Array<String>]
+      #
       def reverse_whois_search
         res = api.whois.search(query: query, field: "email")
         results = res["results"] || []
@@ -65,6 +85,11 @@ module Mihari
         end.flatten.compact.uniq
       end
+      #
+      # Passive SSL search
+      #
+      # @return [Array<String>]
+      #
       def ssl_search
         res = api.ssl.history(query)
         results = res["results"] || []

data/lib/mihari/analyzers/pulsedive.rb CHANGED Viewed

@@ -35,10 +35,20 @@ module Mihari
         @api ||= ::Pulsedive::API.new(Mihari.config.pulsedive_api_key)
       end
+      #
+      # Check whether a type is valid or not
+      #
+      # @return [Boolean]
+      #
       def valid_type?
         %w[ip domain].include? type
       end
+      #
+      # Search
+      #
+      # @return [Array<String>]
+      #
       def search
         raise InvalidInputError, "#{query}(type: #{type || "unknown"}) is not supported." unless valid_type?

data/lib/mihari/analyzers/rule.rb CHANGED Viewed

@@ -22,6 +22,8 @@ module Mihari
         super(**kwargs)
         @source = id || UUIDTools::UUID.md5_create(UUIDTools::UUID_URL_NAMESPACE, title + description).to_s
+        validate_analyzer_configurations
       end
       ANALYZER_TO_CLASS = {
@@ -119,6 +121,22 @@ module Mihari
         raise ArgumentError, "#{analyzer_name} is not supported"
       end
+      #
+      # Validate configuration of analyzers
+      #
+      def validate_analyzer_configurations
+        queries.each do |params|
+          analyzer_name = params[:analyzer]
+          klass = get_analyzer_class(analyzer_name)
+          instance = klass.new("dummy")
+          unless instance.configured?
+            klass_name = klass.to_s.split("::").last
+            raise ArgumentError, "#{klass_name} is not configured correctly"
+          end
+        end
+      end
     end
   end
 end

data/lib/mihari/analyzers/securitytrails.rb CHANGED Viewed

@@ -35,10 +35,20 @@ module Mihari
         @api ||= ::SecurityTrails::API.new(Mihari.config.securitytrails_api_key)
       end
+      #
+      # Check whether a type is valid or not
+      #
+      # @return [Boolean]
+      #
       def valid_type?
         %w[ip domain mail].include? type
       end
+      #
+      # IP/domain/mail search
+      #
+      # @return [Array<String>]
+      #
       def search
         case type
         when "domain"
@@ -52,6 +62,11 @@ module Mihari
         end
       end
+      #
+      # Domain search
+      #
+      # @return [Array<String>]
+      #
       def domain_search
         result = api.history.get_all_dns_history(query, type: "a")
         records = result["records"] || []
@@ -60,12 +75,22 @@ module Mihari
         end.flatten.compact.uniq
       end
+      #
+      # IP search
+      #
+      # @return [Array<String>]
+      #
       def ip_search
         result = api.domains.search(filter: { ipv4: query })
         records = result["records"] || []
         records.filter_map { |record| record["hostname"] }.uniq
       end
+      #
+      # Mail search
+      #
+      # @return [Array<String>]
+      #
       def mail_search
         result = api.domains.search(filter: { whois_email: query })
         records = result["records"] || []

data/lib/mihari/analyzers/shodan.rb CHANGED Viewed

@@ -14,12 +14,11 @@ module Mihari
         results = search
         return [] unless results || results.empty?
+        results = results.map { |result| Structs::Shodan::Result.from_dynamic!(result) }
         results.map do |result|
-          matches = result["matches"] || []
-          matches.filter_map do |match|
-            match["ip_str"]
-          end
-        end.flatten.compact.uniq
+          matches = result.matches || []
+          matches.map { |match| build_artifact match }
+        end.flatten.compact.uniq(&:data)
       end
       private
@@ -34,6 +33,14 @@ module Mihari
         @api ||= ::Shodan::API.new(key: Mihari.config.shodan_api_key)
       end
+      #
+      # Search with pagination
+      #
+      # @param [String] query
+      # @param [Integer] page
+      #
+      # @return [Hash]
+      #
       def search_with_page(query, page: 1)
         api.host.search(query, page: page)
       rescue ::Shodan::Error => e
@@ -42,6 +49,11 @@ module Mihari
         raise e
       end
+      #
+      # Search
+      #
+      # @return [Array<Hash>]
+      #
       def search
         responses = []
         (1..Float::INFINITY).each do |page|
@@ -57,6 +69,28 @@ module Mihari
         end
         responses
       end
+      #
+      # Build an artifact from a Shodan search API response
+      #
+      # @param [Structs::Shodan::Match] match
+      #
+      # @return [Artifact]
+      #
+      def build_artifact(match)
+        as = AutonomousSystem.new(asn: normalize_asn(match.asn))
+        geolocation = Geolocation.new(
+          country: match.location.country_name,
+          country_code: match.location.country_code
+        )
+        Artifact.new(
+          data: match.ip_str,
+          source: source,
+          autonomous_system: as,
+          geolocation: geolocation
+        )
+      end
     end
   end
 end

data/lib/mihari/analyzers/spyse.rb CHANGED Viewed

@@ -30,10 +30,20 @@ module Mihari
         @api ||= ::Spyse::API.new(Mihari.config.spyse_api_key)
       end
+      #
+      # Check whether a type is valid or not
+      #
+      # @return [Boolean]
+      #
       def valid_type?
         %w[ip domain cert].include? type
       end
+      #
+      # Domain search
+      #
+      # @return [Array<String>]
+      #
       def domain_search
         res = api.domain.search(search_params, limit: 100)
         items = res.dig("data", "items") || []
@@ -42,6 +52,11 @@ module Mihari
         end.uniq.compact
       end
+      #
+      # IP search
+      #
+      # @return [Array<String>]
+      #
       def ip_search
         res = api.ip.search(search_params, limit: 100)
         items = res.dig("data", "items") || []
@@ -50,6 +65,11 @@ module Mihari
         end.uniq.compact
       end
+      #
+      # IP/domain search
+      #
+      # @return [Array<String>]
+      #
       def search
         case type
         when "domain"

data/lib/mihari/analyzers/urlscan.rb CHANGED Viewed

@@ -43,12 +43,22 @@ module Mihari
         @api ||= ::UrlScan::API.new(Mihari.config.urlscan_api_key)
       end
+      #
+      # Search
+      #
+      # @return [Array<Hash>]
+      #
       def search
         return api.pro.similar(query) if use_similarity
         api.search(query, size: 10_000)
       end
+      #
+      # Check whether a data type is valid or not
+      #
+      # @return [Boolean]
+      #
       def valid_alllowed_data_types?
         allowed_data_types.all? { |type| SUPPORTED_DATA_TYPES.include? type }
       end

data/lib/mihari/analyzers/virustotal.rb CHANGED Viewed

@@ -35,10 +35,20 @@ module Mihari
         @api = ::VirusTotal::API.new(key: Mihari.config.virustotal_api_key)
       end
+      #
+      # Check whether a type is valid or not
+      #
+      # @return [Boolean]
+      #
       def valid_type?
         %w[ip domain].include? type
       end
+      #
+      # Search
+      #
+      # @return [Array<String>]
+      #
       def search
         case type
         when "domain"
@@ -50,6 +60,11 @@ module Mihari
         end
       end
+      #
+      # Domain search
+      #
+      # @return [Array<String>]
+      #
       def domain_search
         res = api.domain.resolutions(query)
@@ -59,6 +74,11 @@ module Mihari
         end.uniq
       end
+      #
+      # IP search
+      #
+      # @return [Array<String>]
+      #
       def ip_search
         res = api.ip_address.resolutions(query)

data/lib/mihari/analyzers/zoomeye.rb CHANGED Viewed

@@ -26,6 +26,11 @@ module Mihari
       PAGE_SIZE = 10
+      #
+      # Check whether a type is valid or not
+      #
+      # @return [Boolean]
+      #
       def valid_type?
         %w[host web].include? type
       end
@@ -38,6 +43,13 @@ module Mihari
         @api ||= ::ZoomEye::API.new(api_key: Mihari.config.zoomeye_api_key)
       end
+      #
+      # Convert responses into an array of String
+      #
+      # @param [Array<Hash>] responses
+      #
+      # @return [Array<String>]
+      #
       def convert_responses(responses)
         responses.map do |res|
           matches = res["matches"] || []
@@ -47,12 +59,25 @@ module Mihari
         end.flatten.compact.uniq
       end
+      #
+      # Host search
+      #
+      # @param [String] query
+      # @param [Integer] page
+      #
+      # @return [Hash, nil]
+      #
       def _host_search(query, page: 1)
         api.host.search(query, page: page)
       rescue ::ZoomEye::Error => _e
         nil
       end
+      #
+      # Host search
+      #
+      # @return [Array<String>]
+      #
       def host_search
         responses = []
         (1..Float::INFINITY).each do |page|
@@ -66,12 +91,25 @@ module Mihari
         convert_responses responses.compact
       end
+      #
+      # Web search
+      #
+      # @param [String] query
+      # @param [Integer] page
+      #
+      # @return [Hash, nil]
+      #
       def _web_search(query, page: 1)
         api.web.search(query, page: page)
       rescue ::ZoomEye::Error => _e
         nil
       end
+      #
+      # Web search
+      #
+      # @return [Array<String>]
+      #
       def web_search
         responses = []
         (1..Float::INFINITY).each do |page|