RubyGems - mihari - Versions diffs - 3.4.1 → 3.7.0 - Mend

mihari 3.4.1 → 3.7.0

Files changed (181) hide show

checksums.yaml +4 -4
data/.gitmodules +3 -0
data/README.md +2 -0
data/Steepfile +32 -0
data/config.ru +1 -0
data/lib/mihari/analyzers/base.rb +24 -11
data/lib/mihari/analyzers/binaryedge.rb +13 -0
data/lib/mihari/analyzers/censys.rb +42 -9
data/lib/mihari/analyzers/circl.rb +15 -0
data/lib/mihari/analyzers/crtsh.rb +5 -0
data/lib/mihari/analyzers/dnpedia.rb +5 -0
data/lib/mihari/analyzers/dnstwister.rb +17 -0
data/lib/mihari/analyzers/onyphe.rb +50 -9
data/lib/mihari/analyzers/otx.rb +20 -0
data/lib/mihari/analyzers/passivetotal.rb +25 -0
data/lib/mihari/analyzers/pulsedive.rb +10 -0
data/lib/mihari/analyzers/rule.rb +18 -0
data/lib/mihari/analyzers/securitytrails.rb +25 -0
data/lib/mihari/analyzers/shodan.rb +39 -5
data/lib/mihari/analyzers/spyse.rb +20 -0
data/lib/mihari/analyzers/urlscan.rb +10 -0
data/lib/mihari/analyzers/virustotal.rb +20 -0
data/lib/mihari/analyzers/zoomeye.rb +38 -0
data/lib/mihari/cli/analyzer.rb +1 -0
data/lib/mihari/cli/base.rb +0 -2
data/lib/mihari/commands/init.rb +1 -1
data/lib/mihari/commands/search.rb +1 -0
data/lib/mihari/commands/web.rb +1 -0
data/lib/mihari/{constraints.rb → constants.rb} +0 -0
data/lib/mihari/database.rb +55 -3
data/lib/mihari/emitters/base.rb +1 -1
data/lib/mihari/emitters/misp.rb +38 -5
data/lib/mihari/emitters/slack.rb +20 -2
data/lib/mihari/emitters/the_hive.rb +16 -3
data/lib/mihari/emitters/webhook.rb +18 -3
data/lib/mihari/enrichers/ipinfo.rb +38 -0
data/lib/mihari/mixins/autonomous_system.rb +19 -0
data/lib/mihari/mixins/disallowed_data_value.rb +1 -1
data/lib/mihari/models/alert.rb +28 -10
data/lib/mihari/models/artifact.rb +94 -0
data/lib/mihari/models/autonomous_system.rb +28 -0
data/lib/mihari/models/dns.rb +55 -0
data/lib/mihari/models/geolocation.rb +29 -0
data/lib/mihari/models/reverse_dns.rb +26 -0
data/lib/mihari/models/whois.rb +119 -0
data/lib/mihari/schemas/configuration.rb +1 -0
data/lib/mihari/schemas/rule.rb +2 -15
data/lib/mihari/serializers/alert.rb +6 -4
data/lib/mihari/serializers/artifact.rb +11 -2
data/lib/mihari/serializers/autonomous_system.rb +9 -0
data/lib/mihari/serializers/dns.rb +11 -0
data/lib/mihari/serializers/geolocation.rb +11 -0
data/lib/mihari/serializers/reverse_dns.rb +11 -0
data/lib/mihari/serializers/tag.rb +4 -2
data/lib/mihari/serializers/whois.rb +11 -0
data/lib/mihari/structs/censys.rb +92 -0
data/lib/mihari/structs/ipinfo.rb +36 -0
data/lib/mihari/structs/onyphe.rb +47 -0
data/lib/mihari/structs/shodan.rb +53 -0
data/lib/mihari/type_checker.rb +9 -9
data/lib/mihari/types.rb +21 -0
data/lib/mihari/version.rb +1 -1
data/lib/mihari/web/app.rb +2 -0
data/lib/mihari/web/controllers/alerts_controller.rb +3 -4
data/lib/mihari/web/controllers/artifacts_controller.rb +73 -3
data/lib/mihari/web/controllers/ip_address_controller.rb +21 -0
data/lib/mihari/web/controllers/sources_controller.rb +2 -2
data/lib/mihari/web/controllers/tags_controller.rb +3 -1
data/lib/mihari/web/public/index.html +1 -1
data/lib/mihari/web/public/redoc-static.html +14 -11
data/lib/mihari/web/public/static/fonts/fa-brands-400.1a575a41.woff +0 -0
data/lib/mihari/web/public/static/fonts/fa-brands-400.513aa607.ttf +0 -0
data/lib/mihari/web/public/static/fonts/fa-brands-400.592643a8.eot +0 -0
data/lib/mihari/web/public/static/fonts/fa-brands-400.ed311c7a.woff2 +0 -0
data/lib/mihari/web/public/static/fonts/fa-regular-400.766913e6.ttf +0 -0
data/lib/mihari/web/public/static/fonts/fa-regular-400.b0e2db3b.eot +0 -0
data/lib/mihari/web/public/static/fonts/fa-regular-400.b91d376b.woff2 +0 -0
data/lib/mihari/web/public/static/fonts/fa-regular-400.d1d7e3b4.woff +0 -0
data/lib/mihari/web/public/static/fonts/fa-solid-900.0c6bfc66.eot +0 -0
data/lib/mihari/web/public/static/fonts/fa-solid-900.b9625119.ttf +0 -0
data/lib/mihari/web/public/static/fonts/fa-solid-900.d745348d.woff +0 -0
data/lib/mihari/web/public/static/fonts/fa-solid-900.d824df7e.woff2 +0 -0
data/lib/mihari/web/public/static/img/fa-brands-400.1d5619cd.svg +3717 -0
data/lib/mihari/web/public/static/img/fa-regular-400.c5d109be.svg +801 -0
data/lib/mihari/web/public/static/img/fa-solid-900.37bc7099.svg +5034 -0
data/lib/mihari/web/public/static/js/app.06d5cf1c.js +36 -0
data/lib/mihari/web/public/static/js/app.06d5cf1c.js.map +1 -0
data/lib/mihari/web/public/static/js/app.8e3e5150.js +36 -0
data/lib/mihari/web/public/static/js/app.8e3e5150.js.map +1 -0
data/lib/mihari/web/public/static/js/app.b5914c39.js +36 -0
data/lib/mihari/web/public/static/js/app.b5914c39.js.map +1 -0
data/lib/mihari.rb +30 -4
data/mihari.gemspec +10 -1
data/sig/lib/mihari/analyzers/base.rbs +90 -0
data/sig/lib/mihari/analyzers/basic.rbs +17 -0
data/sig/lib/mihari/analyzers/binaryedge.rbs +25 -0
data/sig/lib/mihari/analyzers/censys.rbs +38 -0
data/sig/lib/mihari/analyzers/circl.rbs +29 -0
data/sig/lib/mihari/analyzers/crtsh.rbs +19 -0
data/sig/lib/mihari/analyzers/dnpedia.rbs +18 -0
data/sig/lib/mihari/analyzers/dnstwister.rbs +27 -0
data/sig/lib/mihari/analyzers/onyphe.rbs +33 -0
data/sig/lib/mihari/analyzers/otx.rbs +33 -0
data/sig/lib/mihari/analyzers/passivetotal.rbs +33 -0
data/sig/lib/mihari/analyzers/pulsedive.rbs +27 -0
data/sig/lib/mihari/analyzers/rule.rbs +68 -0
data/sig/lib/mihari/analyzers/securitytrails.rbs +33 -0
data/sig/lib/mihari/analyzers/shodan.rbs +33 -0
data/sig/lib/mihari/analyzers/spyse.rbs +29 -0
data/sig/lib/mihari/analyzers/urlscan.rbs +28 -0
data/sig/lib/mihari/analyzers/virustotal.rbs +31 -0
data/sig/lib/mihari/analyzers/zoomeye.rbs +33 -0
data/sig/lib/mihari/cli/analyzer.rbs +39 -0
data/sig/lib/mihari/cli/base.rbs +11 -0
data/sig/lib/mihari/cli/init.rbs +7 -0
data/sig/lib/mihari/cli/main.rbs +9 -0
data/sig/lib/mihari/cli/mixins/utils.rbs +50 -0
data/sig/lib/mihari/cli/validator.rbs +7 -0
data/sig/lib/mihari/commands/binaryedge.rbs +7 -0
data/sig/lib/mihari/commands/censys.rbs +7 -0
data/sig/lib/mihari/commands/circl.rbs +7 -0
data/sig/lib/mihari/commands/crtsh.rbs +7 -0
data/sig/lib/mihari/commands/dnpedia.rbs +7 -0
data/sig/lib/mihari/commands/dnstwister.rbs +7 -0
data/sig/lib/mihari/commands/init.rbs +11 -0
data/sig/lib/mihari/commands/json.rbs +7 -0
data/sig/lib/mihari/commands/onyphe.rbs +7 -0
data/sig/lib/mihari/commands/otx.rbs +7 -0
data/sig/lib/mihari/commands/passivetotal.rbs +7 -0
data/sig/lib/mihari/commands/pulsedive.rbs +7 -0
data/sig/lib/mihari/commands/search.rbs +35 -0
data/sig/lib/mihari/commands/securitytrails.rbs +7 -0
data/sig/lib/mihari/commands/shodan.rbs +7 -0
data/sig/lib/mihari/commands/spyse.rbs +7 -0
data/sig/lib/mihari/commands/urlscan.rbs +7 -0
data/sig/lib/mihari/commands/validator.rbs +11 -0
data/sig/lib/mihari/commands/virustotal.rbs +7 -0
data/sig/lib/mihari/commands/web.rbs +7 -0
data/sig/lib/mihari/commands/zoomeye.rbs +7 -0
data/sig/lib/mihari/constants.rbs +3 -0
data/sig/lib/mihari/database.rbs +25 -0
data/sig/lib/mihari/emitters/base.rbs +18 -0
data/sig/lib/mihari/emitters/database.rbs +9 -0
data/sig/lib/mihari/emitters/misp.rbs +28 -0
data/sig/lib/mihari/emitters/slack.rbs +58 -0
data/sig/lib/mihari/emitters/stdout.rbs +9 -0
data/sig/lib/mihari/emitters/the_hive.rbs +24 -0
data/sig/lib/mihari/emitters/webhook.rbs +20 -0
data/sig/lib/mihari/enrichers/ipinfo.rbs +14 -0
data/sig/lib/mihari/errors.rbs +10 -0
data/sig/lib/mihari/mixins/autonomous_system.rbs +14 -0
data/sig/lib/mihari/mixins/configurable.rbs +26 -0
data/sig/lib/mihari/mixins/configuration.rbs +45 -0
data/sig/lib/mihari/mixins/disallowed_data_value.rbs +25 -0
data/sig/lib/mihari/mixins/hash.rbs +14 -0
data/sig/lib/mihari/mixins/refang.rbs +14 -0
data/sig/lib/mihari/mixins/retriable.rbs +15 -0
data/sig/lib/mihari/mixins/rule.rbs +41 -0
data/sig/lib/mihari/models/alert.rbs +46 -0
data/sig/lib/mihari/models/artifact.rbs +65 -0
data/sig/lib/mihari/models/autonomous_system.rbs +14 -0
data/sig/lib/mihari/models/dns.rbs +19 -0
data/sig/lib/mihari/models/geolocation.rbs +15 -0
data/sig/lib/mihari/models/reverse_dns.rbs +14 -0
data/sig/lib/mihari/models/tag.rbs +5 -0
data/sig/lib/mihari/models/tagging.rbs +4 -0
data/sig/lib/mihari/models/whois.rbs +66 -0
data/sig/lib/mihari/notifiers/base.rbs +18 -0
data/sig/lib/mihari/notifiers/exception_notifier.rbs +75 -0
data/sig/lib/mihari/notifiers/slack.rbs +50 -0
data/sig/lib/mihari/status.rbs +25 -0
data/sig/lib/mihari/structs/censys.rbs +50 -0
data/sig/lib/mihari/structs/ipinfo.rbs +17 -0
data/sig/lib/mihari/structs/onyphe.rbs +25 -0
data/sig/lib/mihari/structs/shodan.rbs +28 -0
data/sig/lib/mihari/type_checker.rbs +48 -0
data/sig/lib/mihari/types.rbs +17 -0
data/sig/lib/mihari/version.rbs +3 -0
data/sig/lib/mihari/web/app.rbs +5 -0
data/sig/lib/mihari.rbs +57 -0
metadata +259 -5

data/lib/mihari/models/alert.rb CHANGED Viewed

@@ -18,8 +18,8 @@ module Mihari
       # @param [String, nil] source
       # @param [String, nil] tag_name
       # @param [String, nil] title
-      # @param [String, nil] from_at
-      # @param [String, nil] to_at
+      # @param [DateTime, nil] from_at
+      # @param [DateTime, nil] to_at
       # @param [Integer, nil] limit
       # @param [Integer, nil] page
       #
@@ -34,12 +34,22 @@ module Mihari
         offset = (page - 1) * limit
-        relation = build_relation(artifact_data: artifact_data, title: title, description: description, source: source, tag_name: tag_name, from_at: from_at, to_at: to_at)
+        relation = build_relation(
+          artifact_data: artifact_data,
+          title: title,
+          description: description,
+          source: source,
+          tag_name: tag_name,
+          from_at: from_at,
+          to_at: to_at
+        )
-        alerts = relation.limit(limit).offset(offset).order(id: :desc)
+        # TODO: improve queires
+        alert_ids = relation.limit(limit).offset(offset).order(id: :desc).pluck(:id).uniq
+        alerts = includes(:artifacts, :tags).where(id: [alert_ids]).order(id: :desc)
         alerts.map do |alert|
-          json = AlertSerializer.new(alert).as_json
+          json = Serializers::AlertSerializer.new(alert).as_json
           json[:artifacts] = json[:artifacts] || []
           json[:tags] = json[:tags] || []
           json
@@ -54,13 +64,21 @@ module Mihari
       # @param [String, nil] source
       # @param [String, nil] tag_name
       # @param [String, nil] title
-      # @param [String, nil] from_at
-      # @param [String, nil] to_at
+      # @param [DateTime, nil] from_at
+      # @param [DateTime, nil] to_at
       #
       # @return [Integer]
       #
       def count(artifact_data: nil, description: nil, source: nil, tag_name: nil, title: nil, from_at: nil, to_at: nil)
-        relation = build_relation(artifact_data: artifact_data, title: title, description: description, source: source, tag_name: tag_name, from_at: from_at, to_at: to_at)
+        relation = build_relation(
+          artifact_data: artifact_data,
+          title: title,
+          description: description,
+          source: source,
+          tag_name: tag_name,
+          from_at: from_at,
+          to_at: to_at
+        )
         relation.distinct("alerts.id").count
       end
@@ -68,8 +86,8 @@ module Mihari
       def build_relation(artifact_data: nil, title: nil, description: nil, source: nil, tag_name: nil, from_at: nil, to_at: nil)
         relation = self
-        relation = joins(:tags) if tag_name
-        relation = joins(:artifacts) if artifact_data
+        relation = relation.includes(:artifacts, :tags)
         relation = relation.where(artifacts: { data: artifact_data }) if artifact_data
         relation = relation.where(tags: { name: tag_name }) if tag_name

data/lib/mihari/models/artifact.rb CHANGED Viewed

@@ -4,6 +4,7 @@ require "active_record"
 require "active_record/filter"
 require "active_support/core_ext/integer/time"
 require "active_support/core_ext/numeric/time"
+require "uri"
 class ArtifactValidator < ActiveModel::Validator
   def validate(record)
@@ -15,6 +16,15 @@ end
 module Mihari
   class Artifact < ActiveRecord::Base
+    belongs_to :alert
+    has_one :autonomous_system, dependent: :destroy
+    has_one :geolocation, dependent: :destroy
+    has_one :whois_record, dependent: :destroy
+    has_many :dns_records, dependent: :destroy
+    has_many :reverse_dns_names, dependent: :destroy
     include ActiveModel::Validations
     validates_with ArtifactValidator
@@ -44,5 +54,89 @@ module Mihari
       #                           within {ignore_threshold} days, do not ignore it
       artifact.created_at < days_before
     end
+    #
+    # Enrich(add) whois record
+    #
+    def enrich_whois
+      return unless can_enrich_whois?
+      self.whois_record = WhoisRecord.build_by_domain(normalize_as_domain(data))
+    end
+    #
+    # Enrich(add) DNS records
+    #
+    def enrich_dns
+      return unless can_enrich_dns?
+      self.dns_records = DnsRecord.build_by_domain(normalize_as_domain(data))
+    end
+    #
+    # Enrich(add) reverse DNS names
+    #
+    def enrich_reverse_dns
+      return unless can_enrich_revese_dns?
+      self.reverse_dns_names = ReverseDnsName.build_by_ip(data)
+    end
+    #
+    # Enrich(add) geolocation
+    #
+    def enrich_geolocation
+      return unless can_enrich_geolocation?
+      self.geolocation = Geolocation.build_by_ip(data)
+    end
+    #
+    # Enrich(add) geolocation
+    #
+    def enrich_autonomous_system
+      return unless can_enrich_autonomous_system?
+      self.autonomous_system = AutonomousSystem.build_by_ip(data)
+    end
+    #
+    # Enrich all the enrichable relationships of the artifact
+    #
+    def enrich_all
+      enrich_autonomous_system
+      enrich_dns
+      enrich_geolocation
+      enrich_reverse_dns
+      enrich_whois
+    end
+    private
+    def normalize_as_domain(url_or_domain)
+      return url_or_domain if data_type == "domain"
+      URI.parse(url_or_domain).host
+    end
+    def can_enrich_whois?
+      %w[domain url].include?(data_type) && whois_record.nil?
+    end
+    def can_enrich_dns?
+      %w[domain url].include?(data_type) && dns_records.empty?
+    end
+    def can_enrich_revese_dns?
+      data_type == "ip" && reverse_dns_names.empty?
+    end
+    def can_enrich_geolocation?
+      data_type == "ip" && geolocation.nil?
+    end
+    def can_enrich_autonomous_system?
+      data_type == "ip" && autonomous_system.nil?
+    end
   end
 end

data/lib/mihari/models/autonomous_system.rb ADDED Viewed

@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+require "active_record"
+module Mihari
+  class AutonomousSystem < ActiveRecord::Base
+    belongs_to :artifact
+    class << self
+      #
+      # Build AS
+      #
+      # @param [String] ip
+      #
+      # @return [Mihari::AutonomousSystem, nil]
+      #
+      def build_by_ip(ip)
+        res = Enrichers::IPInfo.query(ip)
+        unless res.nil?
+          return new(asn: res.asn)
+        end
+        nil
+      end
+    end
+  end
+end

data/lib/mihari/models/dns.rb ADDED Viewed

@@ -0,0 +1,55 @@
+# frozen_string_literal: true
+require "active_record"
+require "resolv"
+module Mihari
+  class DnsRecord < ActiveRecord::Base
+    belongs_to :artifact
+    class << self
+      #
+      # Build DNS records
+      #
+      # @param [String] domain
+      #
+      # @return [Array<Mihari::DnsRecord>]
+      #
+      def build_by_domain(domain)
+        resource_types = [
+          Resolv::DNS::Resource::IN::A,
+          Resolv::DNS::Resource::IN::AAAA,
+          Resolv::DNS::Resource::IN::CNAME,
+          Resolv::DNS::Resource::IN::TXT,
+          Resolv::DNS::Resource::IN::NS
+        ]
+        resource_types.map do |resource_type|
+          get_values domain, resource_type
+        rescue Resolv::ResolvError
+          nil
+        end.flatten.compact
+      end
+      private
+      def get_values(domain, resource_type)
+        resources = Resolv::DNS.new.getresources(domain, resource_type)
+        resource_name = resource_type.to_s.split("::").last
+        resources.map do |resource|
+          # A, AAAA
+          if resource.respond_to?(:address)
+            new(resource: resource_name, value: resource.address.to_s)
+          # CNAME, NS
+          elsif resource.respond_to?(:name)
+            new(resource: resource_name, value: resource.name.to_s)
+          # TXT
+          elsif resource.respond_to?(:data)
+            new(resource: resource_name, value: resource.data.to_s)
+          end
+        end.compact
+      end
+    end
+  end
+end

data/lib/mihari/models/geolocation.rb ADDED Viewed

@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+require "active_record"
+require "normalize_country"
+module Mihari
+  class Geolocation < ActiveRecord::Base
+    belongs_to :artifact
+    class << self
+      #
+      # Build Geolocation
+      #
+      # @param [String] ip
+      #
+      # @return [Mihari::Geolocation, nil]
+      #
+      def build_by_ip(ip)
+        res = Enrichers::IPInfo.query(ip)
+        unless res.nil?
+          return new(country: NormalizeCountry(res.country_code, to: :short), country_code: res.country_code)
+        end
+        nil
+      end
+    end
+  end
+end

data/lib/mihari/models/reverse_dns.rb ADDED Viewed

@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+require "active_record"
+require "resolv"
+module Mihari
+  class ReverseDnsName < ActiveRecord::Base
+    belongs_to :artifact
+    class << self
+      #
+      # Build reverse DNS names
+      #
+      # @param [String] ip
+      #
+      # @return [Array<Mihari::ReverseDnsName>]
+      #
+      def build_by_ip(ip)
+        names = Resolv.getnames(ip)
+        names.map { |name| new(name: name) }
+      rescue Resolv::ResolvError
+        []
+      end
+    end
+  end
+end

data/lib/mihari/models/whois.rb ADDED Viewed

@@ -0,0 +1,119 @@
+# frozen_string_literal: true
+require "active_record"
+require "whois-parser"
+require "public_suffix"
+module Mihari
+  class WhoisRecord < ActiveRecord::Base
+    belongs_to :artifact
+    @memo = {}
+    class << self
+      #
+      # Build whois record
+      #
+      # @param [Stinrg] domain
+      #
+      # @return [WhoisRecord, nil]
+      #
+      def build_by_domain(domain)
+        domain = PublicSuffix.domain(domain)
+        # check memo
+        if @memo.key?(domain)
+          whois_record = @memo[domain]
+          # return clone of the record
+          return whois_record.dup
+        end
+        record = Whois.whois(domain)
+        parser = record.parser
+        return nil if parser.available?
+        whois_record = new(
+          domain: domain,
+          created_on: get_created_on(parser),
+          updated_on: get_updated_on(parser),
+          expires_on: get_expires_on(parser),
+          registrar: get_registrar(parser),
+          contacts: get_contacts(parser)
+        )
+        # set memo
+        @memo[domain] = whois_record
+        whois_record
+      rescue Whois::Error, Whois::ParserError, Timeout::Error
+        nil
+      end
+      private
+      #
+      # Get created_on
+      #
+      # @param [::Whois::Parser:] parser
+      #
+      # @return [Date, nil]
+      #
+      def get_created_on(parser)
+        parser.created_on
+      rescue ::Whois::AttributeNotImplemented
+        nil
+      end
+      #
+      # Get updated_on
+      #
+      # @param [::Whois::Parser:] parser
+      #
+      # @return [Date, nil]
+      #
+      def get_updated_on(parser)
+        parser.updated_on
+      rescue ::Whois::AttributeNotImplemented
+        nil
+      end
+      #
+      # Get expires_on
+      #
+      # @param [::Whois::Parser:] parser
+      #
+      # @return [Date, nil]
+      #
+      def get_expires_on(parser)
+        parser.expires_on
+      rescue ::Whois::AttributeNotImplemented
+        nil
+      end
+      #
+      # Get registrar
+      #
+      # @param [::Whois::Parser:] parser
+      #
+      # @return [Hash, nil]
+      #
+      def get_registrar(parser)
+        parser.registrar&.to_h
+      rescue ::Whois::AttributeNotImplemented
+        nil
+      end
+      #
+      # Get contacts
+      #
+      # @param [::Whois::Parser:] parser
+      #
+      # @return [Array[Hash], nil]
+      #
+      def get_contacts(parser)
+        parser.contacts.map(&:to_h)
+      rescue ::Whois::AttributeNotImplemented
+        nil
+      end
+    end
+  end
+end