mihari 3.5.0 → 3.6.0

data/lib/mihari/models/autonomous_system.rb

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+require "active_record"
+
+module Mihari
+  class AutonomousSystem < ActiveRecord::Base
+    has_one :artifact, dependent: :destroy
+  end
+end

data/lib/mihari/models/dns.rb

@@ -0,0 +1,53 @@
+# frozen_string_literal: true
+
+require "active_record"
+require "resolv"
+
+module Mihari
+  class DnsRecord < ActiveRecord::Base
+    class << self
+      #
+      # Build DNS records
+      #
+      # @param [String] domain
+      #
+      # @return [Array<Mihari::DnsRecord>]
+      #
+      def build_by_domain(domain)
+        resource_types = [
+          Resolv::DNS::Resource::IN::A,
+          Resolv::DNS::Resource::IN::AAAA,
+          Resolv::DNS::Resource::IN::CNAME,
+          Resolv::DNS::Resource::IN::TXT,
+          Resolv::DNS::Resource::IN::NS
+        ]
+
+        resource_types.map do |resource_type|
+          get_values domain, resource_type
+        rescue Resolv::ResolvError
+          nil
+        end.flatten.compact
+      end
+
+      private
+
+      def get_values(domain, resource_type)
+        resources = Resolv::DNS.new.getresources(domain, resource_type)
+        resource_name = resource_type.to_s.split("::").last
+
+        resources.map do |resource|
+          # A, AAAA
+          if resource.respond_to?(:address)
+            new(resource: resource_name, value: resource.address.to_s)
+          # CNAME, NS
+          elsif resource.respond_to?(:name)
+            new(resource: resource_name, value: resource.name.to_s)
+          # TXT
+          elsif resource.respond_to?(:data)
+            new(resource: resource_name, value: resource.data.to_s)
+          end
+        end.compact
+      end
+    end
+  end
+end

data/lib/mihari/models/geolocation.rb

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+require "active_record"
+
+module Mihari
+  class Geolocation < ActiveRecord::Base
+    has_one :artifact, dependent: :destroy
+  end
+end

data/lib/mihari/models/reverse_dns.rb

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+require "active_record"
+require "resolv"
+
+module Mihari
+  class ReverseDnsName < ActiveRecord::Base
+    class << self
+      #
+      # Build reverse DNS names
+      #
+      # @param [String] ip
+      #
+      # @return [Array<Mihari::ReverseDnsName>]
+      #
+      def build_by_ip(ip)
+        names = Resolv.getnames(ip)
+        names.map { |name| new(name: name) }
+      rescue Resolv::ResolvError
+        []
+      end
+    end
+  end
+end

data/lib/mihari/models/whois.rb

@@ -0,0 +1,119 @@
+# frozen_string_literal: true
+
+require "active_record"
+require "whois-parser"
+require "public_suffix"
+
+module Mihari
+  class WhoisRecord < ActiveRecord::Base
+    has_one :artifact, dependent: :destroy
+
+    @memo = {}
+
+    class << self
+      #
+      # Build whois record
+      #
+      # @param [Stinrg] domain
+      #
+      # @return [WhoisRecord, nil]
+      #
+      def build_by_domain(domain)
+        domain = PublicSuffix.domain(domain)
+
+        # check memo
+        if @memo.key?(domain)
+          whois_record = @memo[domain]
+          # return clone of the record
+          return whois_record.dup
+        end
+
+        record = Whois.whois(domain)
+        parser = record.parser
+
+        return nil if parser.available?
+
+        whois_record = new(
+          domain: domain,
+          created_on: get_created_on(parser),
+          updated_on: get_updated_on(parser),
+          expires_on: get_expires_on(parser),
+          registrar: get_registrar(parser),
+          contacts: get_contacts(parser)
+        )
+        # set memo
+        @memo[domain] = whois_record
+        whois_record
+      rescue Whois::Error, Whois::ParserError, Timeout::Error
+        nil
+      end
+
+      private
+
+      #
+      # Get created_on
+      #
+      # @param [::Whois::Parser:] parser
+      #
+      # @return [Date, nil]
+      #
+      def get_created_on(parser)
+        parser.created_on
+      rescue ::Whois::AttributeNotImplemented
+        nil
+      end
+
+      #
+      # Get updated_on
+      #
+      # @param [::Whois::Parser:] parser
+      #
+      # @return [Date, nil]
+      #
+      def get_updated_on(parser)
+        parser.updated_on
+      rescue ::Whois::AttributeNotImplemented
+        nil
+      end
+
+      #
+      # Get expires_on
+      #
+      # @param [::Whois::Parser:] parser
+      #
+      # @return [Date, nil]
+      #
+      def get_expires_on(parser)
+        parser.expires_on
+      rescue ::Whois::AttributeNotImplemented
+        nil
+      end
+
+      #
+      # Get registrar
+      #
+      # @param [::Whois::Parser:] parser
+      #
+      # @return [Hash, nil]
+      #
+      def get_registrar(parser)
+        parser.registrar&.to_h
+      rescue ::Whois::AttributeNotImplemented
+        nil
+      end
+
+      #
+      # Get contacts
+      #
+      # @param [::Whois::Parser:] parser
+      #
+      # @return [Array[Hash], nil]
+      #
+      def get_contacts(parser)
+        parser.contacts.map(&:to_h)
+      rescue ::Whois::AttributeNotImplemented
+        nil
+      end
+    end
+  end
+end

data/lib/mihari/schemas/rule.rb

@@ -2,26 +2,13 @@
 
 require "dry/schema"
 require "dry/validation"
-require "dry/types"
 
 require "mihari/schemas/macros"
 
 module Mihari
-  module Types
-    include Dry.Types()
-  end
-
-  DataTypes = Types::String.enum(*ALLOWED_DATA_TYPES)
-
-  AnalyzerTypes = Types::String.enum(
-    "binaryedge", "censys", "circl", "dnpedia", "dnstwister",
-    "onyphe", "otx", "passivetotal", "pulsedive", "securitytrails",
-    "shodan", "virustotal"
-  )
-
   module Schemas
     Analyzer = Dry::Schema.Params do
-      required(:analyzer).value(AnalyzerTypes)
+      required(:analyzer).value(Types::AnalyzerTypes)
       required(:query).value(:string)
     end
 
@@ -62,7 +49,7 @@ module Mihari
 
       required(:queries).value(:array).each { Analyzer | Spyse | ZoomEye | Urlscan | Crtsh }
 
-      optional(:allowed_data_types).value(array[DataTypes]).default(ALLOWED_DATA_TYPES)
+      optional(:allowed_data_types).value(array[Types::DataTypes]).default(ALLOWED_DATA_TYPES)
       optional(:disallowed_data_values).value(array[:string]).default([])
 
       optional(:ignore_old_artifacts).value(:bool).default(false)

data/lib/mihari/serializers/alert.rb

@@ -3,10 +3,12 @@
 require "active_model_serializers"
 
 module Mihari
-  class AlertSerializer < ActiveModel::Serializer
-    attributes :id, :title, :description, :source, :created_at
+  module Serializers
+    class AlertSerializer < ActiveModel::Serializer
+      attributes :id, :title, :description, :source, :created_at
 
-    has_many :artifacts
-    has_many :tags, through: :taggings
+      has_many :artifacts, serializer: ArtifactSerializer
+      has_many :tags, through: :taggings, serializer: TagSerializer
+    end
   end
 end

data/lib/mihari/serializers/artifact.rb

@@ -3,7 +3,16 @@
 require "active_model_serializers"
 
 module Mihari
-  class ArtifactSerializer < ActiveModel::Serializer
-    attributes :id, :data, :data_type, :source
+  module Serializers
+    class ArtifactSerializer < ActiveModel::Serializer
+      attributes :id, :data, :data_type, :source
+
+      has_one :autonomous_system, serializer: AutonomousSystemSerializer
+      has_one :geolocation, serializer: GeolocationSerializer
+      has_one :whois_record, serializer: WhoisRecordSerializer
+
+      has_many :dns_records, serializer: DnsRecordSerializer
+      has_many :reverse_dns_names, serializer: ReverseDnsNameSerializer
+    end
   end
 end

data/lib/mihari/serializers/autonomous_system.rb

@@ -0,0 +1,9 @@
+require "active_model_serializers"
+
+module Mihari
+  module Serializers
+    class AutonomousSystemSerializer < ActiveModel::Serializer
+      attributes :asn
+    end
+  end
+end

data/lib/mihari/serializers/dns.rb

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+require "active_model_serializers"
+
+module Mihari
+  module Serializers
+    class DnsRecordSerializer < ActiveModel::Serializer
+      attributes :resource, :value
+    end
+  end
+end

data/lib/mihari/serializers/geolocation.rb

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+require "active_model_serializers"
+
+module Mihari
+  module Serializers
+    class GeolocationSerializer < ActiveModel::Serializer
+      attributes :country, :country_code
+    end
+  end
+end

data/lib/mihari/serializers/reverse_dns.rb

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+require "active_model_serializers"
+
+module Mihari
+  module Serializers
+    class ReverseDnsNameSerializer < ActiveModel::Serializer
+      attributes :name
+    end
+  end
+end

data/lib/mihari/serializers/tag.rb

@@ -3,7 +3,9 @@
 require "active_model_serializers"
 
 module Mihari
-  class TagSerializer < ActiveModel::Serializer
-    attributes :id, :name
+  module Serializers
+    class TagSerializer < ActiveModel::Serializer
+      attributes :id, :name
+    end
   end
 end

data/lib/mihari/serializers/whois.rb

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+require "active_model_serializers"
+
+module Mihari
+  module Serializers
+    class WhoisRecordSerializer < ActiveModel::Serializer
+      attributes :domain, :created_on, :updated_on, :expires_on, :registrar, :contacts
+    end
+  end
+end

data/lib/mihari/structs/censys.rb

@@ -0,0 +1,92 @@
+require "json"
+require "dry/struct"
+
+module Mihari
+  module Structs
+    module Censys
+      class AutonomousSystem < Dry::Struct
+        attribute :asn, Types::Int
+
+        def self.from_dynamic!(d)
+          d = Types::Hash[d]
+          new(
+            asn: d.fetch("asn")
+          )
+        end
+      end
+
+      class Location < Dry::Struct
+        attribute :country, Types::String.optional
+        attribute :country_code, Types::String.optional
+
+        def self.from_dynamic!(d)
+          d = Types::Hash[d]
+          new(
+            country: d["country"],
+            country_code: d["country_code"]
+          )
+        end
+      end
+
+      class Hit < Dry::Struct
+        attribute :ip, Types::String
+        attribute :location, Location
+        attribute :autonomous_system, AutonomousSystem
+
+        def self.from_dynamic!(d)
+          d = Types::Hash[d]
+          new(
+            ip: d.fetch("ip"),
+            location: Location.from_dynamic!(d.fetch("location")),
+            autonomous_system: AutonomousSystem.from_dynamic!(d.fetch("autonomous_system"))
+          )
+        end
+      end
+
+      class Links < Dry::Struct
+        attribute :next, Types::String
+        attribute :prev, Types::String
+
+        def self.from_dynamic!(d)
+          d = Types::Hash[d]
+          new(
+            next: d.fetch("next"),
+            prev: d.fetch("prev")
+          )
+        end
+      end
+
+      class Result < Dry::Struct
+        attribute :query, Types::String
+        attribute :total, Types::Int
+        attribute :hits, Types.Array(Hit)
+        attribute :links, Links
+
+        def self.from_dynamic!(d)
+          d = Types::Hash[d]
+          new(
+            query: d.fetch("query"),
+            total: d.fetch("total"),
+            hits: d.fetch("hits", []).map { |x| Hit.from_dynamic!(x) },
+            links: Links.from_dynamic!(d.fetch("links"))
+          )
+        end
+      end
+
+      class Response < Dry::Struct
+        attribute :code, Types::Int
+        attribute :status, Types::String
+        attribute :result, Result
+
+        def self.from_dynamic!(d)
+          d = Types::Hash[d]
+          new(
+            code: d.fetch("code"),
+            status: d.fetch("status"),
+            result: Result.from_dynamic!(d.fetch("result"))
+          )
+        end
+      end
+    end
+  end
+end