RubyGems - mihari - Versions diffs - 3.6.0 → 3.7.2 - Mend

mihari 3.6.0 → 3.7.2

Files changed (139) hide show

checksums.yaml +4 -4
data/.gitmodules +3 -0
data/Steepfile +32 -0
data/lib/mihari/analyzers/base.rb +7 -22
data/lib/mihari/analyzers/binaryedge.rb +13 -0
data/lib/mihari/analyzers/censys.rb +5 -0
data/lib/mihari/analyzers/circl.rb +15 -0
data/lib/mihari/analyzers/crtsh.rb +5 -0
data/lib/mihari/analyzers/dnpedia.rb +5 -0
data/lib/mihari/analyzers/dnstwister.rb +17 -0
data/lib/mihari/analyzers/onyphe.rb +20 -4
data/lib/mihari/analyzers/otx.rb +20 -0
data/lib/mihari/analyzers/passivetotal.rb +25 -0
data/lib/mihari/analyzers/pulsedive.rb +10 -0
data/lib/mihari/analyzers/rule.rb +18 -0
data/lib/mihari/analyzers/securitytrails.rb +25 -0
data/lib/mihari/analyzers/shodan.rb +13 -0
data/lib/mihari/analyzers/spyse.rb +20 -0
data/lib/mihari/analyzers/urlscan.rb +10 -0
data/lib/mihari/analyzers/virustotal.rb +20 -0
data/lib/mihari/analyzers/zoomeye.rb +38 -0
data/lib/mihari/database.rb +13 -0
data/lib/mihari/emitters/base.rb +1 -1
data/lib/mihari/emitters/misp.rb +38 -5
data/lib/mihari/emitters/slack.rb +20 -2
data/lib/mihari/emitters/the_hive.rb +16 -3
data/lib/mihari/emitters/webhook.rb +18 -3
data/lib/mihari/enrichers/base.rb +18 -0
data/lib/mihari/enrichers/ipinfo.rb +49 -0
data/lib/mihari/mixins/autonomous_system.rb +19 -0
data/lib/mihari/mixins/disallowed_data_value.rb +1 -1
data/lib/mihari/models/artifact.rb +42 -3
data/lib/mihari/models/autonomous_system.rb +18 -1
data/lib/mihari/models/dns.rb +2 -0
data/lib/mihari/models/geolocation.rb +21 -1
data/lib/mihari/models/reverse_dns.rb +2 -0
data/lib/mihari/models/whois.rb +1 -1
data/lib/mihari/status.rb +7 -2
data/lib/mihari/structs/ipinfo.rb +39 -0
data/lib/mihari/structs/onyphe.rb +2 -2
data/lib/mihari/type_checker.rb +9 -9
data/lib/mihari/version.rb +1 -1
data/lib/mihari/web/controllers/artifacts_controller.rb +27 -1
data/lib/mihari/web/controllers/ip_address_controller.rb +4 -19
data/lib/mihari/web/public/index.html +1 -1
data/lib/mihari/web/public/redoc-static.html +7 -6
data/lib/mihari/web/public/static/js/app.06d5cf1c.js +36 -0
data/lib/mihari/web/public/static/js/app.06d5cf1c.js.map +1 -0
data/lib/mihari.rb +40 -26
data/mihari.gemspec +7 -4
data/sig/lib/mihari/analyzers/base.rbs +90 -0
data/sig/lib/mihari/analyzers/basic.rbs +17 -0
data/sig/lib/mihari/analyzers/binaryedge.rbs +25 -0
data/sig/lib/mihari/analyzers/censys.rbs +38 -0
data/sig/lib/mihari/analyzers/circl.rbs +29 -0
data/sig/lib/mihari/analyzers/crtsh.rbs +19 -0
data/sig/lib/mihari/analyzers/dnpedia.rbs +18 -0
data/sig/lib/mihari/analyzers/dnstwister.rbs +27 -0
data/sig/lib/mihari/analyzers/onyphe.rbs +33 -0
data/sig/lib/mihari/analyzers/otx.rbs +33 -0
data/sig/lib/mihari/analyzers/passivetotal.rbs +33 -0
data/sig/lib/mihari/analyzers/pulsedive.rbs +27 -0
data/sig/lib/mihari/analyzers/rule.rbs +68 -0
data/sig/lib/mihari/analyzers/securitytrails.rbs +33 -0
data/sig/lib/mihari/analyzers/shodan.rbs +33 -0
data/sig/lib/mihari/analyzers/spyse.rbs +29 -0
data/sig/lib/mihari/analyzers/urlscan.rbs +28 -0
data/sig/lib/mihari/analyzers/virustotal.rbs +31 -0
data/sig/lib/mihari/analyzers/zoomeye.rbs +33 -0
data/sig/lib/mihari/cli/analyzer.rbs +39 -0
data/sig/lib/mihari/cli/base.rbs +11 -0
data/sig/lib/mihari/cli/init.rbs +7 -0
data/sig/lib/mihari/cli/main.rbs +9 -0
data/sig/lib/mihari/cli/mixins/utils.rbs +50 -0
data/sig/lib/mihari/cli/validator.rbs +7 -0
data/sig/lib/mihari/commands/binaryedge.rbs +7 -0
data/sig/lib/mihari/commands/censys.rbs +7 -0
data/sig/lib/mihari/commands/circl.rbs +7 -0
data/sig/lib/mihari/commands/crtsh.rbs +7 -0
data/sig/lib/mihari/commands/dnpedia.rbs +7 -0
data/sig/lib/mihari/commands/dnstwister.rbs +7 -0
data/sig/lib/mihari/commands/init.rbs +11 -0
data/sig/lib/mihari/commands/json.rbs +7 -0
data/sig/lib/mihari/commands/onyphe.rbs +7 -0
data/sig/lib/mihari/commands/otx.rbs +7 -0
data/sig/lib/mihari/commands/passivetotal.rbs +7 -0
data/sig/lib/mihari/commands/pulsedive.rbs +7 -0
data/sig/lib/mihari/commands/search.rbs +35 -0
data/sig/lib/mihari/commands/securitytrails.rbs +7 -0
data/sig/lib/mihari/commands/shodan.rbs +7 -0
data/sig/lib/mihari/commands/spyse.rbs +7 -0
data/sig/lib/mihari/commands/urlscan.rbs +7 -0
data/sig/lib/mihari/commands/validator.rbs +11 -0
data/sig/lib/mihari/commands/virustotal.rbs +7 -0
data/sig/lib/mihari/commands/web.rbs +7 -0
data/sig/lib/mihari/commands/zoomeye.rbs +7 -0
data/sig/lib/mihari/constants.rbs +3 -0
data/sig/lib/mihari/database.rbs +25 -0
data/sig/lib/mihari/emitters/base.rbs +18 -0
data/sig/lib/mihari/emitters/database.rbs +9 -0
data/sig/lib/mihari/emitters/misp.rbs +28 -0
data/sig/lib/mihari/emitters/slack.rbs +58 -0
data/sig/lib/mihari/emitters/stdout.rbs +9 -0
data/sig/lib/mihari/emitters/the_hive.rbs +24 -0
data/sig/lib/mihari/emitters/webhook.rbs +20 -0
data/sig/lib/mihari/enrichers/base.rbs +12 -0
data/sig/lib/mihari/enrichers/ipinfo.rbs +16 -0
data/sig/lib/mihari/errors.rbs +10 -0
data/sig/lib/mihari/mixins/autonomous_system.rbs +14 -0
data/sig/lib/mihari/mixins/configurable.rbs +26 -0
data/sig/lib/mihari/mixins/configuration.rbs +45 -0
data/sig/lib/mihari/mixins/disallowed_data_value.rbs +25 -0
data/sig/lib/mihari/mixins/hash.rbs +14 -0
data/sig/lib/mihari/mixins/refang.rbs +14 -0
data/sig/lib/mihari/mixins/retriable.rbs +15 -0
data/sig/lib/mihari/mixins/rule.rbs +41 -0
data/sig/lib/mihari/models/alert.rbs +46 -0
data/sig/lib/mihari/models/artifact.rbs +65 -0
data/sig/lib/mihari/models/autonomous_system.rbs +14 -0
data/sig/lib/mihari/models/dns.rbs +19 -0
data/sig/lib/mihari/models/geolocation.rbs +15 -0
data/sig/lib/mihari/models/reverse_dns.rbs +14 -0
data/sig/lib/mihari/models/tag.rbs +5 -0
data/sig/lib/mihari/models/tagging.rbs +4 -0
data/sig/lib/mihari/models/whois.rbs +66 -0
data/sig/lib/mihari/notifiers/base.rbs +18 -0
data/sig/lib/mihari/notifiers/exception_notifier.rbs +75 -0
data/sig/lib/mihari/notifiers/slack.rbs +50 -0
data/sig/lib/mihari/status.rbs +25 -0
data/sig/lib/mihari/structs/censys.rbs +50 -0
data/sig/lib/mihari/structs/ipinfo.rbs +17 -0
data/sig/lib/mihari/structs/onyphe.rbs +25 -0
data/sig/lib/mihari/structs/shodan.rbs +28 -0
data/sig/lib/mihari/type_checker.rbs +48 -0
data/sig/lib/mihari/types.rbs +17 -0
data/sig/lib/mihari/version.rbs +3 -0
data/sig/lib/mihari/web/app.rbs +5 -0
data/sig/lib/mihari.rbs +59 -0
metadata +148 -10

data/lib/mihari/emitters/the_hive.rb CHANGED Viewed

@@ -6,7 +6,7 @@ require "net/ping"
 module Mihari
   module Emitters
     class TheHive < Base
-      # @return [true, false]
+      # @return [Boolean]
       def valid?
         api_endpont? && api_key? && ping?
       end
@@ -34,16 +34,29 @@ module Mihari
         @api ||= Hachi::API.new(api_endpoint: Mihari.config.thehive_api_endpoint, api_key: Mihari.config.thehive_api_key)
       end
-      # @return [true, false]
+      #
+      # Check whether an API endpoint is set or not
+      #
+      # @return [Boolean]
+      #
       def api_endpont?
         !Mihari.config.thehive_api_endpoint.nil?
       end
-      # @return [true, false]
+      #
+      # Check whether an API key is set or not
+      #
+      # @return [Boolean]
+      # ]
       def api_key?
         !Mihari.config.thehive_api_key.nil?
       end
+      #
+      # Check whether an API endpoint is reachable or not
+      #
+      # @return [Boolean]
+      #
       def ping?
         base_url = Mihari.config.thehive_api_endpoint
         base_url = base_url.end_with?("/") ? base_url[0..-2] : base_url

data/lib/mihari/emitters/webhook.rb CHANGED Viewed

@@ -7,7 +7,7 @@ require "uri"
 module Mihari
   module Emitters
     class Webhook < Base
-      # @return [true, false]
+      # @return [Boolean]
       def valid?
         webhook_url?
       end
@@ -24,7 +24,7 @@ module Mihari
           tags: tags
         }
-        if use_json_body
+        if use_json_body?
           Net::HTTP.post(uri, data.to_json, "Content-Type" => "application/json")
         else
           Net::HTTP.post_form(uri, data)
@@ -37,15 +37,30 @@ module Mihari
         %w[webhook_url]
       end
+      #
+      # Webhook URL
+      #
+      # @return [String, nil]
+      #
       def webhook_url
         @webhook_url ||= Mihari.config.webhook_url
       end
+      #
+      # Check whether a webhook URL is set or not
+      #
+      # @return [<Type>] <description>
+      #
       def webhook_url?
         !webhook_url.nil?
       end
-      def use_json_body
+      #
+      # Check whether to use JSON body or NOT
+      #
+      # @return [<Type>] <description>
+      #
+      def use_json_body?
         @use_json_body ||= Mihari.config.webhook_use_json_body
       end
     end

data/lib/mihari/enrichers/base.rb ADDED Viewed

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+module Mihari
+  module Enrichers
+    class Base
+      include Mixins::Configurable
+      def self.inherited(child)
+        Mihari.enrichers << child
+      end
+      # @return [Boolean]
+      def valid?
+        raise NotImplementedError, "You must implement #{self.class}##{__method__}"
+      end
+    end
+  end
+end

data/lib/mihari/enrichers/ipinfo.rb ADDED Viewed

@@ -0,0 +1,49 @@
+require "http"
+require "json"
+require "memist"
+module Mihari
+  module Enrichers
+    class IPInfo < Base
+      # @return [Boolean]
+      def valid?
+        Mihari.config.ipinfo_api_key.nil?
+      end
+      private
+      def configuration_keys
+        %w[ipinfo_api_key]
+      end
+      class << self
+        include Memist::Memoizable
+        #
+        # Query IPInfo
+        #
+        # @param [String] ip
+        #
+        # @return [Mihari::Structs::IPInfo::Response, nil]
+        #
+        def query(ip)
+          headers = {}
+          token = Mihari.config.ipinfo_api_key
+          unless token.nil?
+            headers[:authorization] = "Bearer #{token}"
+          end
+          begin
+            res = HTTP.headers(headers).get("https://ipinfo.io/#{ip}/json")
+            data = JSON.parse(res.body.to_s)
+            Structs::IPInfo::Response.from_dynamic! data
+          rescue HTTP::Error
+            nil
+          end
+        end
+        memoize :query
+      end
+    end
+  end
+end

data/lib/mihari/mixins/autonomous_system.rb ADDED Viewed

@@ -0,0 +1,19 @@
+module Mihari
+  module Mixins
+    module AutonomousSystem
+      #
+      # Normalize ASN value
+      #
+      # @param [String, Integer] asn
+      #
+      # @return [Integer]
+      #
+      def normalize_asn(asn)
+        return asn if asn.is_a?(Integer)
+        return asn.to_i unless asn.start_with?("AS")
+        asn.delete_prefix("AS").to_i
+      end
+    end
+  end
+end

data/lib/mihari/mixins/disallowed_data_value.rb CHANGED Viewed

@@ -17,7 +17,7 @@ module Mihari
         # if a value is surrounded by slashes, take it as a regexp
         value_without_slashes = value[1..-2]
-        Regexp.compile value_without_slashes
+        Regexp.compile value_without_slashes.to_s
       end
       memoize :normalize_disallowed_data_value

data/lib/mihari/models/artifact.rb CHANGED Viewed

@@ -16,6 +16,8 @@ end
 module Mihari
   class Artifact < ActiveRecord::Base
+    belongs_to :alert
     has_one :autonomous_system, dependent: :destroy
     has_one :geolocation, dependent: :destroy
     has_one :whois_record, dependent: :destroy
@@ -80,6 +82,35 @@ module Mihari
       self.reverse_dns_names = ReverseDnsName.build_by_ip(data)
     end
+    #
+    # Enrich(add) geolocation
+    #
+    def enrich_geolocation
+      return unless can_enrich_geolocation?
+      self.geolocation = Geolocation.build_by_ip(data)
+    end
+    #
+    # Enrich(add) geolocation
+    #
+    def enrich_autonomous_system
+      return unless can_enrich_autonomous_system?
+      self.autonomous_system = AutonomousSystem.build_by_ip(data)
+    end
+    #
+    # Enrich all the enrichable relationships of the artifact
+    #
+    def enrich_all
+      enrich_autonomous_system
+      enrich_dns
+      enrich_geolocation
+      enrich_reverse_dns
+      enrich_whois
+    end
     private
     def normalize_as_domain(url_or_domain)
@@ -89,15 +120,23 @@ module Mihari
     end
     def can_enrich_whois?
-      %w[domain url].include? data_type
+      %w[domain url].include?(data_type) && whois_record.nil?
     end
     def can_enrich_dns?
-      %w[domain url].include? data_type
+      %w[domain url].include?(data_type) && dns_records.empty?
     end
     def can_enrich_revese_dns?
-      data_type == "ip"
+      data_type == "ip" && reverse_dns_names.empty?
+    end
+    def can_enrich_geolocation?
+      data_type == "ip" && geolocation.nil?
+    end
+    def can_enrich_autonomous_system?
+      data_type == "ip" && autonomous_system.nil?
     end
   end
 end

data/lib/mihari/models/autonomous_system.rb CHANGED Viewed

@@ -4,6 +4,23 @@ require "active_record"
 module Mihari
   class AutonomousSystem < ActiveRecord::Base
-    has_one :artifact, dependent: :destroy
+    belongs_to :artifact
+    class << self
+      #
+      # Build AS
+      #
+      # @param [String] ip
+      #
+      # @return [Mihari::AutonomousSystem, nil]
+      #
+      def build_by_ip(ip)
+        res = Enrichers::IPInfo.query(ip)
+        return nil if res.nil? || res.asn.nil?
+        new(asn: res.asn)
+      end
+    end
   end
 end

data/lib/mihari/models/dns.rb CHANGED Viewed

@@ -5,6 +5,8 @@ require "resolv"
 module Mihari
   class DnsRecord < ActiveRecord::Base
+    belongs_to :artifact
     class << self
       #
       # Build DNS records

data/lib/mihari/models/geolocation.rb CHANGED Viewed

@@ -1,9 +1,29 @@
 # frozen_string_literal: true
 require "active_record"
+require "normalize_country"
 module Mihari
   class Geolocation < ActiveRecord::Base
-    has_one :artifact, dependent: :destroy
+    belongs_to :artifact
+    class << self
+      #
+      # Build Geolocation
+      #
+      # @param [String] ip
+      #
+      # @return [Mihari::Geolocation, nil]
+      #
+      def build_by_ip(ip)
+        res = Enrichers::IPInfo.query(ip)
+        unless res.nil?
+          return new(country: NormalizeCountry(res.country_code, to: :short), country_code: res.country_code)
+        end
+        nil
+      end
+    end
   end
 end

data/lib/mihari/models/reverse_dns.rb CHANGED Viewed

@@ -5,6 +5,8 @@ require "resolv"
 module Mihari
   class ReverseDnsName < ActiveRecord::Base
+    belongs_to :artifact
     class << self
       #
       # Build reverse DNS names

data/lib/mihari/models/whois.rb CHANGED Viewed

@@ -6,7 +6,7 @@ require "public_suffix"
 module Mihari
   class WhoisRecord < ActiveRecord::Base
-    has_one :artifact, dependent: :destroy
+    belongs_to :artifact
     @memo = {}

data/lib/mihari/status.rb CHANGED Viewed

@@ -18,7 +18,7 @@ module Mihari
     # @return [Array<Hash>]
     #
     def statuses
-      (Mihari.analyzers + Mihari.emitters).map do |klass|
+      (Mihari.analyzers + Mihari.emitters + Mihari.enrichers).map do |klass|
         name = klass.to_s.split("::").last.to_s
         [name, build_status(klass)]
@@ -36,11 +36,16 @@ module Mihari
       return nil if klass == Mihari::Analyzers::Rule
       is_analyzer = klass.ancestors.include?(Mihari::Analyzers::Base)
+      is_emitter = klass.ancestors.include?(Mihari::Emitters::Base)
+      is_enricher = klass.ancestors.include?(Mihari::Enrichers::Base)
       instance = is_analyzer ? klass.new("dummy") : klass.new
       is_configured = instance.configured?
       values = instance.configuration_values
-      type = is_analyzer ? "Analyzer" : "Emitter"
+      type = "Analyzer"
+      type = "Emitter" if is_emitter
+      type = "Enricher" if is_enricher
       values ? { is_configured: is_configured, values: values, type: type } : nil
     rescue ArgumentError => _e

data/lib/mihari/structs/ipinfo.rb ADDED Viewed

@@ -0,0 +1,39 @@
+require "json"
+require "dry/struct"
+module Mihari
+  module Structs
+    module IPInfo
+      class Response < Dry::Struct
+        attribute :ip, Types::String
+        attribute :hostname, Types::String.optional
+        attribute :loc, Types::String
+        attribute :country_code, Types::String
+        attribute :asn, Types::Integer.optional
+        class << self
+          include Mixins::AutonomousSystem
+          def from_dynamic!(d)
+            d = Types::Hash[d]
+            asn = nil
+            org = d["org"]
+            unless org.nil?
+              asn = org.split.first
+              asn = normalize_asn(asn)
+            end
+            new(
+              ip: d.fetch("ip"),
+              loc: d.fetch("loc"),
+              hostname: d["hostname"],
+              country_code: d.fetch("country"),
+              asn: asn
+            )
+          end
+        end
+      end
+    end
+  end
+end

data/lib/mihari/structs/onyphe.rb CHANGED Viewed

@@ -6,7 +6,7 @@ module Mihari
     module Onyphe
       class Result < Dry::Struct
         attribute :asn, Types::String
-        attribute :country_code, Types::String
+        attribute :country_code, Types::String.optional
         attribute :ip, Types::String
         def self.from_dynamic!(d)
@@ -15,7 +15,7 @@ module Mihari
             asn: d.fetch("asn"),
             ip: d.fetch("ip"),
             # Onyphe's country = 2-letter country code
-            country_code: d.fetch("country")
+            country_code: d["country"]
           )
         end
       end

data/lib/mihari/type_checker.rb CHANGED Viewed

@@ -18,12 +18,12 @@ module Mihari
       raise ArgumentError if data.is_a?(Hash)
     end
-    # @return [true, false]
+    # @return [Boolean]
     def hash?
       md5? || sha1? || sha256? || sha512?
     end
-    # @return [true, false]
+    # @return [Boolean]
     def ip?
       IPAddr.new data
       true
@@ -31,7 +31,7 @@ module Mihari
       false
     end
-    # @return [true, false]
+    # @return [Boolean]
     def domain?
       uri = Addressable::URI.parse("http://#{data}")
       uri.host == data && PublicSuffix.valid?(uri.host)
@@ -39,7 +39,7 @@ module Mihari
       false
     end
-    # @return [true, false]
+    # @return [Boolean]
     def url?
       uri = Addressable::URI.parse(data)
       uri.scheme && uri.host && uri.path && PublicSuffix.valid?(uri.host)
@@ -47,7 +47,7 @@ module Mihari
       false
     end
-    # @return [true, false]
+    # @return [Boolean]
     def mail?
       EmailAddress.valid? data, host_validation: :syntax
     end
@@ -83,22 +83,22 @@ module Mihari
     private
-    # @return [true, false]
+    # @return [Boolean]
     def md5?
       data.match?(/^[A-Fa-f0-9]{32}$/)
     end
-    # @return [true, false]
+    # @return [Boolean]
     def sha1?
       data.match?(/^[A-Fa-f0-9]{40}$/)
     end
-    # @return [true, false]
+    # @return [Boolean]
     def sha256?
       data.match?(/^[A-Fa-f0-9]{64}$/)
     end
-    # @return [true, false]
+    # @return [Boolean]
     def sha512?
       data.match?(/^[A-Fa-f0-9]{128}$/)
     end