mihari 3.7.0 → 3.8.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f6e9001e10ac0891e2e10d90bccbd165afbdfc3bcd2724a3d5adf521b2be843b
-  data.tar.gz: 98119fae9302eb4251ceda56c1ddb0ab615fbf36d67505fd8af2ffb08f1dcfaf
+  metadata.gz: 0a3dcac61a2835aa2f940ab90edf363b10293d0537baf8b1748212686770495f
+  data.tar.gz: 1f1bb0515227d8cb842e511b3045298bec2b981706ddacd0750b9a6a11aa2625
 SHA512:
-  metadata.gz: 92ae37318ffb97ab4746cb44c266e63fba5c505a6c81c141be362c11ecf4e399850f1921b2907bf511f6b0a4ea5884642282f319962af1628fc8bf9e69503fa8
-  data.tar.gz: 45f2a2a748bb362a0daa7f9c3c7da5329cb7bab002f1ddcec4a56d111102d311471b3904b2d77f50f406e05f43deeacbd8f235e5ff4ae2dd2a0096a4dd98074d
+  metadata.gz: ce4ad498c64026a3b349c927dcd5f98bb59415a232acaaf279cde6f45d8f4af18bb62776568c092e261c936e5574f487a02f1fc4089f8af05a367578f06864b5
+  data.tar.gz: a5223e8a9f2060374df5cb21f6dbcfd475ce66408a04356131471fbb0321ac4622fec0df7ebf354ae2b46c537460a8738beb3dda5ac35c3a11588a4a97642712

data/README.md

@@ -46,7 +46,7 @@ Mihari supports the following services by default.
 - [Shodan](https://shodan.io)
 - [Spyse](https://spyse.com)
 - [urlscan.io](https://urlscan.io)
-- [VirusTotal](http://virustotal.com)
+- [VirusTotal](http://virustotal.com) & [VirusTotal Intelligence](https://www.virustotal.com/gui/intelligence-overview)
 - [ZoomEye](https://zoomeye.org)
 
 ## Docs
@@ -64,5 +64,3 @@ The gem is available as open source under the terms of the [MIT License](https:/
 ## Acknowledgement
 
 Mihari is proudly supported by [Tines.io](https://tines.io?utm_source=github&utm_medium=sponsorship&utm_campaign=ninoseki), The SOAR Platform for Enterprise Security Teams.
-
-$ bundle exec rbs -rpathname  --repo=gem_rbs/gems -ractivesupport -ractionpack -ractivejob -ractivemodel -ractionview -ractiverecord -rrailties -I sig validate

data/lib/mihari/analyzers/rule.rb

@@ -4,6 +4,30 @@ require "uuidtools"
 
 module Mihari
   module Analyzers
+    ANALYZER_TO_CLASS = {
+      "binaryedge" => BinaryEdge,
+      "censys" => Censys,
+      "circl" => CIRCL,
+      "crtsh" => Crtsh,
+      "dnpedia" => DNPedia,
+      "dnstwister" => DNSTwister,
+      "onyphe" => Onyphe,
+      "otx" => OTX,
+      "passivetotal" => PassiveTotal,
+      "pt" => PassiveTotal,
+      "pulsedive" => Pulsedive,
+      "securitytrails" => SecurityTrails,
+      "shodan" => Shodan,
+      "spyse" => Spyse,
+      "st" => SecurityTrails,
+      "urlscan" => Urlscan,
+      "virustotal_intelligence" => VirusTotalIntelligence,
+      "virustotal" => VirusTotal,
+      "vt_intel" => VirusTotalIntelligence,
+      "vt" => VirusTotal,
+      "zoomeye" => ZoomEye
+    }.freeze
+
     class Rule < Base
       include Mihari::Mixins::DisallowedDataValue
 
@@ -26,25 +50,6 @@ module Mihari
         validate_analyzer_configurations
       end
 
-      ANALYZER_TO_CLASS = {
-        "binaryedge" => BinaryEdge,
-        "censys" => Censys,
-        "circl" => CIRCL,
-        "crtsh" => Crtsh,
-        "dnpedia" => DNPedia,
-        "dnstwister" => DNSTwister,
-        "onyphe" => Onyphe,
-        "otx" => OTX,
-        "passivetotal" => PassiveTotal,
-        "pulsedive" => Pulsedive,
-        "securitytrails" => SecurityTrails,
-        "shodan" => Shodan,
-        "spyse" => Spyse,
-        "urlscan" => Urlscan,
-        "virustotal" => VirusTotal,
-        "zoomeye" => ZoomEye
-      }.freeze
-
       #
       # Returns a list of artifacts matched with queries
       #

data/lib/mihari/analyzers/virustotal_intelligence.rb

@@ -0,0 +1,63 @@
+# frozen_string_literal: true
+
+require "virustotal"
+
+module Mihari
+  module Analyzers
+    class VirusTotalIntelligence < Base
+      param :query
+      option :title, default: proc { "VirusTotal Intelligence search" }
+      option :description, default: proc { "query = #{query}" }
+      option :tags, default: proc { [] }
+
+      def initialize(*args, **kwargs)
+        super
+
+        @query = query
+      end
+
+      def artifacts
+        responses = search_witgh_cursor
+        responses.map do |response|
+          response.data.map(&:value)
+        end.flatten.compact.uniq
+      end
+
+      private
+
+      def configuration_keys
+        %w[virustotal_api_key]
+      end
+
+      #
+      # VT API
+      #
+      # @return [::VirusTotal::API]
+      #
+      def api
+        @api = ::VirusTotal::API.new(key: Mihari.config.virustotal_api_key)
+      end
+
+      #
+      # Search with cursor
+      #
+      # @return [Array<Structs::VirusTotalIntelligence::Response>]
+      #
+      def search_witgh_cursor
+        cursor = nil
+        responses = []
+
+        loop do
+          response = Structs::VirusTotalIntelligence::Response.from_dynamic!(api.intelligence.search(query, cursor: cursor))
+          responses << response
+
+          break if response.meta.cursor.nil?
+
+          cursor = response.meta.cursor
+        end
+
+        responses
+      end
+    end
+  end
+end

data/lib/mihari/cli/analyzer.rb

@@ -14,6 +14,7 @@ require "mihari/commands/securitytrails"
 require "mihari/commands/shodan"
 require "mihari/commands/spyse"
 require "mihari/commands/urlscan"
+require "mihari/commands/virustotal_intelligence"
 require "mihari/commands/virustotal"
 require "mihari/commands/zoomeye"
 
@@ -42,6 +43,7 @@ module Mihari
       include Mihari::Commands::Spyse
       include Mihari::Commands::Urlscan
       include Mihari::Commands::VirusTotal
+      include Mihari::Commands::VirusTotalIntelligence
       include Mihari::Commands::ZoomEye
     end
   end

data/lib/mihari/commands/passivetotal.rb

@@ -14,6 +14,7 @@ module Mihari
               run_analyzer Analyzers::PassiveTotal, query: indicator, options: options
             end
           end
+          map "pt" => :passivetotal
         end
       end
     end

data/lib/mihari/commands/virustotal.rb

@@ -14,6 +14,7 @@ module Mihari
               run_analyzer Analyzers::VirusTotal, query: indiactor, options: options
             end
           end
+          map "vt" => :virustotal
         end
       end
     end

data/lib/mihari/commands/virustotal_intelligence.rb

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+module Mihari
+  module Commands
+    module VirusTotalIntelligence
+      def self.included(thor)
+        thor.class_eval do
+          desc "virustotal_intelligence [QUERY]", "VirusTotal Intelligence search"
+          method_option :title, type: :string, desc: "title"
+          method_option :description, type: :string, desc: "description"
+          method_option :tags, type: :array, desc: "tags"
+          def virustotal_intelligence(query)
+            with_error_handling do
+              run_analyzer Analyzers::VirusTotalIntelligence, query: query, options: options
+            end
+          end
+          map "vt_intel" => :virustotal_intelligence
+        end
+      end
+    end
+  end
+end

data/lib/mihari/enrichers/base.rb

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+module Mihari
+  module Enrichers
+    class Base
+      include Mixins::Configurable
+
+      def self.inherited(child)
+        Mihari.enrichers << child
+      end
+
+      # @return [Boolean]
+      def valid?
+        raise NotImplementedError, "You must implement #{self.class}##{__method__}"
+      end
+    end
+  end
+end

data/lib/mihari/enrichers/ipinfo.rb

@@ -4,7 +4,18 @@ require "memist"
 
 module Mihari
   module Enrichers
-    class IPInfo
+    class IPInfo < Base
+      # @return [Boolean]
+      def valid?
+        Mihari.config.ipinfo_api_key.nil?
+      end
+
+      private
+
+      def configuration_keys
+        %w[ipinfo_api_key]
+      end
+
       class << self
         include Memist::Memoizable
 

data/lib/mihari/models/autonomous_system.rb

@@ -17,11 +17,9 @@ module Mihari
       def build_by_ip(ip)
         res = Enrichers::IPInfo.query(ip)
 
-        unless res.nil?
-          return new(asn: res.asn)
-        end
+        return nil if res.nil? || res.asn.nil?
 
-        nil
+        new(asn: res.asn)
       end
     end
   end

data/lib/mihari/status.rb

@@ -18,7 +18,7 @@ module Mihari
     # @return [Array<Hash>]
     #
     def statuses
-      (Mihari.analyzers + Mihari.emitters).map do |klass|
+      (Mihari.analyzers + Mihari.emitters + Mihari.enrichers).map do |klass|
         name = klass.to_s.split("::").last.to_s
 
         [name, build_status(klass)]
@@ -36,11 +36,16 @@ module Mihari
       return nil if klass == Mihari::Analyzers::Rule
 
       is_analyzer = klass.ancestors.include?(Mihari::Analyzers::Base)
+      is_emitter = klass.ancestors.include?(Mihari::Emitters::Base)
+      is_enricher = klass.ancestors.include?(Mihari::Enrichers::Base)
 
       instance = is_analyzer ? klass.new("dummy") : klass.new
       is_configured = instance.configured?
       values = instance.configuration_values
-      type = is_analyzer ? "Analyzer" : "Emitter"
+
+      type = "Analyzer"
+      type = "Emitter" if is_emitter
+      type = "Enricher" if is_enricher
 
       values ? { is_configured: is_configured, values: values, type: type } : nil
     rescue ArgumentError => _e

data/lib/mihari/structs/ipinfo.rb

@@ -9,7 +9,7 @@ module Mihari
         attribute :hostname, Types::String.optional
         attribute :loc, Types::String
         attribute :country_code, Types::String
-        attribute :asn, Types::Integer
+        attribute :asn, Types::Integer.optional
 
         class << self
           include Mixins::AutonomousSystem
@@ -17,9 +17,12 @@ module Mihari
           def from_dynamic!(d)
             d = Types::Hash[d]
 
-            org = d.fetch("org")
-            asn = org.split.first
-            asn = normalize_asn(asn)
+            asn = nil
+            org = d["org"]
+            unless org.nil?
+              asn = org.split.first
+              asn = normalize_asn(asn)
+            end
 
             new(
               ip: d.fetch("ip"),
@@ -29,7 +32,7 @@ module Mihari
               asn: asn
             )
           end
-      end
+        end
       end
     end
   end

data/lib/mihari/structs/virustotal_intelligence.rb

@@ -0,0 +1,75 @@
+require "json"
+require "dry/struct"
+
+module Mihari
+  module Structs
+    module VirusTotalIntelligence
+      class ContextAttributes < Dry::Struct
+        attribute :url, Types.Array(Types::String).optional
+
+        def self.from_dynamic!(d)
+          d = Types::Hash[d]
+          new(
+            url: d["url"]
+          )
+        end
+      end
+
+      class Datum < Dry::Struct
+        attribute :type, Types::String
+        attribute :id, Types::String
+        attribute :context_attributes, ContextAttributes.optional
+
+        def value
+          case type
+          when "file"
+            id
+          when "url"
+            (context_attributes.url || []).first
+          when "domain"
+            id
+          when "ip_address"
+            id
+          end
+        end
+
+        def self.from_dynamic!(d)
+          d = Types::Hash[d]
+
+          context_attributes = nil
+          context_attributes = ContextAttributes.from_dynamic!(d.fetch("context_attributes")) if d.key?("context_attributes")
+
+          new(
+            type: d.fetch("type"),
+            id: d.fetch("id"),
+            context_attributes: context_attributes
+          )
+        end
+      end
+
+      class Meta < Dry::Struct
+        attribute :cursor, Types::String.optional
+
+        def self.from_dynamic!(d)
+          d = Types::Hash[d]
+          new(
+            cursor: d["cursor"]
+          )
+        end
+      end
+
+      class Response < Dry::Struct
+        attribute :meta, Meta
+        attribute :data, Types.Array(Datum)
+
+        def self.from_dynamic!(d)
+          d = Types::Hash[d]
+          new(
+            meta: Meta.from_dynamic!(d.fetch("meta")),
+            data: d.fetch("data").map { |x| Datum.from_dynamic!(x) }
+          )
+        end
+      end
+    end
+  end
+end

data/lib/mihari/types.rb

@@ -13,9 +13,23 @@ module Mihari
     DataTypes = Types::String.enum(*ALLOWED_DATA_TYPES)
 
     AnalyzerTypes = Types::String.enum(
-      "binaryedge", "censys", "circl", "dnpedia", "dnstwister",
-      "onyphe", "otx", "passivetotal", "pulsedive", "securitytrails",
-      "shodan", "virustotal"
+      "binaryedge",
+      "censys",
+      "circl",
+      "dnpedia",
+      "dnstwister",
+      "onyphe",
+      "otx",
+      "passivetotal",
+      "pt",
+      "pulsedive",
+      "securitytrails",
+      "shodan",
+      "st",
+      "virustotal_intelligence",
+      "virustotal",
+      "vt_intel",
+      "vt"
     )
   end
 end

data/lib/mihari/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Mihari
-  VERSION = "3.7.0"
+  VERSION = "3.8.1"
 end

data/lib/mihari/web/public/index.html

@@ -1 +1 @@
-<!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width,initial-scale=1"><link rel="icon" href="/static/favicon.ico"><title>Mihari</title><link href="/static/js/app.06d5cf1c.js" rel="preload" as="script"></head><body><noscript><strong>We're sorry but Mihari doesn't work properly without JavaScript enabled. Please enable it to continue.</strong></noscript><div id="app"></div><script src="/static/js/app.06d5cf1c.js"></script></body></html>
+<!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width,initial-scale=1"><link rel="icon" href="/static/favicon.ico"><title>Mihari</title><link href="/static/js/app.a862ebca.js" rel="preload" as="script"></head><body><noscript><strong>We're sorry but Mihari doesn't work properly without JavaScript enabled. Please enable it to continue.</strong></noscript><div id="app"></div><script src="/static/js/app.a862ebca.js"></script></body></html>