mihari 4.3.0 → 4.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: dc5b6ab7daa3030a0ef0778df2753247bde10b978be709102ecf1be60b672a9c
-  data.tar.gz: 1c1c283cf1e2989e9e94e0aa582567dd71b7900f5c5faa40a0ce3f1b327982a3
+  metadata.gz: 44f680c0a24d2b66c8f13c8abe14994138231a4099b975d94a917f105561329c
+  data.tar.gz: b9da29828c04ad6151bb748f17c3518875b90208f728e4f1be9e0f716acd5368
 SHA512:
-  metadata.gz: 918ee19022035b5f5e3db9a00318253803b1cc430b45676225af94861fe6dc6fe51343545d224e6094f09ad37dc003713fbbcb1777904b01205903e22d05bf23
-  data.tar.gz: c5ce99eb3d8e01b1b2a8ac51916afa172c1fecb55611a3b8aa76e686c72801beb11135ed1c8aed31e11b693b7467dbe513902f55e229c834bbfcb09460ba4202
+  metadata.gz: ddccc9e9b10822bc93bb595f837a327c6459c51799ad95483014173c7d911405fd7fcd869f435a7404af585ccfa21ddfcd1ae922a94096a850eda52c4886627b
+  data.tar.gz: 8962eb94f57de019a7dd1040132d315482dbf3668a36ae4f61da46f31994c3bac0df47142fdbe998b80603cdcce86de0c7bb276eb2335e48d25820eebc94dee8

data/lib/mihari/analyzers/binaryedge.rb

@@ -9,6 +9,15 @@ module Mihari
 
       option :interval, default: proc { 0 }
 
+      # @return [String, nil]
+      attr_reader :api_key
+
+      def initialize(*args, **kwargs)
+        super(*args, **kwargs)
+
+        @api_key = kwargs[:api_key] || Mihari.config.binaryedge_api_key
+      end
+
       def artifacts
         results = search
         return [] unless results || results.empty?
@@ -67,7 +76,7 @@ module Mihari
       end
 
       def api
-        @api ||= ::BinaryEdge::API.new(Mihari.config.binaryedge_api_key)
+        @api ||= ::BinaryEdge::API.new(api_key)
       end
     end
   end

data/lib/mihari/analyzers/censys.rb

@@ -9,10 +9,27 @@ module Mihari
 
       option :interval, default: proc { 0 }
 
+      # @return [String, nil]
+      attr_reader :id
+
+      # @return [String, nil]
+      attr_reader :secret
+
+      def initialize(*args, **kwargs)
+        super(*args, **kwargs)
+
+        @id = kwargs[:id] || Mihari.config.censys_id
+        @secret = kwargs[:secret] || Mihari.config.censys_secret
+      end
+
       def artifacts
         search
       end
 
+      def configured?
+        configuration_keys.all? { |key| Mihari.config.send(key) } || (id? && secret?)
+      end
+
       private
 
       #
@@ -85,7 +102,15 @@ module Mihari
       end
 
       def api
-        @api ||= ::Censys::API.new(Mihari.config.censys_id, Mihari.config.censys_secret)
+        @api ||= ::Censys::API.new(id, secret)
+      end
+
+      def id?
+        !id.nil?
+      end
+
+      def secret?
+        !secret.nil?
       end
     end
   end

data/lib/mihari/analyzers/circl.rb

@@ -9,19 +9,33 @@ module Mihari
 
       param :query
 
+      # @return [String, nil]
       attr_reader :type
 
+      # @return [String, nil]
+      attr_reader :username
+
+      # @return [String, nil]
+      attr_reader :password
+
       def initialize(*args, **kwargs)
         super
 
         @query = refang(query)
         @type = TypeChecker.type(query)
+
+        @username = kwargs[:username] || Mihari.config.circl_passive_username
+        @password = kwargs[:password] || Mihari.config.circl_passive_password
       end
 
       def artifacts
         search || []
       end
 
+      def configured?
+        configuration_keys.all? { |key| Mihari.config.send(key) } || (username? && password?)
+      end
+
       private
 
       def configuration_keys
@@ -29,7 +43,7 @@ module Mihari
       end
 
       def api
-        @api ||= ::PassiveCIRCL::API.new(username: Mihari.config.circl_passive_username, password: Mihari.config.circl_passive_password)
+        @api ||= ::PassiveCIRCL::API.new(username: username, password: password)
       end
 
       #
@@ -71,6 +85,14 @@ module Mihari
         seen = result["seen"] || []
         seen.uniq
       end
+
+      def username?
+        !username.nil?
+      end
+
+      def password?
+        !password.nil?
+      end
     end
   end
 end

data/lib/mihari/analyzers/greynoise.rb

@@ -7,6 +7,15 @@ module Mihari
     class GreyNoise < Base
       param :query
 
+      # @return [String, nil]
+      attr_reader :api_key
+
+      def initialize(*args, **kwargs)
+        super(*args, **kwargs)
+
+        @api_key = kwargs[:api_key] || Mihari.config.greynoise_api_key
+      end
+
       def artifacts
         res = Structs::GreyNoise::Response.from_dynamic!(search)
         res.data.map do |datum|
@@ -23,7 +32,7 @@ module Mihari
       end
 
       def api
-        @api ||= ::GreyNoise::API.new(key: Mihari.config.greynoise_api_key)
+        @api ||= ::GreyNoise::API.new(key: api_key)
       end
 
       #

data/lib/mihari/analyzers/onyphe.rb

@@ -10,6 +10,15 @@ module Mihari
 
       option :interval, default: proc { 0 }
 
+      # @return [String, nil]
+      attr_reader :api_key
+
+      def initialize(*args, **kwargs)
+        super(*args, **kwargs)
+
+        @api_key = kwargs[:api_key] || Mihari.config.onyphe_api_key
+      end
+
       def artifacts
         responses = search
         return [] unless responses
@@ -29,7 +38,7 @@ module Mihari
       end
 
       def api
-        @api ||= ::Onyphe::API.new(Mihari.config.onyphe_api_key)
+        @api ||= ::Onyphe::API.new(api_key)
       end
 
       #

data/lib/mihari/analyzers/otx.rb

@@ -9,13 +9,19 @@ module Mihari
 
       param :query
 
+      # @return [String, nil]
       attr_reader :type
 
+      # @return [String, nil]
+      attr_reader :api_key
+
       def initialize(*args, **kwargs)
         super
 
         @query = refang(query)
         @type = TypeChecker.type(query)
+
+        @api_key = kwargs[:api_key] || Mihari.config.otx_api_key
       end
 
       def artifacts
@@ -29,11 +35,11 @@ module Mihari
       end
 
       def domain_client
-        @domain_client ||= ::OTX::Domain.new(Mihari.config.otx_api_key)
+        @domain_client ||= ::OTX::Domain.new(api_key)
       end
 
       def ip_client
-        @ip_client ||= ::OTX::IP.new(Mihari.config.otx_api_key)
+        @ip_client ||= ::OTX::IP.new(api_key)
       end
 
       #

data/lib/mihari/analyzers/passivetotal.rb

@@ -9,19 +9,33 @@ module Mihari
 
       param :query
 
+      # @return [String, nil]
       attr_reader :type
 
+      # @return [String, nil]
+      attr_reader :username
+
+      # @return [String, nil]
+      attr_reader :api_key
+
       def initialize(*args, **kwargs)
-        super
+        super(*args, **kwargs)
 
         @query = refang(query)
         @type = TypeChecker.type(query)
+
+        @username = kwargs[:username] || Mihari.config.passivetotal_username
+        @api_key = kwargs[:api_key] || Mihari.config.passivetotal_api_key
       end
 
       def artifacts
         search || []
       end
 
+      def configured?
+        configuration_keys.all? { |key| Mihari.config.send(key) } || (username? && api_key?)
+      end
+
       private
 
       def configuration_keys
@@ -29,7 +43,7 @@ module Mihari
       end
 
       def api
-        @api ||= ::PassiveTotal::API.new(username: Mihari.config.passivetotal_username, api_key: Mihari.config.passivetotal_api_key)
+        @api ||= ::PassiveTotal::API.new(username: username, api_key: api_key)
       end
 
       #
@@ -93,9 +107,17 @@ module Mihari
         results = res["results"] || []
         results.map do |result|
           data = result["ipAddresses"]
-          Artifact.new(data: data, source: source, metadata: result)
+          data.map { |d| Artifact.new(data: d, source: source, metadata: result) }
         end.flatten
       end
+
+      def username?
+        !username.nil?
+      end
+
+      def api_key?
+        !api_key.nil?
+      end
     end
   end
 end

data/lib/mihari/analyzers/pulsedive.rb

@@ -9,13 +9,19 @@ module Mihari
 
       param :query
 
+      # @return [String, nil]
       attr_reader :type
 
+      # @return [String, nil]
+      attr_reader :api_key
+
       def initialize(*args, **kwargs)
         super
 
         @query = refang(query)
         @type = TypeChecker.type(query)
+
+        @api_key = kwargs[:api_key] || Mihari.config.pulsedive_api_key
       end
 
       def artifacts
@@ -29,7 +35,7 @@ module Mihari
       end
 
       def api
-        @api ||= ::Pulsedive::API.new(Mihari.config.pulsedive_api_key)
+        @api ||= ::Pulsedive::API.new(api_key)
       end
 
       #

data/lib/mihari/analyzers/securitytrails.rb

@@ -9,13 +9,19 @@ module Mihari
 
       param :query
 
+      # @return [String, nil]
       attr_reader :type
 
+      # @return [String, nil]
+      attr_reader :api_key
+
       def initialize(*args, **kwargs)
         super
 
         @query = refang(query)
         @type = TypeChecker.type(query)
+
+        @api_key = kwargs[:api_key] || Mihari.config.securitytrails_api_key
       end
 
       def artifacts
@@ -29,7 +35,7 @@ module Mihari
       end
 
       def api
-        @api ||= ::SecurityTrails::API.new(Mihari.config.securitytrails_api_key)
+        @api ||= ::SecurityTrails::API.new(api_key)
       end
 
       #

data/lib/mihari/analyzers/shodan.rb

@@ -9,6 +9,15 @@ module Mihari
 
       option :interval, default: proc { 0 }
 
+      # @return [String, nil]
+      attr_reader :api_key
+
+      def initialize(*args, **kwargs)
+        super(*args, **kwargs)
+
+        @api_key = kwargs[:api_key] || Mihari.config.shodan_api_key
+      end
+
       def artifacts
         results = search
         return [] unless results || results.empty?
@@ -29,7 +38,7 @@ module Mihari
       end
 
       def api
-        @api ||= ::Shodan::API.new(key: Mihari.config.shodan_api_key)
+        @api ||= ::Shodan::API.new(key: api_key)
       end
 
       #

data/lib/mihari/analyzers/spyse.rb

@@ -9,6 +9,15 @@ module Mihari
 
       option :type, default: proc { "domain" }
 
+      # @return [String, nil]
+      attr_reader :api_key
+
+      def initialize(*args, **kwargs)
+        super(*args, **kwargs)
+
+        @api_key = kwargs[:api_key] || Mihari.config.spyse_api_key
+      end
+
       def artifacts
         search || []
       end
@@ -24,7 +33,7 @@ module Mihari
       end
 
       def api
-        @api ||= ::Spyse::API.new(Mihari.config.spyse_api_key)
+        @api ||= ::Spyse::API.new(api_key)
       end
 
       #

data/lib/mihari/analyzers/urlscan.rb

@@ -14,10 +14,15 @@ module Mihari
       SUPPORTED_DATA_TYPES = %w[url domain ip].freeze
       SIZE = 1000
 
+      # @return [String, nil]
+      attr_reader :api_key
+
       def initialize(*args, **kwargs)
         super
 
         raise InvalidInputError, "allowed_data_types should be any of url, domain and ip." unless valid_alllowed_data_types?
+
+        @api_key = kwargs[:api_key] || Mihari.config.urlscan_api_key
       end
 
       def artifacts
@@ -40,7 +45,7 @@ module Mihari
       end
 
       def api
-        @api ||= ::UrlScan::API.new(Mihari.config.urlscan_api_key)
+        @api ||= ::UrlScan::API.new(api_key)
       end
 
       #

data/lib/mihari/analyzers/virustotal.rb

@@ -11,11 +11,16 @@ module Mihari
 
       attr_reader :type
 
+      # @return [String, nil]
+      attr_reader :api_key
+
       def initialize(*args, **kwargs)
-        super
+        super(*args, **kwargs)
 
         @query = refang(query)
         @type = TypeChecker.type(query)
+
+        @api_key = kwargs[:api_key] || Mihari.config.virustotal_api_key
       end
 
       def artifacts
@@ -29,7 +34,7 @@ module Mihari
       end
 
       def api
-        @api = ::VirusTotal::API.new(key: Mihari.config.virustotal_api_key)
+        @api = ::VirusTotal::API.new(key: api_key)
       end
 
       #

data/lib/mihari/analyzers/virustotal_intelligence.rb

@@ -9,10 +9,15 @@ module Mihari
 
       option :interval, default: proc { 0 }
 
+      # @return [String, nil]
+      attr_reader :api_key
+
       def initialize(*args, **kwargs)
         super
 
         @query = query
+
+        @api_key = kwargs[:api_key] || Mihari.config.virustotal_api_key
       end
 
       def artifacts
@@ -36,7 +41,7 @@ module Mihari
       # @return [::VirusTotal::API]
       #
       def api
-        @api = ::VirusTotal::API.new(key: Mihari.config.virustotal_api_key)
+        @api = ::VirusTotal::API.new(key: api_key)
       end
 
       #

data/lib/mihari/analyzers/zoomeye.rb

@@ -11,6 +11,15 @@ module Mihari
 
       option :interval, default: proc { 0 }
 
+      # @return [String, nil]
+      attr_reader :api_key
+
+      def initialize(*args, **kwargs)
+        super(*args, **kwargs)
+
+        @api_key = kwargs[:api_key] || Mihari.config.zoomeye_api_key
+      end
+
       def artifacts
         case type
         when "host"
@@ -40,7 +49,7 @@ module Mihari
       end
 
       def api
-        @api ||= ::ZoomEye::API.new(api_key: Mihari.config.zoomeye_api_key)
+        @api ||= ::ZoomEye::API.new(api_key: api_key)
       end
 
       #
@@ -55,7 +64,12 @@ module Mihari
           matches = res["matches"] || []
           matches.map do |match|
             data = match["ip"]
-            Artifact.new(data: data, source: source, metadata: match)
+
+            if data.is_a?(Array)
+              data.map { |d| Artifact.new(data: d, source: source, metadata: match) }
+            else
+              Artifact.new(data: data, source: source, metadata: match)
+            end
           end
         end.flatten.compact.uniq
       end

data/lib/mihari/cli/main.rb

@@ -4,6 +4,7 @@ require "thor"
 
 # Commands
 require "mihari/commands/search"
+require "mihari/commands/version"
 require "mihari/commands/web"
 
 # CLIs
@@ -16,6 +17,7 @@ module Mihari
   module CLI
     class Main < Base
       include Mihari::Commands::Search
+      include Mihari::Commands::Version
       include Mihari::Commands::Web
 
       desc "init", "Sub commands to initialize a rule"

data/lib/mihari/commands/search.rb

@@ -10,6 +10,7 @@ module Mihari
       def self.included(thor)
         thor.class_eval do
           desc "search [RULE]", "Search by a rule"
+          method_option :yes, type: :boolean, aliases: "-y", desc: "yes to overwrite the rule in the database"
           def search_by_rule(path_or_id)
             rule = load_rule(path_or_id)
 
@@ -20,6 +21,19 @@ module Mihari
               raise e
             end
 
+            # check update
+            id = rule.id
+            yes = options["yes"] || false
+            unless yes
+              with_db_connection do
+                rule_ = Mihari::Rule.find(id)
+                next if rule.yaml == rule_.yaml
+                return unless yes?("This operation will overwrite the rule in the database (Rule ID: #{id}). Are you sure you want to update the rule? (yes/no)")
+              rescue ActiveRecord::RecordNotFound
+                next
+              end
+            end
+
             analyzer = rule.to_analyzer
 
             with_error_notification do

data/lib/mihari/commands/version.rb

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+module Mihari
+  module Commands
+    module Version
+      def self.included(thor)
+        thor.class_eval do
+          map %w[--version -v] => :__print_version
+
+          desc "--version, -v", "Print the version"
+          def __print_version
+            puts Mihari::VERSION
+          end
+        end
+      end
+    end
+  end
+end

data/lib/mihari/database.rb

@@ -112,6 +112,12 @@ class AddeMetadataToArtifactSchema < ActiveRecord::Migration[7.0]
   end
 end
 
+class AddYAMLToRulesSchema < ActiveRecord::Migration[7.0]
+  def change
+    add_column :rules, :yaml, :text, if_not_exists: true
+  end
+end
+
 def adapter
   return "postgresql" if Mihari.config.database.start_with?("postgresql://", "postgres://")
   return "mysql2" if Mihari.config.database.start_with?("mysql2://")
@@ -137,9 +143,11 @@ module Mihari
           AddeSourceToArtifactSchema,
           EnrichmentsSchema,
           EnrichmentCreatedAtSchema,
-          # v4
+          # v4.0
           RuleSchema,
-          AddeMetadataToArtifactSchema
+          AddeMetadataToArtifactSchema,
+          # v4.4
+          AddYAMLToRulesSchema
         ].each { |schema| schema.migrate direction }
       end
       memoize :migrate unless test_env?

data/lib/mihari/emitters/misp.rb

@@ -5,12 +5,21 @@ require "misp"
 module Mihari
   module Emitters
     class MISP < Base
-      def initialize
-        super()
+      # @return [String, nil]
+      attr_reader :api_endpoint
+
+      # @return [String, nil]
+      attr_reader :api_key
+
+      def initialize(*args, **kwargs)
+        super(*args, **kwargs)
+
+        @api_endpoint = kwargs[:api_endpoint] || Mihari.config.misp_api_endpoint
+        @api_key = kwargs[:api_key] || Mihari.config.misp_api_key
 
         ::MISP.configure do |config|
-          config.api_endpoint = Mihari.config.misp_api_endpoint
-          config.api_key = Mihari.config.misp_api_key
+          config.api_endpoint = api_endpoint
+          config.api_key = api_key
         end
       end
 
@@ -99,7 +108,6 @@ module Mihari
       # @return [Boolean]
       #
       def api_endpoint?
-        api_endpoint = ::MISP.configuration.api_endpoint
         !api_endpoint.nil? && !api_endpoint.empty?
       end
 
@@ -109,7 +117,6 @@ module Mihari
       # @return [Boolean]
       #
       def api_key?
-        api_key = ::MISP.configuration.api_key
         !api_key.nil? && !api_key.empty?
       end
 
@@ -119,8 +126,7 @@ module Mihari
       # @return [Boolean]
       #
       def ping?
-        base_url = ::MISP.configuration.api_endpoint
-        base_url = base_url.end_with?("/") ? base_url[0..-2] : base_url
+        base_url = api_endpoint.end_with?("/") ? api_endpoint[0..-2] : api_endpoint
         url = "#{base_url}/users/login"
 
         http = Net::Ping::HTTP.new(url)