RubyGems - mihari - Versions diffs - 4.5.3 → 4.7.0 - Mend

mihari 4.5.3 → 4.7.0

Files changed (29) hide show

checksums.yaml +4 -4
data/lib/mihari/analyzers/rule.rb +17 -0
data/lib/mihari/constants.rb +2 -0
data/lib/mihari/emitters/the_hive.rb +69 -10
data/lib/mihari/emitters/webhook.rb +1 -1
data/lib/mihari/enrichers/google_public_dns.rb +36 -0
data/lib/mihari/enrichers/whois.rb +126 -0
data/lib/mihari/http.rb +2 -2
data/lib/mihari/models/artifact.rb +30 -0
data/lib/mihari/models/cpe.rb +1 -1
data/lib/mihari/models/dns.rb +5 -21
data/lib/mihari/models/reverse_dns.rb +1 -1
data/lib/mihari/models/whois.rb +1 -96
data/lib/mihari/schemas/emitter.rb +1 -0
data/lib/mihari/schemas/enricher.rb +9 -0
data/lib/mihari/schemas/rule.rb +6 -0
data/lib/mihari/structs/google_public_dns.rb +42 -0
data/lib/mihari/structs/rule.rb +2 -1
data/lib/mihari/structs/virustotal_intelligence.rb +2 -2
data/lib/mihari/types.rb +7 -0
data/lib/mihari/version.rb +1 -1
data/lib/mihari/web/app.rb +3 -0
data/lib/mihari.rb +52 -28
data/mihari.gemspec +11 -11
data/sig/lib/mihari/emitters/the_hive.rbs +4 -0
data/sig/lib/mihari/enrichers/google_public_dns.rbs +18 -0
data/sig/lib/mihari/structs/google_public_dns.rbs +21 -0
data/sig/lib/mihari.rbs +1 -0
metadata +30 -24

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 02c4e60250ffc8e40e4d0c08fd3721101ab943abdfeb1f73ec267cc345bc0dd2
-  data.tar.gz: 5e65063ca7b9cc8c5b9c6d137abe6820abb6b179c3fb8582d1381d583eb27280
+  metadata.gz: '091892853042ab3f1010c89b943eb2a885370da2d619016f3f3cd9dcb59e80cf'
+  data.tar.gz: 119ccbb407a49c741a4bf6c7cfafc7cd99855c3af950af9d0f1dc3735fc24672
 SHA512:
-  metadata.gz: 142cc9ec86582d37e7e5bd472f1a4f085582441e2204d406fa6ff9d2e94331cbc27513a410c00174950750e066ff9c53b100bd4cfe23039e4cb2be7d8f69ed33
-  data.tar.gz: 49a02b02e298b94d8d847d74ea3389a3e873e72e17fdb93d1e5392992be05db73b37f6cea05ead35b04573400b6956e5b34d323008efb679fba60dcf53d6b372
+  metadata.gz: 5364837634a6cde1b370db5613e745f05b40bf7321a5b7fcc4a2c7d32b1d395fa45e4472ef2a5f9f28d664f0b45e31d0554acec7bb641a21ce179ebf70bf9317
+  data.tar.gz: 57ca2f920db2da9e8c9a10f59aa81984dff0a81f0073ba839c351f3fe5e7979358ce44d87f48adcffd7df1bf7268bab178fec82731f72d62c24aa9ce04eed026

data/lib/mihari/analyzers/rule.rb CHANGED Viewed

@@ -51,6 +51,7 @@ module Mihari
       option :disallowed_data_values, default: proc { [] }
       option :emitters, optional: true
+      option :enrichers, optional: true
       attr_reader :source
@@ -60,6 +61,7 @@ module Mihari
         @source = id
         @emitters = emitters || DEFAULT_EMITTERS
+        @enrichers = enrichers || DEFAULT_ENRICHERS
         validate_analyzer_configurations
       end
@@ -112,6 +114,21 @@ module Mihari
         end
       end
+      #
+      # Enriched artifacts
+      #
+      # @return [Array<Mihari::Artifact>]
+      #
+      def enriched_artifacts
+        @enriched_artifacts ||= Parallel.map(unique_artifacts) do |artifact|
+          enrichers.each do |enricher|
+            artifact.enrich_by_enricher(enricher[:enricher])
+          end
+          artifact
+        end
+      end
       #
       # Normalized disallowed data values
       #

data/lib/mihari/constants.rb CHANGED Viewed

@@ -4,4 +4,6 @@ module Mihari
   ALLOWED_DATA_TYPES = ["hash", "ip", "domain", "url", "mail"].freeze
   DEFAULT_EMITTERS = ["database", "misp", "slack", "the_hive", "webhook"].map { |name| { emitter: name } }.freeze
+  DEFAULT_ENRICHERS = ["whois", "ipinfo", "shodan", "google_public_dns"].map { |name| { enricher: name } }.freeze
 end

data/lib/mihari/emitters/the_hive.rb CHANGED Viewed

@@ -11,11 +11,15 @@ module Mihari
       # @return [String, nil]
       attr_reader :api_key
+      # @return [String, nil]
+      attr_reader :api_version
       def initialize(*args, **kwargs)
         super(*args, **kwargs)
         @api_endpoint = kwargs[:api_endpoint] || Mihari.config.thehive_api_endpoint
         @api_key = kwargs[:api_key] || Mihari.config.thehive_api_key
+        @api_version = kwargs[:api_version] || Mihari.config.thehive_api_version
       end
       # @return [Boolean]
@@ -26,14 +30,28 @@ module Mihari
       def emit(title:, description:, artifacts:, tags: [], **_options)
         return if artifacts.empty?
-        api.alert.create(
-          title: title,
-          description: description,
-          artifacts: artifacts.map { |artifact| { data: artifact.data, data_type: artifact.data_type, message: description } },
-          tags: tags,
-          type: "external",
-          source: "mihari"
-        )
+        payload = payload(title: title, description: description, artifacts: artifacts, tags: tags)
+        api.alert.create(**payload)
+      end
+      #
+      # Normalize API version for API client
+      #
+      # @param [String] version
+      #
+      # @return [String, nil]
+      #
+      def normalized_api_version
+        @normalized_api_version ||= [].tap do |out|
+          # v4 does not have version prefix in path (/api/)
+          # v5 has version prefix in path (/api/v1/)
+          table = {
+            "" => nil,
+            "v4" => nil,
+            "v5" => "v1"
+          }
+          out << table[api_version.to_s.downcase]
+        end.first
       end
       private
@@ -43,7 +61,7 @@ module Mihari
       end
       def api
-        @api ||= Hachi::API.new(api_endpoint: api_endpoint, api_key: api_key)
+        @api ||= Hachi::API.new(api_endpoint: api_endpoint, api_key: api_key, api_version: normalized_api_version)
       end
       #
@@ -64,6 +82,35 @@ module Mihari
         !api_key.nil?
       end
+      def payload(title:, description:, artifacts:, tags: [])
+        return v4_payload(title: title, description: description, artifacts: artifacts, tags: tags) if normalized_api_version.nil?
+        v5_payload(title: title, description: description, artifacts: artifacts, tags: tags)
+      end
+      def v4_payload(title:, description:, artifacts:, tags: [])
+        {
+          title: title,
+          description: description,
+          artifacts: artifacts.map { |artifact| { data: artifact.data, data_type: artifact.data_type, message: description } },
+          tags: tags,
+          type: "external",
+          source: "mihari"
+        }
+      end
+      def v5_payload(title:, description:, artifacts:, tags: [])
+        {
+          title: title,
+          description: description,
+          observables: artifacts.map { |artifact| { data: artifact.data, data_type: artifact.data_type, message: description } },
+          tags: tags,
+          type: "external",
+          source: "mihari",
+          source_ref: "1"
+        }
+      end
       #
       # Check whether an API endpoint is reachable or not
       #
@@ -71,9 +118,21 @@ module Mihari
       #
       def ping?
         base_url = api_endpoint.end_with?("/") ? api_endpoint[0..-2] : api_endpoint
-        url = "#{base_url}/index.html"
+        if normalized_api_version.nil?
+          # for v4
+          base_url = api_endpoint.end_with?("/") ? api_endpoint[0..-2] : api_endpoint
+          url = "#{base_url}/index.html"
+        else
+          # for v5
+          url = "#{base_url}/api/v1/status/public"
+        end
         http = Net::Ping::HTTP.new(url)
+        # use GET for v5
+        http.get_request = true if normalized_api_version
         http.ping?
       end
     end

data/lib/mihari/emitters/webhook.rb CHANGED Viewed

@@ -11,7 +11,7 @@ module Mihari
       def emit(title:, description:, artifacts:, source:, tags:)
         return if artifacts.empty?
-        headers = { 'content-type': "application/x-www-form-urlencoded" }
+        headers = { "content-type": "application/x-www-form-urlencoded" }
         headers["content-type"] = "application/json" if use_json_body?
         emitter = Emitters::HTTP.new(uri: Mihari.config.webhook_url)

data/lib/mihari/enrichers/google_public_dns.rb ADDED Viewed

@@ -0,0 +1,36 @@
+# frozen_string_literal: true
+require "net/https"
+module Mihari
+  module Enrichers
+    class GooglePublicDNS < Base
+      # @return [Boolean]
+      def valid?
+        true
+      end
+      class << self
+        #
+        # Query Google Public DNS
+        #
+        # @param [String] name
+        # @param [String] resource_type
+        #
+        # @return [Mihari::Structs::Shodan::GooglePublicDNS::Response, nil]
+        #
+        def query(name, resource_type)
+          url = "https://dns.google/resolve"
+          params = { name: name, type: resource_type }
+          res = HTTP.get(url, params: params)
+          data = JSON.parse(res.body.to_s)
+          Structs::GooglePublicDNS::Response.from_dynamic! data
+        rescue HTTPError
+          nil
+        end
+      end
+    end
+  end
+end

data/lib/mihari/enrichers/whois.rb ADDED Viewed

@@ -0,0 +1,126 @@
+# frozen_string_literal: true
+require "whois-parser"
+module Mihari
+  module Enrichers
+    class Whois < Base
+      @memo = {}
+      # @return [Boolean]
+      def valid?
+        true
+      end
+      class << self
+        #
+        # Query IAIA Whois API
+        #
+        # @param [String] name
+        #
+        # @return [Mihari::WhoisRecord, nil]
+        #
+        def query(domain)
+          domain = PublicSuffix.domain(domain)
+          # check memo
+          if @memo.key?(domain)
+            whois_record = @memo[domain]
+            # return clone of the record
+            return whois_record.dup
+          end
+          record = ::Whois.whois(domain)
+          parser = record.parser
+          return nil if parser.available?
+          whois_record = WhoisRecord.new(
+            domain: domain,
+            created_on: get_created_on(parser),
+            updated_on: get_updated_on(parser),
+            expires_on: get_expires_on(parser),
+            registrar: get_registrar(parser),
+            contacts: get_contacts(parser)
+          )
+          # set memo
+          @memo[domain] = whois_record
+          whois_record
+        rescue ::Whois::Error, ::Whois::ParserError, Timeout::Error
+          nil
+        end
+        def reset_cache
+          @memo = {}
+        end
+        private
+        #
+        # Get created_on
+        #
+        # @param [::Whois::Parser:] parser
+        #
+        # @return [Date, nil]
+        #
+        def get_created_on(parser)
+          parser.created_on
+        rescue ::Whois::AttributeNotImplemented
+          nil
+        end
+        #
+        # Get updated_on
+        #
+        # @param [::Whois::Parser:] parser
+        #
+        # @return [Date, nil]
+        #
+        def get_updated_on(parser)
+          parser.updated_on
+        rescue ::Whois::AttributeNotImplemented
+          nil
+        end
+        #
+        # Get expires_on
+        #
+        # @param [::Whois::Parser:] parser
+        #
+        # @return [Date, nil]
+        #
+        def get_expires_on(parser)
+          parser.expires_on
+        rescue ::Whois::AttributeNotImplemented
+          nil
+        end
+        #
+        # Get registrar
+        #
+        # @param [::Whois::Parser:] parser
+        #
+        # @return [Hash, nil]
+        #
+        def get_registrar(parser)
+          parser.registrar&.to_h
+        rescue ::Whois::AttributeNotImplemented
+          nil
+        end
+        #
+        # Get contacts
+        #
+        # @param [::Whois::Parser:] parser
+        #
+        # @return [Array[Hash], nil]
+        #
+        def get_contacts(parser)
+          parser.contacts.map(&:to_h)
+        rescue ::Whois::AttributeNotImplemented
+          nil
+        end
+      end
+    end
+  end
+end

data/lib/mihari/http.rb CHANGED Viewed

@@ -44,8 +44,8 @@ module Mihari
     end
     class << self
-      def get(uri, headers: {}, payload: {})
-        client = new(uri, headers: headers, payload: payload)
+      def get(uri, headers: {}, params: {})
+        client = new(uri, headers: headers, payload: params)
         client.get
       end

data/lib/mihari/models/artifact.rb CHANGED Viewed

@@ -135,6 +135,36 @@ module Mihari
       enrich_cpes
     end
+    ENRICH_METHODS_BY_ENRICHER = {
+      whois: [
+        :enrich_whois
+      ],
+      ipinfo: [
+        :enrich_autonomous_system,
+        :enrich_geolocation
+      ],
+      shodan: [
+        :enrich_ports,
+        :enrich_cpes,
+        :enrich_reverse_dns
+      ],
+      google_public_dns: [
+        :enrich_dns
+      ]
+    }.freeze
+    #
+    # Enrich by name of enricher
+    #
+    # @param [String] enricher
+    #
+    def enrich_by_enricher(enricher)
+      methods = ENRICH_METHODS_BY_ENRICHER[enricher.downcase.to_sym] || []
+      methods.each do |method|
+        send(method) if respond_to?(method)
+      end
+    end
     private
     def normalize_as_domain(url_or_domain)

data/lib/mihari/models/cpe.rb CHANGED Viewed

@@ -14,7 +14,7 @@ module Mihari
       #
       def build_by_ip(ip)
         res = Enrichers::Shodan.query(ip)
-        return if res.nil?
+        return [] if res.nil?
         res.cpes.map { |cpe| new(cpe: cpe) }
       end

data/lib/mihari/models/dns.rb CHANGED Viewed

@@ -13,14 +13,7 @@ module Mihari
       # @return [Array<Mihari::DnsRecord>]
       #
       def build_by_domain(domain)
-        resource_types = [
-          Resolv::DNS::Resource::IN::A,
-          Resolv::DNS::Resource::IN::AAAA,
-          Resolv::DNS::Resource::IN::CNAME,
-          Resolv::DNS::Resource::IN::TXT,
-          Resolv::DNS::Resource::IN::NS
-        ]
+        resource_types = %w[A AAAA CNAME TXT NS]
         resource_types.map do |resource_type|
           get_values domain, resource_type
         rescue Resolv::ResolvError
@@ -31,20 +24,11 @@ module Mihari
       private
       def get_values(domain, resource_type)
-        resources = Resolv::DNS.new.getresources(domain, resource_type)
-        resource_name = resource_type.to_s.split("::").last
+        response = Enrichers::GooglePublicDNS.query(domain, resource_type)
+        answers = response.answers || []
-        resources.filter_map do |resource|
-          # A, AAAA
-          if resource.respond_to?(:address)
-            new(resource: resource_name, value: resource.address.to_s)
-          # CNAME, NS
-          elsif resource.respond_to?(:name)
-            new(resource: resource_name, value: resource.name.to_s)
-          # TXT
-          elsif resource.respond_to?(:data)
-            new(resource: resource_name, value: resource.data.to_s)
-          end
+        answers.filter_map do |answer|
+          new(resource: answer.resource_type, value: answer.data)
         end
       end
     end

data/lib/mihari/models/reverse_dns.rb CHANGED Viewed

@@ -14,7 +14,7 @@ module Mihari
       #
       def build_by_ip(ip)
         res = Enrichers::Shodan.query(ip)
-        return if res.nil?
+        return [] if res.nil?
         res.hostnames.map { |name| new(name: name) }
       end

data/lib/mihari/models/whois.rb CHANGED Viewed

@@ -1,7 +1,5 @@
 # frozen_string_literal: true
-require "whois-parser"
 module Mihari
   class WhoisRecord < ActiveRecord::Base
     belongs_to :artifact
@@ -17,100 +15,7 @@ module Mihari
       # @return [WhoisRecord, nil]
       #
       def build_by_domain(domain)
-        domain = PublicSuffix.domain(domain)
-        # check memo
-        if @memo.key?(domain)
-          whois_record = @memo[domain]
-          # return clone of the record
-          return whois_record.dup
-        end
-        record = Whois.whois(domain)
-        parser = record.parser
-        return nil if parser.available?
-        whois_record = new(
-          domain: domain,
-          created_on: get_created_on(parser),
-          updated_on: get_updated_on(parser),
-          expires_on: get_expires_on(parser),
-          registrar: get_registrar(parser),
-          contacts: get_contacts(parser)
-        )
-        # set memo
-        @memo[domain] = whois_record
-        whois_record
-      rescue Whois::Error, Whois::ParserError, Timeout::Error
-        nil
-      end
-      private
-      #
-      # Get created_on
-      #
-      # @param [::Whois::Parser:] parser
-      #
-      # @return [Date, nil]
-      #
-      def get_created_on(parser)
-        parser.created_on
-      rescue ::Whois::AttributeNotImplemented
-        nil
-      end
-      #
-      # Get updated_on
-      #
-      # @param [::Whois::Parser:] parser
-      #
-      # @return [Date, nil]
-      #
-      def get_updated_on(parser)
-        parser.updated_on
-      rescue ::Whois::AttributeNotImplemented
-        nil
-      end
-      #
-      # Get expires_on
-      #
-      # @param [::Whois::Parser:] parser
-      #
-      # @return [Date, nil]
-      #
-      def get_expires_on(parser)
-        parser.expires_on
-      rescue ::Whois::AttributeNotImplemented
-        nil
-      end
-      #
-      # Get registrar
-      #
-      # @param [::Whois::Parser:] parser
-      #
-      # @return [Hash, nil]
-      #
-      def get_registrar(parser)
-        parser.registrar&.to_h
-      rescue ::Whois::AttributeNotImplemented
-        nil
-      end
-      #
-      # Get contacts
-      #
-      # @param [::Whois::Parser:] parser
-      #
-      # @return [Array[Hash], nil]
-      #
-      def get_contacts(parser)
-        parser.contacts.map(&:to_h)
-      rescue ::Whois::AttributeNotImplemented
-        nil
+        Enrichers::Whois.query domain
       end
     end
   end

data/lib/mihari/schemas/emitter.rb CHANGED Viewed

@@ -16,6 +16,7 @@ module Mihari
       required(:emitter).value(Types::String.enum("the_hive"))
       optional(:api_endpoint).value(:string)
       optional(:api_key).value(:string)
+      optional(:api_version).value(Types::String.enum("v4", "v5")).default("v4")
     end
     Slack = Dry::Schema.Params do

data/lib/mihari/schemas/enricher.rb ADDED Viewed

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+module Mihari
+  module Schemas
+    Enricher = Dry::Schema.Params do
+      required(:enricher).value(Types::EnricherTypes)
+    end
+  end
+end

data/lib/mihari/schemas/rule.rb CHANGED Viewed

@@ -2,6 +2,7 @@
 require "mihari/schemas/analyzer"
 require "mihari/schemas/emitter"
+require "mihari/schemas/enricher"
 module Mihari
   module Schemas
@@ -20,6 +21,8 @@ module Mihari
       optional(:emitters).value(:array).each { Emitter | MISP | TheHive | Slack | HTTP }
+      optional(:enrichers).value(:array).each(Enricher)
       optional(:allowed_data_types).value(array[Types::DataTypes]).default(ALLOWED_DATA_TYPES)
       optional(:disallowed_data_values).value(array[:string]).default([])
@@ -35,6 +38,9 @@ module Mihari
         emitters = h[:emitters]
         h[:emitters] = emitters || DEFAULT_EMITTERS
+        enrichers = h[:enrichers]
+        h[:enrichers] = enrichers || DEFAULT_ENRICHERS
         h
       end
     end

data/lib/mihari/structs/google_public_dns.rb ADDED Viewed

@@ -0,0 +1,42 @@
+# frozen_string_literal: true
+module Mihari
+  module Structs
+    module GooglePublicDNS
+      INT_TYPE_TO_TYPE = {
+        1 => "A",
+        2 => "NS",
+        5 => "CNAME",
+        16 => "TXT",
+        28 => "AAAA"
+      }
+      class Answer < Dry::Struct
+        attribute :name, Types::String
+        attribute :data, Types::String
+        attribute :resource_type, Types::String
+        def self.from_dynamic!(d)
+          d = Types::Hash[d]
+          resource_type = INT_TYPE_TO_TYPE[d.fetch("type")]
+          new(
+            name: d.fetch("name"),
+            data: d.fetch("data"),
+            resource_type: resource_type
+          )
+        end
+      end
+      class Response < Dry::Struct
+        attribute :answers, Types.Array(Answer)
+        def self.from_dynamic!(d)
+          d = Types::Hash[d]
+          new(
+            answers: d.fetch("Answer", []).map { |x| Answer.from_dynamic!(x) }
+          )
+        end
+      end
+    end
+  end
+end

data/lib/mihari/structs/rule.rb CHANGED Viewed

@@ -88,7 +88,7 @@ module Mihari
           raise RuleValidationError, error_messages.join("\n") if errors?
-          raise RuleValidationError, "Something wrong with queries or emitters." unless @no_method_error.nil?
+          raise RuleValidationError, "Something wrong with queries, emitters or enrichers." unless @no_method_error.nil?
         end
         def [](key)
@@ -150,6 +150,7 @@ module Mihari
             allowed_data_types: self[:allowed_data_types],
             disallowed_data_values: self[:disallowed_data_values],
             emitters: self[:emitters],
+            enrichers: self[:enrichers],
             id: id
           )
           analyzer.ignore_old_artifacts = self[:ignore_old_artifacts]

data/lib/mihari/structs/virustotal_intelligence.rb CHANGED Viewed

@@ -4,7 +4,7 @@ module Mihari
   module Structs
     module VirusTotalIntelligence
       class ContextAttributes < Dry::Struct
-        attribute :url, Types.Array(Types::String).optional
+        attribute :url, Types::String.optional
         def self.from_dynamic!(d)
           d = Types::Hash[d]
@@ -25,7 +25,7 @@ module Mihari
           when "file"
             id
           when "url"
-            (context_attributes.url || []).first
+            context_attributes&.url
           when "domain"
             id
           when "ip_address"

data/lib/mihari/types.rb CHANGED Viewed

@@ -21,5 +21,12 @@ module Mihari
       "database",
       "webhook"
     )
+    EnricherTypes = Types::String.enum(
+      "whois",
+      "ipinfo",
+      "shodan",
+      "google_public_dns"
+    )
   end
 end

data/lib/mihari/version.rb CHANGED Viewed

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 module Mihari
-  VERSION = "4.5.3"
+  VERSION = "4.7.0"
 end

data/lib/mihari/web/app.rb CHANGED Viewed

@@ -53,6 +53,9 @@ module Mihari
         Rack::Handler::Puma.run(instance, Port: port, Host: host, Threads: threads, Verbose: verbose) do |_launcher|
           Launchy.open(url) if ENV["RACK_ENV"] != "development"
+        rescue Launchy::CommandNotFoundError
+          # ref. https://github.com/ninoseki/mihari/issues/477
+          # do nothing
         end
       end
     end

data/lib/mihari.rb CHANGED Viewed

@@ -71,34 +71,55 @@ end
 module Mihari
   extend Dry::Configurable
-  setting :binaryedge_api_key, default: ENV["BINARYEDGE_API_KEY"]
-  setting :censys_id, default: ENV["CENSYS_ID"]
-  setting :censys_secret, default: ENV["CENSYS_SECRET"]
-  setting :circl_passive_password, default: ENV["CIRCL_PASSIVE_PASSWORD"]
-  setting :circl_passive_username, default: ENV["CIRCL_PASSIVE_USERNAME"]
-  setting :database, default: ENV["DATABASE"] || "mihari.db"
-  setting :greynoise_api_key, default: ENV["GREYNOISE_API_KEY"]
-  setting :ipinfo_api_key, default: ENV["IPINFO_API_KEY"]
-  setting :misp_api_endpoint, default: ENV["MISP_API_ENDPOINT"]
-  setting :misp_api_key, default: ENV["MISP_API_KEY"]
-  setting :onyphe_api_key, default: ENV["ONYPHE_API_KEY"]
-  setting :otx_api_key, default: ENV["OTX_API_KEY"]
-  setting :passivetotal_api_key, default: ENV["PASSIVETOTAL_API_KEY"]
-  setting :passivetotal_username, default: ENV["PASSIVETOTAL_USERNAME"]
-  setting :pulsedive_api_key, default: ENV["PULSEDIVE_API_KEY"]
-  setting :securitytrails_api_key, default: ENV["SECURITYTRAILS_API_KEY"]
-  setting :shodan_api_key, default: ENV["SHODAN_API_KEY"]
-  setting :slack_channel, default: ENV["SLACK_CHANNEL"]
-  setting :slack_webhook_url, default: ENV["SLACK_WEBHOOK_URL"]
-  setting :spyse_api_key, default: ENV["SPYSE_API_KEY"]
-  setting :thehive_api_endpoint, default: ENV["THEHIVE_API_ENDPOINT"]
-  setting :thehive_api_key, default: ENV["THEHIVE_API_KEY"]
-  setting :urlscan_api_key, default: ENV["URLSCAN_API_KEY"]
-  setting :virustotal_api_key, default: ENV["VIRUSTOTAL_API_KEY"]
-  setting :webhook_url, default: ENV["WEBHOOK_URL"]
-  setting :webhook_use_json_body, constructor: ->(value = ENV["WEBHOOK_USE_JSON_BODY"]) { truthy?(value) }
-  setting :zoomeye_api_key, default: ENV["ZOOMEYE_API_KEY"]
-  setting :sentry_dsn, default: ENV["SENTRY_DSN"]
+  setting :binaryedge_api_key, default: ENV.fetch("BINARYEDGE_API_KEY", nil)
+  setting :censys_id, default: ENV.fetch("CENSYS_ID", nil)
+  setting :censys_secret, default: ENV.fetch("CENSYS_SECRET", nil)
+  setting :circl_passive_password, default: ENV.fetch("CIRCL_PASSIVE_PASSWORD", nil)
+  setting :circl_passive_username, default: ENV.fetch("CIRCL_PASSIVE_USERNAME", nil)
+  setting :database, default: ENV.fetch("DATABASE", "mihari.db")
+  setting :greynoise_api_key, default: ENV.fetch("GREYNOISE_API_KEY", nil)
+  setting :ipinfo_api_key, default: ENV.fetch("IPINFO_API_KEY", nil)
+  setting :misp_api_endpoint, default: ENV.fetch("MISP_API_ENDPOINT", nil)
+  setting :misp_api_key, default: ENV.fetch("MISP_API_KEY", nil)
+  setting :onyphe_api_key, default: ENV.fetch("ONYPHE_API_KEY", nil)
+  setting :otx_api_key, default: ENV.fetch("OTX_API_KEY", nil)
+  setting :passivetotal_api_key, default: ENV.fetch("PASSIVETOTAL_API_KEY", nil)
+  setting :passivetotal_username, default: ENV.fetch("PASSIVETOTAL_USERNAME", nil)
+  setting :pulsedive_api_key, default: ENV.fetch("PULSEDIVE_API_KEY", nil)
+  setting :securitytrails_api_key, default: ENV.fetch("SECURITYTRAILS_API_KEY", nil)
+  setting :shodan_api_key, default: ENV.fetch("SHODAN_API_KEY", nil)
+  setting :slack_channel, default: ENV.fetch("SLACK_CHANNEL", nil)
+  setting :slack_webhook_url, default: ENV.fetch("SLACK_WEBHOOK_URL", nil)
+  setting :spyse_api_key, default: ENV.fetch("SPYSE_API_KEY", nil)
+  setting :thehive_api_endpoint, default: ENV.fetch("THEHIVE_API_ENDPOINT", nil)
+  setting :thehive_api_key, default: ENV.fetch("THEHIVE_API_KEY", nil)
+  setting :thehive_api_version, default: ENV.fetch("THEHIVE_API_VERSION", nil)
+  setting :urlscan_api_key, default: ENV.fetch("URLSCAN_API_KEY", nil)
+  setting :virustotal_api_key, default: ENV.fetch("VIRUSTOTAL_API_KEY", nil)
+  setting :webhook_url, default: ENV.fetch("WEBHOOK_URL", nil)
+  setting :webhook_use_json_body, constructor: ->(value = ENV.fetch("WEBHOOK_USE_JSON_BODY", nil)) { truthy?(value) }
+  setting :zoomeye_api_key, default: ENV.fetch("ZOOMEYE_API_KEY", nil)
+  setting :sentry_dsn, default: ENV.fetch("SENTRY_DSN", nil)
   class << self
     include Memist::Memoizable
@@ -152,6 +173,7 @@ require "mihari/types"
 # Structs
 require "mihari/structs/alert"
 require "mihari/structs/censys"
+require "mihari/structs/google_public_dns"
 require "mihari/structs/greynoise"
 require "mihari/structs/ipinfo"
 require "mihari/structs/onyphe"
@@ -168,8 +190,10 @@ require "mihari/schemas/rule"
 # Enrichers
 require "mihari/enrichers/base"
+require "mihari/enrichers/google_public_dns"
 require "mihari/enrichers/ipinfo"
 require "mihari/enrichers/shodan"
+require "mihari/enrichers/whois"
 # Models
 require "mihari/models/alert"

data/mihari.gemspec CHANGED Viewed

@@ -29,7 +29,7 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency "bundler", "~> 2.3"
   spec.add_development_dependency "coveralls_reborn", "~> 0.24"
-  spec.add_development_dependency "fakefs", "~> 1.4"
+  spec.add_development_dependency "fakefs", "~> 1.5"
   spec.add_development_dependency "mysql2", "~> 0.5"
   spec.add_development_dependency "overcommit", "~> 0.59"
   spec.add_development_dependency "pg", "~> 1.3"
@@ -39,13 +39,13 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency "rerun", "~> 0.13"
   spec.add_development_dependency "rspec", "~> 3.11"
   spec.add_development_dependency "simplecov-lcov", "~> 0.8.0"
-  spec.add_development_dependency "standard", "~> 1.11"
-  spec.add_development_dependency "steep", "~> 0.52"
+  spec.add_development_dependency "standard", "~> 1.12"
+  spec.add_development_dependency "steep", "~> 1.0"
   spec.add_development_dependency "timecop", "~> 0.9"
   spec.add_development_dependency "vcr", "~> 6.1"
   spec.add_development_dependency "webmock", "~> 3.14"
-  spec.add_dependency "activerecord", "7.0.2.4"
+  spec.add_dependency "activerecord", "7.0.3"
   spec.add_dependency "addressable", "2.8.0"
   spec.add_dependency "awrence", "2.0.1"
   spec.add_dependency "binaryedge", "0.1.0"
@@ -58,16 +58,16 @@ Gem::Specification.new do |spec|
   spec.add_dependency "dry-container", "0.9.0"
   spec.add_dependency "dry-files", "0.1.0"
   spec.add_dependency "dry-initializer", "3.1.1"
-  spec.add_dependency "dry-schema", "1.9.1"
+  spec.add_dependency "dry-schema", "1.9.2"
   spec.add_dependency "dry-struct", "1.4.0"
-  spec.add_dependency "dry-validation", "1.8.0"
-  spec.add_dependency "email_address", "0.2.2"
+  spec.add_dependency "dry-validation", "1.8.1"
+  spec.add_dependency "email_address", "0.2.3"
   spec.add_dependency "grape", "1.6.2"
   spec.add_dependency "grape-entity", "0.10.1"
   spec.add_dependency "grape-swagger", "1.4.2"
   spec.add_dependency "grape-swagger-entity", "0.5.1"
   spec.add_dependency "greynoise", "0.1.1"
-  spec.add_dependency "hachi", "1.0.0"
+  spec.add_dependency "hachi", "2.0.0"
   spec.add_dependency "insensitive_hash", "0.3.3"
   spec.add_dependency "jr-cli", "0.5.1"
   spec.add_dependency "launchy", "2.5.0"
@@ -84,12 +84,12 @@ Gem::Specification.new do |spec|
   spec.add_dependency "public_suffix", "4.0.7"
   spec.add_dependency "pulsedive", "0.1.5"
   spec.add_dependency "puma", "5.6.4"
-  spec.add_dependency "rack", "2.2.3"
+  spec.add_dependency "rack", "2.2.3.1"
   spec.add_dependency "rack-contrib", "2.3.0"
   spec.add_dependency "rack-cors", "1.1.1"
   spec.add_dependency "securitytrails", "1.0.0"
-  spec.add_dependency "semantic_logger", "4.10.0"
-  spec.add_dependency "sentry-ruby", "5.3.0"
+  spec.add_dependency "semantic_logger", "4.11.0"
+  spec.add_dependency "sentry-ruby", "5.3.1"
   spec.add_dependency "shodanx", "0.2.1"
   spec.add_dependency "slack-notifier", "2.4.0"
   spec.add_dependency "spysex", "0.2.0"

data/sig/lib/mihari/emitters/the_hive.rbs CHANGED Viewed

@@ -5,11 +5,15 @@ module Mihari
       attr_reader api_key: String?
+      attr_reader api_version: String?
       # @return [true, false]
       def valid?: () -> bool
       def emit: (title: untyped title, description: untyped description, artifacts: untyped artifacts, ?tags: untyped tags, **untyped _options) -> (nil | untyped)
+      def normalized_api_version: () -> String?
       private
       def configuration_keys: () -> ::Array["thehive_api_endpoint" | "thehive_api_key"]

data/sig/lib/mihari/enrichers/google_public_dns.rbs ADDED Viewed

@@ -0,0 +1,18 @@
+module Mihari
+  module Enrichers
+    class GooglePublicDNS < Base
+      # @return [Boolean]
+      def valid?: () -> true
+      #
+      # Query Google Public DNS
+      #
+      # @param [String] name
+      # @param [String] resource_type
+      #
+      # @return [Mihari::Structs::Shodan::GooglePublicDNS::Response, nil]
+      #
+      def self.query: (String name, String resource_type) -> Mihari::Structs::Shodan::GooglePublicDNS::Response?
+    end
+  end
+end

data/sig/lib/mihari/structs/google_public_dns.rbs ADDED Viewed

@@ -0,0 +1,21 @@
+module Mihari
+  module Structs
+    module GooglePublicDNS
+      INT_TYPE_TO_TYPE: { 1 => "A", 2 => "NS", 5 => "CNAME", 16 => "TXT", 28 => "AAAA" }
+      class Answer < Dry::Struct
+			  attr_reader name: String
+        attr_reader data: String
+        attr_reader resource_type: String
+        def self.from_dynamic!: (Hash[(String | Symbol), untyped] d) -> Mihari::Structs::GooglePublicDNS::Answer
+      end
+      class Response < Dry::Struct
+        attr_reader answers: Array[Mihari::Structs::GooglePublicDNS::Answer]
+        def self.from_dynamic!: (Hash[(String | Symbol), untyped] d) -> Mihari::Structs::GooglePublicDNS::Response
+      end
+    end
+  end
+end

data/sig/lib/mihari.rbs CHANGED Viewed

@@ -19,6 +19,7 @@ class Configuration
   attr_accessor spyse_api_key (): String?
   attr_accessor thehive_api_endpoint (): String?
   attr_accessor thehive_api_key (): String?
+  attr_accessor thehive_api_version (): String?
   attr_accessor urlscan_api_key (): String?
   attr_accessor virustotal_api_key (): String?
   attr_accessor zoomeye_api_key (): String?

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: mihari
 version: !ruby/object:Gem::Version
-  version: 4.5.3
+  version: 4.7.0
 platform: ruby
 authors:
 - Manabu Niseki
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2022-05-08 00:00:00.000000000 Z
+date: 2022-06-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -44,14 +44,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.4'
+        version: '1.5'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.4'
+        version: '1.5'
 - !ruby/object:Gem::Dependency
   name: mysql2
   requirement: !ruby/object:Gem::Requirement
@@ -184,28 +184,28 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.11'
+        version: '1.12'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.11'
+        version: '1.12'
 - !ruby/object:Gem::Dependency
   name: steep
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.52'
+        version: '1.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.52'
+        version: '1.0'
 - !ruby/object:Gem::Dependency
   name: timecop
   requirement: !ruby/object:Gem::Requirement
@@ -254,14 +254,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.0.2.4
+        version: 7.0.3
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.0.2.4
+        version: 7.0.3
 - !ruby/object:Gem::Dependency
   name: addressable
   requirement: !ruby/object:Gem::Requirement
@@ -436,14 +436,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 1.9.1
+        version: 1.9.2
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 1.9.1
+        version: 1.9.2
 - !ruby/object:Gem::Dependency
   name: dry-struct
   requirement: !ruby/object:Gem::Requirement
@@ -464,28 +464,28 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 1.8.0
+        version: 1.8.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 1.8.0
+        version: 1.8.1
 - !ruby/object:Gem::Dependency
   name: email_address
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.2.2
+        version: 0.2.3
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.2.2
+        version: 0.2.3
 - !ruby/object:Gem::Dependency
   name: grape
   requirement: !ruby/object:Gem::Requirement
@@ -562,14 +562,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 1.0.0
+        version: 2.0.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 1.0.0
+        version: 2.0.0
 - !ruby/object:Gem::Dependency
   name: insensitive_hash
   requirement: !ruby/object:Gem::Requirement
@@ -800,14 +800,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 2.2.3
+        version: 2.2.3.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 2.2.3
+        version: 2.2.3.1
 - !ruby/object:Gem::Dependency
   name: rack-contrib
   requirement: !ruby/object:Gem::Requirement
@@ -856,28 +856,28 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 4.10.0
+        version: 4.11.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 4.10.0
+        version: 4.11.0
 - !ruby/object:Gem::Dependency
   name: sentry-ruby
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 5.3.0
+        version: 5.3.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 5.3.0
+        version: 5.3.1
 - !ruby/object:Gem::Dependency
   name: shodanx
   requirement: !ruby/object:Gem::Requirement
@@ -1110,8 +1110,10 @@ files:
 - lib/mihari/emitters/the_hive.rb
 - lib/mihari/emitters/webhook.rb
 - lib/mihari/enrichers/base.rb
+- lib/mihari/enrichers/google_public_dns.rb
 - lib/mihari/enrichers/ipinfo.rb
 - lib/mihari/enrichers/shodan.rb
+- lib/mihari/enrichers/whois.rb
 - lib/mihari/entities/alert.rb
 - lib/mihari/entities/artifact.rb
 - lib/mihari/entities/autonomous_system.rb
@@ -1153,11 +1155,13 @@ files:
 - lib/mihari/models/whois.rb
 - lib/mihari/schemas/analyzer.rb
 - lib/mihari/schemas/emitter.rb
+- lib/mihari/schemas/enricher.rb
 - lib/mihari/schemas/macros.rb
 - lib/mihari/schemas/rule.rb
 - lib/mihari/status.rb
 - lib/mihari/structs/alert.rb
 - lib/mihari/structs/censys.rb
+- lib/mihari/structs/google_public_dns.rb
 - lib/mihari/structs/greynoise.rb
 - lib/mihari/structs/ipinfo.rb
 - lib/mihari/structs/onyphe.rb
@@ -1243,6 +1247,7 @@ files:
 - sig/lib/mihari/emitters/the_hive.rbs
 - sig/lib/mihari/emitters/webhook.rbs
 - sig/lib/mihari/enrichers/base.rbs
+- sig/lib/mihari/enrichers/google_public_dns.rbs
 - sig/lib/mihari/enrichers/ipinfo.rbs
 - sig/lib/mihari/errors.rbs
 - sig/lib/mihari/feed/parser.rbs
@@ -1272,6 +1277,7 @@ files:
 - sig/lib/mihari/status.rbs
 - sig/lib/mihari/structs/alert.rbs
 - sig/lib/mihari/structs/censys.rbs
+- sig/lib/mihari/structs/google_public_dns.rbs
 - sig/lib/mihari/structs/greynoise.rbs
 - sig/lib/mihari/structs/ipinfo.rbs
 - sig/lib/mihari/structs/onyphe.rbs