mihari 4.6.0 → 4.7.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 1f340898bd140d76041cde8c5cb266bcb379f056bac511fcd9de9a4dd20fc299
-  data.tar.gz: fb96310ecb6efb1dd5059feea692a8128bdff3610579473134653979c2f0512c
+  metadata.gz: 38f68ec091b2469095f321f104c1e238599c56afa7f55763920cfeef0df03ca0
+  data.tar.gz: 625bbd99f92e4af768b76db15ab72cd53dba6a04150acc3ddfe7feb7d1a82bf7
 SHA512:
-  metadata.gz: 8d9758d027fc056f52be261fb2d7c6fa81dc402d4f47c01a8e49c93e1bc084a501af74c0e51c73ac2967c7795529130f1c34801661f1a9935075e197eaf446b0
-  data.tar.gz: e48d29aa3756a260cc273f9b05e65aa28e6e9e67f377fcc9c4ff722931f7789f363478c9a33470aea41a1bd72a9c9e73c05b76583d52bdb80096c2fdaf627b54
+  metadata.gz: fe847e37658ede26d1910e8c73ee1726e2b32335571e03c97c891b2d799380397ed1d32de7e4ed31ae57c861b4a6aa74433454d4871e38e2137100ce342894a1
+  data.tar.gz: 688c3adcf6ebb754d02b0fecde033602b47fe23ae11fffaff329ce53b93c268ab274319fdb630c819163856ce9708f2658bfe6fe7790e54ab1488e8d2af90245

data/lib/mihari/analyzers/clients/otx.rb

@@ -0,0 +1,36 @@
+# frozen_string_literal: true
+
+module Mihari
+  module Analyzers
+    module Clients
+      class OTX
+        attr_reader :api_key
+
+        def initialize(api_key)
+          @api_key = api_key
+        end
+
+        def query_by_ip(ip)
+          get "https://otx.alienvault.com/api/v1/indicators/IPv4/#{ip}/passive_dns"
+        end
+
+        def query_by_domain(domain)
+          get "https://otx.alienvault.com/api/v1/indicators/domain/#{domain}/passive_dns"
+        end
+
+        private
+
+        def headers
+          { "x-otx-api-key": api_key }
+        end
+
+        def get(url)
+          res = HTTP.get(url, headers: headers)
+          JSON.parse(res.body.to_s)
+        rescue HTTPError
+          nil
+        end
+      end
+    end
+  end
+end

data/lib/mihari/analyzers/otx.rb

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 
-require "otx_ruby"
+require "mihari/analyzers/clients/otx"
 
 module Mihari
   module Analyzers
@@ -34,12 +34,8 @@ module Mihari
         %w[otx_api_key]
       end
 
-      def domain_client
-        @domain_client ||= ::OTX::Domain.new(api_key)
-      end
-
-      def ip_client
-        @ip_client ||= ::OTX::IP.new(api_key)
+      def client
+        @client ||= Mihari::Analyzers::Clients::OTX.new(api_key)
       end
 
       #
@@ -73,9 +69,15 @@ module Mihari
       # @return [Array<String>]
       #
       def domain_search
-        records = domain_client.get_passive_dns(query)
+        res = client.query_by_domain(query)
+        return [] if res.nil?
+
+        records = res["passive_dns"] || []
         records.filter_map do |record|
-          record.address if record.record_type == "A"
+          record_type = record["record_type"]
+          address = record["address"]
+
+          address if record_type == "A"
         end.uniq
       end
 
@@ -85,9 +87,15 @@ module Mihari
       # @return [Array<String>]
       #
       def ip_search
-        records = ip_client.get_passive_dns(query)
+        res = client.query_by_ip(query)
+        return [] if res.nil?
+
+        records = res["passive_dns"] || []
         records.filter_map do |record|
-          record.hostname if record.record_type == "A"
+          record_type = record["record_type"]
+          hostname = record["hostname"]
+
+          hostname if record_type == "A"
         end.uniq
       end
     end

data/lib/mihari/analyzers/rule.rb

@@ -51,6 +51,7 @@ module Mihari
       option :disallowed_data_values, default: proc { [] }
 
       option :emitters, optional: true
+      option :enrichers, optional: true
 
       attr_reader :source
 
@@ -60,6 +61,7 @@ module Mihari
         @source = id
 
         @emitters = emitters || DEFAULT_EMITTERS
+        @enrichers = enrichers || DEFAULT_ENRICHERS
 
         validate_analyzer_configurations
       end
@@ -112,6 +114,21 @@ module Mihari
         end
       end
 
+      #
+      # Enriched artifacts
+      #
+      # @return [Array<Mihari::Artifact>]
+      #
+      def enriched_artifacts
+        @enriched_artifacts ||= Parallel.map(unique_artifacts) do |artifact|
+          enrichers.each do |enricher|
+            artifact.enrich_by_enricher(enricher[:enricher])
+          end
+
+          artifact
+        end
+      end
+
       #
       # Normalized disallowed data values
       #

data/lib/mihari/constants.rb

@@ -4,4 +4,6 @@ module Mihari
   ALLOWED_DATA_TYPES = ["hash", "ip", "domain", "url", "mail"].freeze
 
   DEFAULT_EMITTERS = ["database", "misp", "slack", "the_hive", "webhook"].map { |name| { emitter: name } }.freeze
+
+  DEFAULT_ENRICHERS = ["whois", "ipinfo", "shodan", "google_public_dns"].map { |name| { enricher: name } }.freeze
 end

data/lib/mihari/enrichers/google_public_dns.rb

@@ -0,0 +1,36 @@
+# frozen_string_literal: true
+
+require "net/https"
+
+module Mihari
+  module Enrichers
+    class GooglePublicDNS < Base
+      # @return [Boolean]
+      def valid?
+        true
+      end
+
+      class << self
+        #
+        # Query Google Public DNS
+        #
+        # @param [String] name
+        # @param [String] resource_type
+        #
+        # @return [Mihari::Structs::Shodan::GooglePublicDNS::Response, nil]
+        #
+        def query(name, resource_type)
+          url = "https://dns.google/resolve"
+          params = { name: name, type: resource_type }
+          res = HTTP.get(url, params: params)
+
+          data = JSON.parse(res.body.to_s)
+
+          Structs::GooglePublicDNS::Response.from_dynamic! data
+        rescue HTTPError
+          nil
+        end
+      end
+    end
+  end
+end

data/lib/mihari/enrichers/whois.rb

@@ -0,0 +1,126 @@
+# frozen_string_literal: true
+
+require "whois-parser"
+
+module Mihari
+  module Enrichers
+    class Whois < Base
+      @memo = {}
+
+      # @return [Boolean]
+      def valid?
+        true
+      end
+
+      class << self
+        #
+        # Query IAIA Whois API
+        #
+        # @param [String] name
+        #
+        # @return [Mihari::WhoisRecord, nil]
+        #
+        def query(domain)
+          domain = PublicSuffix.domain(domain)
+
+          # check memo
+          if @memo.key?(domain)
+            whois_record = @memo[domain]
+            # return clone of the record
+            return whois_record.dup
+          end
+
+          record = ::Whois.whois(domain)
+          parser = record.parser
+
+          return nil if parser.available?
+
+          whois_record = WhoisRecord.new(
+            domain: domain,
+            created_on: get_created_on(parser),
+            updated_on: get_updated_on(parser),
+            expires_on: get_expires_on(parser),
+            registrar: get_registrar(parser),
+            contacts: get_contacts(parser)
+          )
+          # set memo
+          @memo[domain] = whois_record
+          whois_record
+        rescue ::Whois::Error, ::Whois::ParserError, Timeout::Error
+          nil
+        end
+
+        def reset_cache
+          @memo = {}
+        end
+
+        private
+
+        #
+        # Get created_on
+        #
+        # @param [::Whois::Parser:] parser
+        #
+        # @return [Date, nil]
+        #
+        def get_created_on(parser)
+          parser.created_on
+        rescue ::Whois::AttributeNotImplemented
+          nil
+        end
+
+        #
+        # Get updated_on
+        #
+        # @param [::Whois::Parser:] parser
+        #
+        # @return [Date, nil]
+        #
+        def get_updated_on(parser)
+          parser.updated_on
+        rescue ::Whois::AttributeNotImplemented
+          nil
+        end
+
+        #
+        # Get expires_on
+        #
+        # @param [::Whois::Parser:] parser
+        #
+        # @return [Date, nil]
+        #
+        def get_expires_on(parser)
+          parser.expires_on
+        rescue ::Whois::AttributeNotImplemented
+          nil
+        end
+
+        #
+        # Get registrar
+        #
+        # @param [::Whois::Parser:] parser
+        #
+        # @return [Hash, nil]
+        #
+        def get_registrar(parser)
+          parser.registrar&.to_h
+        rescue ::Whois::AttributeNotImplemented
+          nil
+        end
+
+        #
+        # Get contacts
+        #
+        # @param [::Whois::Parser:] parser
+        #
+        # @return [Array[Hash], nil]
+        #
+        def get_contacts(parser)
+          parser.contacts.map(&:to_h)
+        rescue ::Whois::AttributeNotImplemented
+          nil
+        end
+      end
+    end
+  end
+end

data/lib/mihari/http.rb

@@ -44,8 +44,8 @@ module Mihari
     end
 
     class << self
-      def get(uri, headers: {}, payload: {})
-        client = new(uri, headers: headers, payload: payload)
+      def get(uri, headers: {}, params: {})
+        client = new(uri, headers: headers, payload: params)
         client.get
       end
 

data/lib/mihari/models/artifact.rb

@@ -135,6 +135,36 @@ module Mihari
       enrich_cpes
     end
 
+    ENRICH_METHODS_BY_ENRICHER = {
+      whois: [
+        :enrich_whois
+      ],
+      ipinfo: [
+        :enrich_autonomous_system,
+        :enrich_geolocation
+      ],
+      shodan: [
+        :enrich_ports,
+        :enrich_cpes,
+        :enrich_reverse_dns
+      ],
+      google_public_dns: [
+        :enrich_dns
+      ]
+    }.freeze
+
+    #
+    # Enrich by name of enricher
+    #
+    # @param [String] enricher
+    #
+    def enrich_by_enricher(enricher)
+      methods = ENRICH_METHODS_BY_ENRICHER[enricher.downcase.to_sym] || []
+      methods.each do |method|
+        send(method) if respond_to?(method)
+      end
+    end
+
     private
 
     def normalize_as_domain(url_or_domain)

data/lib/mihari/models/cpe.rb

@@ -14,7 +14,7 @@ module Mihari
       #
       def build_by_ip(ip)
         res = Enrichers::Shodan.query(ip)
-        return if res.nil?
+        return [] if res.nil?
 
         res.cpes.map { |cpe| new(cpe: cpe) }
       end

data/lib/mihari/models/dns.rb

@@ -13,14 +13,7 @@ module Mihari
       # @return [Array<Mihari::DnsRecord>]
       #
       def build_by_domain(domain)
-        resource_types = [
-          Resolv::DNS::Resource::IN::A,
-          Resolv::DNS::Resource::IN::AAAA,
-          Resolv::DNS::Resource::IN::CNAME,
-          Resolv::DNS::Resource::IN::TXT,
-          Resolv::DNS::Resource::IN::NS
-        ]
-
+        resource_types = %w[A AAAA CNAME TXT NS]
         resource_types.map do |resource_type|
           get_values domain, resource_type
         rescue Resolv::ResolvError
@@ -31,20 +24,11 @@ module Mihari
       private
 
       def get_values(domain, resource_type)
-        resources = Resolv::DNS.new.getresources(domain, resource_type)
-        resource_name = resource_type.to_s.split("::").last
+        response = Enrichers::GooglePublicDNS.query(domain, resource_type)
+        answers = response.answers || []
 
-        resources.filter_map do |resource|
-          # A, AAAA
-          if resource.respond_to?(:address)
-            new(resource: resource_name, value: resource.address.to_s)
-          # CNAME, NS
-          elsif resource.respond_to?(:name)
-            new(resource: resource_name, value: resource.name.to_s)
-          # TXT
-          elsif resource.respond_to?(:data)
-            new(resource: resource_name, value: resource.data.to_s)
-          end
+        answers.filter_map do |answer|
+          new(resource: answer.resource_type, value: answer.data)
         end
       end
     end

data/lib/mihari/models/reverse_dns.rb

@@ -14,7 +14,7 @@ module Mihari
       #
       def build_by_ip(ip)
         res = Enrichers::Shodan.query(ip)
-        return if res.nil?
+        return [] if res.nil?
 
         res.hostnames.map { |name| new(name: name) }
       end

data/lib/mihari/models/whois.rb

@@ -1,7 +1,5 @@
 # frozen_string_literal: true
 
-require "whois-parser"
-
 module Mihari
   class WhoisRecord < ActiveRecord::Base
     belongs_to :artifact
@@ -17,100 +15,7 @@ module Mihari
       # @return [WhoisRecord, nil]
       #
       def build_by_domain(domain)
-        domain = PublicSuffix.domain(domain)
-
-        # check memo
-        if @memo.key?(domain)
-          whois_record = @memo[domain]
-          # return clone of the record
-          return whois_record.dup
-        end
-
-        record = Whois.whois(domain)
-        parser = record.parser
-
-        return nil if parser.available?
-
-        whois_record = new(
-          domain: domain,
-          created_on: get_created_on(parser),
-          updated_on: get_updated_on(parser),
-          expires_on: get_expires_on(parser),
-          registrar: get_registrar(parser),
-          contacts: get_contacts(parser)
-        )
-        # set memo
-        @memo[domain] = whois_record
-        whois_record
-      rescue Whois::Error, Whois::ParserError, Timeout::Error
-        nil
-      end
-
-      private
-
-      #
-      # Get created_on
-      #
-      # @param [::Whois::Parser:] parser
-      #
-      # @return [Date, nil]
-      #
-      def get_created_on(parser)
-        parser.created_on
-      rescue ::Whois::AttributeNotImplemented
-        nil
-      end
-
-      #
-      # Get updated_on
-      #
-      # @param [::Whois::Parser:] parser
-      #
-      # @return [Date, nil]
-      #
-      def get_updated_on(parser)
-        parser.updated_on
-      rescue ::Whois::AttributeNotImplemented
-        nil
-      end
-
-      #
-      # Get expires_on
-      #
-      # @param [::Whois::Parser:] parser
-      #
-      # @return [Date, nil]
-      #
-      def get_expires_on(parser)
-        parser.expires_on
-      rescue ::Whois::AttributeNotImplemented
-        nil
-      end
-
-      #
-      # Get registrar
-      #
-      # @param [::Whois::Parser:] parser
-      #
-      # @return [Hash, nil]
-      #
-      def get_registrar(parser)
-        parser.registrar&.to_h
-      rescue ::Whois::AttributeNotImplemented
-        nil
-      end
-
-      #
-      # Get contacts
-      #
-      # @param [::Whois::Parser:] parser
-      #
-      # @return [Array[Hash], nil]
-      #
-      def get_contacts(parser)
-        parser.contacts.map(&:to_h)
-      rescue ::Whois::AttributeNotImplemented
-        nil
+        Enrichers::Whois.query domain
       end
     end
   end

data/lib/mihari/schemas/enricher.rb

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+module Mihari
+  module Schemas
+    Enricher = Dry::Schema.Params do
+      required(:enricher).value(Types::EnricherTypes)
+    end
+  end
+end

data/lib/mihari/schemas/rule.rb

@@ -2,6 +2,7 @@
 
 require "mihari/schemas/analyzer"
 require "mihari/schemas/emitter"
+require "mihari/schemas/enricher"
 
 module Mihari
   module Schemas
@@ -20,6 +21,8 @@ module Mihari
 
       optional(:emitters).value(:array).each { Emitter | MISP | TheHive | Slack | HTTP }
 
+      optional(:enrichers).value(:array).each(Enricher)
+
       optional(:allowed_data_types).value(array[Types::DataTypes]).default(ALLOWED_DATA_TYPES)
       optional(:disallowed_data_values).value(array[:string]).default([])
 
@@ -35,6 +38,9 @@ module Mihari
         emitters = h[:emitters]
         h[:emitters] = emitters || DEFAULT_EMITTERS
 
+        enrichers = h[:enrichers]
+        h[:enrichers] = enrichers || DEFAULT_ENRICHERS
+
         h
       end
     end

data/lib/mihari/structs/google_public_dns.rb

@@ -0,0 +1,42 @@
+# frozen_string_literal: true
+
+module Mihari
+  module Structs
+    module GooglePublicDNS
+      INT_TYPE_TO_TYPE = {
+        1 => "A",
+        2 => "NS",
+        5 => "CNAME",
+        16 => "TXT",
+        28 => "AAAA"
+      }
+
+      class Answer < Dry::Struct
+        attribute :name, Types::String
+        attribute :data, Types::String
+        attribute :resource_type, Types::String
+
+        def self.from_dynamic!(d)
+          d = Types::Hash[d]
+          resource_type = INT_TYPE_TO_TYPE[d.fetch("type")]
+          new(
+            name: d.fetch("name"),
+            data: d.fetch("data"),
+            resource_type: resource_type
+          )
+        end
+      end
+
+      class Response < Dry::Struct
+        attribute :answers, Types.Array(Answer)
+
+        def self.from_dynamic!(d)
+          d = Types::Hash[d]
+          new(
+            answers: d.fetch("Answer", []).map { |x| Answer.from_dynamic!(x) }
+          )
+        end
+      end
+    end
+  end
+end

data/lib/mihari/structs/rule.rb

@@ -88,7 +88,7 @@ module Mihari
 
           raise RuleValidationError, error_messages.join("\n") if errors?
 
-          raise RuleValidationError, "Something wrong with queries or emitters." unless @no_method_error.nil?
+          raise RuleValidationError, "Something wrong with queries, emitters or enrichers." unless @no_method_error.nil?
         end
 
         def [](key)
@@ -150,6 +150,7 @@ module Mihari
             allowed_data_types: self[:allowed_data_types],
             disallowed_data_values: self[:disallowed_data_values],
             emitters: self[:emitters],
+            enrichers: self[:enrichers],
             id: id
           )
           analyzer.ignore_old_artifacts = self[:ignore_old_artifacts]
@@ -168,6 +169,7 @@ module Mihari
           #
           def from_model(model)
             data = model.data.deep_symbolize_keys
+            # set ID if YAML data do not have ID
             data[:id] = model.id unless data.key?(:id)
 
             Structs::Rule::Rule.new(data, model.yaml)
@@ -177,9 +179,13 @@ module Mihari
           # @param [String] yaml
           #
           # @return [Mihari::Structs::Rule::Rule]
+          # @param [String, nil] id
           #
-          def from_yaml(yaml)
+          def from_yaml(yaml, id: nil)
             data = load_erb_yaml(yaml)
+            # set ID if id is given & YAML data do not have ID
+            data[:id] = id if !id.nil? && !data.key?(:id)
+
             Structs::Rule::Rule.new(data, yaml)
           end
         end

data/lib/mihari/structs/virustotal_intelligence.rb

@@ -4,7 +4,7 @@ module Mihari
   module Structs
     module VirusTotalIntelligence
       class ContextAttributes < Dry::Struct
-        attribute :url, Types.Array(Types::String).optional
+        attribute :url, Types::String.optional
 
         def self.from_dynamic!(d)
           d = Types::Hash[d]
@@ -25,7 +25,7 @@ module Mihari
           when "file"
             id
           when "url"
-            (context_attributes.url || []).first
+            context_attributes&.url
           when "domain"
             id
           when "ip_address"

data/lib/mihari/types.rb

@@ -21,5 +21,12 @@ module Mihari
       "database",
       "webhook"
     )
+
+    EnricherTypes = Types::String.enum(
+      "whois",
+      "ipinfo",
+      "shodan",
+      "google_public_dns"
+    )
   end
 end

data/lib/mihari/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Mihari
-  VERSION = "4.6.0"
+  VERSION = "4.7.1"
 end

data/lib/mihari/web/app.rb

@@ -53,6 +53,9 @@ module Mihari
 
         Rack::Handler::Puma.run(instance, Port: port, Host: host, Threads: threads, Verbose: verbose) do |_launcher|
           Launchy.open(url) if ENV["RACK_ENV"] != "development"
+        rescue Launchy::CommandNotFoundError
+          # ref. https://github.com/ninoseki/mihari/issues/477
+          # do nothing
         end
       end
     end

data/lib/mihari/web/endpoints/rules.rb

@@ -144,8 +144,7 @@ module Mihari
             error!({ message: "ID:#{id} is not found" }, 404)
           end
 
-          rule = Structs::Rule::Rule.from_yaml(yaml)
-          rule.id = id
+          rule = Structs::Rule::Rule.from_yaml(yaml, id: id)
 
           begin
             rule.validate!

data/lib/mihari.rb

@@ -173,6 +173,7 @@ require "mihari/types"
 # Structs
 require "mihari/structs/alert"
 require "mihari/structs/censys"
+require "mihari/structs/google_public_dns"
 require "mihari/structs/greynoise"
 require "mihari/structs/ipinfo"
 require "mihari/structs/onyphe"
@@ -189,8 +190,10 @@ require "mihari/schemas/rule"
 
 # Enrichers
 require "mihari/enrichers/base"
+require "mihari/enrichers/google_public_dns"
 require "mihari/enrichers/ipinfo"
 require "mihari/enrichers/shodan"
+require "mihari/enrichers/whois"
 
 # Models
 require "mihari/models/alert"

data/mihari.gemspec

@@ -29,7 +29,7 @@ Gem::Specification.new do |spec|
 
   spec.add_development_dependency "bundler", "~> 2.3"
   spec.add_development_dependency "coveralls_reborn", "~> 0.24"
-  spec.add_development_dependency "fakefs", "~> 1.4"
+  spec.add_development_dependency "fakefs", "~> 1.5"
   spec.add_development_dependency "mysql2", "~> 0.5"
   spec.add_development_dependency "overcommit", "~> 0.59"
   spec.add_development_dependency "pg", "~> 1.3"
@@ -40,7 +40,7 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency "rspec", "~> 3.11"
   spec.add_development_dependency "simplecov-lcov", "~> 0.8.0"
   spec.add_development_dependency "standard", "~> 1.12"
-  spec.add_development_dependency "steep", "~> 0.52"
+  spec.add_development_dependency "steep", "~> 1.0"
   spec.add_development_dependency "timecop", "~> 0.9"
   spec.add_development_dependency "vcr", "~> 6.1"
   spec.add_development_dependency "webmock", "~> 3.14"
@@ -58,9 +58,9 @@ Gem::Specification.new do |spec|
   spec.add_dependency "dry-container", "0.9.0"
   spec.add_dependency "dry-files", "0.1.0"
   spec.add_dependency "dry-initializer", "3.1.1"
-  spec.add_dependency "dry-schema", "1.9.1"
+  spec.add_dependency "dry-schema", "1.9.2"
   spec.add_dependency "dry-struct", "1.4.0"
-  spec.add_dependency "dry-validation", "1.8.0"
+  spec.add_dependency "dry-validation", "1.8.1"
   spec.add_dependency "email_address", "0.2.3"
   spec.add_dependency "grape", "1.6.2"
   spec.add_dependency "grape-entity", "0.10.1"
@@ -76,7 +76,6 @@ Gem::Specification.new do |spec|
   spec.add_dependency "net-ping", "2.0.8"
   spec.add_dependency "normalize_country", "0.3.2"
   spec.add_dependency "onyphe", "2.0.0"
-  spec.add_dependency "otx_ruby", "0.9.9"
   spec.add_dependency "parallel", "1.22.1"
   spec.add_dependency "passive_circl", "0.1.0"
   spec.add_dependency "passivetotalx", "0.1.1"
@@ -84,16 +83,16 @@ Gem::Specification.new do |spec|
   spec.add_dependency "public_suffix", "4.0.7"
   spec.add_dependency "pulsedive", "0.1.5"
   spec.add_dependency "puma", "5.6.4"
-  spec.add_dependency "rack", "2.2.3"
+  spec.add_dependency "rack", "2.2.3.1"
   spec.add_dependency "rack-contrib", "2.3.0"
   spec.add_dependency "rack-cors", "1.1.1"
   spec.add_dependency "securitytrails", "1.0.0"
   spec.add_dependency "semantic_logger", "4.11.0"
-  spec.add_dependency "sentry-ruby", "5.3.0"
+  spec.add_dependency "sentry-ruby", "5.3.1"
   spec.add_dependency "shodanx", "0.2.1"
   spec.add_dependency "slack-notifier", "2.4.0"
   spec.add_dependency "spysex", "0.2.0"
-  spec.add_dependency "sqlite3", "1.4.2"
+  spec.add_dependency "sqlite3", "1.4.4"
   spec.add_dependency "thor", "1.2.1"
   spec.add_dependency "urlscan", "0.8.0"
   spec.add_dependency "uuidtools", "2.2.0"

data/sig/lib/mihari/enrichers/google_public_dns.rbs

@@ -0,0 +1,18 @@
+module Mihari
+  module Enrichers
+    class GooglePublicDNS < Base
+      # @return [Boolean]
+      def valid?: () -> true
+
+      #
+      # Query Google Public DNS
+      #
+      # @param [String] name
+      # @param [String] resource_type
+      #
+      # @return [Mihari::Structs::Shodan::GooglePublicDNS::Response, nil]
+      #
+      def self.query: (String name, String resource_type) -> Mihari::Structs::Shodan::GooglePublicDNS::Response?
+    end
+  end
+end

data/sig/lib/mihari/structs/google_public_dns.rbs

@@ -0,0 +1,21 @@
+module Mihari
+  module Structs
+    module GooglePublicDNS
+      INT_TYPE_TO_TYPE: { 1 => "A", 2 => "NS", 5 => "CNAME", 16 => "TXT", 28 => "AAAA" }
+
+      class Answer < Dry::Struct
+			  attr_reader name: String
+        attr_reader data: String
+        attr_reader resource_type: String
+
+        def self.from_dynamic!: (Hash[(String | Symbol), untyped] d) -> Mihari::Structs::GooglePublicDNS::Answer
+      end
+
+      class Response < Dry::Struct
+        attr_reader answers: Array[Mihari::Structs::GooglePublicDNS::Answer]
+
+        def self.from_dynamic!: (Hash[(String | Symbol), untyped] d) -> Mihari::Structs::GooglePublicDNS::Response
+      end
+    end
+  end
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: mihari
 version: !ruby/object:Gem::Version
-  version: 4.6.0
+  version: 4.7.1
 platform: ruby
 authors:
 - Manabu Niseki
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2022-05-15 00:00:00.000000000 Z
+date: 2022-06-18 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -44,14 +44,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.4'
+        version: '1.5'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.4'
+        version: '1.5'
 - !ruby/object:Gem::Dependency
   name: mysql2
   requirement: !ruby/object:Gem::Requirement
@@ -198,14 +198,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.52'
+        version: '1.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.52'
+        version: '1.0'
 - !ruby/object:Gem::Dependency
   name: timecop
   requirement: !ruby/object:Gem::Requirement
@@ -436,14 +436,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 1.9.1
+        version: 1.9.2
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 1.9.1
+        version: 1.9.2
 - !ruby/object:Gem::Dependency
   name: dry-struct
   requirement: !ruby/object:Gem::Requirement
@@ -464,14 +464,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 1.8.0
+        version: 1.8.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 1.8.0
+        version: 1.8.1
 - !ruby/object:Gem::Dependency
   name: email_address
   requirement: !ruby/object:Gem::Requirement
@@ -682,20 +682,6 @@ dependencies:
     - - '='
       - !ruby/object:Gem::Version
         version: 2.0.0
-- !ruby/object:Gem::Dependency
-  name: otx_ruby
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - '='
-      - !ruby/object:Gem::Version
-        version: 0.9.9
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - '='
-      - !ruby/object:Gem::Version
-        version: 0.9.9
 - !ruby/object:Gem::Dependency
   name: parallel
   requirement: !ruby/object:Gem::Requirement
@@ -800,14 +786,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 2.2.3
+        version: 2.2.3.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 2.2.3
+        version: 2.2.3.1
 - !ruby/object:Gem::Dependency
   name: rack-contrib
   requirement: !ruby/object:Gem::Requirement
@@ -870,14 +856,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 5.3.0
+        version: 5.3.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 5.3.0
+        version: 5.3.1
 - !ruby/object:Gem::Dependency
   name: shodanx
   requirement: !ruby/object:Gem::Requirement
@@ -926,14 +912,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 1.4.2
+        version: 1.4.4
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 1.4.2
+        version: 1.4.4
 - !ruby/object:Gem::Dependency
   name: thor
   requirement: !ruby/object:Gem::Requirement
@@ -1074,6 +1060,7 @@ files:
 - lib/mihari/analyzers/binaryedge.rb
 - lib/mihari/analyzers/censys.rb
 - lib/mihari/analyzers/circl.rb
+- lib/mihari/analyzers/clients/otx.rb
 - lib/mihari/analyzers/crtsh.rb
 - lib/mihari/analyzers/dnpedia.rb
 - lib/mihari/analyzers/dnstwister.rb
@@ -1110,8 +1097,10 @@ files:
 - lib/mihari/emitters/the_hive.rb
 - lib/mihari/emitters/webhook.rb
 - lib/mihari/enrichers/base.rb
+- lib/mihari/enrichers/google_public_dns.rb
 - lib/mihari/enrichers/ipinfo.rb
 - lib/mihari/enrichers/shodan.rb
+- lib/mihari/enrichers/whois.rb
 - lib/mihari/entities/alert.rb
 - lib/mihari/entities/artifact.rb
 - lib/mihari/entities/autonomous_system.rb
@@ -1153,11 +1142,13 @@ files:
 - lib/mihari/models/whois.rb
 - lib/mihari/schemas/analyzer.rb
 - lib/mihari/schemas/emitter.rb
+- lib/mihari/schemas/enricher.rb
 - lib/mihari/schemas/macros.rb
 - lib/mihari/schemas/rule.rb
 - lib/mihari/status.rb
 - lib/mihari/structs/alert.rb
 - lib/mihari/structs/censys.rb
+- lib/mihari/structs/google_public_dns.rb
 - lib/mihari/structs/greynoise.rb
 - lib/mihari/structs/ipinfo.rb
 - lib/mihari/structs/onyphe.rb
@@ -1243,6 +1234,7 @@ files:
 - sig/lib/mihari/emitters/the_hive.rbs
 - sig/lib/mihari/emitters/webhook.rbs
 - sig/lib/mihari/enrichers/base.rbs
+- sig/lib/mihari/enrichers/google_public_dns.rbs
 - sig/lib/mihari/enrichers/ipinfo.rbs
 - sig/lib/mihari/errors.rbs
 - sig/lib/mihari/feed/parser.rbs
@@ -1272,6 +1264,7 @@ files:
 - sig/lib/mihari/status.rbs
 - sig/lib/mihari/structs/alert.rbs
 - sig/lib/mihari/structs/censys.rbs
+- sig/lib/mihari/structs/google_public_dns.rbs
 - sig/lib/mihari/structs/greynoise.rbs
 - sig/lib/mihari/structs/ipinfo.rbs
 - sig/lib/mihari/structs/onyphe.rbs