mihari 4.8.0 → 4.9.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/README.md +0 -1
- data/lib/mihari/analyzers/rule.rb +0 -1
- data/lib/mihari/commands/search.rb +8 -2
- data/lib/mihari/schemas/analyzer.rb +0 -7
- data/lib/mihari/schemas/rule.rb +4 -4
- data/lib/mihari/version.rb +1 -1
- data/lib/mihari.rb +0 -1
- data/mihari.gemspec +6 -6
- metadata +14 -15
- data/lib/mihari/analyzers/spyse.rb +0 -93
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 85756e55047ef3bde95c50c1ac3c474adbd29828bf1f95618f3aac85638a1752
|
|
4
|
+
data.tar.gz: babe64cf74a96f659057b06ac3b5864b6faa2c3ec9b7e3f0f9b57bce7dd635a8
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 5c15c65a8952c1fbcf695feba8add8a7fc962eaac9ca426a18dd510663573dc9fe6b27472ca0edcd1ff9fb86b68a49ce8c459e3a7d90eabe9dbbe1e4506181d8
|
|
7
|
+
data.tar.gz: aceb04f0f6e78af7f0df2293d78a4d4d20bcf1827e70d45e3f425e38b128c5f9194dbdac608b29b44852af77b626ccbdd03583e7170d5330a2b584c7cbdca55b
|
data/README.md
CHANGED
|
@@ -44,7 +44,6 @@ Mihari supports the following services by default.
|
|
|
44
44
|
- [Pulsedive](https://pulsedive.com/)
|
|
45
45
|
- [SecurityTrails](https://securitytrails.com/)
|
|
46
46
|
- [Shodan](https://shodan.io)
|
|
47
|
-
- [Spyse](https://spyse.com)
|
|
48
47
|
- [urlscan.io](https://urlscan.io)
|
|
49
48
|
- [VirusTotal](http://virustotal.com) & [VirusTotal Intelligence](https://www.virustotal.com/gui/intelligence-overview)
|
|
50
49
|
- [ZoomEye](https://zoomeye.org)
|
|
@@ -14,7 +14,11 @@ module Mihari
|
|
|
14
14
|
rule = Structs::Rule.from_path_or_id path_or_id
|
|
15
15
|
|
|
16
16
|
# validate
|
|
17
|
-
|
|
17
|
+
begin
|
|
18
|
+
rule.validate!
|
|
19
|
+
rescue RuleValidationError
|
|
20
|
+
return
|
|
21
|
+
end
|
|
18
22
|
|
|
19
23
|
# check update
|
|
20
24
|
id = rule.id
|
|
@@ -23,7 +27,9 @@ module Mihari
|
|
|
23
27
|
with_db_connection do
|
|
24
28
|
rule_ = Mihari::Rule.find(id)
|
|
25
29
|
next if rule.yaml == rule_.yaml
|
|
26
|
-
|
|
30
|
+
unless yes?("This operation will overwrite the rule in the database (Rule ID: #{id}). Are you sure you want to update the rule? (yes/no)")
|
|
31
|
+
return
|
|
32
|
+
end
|
|
27
33
|
rescue ActiveRecord::RecordNotFound
|
|
28
34
|
next
|
|
29
35
|
end
|
|
@@ -58,13 +58,6 @@ module Mihari
|
|
|
58
58
|
optional(:options).hash(AnalyzerOptions)
|
|
59
59
|
end
|
|
60
60
|
|
|
61
|
-
Spyse = Dry::Schema.Params do
|
|
62
|
-
required(:analyzer).value(Types::String.enum("spyse"))
|
|
63
|
-
required(:query).value(:string)
|
|
64
|
-
required(:type).value(Types::String.enum("ip", "domain"))
|
|
65
|
-
optional(:options).hash(AnalyzerOptions)
|
|
66
|
-
end
|
|
67
|
-
|
|
68
61
|
ZoomEye = Dry::Schema.Params do
|
|
69
62
|
required(:analyzer).value(Types::String.enum("zoomeye"))
|
|
70
63
|
required(:query).value(:string)
|
data/lib/mihari/schemas/rule.rb
CHANGED
|
@@ -22,7 +22,9 @@ module Mihari
|
|
|
22
22
|
optional(:created_on).value(:date)
|
|
23
23
|
optional(:updated_on).value(:date)
|
|
24
24
|
|
|
25
|
-
required(:queries).value(:array).each
|
|
25
|
+
required(:queries).value(:array).each do
|
|
26
|
+
AnalyzerWithoutAPIKey | AnalyzerWithAPIKey | Censys | CIRCL | PassiveTotal | ZoomEye | Urlscan | Crtsh | Feed
|
|
27
|
+
end
|
|
26
28
|
|
|
27
29
|
optional(:emitters).value(:array).each { Emitter | MISP | TheHive | Slack | HTTP }
|
|
28
30
|
|
|
@@ -57,9 +59,7 @@ module Mihari
|
|
|
57
59
|
|
|
58
60
|
rule(:disallowed_data_values) do
|
|
59
61
|
value.each do |v|
|
|
60
|
-
unless valid_disallowed_data_value?(v)
|
|
61
|
-
key.failure("#{v} is not a valid format.")
|
|
62
|
-
end
|
|
62
|
+
key.failure("#{v} is not a valid format.") unless valid_disallowed_data_value?(v)
|
|
63
63
|
end
|
|
64
64
|
end
|
|
65
65
|
end
|
data/lib/mihari/version.rb
CHANGED
data/lib/mihari.rb
CHANGED
|
@@ -235,7 +235,6 @@ require "mihari/analyzers/passivetotal"
|
|
|
235
235
|
require "mihari/analyzers/pulsedive"
|
|
236
236
|
require "mihari/analyzers/securitytrails"
|
|
237
237
|
require "mihari/analyzers/shodan"
|
|
238
|
-
require "mihari/analyzers/spyse"
|
|
239
238
|
require "mihari/analyzers/urlscan"
|
|
240
239
|
require "mihari/analyzers/virustotal_intelligence"
|
|
241
240
|
require "mihari/analyzers/virustotal"
|
data/mihari.gemspec
CHANGED
|
@@ -45,7 +45,7 @@ Gem::Specification.new do |spec|
|
|
|
45
45
|
spec.add_development_dependency "vcr", "~> 6.1"
|
|
46
46
|
spec.add_development_dependency "webmock", "~> 3.18"
|
|
47
47
|
|
|
48
|
-
spec.add_dependency "activerecord", "7.0.
|
|
48
|
+
spec.add_dependency "activerecord", "7.0.4"
|
|
49
49
|
spec.add_dependency "addressable", "2.8.1"
|
|
50
50
|
spec.add_dependency "awrence", "2.0.1"
|
|
51
51
|
spec.add_dependency "binaryedge", "0.1.0"
|
|
@@ -55,10 +55,10 @@ Gem::Specification.new do |spec|
|
|
|
55
55
|
spec.add_dependency "dnstwister", "0.1.0"
|
|
56
56
|
spec.add_dependency "dotenv", "2.8.1"
|
|
57
57
|
spec.add_dependency "dry-configurable", "0.15.0"
|
|
58
|
-
spec.add_dependency "dry-container", "0.
|
|
59
|
-
spec.add_dependency "dry-files", "0.
|
|
58
|
+
spec.add_dependency "dry-container", "0.11.0"
|
|
59
|
+
spec.add_dependency "dry-files", "0.3.0"
|
|
60
60
|
spec.add_dependency "dry-initializer", "3.1.1"
|
|
61
|
-
spec.add_dependency "dry-schema", "1.10.
|
|
61
|
+
spec.add_dependency "dry-schema", "1.10.5"
|
|
62
62
|
spec.add_dependency "dry-struct", "1.4.0"
|
|
63
63
|
spec.add_dependency "dry-validation", "1.8.1"
|
|
64
64
|
spec.add_dependency "email_address", "0.2.4"
|
|
@@ -92,12 +92,12 @@ Gem::Specification.new do |spec|
|
|
|
92
92
|
spec.add_dependency "shodanx", "0.2.1"
|
|
93
93
|
spec.add_dependency "slack-notifier", "2.4.0"
|
|
94
94
|
spec.add_dependency "spysex", "0.2.0"
|
|
95
|
-
spec.add_dependency "sqlite3", "1.
|
|
95
|
+
spec.add_dependency "sqlite3", "1.5.0"
|
|
96
96
|
spec.add_dependency "thor", "1.2.1"
|
|
97
97
|
spec.add_dependency "urlscan", "0.8.0"
|
|
98
98
|
spec.add_dependency "uuidtools", "2.2.0"
|
|
99
99
|
spec.add_dependency "virustotalx", "1.2.0"
|
|
100
100
|
spec.add_dependency "whois", "5.1.0"
|
|
101
|
-
spec.add_dependency "whois-parser", "
|
|
101
|
+
spec.add_dependency "whois-parser", "2.0.0"
|
|
102
102
|
spec.add_dependency "zoomeye-rb", "0.2.0"
|
|
103
103
|
end
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: mihari
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 4.
|
|
4
|
+
version: 4.9.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Manabu Niseki
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: exe
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2022-
|
|
11
|
+
date: 2022-10-01 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: bundler
|
|
@@ -254,14 +254,14 @@ dependencies:
|
|
|
254
254
|
requirements:
|
|
255
255
|
- - '='
|
|
256
256
|
- !ruby/object:Gem::Version
|
|
257
|
-
version: 7.0.
|
|
257
|
+
version: 7.0.4
|
|
258
258
|
type: :runtime
|
|
259
259
|
prerelease: false
|
|
260
260
|
version_requirements: !ruby/object:Gem::Requirement
|
|
261
261
|
requirements:
|
|
262
262
|
- - '='
|
|
263
263
|
- !ruby/object:Gem::Version
|
|
264
|
-
version: 7.0.
|
|
264
|
+
version: 7.0.4
|
|
265
265
|
- !ruby/object:Gem::Dependency
|
|
266
266
|
name: addressable
|
|
267
267
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -394,28 +394,28 @@ dependencies:
|
|
|
394
394
|
requirements:
|
|
395
395
|
- - '='
|
|
396
396
|
- !ruby/object:Gem::Version
|
|
397
|
-
version: 0.
|
|
397
|
+
version: 0.11.0
|
|
398
398
|
type: :runtime
|
|
399
399
|
prerelease: false
|
|
400
400
|
version_requirements: !ruby/object:Gem::Requirement
|
|
401
401
|
requirements:
|
|
402
402
|
- - '='
|
|
403
403
|
- !ruby/object:Gem::Version
|
|
404
|
-
version: 0.
|
|
404
|
+
version: 0.11.0
|
|
405
405
|
- !ruby/object:Gem::Dependency
|
|
406
406
|
name: dry-files
|
|
407
407
|
requirement: !ruby/object:Gem::Requirement
|
|
408
408
|
requirements:
|
|
409
409
|
- - '='
|
|
410
410
|
- !ruby/object:Gem::Version
|
|
411
|
-
version: 0.
|
|
411
|
+
version: 0.3.0
|
|
412
412
|
type: :runtime
|
|
413
413
|
prerelease: false
|
|
414
414
|
version_requirements: !ruby/object:Gem::Requirement
|
|
415
415
|
requirements:
|
|
416
416
|
- - '='
|
|
417
417
|
- !ruby/object:Gem::Version
|
|
418
|
-
version: 0.
|
|
418
|
+
version: 0.3.0
|
|
419
419
|
- !ruby/object:Gem::Dependency
|
|
420
420
|
name: dry-initializer
|
|
421
421
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -436,14 +436,14 @@ dependencies:
|
|
|
436
436
|
requirements:
|
|
437
437
|
- - '='
|
|
438
438
|
- !ruby/object:Gem::Version
|
|
439
|
-
version: 1.10.
|
|
439
|
+
version: 1.10.5
|
|
440
440
|
type: :runtime
|
|
441
441
|
prerelease: false
|
|
442
442
|
version_requirements: !ruby/object:Gem::Requirement
|
|
443
443
|
requirements:
|
|
444
444
|
- - '='
|
|
445
445
|
- !ruby/object:Gem::Version
|
|
446
|
-
version: 1.10.
|
|
446
|
+
version: 1.10.5
|
|
447
447
|
- !ruby/object:Gem::Dependency
|
|
448
448
|
name: dry-struct
|
|
449
449
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -912,14 +912,14 @@ dependencies:
|
|
|
912
912
|
requirements:
|
|
913
913
|
- - '='
|
|
914
914
|
- !ruby/object:Gem::Version
|
|
915
|
-
version: 1.
|
|
915
|
+
version: 1.5.0
|
|
916
916
|
type: :runtime
|
|
917
917
|
prerelease: false
|
|
918
918
|
version_requirements: !ruby/object:Gem::Requirement
|
|
919
919
|
requirements:
|
|
920
920
|
- - '='
|
|
921
921
|
- !ruby/object:Gem::Version
|
|
922
|
-
version: 1.
|
|
922
|
+
version: 1.5.0
|
|
923
923
|
- !ruby/object:Gem::Dependency
|
|
924
924
|
name: thor
|
|
925
925
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -996,14 +996,14 @@ dependencies:
|
|
|
996
996
|
requirements:
|
|
997
997
|
- - '='
|
|
998
998
|
- !ruby/object:Gem::Version
|
|
999
|
-
version:
|
|
999
|
+
version: 2.0.0
|
|
1000
1000
|
type: :runtime
|
|
1001
1001
|
prerelease: false
|
|
1002
1002
|
version_requirements: !ruby/object:Gem::Requirement
|
|
1003
1003
|
requirements:
|
|
1004
1004
|
- - '='
|
|
1005
1005
|
- !ruby/object:Gem::Version
|
|
1006
|
-
version:
|
|
1006
|
+
version: 2.0.0
|
|
1007
1007
|
- !ruby/object:Gem::Dependency
|
|
1008
1008
|
name: zoomeye-rb
|
|
1009
1009
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -1074,7 +1074,6 @@ files:
|
|
|
1074
1074
|
- lib/mihari/analyzers/rule.rb
|
|
1075
1075
|
- lib/mihari/analyzers/securitytrails.rb
|
|
1076
1076
|
- lib/mihari/analyzers/shodan.rb
|
|
1077
|
-
- lib/mihari/analyzers/spyse.rb
|
|
1078
1077
|
- lib/mihari/analyzers/urlscan.rb
|
|
1079
1078
|
- lib/mihari/analyzers/virustotal.rb
|
|
1080
1079
|
- lib/mihari/analyzers/virustotal_intelligence.rb
|
|
@@ -1,93 +0,0 @@
|
|
|
1
|
-
# frozen_string_literal: true
|
|
2
|
-
|
|
3
|
-
require "spyse"
|
|
4
|
-
|
|
5
|
-
module Mihari
|
|
6
|
-
module Analyzers
|
|
7
|
-
class Spyse < Base
|
|
8
|
-
param :query
|
|
9
|
-
|
|
10
|
-
option :type, default: proc { "domain" }
|
|
11
|
-
|
|
12
|
-
# @return [String, nil]
|
|
13
|
-
attr_reader :api_key
|
|
14
|
-
|
|
15
|
-
def initialize(*args, **kwargs)
|
|
16
|
-
super(*args, **kwargs)
|
|
17
|
-
|
|
18
|
-
@api_key = kwargs[:api_key] || Mihari.config.spyse_api_key
|
|
19
|
-
end
|
|
20
|
-
|
|
21
|
-
def artifacts
|
|
22
|
-
search || []
|
|
23
|
-
end
|
|
24
|
-
|
|
25
|
-
private
|
|
26
|
-
|
|
27
|
-
def search_params
|
|
28
|
-
@search_params ||= JSON.parse(query)
|
|
29
|
-
end
|
|
30
|
-
|
|
31
|
-
def configuration_keys
|
|
32
|
-
%w[spyse_api_key]
|
|
33
|
-
end
|
|
34
|
-
|
|
35
|
-
def api
|
|
36
|
-
@api ||= ::Spyse::API.new(api_key)
|
|
37
|
-
end
|
|
38
|
-
|
|
39
|
-
#
|
|
40
|
-
# Check whether a type is valid or not
|
|
41
|
-
#
|
|
42
|
-
# @return [Boolean]
|
|
43
|
-
#
|
|
44
|
-
def valid_type?
|
|
45
|
-
%w[ip domain cert].include? type
|
|
46
|
-
end
|
|
47
|
-
|
|
48
|
-
#
|
|
49
|
-
# Domain search
|
|
50
|
-
#
|
|
51
|
-
# @return [Array<Mihari::Artifact>]
|
|
52
|
-
#
|
|
53
|
-
def domain_search
|
|
54
|
-
res = api.domain.search(search_params, limit: 100)
|
|
55
|
-
items = res.dig("data", "items") || []
|
|
56
|
-
items.map do |item|
|
|
57
|
-
data = item["name"]
|
|
58
|
-
Artifact.new(data: data, source: source, metadata: item)
|
|
59
|
-
end
|
|
60
|
-
end
|
|
61
|
-
|
|
62
|
-
#
|
|
63
|
-
# IP search
|
|
64
|
-
#
|
|
65
|
-
# @return [Array<Mihari::Artifact>]
|
|
66
|
-
#
|
|
67
|
-
def ip_search
|
|
68
|
-
res = api.ip.search(search_params, limit: 100)
|
|
69
|
-
items = res.dig("data", "items") || []
|
|
70
|
-
items.map do |item|
|
|
71
|
-
data = item["ip"]
|
|
72
|
-
Artifact.new(data: data, source: source, metadata: item)
|
|
73
|
-
end
|
|
74
|
-
end
|
|
75
|
-
|
|
76
|
-
#
|
|
77
|
-
# IP/domain search
|
|
78
|
-
#
|
|
79
|
-
# @return [Array<Mihari::Artifact>]
|
|
80
|
-
#
|
|
81
|
-
def search
|
|
82
|
-
case type
|
|
83
|
-
when "domain"
|
|
84
|
-
domain_search
|
|
85
|
-
when "ip"
|
|
86
|
-
ip_search
|
|
87
|
-
else
|
|
88
|
-
raise InvalidInputError, "#{query}(type: #{type || "unknown"}) is not supported." unless valid_type?
|
|
89
|
-
end
|
|
90
|
-
end
|
|
91
|
-
end
|
|
92
|
-
end
|
|
93
|
-
end
|