RubyGems - mihari - Versions diffs - 5.1.1 → 5.1.3 - Mend

mihari 5.1.1 → 5.1.3

Files changed (57) hide show

checksums.yaml +4 -4
data/.gitmodules +0 -3
data/.rubocop.yml +6 -0
data/README.md +0 -1
data/lib/mihari/analyzers/base.rb +32 -27
data/lib/mihari/analyzers/binaryedge.rb +8 -2
data/lib/mihari/analyzers/censys.rb +10 -61
data/lib/mihari/analyzers/circl.rb +13 -19
data/lib/mihari/analyzers/crtsh.rb +6 -0
data/lib/mihari/analyzers/dnstwister.rb +12 -19
data/lib/mihari/analyzers/feed.rb +21 -0
data/lib/mihari/analyzers/greynoise.rb +5 -28
data/lib/mihari/analyzers/onyphe.rb +8 -33
data/lib/mihari/analyzers/otx.rb +11 -17
data/lib/mihari/analyzers/passivetotal.rb +13 -19
data/lib/mihari/analyzers/pulsedive.rb +3 -1
data/lib/mihari/analyzers/rule.rb +0 -1
data/lib/mihari/analyzers/securitytrails.rb +18 -29
data/lib/mihari/analyzers/shodan.rb +13 -92
data/lib/mihari/analyzers/urlscan.rb +12 -4
data/lib/mihari/analyzers/virustotal.rb +4 -0
data/lib/mihari/analyzers/virustotal_intelligence.rb +9 -6
data/lib/mihari/analyzers/zoomeye.rb +9 -0
data/lib/mihari/clients/binaryedge.rb +5 -0
data/lib/mihari/clients/censys.rb +4 -4
data/lib/mihari/clients/circl.rb +3 -3
data/lib/mihari/clients/greynoise.rb +6 -1
data/lib/mihari/clients/misp.rb +8 -1
data/lib/mihari/clients/onyphe.rb +13 -1
data/lib/mihari/clients/otx.rb +20 -0
data/lib/mihari/clients/passivetotal.rb +6 -2
data/lib/mihari/clients/publsedive.rb +18 -1
data/lib/mihari/clients/securitytrails.rb +94 -0
data/lib/mihari/clients/shodan.rb +14 -3
data/lib/mihari/clients/the_hive.rb +6 -1
data/lib/mihari/clients/urlscan.rb +3 -1
data/lib/mihari/clients/virustotal.rb +9 -3
data/lib/mihari/clients/zoomeye.rb +7 -1
data/lib/mihari/commands/database.rb +1 -6
data/lib/mihari/commands/searcher.rb +1 -2
data/lib/mihari/database.rb +9 -0
data/lib/mihari/http.rb +14 -18
data/lib/mihari/structs/censys.rb +62 -0
data/lib/mihari/structs/greynoise.rb +43 -0
data/lib/mihari/structs/onyphe.rb +45 -0
data/lib/mihari/structs/shodan.rb +83 -0
data/lib/mihari/version.rb +1 -1
data/lib/mihari/web/middleware/connection_adapter.rb +1 -3
data/lib/mihari/web/public/assets/{index-63900d73.js → index-7d0fb8c4.js} +2 -2
data/lib/mihari/web/public/index.html +1 -1
data/lib/mihari/web/public/redoc-static.html +2 -2
data/lib/mihari.rb +1 -3
data/mihari.gemspec +2 -3
metadata +8 -24
data/lib/mihari/analyzers/dnpedia.rb +0 -33
data/lib/mihari/clients/dnpedia.rb +0 -64
data/lib/mihari/mixins/database.rb +0 -16

data/lib/mihari/analyzers/securitytrails.rb CHANGED Viewed

@@ -1,7 +1,5 @@
 # frozen_string_literal: true
-require "securitytrails"
 module Mihari
   module Analyzers
     class SecurityTrails < Base
@@ -15,6 +13,9 @@ module Mihari
       # @return [String, nil]
       attr_reader :api_key
+      # @return [String]
+      attr_reader :query
       def initialize(*args, **kwargs)
         super
@@ -25,7 +26,16 @@ module Mihari
       end
       def artifacts
-        search || []
+        case type
+        when "domain"
+          domain_search
+        when "ip"
+          ip_search
+        when "mail"
+          mail_search
+        else
+          raise InvalidInputError, "#{query}(type: #{type || "unknown"}) is not supported." unless valid_type?
+        end
       end
       private
@@ -34,8 +44,8 @@ module Mihari
         %w[securitytrails_api_key]
       end
-      def api
-        @api ||= ::SecurityTrails::API.new(api_key)
+      def client
+        @client ||= Clients::SecurityTrails.new(api_key: api_key)
       end
       #
@@ -47,32 +57,13 @@ module Mihari
         %w[ip domain mail].include? type
       end
-      #
-      # IP/domain/mail search
-      #
-      # @return [Array<String>, Array<Mihari::Artifact>]
-      #
-      def search
-        case type
-        when "domain"
-          domain_search
-        when "ip"
-          ip_search
-        when "mail"
-          mail_search
-        else
-          raise InvalidInputError, "#{query}(type: #{type || "unknown"}) is not supported." unless valid_type?
-        end
-      end
       #
       # Domain search
       #
       # @return [Array<String>]
       #
       def domain_search
-        result = api.history.get_all_dns_history(query, type: "a")
-        records = result["records"] || []
+        records = client.get_all_dns_history(query, type: "a")
         records.map do |record|
           (record["values"] || []).map { |value| value["ip"] }
         end.flatten.compact.uniq
@@ -84,8 +75,7 @@ module Mihari
       # @return [Array<Mihari::Artifact>]
       #
       def ip_search
-        result = api.domains.search(filter: { ipv4: query })
-        records = result["records"] || []
+        records = client.search_by_ip(query)
         records.filter_map do |record|
           data = record["hostname"]
           Artifact.new(data: data, source: source, metadata: record)
@@ -98,8 +88,7 @@ module Mihari
       # @return [Array<String>]
       #
       def mail_search
-        result = api.domains.search(filter: { whois_email: query })
-        records = result["records"] || []
+        records = client.search_by_mail(query)
         records.filter_map do |record|
           data = record["hostname"]
           Artifact.new(data: data, source: source, metadata: record)

data/lib/mihari/analyzers/shodan.rb CHANGED Viewed

@@ -10,6 +10,12 @@ module Mihari
       # @return [String, nil]
       attr_reader :api_key
+      # @return [Integer]
+      attr_reader :interval
+      # @return [String]
+      attr_reader :query
       def initialize(*args, **kwargs)
         super(*args, **kwargs)
@@ -18,13 +24,9 @@ module Mihari
       def artifacts
         results = search
-        return [] unless results || results.empty?
-        results = results.map { |result| Structs::Shodan::Result.from_dynamic!(result) }
-        matches = results.map { |result| result.matches || [] }.flatten
+        return [] if results.empty?
-        uniq_matches = matches.uniq(&:ip_str)
-        uniq_matches.map { |match| build_artifact(match, matches) }
+        results.map { |result| result.to_artifacts(source) }.flatten.uniq(&:data)
       end
       private
@@ -42,29 +44,25 @@ module Mihari
       #
       # Search with pagination
       #
-      # @param [String] query
       # @param [Integer] page
       #
-      # @return [Hash]
+      # @return [Structs::Shodan::Result]
       #
-      def search_with_page(query, page: 1)
+      def search_with_page(page: 1)
         client.search(query, page: page)
       end
       #
       # Search
       #
-      # @return [Array<Hash>]
+      # @return [Array<Structs::Shodan::Result>]
       #
       def search
         responses = []
         (1..Float::INFINITY).each do |page|
-          res = search_with_page(query, page: page)
-          break unless res
+          res = search_with_page(page: page)
           responses << res
-          break if res["total"].to_i <= page * PAGE_SIZE
+          break if res.total <= page * PAGE_SIZE
           # sleep #{interval} seconds to avoid the rate limitation (if it is set)
           sleep interval
@@ -75,83 +73,6 @@ module Mihari
         end
         responses
       end
-      #
-      # Collect metadata from matches
-      #
-      # @param [Array<Structs::Shodan::Match>] matches
-      # @param [String] ip
-      #
-      # @return [Array<Hash>]
-      #
-      def collect_metadata_by_ip(matches, ip)
-        matches.select { |match| match.ip_str == ip }.map(&:metadata)
-      end
-      #
-      # Collect ports from matches
-      #
-      # @param [Array<Structs::Shodan::Match>] matches
-      # @param [String] ip
-      #
-      # @return [Array<String>]
-      #
-      def collect_ports_by_ip(matches, ip)
-        matches.select { |match| match.ip_str == ip }.map(&:port)
-      end
-      #
-      # Collect hostnames from matches
-      #
-      # @param [Array<Structs::Shodan::Match>] matches
-      # @param [String] ip
-      #
-      # @return [Array<String>]
-      #
-      def collect_hostnames_by_ip(matches, ip)
-        matches.select { |match| match.ip_str == ip }.map(&:hostnames).flatten.uniq
-      end
-      #
-      # Build an artifact from a Shodan search API response
-      #
-      # @param [Structs::Shodan::Match] match
-      # @param [Array<Structs::Shodan::Match>] matches
-      #
-      # @return [Artifact]
-      #
-      def build_artifact(match, matches)
-        as = nil
-        as = AutonomousSystem.new(asn: normalize_asn(match.asn)) unless match.asn.nil?
-        geolocation = nil
-        if !match.location.country_name.nil? && !match.location.country_code.nil?
-          geolocation = Geolocation.new(
-            country: match.location.country_name,
-            country_code: match.location.country_code
-          )
-        end
-        metadata = collect_metadata_by_ip(matches, match.ip_str)
-        ports = collect_ports_by_ip(matches, match.ip_str).map do |port|
-          Port.new(port: port)
-        end
-        reverse_dns_names = collect_hostnames_by_ip(matches, match.ip_str).map do |name|
-          ReverseDnsName.new(name: name)
-        end
-        Artifact.new(
-          data: match.ip_str,
-          source: source,
-          metadata: metadata,
-          autonomous_system: as,
-          geolocation: geolocation,
-          ports: ports,
-          reverse_dns_names: reverse_dns_names
-        )
-      end
     end
   end
 end

data/lib/mihari/analyzers/urlscan.rb CHANGED Viewed

@@ -15,12 +15,20 @@ module Mihari
       # @return [String, nil]
       attr_reader :api_key
+      # @return [String]
+      attr_reader :query
+      # @return [Integer]
+      attr_reader :interval
+      # @return [String]
+      attr_reader :allowed_data_types
       def initialize(*args, **kwargs)
         super
-        unless valid_alllowed_data_types?
-          raise InvalidInputError,
-            "allowed_data_types should be any of url, domain and ip."
+        unless valid_allowed_data_types?
+          raise InvalidInputError, "allowed_data_types should be any of url, domain and ip."
         end
         @api_key = kwargs[:api_key] || Mihari.config.urlscan_api_key
@@ -88,7 +96,7 @@ module Mihari
       #
       # @return [Boolean]
       #
-      def valid_alllowed_data_types?
+      def valid_allowed_data_types?
         allowed_data_types.all? { |type| SUPPORTED_DATA_TYPES.include? type }
       end
     end

data/lib/mihari/analyzers/virustotal.rb CHANGED Viewed

@@ -7,11 +7,15 @@ module Mihari
       param :query
+      # @return [String]
       attr_reader :type
       # @return [String, nil]
       attr_reader :api_key
+      # @return [String]
+      attr_reader :query
       def initialize(*args, **kwargs)
         super(*args, **kwargs)

data/lib/mihari/analyzers/virustotal_intelligence.rb CHANGED Viewed

@@ -10,6 +10,12 @@ module Mihari
       # @return [String, nil]
       attr_reader :api_key
+      # @return [String]
+      attr_reader :query
+      # @return [Integer]
+      attr_reader :interval
       def initialize(*args, **kwargs)
         super
@@ -19,7 +25,7 @@ module Mihari
       end
       def artifacts
-        responses = search_witgh_cursor
+        responses = search_with_cursor
         responses.map do |response|
           response.data.map do |datum|
             Artifact.new(data: datum.value, source: source, metadata: datum.metadata)
@@ -47,19 +53,16 @@ module Mihari
       #
       # @return [Array<Structs::VirusTotalIntelligence::Response>]
       #
-      def search_witgh_cursor
+      def search_with_cursor
         cursor = nil
         responses = []
         loop do
-          response = Structs::VirusTotalIntelligence::Response.from_dynamic!(client.intel_search(query,
-            cursor: cursor))
+          response = Structs::VirusTotalIntelligence::Response.from_dynamic!(client.intel_search(query, cursor: cursor))
           responses << response
           break if response.meta.cursor.nil?
           cursor = response.meta.cursor
           # sleep #{interval} seconds to avoid the rate limitation (if it is set)
           sleep interval
         end

data/lib/mihari/analyzers/zoomeye.rb CHANGED Viewed

@@ -12,6 +12,15 @@ module Mihari
       # @return [String, nil]
       attr_reader :api_key
+      # @return [String]
+      attr_reader :query
+      # @return [String]
+      attr_reader :type
+      # @return [Integer]
+      attr_reader :interval
       def initialize(*args, **kwargs)
         super(*args, **kwargs)

data/lib/mihari/clients/binaryedge.rb CHANGED Viewed

@@ -3,6 +3,11 @@
 module Mihari
   module Clients
     class BinaryEdge < Base
+      #
+      # @param [String] base_url
+      # @param [String, nil] api_key
+      # @param [Hash] headers
+      #
       def initialize(base_url = "https://api.binaryedge.io/v2", api_key:, headers: {})
         raise(ArgumentError, "'api_key' argument is required") unless api_key

data/lib/mihari/clients/censys.rb CHANGED Viewed

@@ -7,8 +7,8 @@ module Mihari
     class Censys < Base
       #
       # @param [String] base_url
-      # @param [String] id
-      # @param [String] secret
+      # @param [String, nil] id
+      # @param [String, nil] secret
       # @param [Hash] headers
       #
       def initialize(base_url = "https://search.censys.io", id:, secret:, headers: {})
@@ -30,12 +30,12 @@ module Mihari
       # @params [Integer, nil] per_page the number of results to be returned for each page.
       # @params [Integer, nil] cursor the cursor of the desired result set.
       #
-      # @return [Hash]
+      # @return [Structs::Censys::Response]
       #
       def search(query, per_page: nil, cursor: nil)
         params = { q: query, per_page: per_page, cursor: cursor }.compact
         res = get("/api/v2/hosts/search", params: params)
-        JSON.parse(res.body.to_s)
+        Structs::Censys::Response.from_dynamic! JSON.parse(res.body.to_s)
       end
     end
   end

data/lib/mihari/clients/circl.rb CHANGED Viewed

@@ -7,8 +7,8 @@ module Mihari
     class CIRCL < Base
       #
       # @param [String] base_url
-      # @param [String] username
-      # @param [String] password
+      # @param [String, nil] username
+      # @param [String, nil] password
       # @param [Hash] headers
       #
       def initialize(base_url = "https://www.circl.lu", username:, password:, headers: {})
@@ -43,7 +43,7 @@ module Mihari
       #
       #
       # @param [String] path
-      # @param [Array<Hash>] params
+      # @param [Hash] params
       #
       def _get(path, params: {})
         res = get(path, params: params)

data/lib/mihari/clients/greynoise.rb CHANGED Viewed

@@ -3,6 +3,11 @@
 module Mihari
   module Clients
     class GreyNoise < Base
+      #
+      # @param [String] base_url
+      # @param [String, nil] api_key
+      # @param [Hash] headers
+      #
       def initialize(base_url = "https://api.greynoise.io", api_key:, headers: {})
         raise(ArgumentError, "'api_key' argument is required") unless api_key
@@ -22,7 +27,7 @@ module Mihari
       def gnql_search(query, size: nil, scroll: nil)
         params = { query: query, size: size, scroll: scroll }.compact
         res = get("/v2/experimental/gnql", params: params)
-        JSON.parse res.body.to_s
+        Structs::GreyNoise::Response.from_dynamic! JSON.parse(res.body.to_s)
       end
     end
   end

data/lib/mihari/clients/misp.rb CHANGED Viewed

@@ -5,16 +5,23 @@ module Mihari
     class MISP < Base
       #
       # @param [String] base_url
-      # @param [String] api_key
+      # @param [String, nil] api_key
       # @param [Hash] headers
       #
       def initialize(base_url, api_key:, headers: {})
         raise(ArgumentError, "'api_key' argument is required") unless api_key
         headers["authorization"] = api_key
+        headers["accept"] = "application/json"
         super(base_url, headers: headers)
       end
+      #
+      # @param [Hash] payload
+      #
+      # @return [Hash]
+      #
       def create_event(payload)
         res = post("/events/add", json: payload)
         JSON.parse(res.body.to_s)

data/lib/mihari/clients/onyphe.rb CHANGED Viewed

@@ -3,8 +3,14 @@
 module Mihari
   module Clients
     class Onyphe < Base
+      # @return [String]
       attr_reader :api_key
+      #
+      # @param [String] base_url
+      # @param [String, nil] api_key
+      # @param [Hash] headers
+      #
       def initialize(base_url = "https://www.onyphe.io", api_key:, headers: {})
         raise(ArgumentError, "'api_key' argument is required") if api_key.nil?
@@ -13,10 +19,16 @@ module Mihari
         @api_key = api_key
       end
+      #
+      # @param [String] query
+      # @param [Integer] page
+      #
+      # @return [Hash]
+      #
       def datascan(query, page: 1)
         params = { page: page, apikey: api_key }
         res = get("/api/v2/simple/datascan/#{query}", params: params)
-        JSON.parse(res.body.to_s)
+        Structs::Onyphe::Response.from_dynamic! JSON.parse(res.body.to_s)
       end
     end
   end

data/lib/mihari/clients/otx.rb CHANGED Viewed

@@ -3,6 +3,11 @@
 module Mihari
   module Clients
     class OTX < Base
+      #
+      # @param [String] base_url
+      # @param [String, nil] api_key
+      # @param [Hash] headers
+      #
       def initialize(base_url = "https://otx.alienvault.com", api_key:, headers: {})
         raise(ArgumentError, "'api_key' argument is required") unless api_key
@@ -10,16 +15,31 @@ module Mihari
         super(base_url, headers: headers)
       end
+      #
+      # @param [String] ip
+      #
+      # @return [Hash]
+      #
       def query_by_ip(ip)
         _get "/api/v1/indicators/IPv4/#{ip}/passive_dns"
       end
+      #
+      # @param [String] domain
+      #
+      # @return [Hash]
+      #
       def query_by_domain(domain)
         _get "/api/v1/indicators/domain/#{domain}/passive_dns"
       end
       private
+      #
+      # @param [String] path
+      #
+      # @return [Hash]
+      #
       def _get(path)
         res = get(path)
         JSON.parse(res.body.to_s)

data/lib/mihari/clients/passivetotal.rb CHANGED Viewed

@@ -7,8 +7,8 @@ module Mihari
     class PassiveTotal < Base
       #
       # @param [String] base_url
-      # @param [String] username
-      # @param [String] api_key
+      # @param [String, nil] username
+      # @param [String, nil] api_key
       # @param [Hash] headers
       #
       def initialize(base_url = "https://api.passivetotal.org", username:, api_key:, headers: {})
@@ -31,6 +31,8 @@ module Mihari
       #
       # @param [String] query
       #
+      # @return [Hash]
+      #
       def passive_dns_search(query)
         params = { query: query }
         _get("/v2/dns/passive/unique", params: params)
@@ -56,6 +58,8 @@ module Mihari
       # @param [String] path
       # @param [Hash] params
       #
+      # @return [Hash]
+      #
       def _get(path, params: {})
         res = get(path, params: params)
         JSON.parse(res.body.to_s)

data/lib/mihari/clients/publsedive.rb CHANGED Viewed

@@ -3,8 +3,14 @@
 module Mihari
   module Clients
     class PulseDive < Base
+      # @return [String]
       attr_reader :api_key
+      #
+      # @param [String] base_url
+      # @param [String, nil] api_key
+      # @param [Hash] headers
+      #
       def initialize(base_url = "https://pulsedive.com", api_key:, headers: {})
         super(base_url, headers: headers)
@@ -13,21 +19,32 @@ module Mihari
         raise(ArgumentError, "'api_key' argument is required") unless api_key
       end
+      #
+      # @param [String] indicator_id
+      #
+      # @return [Hash]
+      #
       def get_indicator(ip_or_domain)
         _get "/api/info.php", params: { indicator: ip_or_domain }
       end
+      #
+      # @param [String] indicator_id
+      #
+      # @return [Hash]
+      #
       def get_properties(indicator_id)
         _get "/api/info.php", params: { iid: indicator_id, get: "properties" }
       end
       private
-      #
       #
       # @param [String] path
       # @param [Hash] params
       #
+      # @return [Hash]
+      #
       def _get(path, params: {})
         params["key"] = api_key