RubyGems - mihari - Versions diffs - 5.1.1 → 5.1.3 - Mend

mihari 5.1.1 → 5.1.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (57) hide show

checksums.yaml +4 -4
data/.gitmodules +0 -3
data/.rubocop.yml +6 -0
data/README.md +0 -1
data/lib/mihari/analyzers/base.rb +32 -27
data/lib/mihari/analyzers/binaryedge.rb +8 -2
data/lib/mihari/analyzers/censys.rb +10 -61
data/lib/mihari/analyzers/circl.rb +13 -19
data/lib/mihari/analyzers/crtsh.rb +6 -0
data/lib/mihari/analyzers/dnstwister.rb +12 -19
data/lib/mihari/analyzers/feed.rb +21 -0
data/lib/mihari/analyzers/greynoise.rb +5 -28
data/lib/mihari/analyzers/onyphe.rb +8 -33
data/lib/mihari/analyzers/otx.rb +11 -17
data/lib/mihari/analyzers/passivetotal.rb +13 -19
data/lib/mihari/analyzers/pulsedive.rb +3 -1
data/lib/mihari/analyzers/rule.rb +0 -1
data/lib/mihari/analyzers/securitytrails.rb +18 -29
data/lib/mihari/analyzers/shodan.rb +13 -92
data/lib/mihari/analyzers/urlscan.rb +12 -4
data/lib/mihari/analyzers/virustotal.rb +4 -0
data/lib/mihari/analyzers/virustotal_intelligence.rb +9 -6
data/lib/mihari/analyzers/zoomeye.rb +9 -0
data/lib/mihari/clients/binaryedge.rb +5 -0
data/lib/mihari/clients/censys.rb +4 -4
data/lib/mihari/clients/circl.rb +3 -3
data/lib/mihari/clients/greynoise.rb +6 -1
data/lib/mihari/clients/misp.rb +8 -1
data/lib/mihari/clients/onyphe.rb +13 -1
data/lib/mihari/clients/otx.rb +20 -0
data/lib/mihari/clients/passivetotal.rb +6 -2
data/lib/mihari/clients/publsedive.rb +18 -1
data/lib/mihari/clients/securitytrails.rb +94 -0
data/lib/mihari/clients/shodan.rb +14 -3
data/lib/mihari/clients/the_hive.rb +6 -1
data/lib/mihari/clients/urlscan.rb +3 -1
data/lib/mihari/clients/virustotal.rb +9 -3
data/lib/mihari/clients/zoomeye.rb +7 -1
data/lib/mihari/commands/database.rb +1 -6
data/lib/mihari/commands/searcher.rb +1 -2
data/lib/mihari/database.rb +9 -0
data/lib/mihari/http.rb +14 -18
data/lib/mihari/structs/censys.rb +62 -0
data/lib/mihari/structs/greynoise.rb +43 -0
data/lib/mihari/structs/onyphe.rb +45 -0
data/lib/mihari/structs/shodan.rb +83 -0
data/lib/mihari/version.rb +1 -1
data/lib/mihari/web/middleware/connection_adapter.rb +1 -3
data/lib/mihari/web/public/assets/{index-63900d73.js → index-7d0fb8c4.js} +2 -2
data/lib/mihari/web/public/index.html +1 -1
data/lib/mihari/web/public/redoc-static.html +2 -2
data/lib/mihari.rb +1 -3
data/mihari.gemspec +2 -3
metadata +8 -24
data/lib/mihari/analyzers/dnpedia.rb +0 -33
data/lib/mihari/clients/dnpedia.rb +0 -64
data/lib/mihari/mixins/database.rb +0 -16

data/lib/mihari/analyzers/securitytrails.rb CHANGED Viewed

@@ -1,7 +1,5 @@
 # frozen_string_literal: true
-require "securitytrails"
 module Mihari
   module Analyzers
     class SecurityTrails < Base
@@ -15,6 +13,9 @@ module Mihari
       # @return [String, nil]
       attr_reader :api_key
+      # @return [String]
+      attr_reader :query
       def initialize(*args, **kwargs)
         super
@@ -25,7 +26,16 @@ module Mihari
       end
       def artifacts
-        search || []
+        case type
+        when "domain"
+          domain_search
+        when "ip"
+          ip_search
+        when "mail"
+          mail_search
+        else
+          raise InvalidInputError, "#{query}(type: #{type || "unknown"}) is not supported." unless valid_type?
+        end
       end
       private
@@ -34,8 +44,8 @@ module Mihari
         %w[securitytrails_api_key]
       end
-      def api
-        @api ||= ::SecurityTrails::API.new(api_key)
+      def client
+        @client ||= Clients::SecurityTrails.new(api_key: api_key)
       end
       #
@@ -47,32 +57,13 @@ module Mihari
         %w[ip domain mail].include? type
       end
-      #
-      # IP/domain/mail search
-      #
-      # @return [Array<String>, Array<Mihari::Artifact>]
-      #
-      def search
-        case type
-        when "domain"
-          domain_search
-        when "ip"
-          ip_search
-        when "mail"
-          mail_search
-        else
-          raise InvalidInputError, "#{query}(type: #{type || "unknown"}) is not supported." unless valid_type?
-        end
-      end
       #
       # Domain search
       #
       # @return [Array<String>]
       #
       def domain_search
-        result = api.history.get_all_dns_history(query, type: "a")
-        records = result["records"] || []
+        records = client.get_all_dns_history(query, type: "a")
         records.map do |record|
           (record["values"] || []).map { |value| value["ip"] }
         end.flatten.compact.uniq
@@ -84,8 +75,7 @@ module Mihari
       # @return [Array<Mihari::Artifact>]
       #
       def ip_search
-        result = api.domains.search(filter: { ipv4: query })
-        records = result["records"] || []
+        records = client.search_by_ip(query)
         records.filter_map do |record|
           data = record["hostname"]
           Artifact.new(data: data, source: source, metadata: record)
@@ -98,8 +88,7 @@ module Mihari
       # @return [Array<String>]
       #
       def mail_search
-        result = api.domains.search(filter: { whois_email: query })
-        records = result["records"] || []
+        records = client.search_by_mail(query)
         records.filter_map do |record|
           data = record["hostname"]
           Artifact.new(data: data, source: source, metadata: record)

data/lib/mihari/analyzers/shodan.rb CHANGED Viewed

@@ -10,6 +10,12 @@ module Mihari
       # @return [String, nil]
       attr_reader :api_key
+      # @return [Integer]
+      attr_reader :interval
+      # @return [String]
+      attr_reader :query
       def initialize(*args, **kwargs)
         super(*args, **kwargs)
@@ -18,13 +24,9 @@ module Mihari
       def artifacts
         results = search
-        return [] unless results || results.empty?
-        results = results.map { |result| Structs::Shodan::Result.from_dynamic!(result) }
-        matches = results.map { |result| result.matches || [] }.flatten
+        return [] if results.empty?
-        uniq_matches = matches.uniq(&:ip_str)
-        uniq_matches.map { |match| build_artifact(match, matches) }
+        results.map { |result| result.to_artifacts(source) }.flatten.uniq(&:data)
       end
       private
@@ -42,29 +44,25 @@ module Mihari
       #
       # Search with pagination
       #
-      # @param [String] query
       # @param [Integer] page
       #
-      # @return [Hash]
+      # @return [Structs::Shodan::Result]
       #
-      def search_with_page(query, page: 1)
+      def search_with_page(page: 1)
         client.search(query, page: page)
       end
       #
       # Search
       #
-      # @return [Array<Hash>]
+      # @return [Array<Structs::Shodan::Result>]
       #
       def search
         responses = []
         (1..Float::INFINITY).each do |page|
-          res = search_with_page(query, page: page)
-          break unless res
+          res = search_with_page(page: page)
           responses << res
-          break if res["total"].to_i <= page * PAGE_SIZE
+          break if res.total <= page * PAGE_SIZE
           # sleep #{interval} seconds to avoid the rate limitation (if it is set)
           sleep interval
@@ -75,83 +73,6 @@ module Mihari
         end
         responses
       end
-      #
-      # Collect metadata from matches
-      #
-      # @param [Array<Structs::Shodan::Match>] matches
-      # @param [String] ip
-      #
-      # @return [Array<Hash>]
-      #
-      def collect_metadata_by_ip(matches, ip)
-        matches.select { |match| match.ip_str == ip }.map(&:metadata)
-      end
-      #
-      # Collect ports from matches
-      #
-      # @param [Array<Structs::Shodan::Match>] matches
-      # @param [String] ip
-      #
-      # @return [Array<String>]
-      #
-      def collect_ports_by_ip(matches, ip)
-        matches.select { |match| match.ip_str == ip }.map(&:port)
-      end
-      #
-      # Collect hostnames from matches
-      #
-      # @param [Array<Structs::Shodan::Match>] matches
-      # @param [String] ip
-      #
-      # @return [Array<String>]
-      #
-      def collect_hostnames_by_ip(matches, ip)
-        matches.select { |match| match.ip_str == ip }.map(&:hostnames).flatten.uniq
-      end
-      #
-      # Build an artifact from a Shodan search API response
-      #
-      # @param [Structs::Shodan::Match] match
-      # @param [Array<Structs::Shodan::Match>] matches
-      #
-      # @return [Artifact]
-      #
-      def build_artifact(match, matches)
-        as = nil
-        as = AutonomousSystem.new(asn: normalize_asn(match.asn)) unless match.asn.nil?
-        geolocation = nil
-        if !match.location.country_name.nil? && !match.location.country_code.nil?
-          geolocation = Geolocation.new(
-            country: match.location.country_name,
-            country_code: match.location.country_code
-          )
-        end
-        metadata = collect_metadata_by_ip(matches, match.ip_str)
-        ports = collect_ports_by_ip(matches, match.ip_str).map do |port|
-          Port.new(port: port)
-        end
-        reverse_dns_names = collect_hostnames_by_ip(matches, match.ip_str).map do |name|
-          ReverseDnsName.new(name: name)
-        end
-        Artifact.new(
-          data: match.ip_str,
-          source: source,
-          metadata: metadata,
-          autonomous_system: as,
-          geolocation: geolocation,
-          ports: ports,
-          reverse_dns_names: reverse_dns_names
-        )
-      end
     end
   end
 end

data/lib/mihari/analyzers/urlscan.rb CHANGED Viewed

@@ -15,12 +15,20 @@ module Mihari
       # @return [String, nil]
       attr_reader :api_key
+      # @return [String]
+      attr_reader :query
+      # @return [Integer]
+      attr_reader :interval
+      # @return [String]
+      attr_reader :allowed_data_types
       def initialize(*args, **kwargs)
         super
-        unless valid_alllowed_data_types?
-          raise InvalidInputError,
-            "allowed_data_types should be any of url, domain and ip."
+        unless valid_allowed_data_types?
+          raise InvalidInputError, "allowed_data_types should be any of url, domain and ip."
         end
         @api_key = kwargs[:api_key] || Mihari.config.urlscan_api_key
@@ -88,7 +96,7 @@ module Mihari
       #
       # @return [Boolean]
       #
-      def valid_alllowed_data_types?
+      def valid_allowed_data_types?
         allowed_data_types.all? { |type| SUPPORTED_DATA_TYPES.include? type }
       end
     end

data/lib/mihari/analyzers/virustotal.rb CHANGED Viewed

@@ -7,11 +7,15 @@ module Mihari
       param :query
+      # @return [String]
       attr_reader :type
       # @return [String, nil]
       attr_reader :api_key
+      # @return [String]
+      attr_reader :query
       def initialize(*args, **kwargs)
         super(*args, **kwargs)

data/lib/mihari/analyzers/virustotal_intelligence.rb CHANGED Viewed

@@ -10,6 +10,12 @@ module Mihari
       # @return [String, nil]
       attr_reader :api_key
+      # @return [String]
+      attr_reader :query
+      # @return [Integer]
+      attr_reader :interval
       def initialize(*args, **kwargs)
         super
@@ -19,7 +25,7 @@ module Mihari
       end
       def artifacts
-        responses = search_witgh_cursor
+        responses = search_with_cursor
         responses.map do |response|
           response.data.map do |datum|
             Artifact.new(data: datum.value, source: source, metadata: datum.metadata)
@@ -47,19 +53,16 @@ module Mihari
       #
       # @return [Array<Structs::VirusTotalIntelligence::Response>]
       #
-      def search_witgh_cursor
+      def search_with_cursor
         cursor = nil
         responses = []
         loop do
-          response = Structs::VirusTotalIntelligence::Response.from_dynamic!(client.intel_search(query,
-            cursor: cursor))
+          response = Structs::VirusTotalIntelligence::Response.from_dynamic!(client.intel_search(query, cursor: cursor))
           responses << response
           break if response.meta.cursor.nil?
           cursor = response.meta.cursor
           # sleep #{interval} seconds to avoid the rate limitation (if it is set)
           sleep interval
         end

data/lib/mihari/analyzers/zoomeye.rb CHANGED Viewed

@@ -12,6 +12,15 @@ module Mihari
       # @return [String, nil]
       attr_reader :api_key
+      # @return [String]
+      attr_reader :query
+      # @return [String]
+      attr_reader :type
+      # @return [Integer]
+      attr_reader :interval
       def initialize(*args, **kwargs)
         super(*args, **kwargs)

data/lib/mihari/clients/binaryedge.rb CHANGED Viewed

@@ -3,6 +3,11 @@
 module Mihari
   module Clients
     class BinaryEdge < Base
+      #
+      # @param [String] base_url
+      # @param [String, nil] api_key
+      # @param [Hash] headers
+      #
       def initialize(base_url = "https://api.binaryedge.io/v2", api_key:, headers: {})
         raise(ArgumentError, "'api_key' argument is required") unless api_key

data/lib/mihari/clients/censys.rb CHANGED Viewed

@@ -7,8 +7,8 @@ module Mihari
     class Censys < Base
       #
       # @param [String] base_url
-      # @param [String] id
-      # @param [String] secret
+      # @param [String, nil] id
+      # @param [String, nil] secret
       # @param [Hash] headers
       #
       def initialize(base_url = "https://search.censys.io", id:, secret:, headers: {})
@@ -30,12 +30,12 @@ module Mihari
       # @params [Integer, nil] per_page the number of results to be returned for each page.
       # @params [Integer, nil] cursor the cursor of the desired result set.
       #
-      # @return [Hash]
+      # @return [Structs::Censys::Response]
       #
       def search(query, per_page: nil, cursor: nil)
         params = { q: query, per_page: per_page, cursor: cursor }.compact
         res = get("/api/v2/hosts/search", params: params)
-        JSON.parse(res.body.to_s)
+        Structs::Censys::Response.from_dynamic! JSON.parse(res.body.to_s)
       end
     end
   end

data/lib/mihari/clients/circl.rb CHANGED Viewed

@@ -7,8 +7,8 @@ module Mihari
     class CIRCL < Base
       #
       # @param [String] base_url
-      # @param [String] username
-      # @param [String] password
+      # @param [String, nil] username
+      # @param [String, nil] password
       # @param [Hash] headers
       #
       def initialize(base_url = "https://www.circl.lu", username:, password:, headers: {})
@@ -43,7 +43,7 @@ module Mihari
       #
       #
       # @param [String] path
-      # @param [Array<Hash>] params
+      # @param [Hash] params
       #
       def _get(path, params: {})
         res = get(path, params: params)

data/lib/mihari/clients/greynoise.rb CHANGED Viewed

@@ -3,6 +3,11 @@
 module Mihari
   module Clients
     class GreyNoise < Base
+      #
+      # @param [String] base_url
+      # @param [String, nil] api_key
+      # @param [Hash] headers
+      #
       def initialize(base_url = "https://api.greynoise.io", api_key:, headers: {})
         raise(ArgumentError, "'api_key' argument is required") unless api_key
@@ -22,7 +27,7 @@ module Mihari
       def gnql_search(query, size: nil, scroll: nil)
         params = { query: query, size: size, scroll: scroll }.compact
         res = get("/v2/experimental/gnql", params: params)
-        JSON.parse res.body.to_s
+        Structs::GreyNoise::Response.from_dynamic! JSON.parse(res.body.to_s)
       end
     end
   end

data/lib/mihari/clients/misp.rb CHANGED Viewed

@@ -5,16 +5,23 @@ module Mihari
     class MISP < Base
       #
       # @param [String] base_url
-      # @param [String] api_key
+      # @param [String, nil] api_key
       # @param [Hash] headers
       #
       def initialize(base_url, api_key:, headers: {})
         raise(ArgumentError, "'api_key' argument is required") unless api_key
         headers["authorization"] = api_key
+        headers["accept"] = "application/json"
         super(base_url, headers: headers)
       end
+      #
+      # @param [Hash] payload
+      #
+      # @return [Hash]
+      #
       def create_event(payload)
         res = post("/events/add", json: payload)
         JSON.parse(res.body.to_s)

data/lib/mihari/clients/onyphe.rb CHANGED Viewed

@@ -3,8 +3,14 @@
 module Mihari
   module Clients
     class Onyphe < Base
+      # @return [String]
       attr_reader :api_key
+      #
+      # @param [String] base_url
+      # @param [String, nil] api_key
+      # @param [Hash] headers
+      #
       def initialize(base_url = "https://www.onyphe.io", api_key:, headers: {})
         raise(ArgumentError, "'api_key' argument is required") if api_key.nil?
@@ -13,10 +19,16 @@ module Mihari
         @api_key = api_key
       end
+      #
+      # @param [String] query
+      # @param [Integer] page
+      #
+      # @return [Hash]
+      #
       def datascan(query, page: 1)
         params = { page: page, apikey: api_key }
         res = get("/api/v2/simple/datascan/#{query}", params: params)
-        JSON.parse(res.body.to_s)
+        Structs::Onyphe::Response.from_dynamic! JSON.parse(res.body.to_s)
       end
     end
   end

data/lib/mihari/clients/otx.rb CHANGED Viewed

@@ -3,6 +3,11 @@
 module Mihari
   module Clients
     class OTX < Base
+      #
+      # @param [String] base_url
+      # @param [String, nil] api_key
+      # @param [Hash] headers
+      #
       def initialize(base_url = "https://otx.alienvault.com", api_key:, headers: {})
         raise(ArgumentError, "'api_key' argument is required") unless api_key
@@ -10,16 +15,31 @@ module Mihari
         super(base_url, headers: headers)
       end
+      #
+      # @param [String] ip
+      #
+      # @return [Hash]
+      #
       def query_by_ip(ip)
         _get "/api/v1/indicators/IPv4/#{ip}/passive_dns"
       end
+      #
+      # @param [String] domain
+      #
+      # @return [Hash]
+      #
       def query_by_domain(domain)
         _get "/api/v1/indicators/domain/#{domain}/passive_dns"
       end
       private
+      #
+      # @param [String] path
+      #
+      # @return [Hash]
+      #
       def _get(path)
         res = get(path)
         JSON.parse(res.body.to_s)

data/lib/mihari/clients/passivetotal.rb CHANGED Viewed

@@ -7,8 +7,8 @@ module Mihari
     class PassiveTotal < Base
       #
       # @param [String] base_url
-      # @param [String] username
-      # @param [String] api_key
+      # @param [String, nil] username
+      # @param [String, nil] api_key
       # @param [Hash] headers
       #
       def initialize(base_url = "https://api.passivetotal.org", username:, api_key:, headers: {})
@@ -31,6 +31,8 @@ module Mihari
       #
       # @param [String] query
       #
+      # @return [Hash]
+      #
       def passive_dns_search(query)
         params = { query: query }
         _get("/v2/dns/passive/unique", params: params)
@@ -56,6 +58,8 @@ module Mihari
       # @param [String] path
       # @param [Hash] params
       #
+      # @return [Hash]
+      #
       def _get(path, params: {})
         res = get(path, params: params)
         JSON.parse(res.body.to_s)

data/lib/mihari/clients/publsedive.rb CHANGED Viewed

@@ -3,8 +3,14 @@
 module Mihari
   module Clients
     class PulseDive < Base
+      # @return [String]
       attr_reader :api_key
+      #
+      # @param [String] base_url
+      # @param [String, nil] api_key
+      # @param [Hash] headers
+      #
       def initialize(base_url = "https://pulsedive.com", api_key:, headers: {})
         super(base_url, headers: headers)
@@ -13,21 +19,32 @@ module Mihari
         raise(ArgumentError, "'api_key' argument is required") unless api_key
       end
+      #
+      # @param [String] indicator_id
+      #
+      # @return [Hash]
+      #
       def get_indicator(ip_or_domain)
         _get "/api/info.php", params: { indicator: ip_or_domain }
       end
+      #
+      # @param [String] indicator_id
+      #
+      # @return [Hash]
+      #
       def get_properties(indicator_id)
         _get "/api/info.php", params: { iid: indicator_id, get: "properties" }
       end
       private
-      #
       #
       # @param [String] path
       # @param [Hash] params
       #
+      # @return [Hash]
+      #
       def _get(path, params: {})
         params["key"] = api_key