mihari 5.4.5 → 5.4.6
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/docs/analyzers/binaryedge.md +10 -5
- data/docs/analyzers/censys.md +14 -6
- data/docs/analyzers/circl.md +13 -5
- data/docs/analyzers/crtsh.md +7 -6
- data/docs/analyzers/dnstwister.md +5 -3
- data/docs/analyzers/feed.md +44 -20
- data/docs/analyzers/greynoise.md +10 -5
- data/docs/analyzers/hunterhow.md +15 -7
- data/docs/analyzers/onyphe.md +9 -4
- data/docs/analyzers/otx.md +10 -5
- data/docs/analyzers/passivetotal.md +17 -5
- data/docs/analyzers/pulsedive.md +9 -4
- data/docs/analyzers/securitytrails.md +9 -4
- data/docs/analyzers/shodan.md +10 -5
- data/docs/analyzers/urlscan.md +10 -5
- data/docs/analyzers/virustotal.md +10 -5
- data/docs/analyzers/virustotal_intelligence.md +11 -4
- data/docs/analyzers/zoomeye.md +14 -6
- data/docs/configuration.md +29 -29
- data/docs/emitters/hive.md +13 -5
- data/docs/emitters/misp.md +9 -4
- data/docs/emitters/slack.md +10 -0
- data/docs/emitters/webhook.md +19 -19
- data/docs/rule.md +20 -14
- data/lib/mihari/analyzers/feed.rb +7 -7
- data/lib/mihari/version.rb +1 -1
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 685244b2cf09a001eacff1c1e0fa1e4fecb44e8affee30dd2bd7914e65cba594
|
|
4
|
+
data.tar.gz: 427285d6992f44011dee5b0038c79da4b0b0958062869b1547d36190d1b27656
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 06e99eed502d4df71a79104a7dc1d29bed954866dd3523971f1883316dec2eb74ffdff1f78df64e711ffb65f92e4474e7b45b4057e5e8e84295e4a2677b87dd4
|
|
7
|
+
data.tar.gz: 434ede07d0f8c50626bc975f5c0278013ae7bd989e90c7ccbf8d8f031c93e1313fa9d8fffc17d21f1aaf6893b41a027087ef78f3d523461b857038aee0a8d1b4
|
|
@@ -7,7 +7,7 @@ tags:
|
|
|
7
7
|
|
|
8
8
|
- [https://www.binaryedge.io/](https://www.binaryedge.io/)
|
|
9
9
|
|
|
10
|
-
This analyzer uses [BinaryEdge API V2](https://docs.binaryedge.io/api-v2/)
|
|
10
|
+
This analyzer uses [BinaryEdge API V2](https://docs.binaryedge.io/api-v2/) (`/v2/query/search`) to search. Pagination is supported.
|
|
11
11
|
|
|
12
12
|
```yaml
|
|
13
13
|
analyzer: binaryedge
|
|
@@ -15,7 +15,12 @@ query: ...
|
|
|
15
15
|
api_key: ...
|
|
16
16
|
```
|
|
17
17
|
|
|
18
|
-
|
|
19
|
-
|
|
20
|
-
|
|
21
|
-
|
|
18
|
+
## Components
|
|
19
|
+
|
|
20
|
+
### Query
|
|
21
|
+
|
|
22
|
+
`query` is a search query.
|
|
23
|
+
|
|
24
|
+
### API Key
|
|
25
|
+
|
|
26
|
+
`api_key` is an API key. Optional. Defaults to `ENV[”BINARYEDGE_API_KEY"]`.
|
data/docs/analyzers/censys.md
CHANGED
|
@@ -7,7 +7,7 @@ tags:
|
|
|
7
7
|
|
|
8
8
|
- [https://censys.io/](https://censys.io/)
|
|
9
9
|
|
|
10
|
-
|
|
10
|
+
This analyzer uses [Censys Search 2.0 REST API](https://search.censys.io/api) to search. Pagination is supported.
|
|
11
11
|
|
|
12
12
|
```yaml
|
|
13
13
|
analyzer: censys
|
|
@@ -16,8 +16,16 @@ id: ...
|
|
|
16
16
|
secret: ...
|
|
17
17
|
```
|
|
18
18
|
|
|
19
|
-
|
|
20
|
-
|
|
21
|
-
|
|
22
|
-
|
|
23
|
-
|
|
19
|
+
## Components
|
|
20
|
+
|
|
21
|
+
### Query
|
|
22
|
+
|
|
23
|
+
`query` is a search query.
|
|
24
|
+
|
|
25
|
+
### ID
|
|
26
|
+
|
|
27
|
+
`id` is a Cencys ID. Optional. Defaults to `ENV[”CENSYS_ID”]`.
|
|
28
|
+
|
|
29
|
+
### Secret
|
|
30
|
+
|
|
31
|
+
`secret` is a Cencys secret. Optional. Defaults to `ENV[”CENSYS_SECRET”]`.
|
data/docs/analyzers/circl.md
CHANGED
|
@@ -22,8 +22,16 @@ password: ...
|
|
|
22
22
|
username: ...
|
|
23
23
|
```
|
|
24
24
|
|
|
25
|
-
|
|
26
|
-
|
|
27
|
-
|
|
28
|
-
|
|
29
|
-
|
|
25
|
+
## Components
|
|
26
|
+
|
|
27
|
+
### Query
|
|
28
|
+
|
|
29
|
+
`query` is a domain or SHA1 certificate fingerprint.
|
|
30
|
+
|
|
31
|
+
### Username
|
|
32
|
+
|
|
33
|
+
`username` is a username. Optional. Defaults to `ENV[”CIRCL_PASSIVE_USERNAME”]`.
|
|
34
|
+
|
|
35
|
+
### Password
|
|
36
|
+
|
|
37
|
+
`password` is a password. Optional. Defaults to `ENV[”CIRCL_PASSIVE_PASSWORD”]`.
|
data/docs/analyzers/crtsh.md
CHANGED
|
@@ -15,11 +15,12 @@ query: ...
|
|
|
15
15
|
exclude_expired: ...
|
|
16
16
|
```
|
|
17
17
|
|
|
18
|
-
|
|
19
|
-
| --------------- | ------------------ | ------- | ----------------------------------------- |
|
|
20
|
-
| query | String | | Search query |
|
|
21
|
-
| exclude_expired | Boolean (optional) | True | Whether to exclude expired domains or not |
|
|
18
|
+
## Components
|
|
22
19
|
|
|
23
|
-
|
|
20
|
+
### Query
|
|
24
21
|
|
|
25
|
-
|
|
22
|
+
`query` is a search query.
|
|
23
|
+
|
|
24
|
+
### Exclude Expired
|
|
25
|
+
|
|
26
|
+
`exclude_expired` (boolean) determines whether to exclude expired domains or not. Optional. Defaults to `true`.
|
|
@@ -14,9 +14,11 @@ analyzer: dnstwister
|
|
|
14
14
|
query: ...
|
|
15
15
|
```
|
|
16
16
|
|
|
17
|
-
|
|
18
|
-
|
|
19
|
-
|
|
17
|
+
## Components
|
|
18
|
+
|
|
19
|
+
### Query
|
|
20
|
+
|
|
21
|
+
`query` is a search query.
|
|
20
22
|
|
|
21
23
|
!!! tip
|
|
22
24
|
|
data/docs/analyzers/feed.md
CHANGED
|
@@ -7,40 +7,64 @@ Note that you should write a selector to get proper IoCs from a feed. A selector
|
|
|
7
7
|
```yaml
|
|
8
8
|
analyzer: feed
|
|
9
9
|
query: ...
|
|
10
|
-
http_request_method: ...
|
|
11
|
-
http_request_payload: ...
|
|
12
|
-
http_request_payload_type: ...
|
|
13
|
-
http_request_headers: ...
|
|
14
10
|
selector: ...
|
|
11
|
+
method: ...
|
|
12
|
+
headers: ...
|
|
13
|
+
params: ...
|
|
14
|
+
data: ...
|
|
15
|
+
json: ...
|
|
15
16
|
```
|
|
16
17
|
|
|
17
|
-
|
|
18
|
-
|
|
19
|
-
|
|
20
|
-
|
|
21
|
-
|
|
22
|
-
|
|
23
|
-
|
|
24
|
-
|
|
18
|
+
## Components
|
|
19
|
+
|
|
20
|
+
### Query
|
|
21
|
+
|
|
22
|
+
`query` is a URL of a feed.
|
|
23
|
+
|
|
24
|
+
!!! note
|
|
25
|
+
|
|
26
|
+
I know this is a strange naming. It's just for keeping the convention with other analyzers.
|
|
27
|
+
|
|
28
|
+
### Method
|
|
29
|
+
|
|
30
|
+
`method` is an HTTP method. Defaults to `GET`.
|
|
31
|
+
|
|
32
|
+
### Selector
|
|
33
|
+
|
|
34
|
+
`selector` is a `jr` selector.
|
|
35
|
+
|
|
36
|
+
### Headers
|
|
37
|
+
|
|
38
|
+
`headers` (hash) is an HTTP headers. Optional.
|
|
39
|
+
|
|
40
|
+
### Params
|
|
41
|
+
|
|
42
|
+
`params` (hash) is an HTTP query params. Optional.
|
|
43
|
+
|
|
44
|
+
### Data
|
|
45
|
+
|
|
46
|
+
`data` (hash) is an HTTP form data. Optional.
|
|
47
|
+
|
|
48
|
+
### JSON
|
|
49
|
+
|
|
50
|
+
`json` (hash) is an JSON body. Optional.
|
|
25
51
|
|
|
26
52
|
## Examples
|
|
27
53
|
|
|
28
|
-
|
|
54
|
+
### ThreatFox
|
|
29
55
|
|
|
30
56
|
```yaml
|
|
31
57
|
analyzer: feed
|
|
32
58
|
query: "https://threatfox-api.abuse.ch/api/v1/"
|
|
33
|
-
|
|
34
|
-
|
|
35
|
-
query:
|
|
59
|
+
method: POST
|
|
60
|
+
json:
|
|
61
|
+
query: get_iocs
|
|
36
62
|
days: 1
|
|
37
|
-
|
|
38
|
-
http_request_headers:
|
|
39
|
-
"api-key": "YOUR_API_KEY"
|
|
63
|
+
headers:
|
|
40
64
|
selector: "map(&:data).unwrap.map(&:ioc).map { |v| v.start_with?('http://', 'https://') ? v : v.split(':').first }"
|
|
41
65
|
```
|
|
42
66
|
|
|
43
|
-
|
|
67
|
+
### URLhaus
|
|
44
68
|
|
|
45
69
|
```yaml
|
|
46
70
|
analyzer: feed
|
data/docs/analyzers/greynoise.md
CHANGED
|
@@ -7,7 +7,7 @@ tags:
|
|
|
7
7
|
|
|
8
8
|
- [https://www.greynoise.io/](https://www.greynoise.io/)
|
|
9
9
|
|
|
10
|
-
This analyzer uses GreyNoise API
|
|
10
|
+
This analyzer uses GreyNoise API (`/v2/experimental/gnql`) to search. Pagination is supported.
|
|
11
11
|
|
|
12
12
|
```yaml
|
|
13
13
|
analyzer: greynoise
|
|
@@ -15,7 +15,12 @@ query: ...
|
|
|
15
15
|
api_key: ...
|
|
16
16
|
```
|
|
17
17
|
|
|
18
|
-
|
|
19
|
-
|
|
20
|
-
|
|
21
|
-
|
|
18
|
+
## Components
|
|
19
|
+
|
|
20
|
+
### Query
|
|
21
|
+
|
|
22
|
+
`query` is a GNQL search query.
|
|
23
|
+
|
|
24
|
+
### API Key
|
|
25
|
+
|
|
26
|
+
`api_key` is an API key. Optional. Defaults to `ENV[”GREYNOISE_API_KEY"]`.
|
data/docs/analyzers/hunterhow.md
CHANGED
|
@@ -7,7 +7,7 @@ tags:
|
|
|
7
7
|
|
|
8
8
|
- [https://hunter.how/](https://hunter.how/)
|
|
9
9
|
|
|
10
|
-
This analyzer uses `https://api.hunter.how/search`
|
|
10
|
+
This analyzer uses Hunter How API (`https://api.hunter.how/search`) to search. Pagination is supported.
|
|
11
11
|
|
|
12
12
|
```yaml
|
|
13
13
|
analyzer: hunterhow
|
|
@@ -17,9 +17,17 @@ start_time: ...
|
|
|
17
17
|
end_time: ...
|
|
18
18
|
```
|
|
19
19
|
|
|
20
|
-
|
|
21
|
-
|
|
22
|
-
|
|
23
|
-
|
|
24
|
-
|
|
25
|
-
|
|
20
|
+
## Components
|
|
21
|
+
|
|
22
|
+
### Query
|
|
23
|
+
|
|
24
|
+
`query` is a search query.
|
|
25
|
+
|
|
26
|
+
### Start/End Time
|
|
27
|
+
|
|
28
|
+
- `start_time` (date): Only show results after the given date.
|
|
29
|
+
- `end_time` (date): Only show results after the given date.
|
|
30
|
+
|
|
31
|
+
### API key
|
|
32
|
+
|
|
33
|
+
`api_key` is an API key. Optional. Defaults to `ENV[”HUNTERHOW_API_KEY"]`.
|
data/docs/analyzers/onyphe.md
CHANGED
|
@@ -15,7 +15,12 @@ query: ...
|
|
|
15
15
|
api_key: ...
|
|
16
16
|
```
|
|
17
17
|
|
|
18
|
-
|
|
19
|
-
|
|
20
|
-
|
|
21
|
-
|
|
18
|
+
## Components
|
|
19
|
+
|
|
20
|
+
### Query
|
|
21
|
+
|
|
22
|
+
`query` is a search query.
|
|
23
|
+
|
|
24
|
+
### API Key
|
|
25
|
+
|
|
26
|
+
`api_key` is an API key. Optional. Defaults to `ENV[”ONYPHE_API_KEY”"]`.
|
data/docs/analyzers/otx.md
CHANGED
|
@@ -9,7 +9,7 @@ tags:
|
|
|
9
9
|
|
|
10
10
|
- [https://otx.alienvault.com/](https://otx.alienvault.com/dashboard/new)
|
|
11
11
|
|
|
12
|
-
This analyzer uses [OTX API v1](https://otx.alienvault.com/api) (`/api/v1/indicators/`) API
|
|
12
|
+
This analyzer uses [OTX API v1](https://otx.alienvault.com/api) (`/api/v1/indicators/`) API to search.
|
|
13
13
|
|
|
14
14
|
```yaml
|
|
15
15
|
analyzer: otx
|
|
@@ -17,7 +17,12 @@ query: ...
|
|
|
17
17
|
api_key: ...
|
|
18
18
|
```
|
|
19
19
|
|
|
20
|
-
|
|
21
|
-
|
|
22
|
-
|
|
23
|
-
|
|
20
|
+
## Components
|
|
21
|
+
|
|
22
|
+
### Query
|
|
23
|
+
|
|
24
|
+
`query` is a passive DNS search query. Domain or IP address.
|
|
25
|
+
|
|
26
|
+
### API Key
|
|
27
|
+
|
|
28
|
+
`api_key` is an API key. Optional. Defaults to `ENV[”OTX_API_KEY”"]`.
|
|
@@ -29,8 +29,20 @@ username: ...
|
|
|
29
29
|
api_key: ...
|
|
30
30
|
```
|
|
31
31
|
|
|
32
|
-
|
|
33
|
-
|
|
34
|
-
|
|
35
|
-
|
|
36
|
-
|
|
32
|
+
## Components
|
|
33
|
+
|
|
34
|
+
### Query
|
|
35
|
+
|
|
36
|
+
`query` is a passive DNS/SSL or reverse whois search query. Domain, IP address, mail or SHA1 certificate fingerprint.
|
|
37
|
+
|
|
38
|
+
- Passive DNS: Domain, IP Address
|
|
39
|
+
- Passive SSL: SHA1 certificate fingerprint
|
|
40
|
+
- Reverse whois: mail
|
|
41
|
+
|
|
42
|
+
### Username
|
|
43
|
+
|
|
44
|
+
`username` is a username. Optional. Defaults to `ENV[”PASSIVETOTAL_USERNAME"]`.
|
|
45
|
+
|
|
46
|
+
### API Key
|
|
47
|
+
|
|
48
|
+
`api_key` is an API key. Optional. Defaults to `ENV[”PASSIVETOTAL_API_KEY"]`.
|
data/docs/analyzers/pulsedive.md
CHANGED
|
@@ -17,7 +17,12 @@ query: ...
|
|
|
17
17
|
api_key: ...
|
|
18
18
|
```
|
|
19
19
|
|
|
20
|
-
|
|
21
|
-
|
|
22
|
-
|
|
23
|
-
|
|
20
|
+
## Components
|
|
21
|
+
|
|
22
|
+
### Query
|
|
23
|
+
|
|
24
|
+
`query` is a passive DNS search query. Domain or IP address.
|
|
25
|
+
|
|
26
|
+
### API Key
|
|
27
|
+
|
|
28
|
+
`api_key` is an API key. Optional. Defaults to `ENV[”PULSEDIVE_API_KEY"]`.
|
|
@@ -26,7 +26,12 @@ query: ...
|
|
|
26
26
|
api_key: ...
|
|
27
27
|
```
|
|
28
28
|
|
|
29
|
-
|
|
30
|
-
|
|
31
|
-
|
|
32
|
-
|
|
29
|
+
## Components
|
|
30
|
+
|
|
31
|
+
### Query
|
|
32
|
+
|
|
33
|
+
`query` is a passive DNS search/reverse whois query. Domain, IP address or mail.
|
|
34
|
+
|
|
35
|
+
### API Key
|
|
36
|
+
|
|
37
|
+
`api_key` is an API key. Optional. Defaults to `ENV[”SECURITYTRAILS_API_KEY"]`.
|
data/docs/analyzers/shodan.md
CHANGED
|
@@ -7,7 +7,7 @@ tags:
|
|
|
7
7
|
|
|
8
8
|
- [https://shodan.io/](https://shodan.io/)
|
|
9
9
|
|
|
10
|
-
This analyzer uses [Shodan REST AP](https://developer.shodan.io/api) (`/shodan/host/search`) API to search.
|
|
10
|
+
This analyzer uses [Shodan REST AP](https://developer.shodan.io/api) (`/shodan/host/search`) API to search. Pagination is supported.
|
|
11
11
|
|
|
12
12
|
```yaml
|
|
13
13
|
analyzer: shodan
|
|
@@ -15,7 +15,12 @@ query: ...
|
|
|
15
15
|
api_key: ...
|
|
16
16
|
```
|
|
17
17
|
|
|
18
|
-
|
|
19
|
-
|
|
20
|
-
|
|
21
|
-
|
|
18
|
+
## Components
|
|
19
|
+
|
|
20
|
+
### Query
|
|
21
|
+
|
|
22
|
+
`query` is a search query.
|
|
23
|
+
|
|
24
|
+
### API Key
|
|
25
|
+
|
|
26
|
+
`api_key` is an API key. Optional. Defaults to `ENV[”SHODAN_API_KEY"]`.
|
data/docs/analyzers/urlscan.md
CHANGED
|
@@ -9,7 +9,7 @@ tags:
|
|
|
9
9
|
|
|
10
10
|
- [https://urlscan.io/](https://urlscan.io/)
|
|
11
11
|
|
|
12
|
-
This analyzer uses [urlscan.io](http://urlscan.io) API (`/api/v1/search`) to search.
|
|
12
|
+
This analyzer uses [urlscan.io](http://urlscan.io) API (`/api/v1/search`) to search. Pagination is supported.
|
|
13
13
|
|
|
14
14
|
```yaml
|
|
15
15
|
analyzer: urlscan
|
|
@@ -17,7 +17,12 @@ query: ...
|
|
|
17
17
|
api_key: ...
|
|
18
18
|
```
|
|
19
19
|
|
|
20
|
-
|
|
21
|
-
|
|
22
|
-
|
|
23
|
-
|
|
20
|
+
## Components
|
|
21
|
+
|
|
22
|
+
### Query
|
|
23
|
+
|
|
24
|
+
`query` is a search query.
|
|
25
|
+
|
|
26
|
+
### API Key
|
|
27
|
+
|
|
28
|
+
`api_key` is an API key. Optional. Defaults to `ENV[”URLSCAN_API_KEY"]`.
|
|
@@ -9,7 +9,7 @@ tags:
|
|
|
9
9
|
|
|
10
10
|
- [https://www.virustotal.com](https://www.virustotal.com/gui/home/search)
|
|
11
11
|
|
|
12
|
-
|
|
12
|
+
This analyzer uses VirusTotal API v3.
|
|
13
13
|
|
|
14
14
|
An API endpoint to use is changed based on a type of a query.
|
|
15
15
|
|
|
@@ -28,7 +28,12 @@ query: ...
|
|
|
28
28
|
api_key: ...
|
|
29
29
|
```
|
|
30
30
|
|
|
31
|
-
|
|
32
|
-
|
|
33
|
-
|
|
34
|
-
|
|
31
|
+
## Components
|
|
32
|
+
|
|
33
|
+
### Query
|
|
34
|
+
|
|
35
|
+
`query` is a passive DNS search query. Domain or IP address.
|
|
36
|
+
|
|
37
|
+
### API Key
|
|
38
|
+
|
|
39
|
+
`api_key` is an API key. Optional. Defaults to `ENV[”VIRUSTOTAL_API_KEY"]`.
|
|
@@ -10,13 +10,20 @@ tags:
|
|
|
10
10
|
|
|
11
11
|
- [https://www.virustotal.com](https://www.virustotal.com/gui/home/search)
|
|
12
12
|
|
|
13
|
+
This analyzer uses VirusTotal Intelligence API. Pagination is supported.
|
|
14
|
+
|
|
13
15
|
```yaml
|
|
14
16
|
analyzer: virustotal_intelligence
|
|
15
17
|
query: ...
|
|
16
18
|
api_key: ...
|
|
17
19
|
```
|
|
18
20
|
|
|
19
|
-
|
|
20
|
-
|
|
21
|
-
|
|
22
|
-
|
|
21
|
+
## Components
|
|
22
|
+
|
|
23
|
+
### Query
|
|
24
|
+
|
|
25
|
+
`query` is a search query.
|
|
26
|
+
|
|
27
|
+
### API Key
|
|
28
|
+
|
|
29
|
+
`api_key` is an API key. Optional. Defaults to `ENV[”VIRUSTOTAL_API_KEY"]`.
|
data/docs/analyzers/zoomeye.md
CHANGED
|
@@ -2,7 +2,7 @@
|
|
|
2
2
|
|
|
3
3
|
- [https://zoomeye.org/](https://zoomeye.org/)
|
|
4
4
|
|
|
5
|
-
|
|
5
|
+
This analyzer uses ZoomEye API v3. Pagination is supported.
|
|
6
6
|
|
|
7
7
|
An API endpoint to use is changed based on a `type` option.
|
|
8
8
|
|
|
@@ -18,8 +18,16 @@ type: ...
|
|
|
18
18
|
api_key: ...
|
|
19
19
|
```
|
|
20
20
|
|
|
21
|
-
|
|
22
|
-
|
|
23
|
-
|
|
24
|
-
|
|
25
|
-
|
|
21
|
+
## Components
|
|
22
|
+
|
|
23
|
+
### Query
|
|
24
|
+
|
|
25
|
+
`query` is a search query.
|
|
26
|
+
|
|
27
|
+
### Type
|
|
28
|
+
|
|
29
|
+
`type` determines a search type. `web` or `host`.
|
|
30
|
+
|
|
31
|
+
### API Key
|
|
32
|
+
|
|
33
|
+
`api_key` is an API key. Optional. Defaults to `ENV[”ZOOMEYE_API_KEY"]`.
|
data/docs/configuration.md
CHANGED
|
@@ -2,34 +2,34 @@
|
|
|
2
2
|
|
|
3
3
|
Configuration can be done via environment variables.
|
|
4
4
|
|
|
5
|
-
| Environmental Variable | Description | Default
|
|
6
|
-
| ---------------------- | ------------------------------- |
|
|
7
|
-
| DATABASE_URL | Database URL | sqlite3:///mihari.db |
|
|
8
|
-
| BINARYEDGE_API_KEY | BinaryEdge API key |
|
|
9
|
-
| CENSYS_ID | Censys API ID |
|
|
10
|
-
| CENSYS_SECRET | Censys secret |
|
|
11
|
-
| CIRCL_PASSIVE_PASSWORD | CIRCL passive DNS/SSL password |
|
|
12
|
-
| CIRCL_PASSIVE_USERNAME | CIRCL passive DNS/SSL username, |
|
|
13
|
-
| IPINFO_API_KEY | IPInfo API key (token) |
|
|
14
|
-
| MISP_URL | MISP URL |
|
|
15
|
-
| MISP_API_KEY | MISP API key |
|
|
16
|
-
| ONYPHE_API_KEY | Onyphe API key |
|
|
17
|
-
| OTX_API_KEY | OTX API key |
|
|
18
|
-
| PASSIVETOTAL_API_KEY | PassiveTotal API key |
|
|
19
|
-
| PASSIVETOTAL_USERNAME | PassiveTotal username |
|
|
20
|
-
| PULSEDIVE_API_KEY | Pulsedive API key |
|
|
21
|
-
| SECURITYTRAILS_API_KEY | SecurityTrails API key |
|
|
22
|
-
| SHODAN_API_KEY | Shodan API key |
|
|
23
|
-
| SLACK_CHANNEL | Slack channel name |
|
|
24
|
-
| SLACK_WEBHOOK_URL | Slack Webhook URL |
|
|
25
|
-
| THEHIVE_URL | TheHive URL, |
|
|
26
|
-
| THEHIVE_API_KEY | TheHive API key, |
|
|
27
|
-
| URLSCAN_API_KEY | urlscan.io API key, |
|
|
28
|
-
| VIRUSTOTAL_API_KEY | VirusTotal API key |
|
|
29
|
-
| ZOOMEYE_API_KEY | ZoomEye API key |
|
|
30
|
-
| SENTRY_DSN | Sentry DSN |
|
|
31
|
-
| RETRY_INTERVAL | Retry interval | 5
|
|
32
|
-
| RETRY_TIMES | Retry times | 3
|
|
33
|
-
| PAGINATION_LIMIT | Pagination limit | 100
|
|
5
|
+
| Environmental Variable | Description | Default |
|
|
6
|
+
| ---------------------- | ------------------------------- | ---------------------- |
|
|
7
|
+
| DATABASE_URL | Database URL | `sqlite3:///mihari.db` |
|
|
8
|
+
| BINARYEDGE_API_KEY | BinaryEdge API key | |
|
|
9
|
+
| CENSYS_ID | Censys API ID | |
|
|
10
|
+
| CENSYS_SECRET | Censys secret | |
|
|
11
|
+
| CIRCL_PASSIVE_PASSWORD | CIRCL passive DNS/SSL password | |
|
|
12
|
+
| CIRCL_PASSIVE_USERNAME | CIRCL passive DNS/SSL username, | |
|
|
13
|
+
| IPINFO_API_KEY | IPInfo API key (token) | |
|
|
14
|
+
| MISP_URL | MISP URL | |
|
|
15
|
+
| MISP_API_KEY | MISP API key | |
|
|
16
|
+
| ONYPHE_API_KEY | Onyphe API key | |
|
|
17
|
+
| OTX_API_KEY | OTX API key | |
|
|
18
|
+
| PASSIVETOTAL_API_KEY | PassiveTotal API key | |
|
|
19
|
+
| PASSIVETOTAL_USERNAME | PassiveTotal username | |
|
|
20
|
+
| PULSEDIVE_API_KEY | Pulsedive API key | |
|
|
21
|
+
| SECURITYTRAILS_API_KEY | SecurityTrails API key | |
|
|
22
|
+
| SHODAN_API_KEY | Shodan API key | |
|
|
23
|
+
| SLACK_CHANNEL | Slack channel name | `#general` |
|
|
24
|
+
| SLACK_WEBHOOK_URL | Slack Webhook URL | |
|
|
25
|
+
| THEHIVE_URL | TheHive URL, | |
|
|
26
|
+
| THEHIVE_API_KEY | TheHive API key, | |
|
|
27
|
+
| URLSCAN_API_KEY | urlscan.io API key, | |
|
|
28
|
+
| VIRUSTOTAL_API_KEY | VirusTotal API key | |
|
|
29
|
+
| ZOOMEYE_API_KEY | ZoomEye API key | |
|
|
30
|
+
| SENTRY_DSN | Sentry DSN | |
|
|
31
|
+
| RETRY_INTERVAL | Retry interval | 5 |
|
|
32
|
+
| RETRY_TIMES | Retry times | 3 |
|
|
33
|
+
| PAGINATION_LIMIT | Pagination limit | 100 |
|
|
34
34
|
|
|
35
35
|
Or you can set values through `.env` file. Values in `.env` file will be automatically loaded.
|
data/docs/emitters/hive.md
CHANGED
|
@@ -11,8 +11,16 @@ api_key: ...
|
|
|
11
11
|
api_version: ...
|
|
12
12
|
```
|
|
13
13
|
|
|
14
|
-
|
|
15
|
-
|
|
16
|
-
|
|
17
|
-
|
|
18
|
-
|
|
14
|
+
## Components
|
|
15
|
+
|
|
16
|
+
### URL
|
|
17
|
+
|
|
18
|
+
`url` is a TheHive URL. Optional. Defaults to `ENV[”THEHIVE_URL”]`.
|
|
19
|
+
|
|
20
|
+
### API Key
|
|
21
|
+
|
|
22
|
+
`api_key` is an API key. Optional. Defaults to `ENV[”THEHIVE_API_KEY”]`.
|
|
23
|
+
|
|
24
|
+
### API Version
|
|
25
|
+
|
|
26
|
+
`api_version` is a version of The Hive API. Optional. Defaults to `ENV[”THEHIVE_API_VERSION”]`.
|
data/docs/emitters/misp.md
CHANGED
|
@@ -10,7 +10,12 @@ url: ...
|
|
|
10
10
|
api_key: ...
|
|
11
11
|
```
|
|
12
12
|
|
|
13
|
-
|
|
14
|
-
|
|
15
|
-
|
|
16
|
-
|
|
13
|
+
## Components
|
|
14
|
+
|
|
15
|
+
### URL
|
|
16
|
+
|
|
17
|
+
`url` is a MISP URL. Optional. Defaults to `ENV[MISP_URL]`.
|
|
18
|
+
|
|
19
|
+
### API Key
|
|
20
|
+
|
|
21
|
+
`api_key` is an API key. Optional. Defaults to `ENV[”MISP_API_KEY”]`.
|
data/docs/emitters/slack.md
CHANGED
|
@@ -14,3 +14,13 @@ channel: ...
|
|
|
14
14
|
| ----------- | ------ | --------- | ------------------------------- | ----------------- |
|
|
15
15
|
| webhook_url | String | No | ENV[SLACK_WEBHOOK_URL] | Slack webhook URL |
|
|
16
16
|
| channel | String | No | ENV[SLACK_CHANNEL] / `#general` | Slack channel |
|
|
17
|
+
|
|
18
|
+
## Components
|
|
19
|
+
|
|
20
|
+
### Webhook URL
|
|
21
|
+
|
|
22
|
+
`url` is a Slack's incoming webhook URL. Optional. Defaults to `ENV[SLACK_WEBHOOK_URL]`.
|
|
23
|
+
|
|
24
|
+
### API Key
|
|
25
|
+
|
|
26
|
+
`channel` is a Slack channel to sent a message. Optional. Defaults to `ENV[SLACK_CHANNEL]` or `#general`.
|
data/docs/emitters/webhook.md
CHANGED
|
@@ -10,32 +10,32 @@ headers: ...
|
|
|
10
10
|
template: ...
|
|
11
11
|
```
|
|
12
12
|
|
|
13
|
-
|
|
14
|
-
| -------- | ------ | --------- | ------- | ---------------------------------------------------- |
|
|
15
|
-
| url | String | Yes | | URL |
|
|
16
|
-
| method | String | No | POST | HTTP request method (GET or POST) |
|
|
17
|
-
| headers | Hash | No | | HTTP request headers |
|
|
18
|
-
| template | String | No | | ERB template to customize the payload in JSON format |
|
|
13
|
+
## Components
|
|
19
14
|
|
|
20
|
-
|
|
15
|
+
### URL
|
|
21
16
|
|
|
22
|
-
|
|
17
|
+
`url` is a webhook URL.
|
|
23
18
|
|
|
24
|
-
|
|
19
|
+
### Method
|
|
25
20
|
|
|
26
|
-
|
|
21
|
+
`method` is an HTTP method. Optional. Defaults to `POST`.
|
|
27
22
|
|
|
28
|
-
|
|
29
|
-
| ----------- | ----------------------- | ------- | ------------ |
|
|
30
|
-
| title | String | | |
|
|
31
|
-
| description | String | | |
|
|
32
|
-
| source | String | | ID of a rule |
|
|
33
|
-
| tags | Array<String> | [] | |
|
|
34
|
-
| artifacts | Array<Mihari::Artifact> | | |
|
|
23
|
+
### Headers
|
|
35
24
|
|
|
36
|
-
|
|
25
|
+
`headers` (hash) is HTTP headers. Optional.
|
|
37
26
|
|
|
38
|
-
|
|
27
|
+
### Template
|
|
28
|
+
|
|
29
|
+
`template` is an [ERB](https://github.com/ruby/erb) template to customize the payload to sent. A template should generate a valid JSON.
|
|
30
|
+
|
|
31
|
+
You can use the following parameters inside an ERB template.
|
|
32
|
+
|
|
33
|
+
- `rule`: a rule
|
|
34
|
+
- `artifacts`: a list of artifacts
|
|
35
|
+
|
|
36
|
+
## Examples
|
|
37
|
+
|
|
38
|
+
### ThreatFox
|
|
39
39
|
|
|
40
40
|
```yaml
|
|
41
41
|
- emitter: webhook
|
data/docs/rule.md
CHANGED
|
@@ -20,6 +20,10 @@ An artifact has five types:
|
|
|
20
20
|
|
|
21
21
|
An alert can have multiple artifacts bundled by a rule.
|
|
22
22
|
|
|
23
|
+
!!! note
|
|
24
|
+
|
|
25
|
+
A rule is assumed to be executed multiple times continuously. An alert generated by a rule will only have new findings at that time.
|
|
26
|
+
|
|
23
27
|
Let's break down the following example:
|
|
24
28
|
|
|
25
29
|
```yaml
|
|
@@ -60,45 +64,47 @@ data_types:
|
|
|
60
64
|
falsepositives: []
|
|
61
65
|
```
|
|
62
66
|
|
|
63
|
-
##
|
|
67
|
+
## Components
|
|
68
|
+
|
|
69
|
+
### ID
|
|
64
70
|
|
|
65
71
|
`id` is an unique ID of a rule. UUID v4 is recommended.
|
|
66
72
|
|
|
67
|
-
|
|
73
|
+
### Title
|
|
68
74
|
|
|
69
75
|
`title` is a title of a rule.
|
|
70
76
|
|
|
71
|
-
|
|
77
|
+
### Description
|
|
72
78
|
|
|
73
79
|
`description` is a short description of a rule.
|
|
74
80
|
|
|
75
|
-
|
|
81
|
+
### Created/Updated On
|
|
76
82
|
|
|
77
83
|
`created_on` is a date of a rule creation. Optional.
|
|
78
84
|
Also a rule can have `updated_on` that is a date of a rule modification. Optional.
|
|
79
85
|
|
|
80
|
-
|
|
86
|
+
### Tags
|
|
81
87
|
|
|
82
88
|
`tags` is a list of tags of a rule.
|
|
83
89
|
|
|
84
|
-
|
|
90
|
+
### Author
|
|
85
91
|
|
|
86
92
|
`author` is an author of a rule. Optional.
|
|
87
93
|
|
|
88
|
-
|
|
94
|
+
### References
|
|
89
95
|
|
|
90
96
|
`references` is a list of a references of a rule. Optional.
|
|
91
97
|
|
|
92
|
-
|
|
98
|
+
### Related
|
|
93
99
|
|
|
94
100
|
`related` is a list of related rule IDs. Optional.
|
|
95
101
|
|
|
96
|
-
|
|
102
|
+
### Queries
|
|
97
103
|
|
|
98
104
|
`queries` is a list of queries/analyzers.
|
|
99
105
|
See [Analyzers](./analyzers/index.md) to know details of each analyzer.
|
|
100
106
|
|
|
101
|
-
|
|
107
|
+
### Enrichers
|
|
102
108
|
|
|
103
109
|
`enrichers` is a list of enrichers.
|
|
104
110
|
See [Enrichers](./enrichers/index.md) to know details of each enricher.
|
|
@@ -110,7 +116,7 @@ Defaults to:
|
|
|
110
116
|
- `shodan`
|
|
111
117
|
- `whois`
|
|
112
118
|
|
|
113
|
-
|
|
119
|
+
### Emitters
|
|
114
120
|
|
|
115
121
|
`emitters` is a list of emitters.
|
|
116
122
|
See [Emitters](./emitters/index.md) to know details of each emitter.
|
|
@@ -122,7 +128,7 @@ Defaults to:
|
|
|
122
128
|
- `slack`
|
|
123
129
|
- `the_hive`
|
|
124
130
|
|
|
125
|
-
|
|
131
|
+
### Data Types
|
|
126
132
|
|
|
127
133
|
`data_types` is a list of data (artifact) types to allow by a rule. Types not defined in here will be automatically rejected.
|
|
128
134
|
|
|
@@ -134,11 +140,11 @@ Defaults to:
|
|
|
134
140
|
- `mail`
|
|
135
141
|
- `hash`
|
|
136
142
|
|
|
137
|
-
|
|
143
|
+
### False positives
|
|
138
144
|
|
|
139
145
|
`falsepositives` is a list of false positive values. A string or regexp can be used in here.
|
|
140
146
|
|
|
141
|
-
|
|
147
|
+
### Artifact TTL
|
|
142
148
|
|
|
143
149
|
`artifact_ttl` (alias: `artifact_lifetime`) is an integer value of artifact TTL (Time-To-Live) in seconds.
|
|
144
150
|
|
|
@@ -15,7 +15,7 @@ module Mihari
|
|
|
15
15
|
# @return [Hash, nil]
|
|
16
16
|
attr_reader :params
|
|
17
17
|
|
|
18
|
-
# @return [Hash
|
|
18
|
+
# @return [Hash]
|
|
19
19
|
attr_reader :headers
|
|
20
20
|
|
|
21
21
|
# @return [String]
|
|
@@ -31,17 +31,17 @@ module Mihari
|
|
|
31
31
|
# @param [String] query
|
|
32
32
|
# @param [Hash, nil] options
|
|
33
33
|
# @param [String] method
|
|
34
|
-
# @param [Hash] headers
|
|
35
|
-
# @param [Hash] params
|
|
36
|
-
# @param [Hash] json
|
|
37
|
-
# @param [Hash] data
|
|
34
|
+
# @param [Hash, nil] headers
|
|
35
|
+
# @param [Hash, nil] params
|
|
36
|
+
# @param [Hash, nil] json
|
|
37
|
+
# @param [Hash, nil] data
|
|
38
38
|
# @param [String] selector
|
|
39
39
|
#
|
|
40
|
-
def initialize(query, options: nil, method: "GET", headers:
|
|
40
|
+
def initialize(query, options: nil, method: "GET", headers: nil, params: nil, json: nil, data: nil, selector: "")
|
|
41
41
|
super(query, options: options)
|
|
42
42
|
|
|
43
43
|
@method = method
|
|
44
|
-
@headers = headers
|
|
44
|
+
@headers = headers || {}
|
|
45
45
|
@params = params
|
|
46
46
|
@json = json
|
|
47
47
|
@data = data
|
data/lib/mihari/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: mihari
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 5.4.
|
|
4
|
+
version: 5.4.6
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Manabu Niseki
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: exe
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2023-
|
|
11
|
+
date: 2023-10-01 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: bundler
|