mihari 5.4.5 → 5.4.6
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/docs/analyzers/binaryedge.md +10 -5
- data/docs/analyzers/censys.md +14 -6
- data/docs/analyzers/circl.md +13 -5
- data/docs/analyzers/crtsh.md +7 -6
- data/docs/analyzers/dnstwister.md +5 -3
- data/docs/analyzers/feed.md +44 -20
- data/docs/analyzers/greynoise.md +10 -5
- data/docs/analyzers/hunterhow.md +15 -7
- data/docs/analyzers/onyphe.md +9 -4
- data/docs/analyzers/otx.md +10 -5
- data/docs/analyzers/passivetotal.md +17 -5
- data/docs/analyzers/pulsedive.md +9 -4
- data/docs/analyzers/securitytrails.md +9 -4
- data/docs/analyzers/shodan.md +10 -5
- data/docs/analyzers/urlscan.md +10 -5
- data/docs/analyzers/virustotal.md +10 -5
- data/docs/analyzers/virustotal_intelligence.md +11 -4
- data/docs/analyzers/zoomeye.md +14 -6
- data/docs/configuration.md +29 -29
- data/docs/emitters/hive.md +13 -5
- data/docs/emitters/misp.md +9 -4
- data/docs/emitters/slack.md +10 -0
- data/docs/emitters/webhook.md +19 -19
- data/docs/rule.md +20 -14
- data/lib/mihari/analyzers/feed.rb +7 -7
- data/lib/mihari/version.rb +1 -1
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 685244b2cf09a001eacff1c1e0fa1e4fecb44e8affee30dd2bd7914e65cba594
|
|
4
|
+
data.tar.gz: 427285d6992f44011dee5b0038c79da4b0b0958062869b1547d36190d1b27656
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 06e99eed502d4df71a79104a7dc1d29bed954866dd3523971f1883316dec2eb74ffdff1f78df64e711ffb65f92e4474e7b45b4057e5e8e84295e4a2677b87dd4
|
|
7
|
+
data.tar.gz: 434ede07d0f8c50626bc975f5c0278013ae7bd989e90c7ccbf8d8f031c93e1313fa9d8fffc17d21f1aaf6893b41a027087ef78f3d523461b857038aee0a8d1b4
|
|
@@ -7,7 +7,7 @@ tags:
|
|
|
7
7
|
|
|
8
8
|
- [https://www.binaryedge.io/](https://www.binaryedge.io/)
|
|
9
9
|
|
|
10
|
-
This analyzer uses [BinaryEdge API V2](https://docs.binaryedge.io/api-v2/)
|
|
10
|
+
This analyzer uses [BinaryEdge API V2](https://docs.binaryedge.io/api-v2/) (`/v2/query/search`) to search. Pagination is supported.
|
|
11
11
|
|
|
12
12
|
```yaml
|
|
13
13
|
analyzer: binaryedge
|
|
@@ -15,7 +15,12 @@ query: ...
|
|
|
15
15
|
api_key: ...
|
|
16
16
|
```
|
|
17
17
|
|
|
18
|
-
|
|
19
|
-
|
|
20
|
-
|
|
21
|
-
|
|
18
|
+
## Components
|
|
19
|
+
|
|
20
|
+
### Query
|
|
21
|
+
|
|
22
|
+
`query` is a search query.
|
|
23
|
+
|
|
24
|
+
### API Key
|
|
25
|
+
|
|
26
|
+
`api_key` is an API key. Optional. Defaults to `ENV[”BINARYEDGE_API_KEY"]`.
|
data/docs/analyzers/censys.md
CHANGED
|
@@ -7,7 +7,7 @@ tags:
|
|
|
7
7
|
|
|
8
8
|
- [https://censys.io/](https://censys.io/)
|
|
9
9
|
|
|
10
|
-
|
|
10
|
+
This analyzer uses [Censys Search 2.0 REST API](https://search.censys.io/api) to search. Pagination is supported.
|
|
11
11
|
|
|
12
12
|
```yaml
|
|
13
13
|
analyzer: censys
|
|
@@ -16,8 +16,16 @@ id: ...
|
|
|
16
16
|
secret: ...
|
|
17
17
|
```
|
|
18
18
|
|
|
19
|
-
|
|
20
|
-
|
|
21
|
-
|
|
22
|
-
|
|
23
|
-
|
|
19
|
+
## Components
|
|
20
|
+
|
|
21
|
+
### Query
|
|
22
|
+
|
|
23
|
+
`query` is a search query.
|
|
24
|
+
|
|
25
|
+
### ID
|
|
26
|
+
|
|
27
|
+
`id` is a Cencys ID. Optional. Defaults to `ENV[”CENSYS_ID”]`.
|
|
28
|
+
|
|
29
|
+
### Secret
|
|
30
|
+
|
|
31
|
+
`secret` is a Cencys secret. Optional. Defaults to `ENV[”CENSYS_SECRET”]`.
|
data/docs/analyzers/circl.md
CHANGED
|
@@ -22,8 +22,16 @@ password: ...
|
|
|
22
22
|
username: ...
|
|
23
23
|
```
|
|
24
24
|
|
|
25
|
-
|
|
26
|
-
|
|
27
|
-
|
|
28
|
-
|
|
29
|
-
|
|
25
|
+
## Components
|
|
26
|
+
|
|
27
|
+
### Query
|
|
28
|
+
|
|
29
|
+
`query` is a domain or SHA1 certificate fingerprint.
|
|
30
|
+
|
|
31
|
+
### Username
|
|
32
|
+
|
|
33
|
+
`username` is a username. Optional. Defaults to `ENV[”CIRCL_PASSIVE_USERNAME”]`.
|
|
34
|
+
|
|
35
|
+
### Password
|
|
36
|
+
|
|
37
|
+
`password` is a password. Optional. Defaults to `ENV[”CIRCL_PASSIVE_PASSWORD”]`.
|
data/docs/analyzers/crtsh.md
CHANGED
|
@@ -15,11 +15,12 @@ query: ...
|
|
|
15
15
|
exclude_expired: ...
|
|
16
16
|
```
|
|
17
17
|
|
|
18
|
-
|
|
19
|
-
| --------------- | ------------------ | ------- | ----------------------------------------- |
|
|
20
|
-
| query | String | | Search query |
|
|
21
|
-
| exclude_expired | Boolean (optional) | True | Whether to exclude expired domains or not |
|
|
18
|
+
## Components
|
|
22
19
|
|
|
23
|
-
|
|
20
|
+
### Query
|
|
24
21
|
|
|
25
|
-
|
|
22
|
+
`query` is a search query.
|
|
23
|
+
|
|
24
|
+
### Exclude Expired
|
|
25
|
+
|
|
26
|
+
`exclude_expired` (boolean) determines whether to exclude expired domains or not. Optional. Defaults to `true`.
|
|
@@ -14,9 +14,11 @@ analyzer: dnstwister
|
|
|
14
14
|
query: ...
|
|
15
15
|
```
|
|
16
16
|
|
|
17
|
-
|
|
18
|
-
|
|
19
|
-
|
|
17
|
+
## Components
|
|
18
|
+
|
|
19
|
+
### Query
|
|
20
|
+
|
|
21
|
+
`query` is a search query.
|
|
20
22
|
|
|
21
23
|
!!! tip
|
|
22
24
|
|
data/docs/analyzers/feed.md
CHANGED
|
@@ -7,40 +7,64 @@ Note that you should write a selector to get proper IoCs from a feed. A selector
|
|
|
7
7
|
```yaml
|
|
8
8
|
analyzer: feed
|
|
9
9
|
query: ...
|
|
10
|
-
http_request_method: ...
|
|
11
|
-
http_request_payload: ...
|
|
12
|
-
http_request_payload_type: ...
|
|
13
|
-
http_request_headers: ...
|
|
14
10
|
selector: ...
|
|
11
|
+
method: ...
|
|
12
|
+
headers: ...
|
|
13
|
+
params: ...
|
|
14
|
+
data: ...
|
|
15
|
+
json: ...
|
|
15
16
|
```
|
|
16
17
|
|
|
17
|
-
|
|
18
|
-
|
|
19
|
-
|
|
20
|
-
|
|
21
|
-
|
|
22
|
-
|
|
23
|
-
|
|
24
|
-
|
|
18
|
+
## Components
|
|
19
|
+
|
|
20
|
+
### Query
|
|
21
|
+
|
|
22
|
+
`query` is a URL of a feed.
|
|
23
|
+
|
|
24
|
+
!!! note
|
|
25
|
+
|
|
26
|
+
I know this is a strange naming. It's just for keeping the convention with other analyzers.
|
|
27
|
+
|
|
28
|
+
### Method
|
|
29
|
+
|
|
30
|
+
`method` is an HTTP method. Defaults to `GET`.
|
|
31
|
+
|
|
32
|
+
### Selector
|
|
33
|
+
|
|
34
|
+
`selector` is a `jr` selector.
|
|
35
|
+
|
|
36
|
+
### Headers
|
|
37
|
+
|
|
38
|
+
`headers` (hash) is an HTTP headers. Optional.
|
|
39
|
+
|
|
40
|
+
### Params
|
|
41
|
+
|
|
42
|
+
`params` (hash) is an HTTP query params. Optional.
|
|
43
|
+
|
|
44
|
+
### Data
|
|
45
|
+
|
|
46
|
+
`data` (hash) is an HTTP form data. Optional.
|
|
47
|
+
|
|
48
|
+
### JSON
|
|
49
|
+
|
|
50
|
+
`json` (hash) is an JSON body. Optional.
|
|
25
51
|
|
|
26
52
|
## Examples
|
|
27
53
|
|
|
28
|
-
|
|
54
|
+
### ThreatFox
|
|
29
55
|
|
|
30
56
|
```yaml
|
|
31
57
|
analyzer: feed
|
|
32
58
|
query: "https://threatfox-api.abuse.ch/api/v1/"
|
|
33
|
-
|
|
34
|
-
|
|
35
|
-
query:
|
|
59
|
+
method: POST
|
|
60
|
+
json:
|
|
61
|
+
query: get_iocs
|
|
36
62
|
days: 1
|
|
37
|
-
|
|
38
|
-
http_request_headers:
|
|
39
|
-
"api-key": "YOUR_API_KEY"
|
|
63
|
+
headers:
|
|
40
64
|
selector: "map(&:data).unwrap.map(&:ioc).map { |v| v.start_with?('http://', 'https://') ? v : v.split(':').first }"
|
|
41
65
|
```
|
|
42
66
|
|
|
43
|
-
|
|
67
|
+
### URLhaus
|
|
44
68
|
|
|
45
69
|
```yaml
|
|
46
70
|
analyzer: feed
|
data/docs/analyzers/greynoise.md
CHANGED
|
@@ -7,7 +7,7 @@ tags:
|
|
|
7
7
|
|
|
8
8
|
- [https://www.greynoise.io/](https://www.greynoise.io/)
|
|
9
9
|
|
|
10
|
-
This analyzer uses GreyNoise API
|
|
10
|
+
This analyzer uses GreyNoise API (`/v2/experimental/gnql`) to search. Pagination is supported.
|
|
11
11
|
|
|
12
12
|
```yaml
|
|
13
13
|
analyzer: greynoise
|
|
@@ -15,7 +15,12 @@ query: ...
|
|
|
15
15
|
api_key: ...
|
|
16
16
|
```
|
|
17
17
|
|
|
18
|
-
|
|
19
|
-
|
|
20
|
-
|
|
21
|
-
|
|
18
|
+
## Components
|
|
19
|
+
|
|
20
|
+
### Query
|
|
21
|
+
|
|
22
|
+
`query` is a GNQL search query.
|
|
23
|
+
|
|
24
|
+
### API Key
|
|
25
|
+
|
|
26
|
+
`api_key` is an API key. Optional. Defaults to `ENV[”GREYNOISE_API_KEY"]`.
|
data/docs/analyzers/hunterhow.md
CHANGED
|
@@ -7,7 +7,7 @@ tags:
|
|
|
7
7
|
|
|
8
8
|
- [https://hunter.how/](https://hunter.how/)
|
|
9
9
|
|
|
10
|
-
This analyzer uses `https://api.hunter.how/search`
|
|
10
|
+
This analyzer uses Hunter How API (`https://api.hunter.how/search`) to search. Pagination is supported.
|
|
11
11
|
|
|
12
12
|
```yaml
|
|
13
13
|
analyzer: hunterhow
|
|
@@ -17,9 +17,17 @@ start_time: ...
|
|
|
17
17
|
end_time: ...
|
|
18
18
|
```
|
|
19
19
|
|
|
20
|
-
|
|
21
|
-
|
|
22
|
-
|
|
23
|
-
|
|
24
|
-
|
|
25
|
-
|
|
20
|
+
## Components
|
|
21
|
+
|
|
22
|
+
### Query
|
|
23
|
+
|
|
24
|
+
`query` is a search query.
|
|
25
|
+
|
|
26
|
+
### Start/End Time
|
|
27
|
+
|
|
28
|
+
- `start_time` (date): Only show results after the given date.
|
|
29
|
+
- `end_time` (date): Only show results after the given date.
|
|
30
|
+
|
|
31
|
+
### API key
|
|
32
|
+
|
|
33
|
+
`api_key` is an API key. Optional. Defaults to `ENV[”HUNTERHOW_API_KEY"]`.
|
data/docs/analyzers/onyphe.md
CHANGED
|
@@ -15,7 +15,12 @@ query: ...
|
|
|
15
15
|
api_key: ...
|
|
16
16
|
```
|
|
17
17
|
|
|
18
|
-
|
|
19
|
-
|
|
20
|
-
|
|
21
|
-
|
|
18
|
+
## Components
|
|
19
|
+
|
|
20
|
+
### Query
|
|
21
|
+
|
|
22
|
+
`query` is a search query.
|
|
23
|
+
|
|
24
|
+
### API Key
|
|
25
|
+
|
|
26
|
+
`api_key` is an API key. Optional. Defaults to `ENV[”ONYPHE_API_KEY”"]`.
|
data/docs/analyzers/otx.md
CHANGED
|
@@ -9,7 +9,7 @@ tags:
|
|
|
9
9
|
|
|
10
10
|
- [https://otx.alienvault.com/](https://otx.alienvault.com/dashboard/new)
|
|
11
11
|
|
|
12
|
-
This analyzer uses [OTX API v1](https://otx.alienvault.com/api) (`/api/v1/indicators/`) API
|
|
12
|
+
This analyzer uses [OTX API v1](https://otx.alienvault.com/api) (`/api/v1/indicators/`) API to search.
|
|
13
13
|
|
|
14
14
|
```yaml
|
|
15
15
|
analyzer: otx
|
|
@@ -17,7 +17,12 @@ query: ...
|
|
|
17
17
|
api_key: ...
|
|
18
18
|
```
|
|
19
19
|
|
|
20
|
-
|
|
21
|
-
|
|
22
|
-
|
|
23
|
-
|
|
20
|
+
## Components
|
|
21
|
+
|
|
22
|
+
### Query
|
|
23
|
+
|
|
24
|
+
`query` is a passive DNS search query. Domain or IP address.
|
|
25
|
+
|
|
26
|
+
### API Key
|
|
27
|
+
|
|
28
|
+
`api_key` is an API key. Optional. Defaults to `ENV[”OTX_API_KEY”"]`.
|
|
@@ -29,8 +29,20 @@ username: ...
|
|
|
29
29
|
api_key: ...
|
|
30
30
|
```
|
|
31
31
|
|
|
32
|
-
|
|
33
|
-
|
|
34
|
-
|
|
35
|
-
|
|
36
|
-
|
|
32
|
+
## Components
|
|
33
|
+
|
|
34
|
+
### Query
|
|
35
|
+
|
|
36
|
+
`query` is a passive DNS/SSL or reverse whois search query. Domain, IP address, mail or SHA1 certificate fingerprint.
|
|
37
|
+
|
|
38
|
+
- Passive DNS: Domain, IP Address
|
|
39
|
+
- Passive SSL: SHA1 certificate fingerprint
|
|
40
|
+
- Reverse whois: mail
|
|
41
|
+
|
|
42
|
+
### Username
|
|
43
|
+
|
|
44
|
+
`username` is a username. Optional. Defaults to `ENV[”PASSIVETOTAL_USERNAME"]`.
|
|
45
|
+
|
|
46
|
+
### API Key
|
|
47
|
+
|
|
48
|
+
`api_key` is an API key. Optional. Defaults to `ENV[”PASSIVETOTAL_API_KEY"]`.
|
data/docs/analyzers/pulsedive.md
CHANGED
|
@@ -17,7 +17,12 @@ query: ...
|
|
|
17
17
|
api_key: ...
|
|
18
18
|
```
|
|
19
19
|
|
|
20
|
-
|
|
21
|
-
|
|
22
|
-
|
|
23
|
-
|
|
20
|
+
## Components
|
|
21
|
+
|
|
22
|
+
### Query
|
|
23
|
+
|
|
24
|
+
`query` is a passive DNS search query. Domain or IP address.
|
|
25
|
+
|
|
26
|
+
### API Key
|
|
27
|
+
|
|
28
|
+
`api_key` is an API key. Optional. Defaults to `ENV[”PULSEDIVE_API_KEY"]`.
|
|
@@ -26,7 +26,12 @@ query: ...
|
|
|
26
26
|
api_key: ...
|
|
27
27
|
```
|
|
28
28
|
|
|
29
|
-
|
|
30
|
-
|
|
31
|
-
|
|
32
|
-
|
|
29
|
+
## Components
|
|
30
|
+
|
|
31
|
+
### Query
|
|
32
|
+
|
|
33
|
+
`query` is a passive DNS search/reverse whois query. Domain, IP address or mail.
|
|
34
|
+
|
|
35
|
+
### API Key
|
|
36
|
+
|
|
37
|
+
`api_key` is an API key. Optional. Defaults to `ENV[”SECURITYTRAILS_API_KEY"]`.
|
data/docs/analyzers/shodan.md
CHANGED
|
@@ -7,7 +7,7 @@ tags:
|
|
|
7
7
|
|
|
8
8
|
- [https://shodan.io/](https://shodan.io/)
|
|
9
9
|
|
|
10
|
-
This analyzer uses [Shodan REST AP](https://developer.shodan.io/api) (`/shodan/host/search`) API to search.
|
|
10
|
+
This analyzer uses [Shodan REST AP](https://developer.shodan.io/api) (`/shodan/host/search`) API to search. Pagination is supported.
|
|
11
11
|
|
|
12
12
|
```yaml
|
|
13
13
|
analyzer: shodan
|
|
@@ -15,7 +15,12 @@ query: ...
|
|
|
15
15
|
api_key: ...
|
|
16
16
|
```
|
|
17
17
|
|
|
18
|
-
|
|
19
|
-
|
|
20
|
-
|
|
21
|
-
|
|
18
|
+
## Components
|
|
19
|
+
|
|
20
|
+
### Query
|
|
21
|
+
|
|
22
|
+
`query` is a search query.
|
|
23
|
+
|
|
24
|
+
### API Key
|
|
25
|
+
|
|
26
|
+
`api_key` is an API key. Optional. Defaults to `ENV[”SHODAN_API_KEY"]`.
|
data/docs/analyzers/urlscan.md
CHANGED
|
@@ -9,7 +9,7 @@ tags:
|
|
|
9
9
|
|
|
10
10
|
- [https://urlscan.io/](https://urlscan.io/)
|
|
11
11
|
|
|
12
|
-
This analyzer uses [urlscan.io](http://urlscan.io) API (`/api/v1/search`) to search.
|
|
12
|
+
This analyzer uses [urlscan.io](http://urlscan.io) API (`/api/v1/search`) to search. Pagination is supported.
|
|
13
13
|
|
|
14
14
|
```yaml
|
|
15
15
|
analyzer: urlscan
|
|
@@ -17,7 +17,12 @@ query: ...
|
|
|
17
17
|
api_key: ...
|
|
18
18
|
```
|
|
19
19
|
|
|
20
|
-
|
|
21
|
-
|
|
22
|
-
|
|
23
|
-
|
|
20
|
+
## Components
|
|
21
|
+
|
|
22
|
+
### Query
|
|
23
|
+
|
|
24
|
+
`query` is a search query.
|
|
25
|
+
|
|
26
|
+
### API Key
|
|
27
|
+
|
|
28
|
+
`api_key` is an API key. Optional. Defaults to `ENV[”URLSCAN_API_KEY"]`.
|
|
@@ -9,7 +9,7 @@ tags:
|
|
|
9
9
|
|
|
10
10
|
- [https://www.virustotal.com](https://www.virustotal.com/gui/home/search)
|
|
11
11
|
|
|
12
|
-
|
|
12
|
+
This analyzer uses VirusTotal API v3.
|
|
13
13
|
|
|
14
14
|
An API endpoint to use is changed based on a type of a query.
|
|
15
15
|
|
|
@@ -28,7 +28,12 @@ query: ...
|
|
|
28
28
|
api_key: ...
|
|
29
29
|
```
|
|
30
30
|
|
|
31
|
-
|
|
32
|
-
|
|
33
|
-
|
|
34
|
-
|
|
31
|
+
## Components
|
|
32
|
+
|
|
33
|
+
### Query
|
|
34
|
+
|
|
35
|
+
`query` is a passive DNS search query. Domain or IP address.
|
|
36
|
+
|
|
37
|
+
### API Key
|
|
38
|
+
|
|
39
|
+
`api_key` is an API key. Optional. Defaults to `ENV[”VIRUSTOTAL_API_KEY"]`.
|
|
@@ -10,13 +10,20 @@ tags:
|
|
|
10
10
|
|
|
11
11
|
- [https://www.virustotal.com](https://www.virustotal.com/gui/home/search)
|
|
12
12
|
|
|
13
|
+
This analyzer uses VirusTotal Intelligence API. Pagination is supported.
|
|
14
|
+
|
|
13
15
|
```yaml
|
|
14
16
|
analyzer: virustotal_intelligence
|
|
15
17
|
query: ...
|
|
16
18
|
api_key: ...
|
|
17
19
|
```
|
|
18
20
|
|
|
19
|
-
|
|
20
|
-
|
|
21
|
-
|
|
22
|
-
|
|
21
|
+
## Components
|
|
22
|
+
|
|
23
|
+
### Query
|
|
24
|
+
|
|
25
|
+
`query` is a search query.
|
|
26
|
+
|
|
27
|
+
### API Key
|
|
28
|
+
|
|
29
|
+
`api_key` is an API key. Optional. Defaults to `ENV[”VIRUSTOTAL_API_KEY"]`.
|
data/docs/analyzers/zoomeye.md
CHANGED
|
@@ -2,7 +2,7 @@
|
|
|
2
2
|
|
|
3
3
|
- [https://zoomeye.org/](https://zoomeye.org/)
|
|
4
4
|
|
|
5
|
-
|
|
5
|
+
This analyzer uses ZoomEye API v3. Pagination is supported.
|
|
6
6
|
|
|
7
7
|
An API endpoint to use is changed based on a `type` option.
|
|
8
8
|
|
|
@@ -18,8 +18,16 @@ type: ...
|
|
|
18
18
|
api_key: ...
|
|
19
19
|
```
|
|
20
20
|
|
|
21
|
-
|
|
22
|
-
|
|
23
|
-
|
|
24
|
-
|
|
25
|
-
|
|
21
|
+
## Components
|
|
22
|
+
|
|
23
|
+
### Query
|
|
24
|
+
|
|
25
|
+
`query` is a search query.
|
|
26
|
+
|
|
27
|
+
### Type
|
|
28
|
+
|
|
29
|
+
`type` determines a search type. `web` or `host`.
|
|
30
|
+
|
|
31
|
+
### API Key
|
|
32
|
+
|
|
33
|
+
`api_key` is an API key. Optional. Defaults to `ENV[”ZOOMEYE_API_KEY"]`.
|
data/docs/configuration.md
CHANGED
|
@@ -2,34 +2,34 @@
|
|
|
2
2
|
|
|
3
3
|
Configuration can be done via environment variables.
|
|
4
4
|
|
|
5
|
-
| Environmental Variable | Description | Default
|
|
6
|
-
| ---------------------- | ------------------------------- |
|
|
7
|
-
| DATABASE_URL | Database URL | sqlite3:///mihari.db |
|
|
8
|
-
| BINARYEDGE_API_KEY | BinaryEdge API key |
|
|
9
|
-
| CENSYS_ID | Censys API ID |
|
|
10
|
-
| CENSYS_SECRET | Censys secret |
|
|
11
|
-
| CIRCL_PASSIVE_PASSWORD | CIRCL passive DNS/SSL password |
|
|
12
|
-
| CIRCL_PASSIVE_USERNAME | CIRCL passive DNS/SSL username, |
|
|
13
|
-
| IPINFO_API_KEY | IPInfo API key (token) |
|
|
14
|
-
| MISP_URL | MISP URL |
|
|
15
|
-
| MISP_API_KEY | MISP API key |
|
|
16
|
-
| ONYPHE_API_KEY | Onyphe API key |
|
|
17
|
-
| OTX_API_KEY | OTX API key |
|
|
18
|
-
| PASSIVETOTAL_API_KEY | PassiveTotal API key |
|
|
19
|
-
| PASSIVETOTAL_USERNAME | PassiveTotal username |
|
|
20
|
-
| PULSEDIVE_API_KEY | Pulsedive API key |
|
|
21
|
-
| SECURITYTRAILS_API_KEY | SecurityTrails API key |
|
|
22
|
-
| SHODAN_API_KEY | Shodan API key |
|
|
23
|
-
| SLACK_CHANNEL | Slack channel name |
|
|
24
|
-
| SLACK_WEBHOOK_URL | Slack Webhook URL |
|
|
25
|
-
| THEHIVE_URL | TheHive URL, |
|
|
26
|
-
| THEHIVE_API_KEY | TheHive API key, |
|
|
27
|
-
| URLSCAN_API_KEY | urlscan.io API key, |
|
|
28
|
-
| VIRUSTOTAL_API_KEY | VirusTotal API key |
|
|
29
|
-
| ZOOMEYE_API_KEY | ZoomEye API key |
|
|
30
|
-
| SENTRY_DSN | Sentry DSN |
|
|
31
|
-
| RETRY_INTERVAL | Retry interval | 5
|
|
32
|
-
| RETRY_TIMES | Retry times | 3
|
|
33
|
-
| PAGINATION_LIMIT | Pagination limit | 100
|
|
5
|
+
| Environmental Variable | Description | Default |
|
|
6
|
+
| ---------------------- | ------------------------------- | ---------------------- |
|
|
7
|
+
| DATABASE_URL | Database URL | `sqlite3:///mihari.db` |
|
|
8
|
+
| BINARYEDGE_API_KEY | BinaryEdge API key | |
|
|
9
|
+
| CENSYS_ID | Censys API ID | |
|
|
10
|
+
| CENSYS_SECRET | Censys secret | |
|
|
11
|
+
| CIRCL_PASSIVE_PASSWORD | CIRCL passive DNS/SSL password | |
|
|
12
|
+
| CIRCL_PASSIVE_USERNAME | CIRCL passive DNS/SSL username, | |
|
|
13
|
+
| IPINFO_API_KEY | IPInfo API key (token) | |
|
|
14
|
+
| MISP_URL | MISP URL | |
|
|
15
|
+
| MISP_API_KEY | MISP API key | |
|
|
16
|
+
| ONYPHE_API_KEY | Onyphe API key | |
|
|
17
|
+
| OTX_API_KEY | OTX API key | |
|
|
18
|
+
| PASSIVETOTAL_API_KEY | PassiveTotal API key | |
|
|
19
|
+
| PASSIVETOTAL_USERNAME | PassiveTotal username | |
|
|
20
|
+
| PULSEDIVE_API_KEY | Pulsedive API key | |
|
|
21
|
+
| SECURITYTRAILS_API_KEY | SecurityTrails API key | |
|
|
22
|
+
| SHODAN_API_KEY | Shodan API key | |
|
|
23
|
+
| SLACK_CHANNEL | Slack channel name | `#general` |
|
|
24
|
+
| SLACK_WEBHOOK_URL | Slack Webhook URL | |
|
|
25
|
+
| THEHIVE_URL | TheHive URL, | |
|
|
26
|
+
| THEHIVE_API_KEY | TheHive API key, | |
|
|
27
|
+
| URLSCAN_API_KEY | urlscan.io API key, | |
|
|
28
|
+
| VIRUSTOTAL_API_KEY | VirusTotal API key | |
|
|
29
|
+
| ZOOMEYE_API_KEY | ZoomEye API key | |
|
|
30
|
+
| SENTRY_DSN | Sentry DSN | |
|
|
31
|
+
| RETRY_INTERVAL | Retry interval | 5 |
|
|
32
|
+
| RETRY_TIMES | Retry times | 3 |
|
|
33
|
+
| PAGINATION_LIMIT | Pagination limit | 100 |
|
|
34
34
|
|
|
35
35
|
Or you can set values through `.env` file. Values in `.env` file will be automatically loaded.
|
data/docs/emitters/hive.md
CHANGED
|
@@ -11,8 +11,16 @@ api_key: ...
|
|
|
11
11
|
api_version: ...
|
|
12
12
|
```
|
|
13
13
|
|
|
14
|
-
|
|
15
|
-
|
|
16
|
-
|
|
17
|
-
|
|
18
|
-
|
|
14
|
+
## Components
|
|
15
|
+
|
|
16
|
+
### URL
|
|
17
|
+
|
|
18
|
+
`url` is a TheHive URL. Optional. Defaults to `ENV[”THEHIVE_URL”]`.
|
|
19
|
+
|
|
20
|
+
### API Key
|
|
21
|
+
|
|
22
|
+
`api_key` is an API key. Optional. Defaults to `ENV[”THEHIVE_API_KEY”]`.
|
|
23
|
+
|
|
24
|
+
### API Version
|
|
25
|
+
|
|
26
|
+
`api_version` is a version of The Hive API. Optional. Defaults to `ENV[”THEHIVE_API_VERSION”]`.
|
data/docs/emitters/misp.md
CHANGED
|
@@ -10,7 +10,12 @@ url: ...
|
|
|
10
10
|
api_key: ...
|
|
11
11
|
```
|
|
12
12
|
|
|
13
|
-
|
|
14
|
-
|
|
15
|
-
|
|
16
|
-
|
|
13
|
+
## Components
|
|
14
|
+
|
|
15
|
+
### URL
|
|
16
|
+
|
|
17
|
+
`url` is a MISP URL. Optional. Defaults to `ENV[MISP_URL]`.
|
|
18
|
+
|
|
19
|
+
### API Key
|
|
20
|
+
|
|
21
|
+
`api_key` is an API key. Optional. Defaults to `ENV[”MISP_API_KEY”]`.
|
data/docs/emitters/slack.md
CHANGED
|
@@ -14,3 +14,13 @@ channel: ...
|
|
|
14
14
|
| ----------- | ------ | --------- | ------------------------------- | ----------------- |
|
|
15
15
|
| webhook_url | String | No | ENV[SLACK_WEBHOOK_URL] | Slack webhook URL |
|
|
16
16
|
| channel | String | No | ENV[SLACK_CHANNEL] / `#general` | Slack channel |
|
|
17
|
+
|
|
18
|
+
## Components
|
|
19
|
+
|
|
20
|
+
### Webhook URL
|
|
21
|
+
|
|
22
|
+
`url` is a Slack's incoming webhook URL. Optional. Defaults to `ENV[SLACK_WEBHOOK_URL]`.
|
|
23
|
+
|
|
24
|
+
### API Key
|
|
25
|
+
|
|
26
|
+
`channel` is a Slack channel to sent a message. Optional. Defaults to `ENV[SLACK_CHANNEL]` or `#general`.
|
data/docs/emitters/webhook.md
CHANGED
|
@@ -10,32 +10,32 @@ headers: ...
|
|
|
10
10
|
template: ...
|
|
11
11
|
```
|
|
12
12
|
|
|
13
|
-
|
|
14
|
-
| -------- | ------ | --------- | ------- | ---------------------------------------------------- |
|
|
15
|
-
| url | String | Yes | | URL |
|
|
16
|
-
| method | String | No | POST | HTTP request method (GET or POST) |
|
|
17
|
-
| headers | Hash | No | | HTTP request headers |
|
|
18
|
-
| template | String | No | | ERB template to customize the payload in JSON format |
|
|
13
|
+
## Components
|
|
19
14
|
|
|
20
|
-
|
|
15
|
+
### URL
|
|
21
16
|
|
|
22
|
-
|
|
17
|
+
`url` is a webhook URL.
|
|
23
18
|
|
|
24
|
-
|
|
19
|
+
### Method
|
|
25
20
|
|
|
26
|
-
|
|
21
|
+
`method` is an HTTP method. Optional. Defaults to `POST`.
|
|
27
22
|
|
|
28
|
-
|
|
29
|
-
| ----------- | ----------------------- | ------- | ------------ |
|
|
30
|
-
| title | String | | |
|
|
31
|
-
| description | String | | |
|
|
32
|
-
| source | String | | ID of a rule |
|
|
33
|
-
| tags | Array<String> | [] | |
|
|
34
|
-
| artifacts | Array<Mihari::Artifact> | | |
|
|
23
|
+
### Headers
|
|
35
24
|
|
|
36
|
-
|
|
25
|
+
`headers` (hash) is HTTP headers. Optional.
|
|
37
26
|
|
|
38
|
-
|
|
27
|
+
### Template
|
|
28
|
+
|
|
29
|
+
`template` is an [ERB](https://github.com/ruby/erb) template to customize the payload to sent. A template should generate a valid JSON.
|
|
30
|
+
|
|
31
|
+
You can use the following parameters inside an ERB template.
|
|
32
|
+
|
|
33
|
+
- `rule`: a rule
|
|
34
|
+
- `artifacts`: a list of artifacts
|
|
35
|
+
|
|
36
|
+
## Examples
|
|
37
|
+
|
|
38
|
+
### ThreatFox
|
|
39
39
|
|
|
40
40
|
```yaml
|
|
41
41
|
- emitter: webhook
|
data/docs/rule.md
CHANGED
|
@@ -20,6 +20,10 @@ An artifact has five types:
|
|
|
20
20
|
|
|
21
21
|
An alert can have multiple artifacts bundled by a rule.
|
|
22
22
|
|
|
23
|
+
!!! note
|
|
24
|
+
|
|
25
|
+
A rule is assumed to be executed multiple times continuously. An alert generated by a rule will only have new findings at that time.
|
|
26
|
+
|
|
23
27
|
Let's break down the following example:
|
|
24
28
|
|
|
25
29
|
```yaml
|
|
@@ -60,45 +64,47 @@ data_types:
|
|
|
60
64
|
falsepositives: []
|
|
61
65
|
```
|
|
62
66
|
|
|
63
|
-
##
|
|
67
|
+
## Components
|
|
68
|
+
|
|
69
|
+
### ID
|
|
64
70
|
|
|
65
71
|
`id` is an unique ID of a rule. UUID v4 is recommended.
|
|
66
72
|
|
|
67
|
-
|
|
73
|
+
### Title
|
|
68
74
|
|
|
69
75
|
`title` is a title of a rule.
|
|
70
76
|
|
|
71
|
-
|
|
77
|
+
### Description
|
|
72
78
|
|
|
73
79
|
`description` is a short description of a rule.
|
|
74
80
|
|
|
75
|
-
|
|
81
|
+
### Created/Updated On
|
|
76
82
|
|
|
77
83
|
`created_on` is a date of a rule creation. Optional.
|
|
78
84
|
Also a rule can have `updated_on` that is a date of a rule modification. Optional.
|
|
79
85
|
|
|
80
|
-
|
|
86
|
+
### Tags
|
|
81
87
|
|
|
82
88
|
`tags` is a list of tags of a rule.
|
|
83
89
|
|
|
84
|
-
|
|
90
|
+
### Author
|
|
85
91
|
|
|
86
92
|
`author` is an author of a rule. Optional.
|
|
87
93
|
|
|
88
|
-
|
|
94
|
+
### References
|
|
89
95
|
|
|
90
96
|
`references` is a list of a references of a rule. Optional.
|
|
91
97
|
|
|
92
|
-
|
|
98
|
+
### Related
|
|
93
99
|
|
|
94
100
|
`related` is a list of related rule IDs. Optional.
|
|
95
101
|
|
|
96
|
-
|
|
102
|
+
### Queries
|
|
97
103
|
|
|
98
104
|
`queries` is a list of queries/analyzers.
|
|
99
105
|
See [Analyzers](./analyzers/index.md) to know details of each analyzer.
|
|
100
106
|
|
|
101
|
-
|
|
107
|
+
### Enrichers
|
|
102
108
|
|
|
103
109
|
`enrichers` is a list of enrichers.
|
|
104
110
|
See [Enrichers](./enrichers/index.md) to know details of each enricher.
|
|
@@ -110,7 +116,7 @@ Defaults to:
|
|
|
110
116
|
- `shodan`
|
|
111
117
|
- `whois`
|
|
112
118
|
|
|
113
|
-
|
|
119
|
+
### Emitters
|
|
114
120
|
|
|
115
121
|
`emitters` is a list of emitters.
|
|
116
122
|
See [Emitters](./emitters/index.md) to know details of each emitter.
|
|
@@ -122,7 +128,7 @@ Defaults to:
|
|
|
122
128
|
- `slack`
|
|
123
129
|
- `the_hive`
|
|
124
130
|
|
|
125
|
-
|
|
131
|
+
### Data Types
|
|
126
132
|
|
|
127
133
|
`data_types` is a list of data (artifact) types to allow by a rule. Types not defined in here will be automatically rejected.
|
|
128
134
|
|
|
@@ -134,11 +140,11 @@ Defaults to:
|
|
|
134
140
|
- `mail`
|
|
135
141
|
- `hash`
|
|
136
142
|
|
|
137
|
-
|
|
143
|
+
### False positives
|
|
138
144
|
|
|
139
145
|
`falsepositives` is a list of false positive values. A string or regexp can be used in here.
|
|
140
146
|
|
|
141
|
-
|
|
147
|
+
### Artifact TTL
|
|
142
148
|
|
|
143
149
|
`artifact_ttl` (alias: `artifact_lifetime`) is an integer value of artifact TTL (Time-To-Live) in seconds.
|
|
144
150
|
|
|
@@ -15,7 +15,7 @@ module Mihari
|
|
|
15
15
|
# @return [Hash, nil]
|
|
16
16
|
attr_reader :params
|
|
17
17
|
|
|
18
|
-
# @return [Hash
|
|
18
|
+
# @return [Hash]
|
|
19
19
|
attr_reader :headers
|
|
20
20
|
|
|
21
21
|
# @return [String]
|
|
@@ -31,17 +31,17 @@ module Mihari
|
|
|
31
31
|
# @param [String] query
|
|
32
32
|
# @param [Hash, nil] options
|
|
33
33
|
# @param [String] method
|
|
34
|
-
# @param [Hash] headers
|
|
35
|
-
# @param [Hash] params
|
|
36
|
-
# @param [Hash] json
|
|
37
|
-
# @param [Hash] data
|
|
34
|
+
# @param [Hash, nil] headers
|
|
35
|
+
# @param [Hash, nil] params
|
|
36
|
+
# @param [Hash, nil] json
|
|
37
|
+
# @param [Hash, nil] data
|
|
38
38
|
# @param [String] selector
|
|
39
39
|
#
|
|
40
|
-
def initialize(query, options: nil, method: "GET", headers:
|
|
40
|
+
def initialize(query, options: nil, method: "GET", headers: nil, params: nil, json: nil, data: nil, selector: "")
|
|
41
41
|
super(query, options: options)
|
|
42
42
|
|
|
43
43
|
@method = method
|
|
44
|
-
@headers = headers
|
|
44
|
+
@headers = headers || {}
|
|
45
45
|
@params = params
|
|
46
46
|
@json = json
|
|
47
47
|
@data = data
|
data/lib/mihari/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: mihari
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 5.4.
|
|
4
|
+
version: 5.4.6
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Manabu Niseki
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: exe
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2023-
|
|
11
|
+
date: 2023-10-01 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: bundler
|