RubyGems - mihari - Versions diffs - 5.6.1 → 5.7.0 - Mend

mihari 5.6.1 → 5.7.0

Files changed (153) hide show

checksums.yaml +4 -4
data/.rubocop.yml +5 -1
data/README.md +1 -0
data/config.ru +1 -1
data/docs/analyzers/fofa.md +31 -0
data/docs/analyzers/index.md +1 -0
data/frontend/package-lock.json +183 -186
data/frontend/package.json +10 -10
data/frontend/src/components/alert/Form.vue +1 -14
data/frontend/src/components/artifact/AS.vue +2 -8
data/frontend/src/components/artifact/DnsRecords.vue +2 -8
data/frontend/src/components/artifact/ReverseDnsNames.vue +2 -10
data/frontend/src/components/artifact/WhoisRecord.vue +1 -1
data/lib/mihari/{base.rb → actor.rb} +27 -3
data/lib/mihari/analyzers/base.rb +16 -20
data/lib/mihari/analyzers/binaryedge.rb +4 -1
data/lib/mihari/analyzers/censys.rb +5 -3
data/lib/mihari/analyzers/circl.rb +4 -1
data/lib/mihari/analyzers/crtsh.rb +4 -1
data/lib/mihari/analyzers/dnstwister.rb +4 -1
data/lib/mihari/analyzers/feed.rb +3 -0
data/lib/mihari/analyzers/fofa.rb +65 -0
data/lib/mihari/analyzers/greynoise.rb +4 -1
data/lib/mihari/analyzers/hunterhow.rb +7 -2
data/lib/mihari/analyzers/onyphe.rb +4 -1
data/lib/mihari/analyzers/otx.rb +4 -1
data/lib/mihari/analyzers/passivetotal.rb +5 -2
data/lib/mihari/analyzers/pulsedive.rb +4 -1
data/lib/mihari/analyzers/securitytrails.rb +5 -2
data/lib/mihari/analyzers/shodan.rb +4 -1
data/lib/mihari/analyzers/urlscan.rb +5 -2
data/lib/mihari/analyzers/virustotal.rb +9 -6
data/lib/mihari/analyzers/virustotal_intelligence.rb +4 -1
data/lib/mihari/analyzers/zoomeye.rb +8 -5
data/lib/mihari/cli/alert.rb +3 -0
data/lib/mihari/cli/base.rb +3 -0
data/lib/mihari/cli/database.rb +3 -0
data/lib/mihari/cli/main.rb +3 -0
data/lib/mihari/cli/rule.rb +3 -0
data/lib/mihari/clients/base.rb +3 -0
data/lib/mihari/clients/binaryedge.rb +5 -2
data/lib/mihari/clients/censys.rb +7 -4
data/lib/mihari/clients/circl.rb +3 -0
data/lib/mihari/clients/crtsh.rb +5 -2
data/lib/mihari/clients/dnstwister.rb +3 -0
data/lib/mihari/clients/fofa.rb +83 -0
data/lib/mihari/clients/greynoise.rb +5 -2
data/lib/mihari/clients/hunterhow.rb +5 -2
data/lib/mihari/clients/misp.rb +3 -0
data/lib/mihari/clients/onyphe.rb +5 -2
data/lib/mihari/clients/otx.rb +3 -0
data/lib/mihari/clients/passivetotal.rb +7 -4
data/lib/mihari/clients/publsedive.rb +4 -1
data/lib/mihari/clients/securitytrails.rb +6 -3
data/lib/mihari/clients/shodan.rb +5 -2
data/lib/mihari/clients/the_hive.rb +3 -0
data/lib/mihari/clients/urlscan.rb +7 -4
data/lib/mihari/clients/virustotal.rb +5 -2
data/lib/mihari/clients/zoomeye.rb +3 -0
data/lib/mihari/commands/alert.rb +5 -14
data/lib/mihari/commands/database.rb +3 -0
data/lib/mihari/commands/rule.rb +11 -11
data/lib/mihari/commands/search.rb +9 -6
data/lib/mihari/commands/version.rb +3 -0
data/lib/mihari/commands/web.rb +4 -1
data/lib/mihari/config.rb +139 -150
data/lib/mihari/constants.rb +1 -1
data/lib/mihari/database.rb +6 -0
data/lib/mihari/emitters/base.rb +16 -25
data/lib/mihari/emitters/database.rb +10 -9
data/lib/mihari/emitters/misp.rb +20 -41
data/lib/mihari/emitters/slack.rb +16 -13
data/lib/mihari/emitters/the_hive.rb +18 -46
data/lib/mihari/emitters/webhook.rb +34 -23
data/lib/mihari/enrichers/base.rb +16 -15
data/lib/mihari/enrichers/google_public_dns.rb +6 -5
data/lib/mihari/enrichers/ipinfo.rb +10 -8
data/lib/mihari/enrichers/shodan.rb +4 -6
data/lib/mihari/enrichers/whois.rb +13 -10
data/lib/mihari/errors.rb +6 -0
data/lib/mihari/feed/parser.rb +3 -0
data/lib/mihari/feed/reader.rb +3 -0
data/lib/mihari/http.rb +6 -0
data/lib/mihari/mixins/autonomous_system.rb +3 -0
data/lib/mihari/mixins/configurable.rb +3 -0
data/lib/mihari/mixins/error_notification.rb +3 -0
data/lib/mihari/mixins/falsepositive.rb +3 -0
data/lib/mihari/mixins/refang.rb +3 -0
data/lib/mihari/mixins/retriable.rb +6 -2
data/lib/mihari/models/alert.rb +78 -73
data/lib/mihari/models/artifact.rb +186 -178
data/lib/mihari/models/autonomous_system.rb +25 -20
data/lib/mihari/models/cpe.rb +24 -19
data/lib/mihari/models/dns.rb +27 -22
data/lib/mihari/models/geolocation.rb +25 -20
data/lib/mihari/models/port.rb +24 -19
data/lib/mihari/models/reverse_dns.rb +24 -19
data/lib/mihari/models/rule.rb +71 -66
data/lib/mihari/models/tag.rb +8 -3
data/lib/mihari/models/tagging.rb +8 -3
data/lib/mihari/models/whois.rb +20 -17
data/lib/mihari/rule.rb +357 -0
data/lib/mihari/schemas/alert.rb +3 -0
data/lib/mihari/schemas/analyzer.rb +105 -87
data/lib/mihari/schemas/emitter.rb +12 -5
data/lib/mihari/schemas/enricher.rb +11 -4
data/lib/mihari/schemas/macros.rb +4 -0
data/lib/mihari/schemas/mixins.rb +20 -0
data/lib/mihari/schemas/rule.rb +6 -10
data/lib/mihari/service.rb +16 -0
data/lib/mihari/services/alert_builder.rb +8 -5
data/lib/mihari/services/alert_proxy.rb +16 -7
data/lib/mihari/services/alert_runner.rb +10 -14
data/lib/mihari/services/rule_builder.rb +10 -7
data/lib/mihari/services/rule_runner.rb +11 -13
data/lib/mihari/structs/binaryedge.rb +14 -29
data/lib/mihari/structs/censys.rb +54 -133
data/lib/mihari/structs/config.rb +20 -31
data/lib/mihari/structs/filters.rb +38 -0
data/lib/mihari/structs/fofa.rb +44 -0
data/lib/mihari/structs/google_public_dns.rb +10 -28
data/lib/mihari/structs/greynoise.rb +38 -89
data/lib/mihari/structs/hunterhow.rb +27 -25
data/lib/mihari/structs/ipinfo.rb +14 -35
data/lib/mihari/structs/onyphe.rb +36 -81
data/lib/mihari/structs/shodan.rb +53 -118
data/lib/mihari/structs/urlscan.rb +27 -66
data/lib/mihari/structs/virustotal_intelligence.rb +23 -59
data/lib/mihari/type_checker.rb +4 -0
data/lib/mihari/types.rb +3 -0
data/lib/mihari/version.rb +1 -1
data/lib/mihari/web/api.rb +15 -10
data/lib/mihari/web/app.rb +59 -54
data/lib/mihari/web/endpoints/alerts.rb +94 -89
data/lib/mihari/web/endpoints/artifacts.rb +115 -110
data/lib/mihari/web/endpoints/configs.rb +18 -13
data/lib/mihari/web/endpoints/ip_addresses.rb +21 -16
data/lib/mihari/web/endpoints/rules.rb +202 -204
data/lib/mihari/web/endpoints/tags.rb +41 -36
data/lib/mihari/web/middleware/connection_adapter.rb +16 -9
data/lib/mihari/web/middleware/error_notification_adapter.rb +17 -10
data/lib/mihari/web/public/assets/{index-9cc489e6.js → index-821134e2.js} +54 -54
data/lib/mihari/web/public/assets/mode-yaml-24faa242.js +8 -0
data/lib/mihari/web/public/index.html +1 -1
data/lib/mihari.rb +30 -13
data/mihari.gemspec +9 -3
data/mkdocs.yml +3 -2
data/requirements.txt +1 -1
metadata +44 -26
data/lib/mihari/analyzers/rule.rb +0 -232
data/lib/mihari/services/rule_proxy.rb +0 -182
data/lib/mihari/templates/rule.yml.erb +0 -5
data/lib/mihari/web/public/assets/mode-yaml-a21faa53.js +0 -8

data/lib/mihari/models/cpe.rb CHANGED Viewed

@@ -1,29 +1,34 @@
 # frozen_string_literal: true
 module Mihari
-  class CPE < ActiveRecord::Base
-    belongs_to :artifact
+  module Models
+    #
+    # CPE model
+    #
+    class CPE < ActiveRecord::Base
+      belongs_to :artifact
-    class << self
-      include Dry::Monads[:result]
+      class << self
+        include Dry::Monads[:result]
-      #
-      # Build CPEs
-      #
-      # @param [String] ip
-      # @param [Mihari::Enrichers::Shodan] enricher
-      #
-      # @return [Array<Mihari::CPE>]
-      #
-      def build_by_ip(ip, enricher: Enrichers::Shodan.new)
-        result = enricher.query_result(ip).bind do |res|
-          if res.nil?
-            Success []
-          else
-            Success(res.cpes.map { |cpe| new(cpe: cpe) })
+        #
+        # Build CPEs
+        #
+        # @param [String] ip
+        # @param [Mihari::Enrichers::Shodan] enricher
+        #
+        # @return [Array<Mihari::CPE>]
+        #
+        def build_by_ip(ip, enricher: Enrichers::Shodan.new)
+          result = enricher.result(ip).bind do |res|
+            if res.nil?
+              Success []
+            else
+              Success(res.cpes.map { |cpe| new(cpe: cpe) })
+            end
           end
+          result.value_or []
         end
-        result.value_or []
       end
     end
   end

data/lib/mihari/models/dns.rb CHANGED Viewed

@@ -1,31 +1,36 @@
 # frozen_string_literal: true
 module Mihari
-  class DnsRecord < ActiveRecord::Base
-    belongs_to :artifact
+  module Models
+    #
+    # DNS record model
+    #
+    class DnsRecord < ActiveRecord::Base
+      belongs_to :artifact
-    class << self
-      include Dry::Monads[:result]
+      class << self
+        include Dry::Monads[:result]
-      #
-      # Build DNS records
-      #
-      # @param [String] domain
-      # @param [Mihari::Enrichers::Shodan] enricher
-      #
-      # @return [Array<Mihari::DnsRecord>]
-      #
-      def build_by_domain(domain, enricher: Enrichers::GooglePublicDNS.new)
-        result = enricher.query_result(domain).bind do |responses|
-          Success(
-            responses.map do |res|
-              res.answers.map do |answer|
-                new(resource: answer.resource_type, value: answer.data)
-              end
-            end.flatten
-          )
+        #
+        # Build DNS records
+        #
+        # @param [String] domain
+        # @param [Mihari::Enrichers::Shodan] enricher
+        #
+        # @return [Array<Mihari::Models::DnsRecord>]
+        #
+        def build_by_domain(domain, enricher: Enrichers::GooglePublicDNS.new)
+          result = enricher.result(domain).bind do |responses|
+            Success(
+              responses.map do |res|
+                res.answers.map do |answer|
+                  new(resource: answer.resource_type, value: answer.data)
+                end
+              end.flatten
+            )
+          end
+          result.value_or []
         end
-        result.value_or []
       end
     end
   end

data/lib/mihari/models/geolocation.rb CHANGED Viewed

@@ -3,30 +3,35 @@
 require "normalize_country"
 module Mihari
-  class Geolocation < ActiveRecord::Base
-    belongs_to :artifact
+  module Models
+    #
+    # Geolocation model
+    #
+    class Geolocation < ActiveRecord::Base
+      belongs_to :artifact
-    class << self
-      include Dry::Monads[:result]
+      class << self
+        include Dry::Monads[:result]
-      #
-      # Build Geolocation
-      #
-      # @param [String] ip
-      # @param [Mihari::Enrichers::IPinfo] enricher
-      #
-      # @return [Mihari::Geolocation, nil]
-      #
-      def build_by_ip(ip, enricher: Enrichers::IPInfo.new)
-        result = enricher.query_result(ip).bind do |res|
-          value = res&.country_code
-          if value.nil?
-            Success nil
-          else
-            Success new(country: NormalizeCountry(value, to: :short), country_code: value)
+        #
+        # Build Geolocation
+        #
+        # @param [String] ip
+        # @param [Mihari::Enrichers::IPinfo] enricher
+        #
+        # @return [Mihari::Geolocation, nil]
+        #
+        def build_by_ip(ip, enricher: Enrichers::IPInfo.new)
+          result = enricher.result(ip).bind do |res|
+            value = res&.country_code
+            if value.nil?
+              Success nil
+            else
+              Success new(country: NormalizeCountry(value, to: :short), country_code: value)
+            end
           end
+          result.value_or nil
         end
-        result.value_or nil
       end
     end
   end

data/lib/mihari/models/port.rb CHANGED Viewed

@@ -1,29 +1,34 @@
 # frozen_string_literal: true
 module Mihari
-  class Port < ActiveRecord::Base
-    belongs_to :artifact
+  module Models
+    #
+    # Port model
+    #
+    class Port < ActiveRecord::Base
+      belongs_to :artifact
-    class << self
-      include Dry::Monads[:result]
+      class << self
+        include Dry::Monads[:result]
-      #
-      # Build ports
-      #
-      # @param [String] ip
-      # @param [Mihari::Enrichers::Shodan] enricher
-      #
-      # @return [Array<Mihari::Port>]
-      #
-      def build_by_ip(ip, enricher: Enrichers::Shodan.new)
-        result = enricher.query_result(ip).bind do |res|
-          if res.nil?
-            Success []
-          else
-            Success(res.ports.map { |port| new(port: port) })
+        #
+        # Build ports
+        #
+        # @param [String] ip
+        # @param [Mihari::Enrichers::Shodan] enricher
+        #
+        # @return [Array<Mihari::Port>]
+        #
+        def build_by_ip(ip, enricher: Enrichers::Shodan.new)
+          result = enricher.result(ip).bind do |res|
+            if res.nil?
+              Success []
+            else
+              Success(res.ports.map { |port| new(port: port) })
+            end
           end
+          result.value_or []
         end
-        result.value_or []
       end
     end
   end

data/lib/mihari/models/reverse_dns.rb CHANGED Viewed

@@ -1,29 +1,34 @@
 # frozen_string_literal: true
 module Mihari
-  class ReverseDnsName < ActiveRecord::Base
-    belongs_to :artifact
+  module Models
+    #
+    # Reverse DNS name model
+    #
+    class ReverseDnsName < ActiveRecord::Base
+      belongs_to :artifact
-    class << self
-      include Dry::Monads[:result]
+      class << self
+        include Dry::Monads[:result]
-      #
-      # Build reverse DNS names
-      #
-      # @param [String] ip
-      # @param [Mihari::Enrichers::Shodan] enricher
-      #
-      # @return [Array<Mihari::ReverseDnsName>]
-      #
-      def build_by_ip(ip, enricher: Enrichers::Shodan.new)
-        result = enricher.query_result(ip).bind do |res|
-          if res.nil?
-            Success []
-          else
-            Success(res.hostnames.map { |name| new(name: name) })
+        #
+        # Build reverse DNS names
+        #
+        # @param [String] ip
+        # @param [Mihari::Enrichers::Shodan] enricher
+        #
+        # @return [Array<Mihari::Models::ReverseDnsName>]
+        #
+        def build_by_ip(ip, enricher: Enrichers::Shodan.new)
+          result = enricher.result(ip).bind do |res|
+            if res.nil?
+              Success []
+            else
+              Success(res.hostnames.map { |name| new(name: name) })
+            end
           end
+          result.value_or []
         end
-        result.value_or []
       end
     end
   end

data/lib/mihari/models/rule.rb CHANGED Viewed

@@ -3,77 +3,82 @@
 require "yaml"
 module Mihari
-  class Rule < ActiveRecord::Base
-    has_many :alerts, dependent: :destroy
-    def symbolized_data
-      @symbolized_data ||= data.deep_symbolize_keys
-    end
-    def yaml
-      data.to_yaml
-    end
-    def tags
-      (data["tags"] || []).map { |tag| { name: tag } }
-    end
-    class << self
-      #
-      # Search rules
-      #
-      # @param [Structs::Filters::Rule::SearchFilterWithPagination] filter
-      #
-      # @return [Array<Rule>]
-      #
-      def search(filter)
-        limit = filter.limit.to_i
-        raise ArgumentError, "limit should be bigger than zero" unless limit.positive?
-        page = filter.page.to_i
-        raise ArgumentError, "page should be bigger than zero" unless page.positive?
-        offset = (page - 1) * limit
-        relation = build_relation(filter.without_pagination)
-        # TODO: improve queires
-        rule_ids = relation.limit(limit).offset(offset).order(created_at: :desc).pluck(:id).uniq
-        where(id: [rule_ids]).order(created_at: :desc)
+  module Models
+    #
+    # Rule model
+    #
+    class Rule < ActiveRecord::Base
+      has_many :alerts, dependent: :destroy
+      def symbolized_data
+        @symbolized_data ||= data.deep_symbolize_keys
       end
-      #
-      # Count alerts
-      #
-      # @param [Structs::Filters::Rule::SearchFilterWithPagination] filter
-      #
-      # @return [Integer]
-      #
-      def count(filter)
-        relation = build_relation(filter)
-        relation.distinct("rules.id").count
+      def yaml
+        data.to_yaml
       end
-      private
-      #
-      # @param [Structs::Filters::Rule::SearchFilter] filter
-      #
-      # @return [Mihari::Rule]
-      #
-      def build_relation(filter)
-        relation = self
-        relation = relation.includes(alerts: :tags)
-        relation = relation.where(alerts: { tags: { name: filter.tag_name } }) if filter.tag_name
-        relation = relation.where("rules.title LIKE ?", "%#{filter.title}%") if filter.title
-        relation = relation.where("rules.description LIKE ?", "%#{filter.description}%") if filter.description
-        relation = relation.where("rules.created_at >= ?", filter.from_at) if filter.from_at
-        relation = relation.where("rules.created_at <= ?", filter.to_at) if filter.to_at
+      def tags
+        (data["tags"] || []).map { |tag| { name: tag } }
+      end
-        relation
+      class << self
+        #
+        # Search rules
+        #
+        # @param [Mihari::Structs::Filters::Rule::SearchFilterWithPagination] filter
+        #
+        # @return [Array<Rule>]
+        #
+        def search(filter)
+          limit = filter.limit.to_i
+          raise ArgumentError, "limit should be bigger than zero" unless limit.positive?
+          page = filter.page.to_i
+          raise ArgumentError, "page should be bigger than zero" unless page.positive?
+          offset = (page - 1) * limit
+          relation = build_relation(filter.without_pagination)
+          # TODO: improve queires
+          rule_ids = relation.limit(limit).offset(offset).order(created_at: :desc).pluck(:id).uniq
+          where(id: [rule_ids]).order(created_at: :desc)
+        end
+        #
+        # Count alerts
+        #
+        # @param [Mihari::Structs::Filters::Rule::SearchFilterWithPagination] filter
+        #
+        # @return [Integer]
+        #
+        def count(filter)
+          relation = build_relation(filter)
+          relation.distinct("rules.id").count
+        end
+        private
+        #
+        # @param [Mihari::Structs::Filters::Rule::SearchFilter] filter
+        #
+        # @return [Mihari::Models::Rule]
+        #
+        def build_relation(filter)
+          relation = self
+          relation = relation.includes(alerts: :tags)
+          relation = relation.where(alerts: { tags: { name: filter.tag_name } }) if filter.tag_name
+          relation = relation.where("rules.title LIKE ?", "%#{filter.title}%") if filter.title
+          relation = relation.where("rules.description LIKE ?", "%#{filter.description}%") if filter.description
+          relation = relation.where("rules.created_at >= ?", filter.from_at) if filter.from_at
+          relation = relation.where("rules.created_at <= ?", filter.to_at) if filter.to_at
+          relation
+        end
       end
     end
   end

data/lib/mihari/models/tag.rb CHANGED Viewed

@@ -1,8 +1,13 @@
 # frozen_string_literal: true
 module Mihari
-  class Tag < ActiveRecord::Base
-    has_many :taggings, dependent: :destroy
-    has_many :tags, through: :taggings
+  module Models
+    #
+    # Tag model
+    #
+    class Tag < ActiveRecord::Base
+      has_many :taggings, dependent: :destroy
+      has_many :tags, through: :taggings
+    end
   end
 end

data/lib/mihari/models/tagging.rb CHANGED Viewed

@@ -1,8 +1,13 @@
 # frozen_string_literal: true
 module Mihari
-  class Tagging < ActiveRecord::Base
-    belongs_to :alert
-    belongs_to :tag
+  module Models
+    #
+    # Tagging model
+    #
+    class Tagging < ActiveRecord::Base
+      belongs_to :alert
+      belongs_to :tag
+    end
   end
 end

data/lib/mihari/models/whois.rb CHANGED Viewed

@@ -1,25 +1,28 @@
 # frozen_string_literal: true
 module Mihari
-  class WhoisRecord < ActiveRecord::Base
-    belongs_to :artifact
+  module Models
+    #
+    # Whois record model
+    #
+    class WhoisRecord < ActiveRecord::Base
+      belongs_to :artifact
-    @memo = {}
+      @memo = {}
-    class << self
-      include Dry::Monads[:result]
-      #
-      # Build whois record
-      #
-      # @param [String] domain
-      # @param [Mihari::Enrichers::Whois] enricher
-      #
-      # @return [WhoisRecord, nil]
-      #
-      def build_by_domain(domain, enricher: Enrichers::Whois.new)
-        result = enricher.query_result(domain)
-        result.value_or nil
+      class << self
+        #
+        # Build whois record
+        #
+        # @param [String] domain
+        # @param [Mihari::Enrichers::Whois] enricher
+        #
+        # @return [WhoisRecord, nil]
+        #
+        def build_by_domain(domain, enricher: Enrichers::Whois.new)
+          result = enricher.result(domain)
+          result.value_or nil
+        end
       end
     end
   end