mihari 5.6.2 → 5.7.1

Sign up to get free protection for your applications and to get access to all the features.
Files changed (267) hide show
  1. checksums.yaml +4 -4
  2. data/.rubocop.yml +5 -1
  3. data/README.md +1 -0
  4. data/config.ru +1 -1
  5. data/lib/mihari/actor.rb +18 -2
  6. data/lib/mihari/analyzers/base.rb +13 -12
  7. data/lib/mihari/analyzers/binaryedge.rb +4 -1
  8. data/lib/mihari/analyzers/censys.rb +4 -2
  9. data/lib/mihari/analyzers/circl.rb +4 -1
  10. data/lib/mihari/analyzers/crtsh.rb +4 -1
  11. data/lib/mihari/analyzers/dnstwister.rb +4 -1
  12. data/lib/mihari/analyzers/feed.rb +3 -0
  13. data/lib/mihari/analyzers/fofa.rb +65 -0
  14. data/lib/mihari/analyzers/greynoise.rb +4 -1
  15. data/lib/mihari/analyzers/hunterhow.rb +6 -1
  16. data/lib/mihari/analyzers/onyphe.rb +4 -1
  17. data/lib/mihari/analyzers/otx.rb +4 -1
  18. data/lib/mihari/analyzers/passivetotal.rb +4 -1
  19. data/lib/mihari/analyzers/pulsedive.rb +3 -0
  20. data/lib/mihari/analyzers/securitytrails.rb +4 -1
  21. data/lib/mihari/analyzers/shodan.rb +4 -1
  22. data/lib/mihari/analyzers/urlscan.rb +4 -1
  23. data/lib/mihari/analyzers/virustotal.rb +4 -1
  24. data/lib/mihari/analyzers/virustotal_intelligence.rb +4 -1
  25. data/lib/mihari/analyzers/zoomeye.rb +5 -2
  26. data/lib/mihari/cli/alert.rb +3 -0
  27. data/lib/mihari/cli/base.rb +3 -0
  28. data/lib/mihari/cli/database.rb +3 -0
  29. data/lib/mihari/cli/main.rb +3 -0
  30. data/lib/mihari/cli/rule.rb +3 -0
  31. data/lib/mihari/clients/base.rb +3 -0
  32. data/lib/mihari/clients/binaryedge.rb +5 -2
  33. data/lib/mihari/clients/censys.rb +7 -4
  34. data/lib/mihari/clients/circl.rb +3 -0
  35. data/lib/mihari/clients/crtsh.rb +3 -0
  36. data/lib/mihari/clients/dnstwister.rb +3 -0
  37. data/lib/mihari/clients/fofa.rb +83 -0
  38. data/lib/mihari/clients/greynoise.rb +5 -2
  39. data/lib/mihari/clients/hunterhow.rb +5 -2
  40. data/lib/mihari/clients/misp.rb +3 -0
  41. data/lib/mihari/clients/onyphe.rb +5 -2
  42. data/lib/mihari/clients/otx.rb +3 -0
  43. data/lib/mihari/clients/passivetotal.rb +3 -0
  44. data/lib/mihari/clients/publsedive.rb +4 -1
  45. data/lib/mihari/clients/securitytrails.rb +3 -0
  46. data/lib/mihari/clients/shodan.rb +5 -2
  47. data/lib/mihari/clients/the_hive.rb +3 -0
  48. data/lib/mihari/clients/urlscan.rb +7 -4
  49. data/lib/mihari/clients/virustotal.rb +5 -2
  50. data/lib/mihari/clients/zoomeye.rb +3 -0
  51. data/lib/mihari/commands/alert.rb +9 -16
  52. data/lib/mihari/commands/database.rb +3 -0
  53. data/lib/mihari/commands/rule.rb +10 -1
  54. data/lib/mihari/commands/search.rb +13 -29
  55. data/lib/mihari/commands/version.rb +3 -0
  56. data/lib/mihari/commands/web.rb +4 -1
  57. data/lib/mihari/config.rb +139 -150
  58. data/lib/mihari/constants.rb +1 -1
  59. data/lib/mihari/database.rb +6 -0
  60. data/lib/mihari/emitters/base.rb +13 -11
  61. data/lib/mihari/emitters/database.rb +4 -1
  62. data/lib/mihari/emitters/misp.rb +7 -4
  63. data/lib/mihari/emitters/slack.rb +3 -3
  64. data/lib/mihari/emitters/the_hive.rb +3 -3
  65. data/lib/mihari/emitters/webhook.rb +4 -3
  66. data/lib/mihari/enrichers/base.rb +15 -9
  67. data/lib/mihari/enrichers/google_public_dns.rb +6 -5
  68. data/lib/mihari/enrichers/ipinfo.rb +11 -9
  69. data/lib/mihari/enrichers/shodan.rb +4 -6
  70. data/lib/mihari/enrichers/whois.rb +12 -9
  71. data/lib/mihari/entities/tag.rb +1 -0
  72. data/lib/mihari/errors.rb +6 -0
  73. data/lib/mihari/feed/parser.rb +3 -0
  74. data/lib/mihari/feed/reader.rb +3 -0
  75. data/lib/mihari/http.rb +6 -0
  76. data/lib/mihari/mixins/autonomous_system.rb +3 -0
  77. data/lib/mihari/mixins/configurable.rb +3 -0
  78. data/lib/mihari/mixins/error_notification.rb +3 -0
  79. data/lib/mihari/mixins/falsepositive.rb +3 -0
  80. data/lib/mihari/mixins/refang.rb +3 -0
  81. data/lib/mihari/mixins/retriable.rb +6 -2
  82. data/lib/mihari/models/alert.rb +7 -4
  83. data/lib/mihari/models/artifact.rb +6 -0
  84. data/lib/mihari/models/autonomous_system.rb +4 -1
  85. data/lib/mihari/models/cpe.rb +4 -1
  86. data/lib/mihari/models/dns.rb +4 -1
  87. data/lib/mihari/models/geolocation.rb +4 -1
  88. data/lib/mihari/models/port.rb +4 -1
  89. data/lib/mihari/models/reverse_dns.rb +4 -1
  90. data/lib/mihari/models/rule.rb +6 -3
  91. data/lib/mihari/models/tag.rb +3 -0
  92. data/lib/mihari/models/tagging.rb +3 -0
  93. data/lib/mihari/models/whois.rb +4 -3
  94. data/lib/mihari/rule.rb +31 -12
  95. data/lib/mihari/schemas/alert.rb +3 -0
  96. data/lib/mihari/schemas/analyzer.rb +11 -0
  97. data/lib/mihari/schemas/emitter.rb +3 -0
  98. data/lib/mihari/schemas/enricher.rb +3 -0
  99. data/lib/mihari/schemas/macros.rb +4 -0
  100. data/lib/mihari/schemas/mixins.rb +5 -0
  101. data/lib/mihari/schemas/rule.rb +3 -0
  102. data/lib/mihari/service.rb +26 -0
  103. data/lib/mihari/services/alert_builder.rb +85 -9
  104. data/lib/mihari/services/alert_runner.rb +8 -19
  105. data/lib/mihari/services/rule_builder.rb +13 -12
  106. data/lib/mihari/services/rule_runner.rb +7 -32
  107. data/lib/mihari/structs/binaryedge.rb +22 -28
  108. data/lib/mihari/structs/censys.rb +48 -141
  109. data/lib/mihari/structs/config.rb +19 -30
  110. data/lib/mihari/structs/filters.rb +38 -0
  111. data/lib/mihari/structs/fofa.rb +47 -0
  112. data/lib/mihari/structs/google_public_dns.rb +10 -32
  113. data/lib/mihari/structs/greynoise.rb +33 -90
  114. data/lib/mihari/structs/hunterhow.rb +24 -28
  115. data/lib/mihari/structs/ipinfo.rb +14 -37
  116. data/lib/mihari/structs/onyphe.rb +31 -80
  117. data/lib/mihari/structs/shodan.rb +47 -114
  118. data/lib/mihari/structs/urlscan.rb +24 -69
  119. data/lib/mihari/structs/virustotal_intelligence.rb +20 -64
  120. data/lib/mihari/type_checker.rb +4 -0
  121. data/lib/mihari/types.rb +3 -0
  122. data/lib/mihari/version.rb +1 -1
  123. data/lib/mihari/web/api.rb +15 -10
  124. data/lib/mihari/web/app.rb +64 -56
  125. data/lib/mihari/web/endpoints/alerts.rb +127 -85
  126. data/lib/mihari/web/endpoints/artifacts.rb +91 -79
  127. data/lib/mihari/web/endpoints/configs.rb +18 -13
  128. data/lib/mihari/web/endpoints/ip_addresses.rb +35 -15
  129. data/lib/mihari/web/endpoints/rules.rb +236 -187
  130. data/lib/mihari/web/endpoints/tags.rb +42 -35
  131. data/lib/mihari/web/middleware/connection_adapter.rb +16 -9
  132. data/lib/mihari/web/middleware/error_notification_adapter.rb +17 -10
  133. data/lib/mihari/web/public/assets/{index-28d4c79d.js → index-07fafab5.js} +31 -30
  134. data/lib/mihari/web/public/assets/mode-yaml-24faa242.js +8 -0
  135. data/lib/mihari/web/public/index.html +1 -1
  136. data/lib/mihari.rb +24 -6
  137. data/mihari.gemspec +9 -2
  138. data/mkdocs.yml +4 -2
  139. metadata +38 -133
  140. data/docs/alternatives.md +0 -5
  141. data/docs/analyzers/binaryedge.md +0 -26
  142. data/docs/analyzers/censys.md +0 -31
  143. data/docs/analyzers/circl.md +0 -37
  144. data/docs/analyzers/crtsh.md +0 -26
  145. data/docs/analyzers/dnstwister.md +0 -25
  146. data/docs/analyzers/feed.md +0 -73
  147. data/docs/analyzers/greynoise.md +0 -26
  148. data/docs/analyzers/hunterhow.md +0 -33
  149. data/docs/analyzers/index.md +0 -103
  150. data/docs/analyzers/onyphe.md +0 -26
  151. data/docs/analyzers/otx.md +0 -28
  152. data/docs/analyzers/passivetotal.md +0 -52
  153. data/docs/analyzers/pulsedive.md +0 -28
  154. data/docs/analyzers/securitytrails.md +0 -41
  155. data/docs/analyzers/shodan.md +0 -26
  156. data/docs/analyzers/urlscan.md +0 -28
  157. data/docs/analyzers/virustotal.md +0 -43
  158. data/docs/analyzers/virustotal_intelligence.md +0 -33
  159. data/docs/analyzers/zoomeye.md +0 -38
  160. data/docs/configuration.md +0 -35
  161. data/docs/emitters/database.md +0 -22
  162. data/docs/emitters/hive.md +0 -26
  163. data/docs/emitters/index.md +0 -36
  164. data/docs/emitters/misp.md +0 -21
  165. data/docs/emitters/slack.md +0 -21
  166. data/docs/emitters/webhook.md +0 -63
  167. data/docs/enrichers/google_public_dns.md +0 -19
  168. data/docs/enrichers/index.md +0 -35
  169. data/docs/enrichers/ipinfo.md +0 -26
  170. data/docs/enrichers/shodan.md +0 -22
  171. data/docs/enrichers/whois.md +0 -17
  172. data/docs/github_actions.md +0 -43
  173. data/docs/index.md +0 -11
  174. data/docs/installation.md +0 -31
  175. data/docs/requirements.md +0 -13
  176. data/docs/rule.md +0 -168
  177. data/docs/tags.md +0 -3
  178. data/docs/usage.md +0 -103
  179. data/frontend/.eslintrc.cjs +0 -22
  180. data/frontend/.gitignore +0 -31
  181. data/frontend/.prettierrc.json +0 -8
  182. data/frontend/README.md +0 -3
  183. data/frontend/env.d.ts +0 -5
  184. data/frontend/index.html +0 -21
  185. data/frontend/package-lock.json +0 -7219
  186. data/frontend/package.json +0 -67
  187. data/frontend/public/favicon.ico +0 -0
  188. data/frontend/scripts/swagger_doc_to_yaml.rb +0 -23
  189. data/frontend/src/App.vue +0 -27
  190. data/frontend/src/ace-config.ts +0 -6
  191. data/frontend/src/api-helper.ts +0 -111
  192. data/frontend/src/api.ts +0 -105
  193. data/frontend/src/components/ErrorMessage.vue +0 -31
  194. data/frontend/src/components/Loading.vue +0 -15
  195. data/frontend/src/components/Navbar.vue +0 -42
  196. data/frontend/src/components/Pagination.vue +0 -119
  197. data/frontend/src/components/alert/Alert.vue +0 -87
  198. data/frontend/src/components/alert/Alerts.vue +0 -63
  199. data/frontend/src/components/alert/AlertsWithPagination.vue +0 -90
  200. data/frontend/src/components/alert/AlertsWrapper.vue +0 -128
  201. data/frontend/src/components/alert/Form.vue +0 -182
  202. data/frontend/src/components/artifact/AS.vue +0 -29
  203. data/frontend/src/components/artifact/Artifact.vue +0 -287
  204. data/frontend/src/components/artifact/ArtifactTag.vue +0 -64
  205. data/frontend/src/components/artifact/ArtifactTags.vue +0 -29
  206. data/frontend/src/components/artifact/ArtifactWrapper.vue +0 -57
  207. data/frontend/src/components/artifact/CPEs.vue +0 -23
  208. data/frontend/src/components/artifact/DnsRecords.vue +0 -38
  209. data/frontend/src/components/artifact/Ports.vue +0 -23
  210. data/frontend/src/components/artifact/ReverseDnsNames.vue +0 -31
  211. data/frontend/src/components/artifact/Tags.vue +0 -29
  212. data/frontend/src/components/artifact/WhoisRecord.vue +0 -44
  213. data/frontend/src/components/config/Configs.vue +0 -65
  214. data/frontend/src/components/config/ConfigsWrapper.vue +0 -32
  215. data/frontend/src/components/link/Link.vue +0 -32
  216. data/frontend/src/components/link/Links.vue +0 -42
  217. data/frontend/src/components/rule/EditRule.vue +0 -72
  218. data/frontend/src/components/rule/EditRuleWrapper.vue +0 -48
  219. data/frontend/src/components/rule/Form.vue +0 -158
  220. data/frontend/src/components/rule/InputForm.vue +0 -45
  221. data/frontend/src/components/rule/NewRule.vue +0 -57
  222. data/frontend/src/components/rule/Rule.vue +0 -100
  223. data/frontend/src/components/rule/RuleWrapper.vue +0 -53
  224. data/frontend/src/components/rule/Rules.vue +0 -84
  225. data/frontend/src/components/rule/RulesWrapper.vue +0 -121
  226. data/frontend/src/components/rule/YAML.vue +0 -37
  227. data/frontend/src/components/tag/Tag.vue +0 -65
  228. data/frontend/src/components/tag/Tags.vue +0 -37
  229. data/frontend/src/countries.ts +0 -350
  230. data/frontend/src/index.ts +0 -20
  231. data/frontend/src/links/anyrun.ts +0 -19
  232. data/frontend/src/links/base.ts +0 -14
  233. data/frontend/src/links/censys.ts +0 -20
  234. data/frontend/src/links/crtsh.ts +0 -20
  235. data/frontend/src/links/dnslytics.ts +0 -38
  236. data/frontend/src/links/greynoise.ts +0 -20
  237. data/frontend/src/links/index.ts +0 -40
  238. data/frontend/src/links/intezer.ts +0 -20
  239. data/frontend/src/links/otx.ts +0 -33
  240. data/frontend/src/links/securitytrails.ts +0 -38
  241. data/frontend/src/links/shodan.ts +0 -20
  242. data/frontend/src/links/urlscan.ts +0 -50
  243. data/frontend/src/links/virustotal.ts +0 -72
  244. data/frontend/src/main.ts +0 -41
  245. data/frontend/src/router/index.ts +0 -57
  246. data/frontend/src/rule.ts +0 -14
  247. data/frontend/src/shims-vue.d.ts +0 -6
  248. data/frontend/src/swagger.yaml +0 -771
  249. data/frontend/src/types.ts +0 -188
  250. data/frontend/src/utils.ts +0 -54
  251. data/frontend/src/views/Alerts.vue +0 -20
  252. data/frontend/src/views/Artifact.vue +0 -39
  253. data/frontend/src/views/Configs.vue +0 -20
  254. data/frontend/src/views/EditRule.vue +0 -39
  255. data/frontend/src/views/NewRule.vue +0 -26
  256. data/frontend/src/views/Rule.vue +0 -39
  257. data/frontend/src/views/Rules.vue +0 -20
  258. data/frontend/tests/utils.spec.ts +0 -9
  259. data/frontend/tsconfig.app.json +0 -21
  260. data/frontend/tsconfig.json +0 -14
  261. data/frontend/tsconfig.node.json +0 -13
  262. data/frontend/tsconfig.vitest.json +0 -12
  263. data/frontend/vite.config.ts +0 -24
  264. data/frontend/vitest.config.ts +0 -21
  265. data/lib/mihari/services/alert_proxy.rb +0 -92
  266. data/lib/mihari/templates/rule.yml.erb +0 -5
  267. data/lib/mihari/web/public/assets/mode-yaml-a21faa53.js +0 -8
data/docs/analyzers/feed.md DELETED
@@ -1,73 +0,0 @@
1
- # Feed
2
-
3
- This analyzer can ingest a feed (JSON or CSV) by specifying conditions.
4
-
5
- Note that you should write a selector to get proper IoCs from a feed. A selector is based on [jr](https://github.com/yuya-takeyama/jr).
6
-
7
- ```yaml
8
- analyzer: feed
9
- query: ...
10
- selector: ...
11
- method: ...
12
- headers: ...
13
- params: ...
14
- data: ...
15
- json: ...
16
- ```
17
-
18
- ## Components
19
-
20
- ### Query
21
-
22
- `query` (`string`) is a URL of a feed.
23
-
24
- !!! note
25
-
26
- I know this is a strange naming. It's just for keeping the convention with other analyzers.
27
-
28
- ### Method
29
-
30
- `method` (`string`) is an HTTP method. Defaults to `GET`.
31
-
32
- ### Selector
33
-
34
- `selector` (`string`) is a `jr` selector.
35
-
36
- ### Headers
37
-
38
- `headers` (`hash`) is an HTTP headers. Optional.
39
-
40
- ### Params
41
-
42
- `params` (`hash`) is an HTTP query params. Optional.
43
-
44
- ### Data
45
-
46
- `data` (`hash`) is an HTTP form data. Optional.
47
-
48
- ### JSON
49
-
50
- `json` (`hash`) is an JSON body. Optional.
51
-
52
- ## Examples
53
-
54
- ### ThreatFox
55
-
56
- ```yaml
57
- analyzer: feed
58
- query: "https://threatfox-api.abuse.ch/api/v1/"
59
- method: POST
60
- json:
61
- query: get_iocs
62
- days: 1
63
- headers:
64
- selector: "map(&:data).unwrap.map(&:ioc).map { |v| v.start_with?('http://', 'https://') ? v : v.split(':').first }"
65
- ```
66
-
67
- ### URLhaus
68
-
69
- ```yaml
70
- analyzer: feed
71
- query: "https://urlhaus.abuse.ch/feeds/country/JP/"
72
- selector: "map { |v| v[1] }"
73
- ```
data/docs/analyzers/greynoise.md DELETED
@@ -1,26 +0,0 @@
1
- ---
2
- tags:
3
- - Artifact:IP
4
- ---
5
-
6
- # GreyNoise
7
-
8
- - [https://www.greynoise.io/](https://www.greynoise.io/)
9
-
10
- This analyzer uses GreyNoise API (`/v2/experimental/gnql`) to search. Pagination is supported.
11
-
12
- ```yaml
13
- analyzer: greynoise
14
- query: ...
15
- api_key: ...
16
- ```
17
-
18
- ## Components
19
-
20
- ### Query
21
-
22
- `query` (`string`) is a GNQL search query.
23
-
24
- ### API Key
25
-
26
- `api_key` (`string`) is an API key. Optional. Defaults to `ENV[”GREYNOISE_API_KEY"]`.
data/docs/analyzers/hunterhow.md DELETED
@@ -1,33 +0,0 @@
1
- ---
2
- tags:
3
- - Artifact:IP
4
- ---
5
-
6
- # Hunter How
7
-
8
- - [https://hunter.how/](https://hunter.how/)
9
-
10
- This analyzer uses Hunter How API (`https://api.hunter.how/search`) to search. Pagination is supported.
11
-
12
- ```yaml
13
- analyzer: hunterhow
14
- query: ...
15
- api_key: ...
16
- start_time: ...
17
- end_time: ...
18
- ```
19
-
20
- ## Components
21
-
22
- ### Query
23
-
24
- `query` (`string`) is a search query.
25
-
26
- ### Start/End Time
27
-
28
- - `start_time` (`date`): Only show results after the given date.
29
- - `end_time` (`date`): Only show results after the given date.
30
-
31
- ### API key
32
-
33
- `api_key` (`string`) is an API key. Optional. Defaults to `ENV[”HUNTERHOW_API_KEY"]`.
data/docs/analyzers/index.md DELETED
@@ -1,103 +0,0 @@
1
- # Analyzers
2
-
3
- - [BinaryEdge](binaryedge.md)
4
- - [Censys](censys.md)
5
- - [Circle Passive DNS/SSL](circl.md)
6
- - [crt.sh](crtsh.md)
7
- - [dnstwister](dnstwister.md)
8
- - [Feed](feed.md)
9
- - [GreyNoise](greynoise.md)
10
- - [HunterHow](hunterhow.md)
11
- - [Onyphe](onyphe.md)
12
- - [OTX](otx.md)
13
- - [PassiveTotal](passivetotal.md)
14
- - [PulseDive](pulsedive.md)
15
- - [SecurityTrails](securitytrails.md)
16
- - [Shodan](shodan.md)
17
- - [urlscan.io](urlscan.md)
18
- - [VirusTotal](virustotal.md)
19
- - [VirusTotal Intelligence](virustotal_intelligence.md)
20
-
21
- ## Options
22
-
23
- All the analyzers can have optional `options`.
24
-
25
- ```yaml
26
- analyzer: ...
27
- query: ...
28
- options:
29
- retry_times: ...
30
- retry_interval: ...
31
- retry_exponential_backoff: ...
32
- timeout: ...
33
- ignore_error: ...
34
- ```
35
-
36
- Also the following analyzers can have pagination options.
37
-
38
- - [Shodan](./shodan.md)
39
- - [BinaryEdge](./binaryedge.md)
40
- - [Censys](./censys.md)
41
- - [ZoomEye](./zoomeye.md)
42
- - [urlscan.io](./urlscan.md)
43
- - [VirusTotal Intelligence](./virustotal_intelligence.md)
44
- - [HunterHow](./hunterhow.md)
45
-
46
- ```yaml
47
- options:
48
- pagination_interval: ...
49
- pagination_limit: ...
50
- ```
51
-
52
- ### Retry Times
53
-
54
- `retry_times` (`integer`) is a number of times of retry when something goes wrong. Optional. Defaults to 3.
55
-
56
- ### Retry Interval
57
-
58
- `retry_interval` (`integer`) is an interval in seconds between retries. Optional. Defaults to 5.
59
-
60
- ### Retry Exponential Backoff
61
-
62
- `retry_exponential_backoff` (`bool`) controls whether to do exponential backoff. Optional. Defaults to `true`.
63
-
64
- ### Timeout
65
-
66
- `timeout` (`integer`) is an HTTP timeout in seconds. Optional.
67
-
68
- ### Ignore Error
69
-
70
- `ignore_error` (`bool`) controls whether to ignore an error or not. Optional. Defaults to `false`.
71
-
72
- Mihari uses fail-fast approach. For example, if Shodan returns an error, the Censys query next is not triggered because Mihari raises an error before it.
73
-
74
- ```yaml
75
- queries:
76
- - analyzer: shodan
77
- query: ip:1.1.1.1
78
- - analyzer: censys
79
- query: ip:8.8.8.8
80
- ```
81
-
82
- You can set `ignore_error` option to make it fault tolerance.
83
-
84
- ```yaml
85
- queries:
86
- - analyzer: shodan
87
- query: ip:1.1.1.1
88
- options:
89
- ignore_error: true
90
- - analyzer: censys
91
- query: ip:8.8.8.8
92
- ```
93
-
94
- ### Pagination Interval
95
-
96
- `pagination_interval` (`integer`) is an interval in seconds between pagination. Optional. Defaults to 0.
97
-
98
- ### Pagination Limit
99
-
100
- `pagination_limit` (`integer`) is an limit for pagination. Optional. Defaults to 100.
101
-
102
- In the worst case, if something wrong with Mihari or a service, Mihari can drain API quota by doing pagination forever.
103
- `pagination_limit` is a safety valve for that. A number of pagination is limited as `pagination_limit` times.
data/docs/analyzers/onyphe.md DELETED
@@ -1,26 +0,0 @@
1
- ---
2
- tags:
3
- - Artifact:IP
4
- ---
5
-
6
- # ONYPHE
7
-
8
- - [https://www.onyphe.io/](https://www.onyphe.io/)
9
-
10
- This analyzer uses ONYPHE API v2 (`/api/v2/simple/datascan`) to search.
11
-
12
- ```yaml
13
- analyzer: onyphe
14
- query: ...
15
- api_key: ...
16
- ```
17
-
18
- ## Components
19
-
20
- ### Query
21
-
22
- `query` (`string`) is a search query.
23
-
24
- ### API Key
25
-
26
- `api_key` (`string`) is an API key. Optional. Defaults to `ENV[”ONYPHE_API_KEY”"]`.
data/docs/analyzers/otx.md DELETED
@@ -1,28 +0,0 @@
1
- ---
2
- tags:
3
- - Artifact:IP
4
- - Artifact:Domain
5
- - Passive DNS
6
- ---
7
-
8
- # OTX
9
-
10
- - [https://otx.alienvault.com/](https://otx.alienvault.com/dashboard/new)
11
-
12
- This analyzer uses [OTX API v1](https://otx.alienvault.com/api) (`/api/v1/indicators/`) API to search.
13
-
14
- ```yaml
15
- analyzer: otx
16
- query: ...
17
- api_key: ...
18
- ```
19
-
20
- ## Components
21
-
22
- ### Query
23
-
24
- `query` (`string`) is a passive DNS search query. Domain or IP address.
25
-
26
- ### API Key
27
-
28
- `api_key` (`string`) is an API key. Optional. Defaults to `ENV[”OTX_API_KEY”"]`.
data/docs/analyzers/passivetotal.md DELETED
@@ -1,52 +0,0 @@
1
- ---
2
- tags:
3
- - Artifact:IP
4
- - Artifact:Domain
5
- - Passive DNS
6
- - Passive SSL
7
- - Reverse Whois
8
- ---
9
-
10
- # PassiveTotal
11
-
12
- - [https://community.riskiq.com/](https://community.riskiq.com/home)
13
-
14
- This analyzer uses [PassvieTotal API](https://api.passivetotal.org/index.html).
15
-
16
- An API endpoint to use is changed based on a type of a query.
17
-
18
- | Query | API endpoint | Artifact |
19
- | --------------------------------------- | ----------------------------- | ---------- |
20
- | IP address | `/v2/dns/passive` | Domain |
21
- | Domain | `/v2/dns/passive` | IP address |
22
- | Mail | `/v2/whois/search` | Domain |
23
- | Hash (SSL certificate SHA1 fingerprint) | `/v2/ssl-certificate/history` | IP address |
24
-
25
- ```yaml
26
- analyzer: passivetotal
27
- query: ...
28
- username: ...
29
- api_key: ...
30
- ```
31
-
32
- ## Components
33
-
34
- ### Analyzer
35
-
36
- `analyzer` (`string`) should be either of `passivetotal` and `pt`.
37
-
38
- ### Query
39
-
40
- `query` (`string`) is a passive DNS/SSL or reverse whois search query. Domain, IP address, mail or SHA1 certificate fingerprint.
41
-
42
- - Passive DNS: Domain, IP Address
43
- - Passive SSL: SHA1 certificate fingerprint
44
- - Reverse whois: mail
45
-
46
- ### Username
47
-
48
- `username` (`string`) is a username. Optional. Defaults to `ENV[”PASSIVETOTAL_USERNAME"]`.
49
-
50
- ### API Key
51
-
52
- `api_key` (`string`) is an API key. Optional. Defaults to `ENV[”PASSIVETOTAL_API_KEY"]`.
data/docs/analyzers/pulsedive.md DELETED
@@ -1,28 +0,0 @@
1
- ---
2
- tags:
3
- - Artifact:IP
4
- - Artifact:Domain
5
- - Passive DNS
6
- ---
7
-
8
- # Pulsedive
9
-
10
- - [https://pulsedive.com/](https://pulsedive.com/)
11
-
12
- This analyzer uses [Pulsedive API](https://pulsedive.com/api/) (`/api/info.php`) to search.
13
-
14
- ```yaml
15
- analyzer: pulsedive
16
- query: ...
17
- api_key: ...
18
- ```
19
-
20
- ## Components
21
-
22
- ### Query
23
-
24
- `query` (`string`) is a passive DNS search query. Domain or IP address.
25
-
26
- ### API Key
27
-
28
- `api_key` (`string`) is an API key. Optional. Defaults to `ENV[”PULSEDIVE_API_KEY"]`.
data/docs/analyzers/securitytrails.md DELETED
@@ -1,41 +0,0 @@
1
- ---
2
- tags:
3
- - Artifact:IP
4
- - Artifact:Domain
5
- - Passive DNS
6
- - Reverse Whois
7
- ---
8
-
9
- # SecurityTrails
10
-
11
- - [https://securitytrails.com/](https://securitytrails.com/)
12
-
13
- This analyzer uses [SecurityTrails API](https://docs.securitytrails.com/docs).
14
-
15
- An API endpoint to use is changed based on a type of a query.
16
-
17
- | Query type | API endpoint | Artifact |
18
- | ---------- | ------------------ | ---------- |
19
- | IP address | `/v1/domains/list` | Domain |
20
- | Domain | `/v1/history/` | IP address |
21
- | Mail | `/v1/domains/list` | Domain |
22
-
23
- ```yaml
24
- analyzer: securitytrails
25
- query: ...
26
- api_key: ...
27
- ```
28
-
29
- ## Components
30
-
31
- ### Analyzer
32
-
33
- `analyzer` (`string`) should be either of `securitytrails` and `st`.
34
-
35
- ### Query
36
-
37
- `query` (`string`) is a passive DNS search/reverse whois query. Domain, IP address or mail.
38
-
39
- ### API Key
40
-
41
- `api_key` (`string`) is an API key. Optional. Defaults to `ENV[”SECURITYTRAILS_API_KEY"]`.
data/docs/analyzers/shodan.md DELETED
@@ -1,26 +0,0 @@
1
- ---
2
- tags:
3
- - Artifact:IP
4
- ---
5
-
6
- # Shodan
7
-
8
- - [https://shodan.io/](https://shodan.io/)
9
-
10
- This analyzer uses [Shodan REST AP](https://developer.shodan.io/api) (`/shodan/host/search`) API to search. Pagination is supported.
11
-
12
- ```yaml
13
- analyzer: shodan
14
- query: ...
15
- api_key: ...
16
- ```
17
-
18
- ## Components
19
-
20
- ### Query
21
-
22
- `query` (`string`) is a search query.
23
-
24
- ### API Key
25
-
26
- `api_key` (`string`) is an API key. Optional. Defaults to `ENV[”SHODAN_API_KEY"]`.
data/docs/analyzers/urlscan.md DELETED
@@ -1,28 +0,0 @@
1
- ---
2
- tags:
3
- - Artifact:IP
4
- - Artifact:Domain
5
- - Artifact:URL
6
- ---
7
-
8
- # urlscan.io
9
-
10
- - [https://urlscan.io/](https://urlscan.io/)
11
-
12
- This analyzer uses [urlscan.io](http://urlscan.io) API (`/api/v1/search`) to search. Pagination is supported.
13
-
14
- ```yaml
15
- analyzer: urlscan
16
- query: ...
17
- api_key: ...
18
- ```
19
-
20
- ## Components
21
-
22
- ### Query
23
-
24
- `query` (`string`) is a search query.
25
-
26
- ### API Key
27
-
28
- `api_key` (`string`) is an API key. Optional. Defaults to `ENV[”URLSCAN_API_KEY"]`.
data/docs/analyzers/virustotal.md DELETED
@@ -1,43 +0,0 @@
1
- ---
2
- tags:
3
- - Artifact:IP
4
- - Artifact:Domain
5
- - Passive DNS
6
- ---
7
-
8
- # VirusTotal
9
-
10
- - [https://www.virustotal.com](https://www.virustotal.com/gui/home/search)
11
-
12
- This analyzer uses VirusTotal API v3.
13
-
14
- An API endpoint to use is changed based on a type of a query.
15
-
16
- ::: top
17
-
18
- Note that this analyzer only checks passive DNS data of a given query (domain or IP address).
19
-
20
- | Query | API endpoint | Artifact |
21
- | ---------- | ----------------------- | ---------- |
22
- | IP address | `/api/v3/ip_addresses/` | Domain |
23
- | Domain | `/api/v3/domains/` | IP address |
24
-
25
- ```yaml
26
- analyzer: virustotal
27
- query: ...
28
- api_key: ...
29
- ```
30
-
31
- ## Components
32
-
33
- ### Analyzer
34
-
35
- `analyzer` (`string`) should be either of `virustoal` and `vt`.
36
-
37
- ### Query
38
-
39
- `query` (`string`) is a passive DNS search query. Domain or IP address.
40
-
41
- ### API Key
42
-
43
- `api_key` (`string`) is an API key. Optional. Defaults to `ENV[”VIRUSTOTAL_API_KEY"]`.
data/docs/analyzers/virustotal_intelligence.md DELETED
@@ -1,33 +0,0 @@
1
- ---
2
- tags:
3
- - Artifact:IP
4
- - Artifact:Domain
5
- - Artifact:URL
6
- - Artifact:Hash
7
- ---
8
-
9
- # VirusTotal Intelligence
10
-
11
- - [https://www.virustotal.com](https://www.virustotal.com/gui/home/search)
12
-
13
- This analyzer uses VirusTotal Intelligence API. Pagination is supported.
14
-
15
- ```yaml
16
- analyzer: virustotal_intelligence
17
- query: ...
18
- api_key: ...
19
- ```
20
-
21
- ## Components
22
-
23
- ### Analyzer
24
-
25
- `analyzer` (`string`) should be either of `virustotal_intelligence` and ``.
26
-
27
- ### Query
28
-
29
- `query` (`string`) is a search query.
30
-
31
- ### API Key
32
-
33
- `api_key` (`string`) is an API key. Optional. Defaults to `ENV[”VIRUSTOTAL_API_KEY"]`.
data/docs/analyzers/zoomeye.md DELETED
@@ -1,38 +0,0 @@
1
- ---
2
- tags:
3
- - Artifact:IP
4
- ---
5
-
6
- # ZoomEye
7
-
8
- - [https://zoomeye.org/](https://zoomeye.org/)
9
-
10
- This analyzer uses ZoomEye API v3. Pagination is supported.
11
-
12
- An API endpoint to use is changed based on a `type` option.
13
-
14
- | Type | API endpoint | Artifact type |
15
- | ---- | -------------- | ------------- |
16
- | web | `/web/search` | IP address |
17
- | host | `/host/search` | IP address |
18
-
19
- ```yaml
20
- analyzer: zoomeye
21
- query: ...
22
- type: ...
23
- api_key: ...
24
- ```
25
-
26
- ## Components
27
-
28
- ### Query
29
-
30
- `query` (`string`) is a search query.
31
-
32
- ### Type
33
-
34
- `type` (`string`) determines a search type. `web` or `host`.
35
-
36
- ### API Key
37
-
38
- `api_key` (`string`) is an API key. Optional. Defaults to `ENV[”ZOOMEYE_API_KEY"]`.
data/docs/configuration.md DELETED
@@ -1,35 +0,0 @@
1
- # Configuration
2
-
3
- Configuration can be done via environment variables.
4
-
5
- | Environmental Variable | Description | Default |
6
- | ---------------------- | ------------------------------- | ---------------------- |
7
- | DATABASE_URL | Database URL | `sqlite3:///mihari.db` |
8
- | BINARYEDGE_API_KEY | BinaryEdge API key | |
9
- | CENSYS_ID | Censys API ID | |
10
- | CENSYS_SECRET | Censys secret | |
11
- | CIRCL_PASSIVE_PASSWORD | CIRCL passive DNS/SSL password | |
12
- | CIRCL_PASSIVE_USERNAME | CIRCL passive DNS/SSL username, | |
13
- | IPINFO_API_KEY | IPInfo API key (token) | |
14
- | MISP_URL | MISP URL | |
15
- | MISP_API_KEY | MISP API key | |
16
- | ONYPHE_API_KEY | Onyphe API key | |
17
- | OTX_API_KEY | OTX API key | |
18
- | PASSIVETOTAL_API_KEY | PassiveTotal API key | |
19
- | PASSIVETOTAL_USERNAME | PassiveTotal username | |
20
- | PULSEDIVE_API_KEY | Pulsedive API key | |
21
- | SECURITYTRAILS_API_KEY | SecurityTrails API key | |
22
- | SHODAN_API_KEY | Shodan API key | |
23
- | SLACK_CHANNEL | Slack channel name | `#general` |
24
- | SLACK_WEBHOOK_URL | Slack Webhook URL | |
25
- | THEHIVE_URL | TheHive URL, | |
26
- | THEHIVE_API_KEY | TheHive API key, | |
27
- | URLSCAN_API_KEY | urlscan.io API key, | |
28
- | VIRUSTOTAL_API_KEY | VirusTotal API key | |
29
- | ZOOMEYE_API_KEY | ZoomEye API key | |
30
- | SENTRY_DSN | Sentry DSN | |
31
- | RETRY_INTERVAL | Retry interval | 5 |
32
- | RETRY_TIMES | Retry times | 3 |
33
- | PAGINATION_LIMIT | Pagination limit | 100 |
34
-
35
- Or you can set values through `.env` file. Values in `.env` file will be automatically loaded.
data/docs/emitters/database.md DELETED
@@ -1,22 +0,0 @@
1
- # Database
2
-
3
- This emitter stores data in a database. This emitter uses SQLite3 by default but you can change to use MySQL or PostgreSQL. The database is a primary database of Mihari. Each data generated by Mihari is stored in the database. You can view the data via the built-in web app.
4
-
5
- Mihari loads a database URL via environment variable `DATABASE_URL`. Defaults to `sqlite3:///mihari.db"` (SQLite3).
6
-
7
- If you want to use MySQL or PostgreSQL, please set a database URL for that.
8
-
9
- - MySQL: `mysql2://username:password@host:3306/database` (+ `gem install mysql2`)
10
- - PostgreSQL: `postgres://username:password@host:5432/database` (+ `gem install pg`)
11
-
12
- ```yaml
13
- emitter: database
14
- ```
15
-
16
- !!! note
17
-
18
- You have to initialize the database by `mihari db migrate`.
19
-
20
- ## ER Diagram
21
-
22
- ![](https://imgur.com/krhoSgh.png)
data/docs/emitters/hive.md DELETED
@@ -1,26 +0,0 @@
1
- # TheHive
2
-
3
- - [https://thehive-project.org/](https://thehive-project.org/)
4
-
5
- This emitter creates an alert on TheHive. TheHive v4 & v5 are supported.
6
-
7
- ```yaml
8
- emitter: thehive
9
- url: ...
10
- api_key: ...
11
- api_version: ...
12
- ```
13
-
14
- ## Components
15
-
16
- ### URL
17
-
18
- `url` (`string`) is a TheHive URL. Optional. Defaults to `ENV[”THEHIVE_URL”]`.
19
-
20
- ### API Key
21
-
22
- `api_key` (`string`) is an API key. Optional. Defaults to `ENV[”THEHIVE_API_KEY”]`.
23
-
24
- ### API Version
25
-
26
- `api_version` (`string`) is a version of The Hive API. Optional. `v4` or `v5`. Defaults to `ENV[”THEHIVE_API_VERSION”]`.