mihari 5.7.0 → 5.7.1

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: mihari
 version: !ruby/object:Gem::Version
-  version: 5.7.0
+  version: 5.7.1
 platform: ruby
 authors:
 - Manabu Niseki
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2023-11-03 00:00:00.000000000 Z
+date: 2023-11-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -856,133 +856,7 @@ files:
 - bin/setup
 - build_frontend.sh
 - config.ru
-- docs/alternatives.md
-- docs/analyzers/binaryedge.md
-- docs/analyzers/censys.md
-- docs/analyzers/circl.md
-- docs/analyzers/crtsh.md
-- docs/analyzers/dnstwister.md
-- docs/analyzers/feed.md
-- docs/analyzers/fofa.md
-- docs/analyzers/greynoise.md
-- docs/analyzers/hunterhow.md
-- docs/analyzers/index.md
-- docs/analyzers/onyphe.md
-- docs/analyzers/otx.md
-- docs/analyzers/passivetotal.md
-- docs/analyzers/pulsedive.md
-- docs/analyzers/securitytrails.md
-- docs/analyzers/shodan.md
-- docs/analyzers/urlscan.md
-- docs/analyzers/virustotal.md
-- docs/analyzers/virustotal_intelligence.md
-- docs/analyzers/zoomeye.md
-- docs/configuration.md
-- docs/emitters/database.md
-- docs/emitters/hive.md
-- docs/emitters/index.md
-- docs/emitters/misp.md
-- docs/emitters/slack.md
-- docs/emitters/webhook.md
-- docs/enrichers/google_public_dns.md
-- docs/enrichers/index.md
-- docs/enrichers/ipinfo.md
-- docs/enrichers/shodan.md
-- docs/enrichers/whois.md
-- docs/github_actions.md
-- docs/index.md
-- docs/installation.md
-- docs/requirements.md
-- docs/rule.md
-- docs/tags.md
-- docs/usage.md
 - exe/mihari
-- frontend/.eslintrc.cjs
-- frontend/.gitignore
-- frontend/.prettierrc.json
-- frontend/README.md
-- frontend/env.d.ts
-- frontend/index.html
-- frontend/package-lock.json
-- frontend/package.json
-- frontend/public/favicon.ico
-- frontend/scripts/swagger_doc_to_yaml.rb
-- frontend/src/App.vue
-- frontend/src/ace-config.ts
-- frontend/src/api-helper.ts
-- frontend/src/api.ts
-- frontend/src/components/ErrorMessage.vue
-- frontend/src/components/Loading.vue
-- frontend/src/components/Navbar.vue
-- frontend/src/components/Pagination.vue
-- frontend/src/components/alert/Alert.vue
-- frontend/src/components/alert/Alerts.vue
-- frontend/src/components/alert/AlertsWithPagination.vue
-- frontend/src/components/alert/AlertsWrapper.vue
-- frontend/src/components/alert/Form.vue
-- frontend/src/components/artifact/AS.vue
-- frontend/src/components/artifact/Artifact.vue
-- frontend/src/components/artifact/ArtifactTag.vue
-- frontend/src/components/artifact/ArtifactTags.vue
-- frontend/src/components/artifact/ArtifactWrapper.vue
-- frontend/src/components/artifact/CPEs.vue
-- frontend/src/components/artifact/DnsRecords.vue
-- frontend/src/components/artifact/Ports.vue
-- frontend/src/components/artifact/ReverseDnsNames.vue
-- frontend/src/components/artifact/Tags.vue
-- frontend/src/components/artifact/WhoisRecord.vue
-- frontend/src/components/config/Configs.vue
-- frontend/src/components/config/ConfigsWrapper.vue
-- frontend/src/components/link/Link.vue
-- frontend/src/components/link/Links.vue
-- frontend/src/components/rule/EditRule.vue
-- frontend/src/components/rule/EditRuleWrapper.vue
-- frontend/src/components/rule/Form.vue
-- frontend/src/components/rule/InputForm.vue
-- frontend/src/components/rule/NewRule.vue
-- frontend/src/components/rule/Rule.vue
-- frontend/src/components/rule/RuleWrapper.vue
-- frontend/src/components/rule/Rules.vue
-- frontend/src/components/rule/RulesWrapper.vue
-- frontend/src/components/rule/YAML.vue
-- frontend/src/components/tag/Tag.vue
-- frontend/src/components/tag/Tags.vue
-- frontend/src/countries.ts
-- frontend/src/index.ts
-- frontend/src/links/anyrun.ts
-- frontend/src/links/base.ts
-- frontend/src/links/censys.ts
-- frontend/src/links/crtsh.ts
-- frontend/src/links/dnslytics.ts
-- frontend/src/links/greynoise.ts
-- frontend/src/links/index.ts
-- frontend/src/links/intezer.ts
-- frontend/src/links/otx.ts
-- frontend/src/links/securitytrails.ts
-- frontend/src/links/shodan.ts
-- frontend/src/links/urlscan.ts
-- frontend/src/links/virustotal.ts
-- frontend/src/main.ts
-- frontend/src/router/index.ts
-- frontend/src/rule.ts
-- frontend/src/shims-vue.d.ts
-- frontend/src/swagger.yaml
-- frontend/src/types.ts
-- frontend/src/utils.ts
-- frontend/src/views/Alerts.vue
-- frontend/src/views/Artifact.vue
-- frontend/src/views/Configs.vue
-- frontend/src/views/EditRule.vue
-- frontend/src/views/NewRule.vue
-- frontend/src/views/Rule.vue
-- frontend/src/views/Rules.vue
-- frontend/tests/utils.spec.ts
-- frontend/tsconfig.app.json
-- frontend/tsconfig.json
-- frontend/tsconfig.node.json
-- frontend/tsconfig.vitest.json
-- frontend/vite.config.ts
-- frontend/vitest.config.ts
 - lefthook.yml
 - lib/mihari.rb
 - lib/mihari/actor.rb
@@ -1098,7 +972,6 @@ files:
 - lib/mihari/schemas/rule.rb
 - lib/mihari/service.rb
 - lib/mihari/services/alert_builder.rb
-- lib/mihari/services/alert_proxy.rb
 - lib/mihari/services/alert_runner.rb
 - lib/mihari/services/rule_builder.rb
 - lib/mihari/services/rule_runner.rb
@@ -1128,8 +1001,8 @@ files:
 - lib/mihari/web/endpoints/tags.rb
 - lib/mihari/web/middleware/connection_adapter.rb
 - lib/mihari/web/middleware/error_notification_adapter.rb
+- lib/mihari/web/public/assets/index-07fafab5.js
 - lib/mihari/web/public/assets/index-56fc2187.css
-- lib/mihari/web/public/assets/index-821134e2.js
 - lib/mihari/web/public/assets/mode-yaml-24faa242.js
 - lib/mihari/web/public/favicon.ico
 - lib/mihari/web/public/index.html

data/docs/alternatives.md

@@ -1,5 +0,0 @@
-# Alternatives
-
-- [InQuest/ThreatIngestor](https://github.com/InQuest/ThreatIngestor) - Extract and aggregate threat intelligence.
-- [thalesgroup-cert/Watcher](https://github.com/thalesgroup-cert/Watcher) - Watcher - Open Source Cybersecurity Threat Hunting Platform. Developed with Django & React JS.
-- [projectdiscovery/uncover](https://github.com/projectdiscovery/uncover) - Quickly discover exposed hosts on the internet using multiple search engines.

data/docs/analyzers/binaryedge.md

@@ -1,26 +0,0 @@
----
-tags:
-  - Artifact:IP
----
-
-# BinaryEdge
-
-- [https://www.binaryedge.io/](https://www.binaryedge.io/)
-
-This analyzer uses [BinaryEdge API V2](https://docs.binaryedge.io/api-v2/) (`/v2/query/search`) to search. Pagination is supported.
-
-```yaml
-analyzer: binaryedge
-query: ...
-api_key: ...
-```
-
-## Components
-
-### Query
-
-`query` (`string`) is a search query.
-
-### API Key
-
-`api_key` (`string`) is an API key. Optional. Defaults to `ENV[”BINARYEDGE_API_KEY"]`.

data/docs/analyzers/censys.md

@@ -1,31 +0,0 @@
----
-tags:
-  - Artifact:IP
----
-
-# Censys
-
-- [https://censys.io/](https://censys.io/)
-
-This analyzer uses [Censys Search 2.0 REST API](https://search.censys.io/api) to search. Pagination is supported.
-
-```yaml
-analyzer: censys
-query: ...
-id: ...
-secret: ...
-```
-
-## Components
-
-### Query
-
-`query` (`string`) is a search query.
-
-### ID
-
-`id` (`string`) is a Cencys ID. Optional. Defaults to `ENV[”CENSYS_ID”]`.
-
-### Secret
-
-`secret` (`string`) is a Cencys secret. Optional. Defaults to `ENV[”CENSYS_SECRET”]`.

data/docs/analyzers/circl.md

@@ -1,37 +0,0 @@
----
-tags:
-  - Artifact:IP
-  - Passive DNS
-  - Passive SSL
----
-
-# CIRCL Passive DNS/SSL
-
-- [https://www.circl.lu/services/passive-dns/](https://www.circl.lu/services/passive-dns/)
-- [https://www.circl.lu/services/passive-ssl/](https://www.circl.lu/services/passive-ssl/)
-
-This analyzer uses CIRCL passive DNS API or passive SSL API:
-
-- Use passive DNS API if a query(input) is a domain
-- Use passive SSL API if a query(input) is a SHA1 certificate fingerprint
-
-```yaml
-analyzer: circl
-query: ...
-password: ...
-username: ...
-```
-
-## Components
-
-### Query
-
-`query` (`string`) is a domain or SHA1 certificate fingerprint.
-
-### Username
-
-`username` (`string`) is a username. Optional. Defaults to `ENV[”CIRCL_PASSIVE_USERNAME”]`.
-
-### Password
-
-`password` (`string`) is a password. Optional. Defaults to `ENV[”CIRCL_PASSIVE_PASSWORD”]`.

data/docs/analyzers/crtsh.md

@@ -1,26 +0,0 @@
----
-tags:
-  - Artifact:Domain
----
-
-# crt.sh
-
-- [https://crt.sh/](https://crt.sh/)
-
-This analyzer uses [crt.sh](http://crt.sh)'s (unofficial?) REST API.
-
-```yaml
-analyzer: crtsh
-query: ...
-exclude_expired: ...
-```
-
-## Components
-
-### Query
-
-`query` (`string`) is a search query.
-
-### Exclude Expired
-
-`exclude_expired` (`boolean`) determines whether to exclude expired domains or not. Optional. Defaults to `true`.

data/docs/analyzers/dnstwister.md

@@ -1,25 +0,0 @@
----
-tags:
-  - Artifact:Domain
----
-
-# dnstwister
-
-- [https://dnstwister.report/](https://dnstwister.report/)
-
-This analyzer uses [dnstwister API](https://dnstwister.report/api/) to search.
-
-```yaml
-analyzer: dnstwister
-query: ...
-```
-
-## Components
-
-### Query
-
-`query` (`string`) is a search query.
-
-!!! tip
-
-    There is no need to input a domain in hexadecimal format. This analyzer automatically converts a domain (in string format) into a hexadecimal value.

data/docs/analyzers/feed.md

@@ -1,73 +0,0 @@
-# Feed
-
-This analyzer can ingest a feed (JSON or CSV) by specifying conditions.
-
-Note that you should write a selector to get proper IoCs from a feed. A selector is based on [jr](https://github.com/yuya-takeyama/jr).
-
-```yaml
-analyzer: feed
-query: ...
-selector: ...
-method: ...
-headers: ...
-params: ...
-data: ...
-json: ...
-```
-
-## Components
-
-### Query
-
-`query` (`string`) is a URL of a feed.
-
-!!! note
-
-    I know this is a strange naming. It's just for keeping the convention with other analyzers.
-
-### Method
-
-`method` (`string`) is an HTTP method. Defaults to `GET`.
-
-### Selector
-
-`selector` (`string`) is a `jr` selector.
-
-### Headers
-
-`headers` (`hash`) is an HTTP headers. Optional.
-
-### Params
-
-`params` (`hash`) is an HTTP query params. Optional.
-
-### Data
-
-`data` (`hash`) is an HTTP form data. Optional.
-
-### JSON
-
-`json` (`hash`) is an JSON body. Optional.
-
-## Examples
-
-### ThreatFox
-
-```yaml
-analyzer: feed
-query: "https://threatfox-api.abuse.ch/api/v1/"
-method: POST
-json:
-  query: get_iocs
-  days: 1
-headers:
-selector: "map(&:data).unwrap.map(&:ioc).map { |v| v.start_with?('http://', 'https://') ? v :  v.split(':').first }"
-```
-
-### URLhaus
-
-```yaml
-analyzer: feed
-query: "https://urlhaus.abuse.ch/feeds/country/JP/"
-selector: "map { |v| v[1] }"
-```

data/docs/analyzers/fofa.md

@@ -1,31 +0,0 @@
----
-tags:
-  - Artifact:IP
----
-
-# Fofa
-
-- https://en.fofa.info/
-
-This analyzer uses Fofa API (`/api/v1/search/all`) to search. Pagination is supported.
-
-```yaml
-analyzer: fofa
-query: ...
-api_key: ...
-email: ...
-```
-
-## Components
-
-### Query
-
-`query` (`string`) is a search query.
-
-### API Key
-
-`api_key` (`string`) is an API key. Optional. Defaults to `ENV[”FOFA_API_KEY"]`.
-
-### Email
-
-`email` (`string`) is an email. Optional. Defaults to `ENV[”FOFA_EMAIL"]`.

data/docs/analyzers/greynoise.md

@@ -1,26 +0,0 @@
----
-tags:
-  - Artifact:IP
----
-
-# GreyNoise
-
-- [https://www.greynoise.io/](https://www.greynoise.io/)
-
-This analyzer uses GreyNoise API (`/v2/experimental/gnql`) to search. Pagination is supported.
-
-```yaml
-analyzer: greynoise
-query: ...
-api_key: ...
-```
-
-## Components
-
-### Query
-
-`query` (`string`) is a GNQL search query.
-
-### API Key
-
-`api_key` (`string`) is an API key. Optional. Defaults to `ENV[”GREYNOISE_API_KEY"]`.

data/docs/analyzers/hunterhow.md

@@ -1,33 +0,0 @@
----
-tags:
-  - Artifact:IP
----
-
-# Hunter How
-
-- [https://hunter.how/](https://hunter.how/)
-
-This analyzer uses Hunter How API (`https://api.hunter.how/search`) to search. Pagination is supported.
-
-```yaml
-analyzer: hunterhow
-query: ...
-api_key: ...
-start_time: ...
-end_time: ...
-```
-
-## Components
-
-### Query
-
-`query` (`string`) is a search query.
-
-### Start/End Time
-
-- `start_time` (`date`): Only show results after the given date.
-- `end_time` (`date`): Only show results after the given date.
-
-### API key
-
-`api_key` (`string`) is an API key. Optional. Defaults to `ENV[”HUNTERHOW_API_KEY"]`.

data/docs/analyzers/index.md

@@ -1,104 +0,0 @@
-# Analyzers
-
-- [BinaryEdge](binaryedge.md)
-- [Censys](censys.md)
-- [Circle Passive DNS/SSL](circl.md)
-- [crt.sh](crtsh.md)
-- [dnstwister](dnstwister.md)
-- [Feed](feed.md)
-- [Fofa](fofa.md)
-- [GreyNoise](greynoise.md)
-- [HunterHow](hunterhow.md)
-- [Onyphe](onyphe.md)
-- [OTX](otx.md)
-- [PassiveTotal](passivetotal.md)
-- [PulseDive](pulsedive.md)
-- [SecurityTrails](securitytrails.md)
-- [Shodan](shodan.md)
-- [urlscan.io](urlscan.md)
-- [VirusTotal](virustotal.md)
-- [VirusTotal Intelligence](virustotal_intelligence.md)
-
-## Options
-
-All the analyzers can have optional `options`.
-
-```yaml
-analyzer: ...
-query: ...
-options:
-  retry_times: ...
-  retry_interval: ...
-  retry_exponential_backoff: ...
-  timeout: ...
-  ignore_error: ...
-```
-
-Also the following analyzers can have pagination options.
-
-- [Shodan](./shodan.md)
-- [BinaryEdge](./binaryedge.md)
-- [Censys](./censys.md)
-- [ZoomEye](./zoomeye.md)
-- [urlscan.io](./urlscan.md)
-- [VirusTotal Intelligence](./virustotal_intelligence.md)
-- [HunterHow](./hunterhow.md)
-
-```yaml
-options:
-  pagination_interval: ...
-  pagination_limit: ...
-```
-
-### Retry Times
-
-`retry_times` (`integer`) is a number of times of retry when something goes wrong. Optional. Defaults to 3.
-
-### Retry Interval
-
-`retry_interval` (`integer`) is an interval in seconds between retries. Optional. Defaults to 5.
-
-### Retry Exponential Backoff
-
-`retry_exponential_backoff` (`bool`) controls whether to do exponential backoff. Optional. Defaults to `true`.
-
-### Timeout
-
-`timeout` (`integer`) is an HTTP timeout in seconds. Optional.
-
-### Ignore Error
-
-`ignore_error` (`bool`) controls whether to ignore an error or not. Optional. Defaults to `false`.
-
-Mihari uses fail-fast approach. For example, if Shodan returns an error, the Censys query next is not triggered because Mihari raises an error before it.
-
-```yaml
-queries:
-  - analyzer: shodan
-    query: ip:1.1.1.1
-  - analyzer: censys
-    query: ip:8.8.8.8
-```
-
-You can set `ignore_error` option to make it fault tolerance.
-
-```yaml
-queries:
-  - analyzer: shodan
-    query: ip:1.1.1.1
-    options:
-      ignore_error: true
-  - analyzer: censys
-    query: ip:8.8.8.8
-```
-
-### Pagination Interval
-
-`pagination_interval` (`integer`) is an interval in seconds between pagination. Optional. Defaults to 0.
-
-### Pagination Limit
-
-`pagination_limit` (`integer`) is an limit for pagination. Optional. Defaults to 100.
-
-In the worst case, if something wrong with Mihari or a service, Mihari can drain API quota by doing pagination forever.
-`pagination_limit` is a safety valve for that. A number of pagination is limited as `pagination_limit` times.

data/docs/analyzers/onyphe.md

@@ -1,26 +0,0 @@
----
-tags:
-  - Artifact:IP
----
-
-# ONYPHE
-
-- [https://www.onyphe.io/](https://www.onyphe.io/)
-
-This analyzer uses ONYPHE API v2 (`/api/v2/simple/datascan`) to search.
-
-```yaml
-analyzer: onyphe
-query: ...
-api_key: ...
-```
-
-## Components
-
-### Query
-
-`query` (`string`) is a search query.
-
-### API Key
-
-`api_key` (`string`) is an API key. Optional. Defaults to `ENV[”ONYPHE_API_KEY”"]`.

data/docs/analyzers/otx.md

@@ -1,28 +0,0 @@
----
-tags:
-  - Artifact:IP
-  - Artifact:Domain
-  - Passive DNS
----
-
-# OTX
-
-- [https://otx.alienvault.com/](https://otx.alienvault.com/dashboard/new)
-
-This analyzer uses [OTX API v1](https://otx.alienvault.com/api) (`/api/v1/indicators/`) API to search.
-
-```yaml
-analyzer: otx
-query: ...
-api_key: ...
-```
-
-## Components
-
-### Query
-
-`query` (`string`) is a passive DNS search query. Domain or IP address.
-
-### API Key
-
-`api_key` (`string`) is an API key. Optional. Defaults to `ENV[”OTX_API_KEY”"]`.