mihari 0.5.0 → 0.5.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 0a78aa76416da5dc139e1fe11ce2d2475a45deda3a82caa1fa21eecd6e291711
-  data.tar.gz: 9958ca0873d55c20525c3fa9186b266bbfba68c957997ae14f73a1d136d2032e
+  metadata.gz: 6409ca38527e133337f4dbe174615e3c84aff5d4d82effcc40d57e63c0a6f80c
+  data.tar.gz: 6814631990a33c3c3363863d7e9c00d8d3d1ca4f48f0862226cc5416e7be1a14
 SHA512:
-  metadata.gz: 4d80e8026601ca12ed90b45d21ef0eb88a53cd1312d6f29f910ded76d7fa76e72c3295051e59a91e159d88cc54b3abec627837bbb6e53eda8a75c4acc52edcb2
-  data.tar.gz: f70660b7da90c4ae9a13cfba050d775283072fbd135d30b58df6d17ae41e6799532038bef16fe76a183e81a07ab188aada365f418a733540ee15436df0b6295f
+  metadata.gz: 5693f87250cd3f23047932adc24a781074038ebaf34c3a2a4aabc921446053df0f426a259b1cc51d49f0dae5e9f6fdf64a8391dcb45f7c323267051b8b2823fd
+  data.tar.gz: d5337291e107b38a69ef4d70900b3c90a2c8f5eba13cdc96efb30ded29ff90fa6f0eec08595045fb3407d094f37d9572a458292686088b74b29a3f8e96888c69

data/lib/mihari/analyzers/base.rb

@@ -29,21 +29,21 @@ module Mihari
         []
       end
 
-      def run(reject_exists_ones: true)
-        artifacts = reject_exists_ones ? unique_artifacts : normalized_artifacts
-
+      def run
         Mihari.emitters.each do |emitter_class|
           emitter = emitter_class.new
           next unless emitter.valid?
 
-          begin
-            emitter.emit(title: title, description: description, artifacts: artifacts, tags: tags)
-          rescue StandardError => e
-            puts "Sending notification by #{emitter.class} is failed: #{e}"
-          end
+          run_emitter emitter
         end
       end
 
+      def run_emitter(emitter)
+        emitter.emit(title: title, description: description, artifacts: unique_artifacts, tags: tags)
+      rescue StandardError => e
+        puts "Emission by #{emitter.class} is failed: #{e}"
+      end
+
       private
 
       # @return [Array<Mihari::Artifact>]

data/lib/mihari/cli.rb

@@ -8,58 +8,70 @@ module Mihari
     desc "censys [QUERY]", "Censys IPv4 lookup by a given query"
     method_option :tags, type: :array, desc: "tags"
     def censys(query)
-      tags = options.dig("tags") || []
-      censys = Analyzers::Censys.new(query, tags: tags)
-      run_analyzer censys
+      with_error_handling do
+        tags = options.dig("tags") || []
+        censys = Analyzers::Censys.new(query, tags: tags)
+        censys.run
+      end
     end
 
     desc "shodan [QUERY]", "Shodan host lookup by a given query"
     method_option :tags, type: :array, desc: "tags"
     def shodan(query)
-      tags = options.dig("tags") || []
-      shodan = Analyzers::Shodan.new(query, tags: tags)
-      run_analyzer shodan
+      with_error_handling do
+        tags = options.dig("tags") || []
+        shodan = Analyzers::Shodan.new(query, tags: tags)
+        shodan.run
+      end
     end
 
     desc "onyphe [QUERY]", "Onyphe datascan lookup by a given query"
     method_option :tags, type: :array, desc: "tags"
     def onyphe(query)
-      tags = options.dig("tags") || []
-      onyphe = Analyzers::Onyphe.new(query, tags: tags)
-      run_analyzer onyphe
+      with_error_handling do
+        tags = options.dig("tags") || []
+        onyphe = Analyzers::Onyphe.new(query, tags: tags)
+        onyphe.run
+      end
     end
 
     desc "urlscan [QUERY]", "urlscan lookup by a given query"
     method_option :tags, type: :array, desc: "tags"
     def urlscan(query)
-      tags = options.dig("tags") || []
-      urlscan = Analyzers::Urlscan.new(query, tags: tags)
-      run_analyzer urlscan
+      with_error_handling do
+        tags = options.dig("tags") || []
+        urlscan = Analyzers::Urlscan.new(query, tags: tags)
+        urlscan.run
+      end
     end
 
     desc "virustotal [IP|DOMAIN]", "VirusTotal resolutions lookup by a given ip or domain"
     method_option :tags, type: :array, desc: "tags"
     def virustotal(indiactor)
-      tags = options.dig("tags") || []
-      virustotal = Analyzers::VirusTotal.new(indiactor, tags: tags)
-      run_analyzer virustotal
+      with_error_handling do
+        tags = options.dig("tags") || []
+        virustotal = Analyzers::VirusTotal.new(indiactor, tags: tags)
+        virustotal.run
+      end
     end
 
     desc "import_from_json", "Give a JSON input via STDIN"
     def import_from_json(input = nil)
-      json = input || STDIN.gets.chomp
-      raise ArgumentError, "Input not found: please give an input in a JSON format" unless json
+      with_error_handling do
+        json = input || STDIN.gets.chomp
+        raise ArgumentError, "Input not found: please give an input in a JSON format" unless json
 
-      json = parse_as_json(json)
-      raise ArgumentError, "Invalid input format: an input JSON data should have title, description and artifacts key" unless valid_json?(json)
+        json = parse_as_json(json)
+        raise ArgumentError, "Invalid input format: an input JSON data should have title, description and artifacts key" unless valid_json?(json)
 
-      title = json.dig("title")
-      description = json.dig("description")
-      artifacts = json.dig("artifacts")
-      tags = json.dig("tags") || []
+        title = json.dig("title")
+        description = json.dig("description")
+        artifacts = json.dig("artifacts")
+        tags = json.dig("tags") || []
 
-      basic = Analyzers::Basic.new(title: title, description: description, artifacts: artifacts, tags: tags)
-      run_analyzer basic
+        basic = Analyzers::Basic.new(title: title, description: description, artifacts: artifacts, tags: tags)
+        basic.run
+      end
     end
 
     desc "alerts", "Show the alerts on TheHive"
@@ -75,15 +87,9 @@ module Mihari
     no_commands do
       def with_error_handling
         yield
-      rescue ArgumentError, Hachi::Error, Censys::ResponseError, Error => e
-        puts "Warning: #{e}"
       rescue StandardError => e
-        puts "Warning: #{e}"
-        puts e.backtrace.join('\n')
-      end
-
-      def run_analyzer(analyzer)
-        with_error_handling { analyzer.run }
+        notifier = Notifiers::ExceptionNotifier.new
+        notifier.notify e
       end
 
       def parse_as_json(input)

data/lib/mihari/emitters/slack.rb

@@ -100,23 +100,12 @@ module Mihari
     end
 
     class Slack < Base
-      SLACK_WEBHOOK_URL_KEY = "SLACK_WEBHOOK_URL"
-      SLACK_CHANNEL_KEY = "SLACK_CHANNEL"
-
-      def slack_channel
-        ENV.fetch SLACK_CHANNEL_KEY, "#general"
-      end
-
-      def slack_webhook_url
-        ENV.fetch SLACK_WEBHOOK_URL_KEY
-      end
-
-      def slack_webhook_url?
-        ENV.key? SLACK_WEBHOOK_URL_KEY
+      def notifier
+        @notifier ||= Notifiers::Slack.new
       end
 
       def valid?
-        slack_webhook_url?
+        notifier.valid?
       end
 
       def to_attachments(artifacts)
@@ -130,9 +119,9 @@ module Mihari
 
         attachments = to_attachments(artifacts)
         tags = ["N/A"] if tags.empty?
+        text = "#{title} (desc.: #{description} / tags: #{tags.join(', ')})"
 
-        notifier = ::Slack::Notifier.new(slack_webhook_url, channel: slack_channel)
-        notifier.post(text: "#{title} (desc.: #{description} / tags: #{tags.join(', ')})", attachments: attachments)
+        notifier.notify(text: text, attachments: attachments)
       end
     end
   end

data/lib/mihari/notifiers/base.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+module Mihari
+  module Notifiers
+    class Base
+      # @return [true, false]
+      def valid?
+        raise NotImplementedError, "You must implement #{self.class}##{__method__}"
+      end
+
+      def notify
+        raise NotImplementedError, "You must implement #{self.class}##{__method__}"
+      end
+    end
+  end
+end

data/lib/mihari/notifiers/exception_notifier.rb

@@ -0,0 +1,78 @@
+# frozen_string_literal: true
+
+require "json"
+
+module Mihari
+  module Notifiers
+    class ExceptionNotifier
+      def initialize
+        @backtrace_lines = 10
+        @color = 'danger'
+
+        @slack = Notifiers::Slack.new
+      end
+
+      def valid?
+        @slack.valid?
+      end
+
+      def notify(exception)
+        notify_to_stdout exception
+
+        clean_message = exception.message.tr('`', "'")
+        attachments = to_attachments(exception, clean_message)
+        notify_to_slack(text: clean_message, attachments: attachments) if @slack.valid?
+      end
+
+      def notify_to_slack(text:, attachments:)
+        @slack.notify(text: text, attachments: attachments)
+      end
+
+      def notify_to_stdout(exception)
+        text = to_text(exception.class).chomp
+        message = "#{text}: #{exception.message}"
+        puts message
+        puts format_backtrace(exception.backtrace) if exception.backtrace
+      end
+
+      def to_attachments(exception, clean_message)
+        text = to_text(exception.class)
+        backtrace = exception.backtrace
+        fields = to_fields(clean_message, backtrace)
+
+        [color: @color, text: text, fields: fields, mrkdwn_in: %w[text fields]]
+      end
+
+      def to_text(exception_class)
+        measure_word = /^[aeiou]/i.match?(exception_class.to_s) ? 'An' : 'A'
+        exception_name = "*#{measure_word}* `#{exception_class}`"
+        "#{exception_name} *occured in background*\n"
+      end
+
+      def to_fields(clean_message, backtrace)
+        fields = [
+          { title: 'exception', value: clean_message },
+          { title: 'Hostname', value: hostname }
+        ]
+
+        if backtrace
+          formatted_backtrace = format_backtrace(backtrace)
+          fields << { title: 'Backtrace', value: formatted_backtrace }
+        end
+        fields
+      end
+
+      def hostname
+        Socket.gethostname
+      rescue StandardError => _e
+        "N/A"
+      end
+
+      def format_backtrace(backtrace)
+        return nil unless backtrace
+
+        "```#{backtrace.first(@backtrace_lines).join("\n")}```"
+      end
+    end
+  end
+end

data/lib/mihari/notifiers/slack.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+module Mihari
+  module Notifiers
+    class Slack < Base
+      SLACK_WEBHOOK_URL_KEY = "SLACK_WEBHOOK_URL"
+      SLACK_CHANNEL_KEY = "SLACK_CHANNEL"
+
+      def slack_channel
+        ENV.fetch SLACK_CHANNEL_KEY, "#general"
+      end
+
+      def slack_webhook_url
+        ENV.fetch SLACK_WEBHOOK_URL_KEY
+      end
+
+      def slack_webhook_url?
+        ENV.key? SLACK_WEBHOOK_URL_KEY
+      end
+
+      def valid?
+        slack_webhook_url?
+      end
+
+      def notify(text:, attachments: [])
+        notifier = ::Slack::Notifier.new(slack_webhook_url, channel: slack_channel)
+        notifier.post(text: text, attachments: attachments)
+      end
+    end
+  end
+end

data/lib/mihari/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Mihari
-  VERSION = "0.5.0"
+  VERSION = "0.5.1"
 end

data/lib/mihari.rb

@@ -33,6 +33,10 @@ require "mihari/analyzers/shodan"
 require "mihari/analyzers/urlscan"
 require "mihari/analyzers/virustotal"
 
+require "mihari/notifiers/base"
+require "mihari/notifiers/slack"
+require "mihari/notifiers/exception_notifier"
+
 require "mihari/emitters/base"
 require "mihari/emitters/slack"
 require "mihari/emitters/stdout"

data/mihari.gemspec

@@ -41,7 +41,7 @@ Gem::Specification.new do |spec|
   spec.add_dependency "public_suffix", "~> 3.1"
   spec.add_dependency "shodanx", "~> 0.1"
   spec.add_dependency "slack-notifier", "~> 2.3"
-  spec.add_dependency "thor", "~> 0.19"
+  spec.add_dependency "thor", "~> 0.20"
   spec.add_dependency "urlscan", "~> 0.2"
   spec.add_dependency "virustotalx", "~> 0.1"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: mihari
 version: !ruby/object:Gem::Version
-  version: 0.5.0
+  version: 0.5.1
 platform: ruby
 authors:
 - Manabu Niseki
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2019-08-12 00:00:00.000000000 Z
+date: 2019-08-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -240,14 +240,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.19'
+        version: '0.20'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.19'
+        version: '0.20'
 - !ruby/object:Gem::Dependency
   name: urlscan
   requirement: !ruby/object:Gem::Requirement
@@ -312,6 +312,9 @@ files:
 - lib/mihari/emitters/stdout.rb
 - lib/mihari/emitters/the_hive.rb
 - lib/mihari/errors.rb
+- lib/mihari/notifiers/base.rb
+- lib/mihari/notifiers/exception_notifier.rb
+- lib/mihari/notifiers/slack.rb
 - lib/mihari/the_hive.rb
 - lib/mihari/the_hive/alert.rb
 - lib/mihari/the_hive/artifact.rb