RubyGems - mihari - Versions diffs - 0.9.0 → 0.9.1 - Mend

mihari 0.9.0 → 0.9.1

Files changed (22) hide show

checksums.yaml +4 -4
data/README.md +10 -3
data/Rakefile +3 -1
data/docker/Dockerfile +6 -4
data/lib/mihari/analyzers/base.rb +3 -2
data/lib/mihari/analyzers/censys.rb +11 -7
data/lib/mihari/analyzers/crtsh.rb +4 -2
data/lib/mihari/analyzers/onyphe.rb +4 -4
data/lib/mihari/analyzers/securitytrails.rb +4 -2
data/lib/mihari/analyzers/securitytrails_domain_feed.rb +4 -2
data/lib/mihari/analyzers/shodan.rb +4 -2
data/lib/mihari/analyzers/urlscan.rb +4 -2
data/lib/mihari/analyzers/virustotal.rb +20 -12
data/lib/mihari/cli.rb +1 -1
data/lib/mihari/emitters/base.rb +1 -1
data/lib/mihari/emitters/misp.rb +1 -1
data/lib/mihari/status.rb +9 -0
data/lib/mihari/version.rb +1 -1
data/mihari.gemspec +1 -1
data/screenshots/eyecatch.png +0 -0
metadata +4 -5
data/examples/vt_passive_dns.rb +0 -46

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a1801d9d520fb6de9a4a27d17145b775b074f87e7e1ff88fcb7c50d5630d19e4
-  data.tar.gz: 886708647767e1d5d5a7aaaf7bfd9aca8d25bc714f7f2faf72e0c2c2c4b3073f
+  metadata.gz: 4175ef15648358026415714167bb1b0567076ad01c20ecf172def0272610ed02
+  data.tar.gz: 5b001b4a18c211441a753c5325f355028ae7bf426dbe2c51d676be95f267cf48
 SHA512:
-  metadata.gz: 727703b118506f0b310ed1422a757f669748057bd6b4bdb091c638d716209c5ff220088c1396c91924ca275c6fb959e2014f80cb5b9ecbdf72eee23025cf2a7d
-  data.tar.gz: 150c88bac7b129001b109b1966dc527eda5a7e734438507028e5e2a79f74d1884d6cf98d63a4142a8c45f37f501093a7214187aac88265d9a15a9e6f3d24d03e
+  metadata.gz: 351a8537861e52c4d4f5e3eb159d83ee10a699870198736169631c7353726ca6e22cf79c35db827b48b10fef9fc1e6ef236bbb4b07d42dde5452d3316fc051d8
+  data.tar.gz: 1467f8fbbce999eef16a72e430a70a5e40faeb9597f2b6f533a202efe27cce7022598768557b8459d1859c33252311ec63fcbe0005a4225dc076173d4a2b712c

data/README.md CHANGED

@@ -2,6 +2,7 @@
 [![Gem Version](https://badge.fury.io/rb/mihari.svg)](https://badge.fury.io/rb/mihari)
 [![Build Status](https://travis-ci.org/ninoseki/mihari.svg?branch=master)](https://travis-ci.org/ninoseki/mihari)
+[![Docker Cloud Build Status](https://img.shields.io/docker/cloud/build/ninoseki/mihari)](https://hub.docker.com/r/ninoseki/mihari)
 [![Coverage Status](https://coveralls.io/repos/github/ninoseki/mihari/badge.svg?branch=master)](https://coveralls.io/github/ninoseki/mihari?branch=master)
 [![CodeFactor](https://www.codefactor.io/repository/github/ninoseki/mihari/badge)](https://www.codefactor.io/repository/github/ninoseki/mihari)
@@ -26,15 +27,15 @@ You can use mihari without TheHive. But note that mihari depends on TheHive to m
 - TheHive alert example
-![img](./screenshots/alert.png)
+![img](https://github.com/ninoseki/mihari/raw/master/screenshots/alert.png)
 - Slack notification example
-![img](./screenshots/slack.png)
+![img](https://github.com/ninoseki/mihari/raw/master/screenshots/slack.png)
 - MISP event example
-![img](./screenshots/misp.png)
+![img](https://github.com/ninoseki/mihari/raw/master/screenshots/misp.png)
 ## Installation
@@ -159,6 +160,12 @@ All configuration is done via ENV variables.
 | SHODAN_API_KEY         | Shodan API key         | Optional                       |
 | VIRUSTOTAL_API_KEY     | VirusTotal API key     | Optional                       |
+You can check the configuration status via `status` command.
+```bash
+mihari status
+```
 ## How to create a custom script
 Create a class which extends `Mihari::Analyzers::Base` and implements the following methods.

data/Rakefile CHANGED

@@ -1,6 +1,8 @@
+# frozen_string_literal: true
 require "bundler/gem_tasks"
 require "rspec/core/rake_task"
 RSpec::Core::RakeTask.new(:spec)
-task :default => :spec
+task default: :spec

data/docker/Dockerfile CHANGED

@@ -1,10 +1,12 @@
-FROM ruby:2.6
-RUN cd /tmp/ \
+FROM ruby:2.6-alpine3.10
+RUN apk --no-cache add git build-base ruby-dev \
+  && cd /tmp/ \
   && git clone https://github.com/ninoseki/mihari.git \
   && cd mihari \
   && gem build mihari.gemspec -o mihari.gem \
-  && gem install mihari.gem
+  && gem install mihari.gem \
+  && rm -rf /tmp/mihari \
+  && apk del --purge git build-base ruby-dev
 ENTRYPOINT ["mihari"]

data/lib/mihari/analyzers/base.rb CHANGED

@@ -69,10 +69,11 @@ module Mihari
         @unique_artifacts ||= @the_hive.artifact.find_non_existing_artifacts(uncached_artifacts)
       end
-      private
       def set_unique_artifacts
         unique_artifacts
+      rescue ArgumentError => _e
+        klass = self.class.to_s.split("::").last.to_s
+        raise Error, "Please configure #{klass} API settings properly"
       end
     end
   end

data/lib/mihari/analyzers/censys.rb CHANGED

@@ -5,7 +5,6 @@ require "censu"
 module Mihari
   module Analyzers
     class Censys < Base
-      attr_reader :api
       attr_reader :title
       attr_reader :description
       attr_reader :query
@@ -17,9 +16,6 @@ module Mihari
       def initialize(query, title: nil, description: nil, tags: [])
         super()
-        raise ArgumentError, "#{CENSYS_ID_KEY} and #{CENSYS_SECRET_KEY} are required" unless valid?
-        @api = ::Censys::API.new
         @query = query
         @title = title || "Censys lookup"
         @description = description || "query = #{query}"
@@ -36,6 +32,13 @@ module Mihari
         ipv4s
       end
+      # @return [true, false]
+      def valid?
+        censys_id? && censys_secret?
+      end
+      private
       # @return [true, false]
       def censys_id?
         ENV.key? CENSYS_ID_KEY
@@ -46,9 +49,10 @@ module Mihari
         ENV.key? CENSYS_SECRET_KEY
       end
-      # @return [true, false]
-      def valid?
-        censys_id? && censys_secret?
+      def api
+        raise ArgumentError, "#{CENSYS_ID_KEY} and #{CENSYS_SECRET_KEY} are required" unless valid?
+        @api ||= ::Censys::API.new
       end
     end
   end

data/lib/mihari/analyzers/crtsh.rb CHANGED

@@ -5,7 +5,6 @@ require "crtsh"
 module Mihari
   module Analyzers
     class Crtsh < Base
-      attr_reader :api
       attr_reader :title
       attr_reader :description
       attr_reader :query
@@ -14,7 +13,6 @@ module Mihari
       def initialize(query, title: nil, description: nil, tags: [])
         super()
-        @api = ::Crtsh::API.new
         @query = query
         @title = title || "crt.sh lookup"
         @description = description || "query = #{query}"
@@ -28,6 +26,10 @@ module Mihari
       private
+      def api
+        @api ||= ::Crtsh::API.new
+      end
       def search
         api.search(query)
       rescue ::Crtsh::Error => _e

data/lib/mihari/analyzers/onyphe.rb CHANGED

@@ -5,7 +5,6 @@ require "onyphe"
 module Mihari
   module Analyzers
     class Onyphe < Base
-      attr_reader :api
       attr_reader :title
       attr_reader :description
       attr_reader :query
@@ -14,7 +13,6 @@ module Mihari
       def initialize(query, title: nil, description: nil, tags: [])
         super()
-        @api = ::Onyphe::API.new
         @query = query
         @title = title || "Onyphe lookup"
         @description = description || "query = #{query}"
@@ -31,10 +29,12 @@ module Mihari
       private
+      def api
+        @api ||= ::Onyphe::API.new
+      end
       def search
         api.datascan(query)
-      rescue ::Onyphe::Error => _e
-        nil
       end
     end
   end

data/lib/mihari/analyzers/securitytrails.rb CHANGED

@@ -5,7 +5,6 @@ require "securitytrails"
 module Mihari
   module Analyzers
     class SecurityTrails < Base
-      attr_reader :api
       attr_reader :indicator
       attr_reader :type
@@ -16,7 +15,6 @@ module Mihari
       def initialize(indicator, title: nil, description: nil, tags: [])
         super()
-        @api = ::SecurityTrails::API.new
         @indicator = indicator
         @type = TypeChecker.type(indicator)
@@ -31,6 +29,10 @@ module Mihari
       private
+      def api
+        @api ||= ::SecurityTrails::API.new
+      end
       def valid_type?
         %w(ip domain).include? type
       end

data/lib/mihari/analyzers/securitytrails_domain_feed.rb CHANGED

@@ -5,7 +5,6 @@ require "securitytrails"
 module Mihari
   module Analyzers
     class SecurityTrailsDomainFeed < Base
-      attr_reader :api
       attr_reader :type
       attr_reader :title
@@ -15,7 +14,6 @@ module Mihari
       def initialize(regexp, type: "registered", title: nil, description: nil, tags: [])
         super()
-        @api = ::SecurityTrails::API.new
         @_regexp = regexp
         @type = type
@@ -33,6 +31,10 @@ module Mihari
       private
+      def api
+        @api ||= ::SecurityTrails::API.new
+      end
       def valid_type?
         %w(all new registered).include? type
       end

data/lib/mihari/analyzers/shodan.rb CHANGED

@@ -5,7 +5,6 @@ require "shodan"
 module Mihari
   module Analyzers
     class Shodan < Base
-      attr_reader :api
       attr_reader :title
       attr_reader :description
       attr_reader :query
@@ -14,7 +13,6 @@ module Mihari
       def initialize(query, title: nil, description: nil, tags: [])
         super()
-        @api = ::Shodan::API.new
         @query = query
         @title = title || "Shodan lookup"
         @description = description || "query = #{query}"
@@ -33,6 +31,10 @@ module Mihari
       private
+      def api
+        @api ||= ::Shodan::API.new
+      end
       def search
         api.host.search(query)
       rescue ::Shodan::Error => _e

data/lib/mihari/analyzers/urlscan.rb CHANGED

@@ -5,7 +5,6 @@ require "urlscan"
 module Mihari
   module Analyzers
     class Urlscan < Base
-      attr_reader :api
       attr_reader :title
       attr_reader :description
       attr_reader :query
@@ -15,7 +14,6 @@ module Mihari
       def initialize(query, title: nil, description: nil, tags: [], target_type: "url")
         super()
-        @api = ::UrlScan::API.new
         @query = query
         @title = title || "urlscan lookup"
         @description = description || "query = #{query}"
@@ -37,6 +35,10 @@ module Mihari
       private
+      def api
+        @api ||= ::UrlScan::API.new
+      end
       def search
         api.search(query)
       rescue ::UrlScan::ResponseError => _e

data/lib/mihari/analyzers/virustotal.rb CHANGED

@@ -5,7 +5,6 @@ require "virustotal"
 module Mihari
   module Analyzers
     class VirusTotal < Base
-      attr_reader :api
       attr_reader :indicator
       attr_reader :type
@@ -16,7 +15,6 @@ module Mihari
       def initialize(indicator, title: nil, description: nil, tags: [])
         super()
-        @api = ::VirusTotal::API.new
         @indicator = indicator
         @type = TypeChecker.type(indicator)
@@ -31,6 +29,10 @@ module Mihari
       private
+      def api
+        @api = ::VirusTotal::API.new
+      end
       def valid_type?
         %w(ip domain).include? type
       end
@@ -49,22 +51,28 @@ module Mihari
       end
       def domain_lookup
-        report = api.domain.report(indicator)
-        return nil unless report
+        begin
+          res = api.domain.resolutions(indicator)
+        rescue ::VirusTotal::Error => _e
+          return nil
+        end
-        resolutions = report.dig("resolutions") || []
-        resolutions.map do |resolution|
-          resolution.dig("ip_address")
+        data = res.dig("data") || []
+        data.map do |item|
+          item.dig("attributes", "ip_address")
         end.compact.uniq
       end
       def ip_lookup
-        report = api.ip_address.report(indicator)
-        return nil unless report
+        begin
+          res = api.ip_address.resolutions(indicator)
+        rescue ::VirusTotal::Error => _e
+          return nil
+        end
-        resolutions = report.dig("resolutions") || []
-        resolutions.map do |resolution|
-          resolution.dig("hostname")
+        data = res.dig("data") || []
+        data.map do |item|
+          item.dig("attributes", "host_name")
         end.compact.uniq
       end
     end

data/lib/mihari/cli.rb CHANGED

@@ -135,7 +135,7 @@ module Mihari
       def parse_as_json(input)
         JSON.parse input
-      rescue JSON::ParserError => e
+      rescue JSON::ParserError => _e
         nil
       end

data/lib/mihari/emitters/base.rb CHANGED

@@ -12,7 +12,7 @@ module Mihari
         raise NotImplementedError, "You must implement #{self.class}##{__method__}"
       end
-      def emit(title:, description:, artifacts:)
+      def emit(*)
         raise NotImplementedError, "You must implement #{self.class}##{__method__}"
       end
     end

data/lib/mihari/emitters/misp.rb CHANGED

@@ -11,7 +11,7 @@ module Mihari
         api_endpoint? && api_key? && ping?
       end
-      def emit(title:, description:, artifacts:, tags: [])
+      def emit(title:, artifacts:, tags: [], **_options)
         event = ::MISP::Event.new(info: title)
         artifacts.each do |artifact|

data/lib/mihari/status.rb CHANGED

@@ -5,6 +5,7 @@ module Mihari
     def check
       {
         censys: { status: censys?, message: censys },
+        misp: { status: misp?, message: misp },
         onyphe: { status: onyphe?, message: onyphe },
         securitytrails: { status: securitytrails?, message: securitytrails },
         shodan: { status: shodan?, message: shodan },
@@ -84,5 +85,13 @@ module Mihari
     def the_hive
       the_hive? ? "THEHIVE_API_ENDPOINT and THEHIVE_API_KEY are found" : "THEHIVE_API_ENDPOINT and THEHIVE_API_KEY are are missing"
     end
+    def misp?
+      ENV.key?("MISP_API_ENDPOINT") && ENV.key?("MISP_API_KEY")
+    end
+    def misp
+      misp? ? "MISP_API_ENDPOINT and MISP_API_KEY are found" : "MISP_API_ENDPOINT and MISP_API_KEY are are missing"
+    end
   end
 end

data/lib/mihari/version.rb CHANGED

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 module Mihari
-  VERSION = "0.9.0"
+  VERSION = "0.9.1"
 end

data/mihari.gemspec CHANGED

@@ -50,5 +50,5 @@ Gem::Specification.new do |spec|
   spec.add_dependency "slack-notifier", "~> 2.3"
   spec.add_dependency "thor", "~> 0.20"
   spec.add_dependency "urlscan", "~> 0.4"
-  spec.add_dependency "virustotalx", "~> 0.1"
+  spec.add_dependency "virustotalx", "~> 1.0"
 end

data/screenshots/eyecatch.png CHANGED

Binary file

metadata CHANGED

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: mihari
 version: !ruby/object:Gem::Version
-  version: 0.9.0
+  version: 0.9.1
 platform: ruby
 authors:
 - Manabu Niseki
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2019-09-24 00:00:00.000000000 Z
+date: 2019-09-27 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -366,14 +366,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.1'
+        version: '1.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.1'
+        version: '1.0'
 description: A framework for continuous malicious hosts monitoring.
 email:
 - manabu.niseki@gmail.com
@@ -393,7 +393,6 @@ files:
 - bin/setup
 - docker/Dockerfile
 - examples/ipinfo_hosted_domains.rb
-- examples/vt_passive_dns.rb
 - exe/mihari
 - lib/mihari.rb
 - lib/mihari/alert_viewer.rb

data/examples/vt_passive_dns.rb DELETED

@@ -1,46 +0,0 @@
-# frozen_string_literal: true
-$LOAD_PATH.unshift("#{__dir__}/../lib")
-require "mihari"
-require "virustotal_api"
-module Mihari
-  module Analyzers
-    class VTPassiveDNS < Base
-      attr_reader :ip
-      def initialize(ip, api_key: nil)
-        @ip = ip
-        @api_key = api_key
-      end
-      def title
-        "VT passive DNS"
-      end
-      def description
-        "VT passive DNS: #{ip}"
-      end
-      def api_key
-        ENV["VT_API_KEY"] || @api_key
-      end
-      def artifacts
-        ip_report = VirustotalAPI::IPReport.find(ip, api_key)
-        return [] unless ip_report.exists?
-        report = ip_report.report
-        report.dig("resolutions")&.map do |resolution|
-          resolution.dig("hostname")
-        end&.compact
-      end
-    end
-  end
-end
-ip = "TARGET_IP"
-analyzer = Mihari::Analyzers::VTPassiveDNS.new(ip)
-analyzer.run