RubyGems - mihari - Versions diffs - 0.9.0 → 0.9.1 - Mend

mihari 0.9.0 → 0.9.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (22) hide show

checksums.yaml +4 -4
data/README.md +10 -3
data/Rakefile +3 -1
data/docker/Dockerfile +6 -4
data/lib/mihari/analyzers/base.rb +3 -2
data/lib/mihari/analyzers/censys.rb +11 -7
data/lib/mihari/analyzers/crtsh.rb +4 -2
data/lib/mihari/analyzers/onyphe.rb +4 -4
data/lib/mihari/analyzers/securitytrails.rb +4 -2
data/lib/mihari/analyzers/securitytrails_domain_feed.rb +4 -2
data/lib/mihari/analyzers/shodan.rb +4 -2
data/lib/mihari/analyzers/urlscan.rb +4 -2
data/lib/mihari/analyzers/virustotal.rb +20 -12
data/lib/mihari/cli.rb +1 -1
data/lib/mihari/emitters/base.rb +1 -1
data/lib/mihari/emitters/misp.rb +1 -1
data/lib/mihari/status.rb +9 -0
data/lib/mihari/version.rb +1 -1
data/mihari.gemspec +1 -1
data/screenshots/eyecatch.png +0 -0
metadata +4 -5
data/examples/vt_passive_dns.rb +0 -46

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a1801d9d520fb6de9a4a27d17145b775b074f87e7e1ff88fcb7c50d5630d19e4
-  data.tar.gz: 886708647767e1d5d5a7aaaf7bfd9aca8d25bc714f7f2faf72e0c2c2c4b3073f
+  metadata.gz: 4175ef15648358026415714167bb1b0567076ad01c20ecf172def0272610ed02
+  data.tar.gz: 5b001b4a18c211441a753c5325f355028ae7bf426dbe2c51d676be95f267cf48
 SHA512:
-  metadata.gz: 727703b118506f0b310ed1422a757f669748057bd6b4bdb091c638d716209c5ff220088c1396c91924ca275c6fb959e2014f80cb5b9ecbdf72eee23025cf2a7d
-  data.tar.gz: 150c88bac7b129001b109b1966dc527eda5a7e734438507028e5e2a79f74d1884d6cf98d63a4142a8c45f37f501093a7214187aac88265d9a15a9e6f3d24d03e
+  metadata.gz: 351a8537861e52c4d4f5e3eb159d83ee10a699870198736169631c7353726ca6e22cf79c35db827b48b10fef9fc1e6ef236bbb4b07d42dde5452d3316fc051d8
+  data.tar.gz: 1467f8fbbce999eef16a72e430a70a5e40faeb9597f2b6f533a202efe27cce7022598768557b8459d1859c33252311ec63fcbe0005a4225dc076173d4a2b712c

data/README.md CHANGED

@@ -2,6 +2,7 @@
 [![Gem Version](https://badge.fury.io/rb/mihari.svg)](https://badge.fury.io/rb/mihari)
 [![Build Status](https://travis-ci.org/ninoseki/mihari.svg?branch=master)](https://travis-ci.org/ninoseki/mihari)
+[![Docker Cloud Build Status](https://img.shields.io/docker/cloud/build/ninoseki/mihari)](https://hub.docker.com/r/ninoseki/mihari)
 [![Coverage Status](https://coveralls.io/repos/github/ninoseki/mihari/badge.svg?branch=master)](https://coveralls.io/github/ninoseki/mihari?branch=master)
 [![CodeFactor](https://www.codefactor.io/repository/github/ninoseki/mihari/badge)](https://www.codefactor.io/repository/github/ninoseki/mihari)
@@ -26,15 +27,15 @@ You can use mihari without TheHive. But note that mihari depends on TheHive to m
 - TheHive alert example
-![img](./screenshots/alert.png)
+![img](https://github.com/ninoseki/mihari/raw/master/screenshots/alert.png)
 - Slack notification example
-![img](./screenshots/slack.png)
+![img](https://github.com/ninoseki/mihari/raw/master/screenshots/slack.png)
 - MISP event example
-![img](./screenshots/misp.png)
+![img](https://github.com/ninoseki/mihari/raw/master/screenshots/misp.png)
 ## Installation
@@ -159,6 +160,12 @@ All configuration is done via ENV variables.
 | SHODAN_API_KEY         | Shodan API key         | Optional                       |
 | VIRUSTOTAL_API_KEY     | VirusTotal API key     | Optional                       |
+You can check the configuration status via `status` command.
+```bash
+mihari status
+```
 ## How to create a custom script
 Create a class which extends `Mihari::Analyzers::Base` and implements the following methods.

data/Rakefile CHANGED

@@ -1,6 +1,8 @@
+# frozen_string_literal: true
 require "bundler/gem_tasks"
 require "rspec/core/rake_task"
 RSpec::Core::RakeTask.new(:spec)
-task :default => :spec
+task default: :spec

data/docker/Dockerfile CHANGED

@@ -1,10 +1,12 @@
-FROM ruby:2.6
-RUN cd /tmp/ \
+FROM ruby:2.6-alpine3.10
+RUN apk --no-cache add git build-base ruby-dev \
+  && cd /tmp/ \
   && git clone https://github.com/ninoseki/mihari.git \
   && cd mihari \
   && gem build mihari.gemspec -o mihari.gem \
-  && gem install mihari.gem
+  && gem install mihari.gem \
+  && rm -rf /tmp/mihari \
+  && apk del --purge git build-base ruby-dev
 ENTRYPOINT ["mihari"]

data/lib/mihari/analyzers/base.rb CHANGED

@@ -69,10 +69,11 @@ module Mihari
         @unique_artifacts ||= @the_hive.artifact.find_non_existing_artifacts(uncached_artifacts)
       end
-      private
       def set_unique_artifacts
         unique_artifacts
+      rescue ArgumentError => _e
+        klass = self.class.to_s.split("::").last.to_s
+        raise Error, "Please configure #{klass} API settings properly"
       end
     end
   end

data/lib/mihari/analyzers/censys.rb CHANGED

@@ -5,7 +5,6 @@ require "censu"
 module Mihari
   module Analyzers
     class Censys < Base
-      attr_reader :api
       attr_reader :title
       attr_reader :description
       attr_reader :query
@@ -17,9 +16,6 @@ module Mihari
       def initialize(query, title: nil, description: nil, tags: [])
         super()
-        raise ArgumentError, "#{CENSYS_ID_KEY} and #{CENSYS_SECRET_KEY} are required" unless valid?
-        @api = ::Censys::API.new
         @query = query
         @title = title || "Censys lookup"
         @description = description || "query = #{query}"
@@ -36,6 +32,13 @@ module Mihari
         ipv4s
       end
+      # @return [true, false]
+      def valid?
+        censys_id? && censys_secret?
+      end
+      private
       # @return [true, false]
       def censys_id?
         ENV.key? CENSYS_ID_KEY
@@ -46,9 +49,10 @@ module Mihari
         ENV.key? CENSYS_SECRET_KEY
       end
-      # @return [true, false]
-      def valid?
-        censys_id? && censys_secret?
+      def api
+        raise ArgumentError, "#{CENSYS_ID_KEY} and #{CENSYS_SECRET_KEY} are required" unless valid?
+        @api ||= ::Censys::API.new
       end
     end
   end

data/lib/mihari/analyzers/crtsh.rb CHANGED

@@ -5,7 +5,6 @@ require "crtsh"
 module Mihari
   module Analyzers
     class Crtsh < Base
-      attr_reader :api
       attr_reader :title
       attr_reader :description
       attr_reader :query
@@ -14,7 +13,6 @@ module Mihari
       def initialize(query, title: nil, description: nil, tags: [])
         super()
-        @api = ::Crtsh::API.new
         @query = query
         @title = title || "crt.sh lookup"
         @description = description || "query = #{query}"
@@ -28,6 +26,10 @@ module Mihari
       private
+      def api
+        @api ||= ::Crtsh::API.new
+      end
       def search
         api.search(query)
       rescue ::Crtsh::Error => _e

data/lib/mihari/analyzers/onyphe.rb CHANGED

@@ -5,7 +5,6 @@ require "onyphe"
 module Mihari
   module Analyzers
     class Onyphe < Base
-      attr_reader :api
       attr_reader :title
       attr_reader :description
       attr_reader :query
@@ -14,7 +13,6 @@ module Mihari
       def initialize(query, title: nil, description: nil, tags: [])
         super()
-        @api = ::Onyphe::API.new
         @query = query
         @title = title || "Onyphe lookup"
         @description = description || "query = #{query}"
@@ -31,10 +29,12 @@ module Mihari
       private
+      def api
+        @api ||= ::Onyphe::API.new
+      end
       def search
         api.datascan(query)
-      rescue ::Onyphe::Error => _e
-        nil
       end
     end
   end

data/lib/mihari/analyzers/securitytrails.rb CHANGED

@@ -5,7 +5,6 @@ require "securitytrails"
 module Mihari
   module Analyzers
     class SecurityTrails < Base
-      attr_reader :api
       attr_reader :indicator
       attr_reader :type
@@ -16,7 +15,6 @@ module Mihari
       def initialize(indicator, title: nil, description: nil, tags: [])
         super()
-        @api = ::SecurityTrails::API.new
         @indicator = indicator
         @type = TypeChecker.type(indicator)
@@ -31,6 +29,10 @@ module Mihari
       private
+      def api
+        @api ||= ::SecurityTrails::API.new
+      end
       def valid_type?
         %w(ip domain).include? type
       end

data/lib/mihari/analyzers/securitytrails_domain_feed.rb CHANGED

@@ -5,7 +5,6 @@ require "securitytrails"
 module Mihari
   module Analyzers
     class SecurityTrailsDomainFeed < Base
-      attr_reader :api
       attr_reader :type
       attr_reader :title
@@ -15,7 +14,6 @@ module Mihari
       def initialize(regexp, type: "registered", title: nil, description: nil, tags: [])
         super()
-        @api = ::SecurityTrails::API.new
         @_regexp = regexp
         @type = type
@@ -33,6 +31,10 @@ module Mihari
       private
+      def api
+        @api ||= ::SecurityTrails::API.new
+      end
       def valid_type?
         %w(all new registered).include? type
       end

data/lib/mihari/analyzers/shodan.rb CHANGED

@@ -5,7 +5,6 @@ require "shodan"
 module Mihari
   module Analyzers
     class Shodan < Base
-      attr_reader :api
       attr_reader :title
       attr_reader :description
       attr_reader :query
@@ -14,7 +13,6 @@ module Mihari
       def initialize(query, title: nil, description: nil, tags: [])
         super()
-        @api = ::Shodan::API.new
         @query = query
         @title = title || "Shodan lookup"
         @description = description || "query = #{query}"
@@ -33,6 +31,10 @@ module Mihari
       private
+      def api
+        @api ||= ::Shodan::API.new
+      end
       def search
         api.host.search(query)
       rescue ::Shodan::Error => _e

data/lib/mihari/analyzers/urlscan.rb CHANGED

@@ -5,7 +5,6 @@ require "urlscan"
 module Mihari
   module Analyzers
     class Urlscan < Base
-      attr_reader :api
       attr_reader :title
       attr_reader :description
       attr_reader :query
@@ -15,7 +14,6 @@ module Mihari
       def initialize(query, title: nil, description: nil, tags: [], target_type: "url")
         super()
-        @api = ::UrlScan::API.new
         @query = query
         @title = title || "urlscan lookup"
         @description = description || "query = #{query}"
@@ -37,6 +35,10 @@ module Mihari
       private
+      def api
+        @api ||= ::UrlScan::API.new
+      end
       def search
         api.search(query)
       rescue ::UrlScan::ResponseError => _e

data/lib/mihari/analyzers/virustotal.rb CHANGED

@@ -5,7 +5,6 @@ require "virustotal"
 module Mihari
   module Analyzers
     class VirusTotal < Base
-      attr_reader :api
       attr_reader :indicator
       attr_reader :type
@@ -16,7 +15,6 @@ module Mihari
       def initialize(indicator, title: nil, description: nil, tags: [])
         super()
-        @api = ::VirusTotal::API.new
         @indicator = indicator
         @type = TypeChecker.type(indicator)
@@ -31,6 +29,10 @@ module Mihari
       private
+      def api
+        @api = ::VirusTotal::API.new
+      end
       def valid_type?
         %w(ip domain).include? type
       end
@@ -49,22 +51,28 @@ module Mihari
       end
       def domain_lookup
-        report = api.domain.report(indicator)
-        return nil unless report
+        begin
+          res = api.domain.resolutions(indicator)
+        rescue ::VirusTotal::Error => _e
+          return nil
+        end
-        resolutions = report.dig("resolutions") || []
-        resolutions.map do |resolution|
-          resolution.dig("ip_address")
+        data = res.dig("data") || []
+        data.map do |item|
+          item.dig("attributes", "ip_address")
         end.compact.uniq
       end
       def ip_lookup
-        report = api.ip_address.report(indicator)
-        return nil unless report
+        begin
+          res = api.ip_address.resolutions(indicator)
+        rescue ::VirusTotal::Error => _e
+          return nil
+        end
-        resolutions = report.dig("resolutions") || []
-        resolutions.map do |resolution|
-          resolution.dig("hostname")
+        data = res.dig("data") || []
+        data.map do |item|
+          item.dig("attributes", "host_name")
         end.compact.uniq
       end
     end

data/lib/mihari/cli.rb CHANGED

@@ -135,7 +135,7 @@ module Mihari
       def parse_as_json(input)
         JSON.parse input
-      rescue JSON::ParserError => e
+      rescue JSON::ParserError => _e
         nil
       end

data/lib/mihari/emitters/base.rb CHANGED

@@ -12,7 +12,7 @@ module Mihari
         raise NotImplementedError, "You must implement #{self.class}##{__method__}"
       end
-      def emit(title:, description:, artifacts:)
+      def emit(*)
         raise NotImplementedError, "You must implement #{self.class}##{__method__}"
       end
     end

data/lib/mihari/emitters/misp.rb CHANGED

@@ -11,7 +11,7 @@ module Mihari
         api_endpoint? && api_key? && ping?
       end
-      def emit(title:, description:, artifacts:, tags: [])
+      def emit(title:, artifacts:, tags: [], **_options)
         event = ::MISP::Event.new(info: title)
         artifacts.each do |artifact|

data/lib/mihari/status.rb CHANGED

@@ -5,6 +5,7 @@ module Mihari
     def check
       {
         censys: { status: censys?, message: censys },
+        misp: { status: misp?, message: misp },
         onyphe: { status: onyphe?, message: onyphe },
         securitytrails: { status: securitytrails?, message: securitytrails },
         shodan: { status: shodan?, message: shodan },
@@ -84,5 +85,13 @@ module Mihari
     def the_hive
       the_hive? ? "THEHIVE_API_ENDPOINT and THEHIVE_API_KEY are found" : "THEHIVE_API_ENDPOINT and THEHIVE_API_KEY are are missing"
     end
+    def misp?
+      ENV.key?("MISP_API_ENDPOINT") && ENV.key?("MISP_API_KEY")
+    end
+    def misp
+      misp? ? "MISP_API_ENDPOINT and MISP_API_KEY are found" : "MISP_API_ENDPOINT and MISP_API_KEY are are missing"
+    end
   end
 end

data/lib/mihari/version.rb CHANGED

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 module Mihari
-  VERSION = "0.9.0"
+  VERSION = "0.9.1"
 end

data/mihari.gemspec CHANGED

@@ -50,5 +50,5 @@ Gem::Specification.new do |spec|
   spec.add_dependency "slack-notifier", "~> 2.3"
   spec.add_dependency "thor", "~> 0.20"
   spec.add_dependency "urlscan", "~> 0.4"
-  spec.add_dependency "virustotalx", "~> 0.1"
+  spec.add_dependency "virustotalx", "~> 1.0"
 end

data/screenshots/eyecatch.png CHANGED

Binary file

metadata CHANGED

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: mihari
 version: !ruby/object:Gem::Version
-  version: 0.9.0
+  version: 0.9.1
 platform: ruby
 authors:
 - Manabu Niseki
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2019-09-24 00:00:00.000000000 Z
+date: 2019-09-27 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -366,14 +366,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.1'
+        version: '1.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.1'
+        version: '1.0'
 description: A framework for continuous malicious hosts monitoring.
 email:
 - manabu.niseki@gmail.com
@@ -393,7 +393,6 @@ files:
 - bin/setup
 - docker/Dockerfile
 - examples/ipinfo_hosted_domains.rb
-- examples/vt_passive_dns.rb
 - exe/mihari
 - lib/mihari.rb
 - lib/mihari/alert_viewer.rb

data/examples/vt_passive_dns.rb DELETED

@@ -1,46 +0,0 @@
-# frozen_string_literal: true
-$LOAD_PATH.unshift("#{__dir__}/../lib")
-require "mihari"
-require "virustotal_api"
-module Mihari
-  module Analyzers
-    class VTPassiveDNS < Base
-      attr_reader :ip
-      def initialize(ip, api_key: nil)
-        @ip = ip
-        @api_key = api_key
-      end
-      def title
-        "VT passive DNS"
-      end
-      def description
-        "VT passive DNS: #{ip}"
-      end
-      def api_key
-        ENV["VT_API_KEY"] || @api_key
-      end
-      def artifacts
-        ip_report = VirustotalAPI::IPReport.find(ip, api_key)
-        return [] unless ip_report.exists?
-        report = ip_report.report
-        report.dig("resolutions")&.map do |resolution|
-          resolution.dig("hostname")
-        end&.compact
-      end
-    end
-  end
-end
-ip = "TARGET_IP"
-analyzer = Mihari::Analyzers::VTPassiveDNS.new(ip)
-analyzer.run