mihari 1.1.1 → 1.2.0

Sign up to get free protection for your applications and to get access to all the features.
Files changed (10) hide show
  1. checksums.yaml +4 -4
  2. data/README.md +4 -1
  3. data/lib/mihari.rb +1 -0
  4. data/lib/mihari/analyzers/otx.rb +74 -0
  5. data/lib/mihari/analyzers/passive_dns.rb +2 -1
  6. data/lib/mihari/cli.rb +10 -0
  7. data/lib/mihari/config.rb +2 -0
  8. data/lib/mihari/version.rb +1 -1
  9. data/mihari.gemspec +1 -0
  10. metadata +17 -2
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 5c43df888d661331830b74ecbf097f2bf7f0450850fca0ad8bfe86d58fe5d32f
4
- data.tar.gz: 123d3a13867550f57557472e63819b1bc8a70fd80bb0ef3fa0543d9414fc84a8
3
+ metadata.gz: 901c334bf0485bbb82a422a1900347e77e476143afaef3036c177ceadbb7e6c6
4
+ data.tar.gz: 3fd3663d4d05518b46f9d1a53d9d742b150a84ffba93aaf4d9ebdcbd93505342
5
5
  SHA512:
6
- metadata.gz: 96693d5a7ca81b7a1f6834ffedb7ad9897dba6fe510dc632c204a2497595ae67c6bf7c70895bccc5738d6d83369cafc7f309962e6e29a941a2ccb5f5fc84b68a
7
- data.tar.gz: 9b4d2ccb878b2aec9b82ac158b5da5bea76653b443c3d53c5d4146a4e3900f400680d690cb0ab6becb526f827d1cb482d663719625f10ee6011e598411c29b67
6
+ metadata.gz: b97df59e99c969940ffe54a1ecf1e655f582ed4f2372c4e08feb3572fd7f38e767303911a4ec36151325da78415738a0f952f35dfbd010bd9dc6a1832635c78a
7
+ data.tar.gz: b092fdfa627a2ab2d2e4a71c4e070e1788fa496b3be6f64e038b332632adbdd4d70c2cae239e14814a31f03def374eb215f3cc580695af38d9562e1b2e1da4e1
data/README.md CHANGED
@@ -67,6 +67,7 @@ Mihari supports the following services by default.
67
67
  - [DN Pedia](https://dnpedia.com/)
68
68
  - [dnstwister](https://dnstwister.report/)
69
69
  - [Onyphe](https://onyphe.io)
70
+ - [OTX](https://otx.alienvault.com/)
70
71
  - [PassiveTotal](https://community.riskiq.com/)
71
72
  - [SecurityTrails](https://securitytrails.com/)
72
73
  - [Shodan](https://shodan.io)
@@ -89,6 +90,7 @@ Commands:
89
90
  mihari http_hash # Cross search with search engines by a hash of an HTTP response (SHA256, MD5 and MurmurHash3)
90
91
  mihari import_from_json # Give a JSON input via STDIN
91
92
  mihari onyphe [QUERY] # Onyphe datascan search by a query
93
+ mihari otx [IP|DOMAIN] # OTX lookup by an IP or domain
92
94
  mihari passive_dns [IP|DOMAIN] # Cross search with passive DNS services by an ip or domain
93
95
  mihari passive_ssl [SHA1] # Cross search with passive SSL services by an SHA1 certificate fingerprint
94
96
  mihari passivetotal [IP|DOMAIN|EMAIL|SHA1] # PassiveTotal lookup by an ip, domain, email or SHA1 certificate fingerprint
@@ -116,7 +118,7 @@ You can get aggregated results by using the following commands.
116
118
 
117
119
  | Command | Desc. |
118
120
  |-----------------|---------------------------------------------------------------------------------------------------------|
119
- | passive_dns | Passive DNS lookup with CIRCL passive DNS, PassiveTotal, Pulsedive, SecurityTrails and VirusTotal |
121
+ | passive_dns | Passive DNS lookup with CIRCL passive DNS, OTX, PassiveTotal, Pulsedive, SecurityTrails and VirusTotal |
120
122
  | passive_ssl | Passive SSL lookup with CIRCL passive SSL and PassiveTotal |
121
123
  | reverse_whois | Revese Whois lookup with PassiveTotal and SecurityTrails |
122
124
  | http_hash | HTTP response hash lookup with BinaryEdge(SHA256), Censys(SHA256), Onyphpe(MD5) and Shodan(MurmurHash3) |
@@ -211,6 +213,7 @@ Configuration can be done via environment variables or a YAML file.
211
213
  | MISP_API_ENDPOINT | MISP URL | |
212
214
  | MISP_API_KEY | MISP API key | |
213
215
  | ONYPHE_API_KEY | Onyphe API key | |
216
+ | OTX_API_KEY | OTX API key | |
214
217
  | PASSIVETOTAL_API_KEY | PassiveTotal API key | |
215
218
  | PASSIVETOTAL_USERNAME | PassiveTotal username | |
216
219
  | PULSEDIVE_API_KEY | Pulsedive API key | |
data/lib/mihari.rb CHANGED
@@ -50,6 +50,7 @@ require "mihari/analyzers/crtsh"
50
50
  require "mihari/analyzers/dnpedia"
51
51
  require "mihari/analyzers/dnstwister"
52
52
  require "mihari/analyzers/onyphe"
53
+ require "mihari/analyzers/otx"
53
54
  require "mihari/analyzers/passivetotal"
54
55
  require "mihari/analyzers/pulsedive"
55
56
  require "mihari/analyzers/securitytrails_domain_feed"
data/lib/mihari/analyzers/otx.rb ADDED
@@ -0,0 +1,74 @@
1
+ # frozen_string_literal: true
2
+
3
+ require "otx_ruby"
4
+
5
+ module Mihari
6
+ module Analyzers
7
+ class OTX < Base
8
+ attr_reader :query
9
+ attr_reader :type
10
+
11
+ attr_reader :title
12
+ attr_reader :description
13
+ attr_reader :tags
14
+
15
+ def initialize(query, title: nil, description: nil, tags: [])
16
+ super()
17
+
18
+ @query = query
19
+ @type = TypeChecker.type(query)
20
+
21
+ @title = title || "OTX lookup"
22
+ @description = description || "query = #{query}"
23
+ @tags = tags
24
+ end
25
+
26
+ def artifacts
27
+ lookup || []
28
+ end
29
+
30
+ private
31
+
32
+ def config_keys
33
+ %w(otx_api_key)
34
+ end
35
+
36
+ def domain_client
37
+ @domain_client ||= ::OTX::Domain.new(Mihari.config.otx_api_key)
38
+ end
39
+
40
+ def ip_client
41
+ @ip_client ||= ::OTX::IP.new(Mihari.config.otx_api_key)
42
+ end
43
+
44
+ def valid_type?
45
+ %w(ip domain).include? type
46
+ end
47
+
48
+ def lookup
49
+ case type
50
+ when "domain"
51
+ domain_lookup
52
+ when "ip"
53
+ ip_lookup
54
+ else
55
+ raise InvalidInputError, "#{query}(type: #{type || 'unknown'}) is not supported." unless valid_type?
56
+ end
57
+ end
58
+
59
+ def domain_lookup
60
+ records = domain_client.get_passive_dns(query)
61
+ records.map do |record|
62
+ record.address if record.record_type == "A"
63
+ end.compact.uniq
64
+ end
65
+
66
+ def ip_lookup
67
+ records = ip_client.get_passive_dns(query)
68
+ records.map do |record|
69
+ record.hostname if record.record_type == "A"
70
+ end.compact.uniq
71
+ end
72
+ end
73
+ end
74
+ end
data/lib/mihari/analyzers/passive_dns.rb CHANGED
@@ -14,6 +14,7 @@ module Mihari
14
14
 
15
15
  ANALYZERS = [
16
16
  Mihari::Analyzers::CIRCL,
17
+ Mihari::Analyzers::OTX,
17
18
  Mihari::Analyzers::PassiveTotal,
18
19
  Mihari::Analyzers::Pulsedive,
19
20
  Mihari::Analyzers::SecurityTrails,
@@ -55,7 +56,7 @@ module Mihari
55
56
  analyzer.artifacts
56
57
  rescue ArgumentError, InvalidInputError => _e
57
58
  nil
58
- rescue ::PassiveCIRCL::Error, ::PassiveTotal::Error, ::Pulsedive::ResponseError, ::SecurityTrails::Error, ::VirusTotal::Error => _e
59
+ rescue Faraday::Error, ::PassiveCIRCL::Error, ::PassiveTotal::Error, ::Pulsedive::ResponseError, ::SecurityTrails::Error, ::VirusTotal::Error => _e
59
60
  nil
60
61
  end
61
62
  end
data/lib/mihari/cli.rb CHANGED
@@ -164,6 +164,16 @@ module Mihari
164
164
  end
165
165
  end
166
166
 
167
+ desc "otx [IP|DOMAIN]", "OTX lookup by an IP or domain"
168
+ method_option :title, type: :string, desc: "title"
169
+ method_option :description, type: :string, desc: "description"
170
+ method_option :tags, type: :array, desc: "tags"
171
+ def otx(domain)
172
+ with_error_handling do
173
+ run_analyzer Analyzers::OTX, query: refang(domain), options: options
174
+ end
175
+ end
176
+
167
177
  desc "passive_dns [IP|DOMAIN]", "Cross search with passive DNS services by an ip or domain"
168
178
  method_option :title, type: :string, desc: "title"
169
179
  method_option :description, type: :string, desc: "description"
data/lib/mihari/config.rb CHANGED
@@ -12,6 +12,7 @@ module Mihari
12
12
  attr_accessor :misp_api_endpoint
13
13
  attr_accessor :misp_api_key
14
14
  attr_accessor :onyphe_api_key
15
+ attr_accessor :otx_api_key
15
16
  attr_accessor :passivetotal_api_key
16
17
  attr_accessor :passivetotal_username
17
18
  attr_accessor :pulsedive_api_key
@@ -40,6 +41,7 @@ module Mihari
40
41
  @misp_api_endpoint = ENV["MISP_API_ENDPOINT"]
41
42
  @misp_api_key = ENV["MISP_API_KEY"]
42
43
  @onyphe_api_key = ENV["ONYPHE_API_KEY"]
44
+ @otx_api_key = ENV["OTX_API_KEY"]
43
45
  @passivetotal_api_key = ENV["PASSIVETOTAL_API_KEY"]
44
46
  @passivetotal_username = ENV["PASSIVETOTAL_USERNAME"]
45
47
  @pulsedive_api_key = ENV["PULSEDIVE_API_KEY"]
data/lib/mihari/version.rb CHANGED
@@ -1,5 +1,5 @@
1
1
  # frozen_string_literal: true
2
2
 
3
3
  module Mihari
4
- VERSION = "1.1.1"
4
+ VERSION = "1.2.0"
5
5
  end
data/mihari.gemspec CHANGED
@@ -52,6 +52,7 @@ Gem::Specification.new do |spec|
52
52
  spec.add_dependency "murmurhash3", "~> 0.1"
53
53
  spec.add_dependency "net-ping", "~> 2.0"
54
54
  spec.add_dependency "onyphe", "~> 2.0"
55
+ spec.add_dependency "otx_ruby", "~> 0.9"
55
56
  spec.add_dependency "parallel", "~> 1.19"
56
57
  spec.add_dependency "passive_circl", "~> 0.1"
57
58
  spec.add_dependency "passivetotalx", "~> 0.1"
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: mihari
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.1.1
4
+ version: 1.2.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Manabu Niseki
8
8
  autorequire:
9
9
  bindir: exe
10
10
  cert_chain: []
11
- date: 2020-07-19 00:00:00.000000000 Z
11
+ date: 2020-08-01 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: bundler
@@ -388,6 +388,20 @@ dependencies:
388
388
  - - "~>"
389
389
  - !ruby/object:Gem::Version
390
390
  version: '2.0'
391
+ - !ruby/object:Gem::Dependency
392
+ name: otx_ruby
393
+ requirement: !ruby/object:Gem::Requirement
394
+ requirements:
395
+ - - "~>"
396
+ - !ruby/object:Gem::Version
397
+ version: '0.9'
398
+ type: :runtime
399
+ prerelease: false
400
+ version_requirements: !ruby/object:Gem::Requirement
401
+ requirements:
402
+ - - "~>"
403
+ - !ruby/object:Gem::Version
404
+ version: '0.9'
391
405
  - !ruby/object:Gem::Dependency
392
406
  name: parallel
393
407
  requirement: !ruby/object:Gem::Requirement
@@ -619,6 +633,7 @@ files:
619
633
  - lib/mihari/analyzers/free_text.rb
620
634
  - lib/mihari/analyzers/http_hash.rb
621
635
  - lib/mihari/analyzers/onyphe.rb
636
+ - lib/mihari/analyzers/otx.rb
622
637
  - lib/mihari/analyzers/passive_dns.rb
623
638
  - lib/mihari/analyzers/passive_ssl.rb
624
639
  - lib/mihari/analyzers/passivetotal.rb