mihari 3.7.2 → 3.8.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e4ce5b3ce24278b8141bf2078dce45d572846a4838a0dc00c34e695201c36d77
-  data.tar.gz: '0992223bccd1d9732e0cc9cb6063f822efef8f0db34a27a45ad829efc930a60f'
+  metadata.gz: aac91d43689cb53dc0570bfed3cec57a07cbe88de0716530f2ea8bfac8f8d39d
+  data.tar.gz: 0f59bdc53cfa75e56884dd3497fa0492d3a41a3b7540cbdab1345ec5b301c69c
 SHA512:
-  metadata.gz: 26aa441c9e982df2a84e5d3f8cc5bc261b49b9dae618fc73384a116927481125b4a87dac8317a6fb319caf5523398020ebcf8973eee6229d128a377f1054c4db
-  data.tar.gz: bfee6864b187018a6a9f9b5f4c68cfdea496b36ebad0b796425642ed9b80b2f7c70c4d74ef16964838e16b2985acddb11d4b0c0a6c4cca73dfb93d7a1ff83875
+  metadata.gz: 30aef30fb14c7c1a50e75162141d1266b1ec5b847f6329935a221a90f59d37a2bed97c6a8aa4371962ab85b18c5ff23cf0417f08f9dc3320c737721ac1a07602
+  data.tar.gz: 1029878ec85cbdbe0a2c800b6b68cce99d45510818dde6b1d84a826022379cbe21fc57f490e3a77521136dbc22e8112b804d891892ea0a351e0d1db935b28b4b

data/README.md

@@ -46,7 +46,7 @@ Mihari supports the following services by default.
 - [Shodan](https://shodan.io)
 - [Spyse](https://spyse.com)
 - [urlscan.io](https://urlscan.io)
-- [VirusTotal](http://virustotal.com)
+- [VirusTotal](http://virustotal.com) & [VirusTotal Intelligence](https://www.virustotal.com/gui/intelligence-overview)
 - [ZoomEye](https://zoomeye.org)
 
 ## Docs

data/lib/mihari/analyzers/rule.rb

@@ -42,6 +42,7 @@ module Mihari
         "spyse" => Spyse,
         "urlscan" => Urlscan,
         "virustotal" => VirusTotal,
+        "virustotal_intelligence" => VirusTotalIntelligence,
         "zoomeye" => ZoomEye
       }.freeze
 

data/lib/mihari/analyzers/virustotal_intelligence.rb

@@ -0,0 +1,63 @@
+# frozen_string_literal: true
+
+require "virustotal"
+
+module Mihari
+  module Analyzers
+    class VirusTotalIntelligence < Base
+      param :query
+      option :title, default: proc { "VirusTotal Intelligence search" }
+      option :description, default: proc { "query = #{query}" }
+      option :tags, default: proc { [] }
+
+      def initialize(*args, **kwargs)
+        super
+
+        @query = query
+      end
+
+      def artifacts
+        responses = search_witgh_cursor
+        responses.map do |response|
+          response.data.map(&:value)
+        end.flatten.compact.uniq
+      end
+
+      private
+
+      def configuration_keys
+        %w[virustotal_api_key]
+      end
+
+      #
+      # VT API
+      #
+      # @return [::VirusTotal::API]
+      #
+      def api
+        @api = ::VirusTotal::API.new(key: Mihari.config.virustotal_api_key)
+      end
+
+      #
+      # Search with cursor
+      #
+      # @return [Array<Structs::VirusTotalIntelligence::Response>]
+      #
+      def search_witgh_cursor
+        cursor = nil
+        responses = []
+
+        loop do
+          response = Structs::VirusTotalIntelligence::Response.from_dynamic!(api.intelligence.search(query, cursor: cursor))
+          responses << response
+
+          break if response.meta.cursor.nil?
+
+          cursor = response.meta.cursor
+        end
+
+        responses
+      end
+    end
+  end
+end

data/lib/mihari/cli/analyzer.rb

@@ -14,6 +14,7 @@ require "mihari/commands/securitytrails"
 require "mihari/commands/shodan"
 require "mihari/commands/spyse"
 require "mihari/commands/urlscan"
+require "mihari/commands/virustotal_intelligence"
 require "mihari/commands/virustotal"
 require "mihari/commands/zoomeye"
 
@@ -42,6 +43,7 @@ module Mihari
       include Mihari::Commands::Spyse
       include Mihari::Commands::Urlscan
       include Mihari::Commands::VirusTotal
+      include Mihari::Commands::VirusTotalIntelligence
       include Mihari::Commands::ZoomEye
     end
   end

data/lib/mihari/commands/passivetotal.rb

@@ -14,6 +14,7 @@ module Mihari
               run_analyzer Analyzers::PassiveTotal, query: indicator, options: options
             end
           end
+          map "pt" => :passivetotal
         end
       end
     end

data/lib/mihari/commands/virustotal.rb

@@ -14,6 +14,7 @@ module Mihari
               run_analyzer Analyzers::VirusTotal, query: indiactor, options: options
             end
           end
+          map "vt" => :virustotal
         end
       end
     end

data/lib/mihari/commands/virustotal_intelligence.rb

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+module Mihari
+  module Commands
+    module VirusTotalIntelligence
+      def self.included(thor)
+        thor.class_eval do
+          desc "virustotal_intelligence [QUERY]", "VirusTotal Intelligence search"
+          method_option :title, type: :string, desc: "title"
+          method_option :description, type: :string, desc: "description"
+          method_option :tags, type: :array, desc: "tags"
+          def virustotal_intelligence(query)
+            with_error_handling do
+              run_analyzer Analyzers::VirusTotalIntelligence, query: query, options: options
+            end
+          end
+          map "vt_intel" => :virustotal_intelligence
+        end
+      end
+    end
+  end
+end

data/lib/mihari/structs/virustotal_intelligence.rb

@@ -0,0 +1,75 @@
+require "json"
+require "dry/struct"
+
+module Mihari
+  module Structs
+    module VirusTotalIntelligence
+      class ContextAttributes < Dry::Struct
+        attribute :url, Types.Array(Types::String).optional
+
+        def self.from_dynamic!(d)
+          d = Types::Hash[d]
+          new(
+            url: d["url"]
+          )
+        end
+      end
+
+      class Datum < Dry::Struct
+        attribute :type, Types::String
+        attribute :id, Types::String
+        attribute :context_attributes, ContextAttributes.optional
+
+        def value
+          case type
+          when "file"
+            id
+          when "url"
+            (context_attributes.url || []).first
+          when "domain"
+            id
+          when "ip_address"
+            id
+          end
+        end
+
+        def self.from_dynamic!(d)
+          d = Types::Hash[d]
+
+          context_attributes = nil
+          context_attributes = ContextAttributes.from_dynamic!(d.fetch("context_attributes")) if d.key?("context_attributes")
+
+          new(
+            type: d.fetch("type"),
+            id: d.fetch("id"),
+            context_attributes: context_attributes
+          )
+        end
+      end
+
+      class Meta < Dry::Struct
+        attribute :cursor, Types::String.optional
+
+        def self.from_dynamic!(d)
+          d = Types::Hash[d]
+          new(
+            cursor: d["cursor"]
+          )
+        end
+      end
+
+      class Response < Dry::Struct
+        attribute :meta, Meta
+        attribute :data, Types.Array(Datum)
+
+        def self.from_dynamic!(d)
+          d = Types::Hash[d]
+          new(
+            meta: Meta.from_dynamic!(d.fetch("meta")),
+            data: d.fetch("data").map { |x| Datum.from_dynamic!(x) }
+          )
+        end
+      end
+    end
+  end
+end

data/lib/mihari/types.rb

@@ -13,9 +13,19 @@ module Mihari
     DataTypes = Types::String.enum(*ALLOWED_DATA_TYPES)
 
     AnalyzerTypes = Types::String.enum(
-      "binaryedge", "censys", "circl", "dnpedia", "dnstwister",
-      "onyphe", "otx", "passivetotal", "pulsedive", "securitytrails",
-      "shodan", "virustotal"
+      "binaryedge",
+      "censys",
+      "circl",
+      "dnpedia",
+      "dnstwister",
+      "onyphe",
+      "otx",
+      "passivetotal",
+      "pulsedive",
+      "securitytrails",
+      "shodan",
+      "virustotal_intelligence",
+      "virustotal"
     )
   end
 end

data/lib/mihari/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Mihari
-  VERSION = "3.7.2"
+  VERSION = "3.8.0"
 end

data/lib/mihari.rb

@@ -112,6 +112,7 @@ require "mihari/structs/censys"
 require "mihari/structs/ipinfo"
 require "mihari/structs/onyphe"
 require "mihari/structs/shodan"
+require "mihari/structs/virustotal_intelligence"
 
 # Schemas
 require "mihari/schemas/analyzer"
@@ -163,9 +164,9 @@ require "mihari/analyzers/securitytrails"
 require "mihari/analyzers/shodan"
 require "mihari/analyzers/spyse"
 require "mihari/analyzers/urlscan"
+require "mihari/analyzers/virustotal_intelligence"
 require "mihari/analyzers/virustotal"
 require "mihari/analyzers/zoomeye"
-
 require "mihari/analyzers/rule"
 
 # Notifiers

data/mihari.gemspec

@@ -92,7 +92,7 @@ Gem::Specification.new do |spec|
   spec.add_dependency "thread_safe", "~> 0.3"
   spec.add_dependency "urlscan", "~> 0.7"
   spec.add_dependency "uuidtools", "~> 2.2"
-  spec.add_dependency "virustotalx", "~> 1.1"
+  spec.add_dependency "virustotalx", "~> 1.2"
   spec.add_dependency "whois", "~> 5.0"
   spec.add_dependency "whois-parser", "~> 1.2"
   spec.add_dependency "zoomeye-rb", "~> 0.2"

data/sig/lib/mihari/analyzers/virustotal_intelligence.rbs

@@ -0,0 +1,32 @@
+module Mihari
+  module Analyzers
+    class VirusTotalIntelligence < Base
+      attr_reader query: String
+      attr_reader title: String
+      attr_reader description: String
+      attr_reader tags: Array[String]
+
+      def initialize: (*untyped args, **untyped kwargs) -> void
+
+      def artifacts: () -> (Array[String] | Array[Mihari::Artifact])
+
+      private
+
+      def configuration_keys: () -> ::Array["virustotal_api_key"]
+
+      #
+      # VT API
+      #
+      # @return [::VirusTotal::API]
+      #
+      def api: () -> untyped
+
+      #
+      # Search with cursor
+      #
+      # @return [Array<Mihari::Structs::VirusTotalIntelligence::Response>]
+      #
+      def search_witgh_cursor: () -> Array[Mihari::Structs::VirusTotalIntelligence::Response]
+    end
+  end
+end

data/sig/lib/mihari/structs/virustotal_intelligence.rbs

@@ -0,0 +1,33 @@
+module Mihari
+  module Structs
+    module VirusTotalIntelligence
+      class ContextAttributes
+        attr_reader url: Array[String]?
+
+        def self.from_dynamic!: (Hash[(String | Symbol), untyped] d) -> Mihari::Structs::VirusTotalIntelligence::ContextAttributes
+      end
+
+      class Datum
+        attr_reader type: String
+        attr_reader context_attributes: Mihari::Structs::VirusTotalIntelligence::ContextAttributes?
+
+        def value: () -> String?
+
+        def self.from_dynamic!: (Hash[(String | Symbol), untyped] d) -> Mihari::Structs::VirusTotalIntelligence::Datum
+      end
+
+      class Meta
+        attr_reader cursor: String?
+
+        def self.from_dynamic!: (Hash[(String | Symbol), untyped] d) -> Mihari::Structs::VirusTotalIntelligence::Meta
+      end
+
+      class Response
+        attr_reader meta: Mihari::Structs::VirusTotalIntelligence::Meta
+        attr_reader data: Array[Mihari::Structs::VirusTotalIntelligence::Datum]
+
+        def self.from_dynamic!: (Hash[(String | Symbol), untyped] d) -> Mihari::Structs::VirusTotalIntelligence::Response
+      end
+    end
+  end
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: mihari
 version: !ruby/object:Gem::Version
-  version: 3.7.2
+  version: 3.8.0
 platform: ruby
 authors:
 - Manabu Niseki
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2021-09-16 00:00:00.000000000 Z
+date: 2021-09-18 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -940,14 +940,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.1'
+        version: '1.2'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.1'
+        version: '1.2'
 - !ruby/object:Gem::Dependency
   name: whois
   requirement: !ruby/object:Gem::Requirement
@@ -1046,6 +1046,7 @@ files:
 - lib/mihari/analyzers/spyse.rb
 - lib/mihari/analyzers/urlscan.rb
 - lib/mihari/analyzers/virustotal.rb
+- lib/mihari/analyzers/virustotal_intelligence.rb
 - lib/mihari/analyzers/zoomeye.rb
 - lib/mihari/cli/analyzer.rb
 - lib/mihari/cli/base.rb
@@ -1072,6 +1073,7 @@ files:
 - lib/mihari/commands/urlscan.rb
 - lib/mihari/commands/validator.rb
 - lib/mihari/commands/virustotal.rb
+- lib/mihari/commands/virustotal_intelligence.rb
 - lib/mihari/commands/web.rb
 - lib/mihari/commands/zoomeye.rb
 - lib/mihari/constants.rb
@@ -1123,6 +1125,7 @@ files:
 - lib/mihari/structs/ipinfo.rb
 - lib/mihari/structs/onyphe.rb
 - lib/mihari/structs/shodan.rb
+- lib/mihari/structs/virustotal_intelligence.rb
 - lib/mihari/templates/rule.yml.erb
 - lib/mihari/type_checker.rb
 - lib/mihari/types.rb
@@ -1204,6 +1207,7 @@ files:
 - sig/lib/mihari/analyzers/spyse.rbs
 - sig/lib/mihari/analyzers/urlscan.rbs
 - sig/lib/mihari/analyzers/virustotal.rbs
+- sig/lib/mihari/analyzers/virustotal_intelligence.rbs
 - sig/lib/mihari/analyzers/zoomeye.rbs
 - sig/lib/mihari/cli/analyzer.rbs
 - sig/lib/mihari/cli/base.rbs
@@ -1269,6 +1273,7 @@ files:
 - sig/lib/mihari/structs/ipinfo.rbs
 - sig/lib/mihari/structs/onyphe.rbs
 - sig/lib/mihari/structs/shodan.rbs
+- sig/lib/mihari/structs/virustotal_intelligence.rbs
 - sig/lib/mihari/type_checker.rbs
 - sig/lib/mihari/types.rbs
 - sig/lib/mihari/version.rbs