mihari 4.4.1 → 4.5.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 15a224f944350480b79957d50a30742b9c4a0597c6dc8765e80269104175cab5
-  data.tar.gz: d873df7d4c4d30f39f62674a34bd1a28a4737d2183f92acc0f4243de2dd9eacf
+  metadata.gz: dfd4bafdc33911546dce3477184426c581b9e3a40a762f32d1944870589ffcc9
+  data.tar.gz: 8765422118bcc6fe914439b416e6362551c9de0492397ce90c2c5bf7487d982a
 SHA512:
-  metadata.gz: 9f538f70afd329f84c3962c8ec6c7693d8656fc105dcf0f9f30145ec5e74337c9414fdd5804255a7105105a14246e223bc5d8660980af2407db1c0595b4b40aa
-  data.tar.gz: ce2bec572a183d29c184b188f9314f714446a67c7599ba4855de566120351b2041c6b9f5a98b7b972aa4aa960a6ea233ac7c6509b1fdbbb081a5a08e22ab51c2
+  metadata.gz: a0788f87ab0ef4838243e25ca71496408187add826900d0428af6f4a8e7f81093e81944d809425b2c716c778c35b725f757b656cec046adc2294b4a07d764b4f
+  data.tar.gz: 3c0c001e91aaec0090daeb117a7595a84172a355d527af0dab7f81dfee557b271697a0fbcf75c8a44d5e33b6fb1ff1f8b82e0c057dff91e85b4fb4a0a30d69ca

data/lib/mihari/commands/web.rb

@@ -8,7 +8,7 @@ module Mihari
           desc "web", "Launch the web app"
           method_option :port, type: :numeric, default: 9292, desc: "Hostname to listen on"
           method_option :host, type: :string, default: "localhost", desc: "Port to listen on"
-          method_option :threads, type: :string, default: "0:16", desc: "min:max threads to use"
+          method_option :threads, type: :string, default: "1:1", desc: "min:max threads to use"
           method_option :verbose, type: :boolean, default: true, desc: "Report each request"
           def web
             port = options["port"]

data/lib/mihari/database.rb

@@ -1,5 +1,10 @@
 # frozen_string_literal: true
 
+# Make possible to use upper case acronyms in class names
+ActiveSupport::Inflector.inflections(:en) do |inflect|
+  inflect.acronym "CPE"
+end
+
 def env
   ENV["APP_ENV"] || ENV["RACK_ENV"]
 end
@@ -118,6 +123,20 @@ class AddYAMLToRulesSchema < ActiveRecord::Migration[7.0]
   end
 end
 
+class EnrichmentsV45Schema < ActiveRecord::Migration[7.0]
+  def change
+    create_table :cpes, if_not_exists: true do |t|
+      t.string :cpe, null: false
+      t.belongs_to :artifact, foreign_key: true
+    end
+
+    create_table :ports, if_not_exists: true do |t|
+      t.integer :port, null: false
+      t.belongs_to :artifact, foreign_key: true
+    end
+  end
+end
+
 def adapter
   return "postgresql" if Mihari.config.database.start_with?("postgresql://", "postgres://")
   return "mysql2" if Mihari.config.database.start_with?("mysql2://")
@@ -147,7 +166,9 @@ module Mihari
           RuleSchema,
           AddeMetadataToArtifactSchema,
           # v4.4
-          AddYAMLToRulesSchema
+          AddYAMLToRulesSchema,
+          # v4.5
+          EnrichmentsV45Schema
         ].each { |schema| schema.migrate direction }
       end
       memoize :migrate unless test_env?

data/lib/mihari/enrichers/shodan.rb

@@ -0,0 +1,36 @@
+# frozen_string_literal: true
+
+require "net/https"
+
+module Mihari
+  module Enrichers
+    class Shodan < Base
+      # @return [Boolean]
+      def valid?
+        true
+      end
+
+      class << self
+        include Memist::Memoizable
+
+        #
+        # Query Shodan Internet DB
+        #
+        # @param [String] ip
+        #
+        # @return [Mihari::Structs::Shodan::InternetDBResponse, nil]
+        #
+        def query(ip)
+          url = "https://internetdb.shodan.io/#{ip}"
+          res = HTTP.get(url)
+          data = JSON.parse(res.body.to_s)
+
+          Structs::Shodan::InternetDBResponse.from_dynamic! data
+        rescue HttpError
+          nil
+        end
+        memoize :query
+      end
+    end
+  end
+end

data/lib/mihari/entities/artifact.rb

@@ -21,6 +21,12 @@ module Mihari
       expose :dns_records, using: Entities::DnsRecord, documentation: { type: Entities::DnsRecord, is_array: true, required: false }, as: :dnsRecords do |status, _options|
         status.dns_records.empty? ? nil : status.dns_records
       end
+      expose :ceps, using: Entities::CPE, documentation: { type: Entities::CPE, is_array: true, required: false }, as: :cpes do |status, _options|
+        status.cpes.empty? ? nil : status.cpes
+      end
+      expose :ports, using: Entities::Port, documentation: { type: Entities::Port, is_array: true, required: false }, as: :ports do |status, _options|
+        status.ports.empty? ? nil : status.ports
+      end
     end
   end
 end

data/lib/mihari/entities/cpe.rb

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+module Mihari
+  module Entities
+    class CPE < Grape::Entity
+      expose :cpe, documentation: { type: String, required: true }
+    end
+  end
+end

data/lib/mihari/entities/port.rb

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+module Mihari
+  module Entities
+    class Port < Grape::Entity
+      expose :port, documentation: { type: Integer, required: true }
+    end
+  end
+end

data/lib/mihari/models/alert.rb

@@ -35,7 +35,9 @@ module Mihari
               :geolocation,
               :whois_record,
               :dns_records,
-              :reverse_dns_names
+              :reverse_dns_names,
+              :cpes,
+              :ports
             ]
           },
           :tags

data/lib/mihari/models/artifact.rb

@@ -16,7 +16,9 @@ module Mihari
     has_one :geolocation, dependent: :destroy
     has_one :whois_record, dependent: :destroy
 
+    has_many :cpes, dependent: :destroy
     has_many :dns_records, dependent: :destroy
+    has_many :ports, dependent: :destroy
     has_many :reverse_dns_names, dependent: :destroy
 
     include ActiveModel::Validations
@@ -94,7 +96,7 @@ module Mihari
     end
 
     #
-    # Enrich(add) geolocation
+    # Enrich AS
     #
     def enrich_autonomous_system
       return unless can_enrich_autonomous_system?
@@ -102,6 +104,24 @@ module Mihari
       self.autonomous_system = AutonomousSystem.build_by_ip(data)
     end
 
+    #
+    # Enrich ports
+    #
+    def enrich_ports
+      return unless can_enrich_ports?
+
+      self.ports = Port.build_by_ip(data)
+    end
+
+    #
+    # Enrich CPEs
+    #
+    def enrich_cpes
+      return unless can_enrich_cpes?
+
+      self.cpes = CPE.build_by_ip(data)
+    end
+
     #
     # Enrich all the enrichable relationships of the artifact
     #
@@ -111,6 +131,8 @@ module Mihari
       enrich_geolocation
       enrich_reverse_dns
       enrich_whois
+      enrich_ports
+      enrich_cpes
     end
 
     private
@@ -140,5 +162,13 @@ module Mihari
     def can_enrich_autonomous_system?
       data_type == "ip" && autonomous_system.nil?
     end
+
+    def can_enrich_ports?
+      data_type == "ip" && ports.empty?
+    end
+
+    def can_enrich_cpes?
+      data_type == "ip" && cpes.empty?
+    end
   end
 end

data/lib/mihari/models/cpe.rb

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+module Mihari
+  class CPE < ActiveRecord::Base
+    belongs_to :artifact
+
+    class << self
+      #
+      # Build CPEs
+      #
+      # @param [String] ip
+      #
+      # @return [Array<Mihari::CPE>]
+      #
+      def build_by_ip(ip)
+        res = Enrichers::Shodan.query(ip)
+        return if res.nil?
+
+        res.cpes.map { |cpe| new(cpe: cpe) }
+      end
+    end
+  end
+end

data/lib/mihari/models/port.rb

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+module Mihari
+  class Port < ActiveRecord::Base
+    belongs_to :artifact
+
+    class << self
+      #
+      # Build ports
+      #
+      # @param [String] ip
+      #
+      # @return [Array<Mihari::Port>]
+      #
+      def build_by_ip(ip)
+        res = Enrichers::Shodan.query(ip)
+        return if res.nil?
+
+        res.ports.map { |port| new(port: port) }
+      end
+    end
+  end
+end

data/lib/mihari/models/reverse_dns.rb

@@ -13,10 +13,10 @@ module Mihari
       # @return [Array<Mihari::ReverseDnsName>]
       #
       def build_by_ip(ip)
-        names = Resolv.getnames(ip)
-        names.map { |name| new(name: name) }
-      rescue Resolv::ResolvError
-        []
+        res = Enrichers::Shodan.query(ip)
+        return if res.nil?
+
+        res.hostnames.map { |name| new(name: name) }
       end
     end
   end

data/lib/mihari/structs/shodan.rb

@@ -57,6 +57,31 @@ module Mihari
           )
         end
       end
+
+      class InternetDBResponse < Dry::Struct
+        attribute :ip, Types::String
+        attribute :ports, Types.Array(Types::Int)
+        attribute :cpes, Types.Array(Types::String)
+        attribute :hostnames, Types.Array(Types::String)
+        attribute :tags, Types.Array(Types::String)
+        attribute :vulns, Types.Array(Types::String)
+
+        def self.from_dynamic!(d)
+          d = Types::Hash[d]
+          new(
+            ip: d.fetch("ip"),
+            ports: d.fetch("ports"),
+            cpes: d.fetch("cpes"),
+            hostnames: d.fetch("hostnames"),
+            tags: d.fetch("tags"),
+            vulns: d.fetch("vulns")
+          )
+        end
+
+        def self.from_json!(json)
+          from_dynamic!(JSON.parse(json))
+        end
+      end
     end
   end
 end

data/lib/mihari/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Mihari
-  VERSION = "4.4.1"
+  VERSION = "4.5.0"
 end

data/lib/mihari/web/api.rb

@@ -3,7 +3,6 @@
 # Endpoints
 require "mihari/web/endpoints/alerts"
 require "mihari/web/endpoints/artifacts"
-require "mihari/web/endpoints/command"
 require "mihari/web/endpoints/configs"
 require "mihari/web/endpoints/ip_addresses"
 require "mihari/web/endpoints/rules"
@@ -17,7 +16,6 @@ module Mihari
 
     mount Endpoints::Alerts
     mount Endpoints::Artifacts
-    mount Endpoints::Command
     mount Endpoints::Configs
     mount Endpoints::IPAddresses
     mount Endpoints::Rules

data/lib/mihari/web/endpoints/artifacts.rb

@@ -54,7 +54,9 @@ module Mihari
               :geolocation,
               :whois_record,
               :dns_records,
-              :reverse_dns_names
+              :reverse_dns_names,
+              :cpes,
+              :ports
             ).find(id)
           rescue ActiveRecord::RecordNotFound
             error!({ message: "ID:#{id} is not found" }, 404)

data/lib/mihari/web/public/index.html

@@ -1 +1 @@
-<!doctype html><html lang="en"><head><meta charset="utf-8"/><meta http-equiv="X-UA-Compatible" content="IE=edge"/><meta name="viewport" content="width=device-width,initial-scale=1"/><link rel="icon" href="/static/favicon.ico"/><title>Mihari</title><script defer="defer" type="module" src="/static/js/chunk-vendors.3bdbaffb.js"></script><script defer="defer" type="module" src="/static/js/app.40749592.js"></script><link href="/static/css/chunk-vendors.da2a7bfc.css" rel="stylesheet"><link href="/static/css/app.de5845d8.css" rel="stylesheet"><script defer="defer" src="/static/js/chunk-vendors-legacy.d6b76c57.js" nomodule></script><script defer="defer" src="/static/js/app-legacy.f550d6ae.js" nomodule></script></head><body><noscript><strong>We're sorry but Mihari doesn't work properly without JavaScript enabled. Please enable it to continue.</strong></noscript><div id="app"></div></body></html>
+<!doctype html><html lang="en"><head><meta charset="utf-8"/><meta http-equiv="X-UA-Compatible" content="IE=edge"/><meta name="viewport" content="width=device-width,initial-scale=1"/><link rel="icon" href="/static/favicon.ico"/><title>Mihari</title><script defer="defer" type="module" src="/static/js/chunk-vendors.3bdbaffb.js"></script><script defer="defer" type="module" src="/static/js/app.afd5025f.js"></script><link href="/static/css/chunk-vendors.da2a7bfc.css" rel="stylesheet"><link href="/static/css/app.2a5d3d21.css" rel="stylesheet"><script defer="defer" src="/static/js/chunk-vendors-legacy.d6b76c57.js" nomodule></script><script defer="defer" src="/static/js/app-legacy.c3595dce.js" nomodule></script></head><body><noscript><strong>We're sorry but Mihari doesn't work properly without JavaScript enabled. Please enable it to continue.</strong></noscript><div id="app"></div></body></html>