feat: add ST reverse WHOIS lookup

Add ST reverse WHOIS lookup (by email)

lib/mihari/analyzers/securitytrails.rb

@@ -5,21 +5,21 @@
 module Mihari
   module Analyzers
     class SecurityTrails < Base
-      attr_reader :indicator
+      attr_reader :query
       attr_reader :type
 
       attr_reader :title
       attr_reader :description
       attr_reader :tags
 
-      def initialize(indicator, title: nil, description: nil, tags: [])
+      def initialize(query, title: nil, description: nil, tags: [])
         super()
 
-        @indicator = indicator
-        @type = TypeChecker.type(indicator)
+        @query = query
+        @type = TypeChecker.type(query)
 
         @title = title || "SecurityTrails lookup"
-        @description = description || "indicator = #{indicator}"
+        @description = description || "query = #{query}"
         @tags = tags
       end
 
@@ -38,7 +38,7 @@ def api
       end
 
       def valid_type?
-        %w(ip domain).include? type
+        %w(ip domain mail).include? type
       end
 
       def lookup
@@ -47,28 +47,33 @@ def lookup
           domain_lookup
         when "ip"
           ip_lookup
+        when "mail"
+          mail_lookup
         else
-          raise ArgumentError, "#{indicator}(type: #{type || 'unknown'}) is not supported." unless valid_type?
+          raise ArgumentError, "#{query}(type: #{type || 'unknown'}) is not supported." unless valid_type?
         end
       rescue ::SecurityTrails::Error => _e
         nil
       end
 
       def domain_lookup
-        result = api.history.get_all_dns_history(indicator, "a").to_h
-        records = result.dig(:records) || []
+        result = api.history.get_all_dns_history(query, "a")
+        records = result.records || []
         records.map do |record|
-          values = record.dig(:values) || []
-          values.map { |value| value.dig(:ip) }
-        end.compact.flatten.uniq
+          (record.values || []).map(&:ip)
+        end.flatten.compact.uniq
       end
 
       def ip_lookup
-        result = api.domains.search( filter: { ipv4: indicator }).to_h
-        records = result.dig(:records) || []
-        records.map do |record|
-          record.dig(:hostname)
-        end.compact.uniq
+        result = api.domains.search( filter: { ipv4: query })
+        records = result.records || []
+        records.map(&:hostname).compact.uniq
+      end
+
+      def mail_lookup
+        result = api.domains.search( filter: { whois_email: query })
+        records = result.records || []
+        records.map(&:hostname).compact.uniq
       end
     end
   end

lib/mihari/cli.rb

@@ -56,7 +56,7 @@ def virustotal(indiactor)
       end
     end
 
-    desc "securitytrails [IP|DOMAIN]", "SecurityTrails resolutions lookup by a given ip or domain"
+    desc "securitytrails [IP|DOMAIN|EMAIL]", "SecurityTrails lookup by a given ip, domain or email"
     method_option :title, type: :string, desc: "title"
     method_option :description, type: :string, desc: "description"
     method_option :tags, type: :array, desc: "tags"

spec/analyzers/securitytrails_spec.rb

@@ -3,10 +3,10 @@
 RSpec.describe Mihari::Analyzers::SecurityTrails, :vcr do
   let(:tags) { %w(test) }
 
-  context "ipv4" do
-    subject { described_class.new(indicator, tags: tags) }
+  context "when given an ipv4" do
+    subject { described_class.new(query, tags: tags) }
 
-    let(:indicator) { "89.35.39.84" }
+    let(:query) { "89.35.39.84" }
 
     describe "#title" do
       it do
@@ -16,7 +16,7 @@
 
     describe "#description" do
       it do
-        expect(subject.description).to eq("indicator = #{indicator}")
+        expect(subject.description).to eq("query = #{query}")
       end
     end
 
@@ -33,10 +33,22 @@
     end
   end
 
-  context "domain" do
-    subject { described_class.new(indicator, tags: tags) }
+  context "when given a domain" do
+    subject { described_class.new(query, tags: tags) }
 
-    let(:indicator) { "jppost-tu.top" }
+    let(:query) { "jppost-tu.top" }
+
+    describe "#artifacts" do
+      it do
+        expect(subject.artifacts).to be_an(Array)
+      end
+    end
+  end
+
+  context "when given a mail" do
+    subject { described_class.new(query, tags: tags) }
+
+    let(:query) { "test@test.com" }
 
     describe "#artifacts" do
       it do
@@ -46,9 +58,9 @@
   end
 
   context "when given an invalid input" do
-    subject { described_class.new(indicator, tags: tags) }
+    subject { described_class.new(query, tags: tags) }
 
-    let(:indicator) { "foo bar" }
+    let(:query) { "foo bar" }
 
     describe "#artifacts" do
       it do