Mihari has own DSL (which is inspired by 3c7/infrastructure-tracking-schema) to write a rule in YAML.
You can combine multiple search queries into single rule.
For example, if you want to find hots which serve an html as same as http://example.com you can write a rule like following:
id: 75c05d98-2245-4d7d-8ea0-fee8d15afa52
title: example.com HTML
description: A rule to find hosts serve an HTML same as example.com
queries:
- analyzer: binaryedge
query: web.body.sha256:ea8fac7c65fb589b0d53560f5251f74f9e9b243478dcb6b3ea79b5e36449c8d9
- analyzer: censys
query: services.http.response.body_hash:"sha1:4a3ce8ee11e091dd7923f4d8c6e5b5e41ec7c047"
- analyzer: shodan
query: http.html_hash:-2087618365
- analyzer: urlscan
query: hash:ea8fac7c65fb589b0d53560f5251f74f9e9b243478dcb6b3ea79b5e36449c8d9
id: ...
title: ...
description: ...
queries:
- analyzer: ...
query: ...
emitters:
- emitter: ...
enrichrers:
- enricher: ...
data_types: []
falepositives: []
artifact_lifetime: ...
tags: ...
author: ...
references: ...
related: ...
status: ...
created_on: ...
updated_on: ...
| Name | Type | Required? | Default | Desc. |
|---|---|---|---|---|
| id | String | Yes | ||
| title | String | Yes | ||
| description | String | Yes | ||
| queries | Array<Analyzer> | Yes | ||
| emitters | Array<Emitter> | No | database, misp, the_hive, slack and webhook | |
| enrichers | Array<Enricher> | No | whois, ipinfo, shodan, google_public_dns | |
| tags | Array<String> | No | [] | |
| author | String | No | ||
| references | Array<String> | No | ||
| related | Array<String> | No | ||
| status | String | No | ||
| created_on | Date | No | ||
| updated_on | Date | No | ||
| data_types | Array<String> | No | hash, ip, domain, url and mail | Data types to be allowed |
| falsepositives | Array<String> | No | [] | Data values to be ignored. |
| You can use a regex as a value by surrounding a string with / (e.g. /^.+\.example\.com/) | ||||
| artifact_lifetime | Integer | No | true | Artifact lifetime/TTL in seconds. |
artifact_lifetime controls time-to-live (TTL) of an artifact.
For example,
artifact_lifetime is set as none/nil, an artifact is never decayed (An artifact with the same value will not be created by a next search)artifact_lifetime is set as 60, an artifact is decayed in 60 secs (An artifact with the same value will be created by a next search)Each schema of Analyzer and Emitter is described in Services.
You can create a new rule with CLI.
mihari init
You can validate a rule with CLI.
mihari validate /path/to/rule.yml