ninoseki / mihari

A query aggregator for OSINT based threat hunting

Home Page:https://ninoseki.github.io/mihari/

[BUG] PassiveTotal analyzer not returning IPs while searching using SHA1 of a certificate

r0ny123 opened this issue · comments

r0ny123 commented

Describe the bug:

According to the documentation, searching using a hash (SSL certificate SHA1 fingerprint) will return the IP addresses associated with it. In this case, the PassiveTotal analyzer is not returning IPs while searching using the SHA1 of a certificate.

Steps to reproduce:

  • create an example rule as mentioned below:

```yaml
title: IPs associated with cert c00a42e59d32acf2344a153c6de91896cde2a1c1 (SHA1)
description: IPs associated with cert c00a42e59d32acf2344a153c6de91896cde2a1c1 (SHA1)
queries:
  - analyzer: passivetotal
    query: c00a42e59d32acf2344a153c6de91896cde2a1c1
```

  • save it and run `mihari search example.yml`

Expected behavior:

This should return some IPs associated with it.
Per RiskIQ, the cert has some IPs linked with it.

Actual behavior:

The search doesn't return any results (IP addresses) and prints the following output: `Mihari -- There is no new artifact.`

System Information:

  • OS: Ubuntu 20.04
  • Ruby version: 3.0
  • Mihari version: 4.3.0

Additional context:

I also verified the above-mentioned rule using the `mihari validate` rule command, and it said "Valid Format".
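A stand-alone sanity check for the report above, added here as an example and not part of mihari or of the reporter's post: it loads the rule from the issue (copied inline), classifies the query string the way an analyzer must before choosing an endpoint, and extracts IP artifacts from a constructed PassiveTotal SSL-history response. The classifier and the response shape (`results` entries carrying `ipAddresses`) are assumptions, not mihari's own code or RiskIQ's documented schema.

```ruby
require "yaml"
require "json"

# Constructed copy of the rule from the report (embedded so the script runs
# stand-alone; it is not read from example.yml).
RULE_YAML = <<~YAML
  title: IPs associated with cert c00a42e59d32acf2344a153c6de91896cde2a1c1 (SHA1)
  description: IPs associated with cert c00a42e59d32acf2344a153c6de91896cde2a1c1 (SHA1)
  queries:
    - analyzer: passivetotal
      query: c00a42e59d32acf2344a153c6de91896cde2a1c1
YAML

# Assumed classifier: an analyzer has to decide whether a query is a hash,
# IP, mail address or domain before picking an endpoint. A 40-hex-digit
# string is a SHA1; a stray space or non-hex character drops it to "unknown".
def query_type(query)
  q = query.to_s.strip
  return "hash" if q.match?(/\A(?:\h{32}|\h{40}|\h{64})\z/)
  return "ip" if q.match?(/\A(?:\d{1,3}\.){3}\d{1,3}\z/)
  return "mail" if q.include?("@")
  return "domain" if q.match?(/\A(?:[a-z0-9-]+\.)+[a-z]{2,}\z/i)
  "unknown"
end

# Parse the rule and report, per query, which analyzer it targets and what
# type the query string was classified as.
def load_queries(yaml_text)
  rule = YAML.safe_load(yaml_text)
  Array(rule["queries"]).map do |q|
    { analyzer: q["analyzer"], query: q["query"], type: query_type(q["query"]) }
  end
end

# Constructed response in the shape assumed for PassiveTotal's SSL
# certificate history endpoint: "results" entries, each optionally carrying
# "ipAddresses". Addresses are RFC 5737 documentation ranges.
SAMPLE_HISTORY = JSON.parse(<<~JSON)
  {
    "results": [
      {"sha1": "c00a42e59d32acf2344a153c6de91896cde2a1c1", "firstSeen": "2021-01-02",
       "lastSeen": "2021-03-04", "ipAddresses": ["192.0.2.10", "192.0.2.11"]},
      {"sha1": "c00a42e59d32acf2344a153c6de91896cde2a1c1", "firstSeen": "2021-03-05",
       "lastSeen": "2021-04-01", "ipAddresses": ["192.0.2.11", "198.51.100.7"]},
      {"sha1": "c00a42e59d32acf2344a153c6de91896cde2a1c1", "firstSeen": "2021-04-02",
       "lastSeen": "2021-04-03"}
    ]
  }
JSON

# Collect the artifacts the rule author expects: unique IPs across every
# history entry. Entries without "ipAddresses" are skipped rather than
# aborting the whole extraction, and an empty result list yields [].
def ip_artifacts(history)
  Array(history["results"]).flat_map { |r| Array(r["ipAddresses"]) }.uniq
end

if __FILE__ == $PROGRAM_NAME
  load_queries(RULE_YAML).each do |q|
    puts "#{q[:analyzer]} #{q[:query]} -> #{q[:type]}"
  end
  puts ip_artifacts(SAMPLE_HISTORY).inspect
end
```

Running the script should print `passivetotal c00a42e59d32acf2344a153c6de91896cde2a1c1 -> hash` followed by the three unique IPs; if the fingerprint in a real rule classifies as anything other than `hash`, the query string itself is the first thing to check before suspecting the analyzer.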