Threat Intel Platform for T-POTs

Related tags

Security related resourcespythonopen-sourceiochoneypotcybersecuritythreatinteltpotthreat-intelligencecyber-threat-intelligence
Overview

GreedyBear

GitHub release (latest by date) GitHub Repo stars

CodeFactor Code style: black Imports: isort Pull request automation

The project goal is to extract data of the attacks detected by a TPOT or a cluster of them and to generate some feeds that can be used to prevent and detect attacks.

Official announcement here.

Feeds

Public feeds

There are public feeds provided by The Honeynet Project in this site: greedybear.honeynet.org. Example

Please do not perform too many requests to extract feeds or you will be banned.

If you want to be updated regularly, please download the feeds only once every 10 minutes (this is the time between each internal update).

Available feeds

The feeds are reachable through the following URL:

https://
   
    /api/feeds/
    
     /
     
      /
      
       .

The available feed_type are:

  • log4j: attacks detected from the Log4pot.
  • cowrie: attacks detected from the Cowrie Honeypot
  • all: get all types at once

The available attack_type are:

  • scanner: IP addresses captured by the honeypots while performing attacks
  • payload_request: IP addresses and domains extracted from payloads that would have been executed after a speficic attack would have been successful
  • all: get all types at once

The available age are:

  • recent: most recent IOCs seen in the last 3 days
  • persistent: these IOCs are the ones that were seen regularly by the honeypots. This feeds will start empty once no prior data was collected and will become bigger over time.

The available format are:

  • txt: plain text (just one line for each IOC)
  • csv: CSV-like file (just one line for each IOC)
  • json: JSON file with additional information regarding the IOCs

Run Greedybear on your environment

The tool has been created not only to provide the feeds from The Honeynet Project's cluster of TPOTs.

If you manage one or more T-POTs of your own, you can get the code of this application and run Greedybear on your environment. In this way, you are able to provide new feeds of your own.

Comments
  • Added Basic Testcases

    Added Basic Testcases

    Description

    Added Testcases for Views and Models

    Related issues

    Fixes #21

    Type of change

    Please delete options that are not relevant.

    • [ ] Bug fix (non-breaking change which fixes an issue).
    • [ ] New feature (non-breaking change which adds functionality).
    • [ ] Breaking change (fix or feature that would cause existing functionality to not work as expected).

    Checklist

    • [ ] I have read and understood the rules about how to Contribute to this project
    • [ ] The pull request is for the branch dev
    • [ ] The tests gave 0 errors.
    • [ ] Linters (Black, Flake, Isort) gave 0 errors. If you have correctly installed pre-commit, it does these checks and adjustments on your behalf.
    • [ ] The commits were squashed into a single one (optional, they will be squashed anyway by the maintainer)

    Important Rules

    • If your changes decrease the overall tests coverage (you will know after the Codecov CI job is done), you should add the required tests to fix the problem
    • Everytime you make changes to the PR and you think the work is done, you should explicitly ask for a review
    opened by uzaxirr 11
  • Create authenticated enrichment service

    Create authenticated enrichment service

    We could provide a service that could be queried via API key. In this way, it would be possibile to understand if an IOC is in the database of Greedybear without having to download and manage all the feeds from Greedybear.

    It would be a simple enrichment service.

    We would need:

    • a basic GUI (#11) to allow people register and get an API key.
    • limit API usage to avoid abuse.
    • allow different kind of API usage limits
    • create new API endpoint (#17)
    • Integrate it in IntelOwl (https://github.com/intelowlproject/IntelOwl/issues/817)
    opened by mlodic 9
  • Create feeds for other honeypot types

    Create feeds for other honeypot types

    GreedyBear works by extracting the data from the T-Pot logs generated by the honeypots.

    As a first alpha release we just integrated log4jpot + cowrie.

    We should also integrate all the other available honeypots in the T-PoT. Glutton should be the first

    opened by mlodic 8
  • Fixes #17: Added API for Enrichment

    Fixes #17: Added API for Enrichment

    Description

    Added Enrichment Endpoint. To get details of an observable my it's name. Endpoint: /api/enrichment?query=<observable_name>

    Please ignore the vague changes in settings.py regarding env vars. Did it because of #23 I'll revert them when my PR is good to go.

    Added Fake data in DB through admin pannel for testing purpose

    Related issues

    Fixes and Closes #17

    Type of change

    Please delete options that are not relevant.

    • [x] New feature (non-breaking change which adds functionality).

    Checklist

    • [x] I have read and understood the rules about how to Contribute to this project
    • [x] The pull request is for the branch dev
    • [ ] The tests gave 0 errors.
    • [ ] Linters (Black, Flake, Isort) gave 0 errors. If you have correctly installed pre-commit, it does these checks and adjustments on your behalf.
    • [ ] The commits were squashed into a single one (optional, they will be squashed anyway by the maintainer)

    Screenshots

    API Response

    For a record that exist in DB

    Screenshot from 2022-01-05 21-41-55

    For a record that does not exist in DB

    Screenshot from 2022-01-05 21-42-07

    Details of the searched observable in DB

    Screenshot from 2022-01-02 23-24-40

    All Records in DB

    Screenshot from 2022-01-02 23-24-27

    opened by uzaxirr 7
  • Configured Read the Docs

    Configured Read the Docs

    Description

    Configured Read the Docs

    Changes I have done :

    added .readthedocs.yaml file made some changes to docs/source/conf.py added documentation link in readme

    Things to complete :

    I created only the empty md files in docs but haven't added any documentation in them need to add doc of openapi and redoc.

    Related issues

    This PR partially solves issue #27

    Type of change

    • [x] New feature (non-breaking change which adds functionality).

    Checklist

    • [x] I have read and understood the rules about how to Contribute to this project
    • [x] The pull request is for the branch dev
    • [x] The tests gave 0 errors.
    • [x] Linters (Black, Flake, Isort) gave 0 errors. If you have correctly installed pre-commit, it does these checks and adjustments on your behalf.
    • [ ] The commits were squashed into a single one (optional, they will be squashed anyway by the maintainer)

    Important Rules

    • If your changes decrease the overall tests coverage (you will know after the Codecov CI job is done), you should add the required tests to fix the problem
    • Everytime you make changes to the PR and you think the work is done, you should explicitly ask for a review
    opened by yaswanthsaivendra 4
  • Added elasticsearch container for development

    Added elasticsearch container for development

    Description

    Added elasticsearch container for development

    Related issues

    closes #23

    Type of change

    Please delete options that are not relevant.

    • [ ] Bug fix (non-breaking change which fixes an issue).
    • [X] New feature (non-breaking change which adds functionality).
    • [ ] Breaking change (fix or feature that would cause existing functionality to not work as expected).

    Checklist

    • [X] I have read and understood the rules about how to Contribute to this project
    • [X] The pull request is for the branch dev
    • [X] The tests gave 0 errors.
    • [X] Linters (Black, Flake, Isort) gave 0 errors. If you have correctly installed pre-commit, it does these checks and adjustments on your behalf.
    • [ ] The commits were squashed into a single one (optional, they will be squashed anyway by the maintainer)

    Important Rules

    • If your changes decrease the overall tests coverage (you will know after the Codecov CI job is done), you should add the required tests to fix the problem
    • Everytime you make changes to the PR and you think the work is done, you should explicitly ask for a review
    opened by devmrfitz 4
  • Elasticsearch installation error

    Elasticsearch installation error

    i'm encountering some error while setting up GreedyBear locally After doing the docker-compose -p greedybear up cmd. It originates from settings.py where Elasticsearch client is being initialized. The ELASTIC_ENDPOINT variable in my env file is empty Screenshot from 2022-01-02 19-51-22

    opened by uzaxirr 4
  • updated feeds view to make use of DRF and added durin authenication

    updated feeds view to make use of DRF and added durin authenication

    Description

    • Made changes to feeds View to make use of DRF
    • Added token authentication of django-rest-durin.

    Related issues

    This PR solves #26 issue.

    Type of change

    • [ ] New feature (non-breaking change which adds functionality).

    Checklist

    • [ ] I have read and understood the rules about how to Contribute to this project
    • [ ] The pull request is for the branch dev
    • [ ] The tests gave 0 errors.
    • [ ] Linters (Black, Flake, Isort) gave 0 errors. If you have correctly installed pre-commit, it does these checks and adjustments on your behalf.
    • [ ] The commits were squashed into a single one (optional, they will be squashed anyway by the maintainer)
    opened by yaswanthsaivendra 3
  • Rate limiting for admin and API

    Rate limiting for admin and API

    Description

    Rate limiting for admin and API

    Related issues

    #31

    Type of change

    Please delete options that are not relevant.

    • [ ] Bug fix (non-breaking change which fixes an issue).
    • [X] New feature (non-breaking change which adds functionality).
    • [ ] Breaking change (fix or feature that would cause existing functionality to not work as expected).

    Checklist

    • [X] I have read and understood the rules about how to Contribute to this project
    • [X] The pull request is for the branch dev
    • [X] The tests gave 0 errors.
    • [X] Linters (Black, Flake, Isort) gave 0 errors. If you have correctly installed pre-commit, it does these checks and adjustments on your behalf.
    • [X] The commits were squashed into a single one (optional, they will be squashed anyway by the maintainer)

    Important Rules

    • If your changes decrease the overall tests coverage (you will know after the Codecov CI job is done), you should add the required tests to fix the problem
    • Everytime you make changes to the PR and you think the work is done, you should explicitly ask for a review
    opened by devmrfitz 2
  • Add CONTRIBUTING.md file

    Add CONTRIBUTING.md file

    Can we please add or refer to the URL containing the guidelines for future contributors, I see there's nothing mentioned about it in the readme or docs for this repo.

    opened by ManishShah120 2
  • Integrate GreedyBear inside T-Pot installation

    Integrate GreedyBear inside T-Pot installation

    This would require that all of these issues were solved first:

    • #11 , #12 , #10 , #21 , #27

    Plus, we would need to work with the T-Pot team to properly integrate the project there. The goal is to try to reduce the complexity of the overall application to allow an easy integration

    opened by mlodic 2
  • Allow to do customized feeds lookups

    Allow to do customized feeds lookups

    We could add more ways to extract data feeds from GB other than "recent" and "persistent" which are free.

    These new ways must be protected with authentication to avoid abuse.

    We could give the users the chance to:

    • download the data extracted in the last X hours (customization of "recent")
    • download the data that was seen more than X times in the last X days (customization of "persistent")
    opened by mlodic 0
  • Filter IP addresses from known scanners

    Filter IP addresses from known scanners

    We should periodically download this batch of data: https://raw.githubusercontent.com/stamparm/maltrail/master/trails/static/mass_scanner.txt and add those IP to whitelists to reduce number of false positives

    opened by mlodic 0
  • Add the chance to select which honeypot we want to extract data from

    Add the chance to select which honeypot we want to extract data from

    Right now there is no chance to do that. GreedyBear would automatically extract data from all the configured honeypots.

    We should allow the app administrator from the Django Admin to enable/disable honeypot extraction. In that way we can also filter logs which states that the honeypot is not running.

    opened by mlodic 0
Releases(v1.0.2)
Owner
The Honeynet Project
The Honeynet Project
GitHub Repository
Exploit for GitLab CVE-2021-22205 Unauthenticated Remote Code Execution

Vuln Impact An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files tha

Hendrik Agung 2 Dec 30, 2021
A fast sub domain brute tool for pentesters

subDomainsBrute 1.4 A fast sub domain brute tool for pentesters. It works with P

Oliver 2 Oct 18, 2022
Scanner for Intranet

cthun3是集成端口扫描,服务识别,netbios扫描,网站识别,暴力破解和漏洞扫描的工具. cthun(克苏恩)是魔兽世界电子游戏中一位上古之神 截图 cthun3结合viper使用时截图 使用方法 端口扫描 -ps-ip 端口扫描的ip地址范围,例如可以输入 -ps-ip 192.168.14

rootkit 18 Sep 03, 2022
Visibility and Mitigation for Log4J vulnerabilities

Visibility and Mitigation for Log4J vulnerabilities Several scripts for the visibility and mitigation of Log4J vulnerabilities. Static Scanner - Linux

SentinelLabs 15 May 21, 2022
A secure way of storing your passwords.

StrongBox 🔐 A secure way of storing your passwords. 🔑 Why to use StrongBox? StrongBox makes it possible to have a random generated strong password i

Dylan Tintenfich 5 Dec 25, 2021
BOF-Roaster is an automated buffer overflow exploit machine which is begin written with Python 3.

BOF-Roaster is an automated buffer overflow exploit machine which is begin written with Python 3. On first release it was able to successfully break many of the most well-known buffer overflow exampl

Kaan Caglan 5 Nov 23, 2021
A OSINT tool coded in python

Argus Welcome to Argus, a OSINT tool coded in python. Disclaimer I Am not responsible what you do with the information that is given to you by my tool

Aidan 2 Mar 20, 2022
Fast python tool to test apache path traversal CVE-2021-41773 in a List of url

CVE-2021-41773 Fast python tool to test apache path traversal CVE-2021-41773 in a List of url Usage :- create a live urls file and use the flag "-l" p

Zahir Tariq 12 Nov 09, 2022
Enhancing Twin Delayed Deep Deterministic Policy Gradient with Cross-Entropy Method

Enhancing Twin Delayed Deep Deterministic Policy Gradient with Cross-Entropy Method Hieu Trung Nguyen, Khang Tran and Ngoc Hoang Luong Setup Clone thi

Evolutionary Learning & Optimization (ELO) Lab 6 Jun 29, 2022
Dependency injection in python with autoconfiguration

The base is a DynamicContainer to autoconfigure services using the decorators @services for regular services and @command_handler for using command pattern.

Sergio Gómez 2 Jan 17, 2022
Phishing-Crack tools to punish friends

Phishing-Crack Phishing Tool Version 1.0.0 Created By temirovazat A Phishing Tool With PHP and Python3 Features Fake Instagram Phishing Page Fake Face

3 Oct 04, 2022
Log4jScanner is a Log4j Related CVEs Scanner, Designed to Help Penetration Testers to Perform Black Box Testing on given subdomains.

Log4jScanner Log4jScanner is a Log4j Related CVEs Scanner, Designed to Help Penetration Testers to Perform Black Box Testing on given subdomains. Disc

Pushpender Singh 35 Dec 12, 2022
Auerswald COMpact 8.0B Backdoors exploit

CVE-2021-40859 Auerswald COMpact 8.0B Backdoors exploit About Backdoors were discovered in Auerswald COMpact 5500R 7.8A and 8.0B devices, that allow a

6 Sep 22, 2022
Python lib to automate basic QFT calculations like Wick-contractions.

QFTools Python lib to automate basic QFT calculations like Wick-contractions. Features Wick contractions for real scalar fields Wick contractions for

2 Aug 21, 2022
A repository to detect the ARP spoofing in any devices and prevent Man in the Middle(MITM) attack using Python3

arp_spoof_detector A repository to detect the ARP spoofing in any devices and prevent Man in the Middle(MITM) attack using Python3 Usage: git clone ht

Surya Das N 1 Oct 30, 2021
Tool ini berfungsi untuk membuat virus secara instan

vbug (ID) Tool ini berfungsi untuk membuat virus secara instan. Dengan begitu pengguna vbug maker dapat menggunakannya dengan mudah dan cepat. Di dala

OneTXz 3 Jun 05, 2022
A piece of software that shows a traceroute of a URL redirect path

Tracing URL redirects has never been easier! Usage • Download 🚩 Use Cases To see where an affiliate link ends up To see what affiliate network is bei

41 Nov 22, 2022
APKLeaks - Scanning APK file for URIs, endpoints & secrets.

APKLeaks - Scanning APK file for URIs, endpoints & secrets.

dw1 3.5k Jan 09, 2023
Worm/Trojan/Ransomware/apt/Rootkit/Virus Database

Pestilence - The Malware Database [] Screenshot Pestilence is a project created to make the possibility of malware analysis open and available to the

*ERR0R* 47 Dec 21, 2022
A Python Bytecode Disassembler helping reverse engineers in dissecting Python binaries

A Python Bytecode Disassembler helping reverse engineers in dissecting Python binaries by disassembling and analyzing the compiled python byte-code(.pyc) files across all python versions (including P

neeraj 95 Dec 26, 2022