Threat Intel Platform for T-POTs

Last update: Jan 01, 2023

Overview

GreedyBear

The project goal is to extract data of the attacks detected by a TPOT or a cluster of them and to generate some feeds that can be used to prevent and detect attacks.

Official announcement here.

Feeds

Public feeds

There are public feeds provided by The Honeynet Project in this site: greedybear.honeynet.org. Example

Please do not perform too many requests to extract feeds or you will be banned.

If you want to be updated regularly, please download the feeds only once every 10 minutes (this is the time between each internal update).

Available feeds

The feeds are reachable through the following URL:

https://
   
    /api/feeds/
    
     /
     
      /
      
       .

The available feed_type are:

log4j: attacks detected from the Log4pot.
cowrie: attacks detected from the Cowrie Honeypot
all: get all types at once

The available attack_type are:

scanner: IP addresses captured by the honeypots while performing attacks
payload_request: IP addresses and domains extracted from payloads that would have been executed after a speficic attack would have been successful
all: get all types at once

The available age are:

recent: most recent IOCs seen in the last 3 days
persistent: these IOCs are the ones that were seen regularly by the honeypots. This feeds will start empty once no prior data was collected and will become bigger over time.

The available format are:

txt: plain text (just one line for each IOC)
csv: CSV-like file (just one line for each IOC)
json: JSON file with additional information regarding the IOCs

Run Greedybear on your environment

The tool has been created not only to provide the feeds from The Honeynet Project's cluster of TPOTs.

If you manage one or more T-POTs of your own, you can get the code of this application and run Greedybear on your environment. In this way, you are able to provide new feeds of your own.

Comments

Added Basic Testcases
Description

Added Testcases for Views and Models

Related issues

Fixes #21

Type of change

Please delete options that are not relevant.

[ ] Bug fix (non-breaking change which fixes an issue).

[ ] New feature (non-breaking change which adds functionality).

[ ] Breaking change (fix or feature that would cause existing functionality to not work as expected).

Checklist

[ ] I have read and understood the rules about how to Contribute to this project

[ ] The pull request is for the branch dev

[ ] The tests gave 0 errors.

[ ] Linters (Black, Flake, Isort) gave 0 errors. If you have correctly installed pre-commit, it does these checks and adjustments on your behalf.

[ ] The commits were squashed into a single one (optional, they will be squashed anyway by the maintainer)

Important Rules

If your changes decrease the overall tests coverage (you will know after the Codecov CI job is done), you should add the required tests to fix the problem

Everytime you make changes to the PR and you think the work is done, you should explicitly ask for a review
opened by uzaxirr 11
Create authenticated enrichment service
We could provide a service that could be queried via API key. In this way, it would be possibile to understand if an IOC is in the database of Greedybear without having to download and manage all the feeds from Greedybear.

It would be a simple enrichment service.

We would need:

a basic GUI (#11) to allow people register and get an API key.

limit API usage to avoid abuse.

allow different kind of API usage limits

create new API endpoint (#17)

Integrate it in IntelOwl (https://github.com/intelowlproject/IntelOwl/issues/817)
opened by mlodic 9
Create feeds for other honeypot types

GreedyBear works by extracting the data from the T-Pot logs generated by the honeypots.

As a first alpha release we just integrated log4jpot + cowrie.

We should also integrate all the other available honeypots in the T-PoT. Glutton should be the first

opened by mlodic 8
Fixes #17: Added API for Enrichment
Description

Added Enrichment Endpoint. To get details of an observable my it's name. Endpoint: /api/enrichment?query=<observable_name>

Please ignore the vague changes in settings.py regarding env vars. Did it because of #23 I'll revert them when my PR is good to go.

Added Fake data in DB through admin pannel for testing purpose

Related issues

Fixes and Closes #17

Type of change

Please delete options that are not relevant.

[x] New feature (non-breaking change which adds functionality).

Checklist

[x] I have read and understood the rules about how to Contribute to this project

[x] The pull request is for the branch dev

[ ] The tests gave 0 errors.

[ ] Linters (Black, Flake, Isort) gave 0 errors. If you have correctly installed pre-commit, it does these checks and adjustments on your behalf.

[ ] The commits were squashed into a single one (optional, they will be squashed anyway by the maintainer)

Screenshots

API Response

For a record that exist in DB

For a record that does not exist in DB

Details of the searched observable in DB

All Records in DB
opened by uzaxirr 7
Configured Read the Docs
Description

Configured Read the Docs

Changes I have done :

added .readthedocs.yaml file made some changes to docs/source/conf.py added documentation link in readme

Things to complete :

I created only the empty md files in docs but haven't added any documentation in them need to add doc of openapi and redoc.

Related issues

This PR partially solves issue #27

Type of change

[x] New feature (non-breaking change which adds functionality).

Checklist

[x] I have read and understood the rules about how to Contribute to this project

[x] The pull request is for the branch dev

[x] The tests gave 0 errors.

[x] Linters (Black, Flake, Isort) gave 0 errors. If you have correctly installed pre-commit, it does these checks and adjustments on your behalf.

[ ] The commits were squashed into a single one (optional, they will be squashed anyway by the maintainer)

Important Rules

If your changes decrease the overall tests coverage (you will know after the Codecov CI job is done), you should add the required tests to fix the problem

Everytime you make changes to the PR and you think the work is done, you should explicitly ask for a review
opened by yaswanthsaivendra 4
Added elasticsearch container for development
Description

Added elasticsearch container for development

Related issues

closes #23

Type of change

Please delete options that are not relevant.

[ ] Bug fix (non-breaking change which fixes an issue).

[X] New feature (non-breaking change which adds functionality).

[ ] Breaking change (fix or feature that would cause existing functionality to not work as expected).

Checklist

[X] I have read and understood the rules about how to Contribute to this project

[X] The pull request is for the branch dev

[X] The tests gave 0 errors.

[X] Linters (Black, Flake, Isort) gave 0 errors. If you have correctly installed pre-commit, it does these checks and adjustments on your behalf.

[ ] The commits were squashed into a single one (optional, they will be squashed anyway by the maintainer)

Important Rules

If your changes decrease the overall tests coverage (you will know after the Codecov CI job is done), you should add the required tests to fix the problem

Everytime you make changes to the PR and you think the work is done, you should explicitly ask for a review
opened by devmrfitz 4
Elasticsearch installation error

i'm encountering some error while setting up GreedyBear locally After doing the docker-compose -p greedybear up cmd. It originates from settings.py where Elasticsearch client is being initialized. The ELASTIC_ENDPOINT variable in my env file is empty

opened by uzaxirr 4
updated feeds view to make use of DRF and added durin authenication
Description

Made changes to feeds View to make use of DRF

Added token authentication of django-rest-durin.

Related issues

This PR solves #26 issue.

Type of change

[ ] New feature (non-breaking change which adds functionality).

Checklist

[ ] I have read and understood the rules about how to Contribute to this project

[ ] The pull request is for the branch dev

[ ] The tests gave 0 errors.

[ ] Linters (Black, Flake, Isort) gave 0 errors. If you have correctly installed pre-commit, it does these checks and adjustments on your behalf.

[ ] The commits were squashed into a single one (optional, they will be squashed anyway by the maintainer)
opened by yaswanthsaivendra 3
Rate limiting for admin and API
Description

Rate limiting for admin and API

Related issues

#31

Type of change

Please delete options that are not relevant.

[ ] Bug fix (non-breaking change which fixes an issue).

[X] New feature (non-breaking change which adds functionality).

[ ] Breaking change (fix or feature that would cause existing functionality to not work as expected).

Checklist

[X] I have read and understood the rules about how to Contribute to this project

[X] The pull request is for the branch dev

[X] The tests gave 0 errors.

[X] Linters (Black, Flake, Isort) gave 0 errors. If you have correctly installed pre-commit, it does these checks and adjustments on your behalf.

[X] The commits were squashed into a single one (optional, they will be squashed anyway by the maintainer)

Important Rules

If your changes decrease the overall tests coverage (you will know after the Codecov CI job is done), you should add the required tests to fix the problem

Everytime you make changes to the PR and you think the work is done, you should explicitly ask for a review
opened by devmrfitz 2
Add CONTRIBUTING.md file

Can we please add or refer to the URL containing the guidelines for future contributors, I see there's nothing mentioned about it in the readme or docs for this repo.

opened by ManishShah120 2
Integrate GreedyBear inside T-Pot installation
This would require that all of these issues were solved first:

#11 , #12 , #10 , #21 , #27

Plus, we would need to work with the T-Pot team to properly integrate the project there. The goal is to try to reduce the complexity of the overall application to allow an easy integration
opened by mlodic 2
Allow to do customized feeds lookups
We could add more ways to extract data feeds from GB other than "recent" and "persistent" which are free.

These new ways must be protected with authentication to avoid abuse.

We could give the users the chance to:

download the data extracted in the last X hours (customization of "recent")

download the data that was seen more than X times in the last X days (customization of "persistent")
opened by mlodic 0
Filter IP addresses from known scanners

We should periodically download this batch of data: https://raw.githubusercontent.com/stamparm/maltrail/master/trails/static/mass_scanner.txt and add those IP to whitelists to reduce number of false positives

opened by mlodic 0
Add the chance to select which honeypot we want to extract data from

Right now there is no chance to do that. GreedyBear would automatically extract data from all the configured honeypots.

We should allow the app administrator from the Django Admin to enable/disable honeypot extraction. In that way we can also filter logs which states that the honeypot is not running.

opened by mlodic 0

Releases(v1.0.2)

v1.0.2(Dec 27, 2022)

please refer to the Changelog
Source code(tar.gz)
Source code(zip)
v1.0.1(Dec 7, 2022)

Source code(tar.gz)
Source code(zip)
v1.0.0(Oct 10, 2022)

Source code(tar.gz)
Source code(zip)
1.0.0(Oct 10, 2022)

Source code(tar.gz)
Source code(zip)
0.2.1(Jul 18, 2022)

Source code(tar.gz)
Source code(zip)
0.2.0(Jun 10, 2022)

Source code(tar.gz)
Source code(zip)
0.1.3(Dec 30, 2021)

Source code(tar.gz)
Source code(zip)
0.1.2(Dec 27, 2021)

Source code(tar.gz)
Source code(zip)
0.1.1(Dec 27, 2021)

Source code(tar.gz)
Source code(zip)
0.1.0(Dec 26, 2021)

Source code(tar.gz)
Source code(zip)
0.0.1(Dec 26, 2021)

Source code(tar.gz)
Source code(zip)

Owner

The Honeynet Project

GitHub Repository

Threat Intel Platform for T-POTs

Related tags

Overview

GreedyBear

Feeds

Public feeds

Available feeds

Run Greedybear on your environment

Comments

Description

Related issues

Type of change

Checklist

Important Rules

Description

Related issues

Type of change

Checklist

Screenshots

API Response

For a record that exist in DB

For a record that does not exist in DB

Details of the searched observable in DB

All Records in DB

Description

Related issues

Type of change

Checklist

Important Rules

Description

Related issues

Type of change

Checklist

Important Rules

Description

Related issues

Type of change

Checklist

Description

Related issues

Type of change

Checklist

Important Rules

Releases(v1.0.2)

v1.0.2(Dec 27, 2022)

v1.0.1(Dec 7, 2022)

v1.0.0(Oct 10, 2022)

1.0.0(Oct 10, 2022)

0.2.1(Jul 18, 2022)

0.2.0(Jun 10, 2022)

0.1.3(Dec 30, 2021)

0.1.2(Dec 27, 2021)

0.1.1(Dec 27, 2021)

0.1.0(Dec 26, 2021)

0.0.1(Dec 26, 2021)

Owner

The Honeynet Project

Facebook account cloning/hacking advanced tool + dictionary attack added | Facebook automation tool

Mips script decompiles MIPS assembly instructions & bot functionality

Confluence OGNL injection

LeLeLe: A tool to simplify the application of Lattice attacks.

IDA2Obj is a tool to implement SBI (Static Binary Instrumentation).

Abusing Microsoft 365 OAuth Authorization Flow for Phishing Attack

CSAW 2021 writeups

Scan your logs for CVE-2021-44228 related activity and report the attackers

python driver for fingerprint machine (ZKTeco biometrics)

Denial Attacks by Various Methods

This is a Python program that implements a vacuum cleaner as an Artificial Intelligence.

Webpack自动化信息收集

Check for breached passwords with k-anonymity

GitLab CI security tools runner

Generate MIPS reverse shell shellcodes easily !

POC using subprocess lib in Python 🐍

Python Library For Ethical Hacker

HTTP Protocol Stack Remote Code Execution Vulnerability CVE-2022-21907

Android Malware (Analysis | Scoring) System

A brute Force tool for Facebook