intelowlproject / greedybear

Threat Intel Platform for T-POTs

License: MIT License

Python 45.34% Dockerfile 0.66% Shell 7.89% HTML 1.82% JavaScript 43.24% SCSS 1.04%
cyber-threat-intelligence cybersecurity hacktoberfest honeypot ioc open-source python threat-intelligence threatintel tpot

greedybear's People

Contributors

0ssigeno, carellamartina, dependabot[bot], devmrfitz, drosetti, lf32, mayadevbe, mlodic, uzaxirr


greedybear's Issues

Allow to do customized feeds lookups

We could add more ways to extract data feeds from GB other than "recent" and "persistent", which are free.

These new ways must be protected with authentication to avoid abuse.

We could give the users the chance to:

  • download the data extracted in the last X hours (customization of "recent")
  • download the data that was seen more than X times in the last X days (customization of "persistent")

possible bug in Frontend Code

In the most recent version in develop, with the new GUI, there is a possible hidden bug in the rendering of the frontend code.

AppHeaders is rendered multiple times, maybe due to some problem in handling the state in React. The same thing happens for other parts of the code in other sections. To be investigated (first step, check the output in the console log).

Adding basic test suite

We should properly mock the query to ElasticSearch to have the tests work in GitHub Actions. Please refer to IntelOwl to get an example.

Dashboard Error! 500 Internal Server Error

Hi

Set up a couple of existing T-Pots, and looked to add GreedyBear with the /installer_on_tpot.sh script.

Following execution of the script, I can load up a page at http://Address:8008 to get the home screen splash.
When I go for Dashboard, I get a 500 Internal Server Error.

When I try to log on with the credentials entered in the .sh script, I get "login failed".

Any advice please?

Thanks

Add the chance to select which honeypot we want to extract data from

Right now there is no way to do that. GreedyBear automatically extracts data from all the configured honeypots.

We should allow the app administrator to enable/disable honeypot extraction from the Django Admin. In that way we can also filter out logs which state that the honeypot is not running.

Add CONTRIBUTING.md file

Can we please add, or refer to, the URL containing the guidelines for future contributors? I see there's nothing mentioned about it in the readme or docs for this repo.

[New Frontend] Dashboard with statistics

We could add a Dashboard with some generic statistics about the GB services. This dashboard would be public so no authentication is required to access it.

We could look at how the IntelOwl Dashboard is done and do something similar:

  • number of downloads of the feeds per month/week/day/hour and from how many sources (don't show the sources, just the count) (2 graphs, SimpleAreaCharts?)
  • count of successful requests to the enrichment service per month/week/day/hour and from how many sources (don't show the sources, just the count) (2 graphs)
  • count of extracted IOCs from each feed type (cowrie, log4j, all) per month/week/day/hour
  • ...

Integrate GreedyBear inside T-Pot installation

This would require that all of these issues were solved first:

Plus, we would need to work with the T-Pot team to properly integrate the project there. The goal is to try to reduce the complexity of the overall application to allow an easy integration.

v1.0.3

Checklist for creating a new release

  • Update CHANGELOG.md for the new version
  • Change version number in docs/source/schema.yml, docker/.version
  • Verify CI Tests
  • Merge the PR to the main branch

Note: Only use "Merge and commit" as the merge strategy and not "Squash and merge". Using "Squash and merge" makes history between branches misaligned.

  • Create release for the branch main.

Write the following statement there (change the version number):

please refer to the [Changelog](https://github.com/intelowlproject/GreedyBear/blob/develop/.github/CHANGELOG.md#v102)

Create different types of feeds based on mathematical models

Right now, there are 2 feeds available, based on the age of the indicator:

  • recent: most recent IOCs seen in the last 3 days
  • persistent: these IOCs are the ones that were seen regularly by the honeypots. This feed will start empty when no prior data has been collected and will become bigger over time.

But they are really simple. Maybe we could think about creating different kinds of lists based on more reliable values.
This issue will need a complex research analysis.
A starting point could be Stratosphere's research: https://www.stratosphereips.org/aip-tool

Elasticsearch installation error

I'm encountering an error while setting up GreedyBear locally,
after running the docker-compose -p greedybear up command.
It originates from settings.py, where the Elasticsearch client is being initialized. The ELASTIC_ENDPOINT variable in my env file is empty.

Create authenticated enrichment service

We could provide a service that could be queried via API key. In this way, it would be possible to understand if an IOC is in the database of GreedyBear without having to download and manage all the feeds from GreedyBear.

It would be a simple enrichment service.

We would need:

  • a basic GUI (#11) to allow people to register and get an API key.
  • limit API usage to avoid abuse.
  • allow different kinds of API usage limits.
  • create a new API endpoint (#17).
  • integrate it in IntelOwl (intelowlproject/IntelOwl#817).

Create feeds for other honeypot types

GreedyBear works by extracting the data from the T-Pot logs generated by the honeypots.

As a first alpha release we just integrated log4jpot + cowrie.

We should also integrate all the other available honeypots in T-Pot.
Glutton should be the first.
