first version (#1)

* Django skeleton

* Create LICENSE

* draft first version

* +x entrypoint

* support for elastic endpoint backups

* support for elastic endpoint backups

* psycopg

* mkdir -p

* nginx cache

* psycopg2-binary

* psycopg-binary

* psycopg-binary

* psycopg

* buster?

* psycopg2

* psycopg2

* added basic feeds API

* adjusts

* admin adjust

* added initial migration

* add init to migrations

* logs fix

* adjust tests

* debug log

* elasticsearch logs

* fixed honeypot name

* fixed honeypot name

* fix attacks extraction

* first

* adjusts

* managed unique fields

* adjusts to web server

* adjust

* adjust

* removed unique constraint

* adjustments fks

* sensors initialization

* correct now

* added wait-for-it.sh

* waitforit

* fix dockerfile

* typo

* added inits

* removing time zones

* adjusted urls

* added nginx logrotate

* more log

* adjusted celery

* correlation id

* urls

* fix urls

* fix view

* fix view

* fix models and apis

* adjust admin

* adjusted url

* adjust favicon

* favicon

* fix

* adjust celery and dates

* adjust date and logs

* adjust logs

* trying fixing arrays

* removed migration + readded logger

* added migration

* again trying to fix array fields

* manage arrays

* m-2-m + readme

* added new migration

* fix

* watched log file + fix m2m

* fixed model

* corrected migration

* adjust again

* removing many to many rels

* admin fix

* added migration

* adjusted view

* adjusted json output

Author: mlodic

.env_template

@@ -0,0 +1 @@
+COMPOSE_FILE=docker/default.yml

.flake8

@@ -0,0 +1,11 @@
+[flake8]
+max-line-length = 105
+ignore =
+    W503, # line break before binary operator
+    E231, # missing whitespace after ',' (caused by black style)
+    W605, # invalid escape sequence (caused by regex)
+exclude =
+    docker,
+    venv,
+    docs,
+    greedybear/regex.py

.github/workflows/pull_request_automation.yml

@@ -0,0 +1,34 @@
+name: Pull request automation
+
+on:
+  pull_request:
+    branches: [ main, develop ]
+
+jobs:
+  build:
+
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v2
+    - name: Set up Python
+      uses: actions/setup-python@v2
+      with:
+        python-version: 3.9
+
+    - name: Install Dependencies
+      run: |
+        pip3 install --upgrade pip
+        pip3 install -r test-requirements.txt
+
+    - name: Black formatter
+      run: |
+        black . --check --diff
+
+    - name: Lint with flake8 (PEP8 enforcer + linter)
+      run: |
+        flake8 . --config=.flake8 --show-source
+
+    - name: isort
+      run: |
+        isort . --profile black --filter-files --check-only --diff --skip venv

.gitignore

@@ -0,0 +1,5 @@
+venv/
+docs/build
+docker/env_file
+docker/env_file_postgres
+.env

.pre-commit-config.yaml

@@ -0,0 +1,14 @@
+repos:
+-   repo: https://github.com/psf/black
+    rev: 21.11b1
+    hooks:
+    - id: black
+-   repo: https://gitlab.com/pycqa/flake8
+    rev: 4.0.1
+    hooks:
+    - id: flake8
+-   repo: https://github.com/pycqa/isort
+    rev: 5.10.1
+    hooks:
+      - id: isort
+        args: ["--profile", "black", "--filter-files", "--skip", "venv", "--skip", "configuration/ldap_config.py"]

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2021 The Honeynet Project
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -1 +1,36 @@
 # GreedyBear
+
+The project goal is to extract data of the attacks detected by a TPOT or a cluster of them and to generate some feeds that can be used to prevent and detect attacks.
+
+## Available Feeds
+The feeds are reachable through the following URL: 
+```
+https://<greedybear_site>/api/feeds/<feed_type>/<attack_type>/<age>.<format>
+```
+
+The available `feed_type` are:
+
+* `log4j`: attacks detected from the Log4pot.
+
+The available `attack_type` are:
+
+* `scanner`: IP addresses captured by the honeypots while performing attacks
+* `payload_request`: IP addresses and domains extracted from payloads that would have been executed after a speficic attack would have been successful
+
+The available `age` are:
+
+* `recent`: most recent IOCs seen in the last 3 days
+* `persistent`: these IOCs are the ones that were seen regularly by the honeypots. This feeds will start empty once no prior data was collected and will become bigger over time.
+
+The available `format` are:
+
+* `csv`: CSV-like file (just one line for each IOC)
+* `json`: JSON file with additional information regarding the IOCs
+
+## Public feeds
+
+There are public feeds provided by The Honeynet Project in this site: greedybear.honeynet.org. [Example](https://greedybear.honeynet.org/api/feeds/log4j/all/recent.csv)
+
+Please do not perform too many requests to extract feeds or you will be banned.
+
+If you want to be updated regularly, please download the feeds only once every 10 minutes (this is the time between each internal update).

api/__init__.py

@@ -0,0 +1,5 @@
+from django.apps import AppConfig
+
+
+class ApiConfig(AppConfig):
+    name = "api"

api/apps.py

@@ -0,0 +1,7 @@
+from django.urls import path
+
+from api.views import feeds
+
+urlpatterns = [
+    path("feeds/<str:feed_type>/<str:attack_type>/<str:age>.<str:format_>", feeds),
+]