Releases: r-smith/deceptifeed

0.18.0

09 Dec 18:26

New Features

Threat Feed

  • Add query parameters to all endpoints:
    • sort to select the sort field. Values: added, ip, last_seen, threat_score. Example: curl "http://10.0.0.1:9000/json?sort=last_seen"
    • direction to specify the sort direction. Values: asc, desc. Example: curl "http://10.0.0.1:9000/json?sort=last_seen&direction=desc"
    • last_seen_hours to return only IPs seen within the specified number of hours. Example: curl "http://10.0.0.1:9000/json?last_seen_hours=24"
  • Add /html endpoint to retrieve the threat feed as a user-friendly web page. Example: http://10.0.0.1:9000/html
  • Add default landing page for the threat feed with instructions for accessing the feed.

Changes

  • Include fractional seconds when storing threat feed data.
  • If the -config parameter is not provided, default to using config.xml in the current directory, if it exists.
  • Rename configuration XML element isPrivateIncluded to includePrivateIPs.

Full Changelog: v0.16.0...v0.18.0

0.16.0

18 Nov 03:04

This release includes many major and minor changes over the previous release. Here are some of the major changes:

New features

Threat Feed:

  • Record the date each IP is added to the threat feed.
  • Add the ability to serve the threat feed in JSON format.
    • Use http://localhost:9000/json for all threat feed details.
    • Use http://localhost:9000/json/ips for just the IP addresses.
  • Add the ability to serve the threat feed in CSV format.
    • Use http://localhost:9000/csv for all threat feed details.
    • Use http://localhost:9000/csv/ips for just the IP addresses.
  • Add the ability to serve the threat feed in STIX 2.1 format.
    • Use http://localhost:9000/stix2 to retrieve as STIX indicators.
    • Use http://localhost:9000/stix2/ips to retrieve as STIX observables.
  • Add the ability to serve the threat feed as a TAXII 2.1 server.
    • The TAXII discovery URL is http://localhost:9000/taxii2/.
    • The TAXII API root URL is http://localhost:9000/taxii2/api/. This is the URL TAXII clients will likely want.
    • There are 2 collections: deceptifeed-indicators and deceptifeed-observables.
    • To test without a TAXII client, use curl http://localhost:9000/taxii2/api/collections/deceptifeed-indicators/objects/

HTTP/HTTPS honeypot server:

  • Add the ability to define rules to control when HTTP requests are sent to the threat feed. This is defined using the <rules> element in the configuration.
  • Add the ability to specify an HTTP header to use as the source IP when updating the threat feed. This is defined using the <sourceIpHeader> element in the configuration.
  • Normalize header names to lowercase when logging.
  • Add <headers> element to the configuration for setting custom HTTP response headers.
  • Add the ability to serve a custom error page using the <errorPagePath> element.
  • Rename <htmlPath> to <homePagePath> in the configuration.

Other:

  • Change the default SSH honeypot port from 2022 to 2222.
  • Change the default threat feed server port from 8081 to 9000.

Full Changelog: v0.9.0...v0.16.0

v0.9.0

28 Oct 22:51

Initial public release.