Do you ever wonder if there is an easier way to retrieve, store, and maintain all your threat intelligence data? Random user, meet Forager. Not all threat intel implementations require a database that is "correlating trillions of data points.." and instead, you just need a simple interface, with simple TXT files, that can pull threat data from other feeds, PDF threat reports, or other data sources, with minimal effort. With 15 pre-configured threat feeds, you can get started with threat intelligence feed management today.. Right now.. Do it!
- Fetch intel from URL's using modular feed functions
- Extract domain, md5, sha1, sha256, IPv4, and YARA indicators
- Search through the current intel set by single IP or with an IOC file
- Generate JSON feeds for consumption by CarbonBlack
- Serves up a Simple HTTP JSON feed server for CarbonBlack
Requires Python 3!
- argparse
- xlrd
- pdfminer3k
- colorama (for pretty colored output)
You can install all requirements with the included requirements.txt file
pip3 install -r requirements.txt
list-- Lists all feeds and allows user to choose a single feed to update.update-- Updates all feed modules listed in Forager
-f [file path]Provides the capability to search through the intel directory results for a specific list of indicators-s [IPv4 address]Searches through intel directory for a single IP address
- Reads in a file and extracts IP addresss, domains, MD5/SHA1/SHA256 hashes, and YARA rules
- Places the extracted indicators into the intel directory
- Currently supported filetypes:
- TXT
- XLS/XLSX
Note:
- Prone to false positives when extracting indicators from PDF as whitepapers with indicators will normally also contain URL references
- Generates JSON feeds of all of the IOCs in the intel dir
- Utilizes an interactive CLI prompt to allow the user to provide feed metadata the first time CBgen is run
- Runs the built-in feed server so that the CarbonBlack server can automatically ingest the JSON feeds that were generated by the CBgen command