2.0.0 (GreedyBear-Project#583)

* Include mass scanners in advanced API by default. Closes GreedyBear-Project#580 (GreedyBear-Project#581)

* Partly revert "added mass scanner exclusion as default"

This reverts commit f953887.

* adapt tests

* add "tor exit nodes" to default excludes

* add test case for tor exit node inclusion

* add test case for tor exit node inclusion (ii)

* fix syntax

* rename method

* Upgrade Django to 5.2. Closes GreedyBear-Project#502 (GreedyBear-Project#579)

* bump django-rest-email-auth

* bump django to 5.2

* bump postgres to 18
(this requires manual manual intervention when upgrading GreedyBear)

* Link to admin interface for staff users. Closes GreedyBear-Project#529 (GreedyBear-Project#582)

* remove restriction to only show link to superusers

* fix indentation

* bump 2.0.0

* adapt CI

Author: regulartim

.env_template

@@ -13,4 +13,4 @@ COMPOSE_FILE=docker/default.yml:docker/local.override.yml
 #COMPOSE_FILE=docker/default.yml:docker/local.override.yml:docker/elasticsearch.yml
 
 # If you want to run a specific version, populate this
-# REACT_APP_INTELOWL_VERSION="1.6.8"
+# REACT_APP_INTELOWL_VERSION="2.0.0"

.github/workflows/pull_request_automation.yml

@@ -70,7 +70,7 @@ jobs:
       postgres_db: greedybear_db
       postgres_user: user
       postgres_password: password
-      postgres_version: 13
+      postgres_version: 18
       use_memcached: false
       use_elastic_search: false
       use_rabbitmq: true

api/views/feeds.py

@@ -26,16 +26,16 @@ def feeds(request, feed_type, attack_type, prioritize, format_):
         prioritize (str): Prioritization mechanism to use (e.g., recent, persistent).
         format_ (str): Desired format of the response (e.g., json, csv, txt).
         include_mass_scanners (bool): query parameter flag to include IOCs that are known mass scanners.
+        include_tor_exit_nodes (bool): query parameter flag to include IOCs that are known tor exit nodes.
 
     Returns:
         Response: The HTTP response with formatted IOC data.
     """
     logger.info(f"request /api/feeds with params: feed type: {feed_type}, " f"attack_type: {attack_type}, prioritization: {prioritize}, format: {format_}")
 
     feed_params = FeedRequestParams({"feed_type": feed_type, "attack_type": attack_type, "format_": format_})
+    feed_params.apply_default_filters(request.query_params)
     feed_params.set_prioritization(prioritize)
-    if request.query_params and "include_mass_scanners" in request.query_params:
-        feed_params.include_mass_scanners()
 
     valid_feed_types = get_valid_feed_types()
     iocs_queryset = get_queryset(request, feed_params, valid_feed_types)
@@ -58,9 +58,8 @@ def feeds_pagination(request):
 
     feed_params = FeedRequestParams(request.query_params)
     feed_params.format = "json"
+    feed_params.apply_default_filters(request.query_params)
     feed_params.set_prioritization(request.query_params.get("prioritize"))
-    if request.query_params and "include_mass_scanners" in request.query_params:
-        feed_params.include_mass_scanners()
 
     valid_feed_types = get_valid_feed_types()
     iocs_queryset = get_queryset(request, feed_params, valid_feed_types)
@@ -83,8 +82,8 @@ def feeds_advanced(request):
         attack_type (str): Type of attack to filter. (supported: `scanner`, `payload_request`, `all`; default: `all`)
         max_age (int): Maximum number of days since last occurrence. E.g. an IOC that was last seen 4 days ago is excluded by default. (default: 3)
         min_days_seen (int): Minimum number of days on which an IOC must have been seen. (default: 1)
-        include_reputation (str): `;`-separated list of reputation values to include, e.g. `known attacker` or `known attacker;` to include IOCs without reputation. (default: include all) this has precedence over exclusion
-        exclude_reputation (str): `;`-separated list of reputation values to exclude, e.g. `mass scanner` or `mass scanner;bot, crawler`. (default: exclude mass scanners)
+        include_reputation (str): `;`-separated list of reputation values to include, e.g. `known attacker` or `known attacker;` to include IOCs without reputation. (default: include all)
+        exclude_reputation (str): `;`-separated list of reputation values to exclude, e.g. `mass scanner` or `mass scanner;bot, crawler`. (default: exclude none)
         feed_size (int): Number of IOC items to return. (default: 5000)
         ordering (str): Field to order results by, with optional `-` prefix for descending. (default: `-last_seen`)
         verbose (bool): `true` to include IOC properties that contain a lot of data, e.g. the list of days it was seen. (default: `false`)

api/views/utils.py

@@ -75,10 +75,14 @@ def __init__(self, query_params: dict):
         self.paginate = query_params.get("paginate", "false").lower()
         self.format = query_params.get("format_", "json").lower()
         self.feed_type_sorting = None
-        self.exclude_reputation.append("mass scanner")
 
-    def include_mass_scanners(self):
-        self.exclude_reputation.remove("mass scanner")
+    def apply_default_filters(self, query_params):
+        if not query_params:
+            query_params = dict()
+        if "include_mass_scanners" not in query_params:
+            self.exclude_reputation.append("mass scanner")
+        if "include_tor_exit_nodes" not in query_params:
+            self.exclude_reputation.append("tor exit node")
 
     def set_prioritization(self, prioritize: str):
         match prioritize:
@@ -90,7 +94,7 @@ def set_prioritization(self, prioritize: str):
                     self.ordering = "-last_seen"
             case "persistent":
                 self.max_age = "14"
-                self.min_days_seen: "10"
+                self.min_days_seen = "10"
                 if "feed_type" in self.ordering:
                     self.feed_type_sorting = self.ordering
                     self.ordering = "-attack_count"
@@ -155,14 +159,11 @@ def get_queryset(request, feed_params, valid_feed_types):
         query_dict["number_of_days_seen__gte"] = int(feed_params.min_days_seen)
     if feed_params.include_reputation:
         query_dict["ip_reputation__in"] = feed_params.include_reputation
-        for reputation_type in feed_params.include_reputation:
-            if reputation_type in feed_params.exclude_reputation:
-                feed_params.exclude_reputation.remove(reputation_type)
 
     iocs = (
         IOC.objects.filter(**query_dict)
         .filter(Q(cowrie=True) | Q(log4j=True) | Q(general_honeypot__active=True))
-        .exclude(Q() if "nothing" in feed_params.exclude_reputation else Q(ip_reputation__in=feed_params.exclude_reputation))
+        .exclude(ip_reputation__in=feed_params.exclude_reputation)
         .annotate(value=F("name"))
         .annotate(honeypots=ArrayAgg("general_honeypot__name"))
         .order_by(feed_params.ordering)[: int(feed_params.feed_size)]

docker/.version

@@ -1 +1 @@
-REACT_APP_GREEDYBEAR_VERSION="1.6.8"
+REACT_APP_GREEDYBEAR_VERSION="2.0.0"

docker/default.yml

@@ -4,7 +4,7 @@ x-no-healthcheck: &no-healthcheck
 
 services:
   postgres:
-    image: library/postgres:13-alpine
+    image: library/postgres:18-alpine
     container_name: greedybear_postgres
     volumes:
       - postgres_data:/var/lib/postgresql/data/

frontend/src/layouts/widget/UserMenu.jsx

@@ -29,11 +29,9 @@ function UserMenu(props) {
         </DropdownItem>
         <DropdownItem divider />
         {/* Django Admin Interface */}
-        {isSuperuser && (
-          <DropdownNavLink to="/admin/" target="_blank">
-            <IoMdSettings className="me-2" /> Django Admin Interface
-          </DropdownNavLink>
-        )}
+        <DropdownNavLink to="/admin/" target="_blank">
+          <IoMdSettings className="me-2" /> Django Admin Interface
+        </DropdownNavLink>
         {/* API Access/Sessions */}
         <DropdownNavLink to="/me/sessions">
           <IoMdKey className="me-2" /> API Access / Sessions

requirements/project-requirements.txt

@@ -3,9 +3,9 @@ celery==5.5.3
 # if you change this, update the documentation
 elasticsearch-dsl==8.18.0
 
-Django==4.2.24
+Django==5.2.7
 djangorestframework==3.16.1
-django-rest-email-auth==4.0.3
+django-rest-email-auth==5.0.0
 django-ses==4.4.0
 
 psycopg2-binary==2.9.10

tests/__init__.py

@@ -59,6 +59,28 @@ def setUpTestData(cls):
             expected_interactions=11.1,
         )
 
+        cls.ioc_3 = IOC.objects.create(
+            name="100.100.100.100",
+            type=iocType.IP.value,
+            first_seen=cls.current_time,
+            last_seen=cls.current_time,
+            days_seen=[cls.current_time],
+            number_of_days_seen=1,
+            attack_count=1,
+            interaction_count=1,
+            log4j=False,
+            cowrie=True,
+            scanner=True,
+            payload_request=True,
+            related_urls=[],
+            ip_reputation="tor exit node",
+            asn="12345",
+            destination_ports=[22, 23, 24],
+            login_attempts=1,
+            recurrence_probability=0.1,
+            expected_interactions=11.1,
+        )
+
         cls.ioc.general_honeypot.add(cls.heralding)  # FEEDS
         cls.ioc.general_honeypot.add(cls.ciscoasa)  # FEEDS
         cls.ioc.save()

tests/test_scoring_utils.py

@@ -78,7 +78,7 @@ class TestFeatExtraction(CustomTestCase):
     def test_data_retrieval(self):
         """Test with sample IoCs"""
         data = get_current_data()
-        self.assertEqual(len(data), 2)
+        self.assertEqual(len(data), 3)
 
     def test_feature_extraction(self):
         """Test with sample IoCs"""
@@ -92,8 +92,9 @@ def test_feature_extraction(self):
             self.assertEqual(len(feature["days_seen"]), 1)
             self.assertEqual(str(feature["days_seen"][0]), today)
             self.assertEqual(feature["asn"], "12345")
-            self.assertEqual(set(feature["honeypots"]), set(["heralding", "ciscoasa", "log4j", "cowrie"]))
-            self.assertEqual(feature["honeypot_count"], 4)
+            self.assertTrue(len(feature["honeypots"]) > 0)
+            self.assertTrue(set(feature["honeypots"]).issubset({"heralding", "ciscoasa", "log4j", "cowrie"}))
+            self.assertEqual(feature["honeypot_count"], len(feature["honeypots"]))
             self.assertEqual(feature["destination_port_count"], 3)
             self.assertEqual(feature["days_seen_count"], 1)
             self.assertEqual(feature["active_timespan"], 1)