Over the last months some new contributors helped us to implement a lot of new stuff in GreedyBear. Because of the huge number of new features and a different structure of the Feeds API responses, we are releasing a new major version in the next week.

Breaking changes

• Feeds API responses do not contain the fields “honeypots”, “cowrie” and “log4j” anymore.
• Log4Pot-specific data handling was removed, because the honeypot is not that relevant anymore.
• The possibility to use legacy extraction with an 11 minute time window has been removed. The LEGACY_EXTRACTION switch in the env_file will be ignored.

Almost four years have passed since the GreedyBear launch in 2021. Much has changed since then, and some of the underlying technologies require an update. That’s why we are releasing a new major version of GreedyBear which comes with the most current versions of Django (5.2) and PostgreSQL (18). These changes will ensure our project remains greedy and up-to-date for years to come but require some manual intervention. You can find a detailed upgrade guide here.

Over the past few months I wrote my Master’s thesis about improving threat intelligence generated from honeypot data. For this purpose I made some changes to the GreedyBear project from Matteo Lodi, who greatly supported my coding work.

GreedyBear is a tool that was created mainly to help to extract Indicators of Compromise from one or more available TPOTs. For those who do not know this tool, we are talking about the most popular all-in-one honeypot available in the community. While the T-POT is great in allowing a fast, easy and reliable installation and collection of data, it struggles in organizing that data in a way that they can be easily collected and disseminated. This is where GreedyBear comes in and becomes the Threat Intelligence Platform for the TPOT.