Home | GreedyBear Blog
Today we had a meeting with our three Google Summer of Code participants, who will implement their projects in the next couple of months. They are already quite familiar with the project and the maintainers, as they have been contributing since December last year. It was a pleasure to meet in person after only knowing them from PR reviews and issue discussions. We look forward to working with them on the projects, which will add exciting new functionality to GreedyBear:
- A pipeline to extract payload files from T-Pot instances.
- A new API for injecting events into GreedyBear.
- A major overhaul of the Dashboard, making it extensible and modular.
Over the last few months, new contributors have helped us implement a lot of new functionality in GreedyBear. Because of the large number of new features and the changed structure of the Feeds API responses, we will release a new major version next week.
Breaking changes
- Feeds API responses no longer contain the fields “honeypots”, “cowrie” and “log4j”.
- Log4Pot-specific data handling has been removed, because that honeypot is no longer relevant enough.
- Legacy extraction with an 11-minute time window has been removed. The LEGACY_EXTRACTION switch in the env_file is now ignored.
Almost four years have passed since GreedyBear launched in 2021. Much has changed since then, and some of the underlying technologies need an update. That is why we are releasing a new major version of GreedyBear that ships with current versions of Django (5.2) and PostgreSQL (18). These changes will keep the project greedy and up to date for years to come, but they require some manual intervention. You can find a detailed upgrade guide here.
Over the past few months I wrote my Master’s thesis on improving the threat intelligence generated from honeypot data. For this purpose I made some changes to the GreedyBear project of Matteo Lodi, who greatly supported my coding work.
GreedyBear is a tool created mainly to help extract Indicators of Compromise from one or more available T-Pot instances. For those who do not know it, T-Pot is the most popular all-in-one honeypot in the community.
While T-Pot makes installation and data collection fast, easy and reliable, it struggles to organize that data so that it can be easily collected and disseminated. This is where GreedyBear comes in: it becomes the Threat Intelligence Platform for T-Pot.