Merge pull request GreedyBear-Project#1025 from intelowlproject/develop

3.3.0

Author: regulartim

.dockerignore

@@ -3,6 +3,7 @@
 .vscode
 .lgtm.yml
 __pycache__
+.venv/
 venv/
 **/build
 .env
@@ -15,4 +16,6 @@ frontend/dist
 frontend/build
 docker-compose*
 .pre-commit-config.yaml
-.ipython/
+.ipython/
+.github/
+tests/

.github/dependabot.yml

@@ -1,8 +1,8 @@
 version: 2
 
 updates:
-  - package-ecosystem: "pip"
-    directory: "/requirements"
+  - package-ecosystem: "uv"
+    directory: "/"
     schedule:
       interval: "weekly"
       day: "tuesday"

.github/release_template.md

@@ -1,6 +1,6 @@
 # Checklist for creating a new release
 
-- [ ] Change version number in `docker/.version` and in `.env_template`
+- [ ] Change version number in `pyproject.toml`
 - [ ] Verify CI Tests
 - [ ] Verify that the PR is named with a correct version number like x.x.x
 - [ ] Merge the PR to the `main` branch. The release will be done automatically by the CI

.github/workflows/_python.yml

@@ -17,9 +17,9 @@ on:
         type: string
         required: true
       requirements_path:
-        description: Path to the requirements.txt file
+        description: Path to the requirements.txt file (deprecated, unused with uv)
         type: string
-        required: true
+        required: false
       project_dev_requirements_file:
         description: Path to an additional project dev requirements file
         type: string
@@ -264,7 +264,7 @@ jobs:
         id: setup_python
         uses: actions/setup-python@v5
         with:
-          python-version: ${{ matrix.python_version }}
+          python-version-file: "pyproject.toml"
 
       - name: Inject stuff to environment
         run: |
@@ -312,128 +312,19 @@ jobs:
         with:
           apt_requirements_file_path: ${{ inputs.packages_path }}
 
-      - name: Create linter requirements file
-        uses: ./.github/actions/python_requirements/create_linter_requirements_file
-        with:
-          install_from: ${{ inputs.install_from }}
-          django_settings_module: ${{ inputs.django_settings_module }}
-          use_autoflake: ${{ inputs.use_autoflake }}
-          use_bandit: ${{ inputs.use_bandit }}
-          use_black: ${{ inputs.use_black }}
-          use_flake8: ${{ inputs.use_flake8 }}
-          use_isort: ${{ inputs.use_isort }}
-          use_pylint: ${{ inputs.use_pylint }}
-          use_ruff_formatter: ${{ inputs.use_ruff_formatter }}
-          use_ruff_linter: ${{ inputs.use_ruff_linter }}
-
-      - name: Create dev requirements file
-        uses: ./.github/actions/python_requirements/create_dev_requirements_file
-        with:
-          install_from: ${{ inputs.install_from }}
-          project_dev_requirements_file: ${{ inputs.project_dev_requirements_file }}
-
-      - name: Create docs requirements file
-        uses: ./.github/actions/python_requirements/create_docs_requirements_file
+      - name: Install uv
+        uses: astral-sh/setup-uv@v7
         with:
-          install_from: ${{ inputs.install_from }}
-          check_docs_directory: ${{ inputs.check_docs_directory }}
-          django_settings_module: ${{ inputs.django_settings_module }}
+          enable-cache: true
+          version: "0.11.1"
 
-      - name: Restore Python virtual environment related to PR event
-        id: restore_python_virtual_environment_pr
-        uses: ./.github/actions/python_requirements/restore_virtualenv/
-        with:
-          requirements_paths: "${{ inputs.requirements_path }} requirements-linters.txt requirements-dev.txt requirements-docs.txt"
-          python_version: ${{ steps.setup_python.outputs.python-version }}
-
-      - name: Restore Python virtual environment related to target branch
-        id: restore_python_virtual_environment_target_branch
-        if: steps.restore_python_virtual_environment_pr.outputs.cache-hit != 'true'
-        uses: ./.github/actions/python_requirements/restore_virtualenv/
-        with:
-          requirements_paths: ${{ inputs.requirements_path }}
-          git_reference: ${{ github.base_ref }}
-          python_version: ${{ steps.setup_python.outputs.python-version }}
-
-      - name: Create Python virtual environment
-        if: >
-         steps.restore_python_virtual_environment_pr.outputs.cache-hit != 'true' && 
-         steps.restore_python_virtual_environment_target_branch.outputs.cache-hit != 'true'
-        uses: ./.github/actions/python_requirements/create_virtualenv
-
-      - name: Restore pip cache related to PR event
-        id: restore_pip_cache_pr
-        if: > 
-          steps.restore_python_virtual_environment_pr.outputs.cache-hit != 'true' && 
-          steps.restore_python_virtual_environment_target_branch.outputs.cache-hit != 'true'
-        uses: ./.github/actions/python_requirements/restore_pip_cache
-
-      - name: Restore pip cache related to target branch
-        id: restore_pip_cache_target_branch
-        if: >
-          steps.restore_python_virtual_environment_pr.outputs.cache-hit != 'true' &&
-          steps.restore_python_virtual_environment_target_branch.outputs.cache-hit != 'true' &&
-          steps.restore_pip_cache_pr.outputs.cache-hit != 'true'
-        uses: ./.github/actions/python_requirements/restore_pip_cache
-        with:
-          git_reference: ${{ github.base_ref }}
-      
-      - name: Install project requirements
-        if: >
-          steps.restore_python_virtual_environment_pr.outputs.cache-hit != 'true' &&
-          steps.restore_python_virtual_environment_target_branch.outputs.cache-hit != 'true'
-        run: pip install -r ${{ inputs.requirements_path }}
-        shell: bash
-        working-directory: ${{ inputs.install_from }}
-
-      - name: Install other requirements
-        if: >
-          steps.restore_python_virtual_environment_pr.outputs.cache-hit != 'true'
+      - name: Install dependencies
         run: |
-          pip install -r requirements-dev.txt
-          pip install -r requirements-linters.txt
-          pip install -r requirements-docs.txt
+          uv sync --frozen --all-groups
+          echo "${{ github.workspace }}/${{ inputs.install_from }}/.venv/bin" >> $GITHUB_PATH
         shell: bash
         working-directory: ${{ inputs.install_from }}
 
-      - name: Check requirements licenses
-        if: >
-            inputs.check_requirements_licenses && 
-            steps.restore_python_virtual_environment_pr.outputs.cache-hit != 'true'
-        id: license_check_report
-        continue-on-error: true
-        uses: pilosus/action-pip-license-checker@v2
-        with:
-          requirements: ${{ inputs.install_from }}/${{ inputs.requirements_path }}
-          exclude: ${{ inputs.ignore_requirements_licenses_regex }}
-          headers: true
-          fail: 'StrongCopyleft,NetworkCopyleft,Error'
-          fails-only: true
-
-      - name: Print wrong licenses
-        if: steps.license_check_report.outcome == 'failure'
-        run: |
-          echo "License check failed"
-          echo "===================="
-          echo "${{ steps.license_check_report.outputs.report }}"
-          echo "===================="
-          exit 1
-        shell: bash
-
-      - name: Save Python virtual environment related to PR event
-        if: >
-          steps.restore_python_virtual_environment_pr.outputs.cache-hit != 'true'
-        uses: ./.github/actions/python_requirements/save_virtualenv
-        with:
-          requirements_paths: "${{ inputs.requirements_path }} requirements-linters.txt requirements-dev.txt requirements-docs.txt"
-          python_version: ${{ steps.setup_python.outputs.python-version }}
-
-      - name: Save pip cache related to PR event
-        if: >
-          steps.restore_python_virtual_environment_pr.outputs.cache-hit != 'true' &&
-          steps.restore_pip_cache_pr.outputs.cache-hit != 'true'
-        uses: ./.github/actions/python_requirements/save_pip_cache
-
       - name: Run linters
         uses: ./.github/actions/python_linter
         if: > 

.github/workflows/dependency_review.yml

@@ -13,4 +13,4 @@ jobs:
       - name: 'Checkout Repository'
         uses: actions/checkout@v3
       - name: 'Dependency Review'
-        uses: actions/dependency-review-action@v3
+        uses: actions/dependency-review-action@v4

.github/workflows/pull_request_automation.yml

@@ -62,8 +62,6 @@ jobs:
       use_ruff_formatter: true
       use_ruff_linter: true
 
-      requirements_path: requirements/project-requirements.txt
-      project_dev_requirements_file: requirements/dev-requirements.txt
       packages_path: packages.txt
       django_settings_module: greedybear.settings
 

api/serializers.py

@@ -5,8 +5,9 @@
 from django.core.exceptions import FieldDoesNotExist
 from rest_framework import serializers
 
-from greedybear.consts import REGEX_DOMAIN, REGEX_IP
-from greedybear.models import IOC, GeneralHoneypot
+from greedybear.consts import REGEX_DOMAIN
+from greedybear.models import IOC, GeneralHoneypot, Sensor, Tag
+from greedybear.utils import is_ip_address
 
 logger = logging.getLogger(__name__)
 
@@ -19,8 +20,22 @@ def to_representation(self, value):
         return value.name
 
 
+class TagSerializer(serializers.ModelSerializer):
+    class Meta:
+        model = Tag
+        fields = ["key", "value", "source"]
+
+
+class SensorSerializer(serializers.ModelSerializer):
+    class Meta:
+        model = Sensor
+        fields = ["address", "label"]
+
+
 class IOCSerializer(serializers.ModelSerializer):
     general_honeypot = GeneralHoneypotSerializer(many=True, read_only=True)
+    tags = TagSerializer(many=True, read_only=True)
+    sensors = SensorSerializer(many=True, read_only=True)
 
     class Meta:
         model = IOC
@@ -36,22 +51,38 @@ class EnrichmentSerializer(serializers.Serializer):
 
     def validate(self, data):
         """
-        Check a given observable against regex expression
+        Validate that the query is a valid IP address (IPv4/IPv6) or domain.
         """
-        observable = data["query"]
-        if re.match(r"^[\d\.]+$", observable) and not re.match(REGEX_IP, observable):
-            raise serializers.ValidationError("Observable is not a valid IP")
-        if not re.match(REGEX_IP, observable) and not re.match(REGEX_DOMAIN, observable):
-            raise serializers.ValidationError("Observable is not a valid IP or domain")
+        observable = data["query"].strip()
+        data["query"] = observable
+
+        # A valid domain must match the domain regex AND contain at least one alphabetic character
+        is_domain = bool(re.match(REGEX_DOMAIN, observable)) and any(c.isalpha() for c in observable)
+
+        if not is_ip_address(observable) and not is_domain:
+            raise serializers.ValidationError("Observable is not a valid IP address or domain")
+
         try:
-            required_object = IOC.objects.get(name=observable)
+            required_object = IOC.objects.prefetch_related("tags", "sensors").get(name=observable)
             data["found"] = True
             data["ioc"] = required_object
         except IOC.DoesNotExist:
             data["found"] = False
         return data
 
 
+def parse_feed_types(feed_type_str: str) -> list:
+    """Split a comma-separated feed type string into a stripped list of individual feed types.
+
+    Args:
+        feed_type_str (str): Comma-separated feed type string (e.g. "cowrie,adbhoney").
+
+    Returns:
+        list[str]: List of non-empty, stripped feed type tokens.
+    """
+    return [ft.strip() for ft in feed_type_str.split(",") if ft.strip()]
+
+
 def feed_type_validation(feed_type: str, valid_feed_types: frozenset) -> str:
     """Validates that a given feed type exists in the set of valid feed types.
 
@@ -96,7 +127,7 @@ def ordering_validation(ordering: str) -> str:
 
 
 class FeedsRequestSerializer(serializers.Serializer):
-    feed_type = serializers.CharField(max_length=120)
+    feed_type = serializers.CharField()
     attack_type = serializers.ChoiceField(choices=["scanner", "payload_request", "all"])
     ioc_type = serializers.ChoiceField(choices=["ip", "domain", "all"])
     max_age = serializers.IntegerField(min_value=1)
@@ -107,11 +138,28 @@ class FeedsRequestSerializer(serializers.Serializer):
     ordering = serializers.CharField(max_length=120)
     verbose = serializers.ChoiceField(choices=["true", "false"])
     paginate = serializers.ChoiceField(choices=["true", "false"])
-    format = serializers.ChoiceField(choices=["csv", "json", "txt"])
+    format = serializers.ChoiceField(choices=["csv", "json", "txt", "stix21"])
+    asn = serializers.IntegerField(min_value=1, required=False, allow_null=True)
+    min_score = serializers.FloatField(min_value=0, max_value=1, required=False, allow_null=True)
+    port = serializers.IntegerField(min_value=1, max_value=65535, required=False, allow_null=True)
+    start_date = serializers.DateField(format="%Y-%m-%d", required=False, allow_null=True)
+    end_date = serializers.DateField(format="%Y-%m-%d", required=False, allow_null=True)
+    tag_key = serializers.CharField(max_length=128, required=False, allow_blank=True)
+    tag_value = serializers.CharField(max_length=256, required=False, allow_blank=True)
 
     def validate_feed_type(self, feed_type):
         logger.debug(f"FeedsRequestSerializer - validation feed_type: '{feed_type}'")
-        return feed_type_validation(feed_type, self.context["valid_feed_types"])
+        feed_types = parse_feed_types(feed_type)
+        if not feed_types:
+            raise serializers.ValidationError("Invalid feed_type: must not be empty")
+        valid_feed_types = self.context["valid_feed_types"]
+        if len(feed_types) > len(valid_feed_types):
+            raise serializers.ValidationError(f"Invalid feed_type: too many types specified (max {len(valid_feed_types)})")
+        if "all" in feed_types and len(feed_types) > 1:
+            raise serializers.ValidationError("Invalid feed_type: 'all' cannot be combined with other feed types")
+        for ft in feed_types:
+            feed_type_validation(ft, valid_feed_types)
+        return feed_type
 
     def validate_ordering(self, ordering):
         logger.debug(f"FeedsRequestSerializer - validation ordering: '{ordering}'")
@@ -122,6 +170,7 @@ class ASNFeedsOrderingSerializer(FeedsRequestSerializer):
     ALLOWED_ORDERING_FIELDS = frozenset(
         {
             "asn",
+            "as_name",
             "ioc_count",
             "total_attack_count",
             "total_interaction_count",
@@ -183,6 +232,8 @@ class FeedsResponseSerializer(serializers.Serializer):
     login_attempts = serializers.IntegerField(min_value=0)
     recurrence_probability = serializers.FloatField(min_value=0, max_value=1)
     expected_interactions = serializers.FloatField(min_value=0)
+    attacker_country = serializers.CharField(allow_null=True, allow_blank=True, max_length=120)
+    tags = TagSerializer(many=True, required=False, default=list)
 
     def validate_feed_type(self, feed_type):
         logger.debug(f"FeedsResponseSerializer - validation feed_type: '{feed_type}'")

api/throttles.py

@@ -0,0 +1,47 @@
+# This file is a part of GreedyBear https://github.com/honeynet/GreedyBear
+# See the file 'LICENSE' for copying permission.
+from rest_framework.throttling import SimpleRateThrottle
+
+
+class FeedsThrottle(SimpleRateThrottle):
+    """Rate-limit for public (unauthenticated) feeds endpoints."""
+
+    scope = "feeds"
+
+    def get_cache_key(self, request, view):
+        return self.cache_format % {
+            "scope": self.scope,
+            "ident": self.get_ident(request),
+        }
+
+
+class FeedsAdvancedThrottle(SimpleRateThrottle):
+    """Rate-limit for authenticated feeds endpoints (advanced, asn)."""
+
+    scope = "feeds_advanced"
+
+    def get_cache_key(self, request, view):
+        if request.user and request.user.is_authenticated:
+            ident = request.user.pk
+        else:
+            ident = self.get_ident(request)
+
+        return self.cache_format % {
+            "scope": self.scope,
+            "ident": ident,
+        }
+
+
+class SharedFeedRateThrottle(SimpleRateThrottle):
+    """
+    Rate throttle for the public shared feed consume endpoint.
+
+    Limits unauthenticated access to prevent abuse.
+    Rate is configurable via the ``FEEDS_SHARED_THROTTLE_RATE`` environment variable
+    (key: ``feeds_shared`` in DEFAULT_THROTTLE_RATES). Default: 10/minute.
+    """
+
+    scope = "feeds_shared"
+
+    def get_cache_key(self, request, view):
+        return self.cache_format % {"scope": self.scope, "ident": self.get_ident(request)}