This release includes many major and minor changes over the previous release. Here are some of the major changes:
New features
Threat Feed:
- Record the date each IP is added to the threat feed.
- Add the ability to serve the threat feed in JSON format.
  - Use http://localhost:9000/json for all threat feed details.
  - Use http://localhost:9000/json/ips for just the IP addresses.
- Add the ability to serve the threat feed in CSV format.
  - Use http://localhost:9000/csv for all threat feed details.
  - Use http://localhost:9000/csv/ips for just the IP addresses.
- Add the ability to serve the threat feed in STIX 2.1 format.
  - Use http://localhost:9000/stix2 to retrieve as STIX indicators.
  - Use http://localhost:9000/stix2/ips to retrieve as STIX observables.
- Add the ability to serve the threat feed as a TAXII 2.1 server.
  - The TAXII discovery URL is http://localhost:9000/taxii2/.
  - The TAXII API root URL is http://localhost:9000/taxii2/api/. This is the URL TAXII clients will likely want.
  - There are 2 collections: deceptifeed-indicators and deceptifeed-observables.
  - To test without a TAXII client, use curl http://localhost:9000/taxii2/api/collections/deceptifeed-indicators/objects/
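
Added example, not part of the release notes or the project's own code: turning the response of the deceptifeed-indicators objects endpoint into a validated blocklist. The envelope layout follows the TAXII 2.1 and STIX 2.1 specifications; the exact fields the server emits, the sample data, and the names `blocklist_from_envelope` and `_indicator` are assumptions.

```python
import ipaddress
import json
import re

# Constructed sample: a TAXII 2.1 envelope holding STIX 2.1 objects. The exact
# fields the server emits are an assumption; only spec-defined keys are used.
def _indicator(n, pattern):
    return {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
            "id": f"indicator--00000000-0000-4000-8000-{n:012d}",
            "valid_from": "2025-01-01T00:00:00Z", "pattern": pattern}

SAMPLE_ENVELOPE = json.dumps({"objects": [
    _indicator(1, "[ipv4-addr:value = '203.0.113.7']"),
    _indicator(2, "[ipv6-addr:value = '2001:db8::1']"),
    _indicator(3, "[ipv4-addr:value = '203.0.113.7']"),   # duplicate entry
    _indicator(4, "[ipv4-addr:value = '999.1.1.1']"),     # not a valid address
    _indicator(5, "[ipv4-addr:value = '127.0.0.1']"),     # must never be blocked
    {"type": "identity", "spec_version": "2.1", "name": "constructed",
     "id": "identity--00000000-0000-4000-8000-000000000099"},
]})

# Matches only a single equality comparison on an IP address object.
IP_PATTERN = re.compile(r"\[ipv[46]-addr:value\s*=\s*'([^']+)'\]")

def blocklist_from_envelope(raw):
    """Return (sorted unique IPs to block, values rejected by validation)."""
    accepted, rejected = set(), []
    for obj in json.loads(raw).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue  # skip non-indicator objects such as identities
        match = IP_PATTERN.fullmatch(obj.get("pattern", "").strip())
        if not match:
            rejected.append(obj.get("pattern"))
            continue
        try:
            ip = ipaddress.ip_address(match.group(1))
        except ValueError:
            rejected.append(match.group(1))
            continue
        # Feed entries are untrusted input: refuse addresses that would cut
        # off the consuming host itself if pushed into a firewall rule.
        if ip.is_loopback or ip.is_unspecified or ip.is_link_local or ip.is_multicast:
            rejected.append(str(ip))
            continue
        accepted.add(ip)
    ordered = sorted(accepted, key=lambda ip: (ip.version, int(ip)))
    return [str(ip) for ip in ordered], rejected

if __name__ == "__main__":
    print(blocklist_from_envelope(SAMPLE_ENVELOPE))
```
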
HTTP/HTTPS honeypot server:
- Add the ability to define rules to control when HTTP requests are sent to the threat feed. This is defined using the <rules> element in the configuration.
- Add the ability to specify an HTTP header to use as the source IP when updating the threat feed. This is defined using the <sourceIpHeader> element in the configuration.
- Normalize header names to lowercase when logging.
- Add <headers> element to the configuration for setting custom HTTP response headers.
- Add the ability to serve a custom error page using the <errorPagePath> element.
- Rename <htmlPath> to <homePagePath> in the configuration.
Other:
- Change the default SSH honeypot port from 2022 to 2222.
- Change the default threat feed server port from 8081 to 9000.
Full Changelog: v0.9.0...v0.16.0