
Collect samples extracted from T-POTs [blocked by T-POT issue]

Open mlodic opened this issue 5 months ago • 0 comments

At this time this is not possible through Elastic. However, there's an issue open for that: https://github.com/telekom-security/tpotce/discussions/1653

At the time of writing, the T-POT collects the downloaded samples in dedicated folders of each of the honeypots that are able to do that.

Example (~/tpotce/data):

  • adbhoney: data/adbhoney/downloads
  • cowrie: data/cowrie/downloads
  • log4pot: data/log4pot/payloads
  • honeytrap: data/honeytrap/[downloads,attacks]

But this data is not indexed into Elastic. When this becomes available there, we could collect these samples in GreedyBear too, in a new dedicated section. To avoid being flagged as malicious, we shouldn't simply host them for the public; we should keep a separate, authenticated API.

Plus, we could send those samples to MalwareBazaar in the same way we do for payload requests for Threatfox.

mlodic Jul 18 '25 18:07
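As an added illustration of the collection step the issue proposes (example code, not GreedyBear's or T-Pot's own), the following walks the per-honeypot sample folders listed above, indexes every file by SHA-256 and merges duplicates dropped on several honeypots into one record, so an API could serve hash-keyed metadata instead of the raw files. The folder layout is taken from the issue; the record shape and the demo tree with fake samples are assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

# Sample folders relative to the T-Pot data dir, as listed in the issue
# (honeytrap keeps samples in two subfolders).
SAMPLE_DIRS = {
    "adbhoney": ["adbhoney/downloads"],
    "cowrie": ["cowrie/downloads"],
    "log4pot": ["log4pot/payloads"],
    "honeytrap": ["honeytrap/downloads", "honeytrap/attacks"],
}

def collect_samples(data_dir):
    """Index files under the honeypot sample folders by SHA-256.
    Returns {sha256: {"size": int, "honeypots": set, "paths": list}};
    the same bytes seen on several honeypots yield one record.
    (Record layout is a hypothetical GreedyBear-side choice.)"""
    index = {}
    base = Path(data_dir)
    for honeypot, rel_dirs in SAMPLE_DIRS.items():
        for rel in rel_dirs:
            folder = base / rel
            if not folder.is_dir():
                continue  # honeypot not deployed or nothing captured yet
            for path in sorted(p for p in folder.rglob("*") if p.is_file()):
                digest = hashlib.sha256(path.read_bytes()).hexdigest()
                rec = index.setdefault(
                    digest, {"size": path.stat().st_size, "honeypots": set(), "paths": []})
                rec["honeypots"].add(honeypot)
                rec["paths"].append(str(path.relative_to(base)))
    return index

def build_demo_tree():
    """Constructed T-Pot-like data dir with harmless fake samples."""
    root = Path(tempfile.mkdtemp(prefix="tpot-data-"))
    files = {
        "cowrie/downloads/a1b2": b"#!/bin/sh\necho constructed sample 1\n",
        "adbhoney/downloads/x.apk": b"#!/bin/sh\necho constructed sample 1\n",  # same bytes
        "honeytrap/attacks/dump.bin": b"\x7fELF constructed sample 2",
        "log4pot/payloads/Exploit.class": b"\xca\xfe\xba\xbe constructed sample 3",
    }
    for rel, data in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(data)
    return root

if __name__ == "__main__":
    for sha, rec in collect_samples(build_demo_tree()).items():
        print(sha[:16], rec["size"], sorted(rec["honeypots"]), rec["paths"])
```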