Releases: pygrum/siphon
v2.0.0
New Features
Agents
Agents are applications deployed to honeypots to monitor chosen folders for file activity. Communication with each agent uses mutual TLS, and agents keep most of their data in protected OS folders, which makes them harder for attackers or automated scripts to detect.
Agents share the same interface as regular integrations: users can query samples found by the agent, as well as download them over a secure connection.
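The mutual TLS arrangement described above, as an added example that is not Siphon's own code: a collector (server) that requires every connecting agent to present a certificate issued by the collector's private CA, and an agent (client) that trusts only that CA. The CA name, the agent name "agent-01" and the /samples path are assumptions made for the demo; how Siphon actually enrols its agents is not described on this page. The example is Go, standard library only, and issues all certificates in memory so it runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// Added illustration, not Siphon's code. "siphon-ca", "agent-01" and the
// /samples path are invented for the demo; the TLS settings are the real ones.

// issueCert returns a short-lived P-256 certificate with its key and parsed Leaf;
// a CA is self-signed, anything else is signed by parent. A failure here means
// the system RNG is unusable, so the demo simply panics.
func issueCert(cn string, isCA bool, parent *tls.Certificate) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		IPAddresses:  []net.IP{net.IPv4(127, 0, 0, 1)}, // httptest binds loopback
	}
	signerCert, signerKey := tmpl, any(key) // self-signed unless a parent signs
	if isCA {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
	} else {
		signerCert, signerKey = parent.Leaf, parent.PrivateKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der) // bytes we just produced; cannot fail
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// startCollector serves /samples over TLS and refuses, at the handshake, any peer
// whose certificate does not chain to ca (RequireAnyClientCert would accept a self-issued one).
func startCollector(ca, serverCert tls.Certificate) *httptest.Server {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// The handshake already verified the agent's certificate, so its CommonName is a trustworthy identity.
		fmt.Fprintf(w, "samples for %s", r.TLS.PeerCertificates[0].Subject.CommonName)
	}))
	srv.TLS = &tls.Config{
		Certificates: []tls.Certificate{serverCert},
		ClientAuth:   tls.RequireAndVerifyClientCert, // the "mutual" in mutual TLS
		ClientCAs:    x509.NewCertPool(),
	}
	srv.TLS.ClientCAs.AddCert(ca.Leaf)
	srv.StartTLS()
	return srv
}

// querySamples is the agent side: it trusts only the collector's CA and, when
// agentCert is non-nil, presents that certificate during the handshake.
func querySamples(url string, ca tls.Certificate, agentCert *tls.Certificate) (string, error) {
	cfg := &tls.Config{RootCAs: x509.NewCertPool()}
	cfg.RootCAs.AddCert(ca.Leaf)
	if agentCert != nil {
		cfg.Certificates = []tls.Certificate{*agentCert}
	}
	resp, err := (&http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}).Get(url + "/samples")
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// MutualTLSDemo issues a CA, a collector certificate and one agent certificate,
// then serves the enrolled agent and refuses a client that presents no certificate.
func MutualTLSDemo() (enrolled string, anonymous error, err error) {
	ca := issueCert("siphon-ca", true, nil)
	srv := startCollector(ca, issueCert("collector", false, &ca))
	defer srv.Close()
	agent := issueCert("agent-01", false, &ca)
	if enrolled, err = querySamples(srv.URL, ca, &agent); err != nil {
		return "", nil, err
	}
	_, anonymous = querySamples(srv.URL, ca, nil)
	return enrolled, anonymous, nil
}

func main() {
	enrolled, anonymous, err := MutualTLSDemo()
	fmt.Println(enrolled, "| anonymous client:", anonymous, "| setup error:", err)
}
```

The setting that matters is `tls.RequireAndVerifyClientCert` together with `ClientCAs`: the certificate-less client is refused by the TLS layer before any handler runs, and the handler can attribute each query to the agent named in the verified certificate rather than to whatever the request body claims.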
Changes
- Removed the unnecessary Dockerfile
- Replaced the Docker build steps in the Makefile with build steps for the Siphon binary and for the agent generator
v1.0.0
Siphon
Siphon is a cross-platform malware feed designed to enrich the threat intelligence process. It pulls the latest identified strains from verified CTI sources into one portal.
I personally use it to keep up to date with the latest threats, and get a head-start on analysing malicious samples!
A database of basic sample information is built up incrementally: whenever a query to a threat intelligence API returns a sample that has not yet been indexed, it is added. You can view the most recent samples, sorted by time, and download them from their source.
Installation
You can either download Siphon from the releases page, or run the application in a Docker container.
Using Docker
Dependencies
- Docker
- Make
Steps
- Clone the repository: `git clone https://github.com/pygrum/siphon`
- Enter the cloned repository and run `make build run`
Supported Integrations
| Name | Setup instructions |
|---|---|
| MalwareBazaar | The MalwareBazaar integration fetches the latest samples seen in the wild. Create an account at https://bazaar.abuse.ch/ and retrieve your API key from your account settings. |
For each integration, add an entry to your configuration file with the `sources new` command, for example:

`sources new --name MalwareBazaar --api-key <your-api-key> --endpoint https://mb-api.abuse.ch/api/v1/`

The resulting configuration file looks like this:
```yaml
refreshrate: 1
sources:
  - name: MalwareBazaar
    apikey: <your-api-key>
    endpoint: https://mb-api.abuse.ch/api/v1/
```