Naagaram/threat-intel

Threat-Intel

Threat-Intel is a free OSINT threat intelligence aggregator that analyzes URLs, domains, IP addresses, hashes, and uploaded files by correlating open threat feeds.

Features

  • FastAPI backend with modular architecture
  • SQLite threat intelligence datastore
  • Daily feed ingestion service (no API keys)
  • Risk scoring and verdict engine
  • Passive enrichment for domains and IPs
  • React frontend dashboard
  • Dockerized backend/frontend/updater stack

Project Structure

backend/
  app/
    api/
    services/
    collectors/
    parsers/
    scoring/
    database/
    utils/
    config/
frontend/

Supported Indicator Types

  • URL
  • Domain
  • IP address
  • File hash (MD5/SHA1/SHA256)
  • File upload (SHA256 auto-generated)
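The indicator types above have to be told apart before any feed lookup can happen, and the order of the checks matters (a 64-character hex string must be treated as a hash, not a domain; anything with a scheme is a URL before its host is inspected). The following is an added example of such a classifier, not the project's own code; the function names `classify_indicator` and `hash_upload`, the returned dictionary shape and the type labels are assumptions, while the type set and the "SHA256 auto-generated for uploads" behaviour come from the README.

```python
"""Classify a submitted indicator into one of the README's indicator types.

Added example, not the project's own code. Function names, return shape and
labels are assumptions; the type set (url, domain, ip, hash) mirrors the README.
"""
import hashlib
import ipaddress
import re
from urllib.parse import urlparse

# Hash length -> algorithm, as listed in the README (MD5/SHA1/SHA256).
_HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
_HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
# Hostname per RFC 1123 label rules, with a 2..63 letter TLD.
_DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I
)


def classify_indicator(value: str) -> dict:
    """Return {"type": ..., "value": ...} with the value normalized for feed lookup."""
    raw = value.strip()
    if not raw:
        raise ValueError("empty indicator")

    # 1. Hash: fixed-length hex. Lower-cased so lookups are case-insensitive.
    if len(raw) in _HASH_LENGTHS and _HEX_RE.match(raw):
        return {"type": "hash", "algo": _HASH_LENGTHS[len(raw)], "value": raw.lower()}

    # 2. URL: needs a scheme and a host. Only scheme/host are lower-cased; the
    #    path may be case-sensitive on the target server, so it is left alone.
    if "://" in raw:
        parts = urlparse(raw)
        if parts.scheme in ("http", "https") and parts.hostname:
            normalized = parts._replace(
                scheme=parts.scheme.lower(), netloc=parts.netloc.lower()
            ).geturl()
            return {"type": "url", "host": parts.hostname.lower(), "value": normalized}
        raise ValueError(f"unsupported URL: {raw}")

    # 3. IP address (v4 or v6). ipaddress rejects malformed values like 999.1.1.1.
    try:
        ip = ipaddress.ip_address(raw)
        return {"type": "ip", "version": ip.version, "value": str(ip)}
    except ValueError:
        pass

    # 4. Domain: drop a trailing FQDN dot, lower-case, and punycode IDNs so
    #    they match the ASCII form used by most feeds.
    candidate = raw.rstrip(".").lower()
    try:
        candidate = candidate.encode("idna").decode("ascii")
    except UnicodeError:
        raise ValueError(f"invalid domain: {raw}")
    if _DOMAIN_RE.match(candidate):
        return {"type": "domain", "value": candidate}

    raise ValueError(f"unrecognized indicator: {raw}")


def hash_upload(data: bytes) -> dict:
    """Turn an uploaded file into a hash indicator (SHA-256, as the README states)."""
    return {"type": "hash", "algo": "sha256", "value": hashlib.sha256(data).hexdigest()}


if __name__ == "__main__":
    # Constructed sample inputs, one per indicator type.
    for sample in ["example.com", "8.8.8.8", "HTTP://Example.COM/Login",
                   "d41d8cd98f00b204e9800998ecf8427e", "bücher.de."]:
        print(sample, "->", classify_indicator(sample))
    print(hash_upload(b"constructed file contents"))
```

Rejecting unrecognised input with `ValueError` rather than guessing a type keeps the `/analyze` handler from running a bare word such as `localhost` through the domain feeds and returning a misleading "Safe".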

Threat Feeds Included

  • URLHaus
  • OpenPhish
  • ThreatFox
  • MalwareBazaar
  • Maltrail malware domains
  • FireHOL IP lists
  • Spamhaus DROP
  • blocklist.de
  • EmergingThreats compromised IPs
  • Newly registered domains feed
  • Tor exit node list

Feed configuration is stored in backend/app/config/feeds.json.

API Endpoints

  • POST /analyze
  • POST /upload
  • GET /health

Example request:

{
  "indicator": "example.com",
  "type": "domain"
}

Risk Scoring

Signals used:

  • Found in malware feed: +50
  • Found in phishing feed: +40
  • Found in IP blacklist: +35
  • Domain age < 30 days: +20
  • Suspicious TLD (.xyz, .top, .ru): +10
  • Tor exit node: +15

Verdict thresholds:

  • 0-29: Safe
  • 30-59: Suspicious
  • 60+: Malicious
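The two lists above describe an additive scoring engine: each signal that fires contributes its weight, the sum is bucketed by the verdict thresholds, and a domain whose registration date could not be fetched (the README notes enrichment can be partially empty) simply does not earn the age signal. Below is an added example of that logic, not the project's `scoring/` module; the weights, suspicious TLD set and thresholds are taken from the README, while the signal names, the `Enrichment` dataclass, the mapping from feed names to signal categories and the function names are assumptions.

```python
"""Risk scoring and verdict logic mirroring the README's table.

Added example, not the project's own scoring module. Weights, thresholds and
the suspicious-TLD set come from the README; signal names, the Enrichment
shape, the feed-to-category mapping and function names are assumptions.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Set

# Weights exactly as listed in the README.
SIGNAL_WEIGHTS = {
    "malware_feed": 50,
    "phishing_feed": 40,
    "ip_blacklist": 35,
    "domain_age_lt_30d": 20,
    "suspicious_tld": 10,
    "tor_exit_node": 15,
}
SUSPICIOUS_TLDS = {"xyz", "top", "ru"}
NEW_DOMAIN_DAYS = 30

# Assumed mapping from the README's feed list to signal categories.
FEED_CATEGORY = {
    "urlhaus": "malware_feed", "threatfox": "malware_feed",
    "malwarebazaar": "malware_feed", "maltrail": "malware_feed",
    "openphish": "phishing_feed",
    "firehol": "ip_blacklist", "spamhaus_drop": "ip_blacklist",
    "blocklist_de": "ip_blacklist", "emergingthreats": "ip_blacklist",
}


@dataclass
class Enrichment:
    """Assumed shape of what collection/enrichment hands to scoring."""
    feed_hits: Set[str] = field(default_factory=set)  # feed names that matched
    registered_on: Optional[date] = None               # None if WHOIS/RDAP was unavailable
    is_tor_exit: bool = False


def collect_signals(indicator: str, itype: str, enr: Enrichment, today: date) -> List[str]:
    """Return the sorted list of signal names that fire for this indicator."""
    signals = set()
    for feed in enr.feed_hits:
        cat = FEED_CATEGORY.get(feed)
        if cat:
            signals.add(cat)  # a category counts once, however many of its feeds matched
    if itype == "domain":
        # Missing registration data is treated as "unknown", not as "new".
        if enr.registered_on is not None and (today - enr.registered_on).days < NEW_DOMAIN_DAYS:
            signals.add("domain_age_lt_30d")
        if indicator.rsplit(".", 1)[-1].lower() in SUSPICIOUS_TLDS:
            signals.add("suspicious_tld")
    if itype == "ip" and enr.is_tor_exit:
        signals.add("tor_exit_node")
    return sorted(signals)


def score(signals: List[str]) -> int:
    """Additive score: the sum of the weights of every signal that fired."""
    return sum(SIGNAL_WEIGHTS[s] for s in signals)


def verdict(total: int) -> str:
    """README thresholds: 0-29 Safe, 30-59 Suspicious, 60+ Malicious."""
    if total >= 60:
        return "Malicious"
    if total >= 30:
        return "Suspicious"
    return "Safe"


def analyze(indicator: str, itype: str, enr: Enrichment, today: Optional[date] = None) -> dict:
    """Assumed shape of an /analyze response: signals, score and verdict."""
    today = today or date.today()
    signals = collect_signals(indicator, itype, enr, today)
    total = score(signals)
    return {"indicator": indicator, "signals": signals, "score": total, "verdict": verdict(total)}


if __name__ == "__main__":
    # Constructed enrichment results; no network access is needed.
    print(analyze("login-update.xyz", "domain",
                  Enrichment(feed_hits={"openphish"}, registered_on=date(2024, 1, 1)),
                  today=date(2024, 1, 10)))
    print(analyze("203.0.113.5", "ip", Enrichment(feed_hits={"firehol"}, is_tor_exit=True)))
```

Returning the list of fired signals alongside the number lets the dashboard explain a verdict ("phishing feed + new domain") instead of showing an opaque score, and makes it easy to see in testing that a single weak signal such as a `.xyz` TLD on its own stays in the Safe band.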

Run With Docker

docker compose up --build

Services:

  • Frontend: http://localhost:3000
  • Backend API: http://localhost:8000

Local Development

Backend

cd backend
python -m venv .venv
source .venv/bin/activate
pip install -r requirements.txt
uvicorn app.main:app --reload --host 0.0.0.0 --port 8000

Run feed update once:

python -m app.services.feed_updater

Frontend

cd frontend
npm install
npm run dev

Set API URL if needed:

export VITE_API_BASE_URL=http://localhost:8000

Optional VirusTotal Enrichment

You can enable VirusTotal checks by setting:

export VIRUSTOTAL_API_KEY=your_api_key_here

When enabled, analysis responses include an enrichment.virustotal field, and a VirusTotal match is added to the risk score when VT reports malicious or suspicious detections.

Notes

  • The SQLite database file is created at backend/threat_intel.db.
  • The feed downloader tolerates individual source failures and records them per source in feed_metadata.
  • Some enrichment data depends on public network availability and may be partially empty.

About

Threat Intel checks
