Multithreaded threat Intelligence gathering built with Python3
Latest commit 71c1d21 Apr 12, 2016 @byt3smith Merge pull request #8 from byt3smith/fix_for_issue_7
Fix for issue 7
Failed to load latest commit information.
forager cleanup Apr 12, 2016
img Refactor Apr 20, 2015
.gitignore Ported to python3 Jan 31, 2016
.travis.yml Adding CI config Jan 31, 2016 Fixing issue by decoding pattern matching Feb 17, 2016
LICENSE Changed to MIT License Apr 20, 2015 Update Feb 27, 2016
requirements.txt Ported to python3 Jan 31, 2016

Forager alt tag

Build Status


Do you ever wonder if there is an easier way to retrieve, store, and maintain all your threat intelligence data? Random user, meet Forager. Not all threat intel implementations require a database that is "correlating trillions of data points.." and instead, you just need a simple interface, with simple TXT files, that can pull threat data from other feeds, PDF threat reports, or other data sources, with minimal effort. With 15 pre-configured threat feeds, you can get started with threat intelligence feed management today.. Right now.. Do it!

Features At A Glance
  • Fetch intel from URL's using modular feed functions
  • Extract domain, md5, sha1, sha256, IPv4, and YARA indicators
  • Search through the current intel set by single IP or with an IOC file
  • Generate JSON feeds for consumption by CarbonBlack
  • Serves up a Simple HTTP JSON feed server for CarbonBlack


Requires Python 3!

  • argparse
  • xlrd
  • pdfminer3k
  • colorama (for pretty colored output)

You can install all requirements with the included requirements.txt file

pip3 install -r requirements.txt


(Invoked with --feeds)

  • 'list' -- Lists all feeds and allows user to choose a single feed to update.
  • 'update' -- Updates all feed modules listed in Forager


(Invoked with --hunt)

  • '-f [file path]' Provides the capability to search through the intel directory results for a specific list of indicators
  • '-s [IPv4 address]' Searches through intel directory for a single IP address


(Invoked with --extract)

  • Reads in a file and extracts IP addresss, domains, MD5/SHA1/SHA256 hashes, and YARA rules
  • Places the extracted indicators into the intel directory
  • Currently supported filetypes:
    • TXT
    • PDF
    • XLS/XLSX


  • Prone to false positives when extracting indicators from PDF as whitepapers with indicators will normally also contain URL references

CarbonBlack Feed Generator

(Invoked with --cbgen)

  • Generates JSON feeds of all of the IOCs in the intel dir
  • Utilizes an interactive CLI prompt to allow the user to provide feed metadata the first time CBgen is run

CarbonBlack Feed Server

(Invoked with --srv)

  • Runs the built-in feed server so that the CarbonBlack server can automatically ingest the JSON feeds that were generated by the CBgen command