Need help with Forager?
Click the “chat” button below for chat support from the developer who created it, or find similar developers for support.

About the developer

140 Stars 26 Forks MIT License 115 Commits 3 Opened issues


Multithreaded threat Intelligence gathering built with Python3

Services available


Need anything else?

Contributors list

# 86,274
3 commits
# 658,300
1 commit

Forager alt tag

Build Status


Do you ever wonder if there is an easier way to retrieve, store, and maintain all your threat intelligence data? Random user, meet Forager. Not all threat intel implementations require a database that is "correlating trillions of data points.." and instead, you just need a simple interface, with simple TXT files, that can pull threat data from other feeds, PDF threat reports, or other data sources, with minimal effort. With 15 pre-configured threat feeds, you can get started with threat intelligence feed management today.. Right now.. Do it!

Features At A Glance
  • Fetch intel from URL's using modular feed functions
  • Extract domain, md5, sha1, sha256, IPv4, and YARA indicators
  • Search through the current intel set by single IP or with an IOC file
  • Generate JSON feeds for consumption by CarbonBlack
  • Serves up a Simple HTTP JSON feed server for CarbonBlack


Requires Python 3! * argparse * xlrd * pdfminer3k * colorama (for pretty colored output)

You can install all requirements with the included requirements.txt file

pip3 install -r requirements.txt


  • list
    -- Lists all feeds and allows user to choose a single feed to update.
  • update
    -- Updates all feed modules listed in Forager


  • -f [file path]
    Provides the capability to search through the intel directory results for a specific list of indicators
  • -s [IPv4 address]
    Searches through intel directory for a single IP address


  • Reads in a file and extracts IP addresss, domains, MD5/SHA1/SHA256 hashes, and YARA rules
  • Places the extracted indicators into the intel directory
  • Currently supported filetypes:
    • TXT
    • PDF
    • XLS/XLSX


  • Prone to false positives when extracting indicators from PDF as whitepapers with indicators will normally also contain URL references

CarbonBlack Feed Generator

  • Generates JSON feeds of all of the IOCs in the intel dir
  • Utilizes an interactive CLI prompt to allow the user to provide feed metadata the first time CBgen is run

CarbonBlack Feed Server

  • Runs the built-in feed server so that the CarbonBlack server can automatically ingest the JSON feeds that were generated by the CBgen command

We use cookies. If you continue to browse the site, you agree to the use of cookies. For more information on our use of cookies please see our Privacy Policy.