External monitoring for organization assets
Crossfeed is a tool that blends external asset information with known vulnerabilities from the VDP in order to better secure DoD systems. Crossfeed continually scans for public facing assets using a number of OSINT and minimally invasive techniques. This information is then used in scans to discover indicators of vulnerabilities.
Current features:
- Continually tracked database of DoD assets
- Database of vulnerability reports from VDP
- Passive scans for open ports utilizing Rapid7's Project Sonar
- Host fingerprinting using Wappalyzer
- Recurring vulnerability scans based on past vulnerabilities
- Slack notifications when new ports and vulnerabilities found
Crossfeed Web (this repository) sits as the user-facing end of Crossfeed. This displays all information and allows scheduling scans.
Crossfeed Agent is the backend scanner, which launches and coordinates scans.
Scans are queued via Amazon SQS and dispatched by crossfeed agent. This is designed for a multi-host environment, where backend scanners process incoming scan requests asynchronously.
To get started, first copy relevent config files:
- Run
cp .env.example .env - Run
cp config/config.example.json config/config.json - In the agent, run
cp config.example.json config.json
- Install Docker.
Configure the Postgres database information in .env on web and config.json for the agent. Likewise, configure the SQS information in .env for web and config.json for the agent.
Crossfeed integrates with several APIs. Configure the following API keys to make full use of the tool:
SONAR_API_KEY(agent) - The Rapid7 Project Sonar API key, used to download port scan dataSLACK_WEBHOOK_URL(agent) - A Slack incoming webhook url, used to post alerts to SlackBD_API_KEY(web, optional) - A BitDiscovery API key, optionally used for importing data
- Run
docker-compose up