Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/bonjourmalware/melody
Melody is a transparent internet sensor built for threat intelligence. Supports custom tagging rules and vulnerable application simulation.
https://github.com/bonjourmalware/melody
internet-noise internet-sensor melody tag-packets threat-intelligence threat-monitoring
Last synced: 21 days ago
JSON representation
Melody is a transparent internet sensor built for threat intelligence. Supports custom tagging rules and vulnerable application simulation.
- Host: GitHub
- URL: https://github.com/bonjourmalware/melody
- Owner: bonjourmalware
- License: mit
- Archived: true
- Created: 2020-04-23T20:33:27.000Z (over 4 years ago)
- Default Branch: master
- Last Pushed: 2021-09-10T16:16:13.000Z (over 3 years ago)
- Last Synced: 2024-08-05T17:29:45.809Z (4 months ago)
- Topics: internet-noise, internet-sensor, melody, tag-packets, threat-intelligence, threat-monitoring
- Language: Go
- Homepage: https://bonjourmalware.github.io/melody/
- Size: 11.8 MB
- Stars: 138
- Watchers: 8
- Forks: 22
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
- awesome-hacking-lists - bonjourmalware/melody - Melody is a transparent internet sensor built for threat intelligence. Supports custom tagging rules and vulnerable application simulation. (Go)
README
Melody
Monitor the Internet's background noise
---
Melody is a transparent internet sensor built for threat intelligence and supported by a detection rule framework which allows you to tag packets of interest for further analysis and threat monitoring.
# Table of Contents
* [Melody](#melody)
* [Table of contents](#table-of-contents)
* [Features](#features)
* [Wishlist](#wishlist)
* [Use cases](#use-cases)
* [Internet facing sensor](#internet-facing-sensor)
* [Stream analysis](#stream-analysis)
* [Preview](#preview)
* [Quickstart](#quickstart)
* [TL;DR](#tldr)
* [Release](#release)
* [From source](#from-source)
* [Docker](#docker)
* [Rules](#rules)
* [Rule example](#rule-example)
* [Logs](#logs)# Features
Here are some key features of Melody :+ Transparent capture
+ Write detection rules and tag specific packets to analyze them at scale
+ Mock vulnerable websites using the builtin HTTP/S server
+ Supports the main internet protocols over IPv4 and IPv6
+ Handles log rotation for you : Melody is designed to run forever on the smallest VPS
+ Minimal configuration required
+ Standalone mode : configure Melody using only the CLI
+ Easily scalable :
+ Statically compiled binary
+ Up-to-date Docker image# Wishlist
Since I have to focus on other projects right now, I can't put much time in Melody's development.There is a lot of rom for improvement though, so here are some features that I'd like to implement someday :
+ ~~Dedicated helper program to create, test and manage rules~~ -> Check Meloctl in `cmd/meloctl`
+ Centralized rules management
+ Per port mock application# Use cases
## Internet facing sensor+ Extract trends and patterns from Internet's noise
+ Index malicious activity, exploitation attempts and targeted scanners
+ Monitor emerging threats exploitation
+ Keep an eye on specific threats## Stream analysis
+ Build a background noise profile to make targeted attacks stand out
+ Replay captures to tag malicious packets in a suspicious stream# Preview
# Quickstart
[Quickstart details.](https://bonjourmalware.github.io/melody/installation)## TL;DR
### Release
Get the latest release at `https://github.com/bonjourmalware/melody/releases`.```bash
make install # Set default outfacing interface
make cap # Set network capabilities to start Melody without elevated privileges
make certs # Make self signed certs for the HTTPS fileserver
make enable_all_rules # Enable the default rules
make service # Create a systemd service to restart the program automatically and launch it at startupsudo systemctl stop melody # Stop the service while we're configuring it
```Update the `filter.bpf` file to filter out unwanted packets.
```bash
sudo systemctl start melody # Start Melody
sudo systemctl status melody # Check that Melody is running
```The logs should start to pile up in `/opt/melody/logs/melody.ndjson`.
```bash
tail -f /opt/melody/logs/melody.ndjson # | jq
```### From source
```bash
git clone https://github.com/bonjourmalware/melody /opt/melody
cd /opt/melody
make build
```Then continue with the steps from the [release](#release) TL;DR.
### Docker
```bash
make certs # Make self signed certs for the HTTPS fileserver
make enable_all_rules # Enable the default rules
mkdir -p /opt/melody/logs
cd /opt/melody/docker pull bonjourmalware/melody:latest
MELODY_CLI="" # Put your CLI options here. Example : export MELODY_CLI="-s -i 'lo' -F 'dst port 5555' -o 'server.http.port: 5555'"
docker run \
--net=host \
-e "MELODY_CLI=$MELODY_CLI" \
--mount type=bind,source="$(pwd)/filter.bpf",target=/app/filter.bpf,readonly \
--mount type=bind,source="$(pwd)/config.yml",target=/app/config.yml,readonly \
--mount type=bind,source="$(pwd)/var",target=/app/var,readonly \
--mount type=bind,source="$(pwd)/rules",target=/app/rules,readonly \
--mount type=bind,source="$(pwd)/logs",target=/app/logs/ \
bonjourmalware/melody
```The logs should start to pile up in `/opt/melody/logs/melody.ndjson`.
# Rules
[Rule syntax details.](https://bonjourmalware.github.io/melody/installation)
## Example
```yaml
CVE-2020-14882 Oracle Weblogic Server RCE:
layer: http
meta:
id: 3e1d86d8-fba6-4e15-8c74-941c3375fd3e
version: 1.0
author: BonjourMalware
status: stable
created: 2020/11/07
modified: 2020/20/07
description: "Checking or trying to exploit CVE-2020-14882"
references:
- "https://nvd.nist.gov/vuln/detail/CVE-2020-14882"
match:
http.uri:
startswith|any|nocase:
- "/console/css/"
- "/console/images"
contains|any|nocase:
- "console.portal"
- "consolejndi.portal?test_handle="
tags:
cve: "cve-2020-14882"
vendor: "oracle"
product: "weblogic"
impact: "rce"
```# Logs
[Logs content details.](https://bonjourmalware.github.io/melody/layers)
## Example
Netcat TCP packet over IPv4 :
```json
{
"tcp": {
"window": 512,
"seq": 1906765553,
"ack": 2514263732,
"data_offset": 8,
"flags": "PA",
"urgent": 0,
"payload": {
"content": "I made a discovery today. I found a computer.\n",
"base64": "SSBtYWRlIGEgZGlzY292ZXJ5IHRvZGF5LiAgSSBmb3VuZCBhIGNvbXB1dGVyLgo=",
"truncated": false
}
},
"ip": {
"version": 4,
"ihl": 5,
"tos": 0,
"length": 99,
"id": 39114,
"fragbits": "DF",
"frag_offset": 0,
"ttl": 64,
"protocol": 6
},
"timestamp": "2020-11-16T15:50:01.277828+01:00",
"session": "bup9368o4skolf20rt8g",
"type": "tcp",
"src_ip": "127.0.0.1",
"dst_port": 1234,
"matches": {},
"inline_matches": [],
"embedded": {}
}
```