
https://github.com/bonjourmalware/melody

Melody is a transparent internet sensor built for threat intelligence. Supports custom tagging rules and vulnerable application simulation.

internet-noise internet-sensor melody tag-packets threat-intelligence threat-monitoring


        


# Melody

Monitor the Internet's background noise

---

Melody is a transparent internet sensor built for threat intelligence, backed by a detection rule framework that lets you tag packets of interest for further analysis and threat monitoring.

# Table of Contents

* [Melody](#melody)
* [Table of contents](#table-of-contents)
* [Features](#features)
* [Wishlist](#wishlist)
* [Use cases](#use-cases)
  * [Internet facing sensor](#internet-facing-sensor)
  * [Stream analysis](#stream-analysis)
* [Preview](#preview)
* [Quickstart](#quickstart)
  * [TL;DR](#tldr)
    * [Release](#release)
    * [From source](#from-source)
    * [Docker](#docker)
* [Rules](#rules)
  * [Rule example](#rule-example)
* [Logs](#logs)

# Features
Here are some key features of Melody:

+ Transparent capture
+ Write detection rules and tag specific packets to analyze them at scale
+ Mock vulnerable websites using the builtin HTTP/S server
+ Supports the main internet protocols over IPv4 and IPv6
+ Handles log rotation for you: Melody is designed to run forever on the smallest VPS
+ Minimal configuration required
+ Standalone mode: configure Melody using only the CLI
+ Easily scalable:
  + Statically compiled binary
  + Up-to-date Docker image

# Wishlist
Since I have to focus on other projects right now, I can't put much time into Melody's development.

There is a lot of room for improvement though, so here are some features that I'd like to implement someday:
+ ~~Dedicated helper program to create, test and manage rules~~ -> Check Meloctl in `cmd/meloctl`
+ Centralized rules management
+ Per port mock application

# Use cases
## Internet facing sensor

+ Extract trends and patterns from the Internet's background noise
+ Index malicious activity, exploitation attempts and targeted scanners
+ Monitor exploitation of emerging threats
+ Keep an eye on specific threats

## Stream analysis
+ Build a background noise profile to make targeted attacks stand out
+ Replay captures to tag malicious packets in a suspicious stream

# Preview




# Quickstart
[Quickstart details.](https://bonjourmalware.github.io/melody/installation)

## TL;DR
### Release
Get the latest release at `https://github.com/bonjourmalware/melody/releases`.

```bash
make install # Set default outfacing interface
make cap # Set network capabilities to start Melody without elevated privileges
make certs # Make self signed certs for the HTTPS fileserver
make enable_all_rules # Enable the default rules
make service # Create a systemd service to restart the program automatically and launch it at startup

sudo systemctl stop melody # Stop the service while we're configuring it
```

Edit the `filter.bpf` capture filter to exclude traffic you do not want Melody to record, such as your own management sessions to the host.

```bash
sudo systemctl start melody # Start Melody
sudo systemctl status melody # Check that Melody is running
```

The logs should start to pile up in `/opt/melody/logs/melody.ndjson`.

```bash
tail -f /opt/melody/logs/melody.ndjson # | jq
```

### From source

```bash
git clone https://github.com/bonjourmalware/melody /opt/melody
cd /opt/melody
make build
```

Then continue with the steps from the [release](#release) TL;DR.

### Docker

```bash
make certs # Make self signed certs for the HTTPS fileserver
make enable_all_rules # Enable the default rules
mkdir -p /opt/melody/logs
cd /opt/melody/

docker pull bonjourmalware/melody:latest

MELODY_CLI="" # Put your CLI options here. Example : export MELODY_CLI="-s -i 'lo' -F 'dst port 5555' -o 'server.http.port: 5555'"

docker run \
--net=host \
-e "MELODY_CLI=$MELODY_CLI" \
--mount type=bind,source="$(pwd)/filter.bpf",target=/app/filter.bpf,readonly \
--mount type=bind,source="$(pwd)/config.yml",target=/app/config.yml,readonly \
--mount type=bind,source="$(pwd)/var",target=/app/var,readonly \
--mount type=bind,source="$(pwd)/rules",target=/app/rules,readonly \
--mount type=bind,source="$(pwd)/logs",target=/app/logs/ \
bonjourmalware/melody
```

The logs should start to pile up in `/opt/melody/logs/melody.ndjson`.

# Rules

[Rule syntax details.](https://bonjourmalware.github.io/melody/installation)

## Rule example

```yaml
CVE-2020-14882 Oracle Weblogic Server RCE:
  layer: http
  meta:
    id: 3e1d86d8-fba6-4e15-8c74-941c3375fd3e
    version: 1.0
    author: BonjourMalware
    status: stable
    created: 2020/11/07
    modified: 2020/20/07
    description: "Checking or trying to exploit CVE-2020-14882"
    references:
      - "https://nvd.nist.gov/vuln/detail/CVE-2020-14882"
  match:
    http.uri:
      startswith|any|nocase:
        - "/console/css/"
        - "/console/images"
      contains|any|nocase:
        - "console.portal"
        - "consolejndi.portal?test_handle="
  tags:
    cve: "cve-2020-14882"
    vendor: "oracle"
    product: "weblogic"
    impact: "rce"
```
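The rule above matches on the request URI using modifier strings of the form `operator|aggregate|nocase`. To make the semantics concrete, here is a small Go evaluator for that syntax, added as an illustration and not Melody's own matching code. It assumes that every condition listed under a field must hold (so the two `http.uri` conditions are ANDed), that `any` means at least one listed value satisfies the operator and `all` means every value does, and it implements only the `startswith`, `endswith`, `contains` and `is` operators. The request URIs fed to it are constructed, not captured traffic.

```go
package main

import (
	"fmt"
	"strings"
)

// Condition mirrors one modifier line of a Melody rule, e.g.
// `startswith|any|nocase:` followed by a list of values.
type Condition struct {
	Modifiers string   // "operator|aggregate|nocase", as written in the rule
	Values    []string // the values listed under that modifier line
}

// FieldMatch is the set of conditions attached to one packet field,
// like the `http.uri:` block of the rule above.
type FieldMatch struct {
	Field      string
	Conditions []Condition
}

// weblogicRule is the `http.uri` block of the CVE-2020-14882 rule, transcribed into Go.
var weblogicRule = FieldMatch{
	Field: "http.uri",
	Conditions: []Condition{
		{Modifiers: "startswith|any|nocase", Values: []string{"/console/css/", "/console/images"}},
		{Modifiers: "contains|any|nocase", Values: []string{"console.portal", "consolejndi.portal?test_handle="}},
	},
}

// evalCondition applies a single condition to a field value. Assumed subset:
// startswith, endswith, contains and is; "any"/"all" choose how the listed
// values combine; "nocase" makes the comparison case-insensitive.
func evalCondition(c Condition, value string) (bool, error) {
	parts := strings.Split(c.Modifiers, "|")
	op := parts[0]
	switch op {
	case "startswith", "endswith", "contains", "is":
	default:
		return false, fmt.Errorf("unknown operator %q", op)
	}
	aggregate, nocase := "any", false
	for _, m := range parts[1:] {
		switch m {
		case "any", "all":
			aggregate = m
		case "nocase":
			nocase = true
		default:
			return false, fmt.Errorf("unknown modifier %q", m)
		}
	}
	subject := value
	if nocase {
		subject = strings.ToLower(value)
	}
	hits := 0
	for _, v := range c.Values {
		needle := v
		if nocase {
			needle = strings.ToLower(v)
		}
		var ok bool
		switch op {
		case "startswith":
			ok = strings.HasPrefix(subject, needle)
		case "endswith":
			ok = strings.HasSuffix(subject, needle)
		case "contains":
			ok = strings.Contains(subject, needle)
		case "is":
			ok = subject == needle
		}
		if ok {
			hits++
		}
	}
	if aggregate == "all" {
		return hits == len(c.Values), nil
	}
	return hits > 0, nil
}

// MatchField reports whether value satisfies every condition on the field
// (assumption: conditions under one field are ANDed, so a URI that only
// starts with /console/css/ but never mentions console.portal does not fire).
func MatchField(fm FieldMatch, value string) (bool, error) {
	for _, c := range fm.Conditions {
		ok, err := evalCondition(c, value)
		if err != nil {
			return false, fmt.Errorf("%s: %w", fm.Field, err)
		}
		if !ok {
			return false, nil
		}
	}
	return true, nil
}

func main() {
	// Constructed request URIs, not captured traffic.
	for _, uri := range []string{
		"/Console/CSS/../console.portal",                      // matches (nocase)
		"/console/images/../consolejndi.portal?test_handle=x", // matches
		"/console/css/style.css",                              // prefix only: no match
		"/index.html?x=console.portal",                        // substring only: no match
	} {
		ok, err := MatchField(weblogicRule, uri)
		fmt.Printf("%-55s match=%v err=%v\n", uri, ok, err)
	}
}
```

The operator is validated before the value loop so that a rule with a misspelled operator and an empty value list is rejected instead of silently never matching, which is the failure mode that makes a sensor look healthy while tagging nothing.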

# Logs

[Logs content details.](https://bonjourmalware.github.io/melody/layers)

## Example

Netcat TCP packet over IPv4:

```json
{
  "tcp": {
    "window": 512,
    "seq": 1906765553,
    "ack": 2514263732,
    "data_offset": 8,
    "flags": "PA",
    "urgent": 0,
    "payload": {
      "content": "I made a discovery today. I found a computer.\n",
      "base64": "SSBtYWRlIGEgZGlzY292ZXJ5IHRvZGF5LiAgSSBmb3VuZCBhIGNvbXB1dGVyLgo=",
      "truncated": false
    }
  },
  "ip": {
    "version": 4,
    "ihl": 5,
    "tos": 0,
    "length": 99,
    "id": 39114,
    "fragbits": "DF",
    "frag_offset": 0,
    "ttl": 64,
    "protocol": 6
  },
  "timestamp": "2020-11-16T15:50:01.277828+01:00",
  "session": "bup9368o4skolf20rt8g",
  "type": "tcp",
  "src_ip": "127.0.0.1",
  "dst_port": 1234,
  "matches": {},
  "inline_matches": [],
  "embedded": {}
}
```
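Since `melody.ndjson` is one JSON record per line, the usual first step is a triage pass that counts what arrived and pulls the payload out. The following Go program is an added example of such a pass, not part of Melody; it reads only the fields shown in the log record above (`timestamp`, `session`, `type`, `src_ip`, `dst_port`, `matches`, `tcp.payload.base64`, `tcp.payload.truncated`) and decodes the `base64` field, which carries the exact payload bytes, rather than the `content` string. The three log lines it processes are constructed to mirror the layout of the record above; the README only shows `matches` as `{}`, so the populated shape used for the tagged record is an assumption, and only its non-emptiness is relied on.

```go
package main

import (
	"bufio"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// Entry is the subset of a melody.ndjson record read here; field names
// follow the README's log example and unknown fields are ignored.
type Entry struct {
	Timestamp string                 `json:"timestamp"`
	Session   string                 `json:"session"`
	Type      string                 `json:"type"`
	SrcIP     string                 `json:"src_ip"`
	DstPort   int                    `json:"dst_port"`
	Matches   map[string]interface{} `json:"matches"`
	TCP       struct {
		Payload struct {
			Base64    string `json:"base64"`
			Truncated bool   `json:"truncated"`
		} `json:"payload"`
	} `json:"tcp"`
}

// Summary is the result of one triage pass over the log.
type Summary struct {
	Total      int
	Tagged     int // records whose "matches" object is non-empty
	Truncated  int // TCP payloads Melody cut short
	PerDstPort map[int]int
	PerSrcIP   map[string]int
	Payloads   []string // TCP payloads decoded from the base64 field, in file order
}

// Summarize parses NDJSON (one record per line) and aggregates it. A line
// that is not valid JSON stops the pass with its line number.
func Summarize(ndjson string) (Summary, error) {
	s := Summary{PerDstPort: map[int]int{}, PerSrcIP: map[string]int{}}
	sc := bufio.NewScanner(strings.NewReader(ndjson))
	sc.Buffer(make([]byte, 0, 64*1024), 4*1024*1024) // payload lines can be long
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		var e Entry
		if err := json.Unmarshal([]byte(line), &e); err != nil {
			return s, fmt.Errorf("line %d: %w", n, err)
		}
		s.Total++
		s.PerDstPort[e.DstPort]++
		s.PerSrcIP[e.SrcIP]++
		if len(e.Matches) > 0 {
			s.Tagged++
		}
		if e.Type == "tcp" {
			raw, err := base64.StdEncoding.DecodeString(e.TCP.Payload.Base64)
			if err != nil {
				return s, fmt.Errorf("line %d: payload base64: %w", n, err)
			}
			s.Payloads = append(s.Payloads, string(raw))
			if e.TCP.Payload.Truncated {
				s.Truncated++
			}
		}
	}
	return s, sc.Err()
}

// record builds one constructed log line with the same layout as the README
// example; only the fields Summarize reads are populated.
func record(ts, session, srcIP string, dstPort int, payload string, truncated bool, matches map[string]interface{}) string {
	rec := map[string]interface{}{
		"timestamp": ts, "session": session, "type": "tcp", "src_ip": srcIP, "dst_port": dstPort,
		"matches": matches, "inline_matches": []string{}, "embedded": map[string]interface{}{},
		"tcp": map[string]interface{}{"flags": "PA", "payload": map[string]interface{}{
			"content": payload, "base64": base64.StdEncoding.EncodeToString([]byte(payload)), "truncated": truncated,
		}},
	}
	b, _ := json.Marshal(rec)
	return string(b)
}

// sampleLog is constructed test data, not captured traffic. The populated
// "matches" object on the second record is an assumed shape.
var sampleLog = strings.Join([]string{
	record("2020-11-16T15:50:01+01:00", "bup9368o4skolf20rt8g", "127.0.0.1", 1234,
		"I made a discovery today. I found a computer.\n", false, map[string]interface{}{}),
	record("2020-11-16T15:51:12+01:00", "bup93aao4skolf20rt8h", "198.51.100.7", 80,
		"GET /console/css/../console.portal HTTP/1.1\r\n", false,
		map[string]interface{}{"CVE-2020-14882 Oracle Weblogic Server RCE": map[string]interface{}{}}),
	record("2020-11-16T15:52:40+01:00", "bup93bbo4skolf20rt8i", "198.51.100.7", 1234,
		"AAAA", true, map[string]interface{}{}),
}, "\n")

func main() {
	s, err := Summarize(sampleLog)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%d records, %d tagged, %d truncated\n", s.Total, s.Tagged, s.Truncated)
	fmt.Printf("by dst_port: %v\nby src_ip: %v\n", s.PerDstPort, s.PerSrcIP)
	for i, p := range s.Payloads {
		fmt.Printf("payload %d: %q\n", i, p)
	}
}
```

Against a real log you would replace `sampleLog` with the contents of `/opt/melody/logs/melody.ndjson`; the scanner buffer is raised because a single record carries the whole captured payload on one line, and the default 64 KiB limit would make long packets fail the pass rather than silently drop them.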