
bonjourmalware / Melody

Licence: mit
Melody is a transparent internet sensor built for threat intelligence. Supports custom tagging rules and vulnerable application simulation.


Projects that are alternatives of or similar to Melody

freki
🐺 Malware analysis platform
Stars: ✭ 327 (+697.56%)
Mutual labels:  threat-intelligence
Patrowlmanager
PatrOwl - Open Source, Smart and Scalable Security Operations Orchestration Platform
Stars: ✭ 363 (+785.37%)
Mutual labels:  threat-intelligence
Harpoon
CLI tool for open source and threat intelligence
Stars: ✭ 679 (+1556.1%)
Mutual labels:  threat-intelligence
Dnstwist
Domain name permutation engine for detecting homograph phishing attacks, typo squatting, and brand impersonation
Stars: ✭ 3,124 (+7519.51%)
Mutual labels:  threat-intelligence
Misp
MISP (core software) - Open Source Threat Intelligence and Sharing Platform
Stars: ✭ 3,485 (+8400%)
Mutual labels:  threat-intelligence
Gosint
The GOSINT framework is a project used for collecting, processing, and exporting high quality indicators of compromise (IOCs).
Stars: ✭ 482 (+1075.61%)
Mutual labels:  threat-intelligence
SyntheticSun
SyntheticSun is a defense-in-depth security automation and monitoring framework which utilizes threat intelligence, machine learning, managed AWS security services and, serverless technologies to continuously prevent, detect and respond to threats.
Stars: ✭ 49 (+19.51%)
Mutual labels:  threat-intelligence
Besafe
BeSafe is robust threat analyzer which help to protect your desktop environment and know what's happening around you
Stars: ✭ 21 (-48.78%)
Mutual labels:  threat-intelligence
Watcher
Watcher - Open Source Cybersecurity Threat Hunting Platform. Developed with Django & React JS.
Stars: ✭ 324 (+690.24%)
Mutual labels:  threat-intelligence
Spiderfoot
SpiderFoot automates OSINT for threat intelligence and mapping your attack surface.
Stars: ✭ 6,882 (+16685.37%)
Mutual labels:  threat-intelligence
Misp Galaxy
Clusters and elements to attach to MISP events or attributes (like threat actors)
Stars: ✭ 276 (+573.17%)
Mutual labels:  threat-intelligence
Python Iocextract
Defanged Indicator of Compromise (IOC) Extractor.
Stars: ✭ 300 (+631.71%)
Mutual labels:  threat-intelligence
Mitaka
A browser extension for OSINT search
Stars: ✭ 483 (+1078.05%)
Mutual labels:  threat-intelligence
Stalkphish
StalkPhish - The Phishing kits stalker, harvesting phishing kits for investigations.
Stars: ✭ 256 (+524.39%)
Mutual labels:  threat-intelligence
Vfeed
The Correlated CVE Vulnerability And Threat Intelligence Database API
Stars: ✭ 826 (+1914.63%)
Mutual labels:  threat-intelligence
MalwareHashDB
Malware hashes for open source projects.
Stars: ✭ 31 (-24.39%)
Mutual labels:  threat-intelligence
Threatingestor
Extract and aggregate threat intelligence.
Stars: ✭ 439 (+970.73%)
Mutual labels:  threat-intelligence
Malcom
Malcom - Malware Communications Analyzer
Stars: ✭ 988 (+2309.76%)
Mutual labels:  threat-intelligence
Sysmontools
Utilities for Sysmon
Stars: ✭ 903 (+2102.44%)
Mutual labels:  threat-intelligence
Klara
Kaspersky's GReAT KLara
Stars: ✭ 565 (+1278.05%)
Mutual labels:  threat-intelligence

Melody

Monitor the Internet's background noise

Melody is a transparent internet sensor built for threat intelligence and supported by a detection rule framework which allows you to tag packets of interest for further analysis and threat monitoring.

Features

Here are some key features of Melody:

  • Transparent capture
  • Write detection rules and tag specific packets to analyze them at scale
  • Mock vulnerable websites using the built-in HTTP/S server
  • Supports the main internet protocols over IPv4 and IPv6
  • Handles log rotation for you: Melody is designed to run forever on the smallest VPS
  • Minimal configuration required
  • Standalone mode: configure Melody using only the CLI
  • Easily scalable:
    • Statically compiled binary
    • Up-to-date Docker image

Wishlist

Since I have to focus on other projects right now, I can't put much time into Melody's development.

There is a lot of room for improvement though, so here are some features I'd like to implement someday:

  • Dedicated helper program to create, test and manage rules
  • Centralized rules management
  • Per port mock application

Use cases

Internet facing sensor

  • Extract trends and patterns from the Internet's background noise
  • Index malicious activity, exploitation attempts and targeted scanners
  • Monitor exploitation of emerging threats
  • Keep an eye on specific threats

Stream analysis

  • Build a background noise profile to make targeted attacks stand out
  • Replay captures to tag malicious packets in a suspicious stream

Quickstart

Quickstart details.

TL;DR

Release

Get the latest release at https://github.com/bonjourmalware/melody/releases.

make install            # Set the default outward-facing interface
make cap                # Set network capabilities so Melody can start without elevated privileges
make certs              # Make self-signed certs for the HTTPS fileserver
make default_rules      # Enable the default rules
make service            # Create a systemd service that launches Melody at startup and restarts it automatically

sudo systemctl stop melody  # Stop the service while we're configuring it

Update the filter.bpf file to filter out unwanted packets.

sudo systemctl start melody     # Start Melody
sudo systemctl status melody    # Check that Melody is running    

The logs should start to pile up in /opt/melody/logs/melody.ndjson.

tail -f /opt/melody/logs/melody.ndjson # | jq

From source

git clone https://github.com/bonjourmalware/melody /opt/melody
cd /opt/melody
make build

Then continue with the steps from the release TL;DR.

Docker

make certs                        # Make self signed certs for the HTTPS fileserver
make default_rules                # Enable the default rules
mkdir -p /opt/melody/logs
cd /opt/melody/

docker pull bonjourmalware/melody:latest

MELODY_CLI="" # Put your CLI options here. Example : export MELODY_CLI="-s -i 'lo' -F 'dst port 5555' -o 'server.http.port: 5555'"

docker run \
    --net=host \
    -e "MELODY_CLI=$MELODY_CLI" \
    --mount type=bind,source="$(pwd)/filter.bpf",target=/app/filter.bpf,readonly \
    --mount type=bind,source="$(pwd)/config.yml",target=/app/config.yml,readonly \
    --mount type=bind,source="$(pwd)/var",target=/app/var,readonly \
    --mount type=bind,source="$(pwd)/rules",target=/app/rules,readonly \
    --mount type=bind,source="$(pwd)/logs",target=/app/logs/ \
    bonjourmalware/melody

The logs should start to pile up in /opt/melody/logs/melody.ndjson.

Rules

Rule syntax details.

Example

CVE-2020-14882 Oracle Weblogic Server RCE:
  layer: http
  meta:
    id: 3e1d86d8-fba6-4e15-8c74-941c3375fd3e
    version: 1.0
    author: BonjourMalware
    status: stable
    created: 2020/11/07
    modified: 2020/20/07
    description: "Checking or trying to exploit CVE-2020-14882"
    references:
      - "https://nvd.nist.gov/vuln/detail/CVE-2020-14882"
  match:
    http.uri:
      startswith|any|nocase:
        - "/console/css/"
        - "/console/images"
      contains|any|nocase:
        - "console.portal"
        - "consolejndi.portal?test_handle="
  tags:
    cve: "cve-2020-14882"
    vendor: "oracle"
    product: "weblogic"
    impact: "rce"
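To make the modifiers in the rule above concrete, here is an added example in Go (not Melody's own matcher) that evaluates that rule against a few constructed URIs. It assumes the semantics the rule reads as: `|any` passes when one listed value matches (without it, every value must), `|nocase` compares after lowercasing both sides, and every field under `match` must hold for the rule to fire (treated as an assumption here). The `Rule`, `Condition` and `Tag` names are this example's, not the project's.

```go
package main

import (
	"fmt"
	"strings"
)

// Condition is one "field: op|modifier|modifier: [values]" entry of a rule's
// match block, restricted here to the http.uri field.
type Condition struct {
	Op     string   // startswith, endswith or contains
	Any    bool     // |any: one matching value is enough; without it, every value must match
	NoCase bool     // |nocase: case-insensitive comparison
	Values []string
}

// Rule is the subset of a Melody rule needed to tag an HTTP URI.
type Rule struct {
	Name       string
	Conditions []Condition // assumption: every condition must hold (logical AND)
	Tags       map[string]string
}

// matches evaluates a single condition against a URI.
func (c Condition) matches(uri string) bool {
	subject := uri
	if c.NoCase {
		subject = strings.ToLower(uri)
	}
	hits := 0
	for _, v := range c.Values {
		if c.NoCase {
			v = strings.ToLower(v)
		}
		var ok bool
		switch c.Op {
		case "startswith":
			ok = strings.HasPrefix(subject, v)
		case "endswith":
			ok = strings.HasSuffix(subject, v)
		case "contains":
			ok = strings.Contains(subject, v)
		}
		if ok {
			hits++
		}
	}
	if c.Any {
		return hits > 0
	}
	return hits == len(c.Values)
}

// Match reports whether every condition of the rule holds for the URI.
func (r Rule) Match(uri string) bool {
	for _, c := range r.Conditions {
		if !c.matches(uri) {
			return false
		}
	}
	return true
}

// Tag returns the tags of every rule that matched the URI, keyed by rule
// name, which is how a tagged packet would be annotated before being logged.
func Tag(rules []Rule, uri string) map[string]map[string]string {
	out := map[string]map[string]string{}
	for _, r := range rules {
		if r.Match(uri) {
			out[r.Name] = r.Tags
		}
	}
	return out
}

// WeblogicRule is the CVE-2020-14882 rule from the README, transcribed by hand.
var WeblogicRule = Rule{
	Name: "CVE-2020-14882 Oracle Weblogic Server RCE",
	Conditions: []Condition{
		{Op: "startswith", Any: true, NoCase: true, Values: []string{"/console/css/", "/console/images"}},
		{Op: "contains", Any: true, NoCase: true, Values: []string{"console.portal", "consolejndi.portal?test_handle="}},
	},
	Tags: map[string]string{"cve": "cve-2020-14882", "vendor": "oracle", "product": "weblogic", "impact": "rce"},
}

func main() {
	// Constructed sample URIs, not captured traffic.
	uris := []string{
		"/console/css/%252e%252e%252fconsole.portal",
		"/CONSOLE/images/%252E%252E%252Fconsolejndi.portal?test_handle=jndi",
		"/console/login/LoginForm.jsp",
		"/wp-login.php",
	}
	for _, u := range uris {
		fmt.Printf("%-70s %v\n", u, Tag([]Rule{WeblogicRule}, u))
	}
}
```

The third URI is the interesting negative: it contains neither marker and, because `startswith` is anchored, a legitimate console login does not get tagged. When writing rules, test both the case-variant positives and near-miss negatives like this one before deploying them.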

Logs

Logs content details.

Example

Netcat TCP packet over IPv4:

{
  "tcp": {
    "window": 512,
    "seq": 1906765553,
    "ack": 2514263732,
    "data_offset": 8,
    "flags": "PA",
    "urgent": 0,
    "payload": {
      "content": "I made a discovery today. I found a computer.\n",
      "base64": "SSBtYWRlIGEgZGlzY292ZXJ5IHRvZGF5LiAgSSBmb3VuZCBhIGNvbXB1dGVyLgo=",
      "truncated": false
    }
  },
  "ip": {
    "version": 4,
    "ihl": 5,
    "tos": 0,
    "length": 99,
    "id": 39114,
    "fragbits": "DF",
    "frag_offset": 0,
    "ttl": 64,
    "protocol": 6
  },
  "timestamp": "2020-11-16T15:50:01.277828+01:00",
  "session": "bup9368o4skolf20rt8g",
  "type": "tcp",
  "src_ip": "127.0.0.1",
  "dst_port": 1234,
  "matches": {},
  "inline_matches": [],
  "embedded": {}
}
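Records like the one above are the raw material for the background-noise profile described under the stream-analysis use case. The following Go program is an added example, not part of Melody, that parses a few constructed NDJSON lines, decodes the base64 copy of a payload and counts events per destination port and per `cve` tag so that tagged sessions stand out from the noise. The layout of a non-empty `matches` object (rule name mapped to the rule's tags) and the `http` event type are assumptions, since the page only shows an empty `matches`.

```go
package main

import (
	"bufio"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"io"
	"sort"
	"strings"
)

// Event holds the fields of a Melody NDJSON record used here; other fields
// (ip, tcp header values, embedded, ...) are left undecoded.
type Event struct {
	Timestamp string                       `json:"timestamp"`
	Session   string                       `json:"session"`
	Type      string                       `json:"type"`
	SrcIP     string                       `json:"src_ip"`
	DstPort   int                          `json:"dst_port"`
	Matches   map[string]map[string]string `json:"matches"` // assumption: rule name -> the rule's tags
	TCP       *struct {
		Payload struct {
			Base64    string `json:"base64"`
			Truncated bool   `json:"truncated"`
		} `json:"payload"`
	} `json:"tcp"`
}

// Profile is a background-noise profile plus the sessions that stood out.
type Profile struct {
	PerPort map[int]int    // events per destination port
	PerCVE  map[string]int // events per cve tag
	Tagged  []string       // sessions with at least one rule match, sorted
}

// Parse reads one JSON object per line, skipping blank lines.
func Parse(r io.Reader) ([]Event, error) {
	var events []Event
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		var e Event
		if err := json.Unmarshal([]byte(line), &e); err != nil {
			return nil, fmt.Errorf("bad record %q: %w", line, err)
		}
		events = append(events, e)
	}
	return events, sc.Err()
}

// Payload decodes the base64 copy of a TCP payload, which is the lossless
// form; "content" is only a printable rendering. Non-TCP events yield nil.
func Payload(e Event) ([]byte, error) {
	if e.TCP == nil {
		return nil, nil
	}
	return base64.StdEncoding.DecodeString(e.TCP.Payload.Base64)
}

// Build aggregates events into a Profile.
func Build(events []Event) Profile {
	p := Profile{PerPort: map[int]int{}, PerCVE: map[string]int{}}
	for _, e := range events {
		p.PerPort[e.DstPort]++
		if len(e.Matches) == 0 {
			continue
		}
		p.Tagged = append(p.Tagged, e.Session)
		for _, tags := range e.Matches {
			if cve, ok := tags["cve"]; ok {
				p.PerCVE[cve]++
			}
		}
	}
	sort.Strings(p.Tagged)
	return p
}

// SampleLog is constructed for this example; it is not captured traffic.
const SampleLog = `
{"timestamp":"2020-11-16T15:50:01.277828+01:00","session":"bup9368o4skolf20rt8g","type":"tcp","src_ip":"127.0.0.1","dst_port":1234,"tcp":{"payload":{"content":"hello\n","base64":"aGVsbG8K","truncated":false}},"matches":{},"inline_matches":[],"embedded":{}}
{"timestamp":"2020-11-16T15:51:12.000000+01:00","session":"bup93a8o4skolf20rt90","type":"tcp","src_ip":"198.51.100.7","dst_port":22,"matches":{},"inline_matches":[],"embedded":{}}
{"timestamp":"2020-11-16T15:52:40.000000+01:00","session":"bup93c8o4skolf20rta0","type":"http","src_ip":"203.0.113.9","dst_port":80,"matches":{"CVE-2020-14882 Oracle Weblogic Server RCE":{"cve":"cve-2020-14882","vendor":"oracle","product":"weblogic","impact":"rce"}},"inline_matches":[],"embedded":{}}
`

func main() {
	events, err := Parse(strings.NewReader(SampleLog))
	if err != nil {
		panic(err)
	}
	p := Build(events)
	fmt.Println("per port:", p.PerPort)
	fmt.Println("per cve:", p.PerCVE)
	fmt.Println("tagged sessions:", p.Tagged)
	if b, _ := Payload(events[0]); b != nil {
		fmt.Printf("first payload: %q\n", b)
	}
}
```

To run it against a real sensor, replace `strings.NewReader(SampleLog)` with the open `/opt/melody/logs/melody.ndjson`; the per-port counts are the noise baseline, and anything in `Tagged` is what the rules singled out for a closer look.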