Melody is a transparent internet sensor built for threat intelligence and supported by a detection rule framework which allows you to tag packets of interest for further analysis and threat monitoring.
Here are some key features of Melody :
Since I have to focus on other projects right now, I can’t put much time in Melody’s development.
There is a lot of rom for improvement though, so here are some features that I’d like to implement someday :
cmd/meloctlGet the latest release at https://github.com/bonjourmalware/melody/releases.
make install # Set default outfacing interface
make cap # Set network capabilities to start Melody without elevated privileges
make certs # Make self signed certs for the HTTPS fileserver
make enable_all_rules # Enable the default rules
make service # Create a systemd service to restart the program automatically and launch it at startup
sudo systemctl stop melody # Stop the service while we’re configuring it
Update the filter.bpf file to filter out unwanted packets
sudo systemctl start melody # Start Melody
sudo systemctl status melody # Check that Melody is running
The logs should start to pile up in /opt/melody/logs/melody.ndjson.
tail -f /opt/melody/logs/melody.ndjson # | jq
From source
git clone https://github.com/bonjourmalware/melody /opt/melody
cd /opt/melody
make build
Then continue with the steps from the release TL;DR.
make certs # Make self signed certs for the HTTPS fileserver
make enable_all_rules # Enable the default rules
mkdir -p /opt/melody/logs
cd /opt/melody/
docker pull bonjourmalware/melody:latest
MELODY_CLI=”” # Put your CLI options here. Example : export MELODY_CLI=”-s -i ‘lo’ -F ‘dst port 5555’ -o ‘server.http.port: 5555′”
docker run \
–net=host \
-e “MELODY_CLI=$MELODY_CLI” \
–mount type=bind,source=”$(pwd)/filter.bpf”,target=/app/filter.bpf,readonly \
–mount type=bind,source=”$(pwd)/config.yml”,target=/app/config.yml,readonly \
–mount type=bind,source=”$(pwd)/var”,target=/app/var,readonly \
–mount type=bind,source=”$(pwd)/rules”,target=/app/rules,readonly \
–mount type=bind,source=”$(pwd)/logs”,target=/app/logs/ \
bonjourmalware/melody
CVE-2020-14882 Oracle Weblogic Server RCE:
layer: http
meta:
id: 3e1d86d8-fba6-4e15-8c74-941c3375fd3e
version: 1.0
author: BonjourMalware
status: stable
created: 2020/11/07
modified: 2020/20/07
description: “Checking or trying to exploit CVE-2020-14882”
references:
– “https://nvd.nist.gov/vuln/detail/CVE-2020-14882”
match:
http.uri:
startswith|any|nocase:
– “/console/css/”
– “/console/images”
contains|any|nocase:
– “console.portal”
– “consolejndi.portal?test_handle=”
tags:
cve: “cve-2020-14882”
vendor: “oracle”
product: “weblogic”
impact: “rce”
Netcat TCP packet over IPv4 :
{
“tcp”: {
“window”: 512,
“seq”: 1906765553,
“ack”: 2514263732,
“data_offset”: 8,
“flags”: “PA”,
“urgent”: 0,
“payload”: {
“content”: “I made a discovery today. I found a computer.\n”,
“base64”: “SSBtYWRlIGEgZGlzY292ZXJ5IHRvZGF5LiAgSSBmb3VuZCBhIGNvbXB1dGVyLgo=”,
“truncated”: false
}
},
“ip”: {
“version”: 4,
“ihl”: 5,
“tos”: 0,
“length”: 99,
“id”: 39114,
“fragbits”: “DF”,
“frag_offset”: 0,
“ttl”: 64,
“protocol”: 6
},
“timestamp”: “2020-11-16T15:50:01.277828+01:00”,
“session”: “bup9368o4skolf20rt8g”,
“type”: “tcp”,
“src_ip”: “127.0.0.1”,
“dst_port”: 1234,
“matches”: {},
“inline_matches”: [],
“embedded”: {}
}
The OSINT Framework official website is one of the easiest places to start open-source intelligence…
The OSINT Framework website is one of the most popular starting points for open-source intelligence…
Internet-facing servers are constantly targeted by bots searching for weak passwords and vulnerable services. A…
Managing user accounts is one of the most important administrative tasks on any Linux system.…
Install Slack Ubuntu systems quickly and start collaborating with your team from a powerful communication…
If you're looking for a flexible and customizable code editor, Install Atom Ubuntu is a…