Melody is a transparent internet sensor built for threat intelligence and supported by a detection rule framework which allows you to tag packets of interest for further analysis and threat monitoring.
Here are some key features of Melody :
Since I have to focus on other projects right now, I can’t put much time in Melody’s development.
There is a lot of rom for improvement though, so here are some features that I’d like to implement someday :
cmd/meloctlGet the latest release at https://github.com/bonjourmalware/melody/releases.
make install # Set default outfacing interface
make cap # Set network capabilities to start Melody without elevated privileges
make certs # Make self signed certs for the HTTPS fileserver
make enable_all_rules # Enable the default rules
make service # Create a systemd service to restart the program automatically and launch it at startup
sudo systemctl stop melody # Stop the service while we’re configuring it
Update the filter.bpf file to filter out unwanted packets
sudo systemctl start melody # Start Melody
sudo systemctl status melody # Check that Melody is running
The logs should start to pile up in /opt/melody/logs/melody.ndjson.
tail -f /opt/melody/logs/melody.ndjson # | jq
From source
git clone https://github.com/bonjourmalware/melody /opt/melody
cd /opt/melody
make build
Then continue with the steps from the release TL;DR.
make certs # Make self signed certs for the HTTPS fileserver
make enable_all_rules # Enable the default rules
mkdir -p /opt/melody/logs
cd /opt/melody/
docker pull bonjourmalware/melody:latest
MELODY_CLI=”” # Put your CLI options here. Example : export MELODY_CLI=”-s -i ‘lo’ -F ‘dst port 5555’ -o ‘server.http.port: 5555′”
docker run \
–net=host \
-e “MELODY_CLI=$MELODY_CLI” \
–mount type=bind,source=”$(pwd)/filter.bpf”,target=/app/filter.bpf,readonly \
–mount type=bind,source=”$(pwd)/config.yml”,target=/app/config.yml,readonly \
–mount type=bind,source=”$(pwd)/var”,target=/app/var,readonly \
–mount type=bind,source=”$(pwd)/rules”,target=/app/rules,readonly \
–mount type=bind,source=”$(pwd)/logs”,target=/app/logs/ \
bonjourmalware/melody
CVE-2020-14882 Oracle Weblogic Server RCE:
layer: http
meta:
id: 3e1d86d8-fba6-4e15-8c74-941c3375fd3e
version: 1.0
author: BonjourMalware
status: stable
created: 2020/11/07
modified: 2020/20/07
description: “Checking or trying to exploit CVE-2020-14882”
references:
– “https://nvd.nist.gov/vuln/detail/CVE-2020-14882”
match:
http.uri:
startswith|any|nocase:
– “/console/css/”
– “/console/images”
contains|any|nocase:
– “console.portal”
– “consolejndi.portal?test_handle=”
tags:
cve: “cve-2020-14882”
vendor: “oracle”
product: “weblogic”
impact: “rce”
Netcat TCP packet over IPv4 :
{
“tcp”: {
“window”: 512,
“seq”: 1906765553,
“ack”: 2514263732,
“data_offset”: 8,
“flags”: “PA”,
“urgent”: 0,
“payload”: {
“content”: “I made a discovery today. I found a computer.\n”,
“base64”: “SSBtYWRlIGEgZGlzY292ZXJ5IHRvZGF5LiAgSSBmb3VuZCBhIGNvbXB1dGVyLgo=”,
“truncated”: false
}
},
“ip”: {
“version”: 4,
“ihl”: 5,
“tos”: 0,
“length”: 99,
“id”: 39114,
“fragbits”: “DF”,
“frag_offset”: 0,
“ttl”: 64,
“protocol”: 6
},
“timestamp”: “2020-11-16T15:50:01.277828+01:00”,
“session”: “bup9368o4skolf20rt8g”,
“type”: “tcp”,
“src_ip”: “127.0.0.1”,
“dst_port”: 1234,
“matches”: {},
“inline_matches”: [],
“embedded”: {}
}
Endpoint Detection and Response (EDR) solutions have become a cornerstone of modern cybersecurity, designed to…
A large-scale malware campaign leveraging AI-assisted development techniques has been uncovered, revealing how attackers are…
How Does a Firewall Work Step by Step? What Is a Firewall and How Does…
People trying to securely connect to work are being tricked into doing the exact opposite.…
A newly disclosed Android vulnerability is making noise for a good reason. Researchers showed that…
In MySQL Server 5.5 and earlier versions, the MyISAM was the default storage engine. So,…