Melody is a transparent internet sensor built for threat intelligence and supported by a detection rule framework which allows you to tag packets of interest for further analysis and threat monitoring.
Here are some key features of Melody :
Since I have to focus on other projects right now, I can’t put much time in Melody’s development.
There is a lot of rom for improvement though, so here are some features that I’d like to implement someday :
cmd/meloctlGet the latest release at https://github.com/bonjourmalware/melody/releases.
make install # Set default outfacing interface
make cap # Set network capabilities to start Melody without elevated privileges
make certs # Make self signed certs for the HTTPS fileserver
make enable_all_rules # Enable the default rules
make service # Create a systemd service to restart the program automatically and launch it at startup
sudo systemctl stop melody # Stop the service while we’re configuring it
Update the filter.bpf file to filter out unwanted packets
sudo systemctl start melody # Start Melody
sudo systemctl status melody # Check that Melody is running
The logs should start to pile up in /opt/melody/logs/melody.ndjson.
tail -f /opt/melody/logs/melody.ndjson # | jq
From source
git clone https://github.com/bonjourmalware/melody /opt/melody
cd /opt/melody
make build
Then continue with the steps from the release TL;DR.
make certs # Make self signed certs for the HTTPS fileserver
make enable_all_rules # Enable the default rules
mkdir -p /opt/melody/logs
cd /opt/melody/
docker pull bonjourmalware/melody:latest
MELODY_CLI=”” # Put your CLI options here. Example : export MELODY_CLI=”-s -i ‘lo’ -F ‘dst port 5555’ -o ‘server.http.port: 5555′”
docker run \
–net=host \
-e “MELODY_CLI=$MELODY_CLI” \
–mount type=bind,source=”$(pwd)/filter.bpf”,target=/app/filter.bpf,readonly \
–mount type=bind,source=”$(pwd)/config.yml”,target=/app/config.yml,readonly \
–mount type=bind,source=”$(pwd)/var”,target=/app/var,readonly \
–mount type=bind,source=”$(pwd)/rules”,target=/app/rules,readonly \
–mount type=bind,source=”$(pwd)/logs”,target=/app/logs/ \
bonjourmalware/melody
CVE-2020-14882 Oracle Weblogic Server RCE:
layer: http
meta:
id: 3e1d86d8-fba6-4e15-8c74-941c3375fd3e
version: 1.0
author: BonjourMalware
status: stable
created: 2020/11/07
modified: 2020/20/07
description: “Checking or trying to exploit CVE-2020-14882”
references:
– “https://nvd.nist.gov/vuln/detail/CVE-2020-14882”
match:
http.uri:
startswith|any|nocase:
– “/console/css/”
– “/console/images”
contains|any|nocase:
– “console.portal”
– “consolejndi.portal?test_handle=”
tags:
cve: “cve-2020-14882”
vendor: “oracle”
product: “weblogic”
impact: “rce”
Netcat TCP packet over IPv4 :
{
“tcp”: {
“window”: 512,
“seq”: 1906765553,
“ack”: 2514263732,
“data_offset”: 8,
“flags”: “PA”,
“urgent”: 0,
“payload”: {
“content”: “I made a discovery today. I found a computer.\n”,
“base64”: “SSBtYWRlIGEgZGlzY292ZXJ5IHRvZGF5LiAgSSBmb3VuZCBhIGNvbXB1dGVyLgo=”,
“truncated”: false
}
},
“ip”: {
“version”: 4,
“ihl”: 5,
“tos”: 0,
“length”: 99,
“id”: 39114,
“fragbits”: “DF”,
“frag_offset”: 0,
“ttl”: 64,
“protocol”: 6
},
“timestamp”: “2020-11-16T15:50:01.277828+01:00”,
“session”: “bup9368o4skolf20rt8g”,
“type”: “tcp”,
“src_ip”: “127.0.0.1”,
“dst_port”: 1234,
“matches”: {},
“inline_matches”: [],
“embedded”: {}
}
Redis is an open-source, in-memory data structure store used as a database, cache, and message broker.…
Ubuntu 18.04 LTS (Bionic Beaver) was released on April 26, 2018, with five years of official…
Apache Virtual Hosts let you run multiple websites on a single server. Each site gets its…
Django is a free, open-source Python web framework built for developing secure, scalable, and maintainable web…
MySQL replication is the process of automatically copying data from one database server to one or…
Joomla is one of the most popular open-source content management systems in the world. It is…