
Melody - A Transparent Internet Sensor Built For Threat Intelligence

2022-04-13 12:30:00
www.kitploit.com

CVSS3: 9.8 High (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVSS2: 10 High (AV:N/AC:L/Au:N/C:C/I:C/A:C)

EPSS: 0.975 High, percentile 100.0%

Melody

Monitor the Internet’s background noise

Melody is a transparent internet sensor built for threat intelligence and supported by a detection rule framework which allows you to tag packets of interest for further analysis and threat monitoring.

Features

Here are some key features of Melody:

  • Transparent capture
  • Write detection rules and tag specific packets to analyze them at scale
  • Mock vulnerable websites using the builtin HTTP/S server
  • Supports the main internet protocols over IPv4 and IPv6
  • Handles log rotation for you: Melody is designed to run forever on the smallest VPS
  • Minimal configuration required
  • Standalone mode: configure Melody using only the CLI
  • Easily scalable:
    • Statically compiled binary
    • Up-to-date Docker image

Wishlist

Since I have to focus on other projects right now, I can’t put much time in Melody’s development.

There is a lot of room for improvement though, so here are some features that I’d like to implement someday:

  • Dedicated helper program to create, test and manage rules -> Check Meloctl in cmd/meloctl
  • Centralized rules management
  • Per port mock application

Use cases

Internet facing sensor

  • Extract trends and patterns from the Internet’s background noise
  • Index malicious activity, exploitation attempts and targeted scanners
  • Monitor the exploitation of emerging threats
  • Keep an eye on specific threats

Stream analysis

  • Build a background noise profile to make targeted attacks stand out
  • Replay captures to tag malicious packets in a suspicious stream

Quickstart

Quickstart details.

TL;DR

Release

Get the latest release at https://github.com/bonjourmalware/melody/releases.

make install               # Set default outfacing interface  
make cap                   # Set network capabilities to start Melody without elevated privileges  
make certs                 # Make self signed certs for the HTTPS fileserver  
make enable_all_rules      # Enable the default rules  
make service               # Create a systemd service to restart the program automatically and launch it at startup   
  
sudo systemctl stop melody  # Stop the service while we're configuring it

Update the filter.bpf file to filter out unwanted packets.

sudo systemctl start melody     # Start Melody  
sudo systemctl status melody    # Check that Melody is running    

The logs should start to pile up in /opt/melody/logs/melody.ndjson.

tail -f /opt/melody/logs/melody.ndjson # | jq

From source

git clone https://github.com/bonjourmalware/melody /opt/melody  
cd /opt/melody  
make build

Then continue with the steps from the release TL;DR.

Docker

make certs                           # Make self signed certs for the HTTPS fileserver  
make enable_all_rules                # Enable the default rules  
mkdir -p /opt/melody/logs  
cd /opt/melody/  
  
docker pull bonjourmalware/melody:latest  
  
MELODY_CLI="" # Put your CLI options here. Example: export MELODY_CLI="-s -i 'lo' -F 'dst port 5555' -o 'server.http.port: 5555'"  
  
docker run \  
    --net=host \  
    -e "MELODY_CLI=$MELODY_CLI" \  
    --mount type=bind,source="$(pwd)/filter.bpf",target=/app/filter.bpf,readonly \  
    --mount type=bind,source="$(pwd)/config.yml",target=/app/config.yml,readonly \  
    --mount type=bind,source="$(pwd)/var",target=/app/var,readonly \  
    --mount type=bind,source="$(pwd)/rules",target=/app/rules,readonly \  
    --mount type=bind,source="$(pwd)/logs",target=/app/logs/ \  
    bonjourmalware/melody

The logs should start to pile up in /opt/melody/logs/melody.ndjson.

Rules

Rule syntax details.

Example

CVE-2020-14882 Oracle Weblogic Server RCE:  
  layer: http  
  meta:  
    id: 3e1d86d8-fba6-4e15-8c74-941c3375fd3e  
    version: 1.0  
    author: BonjourMalware  
    status: stable  
    created: 2020/11/07  
    modified: 2020/20/07  
    description: "Checking or trying to exploit CVE-2020-14882"  
    references:  
      - "https://nvd.nist.gov/vuln/detail/CVE-2020-14882"  
  match:  
    http.uri:  
      startswith|any|nocase:  
        - "/console/css/"  
        - "/console/images"  
      contains|any|nocase:  
        - "console.portal"  
        - "consolejndi.portal?test_handle="  
  tags:  
    cve: "cve-2020-14882"  
    vendor: "oracle"  
    product: "weblogic"  
    impact: "rce"
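As an added example (not Melody's own code), here is the matching logic this rule expresses, written in Go: each `startswith|any|nocase` or `contains|any|nocase` entry becomes a condition over `http.uri`, and a request is tagged only when every condition holds. The meaning given to `any` and `nocase`, and the AND between conditions, are this example's assumptions about the syntax; the page does not spell them out.

```go
package main

import "strings"
// Condition is one entry of a rule's match block, e.g. "startswith|any|nocase" with its
// values. The type and semantics are this example's reading of the page's rule, not Melody's code.
type Condition struct {
	Op     string   // "startswith" or "contains"
	Any    bool     // "any": one matching value is enough
	NoCase bool     // "nocase": case-insensitive comparison
	Values []string // the listed candidate strings
}

// Rule pairs the http.uri conditions with the tags emitted on a hit.
type Rule struct {
	Conditions []Condition
	Tags       map[string]string
}

// CVE202014882 reproduces the match and tags blocks of the page's example rule.
var CVE202014882 = Rule{
	Conditions: []Condition{
		{"startswith", true, true, []string{"/console/css/", "/console/images"}},
		{"contains", true, true, []string{"console.portal", "consolejndi.portal?test_handle="}},
	},
	Tags: map[string]string{"cve": "cve-2020-14882", "vendor": "oracle", "product": "weblogic", "impact": "rce"},
}

func (c Condition) Eval(uri string) bool {
	hits := 0
	for _, v := range c.Values {
		u := uri
		if c.NoCase {
			u, v = strings.ToLower(u), strings.ToLower(v)
		}
		if (c.Op == "startswith" && strings.HasPrefix(u, v)) || (c.Op == "contains" && strings.Contains(u, v)) {
			hits++
		}
	}
	return (c.Any && hits > 0) || hits == len(c.Values) // without "any", every value must match
}

// Match returns the rule's tags when every condition holds (AND between conditions is assumed), else nil.
func (r Rule) Match(uri string) map[string]string {
	for _, c := range r.Conditions {
		if !c.Eval(uri) {
			return nil
		}
	}
	return r.Tags
}
```

A URI such as `/console/images/logo.png` satisfies the prefix condition but not the `contains` one, so it is left untagged; `/CONSOLE/CSS/console.portal` is tagged despite its case because of `nocase`.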

Logs

Logs content details.

Example

Netcat TCP packet over IPv4:

{  
  "tcp": {  
    "window": 512,  
    "seq": 1906765553,  
    "ack": 2514263732,  
    "data_offset": 8,  
    "flags": "PA",  
    "urgent": 0,  
    "payload": {  
      "content": "I made a discovery today. I found a computer.\n",  
      "base64": "SSBtYWRlIGEgZGlzY292ZXJ5IHRvZGF5LiAgSSBmb3VuZCBhIGNvbXB1dGVyLgo=",  
      "truncated": false  
    }  
  },  
  "ip": {  
    "version": 4,  
    "ihl": 5,  
    "tos": 0,  
    "length": 99,  
    "id": 39114,  
    "fragbits": "DF",  
    "frag_offset": 0,  
    "ttl": 64,  
    "protocol": 6  
  },  
  "timestamp": "2020-11-16T15:50:01.277828+01:00",  
  "session": "bup9368o4skolf20rt8g",  
  "type": "tcp",  
  "src_ip": "127.0.0.1",  
  "dst_port": 1234,  
  "matches": {},  
  "inline_matches": [],  
  "embedded": {}  
}
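An added example (not part of Melody) that consumes one such ndjson line in Go: it decodes `tcp.payload.base64` and checks the decoded length against what `ip.length`, `ip.ihl` and `tcp.data_offset` imply, so a log consumer can tell a complete capture from a partial one before acting on the payload. The `Record` struct is this example's own; the sample line is the page's record compacted onto one line.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// Record holds the fields of a Melody "tcp" log line that this check needs. The field
// names follow the page's example record; the struct itself is this example's, not Melody's.
type Record struct {
	Type string `json:"type"`
	IP   struct {
		IHL    int `json:"ihl"`    // header length in 32-bit words
		Length int `json:"length"` // total IP datagram length in bytes
	} `json:"ip"`
	TCP struct {
		DataOffset int    `json:"data_offset"` // TCP header length in 32-bit words
		Flags      string `json:"flags"`
		Payload    struct {
			Base64    string `json:"base64"`
			Truncated bool   `json:"truncated"`
		} `json:"payload"`
	} `json:"tcp"`
}

// CheckPayload decodes the base64 payload of one ndjson line and compares its length with
// what the headers imply: ip.length - 4*ihl - 4*data_offset. A shortfall is acceptable only
// when the record says the payload was truncated; any other mismatch means the record
// should not be treated as a faithful copy of the packet.
func CheckPayload(line []byte) (payload []byte, consistent bool, err error) {
	var r Record
	if err := json.Unmarshal(line, &r); err != nil {
		return nil, false, err
	}
	if r.Type != "tcp" {
		return nil, false, fmt.Errorf("not a tcp record: %q", r.Type)
	}
	payload, err = base64.StdEncoding.DecodeString(r.TCP.Payload.Base64)
	if err != nil {
		return nil, false, err
	}
	expected := r.IP.Length - 4*r.IP.IHL - 4*r.TCP.DataOffset
	consistent = len(payload) == expected || (r.TCP.Payload.Truncated && len(payload) < expected)
	return payload, consistent, nil
}

// Sample is the page's example record on one line (constructed input for this example).
const Sample = `{"tcp":{"window":512,"seq":1906765553,"ack":2514263732,"data_offset":8,"flags":"PA","urgent":0,"payload":{"content":"I made a discovery today. I found a computer.\n","base64":"SSBtYWRlIGEgZGlzY292ZXJ5IHRvZGF5LiAgSSBmb3VuZCBhIGNvbXB1dGVyLgo=","truncated":false}},"ip":{"version":4,"ihl":5,"tos":0,"length":99,"id":39114,"fragbits":"DF","frag_offset":0,"ttl":64,"protocol":6},"timestamp":"2020-11-16T15:50:01.277828+01:00","session":"bup9368o4skolf20rt8g","type":"tcp","src_ip":"127.0.0.1","dst_port":1234,"matches":{},"inline_matches":[],"embedded":{}}`
```

For the sample, 99 - 20 - 32 leaves 47 bytes, which is exactly what the base64 field decodes to.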

Download Melody
