Melody - A Transparent Internet Sensor Built For Threat Intelligence

Melody – A Transparent Internet Sensor Built For Threat Intelligence


Monitor the Internet’s background noise

Melody is a transparent internet sensor built for threat intelligence and supported by a detection rule framework which allows you to tag packets of interest for further analysis and threat monitoring.


Here are some key features of Melody :

  • Transparent capture
  • Write detection rules and tag specific packets to analyze them at scale
  • Mock vulnerable websites using the builtin HTTP/S server
  • Supports the main internet protocols over IPv4 and IPv6
  • Handles log rotation for you : Melody is designed to run forever on the smallest VPS
  • Minimal configuration required
  • Standalone mode : configure Melody using only the CLI
  • Easily scalable :
    • Statically compiled binary
    • Up-to-date Docker image


Since I have to focus on other projects right now, I can’t put much time in Melody’s development.

There is a lot of rom for improvement though, so here are some features that I’d like to implement someday :

  • Dedicated helper program to create, test and manage rules -> Check Meloctl in cmd/meloctl
  • Centralized rules management
  • Per port mock application

Use cases

Internet facing sensor

  • Extract trends and patterns from Internet’s noise
  • Index malicious activity, exploitation attempts and targeted scanners
  • Monitor emerging threats exploitation
  • Keep an eye on specific threats

Stream analysis

  • Build a background noise profile to make targeted attacks stand out
  • Replay captures to tag malicious packets in a suspicious stream



Quickstart details.



Get the latest release at

make install               # Set default outfacing interface
make cap # Set network capabilities to start Melody without elevated privileges
make certs # Make self signed certs for the HTTPS fileserver
make enable_all_rules # Enable the default rules
make service # Create a systemd service to restart the program automatically and launch it at startup

sudo systemctl stop melody # Stop the service while we're configuring it

Update the filter.bpf file to filter out unwanted packets.

sudo systemctl start melody     # Start Melody
sudo systemctl status melody # Check that Melody is running

The logs should start to pile up in /opt/melody/logs/melody.ndjson.

tail -f /opt/melody/logs/melody.ndjson # | jq

From source

git clone /opt/melody
cd /opt/melody
make build

Then continue with the steps from the release TL;DR.


make certs                           # Make self signed certs for the HTTPS fileserver
make enable_all_rules # Enable the default rules
mkdir -p /opt/melody/logs
cd /opt/melody/

docker pull bonjourmalware/melody:latest

MELODY_CLI="" # Put your CLI options here. Example : export MELODY_CLI="-s -i 'lo' -F 'dst port 5555' -o 'server.http.port: 5555'"

docker run
--mount type=bind,source="$(pwd)/filter.bpf",target=/app/filter.bpf,readonly
--mount type=bind,source="$(pwd)/config.yml",target=/app/config.yml,readonly
--mount type=bind,source="$(pwd)/var",target=/app/var,readonly
--mount type=bind,source="$(pwd)/rules",target=/app/rules,readonly
--mount type=bind,source="$(pwd)/logs",target=/app/logs/

The logs should start to pile up in /opt/melody/logs/melody.ndjson.


Rule syntax details.


CVE-2020-14882 Oracle Weblogic Server RCE:
layer: http
id: 3e1d86d8-fba6-4e15-8c74-941c3375fd3e
version: 1.0
author: BonjourMalware
status: stable
created: 2020/11/07
modified: 2020/20/07
description: "Checking or trying to exploit CVE-2020-14882"
- ""
- "/console/css/"
- "/console/images"
- "console.portal"
- "consolejndi.portal?test_handle="
cve: "cve-2020-14882"
vendor: "oracle"
product: "weblogic"
impact: "rce"


Logs content details.


Netcat TCP packet over IPv4 :

"tcp": {
"window": 512,
"seq": 1906765553,
"ack": 2514263732,
"data_offset": 8,
"flags": "PA",
"urgent": 0,
"payload": {
"content": "I made a discovery today. I found a computer.n",
"base64": "SSBtYWRlIGEgZGlzY292ZXJ5IHRvZGF5LiAgSSBmb3VuZCBhIGNvbXB1dGVyLgo=",
"truncated": false
"ip": {
"version": 4,
"ihl": 5,
"tos": 0,
"length": 99,
"id": 39114,
"fragbits": "DF",
"frag_offset": 0,
"ttl": 64,
"protocol": 6
"timestamp": "2020-11-16T15:50:01.277828+01:00",
"session": "bup9368o4skolf20rt8g",
"type": "tcp",
"src_ip": "",
"dst_port": 1234,
"matches": {},
"inline_matches": [],
"embedded": {}

Leave a Reply

Your email address will not be published. Required fields are marked *

Special Offer for Hackers!Sign up to get your $5 Coupon code, weekly deals and latest hacking tools straight to your inbox!