Shomon – Shodan Monitoring Integration For TheHive
# Description

![](https://blogger.googleusercontent.com/img/a/AVvXsEgjClDByJ9QQiFUJZ_-xUpZls5SfT306n0T9ozOyWCKH4JuXxvltmWO8NLk3jiKh44VaeR8NSe8NcEida0EDlyGRHdp2l2o68wBYYaZI7ElhoZHyDyB_OaZf-qMVs_7PwD3GsBGNuGUb-223fO9CRYDXAtZKsscPk27sj4UvbxeSYFAgp3sgZeixZSv2g=w640-h224)

ShoMon is a Shodan alert feeder for TheHive written in GoLang. With version 2.0, it is more powerful than ever!

# Functionalities

* Can be used as Webhook OR Stream listener

  * Webhook listener opens a RESTful API endpoint for Shodan to send alerts. This means the endpoint must be reachable from the public internet
  * Stream listener connects to Shodan and fetches/parses the alert stream

* Utilizes shadowscatcher/shodan (fantastic work) for Shodan interaction.

* Console logs are in JSON format and can be ingested by other log management tools

* CI/CD via GitHub Actions ensures that a proper Release with changelogs, artifacts, images on ghcr and dockerhub will be provided

* Provides a working docker-compose file for TheHive and its dependencies

* Super fast and Super mini in size

* Complete code refactoring in v2.0 resulted in more modular, maintainable code

* Alert specifics, including tags, type and alert-template, can be adjusted dynamically via the conf file or environment variables. See the config file.

* Full banner can be included in Alert with direct link to Shodan Finding.

![Shodan Monitoring integration for TheHive. (11)](https://blogger.googleusercontent.com/img/a/AVvXsEhUPQS0lUK_vmMl6aWVvDER5K6ZcDavgV6xCdd7DLlv8Qe6R_4cVTSbTARxdft3Zn1uET88Cingo2SU_n9Husrrsk2irFdK7piRLFoJNCgMjgQ_sj-j8VpR_wfT4I6ps4Ojk1mezNdgZXWfWdj7g55BDPY8wrk4EZ_RBFrHP83j6Tc6DvN8dVXGILydeg=w640-h462)

* IP is added to observables

![Shodan Monitoring integration for TheHive. (12)](https://blogger.googleusercontent.com/img/a/AVvXsEjUzET2VUKKHBQZyD4yDQpDs9EluR_J8o2qTyHA-mDcHvKXk3kvwjnLcT4jww79fTWTfpv84c39774Wgcy_gFIZos2PsiXAcsRawbiO8R0kxL1jDWXqeol1yiQBQnG14dY3DZ8Y-4oZolZS25iliNsp6UVXL7pZEZwmVhWBWnIHYILD4v0zTEZnt_Dn_Q=w640-h152)

# Usage

* Parameters should be provided via `conf.yaml` or environment variables. Please see the config file and the docker-compose file

* After conf or environment variables are set simply issue command:

`./shomon`

## Notes

* Alert reference is the first 6 chars of md5("ip:port")
* Only 1 mode can be active at a time. Webhook and Stream listener cannot be activated together.
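
The reference scheme from the first note, as an added Go example (not ShoMon's own code). It assumes the MD5 digest is hex-encoded before truncation; the function names and sample addresses are constructed for illustration. Because a 6-character reference has only 16^6 possible values, the example also estimates and demonstrates how two distinct services can end up with the same reference.

```go
package main

import (
	"crypto/md5"
	"encoding/hex"
	"fmt"
	"math"
)

// refLen is the number of characters kept, per the note above.
const refLen = 6

// AlertRef returns the first 6 characters of md5("ip:port").
// Assumption: the digest is hex-encoded before truncation.
func AlertRef(ip string, port int) string {
	sum := md5.Sum([]byte(fmt.Sprintf("%s:%d", ip, port)))
	return hex.EncodeToString(sum[:])[:refLen]
}

// CollisionProbability is the birthday-bound estimate that at least two of n
// distinct ip:port pairs share a reference (16^6 possible values).
func CollisionProbability(n int) float64 {
	space := math.Pow(16, refLen)
	return 1 - math.Exp(-float64(n)*float64(n-1)/(2*space))
}

// FirstCollision walks constructed sample services (10.0.x.y on port 443)
// and returns the first two distinct services that map to the same reference.
func FirstCollision() (a, b, ref string, found bool) {
	seen := make(map[string]string)
	for x := 0; x < 256; x++ {
		for y := 0; y < 256; y++ {
			ip := fmt.Sprintf("10.0.%d.%d", x, y)
			r := AlertRef(ip, 443)
			if prev, ok := seen[r]; ok {
				return prev, ip, r, true
			}
			seen[r] = ip
		}
	}
	return "", "", "", false
}

func main() {
	fmt.Println("ref for 198.51.100.7:443 =", AlertRef("198.51.100.7", 443))
	fmt.Printf("P(collision) among 5000 services = %.2f\n", CollisionProbability(5000))
	if a, b, ref, ok := FirstCollision(); ok {
		fmt.Printf("%s:443 and %s:443 share reference %s\n", a, b, ref)
	}
}
```

When the monitored asset count reaches the thousands, correlating alerts on the reference alone can merge unrelated findings, so the IP observable should be compared as well.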

# Setup & Compile Instructions

## Get latest compiled binary from releases

1. Check the Releases section.

## Compile from source code

1. Make sure that you have a working Golang workspace.
2. `go build .`
   * `go build -ldflags="-s -w" .` could be used to customize compilation and produce a smaller binary.

## Using Public Container Registries

1. Thanks to the new CI/CD integration, the latest versions of built images are pushed to ghcr and DockerHub and can be pulled via:
   * `docker pull ghcr.io/kaansk/shomon`
   * `docker pull kaansk/shomon`

## Using Dockerfile

1. Edit the config file or provide environment variables to the commands below
2. `docker build -t shomon .`
3. `docker run -it shomon`

## Using docker-compose file

1. Edit environment variables and configurations in the docker-compose file
2. `docker-compose up -d`

# Credits

* Logo Made via LogoMakr.com
* shadowscatcher/shodan
* Dockerfile Reference
* Release management with GoReleaser
