Shodan Monitoring Integration For TheHive

ShoMon is a Shodan alert feeder for TheHive written in GoLang. With version 2.0, it is more powerful than ever!

Can be used as Webhook OR Stream listener

Webhook listener opens a restful API endpoint for Shodan to send alerts. This means you need to make this endpoint available to public net

Stream listener connects to Shodan and fetches/parses the alert stream
Utilizes shadowscatcher/shodan (fantastic work) for Shodan interaction.
Console logs are in JSON format and can be ingested by any other further log management tools
CI/CD via Github Actions ensures that a proper Release with changelogs, artifacts, images on ghcr and dockerhub will be provided
Provides a working docker-compose file file for TheHive, dependencies
Super fast and Super mini in size
Complete code refactoring in v2.0 resulted in more modular, maintainable code
Via conf file or environment variables alert specifics including tags, type, alert-template can be dynamically adjusted. See config file.
Full banner can be included in Alert with direct link to Shodan Finding.
IP is added to observables

Parameters should be provided via conf.yaml or environment variables. Please see config file and docker-compose file
After conf or environment variables are set simply issue command:

./shomon

Notes

Alert reference is first 6 chars of md5(“ip:port”)
Only 1 mod can be active at a time. Webhook and Stream listener can not be activated together.

Make sure that you have a working Golang workspace.
go build .
- go build -ldflags="-s -w" . could be used to customize compilation and produce smaller binary.

Thanks to new CI/CD integration, latest versions of built images are pushed to ghcr, DockerHub and can be utilized via:
- docker pull ghcr.io/kaansk/shomon
- docker pull kaansk/shomon