Mazey is an early-stage CLI reconnaissance tool for threat triage. It takes inbound noise such as automated scans, bots, and misconfigured devices and enriches it using various threat intelligence APIs like VirusTotal, Shodan, etc.
Mazey can be used with static mock data or integrated into an automated threat-intel pipeline (see below for an example 🛠).
Mazey is named in tribute to my cat. This is a personal project with long-term goals! 🐈
mazey <COMMAND> <ARGUMENT> [FLAGS]
- `blacklist [COUNT]` - Get a pool of IPs from the blacklist API (default 10)
- `ipreport <IP_ADDRESS>` - Get an IP address report
- `filereport <FILE_HASH>` - Get a file hash report
- `help [COMMAND]` - Show help for a command
- Go + Cobra + Fang (CLI framework / UX)
API_ENDPOINT=http://localhost:8080/blacklist
VT_API_KEY=your-virustotal-api-key
make build
mazey filereport 9b97edcbd8099796015c78bbf1723b35
- `make help` - list available targets
- `make build` - build binary
- `make run ARGS="..."` - run CLI with args
- `make fmt` - format Go code
- `make tidy` - clean module dependencies
- Finish `blacklist`'s functionality, not totally wired up yet
- Actually a "NOT TODO!": do not add more commands. Focus on making the existing ones better.
How Mazey automates threat intelligence gathering
[VPS cron job @ 03:00]
parse /var/log/auth.log for failed SSH attempts
|
v
write /tmp/blacklist.json (deduped IPs)
|
v
[Local sync script]
scp -> validate JSON -> atomic replace
/home/user/ip-blacklist/blacklist.json
|
v
[Go HTTP server]
GET /blacklist -> serves local JSON
|
v
[Mazey CLI]
reads API_ENDPOINT and enriches IPs
Purpose: generate a blacklist JSON from failed SSH login attempts.
- Input: `/var/log/auth.log`
- Filters: `Failed password` and `Invalid user`
- Output: `/tmp/blacklist.json`
- Schedule: daily at `03:00`
Reference cron entry:
0 3 * * * /usr/bin/grep -E "Failed password|Invalid user" /var/log/auth.log | /usr/bin/grep -oE '\b([0-9]{1,3}\.){3}[0-9]{1,3}\b' | /usr/bin/sort -u | /usr/bin/jq -Rsc 'split("\n") | map(select(length > 0)) | {blacklist: .}' > /tmp/blacklist.json
JSON structure example:
{"blacklist": ["1.2.3.4", "5.6.7.8"]}
Purpose: pull the JSON from VPS and safely update a local copy.
- Uses `flock` to prevent overlapping runs
- Uses `scp` to pull remote file
- Uses `jq` to verify `.blacklist` exists and is an array
- Uses atomic replace (`mv`) after validation
#!/usr/bin/env bash
set -euo pipefail
# ---- config ----
# placeholders are quoted so the shell does not read < and > as redirections
REMOTE="<user>@<vps-ip>:/tmp/blacklist.json"
TARGET="<path-to-local>/blacklist.json"
TMP="${TARGET}.tmp"
LOCK="${TARGET}.lock"
# ---- prevent overlapping runs ----
exec 9>"$LOCK"
flock -n 9 || exit 0
# ---- fetch -> validate -> atomic replace ----
scp -q "$REMOTE" "$TMP"
jq -e '.blacklist and (.blacklist | type == "array")' "$TMP" >/dev/null
mv "$TMP" "$TARGET"
echo "$(date '+%Y-%m-%d %H:%M:%S') sync ok"
Purpose: serve the local JSON file via a REST API for the Mazey CLI to consume.
A lightweight Go service that monitors the local JSON file and exposes it via a REST endpoint. This decouples the CLI from the filesystem and allows for future expansion (like a Web Dashboard).
- Port: `:8080`
- Endpoint: `/blacklist`
- Logic: Decodes the local `blacklist.json` and streams it to the Mazey CLI.
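One way to write the server described above, as an added example that is not Mazey's own code. The file name `blacklist.json` in the working directory, the loopback bind, and the dropping of unparsable, private and loopback entries are assumptions of this example.

```go
package main

import (
	"encoding/json"
	"log"
	"net/http"
	"net/netip"
	"os"
)

// Blacklist mirrors the {"blacklist": [...]} document written by the cron job.
type Blacklist struct{ Blacklist []string `json:"blacklist"` }

// loadBlacklist keeps only entries that parse as IP addresses (the cron regex
// also matches 999.1.1.1); dropping private/loopback ones is an assumption.
func loadBlacklist(path string) (Blacklist, error) {
	out := Blacklist{Blacklist: []string{}} // encodes as [] rather than null
	data, err := os.ReadFile(path)
	if err != nil {
		return out, err
	}
	var raw Blacklist
	if err := json.Unmarshal(data, &raw); err != nil {
		return out, err
	}
	for _, s := range raw.Blacklist {
		if a, err := netip.ParseAddr(s); err == nil && !a.IsPrivate() && !a.IsLoopback() {
			out.Blacklist = append(out.Blacklist, a.String())
		}
	}
	return out, nil
}

// blacklistHandler re-reads the file per request; a bad file yields 503.
func blacklistHandler(path string) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		bl, err := loadBlacklist(path)
		if err != nil {
			http.Error(w, "blacklist unavailable", http.StatusServiceUnavailable)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		json.NewEncoder(w).Encode(bl)
	}
}

func main() { // placeholder path; loopback bind matches API_ENDPOINT
	http.Handle("/blacklist", blacklistHandler("blacklist.json"))
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", nil))
}
```

Because the sync script replaces the file with `mv`, each request reads either the previous or the new complete file, never a half-written one.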


