CyberRemedy is a self-hosted, Security Information and Event Management (SIEM) system. It provides enterprise-grade threat detection, automated response, and real-time monitoring on a single machine — no cloud subscription, no licence fees, and no external data leaving your network. It was built to give small and medium-sized teams the same capabilities that large security operations centres use, including machine learning anomaly detection, MITRE ATT&CK mapping, SOAR playbooks, honeypots, and full log management.
git clone https://github.com/moon0deva/CyberRemedy.git
cd CyberRemedy
python3 -m venv venv
source venv/bin/activate
pip install -r requirements.txt
python main.py
sudo apt install arp-scan nmap # faster asset discovery
sudo setcap cap_net_raw # arp-scan
pip install netifaces==0.11.0 # more accurate network interface detection
pip install yara-python==4.5.1 # native YARA scanning (falls back to pure-Python)
Server starting on http://127.0.0.1:8000
nohup python3 main.py > cyberremedy.log 2>&1 &
echo $! > cyberremedy.pid # save PID for later
kill $(cat cyberremedy.pid) # to kill/stop
sudo nano /etc/systemd/system/cyberremedy.service Paste the following (adjust paths to match your install):
[Unit]
Description=CyberRemedy SOC Platform
After=network.target
[Service]
Type=simple
User=YOUR_USERNAME
WorkingDirectory=/path/to/CyberRemedy-v1 # PATH of the CyberRemedY
ExecStart=/path/to/CyberRemedy-v1/venv/bin/python3 main.py # PATH of the main.py
Restart=on-failure
RestartSec=5
[Install]
WantedBy=multi-user.target
ip addr show | grep 'inet ' | grep -v 127.0.0.1
sudo apt install rsyslog -y # install if missing
echo '*.* @@SERVER_IP:5514' | sudo tee -a /etc/rsyslog.conf
sudo systemctl restart rsyslog sudo apt install syslog-ng -y Add to /etc/syslog-ng/syslog-ng.conf: destination d_cr { tcp("SERVER_IP" port(5514)); }; log { source(s_src); destination(d_cr); };
sudo systemctl restart syslog-ng logger -n SERVER_IP -P 5514 -T "Test from $(hostname)"| Capability | Description |
|---|---|
| Signature-Based Detection | Detects known attack patterns such as port scans, brute-force attacks, C2 beaconing, DNS tunneling, and SQL injection in real time. |
| ML Anomaly Detection | Isolation Forest + Random Forest models learn your network baseline and flag deviations. |
| Attack Chain Correlation | Links related alerts into multi-step attack chains (Recon → Exploit → C2 → Exfil). |
| MITRE ATT&CK Mapping | Automatically tags alerts with techniques and tactics. |
| YARA Scanning | Scans packet payloads with built-in or custom rules. |
| Sigma Rules | Evaluates structured :contentReference detection rules against log streams. |
| UEBA (User & Entity Behavior Analytics) | Tracks per-entity baselines and raises anomaly alerts on deviations. |
| Honeypots | Includes six fake services (SSH, HTTP, FTP, Telnet, SMB, MySQL) that trigger alerts on any connection. |
| SOAR Playbooks | Automated response workflows — block, notify, escalate, run scripts. |
| Case Management | Full ticket lifecycle with SLA tracking and automatic case creation. |
| Asset Discovery | ARP + ping sweep finds all LAN devices; new devices generate rogue alerts. |
| GeoIP Mapping | Visual global map showing inbound alert origins by country. |
| Syslog Ingestion | Receives RFC 3164/5424 syslog via UDP/TCP on port 5514 (compatible with rsyslog and syslog-ng). |
| Windows Event Log Collection | Collects Windows Event Logs via the bundled agent over port 5515. |
| Email Alerting & Reporting | Sends CRITICAL/HIGH alerts and daily PDF reports via SMTP. |
| Firewall Automation | Blocks IPs automatically via iptables, ufw, nftables, or Windows Firewall. |