maltrail

by stamparm

stamparm / maltrail

Malicious traffic detection system

3.8K Stars 716 Forks Last release: 26 days ago (0.25) MIT License 42.1K Commits 16 Releases

Available items

No Items, yet!

The developer of this repository has not created any items for sale yet. Need a bug fixed? Help with integration? A different license? Create a request here:

Maltrail

Python 2.6|2.7|3.x License Malware families Malware sinkholes Twitter

Content

Introduction

Maltrail is a malicious traffic detection system, utilizing publicly available (black)lists containing malicious and/or generally suspicious trails, along with static trails compiled from various AV reports and custom user defined lists, where trail can be anything from domain name (e.g.

zvpprsensinaix.com
for Banjori malware), URL (e.g.
hXXp://109.162.38.120/harsh02.exe
for known malicious executable), IP address (e.g.
185.130.5.231
for known attacker) or HTTP User-Agent header value (e.g.
sqlmap
for automatic SQL injection and database takeover tool). Also, it uses (optional) advanced heuristic mechanisms that can help in discovery of unknown threats (e.g. new malware).

Reporting tool

The following (black)lists (i.e. feeds) are being utilized:

360chinad, 360conficker, 360cryptolocker, 360gameover, 360locky, 360necurs, 
360tofsee, 360virut, abuseipdb, alienvault, atmos, badips, 
bambenekconsultingc2dns, bambenekconsultingdga, bitcoinnodes, blackbook, 
blocklist, botscout, bruteforceblocker, ciarmy, cobaltstrike, cruzit, 
cybercrimetracker, dataplane, dshielddns, dshieldip, emergingthreatsbot, 
emergingthreatscip, emergingthreatsdns, feodotrackerip, greensnow, loki, 
malc0de, malwaredomainlistdns, malwaredomains, maxmind, minerchk, myip, 
openphish, palevotracker, policeman, pony, proxylists, proxyrss, proxyspy, 
ransomwaretrackerdns, ransomwaretrackerip, ransomwaretrackerurl, riproxies, 
rutgers, sblam, socksproxy, sslbl, sslproxies, talosintelligence, torproject, 
trickbot, turris, urlhaus, urlvir, vxvault, zeustrackermonitor, zeustrackerurl,
etc.

As of static entries, the trails for the following malicious entities (e.g. malware C&Cs or sinkholes) have been manually included (from various AV reports and personal research):

404, 9002, aboc, ab, acbackdoor, acridrain, activeagent, advisorbot, adwind, 
adylkuzz, adzok, afrodita, agaadex, agenttesla, aldibot, alina, allakore, 
almalocker, almashreq, alpha, alureon, amadey, amavaldo, amend_miner, ammyyrat, 
android_acecard, android_adrd, android_alienspy, android_anubis, 
android_arspam, android_asacub, android_backflash, android_bankbot, 
android_bankun, android_basbanke, android_basebridge, android_besyria, 
android_boxer, android_buhsam, android_busygasper, android_callerspy, 
android_camscanner, android_cerberus, android_chuli, android_claco, 
android_clickfraud, android_cometbot, android_coolreaper, android_copycat, 
android_counterclank, android_cyberwurx, android_dendoroid, android_dougalek, 
android_droidjack, android_droidkungfu, android_enesoluty, android_ewalls, 
android_ewind, android_exodus, android_exprespam, android_fakeapp, 
android_fakebanco, android_fakedown, android_fakeinst, android_fakelog, 
android_fakemart, android_fakemrat, android_fakeneflic, android_fakesecsuit, 
android_fanta, android_feabme, android_flexispy, android_fraudbot, 
android_frogonal, android_funkybot, android_geinimi, android_generic, 
android_geost, android_ghostpush, android_ginmaster, android_gmaster, 
android_godwon, android_golddream, android_goldencup, android_golfspy, 
android_gonesixty, android_gplayed, android_gustuff, android_henbox, 
android_hiddad, android_ibanking, android_joker, android_jsmshider, 
android_kbuster, android_kemoge, android_lockdroid, android_lotoor, 
android_lovetrap, android_malbus, android_maxit, android_mobstspy, 
android_monokle, android_notcompatible, android_oneclickfraud, android_opfake, 
android_ozotshielder, android_pikspam, android_pjapps, android_qdplugin, 
android_ransomware, android_redalert, android_remotecode, android_repane, 
android_riltok, android_roamingmantis, android_roidsec, android_rotexy, 
android_samsapo, android_sandrorat, android_selfmite, android_shadowvoice, 
android_shopper, android_simbad, android_simplocker, android_skullkey, 
android_sndapps, android_spytekcell, android_stels, android_swanalitics, 
android_teelog, android_telerat, android_tetus, android_tonclank, 
android_torec, android_triada, android_uracto, android_usbcleaver, 
android_viceleaker, android_walkinwat, android_windseeker, android_wirex, 
android_xavirad, android_xhelper, android_zertsecurity, android_ztorg, 
andromeda, antefrigus, antibot, anubis, anuna, apt_01, apt_09, apt_12, apt_17, 
apt_18, apt_23, apt_30, apt_33, apt_37, apt_38, apt_aridviper, apt_babar, 
apt_bahamut, apt_barium, apt_bisonal, apt_bitter, apt_blacktech, 
apt_blindeagle, apt_blueprint, apt_bookworm, apt_buhtrap, apt_calypso, 
apt_careto, apt_casper, apt_cdt, apt_chafer, apt_charmingkitten, apt_cleaver, 
apt_cloudatlas, apt_cobaltdickens, apt_commentcrew, apt_copykittens, 
apt_cosmicduke, apt_cyberbit, apt_darkhotel, apt_darkhydrus, apt_deadlykiss, 
apt_deeppanda, apt_desertfalcon, apt_dnspionage, apt_docless, 
apt_domestickitten, apt_donot, apt_dragonok, apt_duke, apt_dustsquad, 
apt_energeticbear, apt_equationgroup, apt_evapiks, apt_ezq, 
apt_familiarfeeling, apt_finfisher, apt_flame, apt_fruityarmor, apt_gallmaker, 
apt_gamaredon, apt_gaza, apt_glasses, apt_goblinpanda, apt_goldenbird, 
apt_goldenrat, apt_goldmouse, apt_gorgon, apt_gothicpanda, apt_gref, 
apt_greyenergy, apt_groundbait, apt_group5, apt_hackingteam, apt_hermit, 
apt_hogfish, apt_icefog, apt_innaput, apt_irn2, apt_irontiger, apt_ke3chang, 
apt_keyboy, apt_kimsuky, apt_lazarus, apt_leafminer, apt_lotusblossom, 
apt_luckymouse, apt_lyceum, apt_machete, apt_magichound, apt_menupass, 
apt_middleeast, apt_miniduke, apt_mudcarp, apt_muddywater, apt_mustangpanda, 
apt_naikon, apt_nettraveler, apt_newsbeef, apt_oceanlotus, apt_oilrig, 
apt_packrat, apt_patchwork, apt_pegasus, apt_pkplug, apt_platinum, 
apt_pokingthebear, apt_potao, apt_quarian, apt_quasar, apt_rancor, apt_reaper, 
apt_redbaldknight, apt_redoctober, apt_rnexus, apt_rocketman, apt_sandworm, 
apt_sauron, apt_scanbox, apt_scarcruft, apt_scarletmimic, apt_scieron, 
apt_sectora05, apt_shamoon, apt_shiqiang, apt_sidewinder, apt_silence, 
apt_simbaa, apt_snowman, apt_sobaken, apt_sofacy, apt_stealthfalcon, 
apt_stolenpencil, apt_stonedrill, apt_strongpity, apt_stuxnet, apt_ta2101, 
apt_ta428, apt_ta555, apt_tajmahal, apt_telebots, apt_tempperiscope, 
apt_temptingcedar, apt_tibet, apt_tick, apt_tortoiseshell, 
apt_transparenttribe, apt_turla, apt_tvrms, apt_unclassified, 
apt_volatilecedar, apt_weakestlink, apt_webky, apt_whitecompany, 
apt_wickedpanda, apt_windshift, apt_wirte, arcane, arec, ares, arkei, artro, 
aspire, asruex, astaroth, astrobot, asyncrat, athenagorat, atilla, 
atm_dispcash, atomlogger, attor, aurora, autoit, avalanche, avemaria, avrecon, 
axpergle, azorult, babybot, babyshark, bachosens, backnet, badblock, badrabbit, 
balamid, baldr, balkanrat, bamital, bandook, bankapol, bankerflux, bankpatch, 
banload, banprox, banwarum, barys, bayrob, beamwinhttp, beapy, bebloh, bedep, 
beebone, belonard, betabot, bezigaterat, biskvit, bitpaymer, bitshifter, 
blackmoon, blacknet, blacknixrat, blackrat, blackshades, blacksquid, blackworm, 
blockbuster, bluebananarat, bluebot, bluecrab, bobax, bolek, bolik, bondat, 
bondnet, borr, bot_mikrotik, bozokrat, bredolab, breut, brushaloader, bubnix, 
bucriv, buer, bulehero, bunitu, buran, buterat, butter, cactustorch, calfbot, 
camerashy, cannibalrat, capturatela, carberp, cardinalrat, casbaneiro, 
ccleaner_backdoor, ceidpagelock, cerber, chainshot, changeup, chanitor, 
chasebot, cheshire, chewbacca, chinachopper, chisbur, chthonic, cirenegrat, 
clientmeshrat, clipsa, cloudatlas, coalabot, cobalt, cobint, cometer, 
conficker, contopee, corebot, cotxrat, couponarific, criakl, cridex, crilock, 
crimsonrat, cryakl, crylocker, cryptbot, cryptfile2, cryptinfinite, 
cryptodefense, cryptolocker, cryptowall, cryptxxx, ctblocker, cutwail, 
cybergaterat, cythosia, dailyscriptlet, damoclis, danabot, dangerous, danji, 
darkcloud, darkcrystalrat, darkgate, darkrat, darkshell, darkware, dcrat, 
defru, delshad, denizkizi, deprimon, destory, dexter, dharma, diamondfoxrat, 
dimnie, dircrypt, dirtjumper, dmalocker, dmsniff, dnsbirthday, dnschanger, 
dnstrojan, dofoil, domen, dorifel, dorkbot, dorshel, dorv, drahma, drapion, 
dridex, dropnak, dualtoy, dupzom, dursg, dyreza, elf_aidra, elf_amnesiark, 
elf_billgates, elf_chalubo, elf_chinaz, elf_coinminer, elf_darlloz, 
elf_ddosman, elf_dofloo, elf_ekoms, elf_emptiness, elf_evilgnome, elf_gafgyt, 
elf_generic, elf_groundhog, elf_hacked_mint, elf_hajime, elf_hellobot, 
elf_hiddenwasp, elf_hideseek, elf_httpsd, elf_iotreaper, elf_kaiten, 
elf_kerberods, elf_lady, elf_mayhem, elf_mirai, elf_mokes, elf_mumblehard, 
elf_openssh_backdoorkit, elf_pacha, elf_pasteminer, elf_pinscan, elf_qbot, 
elf_ransomware, elf_rekoobe, elf_roboto, elf_routex, elf_shelldos, elf_skidmap, 
elf_slexec, elf_sshdoor, elf_sshscan, elf_themoon, elf_torii, elf_tunpot, 
elf_turla, elf_vpnfilter, elf_xbash, elf_xnote, elf_xorddos, elpman, emdivi, 
emogen, emotet, empirerat, eredel, escelar, esfur, evilbunny, evilgrab, 
evilnum, evoltinpos, evrial, expiro, fakben, fakeadobe, fakeav, fakeran, 
fantom, fareit, farseer, fastloader, fbi_ransomware, felixhttp, fiexp, 
fignotok, filespider, fin4, fin6, fin7, fin8, fin9, finderbot, findpos, floxif, 
fnumbot, fobber, formbook, fox, frankenstein, fraudload, fruitfly, ftcode, 
fudcrypt, fynloski, fysna, gamapos, gandcrab, gaudox, gauss, gbot, generic, 
germanwiper, gh0strat, ghostdns, ghost_miner, glitchpos, globeimposter, 
glupteba, gobotkr, gobrut, godzilla, goldbrute, golroted, gootkit, grandoreiro, 
grand, gravityrat, greamerat, gruntstager, gtbot, guildma, hacking_team, 
harnig, hawkball, hawkeye, helompy, heodo, hiddenbeer, hiddenbee, hiddencobra, 
hiddentear, hiloti, hinired, hisoka, hollow_miner, honeybee, hoplight, houdini, 
huntpos, hvncrat, hydracrypt, hydseven, icedid, imminentrat, immortal, 
infinityrat, injecto, innfirat, investimer, invisimole, ios_keyraider, 
ios_muda, ios_oneclickfraud, ios_realtimespy, ios_specter, ios_xcodeghost, 
iron, ismdoor, isodisk, ispy, isr, jackpos, jacksbot, jasperloader, javarat, 
jigsaw, jrat, jripbot, jsoutprox, jssloader, karkoff, kasidet, kazy, kbot, 
kegotip, keitaro, kelihos, keybase, khrat, killrabbit, killua, king_miner, 
kingslayer, kjw0rm, kolab, konni, koobface, korgo, korplug, kovter, kpot, 
kradellsh, kromagent, kronos, krown, krugbot, krypton, kuago_miner, kulekmoko, 
l0rdix, ladon, lampion, latentbot, legion_loader, limerat, litehttp, 
loadpcbanker, lockbit, locked, locky, loda, lokibot, lollipop, loocipher, 
loopbackrat, lostdoorrat, loud_miner, lucifer, luckycat, lucky, 
luminositylinkrat, luoxk, luxnetrat, mado_miner, magicpos, magniber, majikpos, 
mambashim, mamo, manabot, mancsyn, mandaph, maplebot, marap, mariposa, 
marmoolak, marsjoke, marut, masad, mastermana, matrix, matsnu, maze, mdrop, 
mebroot, medbot, medusahttp, megacortex, megalodonhttprat, megaopac, megumin, 
mekotio, mercurybot, mestep, metamorfo, midie, milkyboy, millionware, minedoor, 
minotaur, misogow, mispadu, miuref, modirat, modpos, monero_backdoor, 
monsterinstall, moonlight, moreeggs, morto, morty, mozart, muhstik, 
mysticalnet, nampohyu, nanocore, nbot, necurs, neko, nemeot, nemty, nemucod, 
neonwallet, neshuta, nestrat, netsupport, netwire, neutrinopos, newddosbot, 
newpos, nexlogger, ngioweb, nigelthorn, nionspy, nitol, nivdort, njrat, 
nodersok, nonbolqu, notpetya, notrobin, novaloader, novel_miner, novobot, 
novter, nozelesn, nucleartor, nuqel, nwt, nymaim, nymeria, obliquerat, odcodc, 
oficla, onkods, optima, orcusrat, oski, ostap, osx_bundlore, osx_coinminer, 
osx_coldroot, osx_generic, osx_gmera, osx_imuler, osx_keranger, osx_keydnap, 
osx_linker, osx_lol, osx_loselose, osx_macspy, osx_mami, osx_mokes, 
osx_mughthesec, osx_proton, osx_salgorea, osx_shlayer, osx_trikster, 
osx_wirelurker, padcrypt, pandabanker, paradoxrat, parallax, parasitehttprat, 
patchbrowse, paycrypt, pcastle, pcshare, pdfjsc, pepperat, peppyrat, 
perl_shellbot, perseusrat, petya, pghost, phoenix, phorpiex, photo_miner, 
phpstudyghost, phytob, picgoo, pift, pinkslipbot, pipka, piratematryoshka, 
piritebot, plasmarat, plead, plugx, plurox, poisonivy, poisonrat, ponmocup, 
poshcoder, pots, powelike, powerpool, powershell_injector, predatory, proced, 
propagate, prorat, proslikefan, prostoclipper, prostoloader, protonbot, prowli, 
proxyback, psixbot, punisherrat, pupyrat, purplefox, pushdo, pykspa, pyleet, 
pylocky, pypi_backdoor, pyrogenic, python_brost, python_injector, python_xwo, 
pyxierat, qakbot, qeallerrat, qrat, quadagent, quantloader, quasarrat, qulab, 
qwertminer, raasberry, raccoon, ragnarok, rajump, rakhni, ramdo, ramnit, 
ranion, ransirac, ransomed, rarog, razy, reactorbot, reaver, redaman, 
rediswannamine, redsip, reductor, remcos, remexirat, renocide, revcoderat, 
revengerat, reveton, revetrat, rincux, rmsrat, rombertik, rovnix, rozena, rtm, 
rubella, ruby_backdoor, ruftar, runforestrun, rustock, ryuk, saefkorat, sage, 
sakabota, sakari, sakurel, sality, samsam, sanny, satana, sathurbot, scanbox, 
scarcruft, scranos, sdbot, seaduke, sectoprat, sefnit, selfdel, severe, 
shadownet, shadowtechrat, shelma, shifu, shimrat, shiotob, shurl0ckr, shylock, 
siesta, silentbrute, silly, simda, sinkhole_360netlab, sinkhole_abuse, 
sinkhole_arbor, sinkhole_bitdefender, sinkhole_bitsight, sinkhole_blacklab, 
sinkhole_bomccss, sinkhole_botnethunter, sinkhole_certgovau, sinkhole_certpl, 
sinkhole_changeip, sinkhole_checkpoint, sinkhole_cirtdk, sinkhole_cncert, 
sinkhole_collector, sinkhole_conficker, sinkhole_cryptolocker, 
sinkhole_dnssinkhole, sinkhole_doombringer, sinkhole_drweb, sinkhole_dynadot, 
sinkhole_dyre, sinkhole_farsight, sinkhole_fbizeus, sinkhole_fireeye, 
sinkhole_fitsec, sinkhole_fnord, sinkhole_fraunhofer, sinkhole_gamaredon, 
sinkhole_gameoverzeus, sinkhole_georgiatech, sinkhole_gladtech, sinkhole_hyas, 
sinkhole_infosecjp, sinkhole_kaspersky, sinkhole_kryptoslogic, 
sinkhole_menupass, sinkhole_microsoft, sinkhole_noip, sinkhole_nowdns, 
sinkhole_oceanlotus, sinkhole_opendns, sinkhole_rsa, sinkhole_secureworks, 
sinkhole_securityscorecard, sinkhole_shadowserver, sinkhole_sidnlabs, 
sinkhole_sinkdns, sinkhole_sobaken, sinkhole_sofacy, sinkhole_spamandabuse, 
sinkhole_sugarbucket, sinkhole_supportintel, sinkhole_switch, sinkhole_tech, 
sinkhole_torpig, sinkhole_tsway, sinkhole_turla, sinkhole_unknown, 
sinkhole_vicheck, sinkhole_virustracker, sinkhole_vittalia, 
sinkhole_wapacklabs, sinkhole_xaayda, sinkhole_yourtrap, sinkhole_zinkhole, 
skeeyah, skidrat, skynet, skyper, slenfbot, sload, slserver, smallnetrat, 
smokebot, smokeloader, smominru, smsfakesky, snatch, snifula, snslocker, 
sockrat, sodinokibi, sohanad, sonoko, sorano, spideybot, spybotpos, spyeye, 
spygaterat, stabuniq, stantinko, stealzilla, strictor, supremebot, surtr, 
susafone, svproxy, swamprat, symmi, syndicasec, synolocker, syscon, sysrat, 
systembc, systemd_miner, sysworm, t1087, ta505, tables, taskmasters, tdss, 
teambot, teamspy, teerac, telebots, telegrab, terracotta, teslacrypt, tflower, 
tinba, tinynuke, tinypos, tofsee, tor_backdoor, torpig, torrentlocker, 
tovkater, travle, treasurehunter, trickbot, troldesh, tron, tscookie, tuhkit, 
tupym, turkojanrat, tvrat, tvspy, udpos, unruy, up007, upatre, urausy, urlzone, 
ursnif, vaimalandra, varenyky, vawtrak, vbcheman, vbrat, vidar, viknok, 
vinderuf, virobot, virtum, virusrat, virut, vittalia, vjw0rm, vobfus, 
vssdestroy, vundo, wacatac, waledac, wallyshack, wannacry, wannamine, waprox, 
warezov, webcobra, wecorl, wecoym, weecnaw, whiteshadow, wildfire, winnti, 
wndred, wofeksad, wolfresearch, wp-vcd, xadupi, xenotix, xpay, xshark, xtbl, 
xtrat, yenibot, yimfoca, yoursqldumps, zaletelly, zcrypt, zegost, zemot, 
zeroaccess, zeropadypt, zeus, zherotee, zlader, zloader, zlob, zombieboy, 
zombrari, zonidel, zusy, zxshell, zyklon, etc.

Architecture

Maltrail is based on the Traffic -> Sensor <-> Server <-> Client architecture. Sensor(s) is a standalone component running on the monitoring node (e.g. Linux platform connected passively to the SPAN/mirroring port or transparently inline on a Linux bridge) or at the standalone machine (e.g. Honeypot) where it "monitors" the passing Traffic for blacklisted items/trails (i.e. domain names, URLs and/or IPs). In case of a positive match, it sends the event details to the (central) Server where they are being stored inside the appropriate logging directory (i.e.

LOG_DIR
described in the Configuration section). If Sensor is being run on the same machine as Server (default configuration), logs are stored directly into the local logging directory. Otherwise, they are being sent via UDP messages to the remote server (i.e.
LOG_SERVER
described in the Configuration section).

Architecture diagram

Server's primary role is to store the event details and provide back-end support for the reporting web application. In default configuration, server and sensor will run on the same machine. So, to prevent potential disruptions in sensor activities, the front-end reporting part is based on the "Fat client" architecture (i.e. all data post-processing is being done inside the client's web browser instance). Events (i.e. log entries) for the chosen (24h) period are transferred to the Client, where the reporting web application is solely responsible for the presentation part. Data is sent toward the client in compressed chunks, where they are processed sequentially. The final report is created in a highly condensed form, practically allowing presentation of virtually unlimited number of events.

Note: Server component can be skipped altogether, and just use the standalone Sensor. In such case, all events would be stored in the local logging directory, while the log entries could be examined either manually or by some CSV reading application.

Quick start

The following set of commands should get your Maltrail Sensor up and running (out of the box with default settings and monitoring interface "any"):

  • For Debian/Ubuntu
sudo apt-get install git python-pcapy
git clone --depth 1 https://github.com/stamparm/maltrail.git
cd maltrail
sudo python sensor.py
  • For SUSE/openSUSE
sudo zypper install gcc gcc-c++ git libpcap-devel python-devel python2-pip
sudo pip2 install pcapy
git clone --depth 1 https://github.com/stamparm/maltrail.git
cd maltrail
sudo python sensor.py

Sensor

To start the (optional) Server on same machine, open a new terminal and execute the following:

[[ -d maltrail ]] || git clone --depth 1 https://github.com/stamparm/maltrail.git
cd maltrail
python server.py

Server

To test that everything is up and running execute the following:

ping -c 1 136.161.101.53
cat /var/log/maltrail/$(date +"%Y-%m-%d").log

Test

Also, to test the capturing of DNS traffic you can try the following:

nslookup morphed.ru
cat /var/log/maltrail/$(date +"%Y-%m-%d").log

Test2

To stop Sensor and Server instances (if running in background) execute the following:

sudo pkill -f sensor.py
pkill -f server.py

Access the reporting interface (i.e. Client) by visiting the http://127.0.0.1:8338 (default credentials:

admin:changeme!
) from your web browser:

Reporting interface

Administrator's guide

Sensor

Sensor's configuration can be found inside the

maltrail.conf
file's section
[Sensor]
:

Sensor's configuration

If option

USE_MULTIPROCESSING
is set to
true
then all CPU cores will be used. One core will be used only for packet capture (with appropriate affinity, IO priority and nice level settings), while other cores will be used for packet processing. Otherwise, everything will be run on a single core. Option
USE_FEED_UPDATES
can be used to turn off the trail updates from feeds altogether (and just use the provided static ones). Option
UPDATE_PERIOD
contains the number of seconds between each automatic trails update (Note: default value is set to
86400
(i.e. one day)) by using definitions inside the
trails
directory (Note: both Sensor and Server take care of the trails update). Option
CUSTOM_TRAILS_DIR
can be used by user to provide location of directory containing the custom trails (
*.txt
) files. Option
USE_HEURISTICS
turns on heuristic mechanisms (e.g.
long domain name (suspicious)
,
excessive no such domain name (suspicious)
,
direct .exe download (suspicious)
, etc.), potentially introducing false positives. Option
CAPTURE_BUFFER
presents a total memory (in bytes of percentage of total physical memory) to be used in case of multiprocessing mode for storing packet capture in a ring buffer for further processing by non-capturing processes. Option
MONITOR_INTERFACE
should contain the name of the capturing interface. Use value
any
to capture from all interfaces (if OS supports this). Option
CAPTURE_FILTER
should contain the network capture (
tcpdump
) filter to skip the uninteresting packets and ease the capturing process. Option
SENSOR_NAME
contains the name that should be appearing inside the events
sensor_name
value, so the event from one sensor could be distinguished from the other. If option
LOG_SERVER
is set, then all events are being sent remotely to the Server, otherwise they are stored directly into the logging directory set with option
LOG_DIR
, which can be found inside the
maltrail.conf
file's section
[All]
. In case that the option
UPDATE_SERVER
is set, then all the trails are being pulled from the given location, otherwise they are being updated from trails definitions located inside the installation itself.

When running the sensor (e.g.

sudo python sensor.py
) for the first time and/or after a longer period of non-running, it will automatically update the trails from trail definitions (Note: stored inside the
trails
directory). After the initialization, it will start monitoring the configured interface (option
MONITOR_INTERFACE
inside the
maltrail.conf
) and write the events to either the configured log directory (option
LOG_DIR
inside the
maltrail.conf
file's section
[All]
) or send them remotely to the logging/reporting Server (option
LOG_SERVER
).

Sensor run

Detected events are stored inside the Server's logging directory (i.e. option

LOG_DIR
inside the
maltrail.conf
file's section
[All]
) in easy-to-read CSV format (Note: whitespace ' ' is used as a delimiter) as single line entries consisting of:
time
sensor
src_ip
src_port
dst_ip
dst_port
proto
trail_type
trail
trail_info
reference
(e.g.
"2015-10-19 15:48:41.152513" beast 192.168.5.33 32985 8.8.8.8 53 UDP DNS 0000mps.webpreview.dsl.net malicious siteinspector.comodo.com
):

Sample log

Server

Server's configuration can be found inside the

maltrail.conf
section
[Server]
:

Server's configuration

Option

HTTP_ADDRESS
contains the web server's listening address (Note: use
0.0.0.0
to listen on all interfaces). Option
HTTP_PORT
contains the web server's listening port. Default listening port is set to
8338
. If option
USE_SSL
is set to
true
then
SSL/TLS
will be used for accessing the web server (e.g.
https://192.168.6.10:8338/
). In that case, option
SSL_PEM
should be pointing to the server's private/cert PEM file.

Subsection

USERS
contains user's configuration settings. Each user entry consists of the
username:sha256(password):UID:filter_netmask(s)
. Value
UID
represents the unique user identifier, where it is recommended to use values lower than 1000 for administrative accounts, while higher value for non-administrative accounts. The part
filter_netmask(s)
represents the comma-delimited hard filter(s) that can be used to filter the shown events depending on the user account(s). Default entry is as follows:

Configuration users

Option

UDP_ADDRESS
contains the server's log collecting listening address (Note: use
0.0.0.0
to listen on all interfaces), while option
UDP_PORT
contains listening port value. If turned on, when used in combination with option
LOG_SERVER
, it can be used for distinct (multiple) Sensor <-> Server architecture.

Option

FAIL2BAN_REGEX
contains the regular expression (e.g.
attacker|reputation|potential[^"]*(web scan|directory traversal|injection|remote code)
) to be used in
/fail2ban
web calls for extraction of today's attacker source IPs. This allows the usage of IP blocking mechanisms (e.g.
fail2ban
,
iptables
or
ipset
) by periodic pulling of blacklisted IP addresses from remote location. Example usage would be the following script (e.g. run as a
root
cronjob on a minute basis):
#!/bin/bash
ipset -q flush maltrail
ipset -q create maltrail hash:net
for ip in $(curl http://127.0.0.1:8338/fail2ban 2>/dev/null | grep -P '^[0-9.]+$'); do ipset add maltrail $ip; done
iptables -I INPUT -m set --match-set maltrail src -j DROP

Same as for Sensor, when running the Server (e.g.

python server.py
) for the first time and/or after a longer period of non-running, if option
USE_SERVER_UPDATE_TRAILS
is set to
true
, it will automatically update the trails from trail definitions (Note: stored inside the
trails
directory). Its basic function is to store the log entries inside the logging directory (i.e. option
LOG_DIR
inside the
maltrail.conf
file's section
[All]
) and provide the web reporting interface for presenting those same entries to the end-user (Note: there is no need install the 3rd party web server packages like Apache):

Server run

User's guide

Reporting interface

When entering the Server's reporting interface (i.e. via the address defined by options

HTTP_ADDRESS
and
HTTP_PORT
), user will be presented with the following authentication dialog. User has to enter the proper credentials that have been set by the server's administrator inside the configuration file
maltrail.conf
(Note: default credentials are
admin:changeme!
):

User login

Once inside, user will be presented with the following reporting interface:

Reporting interface

The top part holds a sliding timeline (Note: activated after clicking the current date label and/or the calendar icon Calendar icon) where user can select logs for past events (Note: mouse over event will trigger display of tooltip with approximate number of events for current date). Dates are grouped by months, where 4 month period of data are displayed inside the widget itself. However, by using the provided slider (i.e. Timeline slider) user can easily access events from previous months.

Timeline

Once clicking the date, all events for that particular date should be loaded and represented by the client's web browser. Depending on number of events and the network connection speed, loading and display of logged events could take from couple of seconds, up to several minutes (e.g. 100,000 events takes around 5 seconds in total). For the whole processing time, animated loader will be displayed across the disabled user interface:

Loader

Middle part holds a summary of displayed events.

Events
box represents total number of events in a selected 24-hour period, where red line represents IP-based events, blue line represents DNS-based events and yellow line represents URL-based events.
Sources
box represents number of events per top sources in form of a stacked column chart, with total number of sources on top.
Threats
box represents percentage of top threats in form of a pie chart (Note: gray area holds all threats having each <1% in total events), with total number of threats on top.
Trails
box represents percentage of top trails in form of a pie chart (Note: gray area holds all trails having each <1% in total events), with total number of trails on top. Each of those boxes are active, hence the click on one of those will result with a more detailed graph.

Summary

Bottom part holds a condensed representation of logged events in form of a paginated table. Each entry holds details for a single threat (Note: uniquely identified by a pair

(src_ip, trail)
or
(dst_ip, trail)
if the
src_ip
is the same as the
trail
as in case of attacks coming from the outside):

Single threat

Column

threat
holds threat's unique ID (e.g.
85fdb08d
) and color (Note: extruded from the threat's ID),
sensor
holds sensor name(s) where the event has been triggered (e.g.
blitvenica
),
events
holds total number of events for a current threat,
severity
holds evaluated severity of threat (Note: calculated based on values in
info
and
reference
columns, prioritizing malware generated traffic),
first_seen
holds time of first event in a selected (24h) period (e.g.
06th 08:21:54
),
last_seen
holds time of last event in a selected (24h) period (e.g.
06th 15:21:23
),
sparkline
holds a small sparkline graph representing threat's activity in selected period,
src_ip
holds source IP(s) of a threat (e.g.
99.102.41.102
),
src_port
holds source port(s) (e.g.
44556, 44589, 44601
),
dst_ip
holds destination IP(s) (e.g.
213.202.100.28
),
dst_port
holds destination port(s) (e.g.
80 (HTTP)
),
proto
holds protocol(s), (e.g.
TCP
),
trail
holds a blacklisted (or heuristic) entry that triggered the event(s),
info
holds more information about the threat/trail (e.g.
known attacker
for known attacker's IP addresses or
ipinfo
for known IP information service commonly used by malware during a startup),
reference
holds a source of the blacklisted entry (e.g.
(static)
for static trails or
myip.ms
for a dynamic feed retrieved from that same source) and
tags
holds user defined tags for a given trail (e.g.
APT28
).

When moving mouse over

src_ip
and
dst_ip
table entries, information tooltip is being displayed with detailed reverse DNS and WHOIS information (Note: RIPE is the information provider):

On mouse over IP

Event details (e.g.

src_port
,
dst_port
,
proto
, etc.) that differ inside same threat entry are condensed in form of a bubble icon (i.e. Ellipsis). This is performed to get an usable reporting interface with as less rows as possible. Moving mouse over such icon will result in a display of an information tooltip with all items held (e.g. all port numbers being scanned by
attacker
):

On mouse over bubble

Clicking on one such icon will open a new dialog containing all stored items (Note: in their uncondensed form) ready to be Copy-Paste(d) for further analysis:

Ctrl-C dialog

When hovering mouse pointer over the threat's trail for couple of seconds it will result in a frame consisted of results using the trail as a search term performed against DuckDuckGo search engine. In lots of cases, this provides basic information about the threat itself, eliminating the need for user to do the manual search for it. In upper right corner of the opened frame window there are two extra buttons. By clicking the first one (i.e. New tab icon), the resulting frame will be opened inside the new browser's tab (or window), while by clicking the second one (i.e. Close icon) will immediately close the frame (Note: the same action is achieved by moving the mouse pointer outside the frame borders):

On mouse over trail

For each threat there is a column

tag
that can be filled with arbitrary "tags" to closely describe all threats sharing the same trail. Also, it is a great way to describe threats individually, so all threats sharing the same tag (e.g.
yahoo
) could be grouped out later:

Tags

Real-life cases

In the following section some of the "usual suspects" scenarios will be described through the real-life cases.

Mass scans

Mass scans is a fairly common phenomenon where individuals and/or organizations give themselves a right to scan the whole 0.0.0.0/0 IP range (i.e. whole Internet) on a daily basis, with disclaimer where they say that if you don't like it then you should contact them privately to be skipped from future scans.

Shodan FileZilla results

To make stuff worse, organizations as Shodan and ZoomEye give all results freely available (to other potential attackers) through their search engine. In the following screenshots you'll see details of Shodan scans in one single day.

Here is a reverse DNS and WHOIS lookup of the "attacker"'s address:

Shodan 1

When hovering mouse pointer over the

trail
column's content (IP address), you'll be presented with the search results from DuckDuckGo where you'll be able to find more information about the "attacker" (i.e. Shodan):

Shodan 2

In the

dst_ip
column, if you have a large organization, you'll be presented with large list of scanned IP addresses: Shodan 3

In the

dst_port
column you'll be able to see all ports that have been scanned by such mass scans:

Shodan 4

In other similar situations you'll see the same behaviour, coming from blacklisted individual attacker(s) (in this case by cinsscore.com):

Known attacker

One more common behaviour is scanning of the whole 0.0.0.0/0 IP range (i.e. Internet) in search for one particular port (e.g. TCP port 443 when Heartbleed has been found). In the following screenshot you'll find one such case for previously blacklisted attacker(s) (in this case by alienvault.com and two other blacklists) targeting the UDP port 5060 (i.e. SIP) in search for misconfigured VoIP devices:

SIP scan

Anonymous attackers

To spot the potential attackers hidden behind the Tor anonymity network, Maltrail utilizes publicly available lists of Tor exit nodes. In the following screenshot you'll see a case where potential attacker has been utilizing the Tor network to access the web target (over HTTP) in our organization's range in suspicious way (total 171 connection requests in 10 minutes):

Tor attacker

Service attackers

Fairly similar case to the previous one is when previously blacklisted attacker tries to access particular (e.g. non-HTTP(s)) service in our organization's range in rather suspicious way (i.e. total 1513 connection attempts in less than 15 minutes):

RDP brute force

If we enter the

ssh attacker
to the
Filter
field, we'll be able to see all similar occurrences for that day, but in this case for port 22 (i.e. SSH):

SSH attackers filter

Malware

In case of connection attempts coming from infected computers inside our organization toward already known C&C servers, you'll be able to find threats similar to the following (in this case Beebone):

beebone malware

In case of DNS requests containing known DGA domain names, threat will be shown like (in this case Necurs):

necurs malware

In the following case file downloads from blacklisted (in this case by malwarepatrol.net) URL(s) have occurred:

malware download

If we enter the particular malware name (in this case Ramnit) into the

Filter
field, only threats that are known to be linked to this malware will be filtered in (showing you all affected internal computers):

ramnit malware

More generally, if we enter the

malware
into the
Filter
field, all threats that have been found by malware(-related) trails (e.g.
IP
addresses) will be filtered in:

malware filter

Suspicious domain lookups

Maltrail uses the static list of TLD domains that are known to be commonly involved in suspicious activities. Most such TLD domains are coming from free domain registrars (e.g. Freenom), hence they should be under greater scrutiny. In the following screenshot we can find a case where one such TLD domain

.cm
has been used by unknown malware using the DGA algorithm to contact its C&C server(s):

cm DGA

There are also cases when perfectly valid TLD domains (e.g.

.ru
) are used for suspicious activities, such in this case (e.g.
long domain name (suspicious)
) where the domains are obviously DGA generated by unknown malware:

Suspicious long domains

Maltrail uses static list of so-called "dynamic domains" that are often used in suspicious activities (e.g. for malware C&C servers that often change the destination's IP addresses):

Suspicious dynamic domains

Also, Maltrail uses static list of "onion"-related domains that are also often used in suspicious activities (e.g. malware contacting C&C servers by using Tor2Web service(s)):

Suspicious onion

In case of old and/or obsolete malware that sits undetected on organization's infected internal computers, there is often a "phenomenon" where malware continuously tries to contact the long dead C&C server's domain without any DNS resolution. Hence, those kind of (potential) threats will be marked as

excessive no such domain (suspicious)
:

Excessive no such domain name

In case that one trail is responsible for too many threats (e.g. in case of fake source IPs like in DNS amplification attacks), all similar threats will be grouped under a single

flood
threat (Note: threat's ID will be marked with suffix
F0
), like in the following example:

Flood

Suspicious ipinfo requests

Lots of malware uses some kind of

ipinfo
service (e.g. ipinfo.io) to find out the victim's Internet IP address. In case of regular and especially in out-of-office hours, those kind of requests should be closely monitored, like in the following example:

suspicious ipinfo

By using filter

ipinfo
all potentially infected computers in our organization's range can be listed that share this kind of suspicious behaviour:

ipinfo filter

Suspicious direct file downloads

Maltrail tracks all suspicious direct file download attempts (e.g.

.apk
,
.bin
,
.class
, .
chm
,
.dll
,
.egg
,
.exe
,
.hta
,
.hwp
,
.ps1
,
.scr
,
.sct
and
.xpi
file extensions). This can trigger lots of false positives, but eventually could help in reconstruction of the chain of infection (Note: legitimate service providers, like Google, usually use encrypted HTTPS to perform this kind of downloads):

Direct .exe download

Suspicious HTTP requests

In case of suspicious requests coming from outer web application security scanners (e.g. searching for SQLi, XSS, LFI, etc. vulnerabilities) and/or the internal user malicious attempts toward unknown web sites, threats like the following could be found (real case of attackers trying to exploit Joomla! CMS CVE-2015-7297, CVE-2015-7857, and CVE-2015-7858 vulnerabilities):

SQLi com_contenthistory

In following example, web application vulnerability scan has been marked as "suspicious":

Vulnerability scan

If we click on the bubble icon (i.e. Ellipsis) for details and copy paste the whole content to a textual file, we'll be able to see all suspicious HTTP requests:

Vulnerability scan requests

In the following screenshot, a run of popular SQLi vulnerability tool sqlmap can be found inside our logs:

sqlmap scan requests

Port scanning

In case of too many connection attempts toward considerable amount of different TCP ports, Maltrail will warn about the potential port scanning, as a result of its heuristic mechanism detection. It the following screenshot such warning(s) can be found for a run of popular port scanning tool nmap:

nmap scan

DNS resource exhaustion

One popular DDoS attack against the web server(s) infrastructure is the resource exhaustion of its (main) DNS server by making valid DNS recursion queries for (pseudo)random subdomain names (e.g.

abpdrsguvjkyz.www.dedeni.com
):

DNS resource exhaustion

Data leakage

Miscellaneous programs (especially mobile-based) present malware(-like) behaviour where they send potentially sensitive data to the remote beacon posts. Maltrail will try to capture such behaviour like in the following example:

Data leakage

False positives

Like in all other security solutions, Maltrail is prone to "false positives". In those kind of cases, Maltrail will (especially in case of

suspicious
threats) record a regular user's behaviour and mark it as malicious and/or suspicious. In the following example it can be seen that a blacklist feed provider
blocklist.de
marked regular Google server as
attacker
(s), resulting with the following threat:

Google false positive 1

By hovering mouse over the trail, frame with results from DuckDuckGo search show that this is a regular Google's server:

Google false positive 2

As another example, access to regular

.work
domains (popular TLD for malicious purposes) resulted with the following threat:

Suspicious domain false positive

Nevertheless, administrator(s) should invest some extra time and check (with other means) whether the "suspicious" means malicious or not, as in the following example:

Suspicious .ws

Requirements

To properly run the Maltrail, Python 2.6, 2.7 or 3.x is required, together with pcapy (e.g.

sudo apt-get install python-pcapy
). There are no other requirements, other than to run the Sensor component with the administrative/root privileges.

Best practice(s)

  1. Install Maltrail:
  • On Debian/Ubuntu Linux OS

    sudo apt-get install git python-pcapy
    cd /tmp
    git clone --depth 1 https://github.com/stamparm/maltrail.git
    sudo mv /tmp/maltrail /opt
    sudo chown -R $USER:$USER /opt/maltrail
    
  • On SUSE/openSUSE Linux OS

   sudo zypper install gcc gcc-c++ git libpcap-devel python-devel python2-pip
   sudo pip2 install pcapy
   cd /tmp
   git clone --depth 1 https://github.com/stamparm/maltrail.git
   sudo mv /tmp/maltrail /opt
   sudo chown -R $USER:$USER /opt/maltrail
  1. Set working environment:

    sudo mkdir -p /var/log/maltrail
    sudo mkdir -p /etc/maltrail
    sudo cp /opt/maltrail/maltrail.conf /etc/maltrail
    sudo nano /etc/maltrail/maltrail.conf
    
  2. Set running environment:

* `crontab -e  # autostart server & periodic update`

*/5 * * * * if [ -n "$(ps -ef | grep -v grep | grep 'server.py')" ]; then : ; else python /opt/maltrail/server.py -c /etc/maltrail/maltrail.conf; fi
0 1 * * * cd /opt/maltrail &amp;&amp; git pull
  • sudo crontab -e # autostart sensor &amp; periodic restart
*/1 * * * * if [ -n "$(ps -ef | grep -v grep | grep 'sensor.py')" ]; then : ; else python /opt/maltrail/sensor.py -c /etc/maltrail/maltrail.conf; fi
2 1 * * * /usr/bin/pkill -f maltrail

License

This software is provided under a MIT License. See the accompanying LICENSE file for more information.

Developers

Presentations

  • 47th TF-CSIRT Meeting, Prague (Czech Republic), 2016 (slides)

Blacklist

  • Maltrail's daily updated blacklist of malware-related domains can be found here. It is based on trails found at trails/static/malware and can be used for DNS traffic blocking purposes.

Thank you

  • Thomas Kristner
  • Eduardo Arcusa Les
  • James Lay
  • Ladislav Baco (@laciKE)
  • John Kristoff (@jtkdpu)
  • Michael Münz (@mimugmail)
  • David Brush
  • @Godwottery

Third-party integrations

1 Using (only) trails

We use cookies. If you continue to browse the site, you agree to the use of cookies. For more information on our use of cookies please see our Privacy Policy.