{"id":13398251,"url":"https://github.com/stamparm/maltrail","last_synced_at":"2026-03-01T01:01:08.991Z","repository":{"id":24170696,"uuid":"27561102","full_name":"stamparm/maltrail","owner":"stamparm","description":"Malicious traffic detection system","archived":false,"fork":false,"pushed_at":"2026-02-25T16:10:59.000Z","size":29811,"stargazers_count":8243,"open_issues_count":88,"forks_count":1245,"subscribers_count":233,"default_branch":"master","last_synced_at":"2026-02-25T17:55:38.315Z","etag":null,"topics":["attack-detection","intrusion-detection","malware","network-monitoring","python","security","sensor"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/stamparm.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG","contributing":".github/CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":".github/CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":"CITATION.cff","codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2014-12-04T21:33:46.000Z","updated_at":"2026-02-25T16:15:55.000Z","dependencies_parsed_at":"2023-09-27T20:04:42.346Z","dependency_job_id":"5a5083c6-4bcf-4679-9aa1-2dd6219b0e87","html_url":"https://github.com/stamparm/maltrail","commit_stats":{"total_commits":78172,"total_committers":46,"mean_commits":1699.391304347826,"dds":0.04615463337256309,"last_synced_commit":"7020b0bbfbaa4eb0c938ab78d8bb64b66f0290c1"},"previous_names":[],"tags_count":80,"template":false,"template_full_name":null,"purl":"pkg:github/stamparm/maltrail","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stamparm%2Fmaltrail","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stamparm%2Fmaltrail/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stamparm%2Fmaltrail/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stamparm%2Fmaltrail/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/stamparm","download_url":"https://codeload.github.com/stamparm/maltrail/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stamparm%2Fmaltrail/sbom","scorecard":{"id":571847,"data":{"date":"2025-08-11","repo":{"name":"github.com/stamparm/maltrail","commit":"bf5b36fddf759fcbd300f50106d314ae207b7423"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":5.3,"checks":[{"name":"Code-Review","score":0,"reason":"Found 0/30 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Maintained","score":10,"reason":"30 commit(s) and 15 issue activity found in the last 90 days -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Security-Policy","score":10,"reason":"security policy file detected","details":["Info: security policy file detected: SECURITY.md:1","Info: Found linked content: SECURITY.md:1","Info: Found disclosure, vulnerability, and/or timelines in security policy: SECURITY.md:1","Info: Found text in security policy: SECURITY.md:1"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: no topLevel permission defined: .github/workflows/docker-release.yml:1","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"SAST","score":0,"reason":"no SAST tool detected","details":["Warn: no pull requests merged into dev branch"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: MIT License: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Vulnerabilities","score":10,"reason":"0 existing vulnerabilities detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}},{"name":"Packaging","score":10,"reason":"packaging workflow detected","details":["Info: Project packages its releases by way of GitHub Actions.: .github/workflows/docker-release.yml:9"],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"Branch-Protection","score":0,"reason":"branch protection not enabled on development/release branches","details":["Warn: branch protection not enabled for branch 'master'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/docker-release.yml:14: update your workflow using https://app.stepsecurity.io/secureworkflow/stamparm/maltrail/docker-release.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/docker-release.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/stamparm/maltrail/docker-release.yml/master?enable=pin","Warn: containerImage not pinned by hash: docker/Dockerfile:1: pin your Docker image by updating python:3 to python:3@sha256:3b2f1b9c9948e9dc96e1a2f4668ba9870ff43ab834f91155697476142b3bc299","Warn: pipCommand not pinned by hash: docker/Dockerfile:20","Info:   0 out of   1 GitHub-owned GitHubAction dependencies pinned","Info:   0 out of   1 third-party GitHubAction dependencies pinned","Info:   0 out of   1 pipCommand dependencies pinned","Info:   0 out of   1 containerImage dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}}]},"last_synced_at":"2025-08-20T16:33:09.633Z","repository_id":24170696,"created_at":"2025-08-20T16:33:09.633Z","updated_at":"2025-08-20T16:33:09.633Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29957128,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-28T22:53:01.873Z","status":"ssl_error","status_checked_at":"2026-02-28T22:52:50.699Z","response_time":90,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["attack-detection","intrusion-detection","malware","network-monitoring","python","security","sensor"],"created_at":"2024-07-30T19:00:21.032Z","updated_at":"2026-03-01T01:01:08.931Z","avatar_url":"https://github.com/stamparm.png","language":"Python","funding_links":[],"categories":["Tools","Python","\u003ca id=\"tag-dev\" href=\"#tag-dev\"\u003eDev\u003c/a\u003e","Network","\u003ca id=\"79499aeece9a2a9f64af6f61ee18cbea\"\u003e\u003c/a\u003e浏览嗅探\u0026\u0026流量拦截\u0026\u0026流量分析\u0026\u0026中间人","\u003ca id=\"7bf0f5839fb2827fdc1b93ae6ac7f53d\"\u003e\u003c/a\u003e工具","Links","Python (1887)","Other Lists","Others","security","安全监控","Security monitoring","Repos","扫描器_资产收集_子域名","🚀 DevOps \u0026 Infrastructure"],"sub_categories":["Traffic","\u003ca id=\"tag-dev.security\" href=\"#tag-dev.security\"\u003eSecurity\u003c/a\u003e","Other Resources","\u003ca id=\"99398a5a8aaf99228829dadff48fb6a7\"\u003e\u003c/a\u003e未分类-Network","\u003ca id=\"471c124b012dbde8ea3288f35667efc8\"\u003e\u003c/a\u003e流量检测","Incident Response","LAB","🧪 LAB","网络安全监控（NSM）","IDS / IPS / Host IDS / Host IPS","Network Security Monitoring (NSM)","资源传输下载"],"readme":"![Maltrail](https://i.imgur.com/3xjInOD.png)\n\n[![Python 2.6|2.7|3.x](https://img.shields.io/badge/python-2.6|2.7|3.x-yellow.svg)](https://www.python.org/) [![License](https://img.shields.io/badge/license-MIT-red.svg)](https://github.com/stamparm/maltrail#license) [![X](https://img.shields.io/badge/X-%40maltrail-black.svg)](https://x.com/maltrail)\n\n## Content\n\n- [Introduction](#introduction)\n- [Architecture](#architecture)\n- [Demo pages](#demo-pages)\n- [Requirements](#requirements)\n- [Quick start](#quick-start)\n- [Administrator's guide](#administrators-guide)\n - [Sensor](#sensor)\n - [Server](#server)\n- [User's guide](#users-guide)\n - [Reporting interface](#reporting-interface)\n- [Real-life cases](#real-life-cases)\n - [Mass scans](#mass-scans)\n - [Anonymous attackers](#anonymous-attackers)\n - [Service attackers](#service-attackers)\n - [Malware](#malware)\n - [Suspicious domain lookups](#suspicious-domain-lookups)\n - [Suspicious ipinfo requests](#suspicious-ipinfo-requests)\n - [Suspicious direct file downloads](#suspicious-direct-file-downloads)\n - [Suspicious HTTP requests](#suspicious-http-requests)\n - [Port scanning](#port-scanning)\n - [DNS resource exhaustion](#dns-resource-exhaustion)\n - [Data leakage](#data-leakage)\n - [False positives](#false-positives)\n- [Best practice(s)](#best-practices)\n- [License](#license)\n- [Sponsors](#sponsors)\n- [Developers](#developers)\n- [Presentations](#presentations)\n- [Publications](#publications)\n- [Blacklist](#blacklist)\n- [Thank you](#thank-you)\n- [Third-party integrations](#third-party-integrations)\n\n## Introduction\n\n**Maltrail** is a malicious traffic detection system, utilizing publicly available (black)lists containing malicious and/or generally suspicious trails, along with static trails compiled from various AV reports and custom user defined lists, where a trail can be anything from a domain name (e.g. `zvpprsensinaix.com` for [Banjori](https://bin.re/blog/the-dga-of-banjori/) malware), URL (e.g. `hXXp://109.162.38.120/harsh02.exe` for known malicious [executable](https://www.virustotal.com/en/file/61f56f71b0b04b36d3ef0c14bbbc0df431290d93592d5dd6e3fffcc583ec1e12/analysis/)), IP address (e.g. `185.130.5.231` for known attacker) or HTTP User-Agent header value (e.g. `sqlmap` for automatic SQL injection and database takeover tool). Also, it uses (optional) advanced heuristic mechanisms that can help in the discovery of unknown threats (e.g. new malware).\n\n![Reporting tool](https://i.imgur.com/Sd9eqoa.png)\n\nThe following (black)lists (i.e. feeds) are being utilized:\n\n```\n360bigviktor, 360chinad, 360conficker, 360cryptolocker, 360gameover, \n360locky, 360necurs, 360suppobox, 360tofsee, 360virut, abuseipdb, alienvault, \natmos, badips, bitcoinnodes, blackbook, blocklist, botscout, \nbruteforceblocker, ciarmy, cobaltstrike, cruzit, cybercrimetracker, \ndataplane, dshieldip, emergingthreatsbot, emergingthreatscip, \nemergingthreatsdns, feodotrackerip, gpfcomics, greensnow, ipnoise,\nkriskinteldns, kriskintelip, malc0de, malwaredomainlistdns, malwaredomains,\nmaxmind, minerchk, myip, openphish, palevotracker, policeman, pony,\nproxylists, proxyrss, proxyspy, ransomwaretrackerdns, ransomwaretrackerip, \nransomwaretrackerurl, riproxies, rutgers, sblam, socksproxy, sslbl, \nsslproxies, talosintelligence, torproject, trickbot, turris, urlhaus, \nviriback, vxvault, zeustrackermonitor, zeustrackerurl, etc.\n```\n\nAs for static entries, the trails for the following malicious entities (e.g. malware C\u0026Cs or sinkholes) have been manually included (from various AV reports and personal research):\n\n```\n1ms0rry, 404, 9002, aboc, absent, ab, acbackdoor, acridrain, activeagent, \nadrozek, advisorbot, adwind, adylkuzz, adzok, afrodita, agaadex, agenttesla, \naldibot, alina, allakore, almalocker, almashreq, alpha, alureon, amadey, \namavaldo, amend_miner, ammyyrat, android_acecard, android_actionspy, \nandroid_adrd, android_ahmythrat, android_alienspy, android_andichap, \nandroid_androrat, android_anubis, android_arspam, android_asacub, \nandroid_backflash, android_bankbot, android_bankun, android_basbanke, \nandroid_basebridge, android_besyria, android_blackrock, android_boxer, \nandroid_buhsam, android_busygasper, android_calibar, android_callerspy, \nandroid_camscanner, android_cerberus, android_chuli, android_circle, \nandroid_claco, android_clickfraud, android_cometbot, android_cookiethief, \nandroid_coolreaper, android_copycat, android_counterclank, android_cyberwurx, \nandroid_darkshades, android_dendoroid, android_dougalek, android_droidjack, \nandroid_droidkungfu, android_enesoluty, android_eventbot, android_ewalls, \nandroid_ewind, android_exodus, android_exprespam, android_fakeapp, \nandroid_fakebanco, android_fakedown, android_fakeinst, android_fakelog, \nandroid_fakemart, android_fakemrat, android_fakeneflic, android_fakesecsuit, \nandroid_fanta, android_feabme, android_flexispy, android_fobus, \nandroid_fraudbot, android_friend, android_frogonal, android_funkybot, \nandroid_gabas, android_geinimi, android_generic, android_geost, \nandroid_ghostpush, android_ginmaster, android_ginp, android_gmaster, \nandroid_gnews, android_godwon, android_golddream, android_goldencup, \nandroid_golfspy, android_gonesixty, android_goontact, android_gplayed, \nandroid_gustuff, android_gypte, android_henbox, android_hiddad, \nandroid_hydra, android_ibanking, android_joker, android_jsmshider, \nandroid_kbuster, android_kemoge, android_ligarat, android_lockdroid, \nandroid_lotoor, android_lovetrap, android_malbus, android_mandrake, \nandroid_maxit, android_mobok, android_mobstspy, android_monokle, \nandroid_notcompatible, android_oneclickfraud, android_opfake, \nandroid_ozotshielder, android_parcel, android_phonespy, android_pikspam, \nandroid_pjapps, android_qdplugin, android_raddex, android_ransomware, \nandroid_redalert, android_regon, android_remotecode, android_repane, \nandroid_riltok, android_roamingmantis, android_roidsec, android_rotexy, \nandroid_samsapo, android_sandrorat, android_selfmite, android_shadowvoice, \nandroid_shopper, android_simbad, android_simplocker, android_skullkey, \nandroid_sndapps, android_spynote, android_spytekcell, android_stels, \nandroid_svpeng, android_swanalitics, android_teelog, android_telerat, \nandroid_tetus, android_thiefbot, android_tonclank, android_torec, \nandroid_triada, android_uracto, android_usbcleaver, android_viceleaker, \nandroid_vmvol, android_walkinwat, android_windseeker, android_wirex, \nandroid_wolfrat, android_xavirad, android_xbot007, android_xerxes, \nandroid_xhelper, android_xploitspy, android_z3core, android_zertsecurity, \nandroid_ztorg, andromeda, antefrigus, antibot, anubis, anuna, apocalypse, \napt_12, apt_17, apt_18, apt_23, apt_27, apt_30, apt_33, apt_37, apt_38, \napt_aridviper, apt_babar, apt_bahamut, etc.\n```\n\n## Architecture\n\nMaltrail is based on the **Traffic** -\u0026gt; **Sensor** \u0026lt;-\u0026gt; **Server** \u0026lt;-\u0026gt; **Client** architecture. **Sensor**(s) is a standalone component running on the monitoring node (e.g. Linux platform connected passively to the SPAN/mirroring port or transparently inline on a Linux bridge) or at the standalone machine (e.g. Honeypot) where it \"monitors\" the passing **Traffic** for blacklisted items/trails (i.e. domain names, URLs and/or IPs). In case of a positive match, it sends the event details to the (central) **Server** where they are being stored inside the appropriate logging directory (i.e. `LOG_DIR` described in the *Configuration* section). If **Sensor** is being run on the same machine as **Server** (default configuration), logs are stored directly into the local logging directory. Otherwise, they are being sent via UDP messages to the remote server (i.e. `LOG_SERVER` described in the *Configuration* section).\n\n![Architecture diagram](https://i.imgur.com/2IP9Mh2.png)\n\n**Server**'s primary role is to store the event details and provide back-end support for the reporting web application. In default configuration, server and sensor will run on the same machine. So, to prevent potential disruptions in sensor activities, the front-end reporting part is based on the [\"Fat client\"](https://en.wikipedia.org/wiki/Fat_client) architecture (i.e. all data post-processing is being done inside the client's web browser instance). Events (i.e. log entries) for the chosen (24h) period are transferred to the **Client**, where the reporting web application is solely responsible for the presentation part. Data is sent toward the client in compressed chunks, where they are processed sequentially. The final report is created in a highly condensed form, practically allowing presentation of virtually unlimited number of events.\n\nNote: **Server** component can be skipped altogether, and just use the standalone **Sensor**. In such case, all events would be stored in the local logging directory, while the log entries could be examined either manually or by some CSV reading application.\n\n## Demo pages\n\nFully functional demo pages with collected real-life threats can be found [here](https://maltraildemo.github.io/).\n\n## Requirements\n\nTo run Maltrail properly, [Python](https://www.python.org/download/) **2.6**, **2.7** or **3.x** is required on \\*nix/BSD system, together with installed [pcapy-ng](https://pypi.org/project/pcapy-ng/) package.\n\n**NOTE:** Please use ```pcapy-ng```. The older ```pcapy``` library is deprecated and causes issues in Python 3 environments. [Examples](https://github.com/stamparm/maltrail/issues?q=label%3Apcapy-ng-related+is%3Aclosed).\n\n- **Sensor** component requires at least 1GB of RAM to run in single-process mode or more if run in multiprocessing mode, depending on the value used for option `CAPTURE_BUFFER`. Additionally, **Sensor** component (in the general case) requires administrative/root privileges.\n\n- **Server** component does not have any special requirements.\n\n## Quick start\n\nThe following set of commands should get your Maltrail **Sensor** up and running (out of the box with default settings and monitoring interface \"any\"):\n\n- For **Ubuntu/Debian**\n\n```sh\nsudo apt-get install git python3 python3-dev python3-pip python-is-python3 libpcap-dev build-essential procps schedtool\nsudo pip3 install pcapy-ng\ngit clone --depth 1 https://github.com/stamparm/maltrail.git\ncd maltrail\nsudo python3 sensor.py\n```\n\n- For **SUSE/openSUSE**\n\n```sh\nsudo zypper install gcc gcc-c++ git libpcap-devel python3-devel python3-pip procps schedtool\nsudo pip3 install pcapy-ng\ngit clone --depth 1 https://github.com/stamparm/maltrail.git\ncd maltrail\nsudo python3 sensor.py\n```\n\nDon't forget to put interfaces in promiscuous mode as needed: \n\n```sh\nfor dev in $(ifconfig | grep mtu | grep -Eo '^\\w+'); do ifconfig $dev promisc; done\n```\n\n![Sensor](https://i.imgur.com/E9tt2ek.png)\n\nTo start the (optional) **Server** on same machine, open a new terminal and execute the following:\n\n```sh\n[[ -d maltrail ]] || git clone --depth 1 https://github.com/stamparm/maltrail.git\ncd maltrail\npython server.py\n```\n\n![Server](https://i.imgur.com/loGW6GA.png)\n\n- For **Docker**\n\nCurrently only the server is available as a container image.\n\nStart the container with `docker run`: \n\n```sh\n# Build image\n# Start the server\ndocker run -d --name maltrail --restart=unless-stopped -p 8338:8338/tcp -p 8337:8337/udp -v /etc/maltrail.conf:/opt/maltrail/maltrail.conf:ro ghcr.io/stamparm/maltrail:latest\n# Update the image regularly\ndocker stop maltrail\ndocker pull ghcr.io/stamparm/maltrail:latest\ndocker start maltrail\n```\n\nIf you need a fixed version, change the `docker run` command to not start `ghcr.io/stamparm/maltrail:latest` but for example `ghcr.io/stamparm/maltrail:0.84`\n\n... or with `docker compose`:\n\n```sh\n# For both\ndocker compose up -d\n# Update image regularly\ndocker compose down --remove-orphans\ndocker compose build\ndocker compose up -d\n```\n\nDon't edit the `docker-compose.yml` file directly, as this will be overwritten by `git pull`.  Instead, copy it to `docker-compose.override.yml` and edit that file; it is included in this repo's `.gitignore`.  \n\nTo test that everything is up and running execute the following:\n\n```sh\nping -c 1 136.161.101.53\ncat /var/log/maltrail/$(date +\"%Y-%m-%d\").log\n```\n\n![Test](https://i.imgur.com/NYJg6Kl.png)\n\nAlso, to test the capturing of DNS traffic you can try the following:\n\n```sh\nnslookup morphed.ru\ncat /var/log/maltrail/$(date +\"%Y-%m-%d\").log\n```\n\n![Test2](https://i.imgur.com/62oafEe.png)\n\nTo stop **Sensor** and **Server** instances (if running in background) execute the following:\n\n```sh\nsudo pkill -f sensor.py\npkill -f server.py\n```\n\nAccess the reporting interface (i.e. **Client**) by visiting the http://127.0.0.1:8338 (default credentials: `admin:changeme!`) from your web browser:\n\n![Reporting interface](https://i.imgur.com/VAsq8cs.png)\n\n## Administrator's guide\n\n### Sensor\n\nSensor's configuration can be found inside the `maltrail.conf` file's section `[Sensor]`:\n\n![Sensor's configuration](https://i.imgur.com/8yZKH14.png)\n\nIf option `USE_MULTIPROCESSING` is set to `true` then all CPU cores will be used. One core will be used only for packet capture (with appropriate affinity, IO priority and nice level settings), while other cores will be used for packet processing. Otherwise, everything will be run on a single core. Option `USE_FEED_UPDATES` can be used to turn off the trail updates from feeds altogether (and just use the provided static ones). Option `UPDATE_PERIOD` contains the number of seconds between each automatic trails update (Note: default value is set to `86400` (i.e. one day)) by using definitions inside the `trails` directory (Note: both **Sensor** and **Server** take care of the trails update). Option `CUSTOM_TRAILS_DIR` can be used by user to provide location of directory containing the custom trails (`*.txt`) files.\n\nOption `USE_HEURISTICS` turns on heuristic mechanisms (e.g. `long domain name (suspicious)`, `excessive no such domain name (suspicious)`, `direct .exe download (suspicious)`, etc.), potentially introducing false positives. Option `CAPTURE_BUFFER` presents a total memory (in bytes or percentage of total physical memory) to be used in case of multiprocessing mode for storing packet capture in a ring buffer for further processing by non-capturing processes. Option `MONITOR_INTERFACE` should contain the name of the capturing interface. Use value `any` to capture from all interfaces (if OS supports this). Option `CAPTURE_FILTER` should contain the network capture (`tcpdump`) filter to skip the uninteresting packets and ease the capturing process. Option `SENSOR_NAME` contains the name that should be appearing inside the events `sensor_name` value, so the event from one sensor could be distinguished from the other. If option `LOG_SERVER` is set, then all events are being sent remotely to the **Server**, otherwise they are stored directly into the logging directory set with option `LOG_DIR`, which can be found inside the `maltrail.conf` file's section `[All]`. In case that the option `UPDATE_SERVER` is set, then all the trails are being pulled from the given location, otherwise they are being updated from trails definitions located inside the installation itself.\n\nOptions `SYSLOG_SERVER` and/or `LOGSTASH_SERVER` can be used to send sensor events (i.e. log data) to non-Maltrail servers. In case of `SYSLOG_SERVER`, event data will be sent in CEF (*Common Event Format*) format to UDP (e.g. Syslog) service listening at the given address (e.g. `192.168.2.107:514`), while in case of `LOGSTASH_SERVER` event data will be sent in JSON format to UDP (e.g. Logstash) service listening at the given address (e.g. `192.168.2.107:5000`).\n\nExample of event data being sent over UDP is as follows:\n\n- For option `SYSLOG_SERVER` (Note: `LogSeverity` values are 0 (for low), 1 (for medium) and 2 (for high)):\n\n```Dec 24 15:05:55 beast CEF:0|Maltrail|sensor|0.27.68|2020-12-24|andromeda (malware)|2|src=192.168.5.137 spt=60453 dst=8.8.8.8 dpt=53 trail=morphed.ru ref=(static)```\n\n- For option `LOGSTASH_SERVER`:\n\n```{\"timestamp\": 1608818692, \"sensor\": \"beast\", \"severity\": \"high\", \"src_ip\": \"192.168.5.137\", \"src_port\": 48949, \"dst_ip\": \"8.8.8.8\", \"dst_port\": 53, \"proto\": \"UDP\", \"type\": \"DNS\", \"trail\": \"morphed.ru\", \"info\": \"andromeda (malware)\", \"reference\": \"(static)\"}```\n\nWhen running the sensor (e.g. `sudo python sensor.py`) for the first time and/or after a longer period of non-running, it will automatically update the trails from trail definitions (Note: stored inside the `trails` directory). After the initialization, it will start monitoring the configured interface (option `MONITOR_INTERFACE` inside the `maltrail.conf`) and write the events to either the configured log directory (option `LOG_DIR` inside the `maltrail.conf` file's section `[All]`) or send them remotely to the logging/reporting **Server** (option `LOG_SERVER`).\n\n![Sensor run](https://i.imgur.com/A0qROp8.png)\n\nDetected events are stored inside the **Server**'s logging directory (i.e. option `LOG_DIR` inside the `maltrail.conf` file's section `[All]`) in easy-to-read CSV format (Note: whitespace ' ' is used as a delimiter) as single line entries consisting of: `time` `sensor` `src_ip` `src_port` `dst_ip` `dst_port` `proto` `trail_type` `trail` `trail_info` `reference` (e.g. `\"2015-10-19 15:48:41.152513\" beast 192.168.5.33 32985 8.8.8.8 53 UDP DNS 0000mps.webpreview.dsl.net malicious siteinspector.comodo.com`):\n\n![Sample log](https://i.imgur.com/RycgVru.png)\n\n### Server\n\nServer's configuration can be found inside the `maltrail.conf` section `[Server]`:\n\n![Server's configuration](https://i.imgur.com/TiUpLX8.png)\n\nOption `HTTP_ADDRESS` contains the web server's listening address (Note: use `0.0.0.0` to listen on all interfaces). Option `HTTP_PORT` contains the web server's listening port. Default listening port is set to `8338`. If option `USE_SSL` is set to `true` then `SSL/TLS` will be used for accessing the web server (e.g. `https://192.168.6.10:8338/`). In that case, option `SSL_PEM` should be pointing to the server's private/cert PEM file. \n\nSubsection `USERS` contains user's configuration settings. Each user entry consists of the `username:sha256(password):UID:filter_netmask(s)`. Value `UID` represents the unique user identifier, where it is recommended to use values lower than 1000 for administrative accounts, while higher value for non-administrative accounts. The part `filter_netmask(s)` represents the comma-delimited hard filter(s) that can be used to filter the shown events depending on the user account(s). Default entry is as follows:\n\n![Configuration users](https://i.imgur.com/PYwsZkn.png)\n\nOption `UDP_ADDRESS` contains the server's log collecting listening address (Note: use `0.0.0.0` to listen on all interfaces), while option `UDP_PORT` contains listening port value. If turned on, when used in combination with option `LOG_SERVER`, it can be used for distinct (multiple) **Sensor** \u003c-\u003e **Server** architecture.\n\nOption `FAIL2BAN_REGEX` contains the regular expression (e.g. `attacker|reputation|potential[^\"]*(web scan|directory traversal|injection|remote code|iot-malware download|spammer|mass scanner`) to be used in `/fail2ban` web calls for extraction of today's attacker source IPs. This allows the usage of IP blocking mechanisms (e.g. `fail2ban`, `iptables` or `ipset`) by periodic pulling of blacklisted IP addresses from remote location. Example usage would be the following script (e.g. run as a `root` cronjob on a minute basis):\n\n```sh\n#!/bin/bash\nipset -q flush maltrail\nipset -q create maltrail hash:net\nfor ip in $(curl http://127.0.0.1:8338/fail2ban 2\u003e/dev/null | grep -P '^[0-9.]+$'); do ipset add maltrail $ip; done\niptables -I INPUT -m set --match-set maltrail src -j DROP\n```\n\nOption `BLACKLIST` allows to build regular expressions to apply on one field. For each rule, the syntax is : `\u003cfield\u003e \u003ccontrol\u003e \u003cregexp\u003e` where :\n* `field` indicates the field to compare, it can be: `src_ip`,`src_port`,`dst_ip`,`dst_port`,`protocol`,`type`,`trail` or `filter`.\n* `control` can be either `~` for *matches* or `!~` for *doesn't match*\n* `regexp` is the regular expression to apply to the field.\nChain another rule with the `and` keyword (the `or` keyword is not supported, just add a line for this).\n\nYou can use the keyword `BLACKLIST` alone or add a name : `BLACKLIST_NAME`. In the latter case, the url will be : `/blacklist/name`\n\nFor example, the following will build an out blacklist for all traffic from another source than `192.168.0.0/16` to destination port `SSH` or matching the filters `scan` or `known attacker`\n```\nBLACKLIST_OUT\n    src_ip !~ ^192.168. and dst_port ~ ^22$\n    src_ip !~ ^192.168. and filter ~ scan\n    src_ip !~ ^192.168. and filter ~ known attacker\n\nBLACKLIST_IN\n    src_ip ~ ^192.168. and filter ~ malware\n```\nThe way to build ipset blacklist is the same (see above) except that URLs will be `/blacklist/in` and `/blacklist/out` in our example.\n\nSame as for **Sensor**, when running the **Server** (e.g. `python server.py`) for the first time and/or after a longer period of non-running, if option `USE_SERVER_UPDATE_TRAILS` is set to `true`, it will automatically update the trails from trail definitions (Note: stored inside the `trails` directory). Its basic function is to store the log entries inside the logging directory (i.e. option `LOG_DIR` inside the `maltrail.conf` file's section `[All]`) and provide the web reporting interface for presenting those same entries to the end-user (Note: there is no need to install the 3rd party web server packages like Apache):\n\n![Server run](https://i.imgur.com/GHdGPw7.png)\n\n## User's guide\n\n### Reporting interface\n\nWhen entering the **Server**'s reporting interface (i.e. via the address defined by options `HTTP_ADDRESS` and `HTTP_PORT`), user will be presented with the following authentication dialog. User has to enter the proper credentials that have been set by the server's administrator inside the configuration file `maltrail.conf` (Note: default credentials are `admin:changeme!`):\n\n![User login](https://i.imgur.com/WVpASAI.png)\n\nOnce inside, user will be presented with the following reporting interface:\n\n![Reporting interface](https://i.imgur.com/PZY8JEC.png)\n\nThe top part holds a sliding timeline (Note: activated after clicking the current date label and/or the calendar icon ![Calendar icon](https://i.imgur.com/NfNore9.png)) where user can select logs for past events (Note: mouse over event will trigger display of tooltip with approximate number of events for current date). Dates are grouped by months, where 4 month period of data are displayed inside the widget itself. However, by using the provided slider (i.e. ![Timeline slider](https://i.imgur.com/SNGVSaP.png)) user can easily access events from previous months.\n\n![Timeline](https://i.imgur.com/RnIROcn.png)\n\nOnce clicking the date, all events for that particular date should be loaded and represented by the client's web browser. Depending on number of events and the network connection speed, loading and display of logged events could take from couple of seconds, up to several minutes (e.g. 100,000 events takes around 5 seconds in total). For the whole processing time, animated loader will be displayed across the disabled user interface:\n\n![Loader](https://i.imgur.com/oX7Rtjo.png)\n\nMiddle part holds a summary of displayed events. `Events` box represents total number of events in a selected 24-hour period, where red line represents IP-based events, blue line represents DNS-based events and yellow line represents URL-based events. `Sources` box represents number of events per top sources in form of a stacked column chart, with total number of sources on top. `Threats` box represents percentage of top threats in form of a pie chart (Note: gray area holds all threats having each \u0026lt;1% in total events), with total number of threats on top. `Trails` box represents percentage of top trails in form of a pie chart (Note: gray area holds all trails having each \u0026lt;1% in total events), with total number of trails on top. Each of those boxes are active, hence the click on one of those will result with a more detailed graph.\n\n![Summary](https://i.imgur.com/5NFbqCb.png)\n\nBottom part holds a condensed representation of logged events in form of a paginated table. Each entry holds details for a single threat (Note: uniquely identified by a pair `(src_ip, trail)` or `(dst_ip, trail)` if the `src_ip` is the same as the `trail` as in case of attacks coming from the outside):\n\n![Single threat](https://i.imgur.com/IxPwKKZ.png)\n\nColumn `threat` holds threat's unique ID (e.g. `85fdb08d`) and color (Note: extruded from the threat's ID), `sensor` holds sensor name(s) where the event has been triggered (e.g. `blitvenica`), `events` holds total number of events for a current threat, `severity` holds evaluated severity of threat (Note: calculated based on values in `info` and `reference` columns, prioritizing malware generated traffic), `first_seen` holds time of first event in a selected (24h) period (e.g. `06th 08:21:54`), `last_seen` holds time of last event in a selected (24h) period (e.g. `06th 15:21:23`), `sparkline` holds a small sparkline graph representing threat's activity in selected period, `src_ip` holds source IP(s) of a threat (e.g. `99.102.41.102`), `src_port` holds source port(s) (e.g. `44556, 44589, 44601`), `dst_ip` holds destination IP(s) (e.g. `213.202.100.28`), `dst_port` holds destination port(s) (e.g. `80 (HTTP)`), `proto` holds protocol(s), (e.g. `TCP`), `trail` holds a blacklisted (or heuristic) entry that triggered the event(s), `info` holds more information about the threat/trail (e.g. `known attacker` for known attacker's IP addresses or `ipinfo` for known IP information service commonly used by malware during a startup), `reference` holds a source of the blacklisted entry (e.g. `(static)` for static trails or `myip.ms` for a dynamic feed retrieved from that same source) and `tags` holds user defined tags for a given trail (e.g. `APT28`).\n\nWhen moving mouse over `src_ip` and `dst_ip` table entries, information tooltip is being displayed with detailed reverse DNS and WHOIS information (Note: [RIPE](http://www.ripe.net/) is the information provider):\n\n![On mouse over IP](https://i.imgur.com/BgKchAX.png)\n\nEvent details (e.g. `src_port`, `dst_port`, `proto`, etc.) that differ inside same threat entry are condensed in form of a bubble icon (i.e. ![Ellipsis](https://raw.githubusercontent.com/stamparm/maltrail/master/html/images/ellipsis.png)). This is performed to maintain a usable reporting interface with as few rows as possible. Moving mouse over such icon will result in a display of an information tooltip with all items held (e.g. all port numbers being scanned by `attacker`):\n\n![On mouse over bubble](https://i.imgur.com/BfYT2u7.png)\n\nClicking on one such icon will open a new dialog containing all stored items (Note: in their uncondensed form) ready to be Copy-Paste(d) for further analysis:\n\n![Ctrl-C dialog](https://i.imgur.com/9pgMpiR.png)\n\nWhen hovering mouse pointer over the threat's trail for couple of seconds it will result in a frame consisted of results using the trail as a search term performed against [searX](https://searx.nixnet.services/) search engine. In lots of cases, this provides basic information about the threat itself, eliminating the need for user to do the manual search for it. In upper right corner of the opened frame window there are two extra buttons. By clicking the first one (i.e. ![New tab icon](https://raw.githubusercontent.com/stamparm/maltrail/master/html/images/newtab.png)), the resulting frame will be opened inside the new browser's tab (or window), while by clicking the second one (i.e. ![Close icon](https://raw.githubusercontent.com/stamparm/maltrail/master/html/images/close.png)) will immediately close the frame (Note: the same action is achieved by moving the mouse pointer outside the frame borders):\n\n![On mouse over trail](https://i.imgur.com/ZxnHn1N.png)\n\nFor each threat there is a column `tag` that can be filled with arbitrary \"tags\" to closely describe all threats sharing the same trail. Also, it is a great way to describe threats individually, so all threats sharing the same tag (e.g. `yahoo`) could be grouped out later:\n\n![Tags](https://i.imgur.com/u5Z4752.png)\n\n### Real-life cases\n\nIn the following section some of the \"usual suspects\" scenarios will be described through the real-life cases.\n\n#### Mass scans\n\nMass scans are a fairly common phenomenon where individuals and/or organizations give themselves a right to scan the whole 0.0.0.0/0 IP range (i.e. whole Internet) on a daily basis, with disclaimer where they say that if you don't like it then you should contact them privately to be skipped from future scans. \n\n![Shodan FileZilla results](https://i.imgur.com/nwOwLP9.png)\n\nTo make stuff worse, organizations as [Shodan](https://www.shodan.io/) and [ZoomEye](http://www.zoomeye.org) give all results freely available (to other potential attackers) through their search engine. In the following screenshots you'll see details of Shodan scans in one single day.\n\nHere is a reverse DNS and WHOIS lookup of the \"attacker\"'s address:\n\n![Shodan 1](https://i.imgur.com/LQ6Vu00.png)\n\nWhen hovering mouse pointer over the `trail` column's content (IP address), you'll be presented with the search results from [searX](https://searx.nixnet.services/) where you'll be able to find more information about the \"attacker\":\n\n![Shodan 2](https://i.imgur.com/vIzB8bA.png)\n\nIn the `dst_ip` column, if you have a large organization, you'll be presented with large list of scanned IP addresses:\n![Shodan 3](https://i.imgur.com/EhAtXs7.png)\n\nIn the `dst_port` column you'll be able to see all ports that have been scanned by such mass scans:\n\n![Shodan 4](https://i.imgur.com/Wk8Xjhq.png)\n\nIn other similar situations you'll see the same behaviour, coming from blacklisted individual attacker(s) (in this case by [cinsscore.com](http://cinsscore.com/)):\n\n![Known attacker](https://i.imgur.com/wSOOnQM.png)\n\nOne more common behaviour is scanning of the whole 0.0.0.0/0 IP range (i.e. Internet) in search for one particular port (e.g. TCP port 443 when [Heartbleed](http://heartbleed.com/) has been found). In the following screenshot you'll find one such case for previously blacklisted attacker(s) (in this case by [alienvault.com](http://alienvault.com) and two other blacklists) targeting the UDP port 5060 (i.e. SIP) in search for [misconfigured VoIP devices](https://isc.sans.edu/diary/Targeting+VoIP%3A+Increase+in+SIP+Connections+on+UDP+port+5060/9193):\n\n![SIP scan](https://i.imgur.com/dkJfU86.png)\n\n#### Anonymous attackers\n\nTo spot the potential attackers hidden behind the [Tor](https://www.torproject.org/) anonymity network, Maltrail utilizes publicly available lists of Tor exit nodes. In the following screenshot you'll see a case where potential attacker has been utilizing the Tor network to access the web target (over HTTP) in our organization's range in suspicious way (total 171 connection requests in 10 minutes):\n\n![Tor attacker](https://i.imgur.com/dXF8r2K.png)\n\n#### Service attackers\n\nFairly similar case to the previous one is when previously blacklisted attacker tries to access particular (e.g. non-HTTP(s)) service in our organization's range in rather suspicious way (i.e. total 1513 connection attempts in less than 15 minutes):\n\n![RDP brute force](https://i.imgur.com/Oo2adCf.png)\n\nIf we enter the `ssh attacker` to the `Filter` field, we'll be able to see all similar occurrences for that day, but in this case for port 22 (i.e. SSH):\n\n![SSH attackers filter](https://i.imgur.com/oCv42jd.png)\n\n#### Malware\n\nIn case of connection attempts coming from infected computers inside our organization toward already known C\u0026C servers, you'll be able to find threats similar to the following (in this case [Beebone](https://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Win32/Beebone)):\n\n![beebone malware](https://i.imgur.com/GBLWISo.png)\n\nIn case of DNS requests containing known [DGA](https://en.wikipedia.org/wiki/Domain_generation_algorithm) domain names, threat will be shown like (in this case [Necurs](https://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Win32/Necurs)):\n\n![necurs malware](https://i.imgur.com/8tWj2pm.png)\n\nIn the following case file downloads from blacklisted (in this case by [malwarepatrol.net](https://malwarepatrol.net/)) URL(s) have occurred:\n\n![malware download](https://i.imgur.com/g2NH7sT.png)\n\nIf we enter the particular malware name (in this case [Ramnit](https://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Win32%2fRamnit)) into the `Filter` field, only threats that are known to be linked to this malware will be filtered in (showing you all affected internal computers):\n\n![ramnit malware](https://i.imgur.com/zcoPnZk.png)\n\nMore generally, if we enter the `malware` into the `Filter` field, all threats that have been found by malware(-related) trails (e.g. `IP` addresses) will be filtered in:\n\n![malware filter](https://i.imgur.com/gVYAfSU.png)\n\n#### Suspicious domain lookups\n\nMaltrail uses the static list of TLD [domains](https://github.com/stamparm/maltrail/blob/master/trails/static/suspicious/domain.txt) that are known to be commonly involved in suspicious activities. Most such [TLD](https://en.wikipedia.org/wiki/Top-level_domain) domains are coming from free domain registrars (e.g. [Freenom](http://www.freenom.com)), hence they should be under greater scrutiny. In the following screenshot we can find a case where one such TLD domain `.cm` has been used by unknown malware using the [DGA](https://en.wikipedia.org/wiki/Domain_generation_algorithm) algorithm to contact its [C\u0026C](https://www.trendmicro.com/vinfo/us/security/definition/command-and-control-%28c-c%29-server) server(s):\n\n![cm DGA](https://i.imgur.com/JTGdtJ0.png)\n\nThere are also cases when perfectly valid TLD domains (e.g. `.ru`) are used for suspicious activities, such in this case (e.g. `long domain name (suspicious)`) where the domains are obviously DGA generated by unknown malware:\n\n![Suspicious long domains](https://i.imgur.com/EJOS5Qb.png)\n\nMaltrail uses static [list](https://github.com/stamparm/maltrail/blob/master/trails/static/suspicious/dynamic_domain.txt) of so-called \"dynamic domains\" that are often used in suspicious activities (e.g. for malware C\u0026C servers that often change the destination's IP addresses):\n\n![Suspicious dynamic domains](https://i.imgur.com/1WVLMf9.png)\n\nAlso, Maltrail uses static [list](https://github.com/stamparm/maltrail/blob/master/trails/static/suspicious/onion.txt) of \"onion\"-related domains that are also often used in suspicious activities (e.g. malware contacting C\u0026amp;C servers by using Tor2Web service(s)):\n\n![Suspicious onion](https://i.imgur.com/QdoAY0w.png)\n\nIn case of old and/or obsolete malware that sits undetected on organization's infected internal computers, there is often a \"phenomenon\" where malware continuously tries to contact the long dead C\u0026amp;C server's domain without any DNS resolution. Hence, those kind of (potential) threats will be marked as `excessive no such domain (suspicious)`:\n\n![Excessive no such domain name](https://i.imgur.com/KPwNOM8.png)\n\nIn case that one trail is responsible for too many threats (e.g. in case of fake source IPs like in DNS amplification attacks), all similar threats will be grouped under a single `flood` threat (Note: threat's ID will be marked with suffix `F0`), like in the following example:\n\n![Flood](https://i.imgur.com/ZtpMR3d.png)\n\n#### Suspicious ipinfo requests\n\nLots of malware uses some kind of `ipinfo` service (e.g. [ipinfo.io](http://ipinfo.io)) to find out the victim's Internet IP address. In case of regular and especially in out-of-office hours, those kind of requests should be closely monitored, like in the following example:\n\n![suspicious ipinfo](https://i.imgur.com/3THOoWW.png)\n\nBy using filter `ipinfo` all potentially infected computers in our organization's range can be listed that share this kind of suspicious behaviour:\n\n![ipinfo filter](https://i.imgur.com/6SMN0at.png)\n\n#### Suspicious direct file downloads\n\nMaltrail tracks all suspicious direct file download attempts (e.g. `.apk`, `.bin`, `.class`, `.chm`, `.dll`, `.egg`, `.exe`, `.hta`, `.hwp`, `.lnk`, `.ps1`, `.scr`, `.sct`, `.wbk` and `.xpi` file extensions). This can trigger lots of false positives, but eventually could help in reconstruction of the chain of infection (Note: legitimate service providers, like Google, usually use encrypted HTTPS to perform this kind of downloads):\n\n![Direct .exe download](https://i.imgur.com/jr5BS1h.png)\n\n#### Suspicious HTTP requests\n\nIn case of suspicious requests coming from outer web application security scanners (e.g. searching for SQLi, XSS, LFI, etc. vulnerabilities) and/or the internal user malicious attempts toward unknown web sites, threats like the following could be found (real case of attackers trying to exploit Joomla! CMS CVE-2015-7297, CVE-2015-7857, and CVE-2015-7858 [vulnerabilities](https://blog.sucuri.net/2015/10/joomla-3-4-5-released-fixing-a-serious-sql-injection-vulnerability.html)):\n\n![SQLi com_contenthistory](https://i.imgur.com/pZuGXpr.png)\n\nIn following example, web application vulnerability scan has been marked as \"suspicious\":\n\n![Vulnerability scan](https://i.imgur.com/QzcaEsG.png)\n\nIf we click on the bubble icon (i.e. ![Ellipsis](https://raw.githubusercontent.com/stamparm/maltrail/master/html/images/ellipsis.png)) for details and copy paste the whole content to a textual file, we'll be able to see all suspicious HTTP requests:\n\n![Vulnerability scan requests](https://i.imgur.com/XY9K01o.png)\n\nIn the following screenshot, a run of popular SQLi vulnerability tool [sqlmap](https://github.com/sqlmapproject/sqlmap/) can be found inside our logs:\n\n![sqlmap scan requests](https://i.imgur.com/mHZmM7t.png)\n\n#### Port scanning\n\nIn case of too many connection attempts toward considerable amount of different TCP ports, Maltrail will warn about the potential port scanning, as a result of its heuristic mechanism detection. In the following screenshot such warning(s) can be found for a run of popular port scanning tool [nmap](https://nmap.org/):\n\n![nmap scan](https://i.imgur.com/VS7L2A3.png)\n\n#### DNS resource exhaustion\n\nOne popular DDoS attack against the web server(s) infrastructure is the resource exhaustion of its (main) DNS server by making valid DNS recursion queries for (pseudo)random subdomain names (e.g. `abpdrsguvjkyz.www.dedeni.com`):\n\n![DNS resource exhaustion](https://i.imgur.com/RujhnKW.png)\n\n#### Data leakage\n\nMiscellaneous programs (especially mobile-based) present malware(-like) behaviour where they send potentially sensitive data to the remote beacon posts. Maltrail will try to capture such behaviour like in the following example:\n\n![Data leakage](https://i.imgur.com/6zt2gXg.png)\n\n#### False positives\n\nLike in all other security solutions, Maltrail is prone to \"[false positives](https://en.wikipedia.org/wiki/False_positives_and_false_negatives)\". In those kind of cases, Maltrail will (especially in case of `suspicious` threats) record a regular user's behaviour and mark it as malicious and/or suspicious. In the following example it can be seen that a blacklist feed provider `blocklist.de` marked regular Google server as `attacker`(s), resulting with the following threat:\n\n![Google false positive 1](https://i.imgur.com/HFvCNNK.png)\n\nBy hovering mouse over the trail, frame with results from [searX](https://searx.nixnet.services/) search show that this is (most probably) a regular Google's server:\n\n![Google false positive 2](https://i.imgur.com/i3oydv6.png)\n\nAs another example, access to regular `.work` domains (popular TLD for malicious purposes) resulted with the following threat:\n\n![Suspicious domain false positive](https://i.imgur.com/Msq8HgH.png)\n\nNevertheless, administrator(s) should invest some extra time and check (with other means) whether the \"suspicious\" means malicious or not, as in the following example:\n\n![Suspicious .ws](https://i.imgur.com/bOLmXUE.png)\n\n## Best practice(s)\n\n1. Install Maltrail:\n\n- On **Ubuntu/Debian**\n\n    ```sh\n    sudo apt-get install git python3 python3-dev python3-pip python-is-python3 libpcap-dev build-essential procps schedtool\n    sudo pip3 install pcapy-ng\n    cd /tmp\n    git clone --depth 1 https://github.com/stamparm/maltrail.git\n    sudo mv /tmp/maltrail /opt\n    sudo chown -R $USER:$USER /opt/maltrail\n    ```\n    \n- On **SUSE/openSUSE**\n\n   ```sh\n   sudo zypper install gcc gcc-c++ git libpcap-devel python3-devel python3-pip procps schedtool\n   sudo pip3 install pcapy-ng\n   cd /tmp\n   git clone --depth 1 https://github.com/stamparm/maltrail.git\n   sudo mv /tmp/maltrail /opt\n   sudo chown -R $USER:$USER /opt/maltrail\n   ```\n\n2. Set working environment:\n\n    ```sh\n    sudo mkdir -p /var/log/maltrail\n    sudo mkdir -p /etc/maltrail\n    sudo cp /opt/maltrail/maltrail.conf /etc/maltrail\n    sudo nano /etc/maltrail/maltrail.conf\n    ```\n\n3. Set running environment:\n\n    * `crontab -e  # autostart server \u0026 periodic update`\n\n    ```\n    */5 * * * * if [ -n \"$(ps -ef | grep -v grep | grep 'server.py')\" ]; then : ; else python3 /opt/maltrail/server.py -c /etc/maltrail/maltrail.conf; fi\n    0 1 * * * cd /opt/maltrail \u0026\u0026 git pull\n    ```\n\n    * `sudo crontab -e  # autostart sensor \u0026 periodic restart`\n\n    ```\n    */1 * * * * if [ -n \"$(ps -ef | grep -v grep | grep 'sensor.py')\" ]; then : ; else python3 /opt/maltrail/sensor.py -c /etc/maltrail/maltrail.conf; fi\n    2 1 * * * /usr/bin/pkill -f maltrail\n    ```\n\n4. Enable as systemd services (Linux only):\n\n    ```sh\n    sudo cp /opt/maltrail/maltrail-sensor.service /etc/systemd/system/maltrail-sensor.service\n    sudo cp /opt/maltrail/maltrail-server.service /etc/systemd/system/maltrail-server.service\n    sudo systemctl daemon-reload\n    sudo systemctl start maltrail-server.service\n    sudo systemctl start maltrail-sensor.service\n    sudo systemctl enable maltrail-server.service\n    sudo systemctl enable maltrail-sensor.service\n    systemctl status maltrail-server.service \u0026\u0026 systemctl status maltrail-sensor.service\n    \n    ```\n    \n  **Note**: ```/maltrail-sensor.service``` can be started as dedicated service without pre-started ```/maltrail-server.service```. This is useful for case, when ```/maltrail-server.service``` is installed and works on another machine in you network environment.\n\n\n## License\n\nThis software is provided under a MIT License. See the accompanying [LICENSE](https://github.com/stamparm/maltrail/blob/master/LICENSE) file for more information.\n\n## Sponsors\n\n* [Sansec](https://sansec.io/) (2024-2025)\n* [Sansec](https://sansec.io/) (2020-2021)\n\n## Developers\n\n* Miroslav Stampar ([@stamparm](https://github.com/stamparm))\n* Mikhail Kasimov ([@MikhailKasimov](https://github.com/MikhailKasimov))\n\n## Presentations\n\n* 47th TF-CSIRT Meeting, Prague (Czech Republic), 2016 ([slides](https://www.terena.org/activities/tf-csirt/meeting47/M.Stampar-Maltrail.pdf))\n\n## Publications\n\n* Detect attacks on your network with Maltrail, Linux Magazine, 2022 ([Annotation](https://www.linux-magazine.com/Issues/2022/258/Maltrail))\n* Best Cyber Threat Intelligence Feeds ([SilentPush Review, 2022](https://www.silentpush.com/blog/best-cyber-threat-intelligence-feeds))\n* Research on Network Malicious Traffic Detection System Based on Maltrail ([Nanotechnology Perceptions, ISSN 1660-6795, 2024](https://nano-ntp.com/index.php/nano/article/view/1915/1497))\n\n## Blacklist\n\n* Maltrail's daily updated blacklist of malware-related domains can be found [here](https://raw.githubusercontent.com/stamparm/aux/master/maltrail-malware-domains.txt). It is based on trails found at [trails/static/malware](trails/static/malware) and can be safely used for DNS traffic blocking purposes.\n\n## Thank you\n\n* Thomas Kristner\n* Eduardo Arcusa Les\n* James Lay\n* Ladislav Baco (@laciKE)\n* John Kristoff (@jtkdpu)\n* Michael M\u0026uuml;nz (@mimugmail)\n* David Brush\n* @Godwottery\n* Chris Wild (@briskets)\n* Keith Irwin (@ki9us)\n* Simon Szustkowski (@simonszu)\n\n## Third-party integrations\n\n* [FreeBSD Port](https://www.freshports.org/security/maltrail)\n* [OPNSense Gateway Plugin](https://github.com/opnsense/plugins/pull/1257)\n* [D4 Project](https://www.d4-project.org/2019/09/25/maltrail-integration.html)\n* [BlackArch Linux](https://github.com/BlackArch/blackarch/blob/master/packages/maltrail/PKGBUILD)\n* [Validin LLC](https://x.com/ValidinLLC/status/1719666086390517762)\n* [Maltrail Add-on for Splunk](https://splunkbase.splunk.com/app/7211)\n* [Maltrail decoder and rules for Wazuh](https://github.com/MikhailKasimov/maltrail-wazuh-decoder-and-rules)\n* [GScan](https://github.com/grayddq/GScan) \u003csup\u003e1\u003c/sup\u003e\n* [MalwareWorld](https://www.malwareworld.com/) \u003csup\u003e1\u003c/sup\u003e\n* [oisd | domain blocklist](https://oisd.nl/?p=inc) \u003csup\u003e1\u003c/sup\u003e\n* [NextDNS](https://github.com/nextdns/metadata/blob/e0c9c7e908f5d10823b517ad230df214a7251b13/security/threat-intelligence-feeds.json) \u003csup\u003e1\u003c/sup\u003e\n* [NoTracking](https://github.com/notracking/hosts-blocklists/blob/master/SOURCES.md) \u003csup\u003e1\u003c/sup\u003e\n* [OWASP Mobile Audit](https://github.com/mpast/mobileAudit#environment-variables) \u003csup\u003e1\u003c/sup\u003e\n* [Mobile-Security-Framework-MobSF](https://github.com/MobSF/Mobile-Security-Framework-MobSF/commit/12b07370674238fa4281fc7989b34decc2e08876) \u003csup\u003e1\u003c/sup\u003e\n* [pfBlockerNG-devel](https://github.com/pfsense/FreeBSD-ports/blob/devel/net/pfSense-pkg-pfBlockerNG-devel/files/usr/local/www/pfblockerng/pfblockerng_feeds.json) \u003csup\u003e1\u003c/sup\u003e\n* [Sansec eComscan](https://sansec.io/kb/about-ecomscan/ecomscan-license)\u003csup\u003e1\u003c/sup\u003e\n* [Palo Alto Networks Cortex XSOAR](https://xsoar.pan.dev/docs/reference/integrations/github-maltrail-feed)\u003csup\u003e2\u003c/sup\u003e\n \n\u003csup\u003e1\u003c/sup\u003e Using (only) trails\n\n\u003csup\u003e2\u003c/sup\u003e Connector to trails (only)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fstamparm%2Fmaltrail","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fstamparm%2Fmaltrail","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fstamparm%2Fmaltrail/lists"}