Maltrail Documentation

Maltrail is an open-source malicious traffic detection system developed by Marin Kaluža. Designed for network administrators and security analysts, it helps detect and analyze network anomalies, including suspicious or malicious traffic patterns.

Key Features

Threat Intelligence Sources: Utilizes various threat intelligence feeds from public blacklists and custom rules
Traffic Monitoring: Real-time monitoring of network traffic
Behavioral Analysis: Tracks suspicious behaviors like IP scanning, DDoS attacks
Web-Based Interface: Intuitive dashboard for alerts and visualization
Anomaly Detection: Detects unknown threats using heuristic methods

Components

1. sensor.py

The network traffic monitor and analyzer component:

Captures and analyzes network packets
Uses multiple data sources to check for IOCs
Logs detected threats in JSON format
Regularly updates malicious indicators from feeds

Running sensor.py

sudo python3 sensor.py

2. server.py

The web interface and log management component:

Provides web dashboard at http://<server_ip>:8338
Aggregates and displays logs from sensors
Includes user authentication
Filters and sorts alerts by severity

Running server.py

sudo python3 server.py

Configuration

[Server] Section

Configures the reporting server and web interface:

HTTP_ADDRESS: Listening IP (0.0.0.0 for all interfaces)
HTTP_PORT: Web interface port (default: 8338)
USERS: Defines user accounts (admin/non-admin)
ENABLE_MASK_CUSTOM: Hides custom trail names for non-admins
IP_ALIASES: Assigns names to IPs for readability

[Sensor] Section

Configures traffic monitoring and detection:

PROCESS_COUNT: Number of analysis processes
MONITOR_INTERFACE: Network interface to monitor
CAPTURE_FILTER: BPF filter for traffic capture
USE_HEURISTICS: Enables behavior-based detection
USER_WHITELIST: Path to whitelist file

[All] Section

Global configurations:

LOG_DIR: Directory for log storage
PROXY_ADDRESS: Proxy for external connections
TRAILS_FILE: Path for trail storage

Display Options

Show Only Malicious IPs

Set ENABLE_MASK_CUSTOM true
Configure appropriate CAPTURE_FILTER
Use BLACKLIST rules to refine detection

Show All IPs

Use broad capture filter: CAPTURE_FILTER ip or ip6
Disable specific feeds in DISABLED_FEEDS
Set admin UIDs to see all IPs

Note: The default username/password for the web interface is admin:admin - change this in production!