Maltrail is an open-source malicious traffic detection system developed by Marin Kaluža. Designed for network administrators and security analysts, it helps detect and analyze network anomalies, including suspicious or malicious traffic patterns. Maltrail uses threat intelligence from a variety of sources, including public blacklists, malicious domains, IP addresses, and behavioral signatures, to identify potential threats within network traffic.
Maltrail is typically deployed on a network sensor, such as a server that monitors traffic through a network tap or SPAN port. It analyzes raw traffic and compares it against its threat intelligence sources and behavior-based signatures. When suspicious or known malicious traffic is detected, Maltrail generates alerts that are accessible through the web-based UI or as JSON logs.
To set up Maltrail, you’ll need:
To start Maltrail, simply clone the repository and run the main script:
# Clone the repository
git clone https://github.com/stamparm/maltrail.git
cd maltrail
# Start the server
sudo python3 sensor.py
For the server, you can access the Maltrail dashboard by starting the server.py
script:
sudo python3 server.py
You can then access the dashboard via a web browser at http://<your_server_ip>:8338
.
In the context of Maltrail, sensor.py
and server.py
are core scripts responsible for data collection and user interface management:
sensor.py
The sensor.py
script functions as the network traffic monitor and analyzer. It acts as the sensor component in the Maltrail architecture, capturing network packets, analyzing them for potential threats, and logging suspicious activity.
Key Responsibilities:
sensor.py
captures network packets from specified interfaces (e.g., Ethernet) and analyzes the traffic for malicious or suspicious patterns.server.py
to display them on the web interface.Usage:
You run sensor.py
on a device within the network that has access to monitor traffic. This device could be a server connected to a mirror (SPAN) port on a switch, allowing it to passively analyze traffic from other devices in the network.
sensor.py
:sudo python3 sensor.py
sensor.py
eth0
).server.py
The server.py
script is the server component in the Maltrail architecture. It provides a web-based user interface and handles the backend for log management and alert visualization.
Key Responsibilities:
http://<server_ip>:8338
.sensor.py
and displays them in a structured format, showing information about detected threats and suspicious activities.Usage:
After running sensor.py
to collect and log data, you run server.py
on the same or a different machine that has access to these logs. Users can then access the Maltrail web dashboard to analyze the detected threats.
server.py
:sudo python3 server.py
server.py
8338
, but this can be changed in the configuration file (maltrail.conf
) if needed.admin:admin
.sensor.py
and server.py
Work Togethersensor.py
captures network packets, analyzes them for threats, and logs detected anomalies in a JSON format.server.py
reads these logs and aggregates the data, making it accessible to users.server.py
hosts a dashboard where users can view and interact with logs, filter by date, threat type, and severity, and gain insights into the security status of their network.This modular design allows Maltrail to be flexible; you can deploy multiple sensors across different network segments while using a single server instance to manage alerts and monitor traffic across your network.
The maltrail.conf
file configures Maltrail’s sensor and server components for monitoring, detection, and reporting. Let’s break down each section and key parameter to understand how it influences Maltrail’s operation:
The [Server]
section configures settings for the reporting server, which hosts the Maltrail web interface, manages user authentication, and handles log collection.
HTTP_ADDRESS: Defines the IP address on which the Maltrail server listens. The default setting (0.0.0.0
) allows it to accept connections from any network interface.
::
, or a specific interface).HTTP_PORT: Specifies the port for the HTTP server, with a default of 8338
.
USE_SSL: When set to true
, it enables SSL/TLS for encrypted connections. false
means the server runs without encryption.
SSL_PEM: Location of the SSL certificate (PEM file) if SSL is enabled.
USERS: Defines user accounts for accessing the Maltrail web interface. Users are defined by:
admin
.UID=0
; non-admin users (UID>=1000
) can only view results.ENABLE_MASK_CUSTOM: When true
, hides custom trail names for non-admin users, providing additional privacy for custom monitoring rules.
UDP_ADDRESS and UDP_PORT: These (if enabled) allow the server to accept logs from remote sensors via UDP. Default is commented out.
USE_SERVER_UPDATE_TRAILS: When true
, lets the server download trail updates, which sensors can then access.
IP_ALIASES: Allows defining aliases for specific IP addresses to make logs easier to interpret, e.g., naming 8.8.8.8
as google
.
HEADER_LOGO: Allows customizing the top-left logo in the web interface with an image or text.
FAIL2BAN_REGEX: A regex pattern used for Fail2Ban integration to identify attacker IPs.
BLACKLIST: Provides rules for custom blacklists, e.g., blocking specific IPs or traffic based on IP ranges and ports.
The [Sensor]
section defines parameters for traffic monitoring and detection, specifying how and what Maltrail sensors capture and analyze.
PROCESS_COUNT: Number of processes used for packet capture and analysis. Increasing this number can improve performance on multi-core systems.
DISABLE_CPU_AFFINITY: When true
, prevents the sensor from setting CPU affinity, which can be useful on systems with multiple high-demand processes.
USE_FEED_UPDATES: If true
, enables automatic trail updates from various feeds (blacklists, known malware IPs, etc.).
DISABLED_FEEDS: Lists feeds that Maltrail won’t use, as they might generate excessive false positives (e.g., turris
, ciarmy
).
IP_MINIMUM_FEEDS: Controls the minimum number of feeds an IP must appear on to be flagged, which reduces false positives.
UPDATE_PERIOD: Frequency of trail updates in seconds, with 86400
(24 hours) as the default.
CUSTOM_TRAILS_URL and CUSTOM_TRAILS_DIR: Specifies URLs or directories for custom trails, allowing custom monitoring rules or sources.
CAPTURE_BUFFER: Defines the ring buffer size for network capture, set as a percentage of system memory or bytes, e.g., 10%
.
MONITOR_INTERFACE: Specifies the network interface for monitoring (e.g., eth0
, or any
for all interfaces).
CAPTURE_FILTER: Packet capture filter to reduce data to only relevant traffic types. Current setting focuses on UDP
, ICMP
, and specific TCP
flags or ports.
SENSOR_NAME: Sets the sensor’s name in logs; $HOSTNAME
auto-fills the device hostname.
LOG_SERVER, SYSLOG_SERVER, LOGSTASH_SERVER: Configures remote servers for log storage (using UDP, Syslog, or JSON formats), useful in distributed setups.
REMOTE_SEVERITY_REGEX: Regular expression defining log severity levels for external log storage.
DISABLE_LOCAL_LOG_STORAGE: When true
, disables local log storage and sends logs exclusively to remote servers.
USE_HEURISTICS: Enables heuristic-based detection methods for enhanced threat identification.
CHECK_MISSING_HOST and CHECK_HOST_DOMAINS: If enabled, checks HTTP Host
headers for anomalies, which can increase detection rates but may lead to more false positives.
USER_WHITELIST and USER_IGNORELIST: Paths to files with whitelisted entries or ignored events, allowing selective filtering of specific IPs or events.
Applies configurations globally across the sensor and server.
SHOW_DEBUG: When true
, enables detailed console output for debugging purposes.
LOG_DIR: Specifies the directory for log storage; $SYSTEM_LOG_DIR/maltrail
is a system path variable.
PROXY_ADDRESS: Optional proxy for external connections (e.g., fetching trails).
DISABLE_CHECK_SUDO: When true
, skips the check for sudo/administrator privileges, useful if permissions are set through CAP_NET_RAW
or similar.
TRAILS_FILE: Sets a custom path for trail storage, defaulting to ~/.maltrail/trails.csv
.
In Maltrail, you can configure it to display only malicious IPs or to include all IPs, depending on your needs. By default, Maltrail is designed to highlight suspicious or known malicious activities based on its trails (feeds) of IPs associated with malware, scanners, spam, and other types of unwanted activity. Here’s how to manage the display options:
To focus on malicious IPs, you can adjust the trail and filter configurations to only show IPs with identified malicious activity. Here are steps to configure it accordingly:
Filter Results for Non-Admin Users:
In the [Server]
section, use the ENABLE_MASK_CUSTOM
directive, which is already set to true
in your configuration. This masks custom trail names for non-admin users (UID >= 1000), so only malicious and suspicious IPs are shown. Ensure all users who should see all IPs are set with a UID lower than 1000.
ENABLE_MASK_CUSTOM true
Customizing Trail Filters:
Use the CAPTURE_FILTER
option to limit traffic to specific protocols or malicious traffic:
CAPTURE_FILTER udp or icmp or (tcp and (tcp[tcpflags] == tcp-syn or port 80 or port 1080 or port 3128 or port 8000 or port 8080 or port 8118))
This filter restricts the capture to specific protocols commonly associated with suspicious traffic.
Blacklist Rules:
Use BLACKLIST
rules if you want to further refine what IPs are considered malicious by creating filters that only log certain types of IPs or ports. For example:
BLACKLIST
src_ip !~ ^192.168. and dst_port ~ ^22$
This configuration restricts results to exclude internal network IPs (e.g., 192.168.x.x) and includes only those with suspicious destination ports (like SSH on port 22).
If you want to see all IPs, including those without malicious activity, you can:
Remove Filters:
Adjust the CAPTURE_FILTER
to capture all IPs without filtering:
CAPTURE_FILTER ip or ip6
Disable Specific Trails:
If you want to log all traffic but don’t want specific feeds marked as malicious, you can add them to DISABLED_FEEDS
:
DISABLED_FEEDS turris, ciarmy, policeman, myip, alienvault
This prevents trails from these specific feeds from flagging IPs as suspicious.
User-Specific Views:
Grant users the ability to see all IPs by setting their UID to less than 1000. This way, all IPs are displayed without the filtering applied for non-admins.
To focus on only malicious IPs, keep the ENABLE_MASK_CUSTOM
as true
, set appropriate CAPTURE_FILTER
and BLACKLIST
rules, and limit trails to those with confirmed malicious activity. For all IPs, relax the filtering options, disable trail-specific feeds if needed, and set user UIDs accordingly.