Maltrail Documentation

Malicious Traffic Detection System

Open-source network security monitoring tool

Maltrail is an open-source malicious traffic detection system developed by Miroslav Stampar. Aimed at network administrators and security analysts, it detects and helps analyse suspicious or malicious traffic by matching it against known indicators ("trails") from public feeds and custom lists and, optionally, against built-in heuristics.

Key Features

  • Threat Intelligence Sources: combines public blacklists (feeds) with custom, locally defined trails
  • Traffic Monitoring: real-time capture and inspection of network traffic
  • Behavioral Analysis: flags suspicious behaviour such as port scanning and other anomalous traffic patterns
  • Web-Based Interface: dashboard for browsing, filtering and visualising alerts
  • Anomaly Detection: heuristics catch threats that appear in no feed

Components

1. sensor.py

The network traffic capture and analysis component:

  • Captures and inspects packets on the configured interface
  • Checks traffic against trails (IOCs) drawn from multiple feeds and custom lists
  • Writes detected events to daily log files in LOG_DIR and can forward them over the network to the server
  • Regularly refreshes trails from the configured feeds

Running sensor.py

sudo python3 sensor.py

Root (or at least CAP_NET_RAW) is required because the sensor captures raw packets.

2. server.py

The web interface and log management component:

  • Serves the web dashboard at http://<server_ip>:8338
  • Collects and displays events reported by one or more sensors
  • Authenticates users against the USERS entries in the configuration
  • Filters and sorts alerts by severity

Running server.py

sudo python3 server.py

The server itself does not need root: port 8338 is unprivileged, so it can run as a dedicated user (root is only needed if you bind a port below 1024).

Configuration

[Server] Section

Configures the reporting server and web interface:

  • HTTP_ADDRESS: listening IP (0.0.0.0 binds all interfaces; prefer a management address)
  • HTTP_PORT: web interface port (default: 8338)
  • USERS: one entry per line in the form username:sha256(password):UID:filter_netmask(s); UID 0 is admin, and the netmask(s) restrict which events a non-admin user can see
  • ENABLE_MASK_CUSTOM: masks the names of custom trails for non-admin users
  • IP_ALIASES: assigns readable names to IP addresses

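The USERS format above is easy to get wrong by hand (a plaintext password in the hash field silently locks the account out). The following is an added example, not Maltrail's own code: it builds entries in the documented username:sha256(password):UID:filter_netmask(s) layout, generates a random replacement for the shipped admin password, and models the per-user netmask filter. The event_visible() function is a simplified re-implementation written for illustration, including the assumption that a non-admin entry with an empty netmask field is unrestricted; the project's actual filter logic may differ in details.

```python
"""Build USERS entries for maltrail.conf and model their per-user filtering.

Added example, not part of Maltrail. The entry layout
username:sha256(password):UID:filter_netmask(s) is the one maltrail.conf
documents; event_visible() is a simplified re-implementation of the server's
netmask filter written for illustration, not the project's own code.
"""
import hashlib
import ipaddress
import secrets
from typing import Iterable, List, Tuple

ADMIN_UID = 0  # UID 0 marks an admin account in Maltrail


def users_entry(username: str, password: str, uid: int,
                netmasks: Iterable[str] = ()) -> str:
    """Return one USERS line; netmasks are CIDR strings (empty = no filter)."""
    if ":" in username or not username:
        raise ValueError("username must be non-empty and must not contain ':'")
    # Validate and normalise the netmasks early so a typo fails here, not at login.
    masks = [str(ipaddress.ip_network(m, strict=False)) for m in netmasks]
    digest = hashlib.sha256(password.encode("utf-8")).hexdigest()
    return f"{username}:{digest}:{uid}:{','.join(masks)}"


def new_admin_entry(username: str = "admin") -> Tuple[str, str]:
    """Replace the shipped admin:changeme! entry with a random password.

    Returns (password, entry); the password is shown once and never stored."""
    password = secrets.token_urlsafe(24)
    return password, users_entry(username, password, ADMIN_UID)


def parse_users_entry(line: str) -> Tuple[str, str, int, List[str]]:
    """Split an entry into (username, sha256 digest, uid, [netmasks])."""
    name, digest, uid, masks = line.strip().split(":", 3)
    nets = [m.strip() for m in masks.split(",") if m.strip()]
    return name, digest, int(uid), nets


def check_password(line: str, candidate: str) -> bool:
    """Constant-time comparison of a candidate password against the stored digest."""
    _, digest, _, _ = parse_users_entry(line)
    cand = hashlib.sha256(candidate.encode("utf-8")).hexdigest()
    return secrets.compare_digest(digest, cand)


def event_visible(line: str, src_ip: str, dst_ip: str) -> bool:
    """Simplified model (assumption): admins see every event, other users only
    events whose source or destination falls inside one of their netmasks."""
    _, _, uid, nets = parse_users_entry(line)
    if uid == ADMIN_UID or not nets:
        return True
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(src in ipaddress.ip_network(n, strict=False)
               or dst in ipaddress.ip_network(n, strict=False) for n in nets)


if __name__ == "__main__":
    pw, entry = new_admin_entry()
    print("admin password (store it in your password manager):", pw)
    print(entry)
    # A non-admin analyst limited to two internal ranges.
    print(users_entry("analyst", "replace-me", 1000, ["10.0.0.0/8", "192.168.0.0/16"]))
```

Paste the printed lines under the USERS key in maltrail.conf, one entry per indented line, and remove the shipped admin entry in the same step.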
[Sensor] Section

Configures traffic capture and detection:

  • PROCESS_COUNT: number of packet-processing processes
  • MONITOR_INTERFACE: interface to capture on (any for all interfaces)
  • CAPTURE_FILTER: BPF expression limiting which packets are captured
  • USE_HEURISTICS: enables behaviour-based detection in addition to trail matching
  • USER_WHITELIST: path to a file of hosts and domains that should never raise events (renamed USER_IGNORELIST in newer releases)

[All] Section

Settings shared by sensor and server:

  • LOG_DIR: directory where event logs are stored
  • PROXY_ADDRESS: HTTP proxy used for outbound connections such as feed updates
  • TRAILS_FILE: path of the compiled trails file

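Before deploying, it is worth checking the configuration for the settings most often left at their shipped values. The script below is an added example, not part of Maltrail: it parses the [Section] / KEY value layout that maltrail.conf uses (treating indented lines as continuation values of the preceding key, which is how the shipped USERS block is laid out; the real parser's exact rules are an assumption here) and reports findings on the keys described in the three sections above. The sample configuration inside it is constructed for the example, with the admin digest computed from the shipped default password changeme!.

```python
"""Audit a maltrail.conf for weak settings.

Added example, not part of Maltrail. The parser follows the 'KEY value'
layout of maltrail.conf; the continuation-line rule is an assumption.
"""
import hashlib
from typing import Dict, List, Tuple

DEFAULT_ADMIN_PASSWORD = "changeme!"  # password maltrail.conf ships with
DEFAULT_HASH = hashlib.sha256(DEFAULT_ADMIN_PASSWORD.encode()).hexdigest()

# Constructed sample in maltrail.conf's layout: '[Section]' headers,
# 'KEY value' lines, '#' comments, USERS entries indented under their key.
SAMPLE_CONF = f"""
[Server]
HTTP_ADDRESS 0.0.0.0
HTTP_PORT 8338
USERS
    admin:{DEFAULT_HASH}:0:                     # changeme!
    analyst:{hashlib.sha256(b'S0me-l0ng-pass').hexdigest()}:1000:10.0.0.0/8
ENABLE_MASK_CUSTOM true

[Sensor]
MONITOR_INTERFACE any
USE_HEURISTICS false

[All]
LOG_DIR /var/log/maltrail
"""

Config = Dict[str, Dict[str, List[str]]]


def parse_conf(text: str) -> Config:
    """Parse into {section: {KEY: [values]}}; indented lines extend the previous key."""
    conf: Config = {}
    section, last_key = "", None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # strip trailing comments
        if not line.strip():
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            conf.setdefault(section, {})
            last_key = None
            continue
        if line[0].isspace() and last_key is not None:
            conf[section][last_key].append(line.strip())
            continue
        parts = line.split(None, 1)
        key, value = parts[0], (parts[1] if len(parts) > 1 else "")
        values = conf.setdefault(section, {}).setdefault(key, [])
        if value:
            values.append(value)
        last_key = key
    return conf


def audit(conf: Config) -> List[Tuple[str, str]]:
    """Return (code, message) findings for the settings a reviewer would question."""
    findings: List[Tuple[str, str]] = []
    server, sensor = conf.get("Server", {}), conf.get("Sensor", {})

    if (server.get("HTTP_ADDRESS") or [""])[0] == "0.0.0.0":
        findings.append(("HTTP_ADDRESS", "web interface listens on all interfaces; "
                         "bind a management address or front it with a TLS reverse proxy"))

    users = server.get("USERS", [])
    if not users:
        findings.append(("NO_USERS", "no USERS entries; nobody can log in"))
    admins = 0
    for entry in users:
        fields = entry.split(":", 3)
        if len(fields) != 4:
            findings.append(("USERS_FORMAT", f"malformed USERS entry: {entry!r}"))
            continue
        name, digest, uid, _netmasks = fields
        if digest == DEFAULT_HASH:
            findings.append(("DEFAULT_PASSWORD",
                             f"user {name!r} still uses the shipped default password"))
        if uid == "0":
            admins += 1
    if admins > 1:
        findings.append(("MANY_ADMINS", f"{admins} accounts have UID 0 (admin)"))

    if (sensor.get("USE_HEURISTICS") or ["true"])[0].lower() == "false":
        findings.append(("HEURISTICS_OFF",
                         "USE_HEURISTICS is false; only feed-based trails will fire"))
    return findings


if __name__ == "__main__":
    for code, msg in audit(parse_conf(SAMPLE_CONF)):
        print(f"[{code}] {msg}")
```

Run it against a real file with parse_conf(open("/etc/maltrail/maltrail.conf").read()); the sample produces three findings (exposed listener, default admin password, heuristics off), which is exactly the state a fresh install is in once someone flips USE_HEURISTICS off.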
Display Options

Show Only Malicious IPs

Maltrail only ever lists traffic that matched a trail or a heuristic, so "only malicious" is about narrowing further:

  1. Give each non-admin user a filter netmask in its USERS entry (fourth field); that user then sees only events involving those networks
  2. Narrow CAPTURE_FILTER so the sensor inspects only the traffic you care about
  3. Put known-good hosts in the USER_WHITELIST file so they stop raising events

Show All IPs

  1. Use a broad capture filter, e.g. CAPTURE_FILTER ip or ip6 (expect more load on the sensor)
  2. Keep DISABLED_FEEDS short so that as few sources as possible are excluded
  3. Log in as an admin user (UID 0), which is not subject to per-user netmask filtering

Note: the default web-interface credentials are admin:changeme! (the shipped USERS entry carries the sha256 of changeme!). Replace that entry before exposing the server, and bind HTTP_ADDRESS to a management address rather than 0.0.0.0.