Detect malicious traffic with MalTrail in Linux


Maltrail is a malicious traffic detection system. It uses publicly available (black)lists of malicious or generally suspicious trails, static trails compiled from various AV reports, and custom user-defined lists. A trail can be anything from a domain name, URL or IP address to an HTTP User-Agent header value (e.g. sqlmap, the automatic SQL injection and database takeover tool). It also offers optional advanced heuristic mechanisms that can help discover unknown threats (e.g. new malware).

Features

  • Uses multiple public blacklists (alienvault, autoshun, badips, sblam etc.)
  • Has extensive static trails for identification (domain names, URLs, IP addresses or User-Agent values)
  • Optional heuristic mechanisms for detection of unknown threats
  • Based on Traffic -> Sensor <-> Server <-> Client Architecture
  • Web reporting interface

MalTrail needs Python Pcapy; install it first and then clone the repository:

For Debian/Ubuntu distros:

sudo apt install python-pcapy

For RedHat/Fedora distros:

sudo dnf install pcapy

Now clone the repository from GitHub:

git clone https://github.com/stamparm/maltrail.git

Start the sensor:

cd maltrail; sudo python sensor.py

It downloads and updates its trail data on the first run.

Let's gear up the server!

You can install MalTrail on another computer to act as the server or you can use the same computer for both services.

Start the server with:

sudo python server.py

Your computer will now be listening on TCP port 8338.

Let's get started with the interface!

Open your browser and navigate to http://127.0.0.1:8338.

Oh yeah!!! Make sure to change the default ‘admin:changeme!’ credentials. Any malicious traffic detected by the sensor is automatically logged and shown here.
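The steps above (install pcapy, clone, start the sensor and server, check port 8338, replace the default credentials) wrapped into a small shell script. This is an added example written for this post, not code from the Maltrail project. It assumes the USERS entries in Maltrail's maltrail.conf take the form username:sha256(password):UID:netmask (check the shipped maltrail.conf before pasting the generated line in); the MALTRAIL_DIR variable and the function names are my own.

```shell
#!/usr/bin/env bash
# Added example: the post's install/run procedure as checked functions.
# Assumption (not from the post): maltrail.conf USERS lines look like
#   username:sha256(password):UID:netmask
set -u

MALTRAIL_DIR="${MALTRAIL_DIR:-$HOME/maltrail}"
MALTRAIL_PORT=8338

# Pick the pcapy package command for a distro family (ID from /etc/os-release).
pcapy_install_cmd() {
    case "$1" in
        debian|ubuntu)      echo "sudo apt install python-pcapy" ;;
        fedora|rhel|centos) echo "sudo dnf install pcapy" ;;
        *)                  return 1 ;;
    esac
}

# Build a replacement USERS entry for maltrail.conf: the password is stored
# as its SHA-256 hex digest (assumed to match the default 'admin' entry).
maltrail_user_entry() {
    local user="$1" pass="$2" uid="${3:-0}" netmask="${4:-}"
    local hash
    hash=$(printf '%s' "$pass" | sha256sum | cut -d' ' -f1)
    printf '%s:%s:%s:%s\n' "$user" "$hash" "$uid" "$netmask"
}

# Succeed when something is listening on the reporting port.
server_listening() {
    ss -ltn 2>/dev/null | grep -q ":${1:-$MALTRAIL_PORT} "
}

# The whole procedure from the post: install, clone, start sensor and server,
# then wait until the reporting interface is reachable.
install_and_run() {
    . /etc/os-release
    cmd=$(pcapy_install_cmd "$ID") || { echo "unsupported distro: $ID" >&2; return 1; }
    $cmd
    [ -d "$MALTRAIL_DIR" ] || git clone https://github.com/stamparm/maltrail.git "$MALTRAIL_DIR"
    cd "$MALTRAIL_DIR" || return 1
    sudo python sensor.py &     # first run downloads the trail lists
    sudo python server.py &
    for _ in 1 2 3 4 5 6 7 8 9 10; do
        server_listening && return 0
        sleep 1
    done
    echo "server did not come up on port $MALTRAIL_PORT" >&2
    return 1
}

# Run the procedure only when asked explicitly: ./maltrail-setup.sh run
if [ "${1:-}" = "run" ]; then
    install_and_run
    echo "Now replace the default admin line in maltrail.conf with, e.g.:"
    maltrail_user_entry admin "$(openssl rand -base64 18)"
fi
```

The generated line replaces the shipped admin entry in maltrail.conf; restart server.py afterwards so the new credentials are loaded. Calling the functions without the run argument lets you check the distro mapping or hash a password without touching the system.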

You are ready to keep an eye on your system now!

Use your computer in the usual way for a while, making sure the sensor keeps running. Connect to the reporting interface from time to time to see whether anything has been triggered.

Have Phun!
