Maltrail trails structure
Mikhail Kasimov edited this page Oct 2, 2022 · 1 revision
This article describes the structure of Maltrail's trails.

Globally, Maltrail contains two types of trails bases:

- baseline, which contain information (IoCs) about malicious network activity;
- auxiliary, which contain additional information that helps to identify suspicious network behavior.

Baseline trails are placed in the /maltrail/trails/ folder by default:

- custom -- contains all static user-side manual trails that are not included in Maltrail's upstream.
- feeds -- contains scripts that manage utilizing publicly available (black)lists with malicious and/or generally suspicious trails.
- static -- contains Maltrail's regularly updated static files with IoCs of malicious network activity.

In turn, all static trails are classified as malicious, malware and suspicious:

- malicious -- contains information about network IoCs related to script-based attacks, compromised content management systems (CMS), specific frameworks that can be used as a part of an entire network attack, control panel connections, etc.
- malware -- contains information about network IoCs related to various malware-based attacks: command and control (C&C) connections for stealers, worms, trojans, etc.
- suspicious -- contains information about network IoCs related to potentially unwanted applications (PUA), adware, crypto-mining connections, unusual domain connections, etc.

The informational static trails mass_scanner.txt and mass_scanner_cidr.txt do not belong to any of the listed classes:

- mass_scanner.txt -- contains information about IP addresses registered for scanning service purposes on the Internet.
- mass_scanner_cidr.txt -- contains information about classless inter-domain routing (CIDR) IP ranges registered for scanning service purposes on the Internet.

Auxiliary trails are placed in the /maltrail/misc/ folder by default:

- bogon_ranges.txt -- contains information about bogon IP address ranges that are not assigned to any entity by the Internet Assigned Numbers Authority (IANA) or a Regional Internet Registry (RIR).
- cdn_ranges.txt -- contains information about IP ranges of content delivery networks (CDN).
- ua.txt -- contains information for detecting unusual strings in the User-Agent field of HTTP requests.
- whitelist.txt -- contains whitelisted trails. Helps to avoid false positives.
- worst_asns.txt -- contains information about IP ranges of autonomous system numbers (ASN) that have a bad reputation based on the amount of malicious activity hosted on the AS.
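As an added example (not Maltrail's own code), the following Python script walks a tree laid out as described above, labels every file by its class from its path, and resolves observed trails against the loaded bases: whitelist.txt first, then exact matches in the three static classes, then CIDR matching against the range lists. The directory layout follows this page; the one-entry-per-line, `#`-comment file format, the check order, and all sample entries are assumptions constructed for the example (documentation-range IPs and .example hosts, not real IoCs). The real file format is documented on the separate "Maltrail trails base format" page.

```python
"""Inventory a Maltrail-style trails tree and resolve trails against it.
Added example, not Maltrail's own code: the layout follows this wiki page, while
the file format ('#' comments, one entry per line) and all entries are assumptions."""
import ipaddress
import os
import tempfile

STATIC_CLASSES = ("malicious", "malware", "suspicious")
INFORMATIONAL = ("mass_scanner.txt", "mass_scanner_cidr.txt")
AUXILIARY = ("bogon_ranges.txt", "cdn_ranges.txt", "ua.txt",
             "whitelist.txt", "worst_asns.txt")
RANGE_LISTS = ("mass_scanner_cidr.txt", "bogon_ranges.txt", "cdn_ranges.txt")

# Constructed sample tree: documentation ranges and .example hosts, not real IoCs.
SAMPLE_TREE = {
    "trails/static/malware/example_stealer.txt":
        "c2.example # example stealer C&C\n203.0.113.5 # example C&C IP\n",
    "trails/static/suspicious/example_pua.txt":
        "updates.pua.example # example PUA update host\n",
    "trails/static/mass_scanner_cidr.txt":
        "198.51.100.0/24 # example scanning service\n",
    "misc/whitelist.txt": "updates.pua.example # known-good in this network\n",
    "misc/bogon_ranges.txt": "240.0.0.0/4 # reserved, never routed\n",
}


def write_sample_tree(root):
    """Materialise SAMPLE_TREE under root so the loader walks real files."""
    for rel, body in SAMPLE_TREE.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)


def parse_trail_file(path):
    """Yield (trail, info) pairs; assumed format: one entry per line, '#' starts a comment."""
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            entry, _, info = line.partition("#")
            entry = entry.strip()
            if entry:
                yield entry, info.strip()


def classify(rel):
    """Map a path relative to the Maltrail root to the class this page documents.
    Static class directories and trails/custom, trails/feeds map to their directory
    name; informational and auxiliary files map to their file name; else 'misplaced'."""
    parts = rel.split("/")
    if parts[:2] == ["trails", "static"]:
        if len(parts) == 4 and parts[2] in STATIC_CLASSES:
            return parts[2]
        if len(parts) == 3 and parts[2] in INFORMATIONAL:
            return parts[2]
        return "misplaced"
    if len(parts) >= 3 and parts[0] == "trails" and parts[1] in ("custom", "feeds"):
        return parts[1]
    if len(parts) == 2 and parts[0] == "misc" and parts[1] in AUXILIARY:
        return parts[1]
    return "misplaced"


def load_trails(root):
    """Return {class: {trail: info}} for every trail file under root."""
    index = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            bucket = index.setdefault(classify(rel), {})
            for trail, info in parse_trail_file(full):
                bucket[trail] = info
    return index


def lookup(trail, index):
    """Resolve one observed trail: whitelist, exact static match, then range lists.
    The check order is this example's own choice, not a statement about Maltrail."""
    if trail in index.get("whitelist.txt", {}):
        return "whitelisted"
    for cls in STATIC_CLASSES:
        if trail in index.get(cls, {}):
            return cls
    try:
        addr = ipaddress.ip_address(trail)
    except ValueError:
        return "unknown"  # a domain with no exact match
    for cls in RANGE_LISTS:
        for cidr in index.get(cls, {}):
            try:
                if addr in ipaddress.ip_network(cidr, strict=False):
                    return cls
            except ValueError:
                continue  # skip entries that are not CIDR notation
    return "unknown"


def demo():
    """Build the sample tree in a temp dir and resolve a few constructed trails."""
    probes = ("c2.example", "203.0.113.5", "198.51.100.7", "240.1.2.3",
              "updates.pua.example", "benign.example")
    with tempfile.TemporaryDirectory() as root:
        write_sample_tree(root)
        index = load_trails(root)
        return {probe: lookup(probe, index) for probe in probes}


if __name__ == "__main__":
    for probe, verdict in demo().items():
        print(f"{probe:24} -> {verdict}")
```

The `misplaced` label is the part worth keeping when preparing a contribution: a static file that is not under malicious/, malware/ or suspicious/ and is not one of the two informational files, or a misc/ file with an undocumented name, shows up immediately. Resolving the PUA host as `whitelisted` even though it also sits in a suspicious trail illustrates why whitelist.txt is kept separate from the baseline classes.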