Miscellaneous
Basically, Maltrail is designed as an Intrusion Detection System (IDS): it only detects threats and takes no further action to block them.
Nevertheless, Maltrail provides a mechanism that allows it to be used as an Intrusion Prevention System (IPS) as well.
In the `[Server]` section of the configuration file `maltrail.conf` the user can find the option `FAIL2BAN_REGEX`. This option contains the regular expression (e.g. `attacker|reputation|potential[^"]*(web scan|directory traversal|injection|remote code|iot-malware download|spammer|mass scanner)`) that is used by the `/fail2ban` web call to extract today's attacker source IPs. Only events matching this expression contribute their source address, so tune it with care: every address that ends up in the list is going to be blocked by whatever consumes it.
This allows the usage of IP blocking mechanisms (e.g. `fail2ban`, `iptables` or `ipset`) by periodically pulling the blacklisted IP addresses from a remote location.
- Example (works in Linux systems only):

```bash
#!/bin/bash
# Pull today's attacker IPs from the local Maltrail server into an ipset and drop inbound traffic from them
ipset -q create maltrail hash:net
ipset -q flush maltrail
for ip in $(curl -s http://127.0.0.1:8338/fail2ban | grep -P '^[0-9.]+$'); do ipset -q add maltrail "$ip"; done
# add the DROP rule only once (-C checks for an identical rule); otherwise every run inserts another copy of it
iptables -C INPUT -m set --match-set maltrail src -j DROP 2>/dev/null || iptables -I INPUT -m set --match-set maltrail src -j DROP
```
Save this script as, for example, `/opt/maltrail/maltrail-ips.sh` and make it executable with the `chmod +x /opt/maltrail/maltrail-ips.sh` command.
This script could be run as a root cronjob on a per-minute basis:
- Open a bash shell terminal and run the `sudo crontab -eu root` command.
- Put the line `* * * * * /opt/maltrail/maltrail-ips.sh` into the file and save the current crontab configuration. (The per-user crontab opened by `crontab -e` has no user-name column; the extra `root` field belongs only in `/etc/crontab` and `/etc/cron.d/*`, where the line would read `* * * * * root /opt/maltrail/maltrail-ips.sh`.)
A systemd way (service plus timer unit) to run `/opt/maltrail/maltrail-ips.sh` periodically is described here.
Given: one system with the Maltrail server installed and a couple of client machines on which the Maltrail sensor is to be run.
- The Maltrail server is installed on the machine with IP `192.168.10.1`.
- The Maltrail sensors are on the machines with IPs `192.168.10.2`, `192.168.10.3` and `192.168.10.4` respectively.
Task: to build centralized log collection from all client machines with the Maltrail sensor installed to the Maltrail server.
Solution:
- On the server side (`192.168.10.1`) do:
  - In the `[Server]` section of the `maltrail.conf` configuration file activate the option `UDP_PORT 8337` by removing the comment sign `#`, and change the default `#UDP_ADDRESS 0.0.0.0` parameter to `UDP_ADDRESS 192.168.10.1`. Binding to the LAN-facing address instead of all interfaces keeps the log port off any other network the server is attached to; since UDP is connectionless and carries no authentication, additionally restrict access to port 8337 to the sensor addresses with host firewall rules.
  - Save the changes in the `maltrail.conf` configuration file and (re-)run the Maltrail server with the `python server.py` command.
- On the client side (`192.168.10.2`, `192.168.10.3` and `192.168.10.4`) do:
  - In the `[Sensor]` section of the `maltrail.conf` configuration file activate the option `LOG_SERVER 192.168.10.1:8337`.
  - Save the changes in the `maltrail.conf` configuration file and (re-)run the Maltrail sensor with the `python sensor.py` command on each machine.
Note: please be aware that only one line of the respective parameter works. Two or more lines of the same parameter won't work.
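Putting both sides of the procedure together, the relevant lines of the two configuration files look as follows. This is an added illustration assembled from the steps above, not a file shipped with Maltrail; all other options of the `[Server]` and `[Sensor]` sections are left out, and the commented-out lines show the duplicate-parameter mistake the note warns about.

```ini
# maltrail.conf on the server (192.168.10.1): [Server] section, only the lines this HOWTO touches
[Server]
UDP_PORT 8337
# 0.0.0.0 would accept sensor events on every interface; bind to the LAN-facing address only
UDP_ADDRESS 192.168.10.1

# maltrail.conf on each sensor host (192.168.10.2, 192.168.10.3, 192.168.10.4): [Sensor] section
[Sensor]
LOG_SERVER 192.168.10.1:8337
# WRONG: the same parameter given twice is not merged, keep exactly one line per parameter
#LOG_SERVER 192.168.10.1:8337
#LOG_SERVER 192.168.10.1:8338
```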
Maltrail has the functionality of analysing `.pcap` files via the sensor component.
What is a `.pcap` file itself? A `.pcap` file is a data file created by packet-capturing software; it contains the packet data of a network (traffic, status). This means that the data of any `.pcap` file can be checked for the possible presence of malicious network traffic trails.
The Maltrail sensor component has the special command-line parameter `-r`, which allows specifying the path to the target `.pcap` file that should be checked for the possible presence of malicious trails.
For demonstration purposes let's take a `.pcap` file which knowingly contains Remcos RAT signs: https://www.malware-traffic-analysis.net/2017/12/22/index.html
To present the results of the check, Maltrail is able to output them in the web GUI and/or the terminal console.
- Sensor web-GUI output
a) Run `sudo python3 sensor.py --offline -r /home/k_mikhail/2017-12-22-malspam-pushing-RemcosRAT.pcap`
In the web GUI one can see that Maltrail has successfully found the Remcos RAT control centre connections by their IP:port combination and dynamic DNS domain (`remcos (malware)` verdict), as well as some other domains that distribute malware (perhaps not only Remcos RAT, which is the reason for the generic `(malware)` verdict on them).
- Sensor terminal console output
b) Run `sudo python3 sensor.py --offline --console -r /home/k_mikhail/2017-12-22-malspam-pushing-RemcosRAT.pcap`
In the terminal console one can see that Maltrail has likewise found all the malicious signs mentioned above and written the respective information to the console.
Note: details of the CLI parameters used in this article are described in the CLI-management-for-Maltrail Wiki chapter.
- Summary
All considered variants of displaying the results of a `.pcap` file check are workable and could be used for redirecting to external tools for further parsing, analysis and storage.
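The two places above where the event output is consumed by something other than Maltrail itself, the `/fail2ban` extraction driven by `FAIL2BAN_REGEX` and the redirection of console results to external tools, both need the same thing: the event lines parsed into fields. The following script is an added example written for this page, not Maltrail's own code. It assumes an event line has the shape `"time" sensor src_ip src_port dst_ip dst_port proto trail_type trail "info" "reference"` and that the regular expression is matched against the verdict (`info`) field; neither assumption is stated on the page. The sample events, including the 198.51.100.0/24 and 203.0.113.0/24 "external" addresses, are constructed for the example and are not real captures.

```python
"""Parse Maltrail-style event lines and pick the attacker addresses that FAIL2BAN_REGEX selects.

Added example, not Maltrail's own code.  Assumptions NOT taken from the wiki page:
  * an event line consists of the fields
      "time" sensor src_ip src_port dst_ip dst_port proto trail_type trail "info" "reference"
    where quoted fields may contain spaces (shlex handles the quoting);
  * the regular expression is applied to the "info" (verdict) field;
  * the sample lines below are constructed for this example, they are not real captures.
"""
import ipaddress
import json
import re
import shlex

# Default FAIL2BAN_REGEX as quoted on the wiki page
FAIL2BAN_REGEX = (
    r'attacker|reputation|potential[^"]*(web scan|directory traversal|injection|'
    r'remote code|iot-malware download|spammer|mass scanner)'
)

FIELDS = ("time", "sensor", "src_ip", "src_port", "dst_ip", "dst_port",
          "proto", "trail_type", "trail", "info", "reference")

# Networks whose addresses must never end up in a DROP list (RFC 1918, i.e. your own hosts)
RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")

# Constructed sample events: two outside hosts (documentation range 198.51.100.0/24) probing a
# sensor host, one internal host talking to a made-up Remcos C2 address, one internal host
# scanning a neighbour.
SAMPLE_EVENTS = """\
"2017-12-22 14:01:02.000001" sensor1 192.168.10.2 49152 203.0.113.10 2404 TCP IP 203.0.113.10:2404 "remcos (malware)" (static)
"2017-12-22 14:01:03.000002" sensor1 198.51.100.7 55012 192.168.10.2 80 TCP HTTP /etc/passwd "potential directory traversal" (heuristic)
"2017-12-22 14:01:04.000003" sensor1 198.51.100.9 40000 192.168.10.2 22 TCP IP 198.51.100.9 "known attacker" (feed)
"2017-12-22 14:01:05.000004" sensor1 192.168.10.3 51000 192.168.10.2 8080 TCP HTTP /admin "potential web scan" (heuristic)
"2017-12-22 14:01:06.000005" sensor1 198.51.100.7 55013 192.168.10.2 80 TCP HTTP /index.php?id=1%27 "potential sql injection" (heuristic)
"""


def parse_event(line):
    """Split one event line into a dict; ports become ints, everything else stays a string."""
    parts = shlex.split(line)
    if len(parts) != len(FIELDS):
        raise ValueError("unexpected field count %d in: %s" % (len(parts), line))
    event = dict(zip(FIELDS, parts))
    event["src_port"] = int(event["src_port"])
    event["dst_port"] = int(event["dst_port"])
    return event


def parse_events(text):
    """Parse a block of event lines, skipping blank lines."""
    return [parse_event(line) for line in text.splitlines() if line.strip()]


def attacker_ips(events, regex=FAIL2BAN_REGEX, protected=RFC1918):
    """Return the sorted, de-duplicated source IPs of events whose verdict matches regex.

    The protected-network check is a safety measure added in this example: a "(malware)"
    event has the *victim* as its source, and a LAN-side scan has a LAN address as source.
    The default regex already leaves out the (malware) verdicts; the network filter catches
    anything else that would otherwise cut off one of your own machines.
    """
    pattern = re.compile(regex)
    nets = [ipaddress.ip_network(n) for n in protected]
    selected = set()
    for event in events:
        if not pattern.search(event["info"]):
            continue
        address = ipaddress.ip_address(event["src_ip"])
        if any(address in net for net in nets):
            continue
        selected.add(address)
    return [str(address) for address in sorted(selected)]


def to_json_lines(events):
    """Serialise events one JSON object per line, the form most log shippers and SIEMs ingest."""
    return "\n".join(json.dumps(event, sort_keys=True) for event in events)


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    print(to_json_lines(events))
    print("block these:", attacker_ips(events))
```

Run against the constructed sample, the script blocks only `198.51.100.7` and `198.51.100.9`: the `remcos (malware)` event is not selected by the regex at all (its source is the infected internal host), and the internal scanner `192.168.10.3` matches `potential web scan` but is dropped by the protected-network check. The JSON-lines form is what you would pipe into a log collector when redirecting console output to external tools.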