Introduction
Maltrail is a malicious traffic detection system, utilizing publicly available (black)lists containing malicious and/or generally suspicious trails, along with static trails compiled from various AV reports and custom user defined lists, where trail can be anything from domain name (e.g.
zvpprsensinaix.com for
Banjori malware), URL (e.g.
http://109.162.38.120/harsh02.exe for known malicious
executable), IP address (e.g.
185.130.5.231 for known attacker) or HTTP User-Agent header value (e.g.
sqlmap for automatic SQL injection and database takeover tool). Also, it uses (optional) advanced heuristic mechanisms that can help in discovery of unknown threats (e.g. new
malware).
 |
| Malicious Traffic Detection System. |
The following (black)lists (i.e. feeds) are being utilized:
alienvault, autoshun, badips, bambenekconsultingc2dns,
bambenekconsultingc2ip, bambenekconsultingdga, bitcoinnodes,
blocklist, botscout, bruteforceblocker, ciarmy, cruzit,
cybercrimetracker, deepviz, dataplanesipinvitation,
dataplanesipquery, dataplane, dshielddns, dshieldip,
emergingthreatsbot, emergingthreatscip, emergingthreatsdns,
feodotrackerdns, malwaredomainlist, malwaredomains, malwarepatrol,
maxmind, myip, nothink, openbl, openphish, packetmailcarisirt,
packetmailramnode, palevotracker, policeman, proxylists, proxyrss,
proxy, ransomwaretrackerdns, ransomwaretrackerip,
ransomwaretrackerurl, riproxies, rutgers, sblam, securityresearch,
snort, socksproxy, sslipbl, sslproxies, torproject, torstatus,
turris, urlvir, voipbl, vxvault, zeustrackerdns, zeustrackerip,
zeustrackermonitor, zeustrackerurl, etc.
As of static entries, the trails for the following malicious entities (e.g. malware C&Cs or sinkholes) have been manually included (from various AV reports and personal research):
aboc, adwind, alienspy, almalocker, alureon, android_acecard,
android_adrd, android_alienspy, android_arspam,
android_backflash, android_basebridge, android_boxer,
android_chuli, android_claco, android_coolreaper,
android_counterclank, android_cyberwurx, android_dendoroid,
android_dougalek, android_droidjack, android_droidkungfu,
android_enesoluty, android_ewalls, android_exprespam,
android_fakebanco, android_fakedown, android_fakeinst,
android_fakelog, android_fakemart, android_fakemrat,
android_fakeneflic, android_fakesecsuit, android_feabme,
android_flexispy, android_frogonal, android_geinimi,
android_ghostpush, android_ginmaster, android_gmaster,
android_godwon, android_golddream, android_gonesixty,
android_ibanking, android_kemoge, android_lockdroid,
android_lovetrap, android_maistealer, android_maxit,
android_oneclickfraud, android_opfake, android_ozotshielder,
android_pikspam, android_pjapps, android_qdplugin,
android_repane, android_roidsec, android_samsapo,
android_sandorat, android_selfmite, android_simplocker,
android_skullkey, android_sndapps, android_spytekcell,
android_stealer, android_stels, android_teelog, android_tetus,
android_tonclank, android_torec, android_uracto,
android_usbcleaver, android_walkinwat, android_windseeker,
android_zertsecurity, androm, andromem, angler, anuna, arec,
aridviper, artro, autoit, avalanche, avrecon, axpergle, babar,
bachosens, badblock, balamid, bamital, bankapol, bankpatch,
banloa, banprox, bayrob, bedep, blackenergy, blackvine,
blockbuster, bredolab, bubnix, bucriv, buterat, camerashy,
carbanak, carberp, careto, casper, cerber, changeup, chanitor,
chekua, cheshire, chewbacca, chisbur, cleaver, cloud_atlas,
conficker, contopee, copykittens, corebot, cosmicduke,
couponarific, criakl, cridex, crilock, cryakl, cryptinfinite,
cryptodefense, cryptolocker, cryptowall, ctblocker, cutwail,
darkhotel, defru, desertfalcon, destory, dnschanger,
dnsmessenger, dnstrojan, dorifel, dorkbot, drapion, dridex,
dukes, dursg, dyreza, elf_aidra, elf_billgates, elf_darlloz,
elf_ekoms, elf_fysbis, elf_groundhog, elf_hacked_mint,
elf_mayhem, elf_mokes, elf_pinscan, elf_rekoobe, elf_shelldos,
elf_sshscan, elf_themoon, elf_turla, elf_xnote, elf_xorddos,
elpman, emogen, emotet, equation, evilbunny, ewind, expiro,
fakeav, fakeran, fantom, fareit, fbi_ransomware, fiexp,
fignotok, fin4, finfisher, fraudload, fynloski, fysna, gamarue,
gauss, gbot, generic, golroted, gozi, groundbait, harnig,
hawkeye, helompy, hiloti, hinired, htran, immortal, injecto,
ios_keyraider, ios_muda, ios_oneclickfraud, ios_specter,
ismdoor, jenxcus, kegotip, keydnap, kingslayer, kolab,
koobface, korgo, korplug, kovter, kradellsh, kulekmoko,
lazarus, locky, lollipop, lotus_blossom, luckycat, majikpos,
malwaremustdie, marsjoke, mdrop, mebroot, mestep, mhretriev,
miniduke, misogow, modpos, morto, nanocor, nbot, necurs,
nemeot, neshuta, nettraveler, netwire, neurevt, nexlogger,
nivdort, nonbolqu, nuqel, nwt, nymaim, odcodc, oficla, onkods,
optima, osx_keranger, osx_keydnap, osx_salgorea,
osx_wirelurker, palevo, pdfjsc, pegasus, pepperat, phytob,
picgoo, pift, plagent, plugx, ponmocup, poshcoder, potao,
powelike, proslikefan, pushdo, pykspa, qakbot, quasar, ramnit,
ransirac, reactorbot, redoctober, redsip, remcos, renocide,
reveton, revetrat, rovnix, runforestrun, russian_doll, rustock,
sakurel, sality, satana, sathurbot, scarcruft, scarletmimic,
scieron, seaduke, sednit, sefnit, selfdel, shifu, shylock,
siesta, silentbrute, silly, simda, sinkhole_abuse,
sinkhole_anubis, sinkhole_arbor, sinkhole_bitdefender,
sinkhole_blacklab, sinkhole_botnethunter, sinkhole_certgovau,
sinkhole_certpl, sinkhole_checkpoint, sinkhole_cirtdk,
sinkhole_conficker, sinkhole_cryptolocker, sinkhole_drweb,
sinkhole_dynadot, sinkhole_dyre, sinkhole_farsight,
sinkhole_fbizeus, sinkhole_fitsec, sinkhole_fnord,
sinkhole_gameoverzeus, sinkhole_georgiatech, sinkhole_gladtech,
sinkhole_honeybot, sinkhole_kaspersky, sinkhole_microsoft,
sinkhole_rsa, sinkhole_secureworks, sinkhole_shadowserver,
sinkhole_sidnlabs, sinkhole_sinkdns, sinkhole_sofacy,
sinkhole_sugarbucket, sinkhole_tech, sinkhole_unknown,
sinkhole_virustracker, sinkhole_wapacklabs, sinkhole_zinkhole,
skeeyah, skynet, skyper, smsfakesky, snake, snifula, snort,
sockrat, sofacy, sohanad, spyeye, stabuniq, stonedrill,
stuxnet, synolocker, tdss, teamspy, teerac, teslacrypt,
themida, tibet, tinba, torpig, torrentlocker, troldesh, turla,
unruy, upatre, utoti, vawtrak, vbcheman, vinderuf, virtum,
virut, vittalia, vobfus, volatilecedar, vundo, waledac,
waterbug, wecorl, wndred, xadupi, xcodeghost, xtrat, yenibot,
yimfoca, zaletelly, zcrypt, zemot, zeroaccess, zeus, zherotee,
zlader, zlob, zombrari, zxshell, etc.
Architecture
Maltrail is based on the
Traffic -> Sensor <-> Server <-> Client architecture.
Sensor(s) is a standalone component running on the monitoring node (e.g. Linux platform connected passively to the SPAN/mirroring port or transparently inline on a Linux bridge) or at the standalone machine (e.g. Honeypot) where it "monitors" the
passing Traffic for blacklisted items/trails (i.e. domain names, URLs and/or IPs). In case of a positive match, it sends the event details to the (central) Server where they are being stored inside the appropriate logging directory (i.e. LOG_DIR described in the Configuration section). If Sensor is being run on the same machine as Server (default configuration), logs are stored directly into the local logging directory. Otherwise, they are being sent via UDP messages to the remote server (i.e. LOG_SERVER described in the Configuration section).
Server's primary role is to store the event details and provide back-end support for the reporting web application. In default configuration, server and sensor will run on the same machine. So, to prevent potential disruptions in sensor activities, the front-end reporting part is based on the "
Fat client" architecture (i.e. all data post-processing is being done inside the client's web browser instance). Events (i.e. log entries) for the chosen (24h) period are transferred to the Client, where the reporting web application is solely responsible for the presentation part. Data is sent toward the client in compressed chunks, where they are processed sequentially. The final report is created in a highly condensed form, practically allowing presentation of virtually unlimited number of events.
Note: Server component can be skipped altogether, and just use the standalone Sensor. In such case, all events would be stored in the local logging directory, while the log entries could be examined either manually or by some CSV reading application.
Quick start
The following set of commands should get your Maltrail Sensor up and running (out of the box with default settings and monitoring interface "any"):
sudo apt-get install git python-pcapy
git clone https://github.com/stamparm/maltrail.git
cd maltrail
sudo python sensor.py
To start the (optional) Server on same machine, open a new terminal and execute the following:
[[ -d maltrail ]] || git clone https://github.com/stamparm/maltrail.git
cd maltrail
python server.py
To test that everything is up and running execute the following:
ping -c 1 136.161.101.53
cat /var/log/maltrail/$(date +"%Y-%m-%d").log
To stop Sensor and Server instances (if running in background) execute the following:
sudo pkill -f sensor.py
pkill -f server.py
Access the reporting interface (i.e. Client) by visiting the
http://127.0.0.1:8338 (default credentials:
admin:changeme!) from your web browser:
 |
| Malicious Traffic Detection System 101Scratch |
