CLI management for Maltrail - stamparm/maltrail GitHub Wiki

Usually, command line interface (CLI) is needed to get Maltrail's modules (sensor and server) started: python sensor.py and python server.py respectively.

But sometimes user/admin may ask himself: Can I start Maltrail with some parameteres, which would change its default behaviour?.

And the answer is here: Yes, sure!. Both of basic Maltrail's modules support CLI management.

Maltrail server

Server part of Maltrail is just a reciever/collector of events from sensor(s) and a tool for displaying of collected events. So, basicly, there is not many parameters to have. Main one is -c, that allows to define path to maltrail.conf configuration file, if it is not by its default place (Maltrail directory).

Maltrail (server) #v0.44 {https://maltrail.github.io}

Usage: server.py [options]

Options:
  --version       show program's version number and exit
  -h, --help      show this help message and exit
  -c config_file  configuration file (default: 'maltrail.conf')

Maltrail sensor

Pretty another deal is Maltrail sensor. This module is responsible for parsing network traffic for matches of detection patterns for malicious entries (trails). And this means, that sensor should have more wide row of parameteres it could run with.

Maltrail (sensor) #v0.44 {https://maltrail.github.io}

Usage: sensor.py [options]

Options:
  --version          show program's version number and exit
  -h, --help         show this help message and exit
  -c config_file     configuration file (default: 'maltrail.conf')
  -r pcap_file       pcap file for offline analysis
  -p plugins         plugin(s) to be used per event
  -q, --quiet        turn off regular output
  --console          print events to console
  --offline          disable (online) trail updates

Most interesting parameters are:

--offline: in this mode sensor will work with its static trails only, without fetching onilne updates for its feeds of public lists.

--console: in this mode sensor will print its output to console instead of web-GUI. Can be useful for servers, where window managers (KDE, GNOME, XFCE etc) are not in use or even absent at all.

-q, --quiet: in this mode sensor will supress regular output (e.g. process of fetching onilne updates/feeds).

-r: this parameter allows to perform offline analysis of external .pcap files for matches of detection patterns for malicious entries (trails). Example of suchlike analysis can be found here.

-p: this parameter allows to use external plugins for sensor's work. Plugins are avaliable in /maltrail/tree/master/plugins.

• Example of applying Maltrail's strings plugin in real time : https://twitter.com/seguridadyredes/status/1100124158384586753

-c, that allows to define path to maltrail.conf configuration file, if it is not by its default place (Maltrail directory).

Note: Parameters -c , -p, -q, --quiet, -r, --console, --offline can be used simultaneously.