Maltrail trails base format - stamparm/maltrail GitHub Wiki

This article describes the Maltrail trails-base format.

Maltrail has several types of trail bases, each containing information about signs of malicious network activity. All of them share the same format: plain text. This is done to keep their content simple to read, understand and update.

Operational fields

Figure: Trails-base format

1: (Required) Header field, which contains Maltrail's copyright and license information. Applies to all detection trails. Must be placed at the start of the trail file.

2: (Optional) Aliases field, which lists aliases of the malware, if any apply. Useful for additional identification of malware names. Should be placed after the Header field.

3: (Required) Body of the trail, which contains the signs of malicious network activity for the specific malware. Must be placed after the Header field if the Aliases field is absent.

Note: Lines starting with # and empty lines are ignored during processing; they serve as comments and separators respectively. The best practice is to use empty lines to separate all operational fields from each other.

Optional fields

Optional fields are used to hold generic signs related to a specific trail.

These can be:

  • Specific part(s) of URL.
  • Specific filename(s), which can increase the chance for correct identification of malware-family name.

They can generally be placed in any part of the trail, but the best practice is to keep them at the end as dedicated section(s), after all records belonging to the body of the trail.

The section name can be arbitrary, but it must be a #-signed string (e.g. # Generic, # Generic signs, # Misc., etc).
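As an added illustration of the layout described above (this is example code, not part of the Maltrail project), the following parser splits a trail file into its Header, Aliases, Body and optional generic sections, enforcing that the header comes first and that the body is non-empty. The sample trail is constructed for this example; the `# Aliases:` comment syntax, the rule that any other comment line after the header names a section, and the record classification are assumptions made here, not rules stated by the wiki.

```python
"""Parse a Maltrail-style plain-text trail file into its fields (added example)."""

import ipaddress
from dataclasses import dataclass, field

# Constructed sample trail for this example; not a real Maltrail trail file.
SAMPLE_TRAIL = """\
# Copyright (c) Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: examplebot, example_rat

malicious-c2.example
203.0.113.10
198.51.100.0/24

# Generic

/gate.php
/panel/admin.php
"""


@dataclass
class Trail:
    header: list[str] = field(default_factory=list)    # copyright/license comment lines
    aliases: list[str] = field(default_factory=list)   # names from the optional Aliases field
    body: list[str] = field(default_factory=list)      # required detection records
    sections: dict[str, list[str]] = field(default_factory=dict)  # optional named sections


def parse_trail(text: str) -> Trail:
    """Split a trail file into header, aliases, body records and optional sections."""
    lines = text.splitlines()
    trail = Trail()
    i = 0
    # Header: the run of '#' comment lines at the very start of the file (required).
    while i < len(lines) and lines[i].startswith("#"):
        trail.header.append(lines[i][1:].strip())
        i += 1
    if not trail.header:
        raise ValueError("trail must start with a #-commented header field")

    section = None  # None: records belong to the body; otherwise the optional section name
    for line in lines[i:]:
        stripped = line.strip()
        if not stripped:
            continue  # empty lines only separate fields
        if stripped.startswith("#"):
            comment = stripped[1:].strip()
            if comment.lower().startswith("aliases:"):  # assumed syntax for the Aliases field
                names = comment[len("aliases:"):].split(",")
                trail.aliases.extend(n.strip() for n in names if n.strip())
            else:
                # Assumption: any other comment after the header names a section (e.g. "# Generic").
                section = comment
                trail.sections.setdefault(section, [])
            continue
        if section is None:
            trail.body.append(stripped)
        else:
            trail.sections[section].append(stripped)

    if not trail.body:
        raise ValueError("trail body is required but contains no records")
    return trail


def is_valid_trail(text: str) -> bool:
    """True when the file satisfies the required-field rules (header first, non-empty body)."""
    try:
        parse_trail(text)
    except ValueError:
        return False
    return True


def classify_record(record: str) -> str:
    """Rough kind of a record: 'url_part', 'ip', 'network' or 'domain' (assumed categories)."""
    if record.startswith("/"):
        return "url_part"
    try:
        net = ipaddress.ip_network(record, strict=False)
    except ValueError:
        return "domain"
    return "ip" if net.num_addresses == 1 else "network"


if __name__ == "__main__":
    trail = parse_trail(SAMPLE_TRAIL)
    print("aliases:", trail.aliases)
    for record in trail.body:
        print(f"body    {classify_record(record):9s} {record}")
    for name, records in trail.sections.items():
        for record in records:
            print(f"{name:8s}{classify_record(record):9s} {record}")
```

Because comment lines are ignored by detection, the section names only organise the file for humans; a detector would simply take every non-comment, non-empty line as a trail, which is what the body and section lists together contain.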

Figure: Optional fields