Maltrail trails structure - stamparm/maltrail GitHub Wiki

This article describes the structure of Maltrail's trails.

Globally, Maltrail keeps two types of trail bases:

  1. baseline, which contains the indicators of compromise (IoCs) of malicious network activity;
  2. auxiliary, which contains additional information that helps to identify suspicious network behaviour.

Maltrail baseline trails

Trails of this type are placed in the /maltrail/trails/ folder by default.

  • custom -- contains all static, user-maintained manual trails that are not included in Maltrail's upstream.
  • feeds -- contains the scripts that fetch and process publicly available (black)lists of malicious and/or generally suspicious trails.
  • static -- contains Maltrail's regularly updated static files with IoCs of malicious network activity.

In turn, all static trails are classified as malicious, malware or suspicious:

Maltrail static trails classification

  • malicious -- contains network IoCs related to script-based attacks, compromised content management systems (CMS), specific frameworks that can be used as part of a larger network attack, control panel connections, etc.
  • malware -- contains network IoCs related to various malware-based attacks: command and control (C&C) connections of stealers, worms, trojans, etc.
  • suspicious -- contains network IoCs related to potentially unwanted applications (PUA), adware, crypto-mining connections, unusual domain connections, etc.

The informational static trails mass_scanner.txt and mass_scanner_cidr.txt do not belong to any of the classes listed above.

  • mass_scanner.txt -- contains IP addresses registered to Internet scanning services.
  • mass_scanner_cidr.txt -- contains classless inter-domain routing (CIDR) IP ranges registered to Internet scanning services.

Maltrail auxiliary trails

Trails of this type are placed in the /maltrail/misc/ folder by default.

  • bogon_ranges.txt -- contains bogon IP ranges, i.e. addresses not assigned to any entity by the Internet Assigned Numbers Authority (IANA) or a Regional Internet Registry (RIR).
  • cdn_ranges.txt -- contains IP ranges of content delivery networks (CDN).
  • ua.txt -- contains patterns used to detect unusual strings in the User-Agent header of HTTP requests.
  • whitelist.txt -- contains whitelisted trails; it helps to avoid false positives.
  • worst_asns.txt -- contains IP ranges of autonomous systems (ASNs) with a bad reputation, based on the amount of malicious activity hosted on the AS.
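To show how the baseline classes, the informational files and the auxiliary whitelist relate at lookup time, here is an added example in Python (not Maltrail's own code). It assumes the one-indicator-per-line, `#`-comment text format of the trail files, CIDR notation in mass_scanner_cidr.txt and bogon_ranges.txt, and an illustrative precedence order (whitelist first, static classes next, informational ranges last); all file contents are constructed samples.

```python
from ipaddress import ip_address, ip_network

# Constructed sample files, keyed by paths relative to the Maltrail root.
SAMPLE_FILES = {
    "trails/static/malware/sample.txt": "# constructed sample (C&C)\n203.0.113.5\nbad.example\n",
    "trails/static/suspicious/sample.txt": "miner.example  # crypto-mining pool\n",
    "trails/static/mass_scanner_cidr.txt": "198.51.100.0/24\n",
    "misc/whitelist.txt": "bad.example\n",  # known false positive, suppressed
    "misc/bogon_ranges.txt": "10.0.0.0/8\n",
}

STATIC_CLASSES = ("malicious", "malware", "suspicious")
INFORMATIONAL = ("trails/static/mass_scanner_cidr.txt", "misc/bogon_ranges.txt")


def parse_trails(text):
    """Return the entries of a trail file: one per line, '#' starts a comment (assumed format)."""
    entries = []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if entry:
            entries.append(entry)
    return entries


def _in_ranges(trail, cidrs):
    """True if trail is an IP address inside any of the given CIDR ranges."""
    try:
        addr = ip_address(trail)
    except ValueError:  # a domain name, not an address
        return False
    return any(addr in ip_network(cidr, strict=False) for cidr in cidrs)


def classify(trail, files=SAMPLE_FILES):
    """Return (verdict, source file) for a domain or IP address.

    Illustrative precedence: the auxiliary whitelist suppresses any match;
    then the static classes decide; mass_scanner/bogon ranges only annotate."""
    if trail in parse_trails(files["misc/whitelist.txt"]):
        return ("whitelisted", "misc/whitelist.txt")
    for path, text in files.items():
        parts = path.split("/")
        if parts[:2] == ["trails", "static"] and parts[2] in STATIC_CLASSES:
            if trail in parse_trails(text):
                return (parts[2], path)
    for path in INFORMATIONAL:
        if _in_ranges(trail, parse_trails(files[path])):
            return ("informational", path)
    return ("clean", None)
```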