# Maltrail trails structure - stamparm/maltrail GitHub Wiki

This article describes the structure of Maltrail trails.
Globally, Maltrail contains two types of trail bases:

- **baseline**, which contain information (IoCs) about malicious network activity;
- **auxiliary**, which contain additional information that helps to identify suspicious network behavior.
## Maltrail baseline trails

This type of trails is placed in the `/maltrail/trails/` folder by default.

- `custom` -- contains all static user-side manual trails that are not included in Maltrail's upstream.
- `feeds` -- contains scripts that manage the use of publicly available (black)lists with malicious and/or generally suspicious trails.
- `static` -- contains Maltrail's regularly updated static files with IoCs of malicious network activity.
In turn, all `static` trails are classified as `malicious`, `malware` and `suspicious`:

- `malicious` -- contains information about network IoCs related to script-based attacks, compromised content management systems (CMS), specific frameworks that can be used as part of a wider network attack, control panel connections, etc.
- `malware` -- contains information about network IoCs related to various malware-based attacks: command and control (C&C) connections for stealers, worms, trojans, etc.
- `suspicious` -- contains information about network IoCs related to potentially unwanted applications (PUA), adware, crypto-mining connections, unusual domain connections, etc.
The informational static trails `mass_scanner.txt` and `mass_scanner_cidr.txt` do not belong to any of the listed classes:

- `mass_scanner.txt` -- contains information about IP addresses registered to Internet scanning services.
- `mass_scanner_cidr.txt` -- contains information about classless inter-domain routing (CIDR) IP ranges registered to Internet scanning services.
## Maltrail auxiliary trails

This type of trails is placed in the `/maltrail/misc/` folder by default.

- `bogon_ranges.txt` -- contains information about bogon IP address ranges, i.e. ranges not assigned to any entity by the Internet Assigned Numbers Authority (IANA) or a Regional Internet Registry (RIR).
- `cdn_ranges.txt` -- contains information about IP ranges of content delivery networks (CDN).
- `ua.txt` -- contains information for detecting unusual strings in the `User-Agent` field of HTTP requests.
- `whitelist.txt` -- contains whitelisted trails; helps to avoid false positives.
- `worst_asns.txt` -- contains information about IP ranges of autonomous system numbers (ASN) that have a bad reputation based on the amount of malicious activity hosted on the AS.
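The layout above, as an added illustration that is not Maltrail's own code: an in-memory stand-in for the tree, a loader that derives each baseline trail's class from its parent folder (with the top-level `mass_scanner*.txt` lists tagged informational), and a lookup that applies the auxiliary whitelist and IP ranges. The one-trail-per-line format with `#` comments, the file names inside the class folders, and the precedence order are assumptions of this example.

```python
import ipaddress

# Constructed stand-in for the tree this page describes; the one-trail-per-line
# format with '#' comments and the per-class file names are assumptions.
FILES = {
    "trails/static/malicious/webshells.txt": "198.51.100.7  # constructed\n",
    "trails/static/malware/stealer_c2.txt": "bad-c2.example\n",
    "trails/static/suspicious/crypto_mining.txt": "miner-pool.example\n",
    "trails/static/mass_scanner.txt": "203.0.113.9\n",
    "misc/whitelist.txt": "miner-pool.example\n",
    "misc/bogon_ranges.txt": "10.0.0.0/8\n240.0.0.0/4\n",
    "misc/cdn_ranges.txt": "192.0.2.0/24\n",
}

def _entries(text):
    # Yield non-empty entries, dropping '#' comments and whitespace.
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if entry:
            yield entry

def build_index(files):
    # Class = parent folder name; files directly under trails/static/ are informational.
    index = {}
    for path, text in files.items():
        if path.startswith("trails/static/"):
            parent = path.split("/")[-2]
            label = "informational" if parent == "static" else parent
            for entry in _entries(text):
                index[entry] = label
    return index

def _in_ranges(trail, text):
    # True if trail is an IP address inside any CIDR listed in text.
    try:
        addr = ipaddress.ip_address(trail)
    except ValueError:  # a domain never matches an IP range
        return False
    return any(addr in ipaddress.ip_network(cidr) for cidr in _entries(text))

def classify(trail, files=FILES):
    # Precedence (assumed for this example): whitelist, baseline class, range hints.
    if trail in set(_entries(files["misc/whitelist.txt"])):
        return "whitelisted"
    index = build_index(files)
    if trail in index:
        return index[trail]
    for kind in ("bogon", "cdn"):
        if _in_ranges(trail, files["misc/%s_ranges.txt" % kind]):
            return kind
    return "clean"
```

The whitelist entry for `miner-pool.example` suppresses the `suspicious` hit it would otherwise produce, which is the false-positive role the page assigns to `whitelist.txt`.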