Miscellaneous - stamparm/maltrail GitHub Wiki

1. Setting up Maltrail as an Intrusion Prevention System (IPS)

Basically, Maltrail is designed as an Intrusion Detection System (IDS). This means, that Maltrail just detects threats only with no further actions on blocking them.

Nevertheless, Maltrail provides a mechanism, which allows it to be used as an Intrusion Prevention System (IPS) too.

In [Server] section of configuration file maltrail.conf user can find option FAIL2BAN_REGEX.

This option contains the regular expression (e.g. attacker|reputation|potential[^"]*(web scan|directory traversal|injection|remote code|iot-malware download|spammer|mass scanner) to be used in /fail2ban web calls for extraction of today's attacker source IPs.

This allows the usage of IP blocking mechanisms (e.g. fail2ban, iptables or ipset) by periodic pulling of blacklisted IP addresses from a remote location.

  • Example (works in Linux systems only):
#!/bin/bash
ipset -q flush maltrail
ipset -q create maltrail hash:net
for ip in $(curl http://127.0.0.1:8338/fail2ban 2>/dev/null | grep -P '^[0-9.]+$'); do ipset add maltrail $ip; done
iptables -I INPUT -m set --match-set maltrail src -j DROP

Save this script as, for example, as /opt/maltrail/maltrail-ips.sh and make it executable by chmod +x /opt/maltrail/maltrail-ips.sh command.

This script could be run as a root cronjob on a minute basis:

  1. Open bash-shell terminal and do sudo crontab -eu root command.
  2. Put * * * * * root /opt/maltrail/maltrail-ips.sh and save current configuration for crontab file.

systemd-way for periodical run of /opt/maltrail/maltrail-ips.sh described here.

2. Setting up centralized Maltrail server log-collector for multi-sensor Maltrail installation

Given: One system with installed Maltrail server and couple of client machines with Maltrail sensor to be run.

  • Maltrail server is installed on a machine with IP 192.168.10.1.
  • Maltrail sensors are on machines with IP 192.168.10.2, 192.168.10.3 and 192.168.10.4 respectively.

Task: To build centralized log collecting from all client machines with Maltrail sensor installed to Maltrail server.

Solution:

  • On server side 192.168.10.1 do:
  1. In [Server] section of /maltrail.conf configuration file activate option UDP_PORT 8337 by removing commenting sign # and set default #UDP_ADDRESS 0.0.0.0 parameter to UDP_ADDRESS 192.168.10.1.
  2. Save changes in /maltrail.conf configuration file and (re-)run Maltrail server with python server.py command.
  • On client side 192.168.10.2, 192.168.10.3 and 192.168.10.4 do:
  1. In [Sensor] section of /maltrail.conf configuration file activate LOG_SERVER 192.168.10.1:8337 option.
  2. Save changes in /maltrail.conf configuration file and (re-)run Maltrail sensor with python sensor.py command on each machine.

Note: Please, be aware, that only one line of respective parameter works. Two and more lines of the same parameter won't work:

3. Offline analysis of .pcap files

Maltrail has a fuctionality of analysis of .pcap files via sensor component.

What is .pcap file itself?

.pcap file is a data file created using the software and it contains the packet data of a network (traffic, status). And this means data of any .pcap file could be checked for possible presence of malicious network traffic trails.

Maltrail sensor component has special commandline parameter -r, that allows to specify the path to target .pcap file, that should be checked forpossible presence of malicious trails.

For demostration purposes let's take a .pcap file, which wittingly contains Remcos RAT signs: https://www.malware-traffic-analysis.net/2017/12/22/index.html

To get results of checking Maltrail is able to output them in web-GUI and/or terminal console.

  • Sensor web-GUI output

a) Run sudo python3 sensor.py --offline -r /home/k_mikhail/2017-12-22-malspam-pushing-RemcosRAT.pcap

Web-GUI output for pcap file analisys

As one can see, Maltrail successfully has found Remcos RAT control centre connections by its IP:port combination and dynamic DNS domain (remcos (malware) verdict) and some other domains, that distribute malware (perhaps, not only Remcos RAT. That's the reason of having generic (malware) verdict for them).

  • Sensor terminal console output

b) Run sudo python3 sensor.py --offline --console -r /home/k_mikhail/2017-12-22-malspam-pushing-RemcosRAT.pcap

Terminal console output for pcap file analisys

As one can see, Maltrail also successfully has found all malicious signs mentioned above and put respective information to terminal console.

Note: Details of CLI parameters used in this article are described in CLI-management-for-Maltrail Wiki-chapter.

  • Resume

All considered variants of displaying results of .pcap file are workable and could be applied for reditecting to external tools for futher parsing, analysis and storaging.