MalTrail

Detailed Description of Maltrail: A Malicious Traffic Detection System

---

Introduction

Maltrail is a sophisticated malicious traffic detection system designed to identify and monitor suspicious network activities by leveraging publicly available blacklists, static threat lists from antivirus reports, and custom user-defined trails. These trails can include domain names (e.g., zvpprsensinaix.com), URLs (e.g., hXXp://109.162.38.120/harsh02.exe), IP addresses (e.g., 185.130.5.231), and HTTP User-Agent headers (e.g., sqlmap). The system also employs optional heuristic mechanisms to detect emerging threats, such as new malware variants.

Maltrail integrates multiple threat intelligence feeds, including:

• Dynamic blacklists like abuseipdb, alienvault, malc0de, and urlhaus.
• Static threat lists, manually curated from antivirus reports (e.g., malware command-and-control servers, sinkholes).
• Custom user-defined trails for specialized monitoring needs.

The system is built on a modular architecture that separates traffic capture (Sensor), data processing (Server), and reporting (Client).

---

Architecture

Maltrail follows a Traffic → Sensor → Server ↔ Client workflow:

1. Sensor Component:

• Runs as a standalone process on monitoring nodes (e.g., Linux systems connected via SPAN/mirroring ports or inline bridges).
• Monitors network traffic for blacklisted items (domains, URLs, IPs) using pcapy-ng.
• Logs detected events to either a local directory (LOG_DIR) or remotely via UDP to a central server.
• Supports multiprocessing for high-performance packet capture and processing.

1. Server Component:

• Stores event logs in CSV format (e.g., time sensor src_ip dst_ip trail_type trail info reference).
• Provides backend support for the reporting web interface.
• Default configuration runs on the same machine as the Sensor, but can be deployed separately.

1. Client Component (Front-End):

• Uses a "Fat Client" architecture to compress and process data locally in the browser.
• Displays condensed reports with interactive visualizations (timelines, charts) for easy analysis.

Sensor ↔ Server ↔ Client Architecture

Key Features:

• Real-time monitoring: Detects malicious traffic in real time.
• Scalability: Supports multiple sensors and servers via UDP communication.
• Flexible logging: Logs can be stored locally or sent to external systems (e.g., Syslog, Logstash).

---

Requirements

To run Maltrail, the following prerequisites are necessary:

1. Python Environment:

• Python 2.6/2.7/3.x on Linux/BSD.
• Install pcapy-ng (not the deprecated pcapy) via: bash pip3 install pcapy-ng

1. Sensor Requirements:

• Minimum 1GB RAM for single-process mode; more for multiprocessing.
• Administrative privileges for packet capture.

1. Server Requirements:

• No special requirements beyond Python and basic networking tools.

---

Quick Start

Ubuntu/Debian Installation

sudo apt-get install git python3 python3-dev python3-pip python-is-python3 libpcap-dev build-essential procps schedtool
pip3 install pcapy-ng
git clone --depth 1 https://github.com/stamparm/maltrail.git
cd maltrail
sudo python3 sensor.py

SUSE/OpenSUSE Installation

sudo zypper install gcc gcc-c++ git libpcap-devel python3-devel python3-pip procps schedtool
pip3 install pcapy-ng
git clone --depth 1 https://github.com/stamparm/maltrail.git
cd maltrail
sudo python3 sensor.py

Enable Promiscuous Mode:

for dev in $(ifconfig | grep mtu | grep -Eo '^\w+'); do ifconfig $dev promisc; done

Optional Server Setup

Run the server on the same machine:

python server.py

Or via Docker (server only):

docker run -d --name maltrail --restart=unless-stopped \
  -p 8338:8338/tcp -p 8337:8337/udp \
  ghcr.io/stamparm/maltrail:latest

---

Administrator’s Guide

Sensor Configuration (maltrail.conf)

Key options include:

• USE_MULTIPROCESSING: Enables CPU affinity for packet capture.
• UPDATE_PERIOD: Sets automatic trail updates (default: 86400 seconds/day).
• CUSTOM_TRAILS_DIR: Path to custom .txt files.
• USE_HEURISTICS: Activates heuristic detection (e.g., suspicious domain lengths).
• CAPTURE_BUFFER: Memory allocation for packet capture in multiprocessing mode.

Example snippet:

[Sensor]
MONITOR_INTERFACE = any
CAPTURE_FILTER = port 22 or port 80
USE_HEURISTICS = true
LOG_SERVER = 192.168.1.10:5000

Server Configuration (maltrail.conf)

• HTTP_ADDRESS: Web server listening address (default: 0.0.0.0).
• UDP_PORT: Log collection port.
• BLACKLIST: Regular expressions for IP filtering.

Example snippet:

[Server]
HTTP_PORT = 8338
USE_SSL = false
USERS = admin:changeme!@100,guest:guest@200

---

User’s Guide

Reporting Interface

Access the dashboard at http://127.0.0.1:8338 with default credentials (admin:changeme!).

Key Features:

• Timeline: Filter events by date (4-month view).
• Summary Widgets:
• Events: Count of IP/DNS/URL-based threats.
• Sources: Stacked bar chart for top IPs.
• Threats/Pie Chart: Malware distribution.
• Trails/Pie Chart: Suspicious domains/IPs.

Dashboard Overview

Event Details:

• Each row shows a unique threat (e.g., src_ip, dst_ip, trail).
• Hover over IPs to see reverse DNS/WHOIS info.
• Click the bubble icon for expanded details:

  {"timestamp": "2023-10-05T14:30:00", ...}

---

Real-Life Cases

Mass Scans

Maltrail detects large-scale scans (e.g., Shodan/ZoomEye) targeting specific ports: Example: Port 22 brute-force scan

Anonymous Attackers (Tor Network)

Detects Tor exit node usage for suspicious traffic:

Malware Threats

• C&C Connections: Detects infected hosts contacting malware C&Cs.
• DGA Domains: Identifies dynamically generated domains (e.g., necurs).

Suspicious HTTP Requests

Detects SQL injection attempts: Example: com_contenthistory exploit

---

Heuristic Detection & False Positives

Maltrail’s heuristics flag suspicious patterns (e.g., long domain names, excessive DNS queries). However, false positives may occur:

• False Positive Example: A legitimate Google server misclassified as an attacker.

---

Best Practices

1. Installation:

   sudo apt-get install git python3 python3-dev pcapy-ng
   cd /tmp; git clone https://github.com/stamparm/maltrail.git
   sudo mv maltrail /opt && chown -R $USER:$USER /opt/maltrail

2. Automation: Use crontab for periodic updates:

   */5 * * * * if ! ps aux | grep sensor.py; then python3 /opt/maltrail/sensor.py; fi
   0 1 * * * cd /opt/maltrail && git pull

3. Systemd Integration: Enable services for automatic startup:

   sudo cp maltrail-sensor.service /etc/systemd/system/
   sudo systemctl enable maltrail-server maltrail-sensor

---

Conclusion

Maltrail is a powerful tool for network security teams, offering real-time threat detection via blacklists and heuristics. Its modular design allows customization for specific environments while providing actionable insights through its reporting interface.

---

License: MIT (Open-source). Support: Available on GitHub (@maltrail) and community forums. Extensions: Integrations with Splunk, Wazuh, and OPNSense.