Wednesday, December 25, 2024
Google search engine
HomeSecurity & TestingSetup Maltrail Malicious Traffic Detection System on Linux

Setup Maltrail Malicious Traffic Detection System on Linux

.tdi_3.td-a-rec{text-align:center}.tdi_3 .td-element-style{z-index:-1}.tdi_3.td-a-rec-img{text-align:left}.tdi_3.td-a-rec-img img{margin:0 auto 0 0}@media(max-width:767px){.tdi_3.td-a-rec-img{text-align:center}}

Maltrail is a malicious traffic detection system, utilizing publicly available (black)lists containing malicious and/or generally suspicious trails, along with static trails compiled from various AV reports and custom user-defined lists, where the trail can be anything from a domain name (e.g. zvpprsensinaix.com for Banjori malware), URL (e.g. hXXp://109.162.38.120/harsh02.exe for known malicious executable), IP address (e.g. 185.130.5.231 for a known attacker) or HTTP User-Agent header value (e.g. sqlmap for automatic SQL injection and database takeover tool). Source (Maltrail GitHub Page)

Nevertheless, Maltrail uses (optional) advanced heuristic mechanisms that can help in the discovery of unknown threats.

Maltrail is based on the Traffic -> Sensor <-> Server <-> Client architecture. Sensor(s) is a standalone component running on the monitoring node or at the standalone machine (e.g. Honeypot) where it “monitors” the passing Traffic for blacklisted items/trails (i.e. domain names, URLs and/or IPs) Source (Maltrail GitHub Page). More about Maltrail can be found at Maltrail GitHub Page.

.tdi_2.td-a-rec{text-align:center}.tdi_2 .td-element-style{z-index:-1}.tdi_2.td-a-rec-img{text-align:left}.tdi_2.td-a-rec-img img{margin:0 auto 0 0}@media(max-width:767px){.tdi_2.td-a-rec-img{text-align:center}}

This installation is done on Debian 10 (Buster) Linux system. So let’s install Maltrail Malicious Traffic Detection System on Debian 10 (Buster) Linux.

Step 1: Update and upgrade your server

Updating and upgrading your server ensures that we start at a point where all the latest software is on our server. Issue the command below.

sudo apt update && sudo apt update

Step 2: Install Maltrail Sensor and schedtool

Sensor(s) is a standalone component running on the monitoring node or at the standalone machine where it “monitors” the passing Traffic for blacklisted items/trails. Install it by running the commands below.

Install ‘schedtool‘ for better CPU scheduling

schedtool assists in better CPU scheduling

sudo apt-get install schedtool

The following will install git and python-pcapy, pull the files from Maltrail GitHub page then install it.

sudo apt-get install git python-pcapy -y
git clone https://github.com/stamparm/maltrail.git
cd maltrail
sudo python sensor.py &

After the last command, you should see something like below as it downloads and updates the Maltrail lists related to Malicious traffic.

Cloning git files

maltrail git clone

Downloading and updating the Maltrail lists related to Malicious traffic

maltrail python sensorpy

Step 3: Start Server on the same machine (optional)

The Server‘s primary role is to store the event details and provide back-end support for the reporting web application. In the default configuration, the server and sensor will run on the same machine. To start the server on the same machine, run the commands below.

[[ -d maltrail ]] || git clone https://github.com/stamparm/maltrail.git
cd maltrail
python server.py &
maltrail python sensorpy server

You can access its web user interface by typing http://<ip or FQDN>:8338. The default credentials are Username: admin Password: changeme!

maltrail dashboard

Step 4: Fine-tune Sensor and Server configurations

For those who would wish to fine-tune their server and sensor configurations, there is a file for you to do just that. Simply dive into the directory that you cloned maltrail into and look for “maltrail.conf

sudo vim /home/tech/maltrail/maltrail.conf

Inside the file, you will find various categories inside square brackets. For the server, look for #[Server] and for the sensor settings, look for #[Sensor] category. As an example, let us change the default IP you would wish the Server to listen from.

#[Server]

#Listen address of (reporting) HTTP server
 HTTP_ADDRESS 172.17.196.57
#HTTP_ADDRESS ::
#HTTP_ADDRESS fe80::12c3:7bff:fe6d:cf9b%eno1

#Listen port of (reporting) HTTP server
 HTTP_PORT 8338
#Use SSL/TLS
 USE_SSL false
#SSL/TLS (private/cert) PEM file (e.g. openssl req -new -x509 -keyout server.pem -out server.pem -days 1023 -nodes)
#SSL_PEM misc/server.pem

#User entries (username:sha256(password):UID:filter_netmask(s))
#Note(s): sha256(password) can be generated on Linux with: echo -n 'password' | sha256sum | cut -d " " -f 1
#UID >= 1000 have only rights to display results (Note: this moment only functionality implemented at the client side)
#filter_netmask(s) is/are used to filter results
 USERS
     admin:9ab3cd9d67bf49d01f6a2e33d0bd9bc804ddbe6ce1ff5d219c42624851db5dbc:0:                        # changeme!      
 #local:9ab3cd9d67bf49d01f6a2e33d0bd9bc804ddbe6ce1ff5d219c42624851db5dbc:1000:192.168.0.0/16       # changeme!

To change the default password, look for “USERS”. Under it, you will notice admin and a long string that represents the password. To create a new password, use the command below. It should produce a string similar to the one we saw in the file. Before it, you can place any username. At the end of the password, do not forget to add parameters(:0:).

$ echo -n 'StrongPassword' | sha256sum | cut -d " " -f 1

05a181f00c157f70413d33701778a6ee7d2747ac18b9c0fbb8bd71a62dd7a223

The string produced represents StrongPassword as the password

Open the same file and edit it to set the new credentials

$ sudo vim /home/tech/maltrail/maltrail.conf
#[Server]

#Listen address of (reporting) HTTP server
 HTTP_ADDRESS 172.17.196.57
#HTTP_ADDRESS ::
#HTTP_ADDRESS fe80::12c3:7bff:fe6d:cf9b%eno1

#Listen port of (reporting) HTTP server
 HTTP_PORT 8338

#Use SSL/TLS
 USE_SSL false
#SSL/TLS (private/cert) PEM file (e.g. openssl req -new -x509 -keyout server.pem -out server.pem -days 1023 -nodes)
#SSL_PEM misc/server.pem

#User entries (username:sha256(password):UID:filter_netmask(s))
#Note(s): sha256(password) can be generated on Linux with: echo -n 'password' | sha256sum | cut -d " " -f 1
#UID >= 1000 have only rights to display results (Note: this moment only functionality implemented at the client side)
#filter_netmask(s) is/are used to filter results
#filter_netmask(s) is/are used to filter results
 USERS
#admin:9ab3cd9d67bf49d01f6a2e33d0bd9bc804ddbe6ce1ff5d219c42624851db5dbc:0:                        # changeme!
#local:9ab3cd9d67bf49d01f6a2e33d0bd9bc804ddbe6ce1ff5d219c42624851db5dbc:1000:192.168.0.0/16       # changeme!
 Admin:05a181f00c157f70413d33701778a6ee7d2747ac18b9c0fbb8bd71a62dd7a223:0:  ## New credentials

After you’ve made those changes, start and stop maltrail.

cd /home/tech/maltrail
pkill -f server.py
python server.py &

Step 5: Test that everything is up and running

To test that everything is up and running execute the following:

ping -c 1 136.161.101.53
cat /var/log/maltrail/$(date +"%Y-%m-%d").log

Also, to test the capturing of DNS traffic you can try the following:

nslookup morphed.ru
cat /var/log/maltrail/$(date +"%Y-%m-%d").log

To see the requests made on the web interface, simply refresh that page and you should get something similar to the one illustrated below.

maltrail test web interface

Conclusion

Maltrail is a wonderful tool that can really boost your network monitoring and keep your infrastructure safe at all times. Even though 100 percent security is not guaranteed, mitigation is always wise. Take a look at the tool and test it if it befits your needs. Otherwise, we would wish to thank you for visiting and staying through to the end.

You can take a look at other guides in the blog, some of which are shared below.

.tdi_4.td-a-rec{text-align:center}.tdi_4 .td-element-style{z-index:-1}.tdi_4.td-a-rec-img{text-align:left}.tdi_4.td-a-rec-img img{margin:0 auto 0 0}@media(max-width:767px){.tdi_4.td-a-rec-img{text-align:center}}

RELATED ARTICLES

Most Popular

Recent Comments