# [Server] # Listen address of (reporting) HTTP server HTTP_ADDRESS 0.0.0.0 #HTTP_ADDRESS :: #HTTP_ADDRESS fe80::12c3:7bff:fe6d:cf9b%eno1 # Listen port of (reporting) HTTP server HTTP_PORT 8338 # Use SSL/TLS USE_SSL false # SSL/TLS (private/cert) PEM file (e.g. openssl req -new -x509 -keyout server.pem -out server.pem -days 1023 -nodes) #SSL_PEM misc/server.pem # User entries (username:sha256(password):UID:filter_netmask(s)) # Note(s): sha256(password) can be generated on Linux with: echo -n 'password' | sha256sum | cut -d " " -f 1 # UID >= 1000 have only rights to display results (Note: this moment only functionality implemented at the client side) # filter_netmask(s) is/are used to filter results USERS admin:9ab3cd9d67bf49d01f6a2e33d0bd9bc804ddbe6ce1ff5d219c42624851db5dbc:0: # changeme! # local:9ab3cd9d67bf49d01f6a2e33d0bd9bc804ddbe6ce1ff5d219c42624851db5dbc:1000:192.168.0.0/16 # changeme! # Mask custom trail names for non-admin users (UID >= 1000) ENABLE_MASK_CUSTOM true # Listen address of (log collecting) UDP server #UDP_ADDRESS 0.0.0.0 #UDP_ADDRESS :: #UDP_ADDRESS fe80::12c3:7bff:fe6d:cf9b%eno1 # Listen port of (log collecting) UDP server #UDP_PORT 8337 # Should server do the trail updates too (to support UPDATE_SERVER directive in [Sensor] parameters) USE_SERVER_UPDATE_TRAILS false # Aliases used in client's web browser interface to describe the src_ip and/or dst_ip column entries #IP_ALIASES # 8.8.8.8:google # 8.8.4.4:google # Option to change the top-left logo with a custom image/text #HEADER_LOGO XYZ # Regular expression to be used in external /fail2ban calls for extraction of attacker source IPs FAIL2BAN_REGEX attacker|reputation|potential[^"]*(web scan|directory traversal|injection|remote code|iot-malware download)|spammer|mass scanner # Blacklist generation rules # BLACKLIST # src_ip !~ ^192.168. and dst_port ~ ^22$ # src_ip ~ ^192.168. and filter ~ malware # [Sensor] # Number of processes PROCESS_COUNT 1 # Disable setting of CPU affinity (with schedtool) on Linux machines (e.g. because of load issues with other processes) DISABLE_CPU_AFFINITY false # Use feeds (too) in trail updates USE_FEED_UPDATES true # Disable (retrieval from) specified feeds (Note: respective .py files inside /trails/feeds; turris and ciarmy/cinsscore seem to be too "noisy" lately; policeman is old and produces lots of false positives) DISABLED_FEEDS turris, ciarmy, policeman, myip, alienvault # Ignore IPs that appear on lower than IP_MINIMUM_FEEDS number of feeds (Note: static IP trails are always included) IP_MINIMUM_FEEDS 3 # Disable trails based on the following regular expression run against the corresponding info #DISABLED_TRAILS_INFO_REGEX known attacker|tor exit node # Update trails after every given period (seconds) UPDATE_PERIOD 86400 # Use remote custom feed (too) in trail updates #CUSTOM_TRAILS_URL http://www.test.com/custom.txt # Location of directory with custom trails (*.txt) files CUSTOM_TRAILS_DIR ./trails/custom # (Max.) size of multiprocessing network capture ring buffer (in bytes or percentage of total physical memory) used by sensor (e.g. 512MB) CAPTURE_BUFFER 10% # Interface used for monitoring (e.g. eth0, eth1) MONITOR_INTERFACE any # Network capture filter (e.g. ip) # Note(s): more info about filters can be found at: https://danielmiessler.com/study/tcpdump/ #CAPTURE_FILTER ip or ip6 CAPTURE_FILTER udp or icmp or (tcp and (tcp[tcpflags] == tcp-syn or port 80 or port 1080 or port 3128 or port 8000 or port 8080 or port 8118)) # Sensor name to appear in produced logs SENSOR_NAME $HOSTNAME # Remote Maltrail server instance to send log entries (Note: listening at :) #LOG_SERVER 192.168.2.107:8337 #LOG_SERVER [fe80::12c3:7bff:fe6d:cf9b%eno1]:8337 # Remote address to send Syslog events #SYSLOG_SERVER 192.168.2.107:514 # Remote address to send JSON events (e.g. Logstash) #LOGSTASH_SERVER 192.168.2.107:5000 # Regular expression used for calculating severity attribute when sending events to SYSLOG_SERVER or LOGSTASH_SERVER REMOTE_SEVERITY_REGEX (?P(remote )?custom\)|malwaredomainlist|iot-malware|malware(?! (distribution|site))|adversary|ransomware)|(?Ppotential malware site|malware distribution)|(?Pmass scanner|reputation|attacker|spammer|compromised|crawler|scanning) # Set only (!) in cases when LOG_SERVER should be exclusively used for log storage DISABLE_LOCAL_LOG_STORAGE false # Remote address for pulling (latest) trail definitions (e.g. http://192.168.2.107:8338/trails). USE_SERVER_UPDATE_TRAILS directive should be active in [Server] parameters. #UPDATE_SERVER http://192.168.2.107:8338/trails # Use heuristic methods USE_HEURISTICS true # Capture HTTP requests with missing Host header (introducing potential false positives) CHECK_MISSING_HOST false # Check values in Host header (along with standard non-HTTP checks) for malicious DNS trails (introducing greater number of events) CHECK_HOST_DOMAINS false # Location of file with whitelisted entries (i.e. IP addresses, domain names, etc.) (note: take a look into 'misc/whitelist.txt') #USER_WHITELIST # Location of file with ignore event rules. Example under misc/ignore_events.txt #USER_IGNORELIST misc/ignore_events.txt # Regular expression to be used against the whole event entry to be ignored #IGNORE_EVENTS_REGEX sql injection|long domain|117.21.225.3|sinkhole # [All] # Show debug messages (in console output) SHOW_DEBUG false # Directory used for log storage LOG_DIR $SYSTEM_LOG_DIR/maltrail # HTTP(s) proxy address #PROXY_ADDRESS http://192.168.5.101:8118 # Disable checking of sudo/Administrator privileges (e.g. if using: setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip' /bin/python) #DISABLE_CHECK_SUDO true # Override default location for trail storage (~/.maltrail/trails.csv) #TRAILS_FILE /etc/maltrail.csv