forked from stamparm/maltrail
-
Notifications
You must be signed in to change notification settings - Fork 0
/
maltrail.conf
145 lines (101 loc) · 5.71 KB
/
maltrail.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
# [Server]
# Listen address of (reporting) HTTP server
HTTP_ADDRESS 0.0.0.0
#HTTP_ADDRESS ::
#HTTP_ADDRESS fe80::12c3:7bff:fe6d:cf9b%eno1
# Listen port of (reporting) HTTP server
HTTP_PORT 8338
# Use SSL/TLS
USE_SSL false
# SSL/TLS (private/cert) PEM file (e.g. openssl req -new -x509 -keyout server.pem -out server.pem -days 1023 -nodes)
#SSL_PEM misc/server.pem
# User entries (username:sha256(password):UID:filter_netmask(s))
# Note(s): sha256(password) can be generated on Linux with: echo -n 'password' | sha256sum | cut -d " " -f 1
# UID >= 1000 have only rights to display results (Note: this moment only functionality implemented at the client side)
# filter_netmask(s) is/are used to filter results
USERS
admin:9ab3cd9d67bf49d01f6a2e33d0bd9bc804ddbe6ce1ff5d219c42624851db5dbc:0: # changeme!
# local:9ab3cd9d67bf49d01f6a2e33d0bd9bc804ddbe6ce1ff5d219c42624851db5dbc:1000:192.168.0.0/16 # changeme!
# Mask custom trail names for non-admin users (UID >= 1000)
ENABLE_MASK_CUSTOM true
# Listen address of (log collecting) UDP server
#UDP_ADDRESS 0.0.0.0
#UDP_ADDRESS ::
#UDP_ADDRESS fe80::12c3:7bff:fe6d:cf9b%eno1
# Listen port of (log collecting) UDP server
#UDP_PORT 8337
# Should server do the trail updates too (to support UPDATE_SERVER directive in [Sensor] parameters)
USE_SERVER_UPDATE_TRAILS false
# Aliases used in client's web browser interface to describe the src_ip and/or dst_ip column entries
#IP_ALIASES
# 8.8.8.8:google
# 8.8.4.4:google
# Option to change the top-left logo with a custom image/text
#HEADER_LOGO <img src="https://i.imgur.com/JxYJ5yX.png" style="width: 26px"> XYZ
# Regular expression to be used in external /fail2ban calls for extraction of attacker source IPs
FAIL2BAN_REGEX attacker|reputation|potential[^"]*(web scan|directory traversal|injection|remote code|iot-malware download)|spammer|mass scanner
# [Sensor]
# Number of processes
PROCESS_COUNT 1
# Disable setting of CPU affinity (with schedtool) on Linux machines (e.g. because of load issues with other processes)
DISABLE_CPU_AFFINITY false
# Use feeds (too) in trail updates
USE_FEED_UPDATES true
# Disable (retrieval from) specified feeds (Note: respective .py files inside /trails/feeds; turris and ciarmy/cinsscore seem to be too "noisy" lately; policeman is old and produces lots of false positives)
DISABLED_FEEDS turris, ciarmy, policeman, myip, alienvault
# Ignore IPs that appear on lower than IP_MINIMUM_FEEDS number of feeds (Note: static IP trails are always included)
IP_MINIMUM_FEEDS 3
# Disable trails based on the following regular expression run against the corresponding info
#DISABLED_TRAILS_INFO_REGEX known attacker|tor exit node
# Update trails after every given period (seconds)
UPDATE_PERIOD 86400
# Use remote custom feed (too) in trail updates
#CUSTOM_TRAILS_URL http://www.test.com/custom.txt
# Location of directory with custom trails (*.txt) files
CUSTOM_TRAILS_DIR ./trails/custom
# (Max.) size of multiprocessing network capture ring buffer (in bytes or percentage of total physical memory) used by sensor (e.g. 512MB)
CAPTURE_BUFFER 10%
# Interface used for monitoring (e.g. eth0, eth1)
MONITOR_INTERFACE any
# Network capture filter (e.g. ip)
# Note(s): more info about filters can be found at: https://danielmiessler.com/study/tcpdump/
#CAPTURE_FILTER ip or ip6
CAPTURE_FILTER udp or icmp or (tcp and (tcp[tcpflags] == tcp-syn or port 80 or port 1080 or port 3128 or port 8000 or port 8080 or port 8118))
# Sensor name to appear in produced logs
SENSOR_NAME $HOSTNAME
# Remote Maltrail server instance to send log entries (Note: listening at <UDP_ADDRESS>:<UDP_PORT>)
#LOG_SERVER 192.168.2.107:8337
#LOG_SERVER [fe80::12c3:7bff:fe6d:cf9b%eno1]:8337
# Remote address to send Syslog events
#SYSLOG_SERVER 192.168.2.107:514
# Remote address to send JSON events (e.g. Logstash)
#LOGSTASH_SERVER 192.168.2.107:5000
# Regular expression used for calculating severity attribute when sending events to SYSLOG_SERVER or LOGSTASH_SERVER
REMOTE_SEVERITY_REGEX (?P<high>(remote )?custom\)|malwaredomainlist|iot-malware|malware(?! (distribution|site))|adversary|ransomware)|(?P<medium>potential malware site|malware distribution)|(?P<low>mass scanner|reputation|attacker|spammer|compromised|crawler|scanning)
# Set only (!) in cases when LOG_SERVER should be exclusively used for log storage
DISABLE_LOCAL_LOG_STORAGE false
# Remote address for pulling (latest) trail definitions (e.g. http://192.168.2.107:8338/trails). USE_SERVER_UPDATE_TRAILS directive should be active in [Server] parameters.
#UPDATE_SERVER http://192.168.2.107:8338/trails
# Use heuristic methods
USE_HEURISTICS true
# Capture HTTP requests with missing Host header (introducing potential false positives)
CHECK_MISSING_HOST false
# Check values in Host header (along with standard non-HTTP checks) for malicious DNS trails (introducing greater number of events)
CHECK_HOST_DOMAINS false
# Location of file with whitelisted entries (i.e. IP addresses, domain names, etc.) (note: take a look into 'misc/whitelist.txt')
#USER_WHITELIST
# Location of file with ignore event rules. Example under misc/ignore_events.txt
#USER_IGNORELIST misc/ignore_events.txt
# Regular expression to be used against the whole event entry to be ignored
#IGNORE_EVENTS_REGEX sql injection|long domain|117.21.225.3|sinkhole
# [All]
# Show debug messages (in console output)
SHOW_DEBUG false
# Directory used for log storage
LOG_DIR $SYSTEM_LOG_DIR/maltrail
# HTTP(s) proxy address
#PROXY_ADDRESS http://192.168.5.101:8118
# Disable checking of sudo/Administrator privileges (e.g. if using: setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip' /bin/python)
#DISABLE_CHECK_SUDO true
# Override default location for trail storage (~/.maltrail/trails.csv)
#TRAILS_FILE /etc/maltrail.csv