# maltrail.conf - settings for the maltrail server (reporting/log collecting) and sensor (capture) components
# Note(s): this file is read by maltrail's own configuration loader, not by a generic INI parser:
#          a key and its value are separated by a space (no '=' delimiter), '#' starts a comment,
#          and the "[Server]" / "[Sensor]" / "[All]" markers below are comments that only group the
#          settings by the component that uses them
#          $-prefixed values (e.g. $CPU_CORES, $HOSTNAME, $SYSTEM_LOG_DIR) appear to be placeholders
#          substituted by maltrail at load time - confirm against the configuration loader
# [Server]
# Listen address of the (reporting) HTTP server
# Note(s): 0.0.0.0 binds every IPv4 interface; use 127.0.0.1 (or one specific address) to keep the
#          reporting interface off untrusted networks, or place it behind a TLS-terminating reverse proxy
HTTP_ADDRESS 0.0.0.0
#HTTP_ADDRESS ::
#HTTP_ADDRESS fe80::12c3:7bff:fe6d:cf9b%eno1
# Listen port of the (reporting) HTTP server
HTTP_PORT 8338
# Use SSL/TLS
# Note(s): with false the web interface (including its login) is served over plaintext HTTP, so the
#          credentials and the results are readable on the wire wherever the port is reachable beyond localhost
USE_SSL false
# SSL/TLS (private/cert) PEM file (e.g. openssl req -new -x509 -keyout server.pem -out server.pem -days 1023 -nodes)
# Note(s): the example command writes a self-signed certificate and its private key into one PEM file;
#          -nodes leaves that private key unencrypted, so keep the file readable only by the maltrail user
#SSL_PEM misc/server.pem
# User entries (username:sha256(password):UID:filter_netmask(s))
# Note(s): sha256(password) can be generated on Linux with: echo -n 'password' | sha256sum | cut -d " " -f 1
#          the stored value is an unsalted SHA-256 of the bare password, so a short or common password is
#          easily recovered from the hash - use a long, unique passphrase and keep this file readable only
#          by the maltrail user (it holds the hashes of every account)
# UID >= 1000 have only rights to display results (Note: at this moment this restriction is implemented only
#          on the client side, so treat it as a display convenience rather than a server-enforced access control)
# filter_netmask(s) is/are used to filter results (an empty field applies no netmask filter)
# Note(s): the admin entry below still carries the publicly known default hash from the upstream file (see the
#          'changeme!' marker), UID 0 and an empty filter_netmask(s) field - replace it before exposing the server
USERS
admin:9ab3cd9d67bf49d01f6a2e33d0bd9bc804ddbe6ce1ff5d219c42624851db5dbc:0: # changeme!
# local:9ab3cd9d67bf49d01f6a2e33d0bd9bc804ddbe6ce1ff5d219c42624851db5dbc:1000:192.168.0.0/16 # changeme!
# Listen address of the (log collecting) UDP server
# Note(s): entries received here end up in the stored logs; when enabled, keep the address/port reachable
#          only from the sensor hosts (e.g. with firewall rules)
#UDP_ADDRESS 0.0.0.0
#UDP_ADDRESS ::
#UDP_ADDRESS fe80::12c3:7bff:fe6d:cf9b%eno1
# Listen port of the (log collecting) UDP server
#UDP_PORT 8337
# Should the server do the trail updates too (required for sensors that point their UPDATE_SERVER at this server)
USE_SERVER_UPDATE_TRAILS false
# Aliases used in the client's web browser interface to describe the src_ip and/or dst_ip column entries
# (one "ip:alias" entry per line below the key)
#IP_ALIASES
# 8.8.8.8:google
# 8.8.4.4:google
# [Sensor]
# Number of (capture) processes ($CPU_CORES presumably expands to the number of CPU cores on the host)
PROCESS_COUNT $CPU_CORES
# Disable setting of CPU affinity (with schedtool) on Linux machines (e.g. because of load issues with other processes)
DISABLE_CPU_AFFINITY false
# Use feeds (too) in trail updates
USE_FEED_UPDATES true
# Disable (retrieval from) the specified feeds, given as a comma-separated list of feed names
# (Note: names match the respective .py files inside /trails/feeds; turris and ciarmy/cinsscore seem to be too "noisy" lately; policeman is old and produces lots of false positives)
DISABLED_FEEDS turris, ciarmy, policeman, myip
# Disable trails based on the following regular expression run against the corresponding info
#DISABLED_TRAILS_INFO_REGEX known attacker|tor exit node
# Update trails after every given period (seconds; 86400 = once a day)
UPDATE_PERIOD 86400
# Use remote custom feed (too) in trail updates
# Note(s): a feed fetched over plain http can be altered in transit and would then feed tampered trails
#          into detection - prefer an https URL where one is available
#CUSTOM_TRAILS_URL http://www.test.com/custom.txt
# Location of directory with custom trails (*.txt) files
CUSTOM_TRAILS_DIR ./trails/custom
# (Max.) size of multiprocessing network capture ring buffer (in bytes or percentage of total physical memory) used by sensor (e.g. 512MB)
CAPTURE_BUFFER 10%
# Interface used for monitoring (e.g. eth0, eth1)
MONITOR_INTERFACE any
# Network capture filter in tcpdump/BPF syntax (e.g. ip)
# Note(s): more info about filters can be found at: https://danielmiessler.com/study/tcpdump/
#          the active filter below passes all UDP and ICMP, TCP SYN packets on any port, and full TCP streams
#          only on the listed web/proxy ports - TCP traffic on other ports is not inspected beyond the handshake
#CAPTURE_FILTER ip or ip6
CAPTURE_FILTER udp or icmp or (tcp and (tcp[tcpflags] == tcp-syn or port 80 or port 1080 or port 3128 or port 8000 or port 8080 or port 8118))
# Sensor name to appear in produced logs
SENSOR_NAME $HOSTNAME
# Remote address to send log entries to (host:port of the collecting server's UDP_ADDRESS/UDP_PORT, 8337 by default above)
#LOG_SERVER 192.168.2.107:8337
#LOG_SERVER [fe80::12c3:7bff:fe6d:cf9b%eno1]:8337
# Remote address to send syslog entries to
#SYSLOG_SERVER 192.168.2.107:514
# Use only (!) in cases when LOG_SERVER is configured and should be used for log storage
DISABLE_LOCAL_LOG_STORAGE false
# Remote address for pulling (latest) trail definitions (e.g. http://192.168.2.107:8338/trails)
# Note(s): the server side must have USE_SERVER_UPDATE_TRAILS set to true; the same transit-tampering
#          caveat as for CUSTOM_TRAILS_URL applies when the address is plain http
#UPDATE_SERVER http://192.168.2.107:8338/trails
# Use heuristic methods
USE_HEURISTICS true
# Capture HTTP requests with missing Host header (introducing potential false positives)
CHECK_MISSING_HOST false
# Check values in Host header (along with standard non-HTTP checks) for malicious DNS trails (introducing greater number of events)
CHECK_HOST_DOMAINS false
# Location of file with whitelisted entries (i.e. IP addresses, domain names, etc.) (note: take a look into 'misc/whitelist.txt')
#USER_WHITELIST
# Location of file with ignore event rules. Example under misc/ignore_events.txt
#USER_IGNORELIST misc/ignore_events.txt
# [All]
# Show debug messages (in console output)
SHOW_DEBUG false
# Directory used for log storage
# Note(s): the stored event logs describe the monitored hosts' traffic - keep the directory readable/writable
#          only by the maltrail user
LOG_DIR $SYSTEM_LOG_DIR/maltrail
# HTTP(s) proxy address
#PROXY_ADDRESS http://192.168.5.101:8118
# Disable checking of sudo/Administrator privileges (e.g. when packet capture rights are granted another way)
#DISABLE_CHECK_SUDO true
# Override default location for trail storage (~/.maltrail/trails.csv)
#TRAILS_FILE /etc/maltrail.csv