|
| 1 | +# [Server] |
| 2 | + |
| 3 | +# Listen address of (reporting) HTTP server |
| 4 | +HTTP_ADDRESS 0.0.0.0 |
| 5 | +#HTTP_ADDRESS :: |
| 6 | +#HTTP_ADDRESS fe80::12c3:7bff:fe6d:cf9b%eno1 |
| 7 | + |
| 8 | +# Listen port of (reporting) HTTP server |
| 9 | +HTTP_PORT 8338 |
| 10 | + |
| 11 | +# Use SSL/TLS |
| 12 | +USE_SSL false |
| 13 | + |
| 14 | +# SSL/TLS (private/cert) PEM file (e.g. openssl req -new -x509 -keyout server.pem -out server.pem -days 1023 -nodes) |
| 15 | +#SSL_PEM misc/server.pem |
| 16 | + |
| 17 | +# User entries (username:sha256(password):UID:filter_netmask(s)) |
| 18 | +# Note(s): sha256(password) can be generated on Linux with: echo -n 'password' | sha256sum | cut -d " " -f 1 |
| 19 | +# UID >= 1000 have only rights to display results (Note: this moment only functionality implemented at the client side) |
| 20 | +# filter_netmask(s) is/are used to filter results |
| 21 | +USERS |
| 22 | + admin:9ab3cd9d67bf49d01f6a2e33d0bd9bc804ddbe6ce1ff5d219c42624851db5dbc:0: # changeme! |
| 23 | +# local:9ab3cd9d67bf49d01f6a2e33d0bd9bc804ddbe6ce1ff5d219c42624851db5dbc:1000:192.168.0.0/16 # changeme! |
| 24 | + |
| 25 | +# Mask custom trail names for non-admin users (UID >= 1000) |
| 26 | +ENABLE_MASK_CUSTOM true |
| 27 | + |
| 28 | +# Listen address of (log collecting) UDP server |
| 29 | +UDP_ADDRESS 0.0.0.0 |
| 30 | +#UDP_ADDRESS :: |
| 31 | +#UDP_ADDRESS fe80::12c3:7bff:fe6d:cf9b%eno1 |
| 32 | + |
| 33 | +# Listen port of (log collecting) UDP server |
| 34 | +UDP_PORT 8337 |
| 35 | + |
| 36 | +# Should server do the trail updates too (to support UPDATE_SERVER directive in [Sensor] parameters) |
| 37 | +USE_SERVER_UPDATE_TRAILS false |
| 38 | + |
| 39 | +# Aliases used in client's web browser interface to describe the src_ip and/or dst_ip column entries |
| 40 | +#IP_ALIASES |
| 41 | +# 8.8.8.8:google |
| 42 | +# 8.8.4.4:google |
| 43 | + |
| 44 | +# Option to change the top-left logo with a custom image/text |
| 45 | +#HEADER_LOGO <img src="https://i.imgur.com/JxYJ5yX.png" style="width: 26px"> XYZ |
| 46 | + |
| 47 | +# Regular expression to be used in external /fail2ban calls for extraction of attacker source IPs |
| 48 | +FAIL2BAN_REGEX attacker|reputation|potential[^"]*(web scan|directory traversal|injection|remote code|iot-malware download)|spammer|mass scanner |
| 49 | + |
| 50 | +# Blacklist generation rules |
| 51 | +# BLACKLIST |
| 52 | +# src_ip !~ ^192.168. and dst_port ~ ^22$ |
| 53 | +# src_ip ~ ^192.168. and filter ~ malware |
| 54 | + |
| 55 | +# [Sensor] |
| 56 | + |
| 57 | +# Number of processes |
| 58 | +PROCESS_COUNT 1 |
| 59 | + |
| 60 | +# Disable setting of CPU affinity (with schedtool) on Linux machines (e.g. because of load issues with other processes) |
| 61 | +DISABLE_CPU_AFFINITY false |
| 62 | + |
| 63 | +# Use feeds (too) in trail updates |
| 64 | +USE_FEED_UPDATES true |
| 65 | + |
| 66 | +# Disable (retrieval from) specified feeds (Note: respective .py files inside /trails/feeds; turris and ciarmy/cinsscore seem to be too "noisy" lately; policeman is old and produces lots of false positives) |
| 67 | +DISABLED_FEEDS turris, ciarmy, policeman, myip, alienvault |
| 68 | + |
| 69 | +# Ignore IPs that appear on lower than IP_MINIMUM_FEEDS number of feeds (Note: static IP trails are always included) |
| 70 | +IP_MINIMUM_FEEDS 3 |
| 71 | + |
| 72 | +# Disable trails based on the following regular expression run against the corresponding info |
| 73 | +#DISABLED_TRAILS_INFO_REGEX known attacker|tor exit node |
| 74 | + |
| 75 | +# Update trails after every given period (seconds) |
| 76 | +UPDATE_PERIOD 86400 |
| 77 | + |
| 78 | +# Use remote custom feed (too) in trail updates |
| 79 | +#CUSTOM_TRAILS_URL http://www.test.com/custom.txt |
| 80 | + |
| 81 | +# Location of directory with custom trails (*.txt) files |
| 82 | +CUSTOM_TRAILS_DIR ./misc/custom |
| 83 | + |
| 84 | +# (Max.) size of multiprocessing network capture ring buffer (in bytes or percentage of total physical memory) used by sensor (e.g. 512MB) |
| 85 | +CAPTURE_BUFFER 10% |
| 86 | + |
| 87 | +# Interface used for monitoring (e.g. eth0, eth1) |
| 88 | +MONITOR_INTERFACE any |
| 89 | + |
| 90 | +# Network capture filter (e.g. ip) |
| 91 | +# Note(s): more info about filters can be found at: https://danielmiessler.com/study/tcpdump/ |
| 92 | +#CAPTURE_FILTER ip or ip6 |
| 93 | +CAPTURE_FILTER udp or icmp or (tcp and (tcp[tcpflags] == tcp-syn or port 80 or port 1080 or port 3128 or port 8000 or port 8080 or port 8118)) |
| 94 | + |
| 95 | +# Sensor name to appear in produced logs |
| 96 | +SENSOR_NAME $HOSTNAME |
| 97 | + |
| 98 | +# Remote Maltrail server instance to send log entries (Note: listening at <UDP_ADDRESS>:<UDP_PORT>) |
| 99 | +LOG_SERVER 127.0.0.1:8337 |
| 100 | +#LOG_SERVER [fe80::12c3:7bff:fe6d:cf9b%eno1]:8337 |
| 101 | + |
| 102 | +# Remote address to send Syslog events |
| 103 | +#SYSLOG_SERVER 192.168.2.107:514 |
| 104 | + |
| 105 | +# Remote address to send JSON events (e.g. Logstash) |
| 106 | +#LOGSTASH_SERVER 192.168.2.107:5000 |
| 107 | + |
| 108 | +# Regular expression used for calculating severity attribute when sending events to SYSLOG_SERVER or LOGSTASH_SERVER |
| 109 | +REMOTE_SEVERITY_REGEX (?P<high>(remote )?custom\)|malwaredomainlist|iot-malware|malware(?! (distribution|site))|adversary|ransomware)|(?P<medium>potential malware site|malware distribution)|(?P<low>mass scanner|reputation|attacker|spammer|compromised|crawler|scanning) |
| 110 | + |
| 111 | +# Set only (!) in cases when LOG_SERVER should be exclusively used for log storage |
| 112 | +DISABLE_LOCAL_LOG_STORAGE false |
| 113 | + |
| 114 | +# Remote address for pulling (latest) trail definitions (e.g. http://192.168.2.107:8338/trails). USE_SERVER_UPDATE_TRAILS directive should be active in [Server] parameters. |
| 115 | +#UPDATE_SERVER http://192.168.2.107:8338/trails |
| 116 | + |
| 117 | +# Use heuristic methods |
| 118 | +USE_HEURISTICS true |
| 119 | + |
| 120 | +# Capture HTTP requests with missing Host header (introducing potential false positives) |
| 121 | +CHECK_MISSING_HOST false |
| 122 | + |
| 123 | +# Check values in Host header (along with standard non-HTTP checks) for malicious DNS trails (introducing greater number of events) |
| 124 | +CHECK_HOST_DOMAINS false |
| 125 | + |
| 126 | +# Location of file with whitelisted entries (i.e. IP addresses, domain names, etc.) (note: take a look into 'misc/whitelist.txt') |
| 127 | +#USER_WHITELIST misc/whitelist.txt |
| 128 | + |
| 129 | +# Location of file with ignore event rules. Example under misc/ignore_events.txt |
| 130 | +#USER_IGNORELIST misc/ignore_events.txt |
| 131 | + |
| 132 | +# Regular expression to be used against the whole event entry to be ignored |
| 133 | +#IGNORE_EVENTS_REGEX sql injection|long domain|117.21.225.3|sinkhole |
| 134 | + |
| 135 | +# [All] |
| 136 | + |
| 137 | +# Show debug messages (in console output) |
| 138 | +SHOW_DEBUG false |
| 139 | + |
| 140 | +# Directory used for log storage |
| 141 | +LOG_DIR ./log/maltrail |
| 142 | + |
| 143 | +# HTTP(s) proxy address |
| 144 | +#PROXY_ADDRESS http://192.168.5.101:8118 |
| 145 | + |
| 146 | +# Disable checking of sudo/Administrator privileges (e.g. if using: setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip' /bin/python) |
| 147 | +DISABLE_CHECK_SUDO true |
| 148 | + |
| 149 | +# Override default location for trail storage (~/.maltrail/trails.csv) |
| 150 | +TRAILS_FILE ./var/maltrail.csv |
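Review bot: The default USERS entry on line 22 ships a fixed password hash for UID 0 (the admin role) while the reporting server defaults to HTTP_ADDRESS 0.0.0.0 with USE_SSL false, so a fresh install exposes an admin login with a published credential on every interface until the operator edits the file, and the `# changeme!` marker is easy to overlook. Ship that line commented out, as the `local` example on line 23 already is, or state in the comment that the server refuses to start with the shipped value (whether such a check exists is not visible here). The format comment on line 17 should also make the hash strength explicit, e.g. `# Note(s): the stored value is a plain, unsalted sha256 of the password; use a long random password, since this hash is cheap to brute-force offline if the file leaks`. The trailing `# changeme!` after the netmask field relies on the config loader stripping inline comments — confirm that, since on most INI-style parsers the text would become part of the last field.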