Comments (10)
Can you please do the PCAP just for one that ping? This is the most basic case. Also, you could put SHOW_DEBUG to true in maltrail.conf and rerun sensor. Maybe some error pops up in case of ping
from maltrail.
thx
cat maltrail.conf |grep SHOW_DEBUG
SHOW_DEBUG true
ping, but no error
sudo python sensor.py
[sudo] password for asrr:
Maltrail (sensor) #v0.8.288
[i] using configuration file '/home/asrr/tools/maltrail/maltrail.conf'
[i] loading trails file...
[i] 814,061 trails loaded
[i] using '/var/log/maltrail' for log storage
[i] opening interface 'eth0'
[i] setting filter '(tcp[13] == 2) or (tcp[13] & 8 != 0) or not tcp'
[i] creating 3 more processes (4 CPU cores detected)
[o] running...
sudo tcpdump -i eth0 -n icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
15:08:26.436292 IP 172.16.9.67 > 202.99.224.68: ICMP echo request, id 5560, seq 698, length 64
15:08:26.437418 IP 202.99.224.68 > 172.16.9.67: ICMP echo reply, id 5560, seq 698, length 64
15:08:27.436700 IP 172.16.9.67 > 202.99.224.68: ICMP echo request, id 5560, seq 699, length 64
15:08:27.437989 IP 202.99.224.68 > 172.16.9.67: ICMP echo reply, id 5560, seq 699, length 64
15:08:28.438112 IP 172.16.9.67 > 202.99.224.68: ICMP echo request, id 5560, seq 700, length 64
15:08:28.439238 IP 202.99.224.68 > 172.16.9.67: ICMP echo reply, id 5560, seq 700, length 64
^C
6 packets captured
6 packets received by filter
0 packets dropped by kernel
from maltrail.
First run of sensor.py, some mistake:
sudo python sensor.py
Maltrail (sensor) #v0.8.288
[i] using configuration file '/home/weizi/tools/maltrail/maltrail.conf'
[i] updating trails (this might take a while)...
[o] 'https://reputation.alienvault.com/reputation.generic'
[o] 'http://atrack.h3x.eu/c2'
[!] something went wrong during remote data retrieval ('http://atrack.h3x.eu/c2')
[o] 'https://www.autoshun.org/files/shunlist.csv'
[o] 'https://www.badips.com/get/list/any/2?age=7d'
[o] 'http://osint.bambenekconsulting.com/feeds/c2-ipmasterlist.txt'
[o] 'http://osint.bambenekconsulting.com/feeds/dga-feed.txt'
[o] 'http://www.binarydefense.com/banlist.txt'
[!] something went wrong during remote data retrieval ('http://www.binarydefense.com/banlist.txt')
[o] 'https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/bitcoin_nodes_1d.ipset'
[o] 'http://lists.blocklist.de/lists/all.txt'
[!] something went wrong during remote data retrieval ('http://lists.blocklist.de/lists/all.txt')
[o] 'https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/botscout_1d.ipset'
[o] 'http://danger.rulez.sk/projects/bruteforceblocker/blist.php'
[!] something went wrong during remote data retrieval ('http://danger.rulez.sk/projects/bruteforceblocker/blist.php')
[o] 'http://cinsscore.com/list/ci-badguys.txt'
[!] something went wrong during remote data retrieval ('http://cinsscore.com/list/ci-badguys.txt')
[o] 'https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/cruzit_web_attacks.ipset'
[o] 'http://cybercrime-tracker.net/all.php'
[!] something went wrong during remote data retrieval ('http://cybercrime-tracker.net/all.php')
[o] 'http://www.dshield.org/feeds/suspiciousdomains_High.txt'
[!] something went wrong during remote data retrieval ('http://www.dshield.org/feeds/suspiciousdomains_High.txt')
[o] 'http://feeds.dshield.org/top10-2.txt'
[!] something went wrong during remote data retrieval ('http://feeds.dshield.org/top10-2.txt')
[o] 'http://rules.emergingthreats.net/open/suricata/rules/botcc.rules'
[o] 'http://rules.emergingthreats.net/open/suricata/rules/compromised-ips.txt'
[o] 'https://rules.emergingthreats.net/open/suricata/rules/emerging-dns.rules'
[!] something went wrong during remote data retrieval ('https://rules.emergingthreats.net/open/suricata/rules/emerging-dns.rules')
[o] 'https://feodotracker.abuse.ch/blocklist/?download=domainblocklist'
[o] 'https://feodotracker.abuse.ch/blocklist/?download=ipblocklist'
[o] 'http://blocklist.greensnow.co/greensnow.txt'
[o] 'https://raw.githubusercontent.com/Neo23x0/Loki/master/iocs/otx-c2-iocs.txt'
[o] 'https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/malc0de.ipset'
[o] 'https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/malwaredomainlist.ipset'
[o] 'http://malwaredomains.lehigh.edu/files/domains.txt'
[!] something went wrong during remote data retrieval ('http://malwaredomains.lehigh.edu/files/domains.txt')
[o] 'https://lists.malwarepatrol.net/cgi/getfile?receipt=f1417692233&product=8&list=dansguardian'
[o] 'http://malwareurls.joxeankoret.com/normal.txt'
[!] something went wrong during remote data retrieval ('http://malwareurls.joxeankoret.com/normal.txt')
[o] 'https://www.maxmind.com/en/proxy-detection-sample-list'
[o] 'https://myip.ms/files/blacklist/htaccess/latest_blacklist.txt'
[!] something went wrong during remote data retrieval ('https://myip.ms/files/blacklist/htaccess/latest_blacklist.txt')
[o] 'http://www.nothink.org/blacklist/blacklist_malware_irc.txt'
[o] 'http://www.openbl.org/lists/base.txt'
[o] 'https://openphish.com/feed.txt'
[!] something went wrong during remote data retrieval ('https://openphish.com/feed.txt')
[o] 'https://palevotracker.abuse.ch/blocklists.php?download=combinedblocklist'
[o] 'https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/proxylists_1d.ipset'
[o] 'https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/proxyrss_1d.ipset'
[o] 'https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/proxyspy_1d.ipset'
[o] 'https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/ri_web_proxies_30d.ipset'
[o] 'http://report.rutgers.edu/DROP/attackers'
[o] 'http://sblam.com/blacklist.txt'
[o] 'http://labs.snort.org/feeds/ip-filter.blf'
[o] 'https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/socks_proxy_7d.ipset'
[o] 'https://sslbl.abuse.ch/blacklist/sslipblacklist.csv'
[o] 'https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/sslproxies_1d.ipset'
[o] 'https://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=1.1.1.1'
[!] something went wrong during remote data retrieval ('https://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=1.1.1.1')
[o] 'https://torstatus.blutmagie.de/ip_list_all.php/Tor_ip_list_ALL.csv'
[o] 'http://www.voipbl.org/update/'
[o] 'http://vxvault.siri-urz.net/URL_List.php'
[o] 'https://zeustracker.abuse.ch/blocklist.php?download=domainblocklist'
[o] 'https://zeustracker.abuse.ch/blocklist.php?download=badips'
[o] 'https://zeustracker.abuse.ch/monitor.php?filter=all'
[o] 'https://zeustracker.abuse.ch/blocklist.php?download=compromised'
[o] '(static)'
[o] '(custom)'
[i] using '/var/log/maltrail' for log storage
[i] opening interface 'eth0'
[i] setting filter '(tcp[13] == 2) or (tcp[13] & 8 != 0) or not tcp'
[i] creating 3 more processes (4 CPU cores detected)
[o] running...
^C
from maltrail.
About those blacklist downloads. You seem to have a very laggy connection. I assume that those downloads timeout, as I am getting all of them (maybe 1 problematic).
p.s. Can you please make a real PCAP dump for that ping and send it to [email protected]?
from maltrail.
Mail has been issued.
sudo tcpdump -i eth0 icmp -w /tmp/pcap
thx.
from maltrail.
thx
Can those blacklists be downloaded manually?
How do I do that?
from maltrail.
thx
I understood.
- IP 202.99.224.68 is not in trails
- look at line 384 in sensor.py

    elif protocol in IPPROTO_LUT:  # non-TCP/UDP (e.g. ICMP)
        if protocol == socket.IPPROTO_ICMP:
            i = iph_length + ip_offset
            if ord(packet[i]) != 8:  # Echo request
                return

        # only the IP addresses are matched for non-TCP/UDP traffic
        if dst_ip in trails:
            log_event((sec, usec, src_ip, '-', dst_ip, '-', IPPROTO_LUT[protocol], TRAIL.IP, dst_ip, trails[dst_ip][0], trails[dst_ip][1]))
        elif src_ip in trails:
            log_event((sec, usec, src_ip, '-', dst_ip, '-', IPPROTO_LUT[protocol], TRAIL.IP, src_ip, trails[src_ip][0], trails[src_ip][1]))
from maltrail.
rm ~/.maltrail
download file again
from maltrail.
I've been reading this all over again from PC. Been using mobile. Now I see what you've done:
"2015-12-26 12:17:54.146010" weizi-linux 172.16.9.67 59850 202.99.224.68 53 UDP DNS bluereader.org malware otx.alienvault.comu
This means that bluereader.org was the trail (DNS blacklisted name) and not the IP 202.99.224.68 as you suggested in your original message. Hence, ping hasn't triggered the event.
from maltrail.
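To make the two explanations above concrete (the ICMP branch of sensor.py quoted earlier, and the point that the logged trail was the DNS name bluereader.org rather than the IP 202.99.224.68), here is an added, self-contained re-implementation of that matching logic. It is not Maltrail's own code: the packet bytes, the trails table and the helper names `build_icmp_packet` and `check_icmp` are constructed for this example, and it uses Python 3 bytes indexing where the quoted snippet used `ord()` on Python 2 strings.

```python
import socket
import struct

# Constructed trails table in the shape sensor.py uses: key -> (info, reference).
# Only the DNS name from the log line in this thread is listed; the IP is not.
TRAILS = {
    "bluereader.org": ("malware", "otx.alienvault.com"),
}

IPPROTO_LUT = {socket.IPPROTO_ICMP: "ICMP"}  # non-TCP/UDP protocols the sensor names
ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0


def build_icmp_packet(src_ip, dst_ip, icmp_type):
    """Construct a minimal IPv4 + ICMP packet as raw bytes (checksums zeroed;
    this is constructed test input, not a captured packet)."""
    ihl = 5
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 5560, 698) + b"\x00" * 56
    total_len = ihl * 4 + len(icmp)
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        (4 << 4) | ihl, 0, total_len, 0, 0, 64,
        socket.IPPROTO_ICMP, 0,
        socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
    )
    return ip_hdr + icmp


def check_icmp(packet, trails, ip_offset=0):
    """Mirror of the non-TCP/UDP branch quoted above.

    Returns the (src_ip, dst_ip, proto, trail, info, reference) tuple that
    would be logged, or None when nothing matches. Only the IP addresses are
    looked up here, so a DNS-name trail such as bluereader.org can never be
    hit by a ping."""
    iph = packet[ip_offset:ip_offset + 20]
    iph_length = (iph[0] & 0x0F) * 4          # IHL field, in 32-bit words
    protocol = iph[9]
    src_ip = socket.inet_ntoa(iph[12:16])
    dst_ip = socket.inet_ntoa(iph[16:20])

    if protocol not in IPPROTO_LUT:
        return None
    if protocol == socket.IPPROTO_ICMP:
        i = iph_length + ip_offset
        if packet[i] != ICMP_ECHO_REQUEST:   # echo replies are ignored
            return None

    if dst_ip in trails:
        return (src_ip, dst_ip, IPPROTO_LUT[protocol], dst_ip) + trails[dst_ip]
    if src_ip in trails:
        return (src_ip, dst_ip, IPPROTO_LUT[protocol], src_ip) + trails[src_ip]
    return None


if __name__ == "__main__":
    req = build_icmp_packet("172.16.9.67", "202.99.224.68", ICMP_ECHO_REQUEST)
    print(check_icmp(req, TRAILS))                       # None: IP is not a trail
    listed = {"202.99.224.68": ("bad", "constructed")}
    print(check_icmp(req, listed))                       # event tuple
```

With the thread's own values, `check_icmp` returns None: the ping goes to an IP that is simply not in the trails, which is what the maintainer concluded. Putting the IP into the table (as the `listed` dict does) produces an event, while an echo reply to a listed IP still produces nothing because of the type-8 check.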
right.
See examples:
ping -c 1 136.161.101.53
cat /var/log/maltrail/$(date +"%Y-%m-%d").log
I casually changed an IP, but did not expect that the address is not in the trails.
Thanks again.
from maltrail.