Not logging -ping about maltrail HOT 10 CLOSED

Can you please do the PCAP just for one that ping? This is the most basic case. Also, you could put SHOW_DEBUG to true in maltrail.conf and rerun sensor. Maybe some error pops up in case of ping

from maltrail.

thx

cat maltrail.conf |grep SHOW_DEBUG

SHOW_DEBUG true

ping ,but no error

sudo python sensor.py

[sudo] password for asrr:
Maltrail (sensor) #v0.8.288

[i] using configuration file '/home/asrr/tools/maltrail/maltrail.conf'
[i] loading trails file...
[i] 814,061 trails loaded
[i] using '/var/log/maltrail' for log storage
[i] opening interface 'eth0'
[i] setting filter '(tcp[13] == 2) or (tcp[13] & 8 != 0) or not tcp'
[i] creating 3 more processes (4 CPU cores detected)
[o] running...

sudo tcpdump -i eth0 -n icmp

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
15:08:26.436292 IP 172.16.9.67 > 202.99.224.68: ICMP echo request, id 5560, seq 698, length 64
15:08:26.437418 IP 202.99.224.68 > 172.16.9.67: ICMP echo reply, id 5560, seq 698, length 64
15:08:27.436700 IP 172.16.9.67 > 202.99.224.68: ICMP echo request, id 5560, seq 699, length 64
15:08:27.437989 IP 202.99.224.68 > 172.16.9.67: ICMP echo reply, id 5560, seq 699, length 64
15:08:28.438112 IP 172.16.9.67 > 202.99.224.68: ICMP echo request, id 5560, seq 700, length 64
15:08:28.439238 IP 202.99.224.68 > 172.16.9.67: ICMP echo reply, id 5560, seq 700, length 64
^C
6 packets captured
6 packets received by filter
0 packets dropped by kernel

from maltrail.

first run sensor.py,Some mistake

sudo python sensor.py
Maltrail (sensor) #v0.8.288

[i] using configuration file '/home/weizi/tools/maltrail/maltrail.conf'
[i] updating trails (this might take a while)...
[o] 'https://reputation.alienvault.com/reputation.generic'
[o] 'http://atrack.h3x.eu/c2'

[!] something went wrong during remote data retrieval ('http://atrack.h3x.eu/c2')

[o] 'https://www.autoshun.org/files/shunlist.csv'
[o] 'https://www.badips.com/get/list/any/2?age=7d'
[o] 'http://osint.bambenekconsulting.com/feeds/c2-ipmasterlist.txt'
[o] 'http://osint.bambenekconsulting.com/feeds/dga-feed.txt'
[o] 'http://www.binarydefense.com/banlist.txt'

[!] something went wrong during remote data retrieval ('http://www.binarydefense.com/banlist.txt')

[o] 'https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/bitcoin_nodes_1d.ipset'
[o] 'http://lists.blocklist.de/lists/all.txt'
[!] something went wrong during remote data retrieval ('http://lists.blocklist.de/lists/all.txt')
[o] 'https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/botscout_1d.ipset'
[o] 'http://danger.rulez.sk/projects/bruteforceblocker/blist.php'

[!] something went wrong during remote data retrieval ('http://danger.rulez.sk/projects/bruteforceblocker/blist.php')

[o] 'http://cinsscore.com/list/ci-badguys.txt'

[!] something went wrong during remote data retrieval ('http://cinsscore.com/list/ci-badguys.txt')

[o] 'https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/cruzit_web_attacks.ipset'
[o] 'http://cybercrime-tracker.net/all.php'

[!] something went wrong during remote data retrieval ('http://cybercrime-tracker.net/all.php')

[o] 'http://www.dshield.org/feeds/suspiciousdomains_High.txt'

[!] something went wrong during remote data retrieval ('http://www.dshield.org/feeds/suspiciousdomains_High.txt')

[o] 'http://feeds.dshield.org/top10-2.txt'
[!] something went wrong during remote data retrieval ('http://feeds.dshield.org/top10-2.txt')
[o] 'http://rules.emergingthreats.net/open/suricata/rules/botcc.rules'
[o] 'http://rules.emergingthreats.net/open/suricata/rules/compromised-ips.txt'
[o] 'https://rules.emergingthreats.net/open/suricata/rules/emerging-dns.rules'
[!] something went wrong during remote data retrieval ('https://rules.emergingthreats.net/open/suricata/rules/emerging-dns.rules')
[o] 'https://feodotracker.abuse.ch/blocklist/?download=domainblocklist'
[o] 'https://feodotracker.abuse.ch/blocklist/?download=ipblocklist'
[o] 'http://blocklist.greensnow.co/greensnow.txt'
[o] 'https://raw.githubusercontent.com/Neo23x0/Loki/master/iocs/otx-c2-iocs.txt'
[o] 'https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/malc0de.ipset'
[o] 'https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/malwaredomainlist.ipset'
[o] 'http://malwaredomains.lehigh.edu/files/domains.txt'
[!] something went wrong during remote data retrieval ('http://malwaredomains.lehigh.edu/files/domains.txt')
[o] 'https://lists.malwarepatrol.net/cgi/getfile?receipt=f1417692233&product=8&list=dansguardian'
[o] 'http://malwareurls.joxeankoret.com/normal.txt'
[!] something went wrong during remote data retrieval ('http://malwareurls.joxeankoret.com/normal.txt')
[o] 'https://www.maxmind.com/en/proxy-detection-sample-list'
[o] 'https://myip.ms/files/blacklist/htaccess/latest_blacklist.txt'
[!] something went wrong during remote data retrieval ('https://myip.ms/files/blacklist/htaccess/latest_blacklist.txt')
[o] 'http://www.nothink.org/blacklist/blacklist_malware_irc.txt'
[o] 'http://www.openbl.org/lists/base.txt'
[o] 'https://openphish.com/feed.txt'
[!] something went wrong during remote data retrieval ('https://openphish.com/feed.txt')
[o] 'https://palevotracker.abuse.ch/blocklists.php?download=combinedblocklist'
[o] 'https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/proxylists_1d.ipset'
[o] 'https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/proxyrss_1d.ipset'
[o] 'https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/proxyspy_1d.ipset'
[o] 'https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/ri_web_proxies_30d.ipset'
[o] 'http://report.rutgers.edu/DROP/attackers'
[o] 'http://sblam.com/blacklist.txt'
[o] 'http://labs.snort.org/feeds/ip-filter.blf'
[o] 'https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/socks_proxy_7d.ipset'
[o] 'https://sslbl.abuse.ch/blacklist/sslipblacklist.csv'
[o] 'https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/sslproxies_1d.ipset'
[o] 'https://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=1.1.1.1'
[!] something went wrong during remote data retrieval ('https://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=1.1.1.1')
[o] 'https://torstatus.blutmagie.de/ip_list_all.php/Tor_ip_list_ALL.csv'
[o] 'http://www.voipbl.org/update/'
[o] 'http://vxvault.siri-urz.net/URL_List.php'
[o] 'https://zeustracker.abuse.ch/blocklist.php?download=domainblocklist'
[o] 'https://zeustracker.abuse.ch/blocklist.php?download=badips'
[o] 'https://zeustracker.abuse.ch/monitor.php?filter=all'
[o] 'https://zeustracker.abuse.ch/blocklist.php?download=compromised'
[o] '(static)'
[o] '(custom)'
[i] using '/var/log/maltrail' for log storage
[i] opening interface 'eth0'
[i] setting filter '(tcp[13] == 2) or (tcp[13] & 8 != 0) or not tcp'
[i] creating 3 more processes (4 CPU cores detected)
[o] running...
^C

from maltrail.

About those blacklist downloads. You seem to have a very laggy connection. I assume that those downloads timeout, as I am getting all of them (maybe 1 problematic).

p.s. Can you please make a real PCAP dump for that ping and send it to [email protected]?

from maltrail.

Mail has been issued。
sudo tcpdump -i eth0 icmp -w /tmp/pcap
thx.

from maltrail.

thx
Can those blacklist manual down?
How to do？

from maltrail.

thx

I understood.

• ip 202.99.224.68 is not in train
• look 384 lines in sensor.py

elif protocol in IPPROTO_LUT:  # non-TCP/UDP (e.g. ICMP)
            if protocol == socket.IPPROTO_ICMP:
                i = iph_length + ip_offset
                if ord(packet[i]) != 8:  # Echo request
                    return

            if dst_ip in trails:
                log_event((sec, usec, src_ip, '-', dst_ip, '-', IPPROTO_LUT[protocol], TRAIL.IP, dst_ip, trails[dst_ip][0], trails[dst_ip][1]))
            elif src_ip in trails:
                log_event((sec, usec, src_ip, '-', dst_ip, '-', IPPROTO_LUT[protocol], TRAIL.IP, src_ip, trails[src_ip][0], trails[src_ip][1]))

from maltrail.

rm ~/.maltrail
download file again

from maltrail.

I've been reading this all over again from PC. Been using mobile. Now I see what you've done:

"2015-12-26 12:17:54.146010" weizi-linux 172.16.9.67 59850 202.99.224.68 53 UDP DNS bluereader.org malware otx.alienvault.comu

This means that bluereader.org was the trail (DNS blacklisted name) and not the IP 202.99.224.68 as you suggested in your original message. Hence, ping hasn't triggered the event

from maltrail.

right.
See examples
"ping -c 1 136.161.101.53 cat /var/log/maltrail/$(date +"%Y-%m-%d").log"
I casually changed a IP，but Did not expect the address is not in the trail
Thanks again.

from maltrail.