Possible integration with maltrail


Furkan Çalışkan

Dec 22, 2015, 8:16:08 AM
to security-onion
Hi,

Has anyone heard about maltrail or tried it? [https://github.com/stamparm/maltrail]

Maltrail is a malicious traffic detection system, utilizing publicly available (black)lists containing malicious and/or generally suspicious trails, along with static trails compiled from various AV reports and custom user defined

I'm wondering how I can integrate it with my currently installed distributed SO installation. I'm asking because Bro already has these URL and IP requests per machine. Any idea?

Thanks,

Pete

Mar 2, 2016, 3:40:56 PM
to security-onion
Furkan,

Maltrail is on my radar and in my TODO list. I think it would be a great addition to SecurityOnion. I haven't played with it yet, but had requested a couple of changes that will allow it to play nice with other sensor-type apps (e.g. it no longer hogs all CPUs in multi-threaded mode).

It has a server/sensor/standalone architecture similar to SecurityOnion, and its Python-based HTTP server could be proxied by apache2 just like ELSA is. It uses UDP to push alerts from sensor to server, and HTTP from sensor to server to pull new threat intel down. That could be adapted to use Salt if someone wanted to go through the effort.

It's under heavy and active development, and has a good collection of feature requests from a variety of users. It may need to mature a little, as the first release, "Borg Queen," was just on January 5 and in less than 2 months there have been more than 350 commits on top of that. Keeping up with the latest changes would take some effort in packaging and testing.

I'll update the list with the results of my testing once I get a chance to play with it.

Wes

Mar 2, 2016, 5:57:39 PM
to security-onion

I'd be interested in evaluating this as well :)

Thanks,
Wes

Umut Arus

Mar 8, 2016, 10:37:02 AM
to security-onion
Hi,

I tried it and liked it. It resolved many tasks about security and malware, DDoS clients in the network.

Regards.

Furkan Çalışkan

Mar 22, 2016, 9:28:20 AM
to security-onion
I manually installed and tested it on one of my internet-facing sensors and it rocks. If we add this to Security Onion, correlating this data with Bro/ELSA logs would be perfect.

Should we do some planning for this feature? I want to help if there is a task force.

On Tuesday, 8 March 2016 at 17:37:02 UTC+2, Umut Arus wrote:

Dave Prince

Jun 30, 2016, 3:37:38 PM
to security-onion

Any more info on if this will be integrated in the future?

Tom OBrion

Jun 30, 2016, 3:57:04 PM
to security-onion
I don't want to get too far into the weeds on this, but I just want to know if this would have any more functionality than utilizing Critical Stack or CIF or another intel feed into the Bro Intel Framework?

It just seems like there is a tad bit of overlap depending on the functionality. I do plan to peek at it, but thought if someone has first-hand experience with both they could chime in.

Thanks

Tom

Furkan Çalışkan

Jul 5, 2016, 8:09:09 AM
to security-onion
Utilizing Critical Stack by integrating it with Bro can be an alternative to this. Maltrail just has extra features like a custom web GUI, etc. There could be a TI main menu in ELSA for providing this GUI functionality.

On Thursday, 30 June 2016 at 22:57:04 UTC+3, Tom OBrion wrote:
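As an added example of the overlap Tom asks about and the Bro alternative Furkan mentions (this is not code from maltrail, Security Onion or any poster in this thread): a maltrail-style trail list can be rewritten as a Bro Intel Framework input file, so that Bro's own dns/http/conn logs do the matching instead of a second sensor. It assumes the trail list uses a `trail,info,reference` CSV layout and that the intel file uses the standard `indicator`, `indicator_type`, `meta.source`, `meta.desc`, `meta.url` columns; the sample trails and DNS queries are constructed. Bro `Intel::URL` indicators are matched without the scheme, so `http://` is stripped, and the file must be tab-separated with no stray whitespace, which is what the conversion enforces.

```python
"""Turn a maltrail-style trail list into a Bro Intel Framework file.

Added example, not maltrail or Security Onion code. Assumes the trail list
is CSV with columns trail,info,reference (an assumption about the layout).
"""
import csv
import io
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample trail list (values are made up).
SAMPLE_TRAILS = """\
trail,info,reference
198.51.100.23,known attacker,example-feed
malware.example.net,malicious domain,example-feed
http://badhost.example.org/dl/payload.exe,malware download,example-feed
"  spam.example.com  ",spam,example-feed
"""

# Column header the Bro Intel Framework expects (tab-separated).
BRO_INTEL_HEADER = "#fields\tindicator\tindicator_type\tmeta.source\tmeta.desc\tmeta.url"

# Conservative hostname check: labels of letters/digits/hyphens, at least one dot.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))+$"
)


def classify(trail):
    """Map one trail to (indicator, indicator_type); None if it cannot be expressed."""
    trail = trail.strip()
    if not trail:
        return None
    try:
        ipaddress.ip_address(trail)
        return trail, "Intel::ADDR"
    except ValueError:
        pass
    if "://" in trail or "/" in trail:
        # Intel::URL indicators carry host + path (+ query), never the scheme.
        parts = urlsplit(trail if "://" in trail else "//" + trail)
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        return parts.netloc.lower() + path, "Intel::URL"
    if DOMAIN_RE.match(trail):
        return trail.lower(), "Intel::DOMAIN"
    return None


def trails_to_intel(csv_text, source="maltrail"):
    """Return the lines of a Bro intel file (header first), de-duplicated."""
    lines = [BRO_INTEL_HEADER]
    seen = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        result = classify(row.get("trail") or "")
        if result is None:
            continue
        indicator, itype = result
        if (indicator, itype) in seen:
            continue
        seen.add((indicator, itype))
        # Tabs are the field separator; "-" is Bro's empty-field marker.
        desc = (row.get("info") or "").replace("\t", " ").strip() or "-"
        ref = (row.get("reference") or "").replace("\t", " ").strip() or "-"
        lines.append("\t".join([indicator, itype, source, desc, ref]))
    return lines


# Constructed queries as they would appear in the query column of Bro's dns.log.
SAMPLE_DNS_QUERIES = ["www.example.com", "malware.example.net", "spam.example.com"]


def dns_hits(intel_lines, queries):
    """Which queried names would the DOMAIN indicators in the intel file match."""
    domains = {l.split("\t")[0] for l in intel_lines if "\tIntel::DOMAIN\t" in l}
    return [q for q in queries if q.lower() in domains]


if __name__ == "__main__":
    intel = trails_to_intel(SAMPLE_TRAILS)
    print("\n".join(intel))
    print("dns.log hits:", dns_hits(intel, SAMPLE_DNS_QUERIES))
```

Write the returned lines to a file and point `Intel::read_files` at it; a trail that is neither an address, a URL nor a syntactically valid hostname is dropped rather than written, because one malformed row makes Bro reject the whole intel file.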