From 456e19feef6f7d2569f080724da2a116656e9bff Mon Sep 17 00:00:00 2001
From: kev
Date: Mon, 4 Mar 2024 17:07:03 +0800
Subject: [PATCH] add maltrail
---
 README.md | 1 +
 editly/Dockerfile | 4 +-
 maltrail/Dockerfile | 41 +++++++++
 maltrail/README.md | 17 ++++
 maltrail/data/etc/maltrail.conf | 150 ++++++++++++++++++++++++++++++++
 maltrail/data/log/.gitkeep | 0
 maltrail/data/var/.gitkeep | 0
 maltrail/docker-compose.yml | 25 ++++++
 8 files changed, 236 insertions(+), 2 deletions(-)
 create mode 100644 maltrail/Dockerfile
 create mode 100644 maltrail/README.md
 create mode 100644 maltrail/data/etc/maltrail.conf
 create mode 100644 maltrail/data/log/.gitkeep
 create mode 100644 maltrail/data/var/.gitkeep
 create mode 100644 maltrail/docker-compose.yml
diff --git a/README.md b/README.md
index 7c319b3..1b23dad 100644
--- a/README.md
+++ b/README.md
@@ -236,6 +236,7 @@ A collection of delicious docker recipes.
 - [x] hydra
 - [x] iptables
 - [x] kismet
+- [x] maltrail
 - [x] routersploit
 - [x] snort :beetle:
 - [x] snort3 :beetle:
diff --git a/editly/Dockerfile b/editly/Dockerfile
index d20d219..7c39b2c 100644
--- a/editly/Dockerfile
+++ b/editly/Dockerfile
@@ -2,11 +2,11 @@
 # Dockerfile for editly
 #
 
-FROM node:lts-bullseye
+FROM node:lts-bookworm
 MAINTAINER EasyPi Software Foundation
 
 ARG EDITLY_VERSION=0.14.2
-ARG FFMPEG_VERSION=6.0
+ARG FFMPEG_VERSION=6.1
 
 RUN set -xe \
 && apt update \
diff --git a/maltrail/Dockerfile b/maltrail/Dockerfile
new file mode 100644
index 0000000..0a014b7
--- /dev/null
+++ b/maltrail/Dockerfile
@@ -0,0 +1,41 @@
+#
+# Dockerfile for maltrail
+#
+
+FROM debian:12
+MAINTAINER EasyPi Software Foundation
+
+ARG MALTRAIL_VERSION=0.67
+ARG MALTRAIL_URL=https://github.com/stamparm/maltrail/archive/refs/tags/${MALTRAIL_VERSION}.tar.gz
+
+WORKDIR /opt/maltrail
+
+RUN set -xe \
+ && apt update -y \
+ && apt install -y curl \
+ build-essential \
+ libpcap0.8 \
+ libpcap-dev \
+ procps \
+ python3 \
+ python3-dev \
+ python3-pip \
+ python-is-python3 \
+ schedtool \
+ && pip install --break-system-packages pcapy-ng \
+ && curl -sSL ${MALTRAIL_URL} | tar xz --strip 1 \
+ && mkdir -p etc log var misc/custom \
+ && mv maltrail.conf etc \
+ && mv trails/custom/dprk.txt misc/custom \
+ && chmod +x server.py sensor.py \
+ && ./server.py --version \
+ && ./sensor.py --version \
+ && apt remote -y curl \
+ build-essential \
+ libpcap-dev \
+ python3-dev \
+ && rm -rf /var/lib/apt/lists/*
+
+EXPOSE 8337/udp 8338/tcp
+
+CMD ["./server.py", "-c", "etc/maltrail.conf"]
diff --git a/maltrail/README.md b/maltrail/README.md
new file mode 100644
index 0000000..bb6c575
--- /dev/null
+++ b/maltrail/README.md
@@ -0,0 +1,17 @@
+maltrail
+========
+
+[Maltrail][1] is a malicious traffic detection system.
+
+
+```bash
+$ docker compose up -d
+$ curl http://127.0.0.1:8338
+
+$ ping -c 1 136.161.101.53
+$ nslookup morphed.ru
+
+$ tail -f ./data/log/$(date +"%Y-%m-%d").log
+```
+
+[1]: https://github.com/stamparm/maltrail
diff --git a/maltrail/data/etc/maltrail.conf b/maltrail/data/etc/maltrail.conf
new file mode 100644
index 0000000..83c4f39
--- /dev/null
+++ b/maltrail/data/etc/maltrail.conf
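Review bot: `&& apt remote -y curl \` near the end of the RUN chain is a typo for `apt remove`; apt rejects the unknown operation with a non-zero status, so under `set -xe` the step fails and this image does not build as written. Change that line to `&& apt remove -y curl \`. Separately, the release archive is fetched with `curl -sSL ${MALTRAIL_URL} | tar xz --strip 1` and never verified, so a tampered or truncated download is extracted silently; downloading to a file and checking it with `echo "<sha256-of-the-0.67-tarball>  maltrail.tar.gz" | sha256sum -c` before extracting would make the build reproducible and catch that. The same hunk also uses `apt` rather than `apt-get` in a script and the deprecated `MAINTAINER` instruction, both of which hadolint flags (`LABEL org.opencontainers.image.authors=...` is the replacement).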
@@ -0,0 +1,150 @@
+# [Server]
+
+# Listen address of (reporting) HTTP server
+HTTP_ADDRESS 0.0.0.0
+#HTTP_ADDRESS ::
+#HTTP_ADDRESS fe80::12c3:7bff:fe6d:cf9b%eno1
+
+# Listen port of (reporting) HTTP server
+HTTP_PORT 8338
+
+# Use SSL/TLS
+USE_SSL false
+
+# SSL/TLS (private/cert) PEM file (e.g. openssl req -new -x509 -keyout server.pem -out server.pem -days 1023 -nodes)
+#SSL_PEM misc/server.pem
+
+# User entries (username:sha256(password):UID:filter_netmask(s))
+# Note(s): sha256(password) can be generated on Linux with: echo -n 'password' | sha256sum | cut -d " " -f 1
+# UID >= 1000 have only rights to display results (Note: this moment only functionality implemented at the client side)
+# filter_netmask(s) is/are used to filter results
+USERS
+ admin:9ab3cd9d67bf49d01f6a2e33d0bd9bc804ddbe6ce1ff5d219c42624851db5dbc:0: # changeme!
+# local:9ab3cd9d67bf49d01f6a2e33d0bd9bc804ddbe6ce1ff5d219c42624851db5dbc:1000:192.168.0.0/16 # changeme!
+
+# Mask custom trail names for non-admin users (UID >= 1000)
+ENABLE_MASK_CUSTOM true
+
+# Listen address of (log collecting) UDP server
+UDP_ADDRESS 0.0.0.0
+#UDP_ADDRESS ::
+#UDP_ADDRESS fe80::12c3:7bff:fe6d:cf9b%eno1
+
+# Listen port of (log collecting) UDP server
+UDP_PORT 8337
+
+# Should server do the trail updates too (to support UPDATE_SERVER directive in [Sensor] parameters)
+USE_SERVER_UPDATE_TRAILS false
+
+# Aliases used in client's web browser interface to describe the src_ip and/or dst_ip column entries
+#IP_ALIASES
+# 8.8.8.8:google
+# 8.8.4.4:google
+
+# Option to change the top-left logo with a custom image/text
+#HEADER_LOGO XYZ
+
+# Regular expression to be used in external /fail2ban calls for extraction of attacker source IPs
+FAIL2BAN_REGEX attacker|reputation|potential[^"]*(web scan|directory traversal|injection|remote code|iot-malware download)|spammer|mass scanner
+
+# Blacklist generation rules
+# BLACKLIST
+# src_ip !~ ^192.168. and dst_port ~ ^22$
+# src_ip ~ ^192.168. 
and filter ~ malware
+
+# [Sensor]
+
+# Number of processes
+PROCESS_COUNT 1
+
+# Disable setting of CPU affinity (with schedtool) on Linux machines (e.g. because of load issues with other processes)
+DISABLE_CPU_AFFINITY false
+
+# Use feeds (too) in trail updates
+USE_FEED_UPDATES true
+
+# Disable (retrieval from) specified feeds (Note: respective .py files inside /trails/feeds; turris and ciarmy/cinsscore seem to be too "noisy" lately; policeman is old and produces lots of false positives)
+DISABLED_FEEDS turris, ciarmy, policeman, myip, alienvault
+
+# Ignore IPs that appear on lower than IP_MINIMUM_FEEDS number of feeds (Note: static IP trails are always included)
+IP_MINIMUM_FEEDS 3
+
+# Disable trails based on the following regular expression run against the corresponding info
+#DISABLED_TRAILS_INFO_REGEX known attacker|tor exit node
+
+# Update trails after every given period (seconds)
+UPDATE_PERIOD 86400
+
+# Use remote custom feed (too) in trail updates
+#CUSTOM_TRAILS_URL http://www.test.com/custom.txt
+
+# Location of directory with custom trails (*.txt) files
+CUSTOM_TRAILS_DIR ./misc/custom
+
+# (Max.) size of multiprocessing network capture ring buffer (in bytes or percentage of total physical memory) used by sensor (e.g. 512MB)
+CAPTURE_BUFFER 10%
+
+# Interface used for monitoring (e.g. eth0, eth1)
+MONITOR_INTERFACE any
+
+# Network capture filter (e.g. 
ip)
+# Note(s): more info about filters can be found at: https://danielmiessler.com/study/tcpdump/
+#CAPTURE_FILTER ip or ip6
+CAPTURE_FILTER udp or icmp or (tcp and (tcp[tcpflags] == tcp-syn or port 80 or port 1080 or port 3128 or port 8000 or port 8080 or port 8118))
+
+# Sensor name to appear in produced logs
+SENSOR_NAME $HOSTNAME
+
+# Remote Maltrail server instance to send log entries (Note: listening at :)
+LOG_SERVER 127.0.0.1:8337
+#LOG_SERVER [fe80::12c3:7bff:fe6d:cf9b%eno1]:8337
+
+# Remote address to send Syslog events
+#SYSLOG_SERVER 192.168.2.107:514
+
+# Remote address to send JSON events (e.g. Logstash)
+#LOGSTASH_SERVER 192.168.2.107:5000
+
+# Regular expression used for calculating severity attribute when sending events to SYSLOG_SERVER or LOGSTASH_SERVER
+REMOTE_SEVERITY_REGEX (?P(remote )?custom\)|malwaredomainlist|iot-malware|malware(?! (distribution|site))|adversary|ransomware)|(?Ppotential malware site|malware distribution)|(?Pmass scanner|reputation|attacker|spammer|compromised|crawler|scanning)
+
+# Set only (!) in cases when LOG_SERVER should be exclusively used for log storage
+DISABLE_LOCAL_LOG_STORAGE false
+
+# Remote address for pulling (latest) trail definitions (e.g. http://192.168.2.107:8338/trails). USE_SERVER_UPDATE_TRAILS directive should be active in [Server] parameters.
+#UPDATE_SERVER http://192.168.2.107:8338/trails
+
+# Use heuristic methods
+USE_HEURISTICS true
+
+# Capture HTTP requests with missing Host header (introducing potential false positives)
+CHECK_MISSING_HOST false
+
+# Check values in Host header (along with standard non-HTTP checks) for malicious DNS trails (introducing greater number of events)
+CHECK_HOST_DOMAINS false
+
+# Location of file with whitelisted entries (i.e. IP addresses, domain names, etc.) (note: take a look into 'misc/whitelist.txt')
+#USER_WHITELIST misc/whitelist.txt
+
+# Location of file with ignore event rules. 
Example under misc/ignore_events.txt
+#USER_IGNORELIST misc/ignore_events.txt
+
+# Regular expression to be used against the whole event entry to be ignored
+#IGNORE_EVENTS_REGEX sql injection|long domain|117.21.225.3|sinkhole
+
+# [All]
+
+# Show debug messages (in console output)
+SHOW_DEBUG false
+
+# Directory used for log storage
+LOG_DIR ./log/maltrail
+
+# HTTP(s) proxy address
+#PROXY_ADDRESS http://192.168.5.101:8118
+
+# Disable checking of sudo/Administrator privileges (e.g. if using: setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip' /bin/python)
+DISABLE_CHECK_SUDO true
+
+# Override default location for trail storage (~/.maltrail/trails.csv)
+TRAILS_FILE ./var/maltrail.csv
diff --git a/maltrail/data/log/.gitkeep b/maltrail/data/log/.gitkeep
new file mode 100644
index 0000000..e69de29
diff --git a/maltrail/data/var/.gitkeep b/maltrail/data/var/.gitkeep
new file mode 100644
index 0000000..e69de29
diff --git a/maltrail/docker-compose.yml b/maltrail/docker-compose.yml
new file mode 100644
index 0000000..27cd717
--- /dev/null
+++ b/maltrail/docker-compose.yml
@@ -0,0 +1,25 @@
+version: "3.8"
+
+services:
+
+ maltrail-server:
+ image: vimagick/maltrail
+ command: ./server.py -c etc/maltrail.conf
+ container_name: maltrail-server
+ volumes:
+ - ./data/etc:/opt/maltrail/etc
+ - ./data/log:/opt/maltrail/log
+ - ./data/var:/opt/maltrail/var
+ network_mode: host
+ restart: unless-stopped
+
+ maltrail-sensor:
+ image: vimagick/maltrail
+ command: ./sensor.py -c etc/maltrail.conf
+ container_name: maltrail-sensor
+ volumes:
+ - ./data/etc:/opt/maltrail/etc
+ - ./data/log:/opt/maltrail/log
+ - ./data/var:/opt/maltrail/var
+ network_mode: host
+ restart: unless-stopped
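Review bot: The `USERS` entry `admin:9ab3cd9d…:0: # changeme!` ships the upstream placeholder admin credential unchanged, while `HTTP_ADDRESS 0.0.0.0` with `USE_SSL false` serves the reporting UI in cleartext; because docker-compose.yml in this same commit runs the server with `network_mode: host`, that UI is reachable on every interface of the host with a password anyone can look up. Either the new maltrail/README.md should tell users to replace the hash before `docker compose up`, or the recipe should ship `HTTP_ADDRESS 127.0.0.1` (the README only ever curls `127.0.0.1:8338`) and leave wider exposure to a deliberate reverse proxy with TLS. `UDP_ADDRESS 0.0.0.0` likewise accepts sensor log lines from any host, yet the only sensor here sends to `LOG_SERVER 127.0.0.1:8337`, so `UDP_ADDRESS 127.0.0.1` costs nothing. The `REMOTE_SEVERITY_REGEX` line also reads `(?P(remote )?custom\)` with empty named groups; if the committed file really lacks the `<name>` parts rather than this rendering having stripped them, Python's `re` will reject the pattern, so it is worth diffing against the upstream default.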
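Review bot: Both services use the untagged `image: vimagick/maltrail`, which resolves to `latest` and makes the deployment non-reproducible even though the Dockerfile in this commit pins `MALTRAIL_VERSION=0.67`; publishing and referencing a matching version tag (e.g. `:0.67`, sample value) or a digest would fix that. `network_mode: host` is justified for the sensor, which captures on `MONITOR_INTERFACE any`, but the server only needs to listen on 8337/udp and 8338/tcp, so it does not appear to need the host network namespace and could instead publish those ports explicitly, e.g. `ports: ["127.0.0.1:8338:8338", "127.0.0.1:8337:8337/udp"]`, which also keeps the web UI off external interfaces by default. Finally, the `version: "3.8"` key is obsolete under Compose v2 and only produces a warning, so it can be dropped.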