mirror of
https://github.com/vimagick/dockerfiles.git
synced 2024-12-21 01:27:01 +02:00
add maltrail
This commit is contained in:
parent
cb5cb05e15
commit
456e19feef
@ -236,6 +236,7 @@ A collection of delicious docker recipes.
|
||||
- [x] hydra
|
||||
- [x] iptables
|
||||
- [x] kismet
|
||||
- [x] maltrail
|
||||
- [x] routersploit
|
||||
- [x] snort :beetle:
|
||||
- [x] snort3 :beetle:
|
||||
|
@ -2,11 +2,11 @@
|
||||
# Dockerfile for editly
|
||||
#
|
||||
|
||||
FROM node:lts-bullseye
|
||||
FROM node:lts-bookworm
|
||||
MAINTAINER EasyPi Software Foundation
|
||||
|
||||
ARG EDITLY_VERSION=0.14.2
|
||||
ARG FFMPEG_VERSION=6.0
|
||||
ARG FFMPEG_VERSION=6.1
|
||||
|
||||
RUN set -xe \
|
||||
&& apt update \
|
||||
|
41
maltrail/Dockerfile
Normal file
41
maltrail/Dockerfile
Normal file
@ -0,0 +1,41 @@
|
||||
#
|
||||
# Dockerfile for maltrail
|
||||
#
|
||||
|
||||
FROM debian:12
|
||||
MAINTAINER EasyPi Software Foundation
|
||||
|
||||
ARG MALTRAIL_VERSION=0.67
|
||||
ARG MALTRAIL_URL=https://github.com/stamparm/maltrail/archive/refs/tags/${MALTRAIL_VERSION}.tar.gz
|
||||
|
||||
WORKDIR /opt/maltrail
|
||||
|
||||
RUN set -xe \
|
||||
&& apt update -y \
|
||||
&& apt install -y curl \
|
||||
build-essential \
|
||||
libpcap0.8 \
|
||||
libpcap-dev \
|
||||
procps \
|
||||
python3 \
|
||||
python3-dev \
|
||||
python3-pip \
|
||||
python-is-python3 \
|
||||
schedtool \
|
||||
&& pip install --break-system-packages pcapy-ng \
|
||||
&& curl -sSL ${MALTRAIL_URL} | tar xz --strip 1 \
|
||||
&& mkdir -p etc log var misc/custom \
|
||||
&& mv maltrail.conf etc \
|
||||
&& mv trails/custom/dprk.txt misc/custom \
|
||||
&& chmod +x server.py sensor.py \
|
||||
&& ./server.py --version \
|
||||
&& ./sensor.py --version \
|
||||
&& apt remote -y curl \
|
||||
build-essential \
|
||||
libpcap-dev \
|
||||
python3-dev \
|
||||
&& rm -rf /var/lib/apt/lists/*
|
||||
|
||||
EXPOSE 8337/udp 8338/tcp
|
||||
|
||||
CMD ["./server.py", "-c", "etc/maltrail.conf"]
|
17
maltrail/README.md
Normal file
17
maltrail/README.md
Normal file
@ -0,0 +1,17 @@
|
||||
maltrail
|
||||
========
|
||||
|
||||
[Maltrail][1] is a malicious traffic detection system.
|
||||
|
||||
|
||||
```bash
|
||||
$ docker compose up -d
|
||||
$ curl http://127.0.0.1:8338
|
||||
|
||||
$ ping -c 1 136.161.101.53
|
||||
$ nslookup morphed.ru
|
||||
|
||||
$ tail -f ./data/log/$(date +"%Y-%m-%d").log
|
||||
```
|
||||
|
||||
[1]: https://github.com/stamparm/maltrail
|
150
maltrail/data/etc/maltrail.conf
Normal file
150
maltrail/data/etc/maltrail.conf
Normal file
@ -0,0 +1,150 @@
|
||||
# [Server]
|
||||
|
||||
# Listen address of (reporting) HTTP server
|
||||
HTTP_ADDRESS 0.0.0.0
|
||||
#HTTP_ADDRESS ::
|
||||
#HTTP_ADDRESS fe80::12c3:7bff:fe6d:cf9b%eno1
|
||||
|
||||
# Listen port of (reporting) HTTP server
|
||||
HTTP_PORT 8338
|
||||
|
||||
# Use SSL/TLS
|
||||
USE_SSL false
|
||||
|
||||
# SSL/TLS (private/cert) PEM file (e.g. openssl req -new -x509 -keyout server.pem -out server.pem -days 1023 -nodes)
|
||||
#SSL_PEM misc/server.pem
|
||||
|
||||
# User entries (username:sha256(password):UID:filter_netmask(s))
|
||||
# Note(s): sha256(password) can be generated on Linux with: echo -n 'password' | sha256sum | cut -d " " -f 1
|
||||
# UID >= 1000 have only rights to display results (Note: this moment only functionality implemented at the client side)
|
||||
# filter_netmask(s) is/are used to filter results
|
||||
USERS
|
||||
admin:9ab3cd9d67bf49d01f6a2e33d0bd9bc804ddbe6ce1ff5d219c42624851db5dbc:0: # changeme!
|
||||
# local:9ab3cd9d67bf49d01f6a2e33d0bd9bc804ddbe6ce1ff5d219c42624851db5dbc:1000:192.168.0.0/16 # changeme!
|
||||
|
||||
# Mask custom trail names for non-admin users (UID >= 1000)
|
||||
ENABLE_MASK_CUSTOM true
|
||||
|
||||
# Listen address of (log collecting) UDP server
|
||||
UDP_ADDRESS 0.0.0.0
|
||||
#UDP_ADDRESS ::
|
||||
#UDP_ADDRESS fe80::12c3:7bff:fe6d:cf9b%eno1
|
||||
|
||||
# Listen port of (log collecting) UDP server
|
||||
UDP_PORT 8337
|
||||
|
||||
# Should server do the trail updates too (to support UPDATE_SERVER directive in [Sensor] parameters)
|
||||
USE_SERVER_UPDATE_TRAILS false
|
||||
|
||||
# Aliases used in client's web browser interface to describe the src_ip and/or dst_ip column entries
|
||||
#IP_ALIASES
|
||||
# 8.8.8.8:google
|
||||
# 8.8.4.4:google
|
||||
|
||||
# Option to change the top-left logo with a custom image/text
|
||||
#HEADER_LOGO <img src="https://i.imgur.com/JxYJ5yX.png" style="width: 26px"> XYZ
|
||||
|
||||
# Regular expression to be used in external /fail2ban calls for extraction of attacker source IPs
|
||||
FAIL2BAN_REGEX attacker|reputation|potential[^"]*(web scan|directory traversal|injection|remote code|iot-malware download)|spammer|mass scanner
|
||||
|
||||
# Blacklist generation rules
|
||||
# BLACKLIST
|
||||
# src_ip !~ ^192.168. and dst_port ~ ^22$
|
||||
# src_ip ~ ^192.168. and filter ~ malware
|
||||
|
||||
# [Sensor]
|
||||
|
||||
# Number of processes
|
||||
PROCESS_COUNT 1
|
||||
|
||||
# Disable setting of CPU affinity (with schedtool) on Linux machines (e.g. because of load issues with other processes)
|
||||
DISABLE_CPU_AFFINITY false
|
||||
|
||||
# Use feeds (too) in trail updates
|
||||
USE_FEED_UPDATES true
|
||||
|
||||
# Disable (retrieval from) specified feeds (Note: respective .py files inside /trails/feeds; turris and ciarmy/cinsscore seem to be too "noisy" lately; policeman is old and produces lots of false positives)
|
||||
DISABLED_FEEDS turris, ciarmy, policeman, myip, alienvault
|
||||
|
||||
# Ignore IPs that appear on lower than IP_MINIMUM_FEEDS number of feeds (Note: static IP trails are always included)
|
||||
IP_MINIMUM_FEEDS 3
|
||||
|
||||
# Disable trails based on the following regular expression run against the corresponding info
|
||||
#DISABLED_TRAILS_INFO_REGEX known attacker|tor exit node
|
||||
|
||||
# Update trails after every given period (seconds)
|
||||
UPDATE_PERIOD 86400
|
||||
|
||||
# Use remote custom feed (too) in trail updates
|
||||
#CUSTOM_TRAILS_URL http://www.test.com/custom.txt
|
||||
|
||||
# Location of directory with custom trails (*.txt) files
|
||||
CUSTOM_TRAILS_DIR ./misc/custom
|
||||
|
||||
# (Max.) size of multiprocessing network capture ring buffer (in bytes or percentage of total physical memory) used by sensor (e.g. 512MB)
|
||||
CAPTURE_BUFFER 10%
|
||||
|
||||
# Interface used for monitoring (e.g. eth0, eth1)
|
||||
MONITOR_INTERFACE any
|
||||
|
||||
# Network capture filter (e.g. ip)
|
||||
# Note(s): more info about filters can be found at: https://danielmiessler.com/study/tcpdump/
|
||||
#CAPTURE_FILTER ip or ip6
|
||||
CAPTURE_FILTER udp or icmp or (tcp and (tcp[tcpflags] == tcp-syn or port 80 or port 1080 or port 3128 or port 8000 or port 8080 or port 8118))
|
||||
|
||||
# Sensor name to appear in produced logs
|
||||
SENSOR_NAME $HOSTNAME
|
||||
|
||||
# Remote Maltrail server instance to send log entries (Note: listening at <UDP_ADDRESS>:<UDP_PORT>)
|
||||
LOG_SERVER 127.0.0.1:8337
|
||||
#LOG_SERVER [fe80::12c3:7bff:fe6d:cf9b%eno1]:8337
|
||||
|
||||
# Remote address to send Syslog events
|
||||
#SYSLOG_SERVER 192.168.2.107:514
|
||||
|
||||
# Remote address to send JSON events (e.g. Logstash)
|
||||
#LOGSTASH_SERVER 192.168.2.107:5000
|
||||
|
||||
# Regular expression used for calculating severity attribute when sending events to SYSLOG_SERVER or LOGSTASH_SERVER
|
||||
REMOTE_SEVERITY_REGEX (?P<high>(remote )?custom\)|malwaredomainlist|iot-malware|malware(?! (distribution|site))|adversary|ransomware)|(?P<medium>potential malware site|malware distribution)|(?P<low>mass scanner|reputation|attacker|spammer|compromised|crawler|scanning)
|
||||
|
||||
# Set only (!) in cases when LOG_SERVER should be exclusively used for log storage
|
||||
DISABLE_LOCAL_LOG_STORAGE false
|
||||
|
||||
# Remote address for pulling (latest) trail definitions (e.g. http://192.168.2.107:8338/trails). USE_SERVER_UPDATE_TRAILS directive should be active in [Server] parameters.
|
||||
#UPDATE_SERVER http://192.168.2.107:8338/trails
|
||||
|
||||
# Use heuristic methods
|
||||
USE_HEURISTICS true
|
||||
|
||||
# Capture HTTP requests with missing Host header (introducing potential false positives)
|
||||
CHECK_MISSING_HOST false
|
||||
|
||||
# Check values in Host header (along with standard non-HTTP checks) for malicious DNS trails (introducing greater number of events)
|
||||
CHECK_HOST_DOMAINS false
|
||||
|
||||
# Location of file with whitelisted entries (i.e. IP addresses, domain names, etc.) (note: take a look into 'misc/whitelist.txt')
|
||||
#USER_WHITELIST misc/whitelist.txt
|
||||
|
||||
# Location of file with ignore event rules. Example under misc/ignore_events.txt
|
||||
#USER_IGNORELIST misc/ignore_events.txt
|
||||
|
||||
# Regular expression to be used against the whole event entry to be ignored
|
||||
#IGNORE_EVENTS_REGEX sql injection|long domain|117.21.225.3|sinkhole
|
||||
|
||||
# [All]
|
||||
|
||||
# Show debug messages (in console output)
|
||||
SHOW_DEBUG false
|
||||
|
||||
# Directory used for log storage
|
||||
LOG_DIR ./log/maltrail
|
||||
|
||||
# HTTP(s) proxy address
|
||||
#PROXY_ADDRESS http://192.168.5.101:8118
|
||||
|
||||
# Disable checking of sudo/Administrator privileges (e.g. if using: setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip' /bin/python)
|
||||
DISABLE_CHECK_SUDO true
|
||||
|
||||
# Override default location for trail storage (~/.maltrail/trails.csv)
|
||||
TRAILS_FILE ./var/maltrail.csv
|
0
maltrail/data/log/.gitkeep
Normal file
0
maltrail/data/log/.gitkeep
Normal file
0
maltrail/data/var/.gitkeep
Normal file
0
maltrail/data/var/.gitkeep
Normal file
25
maltrail/docker-compose.yml
Normal file
25
maltrail/docker-compose.yml
Normal file
@ -0,0 +1,25 @@
|
||||
version: "3.8"
|
||||
|
||||
services:
|
||||
|
||||
maltrail-server:
|
||||
image: vimagick/maltrail
|
||||
command: ./server.py -c etc/maltrail.conf
|
||||
container_name: maltrail-server
|
||||
volumes:
|
||||
- ./data/etc:/opt/maltrail/etc
|
||||
- ./data/log:/opt/maltrail/log
|
||||
- ./data/var:/opt/maltrail/var
|
||||
network_mode: host
|
||||
restart: unless-stopped
|
||||
|
||||
maltrail-sensor:
|
||||
image: vimagick/maltrail
|
||||
command: ./sensor.py -c etc/maltrail.conf
|
||||
container_name: maltrail-sensor
|
||||
volumes:
|
||||
- ./data/etc:/opt/maltrail/etc
|
||||
- ./data/log:/opt/maltrail/log
|
||||
- ./data/var:/opt/maltrail/var
|
||||
network_mode: host
|
||||
restart: unless-stopped
|
Loading…
Reference in New Issue
Block a user