CLI management for Maltrail
Usually, the command line interface (CLI) is what starts Maltrail's modules (sensor and server): `python sensor.py` and `python server.py` respectively.
But sometimes a user or admin may ask: can Maltrail be started with parameters that change its default behaviour?
The answer is yes. Both of Maltrail's basic modules support CLI management.
The server part of Maltrail is just a receiver/collector of events from the sensor(s) and a tool for displaying the collected events, so basically there are not many parameters to have. The main one is `-c`, which defines the path to the `maltrail.conf` configuration file if it is not in its default place (the Maltrail directory).
```
Maltrail (server) #v0.44 {https://maltrail.github.io}
Usage: server.py [options]
Options:
  --version       show program's version number and exit
  -h, --help      show this help message and exit
  -c config_file  configuration file (default: 'maltrail.conf')
```
The Maltrail sensor is another matter. This module parses network traffic for matches of detection patterns for malicious entries (trails), which means the sensor needs a wider range of parameters to run with.
```
Maltrail (sensor) #v0.44 {https://maltrail.github.io}
Usage: sensor.py [options]
Options:
  --version       show program's version number and exit
  -h, --help      show this help message and exit
  -c config_file  configuration file (default: 'maltrail.conf')
  -r pcap_file    pcap file for offline analysis
  -p plugins      plugin(s) to be used per event
  -q, --quiet     turn off regular output
  --console       print events to console
  --offline       disable (online) trail updates
```
The most interesting parameters are:
- `--offline`: in this mode the sensor works with its static trails only, without fetching online updates for its feeds of public lists. Detection is then limited to what the locally stored trails cover, but the sensor makes no outbound requests and repeated runs give repeatable results.
- `--console`: in this mode the sensor prints its output to the console instead of the web GUI. Useful on servers where window managers (KDE, GNOME, XFCE etc.) are not in use or absent altogether.
- `-q, --quiet`: in this mode the sensor suppresses regular output (e.g. the progress of fetching online updates/feeds).
- `-r`: performs offline analysis of external `.pcap` files for matches of detection patterns for malicious entries (trails). An example of such an analysis can be found here.
- `-p`: uses external plugins in the sensor's work. Plugins are available in /maltrail/tree/master/plugins. Example of applying Maltrail's `strings` plugin in real time: https://twitter.com/seguridadyredes/status/1100124158384586753
- `-c`: defines the path to the `maltrail.conf` configuration file if it is not in its default place (the Maltrail directory).
Note: the parameters `-c`, `-p`, `-q`/`--quiet`, `-r`, `--console` and `--offline` can be used simultaneously.
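An added example (not part of the Maltrail project) of combining these flags: a POSIX shell script that runs a batch of pcap files through the sensor in offline, console, quiet mode and stores each file's events separately. `MALTRAIL_DIR`, the `.events` output naming and the `MALTRAIL_DRY_RUN` switch are this script's own assumptions; the plugin name is passed through to `-p` unchanged.

```shell
#!/bin/sh
# Batch offline pcap analysis with the Maltrail sensor.
# Added example, not part of the Maltrail project. Assumes MALTRAIL_DIR is a
# Maltrail checkout containing sensor.py and maltrail.conf (hypothetical layout).
set -u

MALTRAIL_DIR="${MALTRAIL_DIR:-$HOME/maltrail}"
PYTHON="${PYTHON:-python3}"
MALTRAIL_DRY_RUN="${MALTRAIL_DRY_RUN:-0}"   # 1: print the command line instead of running it

# run_sensor PCAP OUTFILE [PLUGIN]
# Runs one pcap through the sensor with the flags combined as described above:
#   -c        explicit config path instead of the default lookup
#   --offline no feed fetch: no outbound traffic, repeatable results
#   --console events go to stdout (here redirected into OUTFILE)
#   -q        progress chatter suppressed, event lines kept
#   -r        the pcap to analyse
# Returns 1 without running anything if the pcap or the config is unreadable.
run_sensor() {
    pcap=$1; outfile=$2; plugin=${3:-}
    config="$MALTRAIL_DIR/maltrail.conf"
    [ -r "$pcap" ]   || { echo "run_sensor: cannot read pcap '$pcap'" >&2; return 1; }
    [ -r "$config" ] || { echo "run_sensor: cannot read config '$config'" >&2; return 1; }
    set -- "$PYTHON" "$MALTRAIL_DIR/sensor.py" -c "$config" --offline --console -q -r "$pcap"
    if [ -n "$plugin" ]; then
        set -- "$@" -p "$plugin"
    fi
    if [ "$MALTRAIL_DRY_RUN" = 1 ]; then
        printf '%s\n' "$@"          # one argument per line, for inspection
    else
        "$@" > "$outfile"
    fi
}

# analyze_pcaps OUTDIR PCAP...
# Processes each pcap independently so one unreadable file does not stop the
# batch; the return value is the number of pcaps that failed.
analyze_pcaps() {
    outdir=$1; shift
    mkdir -p "$outdir"
    failed=0
    for pcap in "$@"; do
        name=$(basename "$pcap" .pcap)
        if run_sensor "$pcap" "$outdir/$name.events"; then
            echo "ok   $pcap -> $outdir/$name.events"
        else
            echo "FAIL $pcap" >&2
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# Usage: ./analyze_pcaps.sh OUTDIR capture1.pcap capture2.pcap ...
if [ $# -gt 0 ]; then
    analyze_pcaps "$@"
fi
```

Run it as `MALTRAIL_DIR=/opt/maltrail ./analyze_pcaps.sh events/ captures/*.pcap`; set `MALTRAIL_DRY_RUN=1` first to see the exact `sensor.py` command line that would be executed for each file.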