Maltrail – Malicious traffic detection system

Open source projects keep evolving, and many interesting tools now support cyber security work. Maltrail is an open source project that helps investigate and detect malicious traffic. The tool uses several popular feeds to blacklist or identify threats, including:

alienvault, autoshun, badips, bambenekconsultingc2, bambenekconsultingdga, binarydefense, bitcoinnodes, blocklist, botscout, bruteforceblocker, ciarmy, cruzit, cybercrimetracker, deepviz, dshielddns, dshieldip, emergingthreatsbot, emergingthreatscip, emergingthreatsdns, feodotrackerdns, malwaredomainlist, malwaredomains, malwarepatrol, maxmind, myip, nothink, openbl, openphish, palevotracker, proxylists, proxyrss, proxy, riproxies, rutgers, sblam, snort, socksproxy, sslipbl, sslproxies, torproject, torstatus, voipbl, vxvault, zeustrackerdns, zeustrackerip, zeustrackermonitor, zeustrackerurl, etc.

Alongside these feeds it carries some static entries for malicious entities that were added manually from AV reports. The architecture of this solution is based on a server, a client and a sensor. The sensor should be placed on a SPAN/mirroring port to capture and analyze the traffic; it is also possible to install it as a sentry server, a standalone honeypot that monitors any request.

Maltrail screenshot of captured and analyzed traffic

The tool displays this information with each event to make investigation easier and to avoid false positives. The information includes the threat port/service, severity level, threat name and a brief description provided by the feed/data source owner.
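To illustrate how a feed-driven sensor turns blacklisted "trails" (domains, IPs, networks) and captured traffic into events carrying port/service, severity, threat name and feed reference, here is an added example in Python. It is not Maltrail's own code; the feed entries, traffic records and severity labels are constructed for the example, and the feed layout is only modelled on the idea of a trail-to-description table.

```python
import ipaddress

# Constructed blacklist feed: trail -> (threat name, severity, feed reference).
# All entries use documentation ranges / example names, not real indicators.
FEED_TRAILS = {
    "bad-c2.example": ("malware C2 domain", "high",   "feed-alpha (constructed)"),
    "198.51.100.23":  ("mass scanner",      "medium", "feed-beta (constructed)"),
    "203.0.113.0/24": ("anonymizing proxy", "low",    "feed-gamma (constructed)"),
}

SERVICES = {53: "dns", 80: "http", 443: "https"}  # port -> service label


def load_trails(feed):
    """Split feed entries into domain trails and IP/network trails."""
    domains, nets = {}, {}
    for trail, meta in feed.items():
        try:
            nets[ipaddress.ip_network(trail, strict=False)] = meta  # host -> /32
        except ValueError:
            domains[trail.lower()] = meta
    return domains, nets


def _domain_hit(name, domains):
    """Match the queried name or any parent domain (never the bare TLD)."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate, domains[candidate]
    return None


def _ip_hit(addr, nets):
    ip = ipaddress.ip_address(addr)
    for net, meta in nets.items():
        if ip in net:
            return str(net), meta
    return None


def match_trails(records, feed=FEED_TRAILS):
    """Return one event per record whose DNS query or destination is blacklisted."""
    domains, nets = load_trails(feed)
    events = []
    for rec in records:
        hit = _domain_hit(rec["query"], domains) if rec.get("query") else None
        hit = hit or _ip_hit(rec["dst"], nets)
        if hit is None:
            continue
        trail, (threat, severity, reference) = hit
        events.append({"src": rec["src"], "dst": rec["dst"], "trail": trail,
                       "port_service": f'{rec["dport"]}/{SERVICES.get(rec["dport"], rec["proto"])}',
                       "threat": threat, "severity": severity, "reference": reference})
    return events


# Constructed traffic records, as a sensor on a mirror port might summarise them.
SAMPLE_RECORDS = [
    {"src": "10.0.0.5", "dst": "10.0.0.1", "dport": 53, "proto": "udp", "query": "cdn.bad-c2.example"},
    {"src": "10.0.0.7", "dst": "198.51.100.23", "dport": 443, "proto": "tcp", "query": None},
    {"src": "10.0.0.9", "dst": "203.0.113.77", "dport": 80, "proto": "tcp", "query": None},
    {"src": "10.0.0.9", "dst": "192.0.2.10", "dport": 443, "proto": "tcp", "query": "www.example.com"},
]

if __name__ == "__main__":
    for event in match_trails(SAMPLE_RECORDS):
        print(event)
```

The last record matches nothing and produces no event, which is the benign-traffic case a sensor must stay quiet on.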

Python is a dependency for running Maltrail, and you can download the utility from this link: