# maltrail.conf - runtime configuration for the Maltrail server and sensor
# (this copy is from a fork of stamparm/maltrail). Format: one "KEY value"
# per line, separated by whitespace; lines beginning with '#' are comments,
# and a '#KEY value' line is a setting left disabled. The bracketed
# '# [Server]', '# [Sensor]' and '# [All]' lines are comment headings only,
# not real sections. NOTE(review): the file appears to be read by Maltrail's
# own parser rather than a generic INI library - do not assume INI quoting,
# escaping or inline-comment rules apply.
# [Server]
# Listen address of (reporting) HTTP server
# 0.0.0.0 binds every interface; together with USE_SSL false below, logins
# to the reporting UI travel in clear text. Bind to a management/loopback
# address or enable TLS before this host is reachable by others.
HTTP_ADDRESS 0.0.0.0
# Listen port of (reporting) HTTP server
HTTP_PORT 8338
# Use SSL/TLS
# false = plain HTTP. Set to true and uncomment SSL_PEM to serve HTTPS.
USE_SSL false
# SSL/TLS (private/cert) PEM file (e.g. openssl req -new -x509 -keyout server.pem -out server.pem -days 1023 -nodes)
# The example command produces a self-signed certificate, so clients must be
# told to trust it explicitly. The PEM holds the private key: keep it readable
# only by the account running the server.
#SSL_PEM server.pem
# User entries (username:pbkdf2_hash(password):UID:filter_netmask(s))
# Note(s): use 'core/pbkdf2.py' to calculate 'pbkdf2_hash'
# UID >= 1000 have only rights to display results
# filter_netmask(s) is/are used to filter results
# The entry below carries the 'changeme!' marker and is presumably the
# upstream default: UID 0 is not covered by the display-only restriction, and
# 0.0.0.0/0 matches every address, so it sees all results. Generate a fresh
# hash with core/pbkdf2.py and replace the line before deployment - a default
# hash shipped in a public repository is a well-known credential.
USERS
admin:$ff0ae5570e1f39a8$10000$d42e622afe0b0ede53b64b97a59d65c221edbf9dde2f0e95:0:0.0.0.0/0 # changeme!
# Listen address of (log collecting) UDP server
# Both UDP_* settings are disabled here, so this server does not collect
# remote sensor logs. Enable them (and prefer a specific address over
# 0.0.0.0) only when sensors will point LOG_SERVER at this host.
#UDP_ADDRESS 0.0.0.0
# Listen port of (log collecting) UDP server
#UDP_PORT 8337
# Directory used for log storage
# NOTE(review): $SYSTEM_LOG_DIR looks like a placeholder Maltrail expands at
# startup (cf. $HOSTNAME below) - confirm. Logs contain captured traffic
# metadata, so keep the directory's permissions tight.
LOG_DIR $SYSTEM_LOG_DIR/maltrail
# Should server do the trail updates too (to support UPDATE_SERVER)
USE_SERVER_UPDATE_TRAILS false
# [Sensor]
# Use multiprocessing (if available)
USE_MULTIPROCESSING true
# Use feeds (too) in trail updates
# true presumably adds outbound fetches of third-party feeds to each update;
# account for that egress in the sensor's firewall rules.
USE_FEED_UPDATES true
# Update trails after every given period (seconds)
# 86400 = once a day
UPDATE_PERIOD 86400
# Location of directory with custom trails (*.txt) files
# Relative path; presumably resolved against the Maltrail install/working
# directory - confirm before relying on it from a service unit.
CUSTOM_TRAILS_DIR ./trails/custom
# (Max.) size of multiprocessing network capture ring buffer (in bytes or percentage of total physical memory) used by sensor (e.g. 536870912)
CAPTURE_BUFFER 20%
# Interface used for monitoring
# The disabled line looks like a Windows Npcap/WinPcap device name; 'any' is
# the Linux libpcap pseudo-interface that captures on all interfaces.
#MONITOR_INTERFACE \\Device\\NPF_{70D09A93-BDAB-4F2E-B4BE-5DCAE73AAF64}
MONITOR_INTERFACE any
# Network capture filter (e.g. ip)
# Note(s): more info about filters can be found at: https://danielmiessler.com/study/tcpdump/
# BPF/tcpdump syntax. tcp[13] is the TCP flags byte: '== 2' keeps pure SYN
# segments, '& 8 != 0' keeps segments with PSH set (i.e. carrying payload),
# and all non-TCP traffic passes unfiltered. Narrowing this filter lowers
# sensor load but can hide trails; widening it raises capture volume.
CAPTURE_FILTER (tcp[13] == 2) or (tcp[13] & 8 != 0) or not tcp
# Sensor name to appear in produced logs
# NOTE(review): $HOSTNAME is presumably expanded by Maltrail at startup - confirm.
SENSOR_NAME $HOSTNAME
# Remote address to send log entries (local storage otherwise)
# host:port of a server's UDP log collector (see UDP_ADDRESS/UDP_PORT).
# Disabled here, so entries stay in LOG_DIR.
#LOG_SERVER 192.168.2.107:8337
# Remote address for pulling (latest) trail definitions (e.g. http://192.168.2.107:8338/trails)
# Trails fetched over plain http:// can be altered in transit; when the
# serving Maltrail server runs with USE_SSL true, prefer an https:// URL.
#UPDATE_SERVER http://192.168.2.107:8338/trails
# Use heuristic methods too
USE_HEURISTICS true
# Capture HTTP requests having too short or missing User-Agent header (not recommended)
CHECK_SHORT_OR_MISSING_USER_AGENT false
# Capture HTTP requests with missing Host header (introducing potential false positives)
CHECK_MISSING_HOST false
# Comma delimited (custom user) whitelist (i.e. IP addresses, domain names, etc.)
# Whitelisted entries are presumably excluded from reporting, so keep this
# list short and reviewed: a broad entry here silences detections.
USER_WHITELIST 127.0.0.1,127.0.0.2
# [All]
# Show debug messages (in console output)
SHOW_DEBUG false