Closed Baronferg closed 1 year ago
Hello!
Please do ls /var/log/maltrail/ and place the output here.
maltrail@maltrail:~/maltrail$ ls var/log/maltrail/
ls: cannot access 'var/log/maltrail/': No such file or directory
Thank you
maltrail@maltrail:/home$ cd ..
maltrail@maltrail:/$ pwd
/
maltrail@maltrail:/$ cd var
maltrail@maltrail:/var$ ls
backups cache crash lib local lock log mail opt run snap spool tmp
maltrail@maltrail:/var$ cd log
maltrail@maltrail:/var/log$ ls
alternatives.log bootstrap.log cloud-init-output.log dpkg.log journal lastlog ubuntu-advantage.log wtmp apt btmp dist-upgrade faillog kern.log private ubuntu-advantage-timer.log auth.log cloud-init.log dmesg installer landscape syslog unattended-upgrades
maltrail@maltrail:/var/log$ pwd
/var/log
maltrail@maltrail:/var/log$ ls
alternatives.log bootstrap.log cloud-init-output.log dpkg.log journal lastlog ubuntu-advantage.log wtmp apt btmp dist-upgrade faillog kern.log private ubuntu-advantage-timer.log auth.log cloud-init.log dmesg installer landscape syslog unattended-upgrades
maltrail@maltrail:/var/log$
ls var/log/maltrail/
<-- you have errata here (missed / in front of var/). Should be ls /var/log/maltrail/
thanks. I do not see a maltrail folder under /var/log/
maltrail@maltrail:/var/log$ ls /var/log/
alternatives.log bootstrap.log cloud-init-output.log dpkg.log journal lastlog ubuntu-advantage.log wtmp apt btmp dist-upgrade faillog kern.log private ubuntu-advantage-timer.log auth.log cloud-init.log dmesg installer landscape syslog unattended-upgrades
maltrail@maltrail:/var/log$
maltrail@maltrail:/var/log$ ping -c 3 136.161.101.53
PING 136.161.101.53 (136.161.101.53) 56(84) bytes of data.
64 bytes from 136.161.101.53: icmp_seq=1 ttl=56 time=31.3 ms
64 bytes from 136.161.101.53: icmp_seq=2 ttl=56 time=30.6 ms
64 bytes from 136.161.101.53: icmp_seq=3 ttl=56 time=30.7 ms

--- 136.161.101.53 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 30.631/30.880/31.264/0.275 ms
maltrail@maltrail:/var/log$

maltrail@maltrail:/var/log$ cat /var/log/maltrail/$(date +"%Y-%m-%d").log
cat: /var/log/maltrail/2022-06-14.log: No such file or directory
maltrail@maltrail:/var/log$
Many thanks for your help.
OK, let's do this from the beginning... Does Maltrail get run on your system, by the commands sudo python3 server.py and sudo python3 sensor.py?
I ran the sudo python3 server.py but not the sudo python3 sensor.py. I did not see instructions to run sensor.py. Will do so now. Thanks
/home/maltrail
maltrail@maltrail:~$ sudo python3 sensor.py
python3: can't open file '/home/maltrail/sensor.py': [Errno 2] No such file or directory
maltrail@maltrail:~$
Looks like I messed up the installation. Thanks for your help.
but not the sudo python3 sensor.py
<-- that is the reason. You need to run sudo python3 sensor.py, then run ping -c 3 136.161.101.53, and only after that you'll see logs in the /var/log/maltrail/ folder.
Looks like I messed up the installation.
<-- https://github.com/stamparm/maltrail#quick-start
Ok. Many thanks for the audit. Do you do this professionally?
By taking part in Maltrail's development. :)
Great. I may circle back to you for further professional paid advisory. Thanks and stay tuned.
maltrail@maltrail:~$ ping -c 3 136.161.101.53
PING 136.161.101.53 (136.161.101.53) 56(84) bytes of data.
64 bytes from 136.161.101.53: icmp_seq=1 ttl=56 time=32.2 ms
64 bytes from 136.161.101.53: icmp_seq=2 ttl=56 time=30.7 ms
64 bytes from 136.161.101.53: icmp_seq=3 ttl=56 time=30.7 ms

--- 136.161.101.53 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 30.654/31.192/32.245/0.744 ms
maltrail@maltrail:~$ cat /var/log/maltrail/$(date +"%Y-%m-%d").log
"2022-06-14 16:26:38.412120" maltrail 192.168.131.150 - 136.161.101.53 - ICMP IP 136.161.101.53 "sinkhole conficker (malware)" (static)
"2022-06-14 16:26:39.348152" maltrail 192.168.131.150 - 136.161.101.53 - ICMP IP 136.161.101.53 "sinkhole conficker (malware)" (static)
"2022-06-14 16:26:40.388121" maltrail 192.168.131.150 - 136.161.101.53 - ICMP IP 136.161.101.53 "sinkhole conficker (malware)" (static)
maltrail@maltrail:~$
maltrail@maltrail:~$ nslookup morphed.ru
Server: 127.0.0.53
Address: 127.0.0.53#53

Non-authoritative answer:
Name: morphed.ru
Address: 206.191.152.58

maltrail@maltrail:~$ cat /var/log/maltrail/$(date +"%Y-%m-%d").log
"2022-06-14 16:26:38.412120" maltrail 192.168.131.150 - 136.161.101.53 - ICMP IP 136.161.101.53 "sinkhole conficker (malware)" (static)
"2022-06-14 16:26:39.348152" maltrail 192.168.131.150 - 136.161.101.53 - ICMP IP 136.161.101.53 "sinkhole conficker (malware)" (static)
"2022-06-14 16:26:40.388121" maltrail 192.168.131.150 - 136.161.101.53 - ICMP IP 136.161.101.53 "sinkhole conficker (malware)" (static)
"2022-06-14 16:30:21.612204" maltrail 192.168.131.150 60981 192.168.131.7 53 UDP DNS morphed.ru "andromeda (malware)" (static)
"2022-06-14 16:30:21.612158" maltrail 127.0.0.1 35821 127.0.0.53 53 UDP DNS morphed.ru "andromeda (malware)" (static)
maltrail@maltrail:~$
Hello! It appears that I made some progress. Many thanks for your directional oversight.
Hello! Great. Hope you will get good experience using Maltrail. Thank you!
Good morning, Greetings and best wishes. I am still reading up on MalTrail, but have not yet found an answer to my thought. If I run nslookup morphed.ru from a terminal window on the maltrail host, the web gui displays Threats, Events, etc, etc. If, however, I run nslookup from my Windows 10 workstation, nothing is reported on the web gui. Please advise. How else can I verify that MalTrail is tracking the network's activities, as nothing else is displaying on the web gui? Thanks
Greetings!
I suspect that the Maltrail host is not a gateway for your Windows 10 workstation. Hence, traffic from/to W10 bypasses the Maltrail host, where the sensor is installed, and no info can be forwarded to the Maltrail server.
Ways to solve:
1) Forward traffic from/to the W10 workstation machine through the Maltrail host.
OR
2) Also install the Maltrail sensor on the W10 workstation machine and configure it so that this sensor sends its logs to the Maltrail server. See the wiki page: https://github.com/stamparm/maltrail/wiki/Miscellaneous#2-setting-up-centralized-maltrail-server-log-collector-for-multi-sensor-maltrail-installation
But, honestly, installing Maltrail on Windows machine(s) is not the best idea (a lot of hassle installing the auxiliary software).
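The event lines pasted earlier in the thread and the question of whether another workstation's traffic is reaching the sensor can both be checked from the daily log itself. The following is an added example, not code from Maltrail or from anyone in this issue: it parses the log lines exactly as they appear above (the field layout is inferred from those lines, an assumption rather than Maltrail's documented format), counts how often each trail fired, and lists source addresses other than the sensor host's own. The sample input is constructed from the four lines posted above.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: the event lines pasted in the thread above,
# copied verbatim so the parser can be exercised offline.
SAMPLE_LOG = (
    '"2022-06-14 16:26:38.412120" maltrail 192.168.131.150 - 136.161.101.53 - ICMP IP 136.161.101.53 "sinkhole conficker (malware)" (static)\n'
    '"2022-06-14 16:26:39.348152" maltrail 192.168.131.150 - 136.161.101.53 - ICMP IP 136.161.101.53 "sinkhole conficker (malware)" (static)\n'
    '"2022-06-14 16:30:21.612204" maltrail 192.168.131.150 60981 192.168.131.7 53 UDP DNS morphed.ru "andromeda (malware)" (static)\n'
    '"2022-06-14 16:30:21.612158" maltrail 127.0.0.1 35821 127.0.0.53 53 UDP DNS morphed.ru "andromeda (malware)" (static)\n'
)

# Field layout inferred from the lines above (an assumption, not taken from
# Maltrail's documentation): quoted timestamp, sensor name, src ip, src port,
# dst ip, dst port, protocol, trail type, trail, quoted info, (reference).
LINE_RE = re.compile(
    r'^"(?P<ts>[^"]+)"\s+(?P<sensor>\S+)\s+(?P<src_ip>\S+)\s+(?P<src_port>\S+)\s+'
    r'(?P<dst_ip>\S+)\s+(?P<dst_port>\S+)\s+(?P<proto>\S+)\s+(?P<type>\S+)\s+'
    r'(?P<trail>\S+)\s+"(?P<info>[^"]*)"\s+\((?P<reference>[^)]*)\)\s*$'
)


@dataclass(frozen=True)
class Event:
    ts: str
    sensor: str
    src_ip: str
    src_port: Optional[int]   # None for port-less protocols (logged as "-")
    dst_ip: str
    dst_port: Optional[int]
    proto: str
    type: str                 # e.g. IP or DNS in the lines above
    trail: str                # the matched indicator (address or domain)
    info: str                 # human-readable classification
    reference: str            # feed name, or "static" for the built-in list


def _port(raw: str) -> Optional[int]:
    return None if raw == "-" else int(raw)


def parse_line(line: str) -> Optional[Event]:
    """Parse one event line; return None for lines that do not match the layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    g = m.groupdict()
    return Event(
        ts=g["ts"], sensor=g["sensor"],
        src_ip=g["src_ip"], src_port=_port(g["src_port"]),
        dst_ip=g["dst_ip"], dst_port=_port(g["dst_port"]),
        proto=g["proto"], type=g["type"], trail=g["trail"],
        info=g["info"], reference=g["reference"],
    )


def parse_log(text: str) -> list:
    """Parse a whole daily log, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is not None:
            events.append(ev)
    return events


def count_by_trail(events) -> Counter:
    """How many times each indicator fired; a quick triage summary."""
    return Counter(ev.trail for ev in events)


def sources_outside(events, host_addresses) -> set:
    """Source addresses in the log that are not the sensor host itself.

    If this stays empty after generating test traffic from another machine,
    that machine's packets are not passing the interface the sensor listens on
    (the situation the reply above describes)."""
    return {ev.src_ip for ev in events if ev.src_ip not in host_addresses}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for trail, n in count_by_trail(evs).items():
        print(f"{trail}: {n} event(s)")
    # The sensor host's own addresses: the 192.168.131.150 seen in the log plus loopback.
    print("other sources:", sources_outside(evs, {"192.168.131.150", "127.0.0.1"}))
```

The fourth sample line (127.0.0.1 to 127.0.0.53) is the same lookup as seen between nslookup and the local resolver stub that the nslookup output above reports as its server, which is why one query appears twice; treating loopback as a host address keeps it from being mistaken for a remote workstation. Replace SAMPLE_LOG with the contents of /var/log/maltrail/$(date +"%Y-%m-%d").log to run it against a live sensor.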
Thank you. I understand. I have Fortinet firewall as the Gateway and cannot change that. Installing the sensor on the Workstation seems to be the best option at this time. Any further advice is much appreciated. Thanks again.
Is there a Sensor client for windows? Thanks
As pre-packaged exe/nsis/msi installers -- no.
G'Day, Greetings and best wishes. cat: /var/log/maltrail/22-06-14.log; No such file or directory.
Please guide me to resolve. Thanks