stamparm / maltrail

Malicious traffic detection system
MIT License

[Questions and Support] Registering new attacks (ssh, ftp) #19205

Open Chelito4 opened 1 year ago

Chelito4 commented 1 year ago

Hello, I would like to add some rules that allow registering attacks on the SSH port, FTP, etc. Can this be done?

MikhailKasimov commented 1 year ago

Hello!

Before adding rules, please be aware of some useful articles on Maltrail's base structure, contribution practice, etc.:

1. Maltrail trails structure - Information about Maltrail trails structure
2. Maltrail trails base format - Information about Maltrail trails base format
3. Maltrail trails contribution - Information about Maltrail trails contribution

Thank you!

Chelito4 commented 1 year ago

Maybe I didn't specify well. I want to know if in Maltrail it is possible to add a custom trail that registers the access connections within my network for SSH or FTP by means of an alert?

MikhailKasimov commented 1 year ago

Custom trails are possible, of course. They should be placed in the \trails\custom\ folder. But anyway, for custom trails you need to handle the trails structure and format (see articles 1 and 2).

Chelito4 commented 1 year ago

Could you share some examples of custom trails?

MikhailKasimov commented 1 year ago

You can find them in the /trails/custom folder in Maltrail's catalog.

image

Chelito4 commented 1 year ago

What format should custom trails use, .txt or .py?

MikhailKasimov commented 1 year ago

.txt

stamparm commented 1 year ago

You can find an example in that same directory:

image

Chelito4 commented 1 year ago

My question is if it works like the attached Suricata rules example:

alert icmp any any -> any any (msg:"ICMP packet request alert"; sid:69696969;)

alert tcp any any -> any 80 (msg:"The server connects to the Internet"; sid:79797979;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 1212 (msg:"SSH connection detected"; sid:89898989;)

since I have tried in many ways to add a custom rule to detect everything related to port 22 (SSH) and it does not work for me.

MikhailKasimov commented 1 year ago

My question is if it works like the attached Suricata rules example:

alert icmp any any -> any any (msg:"ICMP packet request alert"; sid:69696969;)

alert tcp any any -> any 80 (msg:"The server connects to the Internet"; sid:79797979;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 1212 (msg:"SSH connection detected"; sid:89898989;)

since I have tried in many ways to add a custom rule to detect everything related to port 22 (SSH) and it does not work for me.

Your rules catch all respective connections regardless of whether they are malicious or not. Maltrail detects connections from malicious sources only. Information about such sources comes from the respective feeds (known attacker detection).

So, if you want to keep your own custom trail, be ready to fill it in manually every time you meet an undetected malicious source. Malicious, not all.
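To make the distinction above concrete, here is a small added illustration (not Maltrail's or Suricata's own code; the flows, the indicator and the "indicator,description" trail line format are assumptions constructed for the example): a port-based rule fires on every SSH flow, internal admins included, while a source-based trail fires only on connections from the listed source, whatever port it connects to.

```python
# Added illustration, not Maltrail's or Suricata's code: contrasts a
# port-based rule (fires on every connection to the port) with a
# source-reputation trail (fires only on connections from listed sources).
from collections import namedtuple

Flow = namedtuple("Flow", "src dst dport proto")

# Constructed sample flows (documentation-range addresses, not real traffic).
FLOWS = [
    Flow("10.0.0.5", "10.0.0.20", 22, "tcp"),      # internal admin -> SSH
    Flow("203.0.113.7", "10.0.0.20", 22, "tcp"),   # listed source -> SSH
    Flow("198.51.100.9", "10.0.0.20", 22, "tcp"),  # unlisted external -> SSH
    Flow("203.0.113.7", "10.0.0.21", 80, "tcp"),   # listed source -> HTTP
]

# Constructed custom trail text: one indicator per line, '#' lines are
# comments, optional description after a comma. This line format is an
# assumption for the example, not a statement of Maltrail's exact format.
CUSTOM_TRAIL_TXT = """
# example custom trail (constructed)
203.0.113.7,brute-force source seen in auth logs
"""


def load_trail(text):
    """Parse 'indicator[,description]' lines, skipping blanks and comments."""
    trail = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        indicator, _, info = line.partition(",")
        trail[indicator.strip()] = info.strip() or "custom"
    return trail


def port_rule_alerts(flows, dport=22):
    """Suricata-style 'alert tcp any any -> any 22': every SSH flow alerts."""
    return [f for f in flows if f.proto == "tcp" and f.dport == dport]


def trail_alerts(flows, trail):
    """Trail-style matching: alert only when the source is a listed indicator."""
    return [(f, trail[f.src]) for f in flows if f.src in trail]


if __name__ == "__main__":
    trail = load_trail(CUSTOM_TRAIL_TXT)
    print("port rule alerts:", len(port_rule_alerts(FLOWS)))      # all 3 SSH flows
    print("trail alerts:", [(f.src, f.dport) for f, _ in trail_alerts(FLOWS, trail)])
```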