stamparm / maltrail

Malicious traffic detection system
MIT License

[Questions and Support] Suspicious Domain High False Positive #19271

Open zero77 opened 1 month ago

zero77 commented 1 month ago

Question

I am getting a very high number of false positives for suspicious domains, in particular domains ending in xyz, cc, ws.

Is there any way I can disable suspicious domain detection for multiple clients?

Looking through the trails it seems to be coming from the top part of this file which detects all domains ending with certain terms:

https://raw.githubusercontent.com/stamparm/maltrail/9dcfd0a4c0402feeae25ee00a288cf0d04840ce4/trails/static/suspicious/domain.txt

Support

MikhailKasimov commented 1 month ago

Hello!

Try this option to use: https://github.com/stamparm/maltrail/blob/master/maltrail.conf#L132-L133

zero77 commented 1 month ago

Thanks for your quick response. I am able to tune it out, but I want to stop it from being detected altogether instead of constantly tuning it out.

Could the top part of the domain.txt be separated into a different file, so people can decide if they want to keep it? It's very broad and leads to false positives.

MikhailKasimov commented 1 month ago

> Could the top part of the domain.txt be separated into a different file. So people can decide if they want to keep it as it's very broad and leads to false positives.

No problem to use a different file with the respective format: https://github.com/stamparm/maltrail/wiki/Maltrail-trails-base-format and use it as a user-defined whitelist (https://github.com/stamparm/maltrail/blob/master/maltrail.conf#L126-L127).

MikhailKasimov commented 1 month ago

The second way (more global) is just to put a # sign in front of the domain you want to exclude, e.g. .cc --> # .cc, save the /domain.txt file and restart /sensor.py. Downside of this method: you can potentially miss real malware/malicious connections to .cc-based domains.

zero77 commented 1 month ago

Thanks for the suggestions. If I commented out .cc, I would still detect known malicious .cc domains, right?

MikhailKasimov commented 1 month ago

> Thanks for the suggestions, if i commented out .cc i would still detect known malicious cc domains right ?

Known would stay detected.

MikhailKasimov commented 3 weeks ago

@zero77 Hello! Is the problem resolved?

zero77 commented 2 weeks ago

I am trying to do this on multiple Linux servers with a script that I am using for updating maltrail. The update part works, but it's not excluding the domain extensions I want to exclude and leaving everything else untouched.

- name: Tune Domain Extensions
  lineinfile:
    path: /opt/maltrail/trails/static/suspicious/domain.txt
    # The value in From is used as a regular expression: an unanchored '.cc' matches
    # the first line containing any character followed by "cc", so the wrong line is
    # replaced. Escape the dot and anchor both ends; the optional '#' prefix keeps the
    # task idempotent (a line already commented out still matches instead of being
    # appended again at end of file).
    regexp: '^#?\s*{{ item.From | regex_escape }}$'
    line: '{{ item.To }}'
    state: present
  with_items:
    - { From: '.cc', To: '# .cc' }
    - { From: '.xyz', To: '# .xyz' }
  changed_when: false
  ignore_errors: yes
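Added illustration, not code from this issue or from the maltrail project, of why an unanchored `.cc` regexp replaces the wrong line and of the comment-out approach suggested earlier in the thread. The sample trail file below is constructed and simplified (one trail per line, `#` for comments); it stands in for trails/static/suspicious/domain.txt.

```python
import re

# Constructed, simplified stand-in for trails/static/suspicious/domain.txt:
# one trail per line, '#' starts a comment. Not the project's real file.
SAMPLE_DOMAIN_TXT = """\
# suspicious TLDs accumulated from abuse reports
.cc
.ws
.xyz
# specific hosts (constructed placeholders)
malware-drop.cc
cdn.xyz.example
"""

def first_line_matching(text, pattern):
    """Mimic lineinfile's regexp + state=present: the first matching line is the one replaced."""
    for line in text.splitlines():
        if re.search(pattern, line):
            return line
    return None  # lineinfile would append the new line at end of file instead

def anchored_pattern(suffix):
    """Escape the dot and anchor both ends so only the bare suffix entry matches,
    whether still active or already commented out (keeps the edit idempotent)."""
    return r"^#?\s*" + re.escape(suffix) + r"$"

def comment_out_suffixes(text, suffixes):
    """Comment out exactly the listed suffix trails; every other line is left untouched."""
    patterns = [re.compile(anchored_pattern(s)) for s in suffixes]
    out = []
    for line in text.splitlines():
        if any(p.match(line) for p in patterns):
            line = "# " + line.lstrip("# ")  # normalise to a single '# ' prefix
        out.append(line)
    return "\n".join(out) + "\n"
```

With the sample file, the unanchored `.cc` pattern hits the header comment (the "acc" in "accumulated") before it ever reaches the `.cc` entry, while the anchored pattern selects only that entry and leaves specific trails such as `malware-drop.cc` active.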