Open zero77 opened 1 month ago
Hello!
Try this option to use: https://github.com/stamparm/maltrail/blob/master/maltrail.conf#L132-L133
Thanks for your quick response, I am able to tune it out but I want to stop it from being detected altogether instead of constantly tuning it out.
Could the top part of the domain.txt be separated into a different file. So people can decide if they want to keep it as it's very broad and leads to false positives.
No problem to use different file with respective format: https://github.com/stamparm/maltrail/wiki/Maltrail-trails-base-format and use it as user-defined whitelist (https://github.com/stamparm/maltrail/blob/master/maltrail.conf#L126-L127).
The second way (more global) is just to put a `#` sign in front of the domain you want to exclude. E.g. `.cc` --> `# .cc`, save the `domain.txt` file and restart `sensor.py`. Downside of this method: you potentially can miss real malware/malicious connections to `.cc`-based domains.
Thanks for the suggestions, if I commented out .cc I would still detect known malicious cc domains, right?
Known would stay detected.
@zero77 Hello! Is the problem resolved?
I am trying to do this on multiple Linux servers with a script that I am using for updating maltrail. The update part works but it's not excluding the domain extensions I want to exclude and leave everything else untouched.

```yaml
- name: Tune Domain Extensions
  lineinfile:
    path: /opt/maltrail/trails/static/suspicious/domain.txt
    # Anchor and escape the pattern: an unescaped, unanchored '.cc' matches any
    # line containing "cc" (and lineinfile only rewrites the last match).
    # The optional leading '#' keeps the task idempotent once the line is commented.
    regexp: '^#?\s*{{ item.From | regex_escape }}$'
    line: '{{ item.To }}'
    state: present
  with_items:
    - { From: '.cc', To: '#.cc' }
    - { From: '.xyz', To: '#.xyz' }
  changed_when: false
  ignore_errors: yes
```
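The same tuning done in plain Python, as an added example that is not maltrail's own code nor the poster's playbook: it comments out only lines that are exactly a listed suffix (so full-domain entries such as a known bad `.cc` host keep being detected), is idempotent, and the `SAMPLE` content is a constructed stand-in for the top of `domain.txt`, not the real file.

```python
"""Comment out whole-TLD entries in maltrail's suspicious domain.txt without
touching any other trail. Added example; SAMPLE below is constructed."""
from pathlib import Path

# Constructed stand-in for the top of trails/static/suspicious/domain.txt
SAMPLE = (
    "# suspicious top-level domains\n"
    ".bid\n"
    ".cc\n"
    ".xyz\n"
    ".ws\n"
    "# known bad hosts\n"
    "evil-example.cc\n"
)

def comment_out_suffixes(text: str, suffixes) -> str:
    """Prefix '# ' to every line that is exactly one of `suffixes` (e.g. '.cc').
    An unanchored regexp such as '.cc' would also hit 'evil-example.cc' and any
    line containing 'cc'; comparing the whole line avoids that. Idempotent:
    an already-commented line no longer equals the bare suffix."""
    wanted = {s.strip().lower() for s in suffixes}
    out = []
    for line in text.splitlines(keepends=True):
        body = line.rstrip("\r\n")
        ending = line[len(body):]          # keep the original line ending
        if body.strip().lower() in wanted:
            out.append(f"# {body.strip()}{ending}")
        else:
            out.append(line)
    return "".join(out)

def active_trails(text: str):
    """Entries a trails loader would still use: blank lines and '#' comments are
    skipped and a trailing '# info' is dropped (the base format allows it)."""
    trails = []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if entry:
            trails.append(entry)
    return trails

def tune_file(path, suffixes) -> bool:
    """Rewrite `path` in place; return True only when the content changed."""
    p = Path(path)
    original = p.read_text(encoding="utf-8")
    updated = comment_out_suffixes(original, suffixes)
    if updated != original:
        p.write_text(updated, encoding="utf-8")
        return True
    return False

if __name__ == "__main__":
    print(active_trails(comment_out_suffixes(SAMPLE, [".cc", ".xyz"])))
```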
Question

I am getting a very high false positive for suspicious domains, in particular domains ending in xyz, cc, ws.
Is there any way I can disable suspicious domain detection for multiple clients?
Looking through the trails it seems to be coming from the top part of this file, which detects all domains ending with certain terms:
https://raw.githubusercontent.com/stamparm/maltrail/9dcfd0a4c0402feeae25ee00a288cf0d04840ce4/trails/static/suspicious/domain.txt