maltrail
Malicious traffic detection system
A network security monitor that watches your traffic and raises alerts when it spots known malicious websites, IP addresses, or domains using dozens of public threat intelligence feeds.
Maltrail is a network security tool that watches the traffic flowing through your computer network and raises alerts when it spots known bad actors. It works by comparing the domains, web addresses, IP addresses, and certain request headers it sees against a large collection of threat intelligence lists. Those lists contain entries that security researchers have identified as belonging to malware, attackers, botnets, and other malicious activity.
The threat lists come from dozens of public sources, including antivirus (AV) vendors, security research feeds, and organizations that track botnets and ransomware. On top of those feeds, the project maintains its own manually compiled entries covering hundreds of named malware families and attack campaigns, including mobile malware for Android devices. When traffic matches an entry in any of these lists, Maltrail logs the event and flags it for review. It also has optional heuristic checks that can catch suspicious behavior that does not yet appear in any list.
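As an added example of the list-matching described above (not maltrail's own code), the Python below loads a trail feed and checks observed domains and destination IPs against it, matching parent domains and CIDR ranges as well as exact entries. The feed format, the observation tuples and every address and domain in it are constructed for the demonstration.

```python
import ipaddress
from collections import namedtuple

# Constructed sample feed (not a real maltrail feed): "trail,info,reference"
SAMPLE_FEED = """\
# constructed sample feed
198.51.100.23,known botnet c2 (constructed),sample-feed-a
evil-updates.example,malware download site (constructed),sample-feed-b
203.0.113.0/24,scanner range (constructed),sample-feed-c
"""

Event = namedtuple("Event", "src_ip trail info reference")

def load_trails(feed_text):
    """Parse feed lines into {trail: (info, reference)}, skipping comments."""
    trails = {}
    for line in feed_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        trail, info, reference = (p.strip() for p in line.split(",", 2))
        trails[trail.lower()] = (info, reference)
    return trails

def match_trail(value, trails):
    """Return the matching trail for an observed IP or domain, or None.
    IPs match exact entries or CIDR ranges; domains also match listed
    parent domains, so a host under a listed domain is still caught."""
    value = value.lower().rstrip(".")
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        labels = value.split(".")              # walk up to the parent domains
        for i in range(len(labels) - 1):       # never match a bare TLD
            candidate = ".".join(labels[i:])
            if candidate in trails:
                return candidate
        return None
    if value in trails:
        return value
    for trail in trails:
        if "/" in trail and ip in ipaddress.ip_network(trail, strict=False):
            return trail
    return None

def scan(observations, trails):
    """Observations are constructed (src_ip, kind, value) tuples, kind being
    'dns', 'http_host' or 'dst_ip'; returns one Event per hit."""
    events = []
    for src_ip, kind, value in observations:
        hit = match_trail(value, trails)
        if hit:
            info, reference = trails[hit]
            events.append(Event(src_ip, hit, info, reference))
    return events
```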
The system is split into three pieces: a Sensor, a Server, and a reporting Client. The Sensor is the component that actually watches the network. You run it on a Linux machine that has visibility into your network traffic, either by connecting it to a monitoring port on your switch or by placing it inline on a network bridge. It can also run on a honeypot, which is a machine intentionally left exposed to attract attackers. The Sensor sends any events it finds to the Server, which stores them. By default all three components run on the same machine, but you can split them across separate machines if needed.
The Client is a web-based reporting interface where you can browse detected events, filter by type, and investigate what happened. The README includes screenshots of the interface and a section covering real-life example cases, such as port scans, mass scanning activity, data leakage, and false positives.
Maltrail is written in Python and runs on Linux. It is open source under the MIT license.
Where it fits
- Monitor a home or office network for connections to known malware domains and review flagged events in a web dashboard.
- Run on a honeypot machine intentionally left exposed to detect and log attacker behavior.
- Deploy a sensor on a Linux machine connected to your switch's monitoring port to see all network traffic.
- Investigate security events by browsing detected alerts filtered by type in the built-in reporting interface.