OPNsense Forum

Archive => 19.7 Legacy Series => Topic started by: Taomyn on August 14, 2019, 09:25:06 AM

Title: [Solved] Maltrail plugin just stopped detecting anything
Post by: Taomyn on August 14, 2019, 09:25:06 AM

I've had Maltrail running pretty well from 5th August to 12th August, but since then it's made zero detections.

The service is running, there is nothing in its error log. I restarted the firewall and still the same. I'm using the two test examples from the Maltrail readme:

nslookup morphed.ru.
ping 136.161.101.53

Neither gets picked up.

I'm on OPNsense v19.7.2 and the plugin is v1.0 - Maltrail is monitoring the WAN interface.
Title: Re: Maltrail plugin just stopped detecting anything
Post by: mimugmail on August 14, 2019, 12:15:18 PM
Can you post maltrail.conf please?
Title: Re: Maltrail plugin just stopped detecting anything
Post by: Taomyn on August 14, 2019, 12:17:49 PM
Quote from: mimugmail on August 14, 2019, 12:15:18 PM
Can you post maltrail.conf please?


Which one? When I search I see two, one which looks like a standard one and another with OPNsense tokens all over the place.
Title: Re: Maltrail plugin just stopped detecting anything
Post by: mimugmail on August 14, 2019, 04:19:12 PM
/usr/local/share/maltrail/maltrail.conf
Title: Re: Maltrail plugin just stopped detecting anything
Post by: Taomyn on August 14, 2019, 04:27:01 PM
Quote from: mimugmail on August 14, 2019, 04:19:12 PM
/usr/local/share/maltrail/maltrail.conf

Quote

# [Server]
HTTP_ADDRESS 192.168.1.1
HTTP_PORT 8338
USE_SSL false

DISABLE_LOCAL_LOG_STORAGE false

SENSOR_NAME $HOSTNAME
CUSTOM_TRAILS_DIR /usr/local/maltrail/trails/custom/
PROCESS_COUNT $CPU_CORES
DISABLE_CPU_AFFINITY false
USE_FEED_UPDATES true
DISABLED_FEEDS turris, ciarmy, policeman, myip
UPDATE_PERIOD
USE_SERVER_UPDATE_TRAILS false
USE_HEURISTICS true
CHECK_MISSING_HOST false
CHECK_HOST_DOMAINS false
SHOW_DEBUG false
LOG_DIR /var/log/maltrail
MONITOR_INTERFACE pppoe0
CAPTURE_BUFFER 10%
CAPTURE_FILTER udp or icmp or (tcp and (tcp[tcpflags] == tcp-syn or port 80 or port 1080 or port 3128 or port 8000 or port 8080 or port 8118))
USERS
    admin:CHANGED:2000:0.0.0.0/0                        # changeme!
Title: Re: Maltrail plugin just stopped detecting anything
Post by: mimugmail on August 15, 2019, 08:36:58 AM
Can you try lan or physical wan, maybe a problem with pppoe
Title: Re: Maltrail plugin just stopped detecting anything
Post by: Taomyn on August 15, 2019, 02:10:43 PM
Quote from: mimugmail on August 15, 2019, 08:36:58 AM
Can you try lan or physical wan, maybe a problem with pppoe

I will when I get to my destination and can remote into my network, but seeing as it's been fine for many days and nothing else changed I'm not sure if that will make a difference. Plus the PPPoE is my WAN; it's how I connect to my ISP.

I'll keep you updated.
Title: Re: Maltrail plugin just stopped detecting anything
Post by: mimugmail on August 15, 2019, 02:34:11 PM
You can also try to start sensor manually so it runs in foreground
Title: Re: Maltrail plugin just stopped detecting anything
Post by: Taomyn on August 15, 2019, 02:40:32 PM
Quote from: mimugmail on August 15, 2019, 02:34:11 PM
You can also try to start sensor manually so it runs in foreground

How do I do that, and I presume I need to stop the service version first?
Title: Re: Maltrail plugin just stopped detecting anything
Post by: mimugmail on August 15, 2019, 05:03:06 PM
/usr/local/etc/rc.d/opnsense-maltrailsensor stop
python2.7 /usr/local/share/maltrail/sensor.py

Title: Re: Maltrail plugin just stopped detecting anything
Post by: Taomyn on August 15, 2019, 08:58:07 PM
Quote from: mimugmail on August 15, 2019, 05:03:06 PM
/usr/local/etc/rc.d/opnsense-maltrailsensor stop
python2.7 /usr/local/share/maltrail/sensor.py

Done

root@bart:~ # /usr/local/etc/rc.d/opnsense-maltrailsensor stop
Stopping maltrailsensor.
Waiting for PIDS: 41882.
root@bart:~ # python2.7 /usr/local/share/maltrail/sensor.py
Maltrail (sensor) #v0.13.26
[i] using configuration file '/usr/local/share/maltrail/maltrail.conf'
[i] using '/var/log/maltrail' for log storage
[?] at least 384MB of free memory required
[i] using '/root/.maltrail/trails.csv' for trail storage
[i] updating trails (this might take a while)...
[o] 'https://data.netlab.360.com/feeds/dga/chinad.txt'
[o] 'https://data.netlab.360.com/feeds/dga/conficker.txt'
[o] 'https://data.netlab.360.com/feeds/dga/cryptolocker.txt'
[o] 'https://data.netlab.360.com/feeds/dga/gameover.txt'
[o] 'https://data.netlab.360.com/feeds/dga/locky.txt'
[o] 'https://data.netlab.360.com/feeds/dga/necurs.txt'
[o] 'https://data.netlab.360.com/feeds/dga/tofsee.txt'
[o] 'https://data.netlab.360.com/feeds/dga/virut.txt'
[o] 'https://www.abuseipdb.com/statistics'
[o] 'https://reputation.alienvault.com/reputation.generic'
[o] 'https://cybercrime-tracker.net/ccam.php'
[o] 'https://www.badips.com/get/list/any/2?age=7d'
[o] 'https://osint.bambenekconsulting.com/feeds/c2-dommasterlist-high.txt'
[o] 'https://osint.bambenekconsulting.com/feeds/dga-feed.txt'
[o] 'https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/bitcoin_nodes_1d.ipset'
[o] 'https://raw.githubusercontent.com/stamparm/blackbook/master/blackbook.csv'
[o] 'https://lists.blocklist.de/lists/all.txt'
[o] 'https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/botscout_1d.ipset'
[o] 'http://danger.rulez.sk/projects/bruteforceblocker/blist.php'
[o] 'https://raw.githubusercontent.com/fox-it/cobaltstrike-extraneous-space/master/cobaltstrike-servers.csv'
[o] 'https://www.cruzit.com/xxwbl2txt.php'
[o] 'https://cybercrime-tracker.net/all.php'
[o] 'https://dataplane.org/*.txt'
[o] 'https://isc.sans.edu/feeds/suspiciousdomains_Low.txt'
[o] 'https://feeds.dshield.org/top10-2.txt'
[o] 'https://rules.emergingthreats.net/open/suricata/rules/botcc.rules'
[o] 'https://rules.emergingthreats.net/open/suricata/rules/compromised-ips.txt'
[o] 'https://rules.emergingthreats.net/open/suricata/rules/emerging-dns.rules'
[o] 'https://feodotracker.abuse.ch/blocklist/?download=domainblocklist'
[o] 'https://feodotracker.abuse.ch/blocklist/?download=ipblocklist'
[o] 'https://blocklist.greensnow.co/greensnow.txt'
[o] 'https://raw.githubusercontent.com/Neo23x0/signature-base/master/iocs/otx-c2-iocs.txt'
[o] 'https://raw.githubusercontent.com/gwillem/magento-malware-scanner/master/rules/burner-domains.txt'
[o] 'https://malc0de.com/bl/ZONES'
[o] 'https://www.malwaredomainlist.com/hostslist/hosts.txt'
[o] 'http://malwaredomains.lehigh.edu/files/domains.txt'
[o] 'https://www.maxmind.com/en/high-risk-ip-sample-list'
[o] 'https://raw.githubusercontent.com/Hestat/minerchk/master/hostslist.txt'
[o] 'https://www.nothink.org/blacklist/blacklist_malware_irc.txt'
[o] 'https://openphish.com/feed.txt'
[o] 'https://palevotracker.abuse.ch/blocklists.php?download=combinedblocklist'
[o] 'https://cybercrime-tracker.net/ccpmgate.php'
[o] 'https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/proxylists_1d.ipset'
[o] 'https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/proxyrss_1d.ipset'
[o] 'https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/proxyspy_1d.ipset'
[o] 'https://ransomwaretracker.abuse.ch/downloads/RW_DOMBL.txt'
[o] 'https://ransomwaretracker.abuse.ch/downloads/RW_IPBL.txt'
[o] 'https://ransomwaretracker.abuse.ch/downloads/RW_URLBL.txt'
[o] 'https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/ri_web_proxies_30d.ipset'
[o] 'https://report.cs.rutgers.edu/DROP/attackers'
[o] 'https://sblam.com/blacklist.txt'
[o] 'https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/socks_proxy_7d.ipset'
[o] 'https://sslbl.abuse.ch/blacklist/sslipblacklist.csv'
[o] 'https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/sslproxies_1d.ipset'
[o] 'https://www.talosintelligence.com/feeds/ip-filter.blf'
[o] 'https://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=1.1.1.1'
[o] 'https://torstatus.blutmagie.de/ip_list_all.php/Tor_ip_list_ALL.csv'
[o] 'https://github.com/JR0driguezB/malware_configs'
[o] 'https://urlhaus.abuse.ch/downloads/text/'
[o] 'http://www.urlvir.com/export-hosts/'
[o] 'http://www.voipbl.org/update/'
[o] 'http://vxvault.net/URL_List.php'
[o] 'https://zeustracker.abuse.ch/blocklist.php?download=domainblocklist'
[o] 'https://zeustracker.abuse.ch/blocklist.php?download=badips'
[o] 'https://zeustracker.abuse.ch/monitor.php?filter=all'
[o] 'https://zeustracker.abuse.ch/blocklist.php?download=compromised'
[o] '(static)'
[o] '(custom)'
[x] something went wrong during remote data retrieval ('(custom)')
[i] update finished
[i] trails stored to '/root/.maltrail/trails.csv'
[i] updating ipcat database...
[i] opening interface 'pppoe0'
[i] setting capture filter 'udp or icmp or (tcp and (tcp[tcpflags] == tcp-syn or port 80 or port 1080 or port 3128 or port 8000 or port 8080 or port 8118))'
[i] preparing capture buffer...
[i] creating 3 more processes (out of total 4)
Exception in thread Thread-2:
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/threading.py", line 801, in __bootstrap_inner
    self.run()
  File "/usr/local/lib/python2.7/threading.py", line 1071, in run
    self.finished.wait(self.interval)
  File "/usr/local/lib/python2.7/threading.py", line 614, in wait
    self.__cond.wait(timeout)
  File "/usr/local/lib/python2.7/threading.py", line 349, in wait
    endtime = _time() + timeout
TypeError: unsupported operand type(s) for +: 'float' and 'str'
Exception in thread Thread-2:
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/threading.py", line 801, in __bootstrap_inner
    self.run()
  File "/usr/local/lib/python2.7/threading.py", line 1071, in run
    self.finished.wait(self.interval)
  File "/usr/local/lib/python2.7/threading.py", line 614, in wait
    self.__cond.wait(timeout)
  File "/usr/local/lib/python2.7/threading.py", line 349, in wait
    endtime = _time() + timeout
TypeError: unsupported operand type(s) for +: 'float' and 'str'
Exception in thread Thread-1:
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/threading.py", line 801, in __bootstrap_inner
    self.run()
  File "/usr/local/lib/python2.7/threading.py", line 1071, in run
    self.finished.wait(self.interval)
  File "/usr/local/lib/python2.7/threading.py", line 614, in wait
    self.__cond.wait(timeout)
  File "/usr/local/lib/python2.7/threading.py", line 349, in wait
    endtime = _time() + timeout
TypeError: unsupported operand type(s) for +: 'float' and 'str'
Exception in thread Thread-2:
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/threading.py", line 801, in __bootstrap_inner
    self.run()
  File "/usr/local/lib/python2.7/threading.py", line 1071, in run
    self.finished.wait(self.interval)
  File "/usr/local/lib/python2.7/threading.py", line 614, in wait
    self.__cond.wait(timeout)
  File "/usr/local/lib/python2.7/threading.py", line 349, in wait
    endtime = _time() + timeout
TypeError: unsupported operand type(s) for +: 'float' and 'str'
[?] please install 'schedtool' for better CPU scheduling
[o] running...
Title: Re: Maltrail plugin just stopped detecting anything
Post by: Taomyn on August 28, 2019, 03:08:22 PM
Issue opened on Github https://github.com/opnsense/plugins/issues/1470
Title: Re: Maltrail plugin just stopped detecting anything
Post by: Taomyn on September 23, 2019, 08:39:53 AM
Issue fixed in upcoming patch - thank you
Title: Re: [Solved] Maltrail plugin just stopped detecting anything
Post by: firewall on October 25, 2019, 04:58:54 PM
I'm experiencing the same behavior on 19.7.5_5, Maltrail version 1.2. Works fine for a day or 2, then just craps out. Any suggestions?

maltrail.conf is as follows:

# [Server]
HTTP_ADDRESS 10.10.10.1
HTTP_PORT 8338
USE_SSL false

DISABLE_LOCAL_LOG_STORAGE false

SENSOR_NAME $HOSTNAME
CUSTOM_TRAILS_DIR /usr/local/maltrail/trails/custom/
PROCESS_COUNT $CPU_CORES
DISABLE_CPU_AFFINITY false
USE_FEED_UPDATES true
DISABLED_FEEDS turris, ciarmy, policeman, myip
UPDATE_PERIOD 86400
USE_SERVER_UPDATE_TRAILS false
USE_HEURISTICS true
CHECK_MISSING_HOST false
CHECK_HOST_DOMAINS false
SHOW_DEBUG false
LOG_DIR /var/log/maltrail
MONITOR_INTERFACE igb2,ovpns2,ovpnc4,ovpnc3,ovpnc1,igb1,igb3
CAPTURE_BUFFER 10%
CAPTURE_FILTER udp or icmp or (tcp and (tcp[tcpflags] == tcp-syn or port 80 or port 1080 or port 3128 or port 8000 or port 8080 or port 8118))
USERS
    admin:5dc7ddttttt9f87c18ce4db9ttttte5a94c7c88tttttd655325ttttt5698c336:2000:0.0.0.0/0                        # changeme!

Title: Re: [Solved] Maltrail plugin just stopped detecting anything
Post by: mimugmail on October 25, 2019, 07:23:57 PM
You mean with pppoe?
Title: Re: [Solved] Maltrail plugin just stopped detecting anything
Post by: firewall on October 25, 2019, 08:41:41 PM
Quote from: mimugmail on October 25, 2019, 07:23:57 PM
You mean with pppoe?

pppoe is not being used
Title: Re: [Solved] Maltrail plugin just stopped detecting anything
Post by: mimugmail on October 25, 2019, 09:54:54 PM
So this also happens when you only enable it on WAN?
Title: Re: [Solved] Maltrail plugin just stopped detecting anything
Post by: Taomyn on October 28, 2019, 07:38:45 AM
Seems fine for mine on just the PPPoE WAN interface, it was also on LAN but I found it was occasionally maxing the CPU out when under load (large downloads/heavy traffic), so I removed LAN. I haven't rebooted since so there's still that to try, but I'm still getting data.
Title: Re: [Solved] Maltrail plugin just stopped detecting anything
Post by: firewall on October 28, 2019, 03:58:36 PM
Quote from: mimugmail on October 25, 2019, 09:54:54 PM
So this also happens when you only enable it on WAN?

I enabled it on WAN-only for the last couple of days for testing purposes, and it seems to have stayed up.  All other configurations, including WAN+LAN+WLAN or the default ("select none = all") lead to failure within 36 hours.

From my perspective, if WAN-only is the only configuration that works there's really no point in running this plug-in.
Title: Re: [Solved] Maltrail plugin just stopped detecting anything
Post by: mimugmail on October 28, 2019, 07:54:45 PM
It's maybe something related to tun, but if you don't help troubleshooting I can't help with it.
Title: Re: [Solved] Maltrail plugin just stopped detecting anything
Post by: firewall on October 28, 2019, 10:02:37 PM
I'm not sure why you suspect I'm unwilling to help troubleshoot... I enabled it for WAN-only for 2 days, as you suggested.

The only thing logged in /var/log/maltrail/error.log are SIGTERM events from my start/stop of the server (and/or sensor) via the GUI. I've not found a way to enable verbose logging in maltrail, so perhaps I try to run it from the terminal with some type of verbose python3 output?

edit: I see it's using python2.7, and trying to run sensor.py with python3 results in "please install pcapy". I have sensor.py running via term on 2.7 now. Will monitor and report back.
Title: Re: [Solved] Maltrail plugin just stopped detecting anything
Post by: mimugmail on October 29, 2019, 07:10:19 AM
If it's running fine for WAN, test the next interface (OpenVPN), which is not standard. When you find it you can run maltrail in foreground to see what's happening.

Python 3 is not supported yet by maltrail itself. This will take some more weeks by the maltrail devs.
Title: Re: [Solved] Maltrail plugin just stopped detecting anything
Post by: firewall on October 29, 2019, 06:50:43 PM
Quote from: mimugmail on October 29, 2019, 07:10:19 AM
When you find it you can run maltrail in foreground to see whats happening.

Yep, spun that up last night. Monitoring all preferred interfaces, including OVPN. Will report back either at the 48 hr. mark (longer than the daemon ever ran) or if it errors out in foreground... whichever comes first. :)

root@pudding:/usr/local/share/maltrail # python2.7 /usr/local/share/maltrail/sensor.py
Maltrail (sensor) #v0.15

[i] using configuration file '/usr/local/share/maltrail/maltrail.conf'
[i] using '/var/log/maltrail' for log storage
[?] at least 384MB of free memory required
[i] using '/root/.maltrail/trails.csv' for trail storage (last modification: 'Mon, 28 Oct 2019 21:10:23 GMT')
[i] loading trails...
[i] 643,538 trails loaded
[i] opening interface 'igb2'
[i] opening interface 'igb3'
[i] opening interface 'igb1'
[i] opening interface 'ovpnc3'
[i] opening interface 'ovpnc1'
[i] opening interface 'ovpnc4'
[i] setting capture filter 'udp or icmp or (tcp and (tcp[tcpflags] == tcp-syn or port 80 or port 1080 or port 3128 or port 8000 or port 8080 or port 8118))'
[i] preparing capture buffer...
[i] creating 3 more processes (out of total 4)
[?] please install 'schedtool' for better CPU scheduling
[o] running...

Title: Re: [Solved] Maltrail plugin just stopped detecting anything
Post by: mimugmail on October 29, 2019, 06:52:15 PM
If you run all you can't precisely determine which one is responsible for breaking. Better test one by one.
Title: Re: [Solved] Maltrail plugin just stopped detecting anything
Post by: firewall on October 29, 2019, 11:17:08 PM
It ended up throwing 2 errors when attempting to update trails:

Exception in thread Thread-2:
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/threading.py", line 801, in __bootstrap_inner
    self.run()
  File "/usr/local/lib/python2.7/threading.py", line 1073, in run
    self.function(*self.args, **self.kwargs)
  File "/usr/local/share/maltrail/core/parallel.py", line 67, in update_timer
    trails.update(_)
  File "/usr/local/share/maltrail/core/trailsdict.py", line 55, in update
    setattr(self, attr, getattr(value, attr))
AttributeError: 'TrailsDict' object has no attribute '_regex'
Exception in thread Thread-1:
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/threading.py", line 801, in __bootstrap_inner
    self.run()
  File "/usr/local/lib/python2.7/threading.py", line 1073, in run
    self.function(*self.args, **self.kwargs)
  File "/usr/local/share/maltrail/sensor.py", line 769, in update_timer
    if "static" in trails[trail][1]:
  File "/usr/local/share/maltrail/core/trailsdict.py", line 78, in __getitem__
    return (self._infos[int(_[0])], self._references[int(_[1])])
IndexError: list index out of range

I noted that maltrail.conf states a CUSTOM_TRAILS_DIR that does not exist: /usr/local/maltrail/trails/custom/

Shouldn't this be /usr/local/share/maltrail/trails/custom/ ? I manually edited maltrail.conf for the proper directory and restarted the foreground process. Will continue to monitor...
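Two configuration problems surface in this thread: the first posted maltrail.conf has an UPDATE_PERIOD line with no value, and the foreground run that followed it died in threading.Timer with "unsupported operand type(s) for +: 'float' and 'str'", which is what you get when the timer interval arrives as a string instead of a number of seconds; the post above then notices a CUSTOM_TRAILS_DIR that points at a directory that does not exist. The script below is an added example, not code from maltrail or the OPNsense plugin: it parses the plain "KEY value" layout shown in the thread (an assumption; it does not reproduce maltrail's own settings parser) and reports both conditions before the sensor is started. The sample config is constructed from the one posted earlier in this thread, and the link between the blank UPDATE_PERIOD and the TypeError is an inference from the posted traceback.

```python
"""Sanity-check a maltrail.conf before starting the sensor.

Added example, not maltrail's or the OPNsense plugin's own code. It assumes the
plain 'KEY value' layout seen in this thread and does not reproduce the exact
parsing rules of maltrail's own settings module.
"""
import os

# Constructed sample modelled on the first config posted in this thread:
# UPDATE_PERIOD carries no value and CUSTOM_TRAILS_DIR names a directory
# that is not present on the box.
SAMPLE_CONF = """\
# [Server]
HTTP_ADDRESS 192.168.1.1
HTTP_PORT 8338
USE_SSL false
SENSOR_NAME $HOSTNAME
CUSTOM_TRAILS_DIR /usr/local/maltrail/trails/custom/
USE_FEED_UPDATES true
UPDATE_PERIOD
MONITOR_INTERFACE pppoe0
CAPTURE_BUFFER 10%
USERS
    admin:CHANGED:2000:0.0.0.0/0                        # changeme!
"""


def parse_conf(text):
    """Turn 'KEY value' lines into a dict. A key with nothing after it maps
    to the empty string, which is exactly the case the lint is looking for."""
    conf = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t":          # indented continuation (USERS entries)
            continue
        parts = line.split(None, 1)
        # drop a trailing '# comment' from the value, if any
        value = parts[1].split("#", 1)[0].strip() if len(parts) > 1 else ""
        conf[parts[0]] = value
    return conf


def lint(conf, dir_exists=os.path.isdir):
    """Return a list of (key, problem) pairs. dir_exists is injectable so a
    config copied from another host can be checked offline."""
    findings = []

    period = conf.get("UPDATE_PERIOD", "")
    if not period.isdigit() or int(period) <= 0:
        # A blank value would reach the feed-update timer as '' rather than
        # as seconds; that matches the "float + str" TypeError raised inside
        # threading.Timer in the thread (inference from the traceback, not a
        # statement from the maltrail project).
        findings.append(("UPDATE_PERIOD",
                         "must be a positive number of seconds, got %r" % period))

    custom = conf.get("CUSTOM_TRAILS_DIR", "")
    if custom and not dir_exists(custom):
        # Consistent with the "[x] something went wrong ... ('(custom)')"
        # line in the posted sensor output (again an inference).
        findings.append(("CUSTOM_TRAILS_DIR",
                         "directory %r does not exist" % custom))

    if not conf.get("MONITOR_INTERFACE"):
        findings.append(("MONITOR_INTERFACE", "no interface to capture on"))

    return findings


def lint_text(text, dir_exists=os.path.isdir):
    """Convenience wrapper: parse and lint in one call."""
    return lint(parse_conf(text), dir_exists)


if __name__ == "__main__":
    with open("/usr/local/share/maltrail/maltrail.conf") as fh:
        for key, problem in lint_text(fh.read()):
            print("%s: %s" % (key, problem))
```

Run it on the firewall before restarting the sensor; an empty list means the three checks pass. The UPDATE_PERIOD check is deliberately strict (digits only) because the config format gives no hint that units or expressions are accepted.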
Title: Re: [Solved] Maltrail plugin just stopped detecting anything
Post by: firewall on November 02, 2019, 01:19:27 AM
Quote from: mimugmail on October 29, 2019, 06:52:15 PM
If you run all you cant precisely determine which one is responsible for breaking. Better test one by one

Hi, running sensor.py against the WAN interface alone led to the same errors as before during the "updating trails" process. Several instances of the "AttributeError: 'TrailsDict' object has no attribute '_regex'" error during the download process, and a single "IndexError: list index out of range" at the conclusion of the routine.
Title: Re: [Solved] Maltrail plugin just stopped detecting anything
Post by: mimugmail on November 02, 2019, 07:59:07 AM
And these errors are responsible (or appear) when the software stops after 2 days?

Normally it runs fine on physical interfaces, then we had the problem with pppoe which is now fixed by the author. I could imagine there might be a problem with OpenVPN like tun stuff. But for me there was never a reason to run against these since imho it only makes sense against WAN or LAN.
Title: Re: [Solved] Maltrail plugin just stopped detecting anything
Post by: firewall on November 02, 2019, 07:51:03 PM
Quote from: mimugmail on November 02, 2019, 07:59:07 AM
And these errors are responsible (or appear) when the software stops after 2 days?

Normally it runs fine on physical interfaces, then we had the problem with pppoe which is now fixed by the author. I could imagine there might be a problem with OpenVPN like tun stuff. But for me there was never a reason to run against these since imho it only makes sense against WAN or LAN.

The errors appear when downloading & updating trails... regardless of which interfaces are selected. I used WAN-only for the last test, as you suggested, and it still encountered the errors I pasted previously.

By "author" I assume you mean maltrail dev?  Is he/she on this forum?
Title: Re: [Solved] Maltrail plugin just stopped detecting anything
Post by: mimugmail on November 02, 2019, 08:36:38 PM
No, you can reach him here:
https://github.com/stamparm/maltrail

Title: Re: [Solved] Maltrail plugin just stopped detecting anything
Post by: firewall on November 02, 2019, 11:10:01 PM
Quote from: mimugmail on November 02, 2019, 08:36:38 PM
No, you can reach him here:
https://github.com/stamparm/maltrail

Thanks. I'll report back if there's something requiring change on the OPN side, but either way you're welcome to follow here: https://github.com/stamparm/maltrail/issues/4551
Title: Re: [Solved] Maltrail plugin just stopped detecting anything
Post by: mimugmail on November 03, 2019, 07:35:43 AM
I added a comment over there, thx.
Title: Re: [Solved] Maltrail plugin just stopped detecting anything
Post by: mimugmail on November 05, 2019, 04:24:41 PM
I pushed an update to FreeBSD ports; after this it will get merged to OPNsense and with the next release you'll get a new pkg.
Title: Re: [Solved] Maltrail plugin just stopped detecting anything
Post by: firewall on November 06, 2019, 05:33:16 AM
Quote from: mimugmail on November 05, 2019, 04:24:41 PM
I pushed an update to FreeBSD ports; after this it will get merged to OPNsense and with the next release you'll get a new pkg.

Thanks @mimugmail! 8)
Title: Re: [Solved] Maltrail plugin just stopped detecting anything
Post by: franco on November 06, 2019, 05:37:09 PM
Update is in. :)