Comments (12)
stamparm
commented on July 29, 2024
Have you restarted sensor after changing configuration file? If yes, then it is a bug. Can you please send details of the problematic threat (e.g. screenshot of row with problematic threat/IP)
from maltrail.
DigiAngel
commented on July 29, 2024
Yes....restarted a few times...did a git pull this morning as well. I do see whitelisting working in different environments (home), so I wonder if this might be the Cisco VLAN thing again. In any case here's the screenshot...thank you!
from maltrail.
stamparm
commented on July 29, 2024
Can't see from picture was the threat heuristic or something else?
from maltrail.
DigiAngel
commented on July 29, 2024
Threat type was IP...thank you :)
from maltrail.
stamparm
commented on July 29, 2024
@DigiAngel please update and retry
from maltrail.
DigiAngel
commented on July 29, 2024
Done :) Will monitor...nice thicker sparklines and love the malicious ASN icon...nicely done.
from maltrail.
stamparm
commented on July 29, 2024
:)
from maltrail.
DigiAngel
commented on July 29, 2024
Hrmm...these appear to still be showing up:
"2015-12-21 23:16:44.100681" ids x.x.x.31 42904 72.21.81.200 443 TCP IP 72.21.81.200 "malware distribution (suspicious)" "malc0de.com (+binarydefense.com)"
"2015-12-21 23:16:44.100826" ids x.x.x.31 59385 72.21.81.200 443 TCP IP 72.21.81.200 "malware distribution (suspicious)" "malc0de.com (+binarydefense.com)"
"2015-12-21 23:16:51.278247" ids x.x.x.31 33248 72.21.81.200 443 TCP IP 72.21.81.200 "malware distribution (suspicious)" "malc0de.com (+binarydefense.com)"
Some session and tls info for the last hit (src port 33248):
2015-12-21T23:16:51+0000 CHqXOQ3U2J26Bj6Tr7 x.x.x.31 33248 72.21.81.200 443 tcp ssl 82.728257 970 7997 SF T F 0 ShADadFf 11 1418 11 8445 (empty)
2015-12-21T23:16:51+0000 CHqXOQ3U2J26Bj6Tr7 x.x.x.31 33248 72.21.81.200 443 TLSv12 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 secp256r1 iecvlist.microsoft.com F - - T FzVFNs27QByTM9jJ94,F8HspA2KYNfDeuJDw1,FHAjW824xAVxerkd0b (empty) CN=*.vo.msecnd.net CN=Microsoft IT SSL SHA2,OU=Microsoft IT,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US - - 16773 16789 17 T
Thank you.
from maltrail.
stamparm
commented on July 29, 2024
Strange, can't reproduce with the latest revision.
Can you please send me a PCAP (with related traffic) and corresponding USER_WHITELIST?
from maltrail.
DigiAngel
commented on July 29, 2024
Can do...capturing now.
from maltrail.
DigiAngel
commented on July 29, 2024
Ah dang....I had 71.21.81.200 in the whitelist, and the IP that's showing up is 72.21.81.200....my fault on this one...sorry...now correct in my whitelist...monitoring now...I'm an idiot 8-|
from maltrail.
DigiAngel
commented on July 29, 2024
Confirming this is working great now..thank you so much...sorry for the hassle.
from maltrail.
Related Issues (20)
- [BUG]False Positive 185.199.109.133 HOT 1
- Custom image HOT 5
- Netflow or Span Port HOT 1
- [Feature Request] Show Number Of Past Entries HOT 1
- IP: 117.17.191.45 | Malware HOT 1
- [Feature Request] HOT 1
- Maltrail won't boot HOT 8
- Running a docker container built with your Dockerfile both server.py and sensor.py fail to restart. HOT 4
- [Questions and Support] ModuleNotFoundError: No module named 'thirdparty.six.moves' HOT 4
- [Feature Request] Integrate IPinfo's free database for ASN+country enrichment, filters, and eliminating HTTP calls HOT 4
- [Questions and Support] The server.py does not raise if I define an ip in UDP_ADDRESS HOT 6
- External IP Flagged in Blocklist in Maltrail and Appears to also be affecting blocks on other sites... HOT 18
- Windows 11 Returns HOT 9
- [BUG] cruzit URL changed HOT 1
- [BUG] python six module HOT 10
- [BUG] Fortinet block page (fortinet-block-page-55.fortinet.com) listed as malicious. HOT 2
- Bad domains HOT 2
- [Questions and Support] Maltrail not listening on port 8337/udp HOT 6
- [Feature Request] Improvement for PHP-inj detection (TellYouThePass Ransomware)
- Not really an Issue HOT 3
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from maltrail.