[Questions and Support] Registering new attacks (ssh, ftp) #19205
Hello! Before adding rules, please be aware of some useful articles on Maltrail's basic structure, contribution practice, etc.: Maltrail trails structure (information about Maltrail trails structure). Thank you!
Maybe I didn't specify well. I want to know whether it is possible in Maltrail to add a custom trail that registers, by means of an alert, the access connections within my network for SSH or FTP.
Custom trails are possible, of course. They should be placed in
Could you share some examples of custom trails?
What format should custom trails use, .txt or .py?
.txt
My question is whether it works like the Suricata rules in the attached example:

```
alert icmp any any -> any any (msg:"ICMP packet request alert"; sid:69696969;)
tcp alert any any -> any 80 (msg:"The server connects to the Internet"; sid:79797979;)
tcp alert $EXTERNAL_NET any -> $HOME_NET 1212 (msg:"SSH connection detected"; sid:89898989;)
```

since I have tried many ways to add a custom rule to detect everything related to port 22 (SSH) and it does not work for me.
Your rules catch all respective connections with no difference whether they are malicious or not. Maltrail detects connections from malicious sources only. Information about such sources comes from respective feeds ( So, if you want to keep your own custom trail, be ready to fill it manually every time you meet an undetected malicious source. Malicious, not all.
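The difference the maintainer describes, as an added illustration that is not part of this issue thread and not Maltrail's own code: a port-based rule (Suricata style) flags every connection to port 21/22, while a source-based check flags only connections from sources listed in a trail. The trail file layout (one indicator per line, `#` comments) and all addresses are constructed for the example; Maltrail's real custom-trail format and directory are documented in the article linked above.

```python
import ipaddress
from typing import Dict, List, NamedTuple, Tuple

# Constructed sample trail list (assumed layout, not Maltrail's parser/format).
CUSTOM_TRAIL_TXT = """
# sources seen brute-forcing our SSH bastion (constructed sample data)
203.0.113.7        # ssh brute force, 2024-01-10
198.51.100.0/24    # scanning range
"""

class Conn(NamedTuple):
    src: str
    dst: str
    dport: int

def parse_trails(text: str) -> Dict[ipaddress.IPv4Network, str]:
    """Parse 'indicator  # note' lines into {network: note}; skip blanks/comments."""
    trails: Dict[ipaddress.IPv4Network, str] = {}
    for raw in text.splitlines():
        indicator, _, note = raw.partition("#")
        indicator = indicator.strip()
        if not indicator:
            continue
        trails[ipaddress.ip_network(indicator, strict=False)] = note.strip()
    return trails

def port_rule(conns: List[Conn], ports=(21, 22)) -> List[Conn]:
    """Suricata-style port match: fires on every connection to the port."""
    return [c for c in conns if c.dport in ports]

def trail_rule(conns: List[Conn], trails) -> List[Tuple[Conn, str]]:
    """Maltrail-style source match: fires only for listed malicious sources."""
    hits = []
    for c in conns:
        src = ipaddress.ip_address(c.src)
        for net, note in trails.items():
            if src in net:
                hits.append((c, note))
                break
    return hits

SAMPLE_CONNS = [  # constructed connection records
    Conn("10.0.0.5", "10.0.0.1", 22),       # admin's legitimate SSH login
    Conn("203.0.113.7", "10.0.0.1", 22),    # listed source -> trail alert
    Conn("198.51.100.42", "10.0.0.2", 21),  # inside listed range -> trail alert
    Conn("192.0.2.9", "10.0.0.1", 22),      # unknown source -> no trail alert
]

if __name__ == "__main__":
    t = parse_trails(CUSTOM_TRAIL_TXT)
    print("port rule flags:", len(port_rule(SAMPLE_CONNS)), "of", len(SAMPLE_CONNS))
    print("trail rule flags:", [(c.src, n) for c, n in trail_rule(SAMPLE_CONNS, t)])
```

Running it shows the port rule flagging all four connections, including the admin's login, while the trail rule flags only the two listed sources, which is why an unlisted attacker must be added to the trail by hand.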
Hello, I would like to add some rules that allow registering attacks on the SSH port, FTP, etc. Can this be done?