Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Questions and Support] Suspicious Domain High False Positive #19271

Open
zero77 opened this issue Aug 8, 2024 · 8 comments
Open

[Questions and Support] Suspicious Domain High False Positive #19271

zero77 opened this issue Aug 8, 2024 · 8 comments
Labels
question support

Comments

@zero77
Copy link

zero77 commented Aug 8, 2024
edited
Loading

Question
I am getting a very high false positive for suspicious domains in particular domains ending in xyz, cc, ws

Is there any way i can disable suspicious ___domain detection for multiple clients

Looking through the trails it seems to be coming from the top part of this file which detects all domains ending with certain terms:

https://raw.githubusercontent.com/stamparm/maltrail/9dcfd0a4c0402feeae25ee00a288cf0d04840ce4/trails/static/suspicious/___domain.txt

Support
@MikhailKasimov
Copy link
Collaborator

Hello!

Try this option to use: https://github.com/stamparm/maltrail/blob/master/maltrail.conf#L132-L133

@zero77
Copy link
Author

zero77 commented Aug 8, 2024

Thanks for your quick response, i am able to tune it out but i want to stop it from being detected altogether instead of constantly tuning it out.

Could the top part of the ___domain.txt be separated into a different file. So people can decide if they want to keep it as it's very broad and leads to false positives.

@MikhailKasimov
Copy link
Collaborator

MikhailKasimov commented Aug 8, 2024
edited
Loading

Could the top part of the ___domain.txt be separated into a different file. So people can decide if they want to keep it as it's very broad and leads to false positives.

No problem to use different file with respective format: https://github.com/stamparm/maltrail/wiki/Maltrail-trails-base-format and use it as user-defined whitelist (https://github.com/stamparm/maltrail/blob/master/maltrail.conf#L126-L127).

@MikhailKasimov
Copy link
Collaborator

The second way (more global): is just to put # sign in front of ___domain you want to exclude. E.g. .cc --> # .cc, save /___domain.txt file and restart the /sensor.py. Downside of this method: you potentially can miss real malware/malicious connections to .cc-based domains.

@zero77
Copy link
Author

zero77 commented Aug 8, 2024

Thanks for the suggestions, if i commented out .cc i would still detect known malicious cc domains right ?

@MikhailKasimov
Copy link
Collaborator

Thanks for the suggestions, if i commented out .cc i would still detect known malicious cc domains right ?

Known would stay detected.

@MikhailKasimov
Copy link
Collaborator

@zero77 Hello! Is the problem resolved?

@zero77
Copy link
Author

zero77 commented Aug 28, 2024

I am trying to do this on multiple Linux servers with a script that i am using for updating maltrail.
The update part works but its not excluding the ___domain extensions i want to exclude and leave everything else untouched.

- name: Tune Domain Extensions
  lineinfile:
    path: /opt/maltrail/trails/static/suspicious/___domain.txt
    regexp: '{{item.From}}'
    line: '{{item.To}}'
    state: present
  with_items:
   - { From: '.cc', To: '#.cc'}
   - { From: '.xyz', To: '#.xyz'}
  changed_when: false
  ignore_errors: yes

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
question support
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@MikhailKasimov @zero77