[Questions and Support] Suspicious Domain High False Positive #19271
Question

I am getting a very high false positive rate for suspicious domains, in particular domains ending in xyz, cc, ws.
Is there any way I can disable suspicious ___domain detection for multiple clients?
Looking through the trails, it seems to be coming from the top part of this file, which detects all domains ending with certain terms:
https://raw.githubusercontent.com/stamparm/maltrail/9dcfd0a4c0402feeae25ee00a288cf0d04840ce4/trails/static/suspicious/___domain.txt

Support

Comments

Hello! Try using this option: https://github.com/stamparm/maltrail/blob/master/maltrail.conf#L132-L133

Thanks for your quick response, I am able to tune it out, but I want to stop it from being detected altogether instead of constantly tuning it out. Could the top part of the ___domain.txt be separated into a different file, so people can decide if they want to keep it, as it's very broad and leads to false positives?

No problem to use a different file with the respective format: https://github.com/stamparm/maltrail/wiki/Maltrail-trails-base-format and use it as a user-defined whitelist (https://github.com/stamparm/maltrail/blob/master/maltrail.conf#L126-L127).

The second way (more global): is just to put

Thanks for the suggestions, if I commented out .cc, I would still detect known malicious cc domains, right?

Known would stay detected.

@zero77 Hello! Is the problem resolved?

I am trying to do this on multiple Linux servers with a script that I am using for updating maltrail.
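The exchange above about commenting out the bare `.cc` rule while known malicious `.cc` domains stay detected, as an added example that is not part of this thread and not maltrail's own code. It is written as a shell function so it can be dropped into the kind of multi-server update script the reporter mentions. Assumptions: each trails line has the `trail<TAB>info<TAB>reference` layout of the trails base format wiki linked above, the broad rules at the top of `suspicious/___domain.txt` are bare suffixes such as `.cc` (both assumed, not verified against the current file), and the function names `disable_suffix_rules` and `make_sample_trails` plus the five-line sample file are mine.

```shell
#!/bin/sh
# Added example (not maltrail's own code, not from this thread).
# Assumes trails lines look like "trail<TAB>info<TAB>reference" (the layout of the
# trails base format wiki linked above) and that the broad rules at the top of
# suspicious/___domain.txt are bare suffixes such as ".cc" (assumption).

# disable_suffix_rules FILE TLD...
# Comments out every bare-suffix rule (".cc", ".xyz", ...) whose TLD is listed,
# leaves full-___domain entries such as "evil-example.cc" untouched, rewrites FILE
# in place and prints how many rules it disabled.
disable_suffix_rules() {
    file=$1
    shift
    tlds=$(printf '%s,' "$@")
    tmp=$(mktemp) || return 1
    before=$(grep -c '^#' "$file" || true)
    awk -F '\t' -v tlds="$tlds" '
        BEGIN {
            n = split(tlds, parts, ",")
            for (i = 1; i <= n; i++) if (parts[i] != "") want[parts[i]] = 1
        }
        # bare suffix rule: first field is a dot followed only by the TLD
        $1 ~ /^\.[A-Za-z0-9-]+$/ && (substr($1, 2) in want) { print "# " $0; next }
        { print }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    after=$(grep -c '^#' "$tmp" || true)
    cat "$tmp" > "$file"      # keep the original file's owner and mode
    rm -f "$tmp"
    echo $((after - before))
}

# make_sample_trails FILE: writes a constructed five-line trails file for the demo
make_sample_trails() {
    printf '%s\t%s\t%s\n' \
        '.cc'             'suspicious (generic cc suffix)'  'constructed' \
        '.xyz'            'suspicious (generic xyz suffix)' 'constructed' \
        '.ws'             'suspicious (generic ws suffix)'  'constructed' \
        'evil-example.cc' 'known malicious'                 'constructed' \
        'bad-example.xyz' 'known malicious'                 'constructed' > "$1"
}

# Demo on the constructed file; in an update script you would point it at
# trails/static/suspicious/___domain.txt after each trails update.
sample=$(mktemp)
make_sample_trails "$sample"
echo "disabled $(disable_suffix_rules "$sample" cc xyz ws) suffix rule(s):"
cat "$sample"
rm -f "$sample"
```

The function only touches lines whose trail is a bare suffix, so a full ___domain such as `evil-example.cc` keeps being detected, which is the "known would stay detected" behaviour from the reply above. Already-commented lines are skipped, so running it twice is harmless, but it must be re-run after every trails update if your update step replaces the file.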