Detect attacks on your network with Maltrail


Maltrail is also at home in virtual environments. For instance, you can analyze the network traffic of guest systems in a VMware infrastructure. The ESXi host has a Python interpreter on board, but Maltrail works better as a standalone virtual machine. The VM needs one network adapter per port group. Because Maltrail accesses the IP packets via PCAP, the port group or virtual switch needs permission to use promiscuous mode. In this setup, Maltrail works only with copies of the packets. This keeps the virtual servers accessible even if the sensor process throws errors or the Maltrail VM is not running.

The Maltrail sensor can, of course, report to its own server, but it can also feed Syslog and Logstash. To do this, it formats its messages as standardized syslogs or as structured JSON. This support for logging means you can integrate Maltrail into a larger log infrastructure or include it as part of a logging-as-a-service strategy.


The lightweight Maltrail network scanner analyzes network traffic for suspicious activity, gleaning information from freely available blacklists and reputation databases. Maltrail also acts like an intrusion detection system: It loads signatures and compares them with the inspected IP packets. If a match occurs, an alert appears on the dashboard to warn the admin. Maltrail is not an all-around no-worries package, but it is a useful building block in a security strategy.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy Linux Magazine

Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • Instrumented Garden

    Place long-range wireless sensors in a garden and keep track of ambient conditions with gauges and time-based graphs.

  • Packet Telemetry with Host-INT

    Inband Network Telemetry and Host-INT can provide valuable insights on network performance – including information on latency and packet drops.

  • WiFi Thermo-Hygrometer

    A WiFi sensor monitors indoor humidity and temperature and a Node-RED dashboard reports the results, helping you to maintain a pleasant environment.

  • ARP Spoofing

    Any user on a LAN can sniff and manipulate local traffic. ARP spoofing and poisoning techniques give an attacker an easy way in.

  • Bpytop

    Linux users have many options for monitoring system resources, but bpytop, a new Python port of bashtop, more than stands out from the crowd.

comments powered by Disqus
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters

Support Our Work

Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.

Learn More