Maltrail scans the traffic on your hosts and detects malicious traffic by matching it against publicly available blacklists, AV lists, and user-defined lists.
The system consists of two components, a “Sensor” and a “Server”.
The “sensor” can be set up as:
- a standalone server on the public network (“honeypot”)
- a server passively connected to a mirroring port on a switch
- a transparent inline pass-through server
In all three configurations, the sensor collects suspicious events and passes them to the “Server”.
The “server” collects and stores all the events received from the “sensor” and produces visual reports through its web interface.
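The sensor/server split described above, as an added illustration that is not Maltrail's own code: a toy sensor matches pre-parsed connection records against a small indicator list (the "trails"), emits an event for each hit, and hands it to a toy server that stores the events and summarises them per indicator and per source host. The trail list, the traffic records and the `Event`/`Sensor`/`Server` names are all constructed for this example; a real deployment would feed the sensor from a capture interface and exchange events over the network.

```python
"""Toy sensor/server pair (added example, not Maltrail code).

Assumptions: traffic arrives as pre-parsed records with a source IP, a
destination IP and optionally a DNS query name; indicators ("trails") are
plain IPs, CIDR ranges or domain names, each tagged with its list of origin.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, Optional, Tuple

# Constructed trail list: indicator -> (list it came from, description).
# Addresses are from the RFC 5737 documentation ranges.
TRAILS: Dict[str, Tuple[str, str]] = {
    "198.51.100.23": ("public-blacklist", "known C2 address"),
    "bad-update.example": ("user-defined", "suspicious update domain"),
    "192.0.2.0/24": ("av-list", "scanner range"),
}


@dataclass(frozen=True)
class Event:
    src_ip: str   # host on our network that produced the traffic
    dst: str      # destination value that matched (IP or domain)
    trail: str    # indicator it matched
    info: str     # description carried with the trail
    source: str   # which list the trail came from


def match_trail(value: str, trails: Dict[str, Tuple[str, str]] = TRAILS) -> Optional[str]:
    """Return the trail matched by an IP or domain, or None.

    Matching order: exact value, parent domains (cdn.bad.example -> bad.example),
    then CIDR containment for IP values.
    """
    if value in trails:
        return value
    parts = value.split(".")
    for i in range(1, len(parts) - 1):          # never match a bare TLD
        parent = ".".join(parts[i:])
        if parent in trails:
            return parent
    try:
        ip = ip_address(value)
    except ValueError:                          # a domain name, not an IP
        return None
    for trail in trails:
        if "/" in trail and ip in ip_network(trail):
            return trail
    return None


class Sensor:
    """Inspects traffic records and forwards matches to a server callback."""

    def __init__(self, trails: Dict[str, Tuple[str, str]], send: Callable[[Event], None]):
        self.trails = trails
        self.send = send

    def inspect(self, record: dict) -> bool:
        """Return True (and emit an event) if any field of the record hits a trail."""
        for candidate in (record.get("dst"), record.get("query")):
            if not candidate:
                continue
            trail = match_trail(candidate, self.trails)
            if trail:
                source, info = self.trails[trail]
                self.send(Event(record["src"], candidate, trail, info, source))
                return True
        return False


class Server:
    """Stores events received from sensors and builds a summary report."""

    def __init__(self):
        self.events = []

    def receive(self, event: Event) -> None:
        self.events.append(event)

    def report(self) -> dict:
        by_trail = Counter(e.trail for e in self.events)
        hosts = defaultdict(set)
        for e in self.events:
            hosts[e.src_ip].add(e.trail)
        return {
            "total": len(self.events),
            "by_trail": dict(by_trail),
            "hosts": {h: sorted(t) for h, t in hosts.items()},
        }


# Constructed traffic records: three hits (IP, parent-domain, CIDR) and one clean flow.
SAMPLE_TRAFFIC = [
    {"src": "10.0.0.5", "dst": "198.51.100.23"},
    {"src": "10.0.0.5", "dst": "93.184.216.34", "query": "www.bad-update.example"},
    {"src": "10.0.0.7", "dst": "192.0.2.77"},
    {"src": "10.0.0.9", "dst": "203.0.113.5", "query": "example.com"},
]


def run_demo(records=SAMPLE_TRAFFIC, trails=TRAILS):
    """Wire a sensor to a server, replay the records, return (hits, report)."""
    server = Server()
    sensor = Sensor(trails, server.receive)
    flagged = sum(sensor.inspect(r) for r in records)
    return flagged, server.report()


if __name__ == "__main__":
    hits, summary = run_demo()
    print(f"{hits} suspicious flows")
    for trail, count in summary["by_trail"].items():
        print(f"  {trail}: {count}")
```

The design mirrors the division of labour in the text: the sensor does only matching and forwarding, so it can sit on a mirror port or inline without keeping state, while the server owns storage and reporting. Parent-domain and CIDR matching are included because a literal-only lookup misses the common case of a subdomain or a single host inside a listed range.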
More information about Maltrail, including download and installation instructions, is available on Maltrail’s GitHub page.