Organizations spend a lot of money on firewalls, antivirus software, EDR solutions, and SIEM platforms. However, attackers still find ways to communicate with compromised systems inside a network. What if there were a lightweight, open-source tool that could monitor network traffic and alert you whenever a device tries to communicate with known malicious IP addresses, domains, or URLs?
This is exactly what Maltrail does. Maltrail is an open-source malicious traffic detection system. It continuously monitors network traffic and compares it against thousands of known malicious indicators collected from threat intelligence feeds.
What Problem Does Maltrail Solve?
Imagine a user in your company accidentally downloads malware. The malware starts communicating with its command-and-control (C2) server on the Internet. Without monitoring tools, this communication may go unnoticed.
Maltrail helps detect:
- Malware communication
- Command-and-control traffic
- Connections to malicious IP addresses
- Connections to malicious domains
- Phishing-related traffic
- Suspicious URLs
- Known attack tools such as sqlmap User-Agent strings
- Potential new threats using heuristic detection methods
Instead of inspecting every packet deeply like some IDS solutions, Maltrail focuses on identifying known malicious indicators quickly and efficiently.
What Is a “Trail”?
The name “Maltrail” comes from the word “malicious trail.” A trail is simply an indicator associated with malicious activity.
Examples include:
| Trail Type | Example |
| --- | --- |
| IP address | 185.188.190.199 |
| Domain | bad-malware-domain.com |
| URL | http://malware-site.com/payload.exe |
| User-Agent | sqlmap |
Maltrail continuously compares network traffic against these trails. If a match occurs, it generates an alert.
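To make the matching step concrete, here is a small Python matcher added for this article; it is not code from Maltrail or from the original post. It applies each of the four trail types in the table to constructed sample events. The four trail values come from the table; the CIDR range, the sample addresses and the Event layout are constructed for the example and do not follow Maltrail's trails.csv format. One design choice worth noticing: a domain trail here also matches subdomains of the listed name, and a User-Agent trail is a substring match, because real tools append version strings.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed trail list for this example. The four values come from the table
# above; the CIDR range is added to show network-range trails. This is not the
# layout of Maltrail's trails.csv file.
TRAILS = {
    "ip": {"185.188.190.199"},
    "cidr": {"203.0.113.0/24"},                      # constructed (RFC 5737 range)
    "domain": {"bad-malware-domain.com"},
    "url": {"http://malware-site.com/payload.exe"},
    "user_agent": {"sqlmap"},
}

Hit = Tuple[str, str]   # (trail type, matched trail)


@dataclass
class Event:
    """One observed flow, with whatever application-layer fields were seen."""
    src: str
    dst: str
    domain: Optional[str] = None        # e.g. a DNS query name
    url: Optional[str] = None           # e.g. a full HTTP request URL
    user_agent: Optional[str] = None    # e.g. the HTTP User-Agent header


def match_ip(ip: str) -> Optional[Hit]:
    """Exact IP trail first, then any CIDR trail containing the address."""
    if ip in TRAILS["ip"]:
        return ("ip", ip)
    addr = ipaddress.ip_address(ip)
    for net in TRAILS["cidr"]:
        if addr in ipaddress.ip_network(net):
            return ("ip", net)
    return None


def match_domain(domain: str) -> Optional[Hit]:
    """Match the name and each parent domain (never the bare TLD), so a trail
    for bad-malware-domain.com also covers cdn.bad-malware-domain.com."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in TRAILS["domain"]:
            return ("domain", candidate)
    return None


def match_url(url: str) -> Optional[Hit]:
    """URL trails are compared exactly."""
    return ("url", url) if url in TRAILS["url"] else None


def match_user_agent(ua: str) -> Optional[Hit]:
    """User-Agent trails are substrings: 'sqlmap/1.8 (...)' still matches 'sqlmap'."""
    ua_lower = ua.lower()
    for needle in TRAILS["user_agent"]:
        if needle in ua_lower:
            return ("user_agent", needle)
    return None


def check_event(ev: Event) -> List[Hit]:
    """Apply every applicable trail type to one event and collect the hits."""
    hits: List[Hit] = []
    for ip in (ev.src, ev.dst):
        hit = match_ip(ip)
        if hit:
            hits.append(hit)
    if ev.domain and (hit := match_domain(ev.domain)):
        hits.append(hit)
    if ev.url and (hit := match_url(ev.url)):
        hits.append(hit)
    if ev.user_agent and (hit := match_user_agent(ev.user_agent)):
        hits.append(hit)
    return hits


# Constructed sample events: 192.168.1.x stands for the local LAN, the other
# addresses are documentation ranges (RFC 5737).
SAMPLE_EVENTS = [
    Event("192.168.1.20", "185.188.190.199"),
    Event("192.168.1.21", "192.168.1.1", domain="cdn.bad-malware-domain.com"),
    Event("192.168.1.22", "198.51.100.7", url="http://malware-site.com/payload.exe"),
    Event("192.168.1.23", "198.51.100.8", user_agent="sqlmap/1.8 (https://sqlmap.org)"),
    Event("192.168.1.24", "203.0.113.45"),
    Event("192.168.1.25", "198.51.100.9", domain="example.com"),   # benign, no alert
]


def scan(events: List[Event]) -> List[Tuple[Event, List[Hit]]]:
    """Return (event, hits) for every event that matched at least one trail."""
    alerts = []
    for ev in events:
        hits = check_event(ev)
        if hits:
            alerts.append((ev, hits))
    return alerts


if __name__ == "__main__":
    for ev, hits in scan(SAMPLE_EVENTS):
        print(f"{ev.src} -> {ev.dst}: {hits}")
```

Running the script prints one line per alerting event; the benign example.com lookup produces nothing, which is the behaviour you want from an indicator matcher: silence unless a trail is hit.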
How to Install Maltrail (Step by Step)
We will use the same Kali box to run both the sensor and the server. On Kali Linux (IP 192.168.1.15 in this walkthrough; your Kali IP can be anything, the address is only for reference) run these commands:
Linux kali 6.18.12+kali-amd64 #1 SMP PREEMPT_DYNAMIC Kali 6.18.12-1kali1 (2026-02-25) x86_64
┌──(root㉿kali)-[~/iicybersecurity]
└─# apt update
Get:1 http://kali.download/kali kali-rolling InRelease [34.0 kB]
Get:2 http://kali.download/kali kali-rolling/main amd64 Packages [21.2 MB]
Get:3 http://kali.download/kali kali-rolling/main amd64 Contents (deb) [53.2 MB]
Get:4 http://kali.download/kali kali-rolling/contrib amd64 Packages [104 kB]
Get:5 http://kali.download/kali kali-rolling/contrib amd64 Contents (deb) [189 kB]
Get:6 http://kali.download/kali kali-rolling/non-free amd64 Packages [175 kB]
Get:7 http://kali.download/kali kali-rolling/non-free amd64 Contents (deb) [891 kB]
Get:8 http://kali.download/kali kali-rolling/non-free-firmware amd64 Packages [15.8 kB]
Get:9 http://kali.download/kali kali-rolling/non-free-firmware amd64 Contents (deb) [38.9 kB]
Fetched 75.9 MB in 20min 10s (62.7 kB/s)
1540 packages can be upgraded. Run 'apt list --upgradable' to see them.
┌──(root㉿kali)-[~/iicybersecurity]
└─# sudo apt-get install git python3 python3-dev python3-pip python-is-python3 libpcap-dev build-essential procps schedtool
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
python-is-python3 is already the newest version (3.13.3-1).
python-is-python3 set to manually installed.
build-essential is already the newest version (12.12).
build-essential set to manually installed.
Solving dependencies... Done
The following additional packages will be installed:
dbus dbus-bin dbus-daemon dbus-session-bus-common dbus-system-bus-common dbus-user-session dbus-x11 git-man libdbus-1-3 libdbus-1-dev libjs-sphinxdoc libnss-systemd
libpam-systemd libpcap0.8-dev libpkgconf7 libproc2-0 libpython3-dev libpython3-stdlib libsystemd-dev libsystemd-shared libsystemd0 libudev1 pkgconf pkgconf-bin
python3-minimal python3-pip-whl python3-tk python3-venv systemd systemd-sysv systemd-timesyncd systemd-userdbd udev
The following NEW packages will be installed:
libdbus-1-dev libpcap-dev libpcap0.8-dev libpkgconf7 libsystemd-dev pkgconf pkgconf-bin schedtool
The following packages will be upgraded:
dbus dbus-bin dbus-daemon dbus-session-bus-common dbus-system-bus-common dbus-user-session dbus-x11 git git-man libdbus-1-3 libjs-sphinxdoc libnss-systemd
libpam-systemd libproc2-0 libpython3-dev libpython3-stdlib libsystemd-shared libsystemd0 libudev1 procps python3 python3-dev python3-minimal python3-pip
python3-pip-whl python3-tk python3-venv systemd systemd-sysv systemd-timesyncd systemd-userdbd udev
32 upgraded, 8 newly installed, 0 to remove and 1508 not upgraded.
Need to get 26.8 MB of archives.
After this operation, 9,886 kB of additional disk space will be used.
Do you want to continue? [Y/n] Y
Get:1 http://kali.download/kali kali-rolling/main amd64 libsystemd0 amd64 260.1-1 [446 kB]
Get:2 http://kali.download/kali kali-rolling/main amd64 libpam-systemd amd64 260.1-1 [299 kB]
Get:3 http://kali.download/kali kali-rolling/main amd64 libnss-systemd amd64 260.1-1 [208 kB]
Get:4 http://kali.download/kali kali-rolling/main amd64 systemd-userdbd amd64 260.1-1 [78.9 kB]
Get:5 http://kali.download/kali kali-rolling/main amd64 systemd-sysv amd64 260.1-1 [37.4 kB]
Get:6 http://kali.download/kali kali-rolling/main amd64 libsystemd-shared amd64 260.1-1 [2,398 kB]
Get:7 http://kali.download/kali kali-rolling/main amd64 systemd amd64 260.1-1 [3,299 kB]
Get:13 http://mirrors.esto.network/kali kali-rolling/main amd64 dbus-x11 amd64 1.16.2-5 [61.6 kB]
Get:8 http://kali.download/kali kali-rolling/main amd64 systemd-timesyncd amd64 260.1-1 [68.1 kB]
Get:9 http://kali.download/kali kali-rolling/main amd64 udev amd64 260.1-1 [1,442 kB]
Get:14 http://mirrors.esto.network/kali kali-rolling/main amd64 dbus-user-session amd64 1.16.2-5 [48.5 kB]
Get:10 http://kali.download/kali kali-rolling/main amd64 libudev1 amd64 260.1-1 [133 kB]
Get:11 http://kali.download/kali kali-rolling/main amd64 dbus-system-bus-common all 1.16.2-5 [49.6 kB]
Get:12 http://kali.download/kali kali-rolling/main amd64 dbus-session-bus-common all 1.16.2-5 [48.7 kB]
Get:16 http://mirrors.esto.network/kali kali-rolling/main amd64 dbus-bin amd64 1.16.2-5 [76.4 kB]
Get:15 http://kali.download/kali kali-rolling/main amd64 dbus-daemon amd64 1.16.2-5 [156 kB]
Get:17 http://kali.download/kali kali-rolling/main amd64 dbus amd64 1.16.2-5 [67.9 kB]
Get:18 http://kali.download/kali kali-rolling/main amd64 libdbus-1-3 amd64 1.16.2-5 [176 kB]
Get:19 http://http.kali.org/kali kali-rolling/main amd64 python3-venv amd64 3.13.9-3+b1 [1,184 B]
Get:20 http://http.kali.org/kali kali-rolling/main amd64 libpython3-dev amd64 3.13.9-3+b1 [8,588 B]
Get:21 http://http.kali.org/kali kali-rolling/main amd64 python3-dev amd64 3.13.9-3+b1 [29.8 kB]
Get:22 http://http.kali.org/kali kali-rolling/main amd64 python3-minimal amd64 3.13.9-3+b1 [25.4 kB]
Get:25 http://http.kali.org/kali kali-rolling/main amd64 libpython3-stdlib amd64 3.13.9-3+b1 [8,348 B]
Get:27 http://http.kali.org/kali kali-rolling/main amd64 procps amd64 2:4.0.4-9+b2 [880 kB]
Get:28 http://kali.download/kali kali-rolling/main amd64 git amd64 1:2.53.0-1 [9,410 kB]
Get:23 http://http.kali.org/kali kali-rolling/main amd64 python3 amd64 3.13.9-3+b1 [25.4 kB]
Get:24 http://mirrors.esto.network/kali kali-rolling/main amd64 libjs-sphinxdoc all 9.1.0-4 [45.7 kB]
Get:26 http://http.kali.org/kali kali-rolling/main amd64 libproc2-0 amd64 2:4.0.4-9+b2 [63.8 kB]
Get:38 http://http.kali.org/kali kali-rolling/main amd64 python3-pip-whl all 26.1.1+dfsg-1 [1,463 kB]
Get:29 http://kali.download/kali kali-rolling/main amd64 git-man all 1:2.53.0-1 [2,326 kB]
Get:30 http://kali.download/kali kali-rolling/main amd64 libsystemd-dev amd64 260.1-1 [1,307 kB]
Get:31 http://kali.download/kali kali-rolling/main amd64 libpkgconf7 amd64 2.5.1-4 [47.8 kB]
Get:32 http://kali.download/kali kali-rolling/main amd64 pkgconf-bin amd64 2.5.1-4 [35.9 kB]
Get:33 http://kali.download/kali kali-rolling/main amd64 pkgconf amd64 2.5.1-4 [33.6 kB]
Get:34 http://kali.download/kali kali-rolling/main amd64 libdbus-1-dev amd64 1.16.2-5 [213 kB]
Get:35 http://kali.download/kali kali-rolling/main amd64 libpcap0.8-dev amd64 1.10.6-1 [293 kB]
Get:36 http://kali.download/kali kali-rolling/main amd64 libpcap-dev amd64 1.10.6-1 [37.1 kB]
Get:37 http://http.kali.org/kali kali-rolling/main amd64 python3-pip all 26.1.1+dfsg-1 [1,406 kB]
Get:39 http://http.kali.org/kali kali-rolling/main amd64 python3-tk amd64 3.13.9-3+b1 [8,640 B]
Get:40 http://kali.download/kali kali-rolling/main amd64 schedtool amd64 1.3.0-5 [25.2 kB]
Fetched 26.8 MB in 6s (4,258 kB/s)
Extracting templates from packages: 100%
(Reading database… 426006 files and directories currently installed.)
Preparing to unpack …/libsystemd0_260.1-1_amd64.deb…
Unpacking libsystemd0:amd64 (260.1-1) over (259.1-1)…
Setting up libsystemd0:amd64 (260.1-1)…
(Reading database… 426006 files and directories currently installed.)
Preparing to unpack …/libpam-systemd_260.1-1_amd64.deb…
Unpacking libpam-systemd:amd64 (260.1-1) over (259.1-1)…
Preparing to unpack …/libnss-systemd_260.1-1_amd64.deb…
Unpacking libnss-systemd:amd64 (260.1-1) over (259.1-1)…
Preparing to unpack …/systemd-userdbd_260.1-1_amd64.deb…
Unpacking systemd-userdbd (260.1-1) over (259.1-1)…
Preparing to unpack …/systemd-sysv_260.1-1_amd64.deb…
Unpacking systemd-sysv (260.1-1) over (259.1-1)…
Preparing to unpack …/libsystemd-shared_260.1-1_amd64.deb…
Unpacking libsystemd-shared:amd64 (260.1-1) over (259.1-1)…
Setting up libsystemd-shared:amd64 (260.1-1)…
(Reading database… 426006 files and directories currently installed.)
Preparing to unpack …/systemd_260.1-1_amd64.deb…
Unpacking systemd (260.1-1) over (259.1-1)…
Preparing to unpack …/systemd-timesyncd_260.1-1_amd64.deb…
Unpacking systemd-timesyncd (260.1-1) over (259.1-1)…
Preparing to unpack …/udev_260.1-1_amd64.deb…
Unpacking udev (260.1-1) over (259.1-1)…
Preparing to unpack …/libudev1_260.1-1_amd64.deb…
Unpacking libudev1:amd64 (260.1-1) over (259.1-1)…
Setting up libudev1:amd64 (260.1-1)…
(Reading database… 426018 files and directories currently installed.)
Preparing to unpack …/00-dbus-system-bus-common_1.16.2-5_all.deb…
Unpacking dbus-system-bus-common (1.16.2-5) over (1.16.2-4)…
Preparing to unpack …/01-dbus-session-bus-common_1.16.2-5_all.deb…
Unpacking dbus-session-bus-common (1.16.2-5) over (1.16.2-4)…
Preparing to unpack …/02-dbus-x11_1.16.2-5_amd64.deb…
Unpacking dbus-x11 (1.16.2-5) over (1.16.2-4)…
Preparing to unpack …/03-dbus-user-session_1.16.2-5_amd64.deb…
Unpacking dbus-user-session (1.16.2-5) over (1.16.2-4)…
Preparing to unpack …/04-dbus-daemon_1.16.2-5_amd64.deb…
Unpacking dbus-daemon (1.16.2-5) over (1.16.2-4)…
Preparing to unpack …/05-dbus-bin_1.16.2-5_amd64.deb…
Unpacking dbus-bin (1.16.2-5) over (1.16.2-4)…
Preparing to unpack …/06-dbus_1.16.2-5_amd64.deb…
Unpacking dbus (1.16.2-5) over (1.16.2-4)…
Preparing to unpack …/07-libdbus-1-3_1.16.2-5_amd64.deb…
Unpacking libdbus-1-3:amd64 (1.16.2-5) over (1.16.2-4)…
Preparing to unpack …/08-python3-venv_3.13.9-3+b1_amd64.deb…
Unpacking python3-venv (3.13.9-3+b1) over (3.13.9-3)…
Preparing to unpack …/09-libpython3-dev_3.13.9-3+b1_amd64.deb…
Unpacking libpython3-dev:amd64 (3.13.9-3+b1) over (3.13.9-3)…
Preparing to unpack …/10-python3-dev_3.13.9-3+b1_amd64.deb…
Unpacking python3-dev (3.13.9-3+b1) over (3.13.9-3)…
Preparing to unpack …/11-python3-minimal_3.13.9-3+b1_amd64.deb…
Unpacking python3-minimal (3.13.9-3+b1) over (3.13.9-3)…
Setting up python3-minimal (3.13.9-3+b1)…
(Reading database… 426022 files and directories currently installed.)
Preparing to unpack …/00-python3_3.13.9-3+b1_amd64.deb…
running python pre-rtupdate hooks for python3.13...
Unpacking python3 (3.13.9-3+b1) over (3.13.9-3)…
Preparing to unpack …/01-libjs-sphinxdoc_9.1.0-4_all.deb…
Unpacking libjs-sphinxdoc (9.1.0-4) over (8.2.3-12)…
Preparing to unpack …/02-libpython3-stdlib_3.13.9-3+b1_amd64.deb…
Unpacking libpython3-stdlib:amd64 (3.13.9-3+b1) over (3.13.9-3)…
Preparing to unpack …/03-libproc2-0_2%3a4.0.4-9+b2_amd64.deb…
Unpacking libproc2-0:amd64 (2:4.0.4-9+b2) over (2:4.0.4-9+b1)…
Preparing to unpack …/04-procps_2%3a4.0.4-9+b2_amd64.deb…
Unpacking procps (2:4.0.4-9+b2) over (2:4.0.4-9+b1)…
Preparing to unpack …/05-git_1%3a2.53.0-1_amd64.deb…
Unpacking git (1:2.53.0-1) over (1:2.51.0-1)…
Preparing to unpack …/06-git-man_1%3a2.53.0-1_all.deb…
Unpacking git-man (1:2.53.0-1) over (1:2.51.0-1)…
Selecting previously unselected package libsystemd-dev:amd64.
Preparing to unpack …/07-libsystemd-dev_260.1-1_amd64.deb…
Unpacking libsystemd-dev:amd64 (260.1-1)…
Selecting previously unselected package libpkgconf7:amd64.
Preparing to unpack …/08-libpkgconf7_2.5.1-4_amd64.deb…
Unpacking libpkgconf7:amd64 (2.5.1-4)…
Selecting previously unselected package pkgconf-bin.
Preparing to unpack …/09-pkgconf-bin_2.5.1-4_amd64.deb…
Unpacking pkgconf-bin (2.5.1-4)…
Selecting previously unselected package pkgconf:amd64.
Preparing to unpack …/10-pkgconf_2.5.1-4_amd64.deb…
Unpacking pkgconf:amd64 (2.5.1-4)…
Selecting previously unselected package libdbus-1-dev:amd64.
Preparing to unpack …/11-libdbus-1-dev_1.16.2-5_amd64.deb…
Unpacking libdbus-1-dev:amd64 (1.16.2-5)…
Selecting previously unselected package libpcap0.8-dev:amd64.
Preparing to unpack …/12-libpcap0.8-dev_1.10.6-1_amd64.deb…
Unpacking libpcap0.8-dev:amd64 (1.10.6-1)…
Selecting previously unselected package libpcap-dev:amd64.
Preparing to unpack …/13-libpcap-dev_1.10.6-1_amd64.deb…
Unpacking libpcap-dev:amd64 (1.10.6-1)…
Preparing to unpack …/14-python3-pip_26.1.1+dfsg-1_all.deb…
Unpacking python3-pip (26.1.1+dfsg-1) over (26.0.1+dfsg-1)…
Preparing to unpack …/15-python3-pip-whl_26.1.1+dfsg-1_all.deb…
Unpacking python3-pip-whl (26.1.1+dfsg-1) over (26.0.1+dfsg-1)…
Preparing to unpack …/16-python3-tk_3.13.9-3+b1_amd64.deb…
Unpacking python3-tk (3.13.9-3+b1) over (3.13.9-3)…
Selecting previously unselected package schedtool.
Preparing to unpack …/17-schedtool_1.3.0-5_amd64.deb…
Unpacking schedtool (1.3.0-5)…
Setting up libpython3-dev:amd64 (3.13.9-3+b1)…
Setting up python3-pip-whl (26.1.1+dfsg-1)…
Setting up libpkgconf7:amd64 (2.5.1-4)…
Setting up libnss-systemd:amd64 (260.1-1)…
Setting up python3-tk (3.13.9-3+b1)…
Setting up systemd (260.1-1)…
Created symlink '/etc/systemd/system/autovt@.service' → '/usr/lib/systemd/system/getty@.service'.
Setting up libdbus-1-3:amd64 (1.16.2-5)…
Setting up libproc2-0:amd64 (2:4.0.4-9+b2)…
Setting up systemd-timesyncd (260.1-1)…
systemd-time-wait-sync.service is a disabled or a static unit not running, not starting it.
Setting up udev (260.1-1)…
Setting up pkgconf-bin (2.5.1-4)…
Setting up libjs-sphinxdoc (9.1.0-4)…
Setting up dbus-session-bus-common (1.16.2-5)…
Setting up procps (2:4.0.4-9+b2)…
Setting up git-man (1:2.53.0-1)…
Setting up dbus-system-bus-common (1.16.2-5)…
Setting up dbus-bin (1.16.2-5)…
Setting up libsystemd-dev:amd64 (260.1-1)…
Setting up libpython3-stdlib:amd64 (3.13.9-3+b1)…
Setting up schedtool (1.3.0-5)…
Setting up systemd-userdbd (260.1-1)…
Setting up systemd-sysv (260.1-1)…
Setting up python3 (3.13.9-3+b1)…
running python rtupdate hooks for python3.13...
/usr/share/commix/src/core/tamper/backslashes.py:21: SyntaxWarning: invalid escape sequence '\)'
About: Adds back slashes (\) between the characters in a given payload.
running python post-rtupdate hooks for python3.13...
Setting up dbus-daemon (1.16.2-5)…
Setting up pkgconf:amd64 (2.5.1-4)…
Setting up python3-venv (3.13.9-3+b1)…
Setting up libdbus-1-dev:amd64 (1.16.2-5)…
Setting up dbus (1.16.2-5)…
A reboot may be required to replace a running dbus-daemon.
Please reboot the system when convenient.
dbus.service is a disabled or a static unit, not starting it.
Setting up python3-dev (3.13.9-3+b1)…
Setting up git (1:2.53.0-1)…
Setting up python3-pip (26.1.1+dfsg-1)…
Setting up dbus-x11 (1.16.2-5)…
Setting up libpam-systemd:amd64 (260.1-1)…
Setting up dbus-user-session (1.16.2-5)…
Processing triggers for initramfs-tools (0.150)…
update-initramfs: Generating /boot/initrd.img-6.18.12+kali-amd64
Processing triggers for doc-base (0.11.2)…
Processing 42 changed doc-base files...
Processing triggers for libc-bin (2.42-13)…
Processing triggers for man-db (2.13.1-1)…
Processing triggers for shared-mime-info (2.4-5+b3)…
Processing triggers for sgml-base (1.31+nmu1)…
Processing triggers for kali-menu (2026.1.5)…
Setting up libpcap0.8-dev:amd64 (1.10.6-1)…
Setting up libpcap-dev:amd64 (1.10.6-1)…
┌──(root㉿kali)-[~/iicybersecurity]
└─# sudo pip3 install pcapy-ng
error: externally-managed-environment
× This environment is externally managed
╰─> To install Python packages system-wide, try apt install
python3-xyz, where xyz is the package you are trying to
install.
If you wish to install a non-Kali-packaged Python package,
create a virtual environment using python3 -m venv path/to/venv.
Then use path/to/venv/bin/python and path/to/venv/bin/pip. Make
sure you have pypy3-venv installed.
If you wish to install a non-Kali-packaged Python application,
it may be easiest to use pipx install xyz, which will manage a
virtual environment for you. Make sure you have pipx installed.
For more information, refer to the following:
* https://www.kali.org/docs/general-use/python3-external-packages/
* /usr/share/doc/python3.13/README.venv
note: If you believe this is a mistake, please contact your Python installation or OS distribution provider. You can override this, at the risk of breaking your Python installation or OS, by passing --break-system-packages.
hint: See PEP 668 for the detailed specification.
┌──(root㉿kali)-[~/iicybersecurity]
└─# python3 -m venv pcapenv
source pcapenv/bin/activate
pip install --upgrade pip setuptools wheel
pip install pcapy-ng
Requirement already satisfied: pip in ./pcapenv/lib/python3.13/site-packages (26.1.1)
Collecting pip
Downloading pip-26.1.2-py3-none-any.whl.metadata (4.6 kB)
Collecting setuptools
Downloading setuptools-82.0.1-py3-none-any.whl.metadata (6.5 kB)
Collecting wheel
Downloading wheel-0.47.0-py3-none-any.whl.metadata (2.3 kB)
Collecting packaging>=24.0 (from wheel)
Downloading packaging-26.2-py3-none-any.whl.metadata (3.5 kB)
Downloading pip-26.1.2-py3-none-any.whl (1.8 MB)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 1.8/1.8 MB 11.6 MB/s 0:00:00
Downloading setuptools-82.0.1-py3-none-any.whl (1.0 MB)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 1.0/1.0 MB 9.8 MB/s 0:00:00
Downloading wheel-0.47.0-py3-none-any.whl (32 kB)
Downloading packaging-26.2-py3-none-any.whl (100 kB)
Installing collected packages: setuptools, pip, packaging, wheel
Attempting uninstall: pip
Found existing installation: pip 26.1.1
Uninstalling pip-26.1.1:
Successfully uninstalled pip-26.1.1
Successfully installed packaging-26.2 pip-26.1.2 setuptools-82.0.1 wheel-0.47.0
Collecting pcapy-ng
Downloading pcapy_ng-1.1.0.tar.gz (38 kB)
Installing build dependencies ... done
Getting requirements to build wheel ... done
Preparing metadata (pyproject.toml) ... done
Building wheels for collected packages: pcapy-ng
Building wheel for pcapy-ng (pyproject.toml) ... done
Created wheel for pcapy-ng: filename=pcapy_ng-1.1.0-cp313-cp313-linux_x86_64.whl size=87234 sha256=283356a1f67a2b40be5e0583481a89d0d656cf607928545cece2fabb114f4b4e
Stored in directory: /root/.cache/pip/wheels/4c/85/27/ce302f32ea41198bca543a8996463aecce0a5834c15751c1f9
Successfully built pcapy-ng
Installing collected packages: pcapy-ng
Successfully installed pcapy-ng-1.1.0
┌──(pcapenv)─(root㉿kali)-[~/iicybersecurity]
└─#
┌──(pcapenv)─(root㉿kali)-[~/iicybersecurity]
└─# pip install --upgrade pip
pip install pcapy-ng
Requirement already satisfied: pip in ./pcapenv/lib/python3.13/site-packages (26.1.2)
Requirement already satisfied: pcapy-ng in ./pcapenv/lib/python3.13/site-packages (1.1.0)
┌──(pcapenv)─(root㉿kali)-[~/iicybersecurity]
└─# ls
pcapenv
┌──(pcapenv)─(root㉿kali)-[~/iicybersecurity]
└─# git clone --depth 1 https://github.com/stamparm/maltrail.git
Cloning into 'maltrail'...
remote: Enumerating objects: 3222, done.
remote: Counting objects: 100% (3222/3222), done.
remote: Compressing objects: 100% (2721/2721), done.
remote: Total 3222 (delta 558), reused 2816 (delta 495), pack-reused 0 (from 0)
Receiving objects: 100% (3222/3222), 15.04 MiB | 1.96 MiB/s, done.
Resolving deltas: 100% (558/558), done.
┌──(pcapenv)─(root㉿kali)-[~/iicybersecurity]
└─# cd maltrail
┌──(pcapenv)─(root㉿kali)-[~/iicybersecurity/maltrail]
└─# ls
CHANGELOG core fail2ban LICENSE maltrail-sensor.service misc README.md SECURITY.md server.py trails
CITATION.cff docker html maltrail.conf maltrail-server.service plugins requirements.txt sensor.py thirdparty
┌──(pcapenv)─(root㉿kali)-[~/iicybersecurity/maltrail]
└─# sudo python3 sensor.py
Maltrail (sensor) #v1.5 {https://maltrail.github.io}
[*] starting @ 11:53:40 /2026-06-10/
[i] using configuration file '/root/iicybersecurity/maltrail/maltrail.conf'
[i] using '/var/log/maltrail' for log storage
[i] using '/root/.maltrail/trails.csv' for trail storage
[i] updating trails (this might take a while)...
[o] 'https://raw.githubusercontent.com/borestad/blocklist-abuseipdb/main/abuseipdb-s100-1d.ipv4'
[o] 'https://cybercrime-tracker.net/ccam.php'
[x] something went wrong during remote data retrieval ('https://cybercrime-tracker.net/ccam.php')
[o] 'https://www.badips.com/get/list/any/2?age=7d'
[o] 'https://www.binarydefense.com/banlist.txt'
[o] 'https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/bitcoin_nodes_1d.ipset'
[x] something went wrong during remote data retrieval ('https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/bitcoin_nodes_1d.ipset')
[o] 'https://raw.githubusercontent.com/stamparm/blackbook/master/blackbook.csv'
[o] 'https://blackhole.monster/blackhole-today'
[o] 'https://lists.blocklist.de/lists/all.txt'
[o] 'https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/botscout_1d.ipset'
[o] 'http://danger.rulez.sk/projects/bruteforceblocker/blist.php'
[o] 'https://iplists.firehol.org/files/cleantalk_1d.ipset'
[o] 'https://raw.githubusercontent.com/fox-it/cobaltstrike-extraneous-space/master/cobaltstrike-servers.csv'
[o] 'https://cybercrime-tracker.net/all.php'
[x] something went wrong during remote data retrieval ('https://cybercrime-tracker.net/all.php')
[o] 'https://dataplane.org/*.txt'
[o] 'https://iplists.firehol.org/files/dshield_top_1000.ipset'
[o] 'https://rules.emergingthreats.net/open/suricata/rules/botcc.rules'
[o] 'https://rules.emergingthreats.net/open/suricata/rules/compromised-ips.txt'
[o] 'https://rules.emergingthreats.net/open/suricata/rules/emerging-malware.rules'
[o] 'https://cybercrime-tracker.net/ccpmgate.php'
[x] something went wrong during remote data retrieval ('https://cybercrime-tracker.net/ccpmgate.php')
[o] 'https://feodotracker.abuse.ch/downloads/ipblocklist_recommended.txt'
[o] 'https://iplists.firehol.org/files/gpf_comics.ipset'
[o] 'https://blocklist.greensnow.co/greensnow.txt'
[o] 'https://www.sekuripy.hr/blacklist.txt'
[o] 'https://iplists.firehol.org/files/maxmind_proxy_fraud.ipset'
[o] 'https://raw.githubusercontent.com/Hestat/minerchk/master/hostslist.txt'
[o] 'https://openphish.com/feed.txt'
[o] 'https://palevotracker.abuse.ch/blocklists.php?download=combinedblocklist'
[o] 'https://ransomwaretracker.abuse.ch/downloads/RW_DOMBL.txt'
[o] 'https://ransomwaretracker.abuse.ch/downloads/RW_IPBL.txt'
[o] 'https://ransomwaretracker.abuse.ch/downloads/RW_URLBL.txt'
[o] 'https://report.cs.rutgers.edu/DROP/attackers'
[o] 'https://sblam.com/blacklist.txt'
[o] 'https://raw.githubusercontent.com/scriptzteam/badIPS/main/ips.txt'
[o] 'https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/socks_proxy_7d.ipset'
[o] 'https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/sslproxies_1d.ipset'
[o] 'https://raw.githubusercontent.com/stamparm/aux/master/maltrail-static-trails.txt'
[o] 'https://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=1.1.1.1'
[o] 'https://github.com/JR0driguezB/malware_configs'
[o] 'https://urlhaus.abuse.ch/downloads/text/'
[o] 'http://tracker.viriback.com/dump.php'
[o] 'https://zeustracker.abuse.ch/monitor.php?filter=all'
[o] 'https://zeustracker.abuse.ch/blocklist.php?download=compromised'
[o] '(custom)'
[o] '(static)'
[i] post-processing trails (this might take a while)...
[i] update finished
[i] trails stored to '/root/.maltrail/trails.csv'
[i] updating ipcat database...
[?] in case of any problems with packet capture on virtual interface 'any', please put all monitoring interfaces to promiscuous mode manually (e.g. 'sudo ifconfig eth0 promisc')
[i] opening interface 'any'
[i] setting capture filter 'udp or icmp or (tcp and (tcp[tcpflags] == tcp-syn or port 80 or port 1080 or port 3128 or port 8000 or port 8080 or port 8118))'
[^] running...
In another SSH session to the Kali box, run these commands:
┌──(root㉿kali)-[/home/kali]
└─# cd /root/iicybersecurity/maltrail
┌──(root㉿kali)-[~/iicybersecurity/maltrail]
└─# ls
CHANGELOG core fail2ban LICENSE maltrail-sensor.service misc README.md SECURITY.md server.py trails
CITATION.cff docker html maltrail.conf maltrail-server.service plugins requirements.txt sensor.py thirdparty
┌──(root㉿kali)-[~/iicybersecurity/maltrail]
└─# python server.py
Maltrail (server) #v1.5 {https://maltrail.github.io}
[*] starting @ 14:01:34 /2026-06-10/
[i] using configuration file '/root/iicybersecurity/maltrail/maltrail.conf'
[i] starting HTTP server at http://0.0.0.0:8338/
[^] running...
This starts the server on the same Kali box where the sensor is running. Once the server is up, open the Maltrail UI at http://192.168.1.15:8338/ (the server binds to 0.0.0.0:8338, so it is reachable from every interface) and log in with the default credentials admin / changeme!. Change that default password in maltrail.conf before leaving the server running anywhere other than an isolated lab network.

Now let's generate some attack traffic to check the dashboard. From another machine on the same subnet as the Kali machine, open a command prompt and make DNS requests for malicious domains, using the Kali machine (192.168.1.15) as the DNS server. The sensor captures all UDP traffic on interface 'any' (see the capture filter in the sensor output above), so the queries are inspected whether or not anything on the Kali box actually answers them, and you will see alerts on the Maltrail dashboard as soon as the requests are made.
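The test above works because the sensor sees the DNS query on the wire and pulls the queried name out of it. The following Python is an added example, not Maltrail code and not part of the original post, showing that sensor-side step: parse the question section out of a raw UDP/53 payload, bounds-checking every length so a malformed packet cannot make the parser read past the buffer, extract the name, and compare it against a domain trail set. The trail set, the addresses and the packets are constructed; the helper build_dns_query exists only to create the sample payloads offline.

```python
import struct
from typing import Dict, List, Optional, Tuple

# Constructed domain trail set for the example (only the domain from the
# table earlier in the article); not a real feed.
MALICIOUS_DOMAINS = {"bad-malware-domain.com"}


def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Helper that exists only to construct sample payloads offline: a standard
    recursive query (flags 0x0100) with a single A/IN question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN


def parse_dns_query(payload: bytes) -> Optional[Tuple[int, str, int]]:
    """Extract (txid, qname, qtype) from the first question of a DNS query.

    Returns None for anything that is not a well-formed query: responses
    (QR bit set), truncated packets, or compression pointers, which a plain
    query's question section never contains."""
    if len(payload) < 12:
        return None
    txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if flags & 0x8000 or qdcount < 1:
        return None
    labels: List[str] = []
    pos = 12
    while True:
        if pos >= len(payload):
            return None
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0 or pos + length > len(payload):
            return None
        labels.append(payload[pos:pos + length].decode("ascii", errors="replace"))
        pos += length
    if not labels or pos + 4 > len(payload):
        return None
    qtype, _qclass = struct.unpack("!HH", payload[pos:pos + 4])
    return txid, ".".join(labels).lower(), qtype


def domain_trail(qname: str) -> Optional[str]:
    """Return the trail matching the name or any parent domain (not the bare TLD)."""
    labels = qname.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in MALICIOUS_DOMAINS:
            return candidate
    return None


def inspect_dns(src_ip: str, dst_ip: str, payload: bytes) -> Optional[Dict[str, object]]:
    """What a sensor does per UDP/53 payload: parse, extract the name, compare."""
    parsed = parse_dns_query(payload)
    if parsed is None:
        return None
    txid, qname, qtype = parsed
    trail = domain_trail(qname)
    if trail is None:
        return None
    return {"src": src_ip, "dst": dst_ip, "txid": txid, "qname": qname,
            "qtype": qtype, "trail": trail}


# Constructed sample traffic: LAN hosts querying the Kali box (192.168.1.15,
# as in the walkthrough), plus one truncated packet that must be rejected.
SAMPLE_PACKETS = [
    ("192.168.1.20", "192.168.1.15", build_dns_query("www.bad-malware-domain.com")),
    ("192.168.1.21", "192.168.1.15", build_dns_query("example.org", txid=0x4242)),
    ("192.168.1.22", "192.168.1.15", build_dns_query("bad-malware-domain.com")[:20]),
]


def run_sample() -> List[Dict[str, object]]:
    """Run the inspection over the sample packets and return the alerts."""
    alerts = []
    for src, dst, payload in SAMPLE_PACKETS:
        alert = inspect_dns(src, dst, payload)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Only the first packet produces an alert: example.org matches no trail, and the truncated packet is dropped by the parser rather than guessed at. Rejecting malformed input outright is the safer choice for a sensor, since it reads traffic it does not control.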

The Maltrail dashboard after the attack:

Conclusion
Maltrail is one of the easiest open-source network security tools to understand and deploy. It acts as an intelligent observer of network traffic, comparing communication against known malicious indicators and generating alerts whenever suspicious activity is detected.
For students, SOC analysts, blue teamers, and cybersecurity professionals who want to learn network threat detection without investing in expensive enterprise tools, Maltrail is an excellent starting point. It combines threat intelligence, network monitoring, and alerting into a lightweight solution that can provide immediate security visibility.
If you are building a home lab, SOC lab, or cybersecurity training environment, Maltrail is definitely worth exploring.

Cyber Security Researcher. Information security specialist, currently working as a risk infrastructure specialist & investigator. He is a cyber-security researcher with over 25 years of experience. He has served with the Intelligence Agency as a Senior Intelligence Officer. He has also worked with Google and Citrix in the development of cyber security solutions. He has aided the government and many federal agencies in thwarting many cyber crimes. He has been writing for us in his free time for the last 5 years.