Maltrail
Detect malicious network traffic using 47+ live threat feeds, heuristics, and a fat-client reporting dashboard — no commercial stack required.
Maltrail is an open-source malicious traffic detection system that identifies network threats by matching live traffic against a continuously-updated corpus of blacklisted domains, IP addresses, URLs, and HTTP User-Agent strings drawn from more than 47 community and commercial threat feeds. It targets network administrators, SOC analysts, and security researchers who need actionable threat visibility without deploying expensive enterprise solutions.
The system is built around a three-tier architecture: Sensors capture raw packets via pcapy-ng on SPAN-mirrored ports or honeypots, a lightweight Server aggregates and persists events, and a fat-client web interface performs all data post-processing in the browser — allowing a single Python process to serve forensic-quality visualization of millions of events without server-side query load.
Beyond signature matching, Maltrail includes optional heuristic detection that catches unknown threats by correlating DNS resource exhaustion, port-scan patterns, and behavioral anomalies. Custom trail support lets teams add organization-specific indicators, while fail2ban and CEF output enable seamless firewall automation and SIEM integration without additional middleware.
Distributed deployments are supported out of the box: sensors forward events over UDP to a central server, and an official Docker image with daily cron-driven trail updates makes deployment straightforward on any Linux host. Maltrail has been actively maintained since 2014 with monthly versioned releases.
What You Get
- Real-time packet capture and trail matching — pcapy-ng sensors inspect live traffic on SPAN/mirrored interfaces and match domains, IPs, URLs, and HTTP User-Agents against the full threat corpus as packets arrive.
- 47+ integrated threat feeds — Feed modules for AbuseIPDB, AlienVault, Talos, OpenPhish, MalwareDomainList, Tor Project, CIArmy, DataPlane, EmergingThreats, and dozens more are updated automatically on a daily schedule.
- Heuristic anomaly detection — Optional detection layer identifies unknown threats by correlating DNS resource exhaustion, mass port-scan patterns, and suspicious behavioral sequences that fall outside known signatures.
- Fat-client web reporting dashboard — The server streams gzip-compressed event chunks to the browser, where all filtering, sorting, and visualization happens client-side — enabling forensic-quality analysis of millions of events from a single lightweight Python process.
- UDP-based distributed sensor architecture — Sensors can run on remote network segments and forward events over UDP to a central aggregation server, supporting multi-site deployments with no additional messaging infrastructure.
- Custom trail and whitelist support — Teams can define organization-specific blacklists and whitelists for domains, IPs, and URLs, and point Maltrail at custom trail URLs via configuration.
- Fail2ban and CEF integration — Built-in CEF (Common Event Format) output and fail2ban configuration files enable direct firewall automation and SIEM ingestion without middleware.
- Docker deployment with automated updates — Official container image using Python 3, tini process manager, and a daily cron job for trail refresh makes deployment and updates straightforward on any Linux host.
Common Use Cases
- Detecting active botnet C2 communications — A network administrator deploys Maltrail on a SPAN port to identify infected internal hosts beaconing to known botnet domains like Banjori, TrickBot, or Necurs.
- Honeypot threat intelligence collection — A security researcher runs Maltrail alongside a honeypot to log attacker behavior, capture malware download URLs, and build organization-specific threat indicators.
- SOC triage and incident investigation — An analyst uses the fat-client reporting interface to filter millions of daily events by severity, trail type, or source IP to identify lateral movement or data exfiltration attempts.
- Automated firewall blocking via fail2ban — A security engineer integrates Maltrail’s event log with fail2ban rules to automatically block source IPs flagged by high-confidence feeds like SSL Blacklist or FeodoTracker.
- Multi-site distributed monitoring — A managed security provider deploys sensors at multiple customer network segments, forwarding all events over UDP to a central Maltrail server for unified threat visibility.
- Detecting web-based attack attempts — A DevOps team runs Maltrail on a web-facing segment to catch SQL injection probes, remote code execution attempts, and directory traversal scans matching built-in HTTP heuristic regexes.
Under The Hood
Architecture Maltrail follows a clean three-tier distributed model — Traffic→Sensor↔Server↔Client — where each tier has a well-defined responsibility boundary. Sensors handle raw packet capture and trail matching in a single high-throughput loop, the server handles event persistence and HTTP serving via a built-in Python daemon, and the client browser performs all data post-processing on compressed event streams. Core modules are logically separated into addr, common, httpd, log, update, and settings, with a centralized AttribDict configuration singleton providing dot-notation access throughout. An event-driven threading model handles periodic trail updates and parallel packet processing without blocking the capture loop. The main sensor module, at roughly 1400 lines, concentrates packet parsing, heuristic analysis, trail matching, and event emission into a single execution context — a functional design choice that maximizes capture throughput but limits the ability to swap or test individual subsystems independently.
Tech Stack
Maltrail is pure Python (2.6/2.7/3.x compatible) with no web framework — the HTTP server is built on the standard library’s BaseHTTPServer abstracted through a bundled six compatibility shim. Packet capture depends exclusively on pcapy-ng for raw socket access on Linux. The frontend is static HTML and JavaScript with jQuery, served from a local html/ directory; all event rendering and filtering happens browser-side via compressed data chunks streamed from the server. Trail intelligence spans 47 Python feed modules and six static trail directories, all loaded into an in-memory TrailsDict at startup. SQLite handles IP category (datacenter/cloud) lookups via an ipcat database. The Docker image uses Python 3, tini as PID 1, and cron for scheduled daily trail updates.
Code Quality
The codebase has no test files or testing infrastructure of any kind — no unit tests, no integration tests, no CI configuration. Error handling is mixed: most exception paths are typed, but bare except: blocks appear in the sensor’s core capture loop where broad exception suppression is used to keep the process alive under adverse conditions. There are no type hints anywhere, reflecting the project’s Python 2.6 compatibility baseline. No linter configuration exists in the repository. Despite these gaps, the codebase is readable and has maintained consistent style over more than a decade of development — comment density is moderate, module responsibilities are clear, and the configuration file is extensively documented with inline explanations of every option.
What Makes It Unique Maltrail’s defining innovation is treating disparate network observables — domains, IPs, URLs, and HTTP User-Agent strings — as a unified ‘trail’ abstraction matchable against a single continuously-updated corpus. The fat-client reporting model, where the server streams compressed binary event chunks for browser-side rendering, allows a minimal Python process to serve forensic-quality dashboards over millions of daily events without any server-side query engine. The heuristic layer adds DNS resource exhaustion detection, port-scan correlation, and behavioral anomaly scoring that operate independently of signature databases, catching novel threats that blacklists miss. The CEF output format and fail2ban integration mean Maltrail slots directly into existing SOC toolchains without custom adapters.
Self-Hosting
Maltrail is released under the MIT License, one of the most permissive open-source licenses available. You are free to use it commercially, modify the source, distribute it, and incorporate it into proprietary security products without any copyleft obligation. There are no paid tiers, no license keys, and no feature gating — everything in the repository is available to self-hosters.
Running Maltrail yourself requires a Linux host (or Docker) with administrative privileges for the sensor component, which needs raw socket access for packet capture via pcapy-ng. The sensor demands at least 1 GB of RAM in single-process mode and more in multiprocessing configurations depending on capture buffer size. The server component is lightweight with no special resource requirements. Operational responsibilities fall entirely on your team: you manage trail update schedules (via cron or manual runs of core/update.py), monitor disk usage for event logs, maintain the host OS, and handle any incidents where the process fails silently. There is no watchdog or health-check endpoint built in, so you will need external monitoring.
There is no hosted or managed version of Maltrail — the project is entirely self-hosted. Support is community-driven through GitHub Issues, and response times depend on volunteer maintainer availability. You get no SLA, no managed upgrades, no cloud backup, and no high-availability configuration. What you gain is full network traffic privacy (events never leave your infrastructure), complete control over which feeds to enable, and the ability to extend the system with custom feed modules or trail files without vendor approval.
Related Apps
Uptime Kuma
Monitoring
Self-hosted monitoring for every service you run — 23 monitor types, 95 notification channels, live dashboards, and public status pages with no vendor lock-in.
Uptime Kuma
MITNetdata
Monitoring · Devops
Real-time per-second metrics, ML-powered anomaly detection, and zero-config observability for any infrastructure.
Netdata
GPL 3.0Grafana
Monitoring · Analytics
The open-source observability platform that unifies metrics, logs, and traces from any data source into dynamic, queryable dashboards.