Untrusted domain lists
Plixer FlowPro supports domain reputation review based on domain lists downloaded from external sources and on user-defined domain lists.
Domain reputation
Plixer FlowPro enforces domain reputation review through the use of domain-aware network intrusion detection rules.
On service start, Plixer FlowPro integrates all rule sources in /home/plixer/flowpro/rules/suricata-update.yaml. Violations are attributed to a rule class and forwarded to Plixer Scrutinizer as events.
JA3 signatures
Plixer FlowPro enforces JA3 signature review through the use of TLS-aware network intrusion detection rules.
On service start, Plixer FlowPro integrates all rule sources in /home/plixer/flowpro/rules/suricata-update.yaml. Violations are attributed to a rule class and forwarded to Plixer Scrutinizer as events.
User-defined domain lists
You can load custom domains via /home/plixer/flowpro/importDomainRep.sh, and then save the list locally on your Plixer FlowPro as domains.csv.
Then run the following command to convert the domain list into DNS domain reputation detection rules in /home/plixer/flowpro/rules/custom.rules:
/home/plixer/flowpro/importDomainRep.sh path_to_domain.csv
User-defined JA3 signature lists
This will produce events in Plixer Scrutinizer under the Device Retrieving External IP Address Detected policy, alerting when DNS requests are made for the untrusted domains.
Finally, run the following command to restart the Plixer FlowPro service to enter the events into the detection engine:
sudo service flowpro restart
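To show what converting a domain list into DNS detection rules involves, the following added example (not Plixer's importDomainRep.sh and not its actual output format) validates a CSV and emits generic Suricata DNS rules. It assumes the domain sits in the first CSV column and uses a hypothetical SID base; rows that fail validation are rejected rather than written, so characters such as `;` or `"` cannot produce malformed rules.

```python
import csv
import io
import re

# One DNS label: letters, digits, hyphen; no leading/trailing hyphen; max 63 chars.
LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")
BASE_SID = 1000000  # assumption: SID base chosen for this example only


def clean_domain(raw):
    """Normalise one CSV cell to a lowercase FQDN, or return None if invalid."""
    d = raw.strip().lower().rstrip(".")
    if not d or len(d) > 253 or "." not in d:
        return None
    return d if all(LABEL.match(p) for p in d.split(".")) else None


def domains_to_rules(csv_text):
    """Return (rules, rejected): one Suricata DNS rule per unique valid domain."""
    rules, rejected, seen = [], [], set()
    for row in csv.reader(io.StringIO(csv_text)):
        if not row or row[0].lstrip().startswith("#"):
            continue  # skip blank lines and comment lines
        domain = clean_domain(row[0])
        if domain is None:
            rejected.append(row[0])  # keep for operator review
            continue
        if domain in seen:
            continue  # de-duplicate after normalisation
        seen.add(domain)
        sid = BASE_SID + len(rules) + 1
        # dotprefix + endswith matches the domain and its subdomains,
        # but not look-alikes that merely end in the same string.
        rules.append(
            f'alert dns any any -> any any (msg:"Untrusted domain {domain}"; '
            f'dns.query; dotprefix; content:".{domain}"; nocase; endswith; '
            f'sid:{sid}; rev:1;)'
        )
    return rules, rejected


# Constructed sample input (reserved .test/.example names, not real indicators).
SAMPLE = "bad-site.test,phishing\nBAD-SITE.test.\nc2.example\nfoo;bar.test\n_nope\n"

if __name__ == "__main__":
    rules, rejected = domains_to_rules(SAMPLE)
    print("\n".join(rules))
    print("rejected:", rejected)
```

Reviewing the rejected rows before importing a list catches typos and malformed entries that would otherwise never match any DNS query.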