FlowPro Defender : Features and Functionality

This section describes the specific features and functionality of the FlowPro Defender.

Getting Started

Using an SSH Client, ssh to the FlowPro Defender and log in as the flowpro user using the password configured during the installation process.

[root@VA_DC_5 ~]# ssh flowpro@10.1.4.31
Password:
Last login: Mon May  4 12:25:11 2015 from 10.1.10.65

FlowPro Defender (TM) v15.4.30.277
[2015-04-30 16:01:05 -0400 (Thu, 30 Apr 2015)]
Copyright (C) 2012 - 2015 Plixer All rights reserved.
Plixer
Need an IPFIX Collector? Download Scrutinizer at http://www.plixer.com

          Machine ID  : xxxxxxxxxxxxxxxx
     Licensed Version : 15.5
        Licensed Type : valid
          Expiration  : Tue Apr 12 2016

License expires in 343 day(s)

FLOWPRO>

The FLOWPRO> prompt indicates the FlowPro Defender is ready for commands. If the initial steps are done correctly, the FlowPro Defender is already processing traffic and sending feedback to the IPFIX collector specified.

Trusted Domain List

A “trusted domain list”, often called a whitelist, is preconfigured on FlowPro Defender to suppress alarms involving specific domains. The default whitelist contains five entries that can added or removed as best fits a user’s environment.

  • Mcafee.com
  • Sophos.com
  • Sophosxl.net
  • webcfs03.com
  • apple.com

Mcafee.com suppresses DNS Data Leak alarms from McAfee AntiVirus software. McAfee encodes information from the anti-virus clients on the network into very long and complex DNS names and captures this information at their DNS server. This is exactly the type of behavior that the DNS Data Leak algorithm is looking for as this technique is also used by some forms of malware. Sophos.com and sophosxl.net are related to the Sophos Anti-virus software, and it uses multiple techniques to get information in and out of a network using DNS. In addition to using the same technique as McAfee to send information back to their servers, they also use DNS TXT messages to send information back into the clients on the network. Use of DNS TXT messages to exchange information with an external host is also used by some malware families, and the DNS Command and Control algorithm will alarm on this type of activity. This will prevent Sophos from generating either DNS Data Leak or DNS Command and Control alarms.

  • Webcfs03.com belongs to SonicWALL and will also generate DNS Data Leak alarms.
  • Apple.com uses DNS TXT messages to apparently exchange settings with their NTP server. This will alarm as a DNS Command and Control alarm.

There may be other authorized software on internal networks that use DNS to bypass the firewall for data communications. If so, add the domain(s) involved to the Trusted Domain list. Once configured, any other traffic using DNS to communicate will be worth additional investigation.

Use the edit command to modify the trusteddomains list.

Untrusted Domain Lists

FlowPro Defender supports both the use of a domain reputation list that is downloaded from Plixer, as well as allowing a user to create or edit custom lists.

Plixer Domain Reputation List

FlowPro Defender can download a list of domains from Plixer once each hour. These are domains that have been determined to be “bad domains” with a high probability, and this list is used in the “Domain Reputation” and “Malware Behavior Detection” algorithms.

To provide maximum protection, FlowPro Defender must update the domain reputation list that it uses each hour. During setup, please verify a network route exists from FlowPro Defender to nba.plixer.com. The Domain Reputation algorithm will not detect any malware if FlowPro Defender is unable to connect to nba.plixer.com, however, all other features will operate normally. Use of this list can be controlled through FlowPro Defender.

To enable or disable the use of this list:

  1. Remotely log on to the FlowPro Defender
  2. Type at the FLOWPRO> prompt edit plixer.ini
  3. To enable (default is enabled), set the value enableDomainReputationList=1 or, to disable the list, set the value enableDomainReputationList=0
  4. Save changes and exit the editor

User Defined Domain Lists

Users may augment the Plixer Domain Reputation list and create one or more domain lists that contain domains to monitor. Domains entered must follow the rules below:

  • The DNS name must contain at least 2 labels, which is often called a second level domain, or 2LD for short (for example, google.com) and no more than 3 labels (maps.google.com), or a 3LD.
  • The labels must contain between 1 and 63 characters, as is required to be a legitimate domain name.

Entries that do not match these requirements will be ignored. To create a custom list of domains to detect domainReputation alarms:

  1. Log on to the FlowPro Defender
  2. At the FLOWPRO> prompt type edit my_domain_list_name NOTE: DO NOT enter a file extension. This will be automatically assigned.
  3. Add, remove, or modify the file contents as desired
  4. Save changes and exit the editor

To enable or disable custom domain lists, use the enable and disable commands.

Scrutinizer Flow Analytics Algorithms

FlowPro Defender will send data to the specified IPFIX Collector. Plixer’s Scrutinizer Incident Response System has additional capabilities to check for malicious behavior and bad actors.

BotNet Detection This alarm is generated when a large number of unique DNS name lookups have failed. When a DNS lookup fails, a reply commonly known as NXDOMAIN is returned. By monitoring the number of NXDOMAINs detected as well as the DNS name looked up, behavior normally associated with a class of malware that uses Domain Generation Algorithms (DGAs) can be detected.

The default threshold is 100 unique DNS lookup failures (NXDOMAIN) messages in five minutes. Either the source or destination IP address can be excluded from triggering this alarm.

DNS Command and Control This algorithm monitors the use of DNS TXT messages traversing the network perimeter as detected by FlowPro Defender. DNS TXT messages provide a means of sending information into and out of the protected network over DNS, even when the user has blocked use of an external DNS server. This technique is used by malware as a method of controlling compromised assets within the network and to extract information back out. Additionally, some legitimate companies also use this method to communicate as a means to “phone home” from their applications to the developer site.

The algorithm will detect inbound, outbound, and bidirectional communications using DNS TXT messages. Thresholds may be set based either on the number of DNS TXT messages or the number of bytes observed in the DNS TXT messages within a five minute period. The default setting is for any detected traffic to alarm, and alarm aggregation defaults to 120 minutes.

To suppress alarms from authorized applications in the network, the user may add the domain generating the alarm message to the “trusted.domains” list on FlowPro Defender. See the discussion on “trusted.domains” list below.

DNS Data Leak This algorithm monitors the practice of encoding information into a DNS lookup message that has no intention of returning a valid IP address or making an actual connection to a remote device. When this happens, the local DNS server will fail to find the DNS name in its cache, and will pass the name out of the network to where it will eventually reach the authoritative server for the domain. At that point, the owner of the authoritative server can decode the information embedded in the name, and may respond with a “no existing domain” response, or return a non-routable address.

FlowPro defender reviews all DNS queries and responses using proprietary logic to uncover unwanted communications. Odd behaviors are sent to Scrutinizer where they are further processed by the DNS Data Leak algorithm. Thresholds may be set based either on the number of DNS TXT messages or the number of bytes observed in the DNS TXT messages within a five minute period. The default setting is for any detected traffic to alarm, and alarm aggregation defaults to 120 minutes.

Domain Reputation Plixer is introducing domain reputation with 15.5. Domain reputation provides much more accurate alarming with a dramatic decrease in the number of false positive alarms as compared to IP based Host Reputation. The domain list is provided by Plixer and is updated each hour and currently contains over 400,000 known bad domains.

To provide maximum protection, FlowPro Defender must update the domain reputation list that it uses each hour. During setup, please verify a network route exists from FlowPro Defender to nba.plixer.com. The Domain Reputation algorithm will not detect any malware if FlowPro Defender is unable to connect to nba.plixer.com, however, all other features will operate normally.

FlowPro Defender performs the actual monitoring, and when it detects a domain with poor reputation, it passes the information to Scrutinizer for additional processing. The default setting is for any detected traffic to alarm, and alarm aggregation defaults to disabled so that all DNS lookups observed will result in a unique alarm.

To suppress alarms from authorized applications in the network, the user may add the domain generating the alarm message to the “Trusted Domain” list on FlowPro Defender. See the discussion on FlowPro Defender for additional details.

Malware Behavior Detection This is the first algorithm to demonstrate Plixer’s cyber threat correlation capability. Correlation of multiple network behaviors over a long time period provides detection systems with more information allowing for a higher accuracy with fewer false positive alarms.

This specific alarm is correlating IP address lookups (i.e. what is my IP address) activity which is commonly performed by malware shortly after the initial compromise with the detection of the BotNet alarm or with a Domain Reputation alert. In other words, this algorithm looks for the following correlation:

  • IP address lookup combined with a Domain Reputation trigger
  • IP address lookup combined with a BotNet trigger

When either of the two events is detected, this algorithm triggers an alert as this behavior is a very strong indicator of a compromised asset.

Adding FlowPro Defender to the Algorithms In Scrutinizer’s Flow Analytics Configuration interface, the FlowPro Appliance(s) must be associated to the Algorithms the user wishes to utilize.

In Scrutinizer: Navigate to the Admin Tab > Settings > Flow Analytics Configuration. Clicking the numbers in the exporter column will allow users to include the FlowPro Defender Exporter into that Algorithm. Violations and Alarms will show up in the Alarms Tab

Server Maintenance

Hardware Failure

If any hardware malfunctions occur, contact technical support for assistance.

Applying Security Patches

Although efforts are made to minimize the risk for security breaches on the appliance, updates to core OS components may be applied.

It is recommended that updates are not installed unless technical support advises or assists. For more information, contact technical support.

Upgrades

Customers are entitled to upgrades provided that maintenance is active. For further instructions, contact technical support.

Backing up the FlowPro Defender

The FlowPro Defender stores all its details in the plixer.ini file. From the FLOWPRO> prompt, type edit plixer.ini and copy the file contents to a safe location.

Restoring a FlowPro Defender from Backup

To restore the FlowPro Defender backup, use SSH to log into the appliance. From the FLOWPRO> prompt, type edit plixer.ini and hit enter. Overwrite the contents of the file with the backed up plixer.ini content. Save the changes. FlowPro Defender will rebuild the appropriate files and begin operations.

If a new server is being used or server configurations have changed, a new license key may need to be applied.

Commands

At any time running the command help, help <command>, <command> ?, or ? will display help in the interface.

check

The check command is used to test access to the Domain Reputation lists hosted on nba.plixer.com.

FLOWPRO> check replist

The output will indicate whether access is available to the domain lists. If access isn’t available, the problem usually is that the FlowPro Defender does not have access to the internet.

clear

The clear command clears log files from the FlowPro Defender. These log files contain details pertaining to the operation of flowpro.

EXAMPLE clear log <logfile>

FLOWPRO> clear log dns1yaf.log

By executing clear log by itself, FlowPro Defender will show a list of available logs

delete

The delete command is used to permanently remove domain lists from the FlowPro Defender.

EXAMPLE delete <domainlist_name>

FLOWPRO> delete mylist

To see all domain lists, use the show command.

disable

The disable command is used to temporarily ignore domains in particular domain lists from the FlowPro Defender. This list will remain on the FlowPro Defender Appliance until it is removed.

EXAMPLE disable <domainlist_name>

FLOWPRO> disable mylist

To see all domain lists, use the show command.

edit

The edit command is used to modify system files used in the day to day operations of FlowPro Defender.

EXAMPLE edit <plixer.ini|domainlist_name>

The plixer.ini file is the main configuration file for FlowPro Defender. It contains settings used by FlowPro to configure licensing, reputation lists, listening interfaces, IPFIX collector, and more.

FLOWPRO> edit plixer.in.

The other function of edit is to update any custom domain lists used by FlowPro Defender to check for bad actors.

FLOWPRO> edit mylist

Newly created lists will be enabled once saved. Lists can be disabled using the disable command.

enable

The enable command is used to re-enable a disabled domain list.

FLOWPRO> enable mylist

license

The license command is used to manage the FlowPro Defender license key. To generate a license key, Plixer or the reseller will need the FlowPro Defender’s unique machine ID. The machine ID is displayed when issuing the license check command.

The following command can be used to show licensing details:

license <check|status>

FLOWPRO> license check
        Machine ID : 5YZ6XEPV66C766369M8DBN2A
  Licensed Version : 15.5
     Licensed Type : valid
        Expiration : Thu Jul 28 2016

License expires in 730 day(s)

The license key can be configured on the FlowPro Defender using the license set command.

license <set|update>

FLOWPRO> license set

When applying the license key, it must be one continuous string without any line feeds or carriage returns on the same line as the license=.

[flowpro]
collector=10.1.4.94:2055
enableDomainReputationList=1
monitorTraffic=mon1
monitorDNS=mon2
license=Nb7RuIh35R1Uv9uOWTWhBUuLX4mLNtYCxfqlL0j3IEV2r// hkHhl3EnTTFdZZPK+0jprzFIlW10dmIN7sZOiwlCcA+L5g6HTzQJ/ b8l6hLeLEsoHiYXgj0SsWkKeCu2IBb6Alpv3msIf1k+ps2cbf8abUR/
kdLVkwOwAwozq2kY7/RzTwvj7$

In the new window, beside license= paste in the license key and Press CTRL+X to save. Issuing the license check or license status will verify the key is properly installed.

Contact technical support to acquire a new license key.

password

The password command will change the password used for the flowpro username.

FLOWPRO> password
(current) UNIX password:
New password:
Retype new password:

Successful password changes will be applied to the next log in.

This password is used when logging in remotely or on the server directly.

service

The service command can be used to manually start, stop, or restart the FlowPro Defender service.

service <service_name> <start|stop|restart>

FLOWPRO> service flowpro restart

set

The set command is used to set certain system parameters. At this time, it is used to set the IPFIX Collector. It is primarily an alias to the command edit plixer.ini.

FLOWPRO> set collector

Future versions of FlowPro Defender may allow users to utilize the set command without modifying the full configuration.

show

The show command is used to display state or list details available for modification and customization by the user.

The show domainlist command displays all available domain lists that are both enabled and disabled.

FLOWPRO> show domainlist

FLOWPRO> show domainlists

mylist (enabled)
trusted (disabled)

2 list(s) Found ...

The show log command lists the available logs to view. By specifying a log file name after the show log command, it will display its contents.

The show realtime command lists the available logs to watch in real time. By specifying a log file name after the show realtime command, it will show new content added to the log file as it happens.

The show status command displays all running components of the FlowPro Defender system, the state of those services, and the current license details.

FLOWPRO> show status
+--------------------------------------------------------------------+
| FlowPro Defender              ACTIVE
| Super Mediator                ACTIVE
| FlowPro Process Monitor       ACTIVE
| (Traffic) mon1                ACTIVE
| (DNS) mon1                    ACTIVE
| FlowPro License               License expires in 343 day(s)
+--------------------------------------------------------------------+

snoop

The snoop command can be used to verify that packets are being received by or sent from the FlowPro Defender for a certain IP address or interface

snoop ip <ip_address> Snoop interfaces <interface_name>

FLOWPRO> snoop ip 10.1.1.1
FLOWPRO> snoop interfaces mon1

Press CTRL+C to exit the snoop command.

system

The system command is used to change state of the FlowPro Defender. The directive change is used to change the host name or IP address.

system <change|restart|shutdown>

FLOWPRO> system change FLOWPRO> system restart
FLOWPRO> system shutdown

Ingress, Egress, and Observation Domain Configuration

The default behavior for traffic monitoring is to label the flows from each interface as its own ingress and egress. (mon1 = ingress on 1, egress on 1). By default, the observation domain is fixed at 42. However, FlowPro Defender can be configured to label the flows as coming from any licensed ingress and egress interface, and/or from any observation domain.

For example: Users may want to label traffic monitoring so ingress is mon1 (i.e. 1) and egress is mon2 (i.e. 2).

This is done by modifying the plixer.ini

FLOWPRO> edit plixer.ini

In the editor, locate the following line:

monitorTraffic=mon1

When specified in this format, mon1 is configured for ingress of 1 and egress of 1. By modifying this setting in the following format, FlowPro will configure mon1 to have an ingress of 1 and egress of 2.

monitorTraffic=mon1:1:2

The format to use is monX:ingress:egress. Once the necessary configuration changes have been made, save the plixer.ini file. FlowPro Defender will then restart the services with the new configuration. Note that the values for ingress and egress are limited to the maximum number of licensed interfaces.

To define a different observation domain for an interface, modify the plixer.ini file as before using the format monX:ingress:egress:observation_domain To set the observation domain, the ingress and egress labels must also be set. To change the observation domain for mon1 to 45, while using the ingress and egress values set above, modify the setting above to read as:

monitorTraffic=mon1:1:2:45

Or, to use the default values for mon1 with an observation domain of 45:

monitorTraffic=mon1:1:1:45