Features and Functionality

This section describes the specific features and functionality of Plixer FlowPro.

Getting started

Connect to Plixer FlowPro over SSH and log in as the “flowpro” user with the password configured during the installation process.

FlowPro 19.0.0.20061 [Oct 06 2020]
Copyright (C) 2012 - 2020 Plixer LLC. All rights reserved.
Need an IPFIX Collector? Download Scrutinizer at https://www.plixer.com

Machine ID       : 6YZ6XEPT669666S64A1VN59N-6895DAE3550561EF
Licensed Type    : FlowPro Defender
Licensed Status  : Subscription
Used Mon Ports   : 1 of 3
Expiration       : 10/19/2020
* License Key Expires in 13 day(s)



 FLOWPRO>

The FLOWPRO> prompt indicates that Plixer FlowPro is ready to accept commands. If the initial configuration steps have been completed correctly, Plixer FlowPro is already processing traffic and sending data to the designated IPFIX collector.

Plixer FlowPro Defender Functionality

The following features and functionality are available with the Plixer FlowPro Defender (or Plixer FlowPro APM-Defender) licensing option.

Trusted Domain List

A trusted domain list, or whitelist, is preconfigured on Plixer FlowPro to suppress alarms involving specific domains. The default whitelist contains five entries that can be added or removed depending on the customer environment.

  • mcafee.com
  • sophos.com
  • sophosxl.net
  • webcfs03.com
  • apple.com

mcafee.com suppresses DNS Data Leak alarms from McAfee AntiVirus software. McAfee encodes information from the anti-virus clients on the network into very long and complex DNS names and stores this information on their DNS server. This is exactly the type of behavior that the DNS Data Leak algorithm is looking for as this technique is also used by some forms of malware.

sophos.com and sophosxl.net are related to Sophos Anti-virus software, which uses multiple techniques to get information in and out of a network using DNS. In addition to using the same technique as McAfee to send information back to its servers, it also uses DNS TXT messages to send information back to the clients on the network. Use of DNS TXT messages to exchange information with an external host is also seen in some malware families, and the DNS Command and Control algorithm will alarm on this type of activity. Whitelisting these domains prevents Sophos from generating either DNS Data Leak or DNS Command and Control alarms.

webcfs03.com belongs to SonicWALL and will also generate DNS Data Leak alarms.

apple.com uses DNS TXT messages to exchange settings with their NTP server. This will trigger a DNS Command and Control alarm.

There may be other authorized software on internal networks that use DNS to bypass the firewall for data communications. If so, add those domains to the trusted domain list. Once configured, any other traffic communicating via DNS should be investigated.

Use the edit domainlist command to modify the trusted domain list.

Untrusted Domain Lists

Plixer FlowPro supports the use of a domain reputation list downloaded from Plixer as well as user-defined domain lists.

Plixer Domain Reputation List

Plixer FlowPro can be configured to download a list of domains from Plixer. These are domains that have been determined, with a high probability, to be “bad domains”. This list is used in the Domain Reputation and Malware Behavior Detection algorithms.

To provide maximum protection, Plixer FlowPro must update the domain reputation list every 10 minutes (set by default). During setup, please verify a network route exists from Plixer FlowPro to nba.plixer.com. The Domain Reputation algorithm will not detect any malware if Plixer FlowPro is unable to connect to nba.plixer.com - however, all other features will function normally.

Use the following Plixer FlowPro commands to control the use of this list:

Plixer JA3 Signatures

Plixer FlowPro can be configured to download a list of JA3 Signatures from Plixer.

Use the following Plixer FlowPro commands to control the use of this signature list:

User-defined Domain Lists

Users may supplement the Plixer domain reputation list by creating one or more domain lists that contain user-defined domains to monitor. Domain names in the list must adhere to the following rules:

  • DNS names must contain at least 2 (2LD) but no more than 3 (3LD) labels. For example: google.com (2LD) and maps.google.com (3LD)
  • Labels must contain between 1 and 63 characters to form a legitimate domain name
  • One DNS name per line

Entries that do not match these requirements will be ignored.

Use the following Plixer FlowPro command to create or edit a custom list of domains to trigger Domain Reputation alarms:

Use the following Plixer FlowPro commands to enable or disable custom domain lists:

User-defined JA3 Signature Lists

The JA3 blacklist functionality supports custom blacklists specified in either a bin or csv format.

Use this filename and path to import the user-defined JA3 blacklist CSV file:

/home/flowpro/conf/domains/ja3-custom.csv

The expected format is one MD5 hash in hexadecimal, without leading 0x, per line. Once you upload the CSV file containing signatures to the /home/flowpro/conf/domains/ directory, Plixer FlowPro will import it during the next refresh cycle (every 64 minutes) or the initial load.
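As an added example (not Plixer's own code), the following Python pre-flight checker applies the documented rules for both user-defined list formats: the domain lists from the previous section (2 or 3 labels, each 1 to 63 characters, one name per line) and ja3-custom.csv (one bare hexadecimal MD5 hash per line), so that entries FlowPro would silently ignore can be found before uploading. Skipping blank lines and surrounding whitespace is an assumption, and the sample file contents are constructed.

```python
"""Pre-flight checker for FlowPro user-defined lists (added example, not Plixer code).
FlowPro ignores entries that break the documented format; this shows which ones
would be dropped. Skipping blank lines and surrounding whitespace is an assumption."""
import re

MD5_HEX = re.compile(r"^[0-9a-fA-F]{32}$")   # 32 hex digits, no leading 0x


def domain_entry_ok(name: str) -> bool:
    """Domain-list rule: 2 (2LD) or 3 (3LD) labels, each 1 to 63 characters."""
    labels = name.split(".")
    if not 2 <= len(labels) <= 3:
        return False
    return all(1 <= len(label) <= 63 for label in labels)


def ja3_entry_ok(entry: str) -> bool:
    """ja3-custom.csv rule: one bare hexadecimal MD5 hash per line."""
    return bool(MD5_HEX.match(entry))


def check_list(text: str, is_ok):
    """Split list contents into (accepted, ignored) entries, one entry per line."""
    accepted, ignored = [], []
    for raw in text.splitlines():
        entry = raw.strip()
        if entry:
            (accepted if is_ok(entry) else ignored).append(entry)
    return accepted, ignored


# Constructed sample files; the valid lines mirror the page's own examples.
DOMAIN_LIST = ("google.com\nmaps.google.com\nwww.maps.google.com\nlocalhost\n"
               "bad..example.com\n" + "a" * 64 + ".example.com\n")
JA3_LIST = ("00112233445566778899aabbccddeeff\n"        # accepted
            "0x00112233445566778899aabbccddeeff\n"      # 0x prefix: ignored
            "00112233445566778899aabbccddeef\n")        # 31 digits: ignored

if __name__ == "__main__":
    for label, text, rule in (("domains", DOMAIN_LIST, domain_entry_ok),
                              ("ja3", JA3_LIST, ja3_entry_ok)):
        ok, bad = check_list(text, rule)
        print(f"{label}: accepted {ok}; ignored {bad}")
```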

Important

Contact Plixer Technical Support for assistance with the JA3 bin import option.

Plixer Scrutinizer Flow Analytics Algorithms

Plixer FlowPro will send data to the specified IPFIX Collector. Plixer Scrutinizer provides additional functionality to check for malicious behavior and bad actors, and to generate alarms when detected.

BotNet Detection

This alarm is generated when a large number of unique DNS name lookups have failed. When a DNS lookup fails, an NXDOMAIN response is returned. Scrutinizer is able to identify a class of malware that uses Domain Generation Algorithms (DGAs) by monitoring the number of NXDOMAINs detected as well as the actual DNS names looked up.

The default threshold is 100 unique DNS lookup failure (NXDOMAIN) messages in five minutes. Either the source or destination IP address can be excluded from triggering this alarm.
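An added illustration (not Scrutinizer's implementation) of the detection logic described above: unique NXDOMAIN names are counted per source IP in five-minute windows against the default threshold of 100, with the documented source and destination exclusions. The log line layout and the sample traffic are constructed for this example.

```python
"""Illustration of the BotNet/DGA detection described above (added example, not
Scrutinizer code): unique NXDOMAIN names per source IP in fixed five-minute
windows, alarm at the default threshold of 100, with source/destination
exclusions. The log layout (epoch, src, resolver, qname, rcode) is constructed."""
from collections import defaultdict

WINDOW_SECONDS = 300
DEFAULT_THRESHOLD = 100


def parse_line(line: str):
    """Parse 'epoch src dst qname rcode' into a tuple; qnames are normalised."""
    ts, src, dst, qname, rcode = line.split()
    return int(ts), src, dst, qname.lower().rstrip("."), rcode


def detect_dga(lines, threshold=DEFAULT_THRESHOLD,
               exclude_src=frozenset(), exclude_dst=frozenset()):
    """Return {(window_start, src): unique_nxdomain_count} for sources at/over threshold."""
    unique = defaultdict(set)
    for line in lines:
        ts, src, dst, qname, rcode = parse_line(line)
        if rcode != "NXDOMAIN" or src in exclude_src or dst in exclude_dst:
            continue
        window = ts - ts % WINDOW_SECONDS          # fixed five-minute bucket
        unique[(window, src)].add(qname)           # repeats of one name count once
    return {key: len(names) for key, names in unique.items()
            if len(names) >= threshold}


def constructed_log():
    """Constructed sample: one host burning through DGA-like names, one host retrying a typo."""
    base = 1_600_000_200                           # aligned to a window boundary
    lines = []
    for i in range(120):                           # 120 distinct failing names in 4 minutes
        lines.append(f"{base + i * 2} 10.0.0.7 10.0.0.53 x{i:05x}q.example NXDOMAIN")
    for i in range(150):                           # same name failing 150 times: 1 unique
        lines.append(f"{base + i} 10.0.0.8 10.0.0.53 typo.example NXDOMAIN")
    lines.append(f"{base + 5} 10.0.0.9 10.0.0.53 www.plixer.com NOERROR")
    return lines


if __name__ == "__main__":
    for (window, src), count in detect_dga(constructed_log()).items():
        print(f"BotNet alarm: {src} had {count} unique NXDOMAINs in window {window}")
```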

DNS Command and Control

This algorithm monitors the use of DNS TXT messages traversing the network perimeter as detected by Plixer FlowPro. DNS TXT messages can be used to send information into and out of the protected network over DNS, even when the use of external DNS servers has been blocked. Malware uses this technique to control compromised assets within the network and to extract information back out. Additionally, some legitimate software also uses this method to communicate back to the developer site.

The algorithm will detect inbound, outbound, and bidirectional communications using DNS TXT messages. Thresholds can be set based either on the number of DNS TXT messages or number of bytes observed in the DNS TXT messages within a five minute period. The default setting is for any detected traffic to trigger an alarm and alarm aggregation defaults to 120 minutes.

The domain generating the alarm message may be added to the trusted domains list in Plixer FlowPro to suppress alarms from authorized applications on the network. See the Trusted Domain List section for details.

DNS Data Leak

This algorithm monitors for information encoded into a DNS lookup message that has no intention of returning a valid IP address or making an actual connection to a remote device. As a result, the local DNS server will fail to find the DNS name in its cache and will pass the name out of the network to where it will eventually reach the authoritative server for the domain. At that point, the owner of the authoritative server can decode the information embedded in the name, and may respond with a “no existing domain” response or return a non-routable address.

Plixer FlowPro reviews all DNS queries and responses using proprietary logic to detect unwanted communications. Odd behaviors are sent to Plixer Scrutinizer where they are further processed by the DNS Data Leak algorithm. Thresholds can be set based on either the number of DNS TXT messages or the number of bytes observed in the DNS TXT messages within a five minute period. The default setting is for any detected traffic to trigger an alarm and alarm aggregation defaults to 120 minutes.

DNS Server Detection

The algorithm detects new DNS servers being used on or by your network through analysis of the DNS packets being exchanged between the client and the server. Exclude DNS servers that are authorized for use on the network.

Domain Reputation

Domain reputation provides much more accurate alarming with a dramatic decrease in the number of false positive alarms as compared to IP-based host reputation. The domain list provided by Plixer is updated every ten minutes and currently contains over 400,000 known bad domains.

To provide maximum protection, FlowPro must update its domain reputation list every ten minutes. During setup, please verify a network route exists from FlowPro to nba.plixer.com. The Domain Reputation algorithm will not detect any malware if FlowPro is unable to connect to nba.plixer.com - however, all other features will function normally.

Plixer FlowPro performs the actual monitoring, and when it detects a domain with poor reputation, it passes the information to Plixer Scrutinizer for additional processing. The default setting is for any detected traffic to trigger an alarm and alarm aggregation defaults to disabled so that all DNS lookups observed will result in a unique alarm.

To suppress alarms from authorized applications in the network, the domain generating the alarm message can be added to the trusted domain list in Plixer FlowPro. See the User-defined Domain Lists section for details.

JA3 Fingerprinting

The JA3 fingerprinting functionality leverages the unique characteristics of the TLS handshake to identify the software generating encrypted traffic by comparing it against a list of known signatures. If a positive match is made, Plixer FlowPro Defender will send the details of that connection to Plixer Scrutinizer.

Malware Behavior Detection

This algorithm demonstrates Plixer’s cyber threat correlation capability. Correlating multiple network behaviors over a long time period gives detection systems more information, resulting in higher accuracy with fewer false positive alarms.

This specific alarm correlates IP address lookup (i.e. what is my IP address) activity, which is commonly performed by malware shortly after the initial compromise, with the detection of the BotNet alarm or a Domain Reputation alert.

When either of the two events is detected, this algorithm triggers an alert as this behavior is a very strong indicator of a compromised asset.

Adding Plixer FlowPro to the Algorithms

The Plixer FlowPro appliance(s) must be linked to the algorithms the user wishes to use in the Plixer Scrutinizer Flow Analytics configuration settings:

  • Navigate to the Admin Tab > Settings > Flow Analytics Configuration
  • Click the numbers in the exporter column to associate the Plixer FlowPro exporter with that algorithm
  • Violations and alarms will be displayed in the Alarms tab

ERSPAN

What is ERSPAN?

ERSPAN is the acronym for Encapsulated Remote Switched Port Analyzer. It mirrors traffic on one or more source ports and delivers the mirrored traffic to one or more destination ports. The traffic is encapsulated in Generic Routing Encapsulation (GRE) and is therefore routable across a Layer 3 network between the source switch and the destination. In this case, the destination is the IP of the monitor interface (e.g. ‘mon1’) on the Plixer FlowPro appliance.

Configuration

Configuration is required on both the Plixer FlowPro and the ERSPAN/GRE device.

The order of configuration (Plixer FlowPro or the ERSPAN/GRE device first) is not critical, as long as the required information listed below is gathered first. The configuration of each device requires information from the other device (Plixer FlowPro and ERSPAN device).

The following instructions detail how to configure Plixer FlowPro, a Cisco switch, and a VMware VDS.

Note

Specific commands and configuration options may vary between devices and versions. Command syntax should be verified with vendor documentation for the specific device being configured.

Prerequisites

The following information should be determined prior to starting the configuration:

Plixer FlowPro ERSPAN configuration

  • Monitor port: for example ‘mon1’.
  • Monitor port IP and CIDR: for example ‘10.30.15.50/16’ (do NOT use /32 CIDR)
  • Monitor port gateway: for example ‘10.30.1.1’
  • Peer IP Address: the ERSPAN source IP defined below - for example ‘10.30.1.203’

ERSPAN device configuration

  • ERSPAN Source IP: an IP address on the device (switch or router) or the ESXi host IP address (VDS) - for example ‘10.30.1.203’
  • Destination IP: FlowPro monitor port IP address (not the Plixer FlowPro management IP) - for example ‘10.30.15.50’
  • Source Interface(s) to SPAN: the example in step 6 of the VMware VDS configuration below shows 3 sources selected

Plixer FlowPro

The monitoring interface(s) must first be enabled as defined in the Hardware Appliance or Virtual Appliance installation instructions.

Next, refer to the enable erspan command for instructions on configuring Plixer FlowPro for ERSPAN.

Note

Each monitoring interface on the Plixer FlowPro supports only one ERSPAN configuration. Multiple ERSPAN configurations on the same interface (for example mon1) may produce unpredictable results.

Cisco Switch

monitor session 1 type erspan-source
description ERSPAN direct to FlowPro
erspan-id 32                              # required
vrf default                               # required
destination ip 10.1.2.3                   # IP address of Plixer FlowPro monitor interface
source interface port-channel1 both       # Port(s) to be sniffed
no shut                                   # enable

monitor erspan origin ip-address 10.1.2.1 global

VMware VDS

Note

This requires the VMware Enterprise Plus license and a configured vSphere Distributed Switch.

From the VMware web console:

  1. Select your VDS from the list of networks
  2. Select “Port mirroring” on the “Configure” tab
  3. Select “New…” to create a new session
  4. Select “Encapsulated Remote Mirroring (L3) Source”, then click “Next”.
  5. Give your new session a name and set the status to Enabled, then click “Next”.
  6. Add the ports you wish to mirror to the probe, then click “Next”.
  7. Add the IP given to the monitor interface of the probe as the destination of the session (not the Plixer FlowPro management IP), then click “Next”.
  8. Verify your configuration and click “Finish” to start the session.

Server maintenance

Hardware Failure

Contact Plixer Technical Support for assistance if any hardware malfunctions occur.

Applying Security Patches

Although efforts are made to minimize the risk of security breaches on the appliance, updates to core OS components may be required.

Updates should not be installed unless Plixer Technical Support advises or assists. For more information, contact Plixer Technical Support.

Backing Up Plixer FlowPro

Plixer FlowPro stores all its configuration data in the plixer.ini file. At the FLOWPRO> prompt, type “edit plixer.ini” and copy the file contents to a safe location.

Restoring Plixer FlowPro from Backup

To restore the Plixer FlowPro backup:

  • log into the appliance over SSH
  • at the FLOWPRO> prompt run the command “edit plixer.ini”
  • overwrite the contents of the file with the contents of the plixer.ini that was previously backed up
  • save the changes
  • Plixer FlowPro will rebuild the appropriate files and begin operations

If a new host server is being deployed, or the server hardware configuration has changed, a new license key will need to be applied.