Features and Functionality
This section describes the specific features and functionality of the FlowPro.
Using an SSH client, connect to the FlowPro and log in as the flowpro user with the password configured during the installation process.

FlowPro (TM) v18.12 [2018-11-02 19:27:01 -0400 (Fri, 02 Nov 2018)]
Copyright (C) 2012 - 2018 Plixer LLC. All rights reserved.

Need an IPFIX Collector? Download Scrutinizer at https://www.plixer.com

Install Version : FlowPro (TM) v22.214.171.1245
Machine ID      : 6YZ6XEPT66H66636M95HU54D-1D4621169206AAF2
License Version : Licensed Type : Licensed Status : Unlicensed
Used Mon Ports  : 0 of 1
Expiration      : 01/18/2038

Standard Mode. Type 'edit license' to add a license key.

FLOWPRO>
The FLOWPRO> prompt indicates that the FlowPro is ready for commands. If the initial steps were done correctly, the FlowPro is already processing traffic and sending flow data to the specified IPFIX collector.
Additional Functionality with FlowPro Defender licensing
The following features and functionality are available with the FlowPro Defender (or FlowPro APM-Defender) licensing option.
Trusted Domain List

A “trusted domain list”, often called a whitelist, is preconfigured on FlowPro to suppress alarms involving specific domains. The default whitelist contains five entries that can be added to or removed as best fits a user’s environment.
mcafee.com suppresses DNS Data Leak alarms from McAfee AntiVirus software. McAfee encodes information from the anti-virus clients on the network into very long and complex DNS names and captures this information at their DNS server. This is exactly the type of behavior that the DNS Data Leak algorithm is looking for as this technique is also used by some forms of malware.
sophos.com and sophosxl.net are related to the Sophos Anti-virus software, which uses multiple techniques to get information in and out of a network using DNS. In addition to using the same technique as McAfee to send information back to their servers, Sophos also uses DNS TXT messages to send information back to the clients on the network. Use of DNS TXT messages to exchange information with an external host is also used by some malware families, and the DNS Command and Control algorithm will alarm on this type of activity. Listing these domains prevents Sophos from generating either DNS Data Leak or DNS Command and Control alarms.
webcfs03.com belongs to SonicWALL and will also generate DNS Data Leak alarms.
apple.com uses DNS TXT messages to apparently exchange settings with their NTP server. This will alarm as a DNS Command and Control alarm.
There may be other authorized software on internal networks that use DNS to bypass the firewall for data communications. If so, add the domain(s) involved to the Trusted Domain list. Once configured, any other traffic using DNS to communicate will be worth additional investigation.
Use the edit domainlist command to modify the trusteddomains list.
Untrusted Domain Lists
FlowPro supports both the use of a domain reputation list that is downloaded from Plixer, as well as allowing a user to create or edit custom lists.
Plixer Domain Reputation List
FlowPro can be set to download a list of domains from Plixer. These are domains that have been determined, with a high probability, to be “bad domains”. This list is used in the “Domain Reputation” and “Malware Behavior Detection” algorithms.
To provide maximum protection, FlowPro must update the domain reputation list that it uses every ten minutes (this update frequency is the default). During setup, please verify that a network route exists from FlowPro to nba.plixer.com. The Domain Reputation algorithm will not detect any malware if FlowPro is unable to connect to nba.plixer.com; however, all other features will operate normally. Use of this list can be controlled through FlowPro.
User Defined Domain Lists
Users may augment the Plixer Domain Reputation list and create one or more domain lists that contain domains to monitor. Domains entered must follow the rules below:
- The DNS name must contain at least 2 labels, which is often called a second-level domain or 2LD for short (for example, google.com), and no more than 3 labels, a third-level domain or 3LD (for example, maps.google.com).
- The labels must contain between 1 and 63 characters, as is required to be a legitimate domain name.
- One DNS name per line.
Entries that do not match these requirements will be ignored.
Use the edit domainlist command to create (or edit) a custom list of domains that will raise Domain Reputation alarms.
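The following is an added example, not FlowPro's own code, showing how the three entry rules above can be applied to a user-defined list before it is loaded, so that a practitioner can see in advance which lines FlowPro would ignore. The allowed label character set (letters, digits and hyphen) and the skipping of blank and `#` comment lines are assumptions; the page only specifies the label count and label length.

```python
# Added example, not FlowPro's own code: a validator that applies the three
# user-defined domain list rules (2 to 3 labels, 1-63 characters per label,
# one name per line) and reports which lines would be ignored. The label
# character set and the handling of blank/comment lines are assumptions.
import re

MIN_LABELS, MAX_LABELS = 2, 3                      # 2LD up to 3LD
LABEL_RE = re.compile(r"^[A-Za-z0-9-]{1,63}$")     # 1-63 chars per label (assumed charset)


def validate_entry(line):
    """Return the normalised domain if `line` is an acceptable entry, else None."""
    name = line.strip().lower().rstrip(".")        # tolerate a trailing dot
    labels = name.split(".")
    if not MIN_LABELS <= len(labels) <= MAX_LABELS:
        return None                                # too few or too many labels
    if not all(LABEL_RE.match(label) for label in labels):
        return None                                # empty, over-long or odd label
    return name


def load_domain_list(text):
    """Split a list into (accepted_domains, ignored_lines) the way the rules describe."""
    accepted, ignored = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.strip().startswith("#"):
            continue                               # assumption: nothing to validate
        domain = validate_entry(raw)
        if domain is None:
            ignored.append((lineno, raw.strip()))
        else:
            accepted.append(domain)
    return accepted, ignored


# Constructed sample list exercising each rule.
SAMPLE_LIST = "\n".join([
    "google.com",                  # 2 labels: accepted
    "Maps.Google.com.",            # 3 labels, mixed case, trailing dot: accepted
    "sub.maps.google.com",         # 4 labels: ignored
    "com",                         # 1 label: ignored
    "a" * 64 + ".com",             # label longer than 63 characters: ignored
    "bad..com",                    # empty label: ignored
    "maps.google.com evil.com",    # two names on one line: ignored
])

if __name__ == "__main__":
    ok, bad = load_domain_list(SAMPLE_LIST)
    print("accepted:", ok)
    for lineno, line in bad:
        print(f"ignored line {lineno}: {line!r}")
```

Running the script prints the two accepted names and the five ignored lines with their line numbers, which is the check worth doing before pasting a long list into edit domainlist.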
Scrutinizer Flow Analytics Algorithms
FlowPro will send data to the specified IPFIX Collector. Plixer’s Scrutinizer Incident Response System has additional capabilities to check for malicious behavior and bad actors and generate alarms.
- BotNet Detection
This alarm is generated when a large number of unique DNS name lookups have failed. When a DNS lookup fails, a reply commonly known as NXDOMAIN is returned. By monitoring the number of NXDOMAINs detected as well as the DNS name looked up, behavior normally associated with a class of malware that uses Domain Generation Algorithms (DGAs) can be detected.
The default threshold is 100 unique DNS lookup failures (NXDOMAIN) messages in five minutes. Either the source or destination IP address can be excluded from triggering this alarm.
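The following is an added example, not Scrutinizer's own algorithm, that models the BotNet Detection rule just described: per source IP it keeps the DNS names that returned NXDOMAIN inside a sliding five-minute window and alarms once the number of unique failed names reaches the threshold (default 100), with source and destination exclusions. The record fields and the replayed traffic are constructed for the demo.

```python
# Added example, not Scrutinizer's own algorithm: a simplified model of the
# BotNet Detection rule. It keeps, per source IP, the DNS names that returned
# NXDOMAIN inside a sliding 5-minute window and alarms once the number of
# *unique* failed names reaches the threshold (default 100). Source and
# destination exclusions mirror the option described in the text. The record
# fields (ts, src, dst, qname, rcode) are an assumed input format.
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)
DEFAULT_THRESHOLD = 100


class BotnetNxdomainDetector:
    def __init__(self, threshold=DEFAULT_THRESHOLD, exclude_src=(), exclude_dst=()):
        self.threshold = threshold
        self.exclude_src = set(exclude_src)
        self.exclude_dst = set(exclude_dst)
        self._events = defaultdict(deque)    # src -> deque of (ts, qname), oldest first

    def observe(self, ts, src, dst, qname, rcode):
        """Feed one DNS response record; return an alarm dict or None."""
        if rcode != "NXDOMAIN":
            return None                       # only failed lookups count
        if src in self.exclude_src or dst in self.exclude_dst:
            return None                       # excluded from this algorithm
        q = self._events[src]
        q.append((ts, qname.lower().rstrip(".")))
        while q and ts - q[0][0] > WINDOW:    # expire records older than 5 minutes
            q.popleft()
        unique = {name for _, name in q}      # repeats of one bad name do not add up
        if len(unique) < self.threshold:
            return None
        q.clear()                             # one alarm per burst
        return {"type": "BotNet Detection", "src": src,
                "unique_nxdomain": len(unique), "at": ts}


def run_demo(threshold=DEFAULT_THRESHOLD):
    """Replay constructed traffic for three hosts and return the alarms raised."""
    det = BotnetNxdomainDetector(threshold=threshold, exclude_src={"10.0.0.99"})
    t0 = datetime(2018, 11, 2, 19, 0, 0)
    alarms = []
    for i in range(120):
        ts = t0 + timedelta(seconds=i)
        # 10.0.0.5: a different random-looking name every second (DGA-like)
        alarms.append(det.observe(ts, "10.0.0.5", "10.0.0.53", f"x{i:04d}kq.net", "NXDOMAIN"))
        # 10.0.0.6: the same mistyped name failing again and again (not DGA-like)
        alarms.append(det.observe(ts, "10.0.0.6", "10.0.0.53", "typo.example", "NXDOMAIN"))
        # 10.0.0.99: DGA-like but explicitly excluded
        alarms.append(det.observe(ts, "10.0.0.99", "10.0.0.53", f"y{i:04d}.org", "NXDOMAIN"))
    return [a for a in alarms if a is not None]


if __name__ == "__main__":
    for alarm in run_demo():
        print(alarm)
```

Only 10.0.0.5 alarms: counting unique names rather than raw NXDOMAIN replies is what separates a DGA burst from a host that simply keeps retrying one broken name.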
- DNS Command and Control
This algorithm monitors the use of DNS TXT messages traversing the network perimeter as detected by FlowPro. DNS TXT messages provide a means of sending information into and out of the protected network over DNS, even when the user has blocked use of an external DNS server. This technique is used by malware as a method of controlling compromised assets within the network and to extract information back out. Additionally, some legitimate companies also use this method to communicate as a means to “phone home” from their applications to the developer site.
The algorithm will detect inbound, outbound, and bidirectional communications using DNS TXT messages. Thresholds may be set based either on the number of DNS TXT messages or the number of bytes observed in the DNS TXT messages within a five minute period. The default setting is for any detected traffic to alarm, and alarm aggregation defaults to 120 minutes.
To suppress alarms from authorized applications in the network, the user may add the domain generating the alarm to the “trusted.domains” list on FlowPro. See the Trusted Domain List section above.
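The following is an added example, not FlowPro's or Scrutinizer's code, that puts the three mechanisms described above together for DNS TXT traffic: suppression of names under a trusted domain, thresholds on either the message count or the byte count within a five-minute window (default 1, so any traffic alarms), and 120-minute aggregation of repeat alarms for the same host, domain and direction. The record format and the replayed records are constructed.

```python
# Added example, not FlowPro's or Scrutinizer's code: a simplified DNS Command
# and Control detector for DNS TXT traffic crossing the perimeter. It (1) drops
# records whose name falls under a trusted domain, (2) counts TXT messages and
# TXT bytes per (internal host, domain, direction) inside a 5-minute window and
# alarms when either configured threshold is met, and (3) aggregates repeat
# alarms for the same key for 120 minutes. Record format is constructed.
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)
AGGREGATION = timedelta(minutes=120)
DEFAULT_TRUSTED = ("mcafee.com", "sophos.com", "sophosxl.net", "webcfs03.com", "apple.com")


def registered_domain(qname, labels=2):
    """Last `labels` labels of a name, e.g. 'a.b.sophos.com' -> 'sophos.com'."""
    parts = qname.lower().rstrip(".").split(".")
    return ".".join(parts[-labels:])


def is_trusted(qname, trusted):
    """True if qname equals, or is a subdomain of, any trusted entry."""
    name = qname.lower().rstrip(".")
    return any(name == t or name.endswith("." + t) for t in trusted)


class DnsTxtC2Detector:
    def __init__(self, trusted=DEFAULT_TRUSTED, msg_threshold=1, byte_threshold=1):
        self.trusted = {t.lower().rstrip(".") for t in trusted}
        self.msg_threshold = msg_threshold
        self.byte_threshold = byte_threshold
        self._window = defaultdict(deque)    # key -> deque of (ts, txt_bytes)
        self._last_alarm = {}                # key -> ts of the alarm being aggregated

    def observe(self, ts, internal_ip, qname, direction, txt_bytes):
        """direction is 'inbound', 'outbound' or 'bidirectional'. Returns alarm or None."""
        if is_trusted(qname, self.trusted):
            return None                                  # authorised application
        key = (internal_ip, registered_domain(qname), direction)
        q = self._window[key]
        q.append((ts, txt_bytes))
        while q and ts - q[0][0] > WINDOW:
            q.popleft()
        msgs, total = len(q), sum(size for _, size in q)
        if msgs < self.msg_threshold and total < self.byte_threshold:
            return None                                  # neither threshold met
        last = self._last_alarm.get(key)
        if last is not None and ts - last < AGGREGATION:
            return None                                  # folded into the earlier alarm
        self._last_alarm[key] = ts
        return {"type": "DNS Command and Control", "host": internal_ip, "domain": key[1],
                "direction": direction, "msgs": msgs, "bytes": total, "at": ts}


def run_demo():
    det = DnsTxtC2Detector()
    t0 = datetime(2018, 11, 2, 19, 0, 0)
    # constructed TXT records: (offset, internal host, queried name, direction, TXT bytes)
    records = [
        (timedelta(seconds=0),   "10.0.0.7", "sophosxl.net",           "outbound", 120),  # trusted
        (timedelta(seconds=10),  "10.0.0.7", "beacon.c2-example.test", "outbound", 60),   # alarm
        (timedelta(seconds=70),  "10.0.0.7", "beacon.c2-example.test", "outbound", 80),   # aggregated
        (timedelta(seconds=130), "10.0.0.7", "beacon.c2-example.test", "inbound",  90),   # new direction: alarm
        (timedelta(hours=3),     "10.0.0.7", "beacon.c2-example.test", "outbound", 40),   # after 120 min: alarm
    ]
    alarms = [det.observe(t0 + off, host, name, direction, size)
              for off, host, name, direction, size in records]
    return [a for a in alarms if a is not None]


if __name__ == "__main__":
    for alarm in run_demo():
        print(alarm)
```

The trusted-domain check matches on suffix, so adding sophos.com also covers every host under it; the aggregation key includes direction, which is why the inbound record raises its own alarm while the second outbound record within the window does not.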
- DNS Data Leak
This algorithm monitors the practice of encoding information into a DNS lookup message that has no intention of returning a valid IP address or making an actual connection to a remote device. When this happens, the local DNS server will fail to find the DNS name in its cache, and will pass the name out of the network to where it will eventually reach the authoritative server for the domain. At that point, the owner of the authoritative server can decode the information embedded in the name, and may respond with a “no existing domain” response, or return a non-routable address.
FlowPro reviews all DNS queries and responses using proprietary logic to uncover unwanted communications. Odd behaviors are sent to Scrutinizer where they are further processed by the DNS Data Leak algorithm. Thresholds may be set based either on the number of DNS TXT messages or the number of bytes observed in the DNS TXT messages within a five minute period. The default setting is for any detected traffic to alarm, and alarm aggregation defaults to 120 minutes.
- Domain Reputation
Domain reputation provides much more accurate alarming with a dramatic decrease in the number of false positive alarms as compared to IP based Host Reputation. The domain list is provided by Plixer and is updated every ten minutes and currently contains over 400,000 known bad domains.
To provide maximum protection, FlowPro must update the domain reputation list that it uses every ten minutes. During setup, please verify that a network route exists from FlowPro to nba.plixer.com. The Domain Reputation algorithm will not detect any malware if FlowPro is unable to connect to nba.plixer.com; however, all other features will operate normally.
FlowPro performs the actual monitoring, and when it detects a domain with poor reputation, it passes the information to Scrutinizer for additional processing. The default setting is for any detected traffic to alarm, and alarm aggregation defaults to disabled so that all DNS lookups observed will result in a unique alarm.
To suppress alarms from authorized applications in the network, the user may add the domain generating the alarm message to the “Trusted Domain” list on FlowPro. See the User Defined Domain Lists section for additional details.
- Malware Behavior Detection
This is the first algorithm to demonstrate Plixer’s cyber threat correlation capability. Correlation of multiple network behaviors over a long time period provides detection systems with more information allowing for a higher accuracy with fewer false positive alarms.
This specific alarm correlates IP address lookup activity (i.e. “what is my IP address” queries), which malware commonly performs shortly after the initial compromise, with a BotNet alarm or a Domain Reputation alert for the same host. In other words, this algorithm looks for the following correlation:
- IP address lookup combined with a Domain Reputation trigger
- IP address lookup combined with a BotNet trigger
When either of the two events is detected, this algorithm triggers an alert as this behavior is a very strong indicator of a compromised asset.
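The following is an added example, not Plixer's implementation, of the correlation just described: a "what is my IP" lookup by a host is paired with a BotNet or Domain Reputation trigger for the same host, and the pair raises one Malware Behavior Detection alarm per host. The 24-hour pairing window and the placeholder names standing in for public IP-lookup services are assumptions; the page states neither.

```python
# Added example, not Plixer's implementation: a minimal correlation engine for
# the Malware Behavior Detection rule. It pairs a "what is my IP" lookup by a
# host with a BotNet or Domain Reputation trigger for the same host and alarms
# once per host. The 24-hour window and the IP-lookup service names are
# assumptions; the event stream below is constructed.
from datetime import datetime, timedelta

CORRELATION_WINDOW = timedelta(hours=24)                         # assumed "long time period"
IP_LOOKUP_DOMAINS = {"whatismyip.example", "checkip.example"}    # constructed placeholders
TRIGGERS = {"botnet", "domain_reputation"}


def classify_dns_query(qname):
    """Return 'ip_lookup' when the queried name belongs to an IP-lookup service."""
    parts = qname.lower().rstrip(".").split(".")
    return "ip_lookup" if ".".join(parts[-2:]) in IP_LOOKUP_DOMAINS else None


class MalwareBehaviorCorrelator:
    def __init__(self, window=CORRELATION_WINDOW):
        self.window = window
        self._ip_lookup = {}          # host -> ts of last IP-address lookup
        self._trigger = {}            # host -> (ts, trigger name)
        self._alarmed = set()         # hosts already reported

    def observe(self, ts, host, event):
        """event is 'ip_lookup', 'botnet' or 'domain_reputation'. Returns alarm or None."""
        if event == "ip_lookup":
            self._ip_lookup[host] = ts
        elif event in TRIGGERS:
            self._trigger[host] = (ts, event)
        else:
            raise ValueError(f"unknown event {event!r}")
        if host not in self._ip_lookup or host not in self._trigger or host in self._alarmed:
            return None
        t_trigger, name = self._trigger[host]
        if abs(t_trigger - self._ip_lookup[host]) > self.window:
            return None                              # too far apart to correlate
        self._alarmed.add(host)
        return {"type": "Malware Behavior Detection", "host": host,
                "correlated_with": name, "at": ts}


def run_demo():
    corr = MalwareBehaviorCorrelator()
    t0 = datetime(2018, 11, 2, 19, 0, 0)
    # constructed event stream: (offset, host, ("dns", name) or ("alarm", trigger))
    stream = [
        (timedelta(minutes=0),  "10.0.0.5", ("dns", "api.checkip.example")),        # IP lookup
        (timedelta(minutes=12), "10.0.0.5", ("alarm", "botnet")),                    # correlated: alarm
        (timedelta(minutes=20), "10.0.0.8", ("alarm", "domain_reputation")),         # no IP lookup: nothing
        (timedelta(minutes=25), "10.0.0.9", ("dns", "whatismyip.example")),
        (timedelta(days=3),     "10.0.0.9", ("alarm", "domain_reputation")),         # outside window
        (timedelta(days=3, minutes=5), "10.0.0.5", ("alarm", "domain_reputation")),  # already alarmed
    ]
    alarms = []
    for off, host, (kind, value) in stream:
        event = classify_dns_query(value) if kind == "dns" else value
        if event is None:
            continue                                 # ordinary DNS query, nothing to record
        alarms.append(corr.observe(t0 + off, host, event))
    return [a for a in alarms if a is not None]


if __name__ == "__main__":
    for alarm in run_demo():
        print(alarm)
```

A single trigger on its own (10.0.0.8) never alarms here; the value of the correlation is precisely that both behaviours must be seen on the same asset.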
- Adding FlowPro to the Algorithms
In Scrutinizer’s Flow Analytics Configuration interface, the FlowPro appliance(s) must be associated with the algorithms the user wishes to use.
In Scrutinizer: Navigate to the Admin Tab > Settings > Flow Analytics Configuration. Clicking the numbers in the exporter column will allow users to include the FlowPro exporter into that algorithm. Violations and alarms will show up in the Alarms tab.
What is ERSPAN?
ERSPAN is an acronym that stands for Encapsulated Remote Switched Port Analyzer. ERSPAN mirrors traffic on one or more “source” ports and delivers the mirrored traffic to one or more “destination” ports. The traffic is encapsulated in generic routing encapsulation (GRE) and is, therefore, routable across a layer 3 network between the “source” switch and the “destination”. In this case, the “destination” is the IP of the monitor interface (e.g. ‘mon1’) on the FlowPro appliance.
Configuration is required on both the FlowPro and the ERSPAN/GRE device.
The order of configuration, whether the FlowPro or the ERSPAN/GRE device is configured first, isn’t critical, so long as the prerequisite information listed below is gathered first. Each side of the configuration requires information from the other side (i.e. FlowPro and the ERSPAN device).
Instructions are provided below for configuring the FlowPro, a Cisco Switch, and a VMWare VDS.
Specific commands and configuration options may vary between devices and versions. It is recommended to verify command syntax with the vendor’s documentation for the specific device being configured.
The following information should be specified prior to starting the configuration.
FlowPro ERSPAN configuration
- Which monitor port? mon1? mon2? The examples in this document will be using ‘mon1’.
- Monitor port IP and CIDR (do not use a /32 CIDR). The examples in this document will be using ‘10.30.15.50/16’.
- Monitor port gateway - The examples in this document will be using ‘10.30.1.1’
- Peer IP Address - This is the ERSPAN Origin IP defined below. The examples in this document will be using ‘10.30.1.203’
ERSPAN device configuration
- ERSPAN Origin IP - This should be an IP on the device if it’s a switch or a router; if it’s a VDS it will be the ESXi host’s IP address. The examples in this document are using 10.30.1.203
- Destination IP - This is the FlowPro monitor port IP address (not the FlowPro management IP) The examples in this document are using 10.30.15.50
- Source Interface(s) to SPAN - The example in step 6 of VMWare VDS configuration shows 3 selected.
Next, refer to the enable erspan command for instructions on configuring FlowPro for ERSPAN.
Each monitoring interface on the FlowPro supports only one ERSPAN configuration. Multiple ERSPAN configurations on the same interface (i.e. mon1) may produce unpredictable results.

Cisco switch ERSPAN configuration

monitor session 1 type erspan-source
  description ERSPAN direct to FlowPro
  erspan-id 32                          # required
  vrf default                           # required
  destination ip 10.1.2.3               # IP address of FlowPro Monitor Interface
  source interface port-channel1 both   # Port(s) to be sniffed
  no shut                               # enable
monitor erspan origin ip-address 10.1.2.1 global

VMware VDS ERSPAN configuration

This requires the Enterprise Plus license level and a configured virtual distributed switch (VDS).
From the web console of VMware:

1. Select your VDS from the list of networks.
2. Under the “Configure” tab, select “Port mirroring”.
3. Select “New…” to create a new session.
Applying Security Patches

Although efforts are made to minimize the risk of security breaches on the appliance, updates to core OS components may still need to be applied.
It is recommended that updates are not installed unless technical support advises or assists. For more information, contact technical support.
Customers are entitled to upgrades provided that maintenance is active. For further instructions, contact technical support.
Backing up the FlowPro
The FlowPro stores all its details in the plixer.ini file. From the FLOWPRO> prompt, type edit plixer.ini and copy the file contents to a safe location.
Restoring a FlowPro from Backup
To restore the FlowPro backup, use ssh to log into the appliance. From the FLOWPRO> prompt, type edit plixer.ini and hit enter. Overwrite the contents of the file with the backed up plixer.ini content. Save the changes. FlowPro will rebuild the appropriate files and begin operations.
If a new server is being used or server configurations have changed, a new license key may need to be applied.