Untrusted domain lists
FlowPro supports domain reputation review using domains downloaded from external lists and domains supplied in user-defined lists.
Domain reputation
FlowPro enforces domain reputation review through the use of domain-aware network intrusion detection rules. On service start, FlowPro integrates all rule sources listed in /home/plixer/flowpro/rules/suricata-update.yaml; violations are attributed to a rule class and forwarded to Scrutinizer as events.
JA3 signatures
FlowPro enforces JA3 signature review through the use of TLS-aware network intrusion detection rules. On service start, FlowPro integrates all rule sources listed in /home/plixer/flowpro/rules/suricata-update.yaml; violations are attributed to a rule class and forwarded to Scrutinizer as events.
User-defined domain lists
You can load custom domains via /home/plixer/flowpro/importDomainRep.sh; first save the domain list locally on your FlowPro as domains.csv.
Then run the following command to convert the domain list into DNS domain reputation detection rules in /home/plixer/flowpro/rules/custom.rules:
/home/plixer/flowpro/importDomainRep.sh path_to_domain.csv
This will produce events in Scrutinizer under the Device Retrieving External IP Address Detected policy, alerting when DNS requests are made for the untrusted domains.
Finally, run the following command to restart the FlowPro service so that the detection engine loads the new rules:
sudo service flowpro restart
User-defined JA3 signature lists