FlowPro functionality overview
When FlowPro is enabled, it leverages deep packet inspection (DPI) and advanced traffic analysis techniques to detect potential security threats and alert you when your assets may be compromised by malware.
By monitoring DNS traffic, FlowPro provides critical insights into data entering and leaving your network, helping to identify malicious activity and prevent data exfiltration.
The following features and functionalities are available when the FlowPro functionality is enabled:
DNS Traffic Analysis: Gain visibility into DNS queries and responses to identify potentially malicious domains or unusual behavior.
Threat Detection: Utilize selective packet capture, threat feeds, and custom network intrusion detection system (NIDS) rules for identifying suspicious activity, such as command-and-control traffic or DNS tunneling.
TLS and JA3 Signature Reporting: Monitor encrypted traffic to detect anomalous patterns and potential misuse of encryption protocols.
HTTP Connection Reporting: Identify and track HTTP requests for enhanced visibility into application-layer behavior.
File Hash Analysis: Capture information on transferred files and calculate hashes to detect potential malware.
DNS Reputation Checks: Compare DNS queries against domain reputation lists to uncover threats such as NXDOMAIN responses and suspiciously long DNS names.
Customizable Whitelists and Blacklists: Define trusted and restricted domains to tailor detection to your organization’s needs.
Botnet and Command-and-Control Detection: Identify and mitigate traffic associated with known botnets or malicious command-and-control servers.
Custom rules
On online appliances, FlowPro ships with a large set of detection and prevention rules from the Emerging Threats ruleset, which covers known malicious or suspect traffic. These rules are enabled when adding or editing a FlowPro integration by toggling the Default NIDS Rules option under Admin > Resources > FlowPro Probes in the Scrutinizer web UI. In addition, users can define custom rules in the /home/plixer/flowpro/rules/custom.rules file, which Suricata also evaluates.
A rule consists of the following:
Action: Determines what happens when the rule matches.
Header: Defines the protocol, IP addresses, ports and direction of the rule.
Rule options: Defines the specifics of the rule.
The custom Suricata rules file uses the following format (newline delimited):
Note
General rules are used in the following example for demonstration. In high-performance environments, rules should be as specific as possible.
alert tcp $HOME_NET any -> $EXTERNAL_NET 8080 (msg:"This rule alerts on traffic from the internal network to the external network over 8080/tcp"; classtype:web-application-activity; sid:2000010; rev:1;)
alert http 10.1.2.3 any -> any any (msg:"HTTP GET request to example.com detected from 10.1.2.3"; classtype:trojan-activity; flow:established,to_server; http.method; content:"GET"; nocase; http.host; content:"example.com"; nocase; sid:3000001; rev:1;)
alert tcp any any -> any 22 (msg:"SSH protocol version 2 detected"; flow:established,to_server; content:"SSH-2.0"; startswith; sid:3000002; rev:1;)
alert dns any any -> any 53 (msg:"DNS query for malicious-domain.com detected"; classtype:targeted-activity; dns.query; content:"malicious-domain.com"; nocase; sid:3000003; rev:1;)
alert http any any -> any any (msg:"Download of malicious.exe detected"; classtype:suspicious-filename-detect; flow:established,to_server; http.uri; content:"/malicious.exe"; endswith; sid:3000004; rev:1;)
alert tls any any -> any any (msg:"TLS 1.0 usage detected"; classtype:non-standard-protocol; tls.version:1.0; sid:3000005; rev:1;)
#alert tcp any any -> any any (msg:"A commented out rule to temporarily disable"; classtype:example; sid:3000006; rev:1;)
The following classtype values are the minimum required for FlowPro events to be sent to Scrutinizer. Each class type corresponds to a specific policy in Scrutinizer.
| EVENT CODE | DESCRIPTION |
|---|---|
| attempted-recon | Attempted information leak |
| successful-recon-limited | Information leak |
| successful-recon-largescale | Large-scale information leak |
| attempted-dos | Attempted denial of service |
| successful-dos | Denial of service |
| attempted-user | Attempted user privilege gain |
| unsuccessful-user | Unsuccessful user privilege gain |
| successful-user | Successful user privilege gain |
| successful-admin | Successful administrator privilege gain |
| rpc-portmap-decode | Decode of an RPC query |
| shellcode-detect | Executable code was detected |
| suspicious-filename-detect | A suspicious filename was detected |
| suspicious-login | An attempted login using a suspicious username |
| system-call-detect | A system call was detected |
| trojan-activity | A network Trojan was detected |
| unusual-client-port-connection | A client was using an unusual port |
| network-scan | Detection of a network scan |
| denial-of-service | Detection of a denial of service attack |
| non-standard-protocol | Detection of a non-standard protocol or event |
| web-application-activity | Access to a potentially vulnerable web app |
| web-application-attack | Web application attack |
| default-login-attempt | Attempt to login by a default username/password |
| targeted-activity | Targeted malicious activity was detected |
| exploit-kit | Exploit kit activity detected |
| external-ip-check | Device retrieving external IP address detected |
| domain-c2 | Domain observed used for C2 detected |
| pup-activity | Possibly unwanted program detected |
| credential-theft | Successful credential theft detected |
| social-engineering | Possible social engineering attempted |
| coin-mining | Crypto currency mining activity detected |
| command-and-control | Malware command and control activity detected |
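A rule that is missing its classtype, or that carries a classtype not in the table above, produces Suricata output that never reaches a Scrutinizer policy, and a duplicate sid makes Suricata reject the rule file on load. The following added example (not Plixer's or Suricata's code) lints a custom.rules body for exactly these points before the file is deployed: the action / header / options structure, a numeric sid and a rev, a classtype from the Scrutinizer table, and duplicate sids. The sid range check follows the usual convention that locally managed rules use sids of 1000000 or higher and stay out of the 2000000-2999999 block used by Emerging Threats, so custom rules cannot collide with the Default NIDS Rules set. The sample rules embedded at the bottom are constructed for the demonstration.

```python
"""Pre-deployment lint for a FlowPro custom.rules file (added example)."""
import re

# Event codes from the Scrutinizer table (one policy per classtype).
SCRUTINIZER_CLASSTYPES = {
    "attempted-recon", "successful-recon-limited", "successful-recon-largescale",
    "attempted-dos", "successful-dos", "attempted-user", "unsuccessful-user",
    "successful-user", "successful-admin", "rpc-portmap-decode", "shellcode-detect",
    "suspicious-filename-detect", "suspicious-login", "system-call-detect",
    "trojan-activity", "unusual-client-port-connection", "network-scan",
    "denial-of-service", "non-standard-protocol", "web-application-activity",
    "web-application-attack", "default-login-attempt", "targeted-activity",
    "exploit-kit", "external-ip-check", "domain-c2", "pup-activity",
    "credential-theft", "social-engineering", "coin-mining", "command-and-control",
}

ACTIONS = {"alert", "drop", "pass", "reject", "rejectsrc", "rejectdst", "rejectboth"}

# action proto src sport direction dst dport (options)
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>[\w-]+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


def split_options(opts):
    """Split the option body on ';' outside double quotes into (keyword, value) pairs."""
    pairs, buf, in_quote = [], [], False
    for ch in opts:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            item = "".join(buf).strip()
            if item:
                key, _, val = item.partition(":")
                pairs.append((key.strip(), val.strip()))
            buf = []
        else:
            buf.append(ch)
    return pairs


def lint_rules(text):
    """Return [(line_no, problem)] for a custom.rules body; an empty list means clean."""
    problems, first_seen = [], {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or a commented-out rule
        m = HEADER_RE.match(line)
        if not m:
            problems.append((n, "cannot parse rule header/options"))
            continue
        if m["action"] not in ACTIONS:
            problems.append((n, f"unknown action {m['action']!r}"))
        opts = dict(split_options(m["opts"]))  # keyword -> value; sticky buffers map to ""
        sid = opts.get("sid", "")
        if not sid.isdigit():
            problems.append((n, "missing or non-numeric sid"))
        else:
            s = int(sid)
            if s < 1000000 or 2000000 <= s <= 2999999:
                problems.append((n, f"sid {sid} is not in a local range (>= 1000000, outside 2000000-2999999)"))
            if sid in first_seen:
                problems.append((n, f"duplicate sid {sid} (first seen on line {first_seen[sid]})"))
            first_seen.setdefault(sid, n)
        if "rev" not in opts:
            problems.append((n, "missing rev"))
        ct = opts.get("classtype")
        if ct is None:
            problems.append((n, "missing classtype: event cannot map to a Scrutinizer policy"))
        elif ct not in SCRUTINIZER_CLASSTYPES:
            problems.append((n, f"classtype {ct!r} has no Scrutinizer policy"))
    return problems


# Constructed sample custom.rules: two clean rules and several defective ones.
SAMPLE_RULES = """\
# constructed sample custom.rules for this example
alert tcp $HOME_NET any -> $EXTERNAL_NET 8080 (msg:"Internal to external over 8080/tcp"; classtype:web-application-activity; sid:1000001; rev:1;)
alert tcp any any -> any 22 (msg:"SSH protocol version 2 detected"; flow:established,to_server; content:"SSH-2.0"; startswith; sid:1000002; rev:1;)
alert dns any any -> any 53 (msg:"DNS query for malicious-domain.com detected"; classtype:targeted-activity; dns.query; content:"malicious-domain.com"; nocase; sid:1000003; rev:1;)
alert dns any any -> any 53 (msg:"Second rule reusing a sid"; classtype:domain-c2; dns.query; content:"c2.example"; nocase; sid:1000003; rev:1;)
alert tcp any any -> any any (msg:"Misspelled classtype and an ET-range sid"; classtype:trojan-activty; sid:2000010; rev:1;)
#alert tcp any any -> any any (msg:"Commented out, so not checked"; classtype:example; sid:1000006; rev:1;)
"""

if __name__ == "__main__":
    for line_no, problem in lint_rules(SAMPLE_RULES):
        print(f"custom.rules:{line_no}: {problem}")
```

Run it against the real file with `lint_rules(open("/home/plixer/flowpro/rules/custom.rules").read())` before restarting the service; the option splitter honours double quotes, so a `;` inside an msg string does not break the parse.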
Rule updates
The command suricata-update can be used to manage the running rule set if a custom source is available via HTTPS.
The suricata-rule-update file is located at /home/plixer/flowpro/rules/suricata-rule-update.yaml.
This file consists of the following sections:
disable-conf: A path to a file containing match statements for conditional rule exclusion. See the example configuration to disable rules for more information.
ignore: A list of local custom rule filenames to exclude from duplication. Entries can be absolute paths, or bare filenames if the files are located in /home/plixer/flowpro/rules.
sources: The URL pointing to a custom Suricata rule source.
All other suricata-rule-update configuration entries are managed by the system.
Selective packet capture
When deployed as part of the Plixer One platform, FlowPro enables selective capturing of network packets based on user-defined rules. This allows for targeted sampling of network traffic, which can result in more efficient analysis/investigation as well as optimal resource utilization.
Note
The steps described below require Scrutinizer 19.6.0 or higher. For assistance with other versions, contact Plixer Technical Support.
Selective packet capture rules can be defined via the Scrutinizer web interface as follows:
Navigate to Admin > Resources > FlowPro Capture Rules.
Click the + button and configure the following details in the tray:
Name: A name for the capture rule
Client IP: Client/source IP address of packets to capture
Server IP: Server/destination IP address of packets to capture
Well-Known Port: Well-known port to monitor for packets
Max Packets: Maximum number of packets to capture
Stops On: End date for capturing packets
Retain Until: End date for retaining captured packet data
[Optional] Use the Enabled toggle to disable the rule if you want to start capturing packets at a later time.
Click the Save button to create the rule.
Packets will start being captured as soon as a rule is saved (if enabled). Rules with captured data will be indicated by a check in the Data column.
Note
The timezones configured on the Scrutinizer server and the FlowPro probe must be the same for the Stops On rule to be correctly observed.
Downloading PCAP files via Scrutinizer
Captures can be downloaded by clicking Download PCAP for events under the FlowPro Event Capture policy in the Scrutinizer Alarm Monitor views.
Because these download requests are redirected to the FlowPro appliance, an exception for the default self-signed certificate must be added to Scrutinizer user browsers. To do this, navigate to https://<FLOWPRO_MGMT_IP>:8080, and then accept the security exception.
Rule management
Once the maximum number of packets has been captured, or the defined end date has been reached, the rule will automatically be disabled. Inactive rules will be marked with a yellow indicator in the main view/table instead of green (enabled/active).
To continue capturing packets, click on the rule name, make the necessary changes (Max Packets or Stops On) in the configuration tray, and then re-enable the rule.
Rules that are no longer needed can instead be deleted. To do this, use the checkboxes to select one or more rules to be deleted, and then use the Delete option in the Bulk Actions menu/tray.
FlowPro exclusions
To exclude hosts from FlowPro detections, you can add them to the FlowPro Exclusions IP group. This group allows flexibility in defining exclusions by supporting individual IP addresses, entire subnets, or other IP groups.
Once added, traffic from these hosts will no longer trigger detections, ensuring they are excluded from monitoring while maintaining overall security visibility.
This feature is useful for trusted systems, testing environments, or specific infrastructure components that may generate benign traffic resembling threats.
Administrators should carefully manage this group to prevent accidental exclusion of potentially malicious activity, balancing security and operational requirements effectively.
Untrusted domain lists
FlowPro supports domain reputation review based on domain lists downloaded from external sources and on user-defined domain lists.
Domain reputation
FlowPro enforces domain reputation review through the use of domain aware network intrusion detection rules.
On service start, FlowPro loads all rule sources listed in /home/plixer/flowpro/rules/suricata-update.yaml; violations are attributed to a rule class and forwarded to Scrutinizer as events.
JA3 signatures
FlowPro enforces JA3 signature review through the use of TLS aware network intrusion detection rules.
On service start, FlowPro loads all rule sources listed in /home/plixer/flowpro/rules/suricata-update.yaml; violations are attributed to a rule class and forwarded to Scrutinizer as events.
User-defined domain lists
Save your custom domain list locally on the FlowPro appliance as domains.csv. Then run the following command to convert the domain list into DNS domain reputation detection rules in /home/plixer/flowpro/rules/custom.rules:
/home/plixer/flowpro/importDomainRep.sh path_to_domain.csv
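What that conversion amounts to is shown by the following added Python example; it is not Plixer's importDomainRep.sh, only an illustration of the domain-list-to-rule step. It assumes one domain per CSV row in the first column (extra columns are ignored), the classtype external-ip-check (the Scrutinizer event code for the Device Retrieving External IP Address Detected policy that these events appear under), and SID_BASE as an arbitrary start of a local sid block. Entries that are not plain hostnames are rejected rather than written out, because a stray `"` or `;` in a domain entry would otherwise corrupt the generated rule line and make Suricata reject the whole custom.rules file. The CSV at the bottom is constructed for the demonstration.

```python
"""Turn a domains.csv list into DNS reputation rules for custom.rules (added example)."""
import csv
import io
import re

SID_BASE = 1500000  # assumed start of a local sid block (>= 1000000, outside the Emerging Threats range)

# Hostname syntax: labels of letters, digits and hyphens, no leading/trailing hyphen, alphabetic TLD.
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def load_domains(csv_text):
    """Return (accepted, rejected): cleaned unique domains, and raw entries failing the syntax check.

    Rejecting anything that is not a plain hostname also keeps characters such as
    '"' or ';' out of the generated rule, where they would break the rule syntax.
    """
    accepted, rejected, seen = [], [], set()
    for row in csv.reader(io.StringIO(csv_text)):
        if not row or not row[0].strip() or row[0].lstrip().startswith("#"):
            continue  # blank or comment row
        domain = row[0].strip().lower().rstrip(".")
        if not DOMAIN_RE.match(domain):
            rejected.append(row[0].strip())
            continue
        if domain not in seen:
            seen.add(domain)
            accepted.append(domain)
    return accepted, rejected


def domain_rules(csv_text, sid_base=SID_BASE):
    """Build one Suricata DNS rule per accepted domain, with consecutive local sids."""
    accepted, _ = load_domains(csv_text)
    return [
        f'alert dns any any -> any 53 (msg:"DNS query for untrusted domain {d}"; '
        f'classtype:external-ip-check; dns.query; content:"{d}"; nocase; '
        f"sid:{sid_base + i}; rev:1;)"
        for i, d in enumerate(accepted)
    ]


# Constructed domains.csv: valid entries mixed with ones that must be cleaned or rejected.
SAMPLE_CSV = """\
# constructed domains.csv for this example
malicious-domain.com,known bad
Bad.Example.NET.,mixed case and trailing dot
"evil;domain.com",would break the rule syntax
malicious-domain.com,duplicate entry
not a domain,rejected
"""

if __name__ == "__main__":
    accepted, rejected = load_domains(SAMPLE_CSV)
    print("rejected entries:", rejected)
    print("\n".join(domain_rules(SAMPLE_CSV)))
```

Note that `dns.query; content:"malicious-domain.com"` is a substring match, so the rule also fires for subdomains of the listed domain (and for any longer name that happens to contain it); that matches the page's own DNS rule style, but review the rejected list and the generated sids before appending the output to custom.rules.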
This will produce events in Scrutinizer under the Device Retrieving External IP Address Detected policy, alerting when DNS requests are made for the untrusted domains.
Finally, run the following command to restart the FlowPro service so that the new rules are loaded into the detection engine:
sudo service flowpro restart
User-defined JA3 signature lists