Untrusted Domain Lists

Plixer FlowPro supports the use of a domain reputation list downloaded from Plixer as well as user-defined domain lists.

Plixer Domain Reputation List

Plixer FlowPro can be configured to download a list of domains from Plixer. These are domains that have been determined, with a high probability, to be “bad domains”. This list is used in the Domain Reputation and Malware Behavior Detection algorithms.

To provide maximum protection, Plixer FlowPro periodically updates the domain reputation list. During setup, please verify a network route exists from Plixer FlowPro to nba.plixer.com. The Domain Reputation algorithm will not detect any malware if Plixer FlowPro is unable to connect to nba.plixer.com - however, all other features will function normally.

Use the following Plixer FlowPro commands to control the use of this list:

• enable domainreputationlist to enable

• disable domainreputationlist to disable

Plixer JA3 Signatures

Plixer FlowPro can be configured to download a list of JA3 Signatures from Plixer.

Use the following Plixer FlowPro commands to control the use of this signature list:

• enable domainreputationlist to enable

• disable domainreputationlist to disable

User-defined Domain Lists

Users may supplement the Plixer domain reputation list by creating one or more domain lists that contain user-defined domains to monitor. Domain names in the list must adhere to the following rules:

• DNS names must contain at least 2 (2LD) but no more than 3 (3LD) labels. For example: google.com (2LD) and maps.google.com (3LD)

• Labels must contain between 1 and 63 characters to form a legitimate domain name

• One DNS name per line

Entries that do not match these requirements will be ignored.

Use the following Plixer FlowPro command to create or edit a custom list of domains to trigger Domain Reputation alarms:

• edit domainlist

Use the following Plixer FlowPro commands to enable or disable custom domain lists:

• enable domainlist to enable

• disable domainlist to disable

User-defined JA3 Signature Lists

The JA3 blacklist functionality supports custom blacklists specified in either a bin or csv format.

To import the user-defined JA3 blacklist CSV file, use the filename and path: /home/flowpro/conf/domains/ja3-custom.csv

The expected format is one MD5 hash in hexadecimal, without leading 0x, per line. Once you upload the CSV file containing signatures to the /home/flowpro/conf/domains/ directory, Plixer FlowPro will then check for an updated JA3 list every minute and reload it if there are any changes.

Important

Contact Plixer Technical Support for assistance with the JA3 bin import option.