Untrusted Domain Lists¶
Plixer FlowPro supports the use of a domain reputation list downloaded from Plixer as well as user-defined domain lists.
Plixer Domain Reputation List¶
Plixer FlowPro can be configured to download a list of domains from Plixer. These are domains that have been determined, with a high probability, to be “bad domains”. This list is used in the Domain Reputation and Malware Behavior Detection algorithms.
To provide maximum protection, Plixer FlowPro periodically updates the domain reputation list. During setup, please verify a network route exists from Plixer FlowPro to nba.plixer.com. The Domain Reputation algorithm will not detect any malware if Plixer FlowPro is unable to connect to nba.plixer.com - however, all other features will function normally.
Use the following Plixer FlowPro commands to control the use of this list:
Plixer JA3 Signatures¶
Plixer FlowPro can be configured to download a list of JA3 Signatures from Plixer.
Use the following Plixer FlowPro commands to control the use of this signature list:
User-defined Domain Lists¶
Users may supplement the Plixer domain reputation list by creating one or more domain lists that contain user-defined domains to monitor. Domain names in the list must adhere to the following rules:
- DNS names must contain at least 2 (2LD) but no more than 3 (3LD) labels. For example: google.com (2LD) and maps.google.com (3LD)
- Labels must contain between 1 and 63 characters to form a legitimate domain name
- One DNS name per line
Entries that do not match these requirements will be ignored.
Use the following Plixer FlowPro command to create or edit a custom list of domains to trigger Domain Reputation alarms:
Use the following Plixer FlowPro commands to enable or disable custom domain lists:
User-defined JA3 Signature Lists¶
The JA3 blacklist functionality supports custom blacklists specified in either a bin or csv format.
Use this filename and path to import the user-defined JA3 blacklist CSV file:
The expected format is one MD5 hash in hexadecimal, without leading 0x, per line. Once you upload the CSV file containing signatures to the /home/flowpro/conf/domains/ directory, Plixer FlowPro will then check for an updated JA3 list every minute and reload it if there are any changes.
Contact Plixer Technical Support for assistance with the JA3 bin import option.