Untrusted Domain Lists
Plixer FlowPro supports the use of a domain reputation list downloaded from Plixer as well as user-defined domain lists.
Plixer Domain Reputation List
Plixer FlowPro can be configured to download a list of domains from Plixer. These are domains that have been determined, with a high probability, to be “bad domains”. This list is used in the Domain Reputation and Malware Behavior Detection algorithms.
To provide maximum protection, Plixer FlowPro periodically updates the domain reputation list.
During setup, please verify a network route exists from Plixer FlowPro to nba.plixer.com. The Domain Reputation algorithm will not detect any malware if Plixer FlowPro is unable to connect to nba.plixer.com; however, all other features will function normally.
Use the following Plixer FlowPro commands to control the use of this list:
enable domainreputationlist to enable
disable domainreputationlist to disable
Plixer JA3 Signatures
Plixer FlowPro can be configured to download a list of JA3 Signatures from Plixer.
Use the following Plixer FlowPro commands to control the use of this signature list:
enable domainreputationlist to enable
disable domainreputationlist to disable
User-defined Domain Lists
Users may supplement the Plixer domain reputation list by creating one or more domain lists that contain user-defined domains to monitor. Domain names in the list must adhere to the following rules:
DNS names must contain at least 2 (2LD) but no more than 3 (3LD) labels. For example: google.com (2LD) and maps.google.com (3LD)
Labels must contain between 1 and 63 characters to form a legitimate domain name
One DNS name per line
Entries that do not match these requirements will be ignored.
Use the following Plixer FlowPro command to create or edit a custom list of domains to trigger Domain Reputation alarms:
edit domainlist
Use the following Plixer FlowPro commands to enable or disable custom domain lists:
enable domainlist to enable
disable domainlist to disable
User-defined JA3 Signature Lists
The JA3 blacklist functionality supports custom blacklists specified in either bin or CSV format.
To import the user-defined JA3 blacklist CSV file, use the filename and path: /home/flowpro/conf/domains/ja3-custom.csv
The expected format is one MD5 hash in hexadecimal, without leading 0x, per line. Once you upload the CSV file containing signatures to the /home/flowpro/conf/domains/ directory, Plixer FlowPro will then check for an updated JA3 list every minute and reload it if there are any changes.
Important
Contact Plixer Technical Support for assistance with the JA3 bin import option.
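A pre-upload check for the user-defined domain list and the JA3 CSV described above, added here as an example and not part of Plixer's documentation or tooling. It applies only the rules stated on this page; skipping blank lines and accepting upper- or lower-case hex are assumptions, and label character sets are not checked because the page does not define them.

```python
import re

# MD5 is 128 bits, so a JA3 hash is exactly 32 hex digits. Accepting either
# letter case is an assumption; the page does not say which FlowPro expects.
JA3_RE = re.compile(r"[0-9a-fA-F]{32}")

def check_domain(entry):
    """Return None if entry meets the documented rules, else the reason."""
    if len(entry.split()) != 1:
        return "more than one name on the line"
    labels = entry.split(".")
    if not 2 <= len(labels) <= 3:
        return f"label count {len(labels)} (need 2 or 3)"
    for label in labels:
        if not 1 <= len(label) <= 63:
            return f"label length {len(label)} (need 1-63)"
    return None

def check_ja3(entry):
    """Return None if entry is a bare 32-digit hex MD5, else the reason."""
    if entry.lower().startswith("0x"):
        return "leading 0x"
    if not JA3_RE.fullmatch(entry):
        return "not 32 hexadecimal digits"
    return None

def lint(text, check):
    """Return (line_number, entry, reason) for every line that fails check."""
    problems = []
    for number, raw in enumerate(text.splitlines(), start=1):
        entry = raw.strip()
        if not entry:  # assumption: blank lines are harmless, so skip them
            continue
        reason = check(entry)
        if reason:
            problems.append((number, entry, reason))
    return problems

# Constructed sample input, not taken from any real list.
SAMPLE_DOMAINS = ("example.com\nmaps.example.com\na.b.example.com\nlocalhost\n"
                  + "x" * 64 + ".example\nexample.com.\n")
SAMPLE_JA3 = ("0123456789abcdef0123456789abcdef\n"
              "0x0123456789abcdef0123456789abcdef\n0123456789abcdef\n")

if __name__ == "__main__":
    for text, check in ((SAMPLE_DOMAINS, check_domain), (SAMPLE_JA3, check_ja3)):
        for number, entry, reason in lint(text, check):
            print(f"{check.__name__} line {number}: {entry[:40]!r}: {reason}")
```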