FA algorithm list
The table below contains general information and recommended applications for all flow analytics algorithms available in Plixer Scrutinizer.
| Algorithm | Function | Recommended Flow Sources | Notes |
|---|---|---|---|
| Bogon Traffic | Alerts if traffic to or from unallocated public IP space is detected | Edge routers and public IP addresses defined in IP groups | |
| BotNet Detection | Alerts when a large number of unique DNS name lookups have failed | Plixer FlowPro | Requires Plixer FlowPro Defender |
| Breach Attempt Detection | Alerts when flow behaviors that may indicate a brute force password attack on an internal IP address are observed | Internal/core routers, edge routers, and public IP addresses defined in IP groups | |
| DDoS Detection | Alerts when a Distributed Denial of Service (DDoS) attack targeting the protected network space is identified | Edge routers and public IP addresses defined in IP groups | |
| Denied Flows Firewall | Alerts when the number of denied flows from an internal to an external IP address exceeds the configured threshold | Internal/core routers | |
| DNS Command and Control Detection | Alerts when the volume or size of DNS TXT messages at the network perimeter exceeds the configured threshold | Plixer FlowPro | Requires Plixer FlowPro Defender |
| DNS Data Leak Detection | Alerts when the volume or size of messages with suspicious DNS names exceeds the configured threshold | Plixer FlowPro | Requires Plixer FlowPro Defender |
| DNS Hits | Alerts when a host initiates an excessive number of DNS queries | Internal/core routers | |
| DNS Server Detection | Alerts when a new DNS server is detected based on packet exchanges between clients and servers | Internal/core routers, edge routers, and public IP addresses defined in IP groups | Requires Plixer FlowPro Defender |
| Domain Reputation | Alerts when traffic associated with a suspicious domain (based on a list maintained by Plixer) is detected | Plixer FlowPro | Requires Plixer FlowPro Defender |
| DRDoS Detection | Alerts when a Distributed Reflection Denial of Service (DRDoS) attack targeting the protected network space is identified | Edge routers and public IP addresses defined in IP groups | |
| FIN Scan | Alerts when a FIN scan is detected | Internal/core routers and edge routers | |
| Flow Reports Thresholds | Alerts when a custom threshold configured for a saved report is exceeded | Internal/core routers, edge routers, and public IP addresses defined in IP groups | |
| Host Indexing | Monitors traffic to maintain an index of hosts seen on the network, including additional details such as conversation direction, throughput, and source (Exporter) | Internal/core routers, edge routers, and public IP addresses defined in IP groups | |
| Host Reputation | Monitors traffic to maintain a list of active, non-whitelisted Tor nodes | Edge routers and public IP addresses defined in IP groups | |
| Host Watchlist | Alerts when a host violating a user-defined IP address blacklist is detected | Edge routers and public IP addresses defined in IP groups | |
| ICMP Destination Unreachable | Alerts when a large number of ICMP Destination Unreachable messages are sent to a suspicious IP address | Internal/core routers | |
| ICMP Port Unreachable | Alerts when a large number of ICMP Port Unreachable messages are sent to a suspicious IP address | Internal/core routers | |
| Incident Correlation | Alerts when multiple Indicator of Compromise (IOC) events for a single host are detected | Internal/core routers, edge routers, and public IP addresses defined in IP groups | |
| IP Address Violations | Alerts when a flow containing a non-authorized IP address as the source or destination is received | Internal/core routers, edge routers, and public IP addresses defined in IP groups | Requires authorized subnets to be defined |
| JA3 Fingerprinting | Alerts when software sending suspicious encrypted traffic is identified, based on TLS handshake data and known signatures | Plixer FlowPro | Requires Plixer FlowPro Defender |
| Large Ping | Alerts when an unusually large ICMP Echo Request (ping) is observed | Internal/core routers, edge routers, and public IP addresses defined in IP groups | |
| Lateral Movement | Alerts when successful lateral movement is observed | Internal/core routers, edge routers, and public IP addresses defined in IP groups | |
| Lateral Movement Attempt | Alerts when behavior that may indicate attempted lateral movement is observed | Internal/core routers, edge routers, and public IP addresses defined in IP groups | |
| Medianet Jitter Violations | Alerts when jitter values reported by a Medianet flow exceed the configured threshold | Internal/core routers, edge routers, and public IP addresses defined in IP groups | |
| Multicast Violations | Alerts when multicast traffic volume exceeds the configured threshold | Internal/core routers, edge routers, and public IP addresses defined in IP groups | |
| NetFlow Domain Reputation | Alerts when a DNS lookup from a blacklisted IP is reported via NetFlow | Internal/core routers, edge routers, and public IP addresses defined in IP groups | Blacklist is maintained on nba.plixer.com but cached locally |
| Network Transports | Alerts when traffic over unapproved transport protocols is observed | Internal/core routers, edge routers, and public IP addresses defined in IP groups | |
| NULL Scan | Alerts when a NULL scan is detected | Internal/core routers and edge routers | |
| Odd TCP Flags Scan | Alerts when a scan using unusual TCP flag combinations is detected | Internal/core routers and edge routers | |
| P2P Detection | Alerts when a P2P session with a host count exceeding the configured threshold is observed | Internal/core routers and edge routers | |
| Packet Flood | Alerts when a packet flood is detected | Internal/core routers, edge routers, and public IP addresses defined in IP groups | |
| Persistent Flow Risk | Alerts when a persistent flow is detected | Internal/core routers and edge routers | |
| Persistent Flow Risk - ASA | Alerts when a persistent flow matching a specified 5-tuple is detected | Internal/core routers and edge routers | |
| Ping Flood | Alerts when a ping flood is detected | Internal/core routers, edge routers, and public IP addresses defined in IP groups | |
| Ping Scan | Alerts when a host suspected of performing a ping scan is observed | Internal/core routers, edge routers, and public IP addresses defined in IP groups | |
| Protocol Misdirection | Alerts when traffic that does not match the port being used is detected | Internal/core routers, edge routers, and public IP addresses defined in IP groups | |
| Reverse SSH Shell | Alerts when potential reverse SSH tunnels to external destinations are detected | Internal/core routers, edge routers, and public IP addresses defined in IP groups | |
| RST/ACK Detection | Alerts when the system observes a large number of TCP flows containing only RST and ACK flags being sent to the same destination | Internal/core routers and edge routers | |
| Slow Port Scan | Alerts when the system observes a large number of ports on the same host being probed | Internal/core routers, edge routers, and public IP addresses defined in IP groups | |
| Source Equals Destination | Alerts when traffic whose source and destination are the same host is observed | Internal/core routers, edge routers, and public IP addresses defined in IP groups | |
| SYN Scan | Alerts when a SYN scan is detected | Internal/core routers and edge routers | |
| TCP Scan | Alerts when a potential TCP scan is detected from an Exporter that does not provide TCP flag information | Internal/core routers and edge routers | |
| Top Applications | Monitors application traffic | Internal/core routers, edge routers, and public IP addresses defined in IP groups | |
| Top Autonomous Systems | Monitors traffic to and from autonomous systems | Internal/core routers, edge routers, and public IP addresses defined in IP groups | |
| Top Countries | Monitors traffic by country | Internal/core routers, edge routers, and public IP addresses defined in IP groups | |
| Top Hosts | Monitors traffic by host | Internal/core routers, edge routers, and public IP addresses defined in IP groups | |
| Top IP groups | Monitors traffic by IP group | Internal/core routers, edge routers, and public IP addresses defined in IP groups | Requires at least one IP group to be defined |
| UDP Scan | Alerts when a potential UDP scan is detected | Internal/core routers and edge routers | |
| XMAS Scan | Alerts when an XMAS scan is detected | Internal/core routers and edge routers | |