Botnet Command and Control Traffic Monitor (10050 / 20050)
Description
This Module monitors traffic originating from known Command and Control (C&C) hosts or directed to them. The list of C&C host IP addresses is obtained from the list published by the Emerging Threats (http://www.emergingthreats.net/) company:
- List of known C&C servers: https://rules.emergingthreats.net/blockrules/emerging-botcc.rules
The Module reports all communications between internal hosts and hosts on the C&C list, and provides consolidated information about these communications over a time interval. The observation interval (T, sec) is configurable.
Use the External Data Feeder for NFO component for the initial load and periodic updates of this threat list.
Please contact support@netflowlogic.com if you want to use your own feeds.
Parameters
Parameter Name | Description | Comments |
---|---|---|
Enable (1) or disable (0) reporting flow denied events | If set to 1, enable reporting firewall denied flows. If set to 0, firewall denied flows are not reported | default = 1 |
Enable (1) or disable (0) heartbeat messages | If set to 1, enable heartbeat messages | default = 0 |
Enable (1) or disable (0) reporting flow created and flow updated events | If set to 1, enable reporting firewall flow created and flow updated events. If set to 0, firewall flow created and flow updated events are not reported | default = 0 |
Data Collection Interval, sec | Module logic execution interval | min = 10 sec, max = 300 sec, default = 30 sec |
Known C&C hosts (ipv4_dst_addr) list | List of C&C IPv4 addresses | "Shadowserver C&C list" from Emerging Threats. This list is updated by External Data Feeder for NFO |
Input
NetFlow v5, v9, IPFIX, Cisco ASA NSEL, Palo Alto Networks NetFlow v9, sFlow.
Required NetFlow Fields
Information Element (IE) | IE id | IE size, B | Description |
---|---|---|---|
sourceIPv4Address | 8 | 4 | The IPv4 source address in the IP packet header |
destinationIPv4Address | 12 | 4 | The IPv4 destination address in the IP packet header |
sourceTransportPort | 7 | 2 | The source port identifier in the transport header. For the transport protocols UDP, TCP, and SCTP, this is the source port number given in the respective header. |
destinationTransportPort | 11 | 2 | The destination port identifier in the transport header. For the transport protocols UDP, TCP, and SCTP, this is the destination port number given in the respective header. |
octetDeltaCount | 1 | 4 or 8 | The number of octets since the previous report (if any) in incoming packets for this Flow at the Observation Point. The number of octets includes IP header(s) and IP payload. |
Syslog/JSON Message Fields
Key | Field Description | Comments |
---|---|---|
nfc_id | Message type identifier | "nfc_id=20050" |
exp_ip | NetFlow exporter IPv4 address | <IPv4_address> |
src_ip | Source host IPv4 address | <IPv4_address> |
src_port | Source port | <number> |
dest_ip | Destination host IPv4 address | <IPv4_address> |
dest_port | Destination port | <number> |
flow_count | Number of flows | <number> |
bytes | Bytes total (Traffic) | <number> |
min_bytes | Minimum bytes count of flows | <number> |
max_bytes | Maximum bytes count of flows | <number> |
direction | Flow direction | <string>: "ingress" or "egress" |
t_int | Observation time interval, msec | <number> |
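The consolidation described above (match each flow against the C&C list, then report one record per 5-tuple with flow_count, bytes, min_bytes, max_bytes, direction and t_int), shown as an added Python example that is not the module's own code. The watchlist, exporter and flow records are constructed sample data, and the mapping of direction to "egress" (destination on the list) and "ingress" (source on the list) is an assumption, since the page does not define it.

```python
"""Consolidate flows that touch a C&C watchlist into nfc_id=20050 records.
Added example with constructed data; not the module's real feed or output."""
from dataclasses import dataclass
NFC_ID = 20050

@dataclass
class Flow:            # the NetFlow fields the module requires (see table above)
    exp_ip: str        # exporter address
    src_ip: str        # sourceIPv4Address
    src_port: int      # sourceTransportPort
    dest_ip: str       # destinationIPv4Address
    dest_port: int     # destinationTransportPort
    octets: int        # octetDeltaCount

def consolidate(flows, cnc_hosts, t_int_ms):
    """Keep only flows with a watchlisted endpoint; aggregate per 5-tuple and direction.
    Assumption (not on the page): destination on the list = "egress", source = "ingress"."""
    buckets = {}
    for f in flows:
        if f.dest_ip in cnc_hosts:
            direction = "egress"
        elif f.src_ip in cnc_hosts:
            direction = "ingress"
        else:
            continue                      # no C&C endpoint: not reported
        key = (f.exp_ip, f.src_ip, f.src_port, f.dest_ip, f.dest_port, direction)
        b = buckets.setdefault(key, {"flow_count": 0, "bytes": 0,
                                     "min_bytes": f.octets, "max_bytes": f.octets})
        b["flow_count"] += 1
        b["bytes"] += f.octets
        b["min_bytes"] = min(b["min_bytes"], f.octets)
        b["max_bytes"] = max(b["max_bytes"], f.octets)
    return [{"nfc_id": NFC_ID, "exp_ip": k[0], "src_ip": k[1], "src_port": k[2],
             "dest_ip": k[3], "dest_port": k[4], **b, "direction": k[5], "t_int": t_int_ms}
            for k, b in buckets.items()]

def to_syslog(msg):
    """Render one record as key=value pairs, e.g. 'nfc_id=20050 exp_ip=... direction=egress'."""
    return " ".join(f"{k}={v}" for k, v in msg.items())

# Constructed sample data using documentation-reserved address ranges (not real indicators).
CNC_HOSTS = {"203.0.113.10", "198.51.100.77"}
SAMPLE_FLOWS = [
    Flow("192.0.2.1", "10.0.0.5", 49152, "203.0.113.10", 443, 1200),
    Flow("192.0.2.1", "10.0.0.5", 49152, "203.0.113.10", 443, 800),
    Flow("192.0.2.1", "198.51.100.77", 6667, "10.0.0.9", 51000, 300),
    Flow("192.0.2.1", "10.0.0.5", 49153, "192.0.2.50", 80, 5000),   # not on the list: dropped
]

if __name__ == "__main__":
    for m in consolidate(SAMPLE_FLOWS, CNC_HOSTS, 30000):
        print(to_syslog(m))
```

Running the block prints two records for the 30 s interval: the two 10.0.0.5 flows to 203.0.113.10:443 collapse into one egress record with flow_count=2, and the benign flow to 192.0.2.50 produces nothing.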
Syslog/JSON Message Fields - Heartbeat
Key | Field Description | Comments |
---|---|---|
nfc_id | Message type identifier | "nfc_id=20050" |
type | Message type | <string>: "heartbeat" |
flow_count | Number of flows | <number> |
wl1_last_time | Watchlist 1 last update timestamp | <timestamp> |
t_int | Observation time interval, msec | <number> |