Host Reputation Monitor (10052 / 20052)
Description
This Module uses a host reputation database from Alienvault (www.alienvault.com) to report communications with malicious peers. Each entry in the reputation table provides a suspicious host's IPv4 address and one or more host classifications (e.g. Scanning Host, Malicious Host, Malware Domain). The host reputation database contains approximately 260K entries.
The Module reports all communications of internal hosts with the hosts included in the reputation database and provides consolidated information about these communications over a time interval. The observation interval (T, sec) is configurable.
Use the External Data Feeder for NFO component for the initial load and the periodic updates of this threat list from https://reputation.alienvault.com/reputation.snort.
Parameters
Parameter Name | Description | Comments |
---|---|---|
Enable (1) or disable (0) reporting flow denied events | If set to 1, enable reporting firewall denied flows. If set to 0, firewall denied flows are not reported | default = 1 |
Enable (1) or disable (0) heartbeat messages | If set to 1, enable heartbeat messages | default = 0 |
Enable (1) or disable (0) reporting flow created and flow updated events | If set to 1, enable reporting firewall flow created and flow updated events. If set to 0, firewall flow created and flow updated events are not reported | default = 0 |
Data Collection Interval, sec | Module logic execution interval | min = 10 sec, max = 300 sec, default = 30 sec |
Known malicious hosts list | List of known malicious peers | This list is loaded and updated by External Data Feeder for NFO |
Input
NetFlow v5, v9, IPFIX, Cisco ASA NSEL, Palo Alto Networks NetFlow v9, sFlow.
Required NetFlow Fields
Information Element (IE) | IE id | IE size, B | Description |
---|---|---|---|
sourceIPv4Address | 8 | 4 | The IPv4 source address in the IP packet header |
destinationIPv4Address | 12 | 4 | The IPv4 destination address in the IP packet header |
sourceTransportPort | 7 | 2 | The source port identifier in the transport header. For the transport protocols UDP, TCP, and SCTP, this is the source port number given in the respective header. |
destinationTransportPort | 11 | 2 | The destination port identifier in the transport header. For the transport protocols UDP, TCP, and SCTP, this is the destination port number given in the respective header. |
octetDeltaCount | 1 | 4 or 8 | The number of octets since the previous report (if any) in incoming packets for this Flow at the Observation Point. The number of octets includes IP header(s) and IP payload. |
Syslog/JSON Message Fields
Key | Field Description | Comments |
---|---|---|
nfc_id | Message type identifier | "nfc_id=20052" |
exp_ip | NetFlow exporter IPv4 address | <IPv4_address> |
src_ip | Source host IPv4 address | <IPv4_address> |
src_port | Source port | <number> |
dest_ip | Destination host IPv4 address | <IPv4_address> |
dest_port | Destination port | <number> |
flow_count | Number of flows | <number> |
bytes | Bytes total (Traffic) | <number> |
min_bytes | Minimum bytes count of flows | <number> |
max_bytes | Maximum bytes count of flows | <number> |
direction | Flow direction | <string>: "ingress" or "egress" |
reputation | Reputation | <string>: "Unexpected Host Reputation Classifier", "Scanning Host", "Malware Domain", "Malware IP", "Spamming", "C&C", "Malicious Host", "Malware distribution", "APT" |
t_int | Observation time interval, msec | <number> |
Syslog/JSON Message Fields - Heartbeat
Key | Field Description | Comments |
---|---|---|
nfc_id | Message type identifier | "nfc_id=20052" |
type | Message type | <string>: "heartbeat" |
flow_count | Number of flows | <number> |
wl1_last_time | Watchlist 1 last update timestamp | <timestamp> |
t_int | Observation time interval, msec | <number> |