Host Reputation Monitor (10052 / 20052)

Description

This Module uses a host reputation database from AlienVault (www.alienvault.com) to report communications with malicious peers. Each entry in the reputation table holds the IPv4 address of a suspicious host and one or more host classifications (e.g. Scanning Host, Malicious Host, Malware Domain). The host reputation database contains approximately 260K entries.
The Module reports all communications of internal hosts with hosts included in the reputation database and provides consolidated information about these communications (flow count, byte totals, direction and classification) over a time interval. The observation interval (T, sec) is configurable.
Use the External Data Feeder for NFO component for the initial load and periodic updates of this threat list from https://reputation.alienvault.com/reputation.snort.

Parameters

Parameter Name | Description | Comments
Enable (1) or disable (0) reporting flow denied events | If set to 1, firewall denied flows are reported. If set to 0, firewall denied flows are not reported | default = 1
Enable (1) or disable (0) heartbeat messages | If set to 1, heartbeat messages are sent | default = 0
Enable (1) or disable (0) reporting flow created and flow updated events | If set to 1, firewall flow created and flow updated events are reported. If set to 0, they are not reported | default = 0
Data Collection Interval, sec | Module logic execution interval (the observation interval T) | min = 10 sec, max = 300 sec, default = 30 sec
Known malicious hosts list | List of known malicious peers | This list is loaded and updated by External Data Feeder for NFO

Input

NetFlow v5, v9, IPFIX, Cisco ASA NSEL, Palo Alto Networks NetFlow v9, sFlow.

Required NetFlow Fields

Information Element (IE) | IE id | IE size, B | Description
sourceIPv4Address | 8 | 4 | The IPv4 source address in the IP packet header
destinationIPv4Address | 12 | 4 | The IPv4 destination address in the IP packet header
sourceTransportPort | 7 | 2 | The source port identifier in the transport header. For the transport protocols UDP, TCP, and SCTP, this is the source port number given in the respective header.
destinationTransportPort | 11 | 2 | The destination port identifier in the transport header. For the transport protocols UDP, TCP, and SCTP, this is the destination port number given in the respective header.
octetDeltaCount | 1 | 4 or 8 | The number of octets since the previous report (if any) in incoming packets for this Flow at the Observation Point. The number of octets includes IP header(s) and IP payload.

Syslog/JSON Message Fields

Key | Field Description | Comments
nfc_id | Message type identifier | "nfc_id=20052"
exp_ip | NetFlow exporter IPv4 address | <IPv4_address>
src_ip | Source host IPv4 address | <IPv4_address>
src_port | Source port | <number>
dest_ip | Destination host IPv4 address | <IPv4_address>
dest_port | Destination port | <number>
flow_count | Number of flows consolidated into this message | <number>
bytes | Bytes total (Traffic) | <number>
min_bytes | Minimum bytes count of flows | <number>
max_bytes | Maximum bytes count of flows | <number>
direction | Flow direction | <string>: "ingress" or "egress"
reputation | Reputation classification of the listed peer | <string>: one of "Unexpected Host Reputation Classifier", "Scanning Host", "Malware Domain", "Malware IP", "Spamming", "C&C", "Malicious Host", "Malware distribution", "APT"
t_int | Observation time interval, msec | <number>
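The consolidation described above (match each flow against the reputation list, aggregate over one observation interval, emit one nfc_id=20052 message per peer pair) can be shown end to end. The following is an added example and is not NetFlow Optimizer's own code. Everything not stated on this page is an assumption made for illustration: the "<ip> # <classification>" line layout of the feed, the RFC 1918 definition of "internal", the rule that a flow is "ingress" when the listed host is the source and "egress" when it is the destination, the comma-joining of multiple classifications into the single reputation string, and all sample data.

```python
"""Added example: consolidate NetFlow records against a host reputation
list and emit messages with the nfc_id=20052 fields documented above.
Illustrative code, not the module's implementation."""
import ipaddress
import json
from collections import defaultdict

# Classifications the page lists for the "reputation" field; any other
# label in the feed is reported under the fallback value.
KNOWN_CLASSIFICATIONS = {
    "Scanning Host", "Malware Domain", "Malware IP", "Spamming", "C&C",
    "Malicious Host", "Malware distribution", "APT",
}
FALLBACK = "Unexpected Host Reputation Classifier"

# Constructed sample threat list. The "<ip> # <classification>" layout is
# an assumption for this example, not a description of the real feed.
SAMPLE_FEED = """\
# constructed sample, not real reputation data
198.51.100.7 # Scanning Host
203.0.113.45 # C&C
192.0.2.200 # Some New Category
192.0.2.200 # Malicious Host
"""

def load_reputation(feed_text):
    """Return {ip: set(classifications)}; unknown labels map to FALLBACK."""
    rep = defaultdict(set)
    for line in feed_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ip, _, label = line.partition("#")
        ip, label = ip.strip(), label.strip()
        try:
            ipaddress.IPv4Address(ip)        # the list is IPv4-only
        except ValueError:
            continue                         # skip malformed entries
        rep[ip].add(label if label in KNOWN_CLASSIFICATIONS else FALLBACK)
    return dict(rep)

# Assumed definition of "internal hosts": RFC 1918 space.
INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip):
    addr = ipaddress.IPv4Address(ip)
    return any(addr in net for net in INTERNAL)

def consolidate(flows, rep, exp_ip, t_int_ms):
    """Aggregate one observation interval of flows into 20052 messages.

    Each flow carries the required NetFlow fields (src_ip, dest_ip,
    src_port, dest_port, bytes). Flows whose peer is not on the list are
    dropped. Direction rule (assumed): "ingress" when the listed host is
    the source, "egress" when it is the destination.
    """
    buckets = {}
    for f in flows:
        if f["src_ip"] in rep and is_internal(f["dest_ip"]):
            direction, listed = "ingress", f["src_ip"]
        elif f["dest_ip"] in rep and is_internal(f["src_ip"]):
            direction, listed = "egress", f["dest_ip"]
        else:
            continue
        key = (f["src_ip"], f["src_port"], f["dest_ip"], f["dest_port"])
        b = buckets.setdefault(key, {
            "nfc_id": 20052, "exp_ip": exp_ip,
            "src_ip": key[0], "src_port": key[1],
            "dest_ip": key[2], "dest_port": key[3],
            "flow_count": 0, "bytes": 0,
            "min_bytes": f["bytes"], "max_bytes": f["bytes"],
            "direction": direction,
            # Assumption: several classifications joined into one string.
            "reputation": ", ".join(sorted(rep[listed])),
            "t_int": t_int_ms,               # T is reported in msec
        })
        b["flow_count"] += 1
        b["bytes"] += f["bytes"]
        b["min_bytes"] = min(b["min_bytes"], f["bytes"])
        b["max_bytes"] = max(b["max_bytes"], f["bytes"])
    return list(buckets.values())

# Constructed flows for one 30 s interval seen by exporter 10.0.0.1.
SAMPLE_FLOWS = [
    {"src_ip": "10.1.1.5", "src_port": 51000, "dest_ip": "203.0.113.45", "dest_port": 443, "bytes": 1200},
    {"src_ip": "10.1.1.5", "src_port": 51000, "dest_ip": "203.0.113.45", "dest_port": 443, "bytes": 800},
    {"src_ip": "198.51.100.7", "src_port": 40000, "dest_ip": "10.1.1.9", "dest_port": 22, "bytes": 60},
    {"src_ip": "10.1.1.5", "src_port": 51001, "dest_ip": "198.51.100.99", "dest_port": 80, "bytes": 500},  # not listed
    {"src_ip": "10.1.1.7", "src_port": 52000, "dest_ip": "192.0.2.200", "dest_port": 8080, "bytes": 300},
]

def run_example():
    rep = load_reputation(SAMPLE_FEED)
    return consolidate(SAMPLE_FLOWS, rep, "10.0.0.1", 30 * 1000)

if __name__ == "__main__":
    for msg in run_example():
        print(json.dumps(msg))
```

Two details worth noting: the two flows between 10.1.1.5 and 203.0.113.45 collapse into one message with flow_count 2, bytes 2000, min_bytes 800 and max_bytes 1200, which is what "consolidated information over a time interval" means in practice; and the entry for 192.0.2.200 shows how an unrecognised feed label ends up as "Unexpected Host Reputation Classifier" alongside its known one rather than being silently dropped.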

Syslog/JSON Message Fields - Heartbeat

Key | Field Description | Comments
nfc_id | Message type identifier | "nfc_id=20052"
type | Message type | <string>: "heartbeat"
flow_count | Number of flows | <number>
wl1_last_time | Watchlist 1 last update timestamp | <timestamp>
t_int | Observation time interval, msec | <number>