Top Traffic Monitor Geo Country (10967 / 20967)
Description
This Module identifies the hosts with the most traffic. Over each Data Collection Interval it consolidates the NetFlow records that share the same combination of the following fields:
- Source IP address
- Destination IP address
- Source port number
- Destination port number
- Layer 3 protocol
- Input interface
- Output interface
This information is provided per NetFlow exporter.
The reputation field is populated as follows:
The watch list parameter “Known malicious hosts list” must be specified. The Module first checks whether the destination IP is in this watch list; if it is, the reputation value is reported and the rep_ip field is populated with the destination IP address. Otherwise the source IP is checked in the same way; if it matches, the reputation value is reported and rep_ip is populated with the source IP.
Country codes for both the source IP and the destination IP are provided based on the “IPv4 address block and country code” watch list.
Parameters
Parameter Name | Description | Comments |
---|---|---|
Data Collection Interval, sec | Module logic execution interval | min = 5 sec, max = 600 sec, default = 30 sec |
N – number of reported hosts | The number of top hosts reported per NetFlow exporter | min = 0, max = 100000, default = 50 (0 indicates all hosts are reported) |
Known malicious hosts list | List of known malicious peers | AlienVault Reputation database (OTX) |
IPv4 address block and country code | Mapping of country codes to IP address blocks | This list is updated by External Data Feeder for NFO (EDFN), which uses the MaxMind GeoLite Country database as a source. See note below: |
Starting from January 1 2020 you need to register with MaxMind to get the free GeoLite2 database. Please see https://dev.maxmind.com/geoip/geoip2/geolite2/ for more details.
Once you register and generate your new license key, replace "YOUR_LICENSE_KEY" with it in the URL field of the EDFN Agent:
https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-Country-CSV&license_key=YOUR_LICENSE_KEY&suffix=zip
Input
NetFlow v5, v9, IPFIX, Cisco ASA NSEL, Palo Alto Networks NetFlow v9, sFlow.
Required NetFlow Fields
Information Element (IE) | IE id | IE size, B | Description |
---|---|---|---|
IPv4 | |||
sourceIPv4Address | 8 | 4 | The IPv4 source address in the IP packet header |
destinationIPv4Address | 12 | 4 | The IPv4 destination address in the IP packet header |
IPv6 | |||
sourceIPv6Address | 27 | 16 | The IPv6 source address in the IP packet header |
destinationIPv6Address | 28 | 16 | The IPv6 destination address in the IP packet header |
Syslog/JSON Message Fields
Key | Field Description | Comments |
---|---|---|
nfc_id | Message type identifier | "nfc_id=20967" |
exp_ip | NetFlow exporter IP address | <IPv4_address> |
input_snmp | NetFlow exporter ingress interface SNMP index | <number> |
output_snmp | NetFlow exporter egress interface SNMP index | <number> |
[protocol] (1) | Transport Protocol (TCP = 6, UDP = 17) | <number> |
src_ip | Source host IPv4 address | <IPv4_address> |
src_ip6 | Source host IPv6 address | <IPv6_address> |
[src_host] (2) | Source host name | <string>, included when FQDN is on |
src_port | Source port number | <number> |
dest_ip | Destination host IPv4 address | <IPv4_address> |
dest_ip6 | Destination host IPv6 address | <IPv6_address> |
[dest_host] (2) | Destination host name | <string>, included when FQDN is on |
dest_port | Destination port number | <number> |
tcp_flag | Cumulative OR of TCP flags | <string>, e.g. "SYN,ACK,FIN" |
packets_in | Packets in the flow received by the input interface | <number> |
bytes_in | Total number of Layer 3 bytes in the packets of the flow received by the input interface | <number> |
src_tos | Inbound IP type of service | <number> |
dest_tos | Outbound IP type of service | <number> |
src_asn | Source AS | <number> |
dest_asn | Destination AS | <number> |
flow_count | Number of Flows | <number> |
percent_of_total | Percent of Total (bytes) | <decimal>, e.g. 25.444% is 25.444 |
[flow_smpl_id] | Flow Sampler ID | <number> |
[reputation] (3) | Reputation classification of the matched host | <string>: "Unexpected Host Reputation Classifier", "Scanning Host", "Malware Domain", "Malware IP", "Spamming", "C&C", "Malicious Host", "Malware distribution", "APT" |
[rep_ip] (3) | Reputation IP | Actual IP address (source or destination) found in Reputation database |
[src_cc] (4) | Source IP country code | ISO-3166-1 Alpha 2 country code (a two-character country designation, e.g. US) |
[dest_cc] (4) | Destination IP country code | ISO-3166-1 Alpha 2 country code (a two-character country designation, e.g. US) |
t_int | Observation time interval, msec | <number> |
(1) Protocol field is optional. It is reported only if there is a corresponding field in the NetFlow record.
(2) Host name field is optional and included only if FQDN Service is enabled.
(3) This field is omitted if neither the source nor the destination IP is found in the Reputation database.
(4) This field is omitted if no MaxMind database is set up.
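The consolidation, reputation precedence and country lookup described in the Description section, producing records with the Syslog/JSON keys listed above, as an added Python illustration that is not NetFlow Optimizer code. The watch lists, the exporter address 10.0.0.1 and the flow records are constructed sample data standing in for the OTX and MaxMind feeds.

```python
import ipaddress
from collections import defaultdict
# Constructed watch lists standing in for the OTX and MaxMind feeds.
MALICIOUS = {"203.0.113.9": "Scanning Host", "198.51.100.7": "C&C"}
COUNTRY_BLOCKS = [(ipaddress.ip_network("192.0.2.0/24"), "US"),
                  (ipaddress.ip_network("203.0.113.0/24"), "DE"),
                  (ipaddress.ip_network("198.51.100.0/24"), "FR")]
# The seven fields whose combination defines one consolidated record.
KEY = ("src_ip", "dest_ip", "src_port", "dest_port", "protocol", "input_snmp", "output_snmp")
# Constructed NetFlow records from one Data Collection Interval of exporter 10.0.0.1.
FLOWS = [dict(zip(("exp_ip",) + KEY + ("bytes_in", "packets_in"), r)) for r in [
    ("10.0.0.1", "192.0.2.10", "203.0.113.9", 51000, 443, 6, 1, 2, 6000, 10),
    ("10.0.0.1", "192.0.2.10", "203.0.113.9", 51000, 443, 6, 1, 2, 2000, 5),
    ("10.0.0.1", "198.51.100.7", "192.0.2.20", 53, 40000, 17, 2, 1, 2000, 4)]]

def country(ip):
    """Longest-prefix match of ip against the country-code watch list, or None."""
    addr = ipaddress.ip_address(ip)
    hits = [(n.prefixlen, cc) for n, cc in COUNTRY_BLOCKS if addr in n]
    return max(hits)[1] if hits else None

def reputation(src, dest):
    """Destination IP is checked first, then source; rep_ip is the one that matched."""
    for ip in (dest, src):
        if ip in MALICIOUS:
            return MALICIOUS[ip], ip
    return None, None

def top_traffic(flows, n=50):
    """Consolidate flows per exporter and report the top N records by bytes (N=0: all)."""
    agg = defaultdict(lambda: {"flow_count": 0, "bytes_in": 0, "packets_in": 0})
    total = defaultdict(int)  # bytes per exporter, for percent_of_total
    for f in flows:
        k = (f["exp_ip"],) + tuple(f[x] for x in KEY)
        agg[k]["flow_count"] += 1
        agg[k]["bytes_in"] += f["bytes_in"]
        agg[k]["packets_in"] += f["packets_in"]
        total[f["exp_ip"]] += f["bytes_in"]
    out = defaultdict(list)
    for k, v in agg.items():
        exp, rec = k[0], dict(zip(KEY, k[1:]))
        rec.update(v, nfc_id=20967, exp_ip=exp, percent_of_total=round(100 * v["bytes_in"] / total[exp], 3))
        rep, rep_ip = reputation(rec["src_ip"], rec["dest_ip"])
        if rep:  # reputation/rep_ip are omitted when neither IP is on the list
            rec.update(reputation=rep, rep_ip=rep_ip)
        for side in ("src", "dest"):  # src_cc/dest_cc omitted when no block matches
            if (cc := country(rec[side + "_ip"])) is not None:
                rec[side + "_cc"] = cc
        out[exp].append(rec)
    return {e: sorted(r, key=lambda x: -x["bytes_in"])[:n or None] for e, r in out.items()}
```

With the sample flows, the two records to 203.0.113.9 merge into one entry carrying 80% of the exporter's bytes and the destination's reputation, while the DNS reply from 198.51.100.7 is attributed to the source IP because its destination is not on the list.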