Version: 2.11.0

Host Reputation Monitor (10052 / 20052)

Description

This Module uses a host reputation database from Alienvault (www.alienvault.com) to report communications with malicious peers. The reputation table provides a suspicious host IPv4 address and one or more host classifications (e.g. Scanning Host, Malicious Host, Malware Domain). The host reputation database size is approximately 260K entries.

The Module reports all communications of internal hosts with the hosts included in the reputation database and provides consolidated information about these communications over a time interval. The observation interval (T, sec) is configurable.

Use the External Data Feeder for NFO component for the initial load and periodic updates of this threat list from https://reputation.alienvault.com/reputation.snort.

Parameters

| Parameter Name | Description | Comments |
|---|---|---|
| Enable (1) or disable (0) reporting flow denied events | If set to 1, enable reporting firewall denied flows. If set to 0, firewall denied flows are not reported | default = 1 |
| Enable (1) or disable (0) heartbeat messages | If set to 1, enable heartbeat messages | default = 0 |
| Enable (1) or disable (0) reporting flow created and flow updated events | If set to 1, enable reporting firewall flow created and flow updated events. If set to 0, firewall flow created and flow updated events are not reported | default = 0 |
| Data Collection Interval, sec | Module logic execution interval | min = 10 sec, max = 300 sec, default = 30 sec |
| Known malicious hosts list | List of known malicious peers | This list is loaded and updated by External Data Feeder for NFO |

Input

NetFlow v5, v9, IPFIX, Cisco ASA NSEL, Palo Alto Networks NetFlow v9, sFlow.

Required NetFlow Fields

| Information Element (IE) | IE id | IE size, B | Description |
|---|---|---|---|
| sourceIPv4Address | 8 | 4 | The IPv4 source address in the IP packet header |
| destinationIPv4Address | 12 | 4 | The IPv4 destination address in the IP packet header |
| sourceTransportPort | 7 | 2 | The source port identifier in the transport header. For the transport protocols UDP, TCP, and SCTP, this is the source port number given in the respective header. |
| destinationTransportPort | 11 | 2 | The destination port identifier in the transport header. For the transport protocols UDP, TCP, and SCTP, this is the destination port number given in the respective header. |
| octetDeltaCount | 1 | 4 or 8 | The number of octets since the previous report (if any) in incoming packets for this Flow at the Observation Point. The number of octets includes IP header(s) and IP payload. |

Syslog/JSON Message Fields

| Key | Field Description | Comments |
|---|---|---|
| nfc_id | Message type identifier | "nfc_id=20052" |
| list_name | Name of threat list configured | string |
| exp_ip | NetFlow exporter IPv4 address | IPv4_address |
| exp_ip6 | NetFlow exporter IPv6 address | IPv6_address |
| src_ip | Source host IPv4 address | IPv4_address |
| src_port | Source port | number |
| dest_ip | Destination host IPv4 address | IPv4_address |
| dest_port | Destination port | number |
| flow_count | Number of flows | number |
| bytes | Bytes total (Traffic) | number |
| min_bytes | Minimum bytes count of flows | number |
| max_bytes | Maximum bytes count of flows | number |
| direction | Flow direction | string: "ingress" or "egress" |
| reputation | Reputation | string: "Unexpected Host Reputation Classifier", "Scanning Host", "Malware Domain", "Malware IP", "Spamming", "Malicious Host", "Malware distribution", "APT" |
| t_int | Observation time interval, msec | number |

Syslog/JSON Message Fields - Heartbeat

| Key | Field Description | Comments |
|---|---|---|
| nfc_id | Message type identifier | "nfc_id=20052" |
| type | Message type | string: "heartbeat" |
| flow_count | Number of flows | number |
| wl1_last_time | Watchlist 1 last update timestamp | timestamp |
| t_int | Observation time interval, msec | number |
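To illustrate how a downstream consumer (a SIEM parser or triage script) can handle both message formats above, here is an added Python example; it is not NFO's own code. It assumes the syslog form is space-separated key=value pairs as the "nfc_id=20052" comment suggests, that the direction field is relative to the monitored network (egress: src_ip is the internal host; ingress: dest_ip is the internal host), and it uses constructed sample lines. It skips heartbeat messages and totals flows, bytes and distinct malicious peers per internal host and reputation class.

```python
import re
from collections import defaultdict

# Constructed sample messages (addresses and counts are made up for illustration).
SAMPLE_MESSAGES = [
    'nfc_id=20052 list_name=alienvault exp_ip=10.0.0.1 src_ip=192.0.2.10 src_port=51000 '
    'dest_ip=198.51.100.7 dest_port=443 flow_count=3 bytes=12000 min_bytes=1200 '
    'max_bytes=9000 direction=egress reputation="Malware IP" t_int=30000',
    'nfc_id=20052 list_name=alienvault exp_ip=10.0.0.1 src_ip=203.0.113.5 src_port=40000 '
    'dest_ip=192.0.2.10 dest_port=22 flow_count=15 bytes=4500 min_bytes=300 '
    'max_bytes=300 direction=ingress reputation="Scanning Host" t_int=30000',
    'nfc_id=20052 type=heartbeat flow_count=1200 wl1_last_time=1700000000 t_int=30000',
    'nfc_id=20052 list_name=alienvault exp_ip=10.0.0.1 src_ip=192.0.2.10 src_port=51001 '
    'dest_ip=198.51.100.7 dest_port=443 flow_count=2 bytes=8000 min_bytes=4000 '
    'max_bytes=4000 direction=egress reputation="Malware IP" t_int=30000',
]

# key=value where the value is either a double-quoted string (may contain spaces,
# e.g. reputation="Malware IP") or a run of non-space characters.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_message(line):
    """Return the key=value fields of one NFO syslog line as a dict."""
    return {k: (q if v.startswith('"') else v) for k, v, q in KV_RE.findall(line)}


def summarize(lines):
    """Aggregate reputation hits per (internal host, reputation class).

    Assumption (not stated on the page): 'direction' is relative to the
    monitored network, so the internal host is src_ip for egress and
    dest_ip for ingress. Returns (totals, number_of_heartbeats).
    """
    totals = defaultdict(lambda: {"flows": 0, "bytes": 0, "peers": set()})
    heartbeats = 0
    for line in lines:
        msg = parse_message(line)
        if msg.get("nfc_id") != "20052":
            continue  # not a Host Reputation Monitor message
        if msg.get("type") == "heartbeat":
            heartbeats += 1  # liveness only; carries no peer information
            continue
        if msg["direction"] == "egress":
            internal, peer = msg["src_ip"], msg["dest_ip"]
        else:
            internal, peer = msg["dest_ip"], msg["src_ip"]
        entry = totals[(internal, msg["reputation"])]
        entry["flows"] += int(msg["flow_count"])
        entry["bytes"] += int(msg["bytes"])
        entry["peers"].add(peer)
    return dict(totals), heartbeats
```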