Threat Feeds Monitor (10053 / 20053)
Description​
This Module monitors traffic originated from known threat feeds:
- List of attacking IP address ranges: http://feeds.dshield.org/block.txt
- List of suspicious domains: https://secure.dshield.org/feeds/suspiciousdomains_High.txt
The Module reports all communications of internal hosts with known suspicious domains (IP addresses are resolved from the list of domain names using your DNS) and IP addresses blocks, and provides consolidated information about these communications over a time interval. The observation interval (T, sec) is configurable.
Use External Data Feeder for NFO component for initial load and periodic updates of these threat list parameters.
Please contact support@netflowlogic.com if you want to use your own feeds.
Parameters​
| Parameter Name | Description | Comments |
|---|---|---|
| Enable(1) or disable (0) reporting flow denied events | If set to 1, enable reporting firewall denied flows. If set to 0, firewall denied flows are not reported | default = 1 |
| Enable(1) or disable (0) heartbeat messages | If set to 1, enable heartbeat messages | default = 0 |
| Enable(1) or disable (0) reporting flow created and flow updated events | If set to 1, enable reporting firewall flow created and flow updated events. If set to 0, firewall flow created and flow updated events are not reported | default = 0 |
| Data Collection Interval, sec | Module logic execution interval | min = 10 sec, max = 300 sec, default = 30 sec |
| Known Threat Feeds hosts (ipv4_dst_addr) list | List of known Threat Feeds addresses resolved using DNS | This list is loaded and updated by External Data Feeder for NFO |
| Known Threat Feeds IPv4 address ranges list | List of known Threat Feeds address ranges | This list is loaded and updated by External Data Feeder for NFO |
Input ​
NetFlow v5, v9, IPFIX, Cisco ASA NSEL, Palo Alto Networks NetFlow v9, sFlow.
Required NetFlow Fields​
| Information Element (IE) | IE id | IE size, B | Description |
|---|---|---|---|
| sourceIPv4Address | 8 | 4 | The IPv4 source address in the IP packet header |
| destinationIPv4Address | 12 | 4 | The IPv4 destination address in the IP packet header |
| sourceTransportPort | 7 | 2 | The source port identifier in the transport header. For the transport protocols UDP, TCP, and SCTP, this is the source port number given in the respective header. |
| destinationTransportPort | 11 | 2 | The destination port identifier in the transport header. For the transport protocols UDP, TCP, and SCTP, this is the destination port number given in the respective header. |
| octetDeltaCount | 1 | 4 or 8 | The number of octets since the previous report (if any) in incoming packets for this Flow at the Observation Point. The number of octets includes IP header(s) and IP payload. |
Syslog/JSON Message Fields​
| Key | Field Description | Comments |
|---|---|---|
| nfc_id | Message type identifier | "nfc_id=20053" |
| exp_ip | NetFlow exporter IPv4 address | <IPv4_address> |
| src_ip | Source host IPV4 address | <IPv4_address> |
| src_port | Source port | <number> |
| dest_ip | Destination host IPv4 address | <IPv4_address> |
| dest_port | Destination port | <number> |
| origin | Communication origin | <string> = host | block |
| flow_count | Number of flows | <number> |
| bytes | Bytes total (Traffic) | <number> |
| min_bytes | Minimum bytes count of flows | <number> |
| max_bytes | Maximum bytes count of flows | <number> |
| direction | Flow direction | <string>: "ingress" or "egress" |
| t_int | Observation time interval, msec | <number> |
Syslog/JSON Message Fields - Heartbeat​
| Key | Field Description | Comments |
|---|---|---|
| nfc_id | Message type identifier | "nfc_id=20053" |
| type | Message type | <string>: "heartbeat" |
| flow_count | Number of flows | <number> |
| wl1_last_time | Watchlist 1 last update timestamp | <timestamp> |
| wl2_last_time | Watchlist 2 last update timestamp | <timestamp> |
| t_int | Observation time interval, msec | <number> |