Asset Access Monitor (10014 / 20014)
Description
This Module monitors traffic to selected services, each characterized by an IP address, a destination port number and an IP protocol, and matches the observed communications against a list of authorized peers. The list of authorized peers may contain address ranges (address and prefix length) or addresses of individual hosts. For each service the Module reports communications with hosts outside the authorized peers list.
Parameters
Parameter Name | Description | Comments |
---|---|---|
Data Collection Interval, sec | Module logic execution interval | min = 5 sec, max = 600 sec, default = 30 sec |
List of protected IPv4 addresses, destination port numbers and IP protocols | Monitored Services List: one address,port,protocol triple per service, where protocol is the IANA protocol number | e.g. 67.202.0.0,80,6; 72.44.32.0,53,17 |
List of protected IPv6 addresses, destination port numbers and IP protocols | Monitored Services List, same format | e.g. 2620:0:2d0:200::7,80,6 |
Authorized Peers (IPv4 addresses and masks) | List of IPv4 address and prefix length pairs (the CIDR prefix length follows the address after a comma, not a slash); an entry may denote an address range or, with prefix length 32, a single host | e.g. 67.202.0.0,18; 72.44.32.0,24 |
Authorized Peers (IPv6 addresses and masks) | List of IPv6 address and prefix length pairs, same format; prefix length 128 denotes a single host | e.g. 2620:0:2d0:200::7,64 |
Input
NetFlow v5, v9, IPFIX, Cisco ASA NSEL, Palo Alto Networks NetFlow v9, sFlow.
Required NetFlow Fields
Information Element (IE) | IE id | IE size, B | Description |
---|---|---|---|
sourceIPv4Address or sourceIPv6Address | 8 or 27 | 4 or 16 | The IPv4 or IPv6 source address in the IP packet header |
destinationIPv4Address or destinationIPv6Address | 12 or 28 | 4 or 16 | The IPv4 or IPv6 destination address in the IP packet header |
protocolIdentifier | 4 | 1 | The value of the protocol number in the IP packet header. The protocol number identifies the IP packet payload type. Protocol numbers are defined in the IANA Protocol Numbers registry. |
sourceTransportPort | 7 | 2 | The source port identifier in the transport header. For the transport protocols UDP, TCP, and SCTP, this is the source port number given in the respective header. |
destinationTransportPort | 11 | 2 | The destination port identifier in the transport header. For the transport protocols UDP, TCP, and SCTP, this is the destination port number given in the respective header. |
Syslog/JSON Message Fields
Key | Field Description | Comments |
---|---|---|
nfc_id | Message type identifier | "nfc_id=20014" |
exp_ip | NetFlow exporter IP address | <IPv4_address> |
src_ip | Peer IPv4 address | <IPv4_address> |
src_ip6 | Peer IPv6 address | <IPv6_address> |
[src_host] | Peer host name | <string> |
dest_ip | Service IPv4 address | <IPv4_address> |
dest_ip6 | Service IPv6 address | <IPv6_address> |
[dest_host] | Service host name | <string> |
dest_port | Service transport port number | <number> |
protocol | IP protocol (TCP = 6, UDP = 17) | <number> |
flow_count | Number of observed flows | <number> |
bytes_in | Traffic received, bytes | <number> |
bytes_out | Traffic sent, bytes | <number> |
t_int | Observation time interval, msec | <number> |
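As an added example (not code from this page or from the product), the following Python sketch puts the Description, the Parameters table and the Syslog/JSON message table together: it parses the parameter strings in the documented "address,port,protocol" and "address,prefixlen" formats, runs one collection interval over constructed flow records, and emits one nfc_id=20014 message per exporter, unauthorized peer and service. The flow records, the exporter address and the direction bookkeeping are assumptions: the page does not say how flows in the service-to-peer direction are attributed, so the example counts a flow whose source address and source port are the service as bytes_out (which is the reason sourceTransportPort appears among the required fields), and a flow whose destination is the service as bytes_in.

```python
import ipaddress
from collections import defaultdict

# Constructed parameter values written in the formats the Parameters table shows
# ("addr,port,proto; ..." for services, "addr,prefixlen; ..." for peers).
PROTECTED_SERVICES_V4 = "67.202.0.0,80,6; 72.44.32.0,53,17"
PROTECTED_SERVICES_V6 = "2620:0:2d0:200::7,80,6"
AUTHORIZED_PEERS_V4 = "67.202.0.0,18; 72.44.32.0,24"
AUTHORIZED_PEERS_V6 = "2620:0:2d0:200::7,64"


def _entries(text):
    """Split an 'a,b,c; d,e,f' parameter string into lists of stripped fields."""
    return [[p.strip() for p in e.split(",")] for e in text.split(";") if e.strip()]


def parse_services(*texts):
    """Return the set of monitored (service_ip, dest_port, protocol) triples."""
    return {(ipaddress.ip_address(a), int(port), int(proto))
            for t in texts for a, port, proto in _entries(t)}


def parse_peers(*texts):
    """Return authorized peer networks; host bits of the address are masked off."""
    return [ipaddress.ip_network(f"{a}/{plen}", strict=False)
            for t in texts for a, plen in _entries(t)]


def is_authorized(peer_ip, peer_nets):
    # ip_network.__contains__ is False across address families, so a v4 peer
    # never matches a v6 range and vice versa.
    return any(peer_ip in net for net in peer_nets)


def monitor(flows, services, peer_nets, t_int_ms):
    """Process one collection interval of flow records and return one
    nfc_id=20014 message per (exporter, unauthorized peer, service) seen.

    Assumed direction rule: a flow whose destination is a monitored service
    is peer -> service (bytes_in); a flow whose source address and port are
    the service is service -> peer (bytes_out).
    """
    stats = defaultdict(lambda: {"flow_count": 0, "bytes_in": 0, "bytes_out": 0})
    for f in flows:
        src = ipaddress.ip_address(f["src_ip"])
        dst = ipaddress.ip_address(f["dst_ip"])
        proto = f["proto"]
        if (dst, f["dst_port"], proto) in services:      # peer -> service
            key, direction = (f["exp_ip"], src, dst, f["dst_port"], proto), "bytes_in"
        elif (src, f["src_port"], proto) in services:    # service -> peer (reply)
            key, direction = (f["exp_ip"], dst, src, f["src_port"], proto), "bytes_out"
        else:
            continue                                      # not a monitored service
        if is_authorized(key[1], peer_nets):
            continue                                      # expected peer, no report
        stats[key]["flow_count"] += 1
        stats[key][direction] += f["bytes"]

    messages = []
    for (exp_ip, peer, svc, port, proto), s in stats.items():
        v6 = peer.version == 6                            # pick src_ip6/dest_ip6 keys
        fields = [("nfc_id", 20014), ("exp_ip", exp_ip),
                  ("src_ip6" if v6 else "src_ip", peer),
                  ("dest_ip6" if v6 else "dest_ip", svc),
                  ("dest_port", port), ("protocol", proto),
                  ("flow_count", s["flow_count"]), ("bytes_in", s["bytes_in"]),
                  ("bytes_out", s["bytes_out"]), ("t_int", t_int_ms)]
        messages.append(" ".join(f"{k}={v}" for k, v in fields))
    return messages


# Constructed flow records, as a collector would decode them from NetFlow/IPFIX
# (IE 8/27, 12/28, 4, 7, 11 plus a byte counter). Not real traffic.
SAMPLE_FLOWS = [
    # authorized peer inside 67.202.0.0/18: suppressed
    dict(exp_ip="10.0.0.1", src_ip="67.202.10.5", src_port=40001, dst_ip="67.202.0.0", dst_port=80, proto=6, bytes=1500),
    # unknown peer reaching the web service, plus the service's reply flow
    dict(exp_ip="10.0.0.1", src_ip="198.51.100.7", src_port=51234, dst_ip="67.202.0.0", dst_port=80, proto=6, bytes=820),
    dict(exp_ip="10.0.0.1", src_ip="67.202.0.0", src_port=80, dst_ip="198.51.100.7", dst_port=51234, proto=6, bytes=4096),
    # unknown peer querying the DNS service; an in-range peer is suppressed
    dict(exp_ip="10.0.0.1", src_ip="203.0.113.9", src_port=53022, dst_ip="72.44.32.0", dst_port=53, proto=17, bytes=120),
    dict(exp_ip="10.0.0.1", src_ip="72.44.32.77", src_port=53023, dst_ip="72.44.32.0", dst_port=53, proto=17, bytes=130),
    # same unknown host, but port 22 is not a monitored service: ignored
    dict(exp_ip="10.0.0.1", src_ip="198.51.100.7", src_port=51300, dst_ip="72.44.32.0", dst_port=22, proto=6, bytes=64),
    # IPv6: off-prefix peer is reported, on-prefix peer (inside the /64) is not
    dict(exp_ip="10.0.0.1", src_ip="2001:db8::1", src_port=45000, dst_ip="2620:0:2d0:200::7", dst_port=80, proto=6, bytes=900),
    dict(exp_ip="10.0.0.1", src_ip="2620:0:2d0:200::99", src_port=45001, dst_ip="2620:0:2d0:200::7", dst_port=80, proto=6, bytes=700),
]

SERVICES = parse_services(PROTECTED_SERVICES_V4, PROTECTED_SERVICES_V6)
PEERS = parse_peers(AUTHORIZED_PEERS_V4, AUTHORIZED_PEERS_V6)


def run_example(t_int_ms=30000):
    """Run one 30-second interval (the default Data Collection Interval) over the sample flows."""
    return monitor(SAMPLE_FLOWS, SERVICES, PEERS, t_int_ms)


if __name__ == "__main__":
    for line in run_example():
        print(line)
```

Two details worth noticing when tuning the real module: the peer entry "2620:0:2d0:200::7,64" is stored as the network 2620:0:2d0:200::/64, so every host on that prefix is authorized, not only ::7; and a flow to a protected address on a port that is not in the service list (the port 22 flow above) is simply not seen by this Module, so it does not substitute for a general firewall-policy check.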