
NetFlow Integrator Standard User Guide
Version 2.4.2 (Build 2.4.2.0.11), November 2015
Copyright 2012, 2013 NetFlow Logic Corporation. All rights reserved. Patents Pending.

Contents

About this Guide ... 3
  Introduction ... 3
  What Are Modules and Converters? ... 3
  How NFI Updater Works ... 5
  How to Use this Guide ... 5
Solutions at a Glance ... 6
Modules Specifications ... 8
  Network Traffic and Devices Monitoring ... 8
    Network Subnets Monitor (10011 / 20011) ... 8
    TCP Health (10060 / 20060) ... 9
    Top Connections Monitor (10063 / 20063) ... 10
    Top Host Pairs (10064 / 20064) ... 12
    Traffic by CBQoS (10065 / 20065) ... 14
    Traffic by Autonomous Systems (10066 / 20066) ... 15
    Top Traffic Monitor (10067 / 20067) ... 16
    Top Packets Monitor (10068 / 20068) ... 18
  Enhanced Traffic Monitor ... 20
    Top Traffic Monitor (10967 / 20967) ... 20
  Network Bandwidth Consumption Monitor by Application for Blue Coat PacketShaper ... 23
    Network Bandwidth Consumption Monitor (10964 / 20964) ... 23
  Security ... 26
    Hosts Geographical Location Monitor (10040 / 20040) ... 26
    Botnet Command and Control Traffic Monitor (10050 / 20050) ... 27
    APT1 Monitor (10051 / 20051) ... 29
    Host Reputation Monitor (10052 / 20052) ... 29
    Threat Feeds Monitor (10053 / 20053) ... 31
  Email ... 33
    Outbound Mail Spammers Monitor (10025 / 20025) ... 33
    Inbound Mail Spammers Monitor (10026 / 20026) ... 34
    Unauthorized Mail Servers Monitor (10027 / 20027) ... 35
    Rejected Emails Monitor (10028 / 20028) ... 37
  Services Monitor ... 38
    DNS Monitor (10004 / 20004, 20005) ... 38
    Asset Access Monitor (10014 / 20014) ... 40
    Services Performance Monitor (10017 / 20017) ... 41
  Cisco ASA Devices Monitoring ... 43
    Top Bandwidth Consumers for Cisco ASA (10018 / 20018) ... 43
    Top Traffic Destinations for Cisco ASA (10019 / 20019) ... 45
    Top Policy Violators for Cisco ASA (10020 / 20020) ... 46
    Top Hosts with most Connections for Cisco ASA (10021 / 20021) ... 47
  Palo Alto Networks Devices Monitoring ... 48
    Top Bandwidth Consumers for Palo Alto Networks (10030 / 20030) ... 48
    Top Traffic Destinations for Palo Alto Networks (10031 / 20031) ... 49
    Hosts with Most Policy Violations for Palo Alto Networks (10032 / 20032) ... 50
    Most Active Hosts for Palo Alto Networks (10033 / 20033) ... 52
    Bandwidth Consumption per Application for Palo Alto Networks (10034 / 20034) ... 53
    Bandwidth Consumption per Application and Users for Palo Alto Networks (10035 / 20035) ... 54
  VMware ... 55
    Top VM:Host Pairs (10164 / 20164) ... 55
    Top VM Traffic Monitor (10167 / 20167) ... 56
  Utilities ... 58
    Sampling Monitor (10002 / 20002) ... 58
    SNMP Information Monitor (10003 / 20003) ... 59
  Special Converters ... 60
    Original Flow Data (20001) ... 60
    sFlow Data (20800, 20900) ... 62
    FDR Packeteer-2 Flow Data (20010) ... 63
Appendix ... 67
  NetFlow v5 - NetFlow v9 Field Types Mapping ... 67
  Modules NetFlow for Splunk App X-Reference ... 68

NetFlow Integrator Standard User Guide NetFlow Logic Confidential 1

About this Guide

Introduction

Use this document to learn about NetFlow Integrator's Modules and Converters, Updater, and Services: their functionality, inputs, outputs, and configuration parameters.

NetFlow Integrator (NFI) is a software-only processing engine for network flow data (NetFlow, IPFIX, sFlow, etc.). It is not a NetFlow collector. NetFlow Integrator accepts network flow data from network devices (routers, switches, firewalls), applies map-reduce algorithms to the data to extract the information needed to address the desired use cases, converts the processed data to syslog (or other formats such as JSON), then sends that useful information to your visualization platform or SIEM (e.g. VMware vRealize Log Insight, VMware vRealize Operations, or Splunk Enterprise).

By enabling the appropriate Modules and Converters, you turn on specific functionality within NetFlow Integrator. For example, you can monitor:

- your network conversations and hosts' behavior
- your network devices
- your network traffic reported by Cisco ASA NetFlow Secure Event Logging (NSEL)

Many other use cases are expressed via the Modules.

What Are Modules and Converters?

NetFlow data is notoriously voluminous. Traditionally, all NetFlow records generated by network devices are captured and stored for later interpretation. Capturing every NetFlow record without understanding the significance of the information the records contain creates tremendous storage and data analysis problems. A mid-range 20Gb device in a large office can process tens of thousands of network exchanges per second, which results in a hundred thousand NetFlow records per second. Assuming that each NetFlow record is 100 bytes long, storing data at this rate would take 8.6TB of disk space every day. Even a smaller switch, router or firewall that processes 10 times fewer network connections produces 860GB of flow data every day.

NetFlow Integrator Modules and Converters are designed to provide solutions for specific use cases and at the same time reduce the amount of data that needs to be stored by orders of magnitude, without losing information veracity. The Modules and Converters are packaged into Module Set packages. Each Module consists of one or more content-based rules and one or more time-based triggers (called the Data Collection Interval). Converters provide mechanisms for translating the information emitted by the Modules into a format suitable for further processing. See the Solutions at a Glance section below for more details.

Let us consider a typical example: a network administrator would like to know how the bandwidth of his Cisco ASA firewall is consumed. This is not possible using traditional Cisco ASA logging, because setting logging at the Informational level severely impacts device performance. A better approach is to use Cisco ASA NetFlow Secure Event Logging (NSEL), but the sheer volume of NSEL data may overwhelm traditional NetFlow collectors. This is where NetFlow Integrator's Modules mechanism comes to the rescue.

The diagram below shows how data reduction is implemented in the Top Bandwidth Consumers Module. This Module employs an in-memory Map-Shuffle-Reduce algorithm. To report the top 50 bandwidth consumers, the Module sums up bytes by source IP, processing every single flow record over a short period of time (e.g. 30 seconds) (Map); the data is then sorted by accumulated bytes (Shuffle); finally the top 50 records are retrieved (Reduce), converted to syslog, and sent to a SIEM system (e.g. Splunk). Thus this Module processes thousands of flow records per second and reports only the top 50 bandwidth consumers every 30 seconds, which are typically responsible for 98%-99% of all traffic.

NFI Modules' use cases are not limited to NetFlow consolidation. Another diagram below shows how a security-oriented NFI Module reports all malicious network conversations based on threat lists.
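The Map, Shuffle and Reduce steps described above, run over a handful of constructed flow records, as an added illustration that is not NetFlow Logic's code. The key names in the syslog output follow this guide's conventions (src_ip, flow_count, percent_of_total, t_int), but the exact 20018 message layout is not shown on this page, so they are an assumption.

```python
from collections import defaultdict

# Constructed flow records for one Data Collection Interval (30 s), as an
# exporter would report them: (exporter IP, source IP, bytes in the flow).
SAMPLE_FLOWS = [
    ("10.1.1.1", "10.10.0.5", 4_000_000),
    ("10.1.1.1", "10.10.0.5", 2_300_000),
    ("10.1.1.1", "10.10.0.5", 500_000),
    ("10.1.1.1", "10.10.0.7", 1_500_000),
    ("10.1.1.1", "10.10.0.7", 500_000),
    ("10.1.1.1", "10.10.0.9", 1_000_000),
    ("10.1.1.1", "10.10.0.11", 150_000),
    ("10.1.1.1", "10.10.0.13", 50_000),
    ("10.1.1.2", "10.20.0.1", 300_000),
    ("10.1.1.2", "10.20.0.2", 100_000),
]

NFC_ID = 20018          # syslog id of Top Bandwidth Consumers for Cisco ASA
INTERVAL_MS = 30_000    # Data Collection Interval of 30 s, in msec (t_int)


def map_step(flows):
    """Map: visit every flow record once, accumulating bytes and a flow count
    per (exporter, source IP). This is the only pass over the raw records."""
    acc = defaultdict(lambda: [0, 0])          # key -> [bytes, flow_count]
    for exp_ip, src_ip, nbytes in flows:
        acc[(exp_ip, src_ip)][0] += nbytes
        acc[(exp_ip, src_ip)][1] += 1
    return acc


def shuffle_reduce(acc, top_n):
    """Shuffle: group by exporter and sort by accumulated bytes.
    Reduce: keep the top N rows per exporter and compute each row's share of
    that exporter's total. Returns {exporter: [(src_ip, bytes, flows, pct)]}."""
    by_exporter = defaultdict(list)
    for (exp_ip, src_ip), (nbytes, fc) in acc.items():
        by_exporter[exp_ip].append((src_ip, nbytes, fc))
    out = {}
    for exp_ip, rows in by_exporter.items():
        total = sum(r[1] for r in rows)
        rows.sort(key=lambda r: r[1], reverse=True)
        out[exp_ip] = [(src, b, fc, round(100.0 * b / total, 3))
                       for src, b, fc in rows[:top_n]]
    return out


def coverage(acc, top_rows, exp_ip):
    """Share of an exporter's bytes explained by the rows that were reported;
    everything below this figure is the tail the Reduce step discards."""
    total = sum(b for (e, _), (b, _) in acc.items() if e == exp_ip)
    kept = sum(r[1] for r in top_rows[exp_ip])
    return round(100.0 * kept / total, 3)


def to_syslog(top_rows):
    """Emit one key=value syslog message per reported host, tagged with nfc_id
    the way every NFI Converter tags its output (key names assumed, see lead-in)."""
    lines = []
    for exp_ip, rows in top_rows.items():
        for src_ip, nbytes, fc, pct in rows:
            lines.append(
                f"nfc_id={NFC_ID} exp_ip={exp_ip} src_ip={src_ip} bytes={nbytes} "
                f"flow_count={fc} percent_of_total={pct} t_int={INTERVAL_MS}"
            )
    return lines


def run_module(flows=SAMPLE_FLOWS, top_n=3):
    """One interval of the Module: N records in, top N per exporter out."""
    acc = map_step(flows)
    top = shuffle_reduce(acc, top_n)
    return top, to_syslog(top), coverage(acc, top, "10.1.1.1")


if __name__ == "__main__":
    top, lines, cov = run_module()
    print("\n".join(lines))
    print(f"top 3 hosts cover {cov}% of exporter 10.1.1.1 traffic "
          f"({len(SAMPLE_FLOWS)} records in -> {len(lines)} messages out)")
```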

How NFI Updater Works

NFI Updater is a remote component which serves as a knowledge base of information outside of the NetFlow domain. Its task is to provide NetFlow Integrator with information generally unavailable in the data streams supplied by NetFlow/IPFIX exporters.

Updater is comprised of a Platform and a collection of Agents, each of which is designed to obtain information of a certain kind. The Platform provides a common interface for the Agents' configuration and data exchange, and serves as a conduit for delivering the information collected by the Agents to NetFlow Integrator. Typically Updater is installed on a separate server with access to the internet.

How to Use this Guide

The Modules Specifications section contains detailed descriptions of the Modules. Modules are numbered from 10000. Each Converter produces its own type of syslog message, identified by a special field: nfc_id. For example, the Top Bandwidth Consumers for Cisco ASA (10018 / 20018) Module has the corresponding Converter 20018. The syslog message produced by Converter 20018 is identified by the field nfc_id=20018.

All Modules are configurable. Parameters that specify the granularity and the amount of consolidated flow data to be sent out are described at the end of each Module specification. For example, Data Collection Interval, sec sets the interval for the Module's time trigger. The Top N parameter specifies the number of records (usually per exporter) to be converted and sent out. Other parameters may specify a list of IP addresses, subnets, or ports, depending on the use case of the Module.

Solutions at a Glance

The table below shows which Modules need to be enabled to turn on specific NetFlow Integrator solutions, and the corresponding Splunk application menu. Each Module Set (package name in parentheses) is followed by its Modules, given as Module name (AppMod id / syslog id) and what the Module reports.

Network Traffic and Devices Monitor (network_monitor)
- Network Subnets Monitor (10011 / 20011): reports top bandwidth consumers for each monitored subnet
- TCP Health (10060 / 20060): reports TCP Health by detecting top hosts with the most TCP Resets
- Top Connections Monitor (10063 / 20063): identifies hosts with the most connections
- Top Host Pairs (10064 / 20064): reports top Host Pairs network conversations
- Traffic by CBQoS (10065 / 20065): reports traffic for all DSCP bits combinations (QoS)
- Traffic by Autonomous Systems (10066 / 20066): reports traffic by all Autonomous Systems (AS)
- Top Traffic Monitor (10067 / 20067): identifies hosts with the most traffic
- Top Packets Monitor (10068 / 20068): identifies hosts with the most packets

Enhanced Traffic Monitor (network_monitor)
- Top Traffic Monitor (10967 / 20967): identifies hosts with the most traffic and reports Reputation and Geo locations of source and destination hosts

Network Bandwidth Consumption Monitor by Application for Blue Coat PacketShaper
- Network Bandwidth Consumption Monitor (10964 / 20964): reports network bandwidth consumption by pairs of network users per application kind per PacketShaper instance

Security (security)
- Hosts Geographical Location Monitor (10040 / 20040): identifies hosts with the most traffic and reports them with their geographical locations
- Botnet Command and Control Traffic Monitor (10050 / 20050): monitors traffic originating from known Command and Control (C&C) hosts or directed to these hosts
- APT1 Monitor (10051 / 20051) (1): monitors traffic originating from known APT1 hosts and IP blocks identified in the Mandiant APT1 report
- Peer by Reputation Monitor (10052 / 20052): uses a host reputation database from AlienVault (www.alienvault.com) to report communications with malicious peers
- Threat Feeds Monitor (10053 / 20053): monitors traffic originating from known threat lists specified as IP blocks, lists of domains, or IP addresses

Email (email_monitor)
- Outbound Mail Spammers Monitor (10025 / 20025): detects internal hosts infected with spam malware
- Inbound Mail Spammers Monitor (10026 / 20026): detects external hosts sending excessive email traffic to your organization
- Unauthorized Mail Servers Monitor (10027 / 20027): detects internal hosts running unauthorized mail servers
- Rejected Emails Monitor (10028 / 20028): detects external hosts sending emails rejected by internal mail servers

Services Monitor (services_monitor)
- DNS Monitor (10004 / 20004, 20005): monitors DNS servers and DNS traffic
- Asset Access Monitor (10014 / 20014): monitors traffic to selected services and matches communications to a list of authorized peers
- Services Performance Monitor (10017 / 20017): monitors services performance characteristics

Cisco ASA (cisco_asa)
- Top Bandwidth Consumers for Cisco ASA (10018 / 20018): provides a list of top network bandwidth consumers operating on the internal network
- Top Traffic Destinations for Cisco ASA (10019 / 20019): provides a list of the most popular destinations measured by traffic
- Top Policy Violators for Cisco ASA (10020 / 20020): provides a list of firewall policy violators
- Top Hosts with most Connections for Cisco ASA (10021 / 20021): provides the top N consumers (users) by the number of connections

Palo Alto Networks (panw_monitor)
- Top Bandwidth Consumers for Palo Alto Networks (10030 / 20030): provides a list of top network bandwidth consumers operating on the internal network
- Top Traffic Destinations for Palo Alto Networks (10031 / 20031): provides a list of top network bandwidth destinations
- Hosts with Most Policy Violations for Palo Alto Networks (10032 / 20032): provides a list of top firewall policy violators
- Most Active Hosts for Palo Alto Networks (10033 / 20033): provides a list of the most active hosts by the number of initiated connections
- Bandwidth Consumption per Application for Palo Alto Networks (10034 / 20034): provides a list of the most active applications by traffic
- Bandwidth Consumption per Application and Users for Palo Alto Networks (10035 / 20035): provides a list of the most active applications and users by traffic

VMware (vmware)
- Top VM:Host Pairs (10164 / 20164): reports top network conversations in a VM environment
- Top VM Traffic Monitor (10167 / 20167): identifies VMs with the most traffic

Utilities (service_rules)
- Sampling Monitor (10002 / 20002): reports NetFlow sampling information
- SNMP Information Monitor (10003 / 20003): reports SNMP information

(1) The Mandiant APT1 report was published in 2013 and has not been updated since. This Module is obsolete and no longer supported.

Modules Specifications

Network Traffic and Devices Monitoring

All Modules report information in syslog key=value pairs format, as shown below.

Network Subnets Monitor (10011 / 20011)

This Module reports top bandwidth consumers for each monitored subnet. This information is provided per NetFlow exporter and monitored subnet.

Input: NetFlow v5, v9, IPFIX, and Cisco ASA NSEL.

Required NetFlow fields (Information Element, IE id, IE size in bytes):
- sourceipv4address or sourceipv6address (IE id 8 or 27, 4 or 16 B): the IPv4 or IPv6 source address in the IP packet header
- destinationipv4address or destinationipv6address (IE id 12 or 28, 4 or 16 B): the IPv4 or IPv6 destination address in the IP packet header
- protocolidentifier (IE id 4, 1 B): the value of the protocol number in the IP packet header. The protocol number identifies the IP packet payload type. Protocol numbers are defined in the IANA Protocol Numbers registry.

Syslog message fields (No, Field, Key, Comments):
1. NetFlow Integrator timestamp. Format: Mmm dd hh:mm:ss
2. NetFlow Integrator server IP address. Format: IPv4_address
3. NetFlow Integrator server NetFlow source ID. Configurable
4. Message type identifier, key nfc_id: nfc_id=20011
5. NetFlow exporter IP address, key exp_ip: <IPv4_address>
6. Subnet IPv4, key subnet: <IPv4_address>
7. Subnet IPv6, key subnet: <IPv6_address>
8. Mask, key mask
9. Source host IPv4 address, key src_ip: <IPv4_address>
10. Source host IPv6 address, key src_ip6: <IPv6_address>
11. Transport Protocol (TCP = 6, UDP = 17), key protocol
12. Bytes Out (Traffic), key bytes_out
13. Bytes In (Traffic), key bytes_in
14. Packets Out count, key packets_out
15. Packets In count, key packets_in
16. Number of flows, key flow_count: <number>
17. Percent of Total Traffic of the Source Host within Subnet, key percent_of_total: <decimal>, e.g. 25.444% is 25.444
18. Observation time interval, msec, key t_int

Parameters (Parameter, Name, Comments):
- Data Collection Interval, sec: Module logic execution interval. min = 10 sec, max = 600 sec, default = 30 sec
- Monitored subnet IPv4 address and subnet mask: list of the watched subnets' IPv4 addresses and masks (CIDR notation), e.g. 67.202.0.0/18; 72.44.32.0/24
- Monitored subnet IPv6 address and subnet mask: list of the watched subnets' IPv6 addresses and masks (CIDR notation), e.g. 2620:0:2d0:200::7/24
- Top N (number of reported hosts per subnet): N number of reported hosts. min = 1, max = 100000, default = 50

TCP Health (10060 / 20060)

This Module reports TCP Health by detecting top hosts with the most TCP Resets. Top hosts are defined by the percent of TCP resets to the total number of Resets for a given NetFlow exporter, or by the percent of TCP resets to the total number of the host's connections. This information is provided per NetFlow exporter.

Input: NetFlow v5, v9, IPFIX, and Palo Alto Networks NetFlow v9. sFlow and sampled NetFlow are specifically excluded from processing by this Module. Cisco ASA NSEL is not supported by this Module as it does not have TCP flags.

Syslog message fields - Hosts (No, Field, Key, Comments):
1. NetFlow Integrator timestamp. Format: Mmm dd hh:mm:ss
2. NetFlow Integrator server IP address. Format: IPv4_address
3. NetFlow Integrator server NetFlow source ID. Configurable.
4. Message type identifier, key nfc_id: nfc_id=20060
5. Source host IPv4 address, key src_ip: <IPv4_address>
6. Source host IPv6 address, key src_ip6: <IPv6_address>
7. Source host name, key [src_host] (2): <string>, included when FQDN is on
8. Count of Resets, key reset_count
9. Percent of the total number of resets sent by source host, key total_share
10. Percent of the resets to the total number of the source host connections, key local_share
11. Observation time interval, msec, key t_int

Parameters (Parameter, Name, Comments):
- Data Collection Interval, sec: Module logic execution interval. min = 5 sec, max = 600 sec, default = 30 sec
- N - % of Total Resets: reporting threshold in percent of the total resets number. min = 0 %, max = 100 %, default = 10 %
- N - % of Resets to local host connections: reporting threshold in percent of resets to the number of host connections. min = 0 %, max = 100 %, default = 50 %

(2) Host name field is optional and included only if FQDN Service is enabled.

Top Connections Monitor (10063 / 20063)

This Module identifies hosts with the most connections. It consolidates NetFlow records over a period of time (Module execution interval) which all have the same combination of the following fields:
- Source IP address
- Destination IP address
- Source port number
- Destination port number
- Layer 3 protocol
- Input interface
- Output interface

This information is provided per NetFlow exporter.

Input: NetFlow v5, v9, IPFIX, Cisco ASA NSEL, and Palo Alto Networks NetFlow v9.

Required NetFlow fields (Information Element, IE id, IE size in bytes):
- IPv4: sourceipv4address (IE id 8, 4 B): the IPv4 source address in the IP packet header; destinationipv4address (IE id 12, 4 B): the IPv4 destination address in the IP packet header
- IPv6: sourceipv6address (IE id 27, 16 B): the IPv6 source address in the IP packet header; destinationipv6address (IE id 28, 16 B): the IPv6 destination address in the IP packet header

Syslog message fields (No, Field, Key, Comments):
1. NetFlow Integrator timestamp. Format: Mmm dd hh:mm:ss
2. NetFlow Integrator server IP address. Format: IPv4_address
3. NetFlow Integrator server NetFlow source ID. Configurable.
4. Message type identifier, key nfc_id: nfc_id=20063
5. NetFlow exporter IP address, key exp_ip: <IPv4_address>
6. NetFlow exporter ingress interface SNMP index, key input_snmp
7. NetFlow exporter egress interface SNMP index, key output_snmp
8. Transport Protocol (TCP = 6, UDP = 17), key protocol
9. Source host IPv4 address, key src_ip: <IPv4_address>
10. Source host IPv6 address, key src_ip6: <IPv6_address>
11. Source host name, key [src_host] (3): <string>, included when FQDN is on
12. Source port number, key src_port
13. Destination host IPv4 address, key dest_ip: <IPv4_address>
14. Destination host IPv6 address, key dest_ip6: <IPv6_address>
15. Destination host name, key [dest_host] (3): <string>, included when FQDN is on
16. Destination port number, key dest_port
17. Cumulative OR of TCP flags, key tcp_flag
18. Packets in the flow received by the input interface, key packets_in
19. Total number of Layer 3 bytes in the packets of the flow received by the input interface, key bytes_in
20. Inbound IP type of service, key src_tos
21. Outbound IP type of service, key dest_tos
22. Source AS, key src_asn
23. Destination AS, key dest_asn
24. Number of Flows, key flow_count
25. Percent of Total (flow_count), key percent_of_total: <decimal>, e.g. 25.444% is 25.444
26. Flow Sampler ID, key [flow_smpl_id]
27. Observation time interval, msec, key t_int

(3) Host name field is optional and included only if FQDN Service is enabled.

Parameters (Parameter, Name, Comments):
- Data Collection Interval, sec: Module logic execution interval. min = 5 sec, max = 600 sec, default = 30 sec
- N number of reported hosts: the number of top hosts reported per NetFlow exporter. min = 1, max = 100000, default = 50

Top Host Pairs (10064 / 20064)

This Module reports top Host Pairs network conversations. A network conversation is a series of data exchanges between two hosts, over the same protocol (TCP or UDP), and going through the same router/switch (exporter). The numbers of exchanged bytes and packets are summed up. Unless specified in one of the parameters, the Module determines which host is a client and which is a server as follows: a server sends more traffic (bytes) than a client.

Deduplication: optionally the Module can report host pairs only from the authoritative router/switch. The authoritative network device is determined as follows. The Module sums up bytes, packets, and connections between two hosts over the data collection interval (parameter, default = 30 sec), as reported by each flow exporter. The exporter with the most connections for each host pair is considered authoritative, and host pair conversations reported by all other exporters are discarded.
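The client/server rule and the authoritative-exporter deduplication described above, applied to constructed flow records from two exporters that both see the same HTTPS session. This is an added example, not the vendor's code; the known server port list (53, 80, 443) and the 20064 field keys are taken from this Module's specification, while the record layout of the constructed flows is an assumption.

```python
from collections import defaultdict

# Constructed unidirectional flow records for one Data Collection Interval:
# (exporter IP, src IP, src port, dst IP, dst port, protocol, bytes, packets).
SAMPLE_FLOWS = [
    # HTTPS session 10.0.0.5 <-> 203.0.113.10, seen by two exporters on its path
    ("10.1.1.1", "10.0.0.5", 51000, "203.0.113.10", 443, 6, 2_000, 20),
    ("10.1.1.1", "203.0.113.10", 443, "10.0.0.5", 51000, 6, 50_000, 40),
    ("10.1.1.1", "10.0.0.5", 51001, "203.0.113.10", 443, 6, 1_000, 10),
    ("10.1.1.1", "203.0.113.10", 443, "10.0.0.5", 51001, 6, 30_000, 25),
    ("10.1.1.2", "10.0.0.5", 51000, "203.0.113.10", 443, 6, 2_000, 20),
    ("10.1.1.2", "203.0.113.10", 443, "10.0.0.5", 51000, 6, 50_000, 40),
    # Upload to a non-standard port: no known server port on either side, so the
    # byte heuristic decides and the uploader (10.0.0.9) is labelled the server
    ("10.1.1.1", "10.0.0.9", 40000, "198.51.100.7", 8443, 6, 240_000, 200),
    ("10.1.1.1", "198.51.100.7", 8443, "10.0.0.9", 40000, 6, 9_000, 90),
]
KNOWN_SERVER_PORTS = {53, 80, 443}   # the page's example port list


def _aggregate(flows):
    """Sum bytes, packets and flows per (exporter, protocol, unordered host pair),
    keeping per-host send counters and the destination ports seen for each host."""
    conv = {}
    for exp_ip, sip, sport, dip, dport, proto, nbytes, pkts in flows:
        a, b = sorted((sip, dip))
        c = conv.setdefault((exp_ip, proto, a, b), {
            "bytes": {a: 0, b: 0}, "pkts": {a: 0, b: 0},
            "dst_ports": {a: set(), b: set()}, "flow_count": 0})
        c["bytes"][sip] += nbytes
        c["pkts"][sip] += pkts
        c["dst_ports"][dip].add(dport)
        c["flow_count"] += 1
    return conv


def _pick_server(a, b, c, known_ports):
    """A host reached on a known server port is the server; otherwise the host
    that sent more bytes is (the Module's default rule)."""
    for host in (a, b):
        if c["dst_ports"][host] & known_ports:
            return host
    return a if c["bytes"][a] >= c["bytes"][b] else b


def _authoritative(conv):
    """For each host pair, the exporter that reported the most connections."""
    best = {}
    for (exp_ip, proto, a, b), c in conv.items():
        cur = best.get((proto, a, b))
        if cur is None or c["flow_count"] > cur[1]:
            best[(proto, a, b)] = (exp_ip, c["flow_count"])
    return {k: v[0] for k, v in best.items()}


def top_host_pairs(flows, top_n=50, known_ports=KNOWN_SERVER_PORTS,
                   authoritative_only=True, report_port=True):
    """Build 20064-style records, top N per exporter by bytes in both directions."""
    conv = _aggregate(flows)
    auth = _authoritative(conv)
    per_exp = defaultdict(list)
    for (exp_ip, proto, a, b), c in conv.items():
        if authoritative_only and auth[(proto, a, b)] != exp_ip:
            continue                      # duplicate view of the pair, discarded
        server = _pick_server(a, b, c, known_ports)
        client = b if server == a else a
        rec = {"nfc_id": 20064, "exp_ip": exp_ip, "protocol": proto,
               "dest_ip": server, "src_ip": client,
               "packets_in": c["pkts"][client], "bytes_in": c["bytes"][client],
               "packets_out": c["pkts"][server], "bytes_out": c["bytes"][server],
               "bytes": c["bytes"][a] + c["bytes"][b], "flow_count": c["flow_count"]}
        if report_port:                   # dest_port omitted when reporting by port is off
            ports = c["dst_ports"][server]
            rec["dest_port"] = min(ports & known_ports or ports)
        per_exp[exp_ip].append(rec)
    out = {}
    for exp_ip, recs in per_exp.items():
        total = sum(r["bytes"] for r in recs)
        recs.sort(key=lambda r: r["bytes"], reverse=True)
        for r in recs:
            r["percent_of_total"] = round(100.0 * r["bytes"] / total, 3)
        out[exp_ip] = recs[:top_n]
    return out


def to_syslog(records):
    """Render each record as the key=value syslog line the Converter would emit."""
    return [" ".join(f"{k}={v}" for k, v in r.items())
            for recs in records.values() for r in recs]


if __name__ == "__main__":
    print("\n".join(to_syslog(top_host_pairs(SAMPLE_FLOWS))))
```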

Input NetFlow v5, v9, IPFIX, Cisco ASA NSEL, and Palo Alto Networks NetFlow v9. Required NetFlow fields Information Element (IE) IE id IE size, B IPv4 sourceipv4address 8 4 The IPv4 source address in the IP packet header destinationipv4address 12 4 The IPv4 destination address in the IP packet header IPv6 sourceipv6address 27 16 The IPv6 source address in the IP packet header destinationipv6address 28 16 The IPv6 destination address in the IP packet header Syslog message fields No Field Key Comments 1 NetFlowIntegrator timestamp Format: Mmm dd hh:mm:ss 2 NetFlowIntegrator server IP address Format: IPv4_address 3 NetFlowIntegrator server NetFlow source ID Configurable 4 Message type identifier nfc_id nfc_id=20064 5 NetFlow exporter IPv4 address exp_ip <IPv4_address> 6 Transport Protocol ( TCP = 6, UDP = 17) protocol 7 Server IP address dest_ip <IPv4_address> 8 Server IPv6 address dest_ip6 <IPv6_address> 9 Server host name [dest_host] 4 10 Server port number [dest_port] 5 <string>, included when FQDN is on 11 Client IP address src_ip <IPv4_address> 12 Client IPv6 address src_ip6 <IPv6_address> 13 Client host name [src_host]4 14 Packets from client to server packets_in <string>, included when FQDN is on 4 Host name field is optional and included only if FQDN Service is enabled. 5 Server destination port is optional NetFlow Integrator Standard User Guide NetFlow Logic Confidential 13

No Field Key Comments 15 Layer 3 bytes from client to server bytes_in 16 Packets from server to client packets_out 17 Layer 3 bytes from server to client bytes_out 18 Layer 3 bytes in both directions bytes 19 Number of flows flow_count 20 Percent of Total (bytes) (Client + Server) percent_of_total 21 Flow Sampler ID [flow_smpl_id] 22 Observation time interval, msec t_int <decimal>, e.g. 25.444% is 25.444 Parameters Parameter Name Comments Data Collection Interval, sec Module logic execution interval min = 5 sec, max = 600 sec, default = 30 sec N number of reported host pairs The number of top host pairs reported min = 1, max = 100000, per NetFlow exporter default = 50 List of server destination ports to be used to determine which host is a client List of known server destination and which is a server. If the list is port numbers empty, the server is the one sending e.g. 53, 80, 443 more traffic than receiving Enable(1) or disable (0) reporting by server port Enable(1) or disable (0) reporting by authoritative exporters only Traffic by CBQoS (10065 / 20065) If set to 1, enable traffic reporting by destination port. If set to 0, dest_port field will be omitted If set to 1, the Module reports host pairs only from authoritative exporters default = 1 default = 0 This Module reports traffic for all DSCP bits combinations (QoS). This information is provided per NetFlow exporter. Input NetFlow v5, v9, IPFIX, Palo Alto Networks NetFlow v9. Required NetFlow fields Information Element (IE) IE id IE size, B octetdeltacount 1 4 or 8 The number of octets since the previous report (if any) in incoming packets for this Flow at the Observation Point. The number of octets includes IP header(s) and IP payload. packetdeltacount 2 4 or 8 The number of incoming packets since the previous report (if any) for this Flow at the Observation Point. NetFlow Integrator Standard User Guide NetFlow Logic Confidential 14

Syslog message fields

No | Field | Key | Comments
1 | NetFlow Integrator timestamp | | Format: Mmm dd hh:mm:ss
2 | NetFlow Integrator server IP address | | Format: IPv4_address
3 | NetFlow Integrator server NetFlow source ID | | Configurable.
4 | Message type identifier | nfc_id | nfc_id=20065
5 | NetFlow exporter IP address | exp_ip | <IPv4 address>
6 | Transport Protocol (TCP = 6, UDP = 17) | protocol |
7 | Inbound IP type of service | src_tos |
8 | Outbound IP type of service | dest_tos |
9 | Packets received in the QoS class flows | packets_in |
10 | Total number of Layer 3 bytes received in the QoS class flows | bytes_in |
11 | Number of flows received in the QoS class flows | flow_count |
12 | Percent of Total (bytes) of all bytes received by the exporter | percent_of_total | <decimal>, e.g. 25.444% is 25.444
13 | Flow Sampler ID | [flow_smpl_id] |
14 | Observation time interval, msec | t_int |

Parameters

Parameter | Description | Comments
Data Collection Interval, sec | Module logic execution interval | min = 5 sec, max = 600 sec, default = 30 sec

Traffic by Autonomous Systems (10066 / 20066)

This Module reports traffic by all Autonomous Systems (AS). This information is provided per NetFlow exporter.

Input
NetFlow v5, v9, IPFIX.

Required NetFlow fields

Information Element (IE) | IE id | IE size, B | Description
octetdeltacount | 1 | 4 or 8 | The number of octets since the previous report (if any) in incoming packets for this Flow at the Observation Point. The number of octets includes IP header(s) and IP payload.
packetdeltacount | 2 | 4 or 8 | The number of incoming packets since the previous report (if any) for this Flow at the Observation Point.

Syslog message fields

No | Field | Key | Comments
1 | NetFlow Integrator timestamp | | Format: Mmm dd hh:mm:ss
2 | NetFlow Integrator server IP address | | Format: IPv4_address
3 | NetFlow Integrator server NetFlow source ID | | Configurable.
4 | Message type identifier | nfc_id | nfc_id=20066
5 | NetFlow exporter IP address | exp_ip | <IPv4 address>
6 | Source AS | src_asn |
7 | Destination AS | dest_asn |
8 | Total number of Layer 3 bytes in the packets of the flow received (IPv4) | bytes |
9 | Total number of Layer 3 bytes in the packets of the flow received (IPv6) | bytes6 |
10 | Packets in the flow received (IPv4) | packets |
11 | Packets in the flow received (IPv6) | packets6 |
12 | Number of Flows | flow_count |
13 | Percent of Total (bytes) | percent_of_total | <decimal>
14 | Flow Sampler ID | [flow_smpl_id] |
15 | Observation time interval, msec | t_int |

Parameters

Parameter | Description | Comments
Data Collection Interval, sec | Module logic execution interval | min = 5 sec, max = 600 sec, default = 30 sec
N number of reported hosts | The number of top ASN pairs reported per NetFlow exporter | min = 1, max = 100000, default = 50

Top Traffic Monitor (10067 / 20067)

This Module identifies hosts with the most traffic. It consolidates NetFlow records over a period of time (Data Collection Interval) which all have the same combination of the following fields:
- Source IP address
- Destination IP address
- Source port number
- Destination port number
- Layer 3 protocol
- Input interface
- Output interface

This information is provided per NetFlow exporter.

Input
NetFlow v5, v9, IPFIX, Cisco ASA NSEL, and Palo Alto Networks NetFlow v9.

Required NetFlow fields

Address family | Information Element (IE) | IE id | IE size, B | Description
IPv4 | sourceipv4address | 8 | 4 | The IPv4 source address in the IP packet header
IPv4 | destinationipv4address | 12 | 4 | The IPv4 destination address in the IP packet header
IPv6 | sourceipv6address | 27 | 16 | The IPv6 source address in the IP packet header
IPv6 | destinationipv6address | 28 | 16 | The IPv6 destination address in the IP packet header

Syslog message fields

No | Field | Key | Comments
1 | NetFlow Integrator timestamp | | Format: Mmm dd hh:mm:ss
2 | NetFlow Integrator server IP address | | Format: IPv4_address
3 | NetFlow Integrator server NetFlow source ID | | Configurable.
4 | Message type identifier | nfc_id | nfc_id=20067
5 | NetFlow exporter IP address | exp_ip | <IPv4 address>
6 | NetFlow exporter ingress interface SNMP index | input_snmp |
7 | NetFlow exporter egress interface SNMP index | output_snmp |
8 | Transport Protocol (TCP = 6, UDP = 17) | protocol |
9 | Source host IPv4 address | src_ip | <IPv4_address>
10 | Source host IPv6 address | src_ip6 | <IPv6_address>
11 | Source host name | [src_host] (6) | <string>, included when FQDN is on

(6) Host name field is optional and included only if FQDN Service is enabled.

No | Field | Key | Comments
12 | Source port number | src_port |
13 | Destination host IPv4 address | dest_ip | <IPv4_address>
14 | Destination host IPv6 address | dest_ip6 | <IPv6_address>
15 | Destination host name | [dest_host] (6) | <string>, included when FQDN is on
16 | Destination port number | dest_port |
17 | Cumulative OR of TCP flags | tcp_flag |
18 | Packets in the flow received by the input interface | packets_in |
19 | Total number of Layer 3 bytes in the packets of the flow received by the input interface | bytes_in |
20 | Inbound IP type of service | src_tos |
21 | Outbound IP type of service | dest_tos |
22 | Source AS | src_asn |
23 | Destination AS | dest_asn |
24 | Number of Flows | flow_count |
25 | Percent of Total (bytes) | percent_of_total | <decimal>, e.g. 25.444% is 25.444
26 | Flow Sampler ID | [flow_smpl_id] |
27 | Observation time interval, msec | t_int |

Parameters

Parameter | Description | Comments
Data Collection Interval, sec | Module logic execution interval | min = 5 sec, max = 600 sec, default = 30 sec
N number of reported hosts | The number of top hosts reported per NetFlow exporter | min = 1, max = 100000, default = 50

Top Packets Monitor (10068 / 20068)

This Module identifies hosts with the most packets. It consolidates NetFlow records over a period of time (Data Collection Interval) which all have the same combination of the following fields:
- Source IP address
- Destination IP address
- Source port number
- Destination port number
- Layer 3 protocol
- Input interface
- Output interface

This information is provided per NetFlow exporter.

Input
NetFlow v5, v9, IPFIX, Cisco ASA NSEL, and Palo Alto Networks NetFlow v9.

Required NetFlow fields

Address family | Information Element (IE) | IE id | IE size, B | Description
IPv4 | sourceipv4address | 8 | 4 | The IPv4 source address in the IP packet header
IPv4 | destinationipv4address | 12 | 4 | The IPv4 destination address in the IP packet header
IPv6 | sourceipv6address | 27 | 16 | The IPv6 source address in the IP packet header
IPv6 | destinationipv6address | 28 | 16 | The IPv6 destination address in the IP packet header

Syslog message fields

No | Field | Key | Comments
1 | NetFlow Integrator timestamp | | Format: Mmm dd hh:mm:ss
2 | NetFlow Integrator server IP address | | Format: IPv4_address
3 | NetFlow Integrator server NetFlow source ID | | Configurable.
4 | Message type identifier | nfc_id | nfc_id=20068
5 | NetFlow exporter IP address | exp_ip | <IPv4 address>
6 | NetFlow exporter ingress interface SNMP index | input_snmp |
7 | NetFlow exporter egress interface SNMP index | output_snmp |
8 | Transport Protocol (TCP = 6, UDP = 17) | protocol |
9 | Source host IPv4 address | src_ip | <IPv4_address>
10 | Source host IPv6 address | src_ip6 | <IPv6_address>
11 | Source host name | [src_host] (7) | <string>, included when FQDN is on
12 | Source port number | src_port |

(7) Host name field is optional and included only if FQDN Service is enabled.

No | Field | Key | Comments
13 | Destination host IPv4 address | dest_ip | <IPv4_address>
14 | Destination host IPv6 address | dest_ip6 | <IPv6_address>
15 | Destination host name | [dest_host] (7) | <string>, included when FQDN is on
16 | Destination port number | dest_port |
17 | Cumulative OR of TCP flags | tcp_flag |
18 | Packets in the flow received by the input interface | packets_in |
19 | Total number of Layer 3 bytes in the packets of the flow received by the input interface | bytes_in |
20 | Inbound IP type of service | src_tos |
21 | Outbound IP type of service | dest_tos |
22 | Source AS | src_asn |
23 | Destination AS | dest_asn |
24 | Number of Flows | flow_count |
25 | Percent of Total (packets) | percent_of_total | <decimal>, e.g. 25.444% is 25.444
26 | Flow Sampler ID | [flow_smpl_id] |
27 | Observation time interval, msec | t_int |

Parameters

Parameter | Description | Comments
Data Collection Interval, sec | Module logic execution interval | min = 5 sec, max = 600 sec, default = 30 sec
N number of reported hosts | The number of top hosts reported per NetFlow exporter | min = 1, max = 100000, default = 50

Enhanced Traffic Monitor

This package contains an enhanced version of Top Traffic Monitor Module 10067. It reports Reputation and Geo locations of source and destination hosts.

Top Traffic Monitor (10967 / 20967)

This Module identifies hosts with the most traffic. It consolidates NetFlow records over a period of time (Data Collection Interval) which all have the same combination of the following fields:
- Source IP address
- Destination IP address
- Source port number
- Destination port number
- Layer 3 protocol
- Input interface
- Output interface

This information is provided per NetFlow exporter.

The reputation field is derived as follows. The Known malicious hosts watch list must be specified. The Module checks whether the destination IP is in this watch list; if it is, the reputation value is provided and the rep_ip field is populated with the destination IP address. If not, the source IP is checked; if it matches, the reputation value is provided and the rep_ip field is populated with the source IP. Country codes for both source IP and destination IP are provided based on the IPv4 address block and country code watch list.

Input
NetFlow v5, v9, IPFIX, Cisco ASA NSEL, and Palo Alto Networks NetFlow v9.

Required NetFlow fields

Address family | Information Element (IE) | IE id | IE size, B | Description
IPv4 | sourceipv4address | 8 | 4 | The IPv4 source address in the IP packet header
IPv4 | destinationipv4address | 12 | 4 | The IPv4 destination address in the IP packet header
IPv6 | sourceipv6address | 27 | 16 | The IPv6 source address in the IP packet header
IPv6 | destinationipv6address | 28 | 16 | The IPv6 destination address in the IP packet header

Syslog message fields

No | Field | Key | Comments
1 | NetFlow Integrator timestamp | | Format: Mmm dd hh:mm:ss
2 | NetFlow Integrator server IP address | | Format: IPv4_address
3 | NetFlow Integrator server NetFlow source ID | | Configurable.
4 | Message type identifier | nfc_id | nfc_id=20967
5 | NetFlow exporter IP address | exp_ip | <IPv4 address>
6 | NetFlow exporter ingress interface SNMP index | input_snmp |

No | Field | Key | Comments
7 | NetFlow exporter egress interface SNMP index | output_snmp |
8 | Transport Protocol (TCP = 6, UDP = 17) | protocol |
9 | Source host IPv4 address | src_ip | <IPv4_address>
10 | Source host IPv6 address | src_ip6 | <IPv6_address>
11 | Source host name | [src_host] (8) | <string>, included when FQDN is on
12 | Source port number | src_port |
13 | Destination host IPv4 address | dest_ip | <IPv4_address>
14 | Destination host IPv6 address | dest_ip6 | <IPv6_address>
15 | Destination host name | [dest_host] (9) | <string>, included when FQDN is on
16 | Destination port number | dest_port |
17 | Cumulative OR of TCP flags | tcp_flag |
18 | Packets in the flow received by the input interface | packets_in |
19 | Total number of Layer 3 bytes in the packets of the flow received by the input interface | bytes_in |
20 | Inbound IP type of service | src_tos |
21 | Outbound IP type of service | dest_tos |
22 | Source AS | src_asn |
23 | Destination AS | dest_asn |
24 | Number of Flows | flow_count |
25 | Percent of Total (bytes) | percent_of_total | <decimal>, e.g. 25.444% is 25.444
26 | Flow Sampler ID | [flow_smpl_id] |

(8) Host name field is optional and included only if FQDN Service is enabled.
(9) Host name field is optional and included only if FQDN Service is enabled.

No | Field | Key | Comments
27 | Reputation | [reputation] (10) | <string>: "Unexpected Host Reputation Classifier", "Scanning Host", "Malware Domain", "Malware IP", "Spamming", "C&C", "Malicious Host", "Malware distribution", "APT"
28 | Reputation IP | [rep_ip] | Actual IP address (source or destination) found in Reputation database
29 | Source IP country code | [src_cc] | ISO-3166-1 Alpha 2 country code (a two-character country designation, e.g. US)
30 | Destination IP country code | [dest_cc] | ISO-3166-1 Alpha 2 country code (a two-character country designation, e.g. US)
31 | Observation time interval, msec | t_int |

(10) This field is omitted if no match of source or destination IP is found in the Reputation database.

Parameters

Parameter | Description | Comments
Data Collection Interval, sec | Module logic execution interval | min = 5 sec, max = 600 sec, default = 30 sec
N number of reported hosts | The number of top hosts reported per NetFlow exporter | min = 1, max = 100000, default = 50
Known malicious hosts list | List of known malicious peers | AlienVault Reputation database (OTX)
IPv4 address block and country code | Mapping of country codes to IP address blocks | This list is updated by NFI Updater, which uses the MaxMind GeoLite Country database as a source

Network Bandwidth Consumption Monitor by Application for Blue Coat PacketShaper

This package contains a Module for Blue Coat PacketShaper-2 Flow Data.

Network Bandwidth Consumption Monitor (10964 / 20964)

This Module reports network bandwidth consumption by pairs of network users per application kind per PacketShaper instance. The Module consolidates per application kind information based on network
conversations, where a network conversation is a series of network traffic exchanges between two network hosts executing that application. Network conversation attributes are user configurable and may include source and destination IP addresses and source and destination transport layer ports. Optionally, the user may provide a list of known ports by which the server side of a network conversation may be determined. When a list of ports is not provided, or when the ports of a conversation are not present in the provided list, the Module makes a best effort determination of the server side by assuming that the party which sent the most traffic is the server. The Module classifies applications by the PacketShaper ClassId field found in the Packeteer-2 messages. The Module determines the corresponding application name by dereferencing a list of application names keyed by the respective ClassId values. The user controls the Module's output by specifying how to treat input Packeteer-2 records whose ClassId is not present in the PacketShaper ClassId to Application Name mapping table. Unclassified records may either be discarded or processed normally and assigned a default application name such as unknown.

Input
Flow records in the Blue Coat PacketShaper Packeteer-2 format.
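The client/server rule and the ClassId handling described above, together with the same "known server ports, otherwise the side that sent more traffic" rule given in the parameters of the host-pair Module earlier in this guide, as an added worked example in Python. This is not NetFlow Logic's code and not the Module's implementation: the flow records, the tuple layout, the known-port set and the ClassId table (apart from the 2525 pair quoted from the parameter table) are constructed for the example. It also carries the consolidation through to the per-application percent_of_total and the top-N ordering by traffic volume that the syslog fields and parameters of this Module describe.

```python
from collections import defaultdict

# Constructed Packeteer-2 style records (unidirectional, src -> dst). The
# tuple layout is this example's own, not the PacketShaper export format:
# (src_ip, src_port, dst_ip, dst_port, class_id, bytes, packets)
RECORDS = [
    ("10.1.1.5", 51000, "203.0.113.10", 443, 3001, 4000, 40),
    ("203.0.113.10", 443, "10.1.1.5", 51000, 3001, 90000, 70),
    ("10.1.1.6", 51001, "203.0.113.10", 443, 3001, 1000, 10),
    ("10.1.1.7", 6000, "10.1.1.8", 7000, 2525, 30000, 30),   # no known port
    ("10.1.1.8", 7000, "10.1.1.7", 6000, 2525, 2000, 20),
    ("10.1.1.9", 5000, "10.1.1.10", 5001, 9999, 500, 5),      # unknown ClassId
]

# Hypothetical ClassId -> application name table; only the "2525,
# /Outbound/AOL-AIM-ICQ" pair comes from the parameter example in the guide.
CLASS_NAMES = {2525: "/Outbound/AOL-AIM-ICQ", 3001: "/Inbound/HTTP"}
KNOWN_SERVER_PORTS = {53, 80, 443}   # constructed "list of known server ports"


def application_name(class_id, drop_unknown=False):
    """Unknown ClassId is dropped (None) or reported under the default name."""
    if class_id in CLASS_NAMES:
        return CLASS_NAMES[class_id]
    return None if drop_unknown else "unknown"


def server_endpoint(sent, known_ports):
    """Server = the one endpoint whose port is in the known list; when that is
    ambiguous (no endpoint or both), the party that sent the most bytes."""
    ends = list(sent)
    listed = [e for e in ends if e[1] in known_ports]
    if len(listed) == 1:
        return listed[0]
    return max(ends, key=lambda e: sent[e][0])


def consolidate(records, known_ports=KNOWN_SERVER_PORTS, top_n=50,
                drop_unknown=False):
    # Fold both directions of a conversation into one entry keyed by the
    # application and the unordered (ip, port) endpoint pair.
    conv = {}
    for src_ip, src_port, dst_ip, dst_port, class_id, nbytes, npkts in records:
        app = application_name(class_id, drop_unknown)
        a, b = (src_ip, src_port), (dst_ip, dst_port)
        if app is None or a == b:
            continue
        key = (app,) + tuple(sorted((a, b)))
        entry = conv.setdefault(key, {"flows": 0, "sent": {a: [0, 0], b: [0, 0]}})
        entry["flows"] += 1
        entry["sent"][a][0] += nbytes
        entry["sent"][a][1] += npkts

    # Orient each pair as client -> server; "in" is client-to-server traffic.
    pairs_by_app = defaultdict(list)
    for key, entry in conv.items():
        sent = entry["sent"]
        server = server_endpoint(sent, known_ports)
        (client,) = [e for e in sent if e != server]
        pairs_by_app[key[0]].append({
            "src_ip": client[0], "src_port": client[1],
            "dest_ip": server[0], "dest_port": server[1],
            "packets_in": sent[client][1], "bytes_in": sent[client][0],
            "packets_out": sent[server][1], "bytes_out": sent[server][0],
            "flow_count": entry["flows"],
        })

    # percent_of_total is per application; report the top N pairs by volume.
    report = {}
    for app, pairs in pairs_by_app.items():
        total = sum(p["bytes_in"] + p["bytes_out"] for p in pairs)
        for p in pairs:
            vol = p["bytes_in"] + p["bytes_out"]
            p["percent_of_total"] = round(100.0 * vol / total, 3) if total else 0.0
        pairs.sort(key=lambda p: p["bytes_in"] + p["bytes_out"], reverse=True)
        report[app] = pairs[:top_n]
    return report


if __name__ == "__main__":
    for app, pairs in consolidate(RECORDS).items():
        for p in pairs:
            print(app, p)
```

With the constructed records the HTTPS conversation resolves by port, the 2525 conversation (no known port on either side) resolves by volume, and the ClassId 9999 record is reported as "unknown" unless drop_unknown is set, which is the drop-or-default switch described in the parameters.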
Syslog message fields

No | Field | Key | Comments
1 | NetFlowIntegrator timestamp | | Format: Mmm dd hh:mm:ss
2 | NetFlowIntegrator server IP address | | Format: IPv4_address
3 | NetFlowIntegrator server NetFlow source ID | | Configurable
4 | Message type identifier | nfc_id | nfc_id=20964
5 | PacketShaper instance IPv4 address | exp_ip | <IPv4_address>
6 | PacketShaper application ClassId | class_id |
7 | PacketShaper application name | application | <string>
8 | Server IPv4 address | dest_ip | <IPv4_address>
9 | Server host name | [dest_host] (11) | <string>, included when NFI FQDN service is enabled
10 | Server transport layer port number | [dest_port] |
11 | Client IPv4 address | src_ip | <IPv4_address>
12 | Client host name | [src_host] | <string>, included when NFI FQDN service is enabled
13 | Client transport layer port number | [src_port] |

(11) Optional message fields are enclosed in square brackets.

No | Field | Key | Comments
14 | Packets sent from the client to the server | packets_in |
15 | Layer 3 bytes from the client to the server | bytes_in |
16 | Packets from the server to the client | packets_out |
17 | Layer 3 bytes from the server to the client | bytes_out |
18 | Number of observed flows | flow_count |
19 | Percent of total traffic produced by this host pair per application during current data collection interval | percent_of_total | <floating point decimal>
20 | Observation time interval, msec | t_int |

Parameters

Parameter | Description | Comments
Time-based Rule invocation interval, sec | Module reporting interval | min = 5 sec, max = 600 sec, default = 30 sec
N - The number of unique host pairs per application kind to report | A number of unique communicating host pairs reported per application per PacketShaper instance. The host pairs are reported in descending order by traffic volume. | min = 1, max = 100000, default = 50
List of known server destination port numbers | A list of server destination ports to be used to determine which host is a client and which is a server. If the list is empty, the server is the one sending more traffic than receiving | e.g. 53, 80, 443
Enable (1) or disable (0) reporting by the server port | If set to 1, enable traffic reporting by destination port. If set to 0, the dest_port field in the output syslog message is omitted. Turning this parameter on or off does not affect the number of unique host pairs output by the module. | default = 0
Enable (1) or disable (0) reporting by the client port | If set to 1, enable traffic reporting by source port. If set to 0, the src_port field in the output syslog message is omitted. Turning this parameter on or off does not affect the number of unique host pairs output by the module. | default = 0
List of PacketShaper ClassId values and corresponding Application names | A list of PacketShaper ClassId and Application name pairs | e.g. 2525, /Outbound/AOL-AIM-ICQ
Parameter | Description | Comments
Report information for a user-defined subset of applications (1) or for all applications (0) | If set to 1, drop Packeteer-2 records with unknown ClassId. Report all network conversations otherwise. | default = 0

Security

Hosts Geographical Location Monitor (10040 / 20040)

This Module identifies the hosts with the most traffic and reports them with their geographical locations. To find the geographical locations of the connecting hosts, the Module uses the IPv4 address block to geographical location mapping database provided by MaxMind GeoLite Country. The GeoIP database contains approximately 100K entries. The GeoLite Country database update frequency is one month. A commercial version of the MaxMind GeoIP database is updated every other day. Use the Updater feature of NetFlow Integrator for the initial load and periodic updates of this list.

Besides the GeoIP database, the Module has two other optional watch lists:
- List of monitored localities: Alpha-2 codes per ISO (https://www.iso.org/obp/ui/)
- List of watched local subnets: CIDR notation

The Module uses the local subnets list to separate inbound from outbound traffic and reports the two separately (field direction=ingress or direction=egress in syslog). In the inbound traffic report the source IPv4 address is the address of a host with the most traffic in a geographic locality, and the destination IPv4 address is the address of an internal host. In the outbound traffic report the source IPv4 address is the address of an internal host, and the destination IPv4 address is the address of a host with the most traffic in an outbound geographic locality.
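The ingress/egress and locality rules just described, as an added Python example that is not NetFlow Logic's code. The local subnet list, the address-block-to-country-code table and the flow records are constructed stand-ins for the watch lists and the MaxMind-derived mapping (the table shape is this example's own). Flows between two local hosts or two external hosts get no direction and are skipped; an empty monitored-localities list is taken to mean "report every country", which is this example's assumption rather than a documented behaviour.

```python
import ipaddress
from collections import defaultdict

# Constructed watch lists in the formats the parameter table gives:
# CIDR blocks for the local subnets, Alpha-2 codes for monitored localities.
LOCAL_SUBNETS = [ipaddress.ip_network(s) for s in ("10.0.0.0/8", "192.168.1.0/24")]
MONITORED_LOCALITIES = {"AQ", "US", "GB"}
# Stand-in for the IPv4 block -> country code mapping (made-up assignments).
COUNTRY_BLOCKS = [
    (ipaddress.ip_network("203.0.113.0/24"), "US"),
    (ipaddress.ip_network("198.51.100.0/24"), "GB"),
    (ipaddress.ip_network("192.0.2.0/24"), "DE"),
]
# Constructed NetFlow-style records: (src_ip, dest_ip, bytes).
FLOWS = [
    ("203.0.113.7", "10.1.2.3", 5000),
    ("203.0.113.7", "10.1.2.3", 7000),
    ("10.1.2.3", "198.51.100.9", 800),
    ("10.1.2.4", "192.0.2.5", 9000),     # DE is not a monitored locality
    ("10.1.2.3", "10.1.2.9", 100),       # local to local: no direction
]


def is_local(ip, subnets=LOCAL_SUBNETS):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in subnets)


def country_code(ip, blocks=COUNTRY_BLOCKS):
    """Longest-prefix lookup is not needed here: the constructed blocks do not overlap."""
    addr = ipaddress.ip_address(ip)
    for net, cc in blocks:
        if addr in net:
            return cc
    return None


def classify(src_ip, dest_ip):
    """'ingress' when the external host is the source, 'egress' when it is the
    destination, None when both sides are local or both are external."""
    s, d = is_local(src_ip), is_local(dest_ip)
    if s == d:
        return None
    return "egress" if s else "ingress"


def geo_report(flows, localities=MONITORED_LOCALITIES, top_n=50):
    """Consolidate flows per (direction, country, src, dest) over the interval
    and return the top N host pairs per (direction, country) by bytes."""
    agg = defaultdict(lambda: {"flow_count": 0, "bytes": 0})
    for src_ip, dest_ip, nbytes in flows:
        direction = classify(src_ip, dest_ip)
        if direction is None:
            continue
        external = src_ip if direction == "ingress" else dest_ip
        cc = country_code(external)
        if cc is None or (localities and cc not in localities):
            continue
        key = (direction, cc, src_ip, dest_ip)
        agg[key]["flow_count"] += 1
        agg[key]["bytes"] += nbytes

    per_locality = defaultdict(list)
    for (direction, cc, src_ip, dest_ip), counters in agg.items():
        per_locality[(direction, cc)].append(
            {"direction": direction, "cc": cc, "src_ip": src_ip,
             "dest_ip": dest_ip, **counters})
    return {k: sorted(v, key=lambda m: m["bytes"], reverse=True)[:top_n]
            for k, v in per_locality.items()}


if __name__ == "__main__":
    for key, hosts in geo_report(FLOWS).items():
        print(key, hosts)
```

The report keys mirror the syslog message: direction, cc, src_ip, dest_ip, flow_count and bytes, with the external host on the source side for ingress and on the destination side for egress, exactly as the two paragraphs above state.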
Input
NetFlow v5, v9, IPFIX, Cisco ASA NSEL, and Palo Alto Networks NetFlow v9

Required NetFlow fields

Information Element (IE) | IE id | IE size, B | Description
sourceipv4address | 8 | 4 | The IPv4 source address in the IP packet header
destinationipv4address | 12 | 4 | The IPv4 destination address in the IP packet header

Syslog message fields

No | Field | Key | Comments
1 | NetFlowIntegrator timestamp | | Format: Mmm dd hh:mm:ss

No | Field | Key | Comments
2 | NetFlowIntegrator server IP address | | Format: IPv4_address
3 | NetFlowIntegrator server NetFlow source ID | | Configurable
4 | Message type identifier | nfc_id | nfc_id=20040
5 | NetFlow exporter IPv4 address | exp_ip | <IPv4_address>
6 | Source host IPv4 address | src_ip | <IPv4_address>
7 | Destination host IPv4 address | dest_ip | <IPv4_address>
8 | Traffic direction | direction | <string>: egress or ingress
9 | Country code | cc | ISO-3166-1 Alpha 2 country code (a two-character country designation, e.g. US)
10 | Number of flows | flow_count | <number>
11 | Bytes total (Traffic) | bytes |
12 | Observation time interval, msec | t_int |

Parameters

Parameter | Description | Comments
Data Collection Interval, sec | Module logic execution interval | min = 10 sec, max = 600 sec, default = 30 sec
List of monitored localities | List of two letter country codes | e.g. AQ, US, GB
List of watched local subnets and hosts | List of the watched subnets IPv4 addresses and masks (CIDR notation) | e.g. 67.202.0.0 / 18; 72.44.32.0 / 24, default = 0.0.0.0 / 0
IPv4 address block and country code | Mapping of country codes to IP address blocks | This list is updated by NFI Updater, which uses the MaxMind GeoLite Country database as a source

Botnet Command and Control Traffic Monitor (10050 / 20050)

This Module monitors traffic originated from known Command and Control (C&C) hosts or directed to these hosts. The list of IP addresses of C&C hosts is obtained from the list published by the company Emerging Threats (http://www.emergingthreats.net/):
- List of known C&C servers: https://rules.emergingthreats.net/blockrules/emerging-botcc.rules

The Module reports all communications of internal hosts with hosts on the C&C list, and provides consolidated information about these communications over a time interval. The observation interval (T, sec) is configurable.
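The list-matching and interval consolidation of this Module, together with the destination-first reputation lookup rule stated for the Enhanced Traffic Monitor above (the same rule the Host Reputation Monitor later in this section relies on), as an added Python example. It is not NetFlow Logic's code and does not parse the Emerging Threats or AlienVault feed formats: the C&C set, the reputation table and the flow records are constructed from documentation-range addresses. The direction convention (ingress when the listed host is the sender, egress when it is the receiver) is this example's assumption, since the guide does not state how the Module derives the direction field.

```python
# Constructed watch lists; a deployment would load these through the Updater.
CNC_HOSTS = {"203.0.113.66", "198.51.100.200"}
REPUTATION = {  # host -> classifications, shaped like the reputation field values
    "203.0.113.66": ["C&C", "Malicious Host"],
    "192.0.2.77": ["Scanning Host"],
}
# Constructed NetFlow-style records: (src_ip, src_port, dest_ip, dest_port, bytes).
FLOWS = [
    ("10.1.2.3", 50001, "203.0.113.66", 443, 1500),
    ("10.1.2.3", 50001, "203.0.113.66", 443, 600),
    ("203.0.113.66", 443, "10.1.2.3", 50001, 9000),
    ("198.51.100.200", 6667, "10.1.2.9", 40000, 300),
    ("10.1.2.5", 40123, "192.0.2.77", 22, 120),    # reputation hit, not on C&C list
    ("10.1.2.5", 40124, "203.0.113.99", 80, 64),   # matches nothing
]


def reputation_lookup(src_ip, dest_ip, table=REPUTATION):
    """Watch-list rule from the Enhanced Traffic Monitor: check the destination
    first, then the source. Returns (classifications, rep_ip) or (None, None),
    the latter meaning the reputation and rep_ip fields are omitted."""
    for ip in (dest_ip, src_ip):
        if ip in table:
            return table[ip], ip
    return None, None


def cnc_report(flows, cnc_hosts=CNC_HOSTS):
    """Consolidate every flow that touches a listed host over one interval,
    keyed by the 4-tuple the syslog message carries."""
    agg = {}
    for src_ip, src_port, dest_ip, dest_port, nbytes in flows:
        if src_ip in cnc_hosts:
            direction = "ingress"   # assumption: listed host is the sender
        elif dest_ip in cnc_hosts:
            direction = "egress"    # assumption: listed host is the receiver
        else:
            continue
        key = (src_ip, src_port, dest_ip, dest_port)
        entry = agg.setdefault(key, {"flow_count": 0, "bytes": 0,
                                     "min_bytes": nbytes, "max_bytes": nbytes,
                                     "direction": direction})
        entry["flow_count"] += 1
        entry["bytes"] += nbytes
        entry["min_bytes"] = min(entry["min_bytes"], nbytes)
        entry["max_bytes"] = max(entry["max_bytes"], nbytes)
    return agg


if __name__ == "__main__":
    for key, entry in cnc_report(FLOWS).items():
        print(key, entry)
    print(reputation_lookup("10.1.2.5", "192.0.2.77"))
```

min_bytes and max_bytes are seeded from the first flow of each key rather than from zero, so a single-flow key reports its own size in both fields; the two constructed flows from 10.1.2.3 to 203.0.113.66 show the consolidation (flow_count 2, bytes 2100, min 600, max 1500).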

Use the Updater feature of NetFlow Integrator for the initial load and periodic updates of this threat list. (12)

(12) Please contact support@netflowlogic.com if you want to use your own feeds.

Input
NetFlow v5, v9, IPFIX, Cisco ASA NSEL, and Palo Alto Networks NetFlow v9.

Required NetFlow fields

Information Element (IE) | IE id | IE size, B | Description
sourceipv4address | 8 | 4 | The IPv4 source address in the IP packet header
destinationipv4address | 12 | 4 | The IPv4 destination address in the IP packet header
sourcetransportport | 7 | 2 | The source port identifier in the transport header. For the transport protocols UDP, TCP, and SCTP, this is the source port number given in the respective header.
destinationtransportport | 11 | 2 | The destination port identifier in the transport header. For the transport protocols UDP, TCP, and SCTP, this is the destination port number given in the respective header.
octetdeltacount | 1 | 4 or 8 | The number of octets since the previous report (if any) in incoming packets for this Flow at the Observation Point. The number of octets includes IP header(s) and IP payload.

Syslog message fields

No | Field | Key | Comments
1 | NetFlowIntegrator timestamp | | Format: Mmm dd hh:mm:ss
2 | NetFlowIntegrator server IP address | | Format: IPv4_address
3 | NetFlowIntegrator server NetFlow source ID | | Configurable
4 | Message type identifier | nfc_id | nfc_id=20050
5 | NetFlow exporter IPv4 address | exp_ip | <IPv4_address>
6 | Source host IPv4 address | src_ip | <IPv4_address>
7 | Source port | src_port |
8 | Destination host IPv4 address | dest_ip | <IPv4_address>
9 | Destination port | dest_port |
10 | Number of flows | flow_count | <number>
11 | Bytes total (Traffic) | bytes |
12 | Minimum bytes count of flows | min_bytes |

No | Field | Key | Comments
13 | Maximum bytes count of flows | max_bytes |
14 | Flow direction | direction | <string>: ingress or egress
15 | Observation time interval, msec | t_int |

Parameters

Parameter | Description | Comments
Data Collection Interval, sec | Module logic execution interval | min = 10 sec, max = 300 sec, default = 30 sec
Known C&C hosts (ipv4_dst_addr) list | List of C&C IPv4 addresses | Shadowserver C&C list from Emerging Threats. This list is updated by NFI Updater

APT1 Monitor (10051 / 20051)

This Module monitors traffic originated from known APT1 hosts and IP blocks identified in the Mandiant APT1 report (http://intelreport.mandiant.com/mandiant_apt1_report.pdf). The Mandiant APT1 report has not been updated since 2013. This Module is obsolete and no longer supported.

Host Reputation Monitor (10052 / 20052)

This Module uses a host reputation database from AlienVault (www.alienvault.com) to report communications with malicious peers. The reputation table provides a suspicious host IPv4 address and one or more host classifications (e.g. Scanning Host, Malicious Host, Malware Domain). The host reputation database size is approximately 260K entries. The Module reports all communications of internal hosts with the hosts included in the reputation database and provides consolidated information about these communications over a time interval. The observation interval (T, sec) is configurable. Use the Updater feature of NetFlow Integrator for the initial load and periodic updates of this threat list from https://reputation.alienvault.com/reputation.snort.

Input
NetFlow v5, v9, IPFIX, Cisco ASA NSEL, and Palo Alto Networks NetFlow v9.

Required NetFlow fields

Information Element (IE) | IE id | IE size, B | Description
sourceipv4address | 8 | 4 | The IPv4 source address in the IP packet header