FlowPro Documentation

FlowPro DocumentationRelease 19.0.0

Plixer

Feb 16, 2022

Plixer FlowPro

1 What is Plixer FlowPro? 31.1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31.2 Licensing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

2 Installation 52.1 Hardware Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52.2 Virtual Appliance - ESX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62.3 Installing VMware Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82.4 Upgrading the Virtual Machine Hardware Version . . . . . . . . . . . . . . . . . . . . . . . . . . . 92.5 Virtual Machine - Hyper-V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92.6 Adding Additional Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102.7 Virtual Machine - KVM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

3 Features and Functionality 133.1 Getting started . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133.2 Plixer FlowPro Defender Functionality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133.3 ERSPAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173.4 Server maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

4 Commands 234.1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234.2 Command List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244.3 Command Usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

5 Ingress, Egress and Observation Domain Configuration 33

6 Troubleshooting 356.1 Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35

7 Change Log 377.1 Change Log History . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37

8 Third-party Attributions 398.1 libcap . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 398.2 libfixbuf . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 398.3 libtldl . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 398.4 PF_RING . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

i

8.5 Pof . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 408.6 super_mediator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 408.7 tcpdump . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 408.8 YAF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

ii

FlowPro Documentation, Release 19.0.0

Welcome to the on-line Plixer FlowPro manual. Click Here for online troubleshooting or FAQs. This manual is alsoavailable in .pdf format.

Important: Don’t struggle, contact Plixer support!

Plixer FlowPro 1

https://media.plixer.com/resources/guides/flowpro-operation-manual.pdf

https://www.plixer.com/support/contact/


2 Plixer FlowPro

CHAPTER 1

What is Plixer FlowPro?

1.1 Overview

Complete visibility of network traffic is key to managing your network, protecting your assets, and investigatingsecurity incidents. Whether you need to monitor traffic in remote offices, an isolated data closet or a data center, PlixerFlowPro provides the information you need to perform root-cause analysis of both network performance and securityevents.

Plixer FlowPro is a network sensor that delivers security and network visibility where infrastructure otherwise fallsshort. With a single sensor, network operations can gain additional insight into the network while security operationssimultaneously lower risk, gain data context, and respond quickly to security incidents.

Plixer FlowPro is available as a physical appliance or Virtual Appliance download.

1.2 Licensing

Plixer FlowPro offers several licensing options:

1.2.1 Plixer FlowPro

The base Plixer FlowPro license provides complete visibility into your network traffic where visibility is limited bygenerating flow data to send to an IPFIX collector. Plixer FlowPro captures network traffic and generates correspond-ing IPFIX records without performing any additional processing.

More features and functionality are available with additional licensing as described below.

1.2.2 Plixer FlowPro APM

The Plixer FlowPro APM (Application Performance Monitoring) license enables Plixer FlowPro to passively monitortraffic and can be configured to provide the following:

3


• Latency data on clients, servers, and Layer 7 applications through Deep Packet Inspection (DPI)

• Traffic metrics related to SIP/RTPs and voice quality

• Both latency and traffic metrics (dual mode)

Note: If additional interfaces need be added to the Virtual Appliance, that must be completed prior to requesting thePlixer FlowPro APM license.

1.2.3 Plixer FlowPro Defender

Plixer FlowPro with Plixer FlowPro Defender licensing passively monitors network traffic to provide enhanced visi-bility into the traffic within or transiting the organization. It monitors DNS traffic for signs of malware compromiseincluding BotNet detection, DNS lookups of domains likely associated with malware, and malware using DNS fordata exfiltration and/or command and control.

Plixer FlowPro Defender compares DNS Queries to a domain reputation list and matches DNS queries with responsesto identify abnormal DNS traffic. Examples of potentially abnormal traffic include no existing domain (NXDOMAIN)responses and long and complete DNS names that do not properly resolve.

Plixer FlowPro Defender also provides:

• Monitoring of other types of DNS messages, such DNS TXT messaging to bypass firewall restrictions and allowdirect communications between an outside host and an internal asset

• User-defined “whitelists” to prevent allowed domains from triggering alerts, plus user-defined “blacklists” toaugment the Plixer-supplied domain reputation lists

• Both modes simultaneously in any combination on any or all of the available monitoring ports

1.2.4 Plixer FlowPro APM-Defender

This combination license includes the following licensing options as described above:

• Plixer FlowPro APM (Application Performance Monitoring)

• Plixer FlowPro Defender

Enabling and disabling any of the available features and functionality can be performed using the appropriate enableor disable commands.

4 Chapter 1. What is Plixer FlowPro?

CHAPTER 2

Installation

Plixer FlowPro has several licensing levels. A valid production or evaluation license key is required with each install.A key can be obtained from Plixer Support or a local reseller.

The steps below describe the installation of FlowPro hardware and virtual appliances.

2.1 Hardware Appliance

Once the hardware appliance is installed in a network rack, power it on and follow the steps below:

1. Connect to the appliance over SSH at the default IP address of 192.168.168.168/24, and login with the usernameroot and password flowpro. The hardware appliance will execute a quick setup routine and immediately reboot.

CentOS Linux 7 (Core)Kernel 3.10.0-862.14.4.e17.x86_64 on an x86.64

localhost login: rootPassword: _

2. Login to the hardware appliance again using the username root and password flowpro. Answer a few briefquestions. The hardware appliance will reboot to apply the settings.

*********************************FlowPro Hardware ApplianceInitial Configuration

*********************************

What is the appliances static IP Address?10.1.2.3What is the appliances Netmask?255.255.255.0What is the appliances gateway?10.1.2.1

(continues on next page)

5


(continued from previous page)

What is the hostname for this appliance?flowpro

What is the IP Address to your DNS?This will allow the FlowPro to resolve IP addresses.

*Login to the hardware appliance again and answer a few brief questions*

3. Log in to the hardware appliance again and apply the license key using the edit license command.

4. Paste the license key after the label license= in the [client] section of the plixer.ini file.

FlowPro 19.0.0.20061 [Oct 06 2020]Copyright (C) 2012 - 2020 Plixer LLC. All rights reserved.Need an IPFIX Collector? Download Scrutinizer at https://www.plixer.com

Machine ID : 6YZ6XEPT669666S64A1VN59N-6895DAE3550561EFLicensed Type : unlicensedLicensed Status : SubscriptionUsed Mon Ports : 1 of 0Expiration : 10/06/2020

FLOWPRO> help license

+--------------------------------------------------------------------------+

[ List of Commands ]

edit licenseshow license

+--------------------------------------------------------------------------+For more detail type 'help <command>' or '<command> ?'Full PDF manual can be found at '/home/flowpro/files/flowpro.pdf'+--------------------------------------------------------------------------+

5. Press CTRL+X to save

6. The interface must be enabled for the Plixer FlowPro process that will run on that interface using the enablecommand.

For example, to activate Plixer FlowPro Defender monitoring on mon1:

enable defender mon1

The commands to enable the other Plixer FlowPro processes on a specific interface are:

enable apm <interface> <apmMode> enable flowpro <interface>

2.2 Virtual Appliance - ESX

The Plixer FlowPro Virtual Appliance (FVA) is packaged as an all-in-one virtual machine template or OVF. VMwareESX/ESXi 5.0 or higher is required to deploy a VM from the OVF template. VMware Tools will also be required inorder to shut down the virtual appliance through the VMware vSphere Client.

System Requirements

6 Chapter 2. Installation


Component Minimum SpecificatonsRAM 4GBDisk 20GBProcessor 1 CPU 2 Core 2GHz+Operating System ESXi 5.0

Deploying the OVF Template

1. Connect to the ESX host using VMware vSphere or vCenter.

2. Select File | Deploy OVF Template.

3. Select Deploy from File and browse to the OVF Template - click Next.

4. Review the OVF template details - click Next.

5. Enter a name for the Plixer FlowPro Virtual Appliance - click Next.

6. Select a datastore - click Next.

7. Select the disk format - click Next.

8. Select the Network Mapping - click Next.

9. Review the Virtual Settings - click Finish to import the OVF Template.

10. The virtual appliance is configured with 2 network adapters and eth1 (or mon1) is already in promiscuous mode.By default, it will start listening for traffic on the default virtual network. A mirror port of a Virtual DistributedSwitch or a mirror port using a physical NIC on the ESXi host will have to be configured if a different networkneeds to be monitored.

11. Power on the Plixer FlowPro virtual machine.

12. Navigate to the Console tab and log in using the username root and password flowpro. The virtual appliancewill perform a quick setup and immediately reboot.

13. Log in to the virtual appliance again using the username root and password flowpro. Answer a few brief ques-tions. The virtual appliance will reboot to apply the settings.

*********************************FlowPro Virtual ApplianceInitial Configuration

*********************************

What is the appliances static IP Address?10.1.2.3What is the appliances Netmask?255.255.255.0What is the appliances gateway?10.1.2.1What is the hostname for this appliance?flowpro


14. Log in to the virtual appliance command line with the flowpro username and password. Apply the license keyusing the edit license command.

15. Paste the license key after the label license= in the client section of the plixer.ini file.

2.2. Virtual Appliance - ESX 7



Machine ID : 6YZ6XEPT669666S64A1VN59N-6895DAE3550561EFLicensed Type : unlicensedLicensed Status : SubscriptionUsed Mon Ports : 1 of 0Expiration : 10/06/2020

Standard Mode. Type 'edit license' to add a license key.

FLOWPRO> help license

+--------------------------------------------------------------------------+

[ List of Commands ]

edit licenseshow license

+--------------------------------------------------------------------------+For more detail type 'help <command>' or '<command> ?'Full PDF manual can be found at '/home/flowpro/files/flowpro.pdf'+--------------------------------------------------------------------------+

16. Press CTRL+X to save.

17. The interface must be enabled for the Plixer FlowPro processes that will run on that interface using the enablecommand.

For example, to activate Plixer FlowPro Defender montoring on mon1:

enable defender mon1

The commands to enable the other Plixer FlowPro processes on specific interfaces are:

enable apm <interface> <apmMode> enable flowpro <interface>

Note: When adding additional monitoring interfaces to the virtual appliance, be sure to use the interface namingconvention ‘monX’ so that Plixer FlowPro recognizes them as monitoring interfaces (for example: mon1, mon2).

2.3 Installing VMware Tools

VMware Tools are not required for the virtual appliance to function correctly. However, there are certain advantagesto deploying the package on each virtual appliance. See the relevant VMware documentation for more details.

VMware Tools are not installed by default because each version of ESX installs a different VMware Tools package.A script is included on the virtual appliance to simplify the install process.

1. In the VMware vSphere Client, right click on the Plixer FlowPro virtual machine and select Guest | In-stall/Upgrade VMware Tools.

2. Log in to the console of the Virtual Appliance as the root user and run the command:



# /home/flowpro/conf/vmwareToolsInstall.sh

2.4 Upgrading the Virtual Machine Hardware Version

The Plixer FlowPro Virtual Appliance is built on Virtual Machine Hardware Version 8 to maintain backwards compat-ibility with ESXi 5.0 hypervisors. While the virtual machine is powered off, in vSphere (or vCenter) right click on thevirtual machine and select Upgrade Virtual Hardware.

2.5 Virtual Machine - Hyper-V

System Requirements

Component Minimum SpecificationsRAM 4GBDisk 20GBProcessor 1 CPU 2 Core 2GHz+Operating System MS Windows Server 2012

2.5.1 Importing a Virtual Machine

1. Download the latest Plixer FlowPro Appliance

2. Unzip the file on the Hyper-V server

3. Open Hyper-V Manager and select Import Virtual Machine

4. Specify the Plixer FlowPro Appliance System Folder

5. Select the Virtual Machine

6. Choose the import type

7. Go to Settings

8. Select the Network Adapter and assign it to the appropriate Virtual Switch. The Plixer FlowPro appliance comeswith two interfaces: ‘mgmt’: for virtual appliance management and ‘mon1’: the default monitoring interface. Itrequires a mirrored port to be associated with ‘mon1’.

Note: To set up a mirrored port, reference the latest Hyper-V documentation.

9. Expand the Network Adapter section and select Advanced Features

10. Set the MAC Address to Static and enter in a unique MAC Address - click OK.

11. Start the Virtual Machine.

12. Right click on the Virtual Machine and click Connect to login to the Plixer FlowPro Appliance usingroot/flowpro. The server will perform a quick setup and immediately reboot.

2.4. Upgrading the Virtual Machine Hardware Version 9



*********************************



Note: When adding additional monitoring interfaces to the virtual appliance, be sure to use the interface namingconvention ‘monX’ so that Plixer FlowPro recognizes them as monitoring interfaces (for example: mon1, mon2).

2.6 Adding Additional Interfaces

The names of the monitoring interfaces on the Plixer FlowPro appliance are important. When adding additionalinterfaces to a virtual appliance, the interfaces must be renamed to something the FlowPro can recognize.

The Plixer FlowPro appliance comes with two interfaces by default:

• ‘mgmt’: for virtual appliance management

• ‘mon1’: the default monitoring interface

Follow the instructions below to add additional interfaces to the Plixer FlowPro appliance and rename them from thedefault ‘ethX’ to ‘monX’.

Important: Take a snapshot of the virtual machine before making any changes.

2.6.1 CentOS 7

This section outlines the process of adding and renaming a new interface for a Plixer FlowPro appliance running onCentOS 7.

Add a New Interface in VMware

1. In vCenter, right click on the VM that the new interface will be added to and select ‘Edit Settings. . . ’.

2. From the ‘Edit Settings. . . ’ window, select ‘Add New Device’.

3. From the drop down menu, click on ‘Network Adapter’.



Restart the VM

Restarting the VM will allow the OS to see the new interface.

$ shutdown -r now

Rename the New Interface

Run these commands to insert the MAC address of the new interface into the correct ifcfg file.

Important: Before running the last command, verify the interface name is eth0 using the ‘ip addr’ command.

$ cp /etc/sysconfig/network-scripts/ifcfg-mon1 /etc/sysconfig/network-scripts/ifcfg-→˓mon2$ sed -i 's|mon1|mon2|g' /etc/sysconfig/network-scripts/ifcfg-mon2$ MAC=$(cat /sys/class/net/eth0/address); sed -i "s|HWADDR=.*|HWADDR=$MAC|g" /etc/→˓sysconfig/network-scripts/ifcfg-mon2

Restart the VM

Restart the VM so the new name takes effect.

$ shutdown -r now

After the reboot, verify the interface has the correct name.

$ ip addr

2.7 Virtual Machine - KVM

1. Create a new directory for your install:

mkdir kvm/FlowPro_VM_Guide/

2. Download the latest Plixer FlowPro KVM Virtual Appliance and place in the new directory:

Note: Contact Plixer Support to obtain the latest Plixer FlowPro KVM image.

3. Unzip the file in the new directory on your KVM server:

sudo tar xvzf FlowPro_KVM_Image.tar.gz

4. Run the deployment script to install Plixer FlowPro:

sudo ./deploy-flowpro.sh

The script will create a virtual machine from the image file.

5. Log in to the appliance and run the following command to get to the Plixer FlowPro console:

2.7. Virtual Machine - KVM 11

https://www.plixer.com/support/


virsh console Plixer FlowPro

Log in with the default credentials root/flowpro and the virtual machine will immediately reboot. Log in again to kickoff the shell script that configures the networking settings for the VM.


*********************************



Follow the on-screen instructions to complete the deployment process.


CHAPTER 3

Features and Functionality

This section describes the specific features and functionality of Plixer FlowPro.

3.1 Getting started

Connect to Plixer FlowPro over SSH and log in as the “flowpro” user with the password configured during the instal-lation process.


Machine ID : 6YZ6XEPT669666S64A1VN59N-6895DAE3550561EFLicensed Type : FlowPro DefenderLicensed Status : SubscriptionUsed Mon Ports : 1 of 3Expiration : 10/19/2020

* License Key Expires in 13 day(s)

FLOWPRO>

The FLOWPRO> prompt indicates that Plixer FlowPro is ready to accept commands. If the initial configuration stepshave been completed correctly, Plixer FlowPro is already processing traffic and sending data to the designated IPFIXcollector.

3.2 Plixer FlowPro Defender Functionality

The following features and functionality are available with the Plixer FlowPro Defender (or Plixer FlowPro APM-Defender) licensing option.

13


3.2.1 Trusted Domain List

A trusted domain list, or whitelist, is preconfigured on Plixer FlowPro to suppress alarms involving specific domains.The default whitelist contains five entries that can added or removed depending on the customer environment.

• mcafee.com

• sophos.com

• sophosxl.net

• webcfs03.com

• apple.com

mcafee.com suppresses DNS Data Leak alarms from McAfee AntiVirus software. McAfee encodes information fromthe anti-virus clients on the network into very long and complex DNS names and stores this information on their DNSserver. This is exactly the type of behavior that the DNS Data Leak algorithm is looking for as this technique is alsoused by some forms of malware.

sophos.com and sophosxl.net are related to Sophos Anti-virus software, and use multiple techniques to get informa-tion in and out of a network using DNS. In addition to using the same technique as McAfee to send information backto their servers, they also use DNS TXT messages to send information back to the clients on the network. Use of DNSTXT messages to exchange information with an external host is also used by some malware families, and the DNSCommand and Control algorithm will alarm on this type of activity. This will prevent Sophos from generating eitherDNS Data Leak or DNS Command and Control alarms.

webcfs03.com belongs to SonicWALL and will also generate DNS Data Leak alarms.

apple.com uses DNS TXT messages to exchange settings with their NTP server. This will trigger a DNS Commandand Control alarm.

There may be other authorized software on internal networks that use DNS to bypass the firewall for data communica-tions. If so, add those domains to the trusted domain list. Once configured, any other traffic communicating via DNSshould be investigated.

Use the edit domainlist command to modify the trusted domain list.

3.2.2 Untrusted Domain Lists

Plixer FlowPro supports the use of a domain reputation list downloaded from Plixer as well as user-defined domainlists.

Plixer Domain Reputation List

Plixer FlowPro can be configured to download a list of domains from Plixer. These are domains that have beendetermined, with a high probability, to be “bad domains”. This list is used in the Domain Reputation and MalwareBehavior Detection algorithms.

To provide maximum protection, Plixer FlowPro must update the domain reputation list every 10 minutes (set bydefault). During setup, please verify a network route exists from Plixer FlowPro to nba.plixer.com. The DomainReputation algorithm will not detect any malware if Plixer FlowPro is unable to connect to nba.plixer.com - however,all other features will function normally.

Use the following Plixer FlowPro commands to control the use of this list:

• enable domainreputationlist to enable

• disable domainreputationlist to disable

14 Chapter 3. Features and Functionality


Plixer JA3 Signatures

Plixer FlowPro can be configured to download a list of JA3 Signatures from Plixer.

Use the following Plixer FlowPro commands to control the use of this signature list:

• enable domainreputationlist to enable

• disable domainreputationlist to disable

User-defined Domain Lists

Users may supplement the Plixer domain reputation list by creating one or more domain lists that contain user-defineddomains to monitor. Domain names in the list must adhere to the following rules:

• DNS names must contain at least 2 (2LD) but no more than 3 (3LD) labels. For example: google.com (2LD)and maps.google.com (3LD)

• Labels must contain between 1 and 63 characters to form a legitimate domain name

• One DNS name per line

Entries that do not match these requirements will be ignored.

Use the following Plixer FlowPro command to to create or edit a custom list of domains to trigger Domain Reputationalarms:

• edit domainlist

Use the following Plixer FlowPro commands to enable or disable custom domain lists:

• enable domainlist to enable

• disable domainlist to disable

User-defined JA3 Signature Lists

The JA3 blacklist functionality supports custom blacklists specified in either a bin or csv format.

Use this filename and path to import the user-defined JA3 blacklist CSV file:

/home/flowpro/conf/domains/ja3-custom.csv

The expected format is one MD5 hash in hexadecimal, without leading 0x, per line. Once you upload the CSV filecontaining signatures to the /home/flowpro/conf/domains/ directory, Plixer FlowPro will import it during the nextrefresh cycle (every 64 minutes) or the initial load.

Important: Contact Plixer Technical Support for assistance with the JA3 bin import option.

Plixer Scrutinizer Flow Analytics Algorithms

Plixer FlowPro will send data to the specified IPFIX Collector. Plixer Scrutinizer provides additional functionality tocheck for malicious behavior and bad actors, and to generate alarms when detected.

BotNet Detection This alarm is generated when a large number of unique DNS name lookups havefailed. When a DNS lookup fails, a NXDOMAIN reponse is returned. Scrutinizer is able to identifya class of malware that uses Domain Generation Algorithms (DGAs) by monitoring the number ofNXDOMAINs detected as and the actual DNS name looked up.

3.2. Plixer FlowPro Defender Functionality 15


The default threshold is 100 unique DNS lookup failure (NXDOMAIN) messages in five minutes.Either the source or destination IP address can be excluded from triggering this alarm.

DNS Command and Control This algorithm monitors the use of DNS TXT messages traversing thenetwork perimeter as detected by Plixer FlowPro. DNS TXT messages can be used to send infor-mation into and out of the protected network over DNS, even when the use of external DNS servershas been blocked. Malware uses this technique to control compromised assets within the networkand to extract information back out. Additionally, some legitimate software also uses this method tocommunicate back to the developer site.

The algorithm will detect inbound, outbound, and bidirectional communications using DNS TXTmessages. Thresholds can be set based either on the number of DNS TXT messages or number ofbytes observed in the DNS TXT messages within a five minute period. The default setting is for anydetected traffic to trigger an alarm and alarm aggregation defaults to 120 minutes.

The domain generating the alarm message may be added to the trusted domains list in Plixer FlowProto suppress alarms from authorized applications on the network. See the information regarding thetrusted domains list below.

DNS Data Leak This algorithm monitors for information encoded into a DNS lookup message that hasno intention of returning a valid IP address or making an actual connection to a remote device. As aresult, the local DNS server will fail to find the DNS name in its cache and will pass the name out ofthe network to where it will eventually reach the authoritative server for the domain. At that point,the owner of the authoritative server can decode the information embedded in the name, and mayrespond with a “no existing domain” response or return a non-routable address.

Plixer FlowPro reviews all DNS queries and responses using proprietary logic to detect unwantedcommunications. Odd behaviors are sent to Plixer Scrutinizer where they are further processed bythe DNS Data Leak algorithm. Thresholds can be set based on either the number of DNS TXTmessages or the number of bytes observed in the DNS TXT messages within a five minute period.The default setting is for any detected traffic to trigger an alarm and alarm aggregation defaults to120 minutes.

DNS Server Detection The algorithm detects new DNS servers being used on or by your networkthrough analysis of the DNS packets being exchanged between the client and the server. ExcludeDNS servers that are authorized for use on the network.

Domain Reputation Domain reputation provides much more accurate alarming with a dramatic decreasein the number of false positive alarms as compared to IP-based host reputation. The domain listprovided by Plixer is updated every ten minutes and currently contains over 400,000 known baddomains.

To provide maximum protection, FlowPro must update its domain reputation list every ten minutes.During setup, please verify a network route exists from FlowPro to nba.plixer.com. The DomainReputation algorithm will not detect any malware if FlowPro is unable to connect to nba.plixer.com- however, all other features will function normally.

Plixer FlowPro performs the actual monitoring, and when it detects a domain with poor reputation,it passes the information to Plixer Scrutinizer for additional processing. The default setting is forany detected traffic to trigger an alarm and alarm aggregation defaults to disabled so that all DNSlookups observed will result in a unique alarm.

To suppress alarms from authorized applications in the network, the domain generating the alarmmessage can be added to the trusted domain list in Plixer FlowPro. See the User-defined DomainLists section for details.

JA3 Fingerprinting The JA3 fingerprinting functionality leverages the unique characteristics of the TLShandshake to identify the software generating encrypted traffic by comparing it against a list of



known signatures. If a positive match is made, Plixer FlowPro Defender will send the details of thatconnection to Plixer Scrutinizer.

Malware Behavior Detection This algorithm demonstrate Plixer’s cyber threat correlation capability.Correlation of multiple network behaviors over a long time period provides detection systems withmore information resuting in higher accuracy with fewer false positive alarms.

This specific alarm correlates IP address lookup (i.e. what is my IP address) activity, which iscommonly performed by malware shortly after the initial compromise, with the detection of theBotNet alarm or a Domain Reputation alert.

When either of the two events is detected, this algorithm triggers an alert as this behavior is a verystrong indicator of a compromised asset.

Adding Plixer FlowPro to the Algorithms The Plixer FlowPro appliance(s) must be linked to the algo-rithms the user wishes to use in the Plixer Scrutinizer Flow Analytics configuration settings:

• Navigate to the Admin Tab > Settings > Flow Analytics Configuration

• Click the numbers in the exporter column to associate the Plixer FlowPro exporter with thatalgorithm

• Violations and alarms will be displayed in the Alarms tab

3.3 ERSPAN

3.3.1 What is ERSPAN?

ERSPAN is the acronym for Encapsulated Remote Switched Port Analyzer. It mirrors traffic on one or more sourceports and delivers the mirrored traffic to one or more destination ports. The traffic is encapsulated in Generic RoutingEncapsulation (GRE), which is therefore routable across a Layer 3 network between the source switch and the desti-nation. In this case, the destination is the IP of the monitor interface (e.g. ‘mon1’) on the Plixer FlowPro appliance.

3.3.2 Configuration

Configuration is required on both the Plixer FlowPro and the ERSPAN/GRE device.

The order of configuration (Plixer FlowPro or the ERSPAN/GRE device first) is not critical, as long as the requiredinformation listed below is gathered first. The configuration of each device requires information from the other device(Plixer FlowPro and ERSPAN device).

The following instructions detail how to configure Plixer FlowPro, a Cisco switch, and a VMware VDS.

Note: Specific commands and configuration options may vary between devices and versions. Command syntaxshould be verified with vendor documentation for the specific device being configured.

Prerequisites

The following information should be determined prior to starting the configuration:

Plixer FlowPro ERSPAN configuration

• Monitor port: for example ‘mon1’.

• Monitor port IP and CIDR: for example ‘10.30.15.50/16’ (do NOT use /32 CIDR)

3.3. ERSPAN 17


• Monitor port gateway: for example ‘10.30.1.1’

• Peer IP Address: the ERSPAN source IP defined below - for example ‘10.30.1.203’

ERSPAN device configuration

• ERSPAN Source IP: an IP address on the device (switch or router) or the ESXi host IP address(VDS) - for example ‘10.30.1.203’

• Destination IP: FlowPro monitor port IP address (not the Plixer FlowPro management IP) - forexample ‘10.30.15.50’

• Source Interface(s) to SPAN: the example in step 6 of VMWare VDS configuration below shows 3sources selected

Plixer FlowPro

The monitoring interface(s) must first be enabled as defined in the Hardware Appliance or Virtual Appliance installa-tion instructions.

Next, refer to the enable erspan command for instructions on configuring Plixer FlowPro for ERSPAN.

Note: Each monitoring interface on the Plixer FlowPro supports only one ERSPAN configuration. Multiple ERSPANconfigurations on the same interface (for example mon1) may produce unpredictable results.

Cisco Switch

monitor session 1 type erspan-sourcedescription ERSPAN direct to FlowProerspan-id 32 # requiredvrf default # requireddestination ip 10.1.2.3 # IP address of Plixer FlowPro monitor→˓interfacesource interface port-channel1 both # Port(s) to be sniffedno shut # enable

monitor erspan origin ip-address 10.1.2.1 global

VMware VDS

Note: This requires the VMware Enterprise Plus license and a configured vSphere Distributed Switch.

From the VMware web console:

1. Select your VDS from the list of networks

2. Select “Port mirroring” on the “Configure” tab|

3. Select “New. . . ” to create a new session



4. Select “Encapsulated Remote Mirroring (L3) Source then click “Next”.

5. Give your new session a name and set the status to Enabled, then click “Next”.

3.3. ERSPAN 19


6. Add the ports you wish to mirror to the probe, then click “Next”.

7. Add the IP given to the monitor interface of the probe as the destination of the session (not the Plixer FlowPromanagement IP), then click “Next”.



8. Verify your configuration and click “Finish” to start the session.

3.4 Server maintenance

3.4.1 Hardware Failure

Contact Plixer Technical Support for assistance if any hardware malfunctions occur.

3.4. Server maintenance 21


3.4.2 Applying Security Patches

Although efforts are made to minimize the risk for security breaches on the appliance, updates to core OS componentsmay be required.

Updates should not installed unless Plixer Technical Support advises or assists. For more information, contact PlixerTechnical Support.

3.4.3 Backing Up Plixer FlowPro

Plixer FlowPro stores all its configuration data in the plixer.ini file. At the FLOWPRO> prompt, type “edit plixer.ini”and copy the file contents to a safe location.

3.4.4 Restoring Plixer FlowPro from Backup

To restore the Plixer FlowPro backup:

• log into the appliance over SSH

• at the FLOWPRO> prompt run the command “edit plixer.ini”

• overwrite the contents of the file with the contents of the plixer.ini that was previously backed up

• save the changes

• Plixer FlowPro will rebuild the appropriate files and begin operations

If a new host server is being deployed, or the server hardware configuration has changed, a new license key will needto be applied.


CHAPTER 4

Commands

4.1 Overview

The Plixer FlowPro command set provides numerous configuration and maintenance utilities required for device man-agement and technical support purposes.

Click on a command in the table to see the usage instructions.

23


4.2 Command List

Com-mand

Sub-command

check replistclear domainlist

logdisable apm

defenderdomainlistdomainReputationListerspanflowproHTTPMonitoringtrackProcessMetrics

edit domainlistlicenseplixer.ini

enable apmdefenderdomainlistdomainReputationListerspanflowproHTTPMonitoringtrackProcessMetrics

service flowproset activeDomainResendSeconds

collectorhostnamepassword

show configurationdomainlisterspanfeaturesinterfaceslicenselogmachine_idstatus

snoop interfaceipaddress

system restartshutdown

4.3 Command Usage

4.3.1 check

Verify different settings and configurations on the Plixer FlowPro appliance.

24 Chapter 4. Commands


check replist

Usage: check replist

Description: Check the ability for FlowPro to reach nba.plixer.com to download the reputationlists every ten minutes. If this appliance does not have access to the internet, contact PlixerTechnical Support for help.

Note: This feature requires the Plixer FlowPro Defender license.

4.3.2 clear

Clean up or remove data from a system. Use with caution.

clear domainlist

Usage: clear domainlist <domain_list>

Description: Remove a domain list from the system. Use with caution. Use the show domain-list command to list all active domain lists.


clear log

Usage: clear log <log_file>

Description: Remove data from a specific log file. Use with caution. Use the show log com-mand to display a list of active logs.

Note: You cannot clear data from the cli.log file.

EXAMPLE: FLOWPRO> clear log dns1yaf.log

4.3.3 disable

Disable Settings.

disable apm

Usage: disable apm <interface> <apmMode>

Description: Disable either monitoring of Latency, VOIP or both on an interface. The specifiedinterface must be active. Valid <apmMode> options are:

voip latency both

Use the show configuration command to display a list of currently enabled interfaces.

Note: This feature requires the Plixer FlowPro APM license.

disable defender

Usage: disable defender <interface>

Description: Disable DNS monitoring on an interface. The specified interface must be active.Use the show configuration command to display a list of currently enabled interfaces.

4.3. Command Usage 25



disable domainlist

Usage: disable domainlist <domain_list>

Description: Disable a custom domain reputation list. The disabled domain list will not beremoved and can be re-enabled using the enable domainlist command.


disable domainReputationList

Usage: disable domainReputationList

Description: Disable checking against the domain reputation lists configured on the system.Use the show domainlist command to display the available domain lists.


disable erspan

Usage: disable erspan <interface>

Description: Disable the ERSPAN configured on a monitoring interface.

disable flowpro

Usage: disable flowpro <interface>

Description: Disable traffic monitoring on an interface. Use the show configuration commandto display the list of enabled interfaces.

disable HTTPMonitoring

Usage: disable HTTPMonitoring

Description: This process keeps track of all domains contacted with HTTP. The list of currentlyactive domains is saved for the number of seconds set by the set activeDomainResendSecondscommand.

HTTP monitoring applies to the same interfaces that are configured using the enable defendercommand.


disable trackProcessMetrics

Usage: disable trackProcessMetrics

Description: Disable Plixer FlowPro process metrics.

4.3.4 edit

Edit the Plixer FlowPro configuration files.

edit domainlist



Usage: edit domainlist <domain_list>

Description: Edit a custom domain reputation list. The name specified in <domain_list> willcreate a new list with that name if none exists already.

The custom domain reputation list created must contain one domain per line and each domainmust contain a two or three layer domain (2LD/3LD). Domains names that do not contain 2 or3 layers will be ignored.


edit license

Usage: edit license

Description: Opens the plixer.ini file where the license key is stored. The plixer.ini file alsostores the Plixer FlowPro configuration information. After editing the plixer.ini file, PlixerFlowPro will restart services to load the changes made.

edit plixer.ini

Usage: edit plixer.ini

Description: Opens the plixer.ini file for edit. The plixer.ini file stores the Plixer FlowProconfiguration information. After editing the plixer.ini file, Plixer FlowPro will restart servicesto load the changes made.

4.3.5 enable

Enable monitoring options. All settings can be edited in the configuration file using ‘edit plixer.ini’.

enable apm

Usage: enable apm <interface> <apmMode>

Description: Enable the monitoring of Latency, VOIP or both on an interface. The specifiedinterface must be active. Valid <apmModes> options are:

voip latency both

Use the show interfaces command to display a list of available monitoring interfaces.

Note: This feature requires the Plixer FlowPro APM license.

enable defender

Usage: enable defender <interface>

Description: Enable DNS monitoring on an interface. The specified interface must be active.Use the show interfaces command to display a list of available monitoring interfaces.


enable domainlist

Usage: enable domainlist <domain_list>



Description: Enable a custom domain reputation list. Custom user-defined reputation lists canbe created to supplement the known compromised domain list provided by Plixer.

Use the ‘edit domainlist <domain_list_name>’ command to create a new list.


enable domainReputationList

Usage: enable domainReputationList

Description: Enable Plixer FlowPro to download an updated list of known compromised do-mains. This list will be downloaded from nba.plixer.com every ten minutes. Use the checkreplist command to verify acccess to the list.


enable erspan

Usage: enable erspan <interface> <ipaddress/cidr> <gateway> <peerIPaddress>

Description: Configure a monitor interface to receive traffic from an ERSPAN/GRE tunnel.This configuration supports all types of GRE tunnels.

All of the following parameters are required:

• interface

• ipaddress/cidr

• gateway

• peerIPaddress

<interface>: interface used to monitor the ERSPAN/GRE tunnel traffic. This interface must beone of the monitoring interfaces displayed by the command show interfaces.

<ipaddress/cidr>: IP address dedicated to the ERSPAN/GRE tunnel. This IP must be routablefrom the monitoring interface to the network device configured to send ERSPAN/GRE. Boththe IP address and CIDR are required, which must be unique to this interface. Do not use theIP address of the management interface of the FlowPro appliance.

<gateway>: used by the monitoring interface to create a route to keep the outgoing traffic fromthe ERSPAN/GRE tunnel localized to the monitoring interface.

<peerIPaddress>: external address of the network device configured to send ERSPAN/GRE. Ifthe device is a VMware VDS, enter the IP address of the VMware host.

Command Example:

enable erspan mon1 10.30.15.50/16 10.30.1.1 10.30.1.203

Go to the ERSPAN configuration section for instructions on how to configure theERSPAN/GRE device.

enable flowpro

Usage: enable flowpro <interface>

Description: Enable traffic monitoring on an interface. The interface must be active. Use theshow interfaces command to display a list of available monitoring interfaces.



enable HTTPMonitoring

Usage: enable HTTPMonitoring

Description: This process keeps track of all domains accessed with HTTP. The list of currentlyactive domains is saved for the number of seconds set by the set activeDomainResendSecondscommand.

HTTP monitoring will be on the same interfaces that are configured using the enable defendercommand.


enable trackProcessMetrics

Usage: enable trackProcessMetrics

Description: Send process information to your collector about the FlowPro processes. Infor-mation about CPU and memory usage will be sent to the collector.

4.3.6 service

service flowpro

Usage: service flowpro <start|stop|restart>

Description: Control the Plixer FlowPro service daemon.

4.3.7 set

Change various settings for the Plixer FlowPro appliance.

set activeDomainResendSeconds

Usage: set activeDomainResendSeconds <seconds>

Description: Set the number of seconds to resend the active domain list to your collector. Theactive domain list is the list of domains seen by the Plixer FlowPro Defender HTTP modulesince the last time the list was sent. Run the enable HTTPMonitoring command To enable theHTTP monitoring. The <seconds> parameter must be set to a whole number between 300 (5minutes) and 86400 (24 hours).


set collector

Usage: set collector <ip> <port>

Description: Configure the collector IP address and port number for the Plixer FlowPro to sendflows to. The collector IP and port are required. The flows will not be collected by the collectorif it is not configured to listen on that port number.

set hostname

Usage: set hostname <hostname>

Description: Change the hostname of the Plixer FlowPro appliance. The ‘hostname’ parameteris required. A reboot is required for this change to take effect.



set password

Usage: set password

Description: Change the password for the ‘flowpro’ operating system user.

4.3.8 show

Display Plixer FlowPro information or settings.

show configuration

Usage: show configuration

Description: Shows current Plixer FlowPro configuration settings.

show domainlist

Usage: show domainlist

Description: Shows all custom domain lists configured on the system. Run the edit domainlistcommand to edit the custom domain list.


show erspan

Usage: show erspan

Description: Shows current ERSPAN configuration information. Only one ERSPAN tunnelcan be configured per interface.

show features

Usage: show features

Description: Shows licensed Plixer FlowPro features.

show interfaces

Usage: show interfaces

Description: Shows available interfaces that can be configured to monitor mirrored traffic.

show license

Usage: show license

Description: Shows current license information.

show log

Usage: show log <log_file>

Description: Shows the current entries for the given log. Entering ‘show log’ without naminga <log_file> will display the full list of available logs.

show machine_id

Usage: show machine_id

Description: Shows the machine id of the Plixer FlowPro appliance.

show status



Usage: show status

Description: Shows status of Plixer FlowPro processes.

4.3.9 snoop

The snoop command can be used to verify that packets are being received by or sent from the Plixer FlowPro for acertain IP address or interface. This command runs tcpdump with a filter of either an interface or ip address.

snoop interface

Usage: snoop interface <interface>

Description: Runs tcpdump filtered on a specific interface. Use the show interfaces commandto see a list of available interfaces. Use CTRL+C to exit the snoop command.

snoop ipaddress

Usage: snoop ipaddress <ipaddress>

Description: Runs tcpdump filtered on an IP address. Use CTRL+C to exit the snoop com-mand.

4.3.10 system

The system command is used to change state of the Plixer FlowPro operating system.

system restart

Usage: system restart

Description: Restart the operating system.

system shutdown

Usage: system shutdown

Description: Shutdown the operating system.




CHAPTER 5

Ingress, Egress and Observation Domain Configuration

The default behavior for traffic monitoring is to label the flows from each interface as its own ingress and egress(mon1 = ingress on 1, egress on 1). The observation domain is fixed at 42 by default. However, Plixer FlowPro can beconfigured to label the flows as coming from any licensed ingress and egress interface, and/or from any observationdomain.

For example: users may want to label traffic monitoring so ingress is mon1 and egress is mon2.

This is done by modifying the plixer.ini file. Open the editor from the FLOWPRO> prompt:

FLOWPRO> edit plixer.ini

In the editor, locate the following line:

monitorTraffic=mon1

When specified in this format, mon1 is configured for ingress of 1 and egress of 1. By modifying this setting in thefollowing format, Plixer FlowPro will configure mon1 to have an ingress of 1 and egress of 2.

monitorTraffic=mon1:1:2

The format to use is monX:ingress:egress. Once the necessary configuration changes have been made, save theplixer.ini file. Plixer FlowPro will then restart the services with the new configuration. Note that the values foringress and egress are limited to the maximum number of licensed interfaces.

The observation domain ID identifies the source of the IPFIX flows to the collector, which in this case is the PlixerFlowPro appliance. In most cases, there is no need to change the default value.

To define a different observation domain for an interface, modify the plixer.ini file as before using the formatmonX:ingress:egress:observation_domain. The ingress and egress labels must also be set when setting the obser-vation domain. To change the observation domain for mon1 from the default to 45, while keeping the ingress andegress values set above, modify the configuration setting specified above to read as:

monitorTraffic=mon1:1:2:45

Or, to use the default ingress/egress values for mon1 but change the observation domain to 45:

33


monitorTraffic=mon1:1:1:45

34 Chapter 5. Ingress, Egress and Observation Domain Configuration

CHAPTER 6

Troubleshooting

6.1 Support

Technical support is available with an active maintenance contract. Contact our support team at:

• +1 (207) 324-8805 ext 4

• https://www.plixer.com/support/

35

https://www.plixer.com/support/


36 Chapter 6. Troubleshooting

CHAPTER 7

Change Log

For more details on the new features below, reference the Plixer website and Plixer FlowPro documentation.

KEY: ACTION: (Bug Ticket Number) description

Ex. ADDED: (1640) Thresholds based on outbound traffic

7.1 Change Log History

————————————————————————–

7.1.1 Version 19.0.0 - 10/2020

ADDED: (55) Custom JA3 Blacklist SupportADDED: (63) JA3 Fingerprinting Support

FIXED: (43) Make FlowPro licensed features clearly understandableFIXED: (56) Hardware 10Gb FlowPro APM understatingFIXED: (61) /home/flowpro/conf/vmwareToolsInstall.sh is missingFIXED: (64) Add the FlowPro version to FlowPro prompt

————————————————————————–

7.1.2 Version 18.12.14 - 1/21/2019

ADDED: (14) Consolidated all FlowPro license types to one probeADDED: (120) Support for ERSPANADDED: (121) Defender decapsulates GRE packets

37

https://www.plixer.com/


ADDED: (376) Weekly log rotation

FIXED: (377) Defender no longer truncates logs on restart

————————————————————————–

7.1.3 Version 18.5 - 5/22/2018

FIXED: (25173) FlowPro monitor interfaces not entering promiscuous modeFIXED: (25634) Replace the EULA.txt in FlowProFIXED: (25639) FlowPro needs to support subscription licenseFIXED: (25119) FlowPro APM Install/Upgrades need updatingFIXED: (25526) Can’t upgrade nProbe due to package dependenciesFIXED: (25557) Update nProbe Version On APMFIXED: (25627) Undefined address error on deploymentFIXED: (25710) Default Defender Plixer.ini is missing a field on fresh installsFIXED: (25742) Rewrite the FlowPro manualFIXED: (25880) FlowPro User Manual typoFIXED: (25881) FlowPro PDF User Manual header says Plixer documentationFIXED: (25913) APM won’t start nProbe for more than one interface

————————————————————————–

7.1.4 Version 16.8 - 8/16/2016

ADDED: (13509) Defender now exports HTTP Header FieldsFIXED: (21010) Domain Exclusion List – Now Applies to BotNet Detection

————————————————————————–

38 Chapter 7. Change Log

CHAPTER 8

Third-party Attributions

Certain open source or other third-party software components are integrated and/or redistributed with Plixer FlowPro.The licenses are reproduced here in accordance with their licensing terms - these terms only apply to the librariesthemselves, not the Plixer FlowPro software.

8.1 libcap

http://www.tcpdump.org/ Copyright (c) The Tcpdump Group Licensed under the GNU GPL 2.0 License – see LicensesDirectory

8.2 libfixbuf

http://aircert.sourceforge.net/fixbuf/ Copyright (c) 2005-2006 Carnegie Mellon University Licensed under the GNUGPL 2.0 License – see Licenses Directory

8.3 libtldl

http://www.gnu.org/software/libtool/ Copyright (c) 1999, 2003, 2011-2015 Free Software Foundation, Inc. Written byThomas Tanner, 1999 Licensed under the GNU LGPL 2.1 License – see Licenses Directory

8.4 PF_RING

https://www.ntop.org/products/packet-capture/pf_ring/ Copyright (c) 2004-2014 ntop.org Licensed under the GNUGPL 2.0 License – see Licenses Directory

39

http://www.tcpdump.org/

http://aircert.sourceforge.net/fixbuf/

http://www.gnu.org/software/libtool/

https://www.ntop.org/products/packet-capture/pf_ring/


8.5 Pof

http://lcamtuf.coredump.cx/p0f3/ Copyright (c) 2000-2006 by Michal Zalewski Licensed under the GNU LGPL 2.1License – see Licenses Directory

8.6 super_mediator

http://tools.netsa.cert.org/super_mediator/ Copyright (c) 2004-2014 Carnegie Mellon University Licensed under theGNU GPL 2.0 License – see Licenses Directory

8.7 tcpdump

http://www.tcpdump.org/ Copyright (c) The Tcpdump Group Licensed under the BSD 3-clause License – see LicensesDirectory

8.8 YAF

https://tools.netsa.cert.org/yaf/ Copyright (c) 2005-2013 Carnegie Mellon University Licensed under the GNU GPL2.0 License – see Licenses Directory

40 Chapter 8. Third-party Attributions

http://lcamtuf.coredump.cx/p0f3/

http://tools.netsa.cert.org/super_mediator/

http://www.tcpdump.org/

https://tools.netsa.cert.org/yaf/

Documents

FlowPro Documentation