Upload
others
View
3
Download
0
Embed Size (px)
Citation preview
FlowPro DocumentationRelease 19.0.0
Plixer
Feb 16, 2022
Plixer FlowPro
1 What is Plixer FlowPro? 31.1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31.2 Licensing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
2 Installation 52.1 Hardware Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52.2 Virtual Appliance - ESX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62.3 Installing VMware Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82.4 Upgrading the Virtual Machine Hardware Version . . . . . . . . . . . . . . . . . . . . . . . . . . . 92.5 Virtual Machine - Hyper-V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92.6 Adding Additional Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102.7 Virtual Machine - KVM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
3 Features and Functionality 133.1 Getting started . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133.2 Plixer FlowPro Defender Functionality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133.3 ERSPAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173.4 Server maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
4 Commands 234.1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234.2 Command List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244.3 Command Usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
5 Ingress, Egress and Observation Domain Configuration 33
6 Troubleshooting 356.1 Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
7 Change Log 377.1 Change Log History . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
8 Third-party Attributions 398.1 libcap . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 398.2 libfixbuf . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 398.3 libtldl . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 398.4 PF_RING . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
i
8.5 Pof . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 408.6 super_mediator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 408.7 tcpdump . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 408.8 YAF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
ii
FlowPro Documentation, Release 19.0.0
Welcome to the on-line Plixer FlowPro manual. Click Here for online troubleshooting or FAQs. This manual is alsoavailable in .pdf format.
Important: Don’t struggle, contact Plixer support!
Plixer FlowPro 1
FlowPro Documentation, Release 19.0.0
2 Plixer FlowPro
CHAPTER 1
What is Plixer FlowPro?
1.1 Overview
Complete visibility of network traffic is key to managing your network, protecting your assets, and investigatingsecurity incidents. Whether you need to monitor traffic in remote offices, an isolated data closet or a data center, PlixerFlowPro provides the information you need to perform root-cause analysis of both network performance and securityevents.
Plixer FlowPro is a network sensor that delivers security and network visibility where infrastructure otherwise fallsshort. With a single sensor, network operations can gain additional insight into the network while security operationssimultaneously lower risk, gain data context, and respond quickly to security incidents.
Plixer FlowPro is available as a physical appliance or Virtual Appliance download.
1.2 Licensing
Plixer FlowPro offers several licensing options:
1.2.1 Plixer FlowPro
The base Plixer FlowPro license provides complete visibility into your network traffic where visibility is limited bygenerating flow data to send to an IPFIX collector. Plixer FlowPro captures network traffic and generates correspond-ing IPFIX records without performing any additional processing.
More features and functionality are available with additional licensing as described below.
1.2.2 Plixer FlowPro APM
The Plixer FlowPro APM (Application Performance Monitoring) license enables Plixer FlowPro to passively monitortraffic and can be configured to provide the following:
3
FlowPro Documentation, Release 19.0.0
• Latency data on clients, servers, and Layer 7 applications through Deep Packet Inspection (DPI)
• Traffic metrics related to SIP/RTPs and voice quality
• Both latency and traffic metrics (dual mode)
Note: If additional interfaces need be added to the Virtual Appliance, that must be completed prior to requesting thePlixer FlowPro APM license.
1.2.3 Plixer FlowPro Defender
Plixer FlowPro with Plixer FlowPro Defender licensing passively monitors network traffic to provide enhanced visi-bility into the traffic within or transiting the organization. It monitors DNS traffic for signs of malware compromiseincluding BotNet detection, DNS lookups of domains likely associated with malware, and malware using DNS fordata exfiltration and/or command and control.
Plixer FlowPro Defender compares DNS Queries to a domain reputation list and matches DNS queries with responsesto identify abnormal DNS traffic. Examples of potentially abnormal traffic include no existing domain (NXDOMAIN)responses and long and complete DNS names that do not properly resolve.
Plixer FlowPro Defender also provides:
• Monitoring of other types of DNS messages, such DNS TXT messaging to bypass firewall restrictions and allowdirect communications between an outside host and an internal asset
• User-defined “whitelists” to prevent allowed domains from triggering alerts, plus user-defined “blacklists” toaugment the Plixer-supplied domain reputation lists
• Both modes simultaneously in any combination on any or all of the available monitoring ports
1.2.4 Plixer FlowPro APM-Defender
This combination license includes the following licensing options as described above:
• Plixer FlowPro APM (Application Performance Monitoring)
• Plixer FlowPro Defender
Enabling and disabling any of the available features and functionality can be performed using the appropriate enableor disable commands.
4 Chapter 1. What is Plixer FlowPro?
CHAPTER 2
Installation
Plixer FlowPro has several licensing levels. A valid production or evaluation license key is required with each install.A key can be obtained from Plixer Support or a local reseller.
The steps below describe the installation of FlowPro hardware and virtual appliances.
2.1 Hardware Appliance
Once the hardware appliance is installed in a network rack, power it on and follow the steps below:
1. Connect to the appliance over SSH at the default IP address of 192.168.168.168/24, and login with the usernameroot and password flowpro. The hardware appliance will execute a quick setup routine and immediately reboot.
CentOS Linux 7 (Core)Kernel 3.10.0-862.14.4.e17.x86_64 on an x86.64
localhost login: rootPassword: _
2. Login to the hardware appliance again using the username root and password flowpro. Answer a few briefquestions. The hardware appliance will reboot to apply the settings.
*********************************FlowPro Hardware ApplianceInitial Configuration
*********************************
What is the appliances static IP Address?10.1.2.3What is the appliances Netmask?255.255.255.0What is the appliances gateway?10.1.2.1
(continues on next page)
5
FlowPro Documentation, Release 19.0.0
(continued from previous page)
What is the hostname for this appliance?flowpro
What is the IP Address to your DNS?This will allow the FlowPro to resolve IP addresses.
*Login to the hardware appliance again and answer a few brief questions*
3. Log in to the hardware appliance again and apply the license key using the edit license command.
4. Paste the license key after the label license= in the [client] section of the plixer.ini file.
FlowPro 19.0.0.20061 [Oct 06 2020]Copyright (C) 2012 - 2020 Plixer LLC. All rights reserved.Need an IPFIX Collector? Download Scrutinizer at https://www.plixer.com
Machine ID : 6YZ6XEPT669666S64A1VN59N-6895DAE3550561EFLicensed Type : unlicensedLicensed Status : SubscriptionUsed Mon Ports : 1 of 0Expiration : 10/06/2020
FLOWPRO> help license
+--------------------------------------------------------------------------+
[ List of Commands ]
edit licenseshow license
+--------------------------------------------------------------------------+For more detail type 'help <command>' or '<command> ?'Full PDF manual can be found at '/home/flowpro/files/flowpro.pdf'+--------------------------------------------------------------------------+
5. Press CTRL+X to save
6. The interface must be enabled for the Plixer FlowPro process that will run on that interface using the enablecommand.
For example, to activate Plixer FlowPro Defender monitoring on mon1:
enable defender mon1
The commands to enable the other Plixer FlowPro processes on a specific interface are:
enable apm <interface> <apmMode> enable flowpro <interface>
2.2 Virtual Appliance - ESX
The Plixer FlowPro Virtual Appliance (FVA) is packaged as an all-in-one virtual machine template or OVF. VMwareESX/ESXi 5.0 or higher is required to deploy a VM from the OVF template. VMware Tools will also be required inorder to shut down the virtual appliance through the VMware vSphere Client.
System Requirements
6 Chapter 2. Installation
FlowPro Documentation, Release 19.0.0
Component Minimum SpecificatonsRAM 4GBDisk 20GBProcessor 1 CPU 2 Core 2GHz+Operating System ESXi 5.0
Deploying the OVF Template
1. Connect to the ESX host using VMware vSphere or vCenter.
2. Select File | Deploy OVF Template.
3. Select Deploy from File and browse to the OVF Template - click Next.
4. Review the OVF template details - click Next.
5. Enter a name for the Plixer FlowPro Virtual Appliance - click Next.
6. Select a datastore - click Next.
7. Select the disk format - click Next.
8. Select the Network Mapping - click Next.
9. Review the Virtual Settings - click Finish to import the OVF Template.
10. The virtual appliance is configured with 2 network adapters and eth1 (or mon1) is already in promiscuous mode.By default, it will start listening for traffic on the default virtual network. A mirror port of a Virtual DistributedSwitch or a mirror port using a physical NIC on the ESXi host will have to be configured if a different networkneeds to be monitored.
11. Power on the Plixer FlowPro virtual machine.
12. Navigate to the Console tab and log in using the username root and password flowpro. The virtual appliancewill perform a quick setup and immediately reboot.
13. Log in to the virtual appliance again using the username root and password flowpro. Answer a few brief ques-tions. The virtual appliance will reboot to apply the settings.
*********************************FlowPro Virtual ApplianceInitial Configuration
*********************************
What is the appliances static IP Address?10.1.2.3What is the appliances Netmask?255.255.255.0What is the appliances gateway?10.1.2.1What is the hostname for this appliance?flowpro
What is the IP Address to your DNS?This will allow the FlowPro to resolve IP addresses.
14. Log in to the virtual appliance command line with the flowpro username and password. Apply the license keyusing the edit license command.
15. Paste the license key after the label license= in the client section of the plixer.ini file.
2.2. Virtual Appliance - ESX 7
FlowPro Documentation, Release 19.0.0
FlowPro 19.0.0.20061 [Oct 06 2020]Copyright (C) 2012 - 2020 Plixer LLC. All rights reserved.Need an IPFIX Collector? Download Scrutinizer at https://www.plixer.com
Machine ID : 6YZ6XEPT669666S64A1VN59N-6895DAE3550561EFLicensed Type : unlicensedLicensed Status : SubscriptionUsed Mon Ports : 1 of 0Expiration : 10/06/2020
Standard Mode. Type 'edit license' to add a license key.
FLOWPRO> help license
+--------------------------------------------------------------------------+
[ List of Commands ]
edit licenseshow license
+--------------------------------------------------------------------------+For more detail type 'help <command>' or '<command> ?'Full PDF manual can be found at '/home/flowpro/files/flowpro.pdf'+--------------------------------------------------------------------------+
16. Press CTRL+X to save.
17. The interface must be enabled for the Plixer FlowPro processes that will run on that interface using the enablecommand.
For example, to activate Plixer FlowPro Defender montoring on mon1:
enable defender mon1
The commands to enable the other Plixer FlowPro processes on specific interfaces are:
enable apm <interface> <apmMode> enable flowpro <interface>
Note: When adding additional monitoring interfaces to the virtual appliance, be sure to use the interface namingconvention ‘monX’ so that Plixer FlowPro recognizes them as monitoring interfaces (for example: mon1, mon2).
2.3 Installing VMware Tools
VMware Tools are not required for the virtual appliance to function correctly. However, there are certain advantagesto deploying the package on each virtual appliance. See the relevant VMware documentation for more details.
VMware Tools are not installed by default because each version of ESX installs a different VMware Tools package.A script is included on the virtual appliance to simplify the install process.
1. In the VMware vSphere Client, right click on the Plixer FlowPro virtual machine and select Guest | In-stall/Upgrade VMware Tools.
2. Log in to the console of the Virtual Appliance as the root user and run the command:
8 Chapter 2. Installation
FlowPro Documentation, Release 19.0.0
# /home/flowpro/conf/vmwareToolsInstall.sh
2.4 Upgrading the Virtual Machine Hardware Version
The Plixer FlowPro Virtual Appliance is built on Virtual Machine Hardware Version 8 to maintain backwards compat-ibility with ESXi 5.0 hypervisors. While the virtual machine is powered off, in vSphere (or vCenter) right click on thevirtual machine and select Upgrade Virtual Hardware.
2.5 Virtual Machine - Hyper-V
System Requirements
Component Minimum SpecificationsRAM 4GBDisk 20GBProcessor 1 CPU 2 Core 2GHz+Operating System MS Windows Server 2012
2.5.1 Importing a Virtual Machine
1. Download the latest Plixer FlowPro Appliance
2. Unzip the file on the Hyper-V server
3. Open Hyper-V Manager and select Import Virtual Machine
4. Specify the Plixer FlowPro Appliance System Folder
5. Select the Virtual Machine
6. Choose the import type
7. Go to Settings
8. Select the Network Adapter and assign it to the appropriate Virtual Switch. The Plixer FlowPro appliance comeswith two interfaces: ‘mgmt’: for virtual appliance management and ‘mon1’: the default monitoring interface. Itrequires a mirrored port to be associated with ‘mon1’.
Note: To set up a mirrored port, reference the latest Hyper-V documentation.
9. Expand the Network Adapter section and select Advanced Features
10. Set the MAC Address to Static and enter in a unique MAC Address - click OK.
11. Start the Virtual Machine.
12. Right click on the Virtual Machine and click Connect to login to the Plixer FlowPro Appliance usingroot/flowpro. The server will perform a quick setup and immediately reboot.
2.4. Upgrading the Virtual Machine Hardware Version 9
FlowPro Documentation, Release 19.0.0
*********************************FlowPro Virtual ApplianceInitial Configuration
*********************************
What is the appliances static IP Address?10.1.2.3What is the appliances Netmask?255.255.255.0What is the appliances gateway?10.1.2.1What is the hostname for this appliance?flowpro
What is the IP Address to your DNS?This will allow the FlowPro to resolve IP addresses.
Note: When adding additional monitoring interfaces to the virtual appliance, be sure to use the interface namingconvention ‘monX’ so that Plixer FlowPro recognizes them as monitoring interfaces (for example: mon1, mon2).
2.6 Adding Additional Interfaces
The names of the monitoring interfaces on the Plixer FlowPro appliance are important. When adding additionalinterfaces to a virtual appliance, the interfaces must be renamed to something the FlowPro can recognize.
The Plixer FlowPro appliance comes with two interfaces by default:
• ‘mgmt’: for virtual appliance management
• ‘mon1’: the default monitoring interface
Follow the instructions below to add additional interfaces to the Plixer FlowPro appliance and rename them from thedefault ‘ethX’ to ‘monX’.
Important: Take a snapshot of the virtual machine before making any changes.
2.6.1 CentOS 7
This section outlines the process of adding and renaming a new interface for a Plixer FlowPro appliance running onCentOS 7.
Add a New Interface in VMware
1. In vCenter, right click on the VM that the new interface will be added to and select ‘Edit Settings. . . ’.
2. From the ‘Edit Settings. . . ’ window, select ‘Add New Device’.
3. From the drop down menu, click on ‘Network Adapter’.
10 Chapter 2. Installation
FlowPro Documentation, Release 19.0.0
Restart the VM
Restarting the VM will allow the OS to see the new interface.
$ shutdown -r now
Rename the New Interface
Run these commands to insert the MAC address of the new interface into the correct ifcfg file.
Important: Before running the last command, verify the interface name is eth0 using the ‘ip addr’ command.
$ cp /etc/sysconfig/network-scripts/ifcfg-mon1 /etc/sysconfig/network-scripts/ifcfg-→˓mon2$ sed -i 's|mon1|mon2|g' /etc/sysconfig/network-scripts/ifcfg-mon2$ MAC=$(cat /sys/class/net/eth0/address); sed -i "s|HWADDR=.*|HWADDR=$MAC|g" /etc/→˓sysconfig/network-scripts/ifcfg-mon2
Restart the VM
Restart the VM so the new name takes effect.
$ shutdown -r now
After the reboot, verify the interface has the correct name.
$ ip addr
2.7 Virtual Machine - KVM
1. Create a new directory for your install:
mkdir kvm/FlowPro_VM_Guide/
2. Download the latest Plixer FlowPro KVM Virtual Appliance and place in the new directory:
Note: Contact Plixer Support to obtain the latest Plixer FlowPro KVM image.
3. Unzip the file in the new directory on your KVM server:
sudo tar xvzf FlowPro_KVM_Image.tar.gz
4. Run the deployment script to install Plixer FlowPro:
sudo ./deploy-flowpro.sh
The script will create a virtual machine from the image file.
5. Log in to the appliance and run the following command to get to the Plixer FlowPro console:
2.7. Virtual Machine - KVM 11
FlowPro Documentation, Release 19.0.0
virsh console Plixer FlowPro
Log in with the default credentials root/flowpro and the virtual machine will immediately reboot. Log in again to kickoff the shell script that configures the networking settings for the VM.
*********************************FlowPro Virtual ApplianceInitial Configuration
*********************************
What is the appliances static IP Address?10.1.2.3What is the appliances Netmask?255.255.255.0What is the appliances gateway?10.1.2.1What is the hostname for this appliance?flowpro
What is the IP Address to your DNS?This will allow the FlowPro to resolve IP addresses.
Follow the on-screen instructions to complete the deployment process.
12 Chapter 2. Installation
CHAPTER 3
Features and Functionality
This section describes the specific features and functionality of Plixer FlowPro.
3.1 Getting started
Connect to Plixer FlowPro over SSH and log in as the “flowpro” user with the password configured during the instal-lation process.
FlowPro 19.0.0.20061 [Oct 06 2020]Copyright (C) 2012 - 2020 Plixer LLC. All rights reserved.Need an IPFIX Collector? Download Scrutinizer at https://www.plixer.com
Machine ID : 6YZ6XEPT669666S64A1VN59N-6895DAE3550561EFLicensed Type : FlowPro DefenderLicensed Status : SubscriptionUsed Mon Ports : 1 of 3Expiration : 10/19/2020
* License Key Expires in 13 day(s)
FLOWPRO>
The FLOWPRO> prompt indicates that Plixer FlowPro is ready to accept commands. If the initial configuration stepshave been completed correctly, Plixer FlowPro is already processing traffic and sending data to the designated IPFIXcollector.
3.2 Plixer FlowPro Defender Functionality
The following features and functionality are available with the Plixer FlowPro Defender (or Plixer FlowPro APM-Defender) licensing option.
13
FlowPro Documentation, Release 19.0.0
3.2.1 Trusted Domain List
A trusted domain list, or whitelist, is preconfigured on Plixer FlowPro to suppress alarms involving specific domains.The default whitelist contains five entries that can added or removed depending on the customer environment.
• mcafee.com
• sophos.com
• sophosxl.net
• webcfs03.com
• apple.com
mcafee.com suppresses DNS Data Leak alarms from McAfee AntiVirus software. McAfee encodes information fromthe anti-virus clients on the network into very long and complex DNS names and stores this information on their DNSserver. This is exactly the type of behavior that the DNS Data Leak algorithm is looking for as this technique is alsoused by some forms of malware.
sophos.com and sophosxl.net are related to Sophos Anti-virus software, and use multiple techniques to get informa-tion in and out of a network using DNS. In addition to using the same technique as McAfee to send information backto their servers, they also use DNS TXT messages to send information back to the clients on the network. Use of DNSTXT messages to exchange information with an external host is also used by some malware families, and the DNSCommand and Control algorithm will alarm on this type of activity. This will prevent Sophos from generating eitherDNS Data Leak or DNS Command and Control alarms.
webcfs03.com belongs to SonicWALL and will also generate DNS Data Leak alarms.
apple.com uses DNS TXT messages to exchange settings with their NTP server. This will trigger a DNS Commandand Control alarm.
There may be other authorized software on internal networks that use DNS to bypass the firewall for data communica-tions. If so, add those domains to the trusted domain list. Once configured, any other traffic communicating via DNSshould be investigated.
Use the edit domainlist command to modify the trusted domain list.
3.2.2 Untrusted Domain Lists
Plixer FlowPro supports the use of a domain reputation list downloaded from Plixer as well as user-defined domainlists.
Plixer Domain Reputation List
Plixer FlowPro can be configured to download a list of domains from Plixer. These are domains that have beendetermined, with a high probability, to be “bad domains”. This list is used in the Domain Reputation and MalwareBehavior Detection algorithms.
To provide maximum protection, Plixer FlowPro must update the domain reputation list every 10 minutes (set bydefault). During setup, please verify a network route exists from Plixer FlowPro to nba.plixer.com. The DomainReputation algorithm will not detect any malware if Plixer FlowPro is unable to connect to nba.plixer.com - however,all other features will function normally.
Use the following Plixer FlowPro commands to control the use of this list:
• enable domainreputationlist to enable
• disable domainreputationlist to disable
14 Chapter 3. Features and Functionality
FlowPro Documentation, Release 19.0.0
Plixer JA3 Signatures
Plixer FlowPro can be configured to download a list of JA3 Signatures from Plixer.
Use the following Plixer FlowPro commands to control the use of this signature list:
• enable domainreputationlist to enable
• disable domainreputationlist to disable
User-defined Domain Lists
Users may supplement the Plixer domain reputation list by creating one or more domain lists that contain user-defineddomains to monitor. Domain names in the list must adhere to the following rules:
• DNS names must contain at least 2 (2LD) but no more than 3 (3LD) labels. For example: google.com (2LD)and maps.google.com (3LD)
• Labels must contain between 1 and 63 characters to form a legitimate domain name
• One DNS name per line
Entries that do not match these requirements will be ignored.
Use the following Plixer FlowPro command to to create or edit a custom list of domains to trigger Domain Reputationalarms:
• edit domainlist
Use the following Plixer FlowPro commands to enable or disable custom domain lists:
• enable domainlist to enable
• disable domainlist to disable
User-defined JA3 Signature Lists
The JA3 blacklist functionality supports custom blacklists specified in either a bin or csv format.
Use this filename and path to import the user-defined JA3 blacklist CSV file:
/home/flowpro/conf/domains/ja3-custom.csv
The expected format is one MD5 hash in hexadecimal, without leading 0x, per line. Once you upload the CSV filecontaining signatures to the /home/flowpro/conf/domains/ directory, Plixer FlowPro will import it during the nextrefresh cycle (every 64 minutes) or the initial load.
Important: Contact Plixer Technical Support for assistance with the JA3 bin import option.
Plixer Scrutinizer Flow Analytics Algorithms
Plixer FlowPro will send data to the specified IPFIX Collector. Plixer Scrutinizer provides additional functionality tocheck for malicious behavior and bad actors, and to generate alarms when detected.
BotNet Detection This alarm is generated when a large number of unique DNS name lookups havefailed. When a DNS lookup fails, a NXDOMAIN reponse is returned. Scrutinizer is able to identifya class of malware that uses Domain Generation Algorithms (DGAs) by monitoring the number ofNXDOMAINs detected as and the actual DNS name looked up.
3.2. Plixer FlowPro Defender Functionality 15
FlowPro Documentation, Release 19.0.0
The default threshold is 100 unique DNS lookup failure (NXDOMAIN) messages in five minutes.Either the source or destination IP address can be excluded from triggering this alarm.
DNS Command and Control This algorithm monitors the use of DNS TXT messages traversing thenetwork perimeter as detected by Plixer FlowPro. DNS TXT messages can be used to send infor-mation into and out of the protected network over DNS, even when the use of external DNS servershas been blocked. Malware uses this technique to control compromised assets within the networkand to extract information back out. Additionally, some legitimate software also uses this method tocommunicate back to the developer site.
The algorithm will detect inbound, outbound, and bidirectional communications using DNS TXTmessages. Thresholds can be set based either on the number of DNS TXT messages or number ofbytes observed in the DNS TXT messages within a five minute period. The default setting is for anydetected traffic to trigger an alarm and alarm aggregation defaults to 120 minutes.
The domain generating the alarm message may be added to the trusted domains list in Plixer FlowProto suppress alarms from authorized applications on the network. See the information regarding thetrusted domains list below.
DNS Data Leak This algorithm monitors for information encoded into a DNS lookup message that hasno intention of returning a valid IP address or making an actual connection to a remote device. As aresult, the local DNS server will fail to find the DNS name in its cache and will pass the name out ofthe network to where it will eventually reach the authoritative server for the domain. At that point,the owner of the authoritative server can decode the information embedded in the name, and mayrespond with a “no existing domain” response or return a non-routable address.
Plixer FlowPro reviews all DNS queries and responses using proprietary logic to detect unwantedcommunications. Odd behaviors are sent to Plixer Scrutinizer where they are further processed bythe DNS Data Leak algorithm. Thresholds can be set based on either the number of DNS TXTmessages or the number of bytes observed in the DNS TXT messages within a five minute period.The default setting is for any detected traffic to trigger an alarm and alarm aggregation defaults to120 minutes.
DNS Server Detection The algorithm detects new DNS servers being used on or by your networkthrough analysis of the DNS packets being exchanged between the client and the server. ExcludeDNS servers that are authorized for use on the network.
Domain Reputation Domain reputation provides much more accurate alarming with a dramatic decreasein the number of false positive alarms as compared to IP-based host reputation. The domain listprovided by Plixer is updated every ten minutes and currently contains over 400,000 known baddomains.
To provide maximum protection, FlowPro must update its domain reputation list every ten minutes.During setup, please verify a network route exists from FlowPro to nba.plixer.com. The DomainReputation algorithm will not detect any malware if FlowPro is unable to connect to nba.plixer.com- however, all other features will function normally.
Plixer FlowPro performs the actual monitoring, and when it detects a domain with poor reputation,it passes the information to Plixer Scrutinizer for additional processing. The default setting is forany detected traffic to trigger an alarm and alarm aggregation defaults to disabled so that all DNSlookups observed will result in a unique alarm.
To suppress alarms from authorized applications in the network, the domain generating the alarmmessage can be added to the trusted domain list in Plixer FlowPro. See the User-defined DomainLists section for details.
JA3 Fingerprinting The JA3 fingerprinting functionality leverages the unique characteristics of the TLShandshake to identify the software generating encrypted traffic by comparing it against a list of
16 Chapter 3. Features and Functionality
FlowPro Documentation, Release 19.0.0
known signatures. If a positive match is made, Plixer FlowPro Defender will send the details of thatconnection to Plixer Scrutinizer.
Malware Behavior Detection This algorithm demonstrate Plixer’s cyber threat correlation capability.Correlation of multiple network behaviors over a long time period provides detection systems withmore information resuting in higher accuracy with fewer false positive alarms.
This specific alarm correlates IP address lookup (i.e. what is my IP address) activity, which iscommonly performed by malware shortly after the initial compromise, with the detection of theBotNet alarm or a Domain Reputation alert.
When either of the two events is detected, this algorithm triggers an alert as this behavior is a verystrong indicator of a compromised asset.
Adding Plixer FlowPro to the Algorithms The Plixer FlowPro appliance(s) must be linked to the algo-rithms the user wishes to use in the Plixer Scrutinizer Flow Analytics configuration settings:
• Navigate to the Admin Tab > Settings > Flow Analytics Configuration
• Click the numbers in the exporter column to associate the Plixer FlowPro exporter with thatalgorithm
• Violations and alarms will be displayed in the Alarms tab
3.3 ERSPAN
3.3.1 What is ERSPAN?
ERSPAN is the acronym for Encapsulated Remote Switched Port Analyzer. It mirrors traffic on one or more sourceports and delivers the mirrored traffic to one or more destination ports. The traffic is encapsulated in Generic RoutingEncapsulation (GRE), which is therefore routable across a Layer 3 network between the source switch and the desti-nation. In this case, the destination is the IP of the monitor interface (e.g. ‘mon1’) on the Plixer FlowPro appliance.
3.3.2 Configuration
Configuration is required on both the Plixer FlowPro and the ERSPAN/GRE device.
The order of configuration (Plixer FlowPro or the ERSPAN/GRE device first) is not critical, as long as the requiredinformation listed below is gathered first. The configuration of each device requires information from the other device(Plixer FlowPro and ERSPAN device).
The following instructions detail how to configure Plixer FlowPro, a Cisco switch, and a VMware VDS.
Note: Specific commands and configuration options may vary between devices and versions. Command syntaxshould be verified with vendor documentation for the specific device being configured.
Prerequisites
The following information should be determined prior to starting the configuration:
Plixer FlowPro ERSPAN configuration
• Monitor port: for example ‘mon1’.
• Monitor port IP and CIDR: for example ‘10.30.15.50/16’ (do NOT use /32 CIDR)
3.3. ERSPAN 17
FlowPro Documentation, Release 19.0.0
• Monitor port gateway: for example ‘10.30.1.1’
• Peer IP Address: the ERSPAN source IP defined below - for example ‘10.30.1.203’
ERSPAN device configuration
• ERSPAN Source IP: an IP address on the device (switch or router) or the ESXi host IP address(VDS) - for example ‘10.30.1.203’
• Destination IP: FlowPro monitor port IP address (not the Plixer FlowPro management IP) - forexample ‘10.30.15.50’
• Source Interface(s) to SPAN: the example in step 6 of VMWare VDS configuration below shows 3sources selected
Plixer FlowPro
The monitoring interface(s) must first be enabled as defined in the Hardware Appliance or Virtual Appliance installa-tion instructions.
Next, refer to the enable erspan command for instructions on configuring Plixer FlowPro for ERSPAN.
Note: Each monitoring interface on the Plixer FlowPro supports only one ERSPAN configuration. Multiple ERSPANconfigurations on the same interface (for example mon1) may produce unpredictable results.
Cisco Switch
monitor session 1 type erspan-sourcedescription ERSPAN direct to FlowProerspan-id 32 # requiredvrf default # requireddestination ip 10.1.2.3 # IP address of Plixer FlowPro monitor→˓interfacesource interface port-channel1 both # Port(s) to be sniffedno shut # enable
monitor erspan origin ip-address 10.1.2.1 global
VMware VDS
Note: This requires the VMware Enterprise Plus license and a configured vSphere Distributed Switch.
From the VMware web console:
1. Select your VDS from the list of networks
2. Select “Port mirroring” on the “Configure” tab|
3. Select “New. . . ” to create a new session
18 Chapter 3. Features and Functionality
FlowPro Documentation, Release 19.0.0
4. Select “Encapsulated Remote Mirroring (L3) Source then click “Next”.
5. Give your new session a name and set the status to Enabled, then click “Next”.
3.3. ERSPAN 19
FlowPro Documentation, Release 19.0.0
6. Add the ports you wish to mirror to the probe, then click “Next”.
7. Add the IP given to the monitor interface of the probe as the destination of the session (not the Plixer FlowPromanagement IP), then click “Next”.
20 Chapter 3. Features and Functionality
FlowPro Documentation, Release 19.0.0
8. Verify your configuration and click “Finish” to start the session.
3.4 Server maintenance
3.4.1 Hardware Failure
Contact Plixer Technical Support for assistance if any hardware malfunctions occur.
3.4. Server maintenance 21
FlowPro Documentation, Release 19.0.0
3.4.2 Applying Security Patches
Although efforts are made to minimize the risk for security breaches on the appliance, updates to core OS componentsmay be required.
Updates should not installed unless Plixer Technical Support advises or assists. For more information, contact PlixerTechnical Support.
3.4.3 Backing Up Plixer FlowPro
Plixer FlowPro stores all its configuration data in the plixer.ini file. At the FLOWPRO> prompt, type “edit plixer.ini”and copy the file contents to a safe location.
3.4.4 Restoring Plixer FlowPro from Backup
To restore the Plixer FlowPro backup:
• log into the appliance over SSH
• at the FLOWPRO> prompt run the command “edit plixer.ini”
• overwrite the contents of the file with the contents of the plixer.ini that was previously backed up
• save the changes
• Plixer FlowPro will rebuild the appropriate files and begin operations
If a new host server is being deployed, or the server hardware configuration has changed, a new license key will needto be applied.
22 Chapter 3. Features and Functionality
CHAPTER 4
Commands
4.1 Overview
The Plixer FlowPro command set provides numerous configuration and maintenance utilities required for device man-agement and technical support purposes.
Click on a command in the table to see the usage instructions.
23
FlowPro Documentation, Release 19.0.0
4.2 Command List
Com-mand
Sub-command
check replistclear domainlist
logdisable apm
defenderdomainlistdomainReputationListerspanflowproHTTPMonitoringtrackProcessMetrics
edit domainlistlicenseplixer.ini
enable apmdefenderdomainlistdomainReputationListerspanflowproHTTPMonitoringtrackProcessMetrics
service flowproset activeDomainResendSeconds
collectorhostnamepassword
show configurationdomainlisterspanfeaturesinterfaceslicenselogmachine_idstatus
snoop interfaceipaddress
system restartshutdown
4.3 Command Usage
4.3.1 check
Verify different settings and configurations on the Plixer FlowPro appliance.
24 Chapter 4. Commands
FlowPro Documentation, Release 19.0.0
check replist
Usage: check replist
Description: Check the ability for FlowPro to reach nba.plixer.com to download the reputationlists every ten minutes. If this appliance does not have access to the internet, contact PlixerTechnical Support for help.
Note: This feature requires the Plixer FlowPro Defender license.
4.3.2 clear
Clean up or remove data from a system. Use with caution.
clear domainlist
Usage: clear domainlist <domain_list>
Description: Remove a domain list from the system. Use with caution. Use the show domain-list command to list all active domain lists.
Note: This feature requires the Plixer FlowPro Defender license.
clear log
Usage: clear log <log_file>
Description: Remove data from a specific log file. Use with caution. Use the show log com-mand to display a list of active logs.
Note: You cannot clear data from the cli.log file.
EXAMPLE: FLOWPRO> clear log dns1yaf.log
4.3.3 disable
Disable Settings.
disable apm
Usage: disable apm <interface> <apmMode>
Description: Disable either monitoring of Latency, VOIP or both on an interface. The specifiedinterface must be active. Valid <apmMode> options are:
voip latency both
Use the show configuration command to display a list of currently enabled interfaces.
Note: This feature requires the Plixer FlowPro APM license.
disable defender
Usage: disable defender <interface>
Description: Disable DNS monitoring on an interface. The specified interface must be active.Use the show configuration command to display a list of currently enabled interfaces.
4.3. Command Usage 25
FlowPro Documentation, Release 19.0.0
Note: This feature requires the Plixer FlowPro Defender license.
disable domainlist
Usage: disable domainlist <domain_list>
Description: Disable a custom domain reputation list. The disabled domain list will not beremoved and can be re-enabled using the enable domainlist command.
Note: This feature requires the Plixer FlowPro Defender license.
disable domainReputationList
Usage: disable domainReputationList
Description: Disable checking against the domain reputation lists configured on the system.Use the show domainlist command to display the available domain lists.
Note: This feature requires the Plixer FlowPro Defender license.
disable erspan
Usage: disable erspan <interface>
Description: Disable the ERSPAN configured on a monitoring interface.
disable flowpro
Usage: disable flowpro <interface>
Description: Disable traffic monitoring on an interface. Use the show configuration commandto display the list of enabled interfaces.
disable HTTPMonitoring
Usage: disable HTTPMonitoring
Description: This process keeps track of all domains contacted with HTTP. The list of currentlyactive domains is saved for the number of seconds set by the set activeDomainResendSecondscommand.
HTTP monitoring applies to the same interfaces that are configured using the enable defendercommand.
Note: This feature requires the Plixer FlowPro Defender license.
disable trackProcessMetrics
Usage: disable trackProcessMetrics
Description: Disable Plixer FlowPro process metrics.
4.3.4 edit
Edit the Plixer FlowPro configuration files.
edit domainlist
26 Chapter 4. Commands
FlowPro Documentation, Release 19.0.0
Usage: edit domainlist <domain_list>
Description: Edit a custom domain reputation list. The name specified in <domain_list> willcreate a new list with that name if none exists already.
The custom domain reputation list created must contain one domain per line and each domainmust contain a two or three layer domain (2LD/3LD). Domains names that do not contain 2 or3 layers will be ignored.
Note: This feature requires the Plixer FlowPro Defender license.
edit license
Usage: edit license
Description: Opens the plixer.ini file where the license key is stored. The plixer.ini file alsostores the Plixer FlowPro configuration information. After editing the plixer.ini file, PlixerFlowPro will restart services to load the changes made.
edit plixer.ini
Usage: edit plixer.ini
Description: Opens the plixer.ini file for edit. The plixer.ini file stores the Plixer FlowProconfiguration information. After editing the plixer.ini file, Plixer FlowPro will restart servicesto load the changes made.
4.3.5 enable
Enable monitoring options. All settings can be edited in the configuration file using ‘edit plixer.ini’.
enable apm
Usage: enable apm <interface> <apmMode>
Description: Enable the monitoring of Latency, VOIP or both on an interface. The specifiedinterface must be active. Valid <apmModes> options are:
voip latency both
Use the show interfaces command to display a list of available monitoring interfaces.
Note: This feature requires the Plixer FlowPro APM license.
enable defender
Usage: enable defender <interface>
Description: Enable DNS monitoring on an interface. The specified interface must be active.Use the show interfaces command to display a list of available monitoring interfaces.
Note: This feature requires the Plixer FlowPro Defender license.
enable domainlist
Usage: enable domainlist <domain_list>
4.3. Command Usage 27
FlowPro Documentation, Release 19.0.0
Description: Enable a custom domain reputation list. Custom user-defined reputation lists canbe created to supplement the known compromised domain list provided by Plixer.
Use the ‘edit domainlist <domain_list_name>’ command to create a new list.
Note: This feature requires the Plixer FlowPro Defender license.
enable domainReputationList
Usage: enable domainReputationList
Description: Enable Plixer FlowPro to download an updated list of known compromised do-mains. This list will be downloaded from nba.plixer.com every ten minutes. Use the checkreplist command to verify acccess to the list.
Note: This feature requires the Plixer FlowPro Defender license.
enable erspan
Usage: enable erspan <interface> <ipaddress/cidr> <gateway> <peerIPaddress>
Description: Configure a monitor interface to receive traffic from an ERSPAN/GRE tunnel.This configuration supports all types of GRE tunnels.
All of the following parameters are required:
• interface
• ipaddress/cidr
• gateway
• peerIPaddress
<interface>: interface used to monitor the ERSPAN/GRE tunnel traffic. This interface must beone of the monitoring interfaces displayed by the command show interfaces.
<ipaddress/cidr>: IP address dedicated to the ERSPAN/GRE tunnel. This IP must be routablefrom the monitoring interface to the network device configured to send ERSPAN/GRE. Boththe IP address and CIDR are required, which must be unique to this interface. Do not use theIP address of the management interface of the FlowPro appliance.
<gateway>: used by the monitoring interface to create a route to keep the outgoing traffic fromthe ERSPAN/GRE tunnel localized to the monitoring interface.
<peerIPaddress>: external address of the network device configured to send ERSPAN/GRE. Ifthe device is a VMware VDS, enter the IP address of the VMware host.
Command Example:
enable erspan mon1 10.30.15.50/16 10.30.1.1 10.30.1.203
Go to the ERSPAN configuration section for instructions on how to configure theERSPAN/GRE device.
enable flowpro
Usage: enable flowpro <interface>
Description: Enable traffic monitoring on an interface. The interface must be active. Use theshow interfaces command to display a list of available monitoring interfaces.
28 Chapter 4. Commands
FlowPro Documentation, Release 19.0.0
enable HTTPMonitoring
Usage: enable HTTPMonitoring
Description: This process keeps track of all domains accessed with HTTP. The list of currentlyactive domains is saved for the number of seconds set by the set activeDomainResendSecondscommand.
HTTP monitoring will be on the same interfaces that are configured using the enable defendercommand.
Note: This feature requires the Plixer FlowPro Defender license.
enable trackProcessMetrics
Usage: enable trackProcessMetrics
Description: Send process information to your collector about the FlowPro processes. Infor-mation about CPU and memory usage will be sent to the collector.
4.3.6 service
service flowpro
Usage: service flowpro <start|stop|restart>
Description: Control the Plixer FlowPro service daemon.
4.3.7 set
Change various settings for the Plixer FlowPro appliance.
set activeDomainResendSeconds
Usage: set activeDomainResendSeconds <seconds>
Description: Set the number of seconds to resend the active domain list to your collector. Theactive domain list is the list of domains seen by the Plixer FlowPro Defender HTTP modulesince the last time the list was sent. Run the enable HTTPMonitoring command To enable theHTTP monitoring. The <seconds> parameter must be set to a whole number between 300 (5minutes) and 86400 (24 hours).
Note: This feature requires the Plixer FlowPro Defender license.
set collector
Usage: set collector <ip> <port>
Description: Configure the collector IP address and port number for the Plixer FlowPro to sendflows to. The collector IP and port are required. The flows will not be collected by the collectorif it is not configured to listen on that port number.
set hostname
Usage: set hostname <hostname>
Description: Change the hostname of the Plixer FlowPro appliance. The ‘hostname’ parameteris required. A reboot is required for this change to take effect.
4.3. Command Usage 29
FlowPro Documentation, Release 19.0.0
set password
Usage: set password
Description: Change the password for the ‘flowpro’ operating system user.
4.3.8 show
Display Plixer FlowPro information or settings.
show configuration
Usage: show configuration
Description: Shows current Plixer FlowPro configuration settings.
show domainlist
Usage: show domainlist
Description: Shows all custom domain lists configured on the system. Run the edit domainlistcommand to edit the custom domain list.
Note: This feature requires the Plixer FlowPro Defender license.
show erspan
Usage: show erspan
Description: Shows current ERSPAN configuration information. Only one ERSPAN tunnelcan be configured per interface.
show features
Usage: show features
Description: Shows licensed Plixer FlowPro features.
show interfaces
Usage: show interfaces
Description: Shows available interfaces that can be configured to monitor mirrored traffic.
show license
Usage: show license
Description: Shows current license information.
show log
Usage: show log <log_file>
Description: Shows the current entries for the given log. Entering ‘show log’ without naminga <log_file> will display the full list of available logs.
show machine_id
Usage: show machine_id
Description: Shows the machine id of the Plixer FlowPro appliance.
show status
30 Chapter 4. Commands
FlowPro Documentation, Release 19.0.0
Usage: show status
Description: Shows status of Plixer FlowPro processes.
4.3.9 snoop
The snoop command can be used to verify that packets are being received by or sent from the Plixer FlowPro for acertain IP address or interface. This command runs tcpdump with a filter of either an interface or ip address.
snoop interface
Usage: snoop interface <interface>
Description: Runs tcpdump filtered on a specific interface. Use the show interfaces commandto see a list of available interfaces. Use CTRL+C to exit the snoop command.
snoop ipaddress
Usage: snoop ipaddress <ipaddress>
Description: Runs tcpdump filtered on an IP address. Use CTRL+C to exit the snoop com-mand.
4.3.10 system
The system command is used to change state of the Plixer FlowPro operating system.
system restart
Usage: system restart
Description: Restart the operating system.
system shutdown
Usage: system shutdown
Description: Shutdown the operating system.
4.3. Command Usage 31
FlowPro Documentation, Release 19.0.0
32 Chapter 4. Commands
CHAPTER 5
Ingress, Egress and Observation Domain Configuration
The default behavior for traffic monitoring is to label the flows from each interface as its own ingress and egress(mon1 = ingress on 1, egress on 1). The observation domain is fixed at 42 by default. However, Plixer FlowPro can beconfigured to label the flows as coming from any licensed ingress and egress interface, and/or from any observationdomain.
For example: users may want to label traffic monitoring so ingress is mon1 and egress is mon2.
This is done by modifying the plixer.ini file. Open the editor from the FLOWPRO> prompt:
FLOWPRO> edit plixer.ini
In the editor, locate the following line:
monitorTraffic=mon1
When specified in this format, mon1 is configured for ingress of 1 and egress of 1. By modifying this setting in thefollowing format, Plixer FlowPro will configure mon1 to have an ingress of 1 and egress of 2.
monitorTraffic=mon1:1:2
The format to use is monX:ingress:egress. Once the necessary configuration changes have been made, save theplixer.ini file. Plixer FlowPro will then restart the services with the new configuration. Note that the values foringress and egress are limited to the maximum number of licensed interfaces.
The observation domain ID identifies the source of the IPFIX flows to the collector, which in this case is the PlixerFlowPro appliance. In most cases, there is no need to change the default value.
To define a different observation domain for an interface, modify the plixer.ini file as before using the formatmonX:ingress:egress:observation_domain. The ingress and egress labels must also be set when setting the obser-vation domain. To change the observation domain for mon1 from the default to 45, while keeping the ingress andegress values set above, modify the configuration setting specified above to read as:
monitorTraffic=mon1:1:2:45
Or, to use the default ingress/egress values for mon1 but change the observation domain to 45:
33
FlowPro Documentation, Release 19.0.0
monitorTraffic=mon1:1:1:45
34 Chapter 5. Ingress, Egress and Observation Domain Configuration
CHAPTER 6
Troubleshooting
6.1 Support
Technical support is available with an active maintenance contract. Contact our support team at:
• +1 (207) 324-8805 ext 4
• https://www.plixer.com/support/
35
FlowPro Documentation, Release 19.0.0
36 Chapter 6. Troubleshooting
CHAPTER 7
Change Log
For more details on the new features below, reference the Plixer website and Plixer FlowPro documentation.
KEY: ACTION: (Bug Ticket Number) description
Ex. ADDED: (1640) Thresholds based on outbound traffic
7.1 Change Log History
————————————————————————–
7.1.1 Version 19.0.0 - 10/2020
ADDED: (55) Custom JA3 Blacklist SupportADDED: (63) JA3 Fingerprinting Support
FIXED: (43) Make FlowPro licensed features clearly understandableFIXED: (56) Hardware 10Gb FlowPro APM understatingFIXED: (61) /home/flowpro/conf/vmwareToolsInstall.sh is missingFIXED: (64) Add the FlowPro version to FlowPro prompt
————————————————————————–
7.1.2 Version 18.12.14 - 1/21/2019
ADDED: (14) Consolidated all FlowPro license types to one probeADDED: (120) Support for ERSPANADDED: (121) Defender decapsulates GRE packets
37
FlowPro Documentation, Release 19.0.0
ADDED: (376) Weekly log rotation
FIXED: (377) Defender no longer truncates logs on restart
————————————————————————–
7.1.3 Version 18.5 - 5/22/2018
FIXED: (25173) FlowPro monitor interfaces not entering promiscuous modeFIXED: (25634) Replace the EULA.txt in FlowProFIXED: (25639) FlowPro needs to support subscription licenseFIXED: (25119) FlowPro APM Install/Upgrades need updatingFIXED: (25526) Can’t upgrade nProbe due to package dependenciesFIXED: (25557) Update nProbe Version On APMFIXED: (25627) Undefined address error on deploymentFIXED: (25710) Default Defender Plixer.ini is missing a field on fresh installsFIXED: (25742) Rewrite the FlowPro manualFIXED: (25880) FlowPro User Manual typoFIXED: (25881) FlowPro PDF User Manual header says Plixer documentationFIXED: (25913) APM won’t start nProbe for more than one interface
————————————————————————–
7.1.4 Version 16.8 - 8/16/2016
ADDED: (13509) Defender now exports HTTP Header FieldsFIXED: (21010) Domain Exclusion List – Now Applies to BotNet Detection
————————————————————————–
38 Chapter 7. Change Log
CHAPTER 8
Third-party Attributions
Certain open source or other third-party software components are integrated and/or redistributed with Plixer FlowPro.The licenses are reproduced here in accordance with their licensing terms - these terms only apply to the librariesthemselves, not the Plixer FlowPro software.
8.1 libcap
http://www.tcpdump.org/ Copyright (c) The Tcpdump Group Licensed under the GNU GPL 2.0 License – see LicensesDirectory
8.2 libfixbuf
http://aircert.sourceforge.net/fixbuf/ Copyright (c) 2005-2006 Carnegie Mellon University Licensed under the GNUGPL 2.0 License – see Licenses Directory
8.3 libtldl
http://www.gnu.org/software/libtool/ Copyright (c) 1999, 2003, 2011-2015 Free Software Foundation, Inc. Written byThomas Tanner, 1999 Licensed under the GNU LGPL 2.1 License – see Licenses Directory
8.4 PF_RING
https://www.ntop.org/products/packet-capture/pf_ring/ Copyright (c) 2004-2014 ntop.org Licensed under the GNUGPL 2.0 License – see Licenses Directory
39
FlowPro Documentation, Release 19.0.0
8.5 Pof
http://lcamtuf.coredump.cx/p0f3/ Copyright (c) 2000-2006 by Michal Zalewski Licensed under the GNU LGPL 2.1License – see Licenses Directory
8.6 super_mediator
http://tools.netsa.cert.org/super_mediator/ Copyright (c) 2004-2014 Carnegie Mellon University Licensed under theGNU GPL 2.0 License – see Licenses Directory
8.7 tcpdump
http://www.tcpdump.org/ Copyright (c) The Tcpdump Group Licensed under the BSD 3-clause License – see LicensesDirectory
8.8 YAF
https://tools.netsa.cert.org/yaf/ Copyright (c) 2005-2013 Carnegie Mellon University Licensed under the GNU GPL2.0 License – see Licenses Directory
40 Chapter 8. Third-party Attributions