Egressagent

Installation

Debian

sudo apt install ./intrudect-egressagent-x.y.z.arch.deb

Red Hat

sudo dnf install ./intrudect-egressagent-x.y.z-0.arch.rpm

Configuration

An initial example configuration (not a default one) for Egressagent can be created in the web application under Agents > Add new egress agent. After saving and downloading it, store the configuration on the machine running the agent at /opt/intrudect-egressagent/etc/config.json.

Methods

Several methods can be used to send traffic from isolated networks.

  • DirectTCP and DirectUDP methods will attempt to use all ports across both IPv4 and IPv6. Administrators commonly overlook UDP or IPv6 configurations. Given that there are 4 x 65535 ports to test, scanning is done using parallel processing as defined here:

  "Threads": {
      "DirectUDP": 100,
      "DirectTCP": 100
    },

  • DirectICMP attempts tunneling over ICMP using both IPv4 and IPv6. ICMP or IPv6 configurations are often forgotten as well.

  • DNS methods (PublicDNS, DefaultDNS, and PrivateDNS) test connectivity via both UDP and TCP, and IPv4 and IPv6. Many isolated networks still respond to DNS queries.

  • FindGW, FindDNS and FindProxy methods are noisy: they scan internal networks for other hosts and try outbound connections via those hosts.

"Methods": {
    "DirectUDP": true,
    "DirectTCP": true,
    "DirectICMP": true,
    "PublicDNS": true,
    "DefaultDNS": true,
    "PrivateDNS": true,
    "FindGW": true,
    "FindDNS": true,
    "FindProxy": false
  },
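The DirectTCP and DirectUDP sweeps described above are loud from the network's point of view: a single internal host fans out to thousands of distinct destination ports over both protocols in a short time. The following added example (not part of Egressagent or its documentation) shows how a defender could flag that pattern in firewall flow logs; the log line format, the sample lines, and the window and port thresholds are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed flow-log format (not any real product's): "ts proto src dst dport action"
FLOW_RE = re.compile(
    r"^(?P<ts>\d+) (?P<proto>tcp|udp|icmp) (?P<src>[\d.]+|[0-9a-f:]+) "
    r"(?P<dst>[\d.]+|[0-9a-f:]+) (?P<dport>\d+|-) (?P<action>allow|deny)$"
)

def parse_flows(lines):
    """Yield a dict per well-formed line; silently skip lines that do not match."""
    for line in lines:
        m = FLOW_RE.match(line.strip())
        if m:
            yield m.groupdict()

def egress_sweep_candidates(lines, window=60, min_ports=50):
    """Return {src: n} for sources that touched at least min_ports distinct
    (proto, dport) pairs within any window-second span; n is the largest count
    seen. Denied flows count too: a deny is still evidence of the attempt."""
    per_src = defaultdict(list)  # src -> [(ts, (proto, dport)), ...]
    for f in parse_flows(lines):
        if f["proto"] == "icmp":
            continue  # ICMP carries no port and is outside this check
        per_src[f["src"]].append((int(f["ts"]), (f["proto"], int(f["dport"]))))
    hits = {}
    for src, events in per_src.items():
        events.sort()
        lo = 0
        for hi in range(len(events)):
            while events[hi][0] - events[lo][0] > window:
                lo += 1  # slide the window start forward
            distinct = {pair for _, pair in events[lo:hi + 1]}
            if len(distinct) >= min_ports:
                hits[src] = max(hits.get(src, 0), len(distinct))
    return hits

# Constructed sample: 10.0.0.5 sweeps ports 1..120 over TCP and UDP within ~10 s
# (all denied), while 10.0.0.7 makes three ordinary connections.
SAMPLE = [f"{1000 + i // 12} tcp 10.0.0.5 203.0.113.10 {i} deny" for i in range(1, 121)]
SAMPLE += [f"{1000 + i // 12} udp 10.0.0.5 203.0.113.10 {i} deny" for i in range(1, 121)]
SAMPLE += ["1003 tcp 10.0.0.7 203.0.113.20 443 allow",
           "1004 tcp 10.0.0.7 203.0.113.21 443 allow",
           "1005 udp 10.0.0.7 10.0.0.1 53 allow"]

if __name__ == "__main__":
    for src, n in egress_sweep_candidates(SAMPLE).items():
        print(f"possible egress sweep from {src}: {n} distinct proto/port pairs")
```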

Alerting

Multiple servers and domains receive and decrypt traffic from Egressagent. The decrypted information includes the address of the client's web application, and an alert is then forwarded to that address.

The reverse proxy only needs to expose the /api/alert/new URI.

server {

    ...

    location /api/alert/new {
        proxy_pass http://127.0.0.1:8080;
        proxy_redirect off;
        proxy_ssl_verify off;
        proxy_bind 127.0.0.1;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header CF-Connecting-IP $remote_addr;  # Set CF header in case needed
    }
}