Egressagent
Installation
Debian
Red Hat
Configuration
The initial example (not default) configuration for Egressagent can be created in the web application under Agents > Add new egress agent. After saving and downloading it, store the configuration on the machine running the agent at /opt/intrudect-egressagent/etc/config.json.
Methods
Several methods can be used to send traffic from isolated networks.
- DirectTCP and DirectUDP methods attempt to use all ports across both IPv4 and IPv6. Administrators commonly overlook UDP or IPv6 configurations. Given that there are 4 x 65535 ports to test, scanning is done using parallel processing as defined here.
- DirectICMP attempts tunneling over ICMP using both IPv4 and IPv6. ICMP or IPv6 configurations are often forgotten as well.
- DNS methods (PublicDNS, DefaultDNS, and PrivateDNS) test connectivity via both UDP and TCP, and over IPv4 and IPv6. Many isolated networks still respond to DNS queries.
- FindGW, FindDNS and FindProxy methods are noisy: they scan internal networks for other hosts and try outbound connections via those hosts.
"Methods": {
    "DirectUDP": true,
    "DirectTCP": true,
    "DirectICMP": true,
    "PublicDNS": true,
    "DefaultDNS": true,
    "PrivateDNS": true,
    "FindGW": true,
    "FindDNS": true,
    "FindProxy": false
},
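Before deploying an agent it is worth checking the Methods block for typos, non-boolean values and, above all, whether any of the noisy Find* methods are switched on. The following script is an added example and not part of Egressagent; it assumes only that config.json is a JSON document containing a "Methods" object like the one above, and the probe count it reports is derived from the 4 x 65535 figure quoted for the direct methods (65535 ports, two IP versions, per enabled method). The sample configuration embedded in it is constructed to mirror the block shown above.

```python
import json

# Method names documented for the "Methods" block of config.json.
DIRECT_PORT_METHODS = {"DirectTCP", "DirectUDP"}        # every port, IPv4 and IPv6
TUNNEL_METHODS = {"DirectICMP", "PublicDNS", "DefaultDNS", "PrivateDNS"}
NOISY_METHODS = {"FindGW", "FindDNS", "FindProxy"}      # scan internal hosts
KNOWN_METHODS = DIRECT_PORT_METHODS | TUNNEL_METHODS | NOISY_METHODS

PORTS = 65535             # ports probed per protocol per IP version
IP_VERSIONS = 2           # IPv4 and IPv6

DEFAULT_CONFIG_PATH = "/opt/intrudect-egressagent/etc/config.json"

# Constructed sample matching the Methods block shown in the documentation.
SAMPLE_CONFIG = {
    "Methods": {
        "DirectUDP": True, "DirectTCP": True, "DirectICMP": True,
        "PublicDNS": True, "DefaultDNS": True, "PrivateDNS": True,
        "FindGW": True, "FindDNS": True, "FindProxy": False,
    }
}


def load_config(path=DEFAULT_CONFIG_PATH):
    """Read the agent configuration from disk (path as documented above)."""
    with open(path, "r", encoding="utf-8") as fh:
        return json.load(fh)


def validate_methods(config):
    """Return a list of problems with config["Methods"]; an empty list means OK."""
    problems = []
    methods = config.get("Methods")
    if not isinstance(methods, dict):
        return ['"Methods" block is missing or not a JSON object']
    for name, enabled in methods.items():
        if name not in KNOWN_METHODS:
            problems.append("unknown method %r" % name)
        elif not isinstance(enabled, bool):
            problems.append("%s: expected true or false, got %r" % (name, enabled))
    for name in sorted(KNOWN_METHODS - set(methods)):
        problems.append("%s: not set" % name)
    return problems


def summarize_methods(config):
    """Describe what an agent with this configuration will do."""
    methods = config.get("Methods", {})
    enabled = {n for n, v in methods.items() if v is True and n in KNOWN_METHODS}
    return {
        "enabled": sorted(enabled),
        "noisy_enabled": sorted(enabled & NOISY_METHODS),
        # each enabled direct method probes every port over both IP versions
        "direct_port_probes": len(enabled & DIRECT_PORT_METHODS) * IP_VERSIONS * PORTS,
    }


if __name__ == "__main__":
    cfg = SAMPLE_CONFIG  # swap for load_config() on a real agent host
    for problem in validate_methods(cfg):
        print("problem:", problem)
    print(json.dumps(summarize_methods(cfg), indent=2))
```

Run against the sample, the summary lists FindGW and FindDNS under noisy_enabled while FindProxy stays off, which is the check an operator wants to see before an agent starts scanning a production segment.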
Alerting
Multiple servers and domains receive and decrypt traffic from Egressagent. This decrypted information includes the client web application's address. An alert is then forwarded to that address.
The reverse proxy needs to expose only the /api/alert/new URI.
server {
    ...
    # Only the alert endpoint is reachable from outside; the rest of the
    # application stays on the loopback-bound listener.
    location /api/alert/new {
        proxy_pass http://127.0.0.1:8080;
        proxy_redirect off;
        proxy_ssl_verify off;
        proxy_bind 127.0.0.1;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header CF-Connecting-IP $remote_addr; # Set CF header in case needed
    }
}
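To show what the application side of that proxy rule looks like, here is an added example of a minimal alert receiver; it is not Egressagent's or the web application's own code. It assumes the upstream listens on 127.0.0.1:8080 as in the nginx block, that the alert body is a JSON object (the real alert format is not documented here), and that forwarded headers are only believed when the request arrives from the proxy's own bind address. Because nginx appends $remote_addr to X-Forwarded-For and sets CF-Connecting-IP to $remote_addr, the trustworthy client address is CF-Connecting-IP or the last X-Forwarded-For entry, never the first, which a sender can supply itself.

```python
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

ALERT_PATH = "/api/alert/new"      # the only URI the reverse proxy forwards
TRUSTED_PROXIES = {"127.0.0.1"}    # nginx connects with proxy_bind 127.0.0.1
LISTEN = ("127.0.0.1", 8080)       # matches proxy_pass http://127.0.0.1:8080

ALERTS = []  # received alerts, kept in memory for this example


def client_ip(headers, peer_ip):
    """Work out which address actually connected to nginx.

    Forwarded headers are believed only when the TCP peer is the trusted
    proxy; any other peer could have written them itself.  nginx sets
    CF-Connecting-IP to $remote_addr and appends $remote_addr to
    X-Forwarded-For, so the reliable value is CF-Connecting-IP or the LAST
    X-Forwarded-For entry (earlier entries may be sender-supplied).
    """
    if peer_ip not in TRUSTED_PROXIES:
        return peer_ip
    cf = headers.get("CF-Connecting-IP")
    if cf:
        return cf.strip()
    xff = headers.get("X-Forwarded-For")
    if xff:
        return xff.split(",")[-1].strip()
    return peer_ip


def handle_alert(method, path, headers, body, peer_ip):
    """Route one request and return (http_status, response_dict).

    No socket I/O happens here, so the logic can be exercised directly.
    """
    if path != ALERT_PATH:
        return 404, {"error": "not found"}        # nothing else is served here
    if method != "POST":
        return 405, {"error": "method not allowed"}
    try:
        alert = json.loads(body or b"")
    except ValueError:
        return 400, {"error": "body is not valid JSON"}
    if not isinstance(alert, dict):
        return 400, {"error": "alert must be a JSON object"}
    ALERTS.append({"source": client_ip(headers, peer_ip), "alert": alert})
    return 200, {"status": "ok", "received": len(ALERTS)}


class AlertHandler(BaseHTTPRequestHandler):
    """Thin HTTP adapter around handle_alert()."""

    def do_GET(self):
        self._dispatch()

    def do_POST(self):
        self._dispatch()

    def _dispatch(self):
        length = int(self.headers.get("Content-Length", "0"))
        body = self.rfile.read(length) if length > 0 else b""
        status, payload = handle_alert(
            self.command, self.path, self.headers, body, self.client_address[0]
        )
        data = json.dumps(payload).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


if __name__ == "__main__":
    HTTPServer(LISTEN, AlertHandler).serve_forever()
```

Run stand-alone it listens on 127.0.0.1:8080; the path check in handle_alert() mirrors the nginx location block, so a request for anything other than /api/alert/new is refused on both layers, and the recorded source is the address that reached nginx rather than whatever was placed at the front of X-Forwarded-For.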