
Netagent

Package name: intrudect-netagent

This package listens on a network interface to which traffic is mirrored from the switches (a SPAN/mirror port) and attempts to identify anomalies or IOCs. It centrally logs metadata about TCP, DNS and DHCP traffic.

Considerations

Before deploying Netagent, consider the following:

  • If you haven't done it recently, start by reviewing your network documentation.
  • Consider the amount of network traffic on your LAN. Do you need 10G/25G network cards and matching hardware, or is it a typical office network with low Office 365 traffic?
  • If network traffic volume is unknown, it's best to install LibreNMS or Cacti to determine the actual traffic load.
  • Evaluate how the network is segmented and decide how many Netagents you need to install.
  • If installing on a VM, ensure that a separate physical Ethernet adapter is directly assigned to the VM.

Hardware requirements

Current filtering does not require much CPU or RAM. Any recent 1U low-end server is more than capable. If installed together with Security Onion or Arkime, refer to their hardware requirements.

Configuration

The initial example (not default) configuration for Netagent can be created in the web application under Agents > Add new network agent. After saving and downloading it, store the configuration on the machine running the agent at /opt/intrudect-netagent/etc/config.json. Once in place, Netagent will request an updated configuration from the web application every minute.

Admin protocols scan

An attacker can use protocols such as SSH, SMB, RDP, or WinRM to move between workstations. If these protocols are typically not initiated from ordinary workstations, any connection originating outside the expected network blocks may indicate attacker activity. The MonitorPorts value defines the ports analyzed by the module. The Workstations setting specifies the network blocks where ordinary workstations reside and from which admin protocol connections are not expected. The ExcludeSrc and ExcludeDST values let you precisely define the source and destination IP addresses that are excluded from the analysis.

"AdmProtocolScan": {
  "LoadAdmProtocolScanModule": true,
  "MonitorPorts": [
    22,
    3389,
    5985,
    5986
  ],
  "Workstations": [
    "192.168.1.96/28",
    "192.168.1.150/32",
    "192.168.1.171/32"
  ],
  "ExcludeSrc": [
    "192.168.1.10"
  ],
  "ExcludeDST": [
    "192.168.1.90",
    "192.168.1.99"
  ]
}
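The following is an added example (not Netagent's own code) of how the settings above combine into one decision per TCP connection. It assumes the reading that a connection to a MonitorPorts port is flagged when its source lies inside a Workstations block, unless the source is in ExcludeSrc or the destination is in ExcludeDST; the configuration and the sample connections are constructed from the example above.

```python
import ipaddress

# Constructed configuration, matching the AdmProtocolScan example above.
ADM_CONFIG = {
    "LoadAdmProtocolScanModule": True,
    "MonitorPorts": [22, 3389, 5985, 5986],
    "Workstations": ["192.168.1.96/28", "192.168.1.150/32", "192.168.1.171/32"],
    "ExcludeSrc": ["192.168.1.10"],
    "ExcludeDST": ["192.168.1.90", "192.168.1.99"],
}


def compile_adm_config(cfg):
    """Parse the JSON values once into ipaddress objects and sets."""
    return {
        "ports": set(cfg["MonitorPorts"]),
        "workstations": [ipaddress.ip_network(n, strict=False) for n in cfg["Workstations"]],
        "exclude_src": {ipaddress.ip_address(a) for a in cfg["ExcludeSrc"]},
        "exclude_dst": {ipaddress.ip_address(a) for a in cfg["ExcludeDST"]},
    }


def is_suspicious_admin_connection(compiled, src, dst, dport):
    """Return True when a connection should be flagged.

    Interpretation (an assumption of this example): a connection to a
    monitored admin port is flagged when its source lies in one of the
    Workstations blocks, unless the source is in ExcludeSrc or the
    destination is in ExcludeDST.
    """
    if dport not in compiled["ports"]:
        return False
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    if src_ip in compiled["exclude_src"] or dst_ip in compiled["exclude_dst"]:
        return False
    return any(src_ip in net for net in compiled["workstations"])


def scan_connections(cfg, connections):
    """Apply the check to (src, dst, dport) tuples; return the flagged ones."""
    if not cfg.get("LoadAdmProtocolScanModule", False):
        return []
    compiled = compile_adm_config(cfg)
    return [c for c in connections if is_suspicious_admin_connection(compiled, *c)]


# Constructed sample connections (TCP SYN metadata as seen on the mirror port).
SAMPLE_CONNECTIONS = [
    ("192.168.1.100", "192.168.1.50", 3389),  # workstation block -> RDP: flagged
    ("192.168.1.100", "192.168.1.50", 443),   # HTTPS: not a monitored port
    ("192.168.1.10", "192.168.1.50", 22),     # excluded source (admin host)
    ("192.168.1.150", "192.168.1.90", 5985),  # excluded destination
    ("192.168.1.20", "192.168.1.50", 22),     # source outside Workstations blocks
    ("192.168.1.171", "192.168.1.51", 5986),  # workstation -> WinRM over HTTPS: flagged
]

if __name__ == "__main__":
    for hit in scan_connections(ADM_CONFIG, SAMPLE_CONNECTIONS):
        print("admin protocol from workstation:", hit)
```

The network blocks are parsed once with the ipaddress module rather than compared as strings, so a /28 such as 192.168.1.96/28 correctly covers 192.168.1.96 through 192.168.1.111.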

ARP scan

An attacker can use ARP requests to discover and identify devices on the network. The RequestIPThreshold and ExcludeIP values allow you to define the maximum number of ARP requests allowed per specified time period and specify IP addresses whose ARP requests should be excluded from the analysis.

"ARPScan": {
  "LoadARPScanModule": true,
  "RequestIPThreshold": 100,
  "ExcludeIP": [
    "192.168.1.117"
  ]
}

DHCP scan

When analyzing DHCP queries, it is possible to detect machines with known suspicious hostnames, such as hacking operating systems (e.g., “kali”, “parrot”) or unauthorized devices (e.g., “raspberrypi”). The BadHostnames setting allows you to flag such hostnames, which can help identify attackers who make operational security (OPSEC) mistakes or employees who install unauthorized virtual machines or bring personal devices onto the network.

Additionally, various attack methods or anomalies based on the DHCP protocol can be detected. The AllowedServers setting defines the permitted DHCP servers. QueryThreshold sets the maximum number of DHCP queries within the last 5 minutes, and QueryCountDetection enables that check. The same logic applies to SameHostThreshold/SameHostDetection and SameMacThreshold/SameMacDetection, which track repeated queries from the same hostname or MAC address.

"DHCPScan": {
  "LoadDHCPScanModule": true,
  "AllowedServers": [
    "192.168.1.1"
  ],
  "BadHostnames": [
    "kali",
    "parrot",
    "localhost",
    "raspberrypi"
  ],
  "QueryThreshold": 30,
  "QueryCountDetection": false,
  "SameHostThreshold": 20,
  "SameHostDetection": true,
  "SameMacThreshold": 5,
  "SameMacDetection": true
}
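As an added example (not Netagent's own code), the following evaluates one 5-minute batch of DHCP messages against the settings above: offers from a server outside AllowedServers, client hostnames matching BadHostnames, and the same-MAC/same-host counters. Hostname matching is assumed to be a case-insensitive substring match, and the event format and sample messages are constructed for this example.

```python
from collections import Counter

# Constructed configuration, matching the DHCPScan example above.
DHCP_CONFIG = {
    "LoadDHCPScanModule": True,
    "AllowedServers": ["192.168.1.1"],
    "BadHostnames": ["kali", "parrot", "localhost", "raspberrypi"],
    "QueryThreshold": 30,
    "QueryCountDetection": False,
    "SameHostThreshold": 20,
    "SameHostDetection": True,
    "SameMacThreshold": 5,
    "SameMacDetection": True,
}

CLIENT_OPS = {"DISCOVER", "REQUEST", "INFORM"}
SERVER_OPS = {"OFFER", "ACK", "NAK"}


def hostname_is_bad(hostname, bad_list):
    """Assumption of this example: case-insensitive substring match, so
    'kali-vm' and 'raspberrypi.lan' both match. Returns the matching entry."""
    h = hostname.lower()
    return next((b for b in bad_list if b.lower() in h), None)


def scan_dhcp(cfg, events):
    """events: DHCP messages from one 5-minute window, each a dict with
    op, mac, hostname (client option 12, may be None) and server (server ops)."""
    if not cfg.get("LoadDHCPScanModule"):
        return []
    allowed = set(cfg["AllowedServers"])
    alerts, reported = [], set()
    per_mac, per_host, total = Counter(), Counter(), 0
    for e in events:
        if e["op"] in SERVER_OPS and e["server"] not in allowed:
            key = ("rogue-server", e["server"])      # unauthorized DHCP server on the LAN
            if key not in reported:
                reported.add(key)
                alerts.append(key)
        if e["op"] in CLIENT_OPS:
            total += 1
            per_mac[e["mac"]] += 1
            h = e.get("hostname")
            if h:
                per_host[h] += 1
                if hostname_is_bad(h, cfg["BadHostnames"]):
                    key = ("bad-hostname", e["mac"], h)
                    if key not in reported:
                        reported.add(key)
                        alerts.append(key)
    if cfg["SameMacDetection"]:
        for mac, n in per_mac.items():
            if n > cfg["SameMacThreshold"]:
                alerts.append(("same-mac", mac, n))
    if cfg["SameHostDetection"]:
        for h, n in per_host.items():
            if n > cfg["SameHostThreshold"]:
                alerts.append(("same-host", h, n))
    if cfg["QueryCountDetection"] and total > cfg["QueryThreshold"]:
        alerts.append(("query-count", total))
    return alerts


# Constructed sample: a Kali VM requesting a lease, a legitimate and a rogue
# offer, and one client MAC re-sending DISCOVER eight times.
SAMPLE_EVENTS = (
    [{"op": "REQUEST", "mac": "aa:bb:cc:dd:ee:01", "hostname": "kali", "server": None},
     {"op": "OFFER", "mac": "aa:bb:cc:dd:ee:01", "hostname": None, "server": "192.168.1.1"},
     {"op": "OFFER", "mac": "aa:bb:cc:dd:ee:01", "hostname": None, "server": "192.168.1.254"}]
    + [{"op": "DISCOVER", "mac": "aa:bb:cc:dd:ee:02", "hostname": "laptop-7", "server": None}
       for _ in range(8)]
)

if __name__ == "__main__":
    for alert in scan_dhcp(DHCP_CONFIG, SAMPLE_EVENTS):
        print(alert)
```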

DNS scan

DNS queries can be used by attackers for network enumeration, internal mapping, and command-and-control (C2) communication. A high number of PTR record queries may indicate internal network reconnaissance, while excessive TXT record queries can signal C2 traffic or data exfiltration. A moderate number of A and AAAA queries may simply indicate a power user, but beyond a certain threshold they can suggest anomalies or DNS brute-forcing attempts.

The DNSTXTThreshold, DNSPTRThreshold, and DNSAThreshold values define the maximum number of TXT, PTR, and A / AAAA record queries allowed over the last 5 minutes. The ExcludeIP option allows specific source IP addresses to be exempt from this analysis, preventing them from being flagged.

"DNSScan": {
  "LoadDNSScanModule": true,
  "DNSTXTThreshold": 100,
  "DNSPTRThreshold": 100,
  "DNSAThreshold": 1000,
  "ExcludeIP": [
    "192.168.1.10"
  ]
}
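The following added example (not Netagent's own code) shows one way to implement "more than N queries in the last 5 minutes": a sliding window of timestamps per source IP and record type, with ExcludeIP honoured and one alert per source/type rather than one per packet. The same windowed counting applies to the LDAP, password-scan and DHCP thresholds described on this page. The configuration matches the example above; the query tuples are constructed.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 300  # the "last 5 minutes" the thresholds refer to

# Constructed configuration, matching the DNSScan example above.
DNS_CONFIG = {
    "LoadDNSScanModule": True,
    "DNSTXTThreshold": 100,
    "DNSPTRThreshold": 100,
    "DNSAThreshold": 1000,
    "ExcludeIP": ["192.168.1.10"],
}

# Which config key governs which query type; A and AAAA share one counter.
THRESHOLD_KEYS = {"TXT": "DNSTXTThreshold", "PTR": "DNSPTRThreshold",
                  "A": "DNSAThreshold", "AAAA": "DNSAThreshold"}
COUNTER_BUCKET = {"TXT": "TXT", "PTR": "PTR", "A": "A", "AAAA": "A"}


class DNSScan:
    def __init__(self, cfg):
        self.cfg = cfg
        self.exclude = set(cfg.get("ExcludeIP", []))
        # (src_ip, bucket) -> deque of query timestamps still inside the window
        self.windows = defaultdict(deque)
        self.alerted = set()

    def observe(self, ts, src_ip, qtype):
        """Feed one query (timestamp in seconds); return an alert string or None."""
        if not self.cfg.get("LoadDNSScanModule") or src_ip in self.exclude:
            return None
        if qtype not in COUNTER_BUCKET:
            return None  # other record types are not rate-limited by this module
        bucket = COUNTER_BUCKET[qtype]
        key = (src_ip, bucket)
        q = self.windows[key]
        q.append(ts)
        while q and q[0] < ts - WINDOW_SECONDS:  # drop queries older than 5 minutes
            q.popleft()
        limit = self.cfg[THRESHOLD_KEYS[qtype]]
        if len(q) > limit and key not in self.alerted:
            self.alerted.add(key)  # one alert per source and type, not one per packet
            return f"{src_ip} sent {len(q)} {bucket} queries in {WINDOW_SECONDS}s (limit {limit})"
        return None


def run_dns_scan(cfg, queries):
    """queries: iterable of (timestamp, src_ip, qtype); returns the list of alerts."""
    scan = DNSScan(cfg)
    alerts = []
    for ts, src, qtype in queries:
        alert = scan.observe(ts, src, qtype)
        if alert:
            alerts.append(alert)
    return alerts


def build_sample():
    """Constructed traffic: a PTR sweep from one host, the same sweep from the
    excluded host, and an A-record burst that stays under its threshold."""
    sample = []
    for i in range(150):                                  # 150 PTR queries in 150 s
        sample.append((1000 + i, "192.168.1.55", "PTR"))
        sample.append((1000 + i, "192.168.1.10", "PTR"))  # excluded source
    for i in range(200):                                  # 200 A queries, limit is 1000
        sample.append((1000 + i, "192.168.1.56", "A"))
    return sample


if __name__ == "__main__":
    for alert in run_dns_scan(DNS_CONFIG, build_sample()):
        print(alert)
```

Because the window slides, a slow sweep (for example one PTR query every four seconds) never holds more than the threshold inside any 5-minute span and is not flagged; tuning the thresholds against the measured query rate of the LAN is what keeps the false-positive rate down.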

LDAP scan

The LDAP protocol allows attackers to enumerate all domain objects, including users, groups, and computers. Excessive LDAP queries may indicate reconnaissance activity within the network.

Tools like BloodHound and PingCastle leverage LDAP queries to map Active Directory structures, helping attackers identify privilege escalation paths and potential misconfigurations. Monitoring LDAP query activity can help detect such enumeration attempts.

CNQThreshold defines the maximum number of LDAP queries allowed within the last 5 minutes before triggering detection. ExcludeIP specifies IP addresses that should be excluded from analysis.

"LDAPScan": {
  "LoadLDAPScanModule": true,
  "ExcludeIP": [
    "192.168.1.10"
  ],
  "CNQThreshold": 100
}

Port scan

Port scanning is one of the most common methods attackers use for network mapping or for identifying a potentially vulnerable attack surface. LoadPortScanModule sets whether the module is activated. The SYNThreshold and RSTThreshold values define the maximum allowed number of SYN and RST packets over the last 5 minutes. PortThreshold sets the number of distinct destination ports beyond which the activity is considered a port scan.

"PortScan": {
  "LoadPortScanModule": true,
  "SYNThreshold": 500,
  "RSTThreshold": 500,
  "PortThreshold": 500
}
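As an added example (not Netagent's own code), the following applies the three thresholds above to a batch of TCP packet metadata from the last 5 minutes: connection attempts (SYN without ACK) and distinct destination ports are counted per source, and RST replies are attributed to the host that provoked them. The packet format and the sample scan are constructed for this example.

```python
from collections import defaultdict

WINDOW_SECONDS = 300  # only packets from the last 5 minutes are evaluated

# Constructed configuration, matching the PortScan example above.
PORTSCAN_CONFIG = {
    "LoadPortScanModule": True,
    "SYNThreshold": 500,
    "RSTThreshold": 500,
    "PortThreshold": 500,
}


def evaluate_portscan(cfg, packets, now):
    """packets: dicts with ts, src, dst, dport and flags (a set such as {"SYN"} or
    {"RST", "ACK"}). Returns [(host, [reasons])] for hosts over any threshold."""
    if not cfg.get("LoadPortScanModule"):
        return []
    syn = defaultdict(int)     # connection attempts per source
    rst = defaultdict(int)     # RSTs received, i.e. closed ports the source probed
    ports = defaultdict(set)   # distinct destination ports per source
    for p in packets:
        if p["ts"] < now - WINDOW_SECONDS:
            continue  # outside the 5-minute window
        f = p["flags"]
        if "SYN" in f and "ACK" not in f:   # new connection attempt
            syn[p["src"]] += 1
            ports[p["src"]].add(p["dport"])
        elif "RST" in f:                     # closed port answering a probe
            rst[p["dst"]] += 1               # count it against the probing host
    alerts = []
    for host in set(syn) | set(rst):
        reasons = []
        if syn[host] > cfg["SYNThreshold"]:
            reasons.append(f"SYN={syn[host]}")
        if rst[host] > cfg["RSTThreshold"]:
            reasons.append(f"RST={rst[host]}")
        if len(ports[host]) > cfg["PortThreshold"]:
            reasons.append(f"ports={len(ports[host])}")
        if reasons:
            alerts.append((host, reasons))
    return sorted(alerts)


def build_sample(now):
    """Constructed traffic: a 600-port connect scan with 550 closed ports, a stale
    scan older than the window, and a benign client opening 50 HTTPS connections."""
    scanner, target = "192.168.1.77", "192.168.1.5"
    pk = []
    for port in range(1, 601):
        t = now - 200 + port * 0.2  # all inside the last 5 minutes
        pk.append({"ts": t, "src": scanner, "dst": target, "dport": port, "flags": {"SYN"}})
        reply = {"RST", "ACK"} if port <= 550 else {"SYN", "ACK"}  # closed vs open port
        pk.append({"ts": t + 0.01, "src": target, "dst": scanner,
                   "dport": 40000 + port, "flags": reply})
    for port in range(1, 601):  # older than the window: ignored
        pk.append({"ts": now - 1000, "src": "192.168.1.78", "dst": target,
                   "dport": port, "flags": {"SYN"}})
    for _ in range(50):         # benign: many connections, one port
        pk.append({"ts": now - 10, "src": "192.168.1.60", "dst": target,
                   "dport": 443, "flags": {"SYN"}})
    return pk


if __name__ == "__main__":
    now = 5000
    for host, reasons in evaluate_portscan(PORTSCAN_CONFIG, build_sample(now), now):
        print(f"port scan from {host}: {', '.join(reasons)}")
```

SYN/ACK replies from open ports match neither branch, so a host that legitimately opens many connections to one service (the 192.168.1.60 case) trips none of the counters, while the distinct-port count is what separates a scan from a busy client.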

SMB scan

This module monitors SMB connections to external IP addresses. Attackers can use various methods to trick computers on the local network into connecting to an attacker-controlled SMB server. This can lead to the capture of NetNTLMv2 hashes, which may be crackable, potentially exposing cleartext passwords.

The ExcludeIP setting allows you to specify trusted SMB server IP addresses that should be excluded from analysis.

"SMBScan": {
  "LoadSMBScanModule": true,
  "ExcludeIP": [
    "192.168.1.200"
  ]
}

TOR scan

The use of the Tor network is not always an indicator of malicious activity. However, certain malware families — such as WhiteSnake, Raspberry Robin, and Agent Tesla — are known to communicate with their C2 servers via the Tor network.

The ExcludeIP setting allows you to specify trusted IP addresses from which Tor-related queries are allowed, preventing them from being flagged during analysis.

"TORScan": {
  "LoadTORScanModule": true,
  "ExcludeIP": [
    "192.168.1.113"
  ]
}

User agent scan

A malicious actor may use tools associated with known user agents when carrying out an attack. The MonitorPorts and BadUA values allow you to set the ports monitored by the module and the user agent values to search for. The ExcludeIPUA and ExcludeIPHostHeader values allow you to define more specific rules for certain IP addresses, excluding their user agents or host headers from the analysis. The ExcludeHostHeader and ExcludeUA values allow you to specify allowed host headers and user agents within the internal network.

"UserAgentScan": {
  "LoadUAScanModule": true,
  "MonitorPorts": [
    80,
    5000,
    8000
  ],
  "BadUA": [
    "powershell",
    "ms-office",
    "MSOffice",
    "curl",
    "wget",
    "feroxbuster",
    "sqlmap"
  ],
  "ExcludeIPUA": [
    {
      "IP": "192.168.1.101",
      "UserAgent": "HomeAssistant/2024.5.5 httpx/0.27.0 Python/3.12"
    }
  ],
  "ExcludeIPHostHeader": [
    {
      "IP": "192.168.1.101",
      "HostHeader": "checkonline.home-assistant.io"
    }
  ],
  "ExcludeHostHeader": [
    ".adobe.com",
    ".amazontrust.com",
    "certs.apple.com",
    ".digicert.com",
    "dl.delivery.mp.microsoft.com",
    "dl.google.com",
    "drivers.amd.com",
    "go.microsoft.com"
  ],
  "ExcludeUA": [
    "ubuntu"
  ]
}
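The following added example (not Netagent's own code) shows the order in which the exclusions above can be applied before a user agent is compared against BadUA. It assumes that BadUA entries are matched as case-insensitive substrings, that a host-header entry starting with a dot covers that domain and its subdomains while other entries match exactly, and that ExcludeIPUA requires an exact user-agent string. The configuration is the example above; the sample requests are constructed.

```python
# Constructed configuration, matching the UserAgentScan example above.
USER_AGENT_CONFIG = {
    "LoadUAScanModule": True,
    "MonitorPorts": [80, 5000, 8000],
    "BadUA": ["powershell", "ms-office", "MSOffice", "curl", "wget", "feroxbuster", "sqlmap"],
    "ExcludeIPUA": [
        {"IP": "192.168.1.101", "UserAgent": "HomeAssistant/2024.5.5 httpx/0.27.0 Python/3.12"}
    ],
    "ExcludeIPHostHeader": [
        {"IP": "192.168.1.101", "HostHeader": "checkonline.home-assistant.io"}
    ],
    "ExcludeHostHeader": [".adobe.com", ".amazontrust.com", "certs.apple.com", ".digicert.com",
                          "dl.delivery.mp.microsoft.com", "dl.google.com", "drivers.amd.com",
                          "go.microsoft.com"],
    "ExcludeUA": ["ubuntu"],
}


def host_matches(host, pattern):
    """Assumption: a leading dot means the domain and all its subdomains,
    anything else is an exact (case-insensitive) match."""
    host, pattern = host.lower(), pattern.lower()
    if pattern.startswith("."):
        return host.endswith(pattern) or host == pattern[1:]
    return host == pattern


def check_http_request(cfg, src_ip, dport, host_header, user_agent):
    """Return an alert string for a flagged HTTP request, or None."""
    if not cfg.get("LoadUAScanModule") or dport not in set(cfg["MonitorPorts"]):
        return None
    ua = user_agent or ""
    host = host_header or ""
    # Network-wide allow lists: known update hosts and an allowed UA substring.
    if any(host_matches(host, h) for h in cfg["ExcludeHostHeader"]):
        return None
    if any(x.lower() in ua.lower() for x in cfg["ExcludeUA"]):
        return None
    # Per-IP exceptions: a specific device may use a specific UA or host header.
    for rule in cfg["ExcludeIPUA"]:
        if rule["IP"] == src_ip and rule["UserAgent"] == ua:
            return None
    for rule in cfg["ExcludeIPHostHeader"]:
        if rule["IP"] == src_ip and host_matches(host, rule["HostHeader"]):
            return None
    # Finally compare against the tooling user agents we want to see.
    for bad in cfg["BadUA"]:
        if bad.lower() in ua.lower():
            return f"{src_ip} -> {host}:{dport} user agent matches '{bad}': {ua}"
    return None


def scan_requests(cfg, requests):
    """requests: iterable of (src_ip, dport, host_header, user_agent)."""
    hits = [check_http_request(cfg, *r) for r in requests]
    return [h for h in hits if h]


# Constructed sample requests (plaintext HTTP as seen on the mirror port).
SAMPLE_REQUESTS = [
    ("192.168.1.120", 80, "intranet.corp.local", "curl/8.5.0"),                 # flagged
    ("192.168.1.101", 80, "checkonline.home-assistant.io", "curl/8.5.0"),       # per-IP host header
    ("192.168.1.120", 80, "dl.google.com", "Wget/1.21.4"),                      # allowed host
    ("192.168.1.120", 8000, "app.corp.local",
     "Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/125.0"),                  # ExcludeUA
    ("192.168.1.120", 443, "app.corp.local", "sqlmap/1.8"),                     # port not monitored
    ("192.168.1.121", 8000, "files.corp.local",
     "Mozilla/5.0 (Windows NT 10.0) PowerShell/7.4"),                           # flagged
    ("192.168.1.122", 80, "updates.adobe.com", "curl/8.5.0"),                   # .adobe.com
]

if __name__ == "__main__":
    for alert in scan_requests(USER_AGENT_CONFIG, SAMPLE_REQUESTS):
        print(alert)
```

Note that the exclusions run before the BadUA comparison, so an entry in ExcludeHostHeader silences every user agent towards that host; keep that list to update and certificate hosts that genuinely use curl- or wget-style clients.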

These values still need to be explained.

IOC scan

The IOC module inspects network traffic against a dataset of known Indicators of Compromise and alerts on matches to support rapid threat detection and response. Use ExcludeSrcIP to define a list of source IPs that should be ignored during IOC matching.

"IOCScan": {
  "LoadIOCScanModule": true,
  "ExcludeSrcIP": ["192.168.1.1", "192.168.2.1"],
  "Level": 30
}

DNS and TCP flows

DNSFlow and TCPFlow collect DNS and TCP connection metadata either into a local file or into the central database.

  • Local - local file, specified with its full path
  • Remote - boolean, enables central data collection
  • Interval - data is buffered; this is the sync interval in seconds, used when the buffer does not fill up because of low traffic
  • IgnoreDomains - if some local domains fill the database, they can be ignored here
  • IgnoreDstIPPort - array of destination IP/port combinations to ignore

"DNSFlow": {
  "Local": "",
  "Remote": true,
  "Interval": 500,
  "IgnoreDomains": []
},
"TCPFlow": {
  "Local": "",
  "Remote": false,
  "Interval": 1000,
  "IgnoreDstIPPort": []
}
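As an added example (not Netagent's own code), the following buffer implements the behaviour the bullets above describe: records are held until the buffer is full or Interval seconds have passed since the last sync, and queries under an IgnoreDomains entry are dropped before buffering. It assumes an IgnoreDomains entry covers the domain and its subdomains, uses a shortened Interval and a constructed local path, and takes the sink as a callable so the local-file and central cases share one buffer.

```python
import json
import time

# Constructed configuration (the page's DNSFlow keys with a constructed path
# and a short Interval for the demonstration).
DNSFLOW_CONFIG = {
    "Local": "/tmp/netagent-dnsflow.jsonl",
    "Remote": False,
    "Interval": 30,
    "IgnoreDomains": ["corp.local"],
}


def domain_ignored(name, ignore_list):
    """Assumption: an IgnoreDomains entry matches the domain and all its subdomains."""
    n = name.rstrip(".").lower()
    return any(n == d.lower() or n.endswith("." + d.lower()) for d in ignore_list)


class FlowBuffer:
    """Buffers flow records; flushes when the buffer is full or when Interval
    seconds have passed since the last flush (the low-traffic case)."""

    def __init__(self, cfg, sink, max_records=1000, clock=time.monotonic):
        self.cfg = cfg
        self.sink = sink               # callable that receives a list of records
        self.max_records = max_records
        self.clock = clock
        self.buffer = []
        self.last_flush = clock()

    def add(self, record):
        """Queue one DNS flow record; return True if it triggered a flush."""
        if domain_ignored(record["query"], self.cfg.get("IgnoreDomains", [])):
            return False
        self.buffer.append(record)
        return self.flush_if_due()

    def flush_if_due(self):
        full = len(self.buffer) >= self.max_records
        stale = self.clock() - self.last_flush >= self.cfg["Interval"]
        if (full or stale) and self.buffer:
            self.sink(self.buffer)
            self.buffer = []
            self.last_flush = self.clock()
            return True
        return False


def local_file_sink(path):
    """Sink for the Local setting: append one JSON object per line."""
    def write(records):
        with open(path, "a", encoding="utf-8") as fh:
            for r in records:
                fh.write(json.dumps(r) + "\n")
    return write


class ManualClock:
    """Test clock so the interval behaviour can be shown without sleeping."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


def demo():
    """Drive the buffer with constructed records; returns (flush batches, add results)."""
    clock, batches = ManualClock(), []
    fb = FlowBuffer(DNSFLOW_CONFIG, batches.append, max_records=3, clock=clock)
    results = [
        fb.add({"src": "192.168.1.20", "query": "printer.corp.local", "type": "A"}),  # ignored
        fb.add({"src": "192.168.1.20", "query": "example.org", "type": "A"}),
        fb.add({"src": "192.168.1.20", "query": "example.net", "type": "A"}),
        fb.add({"src": "192.168.1.20", "query": "example.com", "type": "TXT"}),     # buffer full
    ]
    clock.t = 31.0                                                                   # Interval passed
    results.append(fb.add({"src": "192.168.1.21", "query": "example.org", "type": "A"}))
    return batches, results


if __name__ == "__main__":
    batches, results = demo()
    print(results)              # [False, False, False, True, True]
    print([len(b) for b in batches])
```

With the Local setting, `FlowBuffer(cfg, local_file_sink(cfg["Local"]))` writes JSON lines to the configured path; a central sink would take the same list of records.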

Password scan

This module monitors specified TCP ports for signs of brute-force attacks. The Threshold defines how many connection attempts from a single source IP are allowed before triggering an alert. MonitorPorts lists the TCP ports to monitor (e.g., SSH, RDP, SMTP, database ports). ExcludeSrcIP specifies source IPs to ignore, such as internal systems or scanners, while ExcludeDSTIP lists destination IPs that should be excluded from detection.

"PasswordScan": {
  "LoadPasswordScanModule": true,
  "Threshold": 30,
  "MonitorPorts": [
    22,
    3389,
    465,
    589,
    3306,
    5432,
    1433,
    110,
    143,
    993,
    995
  ],
  "ExcludeSrcIP": [
    "192.168.1.10"
  ],
  "ExcludeDSTIP": [
    "192.168.1.90",
    "192.168.1.99"
  ],
  "Level": 20
}

Network interface

The NetworkInterface defines the network adapter used by Netagent.

"NetworkInterface": "eth1"

Logging

Netagent can log DHCP requests and HTTP user agents into separate log files. Use the full path when specifying file names.

"LogDHCPFlow": "/opt/intrudect/logs/dhcp.log",
"LogHTTPFlow": "/opt/intrudect/logs/http.log"