
Netagent

Considerations

Before deploying Netagent, consider the following:

  • If you haven't done it recently, start by reviewing your network documentation.
  • Consider the amount of network traffic on your LAN. Do you need 10G/25G network cards and matching hardware, or is it a typical office network with low Office 365 traffic?
  • If network traffic volume is unknown, it's best to install LibreNMS or Cacti to determine the actual traffic load.
  • Evaluate how the network is segmented and decide how many Netagents you need to install.
  • If installing on a VM, ensure that a separate physical Ethernet adapter is directly assigned to the VM.

Hardware requirements

Current filtering does not require much CPU or RAM; any recent low-end 1U server is more than capable. If Netagent is installed together with Security Onion or Arkime, refer to their hardware requirements.

Installation

Debian

sudo apt install ./intrudect-netagent-x.y.z.arch.deb

Configuration

An initial example configuration (it is not applied by default) for Netagent can be created in the web application under Agents > Add new network agent. After saving and downloading it, store the configuration on the machine running the agent at /opt/intrudect-netagent/etc/config.json. Once the file is in place, Netagent requests an updated configuration from the web application every minute.

Admin protocols scan

An attacker can use protocols such as SSH, SMB, RDP, or WinRM to move laterally between workstations. If these protocols are normally not initiated from ordinary workstations, any admin-protocol connection originating outside the network blocks where such connections are expected may indicate attacker activity. The MonitorPorts value defines the ports the module analyzes. The Workstations setting lists the network blocks where ordinary workstations reside and from which admin-protocol connections are not expected. The ExcludeSrc and ExcludeDST values let you exclude specific source and destination IP addresses from the analysis.

"AdmProtocolScan": {
  "LoadAdmProtocolScanModule": true,
  "MonitorPorts": [
    22,
    3389,
    5985,
    5986
  ],
  "Workstations": [
    "192.168.1.96/28",
    "192.168.1.150/32",
    "192.168.1.171/32"
  ],
  "ExcludeSrc": [
    "192.168.1.10"
  ],
  "ExcludeDST": [
    "192.168.1.90",
    "192.168.1.99"
  ]
}
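The decision the module makes for one TCP connection, written out as an added Python example (not Netagent's own code): MonitorPorts selects the connection, ExcludeSrc and ExcludeDST drop it, and what remains is reported when the source sits in a Workstations block. The ordering of those checks and the sample flows are assumptions made for the example.

```python
import ipaddress
import json

# Constructed copy of the AdmProtocolScan block shown above, loaded as JSON.
ADM_CONFIG = json.loads("""
{
  "LoadAdmProtocolScanModule": true,
  "MonitorPorts": [22, 3389, 5985, 5986],
  "Workstations": ["192.168.1.96/28", "192.168.1.150/32", "192.168.1.171/32"],
  "ExcludeSrc": ["192.168.1.10"],
  "ExcludeDST": ["192.168.1.90", "192.168.1.99"]
}
""")

def flag_admin_connection(src, dst, dport, cfg=ADM_CONFIG):
    """Return True when a TCP connection should be reported.

    Assumed reading of the page (not vendor code): only MonitorPorts count,
    ExcludeSrc/ExcludeDST drop a connection first, and the remainder is flagged
    when the source lies in a Workstations block, where admin-protocol
    connections are not expected to originate.
    """
    if not cfg.get("LoadAdmProtocolScanModule", False) or dport not in cfg["MonitorPorts"]:
        return False
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src_ip in {ipaddress.ip_address(a) for a in cfg["ExcludeSrc"]}:
        return False
    if dst_ip in {ipaddress.ip_address(a) for a in cfg["ExcludeDST"]}:
        return False
    return any(src_ip in ipaddress.ip_network(n) for n in cfg["Workstations"])

def flagged_flows(flows, cfg=ADM_CONFIG):
    """Filter (src, dst, dport) tuples down to the ones the module would report."""
    return [f for f in flows if flag_admin_connection(*f, cfg)]

# Constructed sample flows (not captured traffic).
SAMPLE_FLOWS = [
    ("192.168.1.100", "192.168.1.5", 3389),   # workstation -> server RDP: flag
    ("192.168.1.100", "192.168.1.99", 3389),  # destination excluded: ignore
    ("192.168.1.10", "192.168.1.5", 22),      # source excluded: ignore
    ("192.168.1.20", "192.168.1.5", 22),      # not in a Workstations block: ignore
    ("192.168.1.150", "192.168.1.5", 443),    # port not monitored: ignore
    ("192.168.1.171", "10.0.0.7", 5985),      # workstation -> WinRM: flag
]

if __name__ == "__main__":
    for flow in flagged_flows(SAMPLE_FLOWS):
        print("admin protocol from workstation block:", flow)
```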

ARP scan

An attacker can use ARP requests to discover and identify devices on the network. The RequestIPThreshold and ExcludeIP values allow you to define the maximum number of ARP requests allowed per specified time period and specify IP addresses whose ARP requests should be excluded from the analysis.

"ARPScan": {
  "LoadARPScanModule": true,
  "RequestIPThreshold": 100,
  "ExcludeIP": [
    "192.168.1.117"
  ]
}

DHCP scan

When analyzing DHCP queries, it is possible to detect machines with known suspicious hostnames, such as hacking operating systems (e.g., “kali”, “parrot”) or unauthorized devices (e.g., “raspberrypi”). The BadHostnames setting allows you to flag such hostnames, which can help identify attackers who make operational security (OPSEC) mistakes or employees who install unauthorized virtual machines or bring personal devices onto the network.

Additionally, various attack methods or anomalies based on the DHCP protocol can be detected. The AllowedServers setting defines the permitted DHCP servers. The QueryThreshold value sets the maximum number of queries within the last 5 minutes, and QueryCountDetection switches that check on or off. The same logic applies to SameHostThreshold with SameHostDetection and SameMacThreshold with SameMacDetection, which track repeated queries from the same hostname or MAC address.

"DHCPScan": {
  "LoadDHCPScanModule": true,
  "AllowedServers": [
    "192.168.1.1"
  ],
  "BadHostnames": [
    "kali",
    "parrot",
    "localhost",
    "raspberrypi"
  ],
  "QueryThreshold": 30,
  "QueryCountDetection": false,
  "SameHostThreshold": 20,
  "SameHostDetection": true,
  "SameMacThreshold": 5,
  "SameMacDetection": true
}

DNS scan

DNS queries can be used by attackers for network enumeration, internal mapping, and command-and-control (C2) communication. A high number of PTR record queries may indicate internal network reconnaissance, while excessive TXT record queries can signal C2 traffic or data exfiltration. A and AAAA queries up to a certain point may simply indicate a power user, but beyond a certain threshold, they can suggest anomalies or DNS brute-forcing attempts.

The DNSTXTThreshold, DNSPTRThreshold, and DNSAThreshold values define the maximum number of TXT, PTR, and A / AAAA record queries allowed over the last 5 minutes. The ExcludeIP option allows specific source IP addresses to be exempt from this analysis, preventing them from being flagged.

"DNSScan": {
  "LoadDNSScanModule": true,
  "DNSTXTThreshold": 100,
  "DNSPTRThreshold": 100,
  "DNSAThreshold": 1000,
  "ExcludeIP": [
    "192.168.1.10"
  ]
}
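The "last 5 minutes" counting behind DNSTXTThreshold, DNSPTRThreshold and DNSAThreshold, as an added Python example that is not Netagent's code; the same sliding-window idea applies to the LDAP CNQThreshold and the port-scan thresholds below. The per-source window, the one-alert-per-counter behaviour and the sample traffic are assumptions made for the example.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 300  # the "last 5 minutes" the page refers to

# Constructed copy of the DNSScan block shown above.
DNS_CONFIG = {
    "LoadDNSScanModule": True,
    "DNSTXTThreshold": 100,
    "DNSPTRThreshold": 100,
    "DNSAThreshold": 1000,
    "ExcludeIP": ["192.168.1.10"],
}

# Query type -> config key holding its threshold; A and AAAA share one counter.
THRESHOLD_KEY = {"TXT": "DNSTXTThreshold", "PTR": "DNSPTRThreshold",
                 "A": "DNSAThreshold", "AAAA": "DNSAThreshold"}


class DNSScan:
    """Per-source, per-type sliding-window counters (assumed reading; not vendor code)."""

    def __init__(self, cfg):
        self.cfg = cfg
        self.excluded = set(cfg["ExcludeIP"])
        self.windows = defaultdict(deque)  # (src, key) -> query timestamps in window
        self.alerted = set()               # alert once per (src, key)

    def observe(self, ts, src, qtype):
        """Record one query seen at time ts (seconds, non-decreasing); return an alert tuple or None."""
        key = THRESHOLD_KEY.get(qtype)
        if not self.cfg["LoadDNSScanModule"] or src in self.excluded or key is None:
            return None
        q = self.windows[(src, key)]
        q.append(ts)
        while ts - q[0] > WINDOW_SECONDS:  # evict queries older than the window
            q.popleft()
        if len(q) > self.cfg[key] and (src, key) not in self.alerted:
            self.alerted.add((src, key))
            return (src, key, len(q))
        return None


def run_sample():
    """Replay constructed traffic (not a capture) and return the alerts raised."""
    scan = DNSScan(DNS_CONFIG)
    events = [(i, "192.168.1.50", "TXT") for i in range(101)]        # 101 TXT in 100 s: over 100
    events += [(i * 4, "192.168.1.51", "PTR") for i in range(150)]   # 150 PTR over 600 s: max 76 per window
    events += [(i, "192.168.1.10", "PTR") for i in range(120)]       # excluded source: never counted
    results = [scan.observe(*e) for e in sorted(events)]
    return [a for a in results if a is not None]
```

Only the TXT burst from 192.168.1.50 produces an alert: the PTR queries from 192.168.1.51 never exceed 76 in any 300-second window, and 192.168.1.10 is excluded.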

LDAP scan

The LDAP protocol allows attackers to enumerate all domain objects, including users, groups, and computers. Excessive LDAP queries may indicate reconnaissance activity within the network.

Tools like BloodHound and PingCastle leverage LDAP queries to map Active Directory structures, helping attackers identify privilege escalation paths and potential misconfigurations. Monitoring LDAP query activity can help detect such enumeration attempts.

CNQThreshold defines the maximum number of LDAP queries allowed within the last 5 minutes before triggering detection. ExcludeIP specifies IP addresses that should be excluded from analysis.

"LDAPScan": {
  "LoadLDAPScanModule": true,
  "ExcludeIP": [
    "192.168.1.10"
  ],
  "CNQThreshold": 100
}

Port scan

Port scanning is one of the most common methods attackers use to map a network or identify a potentially vulnerable attack surface. The LoadPortScanModule value sets whether the module is activated. The SYNThreshold and RSTThreshold values define the maximum allowed number of SYN and RST packets over the last 5 minutes. The PortThreshold value defines the number of distinct ports beyond which the activity is considered a port scan.

"PortScan": {
  "LoadPortScanModule": true,
  "SYNThreshold": 500,
  "RSTThreshold": 500,
  "PortThreshold": 500
}

SMB scan

This module monitors SMB connections to external IP addresses. Attackers can use various methods to trick local network computers into connecting to an attacker-controlled SMB server. This can lead to the capture of NetNTLMv2 hashes, which may be crackable, potentially exposing cleartext passwords.

The ExcludeIP setting allows you to specify trusted SMB server IP addresses that should be excluded from analysis.

"SMBScan": {
  "LoadSMBScanModule": true,
  "ExcludeIP": [
    "192.168.1.200"
  ]
}

TOR scan

The use of the Tor network is not always an indicator of malicious activity. However, certain malware families—such as WhiteSnake, Raspberry Robin, and Agent Tesla—are known to communicate with their command-and-control (C2) servers via the Tor network.

The ExcludeIP setting allows you to specify trusted IP addresses from which Tor-related queries are allowed, preventing them from being flagged during analysis.

"TORScan": {
  "LoadTORScanModule": true,
  "ExcludeIP": [
    "192.168.1.113"
  ]
}

User agent scan

A malicious actor may use tools associated with known user agents when carrying out an attack. The MonitorPorts and BadUA values allow you to set the ports monitored by the module and the user agent values to search for. The ExcludeIPUA and ExcludeIPHostHeader values allow you to define more specific rules for certain IP addresses, excluding their user agents or host headers from the analysis. The ExcludeHostHeader and ExcludeUA values allow you to specify allowed host headers and user agents within the internal network.

"UserAgentScan": {
  "LoadUAScanModule": true,
  "MonitorPorts": [
    80,
    5000,
    8000
  ],
  "BadUA": [
    "powershell",
    "ms-office",
    "MSOffice",
    "curl",
    "wget",
    "feroxbuster",
    "sqlmap"
  ],
  "ExcludeIPUA": [
    {
      "IP": "192.168.1.101",
      "UserAgent": "HomeAssistant/2024.5.5 httpx/0.27.0 Python/3.12"
    }
  ],
  "ExcludeIPHostHeader": [
    {
      "IP": "192.168.1.101",
      "HostHeader": "checkonline.home-assistant.io"
    }
  ],
  "ExcludeHostHeader": [
    ".adobe.com",
    ".amazontrust.com",
    "certs.apple.com",
    ".digicert.com",
    "dl.delivery.mp.microsoft.com",
    "dl.google.com",
    "drivers.amd.com",
    "go.microsoft.com"
  ],
  "ExcludeUA": [
    "ubuntu"
  ]
}
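How the four exclusion lists interact with BadUA for one HTTP request, as an added Python example that is not Netagent's code. Case-insensitive substring matching for user agents and leading-dot suffix matching for host headers (so ".adobe.com" covers adobe.com and its subdomains) are assumptions made for the example; the ExcludeHostHeader list is shortened.

```python
# Constructed copy of the UserAgentScan block shown above (ExcludeHostHeader shortened).
UA_CONFIG = {
    "LoadUAScanModule": True,
    "MonitorPorts": [80, 5000, 8000],
    "BadUA": ["powershell", "ms-office", "MSOffice", "curl", "wget", "feroxbuster", "sqlmap"],
    "ExcludeIPUA": [{"IP": "192.168.1.101",
                     "UserAgent": "HomeAssistant/2024.5.5 httpx/0.27.0 Python/3.12"}],
    "ExcludeIPHostHeader": [{"IP": "192.168.1.101", "HostHeader": "checkonline.home-assistant.io"}],
    "ExcludeHostHeader": [".adobe.com", "certs.apple.com", "dl.google.com"],
    "ExcludeUA": ["ubuntu"],
}


def host_allowed(host, patterns):
    """Assumed semantics: a leading dot matches the domain and every subdomain,
    any other entry must match the Host header exactly (case-insensitive)."""
    host = host.lower().rstrip(".")
    for p in patterns:
        p = p.lower()
        if p.startswith("."):
            if host == p[1:] or host.endswith(p):
                return True
        elif host == p:
            return True
    return False


def flag_http_request(src, dport, host, ua, cfg=UA_CONFIG):
    """Return True when an HTTP request should be reported by the module.

    Assumed reading of the page (not vendor code): the request must be on a
    MonitorPorts port and carry a BadUA substring (case-insensitive); any of
    the four exclusion lists then suppresses the report.
    """
    if not cfg["LoadUAScanModule"] or dport not in cfg["MonitorPorts"]:
        return False
    ua_l = ua.lower()
    if not any(bad.lower() in ua_l for bad in cfg["BadUA"]):
        return False
    if any(ok.lower() in ua_l for ok in cfg["ExcludeUA"]):
        return False
    if host_allowed(host, cfg["ExcludeHostHeader"]):
        return False
    if any(r["IP"] == src and r["UserAgent"] == ua for r in cfg["ExcludeIPUA"]):
        return False
    if any(r["IP"] == src and r["HostHeader"].lower() == host.lower()
           for r in cfg["ExcludeIPHostHeader"]):
        return False
    return True
```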

Network interface

The NetworkInterface defines the network adapter used by Netagent.

"NetworkInterface": "eth1"

Logging

Netagent can log all DNS, TCP, DHCP, and HTTP traffic into separate log files. Use full paths when specifying file names.

"LogDNSFlow": "/opt/intrudect/logs/dns.log",
"LogTCPFlow": "/opt/intrudect/logs/tcp.log",
"LogDHCPFlow": "/opt/intrudect/logs/dhcp.log",
"LogHTTPFlow": "/opt/intrudect/logs/http.log"