Netagent
Considerations
Before deploying Netagent, consider the following:
- If you haven't done it recently, start by reviewing your network documentation.
- Consider the amount of network traffic on your LAN. Do you need 10G/25G network cards and matching hardware, or is it a typical office network with low Office 365 traffic?
- If network traffic volume is unknown, it's best to install LibreNMS or Cacti to determine the actual traffic load.
- Evaluate how the network is segmented and decide how many Netagents you need to install.
- If installing on a VM, ensure that a separate physical Ethernet adapter is directly assigned to the VM.
Hardware requirements
Current filtering does not require much CPU or RAM. Any recent 1U low-end server is more than capable. If installed together with Security Onion or Arkime, refer to their hardware requirements.
Installation
Debian
Configuration
The initial example (not default) configuration for Netagent can be created in the web application under Agents > Add new network agent. After saving and downloading it, store the configuration on the machine running the agent at /opt/intrudect-netagent/etc/config.json. Once in place, Netagent will request an updated configuration from the web application every minute.
Admin protocols scan
An attacker can use protocols such as SSH, SMB, RDP, or WinRM to move between workstations. If these protocols are normally not initiated from ordinary workstations, any such connection originating outside the expected network blocks may indicate attacker activity. The MonitorPorts value defines the ports analyzed by the module. The Workstations setting specifies the network blocks where ordinary workstations reside and from which admin protocol connections are not expected. The ExcludeSrc and ExcludeDST values let you precisely define the source and destination IP addresses that should be excluded from the analysis.
"AdmProtocolScan": {
  "LoadAdmProtocolScanModule": true,
  "MonitorPorts": [
    22,
    3389,
    5985,
    5986
  ],
  "Workstations": [
    "192.168.1.96/28",
    "192.168.1.150/32",
    "192.168.1.171/32"
  ],
  "ExcludeSrc": [
    "192.168.1.10"
  ],
  "ExcludeDST": [
    "192.168.1.90",
    "192.168.1.99"
  ]
}
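The following is an added example, not Netagent's own code, showing how the AdmProtocolScan settings above can be evaluated against TCP connection records. It assumes the semantics implied by the text: a connection is reported when it targets a monitored port and originates from one of the Workstations blocks, unless the source or destination address is excluded. The connection records are constructed sample data.

```python
"""Added example: evaluating AdmProtocolScan rules against connection records."""
import ipaddress
from typing import Dict, List, Tuple

# Copy of the AdmProtocolScan section shown in the documentation.
ADM_PROTOCOL_SCAN = {
    "LoadAdmProtocolScanModule": True,
    "MonitorPorts": [22, 3389, 5985, 5986],
    "Workstations": ["192.168.1.96/28", "192.168.1.150/32", "192.168.1.171/32"],
    "ExcludeSrc": ["192.168.1.10"],
    "ExcludeDST": ["192.168.1.90", "192.168.1.99"],
}

Connection = Tuple[str, str, int]  # (source IP, destination IP, destination port)


def compile_rules(cfg: Dict) -> Dict:
    """Parse the textual addresses once so the per-connection check stays cheap."""
    return {
        "ports": set(cfg["MonitorPorts"]),
        "workstations": [ipaddress.ip_network(n) for n in cfg["Workstations"]],
        "exclude_src": {ipaddress.ip_address(a) for a in cfg["ExcludeSrc"]},
        "exclude_dst": {ipaddress.ip_address(a) for a in cfg["ExcludeDST"]},
    }


def is_suspicious(rules: Dict, src: str, dst: str, dport: int) -> bool:
    """Return True when a connection should be reported by the module.

    Assumed semantics (this example's reading of the page): the destination port
    must be monitored AND the source must lie in a Workstations block, and neither
    the source nor the destination address may be on an exclusion list.
    """
    if dport not in rules["ports"]:
        return False
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    if src_ip in rules["exclude_src"] or dst_ip in rules["exclude_dst"]:
        return False
    return any(src_ip in net for net in rules["workstations"])


def scan_connections(cfg: Dict, connections: List[Connection]) -> List[Connection]:
    """Apply the module to a batch of connections; empty when the module is disabled."""
    if not cfg.get("LoadAdmProtocolScanModule", False):
        return []
    rules = compile_rules(cfg)
    return [c for c in connections if is_suspicious(rules, *c)]


# Constructed sample flows.
SAMPLE_CONNECTIONS: List[Connection] = [
    ("192.168.1.100", "192.168.1.50", 3389),  # workstation -> RDP: reported
    ("192.168.1.100", "192.168.1.90", 3389),  # destination excluded (e.g. jump host)
    ("192.168.1.10", "192.168.1.50", 22),     # source excluded (admin machine)
    ("192.168.1.20", "192.168.1.50", 22),     # source not in a Workstations block
    ("192.168.1.150", "192.168.1.60", 5985),  # workstation -> WinRM: reported
    ("192.168.1.171", "192.168.1.60", 443),   # HTTPS is not a monitored port
]

if __name__ == "__main__":
    for hit in scan_connections(ADM_PROTOCOL_SCAN, SAMPLE_CONNECTIONS):
        print("admin protocol initiated from workstation:", hit)
```

Parsing the CIDR blocks once with `ipaddress` keeps the per-connection check to a few set lookups, which matters when the agent sees every SYN on a busy segment.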
ARP scan
An attacker can use ARP requests to discover and identify devices on the network. The RequestIPThreshold value defines the maximum number of ARP requests allowed per specified time period, and ExcludeIP lists the IP addresses whose ARP requests should be excluded from the analysis.
"ARPScan": {
  "LoadARPScanModule": true,
  "RequestIPThreshold": 100,
  "ExcludeIP": [
    "192.168.1.117"
  ]
}
DHCP scan
When analyzing DHCP queries, it is possible to detect machines with known suspicious hostnames, such as hacking operating systems (e.g., “kali”, “parrot”) or unauthorized devices (e.g., “raspberrypi”). The BadHostnames setting allows you to flag such hostnames, which can help identify attackers who make operational security (OPSEC) mistakes, as well as employees who install unauthorized virtual machines or bring personal devices onto the network.
Additionally, various attack methods or anomalies based on the DHCP protocol can be detected. The AllowedServers setting defines the permitted DHCP servers. QueryThreshold sets the maximum number of queries within the last 5 minutes, and QueryCountDetection enables that check. The same logic applies to SameHostDetection and SameMacDetection, together with SameHostThreshold and SameMacThreshold, which track repeated queries from the same host or MAC address.
"DHCPScan": {
  "LoadDHCPScanModule": true,
  "AllowedServers": [
    "192.168.1.1"
  ],
  "BadHostnames": [
    "kali",
    "parrot",
    "localhost",
    "raspberrypi"
  ],
  "QueryThreshold": 30,
  "QueryCountDetection": false,
  "SameHostThreshold": 20,
  "SameHostDetection": true,
  "SameMacThreshold": 5,
  "SameMacDetection": true
}
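As an added example (not Netagent's implementation), the function below applies the DHCPScan settings to a batch of DHCP events representing one 5-minute window. It treats any OFFER/ACK from a server not in AllowedServers as a rogue server, matches BadHostnames as case-insensitive substrings of the client hostname option (an assumption), and applies the QueryThreshold, SameHostThreshold and SameMacThreshold counts with their Detection toggles. The events are constructed sample data.

```python
"""Added example: applying the DHCPScan settings to one 5-minute batch of DHCP events."""
from collections import Counter
from typing import Dict, List

# Copy of the DHCPScan section shown above; the rules below are this example's
# reading of the settings, not Netagent's own implementation.
DHCP_SCAN = {
    "LoadDHCPScanModule": True,
    "AllowedServers": ["192.168.1.1"],
    "BadHostnames": ["kali", "parrot", "localhost", "raspberrypi"],
    "QueryThreshold": 30,
    "QueryCountDetection": False,
    "SameHostThreshold": 20,
    "SameHostDetection": True,
    "SameMacThreshold": 5,
    "SameMacDetection": True,
}


def scan_dhcp(cfg: Dict, events: List[Dict]) -> List[str]:
    """Evaluate the DHCPScan rules over the events of one 5-minute window.

    Each event is a dict with: kind ("client" for DISCOVER/REQUEST, "server" for
    OFFER/ACK), ip, mac and, for clients, the hostname option (option 12).
    """
    if not cfg.get("LoadDHCPScanModule", False):
        return []
    findings: List[str] = []
    allowed = set(cfg["AllowedServers"])
    bad_names = [h.lower() for h in cfg["BadHostnames"]]
    clients = [e for e in events if e["kind"] == "client"]

    # 1. Rogue DHCP server: an OFFER/ACK from an address not on the allow list.
    for e in events:
        if e["kind"] == "server" and e["ip"] not in allowed:
            findings.append(f"rogue DHCP server {e['ip']}")

    # 2. Suspicious hostnames (case-insensitive substring match is an assumption).
    for e in clients:
        name = (e.get("hostname") or "").lower()
        if any(bad in name for bad in bad_names):
            findings.append(f"bad hostname {e['hostname']!r} from {e['mac']}")

    # 3. Volume checks: each threshold is a maximum, so exceeding it triggers.
    if cfg["QueryCountDetection"] and len(clients) > cfg["QueryThreshold"]:
        findings.append(f"{len(clients)} DHCP queries in window")
    if cfg["SameHostDetection"]:
        per_host = Counter(e["hostname"] for e in clients if e.get("hostname"))
        findings += [f"{n} queries from host {h!r}" for h, n in per_host.items()
                     if n > cfg["SameHostThreshold"]]
    if cfg["SameMacDetection"]:
        per_mac = Counter(e["mac"] for e in clients)
        findings += [f"{n} queries from MAC {m}" for m, n in per_mac.items()
                     if n > cfg["SameMacThreshold"]]
    return findings


def sample_events() -> List[Dict]:
    """Constructed sample: one rogue server, one 'kali' client, one chatty client."""
    events = [
        {"kind": "server", "ip": "192.168.1.1", "mac": "00:11:22:33:44:55"},
        {"kind": "server", "ip": "192.168.1.200", "mac": "66:77:88:99:aa:bb"},  # not allowed
        {"kind": "client", "ip": "0.0.0.0", "mac": "aa:bb:cc:dd:ee:01", "hostname": "kali"},
        {"kind": "client", "ip": "0.0.0.0", "mac": "aa:bb:cc:dd:ee:02", "hostname": "PC-FINANCE-07"},
    ]
    # Six requests from one MAC inside the window exceed SameMacThreshold (5).
    events += [{"kind": "client", "ip": "0.0.0.0", "mac": "aa:bb:cc:dd:ee:03",
                "hostname": "laptop-03"} for _ in range(6)]
    return events


if __name__ == "__main__":
    for finding in scan_dhcp(DHCP_SCAN, sample_events()):
        print(finding)
```

With the sample configuration the total query count is not checked because QueryCountDetection is false; flipping it to true with a lower QueryThreshold adds a fourth finding for the same input.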
DNS scan
DNS queries can be used by attackers for network enumeration, internal mapping, and command-and-control (C2) communication. A high number of PTR record queries may indicate internal network reconnaissance, while excessive TXT record queries can signal C2 traffic or data exfiltration. A and AAAA queries up to a certain point may simply indicate a power user, but beyond a certain threshold, they can suggest anomalies or DNS brute-forcing attempts.
The DNSTXTThreshold, DNSPTRThreshold, and DNSAThreshold values define the maximum number of TXT, PTR, and A / AAAA record queries allowed over the last 5 minutes. The ExcludeIP option exempts specific source IP addresses from this analysis, preventing them from being flagged.
"DNSScan": {
  "LoadDNSScanModule": true,
  "DNSTXTThreshold": 100,
  "DNSPTRThreshold": 100,
  "DNSAThreshold": 1000,
  "ExcludeIP": [
    "192.168.1.10"
  ]
}
LDAP scan
The LDAP protocol allows attackers to enumerate all domain objects, including users, groups, and computers. Excessive LDAP queries may indicate reconnaissance activity within the network.
Tools like BloodHound and PingCastle leverage LDAP queries to map Active Directory structures, helping attackers identify privilege escalation paths and potential misconfigurations. Monitoring LDAP query activity can help detect such enumeration attempts.
CNQThreshold defines the maximum number of LDAP queries allowed within the last 5 minutes before detection is triggered. ExcludeIP specifies IP addresses that should be excluded from the analysis.
Port scan
Port scanning is one of the most common methods attackers use for network mapping or for identifying potentially vulnerable attack surfaces. LoadPortScanModule sets whether the module is activated. The SYNThreshold and RSTThreshold values define the maximum allowed number of SYN and RST packets over the last 5 minutes. PortThreshold defines the number of distinct ports beyond which the activity is considered a port scan.
"PortScan": {
  "LoadPortScanModule": true,
  "SYNThreshold": 500,
  "RSTThreshold": 500,
  "PortThreshold": 500
}
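The DNS, LDAP and port scan modules all express their thresholds as a maximum count "over the last 5 minutes". The added example below (not Netagent's own code) shows one way to implement that with a per-key sliding window and applies it to both the DNSScan settings (TXT/PTR thresholds, A and AAAA sharing DNSAThreshold, ExcludeIP) and the PortScan settings (SYN and RST counts plus distinct destination ports per source). The same counter would serve CNQThreshold for LDAP. Events are assumed to arrive in timestamp order; the query and packet records are constructed sample data.

```python
"""Added example: 5-minute sliding-window thresholds for the DNS and port scan modules."""
from collections import defaultdict, deque
from typing import Deque, Dict, Iterable, List, Set, Tuple

WINDOW_SECONDS = 300  # the page's "over the last 5 minutes"

# Copies of the DNSScan and PortScan sections shown above.
DNS_SCAN = {"LoadDNSScanModule": True, "DNSTXTThreshold": 100, "DNSPTRThreshold": 100,
            "DNSAThreshold": 1000, "ExcludeIP": ["192.168.1.10"]}
PORT_SCAN = {"LoadPortScanModule": True, "SYNThreshold": 500, "RSTThreshold": 500,
             "PortThreshold": 500}


class SlidingCounter:
    """Per-key event counter over a trailing time window (events must arrive in time order)."""

    def __init__(self, window: float = WINDOW_SECONDS):
        self.window = window
        self._events: Dict[str, Deque[Tuple[float, object]]] = defaultdict(deque)

    def add(self, key: str, ts: float, value: object = None) -> None:
        q = self._events[key]
        q.append((ts, value))
        while q and ts - q[0][0] > self.window:  # drop events older than the window
            q.popleft()

    def count(self, key: str) -> int:
        return len(self._events[key])

    def distinct(self, key: str) -> int:
        return len({v for _, v in self._events[key]})


def dns_alerts(cfg: Dict, queries: Iterable[Tuple[float, str, str]]) -> Set[Tuple[str, str]]:
    """queries: (timestamp, source IP, record type). Returns (source, class) pairs over threshold."""
    if not cfg.get("LoadDNSScanModule", False):
        return set()
    thresholds = {"TXT": cfg["DNSTXTThreshold"], "PTR": cfg["DNSPTRThreshold"], "A": cfg["DNSAThreshold"]}
    excluded = set(cfg["ExcludeIP"])
    counter, alerts = SlidingCounter(), set()
    for ts, src, qtype in queries:
        if src in excluded:
            continue
        bucket = "A" if qtype in ("A", "AAAA") else qtype  # A and AAAA share one threshold
        if bucket not in thresholds:
            continue
        key = f"{src}|{bucket}"
        counter.add(key, ts)
        if counter.count(key) > thresholds[bucket]:
            alerts.add((src, bucket))
    return alerts


def port_scan_alerts(cfg: Dict, packets: Iterable[Tuple[float, str, int, str]]) -> Set[Tuple[str, str]]:
    """packets: (timestamp, source IP, destination port, 'SYN' or 'RST')."""
    if not cfg.get("LoadPortScanModule", False):
        return set()
    counter, alerts = SlidingCounter(), set()
    for ts, src, dport, flag in packets:
        if flag not in ("SYN", "RST"):
            continue
        counter.add(f"{src}|{flag}", ts)            # per-flag packet count
        counter.add(f"{src}|ports", ts, dport)      # distinct ports touched
        if counter.count(f"{src}|{flag}") > cfg[f"{flag}Threshold"]:
            alerts.add((src, flag))
        if counter.distinct(f"{src}|ports") > cfg["PortThreshold"]:
            alerts.add((src, "ports"))
    return alerts


def sample_dns_queries() -> List[Tuple[float, str, str]]:
    """Constructed input: a PTR sweep, an excluded TXT-heavy host and a normal A/AAAA user."""
    q = [(float(t), "192.168.1.55", "PTR") for t in range(101)]   # 101 PTR > threshold 100
    q += [(float(t), "192.168.1.10", "TXT") for t in range(150)]  # excluded source
    q += [(float(t), "192.168.1.56", "A" if t % 2 else "AAAA") for t in range(100)]
    return sorted(q)


def sample_tcp_packets() -> List[Tuple[float, str, int, str]]:
    """Constructed input: a fast 501-port sweep and a slow sweep that never fills one window."""
    p = [(t * 0.1, "192.168.1.77", 1 + t, "SYN") for t in range(501)]
    p += [(float(t), "192.168.1.78", 1 + t, "SYN") for t in range(400)]
    p += [(1000.0 + t, "192.168.1.78", 401 + t, "SYN") for t in range(400)]
    return sorted(p)


if __name__ == "__main__":
    print("DNS:", dns_alerts(DNS_SCAN, sample_dns_queries()))
    print("TCP:", port_scan_alerts(PORT_SCAN, sample_tcp_packets()))
```

The slow sweep from 192.168.1.78 touches 800 ports in total but never more than 400 inside any 5-minute window, so it stays under PortThreshold; this is the trade-off a fixed window makes, and it is why the thresholds should be tuned against the traffic baseline measured during the Considerations step.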
SMB scan
This module monitors SMB connections to external IP addresses. Attackers can exploit various methods to trick local network computers into connecting to an attacker-controlled SMB server. This can lead to the capture of NetNTLMv2 hashes, which may be crackable, potentially exposing cleartext passwords.
The ExcludeIP setting allows you to specify trusted SMB server IP addresses that should be excluded from the analysis.
TOR scan
The use of the Tor network is not always an indicator of malicious activity. However, certain malware families—such as WhiteSnake, Raspberry Robin, and Agent Tesla—are known to communicate with their command-and-control (C2) servers via the Tor network.
The ExcludeIP setting allows you to specify trusted IP addresses from which Tor-related queries are allowed, preventing them from being flagged during analysis.
User agent scan
A malicious actor may use tools with known user agents when carrying out an attack. The MonitorPorts and BadUA values set the ports monitored by the module and the user agent strings to search for. The ExcludeIPUA and ExcludeIPHostHeader values define more specific rules for certain IP addresses, excluding their user agents or host headers from the analysis. The ExcludeHostHeader and ExcludeUA values specify host headers and user agents that are allowed within the internal network.
"UserAgentScan": {
  "LoadUAScanModule": true,
  "MonitorPorts": [
    80,
    5000,
    8000
  ],
  "BadUA": [
    "powershell",
    "ms-office",
    "MSOffice",
    "curl",
    "wget",
    "feroxbuster",
    "sqlmap"
  ],
  "ExcludeIPUA": [
    {
      "IP": "192.168.1.101",
      "UserAgent": "HomeAssistant/2024.5.5 httpx/0.27.0 Python/3.12"
    }
  ],
  "ExcludeIPHostHeader": [
    {
      "IP": "192.168.1.101",
      "HostHeader": "checkonline.home-assistant.io"
    }
  ],
  "ExcludeHostHeader": [
    ".adobe.com",
    ".amazontrust.com",
    "certs.apple.com",
    ".digicert.com",
    "dl.delivery.mp.microsoft.com",
    "dl.google.com",
    "drivers.amd.com",
    "go.microsoft.com"
  ],
  "ExcludeUA": [
    "ubuntu"
  ]
}
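The added example below (not Netagent's own code) evaluates the UserAgentScan settings against HTTP requests, showing the order in which the exclusions and BadUA patterns interact. Two details are this example's assumptions rather than documented behaviour: user agents are matched as case-insensitive substrings, and an ExcludeHostHeader entry with a leading dot (such as ".adobe.com") covers that domain and all of its subdomains while other entries must match the Host header exactly. The requests are constructed sample data.

```python
"""Added example: evaluating UserAgentScan rules against HTTP requests."""
from typing import Dict, List, Optional, Tuple

# Copy of the UserAgentScan section shown above.
USER_AGENT_SCAN = {
    "LoadUAScanModule": True,
    "MonitorPorts": [80, 5000, 8000],
    "BadUA": ["powershell", "ms-office", "MSOffice", "curl", "wget", "feroxbuster", "sqlmap"],
    "ExcludeIPUA": [{"IP": "192.168.1.101",
                     "UserAgent": "HomeAssistant/2024.5.5 httpx/0.27.0 Python/3.12"}],
    "ExcludeIPHostHeader": [{"IP": "192.168.1.101", "HostHeader": "checkonline.home-assistant.io"}],
    "ExcludeHostHeader": [".adobe.com", ".amazontrust.com", "certs.apple.com", ".digicert.com",
                          "dl.delivery.mp.microsoft.com", "dl.google.com", "drivers.amd.com",
                          "go.microsoft.com"],
    "ExcludeUA": ["ubuntu"],
}


def host_matches(pattern: str, host: str) -> bool:
    """Assumed rule: a leading dot covers the domain and its subdomains; otherwise exact match."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("."):
        return host.endswith(pattern) or host == pattern[1:]
    return host == pattern


def check_request(cfg: Dict, src: str, dport: int, host: str, ua: str) -> Optional[str]:
    """Return the BadUA pattern that fired, or None when the request is not reported.

    Exclusions are evaluated first, so an allow-listed host or agent is never flagged.
    Case-insensitive substring matching of user agents is this example's assumption.
    """
    if not cfg.get("LoadUAScanModule", False) or dport not in cfg["MonitorPorts"]:
        return None
    if any(r["IP"] == src and r["UserAgent"] == ua for r in cfg["ExcludeIPUA"]):
        return None
    if any(r["IP"] == src and host_matches(r["HostHeader"], host) for r in cfg["ExcludeIPHostHeader"]):
        return None
    if any(host_matches(p, host) for p in cfg["ExcludeHostHeader"]):
        return None
    ua_l = ua.lower()
    if any(p.lower() in ua_l for p in cfg["ExcludeUA"]):
        return None
    for pattern in cfg["BadUA"]:
        if pattern.lower() in ua_l:
            return pattern
    return None


# Constructed requests: (source IP, destination port, Host header, User-Agent).
SAMPLE_REQUESTS: List[Tuple[str, int, str, str]] = [
    ("192.168.1.120", 80, "intranet.example.internal",
     "Mozilla/5.0 (Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1"),  # reported
    ("192.168.1.120", 80, "downloads.adobe.com", "curl/8.5.0"),               # host allow-listed
    ("192.168.1.101", 8000, "checkonline.home-assistant.io", "curl/8.5.0"),   # IP + host excluded
    ("192.168.1.101", 80, "api.example.internal",
     "HomeAssistant/2024.5.5 httpx/0.27.0 Python/3.12"),                       # IP + UA excluded
    ("192.168.1.130", 443, "10.0.0.5", "sqlmap/1.8"),                          # port not monitored
    ("192.168.1.130", 5000, "10.0.0.5", "sqlmap/1.8"),                         # reported
    ("192.168.1.140", 80, "mirror.example.internal", "curl/8.5.0-ubuntu"),     # ExcludeUA wins
]


def scan_requests(cfg: Dict, requests: List[Tuple[str, int, str, str]]) -> List[Tuple[str, str]]:
    """Return (source IP, matched pattern) for every reported request."""
    hits = []
    for src, dport, host, ua in requests:
        pattern = check_request(cfg, src, dport, host, ua)
        if pattern:
            hits.append((src, pattern))
    return hits


if __name__ == "__main__":
    for src, pattern in scan_requests(USER_AGENT_SCAN, SAMPLE_REQUESTS):
        print(f"{src}: user agent matched {pattern!r}")
```

Note that the port 443 request is never inspected: MonitorPorts lists plaintext HTTP ports only, since the agent cannot read headers inside TLS without a decrypting proxy. The last sample shows why a broad ExcludeUA entry such as "ubuntu" should be reviewed carefully, because it suppresses a BadUA match on the same request.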
Network interface
The NetworkInterface value defines the network adapter used by Netagent.
Logging
Netagent can log all DNS, TCP, DHCP, and HTTP traffic into separate log files. Use the full path when specifying file names.