Features
Network Anomalies & Attack Detection
ASN
If your Linux server connects to ASN AS41231 (Canonical), this is fine—but if it starts connecting to Hetzner, OVH or Fastly, it may indicate poor sysadmin practices or a compromised host. The same applies to Windows servers.
- Alerts on traffic outside of whitelisted ASNs
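The ASN check described above, as an added example rather than the product's own code: each monitored host carries an allowlist of expected ASNs, and any outbound flow whose destination resolves to an ASN outside that list (or to no known ASN at all) raises an alert. The IP-to-ASN table, the flows and the allowlist are constructed sample data; a real deployment would resolve ASNs from a routing or GeoIP database.

```python
# Added example: alert on outbound flows whose destination ASN is outside the
# per-host allowlist. ASN_DB, ALLOWED_ASNS and SAMPLE_FLOWS are constructed.
from dataclasses import dataclass

# Constructed lookup: destination IP -> (ASN, organisation).
ASN_DB = {
    "185.125.190.36": (41231, "Canonical"),
    "95.216.0.10": (24940, "Hetzner"),
    "151.101.1.69": (54113, "Fastly"),
}

@dataclass
class Flow:
    src: str
    dst: str
    dport: int

# Per-host allowlist of expected ASNs (sample policy: an Ubuntu server
# should only talk to Canonical for package updates).
ALLOWED_ASNS = {
    "10.0.1.5": {41231},
}

def check_flows(flows, allowed=ALLOWED_ASNS, asn_db=ASN_DB):
    """Return one alert per flow whose destination ASN is not allowlisted
    for the source host. Hosts without an allowlist are not evaluated, so
    the check never fires on segments nobody has written a policy for."""
    alerts = []
    for f in flows:
        if f.src not in allowed:
            continue
        asn, org = asn_db.get(f.dst, (None, "unknown"))
        if asn not in allowed[f.src]:
            alerts.append({"src": f.src, "dst": f.dst, "dport": f.dport,
                           "asn": asn, "org": org})
    return alerts

# Constructed flows: one expected, two unexpected, one from an unmanaged host.
SAMPLE_FLOWS = [
    Flow("10.0.1.5", "185.125.190.36", 443),  # Canonical mirror: expected
    Flow("10.0.1.5", "95.216.0.10", 443),     # Hetzner: outside allowlist
    Flow("10.0.1.5", "203.0.113.9", 8080),    # not in ASN_DB: outside allowlist
    Flow("10.0.2.7", "95.216.0.10", 443),     # no allowlist: not evaluated
]

if __name__ == "__main__":
    for a in check_flows(SAMPLE_FLOWS):
        print(f"ALERT {a['src']} -> {a['dst']}:{a['dport']} "
              f"AS{a['asn']} ({a['org']})")
```

Unknown destinations are treated as violations on purpose: a host that should only reach its distribution mirror has no business talking to an address the ASN database cannot classify.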
DHCP
DHCP monitoring tracks and analyzes network DHCP traffic in order to create alerts on:
- Rogue DHCP servers
- Excessive DHCP requests
- Hostname/MAC flipping
- Known hostnames
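Three of the DHCP checks listed above, as an added example that is not part of the product: a server IP issuing OFFER or ACK messages without being on the authorised list is rogue, a MAC that requests leases under several different hostnames is flipping, and a MAC exceeding a request count inside a sliding window is flooding. The event format, the thresholds and the sample events are constructed assumptions.

```python
# Added example: rogue-server, hostname-flipping and request-burst checks over
# constructed DHCP events. Field names, thresholds and events are assumed.
from collections import defaultdict

KNOWN_DHCP_SERVERS = {"10.0.0.1"}  # assumed: the authorised DHCP server(s)
FLIP_THRESHOLD = 2                 # assumed: more than 2 hostnames per MAC
BURST_WINDOW_S = 60                # assumed: sliding window in seconds
BURST_THRESHOLD = 20               # assumed: DISCOVER/REQUEST per window

def find_rogue_servers(events, known=KNOWN_DHCP_SERVERS):
    """Server IPs seen handing out OFFER/ACK that are not authorised."""
    rogue = set()
    for e in events:
        if e["type"] in ("OFFER", "ACK") and e["server"] not in known:
            rogue.add(e["server"])
    return sorted(rogue)

def find_flipping_macs(events, threshold=FLIP_THRESHOLD):
    """MACs that requested leases under more distinct hostnames than allowed."""
    names = defaultdict(set)
    for e in events:
        if e["type"] == "REQUEST" and e.get("hostname"):
            names[e["mac"]].add(e["hostname"])
    return {mac: sorted(n) for mac, n in names.items() if len(n) > threshold}

def find_request_bursts(events, window_s=BURST_WINDOW_S, threshold=BURST_THRESHOLD):
    """MACs whose DISCOVER/REQUEST count exceeds the threshold in any window.
    Returns the count at the moment the threshold was first crossed."""
    by_mac = defaultdict(list)
    for e in events:
        if e["type"] in ("DISCOVER", "REQUEST"):
            by_mac[e["mac"]].append(e["ts"])
    bursty = {}
    for mac, times in by_mac.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window_s:
                start += 1  # slide the window forward
            if end - start + 1 > threshold:
                bursty[mac] = end - start + 1
                break
    return bursty

# Constructed events: one normal lease with a second, unauthorised OFFER,
# one MAC cycling through three hostnames, one MAC flooding DISCOVERs.
SAMPLE_EVENTS = [
    {"ts": 0, "type": "DISCOVER", "mac": "aa:bb:cc:00:00:01", "hostname": "host-a"},
    {"ts": 1, "type": "OFFER", "mac": "aa:bb:cc:00:00:01", "server": "10.0.0.1"},
    {"ts": 1, "type": "OFFER", "mac": "aa:bb:cc:00:00:01", "server": "10.0.0.99"},
    {"ts": 2, "type": "REQUEST", "mac": "aa:bb:cc:00:00:01", "hostname": "host-a"},
    {"ts": 2, "type": "ACK", "mac": "aa:bb:cc:00:00:01", "server": "10.0.0.1"},
    {"ts": 10, "type": "REQUEST", "mac": "aa:bb:cc:00:00:02", "hostname": "host-b"},
    {"ts": 20, "type": "REQUEST", "mac": "aa:bb:cc:00:00:02", "hostname": "host-c"},
    {"ts": 30, "type": "REQUEST", "mac": "aa:bb:cc:00:00:02", "hostname": "host-d"},
] + [{"ts": t, "type": "DISCOVER", "mac": "aa:bb:cc:00:00:03"} for t in range(25)]

if __name__ == "__main__":
    print("rogue servers:", find_rogue_servers(SAMPLE_EVENTS))
    print("flipping MACs:", find_flipping_macs(SAMPLE_EVENTS))
    print("request bursts:", find_request_bursts(SAMPLE_EVENTS))
```

The burst check uses a sliding window rather than fixed minute buckets so a flood that straddles a bucket boundary is still caught.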
DNS
DNS is a fundamental part of the Internet, but it can also be used to map a network or exfiltrate data. Monitoring DNS traffic enables the detection of potential threats and anomalies through:
- Excessive A/AAAA/HTTPS queries
- Excessive PTR/TXT queries
- Querying known bad names (IOCs integrated from MISP)
- Possible DGA domains
- Known bad IPs
- Known bad DNS names
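An added example of the DNS checks above, not code from the product: a DGA heuristic scores the registrable label on length, character entropy, vowel ratio and digit ratio, and a batch analyser combines that score with a known-bad name set (standing in for the MISP feed) and a per-host query counter for A/AAAA/HTTPS lookups. The threshold values, the IOC set and the query log are constructed; the label extraction assumes two-level public suffixes, which a production version would replace with a public suffix list.

```python
# Added example: DGA scoring plus known-bad and excessive-query checks over a
# constructed DNS query log. Thresholds and KNOWN_BAD are assumptions.
import math
from collections import Counter

KNOWN_BAD = {"bad.example.net"}  # placeholder for IOCs imported from MISP
QUERY_THRESHOLD = 3              # assumed: A/AAAA/HTTPS queries per host per batch
DGA_ALERT_SCORE = 3              # assumed: heuristic score that raises an alert
VOWELS = set("aeiou")

def registrable_label(name):
    """Label left of the public suffix. Simplification: assumes suffixes
    such as .com/.net are one label deep (no .co.uk handling)."""
    parts = name.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def shannon_entropy(s):
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def dga_score(name):
    """0..4: one point each for a long label, high entropy, few vowels and
    many digits. Human-chosen names rarely score above 1."""
    label = registrable_label(name)
    n = max(len(label), 1)
    score = 0
    if len(label) >= 12:
        score += 1
    if shannon_entropy(label) > 3.5:
        score += 1
    if sum(ch in VOWELS for ch in label) / n < 0.2:
        score += 1
    if sum(ch.isdigit() for ch in label) / n > 0.2:
        score += 1
    return score

def analyse(queries, known_bad=KNOWN_BAD, threshold=QUERY_THRESHOLD):
    """queries: iterable of (src_ip, qname, qtype). Returns (kind, src, detail)."""
    alerts = []
    per_host = Counter()
    for src, qname, qtype in queries:
        if qtype in ("A", "AAAA", "HTTPS"):
            per_host[src] += 1
        if qname.lower().rstrip(".") in known_bad:
            alerts.append(("known-bad-name", src, qname))
        elif dga_score(qname) >= DGA_ALERT_SCORE:
            alerts.append(("possible-dga", src, qname))
    for src, n in per_host.items():
        if n > threshold:
            alerts.append(("excessive-queries", src, str(n)))
    return alerts

# Constructed query log: a quiet host and a noisy one.
SAMPLE_QUERIES = [
    ("10.0.1.5", "ubuntu.com", "A"),
    ("10.0.1.5", "security.ubuntu.com", "AAAA"),
    ("10.0.1.9", "xk3j9qzv7wlp2bm.com", "A"),
    ("10.0.1.9", "bad.example.net", "A"),
    ("10.0.1.9", "mail.google.com", "HTTPS"),
    ("10.0.1.9", "www.google.com", "A"),
]

if __name__ == "__main__":
    for kind, src, detail in analyse(SAMPLE_QUERIES):
        print(f"ALERT {kind:18} {src:10} {detail}")
```

Scoring the registrable label rather than the full name keeps long but legitimate hostnames (CDN or cloud subdomains) from being penalised for their length alone.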
LDAP
Monitoring LDAP traffic can reveal signs of unauthorized enumeration or suspicious directory service activity.
- Alerts on excessive LDAP queries
Samba
- Alerts on SMB connections directed to the Internet
Tor
Traffic to known Tor relays is identified and raises an alert.
User-Agent
Analyzing user-agent strings helps uncover automated tools, telemetry and unauthorized applications operating in the environment, triggering alerts on:
- User-agents for known attack tools
- Unusual user-agents
Password Brute-Forcing
Observing authentication traffic helps detect brute-force attempts targeting login-protected services:
- Alerts on excessive connections to password-protected services
Inter-Network Movement
Monitoring traffic across network boundaries can identify lateral movement or violations of network segmentation policies:
- Alerts on connections between different network segments
Honeypot Functionality
The honeypot agent accepts incoming connections and raises:
- TCP & UDP alerts
Escaping Isolated Networks
An alert is sent to the client if an egress agent accesses the Internet from an air-gapped network segment.
Lateral Movement
- Alerts on workstation-to-workstation movement on defined ports
- Alerts on server-to-workstation movement on defined ports
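The segmentation and lateral-movement rules from the Inter-Network Movement and Lateral Movement sections, as one added example that is not the product's code: each connection is mapped to a source and destination segment, same-segment workstation traffic on defined ports and server-to-workstation traffic on those ports are flagged, and any cross-segment pair not in the permitted set is a segmentation violation. The segment map, the port set and the allowed directions are constructed policy.

```python
# Added example: segment-aware lateral-movement and segmentation-policy checks.
# SEGMENTS, LATERAL_PORTS, ALLOWED_CROSS and SAMPLE_CONNS are constructed.
import ipaddress

SEGMENTS = {
    "workstations": ipaddress.ip_network("10.0.10.0/24"),
    "servers": ipaddress.ip_network("10.0.20.0/24"),
    "admin": ipaddress.ip_network("10.0.30.0/24"),
}
# Ports on which peer movement is suspicious (assumed: SSH, SMB, RDP, WinRM).
LATERAL_PORTS = {22, 445, 3389, 5985}
# Permitted cross-segment directions as (source segment, destination segment).
ALLOWED_CROSS = {
    ("workstations", "servers"),
    ("admin", "servers"),
    ("admin", "workstations"),
}

def segment_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None  # not one of our internal segments

def evaluate(conn):
    """Return a verdict string for a suspicious connection, else None."""
    src_seg, dst_seg = segment_of(conn["src"]), segment_of(conn["dst"])
    if src_seg is None or dst_seg is None:
        return None  # Internet-bound or unknown; other checks cover it
    if src_seg == dst_seg:
        if src_seg == "workstations" and conn["dport"] in LATERAL_PORTS:
            return "workstation-to-workstation"
        return None
    if (src_seg, dst_seg) == ("servers", "workstations") and conn["dport"] in LATERAL_PORTS:
        return "server-to-workstation"
    if (src_seg, dst_seg) not in ALLOWED_CROSS:
        return f"segment-violation:{src_seg}->{dst_seg}"
    return None

def evaluate_all(conns):
    return [(v, c) for c in conns if (v := evaluate(c)) is not None]

# Constructed connections covering each branch.
SAMPLE_CONNS = [
    {"src": "10.0.10.5", "dst": "10.0.10.6", "dport": 445},   # peer SMB
    {"src": "10.0.10.5", "dst": "10.0.10.6", "dport": 8080},  # peer, undefined port
    {"src": "10.0.10.5", "dst": "10.0.20.3", "dport": 443},   # allowed direction
    {"src": "10.0.20.3", "dst": "10.0.10.5", "dport": 3389},  # server reaching back
    {"src": "10.0.20.3", "dst": "10.0.30.2", "dport": 22},    # servers -> admin
    {"src": "10.0.10.5", "dst": "203.0.113.9", "dport": 53},  # external
]

if __name__ == "__main__":
    for verdict, c in evaluate_all(SAMPLE_CONNS):
        print(f"ALERT {verdict:32} {c['src']} -> {c['dst']}:{c['dport']}")
```

Expressing the policy as an explicit set of permitted directions means the default for any new segment pair is "alert", which is the safer failure mode for a segmentation check.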
New Devices
In some networks, like public Wi-Fi, devices appear constantly. You may want alerts only for new devices on your servers or in your admin workstation segment.
- Alerts for new devices per network
Port-Scanning
- Alerts on ARP scans
- Alerts on port scans (either multiple ports per host or a single port across many hosts)
- Detects both TCP connect and SYN scans
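The port-scan checks above, as an added example rather than the product's detector: a vertical scan is one source touching many ports on one target, a horizontal scan is one source touching one port on many targets, and the scan technique is inferred from how the source behaved on ports that answered (handshake completed for a connect scan, SYN/ACK answered but never completed for a SYN scan). The per-connection state labels, the thresholds and the sample records are constructed.

```python
# Added example: vertical/horizontal scan detection with connect-vs-SYN
# classification over constructed connection records. Thresholds and the
# `state` vocabulary are assumptions.
from collections import defaultdict

VERTICAL_THRESHOLD = 10    # assumed: distinct ports on one target from one source
HORIZONTAL_THRESHOLD = 10  # assumed: distinct targets on one port from one source

# Record states (constructed vocabulary):
#   open_completed  - target answered SYN/ACK and the handshake completed
#   open_halfopen   - target answered SYN/ACK, source tore down without ACK
#   closed          - target answered RST

def classify_technique(states):
    """Connect scans complete handshakes on open ports; SYN scans never do."""
    if "open_completed" in states:
        return "connect"
    if "open_halfopen" in states:
        return "syn"
    return "unknown"  # only closed ports seen; nothing to distinguish

def detect_scans(records, vthresh=VERTICAL_THRESHOLD, hthresh=HORIZONTAL_THRESHOLD):
    ports_per_target = defaultdict(set)   # (src, dst)   -> ports touched
    targets_per_port = defaultdict(set)   # (src, dport) -> targets touched
    states_per_src = defaultdict(set)     # src -> states observed
    for r in records:
        ports_per_target[(r["src"], r["dst"])].add(r["dport"])
        targets_per_port[(r["src"], r["dport"])].add(r["dst"])
        states_per_src[r["src"]].add(r["state"])
    alerts = []
    for (src, dst), ports in ports_per_target.items():
        if len(ports) >= vthresh:
            alerts.append({"type": "vertical", "src": src, "target": dst,
                           "count": len(ports),
                           "technique": classify_technique(states_per_src[src])})
    for (src, dport), dsts in targets_per_port.items():
        if len(dsts) >= hthresh:
            alerts.append({"type": "horizontal", "src": src, "port": dport,
                           "count": len(dsts),
                           "technique": classify_technique(states_per_src[src])})
    return alerts

# Constructed records: a SYN sweep of 12 ports on one server, a connect sweep
# of port 445 across 12 workstations, and one ordinary HTTPS connection.
SAMPLE_RECORDS = []
for p in (21, 22, 23, 25, 80, 110, 135, 139, 143, 443, 445, 3389):
    SAMPLE_RECORDS.append({"src": "10.0.10.50", "dst": "10.0.20.3", "dport": p,
                           "state": "open_halfopen" if p in (22, 80) else "closed"})
for i in range(1, 13):
    SAMPLE_RECORDS.append({"src": "10.0.10.51", "dst": f"10.0.10.{i}", "dport": 445,
                           "state": "open_completed" if i <= 3 else "closed"})
SAMPLE_RECORDS.append({"src": "10.0.10.5", "dst": "10.0.20.3", "dport": 443,
                       "state": "open_completed"})

if __name__ == "__main__":
    for a in detect_scans(SAMPLE_RECORDS):
        print(f"ALERT {a['type']} scan from {a['src']} "
              f"({a['count']} {'ports' if a['type'] == 'vertical' else 'hosts'}, "
              f"{a['technique']})")
```

Counting distinct ports and targets rather than raw connections keeps a busy but legitimate client (many connections to one service) below the threshold.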
Metadata Analysis
All TCP connections and DNS queries can be logged to a central database (if configured). When you suspect data exfiltration or a compromised host, these logs let you reconstruct:
- How many connections, bytes, and packets originated from a machine in a given timeframe
- What DNS names were queried
- Which countries and ASNs the traffic went to
These tools are also great for network troubleshooting.
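The three reconstruction questions above, answered against a central database, as an added example that is not the product's schema or code: connection and DNS records are loaded into an in-memory SQLite database and queried per host and timeframe for connection, byte and packet totals, for the countries and ASNs the traffic went to, and for the names the host resolved. The schema, the column names and the records are constructed; ASN numbers are real allocations, the volumes are invented to show a transfer that would stand out.

```python
# Added example: per-host metadata queries over constructed connection and DNS
# logs in SQLite. Schema, column names and sample rows are assumptions.
import sqlite3

SCHEMA = """
CREATE TABLE conn (ts INTEGER, src TEXT, dst TEXT, dport INTEGER,
                   bytes_out INTEGER, pkts_out INTEGER, country TEXT, asn INTEGER);
CREATE TABLE dns  (ts INTEGER, src TEXT, qname TEXT, qtype TEXT);
"""

# Constructed rows: one host with a small update check and a large transfer
# to Hetzner space, plus an unrelated host. Timestamps are epoch seconds.
SAMPLE_CONN = [
    (1000, "10.0.1.5", "185.125.190.36", 443, 5_200, 40, "GB", 41231),
    (1100, "10.0.1.5", "95.216.0.10", 443, 750_000_000, 520_000, "DE", 24940),
    (1200, "10.0.1.5", "95.216.0.10", 443, 250_000_000, 180_000, "DE", 24940),
    (5000, "10.0.1.5", "185.125.190.36", 443, 4_800, 38, "GB", 41231),
    (1300, "10.0.1.9", "151.101.1.69", 443, 12_000, 90, "US", 54113),
]
SAMPLE_DNS = [
    (990, "10.0.1.5", "security.ubuntu.com", "A"),
    (1090, "10.0.1.5", "files.example-host.net", "A"),  # constructed name
    (1290, "10.0.1.9", "www.example.org", "A"),
]

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO conn VALUES (?,?,?,?,?,?,?,?)", SAMPLE_CONN)
    db.executemany("INSERT INTO dns VALUES (?,?,?,?)", SAMPLE_DNS)
    return db

def host_summary(db, host, t0, t1):
    """Connections, bytes and packets originated by `host` in [t0, t1]."""
    row = db.execute(
        "SELECT COUNT(*), COALESCE(SUM(bytes_out), 0), COALESCE(SUM(pkts_out), 0) "
        "FROM conn WHERE src = ? AND ts BETWEEN ? AND ?", (host, t0, t1)).fetchone()
    return {"connections": row[0], "bytes": row[1], "packets": row[2]}

def host_destinations(db, host, t0, t1):
    """(country, asn, connections, bytes) per destination network, largest first."""
    return db.execute(
        "SELECT country, asn, COUNT(*), SUM(bytes_out) FROM conn "
        "WHERE src = ? AND ts BETWEEN ? AND ? "
        "GROUP BY country, asn ORDER BY SUM(bytes_out) DESC", (host, t0, t1)).fetchall()

def host_queries(db, host, t0, t1):
    """Distinct names the host resolved in the window."""
    rows = db.execute(
        "SELECT DISTINCT qname FROM dns WHERE src = ? AND ts BETWEEN ? AND ? "
        "ORDER BY qname", (host, t0, t1))
    return [r[0] for r in rows]

if __name__ == "__main__":
    db = open_db()
    host, t0, t1 = "10.0.1.5", 900, 2000
    print(host_summary(db, host, t0, t1))
    for country, asn, n, b in host_destinations(db, host, t0, t1):
        print(f"  {country} AS{asn}: {n} connections, {b} bytes")
    print("  queried:", host_queries(db, host, t0, t1))
```

Windowing the DNS query slightly earlier than the connection window (as the sample does with the 990 s lookup) is usually what you want: the resolution that led to a transfer happens just before the first packet.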