Network Agent
Package name: intrudect-netagent
This package listens on a network interface to which network traffic is mirrored from switches and attempts to identify anomalies or IOCs. It centrally logs metadata about TCP, DNS, DHCP and HTTP traffic.
Considerations
Before deploying Network Agent, consider the following:
- If you haven't done so recently, start by reviewing your network documentation.
- Consider the amount of network traffic on your LAN. Do you need 10G/25G network cards and matching hardware, or is it a typical office network with low Office 365 traffic?
- If network traffic volume is unknown, it's best to install LibreNMS or Cacti to determine the actual traffic load.
- Evaluate how the network is segmented and decide how many Network Agent instances you need to install.
- If installing on a VM, ensure that a separate physical Ethernet adapter is directly assigned to the VM.
Configuration
The initial example (not default) configuration for Network Agent can be created in the web UI under Agents > Add new network agent. After saving and downloading it, store the configuration on the machine running the agent at /opt/intrudect-netagent/etc/config.json. Once in place, Network Agent will request an updated configuration from the web UI regularly.
All monitoring options are configured via Web UI -> Monitoring menu.
Network interface
The NetworkInterface defines the network adapter(s) used by Netagent.
Logging
Packets related to an alert can be saved to a PCAP file. SendPCAP indicates whether the related packets are sent as an attachment with the alert; it should always be true. SaveLocalPCAP saves alert-related PCAP files on the machine running Network Agent. These local files may contain more information than the attachment: the alert is sent as soon as the incident is detected, but while the alerted activity is still ongoing, packets continue to be appended to the local PCAP file.
Metadata logging
Remote indicates whether metadata is sent to the Web UI. Local can point to a local file; an empty value disables local logging.
Note
It is a good idea to exclude traffic from the Network Agent machine to the Web UI. Also exclude IP camera -> DVR and other similar high-volume, known-good traffic.
{
  "ReverseLookups": true,
  "DNSFlow": {
    "Local": "",
    "Remote": true,
    "IgnoreDomains": [
      "unifi"
    ],
    "BatchSize": 5000,
    "BatchTimeM": 5
  },
  "TCPFlow": {
    "Local": "",
    "Remote": true,
    "ExcludeDstIPPort": [
      "192.168.19.191:8000",
      "10.0.0.95:8000"
    ],
    "ExcludeSrcIPDstIPPort": null,
    "BatchSize": 5000,
    "BatchTimeM": 5
  },
  "HTTPFlow": {
    "Local": "",
    "Remote": true,
    "BatchSize": 1000,
    "BatchTimeM": 5
  },
  "DHCPFlow": {
    "Local": "",
    "Remote": true,
    "BatchSize": 500,
    "BatchTimeM": 1
  },
  "SendPCAP": true,
  "SaveLocalPCAP": false
}
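The following Python script is an added example and is not part of the intrudect-netagent package. It ties together the metadata logging options described above, the note about excluding agent-to-Web-UI and camera-to-DVR traffic, and the configuration shown here: it parses a config.json fragment, sanity-checks the options the page documents (SendPCAP must be true, each flow section needs a Remote or Local destination, batch values must be positive, exclusion entries must parse as IP:port), and then applies the TCPFlow exclusion lists to a few constructed flow records. The entry format for ExcludeSrcIPDstIPPort ("srcIP->dstIP:port") is an assumption for this example, since the page only shows null for that key; the sample flows and IP addresses are constructed.

```python
"""Check an intrudect-netagent config.json fragment and apply its TCPFlow
exclusions to sample flows. Added example; not the project's own code."""
import ipaddress
import json

# Constructed sample based on the config fragment shown on this page. The
# ExcludeSrcIPDstIPPort entry format "srcIP->dstIP:port" is an ASSUMPTION made
# for this example (the page only shows null for that key).
SAMPLE_CONFIG = """
{
  "ReverseLookups": true,
  "DNSFlow": {"Local": "", "Remote": true, "IgnoreDomains": ["unifi"],
              "BatchSize": 5000, "BatchTimeM": 5},
  "TCPFlow": {"Local": "", "Remote": true,
              "ExcludeDstIPPort": ["192.168.19.191:8000", "10.0.0.95:8000"],
              "ExcludeSrcIPDstIPPort": ["192.168.19.20->192.168.19.10:443"],
              "BatchSize": 5000, "BatchTimeM": 5},
  "HTTPFlow": {"Local": "", "Remote": true, "BatchSize": 1000, "BatchTimeM": 5},
  "DHCPFlow": {"Local": "", "Remote": true, "BatchSize": 500, "BatchTimeM": 1},
  "SendPCAP": true,
  "SaveLocalPCAP": false
}
"""

FLOW_SECTIONS = ("DNSFlow", "TCPFlow", "HTTPFlow", "DHCPFlow")


def load_config(text):
    """Parse config.json text; a trailing or doubled comma fails here, loudly."""
    return json.loads(text)


def parse_ip_port(entry):
    """Split "ip:port" into (ip_address, port); raises ValueError on bad input."""
    host, sep, port = entry.rpartition(":")
    if not sep:
        raise ValueError(f"missing port in {entry!r}")
    return ipaddress.ip_address(host), int(port)


def parse_src_dst(entry):
    """Split the assumed "srcIP->dstIP:port" form into (src_ip, (dst_ip, port))."""
    src, _, dst = entry.partition("->")
    return ipaddress.ip_address(src), parse_ip_port(dst)


def validate_config(cfg):
    """Return a list of problems; an empty list means the config looks sane."""
    problems = []
    if cfg.get("SendPCAP") is not True:
        problems.append("SendPCAP should always be true")
    for name in FLOW_SECTIONS:
        sec = cfg.get(name)
        if not isinstance(sec, dict):
            problems.append(f"{name}: section missing")
            continue
        if not sec.get("Remote") and not sec.get("Local"):
            problems.append(f"{name}: Remote is false and Local is empty, nothing is logged")
        for key in ("BatchSize", "BatchTimeM"):
            if not isinstance(sec.get(key), int) or sec[key] <= 0:
                problems.append(f"{name}: {key} must be a positive integer")
    tcp = cfg.get("TCPFlow", {})
    for key, parser in (("ExcludeDstIPPort", parse_ip_port),
                        ("ExcludeSrcIPDstIPPort", parse_src_dst)):
        for entry in tcp.get(key) or []:       # null disables the list
            try:
                parser(entry)
            except ValueError as exc:
                problems.append(f"TCPFlow.{key}: {exc}")
    return problems


def is_excluded(tcp_cfg, src_ip, dst_ip, dst_port):
    """True if a TCP flow matches either exclusion list, i.e. it is not logged."""
    dst = (ipaddress.ip_address(dst_ip), dst_port)
    if any(parse_ip_port(e) == dst for e in tcp_cfg.get("ExcludeDstIPPort") or []):
        return True
    src = ipaddress.ip_address(src_ip)
    return any(parse_src_dst(e) == (src, dst)
               for e in tcp_cfg.get("ExcludeSrcIPDstIPPort") or [])


def filter_flows(cfg, flows):
    """Return only the (src, dst, port) flows that would still be logged."""
    return [f for f in flows if not is_excluded(cfg["TCPFlow"], *f)]


# Constructed sample flows (src, dst, dst_port): camera -> DVR on 8000 (dropped by
# ExcludeDstIPPort), agent -> Web UI on 443 (dropped by the pair entry), a
# workstation -> Web UI (kept: different source) and an outbound HTTPS flow (kept).
SAMPLE_FLOWS = [
    ("192.168.19.50", "192.168.19.191", 8000),
    ("192.168.19.20", "192.168.19.10", 443),
    ("192.168.19.77", "192.168.19.10", 443),
    ("192.168.19.77", "198.51.100.7", 443),
]

if __name__ == "__main__":
    config = load_config(SAMPLE_CONFIG)
    print("problems:", validate_config(config) or "none")
    for flow in filter_flows(config, SAMPLE_FLOWS):
        print("would log:", flow)
```

Running the script against a real /opt/intrudect-netagent/etc/config.json (read the file instead of SAMPLE_CONFIG) catches the kind of stray comma that would make the agent reject the file, and the flow filter lets you confirm that the exclusions you wrote actually cover the agent-to-Web-UI and camera-to-DVR traffic before the metadata volume hits the Web UI.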