Detection and blocking tab
The Configuration: Detection and blocking tab is available for the Sensor or All-In-One (Pinbox). It includes the following options:
- Network traffic sniffing
  If Enabled, the Sensor will sniff traffic. Disabling this option automatically disables all options that depend on the traffic sniffing capabilities of the Sensor, including Detection, Sensor feed location, Blocking locations, Blocking, Payload and metadata upload, and Data enrichment.
  Enable this option for a sniffing Sensor. It can be left disabled for a Sensor performing active protocol monitoring, such as ICAP, email MTA, etc.
Detection
- Deep packet inspection
  If Enabled, the Sensor uses its full campaign detection capabilities, applying deep packet inspection heuristics to identify malicious interactions on the network.
  When Disabled, the Sensor only performs basic reputation checks and netflow processing on the contacted endpoints.
- On-the-wire webpage inspection
  If Enabled, the Sensor captures web content transiting the network and inspects all HTML and JavaScript content; if any suspicious element is detected, the content is submitted for in-depth analysis. Information on analyzed web content is available in the URLs view of the User Portal. If this analysis finds suspicious content, a network event is generated. These network events may also lead to a notification if notifications are configured for the network trigger type Suspicious URL.
Sensor feed location
The Sensor supports monitoring the traffic between clients and proxy or between proxy and internet. This section contains two toggles to change how the Sensor manages traffic depending on where it is physically located in the data center. When the Sensor is deployed on a network segment that has visibility into the traffic generated upstream from the HTTP proxy, enable the Monitor HTTP requests from an HTTP proxy. When the Sensor is deployed on a network segment that has visibility into the interactions between clients and an HTTP proxy, enable the Monitor HTTP requests towards an HTTP proxy.
- Monitor HTTP requests from an HTTP proxy
  You can monitor the traffic generated by the proxy towards the internet. If you do not enable this switch, traffic monitoring between the proxy and the internet will report all the devices located behind the proxy as if they had the IP address of the proxy. This can create confusion when correlating threats, as the proxy's IP address may be erroneously attributed as the source of the threat.
  If Enabled, the actual client address is extracted from the X-Forwarded-For header set by the proxy. Note that the system trusts X-Forwarded-For header values only for hosts that belong to the home network. Therefore, make sure that the IP address of the proxy as seen by the appliance belongs to the home network IP range. For more information on home network configuration, see Home network tab. This option should be enabled whenever you are monitoring traffic upstream from an HTTP proxy, for example, when the Sensor is deployed between the proxy and the Internet.
- Monitor HTTP requests towards an HTTP proxy
  You can monitor the traffic from the clients to the proxy.
  If Enabled, the actual destination is extracted from the HTTP request sent to the proxy. This option should be enabled whenever the Sensor is deployed on a network segment that allows monitoring interactions between HTTP clients and an HTTP proxy. For correlation purposes, the hostname of the website or resource being accessed provides more valuable information for detecting and responding to threats than the address of the proxy.
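The two proxy positions described above come down to two attribution rules: upstream of the proxy, take the client from X-Forwarded-For but only when the packet's source (the proxy) is inside the home network; between clients and the proxy, take the destination from the request-target (an absolute URI, or host:port for CONNECT) instead of the proxy's address. The following is an added example illustrating both rules; it is not the Sensor's code. The home-network ranges, the sample requests and the addresses in them are constructed for the example.

```python
import ipaddress
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Constructed home-network ranges (assumption for this example; on the appliance
# they come from the Home network tab). The proxy's address must lie inside them.
HOME_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]


def in_home_network(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOME_NETWORKS)


def parse_request(raw: bytes) -> Tuple[str, str, Dict[str, str]]:
    """Parse an HTTP/1.x request head into (method, request-target, headers).
    Header names are lower-cased; repeated headers are joined with commas."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name:
            headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return method, target, headers


def client_behind_proxy(src_ip: str, headers: Dict[str, str]) -> str:
    """Sensor upstream of the proxy: recover the real client from X-Forwarded-For,
    but only when the packet's source address (the proxy) is in the home network.
    Otherwise the header is untrusted and the observed source is reported as-is."""
    xff = headers.get("x-forwarded-for")
    if xff and in_home_network(src_ip):
        # The left-most entry is the originating client; later entries are
        # proxies the request has already passed through.
        first = xff.split(",")[0].strip()
        try:
            ipaddress.ip_address(first)
            return first
        except ValueError:
            pass  # malformed entry: fall back to the observed source
    return src_ip


def destination_towards_proxy(target: str, headers: Dict[str, str]) -> Optional[str]:
    """Sensor between clients and the proxy: the request-target carries an
    absolute URI (or host:port for CONNECT); otherwise use the Host header."""
    if "://" in target:
        return urlsplit(target).hostname
    if ":" in target and "/" not in target:  # CONNECT host:port
        return target.rsplit(":", 1)[0]
    host = headers.get("host", "")
    return host.split(":")[0] or None


# Constructed sample requests, not captures from a real network.
SEEN_FROM_PROXY = (b"GET /index.html HTTP/1.1\r\nHost: www.example.org\r\n"
                   b"X-Forwarded-For: 192.168.1.20, 10.0.0.5\r\n\r\n")
SEEN_TOWARDS_PROXY = (b"GET http://downloads.example.net/update.bin HTTP/1.1\r\n"
                      b"Host: downloads.example.net\r\n\r\n")
SEEN_CONNECT = b"CONNECT mail.example.org:443 HTTP/1.1\r\nHost: mail.example.org:443\r\n\r\n"


def attribute(src_ip: str, raw: bytes) -> Dict[str, Optional[str]]:
    """Return the client and destination the Sensor would record for a request seen from src_ip."""
    _method, target, headers = parse_request(raw)
    return {"client": client_behind_proxy(src_ip, headers),
            "destination": destination_towards_proxy(target, headers)}


if __name__ == "__main__":
    print(attribute("10.0.0.5", SEEN_FROM_PROXY))     # proxy in home network: client is 192.168.1.20
    print(attribute("203.0.113.7", SEEN_FROM_PROXY))  # source outside home network: header ignored
    print(attribute("10.1.2.3", SEEN_TOWARDS_PROXY))  # destination taken from the absolute URI
```

The second call shows why the home-network check matters: the same X-Forwarded-For header arriving from an address outside the home network is ignored, so an external host cannot make the Sensor attribute its traffic to an internal client.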
Blocking locations
The Sensor can block content at different locations in the network. You can select to block traffic within the home network, traffic outbound from the home network, and/or traffic inbound to the home network. You can select more than one blocking location.
The blocking pipeline used by the Sensor supports receiving feedback from slower detection mechanisms such as IDS rules or URL malicious reputation lists. The analysis may not complete quickly enough to respond to the initial flow that triggered it. Therefore, the first malicious request towards an endpoint may not be successfully blocked. To maximize the blocking success rate, blocking based on the slower detection pipelines is stateful. Once a given endpoint is flagged as malicious, all similar interactions with the endpoint are considered malicious and are blocked.
The scope of similar interactions can be selected:
- Flow blocking: The blocking action is limited to the same 4-tuple (src_ip, src_port, dst_ip, dst_port) that triggered the original alert.
- Host service blocking: The blocking action is extended to further interactions between the same client and the service (src_ip, dst_ip, and dst_port).
- Service blocking: Block any further interactions with the specific destination (dst_ip and dst_port).
Select the blocking locations and scope:
- Within home network
  If Enabled, the Sensor blocks traffic within the home network. Select the scope by clicking the radio button for Flow blocking, Host service blocking, or Service blocking.
- Outbound from home network
  If Enabled, the Sensor blocks traffic outbound from the home network. Select the scope by clicking the radio button for Flow blocking, Host service blocking, or Service blocking.
- Inbound to home network
  If Enabled, the Sensor blocks traffic inbound to the home network. Select the scope by clicking the radio button for Flow blocking, Host service blocking, or Service blocking.
- Block timeout (seconds)
  Set the blocking timeout. The default is 600 seconds. When an endpoint causes an alert, any matching requests during the timeout are blocked.
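The interaction between a slow verdict, the three scopes and the block timeout is easiest to see in a small simulation. The following is an added example, not the Sensor's implementation: it keeps a table of blocked scope keys with an expiry time, lets the first request through (the verdict is not available yet), and then judges follow-up connections under each scope. The flows, addresses and the `would_block` label for block test mode are constructed for the example; the 600-second default is the one stated on the tab.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Scope names mirror the three radio buttons on the tab.
FLOW, HOST_SERVICE, SERVICE = "flow", "host_service", "service"
DEFAULT_TIMEOUT = 600  # seconds, the tab's default Block timeout


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def scope_key(flow: Flow, scope: str) -> Tuple:
    """Reduce a flow to the tuple that defines a 'similar interaction' for the scope."""
    if scope == FLOW:          # same 4-tuple only
        return (flow.src_ip, flow.src_port, flow.dst_ip, flow.dst_port)
    if scope == HOST_SERVICE:  # same client talking to the same service
        return (flow.src_ip, flow.dst_ip, flow.dst_port)
    if scope == SERVICE:       # any client talking to the same service
        return (flow.dst_ip, flow.dst_port)
    raise ValueError(f"unknown scope {scope!r}")


class StatefulBlocker:
    """State kept between a slow verdict and the next matching packets.
    The clock is injectable so the timeout can be exercised without sleeping."""

    def __init__(self, scope: str, timeout: int = DEFAULT_TIMEOUT,
                 test_mode: bool = False, clock: Callable[[], float] = time.monotonic):
        self.scope, self.timeout, self.test_mode, self.clock = scope, timeout, test_mode, clock
        self.blocked: Dict[Tuple, float] = {}   # scope key -> expiry timestamp
        self.log: List[Tuple[str, Tuple]] = []  # what block test mode would have done

    def flag_malicious(self, flow: Flow) -> None:
        """Feedback from a slower pipeline (IDS rule, reputation list) once it has a verdict."""
        self.blocked[scope_key(flow, self.scope)] = self.clock() + self.timeout

    def decide(self, flow: Flow) -> str:
        """Return 'allow', 'block', or 'would_block' (block test mode only logs)."""
        key = scope_key(flow, self.scope)
        expiry = self.blocked.get(key)
        if expiry is None:
            return "allow"
        if self.clock() >= expiry:  # timeout elapsed: forget the entry
            del self.blocked[key]
            return "allow"
        action = "would_block" if self.test_mode else "block"
        self.log.append((action, key))
        return action


def simulate(scope: str, test_mode: bool = False) -> List[str]:
    """Replay a constructed sequence: the first request reaches the endpoint before
    the verdict arrives, then follow-up connections are judged under the scope."""
    now = [0.0]
    blocker = StatefulBlocker(scope, test_mode=test_mode, clock=lambda: now[0])
    first = Flow("10.1.2.3", 51000, "203.0.113.9", 443)   # constructed addresses
    decisions = [blocker.decide(first)]                    # no verdict yet -> allow
    blocker.flag_malicious(first)                          # slow pipeline flags the endpoint
    decisions.append(blocker.decide(first))                # same 4-tuple
    decisions.append(blocker.decide(Flow("10.1.2.3", 51001, "203.0.113.9", 443)))   # same client, new source port
    decisions.append(blocker.decide(Flow("10.1.2.77", 40000, "203.0.113.9", 443)))  # other client, same service
    now[0] += DEFAULT_TIMEOUT + 1                          # let the block timeout expire
    decisions.append(blocker.decide(Flow("10.1.2.3", 51002, "203.0.113.9", 443)))
    return decisions


if __name__ == "__main__":
    for scope in (FLOW, HOST_SERVICE, SERVICE):
        print(f"{scope:13s}", simulate(scope))
```

Under Flow blocking only a retransmission of the original 4-tuple is stopped; a new connection from the same client on a fresh source port goes through. Host service blocking catches that second connection, and Service blocking also catches other clients contacting the same destination. After the timeout every scope allows traffic again until a new verdict arrives.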
Blocking
The following options allow you to configure various blocking techniques on potentially malicious traffic detected by the Sensor.
Depending on your network configuration, some of these blocking techniques might not be effective. If this is the case, please discuss your network setup with VMware Support.
- Block test mode
  If Enabled, the Sensor logs all blocking actions but does not actually perform them. This allows you to verify that the expected behavior occurs before you make changes to the user environment.
- TCP Blocking: RST injection
  If Enabled, the Sensor blocks connections that have been detected as malicious (for example, a connection to a malware command and control server).
- HTTP blocking: HTTP redirection
  If Enabled, the Sensor redirects all HTTP traffic to the provided URL. You must enter a redirection URL in the textbox, for example https://lastline.example.com/blocked.php.
- UDP blocking: ICMP port unreachable injection
  If Enabled, the Sensor returns an ICMP port unreachable response to malicious port requests.
- DNS blocking: sinkholing
  If Enabled, the Sensor returns the sinkhole IP address in response to any DNS request. You must provide an IP address for a sinkhole server in the textbox.
  When DNS blocking: sinkholing is enabled, NX injection is disabled and cannot be changed.
- DNS Blocking: NX injection
  If Enabled, the Sensor intercepts domain look-ups. It injects a DNS response with the NX error flag set (domain does not exist) for any DNS request for a low reputation domain.
  When DNS blocking: NX injection is enabled, sinkholing is disabled and cannot be changed.
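The two DNS blocking modes differ only in the response the Sensor injects: NX injection answers with RCODE 3 (NXDOMAIN) and no answer records, while sinkholing answers with an A record pointing at the configured sinkhole address. The following is an added example that builds both responses for a query, so the wire-level difference can be inspected; it is not the Sensor's code. The query builder, the domain name and the sinkhole address are constructed for the example, and the sinkhole branch is limited to A/IN queries to keep the example short.

```python
import socket
import struct
from typing import Dict, Optional, Tuple

A_RECORD, CLASS_IN = 1, 1
RCODE_NXDOMAIN = 3
QR = 0x8000          # header flag: this message is a response
RA = 0x0080          # recursion available
RD = 0x0100          # recursion desired (copied from the query)
OPCODE_MASK = 0x7800


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels terminated by a zero-length label."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name: str, txid: int, qtype: int = A_RECORD) -> bytes:
    """Constructed client query (no EDNS) used as input for the example."""
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def _read_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Read a name at off, following one compression pointer if present; return (name, next offset)."""
    labels = []
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer: the name continues elsewhere
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            tail, _ = _read_name(msg, ptr)
            labels.append(tail)
            return ".".join(labels), off + 2
        off += 1
        if length == 0:
            return ".".join(labels), off
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def build_block_response(query: bytes, mode: str, sinkhole_ip: Optional[str] = None,
                         ttl: int = 60) -> bytes:
    """Craft the response injected for a low-reputation domain.
    mode is 'nx' (NX injection) or 'sinkhole'; the tab allows only one of the two."""
    txid, flags, qdcount = struct.unpack("!HHH", query[:6])
    if qdcount != 1:
        raise ValueError("example handles single-question queries only")
    _qname, qend = _read_name(query, 12)
    qtype, qclass = struct.unpack("!HH", query[qend:qend + 4])
    question = query[12:qend + 4]
    base_flags = QR | (flags & OPCODE_MASK) | (flags & RD) | RA
    if mode == "nx":
        header = struct.pack("!HHHHHH", txid, base_flags | RCODE_NXDOMAIN, 1, 0, 0, 0)
        return header + question                       # NXDOMAIN: question echoed, no answers
    if mode == "sinkhole":
        if qtype != A_RECORD or qclass != CLASS_IN:
            raise ValueError("sinkhole example answers A/IN queries only")
        # Answer RR whose name is a pointer (0xC00C) to the question name at offset 12.
        answer = (struct.pack("!HHHIH", 0xC00C, A_RECORD, CLASS_IN, ttl, 4)
                  + socket.inet_aton(sinkhole_ip))
        header = struct.pack("!HHHHHH", txid, base_flags, 1, 1, 0, 0)
        return header + question + answer
    raise ValueError(f"unknown mode {mode!r}")


def summarize(resp: bytes) -> Dict[str, object]:
    """Decode the fields a resolver acts on: txid, rcode and the first A answer, if any."""
    txid, flags, _qdcount, ancount = struct.unpack("!HHHH", resp[:8])
    qname, off = _read_name(resp, 12)
    off += 4                                          # skip qtype/qclass
    answer_ip = None
    if ancount:
        _name, off = _read_name(resp, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == A_RECORD and rdlen == 4:
            answer_ip = socket.inet_ntoa(resp[off:off + 4])
    return {"txid": txid, "qname": qname, "rcode": flags & 0x000F,
            "is_response": bool(flags & QR), "answer_ip": answer_ip}


if __name__ == "__main__":
    q = build_query("lowrep.example", 0x1234)         # constructed low-reputation domain
    print(summarize(build_block_response(q, "nx")))
    print(summarize(build_block_response(q, "sinkhole", "10.99.0.1")))
```

Both responses copy the query's transaction ID and question so the client's resolver accepts them. The practical difference for the defender is what the client sees next: with NX injection the lookup simply fails, whereas with sinkholing the client connects to the sinkhole address, which gives a second place to observe and log the attempted connection.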
Payload and metadata upload
This section allows you to control what data is uploaded to the VMware backend or to your On-Premises Manager:
- Binaries upload
  If Enabled, the Sensor uploads all binaries that are transferred over the network so that they can be automatically analyzed in depth. This service is ideal for detecting unknown, targeted attacks. Attacks that make use of malicious binaries to compromise organizations can be dynamically analyzed with the high-resolution malware analysis components and detected.
- Alert pcap upload
  If Enabled, the Sensor uploads alert PCAPs. Whenever a malicious connection is detected, the network packet capture of the connection that caused the detection is uploaded. The uploaded PCAPs are automatically analyzed to refine the detection.
  The PCAPs are displayed and can be downloaded on the Network event details page. This information assists administrators with their forensic analysis of the detection.
- NTA data upload
  This toggle controls the upload of Network Traffic Analysis (NTA) data. These records are analyzed to identify anomalous activity. In certain cases, you may want to limit NTA processing to keep your data node requirements manageable.
  Note: Disabling the upload of any of these records may reduce the number of anomalies that are identified.
  If Disabled, the Sensor stops uploading NTA data. This also disables and hides Kerberos upload, Passive DNS upload, Netflow upload, SMB upload, TLS upload, and Web request upload.
- Kerberos upload
  If Enabled, the Sensor extracts Kerberos records and summarizes key information about the Kerberos requests and responses it observes.
- SMB upload
  If Enabled, the Sensor extracts SMB records and summarizes key information about the SMB transactions it observes.
- TLS upload
  If Enabled, the Sensor extracts TLS records and summarizes key information about the TLS requests and responses it observes.
- Netflow upload
  If Enabled, the Sensor extracts flow records and summarizes the traffic flows it observes.
- Passive DNS upload
  If Enabled, the Sensor extracts passive DNS records and summarizes the DNS requests and responses it observes.
- Web request upload
  If Enabled, the Sensor extracts web request records and summarizes key information about the web requests and responses it observes.
Data enrichment
- Resolve hostnames
  If Enabled, the Sensor resolves internal IP addresses to domain names. Internal IP addresses are defined by the home network setting. For this feature to work, the Sensor needs to be configured with a DNS server providing such a mapping.
  If the home network is not defined, the Sensor defaults to performing reverse resolution for private networks.
When you are done, click the Save and deploy button to enable your changes. Otherwise click Cancel to discard any changes.
If you have not made any changes, click the Retrigger configuration button to reload the appliance configuration.
Click Back to appliance list to return to the Overview tab.