Detection and blocking tab

The Configuration: Detection and blocking tab is available for the Sensor or All-In-One (Pinbox). It includes the following options:

Network traffic sniffing

If Enabled, the Sensor sniffs traffic. Disabling this option automatically disables all options that depend on the traffic sniffing capabilities of the Sensor, including Detection, Sensor feed location, Blocking locations, Blocking, Payload and metadata upload, and Data enrichment.

Enable this option for a sniffing Sensor. It can be left disabled for a Sensor performing active protocol monitoring, such as ICAP, email MTA, etc.

Detection

Deep packet inspection

If Enabled, the Sensor utilizes its full campaign detection system capabilities. It applies deep packet inspection heuristics to identify malicious interactions on the network.

When Disabled, the Sensor only performs basic reputation checks and netflow processing on the contacted endpoints.

On-the-wire webpage inspection

If Enabled, the Sensor captures web content transiting in the network and submits it for in-depth analysis. It inspects all HTML and JavaScript content: if any suspicious element is detected, the content is submitted for in-depth analysis. Information on analyzed web content is available in the URLs view of the User Portal. If suspicious content is detected by this analysis, a network event will be generated. These network events may also lead to notification if notifications are configured for network trigger type Suspicious URL.

Sensor feed location

This section contains two toggles that change how the Sensor manages traffic depending on where it is physically located in the data center. When the Sensor is deployed on a network segment that has visibility into the traffic generated upstream from the HTTP proxy, enable the Monitor HTTP requests from an HTTP proxy option. When the Sensor is deployed on a network segment that has visibility into the interactions between clients and an HTTP proxy, enable the Monitor HTTP requests towards an HTTP proxy option.

Monitor HTTP requests from an HTTP proxy

If Enabled, the actual client address is extracted from the X-Forwarded-For header set by the proxy. This option should be enabled whenever you are monitoring traffic upstream from an HTTP proxy, for example, when the Sensor is deployed between the proxy and the Internet.

Monitor HTTP requests towards an HTTP proxy

If Enabled, the actual destination is extracted from the HTTP request sent to the proxy. This option should be enabled whenever the Sensor is deployed on a network segment that allows monitoring interactions between HTTP clients and an HTTP proxy.
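The two feed location modes recover different endpoints from the same HTTP request. The following added example (illustrative code, not the Sensor's implementation) shows the logic behind each toggle: in the "from an HTTP proxy" mode the client address is taken from X-Forwarded-For, walking the chain from the right so that only entries appended by trusted proxies count (the leftmost entries can be set by the client itself); in the "towards an HTTP proxy" mode the real destination is read from the absolute URI or CONNECT target in the request line, since the TCP destination is the proxy. The proxy addresses, the sample request and all endpoint values are constructed for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Addresses the operator knows to be HTTP proxies (constructed sample values;
# in the product this knowledge comes from the deployment, not from code).
TRUSTED_PROXIES = {"10.0.0.1", "10.0.0.5"}


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request head into (method, target, headers).

    Header names are lower-cased; repeated headers (X-Forwarded-For may
    legitimately appear more than once) are joined with commas.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return method, target, headers


def client_from_proxy(peer_ip: str, headers: dict, trusted_proxies: set) -> str:
    """'Monitor HTTP requests from an HTTP proxy' mode.

    The Sensor sees the proxy as the TCP peer; the proxy appended the address
    it received the request from to X-Forwarded-For. Only entries appended by
    trusted proxies are authoritative, so the chain is walked from the right
    and the first address that is not a trusted proxy is taken as the client.
    """
    if peer_ip not in trusted_proxies:
        return peer_ip  # no trusted proxy in front of us: the peer is the client
    hops = [h.strip() for h in headers.get("x-forwarded-for", "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return peer_ip  # malformed chain: fall back to what the wire shows
        if hop not in trusted_proxies:
            return hop
    return peer_ip  # every hop was a trusted proxy; nothing better than the peer


def destination_towards_proxy(target: str, headers: dict):
    """'Monitor HTTP requests towards an HTTP proxy' mode.

    A client talking to a forward proxy puts the absolute URI in the request
    line (or host:port for CONNECT), so the real destination comes from there
    rather than from the TCP destination, which is the proxy itself. Falls
    back to the Host header for origin-form requests.
    """
    if "://" in target:
        parts = urlsplit(target)
        return parts.hostname, parts.port or (443 if parts.scheme == "https" else 80)
    if "/" not in target and ":" in target:  # CONNECT host:port
        host, _, port = target.rpartition(":")
        return host, int(port)
    parts = urlsplit("//" + headers.get("host", ""))
    return parts.hostname, parts.port or 80


def endpoints(raw: bytes, peer_ip: str, trusted_proxies=TRUSTED_PROXIES):
    """Return (client_ip, (dst_host, dst_port)) for a captured request."""
    _method, target, headers = parse_request(raw)
    return client_from_proxy(peer_ip, headers, trusted_proxies), destination_towards_proxy(target, headers)


# Constructed sample: the request as it leaves proxy 10.0.0.1 towards the
# Internet. The client inserted a forged leading X-Forwarded-For entry.
SAMPLE_REQUEST = (
    b"GET http://www.example.com:8080/index.html HTTP/1.1\r\n"
    b"Host: www.example.com:8080\r\n"
    b"X-Forwarded-For: 198.51.100.9, 192.0.2.25, 10.0.0.5\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print(endpoints(SAMPLE_REQUEST, peer_ip="10.0.0.1"))
    # → ('192.0.2.25', ('www.example.com', 8080))
```

Note that the forged entry 198.51.100.9 is ignored: the Sensor position described on the page (between the proxy and the Internet) only lets it vouch for what the trusted proxies appended.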

Blocking locations

The Sensor can block content at different locations in the network. You can select to block traffic within the home network, traffic outbound from the home network, and/or traffic inbound to the home network. You can select more than one blocking location.

The blocking pipeline used by the Sensor supports receiving feedback from slower detection mechanisms such as IDS rules or URL malicious reputation lists. The analysis may not complete quickly enough to respond to the initial flow that triggered it. Therefore, the first malicious request towards an endpoint may not be successfully blocked. To maximize the blocking success rate, blocking driven by slower detection pipelines is stateful. Once a given endpoint is flagged as malicious, all similar interactions with the endpoint are considered malicious and are blocked.

The scope of similar interactions can be selected:

  • Flow blocking: The blocking action is limited to the same 4-tuple (src_ip, src_port, dst_ip, dst_port) that triggered the original alert.

  • Host service blocking: The blocking action is extended to further interactions between the same client and the service (src_ip, dst_ip, and dst_port).

  • Service blocking: Blocks any further interactions with the specific destination (dst_ip and dst_port).

Select the blocking locations and scope:

Within home network

If Enabled, the Sensor blocks traffic within the home network. Select the scope by clicking the radio button for Flow blocking, Host service blocking, or Service blocking.

Outbound from home network

If Enabled, the Sensor blocks traffic outbound from the home network. Select the scope by clicking the radio button for Flow blocking, Host service blocking, or Service blocking.

Inbound to home network

If Enabled, the Sensor blocks traffic inbound to the home network. Select the scope by clicking the radio button for Flow blocking, Host service blocking, or Service blocking.

Block timeout (seconds)

Set the blocking timeout. The default is 600 seconds. When an endpoint causes an alert, any requests during the timeout will be blocked.

Blocking

The following options allow you to configure various blocking techniques on potentially malicious traffic detected by the Sensor.

Note:

Depending on your network configuration, some of these blocking techniques might not be effective. If this is the case, please discuss your network setup with VMware Support.

Block test mode

If Enabled, the Sensor logs all blocking actions but will not actually perform a block action. This allows you to ensure that the expected behavior occurs before you make changes to the user environment.
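The stateful blocking described under Blocking locations, the Block timeout and Block test mode fit together in one small state machine. The following added example (illustrative code, not the Sensor's implementation) models it: a slow detector's verdict arrives after the first flow has already been forwarded, later flows are matched against the table using the tuple that the selected scope defines, entries expire after the timeout, and in test mode decisions are logged but reported as "would_block" instead of being enforced. The flow addresses and timestamps are constructed for the example.

```python
from dataclasses import dataclass, field

# The three scopes offered on the tab for each blocking location.
FLOW_BLOCKING = "flow"
HOST_SERVICE_BLOCKING = "host_service"
SERVICE_BLOCKING = "service"

DEFAULT_TIMEOUT = 600.0  # seconds, the default Block timeout on the tab


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def scope_key(flow: Flow, scope: str) -> tuple:
    """Reduce a flow to the tuple that defines 'similar interactions' for a scope."""
    if scope == FLOW_BLOCKING:          # same 4-tuple only
        return (flow.src_ip, flow.src_port, flow.dst_ip, flow.dst_port)
    if scope == HOST_SERVICE_BLOCKING:  # same client to the same service
        return (flow.src_ip, flow.dst_ip, flow.dst_port)
    if scope == SERVICE_BLOCKING:       # any client to the same service
        return (flow.dst_ip, flow.dst_port)
    raise ValueError(f"unknown scope {scope!r}")


@dataclass
class BlockTable:
    """Stateful block table fed by slow detectors (IDS rules, reputation lists).

    flag() records the verdict for a flow; decide() is consulted for every
    later flow. With test_mode set, decisions are logged but reported as
    'would_block' so nothing is actually dropped.
    """
    scope: str
    timeout: float = DEFAULT_TIMEOUT
    test_mode: bool = False
    entries: dict = field(default_factory=dict)   # scope key -> expiry time
    log: list = field(default_factory=list)       # (time, action, scope key)

    def flag(self, flow: Flow, now: float) -> None:
        self.entries[scope_key(flow, self.scope)] = now + self.timeout

    def decide(self, flow: Flow, now: float) -> str:
        key = scope_key(flow, self.scope)
        expiry = self.entries.get(key)
        if expiry is None:
            return "pass"
        if now >= expiry:                  # block timeout elapsed
            del self.entries[key]
            return "pass"
        action = "would_block" if self.test_mode else "block"
        self.log.append((now, action, key))
        return action


def scenario(scope: str, test_mode: bool = False) -> list:
    """Replay the race the page describes: the detector's verdict arrives after
    the first flow was forwarded, so only later flows can be caught. Returns the
    decisions for [first flow, same client new port, other client, after timeout].
    """
    first = Flow("10.0.0.8", 51000, "203.0.113.10", 443)       # triggers the alert
    same_client = Flow("10.0.0.8", 51001, "203.0.113.10", 443)  # new source port
    other_client = Flow("10.0.0.9", 40000, "203.0.113.10", 443)
    table = BlockTable(scope=scope, test_mode=test_mode)
    decisions = [table.decide(first, now=0.0)]  # verdict not in yet: forwarded
    table.flag(first, now=1.0)                  # slow detector reports at t=1s
    decisions.append(table.decide(same_client, now=2.0))
    decisions.append(table.decide(other_client, now=2.0))
    decisions.append(table.decide(other_client, now=1.0 + DEFAULT_TIMEOUT))  # expired
    return decisions


if __name__ == "__main__":
    for scope in (FLOW_BLOCKING, HOST_SERVICE_BLOCKING, SERVICE_BLOCKING):
        print(scope, scenario(scope))
```

Running the scenario shows the trade-off the scope setting makes: Flow blocking never catches the follow-up connections (each uses a new source port), Host service blocking catches the same client's retries, and Service blocking also catches other clients contacting the flagged service until the timeout elapses.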

TCP Blocking: RST injection

If Enabled, the Sensor blocks connections that have been detected to be malicious (for example, a connection to a malware command and control server).

HTTP blocking: HTTP redirection

If Enabled, the Sensor redirects all HTTP traffic to the provided URL. You must enter a redirection URL in the textbox, for example https://lastline.example.com/blocked.php.

UDP blocking: ICMP port unreachable injection

If Enabled, the Sensor returns an ICMP port unreachable response to malicious port requests.

DNS blocking: sinkholing

If Enabled, the Sensor returns the sinkhole IP address in response to any DNS request. You must provide an IP address for a sinkhole server in the textbox.

When DNS blocking: sinkholing is enabled, NX injection is disabled and cannot be changed.

DNS Blocking: NX injection

If Enabled, the Sensor intercepts domain look-ups. It injects a DNS response with the NX error flag set (domain does not exist) for any DNS request for a low reputation domain.

When DNS blocking: NX injection is enabled, sinkholing is disabled and cannot be changed.
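The two DNS blocking options differ only in the response a blocked lookup receives: sinkholing answers with an A record for the configured sinkhole address, NX injection answers with RCODE 3 (NXDOMAIN), and the tab lets you enable only one of them. The following added example (illustrative code, not the Sensor's implementation) builds both kinds of response from a parsed query, the way a resolver or policy-based responder would, and encodes the mutual exclusion as a single mode setting. It models only the response payload, not the Sensor's on-the-wire delivery. The blocked name `malicious.invalid` and the sinkhole address 10.99.0.1 are constructed placeholders.

```python
import ipaddress
import struct

QTYPE_A = 1
QCLASS_IN = 1
RCODE_NXDOMAIN = 3
FLAG_QR = 0x8000  # message is a response
FLAG_RD = 0x0100  # recursion desired, copied from the query
FLAG_RA = 0x0080  # recursion available


def encode_qname(name: str) -> bytes:
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def decode_qname(msg: bytes, offset: int):
    """Read an uncompressed name; returns (name, offset after the name)."""
    labels = []
    while True:
        length = msg[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointers are not expected in a question")
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset


def build_query(txid: int, name: str, qtype: int = QTYPE_A) -> bytes:
    """Constructed sample query, as a stub resolver would send it."""
    header = struct.pack("!6H", txid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", qtype, QCLASS_IN)


class DnsBlockPolicy:
    """mode is 'nx' or 'sinkhole'; the two are mutually exclusive, as on the tab."""

    def __init__(self, mode: str, blocked_domains, sinkhole_ip: str = None):
        if mode not in ("nx", "sinkhole"):
            raise ValueError("mode must be 'nx' or 'sinkhole'")
        if mode == "sinkhole" and sinkhole_ip is None:
            raise ValueError("sinkholing requires a sinkhole IP address")
        self.mode = mode
        self.sinkhole_ip = sinkhole_ip
        self.blocked = {d.lower().rstrip(".") for d in blocked_domains}


def blocking_response(query: bytes, policy: DnsBlockPolicy):
    """Return the response the policy prescribes for a blocked name, else None."""
    txid, flags, qdcount, *_ = struct.unpack("!6H", query[:12])
    if qdcount != 1:
        return None
    name, offset = decode_qname(query, 12)
    qtype, _qclass = struct.unpack("!HH", query[offset:offset + 4])
    question = query[12:offset + 4]          # echoed back unchanged
    if name.lower() not in policy.blocked:
        return None                          # not ours to answer
    rflags = FLAG_QR | (flags & FLAG_RD) | FLAG_RA
    if policy.mode == "nx":                  # "domain does not exist"
        return struct.pack("!6H", txid, rflags | RCODE_NXDOMAIN, 1, 0, 0, 0) + question
    if qtype != QTYPE_A:                     # name exists, no record of that type
        return struct.pack("!6H", txid, rflags, 1, 0, 0, 0) + question
    rdata = ipaddress.IPv4Address(policy.sinkhole_ip).packed
    # Answer name is a pointer (0xC00C) to the question name at offset 12.
    answer = struct.pack("!HHHIH", 0xC00C, QTYPE_A, QCLASS_IN, 60, 4) + rdata
    return struct.pack("!6H", txid, rflags, 1, 1, 0, 0) + question + answer


def rcode(response: bytes) -> int:
    return struct.unpack("!H", response[2:4])[0] & 0x000F


def answer_ips(response: bytes) -> list:
    """A-record data from a response built above (one question, pointer names)."""
    _txid, _flags, _qd, ancount, *_ = struct.unpack("!6H", response[:12])
    _name, offset = decode_qname(response, 12)
    offset += 4                               # skip qtype/qclass
    ips = []
    for _ in range(ancount):
        _ptr, rtype, _rclass, _ttl, rdlen = struct.unpack("!HHHIH", response[offset:offset + 12])
        offset += 12
        if rtype == QTYPE_A:
            ips.append(str(ipaddress.IPv4Address(response[offset:offset + rdlen])))
        offset += rdlen
    return ips
```

Sinkholing keeps the client talking to an address you control, which is what makes the blocked connection visible to the network event and PCAP features; NX injection ends the lookup at the resolver with no follow-up connection to observe.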

Payload and metadata upload

This section allows you to control what data is uploaded to the VMware backend or to your On-Premises Manager:

Binaries upload

If Enabled, the Sensor uploads all binaries that are going over the network so that they can be automatically analyzed in-depth. This service is ideal for detecting unknown, targeted attacks. Attacks that make use of malicious binaries to compromise organizations can be dynamically analyzed with the high-resolution malware analysis components and detected.

Alert pcap upload

If Enabled, the Sensor uploads alert PCAPs. Whenever a malicious connection is detected, the network packet capture of the connection that caused this detection is uploaded. The uploaded PCAPs are automatically analyzed to refine the detection.

The PCAPs are displayed and can be downloaded on the Network event details page. This information assists administrators with their forensic analysis of the detection.

NTA data upload

This toggle controls the upload of Network Traffic Analysis (NTA) data. These records are then analyzed to identify anomalous activity. In certain cases, you may want to limit the NTA processing to make your data node requirements more manageable.

Note:

Disabling the upload of any of these records may reduce the number of anomalies that are identified.

If Disabled, the Sensor stops uploading NTA data. This also disables and hides Kerberos upload, Passive DNS upload, Netflow upload, SMB upload, TLS upload, and Web request upload.

Kerberos upload

If Enabled, the Sensor extracts Kerberos records and summarizes key information about the Kerberos requests and responses it observes.

SMB upload

If Enabled, the Sensor extracts SMB records and summarizes key information about the SMB transactions it observes.

TLS upload

If Enabled, the Sensor extracts TLS records and summarizes key information about the TLS requests and responses it observes.

Netflow upload

If Enabled, the Sensor extracts flow records and summarizes the traffic flows it observes.

Passive DNS upload

If Enabled, the Sensor extracts passive DNS records and summarizes the DNS requests and responses it observes.

Web request upload

If Enabled, the Sensor extracts web request records and summarizes key information about the web requests and responses it observes.

Data enrichment

Resolve hostnames

If Enabled, the Sensor is configured to resolve internal IP addresses to domain names. Internal IP addresses are defined by the home network setting. For this feature to work, the Sensor needs to be configured with a DNS server providing such mapping.

If the home network is not defined, the Sensor defaults to performing reverse resolution for private networks.

When you are done, click the Save and deploy button to enable your changes. Otherwise click Cancel to discard any changes.

If you have not made any changes, click the Retrigger configuration button to reload the appliance configuration.

Click Back to appliance list to return to the Overview tab.