Commit a custom record to monitor suspicious port activity

The ExtraHop platform can help you gain visibility and real-time access to early attack indicators on your network. One proactive security measure you can take is to monitor ports that you consider vulnerable to trojans and other malware.

For example, because 12345 is an easy-to-remember sequence, this number is often selected when configuring a default port number for a server or a program, making that port value a popular target with attackers.

In this walkthrough, you will write a trigger that commits each transaction over a suspicious port value to a record, and then you will create a query to view the collected records.

Prerequisites

  • You must have access to an ExtraHop system with a user account that has system and access administration privileges.
  • Your ExtraHop system must be connected to a recordstore.
  • Your network must be configured to allow traffic through port 12345.
  • Familiarize yourself with the concepts in this walkthrough by reading the Records and Triggers.
  • Familiarize yourself with the processes of creating triggers by completing the Trigger Walkthrough.

Write the trigger

In the following steps, you will write a trigger that looks for server traffic over port 12345 and then commits a custom record of each transaction to a recordstore.

  1. Log in to an ExtraHop system that is connected to a recordstore.
  2. Click the System Settings icon , and then click Triggers.
  3. Click Create.
  4. In the Name field, type Suspicious Port Activity.
  5. In the Events field, select FLOW_CLASSIFY.
  6. In the right pane, add the following trigger code to the editor:
    if (Flow.server && Flow.server.port === 12345) {
        commitRecord('Trojan', {
            description: 'Possible NetBus or other trojan',
            protocol:Flow.l7proto
        });
    }

    To capture all transactions over the port, the trigger invokes the Flow class. The trigger specifies "Trojan" as the record type and adds two properties to the record contents: a description and the protocol of the transaction, if known.

  7. Click Save.
  8. Click Show Advanced Options and then select Assign to all devices.
    Important:When creating your own triggers, assign triggers only to the specific devices that you need to collect metrics from to minimize the performance impact of your triggers on the ExtraHop system.
  9. Click Save and Close, and then let the trigger run for at least ten minutes.

Query and view the custom records

In the following steps, you will search for the custom records committed to the recordstore and create a saved record query based on the search criteria.

  1. From the top-level navigation, click Records.
  2. From the Any Record Type drop-down menu, select Trojan.
  3. Click View Records.
  4. From the Fields drop-down menu, select Select All.
  5. Click the Verbose View icon.
    The content pane displays the custom record fields. In addition to the description and protocol fields specified in the trigger, the record includes the following properties:
    • flowID
    • client
    • clientAddr
    • clientPort
    • server
    • serverAddr
    • serverPort
  6. Click the Save icon from the top right of the page.
  7. In the Name field, type Possible Trojans, and click Save.

Check records for malware indicators

If your system is hit by a malware attack or you learn about new malware that is circulating, you can check your records to see if your system has been targeted.

For example, if you learn that a new trojan is often sent through port 12345, you can open the saved Possible Trojans query you created above and check for the following activity:

  • Transactions occurring over unexpected protocols. For example, you might expect to see IMAP traffic over port 12345, but not SSH traffic.
  • Transactions occurring over unclassified protocols, which are displayed in the query results as tcp:12345. Unclassified protocols are not recognized by the ExtraHop system and might be suspicious.
  • Client IP addresses associated with transactions over unexpected or unclassified protocols, and if the IP address originated from an untrusted locale.
  • Time stamps of the transactions that you find questionable and that occurred during non-business hours.

Narrowing down suspicious transactions helps you determine if you have a malware problem so that you can get started on a resolution.

Last modified 2024-01-26