Solida systems SL-1000 User manual

USER MANUAL
Version 1.0
January 2017
WWW.SOLIDASYSTEMS.COM
SL-1000 Security Appliance

© SOLIDA SYSTEMS INTERNATIONAL 2016
Table of Contents

1. Introduction .... 4
1.1 Reputation Based Detection .... 4
1.2 Intrusion Detection and Prevention .... 4
1.3 Monitoring and Logging .... 4
2. Hardware Installation .... 5
2.1 Typical Configuration .... 6
3. Accessing the Web Applications .... 7
3.1 Management Port .... 7
3.2 Managing Users .... 8
4. Configuring the Appliance .... 9
4.1 Ethernet Port Configuration .... 9
4.2 Appliance Name .... 9
4.3 Deep Packet Inspection Configuration .... 10
4.4 Email Notification .... 11
4.4.1 Setting Up Email Notification .... 11
4.4.2 Email Notification .... 11
4.4.3 Instant Critical .... 12
4.4.4 Current Email Addr .... 12
4.4.5 New Email Addr .... 12
4.4.6 Event Notification Emails .... 12
4.4 Reputation Threat List Updates .... 13
4.4.1 About Tor Exit Nodes .... 14
4.5 Set Mobile Application Password .... 14
4.5 Setting the Time Zone .... 15
5. Reputation Based Detection .... 16
5.1 Overview .... 16
5.2 DGA List .... 16
5.3 List Updates .... 17
6. Intrusion Detection and Prevention Rules .... 19
6.1 Rule Overview .... 19
6.2 Rule List .... 19
6.3 Rule Sets .... 20
6.4 Activating a Rule Set .... 20
6.5 Operating Mode .... 21
6.6 Creating Custom Rules .... 21
6.7 Rule ID .... 22
7. Events and Event Severity .... 23
7.1 Event Overview .... 23
7.2 Event Severity .... 23
7.2.1 Low severity (colored green in the GUI) .... 24
7.2.2 Medium severity (colored orange in the GUI) .... 24
7.2.3 Critical severity (colored red in the GUI) .... 24
7.3 Source and Destination IP Addresses .... 24
8. Responding to Critical Events .... 25
9. System Software Updates .... 26
10. Support Bundle Generation .... 28
10.1 Generating a Support Bundle .... 28
10.2 Downloading a Support Bundle .... 28
11. Data Logging .... 30
11.1 Packet Logging .... 30
11.2 Dropped Packet Logging .... 30
11.3 Event Logging .... 30
11.4 HTTP Logging .... 31
11.5 Downloading Log Files .... 31
11.8 Deleting Log Files .... 32
12. Remote Monitoring .... 33
12.1 Solida Multi Introduction .... 33
12.2 Setting Up Remote Monitoring .... 33

1. Introduction

This manual contains instructions for how to configure and use the following Solida Systems
network security appliances:

    SL-1000    Dual Gigabit Ethernet ports

The SL-1000 appliance represents the latest in network security technology. It combines
functionality otherwise requiring several different devices. This next-generation firewall offers
reputation-based detection, intrusion detection and prevention, network traffic monitoring and
packet logging.

The next sections describe what some of these features mean for your network.

1.1 Reputation Based Detection

Solida Systems provides reputational threat intelligence in the form of a data feed hosted in the
cloud. This threat feed is updated hourly and includes malicious URLs, domain names and IP
addresses. These are harvested from various international threat intelligence sources.

The threat feed includes information about current threats such as ransomware, phishing sites,
trojans and many other threat categories.

1.2 Intrusion Detection and Prevention

Intrusion detection and prevention is implemented through a rule engine and deep packet
inspection (DPI). Solida Systems provides pre-defined rules and rule sets through the cloud-based
threat feed. A simple and intuitive configuration page is provided for users interested in writing
custom rules.

1.3 Monitoring and Logging

Tools are available to facilitate monitoring and evidence collection. Logs and evidence files are
written in PCAP format and are compatible with most industry-standard analysis tools.

2. Hardware Installation

The appliances include a set of four Gigabit Ethernet ports. They are located at the back of the
appliance.

Figure 2.1 SL-1000 backside view.

The Ethernet ports to the right side in the back are the high-speed ports used for the network
traffic and for the management. The connectors to the left (USB, VGA, COM) are not used and
must be left unplugged.

The appliance includes a 12 Volt power supply. Connect this power source to the small circular
connector on the bottom left side.

The high-speed Ethernet ports are named Port 0 and Port 1 on the SL-1000. The management port
is marked MGNT.

The default factory configuration for the high-speed Ethernet ports is:

    Port 0   (WAN)    WAN side    Internet-connected router
    Port 1   (LAN1)   LAN side    LAN-side network switch
    Port 2   (LAN2)   MGNT        Configuration and monitoring
    Port 3   (LAN3)   Unused

The default factory settings can be changed through the web configuration utility that is accessed
through a browser over the management port. The default IP address for this management port is
192.168.1.250. This address can be changed through the configuration application.

To access the configuration tool, enter the following in the browser:

    192.168.1.250/config

To access the monitoring tool, enter only the IP address in the browser:

    192.168.1.250

See chapter 3, Accessing the Web Applications, below for further information.

2.1 Typical Configuration

The most common setup is using the Solida appliance as an endpoint device. This allows all
incoming and outgoing data packets to be inspected. This offers the best protection against any
type of malicious traffic. The SL-1000 appliance operates in stealth mode. It does not require any
IP addresses for its ports other than for the MGNT (management) port.

Figure 2.2 Typical Installation

For larger networks it might be necessary to protect multiple sections of the network with
dedicated security appliances. For those installations make sure that the WAN port is connected
upwards (towards the Internet router side). Conversely, make sure the LAN side is connected to
the sub-partitioned network.

3. Accessing the Web Applications

The appliance contains two different applications. One application is used for system configuration
and another for monitoring. Both applications are password protected to prevent unauthorized
use. These applications are both accessed through the appliance management port.

3.1 Management Port

To access the configuration and monitoring applications, connect the management port to a
switch on the LAN side of the network. Open a browser on a computer connected to the same
network. Enter the MGNT port IP address in the browser as follows:

    192.168.1.250/config    for the configuration application
    192.168.1.250           for the monitoring application

If everything is configured correctly, a login page will appear in the browser window. Enter the
supplied user name and password to log in. Some networks might use an IP address range
other than 192.168.x.x, for example 10.32.x.x. If this is the case it will be required to change the
management port's IP address before the appliance is connected to the LAN-side switch.

To change the default IP address, directly connect a computer to the appliance through an
Ethernet cable. Make sure the computer's IP address is set manually, since a direct connection
bypasses any DHCP server. Start the configuration utility by entering the default IP address into
the browser followed by /config (http://192.168.1.250/config).

Log into the application and then navigate to the page named “Configuration”. Locate the box
called “Change Management Port IP Settings”. Change the IP address, netmask and gateway fields
to match the ones used in the network. An example is shown below:

Figure 3.1 Change management port IP setting box.

Once the “Activate” button is pressed, the appliance will be reconfigured with this new address
information. Remove the directly connected computer and connect the appliance to the LAN-side
switch.

3.2 Managing Users

The first time the user logs into either Web application a default factory username and password
will be used. After the first login it is recommended to create new users that will be allowed to
log in to the applications.

Creating and managing the user credentials is done through the configuration application. First
navigate to the “Configuration” page and then locate the box named “Manage Users”. To create a
new user, press the button named “Add User” and enter the new credentials in the indicated
fields.

Figure 3.2 Add new user box.

The drop-down menu at the top of the “Add New User” window contains two options:
“Monitoring Only” and “Configuration & Monitoring”. Select “Monitoring Only” for users that are
only allowed to log into the monitoring application. The monitoring application does not allow
changing any configuration parameters or modifying the detection rules.

4. Configuring the Appliance

The configuration page contains several different user-configurable areas. Each configuration
window includes a help button that provides detailed help for the option.

4.1 Ethernet Port Configuration

The two network packet transferring ports, port 0 and port 1, can be configured to either face the
Internet side or the LAN side. It makes no technical difference how these ports are configured. It is
recommended to keep the factory default setting.

Figure 4.1 Ethernet Port Configuration

Operating Mode – The only supported operation mode is Single LAN/WAN ports.

Port 0 usage – Selects if port 0 should be facing the Internet side or the LAN side.

Port 1 usage – Selects if port 1 should be facing the Internet side or the LAN side.

4.2 Appliance Name

An appliance should be given a name. The name can be used as an identifier if more than one
appliance is installed in a network or if Solida Multi will be used for multi-appliance monitoring.
The name can refer to the appliance's geographical location or be a simple name such as solida_1.

The figure below shows how to set the appliance name:

Figure 4.2 Setting the appliance name.

Enter the desired name and press the Activate button.

4.3 Deep Packet Inspection Configuration

Deep packet inspection (DPI) refers to the process that inspects all incoming and outgoing
network packets. The factory default setting applies DPI on all packets, both incoming and
outgoing. Only under very special circumstances should the factory default be changed.
Changing the factory default will prevent the appliance from detecting all possible malware and
other threats.

To change the factory default setting, start the configuration utility and navigate to
“Configuration”. Locate the block titled “Deep Packet Inspection Configuration”. It will look as
shown in the picture below.

Figure 4.3 Deep packet inspection configuration window.

The following settings are available:

    Packets from the Internet   - Inspect all packets (Factory default)
                                - Disable Inspection

    Packets from the LAN        - Inspect all packets (Factory default)
                                - Disable Inspection

    Malformed Packets           - Drop all malformed packets (Factory default)
                                - Do not drop malformed packets

Hackers sometimes intentionally generate network packets that are malformed. The reason might
be to try and confuse, or even crash, the system stacks in the computers connected to the
network. Letting the appliance drop these packets guarantees that they will not cause any
damage in the protected LAN.
4.4 Email Notification

The appliances have support for sending regular emails containing information about the number
of events in the system and their severity. This is a useful feature since it will not be required to
constantly monitor the appliance through the monitoring application.

4.4.1 Setting Up Email Notification

To set up email notification, log in to the configuration application and navigate to Admin –
Configuration. Locate the box called “Email Notifications”. The box will look as follows:

Figure 4.4 Email notification setup box.

4.4.2 Email Notification

This drop-down box contains four options.

    Disabled                    - Email notification disabled.
    Enabled, once per day       - Generates one email per day with event information.
    Enabled, once per 6 hours   - Generates four emails per day with event information.
    Enabled, once per hour      - Generates one email per hour with event information.

4.4.3 Instant Critical

This option, if enabled, will send out one email each time a critical event is generated. These
critical events require user intervention. Therefore it is important that such events are forwarded
to the user with minimum delay.

4.4.4 Current Email Addr

This text box shows the current email address in use, assuming this feature is enabled. This
address will be the recipient for the event status emails.

4.4.5 New Email Addr

Enter a valid email address into this box. This is the new address that will be used to receive these
emails.

Once the above fields have been filled in, press the “Activate” button. This will activate the new
configuration.

4.4.6 Event Notification Emails

The event notification emails are short but contain the vital information a user will need.

Figure 4.5 Example of an event notification email.

The most recent events for the past hour and the past 6 hours are shown separately to give a
clearer overview of the current status. Critical events require immediate user intervention and are
therefore marked clearly as critical for easy identification.

4.4 Reputation Threat List Updates

The Solida appliances obtain their threat information by downloading proprietary threat lists from
a cloud-based server. There are three categories of lists: the domain reputation blacklist, the IP
reputation blacklist and the Tor exit node list. The factory default is to allow all these lists to be
included in the cloud updates. Changing this factory default should only be done in very special
cases. Disabling a list opens the possibility of malicious packets being able to penetrate the
network and cause escalating damage.

To change the factory default setting, start the configuration utility and navigate to
“Configuration”. Locate the block titled “Reputation Threat List Updates”. It will look as shown in
the picture below.

Figure 4.6 Reputation threat list updates window

The following settings are available:

    Domain Reputation Blacklist   - Enabled – update once per hour (default)
                                  - Disabled

    IP Reputation Blacklist       - Enabled – update once per hour (default)
                                  - Disabled

    Tor Exit Nodes                - Enabled – update once per hour (default)
                                  - Disabled

4.4.1 About Tor Exit Nodes

The Tor exit nodes list contains the IP addresses of known Tor network end points. It is
common for hackers to use Tor exit nodes for their attack traffic to mask its origin. In some rare
cases the use of the Tor network is legitimate. Examples would be in countries that censor their
citizens' Internet traffic. In those circumstances the Tor network can be used to circumvent such
censorship. Then it is recommended to disable the inclusion of Tor endpoints in the IP blacklist.

4.5 Set Mobile Application Password

The appliance can be monitored with a mobile phone application. This application requires a
password to log into the cloud server that will provide the events and notifications to the
application.

Figure 4.7 Setting the mobile application password

4.5 Setting the Time Zone

The appliance uses time stamps for various events. Therefore it is required to set the time zone
in which the appliance is operating.

Figure 4.7 Setting the time zone

Select the desired time zone and press the Activate button.

5. Reputation Based Detection

5.1 Overview

The most basic form of intrusion and malware detection falls under the category of
reputation-based detection. This type of detection is performed by attempting to identify
communication with unfriendly hosts on the Internet. These are hosts that are believed to be
malicious, based upon a reputation for previous or ongoing malicious activities.

Reputation-based detection is performed by comparing requested IP addresses or domain names
against a reputation list of hosts with negative reputations. Solida appliances allow for
downloading lists based on domain names and IP addresses. The data in these lists is processed
and stored in hash tables, so that fast lookups can be performed against them in real time. These
lists are automatically downloaded from a cloud-based service provided by Solida Systems.

Both DNS queries and HTTP requests are monitored and compared against the reputation list. If a
hit is detected the request can be either flagged as suspicious or completely dropped. It is
important to recognize that a hit in a reputation blacklist doesn’t always mean a host is malicious.
Hosts that were previously infected might have been cleaned up, and the maintainers of the
reputation lists might not yet have registered this.

5.2 DGA List

The most important data in the threat feed is the list of Domain Generation Algorithm (DGA)
generated domain names. Many ransomware families and other serious malware use DGAs to
generate a large number of domain names. These domain names are used to try and connect with
their command and control (C2) servers. The large number of auto-generated domain names makes
it difficult to track and shut down these C2 servers.

Most DGA engines use time as the deciding factor for what domain name to generate. Using this
method, a hacker will be able to predict what domain names their malware will generate, so they
can be ready when the malware attempts to connect at any given time. When the hacker
decides it is time to provide C2 access to the malware, the hacker simply registers a domain name
with a commercial DNS service, for a domain that the malware DGA will generate in the near
future. When the malware tries this specific DGA-generated domain, a connection will suddenly be
made. At that point the malware knows it has found its C2 server.

The Solida threat list contains a very large number of DGA domain names. These domain names
are generated from actual DGA engines, harvested from malware collected from the Internet.
These DGA engines are run on a server, generating their time-based domain names. This way it
is possible to know in advance what domain names similar malware will generate in the wild at
any given point in time. The threat feed contains on average 750,000 domain names, covering a
time window of UTC – 48 hours to UTC + 24 hours. This gives a 72-hour sliding window that covers
all time zones worldwide. These domain names are written to a blacklist in the security appliances.
All outgoing DNS queries and URLs are verified against this list and dropped if a match is found.
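The hash-table lookups of 5.1 and the pre-computed 72-hour DGA window of 5.2, as an added example that is not Solida's code: the DGA is a constructed toy (a hash of the UTC hour, not any real malware's algorithm), the list contents, sample queries and the fixed clock `SAMPLE_NOW` are made up, and the actions follow the text (reputation and Tor hits flagged, DGA hits dropped, Tor exits folded into the IP blacklist unless disabled).

```python
import hashlib
import ipaddress
from collections import namedtuple
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# A verdict names the list that matched and the action taken: "flag" or "drop".
Verdict = namedtuple("Verdict", "list_name action")

# Fixed "now" for the constructed sample run (an assumption, not from the manual).
SAMPLE_NOW = datetime(2017, 1, 15, 12, tzinfo=timezone.utc)


def toy_dga(when: datetime) -> str:
    """Constructed time-seeded DGA: one domain per UTC hour from a hash of the timestamp.
    It stands in for the harvested engines the manual says Solida runs server-side; it
    is not any real malware's algorithm."""
    seed = when.astimezone(timezone.utc).strftime("%Y-%m-%d-%H").encode()
    return hashlib.sha256(seed).hexdigest()[:12] + ".example"


def dga_window(now: datetime, hours_back: int = 48, hours_fwd: int = 24) -> set:
    """Pre-generate every domain the DGA produces from now-48h up to now+24h: the
    72-hour sliding window that covers every time zone."""
    start = now.astimezone(timezone.utc).replace(minute=0, second=0, microsecond=0)
    start -= timedelta(hours=hours_back)
    return {toy_dga(start + timedelta(hours=h)) for h in range(hours_back + hours_fwd)}


class ReputationLists:
    """Python sets give the hash-table lookups the manual describes: O(1) per query."""

    def __init__(self, domains, ips, tor_exits, dga_domains, include_tor=True):
        self.domains = {d.lower().rstrip(".") for d in domains}
        self.dga = {d.lower() for d in dga_domains}
        self.ips = {ipaddress.ip_address(a) for a in ips}
        # Tor exits join the IP blacklist unless disabled (section 4.4.1); kept separate
        # so a hit is attributed to the right list.
        self.tor = {ipaddress.ip_address(a) for a in tor_exits} if include_tor else set()

    def check_domain(self, name: str):
        """Check the name and each parent (c.b.a.tld, b.a.tld, a.tld) so a listed zone
        also catches hosts under it. DGA hits are dropped; reputation hits are flagged."""
        labels = name.lower().rstrip(".").split(".")
        for i in range(len(labels) - 1):
            candidate = ".".join(labels[i:])
            if candidate in self.dga:
                return Verdict("dga", "drop")
            if candidate in self.domains:
                return Verdict("domain_reputation", "flag")
        return None

    def check_ip(self, addr: str):
        """IPv4 and IPv6 literals are normalised by ipaddress before the set lookup."""
        ip = ipaddress.ip_address(addr)
        if ip in self.tor:
            return Verdict("tor_exit", "flag")
        if ip in self.ips:
            return Verdict("ip_reputation", "flag")
        return None

    def check_http_request(self, url: str):
        """HTTP requests are judged by their host part: a domain name or an IP literal."""
        host = urlsplit(url).hostname or ""
        try:
            ipaddress.ip_address(host)
        except ValueError:
            return self.check_domain(host)
        return self.check_ip(host)


def build_lists(now: datetime, include_tor: bool = True) -> ReputationLists:
    """Constructed list contents standing in for one hourly cloud download."""
    return ReputationLists(
        domains=["malware-drop.test", "phish.example.net"],
        ips=["203.0.113.7", "2001:db8::bad"],
        tor_exits=["198.51.100.42"],
        dga_domains=dga_window(now),
        include_tor=include_tor,
    )


def classify_traffic(now: datetime = SAMPLE_NOW) -> dict:
    """Run constructed DNS queries and HTTP requests through the lists."""
    lists = build_lists(now)
    return {
        "dns_dga_now": lists.check_domain(toy_dga(now)),
        "dns_dga_in_30h": lists.check_domain(toy_dga(now + timedelta(hours=30))),
        "dns_subdomain": lists.check_domain("cdn.malware-drop.test."),
        "http_ip": lists.check_http_request("http://203.0.113.7/payload.bin"),
        "http_tor": lists.check_http_request("https://198.51.100.42:8443/"),
        "http_clean": lists.check_http_request("https://www.example.org/"),
    }


if __name__ == "__main__":
    for name, verdict in classify_traffic().items():
        print(f"{name:15} {verdict}")
```

The query for the domain 30 hours ahead misses because it lies outside the window, which is why the appliance refreshes the list every hour rather than relying on a single download.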

5.3 List Updates

The reputation lists are constantly being updated through a cloud-based threat feed offered by
Solida. The appliance automatically connects with this cloud service once every hour to download
new updated versions of the lists. This guarantees that the appliance always contains information
about the latest threats seen in the wild.

To monitor the list update process and the list sizes, start the configuration application and
navigate to “Threat Intelligence – Threat Lists”. A similar page is available at the same location in
the monitoring application. The page will look as follows:

Figure 5.1 Threat lists overview

In the box named “Reputation List Control Center” the following information is provided:

Next cloud update – Shows the time at which the next list update will be performed.

DGA Ransomware Entries – The number of DGA-generated domain names in this list.

Domain Reputation Entries – The number of domain names in this list.

IP Reputation Entries – The number of IP addresses (both IPv4 and IPv6) in this list.

TOR endpoints – The number of Tor endpoints, provided this list is included.

The above threat lists are not user modifiable.

6. Intrusion Detection and Prevention Rules

6.1 Rule Overview

To protect against intrusion attacks, Solida appliances rely on a rule engine that can perform deep
packet inspection (DPI) of Ethernet packets flowing through the appliance. The DPI engine can
inspect all packets and look for signatures and any combination of data patterns, such as port
scans, OS fingerprinting and vulnerability scans.

The DPI engine is controlled by detection rules. These rules instruct the DPI engine what to look
for in the packets and what action to take if a pattern match is detected.

Solida provides a set of system rules that includes protection from many types of penetration
attempts. An expert user can also create custom rules. Writing custom rules requires detailed
knowledge of rule writing and of the different types of packets flowing over a network. Such custom
rules can be created using the rule editor in the Solida configuration application. In most cases it is
recommended to use the system rules provided by Solida through the threat feed.

6.2 Rule List

Detection rules can be created and edited through the configuration application. Start the
application and navigate to “Rule List”. This will show a list of all available rules in the appliance.

Figure 6.1 Rule list in the configuration utility.

The column named “Category” shows which rules are Solida system rules and which rules have
been created by the user.

6.3 Rule Sets

A rule set is a collection of rules. Multiple rule sets can be created, each containing a different set
of rules. The appliance can be activated with one single rule set. Once a rule set has been
activated, the appliance will start its packet scanning using all the rules included in the rule set.

To display and create rule sets, start the configuration utility and navigate to “Rule Sets”. This will
show a list of all available rule sets.

Figure 6.2 Rule set list in the GUI configuration utility.

6.4 Activating a Rule Set

To activate a rule set, select the rule set by clicking on its row in the GUI. Then click the “Activate
Ruleset” button. This will perform an implicit sanity check of all the included rules, and then
upload these rules to the appliance.

Once this activation completes, the appliance will start using the new rules immediately.