The tools in the toolkit are implemented as command-line tools that function as stand-alone processes. When run, they first establish a connection to a FlowTraq Server, examine the Server's forensic history to establish baselines, and then begin detecting and logging behaviors.

The CLI tools are installed with FlowTraq Server in the /path/to/flowtraq/nbitools directory. You don't have to run the CLI tools from the host on which you installed FlowTraq Server.

Below is an overview of the detectors in the Toolkit.

ftbfg

The FlowTraq Behavioral Fingerprint Generator alerts on connections which it finds "unusual" based on baseline behavior observed during a learning period. Generally a training period is specified (last month, last year, ...), and optionally a filter (monitor outbound, one specific server, all non-HTTP, etc.). FTBFG quickly uses historical data to train, and applies smart behavioral algorithms to recognize related subnets, typical relationships, and external CDNs.

ftdos

The FlowTraq Denial-of-Service detector alerts on unusually high levels of incoming connections from one or more sources. As such, it can be used to detect both DDoS attempts as well as brute-force attacks such as password-guessing or "fuzzing". This detector can be configured to monitor a range of addresses and destination ports or simply to monitor all inbound traffic.

ftscan

The FlowTraq Scan detector detects both vertical (port) and horizontal (host) scans. Any host connecting to an unusually high number of ports, or to an unusually high number of other hosts, is logged. Threats such as worm propagation, advanced persistent threats, and cyber reconnaissance are detected with ftscan, as are spam relays.
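The following is an added example, not FlowTraq's own code, that shows the kind of fan-out logic ftscan is described as applying: it learns an "unusual" number of distinct destination hosts and ports per source from a baseline window, then flags sources in a later window that exceed it. The flow record shape, the mean + k*stdev threshold with a floor, and all sample addresses are assumptions constructed for the example.

```python
"""Toy scan detector in the spirit of ftscan (added example, not FlowTraq code).

Assumptions (not from the page): a flow record is a (src_ip, dst_ip, dst_port)
tuple, and the "unusual" threshold is learned from a baseline window as
mean + K * stdev of per-source fan-out, with a small floor so that a very
quiet baseline does not turn every second connection into an alert.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed baseline flows: ordinary clients talking to a handful of servers.
BASELINE_FLOWS = [
    ("10.0.0.5", "10.0.1.10", 443), ("10.0.0.5", "10.0.1.11", 443), ("10.0.0.5", "10.0.1.12", 80),
    ("10.0.0.6", "10.0.1.10", 443), ("10.0.0.6", "10.0.1.20", 53),
    ("10.0.0.7", "10.0.1.10", 443), ("10.0.0.7", "10.0.1.11", 443), ("10.0.0.7", "10.0.1.20", 53),
    ("10.0.0.8", "10.0.1.10", 22),
]

# Constructed detection window: one horizontal scan (many hosts, one port),
# one vertical scan (one host, many ports) and one ordinary client.
WINDOW_FLOWS = (
    [("192.0.2.99", f"10.0.1.{i}", 22) for i in range(1, 9)]
    + [("10.0.0.9", "10.0.1.10", p) for p in (21, 22, 23, 25, 80, 110, 443)]
    + [("10.0.0.5", "10.0.1.10", 443), ("10.0.0.5", "10.0.1.11", 443)]
)


def fan_out(flows):
    """Per source: number of distinct destination hosts and distinct destination ports."""
    hosts, ports = defaultdict(set), defaultdict(set)
    for src, dst, dport in flows:
        hosts[src].add(dst)
        ports[src].add(dport)
    return {src: (len(hosts[src]), len(ports[src])) for src in hosts}


def scan_thresholds(baseline_flows, k=3.0, floor=5):
    """Learn 'unusual' fan-out from the baseline: mean + k*stdev, never below floor."""
    profile = fan_out(baseline_flows)
    host_counts = [h for h, _ in profile.values()]
    port_counts = [p for _, p in profile.values()]
    return {
        "hosts": max(mean(host_counts) + k * pstdev(host_counts), floor),
        "ports": max(mean(port_counts) + k * pstdev(port_counts), floor),
    }


def detect_scans(window_flows, thresholds):
    """Return sorted (src, kind, count) for sources whose fan-out exceeds the learned threshold."""
    alerts = []
    for src, (n_hosts, n_ports) in fan_out(window_flows).items():
        if n_hosts > thresholds["hosts"]:
            alerts.append((src, "horizontal", n_hosts))   # one source, many destination hosts
        if n_ports > thresholds["ports"]:
            alerts.append((src, "vertical", n_ports))     # one source, many destination ports
    return sorted(alerts)


if __name__ == "__main__":
    th = scan_thresholds(BASELINE_FLOWS)
    for src, kind, n in detect_scans(WINDOW_FLOWS, th):
        unit = "hosts" if kind == "horizontal" else "ports"
        print(f"{kind:10s} scan from {src}: {n} distinct {unit}")
```

Running it reports the horizontal scan from 192.0.2.99 (8 distinct hosts) and the vertical scan from 10.0.0.9 (7 distinct ports); the ordinary client stays below the learned threshold. The floor matters: on a quiet baseline the learned mean + 3 stdev can be as low as three or four, and without it normal clients would be logged.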

fttcv

The FlowTraq Typical Connection Volume detector alerts on substantial changes in connection volume (either inbound or outbound) for any IP address in the monitored range. Time-of-day and time-of-week information is included in the behavioral signature to recognize periodic patterns intelligently. This detector can also pick up on new hosts in your network, hosts that disappear, and DNS amplification attacks.
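As an added illustration of the per-host, time-of-week baseline that fttcv is described as using (example code, not FlowTraq's own), the block below keeps a mean and standard deviation of hourly connection counts per host and (weekday, hour) slot, flags hosts whose current count deviates from that slot by more than k standard deviations, and also reports hosts that appear without a baseline or that stop reporting. The pre-aggregated record shape, the z-score rule, and all sample hosts and counts are constructed assumptions.

```python
"""Toy connection-volume baseline in the spirit of fttcv (added example, not FlowTraq code).

Assumptions (not from the page): per-host connection counts are pre-aggregated
into (host, weekday, hour, connections) records, one per hour; the baseline spans
several weeks so each (weekday, hour) slot has a mean and standard deviation; run
once over inbound and once over outbound counts to mirror the detector's two directions.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed baseline: four Mondays of hourly counts for three hosts (weekday 0 = Monday).
BASELINE = []
for busy, quiet, web in [(100, 5, 50), (110, 4, 52), (95, 6, 48), (105, 5, 50)]:
    BASELINE += [
        ("10.0.1.10", 0, 9, busy), ("10.0.1.10", 0, 3, quiet),  # busy at 09:00, idle at 03:00
        ("10.0.1.11", 0, 9, web),
        ("10.0.1.12", 0, 9, 20),
    ]

# Constructed current window: one Monday of observations.
WINDOW = [
    ("10.0.1.10", 0, 9, 400),   # roughly four times its usual 09:00 volume
    ("10.0.1.10", 0, 3, 6),     # normal for 03:00
    ("10.0.1.11", 0, 9, 49),    # normal
    ("10.0.1.99", 0, 9, 120),   # never seen in the baseline
    # 10.0.1.12 reports nothing this week
]


def build_baseline(records):
    """host -> {'slots': {(weekday, hour): (mean, sd)}, 'all': (mean, sd)}."""
    per_slot = defaultdict(lambda: defaultdict(list))
    for host, wd, hr, n in records:
        per_slot[host][(wd, hr)].append(n)
    stats = {}
    for host, slots in per_slot.items():
        everything = [n for counts in slots.values() for n in counts]
        stats[host] = {
            "slots": {slot: (mean(c), pstdev(c)) for slot, c in slots.items()},
            "all": (mean(everything), pstdev(everything)),
        }
    return stats


def detect_volume_anomalies(baseline, window, k=3.0, min_sd=1.0):
    """Return sorted (host, kind, detail) alerts: volume_change, new_host, disappeared."""
    stats = build_baseline(baseline)
    alerts, seen = [], set()
    for host, wd, hr, n in window:
        seen.add(host)
        if host not in stats:
            alerts.append((host, "new_host", n))
            continue
        # Fall back to the host's all-hours profile when this slot was never observed.
        mu, sd = stats[host]["slots"].get((wd, hr), stats[host]["all"])
        z = (n - mu) / max(sd, min_sd)   # min_sd avoids division by zero on flat baselines
        if abs(z) > k:
            alerts.append((host, "volume_change", round(z, 1)))
    for host in stats:
        if host not in seen:
            alerts.append((host, "disappeared", 0))
    return sorted(alerts)


if __name__ == "__main__":
    for host, kind, detail in detect_volume_anomalies(BASELINE, WINDOW):
        print(f"{host:12s} {kind:14s} {detail}")
```

The 03:00 count of 6 for 10.0.1.10 is not flagged even though it is above every baseline value for that slot, because the slot's own spread (floored at min_sd) absorbs it; the 09:00 count of 400 is flagged because it lies tens of standard deviations from that slot's mean. Keying the statistics by (weekday, hour) rather than by host alone is what stops a normal Monday-morning peak from looking like an anomaly.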