Filtering External-to-Internal Traffic

RITA, both as a standalone program and as a background tool in AC-Hunter, includes a setting called FilterExternalToInternal. This setting controls whether connections that originate on the Internet and land on one of your internal systems are shown to you or hidden.

As Threat Hunting tools, both RITA and AC-Hunter focus on outbound traffic – traffic from an Internal IP address to an External IP address – as they look for Command and Control traffic and related Threats. Inbound traffic (from an External IP address to an Internal IP address) would rarely – if ever – fall into this same category of C&C Threats. The problem is that you may see a large number of entries in AC-Hunter caused by incoming portscans that make it more difficult to see the actual threats. For this reason, our best recommendation for most networks is to ignore inbound traffic.

To decide how to set this value, please use these guidelines:

– If you 1) do not have any servers with public IPs you’ve declared as Internal, 2) do not allow port forwarding from your router back to internal machines, and 3) do not use other technologies such as VPNs to bring in connections, there are no circumstances where you’ll see Inbound traffic, so this setting will have no effect on your copy of AC-Hunter.

– If you do have Inbound traffic:

– …and are using AC-Hunter 6.1.0 or lower, you’ll see the inbound traffic by default.
– …and are using AC-Hunter 6.2.0 or higher, you will not see inbound traffic by default.
– …and set FilterExternalToInternal to “true”, you override the default and you will not see inbound traffic.
– …and set FilterExternalToInternal to “false”, you override the default and you will see inbound traffic.

To see how to set this value, see the “Analyzing incoming traffic” section of the AC-Hunter install guide, and set FilterExternalToInternal to your preferred value.

The downside of seeing this inbound traffic is that you’re likely to see a large number of incoming scans from the Internet that may push legitimate Threats out of your view. The downside of hiding this inbound traffic is that there’s a small chance that an Inbound connection could carry command and control traffic or a related Threat.
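The following Python script is an added illustration written for this FAQ entry; it is not RITA or AC-Hunter code. It models only the two rules stated above: how the effective value of FilterExternalToInternal is resolved from the AC-Hunter version and any explicit setting, and what hiding external-to-internal connections does to a constructed batch of connection records (three inbound scan attempts, one outbound connection, one internal-only connection). The Internal subnets, the Zeek-style field names and the sample addresses are assumptions chosen for the demonstration; adjust them to match your own declared Internal ranges.

```python
import ipaddress
from typing import Optional

# Constructed assumption: the RFC 1918 ranges stand in for the subnets you have
# declared as Internal to RITA / AC-Hunter. Replace with your own ranges.
INTERNAL_SUBNETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the declared Internal subnets."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_SUBNETS)


def direction(src: str, dst: str) -> str:
    """Classify a connection by where each endpoint sits relative to the Internal subnets."""
    src_int, dst_int = is_internal(src), is_internal(dst)
    if src_int and not dst_int:
        return "internal_to_external"   # outbound: where C&C beacons show up
    if not src_int and dst_int:
        return "external_to_internal"   # inbound: where Internet scans show up
    if src_int and dst_int:
        return "internal_to_internal"
    return "external_to_external"


def _version_tuple(version: str) -> tuple:
    return tuple(int(part) for part in version.split("."))


def effective_filter(ac_hunter_version: str, setting: Optional[bool]) -> bool:
    """Resolve FilterExternalToInternal following the FAQ's rules: an explicit
    true/false always wins; with no explicit value, the default is False (inbound
    shown) on 6.1.0 or lower and True (inbound hidden) on 6.2.0 or higher."""
    if setting is not None:
        return setting
    return _version_tuple(ac_hunter_version) >= (6, 2, 0)


# Constructed sample connections in a minimal Zeek conn.log-like shape.
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges standing in for "the Internet".
SAMPLE_CONNS = [
    {"id.orig_h": "203.0.113.5", "id.resp_h": "10.0.0.10", "id.resp_p": 22},    # inbound scan
    {"id.orig_h": "203.0.113.5", "id.resp_h": "10.0.0.10", "id.resp_p": 23},    # inbound scan
    {"id.orig_h": "203.0.113.5", "id.resp_h": "10.0.0.10", "id.resp_p": 445},   # inbound scan
    {"id.orig_h": "10.0.0.20", "id.resp_h": "198.51.100.7", "id.resp_p": 443},  # outbound, the one to hunt
    {"id.orig_h": "10.0.0.20", "id.resp_h": "10.0.0.30", "id.resp_p": 445},     # internal only
]


def filter_conns(conns: list, filter_external_to_internal: bool) -> list:
    """Apply only the FAQ's rule: when the setting is true, drop external-to-internal
    connections and keep everything else. Other RITA filters are not modelled here."""
    kept = []
    for conn in conns:
        if filter_external_to_internal and \
                direction(conn["id.orig_h"], conn["id.resp_h"]) == "external_to_internal":
            continue
        kept.append(conn)
    return kept


if __name__ == "__main__":
    for version, setting in (("6.1.0", None), ("6.2.0", None), ("6.2.0", False)):
        flag = effective_filter(version, setting)
        shown = filter_conns(SAMPLE_CONNS, flag)
        print(f"AC-Hunter {version}, FilterExternalToInternal={setting!r} -> effective {flag}: "
              f"{len(shown)} of {len(SAMPLE_CONNS)} connections shown")
```

Running the script shows the trade-off described above in miniature: with the filter in effect the three inbound scan records disappear and the outbound connection is the first thing left to look at; with the filter off, the scan records outnumber it.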


Direct Link to this FAQ Item: https://portal.activecountermeasures.com/support/faq/?Display_FAQ=5132

Category: Server Configurations & Functionality