cisco_umbrella_top-1m_domains_list

Differences

This shows you the differences between two versions of the page.

cisco_umbrella_top-1m_domains_list [2020/04/01 16:37] (current)
navaneeth created
Line 1: Line 1:
 +====== Cisco Umbrella Top 1M Domains List ======
 +
 +This app helps with providing guidelines for installing Cisco Umbrella Top 1M Domains List app in Trisul Network Analytics.
 +
 +**
 +To create a Domain Topper Counter that can be used in NSM to train the spotlight on least common domains seen in your network traffic.
 +**
 +
 +{{:​tips:​cisco-umbrella-app.png?​200|}}
 +
 +Some of the uses can be
 +
 +  - Visibility - To know the usage patterns outside the Top-1M in your enterprise.
 +  - Detect Outliers - To detect rare domains, those created by DGA, typically used by malware.
 +  - Iterative - To add white-list based on your enterprise and fine tune this list.
 +
 +<​note>​Added Quantcast-Top-1M to this as well. So any domain that is not in either of the lists can be truly said to be outside Top-1M</​note>​
 +
 +===== Installing =====
 +
 +  * To install this App logon as admin, then select App from //Web Admin > Manage > Apps > Umbrella Top1M//.
 +{{:​umbrella-top-1m.png?​600|}}
 +  * Post install , Run the '​installfeed.sh'​ script to keep the FireHOL list updated as shown below.
 +
 +**Pre-Requisites**
 +You need to install a few packages namely
 +  * Luajit - apt install luajit.
 +  * Unzip - apt install unzip.
 +  * Libleveldb - apt install libleveldb1v5.
 +
 +<​note>​For Ubuntu-18.04,​You should add the universe repository using 'sudo add-apt-repository universe'​.</​note>​
 +
 +===== Installing the Feed =====
 +
 +  * You must run the '​installfeed.sh'​ script in this folder to download the Umbrella-Top-1M list and keep it updated.
 +  * Run the following command,
 +
 +<​code>#​curl -O  https://​raw.githubusercontent.com/​trisulnsm/​apps/​master/​analyzers/​umbrella-top-1m/​installfeed.sh
 +#bash ./​installfeed.sh
 +</​code> ​
 +
 +<note important>​Please ensure you restart the probe after this step.</​note>​
 +
 +===== Viewing Data =====
 +
 +This APP adds a new counter group called '​Outside Umbrella Top-1M'​.To view the metrics,
 +
 +  - Go to //Retro > Retro Counters.//
 +  - Select a desired Time-frame and select '​Outside Umbrella Top-1M'​ COunter-group.
 +
 +{{:​tips:​outside-umbrella-counter.png?​600|}}
 +
 +
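Review bot: In the "Installing" section, the post-install bullet says installfeed.sh keeps "the FireHOL list" updated, but this page and the later "Installing the Feed" section are about the Umbrella-Top-1M list. The wording looks carried over from another app's page and should name the Umbrella list. In the code block, both commands start with '#' directly attached to the command ("#curl -O ...", "#bash ./installfeed.sh"), so a shell treats them as comments when pasted; drop the character or separate the prompt from the command. The same two lines fetch installfeed.sh from the master branch and run it straight away under what the '#' suggests is a root prompt. Suggest adding a step to read the script before running it, and linking a pinned commit rather than master so the reviewed script is the one that runs. Minor wording: the opening sentence ("This app helps with providing guidelines for installing ...") describes the page rather than the app, "COunter-group" should be "Counter-group", "'Outside Umbrella Top-1M'.To view" needs a space after the period, and "Ubuntu-18.04,You" needs a space and a lowercase "you".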
  
cisco_umbrella_top-1m_domains_list.txt · Last modified: 2020/04/01 16:37 by navaneeth