So, you have a homegrown system that you'd like ExtraHop to monitor, but it relies on a custom protocol. Maybe you wish you could track metrics communicated to a group of devices but the protocol isn't supported natively by the ExtraHop system. Or, you'd really like to go beyond header information and look for strings in payloads that indicate malware or security vulnerabilities. Not possible, right?
You're in luck! The ExtraHop system supports universal payload analysis (UPA) triggers, which parse the message and transaction payloads communicated over almost any TCP or UDP-based protocol, even if it's custom or unsupported.
To get you acquainted with UPA, I've written a step-by-step walkthrough in which you'll create a trigger that parses transactions over the Network Time Protocol (NTP), which isn't supported natively by the ExtraHop system.
NTP can be vulnerable to amplification attacks through NTP monlist commands, so the trigger analyzes the payload of NTP transactions for responses to one of these commands. If one occurs, the trigger sends an alert-level message to a remote syslog server through an open data stream. Don't worry, the walkthrough will show you how to set that up, too.
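To show what the trigger has to recognize in the payload, here is the NTP private-mode (mode 7) header check for a monlist response, written as an added example in plain JavaScript rather than code from the walkthrough or the ExtraHop trigger API; the byte layout follows ntpd's ntp_request.h, and the sample packets are constructed:

```javascript
// NTP mode 7 (private/control) header, per ntpd's ntp_request.h:
//   byte 0: R(1) M(1) version(3) mode(3)  -> response bit 0x80, mode in low 3 bits
//   byte 1: A(1) sequence(7)
//   byte 2: implementation number (3 = XNTPD)
//   byte 3: request code (20 = MON_GETLIST, 42 = MON_GETLIST_1)
//   bytes 4-5: err(4) nitems(12)     bytes 6-7: mbz(4) itemsize(12)
const MODE_PRIVATE = 7;
const MON_GETLIST = 20;
const MON_GETLIST_1 = 42;

// Parse the 8-byte mode 7 header; returns null for anything that is not mode 7.
function parseNtpPrivate(bytes) {
  if (bytes.length < 8) return null;
  if ((bytes[0] & 0x07) !== MODE_PRIVATE) return null;
  return {
    isResponse: (bytes[0] & 0x80) !== 0,
    more: (bytes[0] & 0x40) !== 0,
    version: (bytes[0] >> 3) & 0x07,
    sequence: bytes[1] & 0x7f,
    implementation: bytes[2],
    requestCode: bytes[3],
    errorCode: bytes[4] >> 4,
    itemCount: ((bytes[4] & 0x0f) << 8) | bytes[5],
    itemSize: ((bytes[6] & 0x0f) << 8) | bytes[7],
  };
}

// A monlist *response* (response bit set) is what an amplification victim
// receives, so only that direction is flagged; requests and other modes are not.
function isMonlistResponse(bytes) {
  const p = parseNtpPrivate(bytes);
  return p !== null && p.isResponse &&
    (p.requestCode === MON_GETLIST || p.requestCode === MON_GETLIST_1);
}

// Constructed sample: mode 7 response to MON_GETLIST_1 with 6 entries of 72 bytes.
const sampleMonlistResponse = Uint8Array.from([
  0x97,       // R=1, M=0, version 2, mode 7
  0x00,       // no auth, sequence 0
  0x03,       // implementation XNTPD
  0x2a,       // request code 42 = MON_GETLIST_1
  0x00, 0x06, // err 0, nitems 6
  0x00, 0x48, // mbz 0, itemsize 72
  ...new Array(6 * 72).fill(0), // entry bodies (zeroed for the sample)
]);
// Constructed sample: the matching request (response bit clear) must not match.
const sampleMonlistRequest = Uint8Array.from([0x17, 0x00, 0x03, 0x2a, 0, 0, 0, 0]);
// Constructed sample: an ordinary mode 3 client request must not match either.
const sampleClientRequest = Uint8Array.from([0x23, ...new Array(47).fill(0)]);
```

In a UPA trigger the same check would run over the UDP payload buffer of each NTP packet, with a match being the condition for the syslog alert.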
After you've completed the walkthrough, you can leverage the trigger to tighten controls around NTP responses. For example, you can create custom metrics based on information extracted with the trigger. With those custom metrics, you can create a dashboard to track NTP server activity or configure an alert that notifies you of responses to monlist commands.
We hope the walkthrough helps you discover what is possible with UPA to get the most out of your ExtraHop system. Let us know how it works out, or if you have any questions!