Netify Intelligence Plugin

The Netify Intelligence Plugin adds specific analytical capabilities to the Netify Agent. This module introduces SASE functionality, integrates cyber risk indicators, and utilizes alternate heuristics alongside stateful flow inspection for traffic analysis. It also provides event-driven insights and supports secondary flow inspections for context-aware network monitoring.

The plugin is designed to work alongside other plugins: integrators can send events using any of the standard Telemetry Sink plugins, and the plugin offers a level of integration with the Netify Processor Flow Actions plugin for implementing network policies.

The Netify Intel plugin was first released in Q4 2025. Netify Agent version 5.2 or later is required to install and run this plugin.


License

Netify Intel Plugin is a proprietary plugin requiring a license. Please contact us for details.

Installation

Netify plugins are distributed through the same packaging workflow as the Netify Agent, allowing for a consistent installation experience using standard package manager syntax. While pre-compiled binaries are readily available for x86_64 architectures via our public mirrors, support for ARM, MIPS, and other specialized architectures is available upon request. Please contact us for details.

Step 1 - Select your installation target:

Debian 12

Step 2 - Add Netify's package signing key and repository:

curl -fsSL https://download.netify.ai/5/debian/apt-gpg-key-netify.asc | sudo apt-key add -
echo 'deb http://download.netify.ai/5/debian/12/ /' | sudo tee /etc/apt/sources.list.d/netify.list > /dev/null

Step 3 - Install Netify Intelligence:

sudo apt update
sudo apt install netify-proc-intel

Debian 11

Step 2 - Add Netify's package signing key and repository:

curl -fsSL https://download.netify.ai/5/debian/apt-gpg-key-netify.asc | sudo apt-key add -
echo 'deb http://download.netify.ai/5/debian/11/ /' | sudo tee /etc/apt/sources.list.d/netify.list > /dev/null

Step 3 - Install Netify Intelligence:

sudo apt update
sudo apt install netify-proc-intel

Debian 10

Step 2 - Add Netify's package signing key and repository:

curl -fsSL https://download.netify.ai/5/debian/apt-gpg-key-netify.asc | sudo apt-key add -
echo 'deb http://download.netify.ai/5/debian/10/ /' | sudo tee /etc/apt/sources.list.d/netify.list > /dev/null

Step 3 - Install Netify Intelligence:

sudo apt update
sudo apt install netify-proc-intel

Ubuntu 24.04 (noble)

Step 2 - Add Netify's package signing key and repository:

curl -fsSL https://download.netify.ai/5/ubuntu/apt-gpg-key-netify.asc | sudo apt-key add -
echo 'deb http://download.netify.ai/5/ubuntu/noble/ /' | sudo tee /etc/apt/sources.list.d/netify.list > /dev/null

Step 3 - Install Netify Intelligence:

sudo apt update
sudo apt install netify-proc-intel

Ubuntu 22.04 (jammy)

Step 2 - Add Netify's package signing key and repository:

curl -fsSL https://download.netify.ai/5/ubuntu/apt-gpg-key-netify.asc | sudo apt-key add -
echo 'deb http://download.netify.ai/5/ubuntu/jammy/ /' | sudo tee /etc/apt/sources.list.d/netify.list > /dev/null

Step 3 - Install Netify Intelligence:

sudo apt update
sudo apt install netify-proc-intel

Ubuntu 20.04 (focal)

Step 2 - Add Netify's package signing key and repository:

curl -fsSL https://download.netify.ai/5/ubuntu/apt-gpg-key-netify.asc | sudo apt-key add -
echo 'deb http://download.netify.ai/5/ubuntu/focal/ /' | sudo tee /etc/apt/sources.list.d/netify.list > /dev/null

Step 3 - Install Netify Intelligence:

sudo apt update
sudo apt install netify-proc-intel

OpenWrt 24.10 (x86)

Step 2 - Add Netify's package signing key and repository:

wget https://download.netify.ai/5/openwrt/key-build.pub -O /etc/opkg/keys/b18c240cb821dad2
echo 'src/gz netify https://download.netify.ai/5/openwrt/24.10/x86' >> /etc/opkg/customfeeds.conf

Step 3 - Install Netify Intelligence:

opkg update
opkg install netify-proc-intel

OpenWrt 23.05 (x86)

Step 2 - Add Netify's package signing key and repository:

wget https://download.netify.ai/5/openwrt/key-build.pub -O /etc/opkg/keys/b18c240cb821dad2
echo 'src/gz netify https://download.netify.ai/5/openwrt/23.05/x86' >> /etc/opkg/customfeeds.conf

Step 3 - Install Netify Intelligence:

opkg update
opkg install netify-proc-intel

OpenWrt 22.03 (x86)

Step 2 - Add Netify's package signing key and repository:

wget https://download.netify.ai/5/openwrt/key-build.pub -O /etc/opkg/keys/b18c240cb821dad2
echo 'src/gz netify https://download.netify.ai/5/openwrt/22.03/x86' >> /etc/opkg/customfeeds.conf

Step 3 - Install Netify Intelligence:

opkg update
opkg install netify-proc-intel

OpenWrt 21.02 (x86)

Step 2 - Add Netify's package signing key and repository:

wget https://download.netify.ai/5/openwrt/key-build.pub -O /etc/opkg/keys/b18c240cb821dad2
echo 'src/gz netify https://download.netify.ai/5/openwrt/21.02/x86' >> /etc/opkg/customfeeds.conf

Step 3 - Install Netify Intelligence:

opkg update
opkg install netify-proc-intel

OpenWrt 19.07 (x86)

Step 2 - Add Netify's package signing key and repository:

wget https://download.netify.ai/5/openwrt/key-build.pub -O /etc/opkg/keys/b18c240cb821dad2
echo 'src/gz netify https://download.netify.ai/5/openwrt/19.07/x86' >> /etc/opkg/customfeeds.conf

Step 3 - Install Netify Intelligence:

opkg update
opkg install netify-proc-intel

openSUSE 15.5

Step 2 - Add Netify's package signing key and repository:

sudo rpm --import https://download.netify.ai/5/opensuse/15.5/stable/RPM-GPG-KEY-netify
sudo curl https://download.netify.ai/5/opensuse/netify.repo -o /etc/zypp/repos.d/repo-netify.repo

Step 3 - Install Netify Intelligence:

sudo zypper update
sudo zypper install netify-proc-intel

AlmaLinux 9

Step 2 - Add Netify's package signing key and repository:

sudo rpm --import https://download.netify.ai/5/almalinux/9/stable/RPM-GPG-KEY-netify
sudo curl https://download.netify.ai/5/almalinux/9/netify.repo -o /etc/yum.repos.d/netify.repo

Step 3 - Install Netify Intelligence:

sudo yum update
sudo yum install netify-proc-intel

AlmaLinux 8

Step 2 - Add Netify's package signing key and repository:

sudo rpm --import https://download.netify.ai/5/almalinux/8/stable/RPM-GPG-KEY-netify
sudo curl https://download.netify.ai/5/almalinux/8/netify.repo -o /etc/yum.repos.d/netify.repo

Step 3 - Install Netify Intelligence:

sudo yum update
sudo yum install netify-proc-intel

Rocky Linux 9

Step 2 - Add Netify's package signing key and repository:

sudo rpm --import https://download.netify.ai/5/rockylinux/9/stable/RPM-GPG-KEY-netify
sudo curl https://download.netify.ai/5/rockylinux/9/netify.repo -o /etc/yum.repos.d/netify.repo

Step 3 - Install Netify Intelligence:

sudo yum update
sudo yum install netify-proc-intel

Rocky Linux 8

Step 2 - Add Netify's package signing key and repository:

sudo rpm --import https://download.netify.ai/5/rockylinux/8/stable/RPM-GPG-KEY-netify
sudo curl https://download.netify.ai/5/rockylinux/8/netify.repo -o /etc/yum.repos.d/netify.repo

Step 3 - Install Netify Intelligence:

sudo yum update
sudo yum install netify-proc-intel

OPNsense 25.7

Step 2 - Add Netify's package signing key and repository:

mkdir -p /usr/local/etc/pkg/fingerprints/Netify/trusted
curl https://download.netify.ai/5/opnsense/fingerprint -o /usr/local/etc/pkg/fingerprints/Netify/trusted/fingerprint
cat << EOF >  /usr/local/etc/pkg/repos/Netify.conf
Netify: {
  fingerprints: "/usr/local/etc/pkg/fingerprints/Netify",
  url: "https://download.netify.ai/5/opnsense/25.7",
  signature_type: "fingerprints",
  mirror_type: "http",
  priority: 11,
  enabled: yes
}
EOF

Step 3 - Install Netify Intelligence:

pkg update
pkg install netify-proc-intel

OPNsense 24.7

Step 2 - Add Netify's package signing key and repository:

mkdir -p /usr/local/etc/pkg/fingerprints/Netify/trusted
curl https://download.netify.ai/5/opnsense/fingerprint -o /usr/local/etc/pkg/fingerprints/Netify/trusted/fingerprint
cat << EOF >  /usr/local/etc/pkg/repos/Netify.conf
Netify: {
  fingerprints: "/usr/local/etc/pkg/fingerprints/Netify",
  url: "https://download.netify.ai/5/opnsense/24.7",
  signature_type: "fingerprints",
  mirror_type: "http",
  priority: 11,
  enabled: yes
}
EOF

Step 3 - Install Netify Intelligence:

pkg update
pkg install netify-proc-intel

FreeBSD 15.0

Step 2 - Add Netify's package signing key and repository:

mkdir -p /usr/local/etc/pkg/fingerprints/Netify/trusted
curl https://download.netify.ai/5/freebsd/fingerprint -o /usr/local/etc/pkg/fingerprints/Netify/trusted/fingerprint
cat << EOF >  /usr/local/etc/pkg/repos/Netify.conf
Netify: {
  fingerprints: "/usr/local/etc/pkg/fingerprints/Netify",
  url: "https://download.netify.ai/5/freebsd/15.0",
  signature_type: "fingerprints",
  mirror_type: "http",
  priority: 11,
  enabled: yes
}
EOF

Step 3 - Install Netify Intelligence:

pkg update
pkg install netify-proc-intel

FreeBSD 14.0

Step 2 - Add Netify's package signing key and repository:

mkdir -p /usr/local/etc/pkg/fingerprints/Netify/trusted
curl https://download.netify.ai/5/freebsd/fingerprint -o /usr/local/etc/pkg/fingerprints/Netify/trusted/fingerprint
cat << EOF >  /usr/local/etc/pkg/repos/Netify.conf
Netify: {
  fingerprints: "/usr/local/etc/pkg/fingerprints/Netify",
  url: "https://download.netify.ai/5/freebsd/14.0",
  signature_type: "fingerprints",
  mirror_type: "http",
  priority: 11,
  enabled: yes
}
EOF

Step 3 - Install Netify Intelligence:

pkg update
pkg install netify-proc-intel

Setup

All plugins are disabled by default, and the Netify Intelligence plugin is no different. Use the --enable-plugin and --disable-plugin parameters to enable/disable the plugin:

netifyd --enable-plugin proc-intel
netifyd --disable-plugin proc-intel

Alternatively, you can edit /etc/netifyd/plugins.d/10-netify-proc-intel.conf and set enable to yes.

[proc-intel]
enable = no
plugin_library = ${path_plugin_libdir}/libnetify-proc-intel.so.0.0.0
conf_filename = ${path_state_persistent}/netify-proc-intel.json

Updates

To ensure your deployment benefits from the latest intelligence and detection improvements, it's recommended to regularly update the Netify Intel plugin. Updates may include new or improved core indicators, lists, performance optimizations, and enhanced detection logic.

Indicators

What Are Indicators?

Indicators are defined elements within the Netify Intel plugin that evaluate real-time network flows to detect patterns, assess risks, and identify actionable insights. Each indicator represents a distinct analytical rule or heuristic designed to match a specific set of conditions observed in live traffic.

Indicators may serve various functions, including:

  • Detecting anomalies or policy violations
  • Identifying security threats or behavioral risks
  • Providing context for SASE (Secure Access Service Edge) and cyber risk assessments
  • Enhancing stateful flow inspection with advanced heuristics

Core Indicators

Core indicators are developed, maintained, and validated by the eGloo team. They are included with each release of the Netify Intel plugin and are designed to deliver consistent and reliable analytics across deployments.

The Netify Intelligence resource section offers a comprehensive overview of the available indicators, providing insights into underlying features and associated cybersecurity risks.

Custom Indicators

Custom indicators can be defined by users or integrators to meet specific organizational or deployment needs. They allow administrators to extend the detection framework by introducing new conditions, thresholds, or behaviors beyond the core set provided by eGloo.

Configuration

Once the plugin has been enabled, it can be configured using the JSON configuration file specified in the plugin loader configuration. Indicators are initially defined and controlled in the configuration file: /etc/netifyd/netify-proc-intel.json

Each indicator entry may include the following options:

  • Enabled/Disabled - Controls whether the indicator is active.
  • Tweaks - Optional parameters that modify indicator behavior, such as sensitivity, thresholds, or reporting level.
  • Metadata - Descriptive information (e.g., category, severity, source).

Administrators can fine-tune indicators to align with network policies or sensitivity requirements. Any configuration changes are applied dynamically on a Netify agent reload event.

A full list of currently supported indicators, including descriptions and configuration parameters, is provided in the following section.

{
    "indicator_defaults": {
        "sink": {
            "flow_metadata": "none"
        },
        "criteria": {
            "min_bytes": 0,
            "min_score": 0,
            "trigger_on_east_west": true,
            "trigger_on_wan": true
        },
        "event_filter": [
            "dpi_complete"
        ]
    },
    "indicators": {
        "credentials_cleartext": {
            "enabled": false,
            "indicator_driver": "credentials_cleartext",
            "sink_targets": [ "default-socket" ]
        },
        "crypto_application": {
            "enabled": false,
            "indicator_driver": "crypto_application",
            "sink_targets": [ "default-socket" ]
        },
        "crypto_protocol": {
            "enabled": false,
            "indicator_driver": "crypto_protocol",
            "criteria": {
                "flow_expr": "!detection_guessed && local_bytes > 200 && other_bytes > 200;"
            },
            "sink_targets": [ "default-socket" ]
        },
        "crypto_server": {
            "enabled": false,
            "indicator_driver": "crypto_server",
            "sink_targets": [ "default-socket" ]
        },
        "custom_games": {
            "enabled": false,
            "indicator_driver": "custom",
            "criteria": {
                "flow_expr": "protocol != 'DNS' && category == 'games';"
            },
            "score": 50,
            "sink_targets": [ "default-socket" ]
        },
        "doh_scanner": {
            "enabled": false,
            "indicator_driver": "doh_scanner",
            "query": "google.com",
            "routes": [
                "/dns-query",
                "/"
            ],
            "timeout": 5,
            "cache_size_positive": 1000,
            "cache_size_negative": 1000,
            "cache_path_positive": "${path_state_persistent}/doh-positive.csv",
            "cache_path_negative": "${path_state_persistent}/doh-negative.csv",
            "sink_targets": [ "default-socket" ]
        },
        "dox_server": {
            "enabled": false,
            "indicator_driver": "dox_server",
            "proc_targets": [ "proc-nfa" ],
            "sink_targets": [ "default-socket" ]
        },
        "protocol_insecure": {
            "enabled": false,
            "indicator_driver": "protocol_insecure",
            "sink_targets": [ "default-socket" ]
        },
        "tls_cipher_external": {
            "enabled": false,
            "indicator_driver": "tls_cipher_score",
            "criteria": {
                "flow_expr": "other_type == other_remote;"
            },
            "sink_targets": [ "default-socket" ]
        },
        "tls_cipher_internal": {
            "enabled": false,
            "indicator_driver": "tls_cipher_score",
            "criteria": {
                "flow_expr": "other_type != other_remote;"
            },
            "sink_targets": [ "default-socket" ]
        },
        "tls_cert_expired": {
            "enabled": false,
            "indicator_driver": "tls_cert_expired",
            "sink_targets": [ "default-socket" ]
        },
        "tls_cert_mismatch": {
            "enabled": false,
            "indicator_driver": "tls_cert_mismatch",
            "sink_targets": [ "default-socket" ]
        },
        "tls_cert_validity_too_long": {
            "enabled": false,
            "indicator_driver": "tls_cert_validity_too_long",
            "sink_targets": [ "default-socket" ]
        },
        "tls_cert_self_signed": {
            "enabled": false,
            "indicator_driver": "tls_cert_self_signed",
            "sink_targets": [ "default-socket" ]
        },
        "tor_bridge": {
            "enabled": false,
            "indicator_driver": "tor_bridge",
            "sink_targets": [ "default-socket" ]
        },
        "tor_exit": {
            "enabled": false,
            "indicator_driver": "tor_exit",
            "sink_targets": [ "default-socket" ]
        },
        "tor_relay": {
            "enabled": false,
            "indicator_driver": "tor_relay",
            "sink_targets": [ "default-socket" ]
        },
        "vpn_application_business": {
            "enabled": false,
            "indicator_driver": "vpn_application_business",
            "sink_targets": [ "default-socket" ]
        },
        "vpn_application_consumer": {
            "enabled": false,
            "indicator_driver": "vpn_application_consumer",
            "sink_targets": [ "default-socket" ]
        },
        "vpn_protocol": {
            "enabled": false,
            "indicator_driver": "vpn_protocol",
            "sink_targets": [ "default-socket" ]
        },
        "vpn_server_consumer": {
            "enabled": false,
            "indicator_driver": "vpn_server_consumer",
            "sink_targets": [ "default-socket" ]
        }
    },
    "sink_targets": {
        "default-socket": {
            "sink": "sink-socket",
            "channels": {
                "default": {
                    "enabled": false,
                    "flow_metadata": "full",
                    "dispatch_flags": [
                        "format_json",
                        "append_linefeed",
                        "prepend_length_header"
                    ]
                }
            }
        }
    }
}

Indicator Defaults

Defaults to apply to all indicators if not specifically set.
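
An added example (not part of the Netify documentation or code): a Python check that fills indicator_defaults into each indicator and reports enabled indicators whose sink_targets are undefined or have no enabled channel. The key-by-key merge of nested objects and the reading of a disabled channel as "no events delivered" are assumptions; the sample configuration is constructed from the listing above, and siem-socket is a hypothetical name.

```python
import json

# Constructed sample: a trimmed copy of the configuration above with two
# indicators switched on and one deliberate mistake (undefined "siem-socket").
SAMPLE = json.loads("""
{
  "indicator_defaults": {
    "sink": {"flow_metadata": "none"}, "event_filter": ["dpi_complete"],
    "criteria": {"min_bytes": 0, "min_score": 0,
                 "trigger_on_east_west": true, "trigger_on_wan": true}
  },
  "indicators": {
    "credentials_cleartext": {"enabled": true,
      "indicator_driver": "credentials_cleartext",
      "sink_targets": ["default-socket"]},
    "tls_cipher_external": {"enabled": true,
      "indicator_driver": "tls_cipher_score",
      "criteria": {"flow_expr": "other_type == other_remote;"},
      "sink_targets": ["siem-socket"]},
    "tor_exit": {"enabled": false, "indicator_driver": "tor_exit",
      "sink_targets": ["default-socket"]}
  },
  "sink_targets": {
    "default-socket": {"sink": "sink-socket", "channels": {
      "default": {"enabled": false, "flow_metadata": "full"}}}
  }
}
""")


def effective(config, name):
    """Indicator settings with indicator_defaults filled in where not set."""
    merged = {k: dict(v) if isinstance(v, dict) else v
              for k, v in config.get("indicator_defaults", {}).items()}
    for key, value in config["indicators"][name].items():
        if isinstance(value, dict) and isinstance(merged.get(key), dict):
            merged[key].update(value)  # assumption: nested objects merge key by key
        else:
            merged[key] = value
    return merged


def audit(config):
    """Return (enabled indicator names, findings about their sink targets)."""
    targets = config.get("sink_targets", {})
    enabled, findings = [], []
    for name in config.get("indicators", {}):
        ind = effective(config, name)
        if not ind.get("enabled", False):
            continue
        enabled.append(name)
        for target in ind.get("sink_targets", []):
            channels = targets.get(target, {}).get("channels", {})
            if target not in targets:
                findings.append(f"{name}: sink target '{target}' is not defined")
            # Assumption: a target with no enabled channel delivers no events.
            elif not any(c.get("enabled") for c in channels.values()):
                findings.append(f"{name}: no enabled channel on '{target}'")
    return enabled, findings
```

To check a deployed configuration, load the JSON file with json.load and pass the result to audit() before reloading the agent.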