2.2.7. Sigflow detection engine

To analyse the captured flow, the following steps must be taken:

  • Activate one or more capture interfaces on the GCap

  • Pair the GCap with GCenter

  • Activate the Sigflow detection engine, which is deactivated by default


2.2.7.1. Activate one or more capture and monitoring interfaces on the GCap

2.2.7.1.1. CLI commands

Managing the capture interfaces is done using the CLI commands listed in the Manage the network table.

2.2.7.1.2. Use case procedures

To view or configure the capture interfaces, refer to the Procedure for managing capture interface settings monx.


2.2.7.2. Aggregating capture and monitoring interfaces monx

For more information on this aggregation, see the paragraph Capture and monitoring interfaces monx between TAP and GCap: aggregation capability.

For more information on how to configure this aggregation, refer to the paragraph Configuring the capture and monitoring interfaces: aggregation.


2.2.7.3. Pairing the GCap with GCenter

Once the network configuration is done, it is necessary to pair the GCap with GCenter.

For more information on pairing, refer to the procedure Pairing between a GCap and GCenter.


2.2.7.4. Activating the Sigflow monitor engine

By default the GCap monitor engine is disabled.


2.2.7.4.1. Checking the status of the Sigflow monitor engine (activating procedure)

The status of the monitor engine can be checked with the show status command.


2.2.7.4.2. Starting the Sigflow analysis engine

The Sigflow monitor engine (detection engine) must be started: flow capture only takes place once it is running.

To do this:

(gcap-cli) monitoring-engine start

The system displays the following message indicating that the engine started.

Starting Detection Engine...
This operation may take a while... Please wait.
Detection Engine has been successfully started.

Once the monitor engine is activated, the configuration possibilities of the GCap probe change. Some of them cannot be configured while the engine is running.

Note

The eve-stats command in the show subgroup enables displaying the Sigflow (monitoring-engine) statistics.


2.2.7.4.3. Grace period

If the number of rules loaded by the analysis engine is large, the maximum start-up time (grace period) must be modified via the CLI.


2.2.7.5. Deactivating the Sigflow monitor engine

2.2.7.5.1. Checking the status of the Sigflow monitor engine (deactivating procedure)

The status of the engine can be checked with the show status command.


2.2.7.5.2. Stopping the Sigflow monitor engine

In the same way, stopping is carried out with the monitoring-engine stop command:

(gcap-cli) monitoring-engine stop

The system displays the following message indicating that the engine stopped.

Stopping Detection Engine...
This operation may take a while... Please wait.
Detection Engine has been successfully stopped.

2.2.7.6. Compatibility mode

The compatibility mode between the GCap and GCenter must be specified via the CLI.


2.2.7.7. MTU

The Maximum Transmission Unit (MTU) of each GCap capture interface can be adjusted via the CLI.

In other words, the maximum size of a packet captured at one time on an interface is configurable.


2.2.7.7.1. Display of the current MTU value

The MTU value can be displayed using the show advanced-configuration mtu command:

(gcap-cli) show advanced-configuration mtu

Current Monitoring Network MTU configuration:
	- mon0: 1500
	- monvirt: 1500

The administrator can change the MTU value, in bytes, of the GCap capture interfaces. This value must be between 1280 and 9000 bytes.

Note

The Load Balancing and XDP Filtering features are not supported if the MTU is greater than 3000 bytes.


2.2.7.7.2. Changing the current MTU value

The MTU is modified with the set advanced-configuration mtu command followed by two parameters:

  • the name of the interface, for example mon0

  • the value, for example 1300

Note

To change the MTU of the `mon0` interface to 1300:
  • enter the set advanced-configuration mtu mon0 1300 command

  • validate

Example with a value of 2500:

(gcap-cli) set advanced-configuration mtu mon0 2500

The system displays the parameter update information.

Updating Monitoring Network MTU configuration to:
	- mon0: 2500

2.2.7.8. Rebuilding files

Files are rebuilt on the GCap by its monitor engine (Sigflow).

These files are rebuilt under certain conditions that can be set from GCenter. These conditions include the following:

  • the size of the observed file

  • the type of file observed, based either on the extension or on the filemagic

In addition, file reconstruction is only possible on certain protocols, the list of which varies according to the different GCap versions.

Here is the list of protocols supported by the GCap:

  • HTTP

  • SMTP

Other protocols are available from GCenter. Please refer to the GCenter documentation for more information.

Note

The protocols on which rebuilding is possible depend on the GCap, not on the GCenter. If the GCenter configuration instructs the GCap to rebuild a certain file type but the GCap is not capable of doing so, the rebuild will not take place.

The administrator can add a local rule from the CLI with the local-rules command if necessary.

An example of rule syntax for these protocols is as follows (the ftpdata_command keyword only applies to the ftp-data protocol, so it is omitted from the SMB rule):

alert ftp-data any any -> any any (msg:"[ Message regle FTP ] FTP filestore all"; filestore; ftpdata_command:retr; sid:13371340; rev:1;)

alert smb any any -> any any (msg:"[ Message regle SMB ] SMB filestore all"; filestore; sid:13371341; rev:1;)
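As an added example (not part of the GCap documentation), a small Python checker for a local-rules file before it is loaded: it parses each rule header and its option body, confirms the rule carries filestore, flags ftpdata_command on any protocol other than ftp-data, and reports reused sids. The sample rule text is constructed and contains one rule with each of the last two defects.

```python
import re

# Constructed sample local-rules text modelled on the rules shown above; the smb rule
# deliberately carries the ftp-data-only keyword and the third rule reuses a sid.
SAMPLE_RULES = """\
alert ftp-data any any -> any any (msg:"FTP filestore all"; filestore; ftpdata_command:retr; sid:13371340; rev:1;)
alert smb any any -> any any (msg:"SMB filestore all"; filestore; ftpdata_command:retr; sid:13371341; rev:1;)
alert http any any -> any any (msg:"HTTP filestore all"; filestore; sid:13371340; rev:1;)
"""

# action, protocol, src, src port, direction, dst, dst port, then the option body in ()
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>[\w-]+)\s+\S+\s+\S+\s+(->|<>)\s+\S+\s+\S+\s+\((?P<opts>.*)\)\s*$"
)

def split_options(body):
    """Split 'k:v; flag; ...' into (keyword, value) pairs; ';' inside quotes is kept."""
    items, buf, quoted = [], "", False
    for ch in body:
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            items.append(buf.strip())
            buf = ""
        else:
            buf += ch
    items = [i for i in items + [buf.strip()] if i]
    return [tuple(i.split(":", 1)) if ":" in i else (i, None) for i in items]

def check_rules(text):
    """Return (line number, finding) pairs for a local-rules text; empty means clean."""
    findings, seen_sids = [], {}
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = HEADER_RE.match(line)
        if not m:
            findings.append((n, "unparseable rule header"))
            continue
        opts = dict(split_options(m.group("opts")))
        if "filestore" not in opts:
            findings.append((n, "no filestore keyword: the rule alerts but rebuilds nothing"))
        if "ftpdata_command" in opts and m.group("proto") != "ftp-data":
            findings.append((n, f"ftpdata_command is only valid on ftp-data, not {m.group('proto')}"))
        sid = opts.get("sid")
        if sid in seen_sids:
            findings.append((n, f"duplicate sid {sid} (first used on line {seen_sids[sid]})"))
        elif sid is not None:
            seen_sids[sid] = n
    return findings
```

Running check_rules(SAMPLE_RULES) reports the smb rule and the duplicate sid on the http rule; the ftp-data rule passes.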