2.1. GCap

2.1.1. GCap functions

The functions of the GCap include:

  • connecting to the TAP and receiving a copy of the packets of the network flow seen by the TAP,

  • reconstructing files from the corresponding packets using its detection engine, also referred to as Sigflow,

  • intrusion detection (exploitation of vulnerabilities, and so on), which is performed by several detection engines:

    • the first is the Sigflow engine, which runs on the GCap,

    • the others run on GCenter, which analyses the data (files, codes and events) sent to it by the GCap:

      • the second is the Codebreaker engine,

      • the third is the Malcore engine,

      • the fourth is the Retroact engine.

  • the transmission of files, codes and events to GCenter,

  • communication with GCenter, including receiving configuration files, rulesets and the like.


2.1.2. The Sigflow engine

Sigflow performs:

  • the capture of the network flows entering the GCap via the monx capture interfaces,

  • intrusion detection: statistical analysis of the network flows to reduce the number of false positives and to identify possible protocol malformations, SQL injection attempts, and so on,

  • the creation of alerts and log files.

Rules tell the Sigflow engine what to monitor, and therefore when to raise an alert.

For more information, please refer to the table Managing the detection engine.

2.1.2.1. Filtering of the captured flow

Certain parts of the captured flow cannot be analysed or reconstructed: encrypted flows, for example.

If nothing is done, the system will spend resources on traffic whose result is known in advance.

To avoid this, rules can be created to filter the flow to be captured.

Note

To display the packet filtering rules, use the show advanced-configuration packet-filtering command.

To specify the packet filtering rules, use the set advanced-configuration packet-filtering command.


2.1.2.2. Configuration rules

Note

To display the local rules, use the show advanced-configuration local-rules command.

To specify the local rules, use the set advanced-configuration local-rules command.

2.1.2.2.1. Sigflow rules for detection

The Sigflow configuration rules are defined:

  • in GCenter and transferred from GCenter with access via the show config-files rules-scirius command

  • or locally on the GCap with access via the {show,set} advanced-configuration local-rules command

2.1.2.3. Sigflow configuration rules for rebuilding files

The Sigflow configuration rules are defined:

  • in GCenter and transferred from GCenter with access via the show config-files rules-files command

  • or locally on the GCap with access via the {show,set} advanced-configuration local-rules command

2.1.2.4. Sigflow configuration rules for managing alert thresholds

The Sigflow configuration rules are defined:

  • in GCenter and transferred from GCenter with access via the show config-files threshold command

  • or locally on the GCap with access via the {show,set} advanced-configuration local-rules command


2.1.3. Counters of GCap activity

The show eve-stats command displays the following counters of GCap activity:

  • Alerts: number of alerts raised by Sigflow,

  • Files: number of files extracted by Sigflow,

  • Codebreaker samples: number of files analysed by Codebreaker,

  • Protocols: list of the protocols seen by Sigflow,

  • Detection Engine Stats: Sigflow statistics (monitoring-engine).

For more information, please refer to the table Monitoring the detection engine.
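The following script is an added example, not code from the GCap product or its documentation. It shows how the counters listed above (alerts, extracted files, protocols seen, engine statistics) can be recomputed from the engine's own event log, and adds one check the counters alone do not show: the ratio of packets dropped at capture time, which is what tells you whether the alert and file counts are complete or only a lower bound. It assumes, as the command name "eve-stats" suggests but the page does not state, that Sigflow writes one EVE-style JSON object per line with an event_type field ("alert", "fileinfo", "flow", "stats"), as Suricata does. The sample lines are constructed for this example and are not real GCap output; the last one is deliberately truncated.

```python
"""Recompute GCap-style activity counters from EVE-style event lines.

Assumption (not stated on the page): Sigflow emits Suricata-style EVE JSON,
one object per line, with an "event_type" field. The sample below is
constructed for this example; it is not real GCap output.
"""
import json
from collections import Counter

# Constructed sample events (not real GCap output). The last line is
# deliberately truncated to show that a corrupted line is skipped, not fatal.
SAMPLE_EVE_LINES = [
    '{"event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","proto":"TCP",'
    '"app_proto":"http","alert":{"signature_id":1000001,"signature":"LOCAL SQLi attempt","severity":2}}',
    '{"event_type":"fileinfo","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","proto":"TCP",'
    '"app_proto":"http","fileinfo":{"filename":"/update.exe","sha256":"0000","size":5120,"stored":true}}',
    '{"event_type":"fileinfo","src_ip":"10.0.0.6","dest_ip":"10.0.0.9","proto":"TCP",'
    '"app_proto":"smb","fileinfo":{"filename":"doc.pdf","size":2048,"stored":false}}',
    '{"event_type":"flow","src_ip":"10.0.0.7","dest_ip":"192.0.2.10","proto":"TCP","app_proto":"tls"}',
    '{"event_type":"flow","src_ip":"10.0.0.7","dest_ip":"192.0.2.53","proto":"UDP","app_proto":"dns"}',
    '{"event_type":"alert","src_ip":"10.0.0.8","dest_ip":"10.0.0.9","proto":"TCP",'
    '"app_proto":"http","alert":{"signature_id":1000001,"signature":"LOCAL SQLi attempt","severity":2}}',
    '{"event_type":"stats","stats":{"capture":{"kernel_packets":100000,"kernel_drops":250}}}',
    '{"event_type":"alert","src_ip":"10.0.0.8"',  # truncated line
]


def eve_counters(lines):
    """Build the counters that show eve-stats reports, from EVE lines."""
    counters = {
        "alerts": 0,
        "alerts_by_signature": Counter(),  # signature text -> number of alerts
        "files": 0,                        # files extracted by Sigflow
        "files_stored": 0,                 # of which the engine kept a copy
        "protocols": Counter(),            # application protocol -> events seen
        "kernel_packets": 0,               # from the latest "stats" event
        "kernel_drops": 0,
        "skipped_lines": 0,                # lines that were not valid JSON
    }
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            counters["skipped_lines"] += 1   # corrupted/truncated: skip, keep going
            continue
        app_proto = event.get("app_proto")
        if app_proto:
            counters["protocols"][app_proto] += 1
        etype = event.get("event_type")
        if etype == "alert":
            counters["alerts"] += 1
            counters["alerts_by_signature"][event["alert"]["signature"]] += 1
        elif etype == "fileinfo":
            counters["files"] += 1
            if event["fileinfo"].get("stored"):
                counters["files_stored"] += 1
        elif etype == "stats":
            # Suricata-style layout assumed: stats.capture.kernel_packets/kernel_drops
            capture = event["stats"].get("capture", {})
            counters["kernel_packets"] = capture.get("kernel_packets", 0)
            counters["kernel_drops"] = capture.get("kernel_drops", 0)
    return counters


def drop_ratio(counters):
    """Fraction of packets dropped before the engine inspected them.

    A non-zero ratio means the capture is overloaded and flows were missed,
    so the alert and file counts are a lower bound. This is the situation in
    which filtering traffic that cannot be analysed anyway (encrypted flows,
    see 2.1.2.1) pays off.
    """
    packets = counters["kernel_packets"]
    return counters["kernel_drops"] / packets if packets else 0.0


if __name__ == "__main__":
    c = eve_counters(SAMPLE_EVE_LINES)
    print("Alerts:", c["alerts"], dict(c["alerts_by_signature"]))
    print("Files:", c["files"], "(stored:", c["files_stored"], ")")
    print("Protocols:", dict(c["protocols"]))
    print("Drop ratio: %.4f, skipped lines: %d" % (drop_ratio(c), c["skipped_lines"]))
```

Two of the counters deserve a second look in practice: a growing skipped_lines value means the log itself is being truncated (usually disk pressure), and any non-zero drop ratio means the Protocols and Files figures describe only the traffic the engine managed to see.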