2.1. GCap
2.1.1. GCap functions
The functions of the GCap include:
Connecting to the TAP and retrieving duplicate packets from the network flow seen by the TAP,
Rebuilding the files from the corresponding packets using a detection engine, also referred to as Sigflow,
Intrusion detection (vulnerabilities...) is performed by several detection engines:
The first is the Sigflow engine. It is located in the GCap
The others are located in GCenter. It recovers the network flow sent by the GCap to perform this analysis:
The second is the Codebreaker engine,
The third is the Malcore engine,
The fourth is the Retroact engine.
The transmission of files, codes and events to GCenter,
Communication between GCap and GCenter including receiving configuration files, rulesets, and the like.
2.1.2. The Sigflow engine
Sigflow performs:
The recovery of network flows entering the Gcap via the
monx
capture interfaces,Intrusion detection, statistical analysis of network flows to reduce the number of false positives and identify possible protocol malformations, SQL injection attempts, and so on.
The creation of alerts or log files
The use of rules enables the Sigflow engine to define what to monitor, hence to raise alerts.
For more information, please refer to the table Managing the detection engine.
2.1.2.1. Filtering of the captured flow
Certain parts of the captured flow cannot be detected or reconstructed: for example, encrypted flows.
If nothing is done, the system will monopolise resources to achieve a result known in advance.
To avoid this, it is possible to create rules to filter the flow to be captured.
Note
To display the packet filtering rules, use the show advanced-configuration packet-filtering
command.
To specify the packet filtering rules, use the set advanced-configuration packet-filtering
command.
2.1.2.2. Configuration rules
Note
To display the packet filtering rules, use the show advanced-configuration local-rules
command.
To specify the local rules, use the set advanced-configuration local-rules
command.
2.1.2.2.1. Sigflow rules for detection
The Sigflow configuration rules are defined:
In GCenter and transferred from GCenter with access via the
show config-files rules-scirius
commandOr locally on the GCap with access via the
{show,set} advanced-configuration local-rules
command
2.1.2.3. Sigflow configuration rules for rebuilding files
The Sigflow configuration rules are defined:
In GCenter and transferred from GCenter with access via the
show config-files rules-files
commandOr locally on the GCap with access via the
{show,set} advanced-configuration local-rules
command
2.1.2.4. Sigflow configuration rules for managing the thresholds for the raising alarms
The Sigflow configuration rules are defined:
In GCenter with access via the
show config-files threshold
commandOr locally on the GCap with access via the
{show,set} advanced-configuration local-rules
command
2.1.3. Counters of GCap activity
In order to view this information, the `show eve-stats' command enables the following counters to be viewed:
Counter
Alerts
- Number of Sigflow alerts foundThe counters
Files
- Files extracted by SigflowThe counters
Codebreaker samples
- Files analysed by CodebreakerCounters
Protocols
- List of protocols seen by SigflowCounters
Detection Engine Stats
- Sigflow statistics (monitoring-engine)
For more information, please refer to the table Monitoring the detection engine.