2.2.7. Sigflow detection engine
To analyse the captured flow, the following steps must be taken:
Activate one or more capture interfaces on the GCap
Pair the GCap with GCenter
Activate the Sigflow detection engine (it is deactivated by default)
2.2.7.1. Activate one or more capture and monitoring interfaces on the GCap
2.2.7.1.1. CLI commands
Managing the capture interfaces is done using the CLI commands listed in the Manage the network table.
2.2.7.1.2. Use case procedures
To view or configure the capture interfaces, refer to the Procedure for managing capture interface settings monx.
2.2.7.2. Aggregating capture and monitoring interfaces monx
For more information on this aggregation, see the paragraph Capture and monitoring interfaces monx between TAP and GCap: aggregation capability.
For more information on how to configure this aggregation, refer to the paragraph Configuring the capture and monitoring interfaces: aggregation.
2.2.7.3. Pairing the GCap with GCenter
Once the network configuration is done, it is necessary to pair the GCap with GCenter.
For more information on pairing, refer to the procedure Pairing between a GCap and GCenter.
2.2.7.4. Activating the Sigflow monitor engine
By default the GCap monitor engine is disabled.
2.2.7.4.1. Checking the status of the Sigflow monitor engine (activating procedure)
The status of the monitor engine can be checked with the show status command.
2.2.7.4.2. Starting the Sigflow analysis engine
The Sigflow monitor engine (detection engine) must be started: flow capture only takes place once the engine is running.
To do this:
Enter the monitoring-engine start command
Validate
(gcap-cli) monitoring-engine start
The system displays the following message indicating that the engine started.
Starting Detection Engine...
This operation may take a while... Please wait.
Detection Engine has been successfully started.
Once the monitor engine is running, the configuration options of the GCap probe change: some settings cannot be modified while the engine is running.
Note
The show eve-stats command displays the statistics of the Sigflow monitoring engine.
2.2.7.4.3. Grace period
The grace period is the sum of:
The maximum starting time
The maximum stopping time
The detection engine must load its rules before it can start. The time allowed for this is the maximum start time, also called the start-up grace period (start-timeout).
The current value is displayed using the show monitoring-engine start-timeout command.
If the analysis engine loads a large number of rules, the maximum start time must be raised via the set monitoring-engine start-timeout command.
Similarly, the maximum stopping time, or shutdown grace period (stop-timeout), applies when the engine shuts down.
The current value is displayed via the show monitoring-engine stop-timeout command.
The current value is modified via the set monitoring-engine stop-timeout command.
2.2.7.5. Deactivating the Sigflow monitor engine
2.2.7.5.1. Checking the status of the Sigflow monitor engine (deactivating procedure)
The status of the engine can be checked with the show status command.
2.2.7.5.2. Stopping the Sigflow monitor engine
In the same way, stopping is carried out with the monitoring-engine stop command:
(gcap-cli) monitoring-engine stop
The system displays the following message indicating that the engine stopped.
Stopping Detection Engine...
This operation may take a while... Please wait.
Detection Engine has been successfully stopped.
2.2.7.6. Compatibility mode
The compatibility mode between the GCap and GCenter must be specified via the CLI.
2.2.7.7. MTU
The Maximum Transmission Unit (MTU) of each GCap capture interface can be adjusted via the CLI: it sets the maximum packet size that can be captured at one time on the interface.
2.2.7.7.1. Display of the current MTU value
The MTU value can be displayed using the show interfaces command.
The administrator can change the MTU value, in bytes, of the GCap capture interfaces.
This setting must be between 1280 and 9000 bytes.
Note
XDP filtering is not supported if the MTU is greater than 3000.
2.2.7.7.2. Changing the current MTU value
The MTU is modified with the set advanced-configuration mtu command followed by the parameters:
Name of the interface, for example enp4s0
Value in bytes, for example 1300
Note
To change the MTU of the enp4s0 interface to 1300:
Enter the set advanced-configuration mtu enp4s0 1300 command
Validate
(gcap-cli) set advanced-configuration mtu enp4s0 1300
The system displays the parameter update information.
Updating Network MTU configuration to:
- enp4s0: 1300
2.2.7.8. Rebuilding files
File reconstruction is performed on the GCap by its monitor engine (Sigflow).
These files are rebuilt under certain conditions that can be set from GCenter.
These conditions include the following:
The size of the observed file
The type of file observed, based either on the extension or on the filemagic
In addition, file reconstruction is only possible on certain protocols, the list of which varies according to the different GCap versions.
Here is the list of protocols supported by the GCap:
HTTP
SMTP
SMB
Other protocols are available from GCenter.
Please refer to the GCenter documentation for more information.
Note
The protocols on which files can be rebuilt depend on the GCap, not on GCenter.
If the GCenter configuration instructs the GCap to rebuild a certain file type but the GCap is not capable of doing so, the rebuild does not take place.
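The decision rule described above (size limit, file type matched by extension or by filemagic, protocol selected on GCenter but only honoured when the GCap supports it) modelled as a small Python policy check. This is an added example, not GCap or GCenter code: the names RebuildPolicy, FileEvent, should_rebuild, MAGIC_SIGNATURES and GCAP_SUPPORTED_PROTOCOLS are hypothetical, the magic-byte table is a constructed subset, and the sample file events are constructed for the example. It goes slightly beyond the text by showing why "extension or filemagic" matters: a PDF renamed to .txt is still matched by its magic bytes.

```python
from dataclasses import dataclass

# Protocols the page lists as supported for reconstruction on the GCap.
GCAP_SUPPORTED_PROTOCOLS = frozenset({"HTTP", "SMTP", "SMB"})

# Constructed filemagic table (leading bytes -> type label); an assumption
# for the example, not GCap's real signature set.
MAGIC_SIGNATURES = {
    b"MZ": "exe",
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip",
    b"\x7fELF": "elf",
}


@dataclass(frozen=True)
class RebuildPolicy:
    """Conditions set on GCenter, modelled as plain fields (hypothetical schema)."""
    max_size: int            # bytes; larger files are not rebuilt
    file_types: frozenset    # type labels selected for reconstruction
    protocols: frozenset     # protocols GCenter asks the GCap to rebuild on


@dataclass(frozen=True)
class FileEvent:
    """One observed file transfer (constructed sample input)."""
    protocol: str
    filename: str
    size: int
    head: bytes              # first bytes of the file, used for filemagic


def type_labels(filename: str, head: bytes) -> set:
    """Labels the file can be matched under: by extension and by filemagic."""
    labels = set()
    if "." in filename:
        labels.add(filename.rsplit(".", 1)[1].lower())
    for sig, label in MAGIC_SIGNATURES.items():
        if head.startswith(sig):
            labels.add(label)
            break
    return labels


def should_rebuild(event, policy, gcap_protocols=GCAP_SUPPORTED_PROTOCOLS):
    """Decide whether the GCap rebuilds this file; returns (decision, reason)."""
    proto = event.protocol.upper()
    if proto not in policy.protocols:
        return False, "protocol not selected on GCenter"
    # GCenter may select a protocol this GCap version cannot rebuild on;
    # in that case the rebuild simply does not take place.
    if proto not in gcap_protocols:
        return False, "requested by GCenter but not supported by this GCap"
    if event.size > policy.max_size:
        return False, "file larger than the configured size limit"
    # "Either the extension or the filemagic": any matching label is enough.
    matched = type_labels(event.filename, event.head) & policy.file_types
    if not matched:
        return False, "file type not selected (by extension or filemagic)"
    return True, "rebuild as " + ",".join(sorted(matched)) + " over " + proto


def demo():
    """Run the policy over constructed events; returns the list of decisions."""
    policy = RebuildPolicy(
        max_size=10 * 1024 * 1024,
        file_types=frozenset({"exe", "pdf"}),
        protocols=frozenset({"HTTP", "SMTP", "SMB", "FTP"}),
    )
    events = [
        FileEvent("http", "update.exe", 4096, b"MZ\x90\x00"),
        FileEvent("http", "notes.txt", 2048, b"%PDF-1.7\n"),      # PDF disguised as .txt
        FileEvent("ftp", "doc.pdf", 2048, b"%PDF-1.4\n"),        # FTP selected on GCenter only
        FileEvent("smb", "big.exe", 50 * 1024 * 1024, b"MZ"),   # over the size limit
        FileEvent("smtp", "photo.jpg", 512, b"\xff\xd8\xff"),   # type not selected
    ]
    return [should_rebuild(e, policy) for e in events]


if __name__ == "__main__":
    for decision, reason in demo():
        print(decision, "-", reason)
```

The protocol check is deliberately split in two: a protocol absent from the GCenter selection is a configuration choice, whereas a protocol selected on GCenter but absent from the GCap's capabilities is the silent failure the note above warns about, and an operator auditing missing reconstructions should be able to tell the two apart.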