2.1. GCap

2.1.1. GCap functions

The functions of the GCap include:

  • Connecting to the TAP and retrieving duplicate packets from the network flow seen by the TAP

  • Rebuilding the files from the corresponding packets using a detection engine, also referred to as Sigflow

  • Intrusion detection (vulnerabilities...) is performed by several detection engines:

    • The first is the Sigflow engine. It is located in the GCap

    • The others are located in GCenter. It recovers the network flow sent by the GCap to perform this analysis:

      • Shellcode and Malicious Powershell Detect

      • Malcore and Retroanalyzer

      • Beacon Detect

      • Dga Detect

      • Ransomware Detect

      • Retrohunt (optional)

      • Active CTI (optional)

  • The transmission of files, codes and events to GCenter

  • Communication between GCap and GCenter including receiving configuration files, rulesets, and the like

2.1.2. The Sigflow engine

Sigflow performs:

  • The recovery of network flows entering the Gcap via the monx capture interfaces

  • Intrusion detection, statistical analysis of network flows to reduce the number of false positives and identify possible protocol malformations, SQL injection attempts, and so on

  • The creation of alerts or log files

The use of rules enables the Sigflow engine to define what to monitor, hence to raise alerts.
For more information, please refer to the table Managing the detection engine.

2.1.2.1. Filtering of the captured flow

Certain parts of the captured flow cannot be detected or reconstructed: for example, encrypted flows.
If nothing is done, the system will monopolise resources to achieve a result known in advance.
To avoid this, it is possible to create rules to filter the flow to be captured.

Note

show/set advanced-configuration packet-filtering command has been removed.
Packet filtering must be configured in GCaps profiles menu of GCenter.

2.1.3. Counters of GCap activity

In order to view this information, the `show eve-stats' command enables the following counters to be viewed:

  • Counter Alerts - Number of Sigflow alerts found

  • Counters Files - Files extracted by Sigflow

  • Counters Codebreaker samples - Files analysed by Codebreaker

  • Counters Protocols - List of protocols seen by Sigflow

  • Counters Detection Engine Stats - Sigflow statistics (monitoring-engine)

For more information, please refer to the table Monitoring the detection engine.