2.1. GCap

2.1.1. GCap functions

The functions of the GCap include:

  • Connecting to the TAP and retrieving duplicate packets from the network flow seen by the TAP

  • Rebuilding the files from the corresponding packets using a detection engine, also referred to as Sigflow

  • Intrusion detection (vulnerabilities...) is performed by several detection engines:

    • The first is the Sigflow engine. It is located in the GCap

    • The others are located in GCenter.
      It recovers the network flow sent by the GCap to perform this analysis:

      • Shellcode et Malicious Powershell Detect

      • Malcore and Retroanalyzer

      • Beacon Detect

      • Dga Detect

      • Ransomware Detect

      • Retrohunt (optional)

      • Active CTI (optional)

  • The transmission of files, codes and events to GCenter

  • Communication between GCap and GCenter including receiving configuration files, rulesets, and the like

2.1.2. The Sigflow engine

Sigflow performs:

  • The recovery of network flows entering the Gcap via the `monx` capture interfaces

  • Intrusion detection, statistical analysis of network flows to reduce the number of false positives and identify possible protocol malformations, SQL injection attempts, and so on.

  • The creation of alerts or log files

The use of rules enables the Sigflow engine to define what to monitor, hence to raise alerts.
For more information, please refer to the table Manage the detection engine.

2.1.2.1. Filtering of the captured flow

Certain parts of the captured flow cannot be detected or reconstructed: for example, encrypted flows.
If nothing is done, the system will monopolize resources to achieve a result known in advance.
To avoid this, it is possible to create rules to filter the flow to be captured.

Note

The visualization of the rules is done locally (show advanced-configuration packet-filtering)
Packet filtering must be configured in `GCaps profiles` menu of GCenter.

2.1.3. Counters of GCap activity

In order to view this information, the show eve-stats command enables the following counters to be viewed:

  • counter `Alerts` - Number of Sigflow alerts found

  • counters `Files` - Files extracted by Sigflow

  • Counters `Codebreaker samples` - Files analyzed by Codebreaker

  • Counters `Protocols` - List of protocols seen by Sigflow

  • Counters `Detection Engine Stats` - Sigflow statistics (monitoring-engine)

For more information, please refer to the table Monitoring the GCAP.