5.6.12. Web UI `Config - Metadata rate limiter` screen

In addition to alerts, GCaps generate metadata events for the analyzed network flows.
This information is useful during investigations, but in some contexts its volume can quickly exceed the indexing capacity of GCenter.
To reduce the amount of metadata while preserving most of the information about the exchanges, the limiters described below can be enabled.

Tip

Use the hunting tool (hunting > Metadata) to understand what kind of metadata should be optimized first.

This screen allows you to configure metadata rate limiters.
This screen is only accessible to members of the administrator group.

Note

For users who are not members of the administrator group, the following message is displayed: `Error 403:Insufficient permissions`.

After pressing the `Metadata rate limiter` command in the `Config` menu, the following screen is displayed.
This screen allows you to:
  • Enable metadata limiters

  • Define on which protocols they are activated

  • Define the metadata filtering rule

(Screenshot: METADATA-01.PNG)

The screen contains the following parts (item numbers refer to the screenshot):

Item 1, `DNS`: configures DNS metadata. This includes:

  Item 13, `Aggressivity level`: filtering level, with the following choices:

    • Level 1: removes metadata from DNS queries but retains responses.

    • Level 2: removes metadata related to DNS queries.
      For responses of type A, AAAA or PTR with response code NOERROR, keeps only one response per domain name and source IP over a 1-minute sliding window.

    • Level 3: removes metadata related to DNS queries.
      For all responses with response code NOERROR, keeps only one response per domain name and source IP over a 1-hour sliding window.

  Item 5, `Enabled - Disabled`: selector enabling or disabling the `DNS` limiter.

Item 2, `HTTPS`: configures HTTPS metadata. This includes:

  Item 13, `Aggressivity level`: filtering level, with the following choices:

    • Level 1: for connection-related events, keeps only one record per source IP, destination IP and TLS subject over a 1-minute sliding window.
      For other events, keeps only one record per source IP and destination IP over a 1-minute sliding window.

    • Level 2: for connection-related events, keeps only one record per source IP, destination IP and TLS subject over a 1-hour sliding window.
      For other events, keeps only one record per source IP and destination IP over a 1-hour sliding window.

  Item 6, `Enabled - Disabled`: selector enabling or disabling the `HTTPS` limiter.

Item 3, `HTTP`: configures HTTP metadata. This includes:

  Item 13, `Aggressivity level`: filtering level, with the following choices:

    • Level 1: for events with status code 200, keeps only one request per source IP, method, destination port, destination IP and URL over a 1-minute sliding window.

    • Level 2: for events with status code 200, keeps only one request per source IP, method and destination hostname over a 1-hour sliding window.

    • Level 3: keeps only events whose status code is different from 200.

  Item 7, `Enabled - Disabled`: selector enabling or disabling the `HTTP` limiter.

Item 4, `SMB`: configures SMB metadata. This includes:

  Item 13, `Aggressivity level`: filtering level, with the following choices:

    • Level 1: for each SMB session and for SMB commands other than READ and WRITE, keeps only 100 records per command type over a 1-minute sliding window.

    • Level 2: for each SMB session and for SMB commands other than READ and WRITE, keeps only 10 records per command type over a 1-hour sliding window.

  Item 8, `Enabled - Disabled`: selector enabling or disabling the `SMB` limiter.

Item 9, `APPLY` button: saves the configuration. After saving, the following message is displayed: `Metadata rate limiting successfully applied!`

For the procedure, see the section Configuring Metadata Rate Limiters.
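Every level described above follows the same pattern: a key is derived from the event (domain name and source IP, session and command type, and so on), at most N records per key are kept, and the count is evaluated over a sliding window. The following Python model, added here as an illustration and not code from GCenter or GCap, shows that pattern for DNS level 2 and SMB level 1 on constructed sample events. The event field names (`kind`, `rrname`, `rcode`, `session`, `command`) and the interpretation of "mobile window" as a sliding window anchored on the timestamps of kept events are assumptions of this example, not facts from the page.

```python
from collections import defaultdict, deque

# Sentinel returned by a key function for events that a level removes outright
# (for example, DNS queries at DNS level 2).
DROP = object()


class SlidingWindowLimiter:
    """Keep at most `limit` events per key inside a sliding window of `window` seconds.

    Assumption (not from the GCenter page): the window slides relative to the
    timestamps of the events that were actually kept.
    """

    def __init__(self, window, limit, key_fn):
        self.window = window
        self.limit = limit
        self.key_fn = key_fn
        self._kept = defaultdict(deque)  # key -> timestamps of kept events

    def allow(self, event):
        key = self.key_fn(event)
        if key is DROP:
            return False
        if key is None:  # event not covered by this rule: always kept
            return True
        stamps = self._kept[key]
        # Expire kept timestamps that have fallen out of the window.
        while stamps and event["ts"] - stamps[0] >= self.window:
            stamps.popleft()
        if len(stamps) < self.limit:
            stamps.append(event["ts"])
            return True
        return False


def filter_events(events, window, limit, key_fn):
    """Return the events that survive a limiter; events must be in timestamp order."""
    limiter = SlidingWindowLimiter(window, limit, key_fn)
    return [ev for ev in events if limiter.allow(ev)]


def dns_level2_key(ev):
    """DNS level 2: drop queries; for A/AAAA/PTR responses with NOERROR keep one
    record per (domain name, source IP); other responses pass through."""
    if ev["kind"] == "query":
        return DROP
    if ev["rrtype"] in ("A", "AAAA", "PTR") and ev["rcode"] == "NOERROR":
        return (ev["rrname"], ev["src_ip"])
    return None


def smb_level1_key(ev):
    """SMB level 1: commands other than READ and WRITE are limited per
    (session, command type); READ and WRITE pass through."""
    if ev["command"] in ("READ", "WRITE"):
        return None
    return (ev["session"], ev["command"])


# Constructed sample events (not captured traffic); "ts" is seconds since start.
DNS_SAMPLE = [
    {"ts": 0, "kind": "query", "rrname": "example.com", "rrtype": "A", "rcode": None, "src_ip": "10.0.0.1"},
    {"ts": 1, "kind": "response", "rrname": "example.com", "rrtype": "A", "rcode": "NOERROR", "src_ip": "10.0.0.1"},
    {"ts": 2, "kind": "response", "rrname": "example.com", "rrtype": "A", "rcode": "NOERROR", "src_ip": "10.0.0.1"},
    {"ts": 30, "kind": "response", "rrname": "example.com", "rrtype": "A", "rcode": "NOERROR", "src_ip": "10.0.0.2"},
    {"ts": 40, "kind": "response", "rrname": "example.com", "rrtype": "MX", "rcode": "NOERROR", "src_ip": "10.0.0.1"},
    {"ts": 70, "kind": "response", "rrname": "example.com", "rrtype": "A", "rcode": "NOERROR", "src_ip": "10.0.0.1"},
    {"ts": 80, "kind": "response", "rrname": "example.com", "rrtype": "A", "rcode": "NXDOMAIN", "src_ip": "10.0.0.1"},
]

# 105 TREE_CONNECT records in about ten seconds, then 5 READ records (constructed).
SMB_SAMPLE = (
    [{"ts": i * 0.1, "session": "sess-1", "command": "TREE_CONNECT"} for i in range(105)]
    + [{"ts": 11 + i, "session": "sess-1", "command": "READ"} for i in range(5)]
)


def run_dns_level2():
    # 1-minute window, one record per key.
    return filter_events(DNS_SAMPLE, window=60, limit=1, key_fn=dns_level2_key)


def run_smb_level1():
    # 1-minute window, 100 records per (session, command type).
    return filter_events(SMB_SAMPLE, window=60, limit=100, key_fn=smb_level1_key)


if __name__ == "__main__":
    kept = run_dns_level2()
    print(f"DNS level 2: kept {len(kept)} of {len(DNS_SAMPLE)} events at ts", [e["ts"] for e in kept])
    kept = run_smb_level1()
    print(f"SMB level 1: kept {len(kept)} of {len(SMB_SAMPLE)} events")
```

Running the model on the DNS sample shows which records each rule removes: the query is dropped, the repeated A answer at ts 2 is suppressed because an answer for the same domain and source IP was kept one second earlier, the answer at ts 70 is kept again because the 60-second window has elapsed, and the MX and NXDOMAIN answers are untouched because level 2 does not cover them. On the SMB sample the first 100 TREE_CONNECT records of the session survive, the remaining 5 are dropped, and all READ records pass. Levels 3 (DNS), the HTTPS and HTTP levels, and SMB level 2 differ only in the key function, the limit and the window length.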