5.6.14. Web UI `Config - Gcaps profiles` screen
When the `Gcaps profiles` command is selected from the `Config` menu, the following screen is displayed.

| Item | Function | See |
|---|---|---|
| 1 | Name of the GCap associated with the GCenter | |
| 2 | `Detection Rulesets` button: manages the application of rulesets to paired GCaps | `Detection Rulesets` section of the `Config Gcaps profiles` menu |
| 3 | `Base variables` button: manages the configuration of the advanced GCap parameters | `Base variables` section of the `Config Gcaps profiles` menu |
| 4 | `Net variables` button: manages the network variables used in Sigflow rules | `Net variables` section of the `Config Gcaps profiles` menu |
| 5 | `Flow timeouts` button: configures the time Sigflow keeps a flow in memory depending on its status | `Flow timeouts` section of the `Config Gcaps profiles` menu |
| 6 | `File rule management` button: configures the file types that the GCap will extract for a given protocol | `File rule management` section of the `Config Gcaps profiles` menu |
| 7 | `Packet filters` button: adjusts the GCap capture parameters using Sigflow's advanced features | `Packet filters` section of the `Config Gcaps profiles` menu |
| 8 | `Reset to default configuration` button: resets the configuration and loads the profile selected in the `GCaps pairing and status` screen | |
| 9 | `ADD GCAP` button: displays the screen for adding a GCap | `Admin-GCaps pairing and status` screen of the legacy Web UI |
Note
The `APPLY` button triggers sending the global configuration to the selected GCap.
5.6.14.1. `Detection Rulesets` section of the `Config Gcaps profiles` menu
The `Detection Rulesets` screen enables:
- Configuring the detection modes for each of the three options below:
  - `single tenant`
  - `multi-tenant by interface`
  - `multi-tenant by vlan`
- Applying the Sigflow rulesets previously created to the GCap paired on the GCenter
- Enabling the Codebreaker engine (Shellcodes, Powershell detection)
For more information, refer to Detection Rulesets.
| Item | Function |
|---|---|
| 1 | Link to return to the |
| 2 | Message area informing that the selected ruleset has been updated. |
| 3 | |
| 4 | |
| 5 | |
| 6 | |
| 7 | |
| 8 | |
| 9 | |
5.6.14.2. `Base variables` section of the `Config Gcaps profiles` menu
The `Base Variables` screen of the `GCenter` consists of the following fields:
5.6.14.2.1. `Stream analysis and file extraction` zone
The `Stream analysis and file extraction` zone enables you to control how the Sigflow engine handles maximum stream and file extraction sizes.
5.6.14.2.1.1. Description of the `Stream analysis and file extraction` zone
This zone includes the following items:
| Item | Function |
|---|---|
| 1 | `File extraction (on/off)`: enables the control of the size of stored files. See the `File rule management` section of the `Config Gcaps profiles` menu to specify which files are extracted. |
| 2 | `Stream reassembly depth (MB)`: maximum size of the network stream in megabytes. This default value can be overridden by the protocol analysers performing the file extraction. Inspection is skipped once this value is reached for a particular flow. Setting this value to 0 enables any flow size to be stored. |
| 3 | `MQTT Max message length (MB)`: maximum size of an MQTT message to be parsed. Beyond this value, the message will not be parsed. |
| 4 | `File-store stream depth (MB)`: maximum size of a reconstructed and stored file in megabytes. If this value is reached, the file may be truncated and not entirely stored. This implies that after this value, the HTTP session will no longer be tracked. A negative value disables the option. A value of 0 enables any file size to be stored. If this option is not enabled, then the value of `Stream reassembly depth (MB)` is taken into account. This value must be greater than the value of `Stream reassembly depth (MB)`. |
| 5 | `SMB Stream Depth (MB)`: maximum size of the network stream in megabytes. Beyond this value, no reconstruction will be undertaken. If this value is reached, the file may be truncated and not entirely stored. This implies that after this value, the SMB session will no longer be tracked. A negative value disables the option. Setting this value to 0 enables any file size to be stored. |
Tip
Too high a value for these parameters increases detection but decreases performance.
Caution
Changing these parameters may cause the solution to malfunction. This section is reserved for support staff and advanced users. Only the `file_store_stream_depth_mb` variable can be modified, never exceeding 100 MB.
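The size semantics above (a negative `File-store stream depth` disables the option, 0 means any size is stored, and the `Stream reassembly depth` applies when the file-store depth is disabled or file extraction is off) are easy to misread when sizing a deployment. The following Python is an added example, not code from the GCenter documentation or the product: it encodes those rules, predicts whether a file of a given size would be truncated, and flags the 100 MB limit stated in the caution. Function names are this example's own; it treats equal values (the defaults, both 10 MB) as acceptable rather than requiring the file-store depth to be strictly greater.

```python
def effective_depth_mb(file_extraction, file_store_depth_mb, stream_reassembly_depth_mb):
    """Depth (in MB) that bounds a reconstructed file under the settings above.

    Returns None when any file size may be stored (depth 0).
    Rules encoded (from the descriptions of items 2 and 4):
    - a negative File-store stream depth disables that option;
    - when it is disabled, or file extraction is off, Stream reassembly depth applies;
    - a depth of 0 means no limit.
    """
    if not file_extraction or file_store_depth_mb < 0:
        depth = stream_reassembly_depth_mb
    else:
        depth = file_store_depth_mb
    return None if depth == 0 else depth


def will_truncate(file_size_mb, depth_mb):
    """True when a file of this size would be cut at the effective depth."""
    return depth_mb is not None and file_size_mb > depth_mb


def check_limits(file_store_depth_mb, stream_reassembly_depth_mb):
    """Warnings for values the documentation flags as unsafe (assumed wording)."""
    warnings = []
    if file_store_depth_mb > 100:
        warnings.append("file_store_stream_depth_mb must not exceed 100 MB")
    if 0 < file_store_depth_mb < stream_reassembly_depth_mb:
        warnings.append("File-store stream depth is below Stream reassembly depth")
    return warnings


if __name__ == "__main__":
    # Default profile: both depths at 10 MB, extraction enabled.
    depth = effective_depth_mb(True, 10, 10)
    print("effective depth:", depth, "MB; 25 MB file truncated:", will_truncate(25, depth))
    print("warnings for 200 MB:", check_limits(200, 10))
```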
5.6.14.2.1.2. Default configuration of the `Base variables` section

| Variables | Values |
|---|---|
| File extraction (On/Off) | Enabled |
| File-store stream depth (MB) | 10 |
| Stream reassembly depth (MB) | 10 |
| SMB Stream Depth (MB) | 10 |
| MQTT Max message length (MB) | 10 |
5.6.14.2.2. `HTTP Proxy` zone
The `HTTP Proxy` zone enables enhanced metadata and alerts for streams carrying the X-Forwarded-For (XFF) HTTP header.
5.6.14.2.2.1. Description of the `HTTP Proxy` zone
This zone includes the following items:
| Item | Function |
|---|---|
| 1 | `XFF (On/Off)` selector: enables handling of the HTTP X-Forwarded-For header, either by adding a new field or by overwriting the source or destination IP address (depending on the direction of the flow) with the IP indicated in this header. Whether a field is added or the address is overwritten is controlled by the `XFF mode` directive. This is useful when processing flows behind a reverse proxy, for example. |
| 2 | `XFF deployment`: type of XFF deployment. Two types of deployment are available (reverse or forward). In a reverse deployment, the IP address used is the last one, while in a forward deployment, the IP address used is the first one. |
| 3 | `XFF mode`: expected behavior when XFF is activated. Two operating modes are available, extra-data or overwrite. Note that in overwrite mode, if the IP address reported in the HTTP X-Forwarded-For header is of a different IP version from the received packet, the engine switches to 'extra-data' mode. |
| 4 | `XFF header`: the name of the HTTP header in which the real IP address is present. If more than one IP address is present, the last one is taken into account. |
5.6.14.2.2.2. Default configuration of the `HTTP Proxy` zone settings

| Variables | Values |
|---|---|
| XFF (On/Off) | Enabled |
| XFF mode | Extra-data |
| XFF deployment | Reverse |
| XFF header | X-Forwarded-For |
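The XFF settings above decide which address in the header is trusted (last for reverse, first for forward), whether it replaces the packet address or is added as a separate field, and what happens when the header address and the packet address are of different IP versions. The following Python is an added example, not GCenter or GCap code: it applies those rules to a constructed HTTP event, with the defaults from the table as the starting configuration. The dict layout, field names (`src_ip`, `dest_ip`, `direction`, `xff`) and function names are assumptions of this example.

```python
import ipaddress

# Default `HTTP Proxy` settings from the table above (assumed dict layout).
DEFAULT_XFF = {
    "enabled": True,
    "mode": "extra-data",
    "deployment": "reverse",
    "header": "X-Forwarded-For",
}


def pick_xff_address(header_value, deployment):
    """Pick the client address from an XFF header value.

    Reverse deployment: the last address, i.e. the one appended by the proxy
    in front of the monitored server. Forward deployment: the first address.
    Tokens that are not IP addresses (e.g. 'unknown') are ignored.
    """
    addresses = []
    for token in header_value.split(","):
        try:
            addresses.append(ipaddress.ip_address(token.strip()))
        except ValueError:
            continue
    if not addresses:
        return None
    return addresses[-1] if deployment == "reverse" else addresses[0]


def apply_xff(event, headers, settings=DEFAULT_XFF):
    """Enrich a constructed HTTP event dict according to the XFF settings.

    `event` carries 'src_ip', 'dest_ip' and 'direction' ('to_server' or
    'to_client'). Returns (new_event, mode_used); mode_used is None when the
    header is absent or XFF is off. Overwrite falls back to extra-data when
    the header address is a different IP version from the packet address.
    """
    out = dict(event)
    if not settings["enabled"]:
        return out, None
    raw = headers.get(settings["header"])
    if raw is None:
        return out, None
    addr = pick_xff_address(raw, settings["deployment"])
    if addr is None:
        return out, None
    # Which packet address the header replaces depends on the flow direction.
    field = "src_ip" if event["direction"] == "to_server" else "dest_ip"
    mode = settings["mode"]
    if mode == "overwrite" and ipaddress.ip_address(event[field]).version != addr.version:
        mode = "extra-data"
    if mode == "overwrite":
        out[field] = str(addr)
    else:
        out["xff"] = str(addr)
    return out, mode


if __name__ == "__main__":
    # Constructed request event and header, as seen behind a reverse proxy.
    event = {"src_ip": "192.0.2.10", "dest_ip": "10.0.0.5", "direction": "to_server"}
    headers = {"X-Forwarded-For": "203.0.113.5, 198.51.100.7"}
    print(apply_xff(event, headers))
    print(apply_xff(event, headers, dict(DEFAULT_XFF, mode="overwrite")))
```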
5.6.14.2.3. `Payload` zone
The `Payload` zone enables alerts to be enriched with the content of the stream that triggered them.
5.6.14.2.3.1. Description of the `Payload` zone
This zone includes the following items:

| Item | Function |
|---|---|
| 1 | |
| 2 | `Http body`: adds a field containing the body of HTTP requests encoded in base64. This parameter requires metadata to work. |
| 3 | |
| 4 | `Http body printable`: adds a field containing the body of HTTP requests in ASCII format. This parameter requires metadata to work. |
| 5 | |
| 6 | |
5.6.14.2.3.2. Default configuration of the `Payload` zone settings

| Variables | Values |
|---|---|
| Payload | Enabled |
| Payload printable | Enabled |
| Packet | Enabled |
| Http body | Disabled |
| Http body printable | Disabled |
| Payload buffer size | 4096 |
5.6.14.2.4. `Community ID` zone
This zone enables:
- Activating the `Community ID` field in events, which identifies the network streams being analyzed
- Configuring the "seed" so that it is identical to the one used by the other tools in the same information system
5.6.14.2.4.1. Description of the `Community ID` zone
This zone includes the following items:

| Item | Function |
|---|---|
| 1 | |
| 2 | |
5.6.14.2.4.2. Default configuration of the `Community ID` zone settings

| Variables | Values |
|---|---|
| On/Off | Enabled |
| Community ID seed | 0 |
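The seed matters because it is hashed into the identifier: two tools (the GCap and, say, a Zeek or Suricata sensor) only produce the same `Community ID` for the same flow if they share the seed. The following Python is an added example, not GCap or GCenter code, that computes a Community ID v1 value for a TCP/UDP/SCTP flow as the public scheme defines it (SHA-1 over seed, ordered endpoints, protocol, padding byte and ports, base64-encoded with a `1:` prefix), so a seed mismatch can be reproduced offline. The flow tuples, event dict layout and function names are constructed for this example; ICMP pseudo-port mapping is deliberately left out.

```python
import base64
import hashlib
import ipaddress
import struct

# IANA protocol numbers the v1 scheme treats as port-based.
PORT_PROTOCOLS = {6: "tcp", 17: "udp", 132: "sctp"}


def community_id_v1(src_ip, dst_ip, src_port, dst_port, proto, seed=0):
    """Community ID v1 for a port-based flow.

    Bytes hashed with SHA-1: seed (uint16 BE) | src addr | dst addr |
    proto (uint8) | 0x00 | src port (uint16 BE) | dst port (uint16 BE),
    after ordering the endpoints so both directions yield the same ID.
    """
    if proto not in PORT_PROTOCOLS:
        raise ValueError("only TCP/UDP/SCTP are handled in this example")
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if src.version != dst.version:
        raise ValueError("mixed address families")
    # Canonical ordering: smaller (address, port) pair first.
    if src.packed > dst.packed or (src.packed == dst.packed and src_port > dst_port):
        src, dst = dst, src
        src_port, dst_port = dst_port, src_port
    data = struct.pack("!H", seed) + src.packed + dst.packed
    data += struct.pack("!BBHH", proto, 0, src_port, dst_port)
    digest = hashlib.sha1(data).digest()
    return "1:" + base64.b64encode(digest).decode("ascii")


def tag_event(event, seed=0):
    """Add the community_id field to a constructed flow event dict."""
    tagged = dict(event)
    tagged["community_id"] = community_id_v1(
        event["src_ip"], event["dest_ip"],
        event["src_port"], event["dest_port"],
        event["proto"], seed,
    )
    return tagged


def correlate(event_a, event_b):
    """True when two events (possibly from different tools) carry the same ID."""
    return event_a["community_id"] == event_b["community_id"]


if __name__ == "__main__":
    # Constructed flow: a client on 128.232.110.120 talking to a web server.
    request = {"src_ip": "128.232.110.120", "dest_ip": "66.35.250.204",
               "src_port": 34855, "dest_port": 80, "proto": 6}
    reply = {"src_ip": "66.35.250.204", "dest_ip": "128.232.110.120",
             "src_port": 80, "dest_port": 34855, "proto": 6}
    print("same seed :", correlate(tag_event(request, 0), tag_event(reply, 0)))
    print("seed 0 vs 1:", correlate(tag_event(request, 0), tag_event(reply, 1)))
```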
5.6.14.2.5. `Alerting and logging` zone
This zone enables configuring the `alerting` and `logging` of the protocols used by the GCap.
Note
As the GCap is one version ahead of the GCenter, some protocols may not yet be implemented in the latter.
This is discussed in more detail in the GCap documentation, in the section Sigflow detection engine > Rebuilding files.
5.6.14.2.5.1. Description of the `Alerting and logging` zone
This zone includes the following items:

| Item | Function |
|---|---|
| 1 | Selector for choosing the hash function for reconstructed files (md5, sha1 and sha256). By default, md5 is selected. The sha256 hash will in all cases be added by the Malcore module. |
| 2 | List of protocols. For each of these protocols, the following are listed: |

The default profile is selected as follows:
- Use the `GCaps pairing and status` command in the `Admin-GCaps pairing and status` screen of the legacy Web UI.
- Select a default profile such as Minimal, Balanced, MPL, Paranoid or Intuitio (listed in order from most to least permissive).
- This profile is loaded into the GCap with the `Update` button. From this moment on, this profile is loaded into the selected GCap and can therefore be viewed in the `Base variables` window.
- If necessary, use the `Reset to default configuration` command to reload this default profile with the default values.
In addition to these protocols, it is also possible to generate `Netflow` data and enable `fingerprint JA3`. Both options are disabled by default (`Balanced` profile).
Warning
Enabling NetFlow data generation will create a great deal of metadata.
5.6.14.2.5.2. Default settings for the available profiles

| Protocols | Minimal | Balanced | MPL | Paranoid | Intuitio |
|---|---|---|---|---|---|
| dns_udp | Disabled | Enabled | Enabled | Enabled | Enabled |
| dns_tcp | Disabled | Enabled | Enabled | Enabled | Enabled |
| http | Enabled | Enabled | Enabled | Enabled | Enabled |
| http2 | Enabled | Enabled | Enabled | Enabled | Enabled |
| tls | Disabled | Enabled | Enabled | Enabled | Enabled |
| smtp | Enabled | Enabled | Enabled | Enabled | Enabled |
| smb | Disabled | Enabled | Disabled | Enabled | Enabled |
| nfs | Disabled | Enabled | Disabled | Enabled | Enabled |
| ftp | Disabled | Enabled | Enabled | Enabled | Enabled |
| tftp | Disabled | Enabled | Disabled | Enabled | Enabled |
| ssh | Disabled | Enabled | Disabled | Enabled | Enabled |
| kerberos | Disabled | Enabled | Disabled | Enabled | Enabled |
| dhcp | Disabled | Enabled | Disabled | Enabled | Enabled |
| snmp | Disabled | Disabled | Disabled | Enabled | Disabled |
| rdp | Disabled | Disabled | Disabled | Enabled | Enabled |
| rfb | Disabled | Disabled | Disabled | Enabled | Disabled |
| ikev2 | Disabled | Disabled | Disabled | Enabled | Disabled |
| sip | Disabled | Disabled | Disabled | Enabled | Disabled |
| modbus | Disabled | Disabled | Disabled | Enabled | Disabled |
| dhp3 | Disabled | Disabled | Disabled | Enabled | Disabled |
| dcerpc | Disabled | Disabled | Disabled | Enabled | Disabled |
| mqtt | Disabled | Disabled | Disabled | Enabled | Disabled |
| ntp | Disabled | Enabled | Disabled | Enabled | Disabled |
| enip | Disabled | Enabled | Disabled | Enabled | Disabled |

| Protocols | Minimal | Balanced | MPL | Paranoid | Intuitio |
|---|---|---|---|---|---|
| dns_udp | Disabled | Enabled | Enabled | Enabled | Enabled |
| dns_tcp | Disabled | Enabled | Enabled | Enabled | Enabled |
| http | Disabled | Enabled | Enabled | Enabled | Enabled |
| http2 | Disabled | Enabled | Enabled | Enabled | Enabled |
| tls | Disabled | Enabled | Enabled | Enabled | Enabled |
| smtp | Disabled | Enabled | Enabled | Enabled | Enabled |
| smb | Disabled | Enabled | Disabled | Enabled | Enabled |
| nfs | Disabled | Enabled | Disabled | Enabled | Enabled |
| ftp | Disabled | Enabled | Enabled | Enabled | Enabled |
| tftp | Disabled | Enabled | Disabled | Enabled | Enabled |
| ssh | Disabled | Enabled | Disabled | Enabled | Enabled |
| kerberos | Disabled | Enabled | Disabled | Enabled | Enabled |
| dhcp | Disabled | Enabled | Disabled | Enabled | Enabled |
| snmp | Disabled | Disabled | Disabled | Enabled | Disabled |
| rdp | Disabled | Disabled | Disabled | Enabled | Enabled |
| rfb | Disabled | Disabled | Disabled | Enabled | Disabled |
| ikev2 | Disabled | Disabled | Disabled | Enabled | Disabled |
| sip | Disabled | Disabled | Disabled | Enabled | Disabled |
| dhp3 | Disabled | Disabled | Disabled | Enabled | Disabled |
| dcerpc | Disabled | Disabled | Disabled | Disabled | Disabled |
| mqtt | Disabled | Disabled | Disabled | Enabled | Disabled |
5.6.14.3. `Net variables` section of the `Config Gcaps profiles` menu
5.6.14.3.1. Information on the `Net variables` section
In the structure of a rule, just after 'alert' and the protocol keyword, it is possible to use variables that define groups of IP addresses.
In the following example:

```
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN NULL"; flow:stateless; ack:0; flags:0; seq:0; reference:arachnids,4; classtype:attempted-recon; sid:2100623; rev:7;)
```

Each variable can be set in one of three ways, and the rule behaves according to the chosen value:
- `list`: enables the action of the rule to be defined in relation to the variable
- `default (equals to HOME_NET)`: enables defining the action of the rule in relation to the addresses given in the HOME_NET environment
- `exclude (opposite of HOME_NET)`: enables the rule to be used for all addresses that are not part of the HOME_NET environment
Note
Good practice for the $EXTERNAL_NET variable is to choose the value "Opposite of HOME_NET", i.e. anything that is not $HOME_NET by definition.
The `Net variables` area enables defining the contents of these variables used in Sigflow rules.
5.6.14.3.2. Description of the `Net variables` zone
This zone includes the following items:

| Item | Function | Settings |
|---|---|---|
| 1 | GCAP selected | |
| 2 | Variable areas: these are listed below: | |
| | | CIDR address / CIDR address / CIDR address |
| | | List / Equals to HOME_NET / Opposite of HOME_NET |
| | | List / Equals to HOME_NET / Opposite of HOME_NET |
| | | List / Equals to HOME_NET / Opposite of HOME_NET |
| | | List / Equals to HOME_NET / Opposite of HOME_NET |
| | | List / Equals to HOME_NET / Opposite of HOME_NET |
| | | List / Equals to HOME_NET / Opposite of HOME_NET |
| | | List / Equals to HOME_NET / Opposite of HOME_NET |
| | | List / Equals to HOME_NET / Opposite of HOME_NET |
| | | List / Equals to HOME_NET / Opposite of HOME_NET |
| | | List / Equals to HOME_NET / Opposite of HOME_NET |
| | | List / Equals to HOME_NET / Opposite of HOME_NET |
| | | List / Equals to HOME_NET / Opposite of HOME_NET |
| 3 | | |
| 4 | | |
| 5 | | |
5.6.14.3.3. Default configuration of the `Net variables` section

| Variables | Settings | Default value |
|---|---|---|
| home_net | CIDR address, CIDR address, CIDR address | 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 |
| external_net | List / Equals to HOME_NET / Opposite of HOME_NET | Opposite of HOME_NET |
| http_servers | List / Equals to HOME_NET / Opposite of HOME_NET | Equals to HOME_NET |
| smtp_servers | List / Equals to HOME_NET / Opposite of HOME_NET | Equals to HOME_NET |
| sql_servers | List / Equals to HOME_NET / Opposite of HOME_NET | Equals to HOME_NET |
| dns_servers | List / Equals to HOME_NET / Opposite of HOME_NET | Equals to HOME_NET |
| telnet_servers | List / Equals to HOME_NET / Opposite of HOME_NET | Equals to HOME_NET |
| aim_servers | List / Equals to HOME_NET / Opposite of HOME_NET | Equals to HOME_NET |
| dnp3_servers | List / Equals to HOME_NET / Opposite of HOME_NET | Equals to HOME_NET |
| modbus_servers | List / Equals to HOME_NET / Opposite of HOME_NET | Equals to HOME_NET |
| modbus_clients | List / Equals to HOME_NET / Opposite of HOME_NET | Equals to HOME_NET |
| enip_servers | List / Equals to HOME_NET / Opposite of HOME_NET | Equals to HOME_NET |
| enip_clients | List / Equals to HOME_NET / Opposite of HOME_NET | Equals to HOME_NET |

Attention
When pairing a GCap, the `Net variables` have the above default values (3 home_net declared and active by default).
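To see what the three settings (a CIDR list, `Equals to HOME_NET`, `Opposite of HOME_NET`) do to a rule such as the `$EXTERNAL_NET any -> $HOME_NET any` example above, the following Python is an added example, not Sigflow or GCenter code. It resolves the variables from the default table and matches the address part of a rule header against a packet; it also shows why the note recommends `Opposite of HOME_NET` for `$EXTERNAL_NET`: set to `Equals to HOME_NET`, an internal-to-internal packet matches a rule meant for external sources. The dict layout, the keyword strings used as settings and the function names are assumptions of this example; ports are parsed but not evaluated.

```python
import ipaddress

# Default `Net variables` from the table above. "List" entries are CIDR lists,
# the other two settings are the keywords shown in the Settings column.
DEFAULT_NET_VARIABLES = {
    "home_net": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "external_net": "Opposite of HOME_NET",
    "http_servers": "Equals to HOME_NET",
    "smtp_servers": "Equals to HOME_NET",
    "sql_servers": "Equals to HOME_NET",
    "dns_servers": "Equals to HOME_NET",
    "telnet_servers": "Equals to HOME_NET",
    "aim_servers": "Equals to HOME_NET",
    "dnp3_servers": "Equals to HOME_NET",
    "modbus_servers": "Equals to HOME_NET",
    "modbus_clients": "Equals to HOME_NET",
    "enip_servers": "Equals to HOME_NET",
    "enip_clients": "Equals to HOME_NET",
}


def resolve_variable(name, variables):
    """Return (networks, negated) for a variable name such as 'external_net'."""
    setting = variables[name]
    if isinstance(setting, list):
        return [ipaddress.ip_network(c) for c in setting], False
    home = [ipaddress.ip_network(c) for c in variables["home_net"]]
    if setting == "Equals to HOME_NET":
        return home, False
    if setting == "Opposite of HOME_NET":
        return home, True
    raise ValueError(f"unknown setting for {name}: {setting!r}")


def address_in(token, ip, variables):
    """Evaluate a rule address token: 'any', '$HOME_NET', '!$HOME_NET', ..."""
    if token == "any":
        return True
    negate = token.startswith("!")
    token = token.lstrip("!")
    if not token.startswith("$"):
        raise ValueError("only variables and 'any' are handled in this example")
    nets, negated = resolve_variable(token[1:].lower(), variables)
    inside = any(ipaddress.ip_address(ip) in net for net in nets)
    result = (not inside) if negated else inside
    return (not result) if negate else result


def rule_header_matches(header, src_ip, dst_ip, variables=DEFAULT_NET_VARIABLES):
    """Match the address part of a rule header against a packet.

    `header` looks like "alert tcp $EXTERNAL_NET any -> $HOME_NET any";
    tokens are: action proto src_addr src_port direction dst_addr dst_port.
    """
    parts = header.split()
    src_spec, direction, dst_spec = parts[2], parts[4], parts[5]
    forward = address_in(src_spec, src_ip, variables) and address_in(dst_spec, dst_ip, variables)
    if direction == "->":
        return forward
    if direction == "<>":
        backward = address_in(src_spec, dst_ip, variables) and address_in(dst_spec, src_ip, variables)
        return forward or backward
    raise ValueError(f"unknown direction {direction!r}")


if __name__ == "__main__":
    header = "alert tcp $EXTERNAL_NET any -> $HOME_NET any"
    print("internet -> LAN :", rule_header_matches(header, "198.51.100.20", "10.1.2.3"))
    print("LAN -> LAN      :", rule_header_matches(header, "10.1.2.3", "10.4.5.6"))
    bad = dict(DEFAULT_NET_VARIABLES, external_net="Equals to HOME_NET")
    print("LAN -> LAN (bad):", rule_header_matches(header, "10.1.2.3", "10.4.5.6", bad))
```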
5.6.14.4. `Flow timeouts` section of the `Config Gcaps profiles` menu
The `Flow timeouts` section enables configuring the time in seconds that Sigflow keeps a flow in memory depending on its status.
5.6.14.4.1. Description of the `Flow timeouts` section
This section includes the following items:

| Item | Function |
|---|---|
| 1 | GCap selected |
| 2 | List of protocols. For each of these protocols, the following are listed: |
| 9 | |

Caution
TCP protocol (11): `New`, `Established`, `Closed`.
UDP (10) and ICMP (12) protocols: `New`, `Established`.
`Emergency_new`, `Emergency_established` and `Emergency_closed` are the emergency modes for the three states of TCP, UDP, and ICMP.
5.6.14.4.2. Default configuration of the `Flow timeouts` section
The default configuration used depending on the protocol (all values are in seconds):

| Protocol | New | Established | Closed | Emergency new | Emergency established | Emergency closed |
|---|---|---|---|---|---|---|
| udp | 30 | 300 | | 10 | 100 | |
| tcp | 30 | 300 | 0 | 10 | 100 | 0 |
| icmp | 30 | 300 | | 10 | 100 | |
| default | 30 | 300 | | 10 | 100 | |
5.6.14.5. `File rule management` section of the `Config Gcaps profiles` menu
5.6.14.5.1. Information on the `File rule management` section
The `Files rules management` section enables configuring the file types that the probe will retrieve for a given protocol. Each extracted file is described by metadata such as:
- Time stamp
- Source/destination IP address
- Protocol
- Source/destination port
- Size
- md5sum, etc.
Each line of the `Files rules management` section corresponds to an extraction rule for a file type.
Note
Too many file extraction rules can have a significant impact on the performance of the GCap.
Note
Changes to this section require the GCap configuration to be backed up and implemented via the `Apply` button.
5.6.14.5.2. Description of the `File rule management` section
This section includes the following items:
- 1: Defining a file rule. It includes the following fields:
  - The `Protocole` field (3) enables selecting the protocol for which the file will be extracted, from among FTP, HTTP, HTTP2, NFS, SMB, SMTP.
  - The `Type` field (4) enables defining the way Sigflow recognizes the file. The available choices are:
    - The `extension` choice: taking into account the file extension
    - The `filemagic` choice: taking into account the type of the extracted file. The `file` command under Linux enables obtaining this information. See the note below.
  - The `Value` field (5): identifier of the file that will be rebuilt according to the previously configured type:
    - if the `extension` choice is selected in the type field, then this extension must be specified, e.g. `js` for a Javascript file, `exe` for a Windows executable file
    - if the `filemagic` choice is selected in the type field, then this information must be specified, e.g. `Javascript` for a Javascript file, `PE32 executable` for a Windows executable file
  - The `ENABLE` choice (8): selector to activate this rule
  - The `DELETE` choice (9): deletes this line
- 2: GCAP selected
- 6: `ADD FILE RULE` button adds a new rule. In the window that opens, fill in the information: Protocol, Type, Value, Enable bullet, etc.
- 7: `LOAD CONFIG` button enables importing a pre-configured configuration file (Excel type file)
- 9: `DOWNLOAD TEMPLATE` button: enables a template configuration file to be downloaded and populated. See the DOWNLOAD TEMPLATE note.
- 11: `Apply` button enables the settings to be saved and makes the rulesets available to GCaps
Note
The `file` command under Linux enables obtaining this information:

```shell
xxx@debian:~$ file ~/Téléchargements/xxx.exe
/home/xxx/Téléchargements/xxx.exe: PE32 executable (console) Intel 80386, for MS Windows
```

Note
It is strongly recommended to use the filemagic type. This is more accurate because it is based on the file's content and not on its extension. A file is therefore reconstructed for what it really is.
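The difference between the `extension` and `filemagic` types is easiest to see on a file whose name lies about its content. The following Python is an added example, not GCap code and not libmagic: it implements a handful of content signatures phrased like the libmagic descriptions used in the `Value` field (PE32 vs PE32+ is read from the optional-header magic, as `file` does), evaluates constructed rules in the shape of the table below against a file, and shows that a PE image named `invoice.pdf` is caught by a `filemagic` rule but missed by an `exe` extension rule. Rule dict layout, function names and the minimal PE image are constructed for this example.

```python
import struct

# Constructed rules in the shape of the `File rule management` table.
RULES = [
    {"protocol": "http", "type": "extension", "value": "exe", "enabled": True},
    {"protocol": "http", "type": "filemagic", "value": "PE32 executable", "enabled": True},
    {"protocol": "http", "type": "filemagic", "value": "PDF document", "enabled": True},
    {"protocol": "smb", "type": "filemagic", "value": "PE32 executable", "enabled": False},
]


def file_magic(data):
    """Minimal content-based type detection with libmagic-style short names.

    Covers a few of the values in the table below; it is not libmagic itself.
    """
    if data[:2] == b"MZ" and len(data) >= 0x40:
        pe_off = struct.unpack_from("<I", data, 0x3C)[0]   # e_lfanew
        if data[pe_off:pe_off + 4] == b"PE\0\0" and len(data) >= pe_off + 26:
            # Optional header magic follows the 20-byte COFF header:
            # 0x10b = PE32, 0x20b = PE32+ (64-bit image).
            opt_magic = struct.unpack_from("<H", data, pe_off + 24)[0]
            return "PE32+ executable" if opt_magic == 0x20B else "PE32 executable"
        return "MS-DOS executable"
    if data[:4] == b"\x7fELF":
        return "ELF"
    if data[:5] == b"%PDF-":
        return "PDF document"
    if data[:4] == b"PK\x03\x04":
        return "Zip archive data"
    if data[:2] == b"\x1f\x8b":
        return "gzip compressed data"
    if data[:6] == b"7z\xbc\xaf\x27\x1c":
        return "7-zip archive data"
    return "data"


def rule_applies(rule, protocol, filename, data):
    """Does one extraction rule select this file seen over this protocol?"""
    if not rule["enabled"] or rule["protocol"] != protocol:
        return False
    if rule["type"] == "extension":
        ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
        return ext == rule["value"].lower()
    if rule["type"] == "filemagic":
        # libmagic descriptions are prefixes of the full `file` output.
        return file_magic(data).startswith(rule["value"])
    raise ValueError(f"unknown rule type {rule['type']!r}")


def matching_rules(rules, protocol, filename, data):
    return [r for r in rules if rule_applies(r, protocol, filename, data)]


def fake_pe(opt_magic=0x10B):
    """Constructed minimal PE image: DOS header pointing at a PE header at 0x40."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + b"\0" * 20
    return dos + coff + struct.pack("<H", opt_magic)


if __name__ == "__main__":
    disguised = fake_pe()
    print("invoice.pdf over http :", [r["value"] for r in matching_rules(RULES, "http", "invoice.pdf", disguised)])
    print("setup.exe over http   :", [r["value"] for r in matching_rules(RULES, "http", "setup.exe", disguised)])
    print("file_magic of PE32+   :", file_magic(fake_pe(0x20B)))
```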
Note
DOWNLOAD TEMPLATE
The `DOWNLOAD TEMPLATE` button downloads a .csv file to the user's PC.
- Use the `GCaps pairing and status` command in the Web UI
- Select a default profile such as Minimal, Balanced, MPL, Paranoid or Intuitio
- If necessary, use the `Reset to default configuration` command.
5.6.14.5.3. Rules applied depending on the GCap profile used
| Protocols | Type | Values | Minimal | Balanced | LPM | Paranoid | Intuitio |
|---|---|---|---|---|---|---|---|
| ftp | filemagic | 7-zip archive data | Disabled | Enabled | Enabled | Enabled | Enabled |
| ftp | filemagic | COM executable | Disabled | Enabled | Enabled | Enabled | Enabled |
| ftp | filemagic | Composite Document File V2 | Disabled | Enabled | Enabled | Enabled | Enabled |
| ftp | filemagic | DOS batch | Disabled | Enabled | Enabled | Enabled | Enabled |
| ftp | filemagic | ELF | Disabled | Enabled | Enabled | Enabled | Enabled |
| ftp | filemagic | Java archive data | Disabled | Enabled | Enabled | Enabled | Enabled |
| ftp | filemagic | Javascript | Disabled | Enabled | Disabled | Enabled | Enabled |
| ftp | filemagic | MS Windows shortcut | Disabled | Enabled | Enabled | Enabled | Enabled |
| ftp | filemagic | MS-DOS executable | Disabled | Enabled | Enabled | Enabled | Enabled |
| ftp | filemagic | Mach-O | Disabled | Enabled | Enabled | Enabled | Enabled |
| ftp | filemagic | Macromedia Flash | Disabled | Enabled | Enabled | Enabled | Enabled |
| ftp | filemagic | Microsoft Cabinet archive data | Disabled | Enabled | Enabled | Enabled | Enabled |
| ftp | filemagic | Microsoft Excel | Disabled | Enabled | Enabled | Enabled | Enabled |
| ftp | filemagic | Microsoft OOXML | Disabled | Enabled | Enabled | Enabled | Enabled |
| ftp | filemagic | Microsoft Office Document | Disabled | Enabled | Enabled | Enabled | Enabled |
| ftp | filemagic | Microsoft PowerPoint | Disabled | Enabled | Enabled | Enabled | Enabled |
| ftp | filemagic | Microsoft Word | Disabled | Enabled | Enabled | Enabled | Enabled |
| ftp | filemagic | Node.js script text | Disabled | Enabled | Enabled | Enabled | Enabled |
| ftp | filemagic | OS/2 REXX batch file | Disabled | Enabled | Enabled | Enabled | Enabled |
| ftp | filemagic | OpenDocument | Disabled | Enabled | Enabled | Enabled | Enabled |
| ftp | filemagic | PDF document | Disabled | Enabled | Enabled | Enabled | Enabled |
| ftp | filemagic | PE32 executable | Disabled | Enabled | Enabled | Enabled | Enabled |
| ftp | filemagic | PE32 executable (DLL) | Disabled | Enabled | Enabled | Enabled | Enabled |
| ftp | filemagic | PE32+ executable | Disabled | Enabled | Enabled | Enabled | Enabled |
| ftp | filemagic | POSIX tar archive | Disabled | Enabled | Enabled | Enabled | Enabled |
| ftp | filemagic | RAR archive data | Disabled | Enabled | Enabled | Enabled | Enabled |
| ftp | filemagic | Zip archive data | Disabled | Enabled | Enabled | Enabled | Enabled |
| ftp | filemagic | gzip compressed data | Disabled | Enabled | Enabled | Enabled | Enabled |
| http | filemagic | 7-zip archive data | Disabled | Enabled | Enabled | Enabled | Enabled |
| http | filemagic | COM executable | Disabled | Enabled | Enabled | Enabled | Enabled |
| http | filemagic | Composite Document File V2 | Disabled | Enabled | Enabled | Enabled | Enabled |
| http | filemagic | DOS batch | Disabled | Enabled | Enabled | Enabled | Enabled |
| http | filemagic | ELF | Disabled | Enabled | Enabled | Enabled | Enabled |
| http | filemagic | Java archive data | Disabled | Enabled | Enabled | Enabled | Enabled |
| http | filemagic | Javascript | Disabled | Enabled | Disabled | Enabled | Enabled |
| http | filemagic | MS Windows shortcut | Disabled | Enabled | Enabled | Enabled | Enabled |
| http | filemagic | MS-DOS executable | Disabled | Enabled | Enabled | Enabled | Enabled |
| http | filemagic | Mach-O | Disabled | Enabled | Enabled | Enabled | Enabled |
| http | filemagic | Macromedia Flash | Disabled | Enabled | Enabled | Enabled | Enabled |
| http | filemagic | Microsoft Cabinet archive data | Disabled | Enabled | Enabled | Enabled | Enabled |
| http | filemagic | Microsoft Excel | Disabled | Enabled | Enabled | Enabled | Enabled |
| http | filemagic | Microsoft OOXML | Disabled | Enabled | Enabled | Enabled | Enabled |
| http | filemagic | Microsoft Office Document | Disabled | Enabled | Enabled | Enabled | Enabled |
| http | filemagic | Microsoft PowerPoint | Disabled | Enabled | Enabled | Enabled | Enabled |
| http | filemagic | Microsoft Word | Disabled | Enabled | Enabled | Enabled | Enabled |
| http | filemagic | Node.js script text | Disabled | Enabled | Enabled | Enabled | Enabled |
| http | filemagic | OS/2 REXX batch file | Disabled | Enabled | Enabled | Enabled | Enabled |
| http | filemagic | OpenDocument | Disabled | Enabled | Enabled | Enabled | Enabled |
| http | filemagic | PDF document | Disabled | Enabled | Enabled | Enabled | Enabled |
| http | filemagic | PE32 executable | Disabled | Enabled | Enabled | Enabled | Enabled |
| http | filemagic | PE32 executable (DLL) | Disabled | Enabled | Enabled | Enabled | Enabled |
| http | filemagic | PE32+ executable | Disabled | Enabled | Enabled | Enabled | Enabled |
| http | filemagic | POSIX tar archive | Disabled | Enabled | Enabled | Enabled | Enabled |
| http | filemagic | RAR archive data | Disabled | Enabled | Enabled | Enabled | Enabled |
| http | filemagic | Zip archive data | Disabled | Enabled | Enabled | Enabled | Enabled |
| http | filemagic | gzip compressed data | Disabled | Enabled | Enabled | Enabled | Enabled |
| nfs | filemagic | 7-zip archive data | Disabled | Disabled | Disabled | Enabled | Enabled |
| nfs | filemagic | COM executable | Disabled | Disabled | Disabled | Enabled | Enabled |
| nfs | filemagic | Composite Document File V2 | Disabled | Disabled | Disabled | Enabled | Enabled |
| nfs | filemagic | DOS batch | Disabled | Disabled | Disabled | Enabled | Enabled |
| nfs | filemagic | ELF | Disabled | Disabled | Disabled | Enabled | Enabled |
| nfs | filemagic | Java archive data | Disabled | Disabled | Disabled | Enabled | Enabled |
| nfs | filemagic | Javascript | Disabled | Disabled | Disabled | Disabled | Enabled |
| nfs | filemagic | MS Windows shortcut | Disabled | Disabled | Disabled | Enabled | Enabled |
| nfs | filemagic | MS-DOS executable | Disabled | Disabled | Disabled | Enabled | Enabled |
| nfs | filemagic | Mach-O | Disabled | Disabled | Disabled | Enabled | Enabled |
| nfs | filemagic | Macromedia Flash | Disabled | Disabled | Disabled | Enabled | Enabled |
| nfs | filemagic | Microsoft Cabinet archive data | Disabled | Disabled | Disabled | Enabled | Enabled |
| nfs | filemagic | Microsoft Excel | Disabled | Disabled | Disabled | Enabled | Enabled |
| nfs | filemagic | Microsoft OOXML | Disabled | Disabled | Disabled | Enabled | Enabled |
| nfs | filemagic | Microsoft Office Document | Disabled | Disabled | Disabled | Enabled | Enabled |
| nfs | filemagic | Microsoft PowerPoint | Disabled | Disabled | Disabled | Enabled | Enabled |
| nfs | filemagic | Microsoft Word | Disabled | Disabled | Disabled | Enabled | Enabled |
| nfs | filemagic | Node.js script text | Disabled | Disabled | Disabled | Enabled | Enabled |
| nfs | filemagic | OS/2 REXX batch file | Disabled | Disabled | Disabled | Enabled | Enabled |
| nfs | filemagic | OpenDocument | Disabled | Disabled | Disabled | Enabled | Enabled |
| nfs | filemagic | PDF document | Disabled | Disabled | Disabled | Enabled | Enabled |
| nfs | filemagic | PE32 executable | Disabled | Disabled | Disabled | Enabled | Enabled |
| nfs | filemagic | PE32 executable (DLL) | Disabled | Disabled | Disabled | Enabled | Enabled |
| nfs | filemagic | PE32+ executable | Disabled | Disabled | Disabled | Enabled | Enabled |
| nfs | filemagic | POSIX tar archive | Disabled | Disabled | Disabled | Enabled | Enabled |
| nfs | filemagic | RAR archive data | Disabled | Disabled | Disabled | Enabled | Enabled |
| nfs | filemagic | Zip archive data | Disabled | Disabled | Disabled | Enabled | Enabled |
| nfs | filemagic | gzip compressed data | Disabled | Disabled | Disabled | Enabled | Enabled |
| smb | filemagic | 7-zip archive data | Disabled | Disabled | Disabled | Enabled | Enabled |
| smb | filemagic | COM executable | Disabled | Disabled | Disabled | Enabled | Enabled |
| smb | filemagic | Composite Document File V2 | Disabled | Disabled | Disabled | Enabled | Enabled |
| smb | filemagic | DOS batch | Disabled | Disabled | Disabled | Enabled | Enabled |
| smb | filemagic | ELF | Disabled | Disabled | Disabled | Enabled | Enabled |
| smb | filemagic | Java archive data | Disabled | Disabled | Disabled | Enabled | Enabled |
| smb | filemagic | Javascript | Disabled | Disabled | Disabled | Disabled | Enabled |
| smb | filemagic | MS Windows shortcut | Disabled | Disabled | Disabled | Enabled | Enabled |
| smb | filemagic | MS-DOS executable | Disabled | Disabled | Disabled | Enabled | Enabled |
| smb | filemagic | Mach-O | Disabled | Disabled | Disabled | Enabled | Enabled |
| smb | filemagic | Macromedia Flash | Disabled | Disabled | Disabled | Enabled | Enabled |
| smb | filemagic | Microsoft Cabinet archive data | Disabled | Disabled | Disabled | Enabled | Enabled |
| smb | filemagic | Microsoft Excel | Disabled | Disabled | Disabled | Enabled | Enabled |
| smb | filemagic | Microsoft OOXML | Disabled | Disabled | Disabled | Enabled | Enabled |
| smb | filemagic | Microsoft Office Document | Disabled | Disabled | Disabled | Enabled | Enabled |
| smb | filemagic | Microsoft PowerPoint | Disabled | Disabled | Disabled | Enabled | Enabled |
| smb | filemagic | Microsoft Word | Disabled | Disabled | Disabled | Enabled | Enabled |
| smb | filemagic | Node.js script text | Disabled | Disabled | Disabled | Enabled | Enabled |
| smb | filemagic | OS/2 REXX batch file | Disabled | Disabled | Disabled | Enabled | Enabled |
| smb | filemagic | OpenDocument | Disabled | Disabled | Disabled | Enabled | Enabled |
| smb | filemagic | PDF document | Disabled | Disabled | Disabled | Enabled | Enabled |
| smb | filemagic | PE32 executable | Disabled | Disabled | Disabled | Enabled | Enabled |
| smb | filemagic | PE32 executable (DLL) | Disabled | Disabled | Disabled | Enabled | Enabled |
| smb | filemagic | PE32+ executable | Disabled | Disabled | Disabled | Enabled | Enabled |
| smb | filemagic | POSIX tar archive | Disabled | Disabled | Disabled | Enabled | Enabled |
| smb | filemagic | RAR archive data | Disabled | Disabled | Disabled | Enabled | Enabled |
| smb | filemagic | Zip archive data | Disabled | Disabled | Disabled | Enabled | Enabled |
| smb | filemagic | gzip compressed data | Disabled | Disabled | Disabled | Enabled | Enabled |
| smtp | filemagic | 7-zip archive data | Disabled | Enabled | Enabled | Enabled | Enabled |
| smtp | filemagic | COM executable | Disabled | Enabled | Enabled | Enabled | Enabled |
| smtp | filemagic | Composite Document File V2 | Disabled | Enabled | Enabled | Enabled | Enabled |
| smtp | filemagic | DOS batch | Disabled | Enabled | Enabled | Enabled | Enabled |
| smtp | filemagic | ELF | Disabled | Enabled | Enabled | Enabled | Enabled |
| smtp | filemagic | Java archive data | Disabled | Enabled | Enabled | Enabled | Enabled |
| smtp | filemagic | Javascript | Disabled | Enabled | Enabled | Enabled | Enabled |
| smtp | filemagic | MS Windows shortcut | Disabled | Enabled | Enabled | Enabled | Enabled |
| smtp | filemagic | MS-DOS executable | Disabled | Enabled | Enabled | Enabled | Enabled |
| smtp | filemagic | Mach-O | Disabled | Enabled | Enabled | Enabled | Enabled |
| smtp | filemagic | Macromedia Flash | Disabled | Enabled | Enabled | Enabled | Enabled |
| smb | filemagic | Microsoft Cabinet archive data | Disabled | Enabled | Enabled | Enabled | Enabled |
| smtp | filemagic | Microsoft Excel | Disabled | Enabled | Enabled | Enabled | Enabled |
| smtp | filemagic | Microsoft OOXML | Disabled | Enabled | Enabled | Enabled | Enabled |
| smtp | filemagic | Microsoft Office Document | Disabled | Enabled | Enabled | Enabled | Enabled |
| smtp | filemagic | Microsoft PowerPoint | Disabled | Enabled | Enabled | Enabled | Enabled |
| smtp | filemagic | Microsoft Word | Disabled | Enabled | Enabled | Enabled | Enabled |
| smtp | filemagic | Node.js script text | Disabled | Enabled | Enabled | Enabled | Enabled |
| smtp | filemagic | OS/2 REXX batch file | Disabled | Enabled | Enabled | Enabled | Enabled |
| smtp | filemagic | OpenDocument | Disabled | Enabled | Enabled | Enabled | Enabled |
| smtp | filemagic | PDF document | Disabled | Enabled | Enabled | Enabled | Enabled |
| smtp | filemagic | PE32 executable | Disabled | Enabled | Enabled | Enabled | Enabled |
| smtp | filemagic | PE32 executable (DLL) | Disabled | Enabled | Enabled | Enabled | Enabled |
| smtp | filemagic | PE32+ executable | Disabled | Enabled | Enabled | Enabled | Enabled |
| smtp | filemagic | POSIX tar archive | Disabled | Enabled | Enabled | Enabled | Enabled |
| smtp | filemagic | RAR archive data | Disabled | Enabled | Enabled | Enabled | Enabled |
| smtp | filemagic | Zip archive data | Disabled | Enabled | Enabled | Enabled | Enabled |
| smtp | filemagic | gzip compressed data | Disabled | Enabled | Enabled | Enabled | Enabled |
Note
The values accepted in the `Value` field are those present in the Libmagic library.
5.6.14.6. `Packet filters` section of the `Config Gcaps profiles` menu
5.6.14.6.1. Information on the `Packet filters` section
The `Packet filters` section enables specific traffic to be ignored directly at the GCap network card level. Packet filtering is only active:
- For active interfaces monX on the GCap
- With an MTU of less than 3000 bytes
- With the monitoring engine enabled
5.6.14.6.2. Description of the `Packet filters` section
This section includes the following items:

| Item | Function |
|---|---|
| 1 | GCAP selected |
| 2 | Defining a packet filtering rule: it includes the following fields: |
| 8 | The |
| 9 | |
| 11 | |

Note
If an interface can use `Packet filtering`, then a line is displayed in the filter list with the various fields empty.