7.4.1. Configure Codebreaker then apply the Sigflow rulesets to the GCaps

7.4.1.1. Introduction

The `Detection Rulesets` section is used to apply Sigflow rulesets to the GCaps paired with the GCenter.
It also allows configuring the Codebreaker module for each GCap, which includes enabling or disabling shellcode detection and powershell detection separately.

Note

It is necessary to generate rules for a ruleset before applying it to GCaps. Failure to do so will result in no rules being applied.

Note

Codebreaker is not configurable via `Detection Rulesets` menu with the CIE license.

As a reminder, the `Detection Rulesets` menu has three configuration options:

  • `single tenant`:

    • assigning a ruleset for all GCap monitoring interfaces

    • enabling/disabling codebreaker for all GCap monitoring interfaces

  • `multi-tenant by interface`:

    • assigning a ruleset per GCap monitoring interface

    • enabling/disabling codebreaker per GCap monitoring interface

  • `multi-tenant by vlan`:

    • assigning one ruleset per vlan

    • assigning a ruleset for the default vlan, which is used for those VLANs not created via the interface

    • enabling/disabling codebreaker per VLAN

    • disabling codebreaker for the default vlan, which is used for those VLANs not created via the interface

Note

These configuration options are exclusive.
This means that it will not be possible to apply a single tenant and multi-tenant per vlan configuration at the same time.

See the section on the Web UI `Config - Gcaps profiles` screen.

  • For the single-tenant configuration, go to Procedure to setup the `single-tenant`.

  • For the multi-tenant by interface configuration, go to Procedure to setup the `Multi-tenant by interface`.

  • For the multi-tenant by vlan configuration, go to Procedure to setup the `Multi-tenant by vlan`.


7.4.1.2. Prerequisites

User: member of the Operator group


7.4.1.3. Preliminary operations


7.4.1.4. Procedure to setup the `single-tenant`

  • From the navigation bar, click successively on:

    • the `Config` button

    • the `Gcaps profiles` button of the `Sigflow` menu.
      The `Gcaps profiles` window is displayed.
      [screenshot: GCAP_00.PNG]

  • Click on the `Detection rulesets` button.
    [screenshot: GCAP_01.PNG]

  • Click on the `Single-tenant` tab (3).

  • Select a ruleset (12) to apply to all interfaces.

  • Enable or disable shellcode detection (11) for all interfaces.

  • Enable or disable powershell detection (10) for all interfaces.

  • Apply the configuration by clicking the `Save` button (9).


7.4.1.5. Procedure to setup the `Multi-tenant by interface`

  • From the navigation bar, click successively on:

    • the `Config` button

    • the `Gcaps profiles` button of the `Sigflow` menu.
      The `Gcaps profiles` window is displayed.
      [screenshot: GCAP_00.PNG]

  • Click on the `Detection rulesets` button.
    [screenshot: GCAP_01.PNG]

  • Click on the `Multi-tenant by interface` tab (4).

  • Select a ruleset to apply for each interface.

  • Enable or disable shellcode detection for each interface.

  • Enable or disable powershell detection for each interface.

  • Apply the configuration by clicking the `Save` button.

Configuration example:

  • interface mon0:

    • Click on mon0.

    • Choose the desired ruleset.

    • Enable shellcode and powershell detection.

  • interface mon1:

    • Click on mon1.

    • Choose the desired ruleset.

    • Disable shellcode and powershell detection.

Note

Detection will differ between traffic received on interfaces mon0 and mon1 because the rulesets themselves are different.


7.4.1.6. Procedure to setup the `Multi-tenant by vlan`

  • From the navigation bar, click successively on:

    • the `Config` button

    • the `Gcaps profiles` button of the `Sigflow` menu.
      The `Gcaps profiles` window is displayed.
      [screenshot: GCAP_00.PNG]

  • Click on the `Detection rulesets` button.
    [screenshot: GCAP_01.PNG]

  • Click on the `Multi-tenant by vlan` tab.

  • Select a ruleset to apply to the `default` vlan.

  • Enable or disable shellcode detection for the `default` vlan.

  • Enable or disable powershell detection for the `default` vlan.

  • Create a vlan by clicking on the `New vlan` button.

  • In the popup that appears:

    • Name the vlan. The vlan name must be the vlan number, between 0 and 4096.

    • Select a ruleset to apply.

    • Enable or disable shellcode detection for this vlan.

    • Enable or disable powershell detection for this vlan.

    • Click on the `Add` button.

  • Apply the configuration by clicking the `Save` button.

Configuration example:

  • vlan `default`:

    • Click on `default`.

    • Choose the desired ruleset.

    • Enable shellcode/powershell detection.

    • Click on the `Add` button.

  • vlan `110`:

    • Click on the `New vlan` button.

    • Name the vlan `110`.

    • Choose the desired ruleset.

    • Disable shellcode/powershell detection.

    • Click on the `Add` button.
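The following is an added illustration, not GCenter code and not its API, of the resolution rules the two multi-tenant procedures above describe: the three options are exclusive, a VLAN is named by its number between 0 and 4096, traffic on a VLAN not created via the interface falls back to the `default` vlan profile, and a ruleset whose rules were never generated applies no rules at all. The class and function names, the mode strings and the ruleset names are assumptions made for the example.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class Profile:
    """What one tenant gets: a Sigflow ruleset plus the two Codebreaker toggles."""
    ruleset: str        # name of the Sigflow ruleset to apply
    shellcode: bool     # Codebreaker shellcode detection on/off
    powershell: bool    # Codebreaker powershell detection on/off

@dataclass
class DetectionRulesets:
    """One GCap's Detection Rulesets configuration (hypothetical model, not
    GCenter's own); the single `mode` field makes the three options exclusive."""
    mode: str                                   # "single", "interface" or "vlan"
    single: Optional[Profile] = None            # single-tenant: all interfaces
    per_interface: dict = field(default_factory=dict)   # multi-tenant by interface
    per_vlan: dict = field(default_factory=dict)        # multi-tenant by vlan, keyed by number
    default_vlan: Optional[Profile] = None      # applied to VLANs not created in the UI

def valid_vlan_name(name: str) -> bool:
    # The vlan name must be the vlan number, between 0 and 4096, as the procedure states.
    return name.isdigit() and 0 <= int(name) <= 4096

def add_vlan(cfg: DetectionRulesets, name: str, profile: Profile) -> None:
    if not valid_vlan_name(name):
        raise ValueError(f"vlan name must be a number between 0 and 4096, got {name!r}")
    cfg.per_vlan[int(name)] = profile

def resolve(cfg: DetectionRulesets, interface: str, vlan: Optional[int]) -> Profile:
    """Return the profile GCap applies to traffic seen on `interface` tagged `vlan`."""
    if cfg.mode == "single":
        return cfg.single
    if cfg.mode == "interface":
        return cfg.per_interface[interface]
    if cfg.mode == "vlan":
        # VLANs that were not created via the interface fall back to `default`.
        return cfg.per_vlan.get(vlan, cfg.default_vlan)
    raise ValueError(f"unknown mode {cfg.mode!r}")

def ungenerated_rulesets(cfg: DetectionRulesets, generated: set) -> set:
    """Rulesets referenced by the configuration whose rules were never generated;
    per the note at the top of the page, such a ruleset applies no rules at all."""
    used = {p.ruleset for p in [cfg.single, cfg.default_vlan] if p}
    used |= {p.ruleset for p in cfg.per_interface.values()}
    used |= {p.ruleset for p in cfg.per_vlan.values()}
    return used - generated
```

Running `ungenerated_rulesets` before clicking `Save` is the check that catches the "no rules applied" situation described in the first note.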