7.4.1. Configure Codebreaker then apply the Sigflow rulesets to the GCaps
7.4.1.1. Introduction
The `Detection Rulesets` section enables applying Sigflow rulesets to the GCaps paired with the GCenter.
Note
Rules must be generated for a ruleset before it is applied to GCaps. Failure to do so will result in no rules being applied on those GCaps.
Note
Codebreaker is not configurable via the `Detection Rulesets` menu with the CIE license.
As a reminder, the `Detection Rulesets` menu has three configuration options:
`single tenant`:
assigning one ruleset to all GCap monitoring interfaces
enabling/disabling Codebreaker for all GCap monitoring interfaces
`multi-tenant by interface`:
assigning one ruleset per GCap monitoring interface
enabling/disabling Codebreaker per GCap monitoring interface
`multi-tenant by vlan`:
assigning one ruleset per VLAN
assigning a ruleset to the `default` vlan, which covers the VLANs not created via the interface
enabling/disabling Codebreaker per VLAN
enabling/disabling Codebreaker for the `default` vlan, which covers the VLANs not created via the interface
Note
See section Web UI `Config - Gcaps profiles` screen.
| For | go to |
|---|---|
| Single-tenant configuration | 7.4.1.4. Procedure to setup the `single-tenant` |
| Configuring multi-tenant by interface | 7.4.1.5. Procedure to setup the `Multi-tenant by interface` |
| Configuring multi-tenant by vlan | 7.4.1.6. Procedure to setup the `Multi-tenant by vlan` |
7.4.1.2. Prerequisites
User : member of Operator group
7.4.1.3. Preliminary operations
Login to GCenter via a browser (see Connection to the GCenter web interface via a web browser)
7.4.1.4. Procedure to setup the `single-tenant`
From the navigation bar, click successively on :
Click on the `Detection rulesets` button.
Click on the `Single-tenant` tab (3).
Select a ruleset (12) to apply to all interfaces.
Enable or disable shellcode detection (11) for all interfaces.
Enable or disable powershell detection (10) for all interfaces.
Apply the configuration by clicking the `Save` button (9).
7.4.1.5. Procedure to setup the `Multi-tenant by interface`
From the navigation bar, click successively on :
Click on the `Detection rulesets` button.
Click on the `Multi-tenant by interface` tab (4).
Select a ruleset to apply for each interface.
Enable or disable shellcode detection for each interface.
Enable or disable powershell detection for each interface.
Apply the configuration by clicking the `Save` button.
Configuration example:
interface mon0:
Click on mon0.
Choose the desired ruleset.
Enable shellcode and powershell detection.
interface mon1:
Click on mon1.
Choose the desired ruleset.
Disable shellcode and powershell detection.
Note
Detection will differ between traffic received on mon0 and mon1: the two interfaces use different rulesets, and Codebreaker (shellcode and powershell detection) runs only on mon0.
7.4.1.6. Procedure to setup the `Multi-tenant by vlan`
From the navigation bar, click successively on :
Click on the `Detection rulesets` button.
Click on the `Multi-tenant by vlan` tab.
Select a ruleset to apply to the `default` vlan.
Enable or disable shellcode detection for the `default` vlan.
Enable or disable powershell detection for the `default` vlan.
Create a vlan by clicking on the `New vlan` button; in the popup that appears:
Name the vlan. The vlan name must be the VLAN number (between 0 and 4096) of the traffic to match.
Select a ruleset to apply.
Enable or disable shellcode detection for the vlan.
Enable or disable powershell detection for the vlan.
Click on the `Add` button.
Repeat for each vlan that needs its own ruleset; traffic on any VLAN not created here is handled with the `default` vlan settings.
Apply the configuration by clicking the `Save` button.
Configuration example:
vlan `default`:
Click on `default`.
Choose the desired ruleset.
Enable shellcode/powershell detection.
Click on the `Add` button.
vlan `110`:
Click on the `New vlan` button.
Name the vlan `110`.
Choose the desired ruleset.
Disable shellcode/powershell detection.
Click on the `Add` button.
Apply the configuration by clicking the `Save` button.
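Worked example, added here and not GCenter or GCap code, of how the three modes of the `Detection Rulesets` menu decide which ruleset and Codebreaker settings apply to a captured frame. It models the per-interface example above as well as the per-vlan example just given (`default` with Codebreaker on, vlan `110` with Codebreaker off, every other VLAN falling back to `default`), and refuses the two mistakes the page warns about: assigning a ruleset whose rules were never generated, and naming a vlan a frame can never carry. The ruleset names, MAC addresses, class and function names, and the choice to treat untagged frames as belonging to the `default` vlan are assumptions made for the illustration; the page does not describe GCap's actual matching logic.

```python
# Added illustration, not GCap/GCenter code: how each Detection Rulesets mode
# picks the Sigflow ruleset and Codebreaker settings that apply to a frame.
# Ruleset names, MAC addresses and the "untagged frame -> default vlan" rule
# are assumptions made for this example.
import struct
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

ETHERTYPE_8021Q = 0x8100   # TPID of an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800


@dataclass(frozen=True)
class Policy:
    ruleset: str       # Sigflow ruleset name
    shellcode: bool    # Codebreaker shellcode detection on/off
    powershell: bool   # Codebreaker powershell detection on/off


def vlan_id_of(frame: bytes) -> Optional[int]:
    """Return the 802.1Q VLAN ID of an Ethernet frame, or None when untagged."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != ETHERTYPE_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack_from("!H", frame, 14)
    return tci & 0x0FFF  # VID is the low 12 bits; PCP and DEI are the top 4


@dataclass
class DetectionRulesets:
    """The `Detection Rulesets` menu in one of its three modes."""
    mode: str                        # "single-tenant", "by interface" or "by vlan"
    generated: Set[str]              # rulesets whose rules have been generated
    single: Optional[Policy] = None
    per_interface: Dict[str, Policy] = field(default_factory=dict)
    per_vlan: Dict[int, Policy] = field(default_factory=dict)
    default_vlan: Optional[Policy] = None

    def validate(self) -> None:
        """Refuse what the page warns about: a ruleset with no generated rules
        would apply nothing; a VID outside 12 bits can never be seen in a tag."""
        used = [self.single, self.default_vlan,
                *self.per_interface.values(), *self.per_vlan.values()]
        for policy in filter(None, used):
            if policy.ruleset not in self.generated:
                raise ValueError(f"ruleset {policy.ruleset!r} has no generated rules")
        for vid in self.per_vlan:
            if not 0 <= vid <= 4095:
                raise ValueError(f"vlan {vid} cannot appear in an 802.1Q tag")

    def resolve(self, interface: str, frame: bytes) -> Policy:
        """Policy applied to `frame` captured on `interface`."""
        if self.mode == "single-tenant":
            return self.single
        if self.mode == "by interface":
            return self.per_interface[interface]  # KeyError: interface never assigned
        if self.mode == "by vlan":
            # Untagged frames and VLANs not created in the UI both fall back to
            # the `default` vlan policy (the untagged case is an assumption).
            return self.per_vlan.get(vlan_id_of(frame), self.default_vlan)
        raise ValueError(f"unknown mode {self.mode!r}")


def sample_frame(vid: Optional[int], pcp: int = 0) -> bytes:
    """Constructed Ethernet frame, optionally 802.1Q-tagged, with a zeroed IPv4 stub."""
    macs = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    tag = b"" if vid is None else struct.pack("!HH", ETHERTYPE_8021Q, (pcp << 13) | vid)
    return macs + tag + struct.pack("!H", ETHERTYPE_IPV4) + bytes(20)


def vlan_example() -> Dict[str, Policy]:
    """The page's multi-tenant-by-vlan example: `default` with Codebreaker on,
    vlan 110 with Codebreaker off, everything else falling back to `default`."""
    cfg = DetectionRulesets(
        mode="by vlan",
        generated={"corp-full", "dmz-light"},
        default_vlan=Policy("corp-full", shellcode=True, powershell=True),
        per_vlan={110: Policy("dmz-light", shellcode=False, powershell=False)},
    )
    cfg.validate()
    return {
        "untagged": cfg.resolve("mon0", sample_frame(None)),
        "vlan110": cfg.resolve("mon0", sample_frame(110, pcp=5)),  # PCP bits are masked off
        "vlan200": cfg.resolve("mon0", sample_frame(200)),         # not created -> default
    }


def rejects_ungenerated_ruleset() -> bool:
    """True when validate() refuses a ruleset whose rules were never generated."""
    cfg = DetectionRulesets(mode="single-tenant", generated=set(),
                            single=Policy("never-generated", True, True))
    try:
        cfg.validate()
    except ValueError:
        return True
    return False
```

The point to take from `vlan_example()` is the fallback: a frame tagged with a VLAN you never created (200 here) and an untagged frame both end up under the `default` vlan's ruleset and Codebreaker settings, so whatever you assign to `default` is what protects every segment you forgot to list. `validate()` mirrors the note at the top of the section: a ruleset that exists but has no generated rules is accepted by the menu yet applies nothing, which is worth catching before `Save`.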