7.4.2. Configure GCap Sigflow module specific parameters (Base variables)
7.4.2.1. Introduction
The `Base variables` section enables configuring the parameters of the Sigflow module of the GCap:
- Setting the size of the streams and files reconstructed by the GCap
- Setting up the `X-Forwarded-For` function
- Setting the fields present in events, such as payload, payload printable, packet, HTTP body, and HTTP body printable
- Setting up the `Community ID` field
- Setting up the alerting and logging of the different protocols available on the GCap
- Setting up the advanced functions of the Sigflow module
Attention
Changing some of these parameters will cause the detection engine to restart, making the capture unavailable for the duration of the restart.
See Web UI `Config - Gcaps profiles` screen.
| For | go to the |
|---|---|
| Change in file reconstruction size | Procedure to change the reconstruction size of files (section 7.4.2.4) |
| Configuring the fields in the events | Procedure to configure the fields present in the events (section 7.4.2.5) |
| Configuring alerting and protocol logging | Procedure to configure alerting and protocol logging (section 7.4.2.6) |
7.4.2.2. Prerequisites
User: member of the Operator group
7.4.2.3. Preliminary operations
Login to GCenter via a browser (see Connection to the GCenter web interface via a web browser)
7.4.2.4. Procedure to change the reconstruction size of files
From the navigation bar, click successively on:
- Click on the `Base variables` button (3).
- From the `Base variables` interface, section `Stream analysis and file extraction`, check that the `File extraction (On/Off)` choice is activated (1).
- Change the value of the `File-store stream depth (MB)` field (4) (default is 10 MB).
- Click on the `Apply` button.
Note
The choice of value matters: the higher the value configured, the greater the impact on performance, since each stream is buffered up to that depth before the reconstructed file is stored.
7.4.2.5. Procedure to configure the fields present in the events
From the navigation bar, click successively on:
- Click on the `Base variables` button (3).
- From the `Base variables` interface, section `Payload`, enable the fields that should appear in the events and disable the fields that should not.
- Click on the `Apply` button.
Note
In some SIEMs, too high an event size can lead to truncation.
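To size that risk before changing the `Payload` settings, the following added example (not code from the GCenter documentation or the GCap itself) builds a constructed alert event carrying every optional field, measures its serialized size, and works out which fields would have to be disabled for it to fit under a SIEM's per-event limit. The JSON key names (`payload`, `payload_printable`, `packet`, `http_body`, `http_body_printable`) are assumptions derived from the UI labels on this page; the event content is synthetic.

```python
"""Estimate the size impact of the optional payload fields on exported events."""
import base64
import json

# Optional event fields that the `Payload` section lets you enable or disable.
# The JSON key names are an assumption: the page only gives the UI labels.
OPTIONAL_FIELDS = ("payload", "payload_printable", "packet",
                   "http_body", "http_body_printable")


def _printable(data: bytes) -> str:
    """Render bytes the way a 'printable' field does: non-printables become '.'."""
    return "".join(chr(b) if 32 <= b < 127 else "." for b in data)


def make_sample_event(body_len: int) -> dict:
    """Constructed sample alert event (not a real capture) with every optional field set.

    The body is deterministic (a repeating 0..255 ramp) so sizes are reproducible.
    """
    body = bytes(range(256)) * (body_len // 256) + bytes(range(body_len % 256))
    headers = b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n"
    frame = b"\x00" * 54 + headers + body  # placeholder Ethernet/IP/TCP headers + payload
    return {
        "timestamp": "2024-01-01T00:00:00.000000+0000",
        "event_type": "alert",
        "src_ip": "10.0.0.5", "src_port": 51234,
        "dest_ip": "10.0.0.9", "dest_port": 80, "proto": "TCP",
        "alert": {"signature_id": 1000001, "signature": "constructed test signature"},
        "payload": base64.b64encode(headers + body).decode(),
        "payload_printable": _printable(headers + body),
        "packet": base64.b64encode(frame).decode(),
        "http_body": base64.b64encode(body).decode(),
        "http_body_printable": _printable(body),
    }


def event_size(event: dict) -> int:
    """Serialized size in bytes, as a SIEM receives it (compact JSON)."""
    return len(json.dumps(event, separators=(",", ":")).encode("utf-8"))


def strip_fields(event: dict, fields) -> dict:
    """Return a copy of the event with the given optional fields removed."""
    drop = set(fields)
    return {k: v for k, v in event.items() if k not in drop}


def fields_to_disable(event: dict, limit_bytes: int):
    """Optional fields to disable so the event fits under limit_bytes.

    Greedy: drops the largest optional field first. Returns [] if the event
    already fits, or None if it cannot fit even with every optional field gone.
    """
    if event_size(event) <= limit_bytes:
        return []
    present = [f for f in OPTIONAL_FIELDS if f in event]
    # Cost of a field is its own serialized contribution (key plus value).
    present.sort(key=lambda f: len(json.dumps({f: event[f]})), reverse=True)
    dropped = []
    trimmed = dict(event)
    for f in present:
        del trimmed[f]
        dropped.append(f)
        if event_size(trimmed) <= limit_bytes:
            return dropped
    return None


if __name__ == "__main__":
    ev = make_sample_event(3000)
    print("full event:", event_size(ev), "bytes")
    print("without optional fields:", event_size(strip_fields(ev, OPTIONAL_FIELDS)), "bytes")
    for limit in (4096, 16384, 32768):
        print(f"limit {limit}: disable {fields_to_disable(ev, limit)}")
```

Run it against the largest events your rules actually produce (a long HTTP response body is the usual worst case) with the limit your SIEM enforces; the list it returns is the set of fields to untick in the `Payload` section.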
7.4.2.6. Procedure to configure alerting and protocol logging
From the navigation bar, click successively on:
- Click on the `Base variables` button (3).
- From the `Base variables` interface, section `Alerting and logging`, tick the hash types that will appear in events (md5, sha1 and sha256) (1).
- Enable alerting for the protocols that should raise alerts and disable it for those that should not (4).
- Enable logging for the protocols whose metadata should be produced and disable it for those whose metadata should not (5).
- Click on the `Apply` button.