7.4.2. Configure GCap Sigflow module specific parameters (Base variables)

7.4.2.1. Introduction

The `Base variables` section is used to configure the parameters of the Sigflow module of the GCap.
The configurable parameters are the following:
  • Setting the size of the streams and files reconstructed by the GCap

  • Setting of the `X-Forwarded-For` function

  • Setting fields in events such as payload, payload printable, packet, HTTP body, and HTTP body printable

  • Setting up the `Community ID` field

  • Setting up the alerting and logging of the different protocols available on the GCap

  • Setting up the advanced functions of the Sigflow module

Attention

Changing some of these parameters will cause the detection engine to restart, making the capture unavailable for the duration of the restart.

See the Web UI `Config - Gcaps profiles` screen.

For                                          go to the
Change in file reconstruction size           Procedure to change the reconstruction size of files
Configuring the fields in the events         Procedure to configure the fields present in the events
Configuring alerting and protocol logging    Procedure to configure the alerting and logging protocol

7.4.2.2. Prerequisites

User: member of the Operator group


7.4.2.3. Preliminary operations


7.4.2.4. Procedure to change the reconstruction size of files

  • From the navigation bar, click successively on:

    • The `Config` button

    • The `Gcaps profiles` button of the `Sigflow` menu.
      The `Gcaps profiles` window is displayed.
      [Screenshot: GCAP_00.PNG]

  • Click on the `Base variables` button (3).

  • From the `Base variables` interface, section `Stream analysis and file extraction`, check that the `File extraction (On/Off)` option is activated (1).
    [Screenshot: GCAP_02-1.PNG]

  • Change the value of the `File-store stream depth (MB)` field (4) (default is 10 MB).

  • Click on the `Apply` button.

Note

The chosen value matters: the higher the value configured, the greater the impact on performance.


7.4.2.5. Procedure to configure the fields present in the events

  • From the navigation bar, click successively on:

    • The `Config` button

    • The `Gcaps profiles` button of the `Sigflow` menu.
      The `Gcaps profiles` window is displayed.
      [Screenshot: GCAP_00.PNG]

  • Click on the `Base variables` button (3).

  • From the `Base variables` interface, section `Payload`, activate the fields that will appear in the events.
    [Screenshot: GCAP_02-3.PNG]

  • Disable the fields that will not appear in the events.

  • Click on the `Apply` button.

Note

In some SIEMs, an event size that is too large can lead to truncation.
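To decide which `Payload` fields to leave enabled, it helps to measure how much of each event they account for. The following script is an added example, not GCap code or part of this documentation: it reads a constructed sample of JSON-lines events, attributes bytes to the optional fields, and flags events that exceed an assumed SIEM size limit. The field names (`payload`, `payload_printable`, `packet`, `http.http_request_body`, `http.http_response_body`) are assumed Suricata EVE names, not taken from this page; adjust them to what your GCap emits.

```python
import json

# Constructed sample of two JSON-lines events (assumed EVE-style layout and
# field names; payload contents are dummy data, not real captures).
SAMPLE_EVENTS = "\n".join([
    json.dumps({"event_type": "alert", "src_ip": "10.0.0.5", "dest_ip": "10.0.0.9",
                "alert": {"signature": "constructed test rule"},
                "payload": "QUFB" * 300, "payload_printable": "A" * 900,
                "packet": "QUFB" * 20,
                "http": {"http_response_body": "QUFB" * 400}}),
    json.dumps({"event_type": "dns", "src_ip": "10.0.0.5", "dest_ip": "10.0.0.53",
                "dns": {"rrname": "example.test"}}),
])

# Optional fields that the Base variables > Payload section switches on or off
# (assumed names, dotted for nested keys).
OPTIONAL_FIELDS = ("payload", "payload_printable", "packet",
                   "http.http_request_body", "http.http_response_body")


def _pop_path(event, path):
    """Remove a dotted path from the event dict; return the value or None."""
    node = event
    parts = path.split(".")
    for part in parts[:-1]:
        node = node.get(part)
        if not isinstance(node, dict):
            return None
    return node.pop(parts[-1], None)


def field_size_report(eve_lines, limit_bytes):
    """Per event: serialized size, bytes attributable to each optional field,
    whether it exceeds limit_bytes, and whether dropping only the optional
    fields would bring it under the limit."""
    report = []
    for line in eve_lines.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        total = len(line.encode())
        per_field = {}
        for path in OPTIONAL_FIELDS:
            value = _pop_path(event, path)
            if value is not None:
                # Serialized size of the key/value pair (approximation).
                per_field[path] = len(json.dumps({path.split(".")[-1]: value}).encode())
        stripped = len(json.dumps(event).encode())
        report.append({"event_type": event.get("event_type"), "total": total,
                       "fields": per_field, "over_limit": total > limit_bytes,
                       "fits_without_optional": stripped <= limit_bytes})
    return report
```

Run it over a representative slice of your own export with the limit your SIEM documents; an event that is `over_limit` but `fits_without_optional` is one that the `Payload` section settings alone can fix.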


7.4.2.6. Procedure to configure the alerting and logging protocol

  • From the navigation bar, click successively on:

    • The `Config` button

    • The `Gcaps profiles` button of the `Sigflow` menu.
      The `Gcaps profiles` window is displayed.
      [Screenshot: GCAP_00.PNG]

  • Click on the `Base variables` button (3).

  • From the `Base variables` interface, section `Alerting and logging`:
    [Screenshot: GCAP_02-5.PNG]

  • Tick the hash types that will appear in events (md5, sha1 and sha256) (1).

  • Enable alerting for the protocols that will raise alerts (4).

  • Disable alerting for the protocols that should not raise alerts (4).

  • Enable logging for the protocols that will need to raise metadata (5).

  • Disable logging for the protocols that should not raise metadata (5).

  • Click on the `Apply` button.