7.4.4. Configure File Reconstruction Rules (File rules management)

7.4.4.1. Introduction

The `File rule management` section enables configuring the file reconstruction rules used by the GCap detection engine.
Reconstruction is based on several parameters: the protocol, the file type, and the file type value.

See section: Web UI `Config - Gcaps profiles` screen.

For:

  • Setting up the file reconstruction, go to the Procedure to set up the file reconstruction

  • Loading a saved configuration, go to the Procedure to load a saved configuration

  • Adding a reconstruction rule, go to the Procedure to add a rebuilding rule


7.4.4.2. Prerequisites

User: member of the Operator group


7.4.4.3. Preliminary operations


7.4.4.4. Procedure to set up the file reconstruction

  • From the navigation bar, click successively on:

    • the `Config` button

    • the `Gcaps profiles` button of the `Sigflow` menu.
      The `Gcaps profiles` window is displayed.
      [Screenshot: GCAP_00.PNG]
  • Click on the `File rule management` button (6).

[Screenshot: GCAP_05.PNG]
  • For each rule, validate that the `protocol` (3), `type` (4), `value` (5) fields match the desired values.

  • Enable or disable the desired rules using the enable button in the `Enable` (8) field.

  • Completely remove the unnecessary rules.

  • If necessary, insert rules using the `ADD FILE RULE` button (see Procedure to add a rebuilding rule).

  • Click on the `Apply` button (11).


7.4.4.5. Procedure to load a saved configuration

Note

This procedure can be used to load the configuration from one GCap to another or to save the configuration.

  • From the navigation bar, click successively on:

    • the `Config` button

    • the `Gcaps profiles` button of the `Sigflow` menu.
      The `Gcaps profiles` window is displayed.
      [Screenshot: GCAP_00.PNG]
  • Click on the `File rule management` button (6).

[Screenshot: GCAP_05.PNG]
  • On the first GCap:

    • Perform the previous procedure to configure the file rebuilding rules

    • Click on the `DOWNLOAD TEMPLATE` (9) button and save the configuration file

  • On the second GCap:

    • Click on the `LOAD CONFIG` (7) button and select the configuration file

    • Once the file is loaded, the second GCap has the configuration of the first

    • Click on the `Apply` button (11).

Or

  • Retrieve a previously saved template.

  • Click on the `LOAD CONFIG` (7) button and select the configuration file.

  • Click on the `Apply` button (11).


7.4.4.6. Procedure to add a rebuilding rule

  • From the navigation bar, click successively on:

    • the `Config` button

    • the `Gcaps profiles` button of the `Sigflow` menu.
      The `Gcaps profiles` window is displayed.
      [Screenshot: GCAP_00.PNG]
  • Click on the `File rule management` button (6).

[Screenshot: GCAP_05.PNG]
  • Click on the `ADD FILE RULE` button (6).

  • In the popup that appears:

    • Enable or disable the rule

    • Specify the protocol on which the rule will be applied

    • Choose the type of reconstruction: by extension or by filemagic

    • Enter the value corresponding to the type chosen above

    • Click on the `Add` button

  • Click on the `Apply` button.
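
To help choose between the two reconstruction types offered in the popup, the following added example (not GCap code and not part of this documentation) evaluates rules built from the page's `Enable`, `protocol`, `type` and `value` fields against constructed transfers. The matching logic, the simplified signature table, the function names and all sample values are assumptions made for illustration, not the detection engine's behaviour.

```python
import os
from dataclasses import dataclass

# Constructed, simplified signature table (description -> leading bytes).
# Assumption for this example; it is not how the GCap engine identifies content.
MAGIC = {"PE32 executable": b"MZ", "PDF document": b"%PDF-"}

@dataclass(frozen=True)
class FileRule:
    enabled: bool   # the `Enable` switch
    protocol: str   # e.g. "http", "smtp"
    type: str       # "extension" or "filemagic"
    value: str      # e.g. "exe" or "PE32 executable"

def describe(data: bytes) -> str:
    for description, signature in MAGIC.items():
        if data.startswith(signature):
            return description
    return "data"

def rule_matches(rule: FileRule, protocol: str, filename: str, data: bytes) -> bool:
    if not rule.enabled or rule.protocol != protocol:
        return False
    if rule.type == "extension":
        # Looks only at the file name announced in the transfer.
        ext = os.path.splitext(filename)[1].lstrip(".").lower()
        return ext == rule.value.lstrip(".").lower()
    if rule.type == "filemagic":
        # Looks only at the content, whatever the file is called.
        return rule.value.lower() in describe(data).lower()
    raise ValueError(f"unknown rule type: {rule.type!r}")

def matching_rules(rules, protocol, filename, data):
    """List the (type, value) pairs of the rules that would select this file."""
    return [(r.type, r.value) for r in rules if rule_matches(r, protocol, filename, data)]

# Constructed rule set and sample content.
RULES = [
    FileRule(True, "http", "extension", "exe"),
    FileRule(True, "http", "filemagic", "PE32 executable"),
    FileRule(False, "smtp", "extension", "pdf"),  # disabled: never selects a file
]
PE_BYTES = b"MZ\x90\x00\x03\x00"

if __name__ == "__main__":
    for proto, name, body in [("http", "setup.exe", PE_BYTES),
                              ("http", "invoice.jpg", PE_BYTES),
                              ("smtp", "report.pdf", b"%PDF-1.7")]:
        print(proto, name, matching_rules(RULES, proto, name, body))
```

In this sample, the executable content named `invoice.jpg` is selected only by the filemagic rule, and the PDF sent over SMTP is not selected because its rule is disabled.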