Warning: You are viewing an older version of this documentation. Most recent is here: 40.0.1
Capture Settings¶
For all settings related to capture, you need to apply the changes on the probe once you are happy with your change set. To do so, click on Apply change(s) under the Pending modification(s) sub menu from the left hand side panel. Choose whether you would like to schedule the change or apply it immediately, then click on the Apply button. The task list presented shows the details of the task execution: status, duration, start time, retries, etc.
Change interface settings for a probe¶
This lets you enable or disable sniffing interfaces on the probe.
Click on the Appliances major menu -> select the desired probe, as listed under name in the Stamus Probes list. Click on the Edit sub menu under Action from the left hand side panel. Click on the Interfaces subsection, select the desired sniffing interfaces for the remote probe and then click on Submit.
You should be able to verify the change as displayed in the NSM settings sub menu on the right hand side panel view. Click on Apply change(s) under the Pending modification(s) sub menu from the left hand side panel. Choose whether you would like to schedule the change or apply it immediately, then click on the Apply button. The task list presented shows the details of the task execution: status, duration, start time, retries, etc.
NOTE: If no interface is displayed, you can use (Re)discover system parameters under the Special actions sub menu from the left hand side panel. This triggers a discovery of the different parameters of the probe.
Add a Berkeley packet filter to adjust probe inspection¶
Click on the Appliances major menu -> select the desired probe, as listed under name in the Stamus Probes list. On the right hand side under Interface settings, click on the interface you would like to add the BPF (Berkeley packet filter) to, add the filter expression in the Berkeley Packet Filter section -> click on the Submit button.
Click on Apply change(s) under the Pending modification(s) sub menu from the left hand side panel. Choose whether you would like to schedule the change or apply it immediately, then click on the Apply button. The task list presented shows the details of the task execution: status, duration, start time, retries, etc.
For example, to exclude traffic from given hosts or ports, you could use the following:
not (host 10.28.1.30 or host 10.28.1.24)
or
not (port 80 or 8080)
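As an added example (not part of the original documentation), the following Python helper builds the exclusion expression for the Berkeley Packet Filter section from lists of hosts or networks and ports, validating every value before it is pushed to the probe. It always writes the qualifier explicitly; the page's shorter form not (port 80 or 8080) is equivalent, because libpcap carries the last qualifier (port) over to the bare value 8080. Note that traffic matched by such a filter never reaches inspection, so it produces no alerts and no NSM records at all.

```python
import ipaddress

# Added example: compose a BPF exclusion filter for a probe interface.
# Hosts, networks and ports are validated so that a typo is caught here
# rather than surfacing as a failed task on the probe.


def _host_term(value: str) -> str:
    """Return a 'host X' or 'net X/Y' primitive after validating the address."""
    if "/" in value:
        # strict=True rejects a network with host bits set (e.g. 10.28.1.1/24)
        net = ipaddress.ip_network(value, strict=True)
        return f"net {net.with_prefixlen}"
    return f"host {ipaddress.ip_address(value)}"


def _port_term(value) -> str:
    """Return a 'port N' primitive for a valid TCP/UDP port number."""
    port = int(value)
    if not 0 < port <= 65535:
        raise ValueError(f"invalid port: {value}")
    return f"port {port}"


def exclusion_filter(hosts=(), ports=()) -> str:
    """Build 'not (...)' groups, one for hosts and one for ports, joined by 'and'.

    Each group is negated separately, so the resulting filter keeps only the
    traffic that matches none of the hosts and none of the ports. An empty
    string is returned when nothing is given, which means 'no filter'.
    """
    groups = []
    if hosts:
        groups.append("not (" + " or ".join(_host_term(h) for h in hosts) + ")")
    if ports:
        groups.append("not (" + " or ".join(_port_term(p) for p in ports) + ")")
    return " and ".join(groups)


if __name__ == "__main__":
    # The two expressions from the documentation above, plus a combined one.
    print(exclusion_filter(["10.28.1.30", "10.28.1.24"]))
    print(exclusion_filter(ports=[80, 8080]))
    print(exclusion_filter(["10.28.1.0/24"], [443]))
```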
Add threads to an interface inspection on a probe¶
Click on the Appliances major menu -> select the desired probe, as listed under name in the Stamus Probes list. On the right hand side under Interface settings, click on the interface you would like to edit -> adjust the number of threads in the Threads section -> click on the Submit button.
Click on Apply change(s) under the Pending modification(s) sub menu from the left hand side panel. Choose whether you would like to schedule the change or apply it immediately, then click on the Apply button. The task list presented shows the details of the task execution: status, duration, start time, retries, etc.
Network card load balancing¶
If your system has a network card with load balancing features available for sniffing, you can activate Network card load balancing, which triggers the use of this feature as well as a series of optimizations. If this option is unset, the load balancing between threads is done by the kernel.
Activating this option is not recommended for virtual probes.
NSM settings¶
For all settings related to Network Security Monitoring, you need to apply the changes on the probe once you are happy with your change set. To do so, click on Apply change(s) under the Pending modification(s) sub menu from the left hand side panel. Choose whether you would like to schedule the change or apply it immediately, then click on the Apply button. The task list presented shows the details of the task execution: status, duration, start time, retries, etc.
Change NSM settings for a probe¶
Click on the Appliances major menu -> select the desired probe, as listed under name in the Stamus Probes list. Click on the Edit sub menu under Action from the left hand side panel. On the right hand side under NSM settings you can choose/click a particular output for further Basic (enable/disable) or Advanced editing.
Change NSM settings proto/alert¶
Click on the Appliances major menu -> select the desired probe, as listed under name in the Stamus Probes list. Click on the Edit sub menu under Action from the left hand side panel. On the right hand side under NSM settings you can choose/click a particular output for further Basic (enable/disable) or Advanced editing.
Enable or disable protocols for a probe¶
Click on the Appliances major menu -> select the desired probe, as listed under name in the Stamus Probes list. Click on the Edit sub menu under Action from the left hand side panel. Click on the Protocols subsection. Select (or deselect) the desired protocols for the remote probe and then click on Submit. You should be able to verify the change as displayed in the NSM settings sub menu on the right hand side panel view.
Click on Apply change(s) under the Pending modification(s) sub menu from the left hand side panel. Choose whether you would like to schedule the change or apply it immediately, then click on the Apply button. The task list presented shows the details of the task execution: status, duration, start time, retries, etc.
Add custom or extended HTTP information¶
Click on the Appliances major menu -> select the desired probe, as listed under name in the Stamus Probes list. On the right hand side under NSM settings, click on the HTTP icon. Click on the Advanced subsection and select the desired option. If you would like to add custom fields, make sure Custom logging is selected and add the desired fields in the List of fields section.
Custom fields can be any of the following:
accept
accept-charset
accept-datetime
accept-encoding
accept-language
accept-range
age
allow
authorization
cache-control
connection
content-encoding
content-language
content-length
content-location
content-md5
content-range
content-type
cookie
date
dnt
etags
from
last-modified
link
location
max-forwards
origin
pragma
proxy-authenticate
proxy-authorization
range
referrer
refresh
retry-after
server
set-cookie
te
trailer
transfer-encoding
upgrade
vary
via
warning
www-authenticate
x-forwarded-proto
x-requested-with
Click on the Submit button.
Click on Apply change(s) under the Pending modification(s) sub menu from the left hand side panel. Choose whether you would like to schedule the change or apply it immediately, then click on the Apply button. The task list presented shows the details of the task execution: status, duration, start time, retries, etc.
Add custom or extended SMTP information¶
Click on the Appliances major menu -> select the desired probe, as listed under name in the Stamus Probes list. On the right hand side under NSM settings, click on the SMTP icon. Click on the Advanced subsection and select the desired option. If you would like to add custom fields, make sure Custom logging is selected and add the desired fields in the List of fields section.
Custom fields can be any of the following:
bcc
content_md5
date
importance
in_reply_to
message_id
organization
priority
received
references
reply_to
sensitivity
subject
user_agent
x_mailer
x_originating_ip
Click on the Submit button.
Click on Apply change(s) under the Pending modification(s) sub menu from the left hand side panel. Choose whether you would like to schedule the change or apply it immediately, then click on the Apply button. The task list presented shows the details of the task execution: status, duration, start time, retries, etc.
Add custom DNS information¶
Click on the Appliances major menu -> select the desired probe, as listed under name in the Stamus Probes list. On the right hand side under NSM settings, click on the DNS icon. Click on the Advanced subsection and select the desired option. If you would like to add custom fields, make sure Custom logging is selected and add the desired fields in the List of fields section.
Custom fields can be any of the following:
A
AAAA
CNAME
MX
NS
PTR
TXT
Click on the Submit button.
Click on Apply change(s) under the Pending modification(s) sub menu from the left hand side panel. Choose whether you would like to schedule the change or apply it immediately, then click on the Apply button. The task list presented shows the details of the task execution: status, duration, start time, retries, etc.
Add packet data or payload to the alerts information¶
Click on the Appliances major menu -> select the desired probe, as listed under name in the Stamus Probes list. On the right hand side under NSM settings, click on the ALERT icon. Click on the Advanced subsection and select the desired option. Click on the Submit button.
To apply the change, click on Apply change(s) under the Pending modification(s) sub menu from the left hand side panel. Choose whether you would like to schedule the change or apply it immediately, then click on the Apply button. The task list presented shows the details of the task execution: status, duration, start time, retries, etc.
File handling capabilities¶
For all settings related to file handling, you need to apply the changes on the probe once you are happy with your change set. To do so, click on Apply change(s) under the Pending modification(s) sub menu from the left hand side panel. Choose whether you would like to schedule the change or apply it immediately, then click on the Apply button. The task list presented shows the details of the task execution: status, duration, start time, retries, etc.
Enable or disable file extraction for a probe¶
Click on the Appliances major menu -> select the desired probe, as listed under name in the Stamus Probes list. Click on the Edit sub menu under Action from the left hand side panel. Click on the Settings subsection. Select (or deselect) Activate file extraction for the remote probe and enter the maximum file size (a plain number is interpreted as MB). Click on Submit.
To apply the change, click on Apply change(s) under the Pending modification(s) sub menu from the left hand side panel. Choose whether you would like to schedule the change or apply it immediately, then click on the Apply button. The task list presented shows the details of the task execution: status, duration, start time, retries, etc.
Change file extraction max size for a probe¶
Click on the Appliances major menu -> select the desired probe, as listed under name in the Stamus Probes list. Click on the Edit sub menu under Action from the left hand side panel. Click on the Settings subsection. Make sure Activate file extraction is selected for the remote probe and enter the maximum file size (a plain number is interpreted as MB). Click on Submit.
To apply the change, click on Apply change(s) under the Pending modification(s) sub menu from the left hand side panel. Choose whether you would like to schedule the change or apply it immediately, then click on the Apply button. The task list presented shows the details of the task execution: status, duration, start time, retries, etc.
Add MD5 or file magic information¶
Click on the Appliances major menu -> select the desired probe, as listed under name in the Stamus Probes list. On the right hand side under NSM settings, click on the FILES icon. Click on the Advanced subsection and select the desired option. Click on the Submit button.
To apply the change, click on Apply change(s) under the Pending modification(s) sub menu from the left hand side panel. Choose whether you would like to schedule the change or apply it immediately, then click on the Apply button. The task list presented shows the details of the task execution: status, duration, start time, retries, etc.
Rule Activity for a probe¶
Review rules activity for a probe¶
Click on the Appliances major menu -> select the desired probe, as listed under name in the Stamus Probes list. You are presented with an overview of the rules activity for that particular probe over a period of time. You can click on the settings icon to the right to select or change the timespan shown.
Under the Rule Activity section you will find a summary aggregation of the different rules, subdivided by Sid, Msg, Category, Hits and the alerts each rule has generated for that particular probe.
If you would like to see the rule itself, you can click on the Msg for that particular rule.
To see, for one particular rule, its:
rule definition
activity (including on other probes)
status in the ruleset
click on the sid number for that rule under Sid in the Rule Activity sub section. You can subsequently enable or disable that rule, or delete the alerts generated by that rule.
Delete generated alerts by a rule of a particular probe¶
Click on the Appliances major menu -> select the desired probe, as listed under name in the Stamus Probes list. You are presented with an overview of the rules activity for that particular probe over a period of time. You can click on the settings icon to the right to select or change the timespan shown.
Under the Rule Activity section you will find a summary aggregation of the different rules, subdivided by Sid, Msg, Category, Hits and the alerts each rule has generated for that particular probe. Click on the sid number for the rule in question under Sid. Click on Delete generated alerts under the Action sub menu from the left hand side panel. Confirm by clicking on the Delete alerts button.