Probe Registration
Registering a Stamus Network Probe
Before registering a Stamus probe, you need a one-time password for registration. To obtain it, connect to the probe and run sudo stamus_config on the probe. Then select Register probe. This will output a password that you will have to use in the interface.
On Stamus Central Server, click on the Appliances major menu -> select Add appliance under Appliance handling from the left hand side menu. Make sure the Type selected is Stamus Probe (default). Enter Name, Description, select a ruleset or template, type in the probe's management IP address, select the probe's type, enter the one-time password obtained via stamus_config -> click on the Submit button.
Important
After successfully registering a Stamus Networks Probe, some additional configuration needs to be done:
* at least one protocol needs to be set active (see procedure).
* the correct sniffing network interface needs to be activated (see procedure).
If those two conditions are not met, the subsequent Apply changes task for the Probe can fail.
Register a Stamus Network Probe via SSL VPN
Before registering a Stamus probe, you need a one-time password for registration. To obtain it, connect to the probe and run sudo stamus_config on the probe.
A Stamus probe can also be registered via SSL VPN, with the benefit of being able to traverse firewalls/routers without the need to make configuration changes on those.
In order to use VPN on probes, you first need to enable VPN for probes: from the drop down menu in the upper left corner (Stamus Networks logo), click on Appliances Global Settings -> go to the VPN tab and select the checkbox Enable VPN network for probes.
In the Listening Port drop down, you can choose between enabling UDP and TCP ports. Note that using port 443/TCP breaks the IP address logging of connections to SCS.
NOTE: You need to enable listening to port 443/TCP if you want to configure and apply VPN proxy settings on a probe.
After enabling VPN network for probes, on Stamus Central Server, click on the Appliances major menu -> select Add appliance under Appliance handling from the left hand side menu. Make sure the Type selected is Stamus Probe (default). Enter Name, Description, select a ruleset or template, select Establish a VPN -> click on the Submit button.
After the task is finished, the VPN certificate can be downloaded from the detailed view page of the probe. Click on the Appliances major menu -> select the probe, click on View (right corner), click on VPN certificate under Action on the left hand side panel and download the certificate.
Copy the certificate over to the Stamus probe under /home/snuser (or any folder of choice). Log in to the Stamus probe (using the one time password) and elevate to root with sudo -i. Import and set up the VPN certificate, for example: stamus_vpn_register /home/snuser/vpn-conf-SNProbe1.tar.gz. Upon successful completion the probe should now be registered with Stamus Central Server.
Enable VPN proxy on Network Probes
To enable VPN proxy on a Probe, you have to add/register a Stamus Probe via SSL VPN and enable it on port 443. In order to configure the proxy settings, click on the Appliances major menu -> select a probe -> click on the drop down button on the right side of the View button -> select Edit probe.
On the Appliance edition page -> go to the VPN tab -> select the checkbox Connect through a proxy when VPN is enabled on port 443.
In the VPN tab, you can configure the IP address and port of the proxy, the VPN proxy username and password, and also choose between three options of VPN proxy authentication:
* None
* Basic
* NTLM - ‘NTLM Authorization Proxy Server’ (APS) is a proxy software that allows you to authenticate via an MS Proxy Server using the proprietary NTLM protocol
NOTE: You need to have at least one interface prior to submitting proxy configuration.
On the Appliance edition page -> go to the Interfaces tab in order to add a new interface or choose between existing ones.
NOTE: Once you configure the VPN proxy settings, you have to recreate the VPN certificate and register the Probe.
After you have configured and submitted the VPN proxy settings, in the Action panel -> click on VPN certificate -> in the Advanced panel -> click on Regenerate certificate.
When the task is finished you need to register the probe with the new certificate.
Finish registration of a Stamus Probe
The Stamus probe name has to be chosen carefully: it must follow the guidelines of a DNS hostname, and it will be used as an identifier to get access to the logs.
NOTE: A name must not be included in another name to avoid potential conflicts during log fetching.
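The two naming rules above can be checked before a name is entered in the Add appliance form. The following is an added example, not part of the Stamus documentation or tooling: it assumes that "guideline of a DNS hostname" means RFC 1123 labels, compares names case-insensitively, and uses a constructed list of existing probe names (only SNProbe1 echoes the file name used on this page).

```python
import re

# One RFC 1123 label: letters, digits, hyphens; 1-63 chars; no leading/trailing hyphen.
LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def hostname_problems(name):
    """Return the reasons why `name` is not a valid DNS hostname (empty list if valid)."""
    problems = []
    if len(name) > 253:
        problems.append("longer than 253 characters")
    for label in name.split("."):
        if not LABEL.fullmatch(label):
            problems.append(f"invalid label {label!r}")
    return problems


def containment_conflicts(name, existing):
    """Return existing names that contain `name` or are contained in it.

    Assumption: comparison is case-insensitive, as DNS hostnames are.
    """
    low = name.lower()
    return sorted(
        other for other in existing
        if low and (low in other.lower() or other.lower() in low)
    )


def check_probe_name(name, existing):
    """Run both checks; an empty list means the name is acceptable."""
    issues = hostname_problems(name)
    issues += [f"overlaps with existing probe name {other!r}"
               for other in containment_conflicts(name, existing)]
    return issues


# Constructed inventory of probe names already registered on SCS.
EXISTING = ["SNProbe1", "dmz-probe", "probe-paris-01"]

if __name__ == "__main__":
    for candidate in ["SNProbe10", "probe", "core_probe", "lab-sensor-02"]:
        issues = check_probe_name(candidate, EXISTING)
        print(f"{candidate:15} {'OK' if not issues else '; '.join(issues)}")
```

SNProbe10 is rejected because it contains SNProbe1, which is the kind of overlap the note warns about for log fetching; a fixed-width numbering scheme such as probe-01, probe-02 avoids it.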
You can select a template to link the probe to or a ruleset to use with the probe. For more information on templates see Probe Templates.
Once the registration task is complete, in the detailed probe page click on Edit settings under the Action tab on the left hand side panel. Please confirm the settings, especially in terms of protocol and interfaces enabled. Click Submit if changes are made.
Once the registration task is complete, to enforce and activate the changes made, click on Apply changes under the Pending modifications section on the left hand side panel of the detailed probe page. You will be presented with a choice to schedule the action or apply immediately.
Stamus appliances/probes are fully managed using Stamus Central Server. For Suricata sensors only the ruleset and log shipping are managed. A Suricata sensor can be any Linux distribution that runs Suricata as a service. Please see Register a Suricata Sensor.
Remove/delete a probe
To completely remove or delete a probe from SCS, click on the Appliances major menu -> select the desired probe, as available under name from the Stamus Probes list.
In the left side menu, select the Delete sub menu under the Action menu. Click on the "delete the appliance" button.
Retry probe registration
In certain cases the Probe registration might get corrupted and connection keys need to be regenerated.
Note
To make sure that a Probe is properly connected to the SCS (Stamus Central Server) run a troubleshoot task.
To do that, first get a new first time registration password. Connect to the probe’s shell and run sudo stamus_config. Then select Register probe. This will output a password that you will have to use in the GUI.
After you have the password, click on the Appliances major menu -> select the desired probe, as available under name from the Stamus Probes list.
Go to the Latest connections errors tab -> click on the Retry ssh key upload button -> in the Password field, enter the password retrieved earlier and click the Submit button to finish the registration process.