Configuring Modular Sensor Profiles

A modular sensor profile allows you to easily add the features you like to your profiles. This helps simplify your profiles and lets you manage the VM requirements for the sensors based on the modular features they use. As we add new modular features, you can choose to add them to your sensor profiles.

Modular sensor profiles can only be applied to modular sensors. You can:

Add a modular sensor profile
Customize the profile features

Adding a Modular Sensor Profile

Whether you add or edit a modular sensor profile you have the same options, except you cannot edit the profile name. Use the following procedure to add a modular sensor profile:

Click System | Collection | Sensor Profiles. The Sensor Profile Configuration page appears, with the Sensor Profiles tab displayed by default.
Click Create and select Add Modular Sensor Profile. The ADD SENSOR PROFILE screen appears.
Enter the Profile Name. We recommend that you establish a naming convention so you can easily understand the intent of each profile by looking at the name. This field can only contain alphanumeric characters, underscores, spaces, and dashes.
Choose at least one Receiver. Each sensor profile must have at least one receiver, which is the destination of the data it collects. You can add one receiver of each type: packet and JSON.

See the Receiver configuration page for more information on creating and maintaining receivers.
Customize the settings for the profile. The available settings are explained below.
Click Submit. The profile is active immediately .

Keep in mind the following:

Log Collector and Log Forwarder are always enabled in Modular Sensor Profiles.
The Sandbox and IDS features can only be enabled if Network Traffic is enabled.

Customizing Modular Sensor Profile Features

You can customize these modular sensor profile features:

Log forwarder
Network traffic
Sandbox
IDS
Aggregator
Tenable Nessus

Log Forwarder

Modular sensor profiles include a log forwarder by default. You can configure:

Workers
Data filtering
Forward to external server
Compression
HTTP JSON parser
Multi-Tenant Log Ingestion
Raw Log Capture
Buffering

Log Forwarder Workers

Configure the number of log forwarder workers and batch size:

Number of Workers – Set the number of workers. (Default=4)

Adjust this setting based on a minimum requirement of 1 CPU and 1GB of memory for each worker, up to a maximum of half the number of CPUs and memory available on the sensor(s) to be associated with this profile. Ensure there are sufficient resources on the sensors for the number you set. Do not exceed the total CPUs and sensor memory.

Note: The Number of Workers option no longer appears starting with the 4.3.5 release. Instead, the system sets the number of workers automatically based on available sensor resources and the number of features enabled. You can see the number of workers assigned using the show logforwarder command in the Sensor CLI.
Batch Size – Set the record batch size. The default is 100 records. The range is 1-10000.

The sensor batches log records to make transmission more efficient. If your network has high throughput, increase the Batch Size to increase that efficiency.

Data Filtering

Add log filters to filter traffic out before sending it to the DP. You can create log filters at System | Collection | Log Filters.

Stellar Cyber recommends configuring no more than 50 Log Forwarder filters in this field for one sensor profile. Exceeding this recommended maximum can affect sensor performance.

Forward to External Server

You can enable this option to send unparsed logs to an external server, pre-normalization. Logs are still also sent to the DP when this feature is enabled.

Configure external log forwarding as follows:

Click Forward to External Server.
Enter the IP address or domain name of the external server to which you want to forward unparsed logs.
Enter the port.
Uncheck Send Metadata if you don't want the sensor to add metadata to the logs forwarded to your external server. If you leave it checked, the sensor adds the log source IP address, ingestion port number, and log source type to the original log in JSON format.

Logs containing non-printing characters, such as Netflow and IPFIX, cannot be forwarded to an external server.

All log lines are truncated to 1024 characters, per RFC 3164.

Compression

Enable Compression for the sensor to compress the parsed logs before sending to the DP. This uses the CPU on the sensor to compress the logs, and the CPU on the DP to decompress. Enable compression to save bandwidth at the expense of CPU on the sensor and DP.

HTTP JSON Parser

Enable the HTTP JSON Parser if you are sending logs via HTTP.

Multi-Tenant Log Ingestion

Enable Multi-Tenant Log Ingestion to allow CEF (Infocyte), Cylance, and selected Stellar JSON parsers to receive logs from multiple tenants. In addition to this setting, the incoming data file must follow specific guidelines described in: Single Sensor Multi-tenant Log Ingestion . Supported parsers are also described in this topic.

Raw Log Capture

Raw Log Capture can be enabled if you want the sensor to store both raw and processed logs on the DP for built-in parsers. This can be useful in troubleshooting situations when you may want to compare a processed log to its corresponding raw log. Note that the feature only applies to built-in parsers. Custom parsers have their own settings within the parsers themselves.

You can search for raw logs by looking for the parser_raw_msg field in InterFlow records.

Keep in mind that when this feature is enabled, built-in parsers store both raw and processed logs, requiring more storage resources on the DP.

Buffering

Enable this to enable buffering on the data sensors. If you enable buffering, the data sensor buffers the logs sent to Stellar Cyber. If the logs are received successfully, the sensor deletes the buffered logs. If the buffer is full, the sensor stops buffering logs. The Buffer Size parameter lets you specify the maximum size for all logs buffered:

Buffer Size—The total logs buffered, in MB

When you disable buffering, any data in the buffer is immediately deleted. Ensure that the sensor has a stable connection to the DP for long enough to transmit all data in the buffer.

Network Traffic

Enable the Network Traffic option to ingest network traffic. When this option is enabled, you can also enable the Sandbox and IDS features. You can configure:

Application identification
Application session
Application metadata
Process correlation
Packet deduplication
Stream slicing
Handshake failure
Flood attack
Buffering

Application Identification

Enable this option for the network sensor to identify applications associated with events.

Application Session

Enable this option for the sensor to identify the length of individual network sessions. The parameters specify how often to report the session information and the amount of idle time that can pass before concluding that a session has ended.

If you disable Application Session, network and agent sensors stop sending data to the DP but data sensors continue to process traffic.

If you enable Session Combine, UDP sessions from the specified port to the same destination are combined into a single session.

Application Metadata

Enable this to control how application information is collected and which applications are included.

You can disable the collection of application metadata to increase sensor performance and save storage space, but that limits collected data to:

Basic session information
Packet and byte counts
IP address
Port

You can set the Metadata Collection Level to Limited Evidence, Minimum, Standard, or Maximum. This controls how many of the information fields are collected.

Click to see the fields collected by Limited Evidence :

0zz0 login
0zz0 password
activesync login
aim_express contact_login
aim_express login
aims login
archive login
archive password
badongo login
badongo password
badoo contact_login
badoo login
badoo password
bebo login
bebo password
dhcp agent
dhcp chaddr
dhcp ciaddr
dhcp client_fqdn
dhcp domain_name
dhcp dns_server
dhcp end
dhcp end_status
dhcp giaddr
dhcp host_name
dhcp inherit_parent
dhcp ip_lease_time
dhcp message_type
dhcp option
dhcp option_type
dhcp option_value_buffer
dhcp request
dhcp router
dhcp siaddr
dhcp sname
dhcp subnetmask
dhcp xid
dhcp yiaddr
dimp login
dimp password
dns dns_entry
dns dns_query
dns end
dns tunneling
dns flags
dns host
dns host_addr
dns host_addr6
dns host_type
dns message_type
dns name
dns query
dns query_type
dns reply_code
dns reverse_addr
dns reverse_addr6
dns section_type
dns transaction_id
dns ttl
ebuddy contact_login
ebuddy login
ebuddy password
facebook login
facebook password
facebook_mail login
friendster login
friendster password
ftp content_type
ftp data_port
ftp filename
ftp filesize
ftp index
ftp loadway
ftp login
ftp password
ftp method
ftp return_code
ftp transfer_duration
gmail_basic login
gmail_chat login
gmail_mobile login
gmail_mobile password
gmx login
hi5 login
hi5 password
http auth_username
http auth_password
http code
http index
http method
http proxy_auth
http proxy_login
http proxy_realm
http referer
http server
http uri
http filename
http file_type
http forward_addr
http forward_addr6
http host
http mime_type
http part_content_type
http user_agent
ica login_info
ica login_info_utf16
icmp code
icmp message
icmp rtt
icmp type
kakaotalk login
krb5 error_code
krb5 login
krb5 server
krb5 message_type
krb5 service
laposte_webmail login
ldap hostname
ldap name
linkedin login
live_groups login
live_hotmail login
livemail_mobile login
mailru login
maktoob login
mimp login
mimp password
msn contact_login
msn login
mysql login
mysql query
mysql request
mysql result_set
mysql sqlstate_code
mysql number_columns
mysql number_rows
mysql query_id
netflix login
netlog login
netlog password
nfs filename
nfs filesize
nfs type_string
nfs symlink_name
nfs uid
niconico_douga login
nntp login
nntp password
odnoklassniki login
odnoklassniki password
oovoo login
orangemail login
owa login
paltalk contact_login
paltalk login
paltalk_transfer login
pap login
pap password
perfspot login
perfspot password
pop3 password
postgres authentification_type
postgres error
postgres login
postgres password
postgres query
postgres query_id
postgres sqlstate_code
postgres number_columns
postgres number_rows
qq contact_login
qq login
qq_transfer login
radius login_ipv6_host
radius login
rambler login
rambler password
rambler_webmail rambler_webmail
rapidshare login
rapidshare password
rdp default_username
rdp username_ascii
rdp username_raw
rlogin client_login
rlogin server_password
rsh login
rsh remote_login
rsync login
rsync password
rtmp page_url
secondlife login
skyblog login
skyblog password
slsk login
slsk password
smb login
smb user_id
smb nt_status
smb command_string
smpp receiver
smpp sender
smtp login
smtp password
smtp response_code
snpp login
snpp password
socks5 login
socks5 password
spdy server_agent
spdy user_agent
squirrelmail login
squirrelmail password
ssh version
ssl common_name
ssl issuer
ssl subject_alt_name
ssl validity_not_after
ssl version
ssl validity_not_before
tagged login
tagged password
tango login
tchatche login
tchatche password
tds login
tds password
tds sqlstate_code
tds query
tds query_id
tds number_columns
tds number_rows
teamspeak login
teamspeak password
telnet login
telnet password
tftp filename
tftp filesize
tftp query
tftp request_filename
tns login
tns password
tns query
tns sqlstate_code
twitter login
twoo login
twoo password
ustream login
ustream password
viadeo login
viadeo password
vkontakte login
vkontakte password
winmx login
yahoo_groups login
yandex login
yandex password
yandex_webmail login
ymail2 login
ymail_classic login
ymail_mobile_new login
ymail_mobile_new password
ymsg_conf login
ymsg contact_login
ymsg login
ymsg_transfer login
ymsg_video login
ymsg_webmessenger contact_login
ymsg_webmessenger login
youtube login
youtube password
zimbra login
zimbra password
zimbra_standard login
zimbra_standard password

Minimum collects everything in Limited Evidence. There is currently no difference between Minimum and Limited Evidence.

Standard collects everything in Minimum and:

amqp class
amqp type
amqp method
amqp replyto
amqp routing_key
dhcp circuit_id
dhcp remote_id
dhcp remote_id_subtype
dhcp remote_id_type
dns web_application_info
dns ancount
dns arcount
dns nscount
dns opcode
dns qdcount
ftp return_content
ftp offset
ftp inherit_parent
ftp data_port_end_offset
ftp data_port_start_offset
ftp_data inherit_key
http cache_control
http connection_header
http content_disposition
http content_encoding
http content_len
http cookie
http date
http end
http etag
http expires
http image_type
http is_webdav
http location
http ntlm_domain
http ntlm_user
http ntlm_workstation
http part_filename
http part_header_name
http part_header_value
http part_name
http request
http request_size
http server_agent
http set_cookie
http smb_client
http version
http video_type
http video_url
icmp seq
icmp typeval
icmp wrong_crc
krb5 err_cname_name
krb5 err_sname_name
krb5 realm
ldap krb5_enc_data
ldap krb5_enc_data_type
ldap krb5_err_cname
ldap krb5_err_cname_name
ldap krb5_err_cname_type
ldap krb5_err_crealm
ldap krb5_err_data
ldap krb5_error_code
ldap krb5_err_realm
ldap krb5_err_sname
ldap krb5_err_sname_name
ldap krb5_err_sname_type
ldap krb5_err_text
ldap krb5_kdcoptions
ldap krb5_message
ldap krb5_message_type
ldap krb5_pa_data
ldap krb5_pa_data_type
ldap krb5_pa_data_value
ldap krb5_realm
ldap krb5_server
ldap krb5_service
ldap krb5_ticket
ldap krb5_ticket_enc_part
ldap krb5_ticket_name
ldap krb5_ticket_name_type
mysql end
mysql bind_variable
mysql variable_id
mysql variable_type
mysql variable_value
nfs current_state
nfs gid
nfs mode
nfs procedure
nfs status
nfs type
nfs version
pop3 attach_filename
pop3 file_type
pop3 login_server
pop3 login
pop3 received_by_name
pop3 received_date
pop3 receiver
pop3 received_from_name
pop3 receiver_email
pop3 sender
pop3 sender_email
pop3 subject
postgres variable_format
postgres variable_id
postgres variable_type
postgres variable_value
postgres base
postgres proto_version
postgres server_version
rpc message_type
rpc procedure
rpc program
rpc xid
sip authorization_username
smb filename
smb filesize
smb file_type
smb directory
smb domain
smb file_id
smb host
smb krb5_error_code
smb krb5_err_text
smb krb5_ticket
smb loadway
smb native_os
smb path
smtp attach_filename
smtp attach_size
smtp file_type
smtp received_by_name
smtp received_date
smtp received_from_name
smtp receiver
smtp receiver_email
smtp sender
smtp sender_email
smtp server
smtp subject
snmp method
snmp name
snmp oid
snmp value_raw
snmp version
spdy location
spdy mime_type
ssl certif_sha1
ssl handshake_type
ssl organization_name
ssl parent_common_name
ssl protocol_version
ssl server_name
syslog code
tds bind_variable
tds variable_id
tds variable_type
tds variable_value
telnet term_type
tftp mode
tns client_hostname
tns server_hostname
tns bind_variable
tns variable_id
tns variable_type
tns variable_value

Maximum collects everything in Standard and:

amqp correlation_id
amqp exchange_type
amqp revision
amqp server_major_version
amqp server_minor_version
ica application
ica application_utf16
ica priority
ica service
mysql base
pop3 attach_disposition
pop3 attach_transfer_encoding
pop3 date
pop3 received_by_ip
pop3 received_from_ip
pop3 received_server_agent
pop3 received_with
pop3 receiver_alias
pop3 receiver_type
pop3 sender_alias
pop3 user_agent
rpc program_version
rpc state
rpc version
sip inherit_key
sip inherit_parent
sip method
sip reply_code
sip request_call_id
sip user_agent
smb attributes
smb ext_attributes
smb file_attributes
smb file_chunk_data_offset
smb file_chunk_len
smb krb5_enc_data
smb krb5_enc_data_type
smb krb5_err_cname
smb krb5_err_cname_name
smb krb5_err_cname_type
smb krb5_err_crealm
smb krb5_err_data
smb krb5_err_realm
smb krb5_err_sname
smb krb5_err_sname_name
smb krb5_err_sname_type
smb krb5_kdcoptions
smb krb5_message
smb krb5_message_type
smb krb5_pa_data
smb krb5_pa_data_type
smb krb5_pa_data_value
smb krb5_realm
smb krb5_server
smb krb5_service
smb krb5_ticket_enc_part
smb krb5_ticket_name
smb krb5_ticket_name_type
smb search_attributes
smb search_pattern
smb security_blob
smb service
smb service_data
smb session_key
smb share_access
smtp attach_disposition
smtp attach_transfer_encoding
smtp content_language
smtp content_transfer_encoding
smtp date
smtp received_by_ip
smtp received_from_ip
smtp received_server_agent
smtp received_with
smtp receiver_alias
smtp receiver_type
smtp replyto
smtp sender_alias
smtp server_agent
smtp start_time
smtp stop_time
smtp user_agent
tns base
tns client_os
tns client_program_name
tns client_program_path
tns response_size
tns server_os
tns server_port
tns version

Collection Scope allows you to filter specific metadata that is sent to the Data Processor.

Select All applications for no traffic filtering
Select Exclude certain applications to collect metadata for all content except the applications and application groups you specify in the selector box. .
Select Only collect certain applications to exclude all metadata except that for the applications and application groups you specify in the selector box.

When you select an option other than All applications, the selector box accordingly updates for you to then Exclude or Include the following applications or application groups. Begin typing in the selector box to display a list of configured Application Groups and Applications. Applications Groups are listed first; scroll through the list to get to the set of Applications. When you select an Application Group, the label for it is has a prefix (Group: ) to distinguish it from Applications. In the above image, all the selections are applications except analytics.

In previous releases, Application Groups were referred to as Tags.

Metadata Summarization allows you to reduce traffic to the DP. If you enable this, the sensor groups similar metadata from chatty applications into a single JSON file before sending to the DP.

Finally, you can enable SMB Reduction to reduce the amount of metadata collected for SMB commands. This is especially helpful in increasing your compression ratio if your network has a great deal of SMB traffic. If you enable this, metadata is only collected for:

session setup
logoff
read
write

Process Correlation

Enable this to build correlations between processes running on the sensor and host, and the IP address/port visible in traffic. The processes monitored include:

log forwarder
IDS
maltrace
aella_flow
SSHD
HTTP

You can set the sampling time interval.

Packet Deduplication

Enable this for the sensor to perform packet deduplication. This reduces storage by removing duplicate data. However, it uses processing power on the sensor to analyze the data and can significantly slow system performance. When this option is enabled, you can also set the deduplication time window.

Enable with caution.

If you have no need for deduplication (for example, if you have a sensor for every network segment), disable it.

Stream Slicing

Enable this to perform stream slicing, which truncates sessions at the specified length. This can reduce the bandwidth used.

This has no effect if you use local file assembly.

Handshake Failure

Enable this to detect handshake failures and allocate resources for that effort:

Time(s)—amount of time the sensor collects failures to get to the threshold
Threshold—the number of failures over the specified time before this detection is triggered
Report Interval(s)—interval between reports to the DP if there are multiple failures
Memory Limit (%)—maximum percentage of memory used by aella_flow for this detection

Flood Attack

Enable this to report flood attacks:

Flood Threshold (Source)—the number of new session requests per second from a single source before an attack is reported
Flood Threshold (Destination)—the number of new session requests per second from any source before an attack is reported
Flood Expire Time(s)—the number of seconds without new session requests after which we stop considering it an attack, and the sensor sends a session_end message to the DP
Flood Report Interval(s)—during an attack, the interval at which the sensor reports the attack to the DP (so that the DP isn't flooded with reports of the flood attack)
TCP Syn Flag Check—only counts session requests if the SYN flag in the packet is set

Buffering

If you enable buffering, the sensor buffers the data sent to Stellar Cyber. If the buffered data is received successfully, the sensor deletes the buffered data. If the buffer is full, the sensor stops buffering. The Buffer Size specifies the maximum amount of data buffered.

Sandbox

Enable the cloud sandbox to detect malware in network traffic. You must enable Network Traffic to enable the sandbox.

You can control the type and maximum size of scanned files, as well as the region of the sandbox used:

Max File Size (MB)—The largest file that will be scanned. The default and maximum values are both 10 MB.
Exclude MIME Types—Which file types are scanned. By default all known file types are scanned. Add the file types you'd like to exclude from scanning.
Region – Secifies the geographical region of the malware sandbox used by this profile. By default, this option is set to Automatic and the sensor selects the sandbox with the lowest latency relative to its own location. You can optionally override the Automatic option and choose a sandbox in a specific geographic location from the dropdown.
Note: This feature is new in the 4.3.5 release. Sensors upgraded from previous releases all use the Automatic option by default until a new profile with a different setting for the Region option is applied.

IDS

Enable IDS to detect malicious activity in network traffic. You must enable Network Traffic to enable IDS.

You can configure:

Networks
Signature
Buffering

Networks

Choose the Home Network. If you choose Specific, you can enter the IP address range.

Choose the External Network. If you choose Specific, you can enter the IP address range.

Signature

Choose the rule sets to use. These rules are integrated by Stellar Cyber from third-party threat intelligence. You can choose which rule sets to use, but you cannot add your own rules.

Stellar Cyber regularly pushes new rule sets so that they are available for selection in a sensor profile. Click at the bottom of the Selected Rules list to see a dropdown of the rules available for selection. For example:

Buffering

Aggregator

Enable this for the sensor to act as a data aggregator for other sensors.

If you enable the aggregator for this modular sensor, you cannot configure this sensor to use another aggregator.

The modular aggregator forwards aggregated traffic to the DP configured on the modular sensor. It also uses the receivers configured for the modular sensor, so you don't have to configure an aggregator profile.

As soon as you submit the modular sensor profile, you can configure sensors to use the modular aggregator as you would a dedicated data aggregator.

The modular aggregator does not appear in the Aggregators (deprecated) list in the Sensor page.

Keep in mind that TCP Port 8080 must be open between the sensor and the aggregator for successful communications.

Tenable Nessus

This feature is supported on modular sensors running v4.3.4 or later. Stellar Cyber recommends that you provision the modular sensor with an additional 1.5 GB of RAM and 1 vCPU when you enable this option.

Enable this feature to install a tenable nessus vulnerability scanner on your Stellar Cyber modular sensor, and link it to your nessus tenable.io account. After you have linked the scanner instance, you can initiate and monitor scans from the tenable.io

Click System | Collection | Sensor Profiles. The Sensor Profile Configuration page appears, with the Sensor Profiles tab displayed by default.
Click Create and select Add Modular Sensor Profile. The ADD SENSOR PROFILE screen appears.

Log into your tenable.io account as an administrative user (https://cloud.tenable.com).
Navigate to Settings > Sensors
From the Nessus Scanners tab, select the sub-tab for Linked scanners.
Click the link to Add Nessus scanner.
From the dialog that displays, copy the Linking Key and save it to a file.
Return to the Stellar Cyber console, Modular Sensor profile you are adding or editing.
Locate the section labeled Tenable Nessus, and toggle the feature on.
In the panel that displays, enter the Linking Key.
If needed, modify the default settings for Host and Port.
Click Submit.

After this profile is associated with a sensor, you can select that sensor IP address when you create or edit a scan in the Vulnerability Management > Scans panel.