Configuring Modular Sensor Profiles

A modular sensor profile allows you to easily add the features you like to your profiles. This helps simplify your profiles and lets you manage the VM requirements for the sensors based on the modular features they use. As we add new modular features, you can choose to add them to your sensor profiles.

Modular sensor profiles can only be applied to modular sensors. You can:

Keep in mind that VM resource requirements increase as you add more features to the Modular Sensor Profile. Refer to Modular Sensor Specifications for details on the resources required to run different combinations of features in a Modular Sensor Profile, as well as how to use the show module and show module request CLI commands to compare provisioned resources against those required to run specific feature combinations. Stellar Cyber only enables a Modular Sensor Profile on a sensor if the host VM's resources can support it.

Adding a Modular Sensor Profile

Whether you add or edit a modular sensor profile you have the same options, except you cannot edit the profile name. Use the following procedure to add a modular sensor profile:

  1. Click System | Collection | Sensor Profiles. The Sensor Profile Configuration page appears, with the Sensor Profiles tab displayed by default.

  2. Click Create and select Add Modular Sensor Profile. The ADD SENSOR PROFILE screen appears.

    Add Sensor Profile

  3. Enter the Profile Name. We recommend that you establish a naming convention so you can easily understand the intent of each profile by looking at the name. This field can only contain alphanumeric characters, underscores, spaces, and dashes.
  4. Choose at least one Receiver. Each sensor profile must have at least one receiver, which is the destination of the data it collects. You can add one receiver of each type: packet and JSON.

    See the Receiver configuration page for more information on creating and maintaining receivers.

  5. Customize the settings for the profile. The available settings are explained below.
  6. Click Submit. The profile is active immediately .

Keep in mind the following:

  • Log Collector and Log Forwarder are always enabled in Modular Sensor Profiles.

  • The Sandbox and IDS features can only be enabled if Network Traffic is enabled.

Customizing Modular Sensor Profile Features

You can customize these modular sensor profile features:

Log Forwarder

Modular sensor profiles include a log forwarder by default. You can configure:

Log Forwarder Workers

Configure the batch size:

  • Batch Size – Set the record batch size. The default is 100 records. The range is 1-10000.

    The sensor batches log records to make transmission more efficient. If your network has high throughput, increase the Batch Size to increase that efficiency.

Data Filtering

Add log filters to filter traffic out before sending it to the DP. You can create log filters at System | Collection | Log Filters.

Stellar Cyber recommends configuring no more than 50 Log Forwarder filters in this field for one sensor profile. Exceeding this recommended maximum can affect sensor performance.

Forward to External Server

You can enable this option to send unparsed logs to an external server, pre-normalization. Logs are still also sent to the DP when this feature is enabled.

Configure external log forwarding as follows:

  1. Click Forward to External Server.

  2. Enter the IP address or domain name of the external server to which you want to forward unparsed logs.

  3. Enter the port.

  4. Uncheck Send Metadata if you don't want the sensor to add metadata to the logs forwarded to your external server. If you leave it checked, the sensor adds the log source IP address, ingestion port number, and log source type to the original log in JSON format.

Logs containing non-printing characters, such as Netflow and IPFIX, cannot be forwarded to an external server.

All log lines are truncated to 1024 characters, per RFC 3164.

Compression

Enable Compression for the sensor to compress the parsed logs before sending to the DP. This uses the CPU on the sensor to compress the logs, and the CPU on the DP to decompress. Enable compression to save bandwidth at the expense of CPU on the sensor and DP.

HTTP JSON Parser

Enable the HTTP JSON Parser if you are sending logs via HTTP.

Multi-Tenant Log Ingestion

Enable Multi-Tenant Log Ingestion to allow CEF (Infocyte), Cylance, and selected Stellar JSON parsers to receive logs from multiple tenants. In addition to this setting, the incoming data file must follow specific guidelines described in:  Single Sensor Multi-tenant Log Ingestion . Supported parsers are also described in this topic.

Raw Log Capture

Raw Log Capture can be enabled if you want the sensor to store both raw and processed logs on the DP for built-in parsers. This can be useful in troubleshooting situations when you may want to compare a processed log to its corresponding raw log. Note that the feature only applies to built-in parsers. Custom parsers have their own settings within the parsers themselves.

You can search for raw logs by looking for the parser_raw_msg field in InterFlow records.

Keep in mind that when this feature is enabled, built-in parsers store both raw and processed logs, requiring more storage resources on the DP.

Buffering

Enable this to enable buffering on the data sensors. If you enable buffering, the data sensor buffers the logs sent to Stellar Cyber. If the logs are received successfully, the sensor deletes the buffered logs. If the buffer is full, the sensor stops buffering logs. The Buffer Size parameter lets you specify the maximum size for all logs buffered:

  • Buffer Size—The total logs buffered, in MB

When you disable buffering, any data in the buffer is immediately deleted. Ensure that the sensor has a stable connection to the DP for long enough to transmit all data in the buffer.

Network Traffic

Enable the Network Traffic option to ingest network traffic. When this option is enabled, you can also enable the Sandbox and IDS features. You can configure:

Application Identification

Enable this option for the network sensor to identify applications associated with events.

Application Session

Enable this option for the sensor to identify the length of individual network sessions. The parameters specify how often to report the session information and the amount of idle time that can pass before concluding that a session has ended.

If you disable Application Session, network and agent sensors stop sending data to the DP but data sensors continue to process traffic.

If you enable Session Combine, UDP sessions from the specified port to the same destination are combined into a single session.

Application Metadata

Enable this to control how application information is collected and which applications are included.

You can disable the collection of application metadata to increase sensor performance and save storage space, but that limits collected data to:

  • Basic session information

  • Packet and byte counts

  • IP address

  • Port

You can set the Metadata Collection Level to Limited Evidence, Minimum, Standard, or Maximum. This controls how many of the information fields are collected.

Minimum collects everything in Limited Evidence. There is currently no difference between Minimum and Limited Evidence.

Collection Scope allows you to filter specific metadata that is sent to the Data Processor.

  • Select All applications for no traffic filtering

  • Select Exclude certain applications to collect metadata for all content except the applications and application groups you specify in the selector box. .

  • Select Only collect certain applications to exclude all metadata except that for the applications and application groups you specify in the selector box.

When you select an option other than All applications, the selector box accordingly updates for you to then Exclude or Include the following applications or application groups. Begin typing in the selector box to display a list of configured Application Groups and Applications. Applications Groups are listed first; scroll through the list to get to the set of Applications. When you select an Application Group, the label for it is has a prefix (Group: ) to distinguish it from Applications. In the above image, all the selections are applications except analytics.

In previous releases, Application Groups were referred to as Tags.

Metadata Summarization allows you to reduce traffic to the DP. If you enable this, the sensor groups similar metadata from chatty applications into a single JSON file before sending to the DP.

Finally, you can enable SMB Reduction to reduce the amount of metadata collected for SMB commands. This is especially helpful in increasing your compression ratio if your network has a great deal of SMB traffic. If you enable this, metadata is only collected for:

  • session setup
  • logoff
  • read
  • write

Process Correlation

Enable this to build correlations between processes running on the sensor and host, and the IP address/port visible in traffic. The processes monitored include:

  • log forwarder
  • IDS
  • maltrace
  • aella_flow
  • SSHD
  • HTTP

You can set the sampling time interval.

Packet Deduplication

Enable this for the sensor to perform packet deduplication. This reduces storage by removing duplicate data. However, it uses processing power on the sensor to analyze the data and can significantly slow system performance. When this option is enabled, you can also set the deduplication time window.

Enable with caution.

If you have no need for deduplication (for example, if you have a sensor for every network segment), disable it.

Stream Slicing

Enable this to perform stream slicing, which truncates sessions at the specified length. This can reduce the bandwidth used.

This has no effect if you use local file assembly.

Handshake Failure

Enable this to detect handshake failures and allocate resources for that effort:

  • Time(s)—amount of time the sensor collects failures to get to the threshold
  • Threshold—the number of failures over the specified time before this detection is triggered
  • Report Interval(s)—interval between reports to the DP if there are multiple failures
  • Memory Limit (%)—maximum percentage of memory used by aella_flow for this detection

Flood Attack

Enable this to report flood attacks:

  • Flood Threshold (Source)—the number of new session requests per second from a single source before an attack is reported
  • Flood Threshold (Destination)—the number of new session requests per second from any source before an attack is reported
  • Flood Expire Time(s)—the number of seconds without new session requests after which we stop considering it an attack, and the sensor sends a session_end message to the DP
  • Flood Report Interval(s)—during an attack, the interval at which the sensor reports the attack to the DP (so that the DP isn't flooded with reports of the flood attack)
  • TCP Syn Flag Check—only counts session requests if the SYN flag in the packet is set

Buffering

If you enable buffering, the sensor buffers the data sent to Stellar Cyber. If the buffered data is received successfully, the sensor deletes the buffered data. If the buffer is full, the sensor stops buffering. The Buffer Size specifies the maximum amount of data buffered.

Sandbox

Enable the cloud sandbox to detect malware in network traffic. You must enable Network Traffic to enable the sandbox.

You can control the type and maximum size of scanned files, as well as the region of the sandbox used:

  • Max File Size (MB)—The largest file that will be scanned. The default and maximum values are both 10 MB.
  • Exclude MIME Types—Which file types are scanned. By default all known file types are scanned. Add the file types you'd like to exclude from scanning.
  • Region – Secifies the geographical region of the malware sandbox used by this profile. By default, this option is set to Automatic and the sensor selects the sandbox with the lowest latency relative to its own location. You can optionally override the Automatic option and choose a sandbox in a specific geographic location from the dropdown.

    Note: This feature is new in the 4.3.5 release. Sensors upgraded from previous releases all use the Automatic option by default until a new profile with a different setting for the Region option is applied.

IDS

Enable IDS to detect malicious activity in network traffic. You must enable Network Traffic to enable IDS.

You can configure:

Networks

Choose the Home Network. If you choose Specific, you can enter the IP address range.

Choose the External Network. If you choose Specific, you can enter the IP address range.

Signature

Choose the rule sets to use. These rules are integrated by Stellar Cyber from third-party threat intelligence. You can choose which rule sets to use, but you cannot add your own rules.

Stellar Cyber regularly pushes new rule sets so that they are available for selection in a sensor profile. Click at the bottom of the Selected Rules list to see a dropdown of the rules available for selection. For example:

Buffering

If you enable buffering, the sensor buffers the data sent to Stellar Cyber. If the buffered data is received successfully, the sensor deletes the buffered data. If the buffer is full, the sensor stops buffering. The Buffer Size sets the maximum amount of data buffered.

Aggregator

Enable this for the sensor to act as a data aggregator for other sensors.

If you enable the aggregator for this modular sensor, you cannot configure this sensor to use another aggregator.

The modular aggregator forwards aggregated traffic to the DP configured on the modular sensor. It also uses the receivers configured for the modular sensor, so you don't have to configure an aggregator profile.

As soon as you submit the modular sensor profile, you can configure sensors to use the modular aggregator as you would a dedicated data aggregator.

Only Windows Server Sensors can forward traffic to an aggregator in the 5.0.2 release.
Starting with the 5.0.4 release, Linux server sensors can forward to an aggregator, too. However, the feature can only be enabled from the Linux server sensor's CLI (set/show aggregator).

Keep in mind that TCP Port 8080 must be open between the sensor and the aggregator for successful communications.

Tenable Nessus

This feature is supported on modular sensors running v4.3.4 or later. Stellar Cyber recommends that you provision the modular sensor with an additional 1.5 GB of RAM and 1 vCPU when you enable this option.

Enable this feature to install a tenable nessus vulnerability scanner on your Stellar Cyber modular sensor, and link it to your nessus tenable.io account. After you have linked the scanner instance, you can initiate and monitor scans from the tenable.io

  1. Click System | Collection | Sensor Profiles. The Sensor Profile Configuration page appears, with the Sensor Profiles tab displayed by default.

  2. Click Create and select Add Modular Sensor Profile. The ADD SENSOR PROFILE screen appears.

    Add Sensor Profile

  1. Log into your tenable.io account as an administrative user (https://cloud.tenable.com).

  2. Navigate to Settings > Sensors

  3. From the Nessus Scanners tab, select the sub-tab for Linked scanners.

  4. Click the link to Add Nessus scanner.

  5. From the dialog that displays, copy the Linking Key and save it to a file.

  6. Return to the Stellar Cyber console, Modular Sensor profile you are adding or editing.

  7. Locate the section labeled Tenable Nessus, and toggle the feature on.

  8. In the panel that displays, enter the Linking Key.

  9. If needed, modify the default settings for Host and Port.

  10. Click Submit.

After this profile is associated with a sensor, you can select that sensor IP address when you create or edit a scan in the Vulnerability Management > Scans panel.