Frequently Asked Questions
What is Xcitium Sensor?
Xcitium Sensor is a passive network sensor image used to collect and analyze network traffic in order to identify suspicious events. Since Xcitium Sensor is distributed as an ISO image, it can be easily installed both on physical servers and in any virtualization environment. The sensor has built-in PF_RING support as a packet capture accelerator to increase packet capture performance and reduce packet loss.
The primary purpose of the Xcitium Sensor is to collect raw network traffic via a mirror port configuration or using hub or tap devices. Our sensor combines signature-based and heuristics-based IDS, which gives SOC teams a strong mechanism for network analysis and security monitoring. Xcitium Sensor also provides a log forwarder service that collects supported third-party network device logs, normalizes them and forwards them to our Xcitium NDR servers using our common event model.
Xcitium Sensor provides external threat intelligence integration capability. Additionally, it has Valkyrie integration for advanced analysis of extracted files.
Xcitium Sensor also provides passive OS and service fingerprinting. All the collected information about the network is sent to Xcitium servers to be presented to users in the Xcitium portal. Xcitium Sensor tuning and maintenance operations, such as managing new signatures, tuning the signature sets to keep event volume at acceptable levels, minimizing false positives, maintaining the up/down health status of sensors and managing data feeds, are performed regularly by the Comodo SOC team.
Which Services are Running on Xcitium Sensor?
In addition to the default CentOS 7 services, there is also PF_RING support for Bro IDS and Suricata IDS. There are also custom Comodo services for integration, management and updates.
The following table shows the open ports, the related programs and whether or not the sensor firewall blocks the connection:
Port | Program | Firewall Blocking Status
22 | sshd | Allowed
68 | dhclient | Allowed
80 | httpd | Allowed
514 | rsyslogd | Allowed
Which configurations must be done at first install?
Setting the IP address, gateway and Network Token is the essential first step of installing Xcitium Sensor.
Which Network Interfaces are Active on a Hardware Sensor?
The “eth0” interface is active and is used for management and communication with Xcitium servers.
The “eth1” interface is responsible for listening to the network traffic coming from the mirror interface. Therefore it works in promiscuous mode.
Which Rule-set do IDS Services Use?
The IDS services mainly use the Emerging Threats Pro ruleset, which is customized and improved by the Xcitium team.
What is the Log Forward Feature?
In addition to collecting information about network security, Xcitium Sensor also collects and forwards logs from other products in the network.
Which External IPs or Domains does Xcitium Sensor Need to Access?
For remote management:
Domain: sensor.mssp.Xcitium.com
Address: 35.169.33.2
For rule update:
Domain: rules.emergingthreatspro.com
Address: 204.12.217.18, 96.43.137.98
For Amazon Kinesis:
Domain: kinesis.us-east-1.amazonaws.com
Address: 52.119.196.103
Domain: monitoring.us-east-1.amazonaws.com
Address: 52.94.238.171
DNS address:
The default DNS is set to 8.8.8.8. If the customer wants to use this DNS, it must be allowed. If the customer wants to use their own DNS, that should be allowed only after we are sure that the hosts above are resolved correctly by that DNS.
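The DNS condition above is worth verifying before the sensor is installed. The following script is an added example, not Xcitium's own tooling: run from a machine that uses the DNS server the customer intends the sensor to use, it resolves the hostnames listed on this page and reports hosts that do not resolve or that resolve only to addresses outside the documented list. It assumes IPv4 and the OS resolver; the `Resolver` type and `check_resolution` function are constructed for the example.

```python
"""Pre-install check for Xcitium Sensor egress dependencies (added example,
not Xcitium's own tooling). Run it from a host that uses the DNS server the
sensor will use; it reports hosts the resolver cannot resolve or that resolve
only to addresses outside the list documented on this page."""
import socket
from typing import Callable, Dict, List, Set

# Required endpoints as listed on this page: hostname -> documented addresses.
REQUIRED_ENDPOINTS: Dict[str, Set[str]] = {
    "sensor.mssp.Xcitium.com": {"35.169.33.2"},
    "rules.emergingthreatspro.com": {"204.12.217.18", "96.43.137.98"},
    "kinesis.us-east-1.amazonaws.com": {"52.119.196.103"},
    "monitoring.us-east-1.amazonaws.com": {"52.94.238.171"},
}

# A resolver maps a hostname to the set of IPv4 addresses it resolves to
# (constructed abstraction so the check can be driven by any lookup method).
Resolver = Callable[[str], Set[str]]


def system_resolver(host: str) -> Set[str]:
    """Resolve host to its IPv4 addresses with the OS resolver, i.e. the DNS
    configured on this machine. Returns an empty set on lookup failure."""
    try:
        infos = socket.getaddrinfo(host, None, socket.AF_INET)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def check_resolution(resolver: Resolver = system_resolver) -> Dict[str, List[str]]:
    """Return {"unresolved": [...], "mismatched": [...], "ok": [...]}.

    A host is 'mismatched' when it resolves but none of the returned addresses
    is on the documented list. Cloud endpoints rotate addresses, so a mismatch
    means 'review the firewall allow-list', not that the resolver is broken."""
    report: Dict[str, List[str]] = {"unresolved": [], "mismatched": [], "ok": []}
    for host, documented in REQUIRED_ENDPOINTS.items():
        resolved = resolver(host)
        if not resolved:
            report["unresolved"].append(host)
        elif resolved.isdisjoint(documented):
            report["mismatched"].append(f"{host} -> {', '.join(sorted(resolved))}")
        else:
            report["ok"].append(host)
    return report


if __name__ == "__main__":
    for status, hosts in check_resolution().items():
        for entry in hosts:
            print(f"{status.upper():10} {entry}")
```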