Frequently Asked Questions
- What is SOCaaP Sensor?
- Which Services are Running on SOCaaP Sensor?
- Which configurations must be done at first install?
- Which Network Interfaces are Active on a Hardware Sensor?
- Which Rule-set do IDS Services Use?
- What is the Log Forward Feature?
- Which External IPs or Domains does SOCaaP Sensor Need to Access?
What is SOCaaP Sensor?
SOCaaP Sensor is a passive network sensor image used to collect and analyze network traffic in order to identify suspicious events. Because SOCaaP Sensor is distributed as an ISO image, it can be installed easily on both physical servers and any virtualization environment. The sensor has built-in PF_RING support as a packet capture accelerator, which increases packet capture performance and decreases packet loss.
The primary purpose of the SOCaaP Sensor is to collect raw network traffic via a mirror port configuration, or using hub or tap devices. Our sensor combines signature-based and heuristics-based IDS, which gives SOC teams a strong mechanism for network analysis and security monitoring. SOCaaP Sensor also provides a log forwarder service that collects logs from supported third-party network devices, normalizes them and forwards them to our SOCaaP NDR servers using our common event model.
SOCaaP Sensor provides external threat intelligence integration capability. Additionally, it has Valkyrie integration for advanced analysis of extracted files.
SOCaaP Sensor also provides passive OS and service fingerprinting. All the collected information about the network is sent to SOCaaP servers and presented to users in the SOCaaP portal. SOCaaP Sensor tuning and maintenance operations, such as managing new signatures, tuning the signature sets to keep event volume at acceptable levels, minimizing false positives, maintaining the up/down health status of sensors and managing data feeds, are performed regularly by the Xcitium SOC team.
Which Services are Running on SOCaaP Sensor?
In addition to the default CentOS 7 services, there is PF_RING support for Bro IDS and Suricata IDS. There are also custom Xcitium services for integration, management and updates.
The following table shows the open ports, the related programs and whether or not the sensor firewall blocks the connection:
Port | Program  | Firewall Blocking Status
---- | -------- | ------------------------
22   | sshd     | Allowed
68   | dhclient | Allowed
80   | httpd    | Allowed
514  | rsyslogd | Allowed
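As an added check, not part of the Xcitium documentation: the script below compares the sockets actually listening on a sensor with the port table above, so that an extra listener (a stray service, a leftover debugging tool) is noticed during a health review. The port/program pairs are the documented ones; the `ss -tulnp` output embedded in the script is a constructed sample, and the 8080/python2 line in it is a made-up listener that is not in the table.

```shell
#!/bin/sh
# Added example (not part of the Xcitium documentation): compare the sockets
# actually listening on a sensor with the documented port table. The
# port/program pairs are the documented ones; the ss(8) output used below is
# constructed. Run `ss -tulnp` as root, otherwise the process column is
# empty and every socket is reported as unexpected.

# Documented listeners, one "port program" pair per line.
EXPECTED_LISTENERS='22 sshd
68 dhclient
80 httpd
514 rsyslogd'

# audit_listeners: reads `ss -tulnp` output on stdin and prints one
# "UNEXPECTED <port> <program>" line per socket missing from the table.
# Prints nothing when the host matches the documented state.
audit_listeners() {
    # Drop the header row; each data row is:
    # Netid State Recv-Q Send-Q Local:Port Peer:Port Process
    tail -n +2 | while read -r netid state rq sq laddr peer proc; do
        [ -n "$laddr" ] || continue
        port=${laddr##*:}        # works for 0.0.0.0:22, [::]:22 and *:80
        prog=$(printf '%s' "$proc" | sed -n 's/.*(("\([^"]*\)".*/\1/p')
        if ! printf '%s\n' "$EXPECTED_LISTENERS" | grep -qxF "$port $prog"; then
            printf 'UNEXPECTED %s %s\n' "$port" "$prog"
        fi
    done
}

# Constructed sample of `ss -tulnp` output: the four documented services plus
# one listener (8080/python2) that is not in the table.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0:68        0.0.0.0:*  users:(("dhclient",pid=812,fd=6))
udp   UNCONN 0      0      0.0.0.0:514       0.0.0.0:*  users:(("rsyslogd",pid=901,fd=3))
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*  users:(("sshd",pid=950,fd=3))
tcp   LISTEN 0      128    [::]:22           [::]:*     users:(("sshd",pid=950,fd=4))
tcp   LISTEN 0      128    *:80              *:*        users:(("httpd",pid=1020,fd=4))
tcp   LISTEN 0      128    0.0.0.0:8080      0.0.0.0:*  users:(("python2",pid=2001,fd=3))'

# On a live sensor:  ss -tulnp | audit_listeners
printf '%s\n' "$SAMPLE_SS" | audit_listeners
```

The sample run prints `UNEXPECTED 8080 python2` and nothing else: the two sshd sockets (IPv4 and IPv6) both map to the documented `22 sshd` pair, and the UDP sockets for dhclient and rsyslogd match their rows. A listener that is in the table but bound by a different program (for example port 80 served by something other than httpd) is also reported, because the check matches the pair, not the port alone.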
Which configurations must be done at first install?
It is essential to set the IP address, gateway and Network Token as the first step of installing the SOCaaP sensor.
Which Network Interfaces are Active on a Hardware Sensor?
The “eth0” interface is active and is used for management and communication with SOCaaP servers.
The “eth1” interface is responsible for listening to the network traffic coming from the mirror interface; therefore it works in promiscuous mode.
Which Rule-set do IDS Services Use?
IDS services mainly use the Emerging Threats Pro Ruleset, which is customized and improved by the Xcitium SOCaaP team.
What is the Log Forward Feature?
In addition to collecting information about network security, the SOCaaP sensor also collects and forwards logs from other products in the network.
Which External IPs or Domains does SOCaaP Sensor Need to Access?
For remote management:
Domain: sensor.mssp.Xcitium.com
Address: 35.169.33.2
For rule update:
Domain: rules.emergingthreatspro.com
Address: 204.12.217.18, 96.43.137.98
For Amazon Kinesis:
Domain: kinesis.us-east-1.amazonaws.com
Address: 52.119.196.103
Domain: monitoring.us-east-1.amazonaws.com
Address: 52.94.238.171
Domain: firehose.us-east-1.amazonaws.com
Address: Dynamic Amazon load balancing
DNS address:
The default DNS server is set to 8.8.8.8. If the customer wants to use this DNS server, it must be allowed. If the customer wants to use their own DNS server, that should be allowed only after we are sure that the hosts above are resolved correctly by it.
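As an added example, not part of the Xcitium documentation: the script below performs the check the last paragraph asks for, resolving each host listed above through a candidate DNS server and comparing the answers with the documented addresses before that server is allowed. It assumes `dig` from the bind-utils package is installed on the CentOS 7 sensor; the resolver is passed in as a command, so the same logic can be run offline against the constructed `sample_resolver` included in the script. The DNS server address 192.0.2.53 and the answers in `sample_resolver` are placeholders, not real values.

```shell
#!/bin/sh
# Added example (not part of the Xcitium documentation): check that a
# candidate DNS server resolves every host the sensor must reach to the
# documented addresses before that server is allowed through the firewall.
# Assumes dig(1) from bind-utils on the CentOS 7 sensor; the resolver is
# passed in as a command so the logic can run offline against the
# constructed sample_resolver below.

# Hosts with fixed documented addresses: "host addr [addr ...]" per line.
PINNED_HOSTS='sensor.mssp.Xcitium.com 35.169.33.2
rules.emergingthreatspro.com 204.12.217.18 96.43.137.98
kinesis.us-east-1.amazonaws.com 52.119.196.103
monitoring.us-east-1.amazonaws.com 52.94.238.171'

# Firehose uses dynamic Amazon load balancing: only require that it resolves.
DYNAMIC_HOSTS='firehose.us-east-1.amazonaws.com'

# dig_resolver DNS HOST: print the A records HOST resolves to via server DNS,
# dropping any CNAME lines that `dig +short` emits along the way.
dig_resolver() {
    dig +short +time=3 +tries=1 @"$1" "$2" A | grep -E '^[0-9.]+$'
}

# sample_resolver DNS HOST: constructed answers for an offline run. The
# monitoring host deliberately resolves to a documentation-range address
# that differs from the documented one, so the check has something to report.
sample_resolver() {
    case "$2" in
        sensor.mssp.Xcitium.com)            echo 35.169.33.2 ;;
        rules.emergingthreatspro.com)       printf '204.12.217.18\n96.43.137.98\n' ;;
        kinesis.us-east-1.amazonaws.com)    echo 52.119.196.103 ;;
        monitoring.us-east-1.amazonaws.com) echo 198.51.100.7 ;;
        firehose.us-east-1.amazonaws.com)   echo 203.0.113.9 ;;
        *) : ;;
    esac
}

# verify_dns RESOLVER DNS: resolve each host through RESOLVER and print one
# line per problem: "NXDOMAIN host" when nothing comes back, or
# "MISMATCH host addr..." when an answer is outside the documented set.
# Prints nothing when the candidate DNS server is safe to allow.
verify_dns() {
    resolver=$1
    dns=$2
    printf '%s\n' "$PINNED_HOSTS" | while read -r host expected; do
        got=$("$resolver" "$dns" "$host" | tr '\n' ' ' | sed 's/ $//')
        [ -n "$got" ] || { printf 'NXDOMAIN %s\n' "$host"; continue; }
        ok=1
        for addr in $got; do
            case " $expected " in
                *" $addr "*) ;;
                *) ok=0 ;;
            esac
        done
        [ "$ok" = 1 ] || printf 'MISMATCH %s %s\n' "$host" "$got"
    done
    for host in $DYNAMIC_HOSTS; do
        [ -n "$("$resolver" "$dns" "$host")" ] || printf 'NXDOMAIN %s\n' "$host"
    done
}

# Offline run against the constructed answers (192.0.2.53 is a placeholder
# for the customer's DNS server):
verify_dns sample_resolver 192.0.2.53
# On a sensor with bind-utils installed:  verify_dns dig_resolver <customer-dns-ip>
```

The offline run prints `MISMATCH monitoring.us-east-1.amazonaws.com 198.51.100.7`, which is the situation the paragraph warns about: the customer's resolver answers, but not with the address the sensor is expected to reach. An empty report is the condition for allowing that DNS server; if Xcitium changes a documented address, `PINNED_HOSTS` is the only place to update.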