Basic configuration rules
Set traffic filter
Product | Guardian |
Syntax | conf.user configure bpf_filter <bpf_expression> |
Description | Set the Berkeley Packet Filter (BPF) expression applied to incoming traffic, to limit the type and amount of data processed by the sensor. |
Parameters | bpf_expression : the BPF expression to apply to incoming traffic. A BPF syntax reference is available on the sensor at https://<sensor_ip>/#/bpf_guide |
Where | CLI |
To apply | In a shell console execute: service n2osids stop |
Enable or disable management filters
Product | Guardian |
Syntax | conf.user configure mgmt_filters [on|off] |
Description | Enable or disable the management filters, i.e. the filtering of packets sent from or to N2OS itself. Choose 'off' to disable them (default: on). |
Where | CLI |
To apply | In a shell console execute: service n2osids stop |
Enable or disable TCP/UDP deduplication
Product | Guardian |
Syntax | conf.user configure probe deduplication enabled [true|false] |
Description | Enable or disable the deduplication analysis that N2OS performs on TCP/UDP packets: true enables the feature, false disables it (default: true). |
Where | CLI |
To apply | In a shell console execute: service n2osids stop |
Set TCP deduplication time delta
Product | Guardian |
Syntax | conf.user configure probe deduplication tcp_max_delta <delta> |
Description | Set the maximum time delta, in milliseconds, within which a second copy of a TCP packet is considered a duplicate. |
Parameters | delta : the maximum time delta in milliseconds (default: 1) |
Where | CLI |
To apply | In a shell console execute: service n2osids stop |
Set UDP deduplication time delta
Product | Guardian |
Syntax | conf.user configure probe deduplication udp_max_delta <delta> |
Description | Set the maximum time delta, in milliseconds, within which a second copy of a UDP packet is considered a duplicate. |
Parameters | delta : the maximum time delta in milliseconds (default: 1) |
Where | CLI |
To apply | In a shell console execute: service n2osids stop |
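The following is an added example, not N2OS code, that models what the three deduplication rules above control: with deduplication enabled, a second copy of the same packet captured within tcp_max_delta (or udp_max_delta) milliseconds is dropped. The sensor's real duplicate-matching key is not documented on this page; matching on the transport 5-tuple plus payload, and the constructed packet list (a SPAN session that mirrors both switch ports and therefore delivers each frame twice), are assumptions of this example. It also shows the failure mode of an oversized delta: a legitimate retransmission 200 ms later is swallowed when tcp_max_delta is set to 500.

```python
# Added example (not N2OS code): models the deduplication window that
# "probe deduplication enabled" and tcp_max_delta/udp_max_delta control.
# The sensor's real duplicate-matching key is not documented on this page;
# matching on transport 5-tuple plus payload is an assumption made here.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts_ms: float      # capture timestamp, milliseconds
    proto: str        # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


def dedup(packets, tcp_max_delta=1.0, udp_max_delta=1.0, enabled=True):
    """Return the packets that survive deduplication.

    A packet is treated as a duplicate and dropped when an identical packet
    (same key) was kept no more than max_delta milliseconds earlier. The delta
    is chosen per transport, mirroring the two CLI rules (default 1 ms each).
    """
    if not enabled:                       # probe deduplication enabled false
        return list(packets)
    last_kept = {}                        # key -> timestamp of the last kept copy
    kept = []
    for p in sorted(packets, key=lambda x: x.ts_ms):
        key = (p.proto, p.src, p.sport, p.dst, p.dport, p.payload)
        max_delta = tcp_max_delta if p.proto == "tcp" else udp_max_delta
        prev = last_kept.get(key)
        if prev is not None and p.ts_ms - prev <= max_delta:
            continue                      # second copy inside the window: drop it
        last_kept[key] = p.ts_ms
        kept.append(p)
    return kept


def sample_packets():
    """Constructed sample: a SPAN session mirroring both switch ports delivers
    each frame twice about 0.3 ms apart; 200 ms later the client legitimately
    retransmits the same Modbus request."""
    tcp = ("tcp", "10.0.1.10", 49152, "10.0.1.20", 502,
           b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a")
    udp = ("udp", "10.0.1.10", 5000, "10.0.1.21", 5000, b"\x02")
    return [
        Packet(100.0, *tcp),
        Packet(100.3, *tcp),   # mirror duplicate
        Packet(300.0, *tcp),   # real retransmission
        Packet(150.0, *udp),
        Packet(150.4, *udp),   # mirror duplicate
    ]


if __name__ == "__main__":
    pk = sample_packets()
    print(len(dedup(pk)), "kept with 1 ms deltas")                           # 3
    print(len(dedup(pk, tcp_max_delta=500)), "kept with tcp_max_delta 500")  # 2
    print(len(dedup(pk, enabled=False)), "kept with deduplication disabled")  # 5
```

The default of 1 ms is deliberately tight: it is enough to absorb the near-simultaneous copies produced by mirroring or by multiple taps on the same segment, while leaving genuine retransmissions (which arrive after a retransmission timeout of tens to hundreds of milliseconds) visible to the analysis. Raise it only after measuring the actual inter-copy delay on your capture path.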
Rename fallback zones
Product | Guardian |
Syntax | conf.user configure vi zones default [private|public] <zone_name> |
Description | Set the name of the private or public fallback zone, i.e. the zone assigned to nodes that do not match any configured zone. Details on the zones feature can be viewed in the Graph page under Network. Remark: zones can be configured through the GUI, which is the preferred way. Refer to Zone configurations, in the Administrator Guide. |
Parameters | zone_name : the name of the private or public fallback zone |
Where | CLI |
To apply | It is applied automatically |
Note | You can also change this configuration from the Web UI. |
Add Zone
Product | Guardian |
Syntax | ids configure vi zones create <subnet>[,<subnet>] <zone_name> |
Description | Add a new zone containing all the nodes in one or more specified subnetworks. Multiple subnetworks can be concatenated using commas. Each subnetwork can be specified in CIDR notation (<ip>/<mask>) or as an IP range whose ends are both included (<low_ip>-<high_ip>). Remark: zones can be configured through the GUI, which is the preferred way. Refer to Zone configurations, in the Administrator Guide. |
Parameters | subnet : a subnetwork in CIDR notation or as an inclusive IP range; zone_name : the name of the new zone |
Where | CLI |
To apply | It is applied automatically |
Note | You can also change this configuration from the Web UI. |
Assign a level to a zone
Product | Guardian |
Syntax | ids configure vi zones setlevel <level> <zone_name> |
Description | Assign the specified level to a zone. All nodes belonging to the given zone are assigned that level. Remark: zones can be configured through the GUI, which is the preferred way. Refer to Zone configurations, in the Administrator Guide. |
Parameters | level : the level to assign; zone_name : the name of the zone |
Where | CLI |
To apply | It is applied automatically |
Note | You can also change this configuration from the Web UI. |
Set the nodes ownership for a zone
Product | Guardian |
Syntax | ids configure vi zones setis_public [true|false] <zone_name> |
Description | Set the nodes ownership for a zone: true for public ownership, false for private ownership. The is_public value of all nodes belonging to the given zone is overwritten with the inherited value. Remark: zones can be configured through the GUI, which is the preferred way. Refer to Zone configurations, in the Administrator Guide. |
Parameters | zone_name : the name of the zone |
Where | CLI |
To apply | It is applied automatically |
Note | You can also change this configuration from the Web UI. |
Assign a security profile to a zone
Product | Guardian |
Syntax | ids configure vi zones setsecprofile [low|medium|high|paranoid] <zone_name> |
Description | Assign the specified security profile to a zone. The visibility of the alerts generated within the zone follows the configured security profile. Refer to Security profile, in the Administrator Guide. |
Parameters | zone_name : the name of the zone |
Where | CLI |
To apply | It is applied automatically |
Note | You can also change this configuration from the Web UI. |
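The following is an added example, not N2OS code, that models the zone rules listed above (vi zones default, create, setlevel, setis_public and setsecprofile) so the matching semantics can be exercised offline: a zone specification is a comma-separated list of CIDR blocks and inclusive <low_ip>-<high_ip> ranges, a node takes the first zone whose subnetworks contain its address, and a node matching no zone falls back to the private or public fallback zone depending on whether its address is globally routable. The fallback zone names used, the rule that the first defined zone wins when zones overlap, and the sample addresses are assumptions of this example; the real sensor's behaviour on overlapping zones is not documented on this page.

```python
# Added example (not N2OS code): a small model of the zone CLI rules above.
# Default fallback zone names and "first defined zone wins on overlap" are
# assumptions of this example, not documented N2OS behaviour.
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

SEC_PROFILES = ("low", "medium", "high", "paranoid")


@dataclass
class Zone:
    name: str
    networks: list = field(default_factory=list)
    level: Optional[int] = None          # vi zones setlevel
    is_public: Optional[bool] = None     # vi zones setis_public
    secprofile: Optional[str] = None     # vi zones setsecprofile


def parse_subnets(spec: str):
    """Parse '<subnet>[,<subnet>]': each item is CIDR (<ip>/<mask>) or an
    inclusive range <low_ip>-<high_ip>, which is expanded to CIDR blocks."""
    nets = []
    for item in spec.split(","):
        item = item.strip()
        if "-" in item:
            low, high = (ipaddress.ip_address(x.strip()) for x in item.split("-", 1))
            if low.version != high.version or low > high:
                raise ValueError(f"invalid range: {item}")
            nets.extend(ipaddress.summarize_address_range(low, high))
        else:
            nets.append(ipaddress.ip_network(item, strict=False))
    return nets


class ZoneTable:
    def __init__(self, private_fallback="Private", public_fallback="Public"):
        self.zones = {}                           # insertion order = match order
        self.private_fallback = private_fallback  # vi zones default private <name>
        self.public_fallback = public_fallback    # vi zones default public <name>

    def create(self, spec, name):                 # vi zones create <subnet>[,<subnet>] <name>
        if name in self.zones:
            raise ValueError(f"zone {name!r} already exists")
        self.zones[name] = Zone(name, parse_subnets(spec))

    def setlevel(self, level, name):              # vi zones setlevel <level> <name>
        self.zones[name].level = int(level)

    def setis_public(self, flag, name):           # vi zones setis_public [true|false] <name>
        self.zones[name].is_public = bool(flag)

    def setsecprofile(self, profile, name):       # vi zones setsecprofile [low|...] <name>
        if profile not in SEC_PROFILES:
            raise ValueError(f"unknown security profile {profile!r}")
        self.zones[name].secprofile = profile

    def lookup(self, ip):
        """Zone name for a node: first matching zone, else the fallback zone
        chosen by whether the address is public (globally routable)."""
        addr = ipaddress.ip_address(ip)
        for zone in self.zones.values():
            if any(addr in net for net in zone.networks):
                return zone.name
        return self.public_fallback if addr.is_global else self.private_fallback

    def node_attributes(self, ip):
        """Attributes a node inherits from its zone (None = no zone override)."""
        name = self.lookup(ip)
        zone = self.zones.get(name)
        if zone is None:   # fallback zone: ownership follows the address itself
            return {"zone": name, "level": None,
                    "is_public": name == self.public_fallback, "secprofile": None}
        return {"zone": name, "level": zone.level,
                "is_public": zone.is_public, "secprofile": zone.secprofile}


if __name__ == "__main__":
    zt = ZoneTable(private_fallback="Undefined_Private", public_fallback="Undefined_Public")
    zt.create("10.0.1.0/24,10.0.2.10-10.0.2.20", "PLC_Cell_1")   # constructed sample
    zt.setlevel(1, "PLC_Cell_1")
    zt.setsecprofile("paranoid", "PLC_Cell_1")
    for ip in ("10.0.2.15", "10.0.2.21", "8.8.8.8"):
        print(ip, zt.node_attributes(ip))
```

Note that a range such as 10.0.2.10-10.0.2.20 is not a single CIDR block; the model expands it with summarize_address_range, which is why 10.0.2.21 falls through to the private fallback zone while 10.0.2.15 is inside the zone.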
Add custom protocol
Product | Guardian |
Syntax | conf.user configure probe custom-protocol <name> [tcp|udp] <port> |
Description | Add a new protocol by specifying a name, a transport layer and a port. Names must always be unique: to define a custom protocol for both UDP and TCP, use two different names. |
Parameters | name : the unique name of the custom protocol; tcp|udp : the transport layer; port : the port on which the protocol is carried |
Where | CLI |
To apply | In a shell console execute: service n2osids stop |
Disabling a protocol
Product | Guardian |
Syntax | conf.user configure probe protocol <name> enable false |
Description | Completely disables a protocol. This can be useful to fine tune the sensor for specific needs. |
Parameters | name : The name of the protocol to disable |
Where | CLI |
To apply | It is applied automatically |
Set IP grouping
Product | Guardian |
Syntax | conf.user configure probe ipgroup <ip>/<mask> |
Description | Group multiple IP addresses into a single node. This is particularly useful when a large network of clients accesses the SCADA/ICS system: to obtain a clearer view and an effective learning phase, all clients can be mapped to a single node by specifying their netmasks (one rule per netmask). The trace feature (configure trace) will still show the raw IPs in the provided trace files. Warning: this command merges all node information into one node irreversibly; the information about the original nodes is not kept. |
Parameters | ip/mask : the subnetwork identifier used to group the IP addresses |
Where | CLI |
To apply | In a shell console, execute both: service n2osids stop AND
service n2ostrace stop |
Set IP grouping for Public Nodes
Product | Guardian |
Syntax | conf.user configure probe ipgroup public_ips <ip> |
Description | Group all public IP addresses into a single node (for instance, use 0.0.0.0 as the ip parameter). This is particularly useful when the monitored network includes nodes that have routing to the Internet. The trace feature (configure trace) will still show the raw IPs in the provided trace files. Warning: this command merges all node information into one node irreversibly; the information about the original nodes is not kept. |
Parameters | ip : the IP to map all Public Nodes to |
Where | CLI |
To apply | In a shell console, execute both: service n2osids stop AND
service n2ostrace stop |
Skip Public Nodes Grouping for a subnet
Product | Guardian |
Syntax | conf.user configure probe ipgroup public_ips_skip <ip>/<mask> |
Description | Exclude a subnetwork from Public Nodes grouping. This is useful when the monitored network contains public addressing that has to be monitored individually (e.g. public addressing used as private, or public addresses that appear in security denylists). |
Parameters | ip/mask : the subnetwork identifier to skip |
Where | CLI |
To apply | In a shell console, execute both: service n2osids stop AND
service n2ostrace stop |
Set special Private Nodes allowlist
Product | Guardian |
Syntax | conf.user configure vi private_ips <ip>/<mask> |
Description | This rule will set the is_public property of nodes matching the provided mask to false. This is useful when the monitored network has a public addressing used as private (e.g. violation of RFC 1918). |
Parameters | ip/mask : the subnetwork identifier to treat as private; both IPv4 and IPv6 are supported |
Where | CLI |
To apply | In a shell console execute: service n2osids stop |
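The following is an added example, not N2OS code, that models how the four address-handling rules above (probe ipgroup <ip>/<mask>, ipgroup public_ips, ipgroup public_ips_skip and vi private_ips) combine when a captured address is mapped to a node. The page does not state the precedence between these rules; this example assumes that an explicit ipgroup subnet is applied first, that public-node collapsing then applies only to addresses that are globally routable, not covered by public_ips_skip and not declared private by private_ips, and that a grouped node is keyed by the subnet's network address. Those choices and the sample addresses are assumptions, not documented behaviour.

```python
# Added example (not N2OS code): models how ipgroup, ipgroup public_ips,
# ipgroup public_ips_skip and vi private_ips combine. Rule precedence and
# keying the grouped node by the network address are assumptions made here.
import ipaddress


class IpGrouping:
    def __init__(self):
        self.groups = []            # conf.user configure probe ipgroup <ip>/<mask>
        self.public_target = None   # conf.user configure probe ipgroup public_ips <ip>
        self.public_skip = []       # conf.user configure probe ipgroup public_ips_skip <ip>/<mask>
        self.private = []           # conf.user configure vi private_ips <ip>/<mask>

    def add_group(self, cidr):
        self.groups.append(ipaddress.ip_network(cidr, strict=False))

    def set_public_target(self, ip):
        self.public_target = str(ipaddress.ip_address(ip))

    def add_public_skip(self, cidr):
        self.public_skip.append(ipaddress.ip_network(cidr, strict=False))

    def add_private(self, cidr):
        self.private.append(ipaddress.ip_network(cidr, strict=False))

    def is_public(self, ip):
        """vi private_ips forces is_public=false; otherwise non-global
        addresses (RFC 1918, link-local, loopback, ...) are private."""
        addr = ipaddress.ip_address(str(ip))
        if any(addr in net for net in self.private):
            return False
        return addr.is_global

    def node_for(self, ip):
        """Node identifier that traffic from/to `ip` is accounted to."""
        addr = ipaddress.ip_address(ip)
        for net in self.groups:
            if addr in net:
                return str(net.network_address)   # whole subnet merged into one node
        if (self.public_target is not None
                and self.is_public(addr)
                and not any(addr in net for net in self.public_skip)):
            return self.public_target             # all remaining public nodes collapsed
        return str(addr)                          # ordinary per-IP node


if __name__ == "__main__":
    g = IpGrouping()                              # constructed sample configuration
    g.add_group("192.168.50.0/24")                # HMI client pool
    g.set_public_target("0.0.0.0")                # collapse the Internet
    g.add_public_skip("93.184.216.0/24")          # but keep this public range visible
    g.add_private("45.45.45.0/24")                # public range used as private
    for ip in ("192.168.50.77", "1.1.1.1", "93.184.216.34", "45.45.45.5", "10.1.2.3"):
        print(ip, "->", g.node_for(ip), "public" if g.is_public(ip) else "private")
```

The merge done by ipgroup and public_ips is irreversible on the sensor, as the warnings above state; the value of modelling it offline first is to confirm that addresses you need to keep distinct (a denylisted public host, an Internet-facing gateway) are covered by public_ips_skip or private_ips before the rule is applied to the live database.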
Set GUI logout timeout
Products | CMC, Guardian |
Syntax | conf.user configure users max_idle_minutes <timeout_in_minutes> |
Description | Change the default inactivity timeout of the GUI. When the user has been inactive for this long, the current session is logged out. |
Parameters | timeout_in_minutes : the number of minutes of inactivity to wait before logging out (default: 10) |
Where | CLI |
To apply | It is applied automatically |
Enable Syslog capture feature
Product | Guardian |
Syntax | conf.user configure probe protocol syslog capture_logs [true|false] |
Description | Enable (true) or disable (false) the passive capture of syslog events seen on the network. This is useful when you want to forward them to a SIEM; for details see Syslog forwarder integration in the Administrator Guide. |
Where | CLI |
To apply | It is applied automatically |
Enable Guardian HA
Product | Guardian |
Syntax | conf.user configure guardian replica-of <other_guardian_id> |
Description | Enable the Guardian HA mode for two Guardians that sniff the same traffic and are connected to the same CMC. During normal operations only the primary Guardian syncs with the CMC; if it stops synchronizing, the secondary Guardian starts synchronizing its records, resuming from the last update made by the primary Guardian. This rule must only be configured on the secondary sensor. |
Parameters | other_guardian_id : the id of the other Guardian; it can be found on the CMC with the query appliances | where host == <appliance_hostname> | select id |
Where | CLI |
To apply | In a shell console execute: service n2osids stop |
Disabling Vulnerability Assessment for some nodes
Product | Guardian |
Syntax | conf.user configure va_notification matching [id|label|zone|type|vendor]=<value> discard |
Description | Disable Vulnerability Assessment for the nodes matching the specified rule: CVE identifiers matched against those nodes are discarded. The types are as follows.
|
Parameters |
These operators must be specified right after the Examples:
|
Where | CLI |
To apply | In a shell console execute: service n2osva stop |
Enabling IPv6 Assets
Product | Guardian |
Syntax | conf.user configure vi ipv6_assets [enabled|disabled] |
Description | Enable asset generation also for IPv6 nodes. By default, this feature is disabled. |
Where | CLI |
To apply | It is applied automatically |
Note | You can also change this configuration from the Web UI. |
Change the maximum percentage of Variables in the Network Elements pool
Product | Guardian |
Syntax | conf.user configure vi machine_limits_variables_quota <n> |
Description | Change the maximum share of Variables in the Network Elements pool. The default is 0.6, meaning that no more than 60% of Network Elements can be Variables. |
Parameters | n : the maximum share of Variables expressed as a number from 0.0 to 1.0, e.g. conf.user configure vi machine_limits_variables_quota 0.7 |
Where | CLI |
To apply | In a shell console execute: service n2osids stop |
Tuning Backend Web Server workers
Products | CMC, Guardian |
Syntax | conf.user configure http_workers <n> |
Description | With this configuration rule you can change the number of Ruby Web Server workers. With a higher workers count the CMC/Guardian can handle more Web UI requests concurrently, at the expense of increased memory footprint. |
Parameters | n : the new number of workers |
Where | CLI |
To apply | In a shell console execute: service webserver stop |
Configure how Threat Intelligence contents are handled
Product | Guardian |
Syntax | conf.user configure vi contents <json_value> |
Description | This command configures how Threat Intelligence contents are to be loaded. The JSON object can have the following attributes:
Contents available are:
As an example, the following command will completely disable contents loading:
As a further example, the following command will allow only stix_indicators rules to be loaded:
As another example, the following command will configure the usage of the system database for storing STIX indicators related information, reducing the application memory footprint:
|
Parameters | json_value : a JSON object describing how Threat Intelligence contents are loaded |
Where | CLI |
To apply | In a shell console execute: service n2osids stop |
Configure which files detected on the networks are sent to sandbox
Product | Guardian |
Syntax | conf.user configure vi sandbox_extraction <json_value> |
Description | The JSON object can have the following attributes:
* disabled_protocols - a JSON array of protocols for which file detection is disabled
* enabled_protocols - a JSON array of protocols for which file detection is enabled
* disabled_file_extensions - a JSON array of file extensions for which file detection is disabled
* enabled_file_extensions - a JSON array of file extensions for which file detection is enabled
|
Parameters | json_value : a JSON object describing which detected files are sent to the sandbox |
Where | CLI |
To apply | In a shell console execute: service n2osids stop |
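The following is an added example, not N2OS code, that builds and checks a sandbox_extraction JSON value with the four attributes listed above and then applies it to decide whether a file observed on the wire would be extracted. The page does not say how an entry that appears in both an enabled and a disabled list is treated, nor whether an absent enabled list means "everything"; this example assumes that disabled entries win and that an absent or empty enabled list imposes no restriction. The sample configuration, the protocol names and the file names are constructed for the example.

```python
# Added example (not N2OS code): validate a sandbox_extraction JSON value and
# apply its enabled/disabled lists. Precedence (disabled wins; empty or absent
# enabled list = no restriction) is an assumption of this example.
import json

ALLOWED_KEYS = {
    "disabled_protocols", "enabled_protocols",
    "disabled_file_extensions", "enabled_file_extensions",
}


def load_sandbox_config(raw):
    """Parse the JSON value and reject anything that is not a flat object of
    string arrays under the four documented keys. Values are lower-cased and
    a leading '.' on extensions is dropped so 'EXE' and '.exe' both match."""
    cfg = json.loads(raw)
    if not isinstance(cfg, dict):
        raise ValueError("sandbox_extraction must be a JSON object")
    unknown = set(cfg) - ALLOWED_KEYS
    if unknown:
        raise ValueError(f"unknown attribute(s): {sorted(unknown)}")
    norm = {}
    for key, values in cfg.items():
        if not isinstance(values, list) or not all(isinstance(v, str) for v in values):
            raise ValueError(f"{key} must be a JSON array of strings")
        norm[key] = [v.lower().lstrip(".") for v in values]
    return norm


def to_cli_rule(cfg):
    """Render the rule as it would be typed into the CLI (compact JSON)."""
    return "conf.user configure vi sandbox_extraction " + json.dumps(cfg, separators=(",", ":"))


def should_extract(cfg, protocol, filename):
    """True if a file carried by `protocol` with this name would be sent to the sandbox."""
    proto = protocol.lower()
    ext = filename.rsplit(".", 1)[1].lower() if "." in filename else ""
    if proto in cfg.get("disabled_protocols", []):
        return False                                  # disabled protocol wins
    if ext in cfg.get("disabled_file_extensions", []):
        return False                                  # disabled extension wins
    enabled_p = cfg.get("enabled_protocols", [])
    if enabled_p and proto not in enabled_p:
        return False                                  # allowlist present, not on it
    enabled_e = cfg.get("enabled_file_extensions", [])
    if enabled_e and ext not in enabled_e:
        return False
    return True


# Constructed sample: extract Windows executables and scripts over SMB/HTTP only.
SAMPLE_CONFIG = """{
  "enabled_protocols": ["smb", "http", "ftp"],
  "disabled_protocols": ["ftp"],
  "enabled_file_extensions": ["exe", "dll", ".ps1", "zip"],
  "disabled_file_extensions": ["zip"]
}"""


if __name__ == "__main__":
    cfg = load_sandbox_config(SAMPLE_CONFIG)
    print(to_cli_rule(cfg))
    for proto, name in (("SMB", "update.EXE"), ("ftp", "tool.exe"),
                        ("http", "archive.zip"), ("smb", "readme.txt")):
        print(proto, name, "->", "extract" if should_extract(cfg, proto, name) else "skip")
```

Validating the object before applying it matters because the rule is stored as opaque JSON: a mistyped attribute such as enabled_protocol would be silently ignored rather than rejected, leaving you with a different extraction policy than intended.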