Home
N2OS Configuration
The N2OS Configuration - Reference Guide.
Protocols
Configure protocols

Configure protocols

Configure iec104s encryption key


Product	Guardian
Syntax	`conf.user configure probe protocol iec104s tls private_key <ip> <location>`
Description	Add a private key associated to the device running iec104s. For more information, see Configure IEC-62351-3.
Parameters	`ip`: The IP of the device `location`: The absolute location of the key
Where	CLI
To apply	In a shell console execute: `service n2osids stop`

Set variable namespace for iec101 protocol decoder


Product	Guardian
Syntax	`conf.user configure probe protocol iec101 var_namespace <namespace>`
Description	iec101 CA size can vary across implementations, with this configuration rule the user can customize the setting for its own environment
Parameters	`size`: Namespace to be used in variable definition. It can be la or ca (default: ca)
Where	CLI
To apply	In a shell console execute: `service n2osids stop`

Set CA size for iec101 protocol decoder


Product	Guardian
Syntax	`conf.user configure probe protocol iec101 ca_size <size>`
Description	iec101 CA size can vary across implementations, with this configuration rule the user can customize the setting for its own environment
Parameters	`size`: The size in bytes of the CA. Accepted values: 1,2 (default: 1)
Where	CLI
To apply	In a shell console execute: `service n2osids stop`

Set LA size for iec101 protocol decoder


Product	Guardian
Syntax	`conf.user configure probe protocol iec101 la_size <size>`
Description	iec101 LA size can vary across implementations, with this configuration rule the user can customize the setting for its own environment
Parameters	`size`: The size in bytes of the LA. Accepted values: 1,2 (default: 1)
Where	CLI
To apply	In a shell console execute: `service n2osids stop`

Set IOA size for iec101 protocol decoder


Product	Guardian
Syntax	`conf.user configure probe protocol iec101 ioa_size <size>`
Description	iec101 IOA size can vary across implementations, with this configuration rule the user can customize the setting for its own environment
Parameters	`size`: The size in bytes of the IOA. Accepted values: 1,2,3 (default: 2)
Where	CLI
To apply	In a shell console execute: `service n2osids stop`

Set a dictionary file


Product	Guardian
Syntax	`conf.user configure probe protocol <protocol> dictionary <dictionary_file_name>`
Description	Based on the dictionary file set with this command, friendly names are associated to the extracted variables, for the specific protocol in scope.
Parameters	`protocol`: The protocol can be can-bus or mvb `dictionary_file_name`: The path for the dictionary file
Where	CLI
To apply	In a shell console execute: `service n2osids stop`

Set an arbitrary amount of bytes to skip before decoding iec101 protocol


Product	Guardian
Syntax	`conf.user configure probe protocol iec101 bytes_to_skip <amount>`
Description	Based on the hardware configuration iec101 can be prefixed with a fixed amount of bytes, with this setting Guardian can be adapted to the peculiarity of the environment.
Parameters	`amount`: The amount of bytes to skip
Where	CLI
To apply	In a shell console execute: `service n2osids stop`

Enable the Red Electrica Espanola semantic for iec102 protocol


Product	Guardian
Syntax	`conf.user configure probe protocol iec102 ree [enabled\|disabled]`
Description	There is a standard from Red Electrica Española which changes the semantic of the iec102 protocol, after enabling (choosing option enabled) this setting the iec102 protocol decoder will be compliant to the REE standard.
Where	CLI
To apply	In a shell console execute: `service n2osids stop`

Set the subnet in which the iec102 protocol will be enabled


Product	Guardian
Syntax	`conf.user configure probe protocol iec102 subnet <subnet>`
Description	The detection of iec102 can lead to false positives, this rules give the possibility to the user to enable the detection on a specific subnet
Parameters	`subnet`: A subnet in the CIDR notation
Where	CLI
To apply	In a shell console execute: `service n2osids stop`

Enable iec102 on the specified port


Product	Guardian
Syntax	`conf.user configure probe protocol iec102 port <port>`
Description	The detection of iec102 can lead to false positives, this rules give the possibility to the user to enable the detection on a specific port
Parameters	`port`: The TCP port
Where	CLI
To apply	In a shell console execute: `service n2osids stop`

Set the subnet in which the iec103 protocol will be enabled


Product	Guardian
Syntax	`conf.user configure probe protocol iec103 subnet <subnet>`
Description	The detection of iec103 can lead to false positives, this rules give the possibility to the user to enable the detection on a specific subnet
Parameters	`subnet`: A subnet in the CIDR notation
Where	CLI
To apply	In a shell console execute: `service n2osids stop`

Enable iec103 on the specified port


Product	Guardian
Syntax	`conf.user configure probe protocol iec103 port <port>`
Description	The detection of iec103 can lead to false positives, this rules give the possibility to the user to enable the detection on a specific port
Parameters	`port`: The TCP port
Where	CLI
To apply	In a shell console execute: `service n2osids stop`

Force iec101 semantics inside iec103 protocol


Product	Guardian
Syntax	`conf.user configure probe protocol iec103 force_iec101_semantics true`
Description	Forces change of semantics for iec103 protocol to use ASDUs of iec101
Where	CLI
To apply	In a shell console execute: `service n2osids stop`

Allow to recognize as iec103 very fragmented sessions


Product	Guardian
Syntax	`conf.user configure probe protocol iec103 accept_on_fragmented true`
Description	Allow to accept as iec103 those packets that are always incomplete, thus allowing situations where the protocol is heavily fragmented to be recognized.
Where	CLI
To apply	In a shell console execute: `service n2osids stop`

Enable the detection of plain text passwords in HTTP payloads


Product	Guardian
Syntax	`conf.user configure probe protocol http detect_uri_passwords [true\|false]`
Description	Guardian is able to detect if plain text passwords and login credentials are present in HTTP payloads, such as strings containing `ftp://user:password@example.com`. The feature is disabled by default. Choose `true` to enable the feature and false to disable it.
Where	CLI
To apply	In a shell console execute: `service n2osids stop`

Set the subnet in which the tg102 protocol will be enabled


Product	Guardian
Syntax	`conf.user configure probe protocol tg102 subnet <subnet>`
Description	The detection of tg102 can lead to false positives, this rules give the possibility to the user to enable the detection on a specific subnet
Parameters	`subnet`: A subnet in the CIDR notation
Where	CLI
To apply	In a shell console execute: `service n2osids stop`

Set the port range in which the tg102 protocol will be enabled


Product	Guardian
Syntax	`conf.user configure probe protocol tg102 port_range <src_port>-<dst_port>`
Description	The detection of tg102 can lead to false positives, this rules give the possibility to the user to enable the detection on a specific port range
Parameters	`src_port`: The starting port of the range `dst_port`: The ending port of the range
Where	CLI
To apply	In a shell console execute: `service n2osids stop`

Set the subnet in which the tg800 protocol will be enabled


Product	Guardian
Syntax	`conf.user configure probe protocol tg800 subnet <subnet>`
Description	The detection of tg800 can lead to false positives, this rules give the possibility to the user to enable the detection on a specific subnet
Parameters	`subnet`: A subnet in the CIDR notation
Where	CLI
To apply	In a shell console execute: `service n2osids stop`

Set the port range in which the tg800 protocol will be enabled


Product	Guardian
Syntax	`conf.user configure probe protocol tg800 port_range <src_port>-<dst_port>`
Description	The detection of tg800 can lead to false positives, this rules give the possibility to the user to enable the detection on a specific port range
Parameters	`src_port`: The starting port of the range `dst_port`: The ending port of the range
Where	CLI
To apply	In a shell console execute: `service n2osids stop`

Disable variable extraction for a Siemens S7 area and type


Product	Guardian
Syntax	`conf.user configure probe protocol s7 exclude <area> <type>`
Description	For performance reasons or to reduce noise it's possible to selectively exclude variables extraction for some areas and type.
Parameters	`area`: The area, some examples are: DB, DI, M, Q `type`: The type of the variable, some examples are: INT, REAL, BYTE
Where	CLI
To apply	In a shell console execute: `service n2osids stop`

Enable the full TLS inspection mode


Product	Guardian
Syntax	`conf.user configure probe tls-inspection enable [true\|false]`
Description	TLS inspection is normally performed only on https and iec104s traffic. Enabling (choosing the option `true`) the full inspection mode provides the following additional features: TLS traffic found on any TCP port is inspected an alert is raised when TLS-1.0 is used (when this mode is disabled, this is an https only check) an alert is raised on expired certificates an alert is raised on weak cipher suites session ID, cipher suite and certificates are extracted into the relative link events
Where	CLI
To apply	In a shell console execute: `service n2osids stop`

Enable or disable the persistence of the connections for Ethernet/IP Implicit


Product	Guardian
Syntax	`conf.user configure probe protocol ethernetip-implicit persist-connection [true\|false]`
Description	The Ethernet/IP Implicit decoder of Guardian is able to detect handshakes that are then used to decode variables. In some scenarios these handshakes are not common but it's very important to persist them so that Guardian can continue to decode variables after a reboot or an upgrade. By enabling (chosing option true) this option Guardian will store on disk the data needed to autonomously reproduce the handshake phase after a reboot.
Where	CLI
To apply	In a shell console execute: `service n2osids stop`

Enable detection of SSH banners flood


Product	Guardian
Syntax	`conf.user configure probe protocol ssh enable_banner_flood_detection [true\|false]`
Description	With this option enabled, if an SSH servers send too many banners to a client per time interval an alert is raised. By default this option is disabled.
Where	CLI
To apply	In a shell console execute: `n2os_ids_stop`

Enable or disable fragmented packets for modbus protocol


Product	Guardian
Syntax	`conf.user configure probe protocol modbus enable_full_fragmentation [true\|false]`
Description	Modbus protocol is usually not fragmented, so this option is by default disabled (option false). If fragmented modbus packets can be present in the network, then full fragmentation can be enabled (choosing option true) to avoid generation of unexpected alerts.
Where	CLI
To apply	In a shell console execute: `service n2osids stop`

Enable or disable the support for LACBUS-RTU


Product	Guardian
Syntax	`conf.user configure probe protocol modbus lacbus-rtu-protocol [true\|false]`
Description	LACBUS-RTU is a protocol that extends Modbus. By default, this protocol is not parsed by Guardian. It can be enabled using this configuration, in which case LACBUS-RTU transmissions are still tagged as 'modbus', but the function codes specific to LACBUS-RTU will be processed, and the corresponding variables extracted.
Where	CLI
To apply	In a shell console execute: `service n2osids stop`

Import the ge-egd produced data XML file for variables extraction


Product	Guardian
Syntax	`conf.user configure probe protocol ge-egd produced-data-xml <path>`
Description	The ge-egd protocol can extract process variables only after the XML file describing the produced data for the involved nodes is imported. Multiple imports are allowed as long as the XML files do not provide overlapping information for any producer node.
Parameters	`path`: The path of the produced data XML file to import
Where	CLI
To apply	In a shell console execute: `service n2osids stop`

Disable file extraction for SMB protocol


Product	Guardian
Syntax	`conf.user configure probe protocol smb file_extraction false`
Description	The SMB protocol decoder is able to extract files and analyze them for malware in a sandbox. If not needed, the user can disable such feature and improve the performance of the system especially in environments where SMB file transfer is heavily used.
Where	CLI
To apply	In a shell console execute: `service n2osids stop`

Activate the extraction of GE asset information from modbus registers


Product	Guardian
Syntax	`conf.user configure probe protocol modbus ge_asset_info_from_registers true`
Description	Some General Electric devices send asset information (product name, firmware version, serial number, label, and FPGA version) encoded in register values with the Modbus protocol. By enabling this setting, Guardian is instructed to extract this data and enrich the corresponding nodes with it. This data is also used to produce CPEs for the corresponding devices.
Where	CLI
To apply	In a shell console execute: `service n2osids stop`

Enable byte scan of traffic by unrecognized protocols in order to detect executables


Product	Guardian
Syntax	`conf.user configure probe enable-executable-extraction [true\|false]`
Description	When this option is enabled, the traffic from unrecognized protocols is scanned in order to detect the presence of executables. If an executable is found, it is extracted and sent to Sandbox for analysis. This option is enabled by default. However, when a lot of traffic is flowing through unknown protocols, disabling it can improve performance.
Where	CLI
To apply	In a shell console execute: `service n2osids stop`

Configure ARP flood


Product	Guardian
Syntax	`conf.user configure probe protocol arp flood <json_value>`
Description	A json object to configure ARP flood `enable` - Enable or disable flood detection. Possible values `true` or `false` by default is `false`. `packet_limit` - Define the number of packets per seconds (n) that trigger a flood detection (default = 1000). `packet_increase_limit` - Define the increase in the number of packets per seconds that trigger a flood detection (default = 1000). The difference between packet_limit and packet_increase_limit is that the first one checks the number of packets per second while the second checks the increase in the number of packets per second. For example if packet_limit = 3000 and packet_increase_limit = 500 if the arp packets increase by 100 each second no alert is triggered until they reach the threshold of 3000 packets per second, but if they increase in one second of 600, for example they pass from 1000 to 1600, then the flood is triggered. `packet_ratio_limit` - Define the ratio between the number of arp and total packets that trigger the flood . The flood is triggered when the ratio is greater than the specified value. In order to enable this detection method there is the need to enable also the counting of the total packets that can be done with probe packet-monitor enable true. A value of 0.1 means that the flood is triggered when the number of arp packets is 10% of the total packets. Default value is 1.0 (all packets are arp) in such a way that this threshold is disabled by default. `strict_mode` - When true all the above checks have to be verified at the same time to trigger the detection, while when strict_mode is false it is enough for a single check to trigger the flood. Possible values `true` or `false` by default is `false`. `repeat_mode` - Define how subsequent triggers are handled. Default value is `mute_for_period`. Possible values are: `repeat`: alerts are raised at each detection `mute_for_period`: after the first detection alerts are muted for a specified period `mute_until_passes` no subsequent alerts are raised until the flood passes `mute_seconds` - The meaning depends on the repeat mode (default = 300 seconds): `repeat_mode == mute_for_period` : It defines the number of seconds for which the alert is muted `repeat_mode == mute_until_passes` : It defines the number of second for which the flood has to stay undetected in order to be considered passed `conf.user configure probe protocol arp flood {"enable": true} conf.user configure probe protocol arp flood {"enable":true,"packet_limit":5} conf.user configure probe protocol arp flood {"enable":true,"packet_limit":100000,"packet_increase_limit":100000,"packet_ratio_limit":0.2} conf.user configure probe packet-monitor enable true`
Where	CLI
To apply	In a shell console execute: `service n2osids stop`

Enable or disable the counting of all the packets to be used as reference for arp flood


Product	Guardian
Syntax	`conf.user configure probe packet-monitor enable [true\|false]`
Description	When this option is enabled, all the packets are counted to be used as reference for the relative ratio limit (default = false)

Set the maximum number of subnets per MAC address that can be stored in the ARP table reconstructed from the processed traffic


Product	Guardian
Syntax	`conf.user configure arp_tables max_subnets_per_mac <size>`
Description	This setting controls the maximum number of subnets per MAC address that can be stored in the ARP table reconstructed from the processed traffic. `enable` - Enable or disable flood detection. Possible values `true` or `false` by default is `false`. `packet_limit` - Define the number of packets per seconds (n) that trigger a flood detection (default = 1000). `packet_increase_limit` - Define the increase in the number of packets per seconds that trigger a flood detection (default = 1000). The difference between packet_limit and packet_increase_limit is that the first one checks the number of packets per second while the second checks the increase in the number of packets per second. For example if packet_limit = 3000 and packet_increase_limit = 500 if the arp packets increase by 100 each second no alert is triggered until they reach the threshold of 3000 packets per second, but if they increase in one second of 600, for example they pass from 1000 to 1600, then the flood is triggered. `packet_ratio_limit` - Define the ratio between the number of arp and total packets that trigger the flood . The flood is triggered when the ratio is greater than the specified value. In order to enable this detection method there is the need to enable also the counting of the total packets that can be done with probe packet-monitor enable true. A value of 0.1 means that the flood is triggered when the number of arp packets is 10% of the total packets. Default value is 1.0 (all packets are arp) in such a way that this threshold is disabled by default. `strict_mode` - When true all the above checks have to be verified at the same time to trigger the detection, while when strict_mode is false it is enough for a single check to trigger the flood. Possible values `true` or `false` by default is `false`. `repeat_mode` - Define how subsequent triggers are handled. Default value is `mute_for_period`. Possible values are: `repeat`: alerts are raised at each detection `mute_for_period`: after the first detection alerts are muted for a specified period `mute_until_passes` no subsequent alerts are raised until the flood passes `mute_seconds` - The meaning depends on the repeat mode (default = 300 seconds): `repeat_mode == mute_for_period` : It defines the number of seconds for which the alert is muted `repeat_mode == mute_until_passes` : It defines the number of second for which the flood has to stay undetected in order to be considered passed `conf.user configure probe protocol arp flood {"enable": true} conf.user configure probe protocol arp flood {"enable":true,"packet_limit":5} conf.user configure probe protocol arp flood {"enable":true,"packet_limit":100000,"packet_increase_limit":100000,"packet_ratio_limit":0.2} conf.user configure probe packet-monitor enable true`
Where	CLI
To apply	In a shell console execute: `service n2osids stop`