Contents
- Managing the Sensor component
- Viewing the table of servers with the Sensor component
- Processing a connection request from the Sensor component
- Configuring the maximum size of a scanned file
- Configuring receipt of mirrored traffic from SPAN ports and the http-body parameter
- Selecting network protocols for receiving mirrored traffic from SPAN ports
- Configuring integration with a mail server via SMTP
- Configuring TLS encryption of connections with a mail server via SMTP
- Configuring integration with a proxy server via ICAP
- Configuring raw network traffic recording
- Configuring integration with a mail server via POP3
Managing the Sensor component
The Sensor component receives data from network traffic and mail traffic.
You can install the Sensor and Central Node components on the same server or on separate servers. The Sensor component installed on a standalone server must be connected to the server with the Central Node component. A connection request is created during component installation.
If the Sensor component is installed on the same server as the Central Node component, you can configure the Sensor component in the web interface of Kaspersky Anti Targeted Attack Platform. If the Sensor component is installed on a standalone server, in the web interface of Kaspersky Anti Targeted Attack Platform, you can only process connection requests from this component and view information about the component in the table of servers with the Sensor component. Other component settings can be edited in the administrator menu.
If you are using the distributed solution and multitenancy mode, perform the necessary actions to connect to PCN or SCN servers.
Viewing the table of servers with the Sensor component
The table of servers with the Sensor component is located in the Sensor servers section of the application web interface window.
The Certificate fingerprint field displays the fingerprint of the TLS certificate of the Central Node server.
The Server list table contains the following information:
- IP/name—IP address or domain name of the server with the Sensor component.
- Type—Type of Sensor component. Possible values:
- Central Node—The Sensor component is installed on the same server as the Central Node component.
- Remote—The Sensor component is installed on a different server or a mail sensor is used as the Sensor component.
- Certificate fingerprint—Fingerprint of the TLS certificate used to establish an encrypted connection between servers with the Sensor and Central Node components.
- KSN/KPSN—Status of the connection to the KSN/KPSN reputation databases.
- SPAN—Status of SPAN traffic processing.
- SMTP—Status of integration with a mail server via SMTP.
- ICAP—Status of integration with a proxy server via ICAP.
- POP3—Status of integration with a mail server via POP3.
- State—Status of the connection request.
Processing a connection request from the Sensor component
If you are using the distributed solution and multitenancy mode, use the web interface of the PCN or SCN server for which you want to configure parameters.
You can accept, decline, or revoke a previously accepted connection request from the Sensor component.
To process a connection request from the Sensor component:
- Select the Sensor servers section in the window of the application web interface.
The Server list table displays the already connected Sensor components, and connection requests.
- In the line containing the connection request of the Sensor component, perform one of the following actions:
- If you want to connect the Sensor component, click the Accept button.
- If you do not want to connect the Sensor component, click the Reject button.
- In the confirmation window, click Yes.
The connection request from the Sensor component will be processed.
Configuring the maximum size of a scanned file
If you are using the distributed solution and multitenancy mode, use the web interface of the PCN or SCN server for which you want to configure parameters.
To configure the maximum size of a scanned file:
- Select the Sensor servers section in the window of the application web interface.
The Server list table will be displayed.
- Select the Sensor component for which you want to configure the maximum size of a scanned file.
This opens the Sensor component settings page.
- Select the General settings section.
- If you want the application to scan files of any size, select the Unlimited check box.
- If you want to set a maximum size for files that the application will scan:
- Clear the Unlimited check box.
- In the field under the check box, enter the maximum allowed size of a file.
- In the drop-down list to the right of the field, select the unit of measurement.
- Click Apply.
The maximum size of a scanned file will be configured.
Configuring receipt of mirrored traffic from SPAN ports and the http-body parameter
If you are using the distributed solution and multitenancy mode, use the web interface of the PCN or SCN server for which you want to configure parameters.
To configure receipt of mirrored traffic from SPAN ports:
- Select the Sensor servers section in the window of the application web interface.
The Server list table will be displayed.
- Select the Sensor server for which you want to configure the receipt of mirrored traffic from SPAN ports.
This opens the Sensor server settings page.
- Select the SPAN traffic processing section.
The Network interfaces table is displayed.
- In the row of the network interface from which you want to configure the receipt of mirrored traffic, set the toggle switch in the SPAN traffic scanning column to Enabled.
- Under Dump HTTP body:
- If you want to enable the http-body parameter in the Suricata configuration file, set the toggle switch to Enabled. By default, the toggle switch is in the Enabled position.
- If you want to disable the http-body parameter in the Suricata configuration file, set the toggle switch to Disabled.
- Click Apply.
Receipt of mirrored traffic from SPAN ports and the http-body parameter are configured.
Selecting network protocols for receiving mirrored traffic from SPAN ports
Kaspersky Anti Targeted Attack Platform can receive and process mirrored traffic, and extract objects and protocol metadata. You can configure receipt of mirrored traffic from SPAN ports.
To select network protocols for receiving mirrored traffic from SPAN ports:
- Enter the management console of the Sensor server via the SSH protocol or through a terminal.
- When the system prompts you, enter the administrator user name and the password that was set during the installation of the application.
This opens the settings menu for the Sensor component. If the menu does not open, enter the kata-admin-menu command and press ENTER.
- Go to the Program settings → Configure traffic capture → Setup capture protocols section using the ↑, ↓, and ENTER keys. The selected row is highlighted in red.
This opens a window where you can enable or disable receipt of mirrored traffic from SPAN ports for the following network protocols:
- DNS
- FTP
- HTTP
- HTTP2
- SMTP
- SMB
- NFS
To analyze NFS traffic, you must mount the NFS partition and specify the version of the protocol.
Example:
for NFS v.4:
mount -t nfs -o vers=4 -O uid=1000,iocharset=utf-8 <address>:/from/dir /to/dir
for NFS v.3:
mount -t nfs -o vers=3 -O uid=1000,iocharset=utf-8 <address>:/from/dir /to/dir
If receipt of mirrored traffic from a SPAN port via a network protocol is enabled, [x] is displayed to the right of the network protocol name. If receiving mirrored traffic from a SPAN port is disabled for a particular network protocol, [ ] is displayed to the right of the name of that protocol.
By default, receipt of mirrored traffic from SPAN ports is enabled for all network protocols except HTTP2.
- If you want to enable or disable the receipt of mirrored traffic from SPAN ports for a particular network protocol, select that protocol using the ↑ and ↓ keys and press ENTER.
- Select the line containing Apply and Exit and press ENTER.
Network protocols for receiving mirrored traffic from SPAN ports are selected.
Configuring integration with a mail server via SMTP
If you are using the distributed solution and multitenancy mode, use the web interface of the PCN or SCN server for which you want to configure parameters.
To configure integration with a mail server over SMTP:
- Select the Sensor servers section in the window of the application web interface.
The Server list table will be displayed.
- Select the Sensor component for which you want to configure integration with the mail server via SMTP.
This opens the Sensor component settings page.
- Select the SMTP integration section.
- In the State field, set the toggle switch to Enabled.
- In the Destination domains field, specify the name of the mail domain or subdomain. The application will scan email messages sent to mailboxes of the specified domains.
To disable a domain or subdomain, specify it in the !domain.tld form.
If you leave the mail domain name blank, the application will receive messages sent to any email address.
- In the Clients field, specify the IP addresses of hosts and/or masks of subnets (in CIDR notation) with which the application is allowed to interact over the SMTP protocol.
To disable a host or subnet, specify the address in the !host form.
If you leave this field blank, the application will receive the following messages:
- From any email addresses if you specified email domains in the Destination domains field.
- From a mail server in the same subnet as the server with the Sensor component if no domain is indicated in the Destination domains field.
- If you want the application to receive messages of any size, in the Message size limit settings group, select the Unlimited check box.
- If you want to set a maximum allowed size of incoming messages:
- Clear the Unlimited check box.
- In the field under the check box, enter the maximum allowed size of a message.
- In the drop-down list to the right of the field, select the unit of measurement.
- Click Apply.
Integration with a mail server via SMTP will be configured. The application will scan email messages received over the SMTP protocol according to the defined settings.
If you have deployed the Central Node and Sensor components as a cluster, you can configure high availability integration with the mail server.
To configure high availability integration with the mail server:
- Configure Round Robin on the DNS server for the domain name corresponding to the Central Node cluster.
- Specify this domain name in the mail server settings.
Integration with the mail server will be configured based on the domain name. The mail server will communicate with a random server in the cluster. If this server fails, the mail server will communicate with another healthy server in the cluster.
Configuring TLS encryption of connections with a mail server via SMTP
If you are using the distributed solution and multitenancy mode, use the web interface of the PCN or SCN server for which you want to configure parameters.
To configure TLS encryption of connections with the mail server over SMTP:
- Select the Sensor servers section in the window of the application web interface.
The Server list table will be displayed.
- Select the Sensor component for which you want to configure TLS encryption of connections with the mail server over the SMTP protocol.
This opens the Sensor component settings page.
- Select the SMTP integration section.
- In the State field, set the toggle switch to Enabled if it is disabled.
- In the Client TLS security level settings group, select one of the following options:
- No TLS encryption.
The application will not employ TLS encryption of connections with a mail server.
- Allow TLS encryption for incoming messages.
The application will support TLS encryption of the connection, but encryption will not be mandatory.
- Require TLS encryption for incoming messages.
The application will receive messages only over encrypted channels.
- Click the Download TLS certificate button to save the TLS certificate of the server with the Sensor component on the computer in the browser's downloads folder.
This certificate is required for authentication on the mail server.
- In the Requesting client TLS certificate settings group, select one of the following options:
- Do not request.
The application will not verify the TLS certificate of the mail server.
- Request.
The application will request a TLS certificate from the mail server, if one is available.
- Require.
The application will receive messages only from those mail servers that have a TLS certificate.
- Click Apply.
TLS encryption of connections with the mail server over the SMTP protocol will be configured.
Configuring integration with a proxy server via ICAP
Integration with a proxy server over ICAP with feedback allows you to prevent malicious objects from entering the corporate LAN and prevent users of the host from visiting malicious or phishing websites. Kaspersky Anti Targeted Attack Platform acts as an ICAP server, and your proxy server acts as an ICAP client. The proxy server sends ICAP requests to the ICAP server. The ICAP server runs a scan and returns the result to the proxy server. If any threats are detected, a notification HTML page is displayed to the user on the host.
Enabling and disabling integration with a proxy server via ICAP
If you are using the distributed solution and multitenancy mode, use the web interface of the PCN or SCN server for which you want to configure parameters.
When a standalone proxy server is used, Kaspersky Anti Targeted Attack Platform does not provide encryption of ICAP traffic or authentication of ICAP clients by default. The application administrator must take steps to ensure a secure network connection between your proxy server and Kaspersky Anti Targeted Attack Platform by using traffic tunneling or iptables.
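As an added illustration of the iptables approach mentioned above (not part of the Kaspersky documentation or tooling), the following sketch prints a rule set that admits ICAP connections on TCP port 1344, the port in the service URLs, only from the listed proxy servers. The function names and the 192.0.2.x addresses are constructed for the example, and the rules assume they are loaded on the host that receives the ICAP traffic.

```sh
#!/bin/sh
# Added example, not Kaspersky tooling: generate an iptables allow-list for the
# unencrypted, unauthenticated ICAP service so that only known proxies reach it.

ICAP_PORT=1344   # port shown in the RESPMOD/REQMOD URLs of the Host field

# is_ipv4 ADDR: succeed only for a dotted-quad IPv4 address (four octets, 0-255).
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    v4_rest=$1
    v4_count=0
    while :; do
        v4_octet=${v4_rest%%.*}
        [ "${#v4_octet}" -le 3 ] && [ "$v4_octet" -le 255 ] || return 1
        v4_count=$((v4_count + 1))
        case $v4_rest in
            *.*) v4_rest=${v4_rest#*.} ;;
            *)   break ;;
        esac
    done
    [ "$v4_count" -eq 4 ]
}

# icap_allowlist_rules PROXY_IP...
# Prints one ACCEPT rule per proxy followed by a DROP for every other source.
# All addresses are validated first, so a typo never yields a partial rule set.
# Returns 2 (and prints nothing on stdout) on bad input.
icap_allowlist_rules() {
    if [ "$#" -eq 0 ]; then
        echo "error: at least one proxy address is required" >&2
        return 2
    fi
    for fw_ip in "$@"; do
        if ! is_ipv4 "$fw_ip"; then
            echo "error: not an IPv4 address: $fw_ip" >&2
            return 2
        fi
    done
    for fw_ip in "$@"; do
        printf 'iptables -A INPUT -p tcp -s %s --dport %s -j ACCEPT\n' "$fw_ip" "$ICAP_PORT"
    done
    # Appended last: rules are evaluated in order, so this only drops traffic
    # that no earlier rule in the INPUT chain has already accepted.
    printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$ICAP_PORT"
}

# Constructed sample: two proxy servers in the documentation address range.
icap_allowlist_rules 192.0.2.10 192.0.2.11
```

Review the printed rules against the existing INPUT chain before applying them as root. iptables covers IPv4 only, so an IPv6 listener needs matching ip6tables rules.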
To enable or disable integration with a proxy server via ICAP on a server with the Central Node and Sensor components installed:
- Select the Sensor servers section in the window of the application web interface.
The Server list table will be displayed.
- Click the localhost Sensor component.
This opens the Sensor component settings page.
- Select the ICAP integration with proxy server section.
- In the Settings > <name of the server with the Sensor component> section, in the State field, do one of the following:
- If you want to enable integration with a proxy server via ICAP, move the toggle switch to Enabled.
By default, the toggle switch is in the Disabled position.
- If you want to disable integration with a proxy server via ICAP, move the toggle switch to Disabled.
- The Host field displays the URL of the Response Modification (RESPMOD) service that processes inbound traffic; the URL has the following format:
icap://<host>:1344/av/respmod, where <host> is the IP address of the server where the Sensor component is installed.
To configure integration with Kaspersky Anti Targeted Attack Platform, copy this URL and paste it in the settings of the proxy server that your organization uses.
Integration with a proxy server via ICAP is enabled.
To enable or disable integration with a proxy server via ICAP on an individual server with the Sensor component:
- Enter the management console of the Sensor server via the SSH protocol or through a terminal.
- When the system prompts you, enter the administrator user name and the password that was set during the installation of the application.
This opens the settings menu for the Sensor component. If the menu does not open, enter the kata-admin-menu command and press ENTER.
- Go to the Program settings → Configure ICAP integration section.
To select a row, you can use the ↑, ↓, and ENTER keys. The selected row is highlighted in red.
- This opens a window; in that window, select the Enabled line and press the ENTER key.
[x] is displayed to the right of the Enabled setting.
- In the settings of your proxy server, enter the URL from the RESPMOD field.
Integration with the proxy server and an individual server with the Sensor component via ICAP is configured.
If you have deployed the Central Node and Sensor components as a cluster, you can configure high-availability integration with a proxy server.
To configure the high-availability integration with the proxy server:
- Configure Round Robin on the DNS server for the domain name corresponding to the Central Node cluster.
- Specify this domain name in the proxy server settings.
Integration with the proxy server will be configured based on the domain name. The proxy server will communicate with a random server in the cluster. If this server fails, the proxy server will communicate with another healthy server in the cluster.
Enabling or disabling real-time scanning of ICAP traffic
You can enable or disable real-time scanning of ICAP traffic if integration with a proxy server via ICAP is enabled.
If real-time scanning of ICAP traffic is enabled, Kaspersky Anti Targeted Attack Platform sends information about scanned objects to the ICAP client in real time. This helps prevent downloading malicious objects and clicking untrusted links.
To enable or disable real-time scanning of ICAP traffic on a server with the Central Node and Sensor components installed:
- Select the Sensor servers section in the window of the application web interface.
The Server list table will be displayed.
- Click the localhost Sensor component.
- Select the ICAP integration with proxy server section.
When integration is enabled in the Settings > <Sensor server name> section, the Real-time scanning section is displayed.
- Under Real-time scanning, select one of the following options:
- Disabled.
If you select this option, real-time scanning of ICAP traffic is disabled. This option is selected by default.
- Enabled, standard ICAP traffic scanning.
When this type of scan is enabled, the reputation of files and URLs is checked against the knowledge base of Kaspersky Security Network, and files are scanned by the Sandbox component and Anti-Malware Engine and YARA modules. The files remain available while they are being scanned by the Sandbox component.
- Enabled, advanced ICAP traffic scanning.
When this type of scan is enabled, the reputation of files and URLs is checked against the knowledge base of Kaspersky Security Network, and files are scanned by the Sandbox component and Anti-Malware Engine and YARA modules. The files are unavailable while they are being scanned by the Sandbox component.
- Under Extract user name:
- If you want to get the user name from the ICAP server, set the toggle switch in the State field to Enabled. If you want to use Base64 decoding, in the Header name field, select the Use Base64 decoding check box. By default, the toggle switch in the State field is set to Disabled.
- If you do not want to get the user name from the ICAP server, set the toggle switch in the State field to Disabled.
- Click Apply.
- If you enabled real-time scanning of ICAP traffic and enabled the advanced scanning mode or the standard scanning mode, the Host field displays the URL of the Request Modification (REQMOD) service that processes outbound traffic in the following format:
icap://<host>:1344/av/reqmod, where <host> is the IP address of the server where the Sensor component is installed.
To configure integration with Kaspersky Anti Targeted Attack Platform, copy this URL and paste it in the settings of the proxy server that your organization uses.
Real-time scanning of ICAP traffic is enabled or disabled.
To enable or disable real-time scanning of ICAP traffic on an individual server with the Sensor component installed:
- Enter the management console of the Sensor server via the SSH protocol or through a terminal.
- When the system prompts you, enter the administrator user name and the password that was set during the installation of the application.
This opens the settings menu for the Sensor component. If the menu does not open, enter the kata-admin-menu command and press ENTER.
- Go to the Program settings → Configure ICAP integration section.
To select a row, you can use the ↑, ↓, and ENTER keys. The selected row is highlighted in red.
- This opens a window; in that window, make sure that [x] is displayed to the right of the Enabled setting.
- Select one of the following options:
- Disable real-time scanning.
If you select this option, real-time scanning of ICAP traffic is disabled. This option is selected by default.
- Standard ICAP scanning.
When this type of scan is enabled, the reputation of files and URLs is checked against the knowledge base of Kaspersky Security Network, and files are scanned by the Anti-Malware Engine and YARA modules.
- Advanced ICAP scanning.
When this type of scan is enabled, the reputation of files and URLs is checked against the knowledge base of Kaspersky Security Network, and files are scanned by the Sandbox component and Anti-Malware Engine and YARA modules.
- Select an option and press ENTER. (O) is displayed to the right of the selected option.
To select a row, you can use the ↑ and ↓ keys. The selected row is highlighted in red.
- If you enabled real-time scanning of ICAP traffic and enabled the advanced scanning mode or the standard scanning mode, specify the URL from the REQMOD field in the settings of your proxy server.
Real-time scanning of ICAP traffic on an individual server with the Sensor component is enabled or disabled.
If you enabled real-time scanning of ICAP traffic, scanning does not work if integration with the proxy server is disabled. All ICAP traffic scanning settings are saved. When you re-enable integration with the proxy server, ICAP traffic scanning is also enabled.
Configuring real-time scanning of ICAP traffic
Real-time ICAP traffic scanning on standalone servers with the Sensor component can only be configured in Technical Support Mode. To perform actions in Technical Support Mode, we recommend contacting Technical Support.
You can configure real-time ICAP traffic scanning on a server with the Central Node and Sensor components for anti-virus scanning of data. Scan results are displayed to the user of the host on a notification HTML page.
To configure real-time ICAP traffic scanning:
- In the window of the application web interface, select the Settings section, ICAP traffic scanning subsection.
The ICAP traffic scanning settings page is displayed.
By default, under Notifications, pages corresponding to the following events are loaded:
- The page uploaded in the Link blocked field is displayed if a threat is detected at the address requested by the user.
- The page uploaded in the File blocked field is displayed if a threat is detected in a scanned file.
- The page uploaded in the Scan file field is displayed if a file scan is started. If the file is safe, the user can click a link to download the file.
- The page uploaded in the File expired field is displayed if the file was scanned, but the storage duration for that file has expired.
By default, HTML pages from the distribution kit are loaded in Kaspersky Anti Targeted Attack Platform. You can upload your own notification pages and configure how they must be displayed. The size of a notification page must not exceed 1.5 MB. If the uploaded notification page is larger than 1.5 MB, an error is displayed.
- Under File block threshold, in the Sandbox detection severity field, select a value from the drop-down list. These values correspond to the possible impact of the alert on the security of a computer or your corporate network based on the expert opinion of Kaspersky.
This setting can take one of the following values:
- High for a high-importance alert. This option is selected by default.
- Medium for a medium-importance alert.
- Low for a low-importance alert.
- Under Scan timeout, in the Timeout field, specify the time after which the link to the scanned file is unblocked and downloading the scanned file becomes possible.
The default value is 10 minutes. You can set any value greater than 1 minute.
- Click Apply.
The scan is performed with the specified settings.
Configuring the display of notification pages
While scanning ICAP traffic in real time, Kaspersky Anti Targeted Attack Platform can perform various operations with the scanned objects: block access to a URL, block a file download, prevent the file from being downloaded while it is being scanned, and offer to re-download the file if its storage duration has expired after scanning. While these operations are in progress, an HTML notification page is displayed to the user on the host on which a URL access attempt or a file download request was made. If you want to display your own pages instead of the default pages, you can upload your own customized HTML pages.
To upload a notification page:
- In the window of the application web interface, select the Settings section, ICAP traffic scanning subsection.
- In the Notifications section, click Browse next to one of the fields you need.
- This opens a window; in that window, select your HTML page.
- Click Open.
Your page is uploaded.
The notification page of the Scan file event is different from other notification pages because it includes a link to download the file. If you want to upload a Scan file notification page, you must add a scanned file download link to the source code of the notification page.
Example:
<html>
<body>
<p>The file is being scanned. When the scan is completed, you will be able to download it or you will receive a report about any detected threats.</p>
<a href="{{ download_url }}">Download link...</a>
</body>
</html>
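A pre-upload check for a custom Scan file page, added here as an example and not taken from the product: it verifies the 1.5 MB size limit and the presence of the {{ download_url }} link described above. The function name is hypothetical, and the limit is read as 1,500,000 bytes, the stricter interpretation of 1.5 MB, which is an assumption.

```sh
#!/bin/sh
# Added example, not Kaspersky tooling: check a custom "Scan file" notification
# page before uploading it in Settings > ICAP traffic scanning.

# Assumption: "1.5 MB" is read as decimal megabytes. A page that passes this
# limit also passes the looser binary reading (1.5 * 1024 * 1024 bytes).
MAX_PAGE_BYTES=1500000

# check_scan_file_page FILE
# Prints one line per problem found.
# Returns 0 if the page passes, 1 if a check fails, 2 if the file is unreadable.
check_scan_file_page() {
    nf_page=$1
    nf_status=0
    if [ ! -r "$nf_page" ]; then
        echo "cannot read: $nf_page"
        return 2
    fi

    # Size check: oversized pages are rejected with an error on upload.
    nf_size=$(wc -c < "$nf_page" | tr -d ' ')
    if [ "$nf_size" -gt "$MAX_PAGE_BYTES" ]; then
        echo "too large: $nf_size bytes (limit $MAX_PAGE_BYTES)"
        nf_status=1
    fi

    # Link check: the anchor must carry the placeholder as written in the
    # documented example. The match is per line and case-sensitive, so an
    # <a ...> tag split across lines is reported as missing.
    if ! grep -Eq '<a[^>]*href="\{\{ *download_url *\}\}"' "$nf_page"; then
        echo "no <a href=\"{{ download_url }}\"> link found"
        nf_status=1
    fi
    return "$nf_status"
}

# Constructed sample: the page from the documentation example.
nf_sample=$(mktemp)
cat > "$nf_sample" <<'EOF'
<html>
<body>
<p>The file is being scanned.</p>
<a href="{{ download_url }}">Download link...</a>
</body>
</html>
EOF
check_scan_file_page "$nf_sample" && echo "ok: page can be uploaded as the Scan file page"
rm -f "$nf_sample"
```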
Configuring raw network traffic recording
With Kaspersky Anti Targeted Attack Platform, you can save raw network traffic for investigation and detection of malicious activity within the perimeter of your corporate LAN. With raw network traffic recording, you can perform retrospective analysis of network events and investigate the actions of hackers. Raw network traffic is saved as dumps in PCAP format.
To start storing raw network traffic, you need to enable and configure raw network traffic recording.
Enabling and configuring raw network traffic recording on a server with the Sensor and Central Node components installed
If you are using the distributed solution and multitenancy mode, follow the steps on the PCN or SCN server that you want to configure.
To enable and configure raw network traffic recording on a server with the Central Node and Sensor components installed:
- Connect and configure external storage.
- Select the Sensor servers section in the window of the application web interface.
The Server list table will be displayed.
- Select the Sensor component with the name localhost.
This opens the Sensor component settings page.
- Select the SPAN traffic processing section.
The Network interfaces table is displayed.
- Go to the Traffic recording tab.
- In the Record traffic field, set the toggle switch to Enabled.
By default, the toggle switch is in the Disabled position.
Raw network traffic recording on the server with the Central Node and Sensor components installed is enabled. Raw traffic recording settings are displayed.
By default, raw network traffic is saved to the /mnt/kaspersky/nta/dumps directory. You cannot change the directory for raw network traffic recording. You can view raw network traffic dumps in the /data/volumes/dumps directory.
- If necessary, edit raw network traffic recording settings:
- Under Dump storage size, in the Maximum storage size field, specify the maximum size of raw traffic dumps to be stored in dump storage.
The minimum value is set to 100 GB by default. The maximum value is 1,000,000 TB. For correct operation of the application, the connected drive must have at least the specified amount of free disk space.
If the size of dumps in dump storage exceeds the Maximum storage size value, the earliest dumps are deleted; the total size of the deleted dumps is equal to the size of the new dumps.
If you reduce the maximum dump storage size, the earliest dumps are deleted; the total size of the deleted dumps is equal to the Maximum storage size change.
- If you want to restrict data capture in raw network traffic, under Traffic filtering upon saving, in the State field, set the toggle switch to Enabled. Traffic filtering can reduce the size of dumps in dump storage and facilitate traffic analysis.
If you have set the toggle switch in the State field to Enabled, enter the filtering rule in the BPF filtering rule field. The BPF filtering rule is written in the libpcap format. For more details about the syntax, please refer to the pcap-filter manual page.
Example of a filtering expression:
tcp port 102 or tcp port 502
- If you want to set a storage duration for raw network traffic dumps, under Dump storage duration, in the State field, set the toggle switch to Enabled. In the Store for field, enter the raw network traffic dump storage duration in days. Raw network traffic dumps that are stored longer than the specified duration are deleted from the storage.
- Click Apply.
Raw network traffic recording on the server with the Sensor and Central Node components is performed in accordance with the specified settings.
The First saved dump field displays the date and time of the first saved raw network traffic dump, and the Last saved dump field displays the date and time of the last raw network traffic dump.
Enabling and configuring raw network traffic recording on a standalone server with the Sensor component
To enable raw network traffic recording on a standalone server with the Sensor component:
- Connect and configure external storage.
- Enter the management console of the Sensor server via the SSH protocol or through a terminal.
- When the system prompts you, enter the administrator user name and the password that was set during the installation of the application.
This opens the settings menu for the Sensor component. If the menu does not open, enter the kata-admin-menu command and press Enter.
- Go to the Program settings → Configure traffic capture section.
To select a row, you can use the ↑, ↓, and Enter keys. The selected row is highlighted in red.
- This opens a window; in that window, select the Enabled traffic storage line and press Enter.
[x] is displayed to the right of the title of the line.
Raw network traffic recording on the standalone server with the Sensor component will be enabled.
- If necessary, edit raw network traffic recording settings:
- Select the Traffic storage size line and press Enter. This opens a window; in that window, specify the maximum total size of stored raw traffic dumps, in terabytes.
The minimum value is set to 100 GB by default. The maximum value is 1,000,000 TB. For correct operation of the application, the connected drive must have at least the specified amount of free disk space. If the number entered in this field exceeds the free disk space on the connected drive, an error is displayed.
- Select the OK button and press Enter.
- Select the Traffic capture BPF-filter line and press Enter. This opens a window; in that window, enter the filtering rule. The BPF filtering rule is written in the libpcap format. For more details about the syntax, please refer to the pcap-filter manual page.
Example of a filtering expression:
tcp port 102 or tcp port 502
- Select the OK button and press Enter.
- Select the Traffic storage duration (in days) line and press Enter. This opens a window; in that window, enter the storage duration for raw network traffic dumps in the storage, in days.
- Select the OK button and press Enter.
Raw network traffic recording on the standalone server with the Sensor component is performed in accordance with the specified settings.
Configuring integration with a mail server via POP3
If you are using the distributed solution and multitenancy mode, use the web interface of the PCN or SCN server for which you want to configure parameters.
To configure integration with a mail server over POP3:
- Select the Sensor servers section in the window of the application web interface.
The Server list table will be displayed.
- Select the Sensor component for which you want to configure integration with the mail server via POP3.
This opens the Sensor component settings page.
- Select the POP3 integration section.
- Set the toggle switch next to the State parameter to Enabled.
- In the Mail server field, specify the IP address of the mail server with which you want to configure integration.
- In the Port field, specify the port for connecting to the mail server.
- In the Receive every field, specify the mail server connection frequency (in seconds).
- If you want to use TLS encryption of connections with the mail server via POP3, select the Use TLS encryption check box.
- In the User name field, specify the account name used for accessing the mail server.
- In the Password field, specify the password for accessing the mail server.
The mail server must support Basic Authentication.
- In the TLS certificate drop-down list, select one of the following options:
- Accept any.
- Accept untrusted self-signed.
- Accept only trusted.
When establishing a connection with an external mail server, it is recommended to configure the acceptance of only trusted TLS certificates. If you accept untrusted TLS certificates, protection of the connection against MITM attacks cannot be guaranteed. Even though the acceptance of trusted TLS certificates also cannot guarantee protection of the connection against MITM attacks, it is the most secure of the supported methods for integration with a mail server over the POP3 protocol.
- If necessary, in the Cipher suite field, modify the OpenSSL settings used when establishing a connection with the mail server via POP3.
You can view reference information on OpenSSL by clicking the Help link.
- Click Apply.
Integration with the mail server via POP3 will be configured.
If you have deployed the Central Node and Sensor components as a cluster, you can configure high availability integration with the mail server.
To configure high availability integration with the mail server:
- Configure Round Robin on the DNS server for the domain name corresponding to the Central Node cluster.
- Specify this domain name in the mail server settings.
Integration with the mail server will be configured based on the domain name. The mail server will communicate with a random server in the cluster. If this server fails, the mail server will communicate with another healthy server in the cluster.