Configuring recording of mirrored traffic from SPAN ports
With Kaspersky Anti Targeted Attack Platform, you can save mirrored traffic from SPAN ports for investigation and detection of malicious activity within the perimeter of your corporate LAN. With mirrored traffic recording, you can perform retrospective analysis of network events and investigate the actions of hackers. Traffic is saved as dumps in PCAP format.
To save mirrored traffic from SPAN ports, enable the recording of such traffic and configure it in the web interface of the application or in the administrator menu of the Sensor component. You can also select network protocols for receiving traffic.
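The dumps the Sensor writes are in PCAP format, so the time range they cover (what the web interface later reports as the oldest and newest packet in external storage) can be recovered directly from the record headers. The following Python parser is an added example and is not code from Kaspersky Anti Targeted Attack Platform; it assumes the dumps use the classic libpcap file layout (not pcapng), and the dump it parses is constructed inline.

```python
import struct
from datetime import datetime, timedelta, timezone

# Classic libpcap magic numbers: microsecond and nanosecond timestamp resolution.
# Either may appear byte-swapped, so both byte orders are tried.
PCAP_MAGIC_USEC = 0xA1B2C3D4
PCAP_MAGIC_NSEC = 0xA1B23C4D
GLOBAL_HEADER_LEN = 24
RECORD_HEADER_LEN = 16


def parse_pcap(data: bytes):
    """Parse a classic PCAP dump.

    Returns (link_type, packets), where packets is a list of
    (timestamp_ns, packet_bytes) tuples in file order. Raises ValueError on a
    truncated or inconsistent file instead of silently returning partial data,
    which matters when a dump was cut off by a storage rollover.
    """
    if len(data) < GLOBAL_HEADER_LEN:
        raise ValueError("truncated global header")
    for endian in ("<", ">"):
        magic = struct.unpack(endian + "I", data[:4])[0]
        if magic in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
            break
    else:
        raise ValueError("not a classic PCAP file (pcapng is not handled here)")
    frac_to_ns = 1_000 if magic == PCAP_MAGIC_USEC else 1
    _major, _minor, _thiszone, _sigfigs, snaplen, link_type = struct.unpack(
        endian + "HHiIII", data[4:GLOBAL_HEADER_LEN]
    )
    packets = []
    off = GLOBAL_HEADER_LEN
    while off < len(data):
        if off + RECORD_HEADER_LEN > len(data):
            raise ValueError(f"truncated record header at offset {off}")
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(
            endian + "IIII", data[off:off + RECORD_HEADER_LEN]
        )
        off += RECORD_HEADER_LEN
        if incl_len > snaplen or incl_len > orig_len or off + incl_len > len(data):
            raise ValueError(f"corrupt record at offset {off - RECORD_HEADER_LEN}")
        packets.append((ts_sec * 1_000_000_000 + ts_frac * frac_to_ns, data[off:off + incl_len]))
        off += incl_len
    return link_type, packets


def _ns_to_datetime(ts_ns: int) -> datetime:
    # Integer arithmetic keeps microsecond precision exact; a float timestamp would not.
    sec, rem_ns = divmod(ts_ns, 1_000_000_000)
    return datetime.fromtimestamp(sec, timezone.utc) + timedelta(microseconds=rem_ns // 1_000)


def dump_time_range(data: bytes):
    """Oldest and newest packet time in a dump as aware UTC datetimes, or (None, None) if empty."""
    _link_type, packets = parse_pcap(data)
    if not packets:
        return None, None
    stamps = [ts for ts, _ in packets]
    return _ns_to_datetime(min(stamps)), _ns_to_datetime(max(stamps))


def build_sample_pcap() -> bytes:
    """Constructed sample dump: little-endian, microsecond resolution, three Ethernet frames."""
    header = struct.pack("<IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, 65535, 1)  # link type 1 = Ethernet
    frames = [
        (1_700_000_000, 250_000, b"\x00" * 60),
        (1_700_000_001, 0, b"\x11" * 74),
        (1_700_000_005, 999_999, b"\x22" * 120),
    ]
    records = b"".join(struct.pack("<IIII", s, us, len(p), len(p)) + p for s, us, p in frames)
    return header + records


if __name__ == "__main__":
    oldest, newest = dump_time_range(build_sample_pcap())
    print("oldest packet:", oldest.isoformat(), "newest packet:", newest.isoformat())
```

Run it against a real dump with `dump_time_range(open(path, "rb").read())`; a ValueError on a dump that sits at the edge of the storage window usually means the file was truncated when the oldest dumps were rotated out.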
Selecting network protocols for receiving mirrored traffic from SPAN ports
You can select network protocols for receiving mirrored traffic from SPAN ports in the Kaspersky Anti Targeted Attack Platform web interface or in the administrator menu of the Sensor component.
If you are using the distributed solution and multitenancy mode, perform the configuration actions in the web interface of the PCN or SCN server to which the Sensor component is connected.
To select network protocols for receiving mirrored traffic from SPAN ports in the administrator menu of the Sensor component:
- Enter the management console of the Sensor server via the SSH protocol or through a terminal.
- When the system prompts you, enter the administrator user name and the password that was set during the installation of the application.
This opens the settings menu for the Sensor component. If the menu does not open, enter the kata-admin-menu command and press Enter.
- Go to the Program settings → Configure traffic capture → Setup capture protocols section using the ↑, ↓, and ENTER keys. The selected row is highlighted in red.
This opens a window where you can enable or disable receipt of mirrored traffic from SPAN ports for the following network protocols:
- DNS
- FTP
- HTTP
- HTTP2
- SMTP
- SMB
- NFS
To analyze NFS traffic, you must mount the NFS partition and specify the version of the protocol.
Example:
for NFS v.4:
mount -t nfs -o vers=4 -O uid=1000,iocharset=utf-8 <address>:/from/dir /to/dir
for NFS v.3:
mount -t nfs -o vers=3 -O uid=1000,iocharset=utf-8 <address>:/from/dir /to/dir
If receipt of mirrored traffic from a SPAN port via a network protocol is enabled, [x] is displayed to the right of the network protocol name. If receiving mirrored traffic from a SPAN port is disabled for a particular network protocol, [ ] is displayed to the right of the name of that protocol.
By default, receipt of mirrored traffic from SPAN ports is enabled for all network protocols except HTTP2.
- If you want to enable or disable the receipt of mirrored traffic from SPAN ports for a particular network protocol, select it using the ↑ and ↓ keys and press ENTER.
- Select the line containing Apply and Exit and press ENTER.
Network protocols for receiving mirrored traffic from SPAN ports are selected.
Configuring the recording of mirrored traffic from SPAN ports using the web interface
If you are using the distributed solution and multitenancy mode, use the web interface of the PCN or SCN server for which you want to configure parameters.
To enable and configure the recording of mirrored traffic from SPAN ports:
- Connect and configure external storage.
- Select the Sensor servers section in the window of the application web interface.
- Click the card of the relevant Sensor component.
This opens a window with information about the component.
- Click Edit.
- Go to the External storage tab.
This tab is not displayed if an external storage is not connected.
In the External storage section, the Oldest packet field displays the date and time of the first saved dump in the external storage. The Newest packet field displays the date and time of the last dump saved to external storage.
- If you want to use the external storage, set the Record traffic toggle switch to Enabled.
By default, the toggle switch is in the Disabled position.
- In the Path for saving traffic field, specify the path to the directory in which you want the application to save traffic dumps.
- Do the following:
- Under Maximum storage size, specify the maximum size of traffic dumps that will be stored in the storage.
If new dumps would push the total size of dumps in the storage over the specified value, the earliest dumps are deleted until the new dumps fit; the total size of the deleted dumps equals the size of the new dumps.
If you reduce the maximum dump storage size, the earliest dumps are deleted until the stored dumps fit within the new value; the total size of the deleted dumps equals the amount by which the setting was reduced.
- If you want to limit the capture of data in traffic, under Traffic filtering upon capture, set the BPF filtering toggle switch to Enabled. Traffic filtering can reduce the size of dumps in dump storage and facilitate traffic analysis.
In the BPF filtering rules field, enter the filtering rule. The BPF filtering rule is written in the libpcap format. For more details about the syntax, please refer to the pcap-filter manual page.
Example of a filtering expression:
tcp port 102 or tcp port 502
- If you want to configure the traffic dump storage duration, under Storage duration, set the Enable storage duration toggle switch to Enabled. In the Storage time (days) field, enter the number of days for which you want to store traffic dumps. Traffic dumps that have been stored longer than the specified duration are deleted from the storage.
- Click Save.
The recording of mirrored traffic from SPAN ports is configured.
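Before committing to values for Maximum storage size and Storage duration, it helps to model the two rules this page describes: dumps older than the storage duration are deleted, and when the total size exceeds the limit the earliest dumps are removed until the rest fit (the same rule applies when the limit is lowered). The Python below is an added example and is not code from the product; the dump inventory it works on is constructed inline, and the throughput-based sizing estimate assumes a sustained average write rate after BPF filtering, which is not a figure from the page.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

GB = 10**9
TB = 10**12

# Reference "now" for the constructed inventory below.
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Dump:
    name: str
    size: int          # bytes on disk
    written: datetime  # UTC time the dump was closed


def plan_retention(dumps, max_size: int, storage_days: Optional[int], now: datetime):
    """Return (keep, delete) in the order the rules on this page apply them.

    1. If a storage duration is enabled, dumps older than storage_days are deleted.
    2. While the remaining dumps exceed max_size, the earliest dump is deleted.
    Lowering max_size is the same loop: the oldest dumps go until the total fits.
    """
    keep = sorted(dumps, key=lambda d: d.written)
    delete = []
    if storage_days is not None:
        cutoff = now - timedelta(days=storage_days)
        delete.extend(d for d in keep if d.written < cutoff)
        keep = [d for d in keep if d.written >= cutoff]
    total = sum(d.size for d in keep)
    while keep and total > max_size:
        oldest = keep.pop(0)
        delete.append(oldest)
        total -= oldest.size
    return keep, delete


def days_of_retention(avg_mbps: float, max_size: int) -> float:
    """Rough number of days a storage limit holds at a sustained average capture rate.

    Assumption: avg_mbps is the rate actually written to disk, i.e. after the
    BPF filter. A tighter filter on the SPAN feed stretches this number directly.
    """
    bytes_per_day = avg_mbps * 1_000_000 / 8 * 86_400
    return max_size / bytes_per_day


def sample_inventory():
    """Constructed inventory of four dumps, as a Sensor might have written them."""
    return [
        Dump("span-2024-05-01.pcap", 40 * GB, datetime(2024, 5, 1, tzinfo=timezone.utc)),
        Dump("span-2024-05-25.pcap", 60 * GB, datetime(2024, 5, 25, tzinfo=timezone.utc)),
        Dump("span-2024-05-28.pcap", 50 * GB, datetime(2024, 5, 28, tzinfo=timezone.utc)),
        Dump("span-2024-05-31.pcap", 30 * GB, datetime(2024, 5, 31, tzinfo=timezone.utc)),
    ]


if __name__ == "__main__":
    keep, delete = plan_retention(sample_inventory(), 100 * GB, 14, SAMPLE_NOW)
    print("keep:", [d.name for d in keep])
    print("delete:", [d.name for d in delete])
    print(f"1 TB at a sustained 200 Mbit/s lasts about {days_of_retention(200, TB):.2f} days")
```

With a 100 GB limit and a 14-day duration, the 1 May dump is removed by age and the 25 May dump by size; the estimate shows why a narrow BPF filter (for example only the SCADA ports in the page's sample rule) is what makes retrospective analysis over days rather than hours affordable on a busy SPAN feed.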
Configuring the recording of mirrored traffic from SPAN ports using the administrator menu of the Sensor component
To enable recording of mirrored SPAN traffic in the administrator menu of the Sensor component:
- Connect and configure external storage.
- Enter the management console of the Sensor server via the SSH protocol or through a terminal.
- When the system prompts you, enter the administrator user name and the password that was set during the installation of the application.
This opens the settings menu for the Sensor component. If the menu does not open, enter the kata-admin-menu command and press Enter.
- Go to the Program settings → Configure traffic capture section.
To select a row, you can use the ↑, ↓, and Enter keys. The selected row is highlighted in red.
- In the window that opens, select the Enabled traffic storage line and press Enter.
[x] is displayed to the right of the title of the line.
Raw network traffic recording on the standalone server with the Sensor component will be enabled.
- If necessary, edit raw network traffic recording settings:
- Select the Traffic storage size line and press Enter. This opens a window; in that window, specify the maximum total size of stored raw traffic dumps, in terabytes.
The minimum value is set to 100 GB by default. The maximum value is 1,000,000 TB. For correct operation of the application, the connected drive must have at least the specified amount of free disk space. If the number entered in this field exceeds the free disk space on the connected drive, an error is displayed.
- Select the OK button and press Enter.
- Select the Traffic capture BPF-filter line and press Enter. This opens a window; in that window, enter the filtering rule. The BPF filtering rule is written in the libpcap format. For more details about the syntax, please refer to the pcap-filter manual page.
Example of a filtering expression:
tcp port 102 or tcp port 502
- Select the OK button and press Enter.
- Select the Traffic storage duration (in days) line and press Enter. This opens a window; in that window, enter the storage duration for raw network traffic dumps in the storage, in days.
- Select the OK button and press Enter.
The recording of mirrored SPAN traffic is configured in the administrator menu of the Sensor component.