Using the Sensor Overview

The System | Collection | Sensors page provides a list of all known sensors that are connected to the Stellar Cyber Data Processor.

When a sensor is installed, it is configured with the IP address of the Data Processor. When the sensor comes up, it connects to the Data Processor and appears in the Sensor table automatically.

The Sensor table provides the following functions:

  • List the known sensors with basic information such as host name, sensor ID, IP address, and software version
  • View information such as operational status, authorization, and traffic counters
  • Manage authorization and other attributes
  • Configure sensors with the use of Sensor Profiles
  • Remote upgrade of sensors
  • Remove a sensor from the system
  • Launch the CLI for sensors.
  • Apply CA certificates to sensors.
  • Download sensor logs for troubleshooting

Sensor Overview List

When the Sensor Overview page appears, it shows a table of known sensors. The table is scrollable and provides standard table functionality. In addition, you can click the Sensor Name for any listed sensor to drill to its Sensor Details page, with detailed performance metrics and configuration information.

Data Sensor List

Each sensor is listed in the table with its own row. The columns include:

  • [ ] Check box to select sensors to Upgrade, open CLI Access, or Manage. Buttons for these features appear above the table appear when one or more sensors are selected.

  • Name—The host name where the sensor is located. This value may not be unique within the system since it depends on the configuration done on the system where the sensor runs. Click the name to see sensor details.

  • Sensor Status—The current status of the sensor is indicated with a color-coded LED. Refer to About the Sensor Status LEDs for details on the different conditions each of the sensor status LEDs can indicate.

  • Messages — Status message, if any, for the sensor.

  • Internal Sensor ID—A unique ID of the sensor, as assigned by the Data Processor.

  • Sensor ID—A unique ID of the sensor, as configured by the user.

  • Authorization—The authorization status of the sensor.

  • IP Address—The current IP address of the sensor in use. Communication from the Data Processor to the sensor will use this address.

  • Traffic Input—Total number bytes the Sensor has received. This represents the raw data received by the sensor.

  • Traffic Metadata Output—Total number of bytes sent from the Sensor to the DP. This is the amount of data sent after the raw data received has been enriched, deduplicated, and converted to Interflow.

  • License—The current license type.

  • Sensor Profile—The sensor profile that is applied to the sensor. A sensor profile contains configuration information that is shared between any number of sensors. See the Sensor Profiles page for more information.

  • Software Version—The version of software that is running.

  • Log Forwarder — Log forwarding is enabled

  • EditEdit the settings for a selected sensor. Details are below

  • DeleteDiscard the selected sensor.

  • More options - Click this  button to display a menu option to Download Debug Logs. Select this menu to download a gzip of the debug logs available for that sensor. The download is saved according to your browser settings for download files. The unpacked zip will appear similar to this example:

    You can also use this menu to recollect the latest debug logs for the sensor before downloading them.

Additional columns, not displayed by default, Closedare available.

  • APT

  • Feature

  • Feedback

  • IDS

  • Last Seen

  • Location

  • Log Forwarder

  • Malware Analyze Result

  • Mode

  • Need Upgrade

  • Note

  • OS

  • Packet Forwarding Interface

  • Platform

  • Reduction Ratio

  • SSH Tunnel

  • Tenant ID

  • Tenant Name

  • Timezone

  • Tunnel info

  • Upgrade Result

  • VM Name

See the Tables page for more information on working with Tables.

About the Sensor Status LEDs

The Sensor Status column displays color-coded LEDs indicating the health of each sensor at a glance:

  • Green – The sensor is operating normally and there are no danger or warning conditions detected.

  • Yellow – At least one warning condition is affecting the sensor.

  • Red – At least one danger condition is affecting the sensor.

Data Sensor Edit

Some of the information associated with each sensor can be edited by clicking the button at the right side of a sensor's entry in the table:

Data Sensor Edit

Most fields are read-only. The available fields include:

  • Sensor ID —The internal ID for the sensor.

  • Tenant Name—The tenant for the sensor.

    Note that if you change a sensor's tenant assignment, any CA certificates assigned to the sensor are automatically cleared without any notification in the user interface.

  • IP Address —The IP address of the sensor.

  • Host Name—The host name of the sensor. This value will be used in the first column of the sensor list described above. This field does not support multibyte characters.

  • DNS Name—The DNS Name of the sensor. This field does not support multibyte characters.

  • VM Name—The name of the VM in which the sensor is running.

  • Sensor Profile—This field is a drop-down menu of the available sensor profiles.

  • Primary Aggregator—This field is a drop-down menu of the available data aggregators.

  • Location ID—The gateway IP address. Stellar Cyber automatically detects the gateway IP address, but this lets you set it manually.

  • Timezone—The timezone in which the sensor is operating.

    You can only change the timezone for device sensors. The Timezone option is hidden for Server Sensors.

    See Timezones and Log Ingestion for information on how the sensor's timezone is used during log ingestion.

  • PKT Forwarding Interface—The VXLAN interface number.

  • Syslog TLS Enabled—Enable to ingest TLS-encrypted logs. See Ingesting Logs Via TLS for more information. In general:

    • Click the adjacent CA Certificate button to download the self-signed certificate from the sensor for installation on your log source.

    • If your log source does not support the self-signed certificate, you can apply a commercial server certificate to the sensor for TLS log ingestion by first uploading the certificate to Stellar Cyber in the Certificates page and then applying it to the sensor in this page using the Apply Certificate | Apply Certificate to Log Forwarder button.

  • AWS Mirror—Enable this to monitor traffic from a mirror port you configured on AWS. See Configuring AWS Port Mirroring for details.  

    If you enable AWS Mirror, the following additional fields appear:

    • Physical Ethernet Port—This is the index number of the physical interface the UDP traffic arrives on.

    • Port—The UDP port for the traffic.

    • VNI—This is the VXLAN ID you configured on AWS.

  • Note—Use this to keep notes about the sensor. This field does not support multibyte characters.

To make changes, edit the fields as desired and click SUBMIT to save.

Timezones and Log Ingestion

Stellar Cyber converts all log timestamps to UTC during log ingestion. Timezones are handled as follows:

  • If a log includes the timezone, Stellar Cyber preserves that time setting during the conversion to UTC.

  • If a log does not include a timezone, Stellar Cyber uses the timezone of the receiving sensor.

During installation, the timezone for sensors are automatically set to UTC+0. Since the logs for some security products may only include the local time without a timezone, Stellar Cyber recommends that you set the sensor timezone to the same timezone as your security product.

Refer to Best Practices for NTP and Timezones for more information.

Deleting a Sensor

You can click the button at the right of a sensor's entry in the table to remove it from the list. If you delete the sensor, the sensor is removed from the list, and the sensor deletes its configuration so it will not be discovered by Stellar Cyber.

Upgrading Software

Stellar Cyber has the capability to upgrade sensors remotely. To upgrade sensors:

  1. Select the Manage | Software Upgrade option. A dialog box similar to the following appears:
    Sensor Software Upgrade

  2. Select the software package and version for the upgrade from the AVAILABLE SOFTWARE list. The available upgrades depend on which ADS server the DP is connected to.

  3. Select the sensors to upgrade from the TARGET SENSORS list. Some older sensors might not be able to be upgraded remotely.

  4. Click Submit. The upgrade begins, and can take several minutes.

  5. Refresh the Sensor table to see the results. If you do not see the Upgrade Result column:

    1. Click the "hamburger" button available in any column heading.

    2. Scroll to the bottom of the list.

    3. Click on Upgrade Result. That column is immediately added to the table.

    4. Click outside of the list to close the column selection tool and return to the table.

  Note that when you upgrade a sensor from the Sensor Overview page, all configuration settings are preserved across the upgrade, including the CM IP address, aggregator addresses, tenant ID, log level settings, and DHCP server log settings.  

Using the Sensor CLI

You can select one or more sensors in the Sensor Overview table and click the >_CLI Access button to open a command line session with the corresponding sensor(s) in the Sensor CLI Access window, as illustrated in the figure below:

Note the following:

  • The available CLI commands are a subset of the full suite of CLI commands available when connected directly to a sensor. Refer to Available Commands in the Sensor CLI Access Window for a summary of the available commands.

  • You can only use the CLI Access feature with sensors that are connected and running a minimum version of 4.2.x. Sensors do not need to be authorized for CLI access.

  • You can use your browser's right-click context menu to copy text from the Sensor CLI Access window and paste it for use elsewhere. The window is scrollable, too, so you can see the output of commands that do not fit entirely in the window.

  • You can select multiple sensors before clicking the >_CLI Access button. When you use this technique, the CLI issues any command to all connected sensors and returns the results under a heading indicating each sensor's name. For example, the illustration below show the partial results of a show system command issued to three separate sensors.

Sensor CLI Access Commands

The following types of commands are available in the Sensor CLI Access window:

  • show – You use show commands to see the settings and statuses for different options on the sensor.

  • set – You use set commands to configure options on the sensor.

You can type any of the following to see the available commands of the corresponding type:

  • show ? or show help

  • set ? or set help

You can also use the ? with a specific command to see its available arguments. For example:

sds-a > set ntp ?

<NTP server> Specify NTP server name or IP address

Refer to Available Commands in the Sensor CLI Access Window for a summary of the available commands.

Applying CA Certificates to Sensors

You can select one or more sensors in the Sensor Overview table and click the Apply Certificate | Apply CA Certificate button to assign a CA certificate to them. In response, a dropdown appears listing the CA certificates you've added to Stellar Cyber in the System | Administration | Certificates page that match the selected sensor's tenant, allowing you to click the one you want to apply.

Prior to the 5.1.1 release, the button was just named Apply CA Certificate.

If you are assigning the same CA certificate to multiple sensors belonging to the same tenant, you can use the Change Columns button to add the Tenant Name column to the display, click in the column heading to sort on it, and then select all of the tenant's sensors to which you want to apply the CA certificate.

You only need to apply CA certificates to those sensors that sit behind firewalls using an SSL inspection service. Without the CA certificate from the SSL inspection service applied, the sensor cannot retrieve the necessary package for upgrading. Make sure you choose the CA certificate used by the SSL inspection service on the firewall protecting the sensor(s).

Note that it is possible that your sensors may be behind a different firewall than the DP. Make sure you assign the CA certificate from the correct firewall to the sensor(s).

DPs behind firewalls using an SSL inspection service also require a CA certificate. You assign certificates to DPs using the CA Certificate entry in the Data Processor section of the System | Administration | Settings page.

If a certificate you expect to see doesn't appear when you select the Apply CA Certificate option, make sure you uploaded it with the correct tenant assignment in the System | Administration | Certificates page.

Applying Certificates to Sensor Log Forwarders for TLS Log Ingestion

You can select one or more sensors in the Sensor Overview table and click the Apply Certificate | Apply Certificate to Log Forwarder button to use a certificate obtained from a service provider to secure communications with TLS-enabled log sources. In response, a dropdown appears listing the Server certificates you've added to Stellar Cyber in the System | Administration | Certificates page, allowing you to click the one you want to apply.

Using a Server Certificate for TLS log ingestion is an alternative to the self-signed certificate used for this purpose in previous releases and is useful in situations where a vendor's deployment does not trust the self-signed certificate provided by Stellar Cyber (for example, Palo Alto Cortex).

Certifiably Logged

The user interface does not let you apply a certificate to a log forwarder on a Server Sensor.

 In response, the selected sensor uses the selected certificate as the TLS certificate for all parser ports on the selected sensor, including those configured in the System | Collection | Log Sources page.

Removing a Certificate from a Sensor

You can also remove an applied certificate from a Sensor in the Sensor Overview table. The procedure is similar for both CA Certificates and Log Forwarder certificates.

  1. Start by adding a column to the Sensor List of the type corresponding to the type of certificate you want to remove. Click the Columns entry at the left of the table and select one or both of the following, as illustrated below:

    • Log Forwarder Certificate

    • CA Certificate

  2. Locate the sensor whose certificate you want to remove and right-click its entry in either the Log Forwarder Certificate or CA Certificate column. Then, select the Remove Certificate option from the context menu that appears, as illustrated below. Keep in mind that you must remove all associations from a certificate before you can delete it in the System | Administration | Certificates page.

Sensor Management Menu

The Manage button is located above Sensor Overview table. Clicking it displays the menu shown below. These options are all related to the management of the sensors and each option displays its own dialog box.

Sensor Management Menu"

The following sections describe the available functions.

Authorizing Sensors

After sensors are installed and communicating to the Data Processor, they must be authorized. This process associates each sensor with a valid product license.

Display the Sensor Authorization screen by selecting the Manage | Authorization option. An example is provided below.

css

Sensor Authorization

On the top of the dialog box is a radio button set that selects one of two modes:

  • Authorize—Selected sensors will be authorized by associating them with a license.
  • Unauthorize—Selected sensors will be unassociated with any license, rendering them unauthorized.

Below the mode selection, the dialog box is divided into two sections by an Add arrow button. To authorize a sensor:

  1. Click System | Collection | Sensors. The Sensor List appears.

  2. From the Manage drop-down, choose Authorization. The AUTHORIZE SENSORS screen appears. Authorize is already selected for the Sensor Bandwidth Authorization.

  3. Select the sensor to authorize in the Select Sensor and License to Authorize box.

  4. Select the license. The available licenses appear at the bottom of the box.

  5. Click the Add arrow. The sensor moves to the Selected Sensors box.

  6. In the Selected Sensors box, click the appropriate checkboxes.

  7. Click Submit.

To unauthorize a sensor:

  1. Click System | Collection | Sensors. The Sensor List appears.

  2. From the Manage drop-down, choose Authorization. The Authorize Data Sensors screen appears. Authorize is selected for the Sensor Bandwidth Authorization.

  3. Select Unauthorize for the Sensor Bandwidth Authorization. The unauthorization options appear.

  4. Select the sensors to unauthorize in the Select Sensors to Unauthorize box.

  5. Click the Add arrow. The sensor moves to the Selected Sensors box.

  6. Click Submit.

Click the Select Sensor License field to see a list of the license types available.

Sensor Assign Profile

For operation all sensors must be assigned to a profile. Except for the default Profile other profiles are created by the user. For more information see the Sensor Profiles page.

To perform profile assignment, select the Manage | Assign Profile option. A dialog box similar to the following appears.

Sensor Assign Profile

On this dialog box the following steps may be applied:

  1. Available profiles are listed in the SENSOR PROFILES list. Select one with the radio-button control.
  2. Available sensors are listed in the SENSORS list. Select the sensor(s) to which you want to apply the profile selected in the SENSOR PROFILES list by checking their boxes.
  3. Apply the selected profile to the selected sensor(s) by clicking the Submit button.

Changes in this dialog box do not take effect until the Submit button is clicked. If the X button is used to close the dialog box no changes are made.

Sensor SSH Tunnel

Sensors can be configured to use SSH Tunnels as needed. To configure tunnels, select the Manage | SSH Tunnel option. A dialog box similar to the following appears:

Sensor SSH Tunnel

The SENSORS lists shows the available sensors. Select the entry for the sensor whose SSH tunnel you want to configure and use the options at the right to configure the tunnel.

Click Submit to apply changes.

Sensor Software Upgrade

Stellar Cyber has the capability to upgrade sensors remotely. To upgrade sensors:

  1. Select the Manage | Software Upgrade option. A dialog box similar to the following appears:
    Sensor Software Upgrade

  2. Select the software package and version for the upgrade from the AVAILABLE SOFTWARE list. The available upgrades depend on which ADS server the DP is connected to.

  3. Select the sensors to upgrade from the TARGET SENSORS list. Some older sensors might not be able to be upgraded remotely.

  4. Click Submit. The upgrade begins, and can take several minutes.

  5. Refresh the Sensor table to see the results. If you do not see the Upgrade Result column:

    1. Click the Change Columns button.

    2. Scroll to the bottom of the list.

    3. Click on Upgrade Result. That column is immediately added to the table.

    4. Click outside of the list to close the column selection tool and return to the table.

  Note that when you upgrade a sensor from the Sensor Overview page, all configuration settings are preserved across the upgrade, including the CM IP address, aggregator addresses, tenant ID, log level settings, and DHCP server log settings.  

Sensor Import Security Rules

You can use the Manage | Import Security Rules option to import custom Suricata (IDS) security rules from an external file for use by sensors with the ML-IDS (Malware) feature enabled in their sensor profiles.

Use the following procedure to import custom security rules:

  1. From the Sensor table, click the Manage button and select the Import Security Rules option.

    A dialog box similar to the following appears:

    Sensor Import Security Rules

  2. Select a local file by using the Choose File button. See below for details on the rule file format.

  3. Select the sensors that will use the security rules from the SENSORS list.

  4. Click the Upload and Deploy button to apply the imported security rules to the selected sensors.

Rule File Format

The rule file must follow standard Suricata rule format, with each rule on a single line. Here is an example of a custom rule in the correct format:

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:”ET TROJAN Likely Bot Nick in IRC (USA +..)”; flow:established,to_server; flowbits:isset,is_proto_irc; content:”NICK “; pcre:”/NICK .*USA.*[0-9]{3,}/i”; reference:url,doc.emergingthreats.net/2008124; classtype:trojan-activity; sid:2008124; rev:2;)

Note the following important points for custom rules:

  • Because Stellar Cyber sensors with the ML-IDS feature enabled operate as an IDS rather than an IPS, the action for your security rules must be alert, as shown above.

  • The values for $HOME_NET and $EXTERNAL_NET are specified in the Sensor Profile:

  • Once imported, custom rules are stored in the custom_defined.rules signature set. They are enabled in the sensor profiles for all sensors to which you applied them by default and can be seen in the Sensor Profile under Signature | Selected Rules, as illustrated below.

    You can toggle your custom rules on and off using the custom_defined.rules entry shown below, as well.

    Sensor Import Security Rules

    Each time you import custom security rules to a sensor, the new rules completely overwrite any existing entries in the custom_defined.rules signature set. New rules are not appended to the existing rules.

Troubleshooting Custom Security Rules

  • You can check the Sensor's ids feedback message to see the result of an upload and deploy. For example, here is the result of a successful upload and deploy:

    Copy
    "ids": {
        "msg": "Success",
        "status": true,
        "timestamp": 1690000900,
        "datetime": "2023-07-21 21:41:40"
      },
  • You can keep track of IDS events and malware detections by using the show maltrace command from the Sensor's CLI. For example:

    Copy
    DataSensor> show maltrace
    Maltrace Event:
    Captured:                                   0
    Truncated:                                  0
    Prefiltered:                                0
    Verdict Found in Local Cache:               0
    Verdict Found in Remote Cache:              0
    Passed to Local Scan Engine:                0
    Filtered on Local Scan Engine:              0
    File Analyses Failure on Local Scan Engine: 0
    Local Scan Engine Failure:                  0
    Verdict Given by Local Scan Engine:         0
    Uploaded to Sandbox:                        0
    Failure Over Sandbox:                       0
    Sandbox Scan Succeeded:                     0
    Sandbox Timeout:                            0
    Sent Result to Central Manager:             0
     
    IDS Event:
    Received:        67
    Excluded:        0
    Sent Result:     0
    Unknown Score:   67
     
    Output buffering:
    Buffered:       67
    Outputed:       66

Rebooting Sensors Remotely

Sensors can be rebooted remotely. Select the Manage | Reboot option to reboot one or more sensors remotely. A dialog box similar to the following appears:

Sensor Reboot

Select the sensors to reboot by checking their boxes in the SENSORS list. Click the Submit button to start the reboot process on the selected sensors.

Rebooting a sensor does not reboot the host on which the sensor is installed.