Functionality description




Microolap EtherSensor consists of a set of services running on a dedicated hardware or a virtual server (the "sensor").

The sensor is connected either to the Ethernet port of an active network appliance on which traffic duplication from specific ports (mirroring of rx and tx packets) is configured, or to a network tap. Microolap Technologies' proprietary Packet Sniffer SDK technology is used to intercept traffic with zero packet loss at a 20GBps+ load.

The sensor server has several network interfaces, one of which is an administrative interface, while the others are used to accept tapped network traffic. The OS network stack on the sensor is configured only on the administrative network interface, which is also used to transmit intercepted messages to external consumers over the protocols configured in transport profiles.

The policy of the sensor is stored in its configuration files and contains rules which define the interception of IP packets, analysis of the contents of application-level intercepted messages and, depending on the result, the format, method and direction of transmission of intercepted results.

The following services run on the sensor:

Services which operate on data sources.

Service for extracting application-level messages from Ethernet traffic (EtherSensor EtherCAP, ethersensor_ethercap.exe)

The EtherSensor EtherCAP service is used for passive traffic interception on one or more Ethernet adapters and for processing traffic from PCAP files. It extracts application-level (in OSI model terms) messages from the processed traffic and transmits these messages for further processing to the EtherSensor Analyser service.

Service for extracting application-level messages from data provided by ICAP clients (EtherSensor ICAP, ethersensor_icap.exe)

Receives traffic over the ICAP protocol in the REQMOD+RESPMOD mode from any ICAP clients (Squid, Blue Coat Proxy SG, Cisco WSA, etc.). Forwards objects received from ICAP clients to the EtherSensor Analyser service for further analysis.

Service for extracting messages from Lotus Notes Transaction Log (EtherSensor LotusTXN, ethersensor_lotustxn.exe)

The EtherSensor LotusTXN service is used to monitor and reconstruct messages from the Lotus Notes system by extracting them from the Lotus Notes Transaction Log. The service extracts messages from Lotus Notes Transaction Log files and forwards these messages for further analysis to the EtherSensor Analyser service.

Service for analyzing messages extracted from Ethernet traffic (EtherSensor Analyser, ethersensor_analyser.exe)

The EtherSensor Analyser service is used to detect, analyze and filter intercepted messages and network events. The service analyses OSI model application-level protocol objects received from the EtherSensor EtherCAP, EtherSensor ICAP and EtherSensor LotusTXN services in order to detect messages and network events transmitted over the network.

When that is done, the filter engine of the service makes one of the following decisions, based on user-defined rules:

1. Stop message processing.

2. Transmit the message to the consumer system (DLP, UEBA, archive, eDiscovery system, Enterprise Search, etc.).

3. Generate an arbitrary string based on data extracted from the message (usually a syslog-string for the SIEM system).

The EtherSensor Analyser service also interacts with EtherSensor Agent instances, which mark sessions to associate them with the workstation when NAT, terminal services, etc. are used.

Traffic analysis results delivery service (EtherSensor Transfer, ethersensor_transfer.exe)

EtherSensor Transfer is a Microolap EtherSensor subsystem used to transmit interception results (either the intercepted messages themselves or the pre-configured syslog string) to various consumers over one of several supported protocols, based on pre-defined profiles.

EtherSensor Logging Service (EtherSensor Watcher, ethersensor_watcher.exe)

EtherSensor Watcher is a Microolap EtherSensor subsystem used to work with logs and monitor the current state of Microolap EtherSensor.

The Microolap EtherSensor update service (EtherSensor Updater, ethersensor_updater.exe)

The EtherSensor Updater service is used to download and install Microolap EtherSensor updates and license files whenever new versions and/or patches are released.

You can use EtherSensor Configuration Editor (ethersensor_console.exe) from the Microolap EtherSensor installation directory to view sensor statistics.

You can also use EtherSensor Configuration Editor to manage sensor policy or edit sensor service configuration files in the [INSTALLDIR]\config directory.