Event and object analysis

The EtherSensor Analyser service is used to detect, filter and analyse objects extracted from traffic.

The service analyses OSI application-layer protocol objects received from the EtherSensor EtherCAP, EtherSensor ICAP and EtherSensor LotusTXN services, detects the messages sent by network users and attributes them to particular Internet services. The following parameters of each message extracted from the traffic are checked:

Network addresses of communication parties.

Domain addresses of communication parties.

E-mail addresses (from, to, cc, bcc).

IDs of instant messenger users (ICQ, MRA, MSN, IRC, XMPP).

IDs of social network users.

Text field contents of messages (subject, body).

Names of transmitted attachments.

Message sizes.

The service's filtering mechanism takes one of the following decisions for each message, based on the configured filter-rule logic:

1. Stop message processing.

2. Transmit the message to the consumer system (DLP, UEBA, archive, eDiscovery system, Enterprise Search, etc.).

3. Generate an arbitrary string based on data extracted from the message (usually a syslog string for a SIEM system).

General principles of EtherSensor Analyser service operation:

Figure 42. Principles of the EtherSensor Analyser service operation.

The filtering mechanism is configured in a separate configuration file that describes the processing logic for recognised messages. Message processing is built on chains of rules, which are in turn combined into tables.

A message is checked against the rules of a chain in order; a rule that matches the message may modify its contents, its metadata or its further processing. The concept is similar to the filter rules of the iptables utility on Linux.

General diagram of message processing by the filtering mechanism:

Figure 43. The diagram of message processing by the EtherSensor Analyser service.
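The following Python script is an added illustration of the two ideas above: the three possible decisions (stop, deliver to a consumer, generate a syslog-style string) and iptables-like chains of rules grouped into a table. It is not EtherSensor code and the page does not show the real configuration syntax, so the Rule, FilterTable and Message classes, the action names STOP, DELIVER, LOG and JUMP, the 10.0.0.0/8 "internal" range and the sample messages are all assumptions made for this example.

```python
"""Toy rule-chain filter modelled on the EtherSensor Analyser description above.

Added illustration, not EtherSensor code: the real configuration file syntax
is not shown on the page, so the classes, action names and sample messages
below are assumptions made for this example.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class Message:
    """The per-message parameters the page says the Analyser checks."""
    src_ip: str
    dst_ip: str
    domain: str
    mail_from: str
    mail_to: list
    subject: str
    body: str
    attachments: list
    size: int
    service: str = ""                          # Internet service the message was attributed to
    tags: dict = field(default_factory=dict)   # metadata that a matching rule may modify


# STOP, DELIVER and LOG correspond to the three decisions listed on the page;
# JUMP is a non-terminal action that continues in another chain (iptables style).
STOP, DELIVER, LOG, JUMP = "STOP", "DELIVER", "LOG", "JUMP"


@dataclass
class Rule:
    match: Callable[[Message], bool]
    action: str
    target: str = ""          # DELIVER: consumer name; JUMP: chain name; LOG: format template
    modify: Optional[Callable[[Message], None]] = None   # optional metadata change on match


class FilterTable:
    """A table is a set of named chains; processing starts at the entry chain."""

    def __init__(self, chains: dict, entry: str = "input"):
        self.chains, self.entry = chains, entry

    def process(self, msg: Message):
        logs = []                                   # syslog-style strings produced by LOG rules
        decision = self._run_chain(self.entry, msg, logs, 0)
        return (decision or (STOP, None)), logs     # entry chain exhausted: default is STOP

    def _run_chain(self, name, msg, logs, depth):
        if depth > 16:                              # guard against JUMP loops in a bad table
            raise RuntimeError("chain recursion limit exceeded in " + name)
        for rule in self.chains[name]:
            if not rule.match(msg):
                continue
            if rule.modify:
                rule.modify(msg)
            if rule.action == LOG:                  # non-terminal: emit the string and keep going
                logs.append(rule.target.format(m=msg))
            elif rule.action == JUMP:               # run the sub-chain; fall-through returns here
                result = self._run_chain(rule.target, msg, logs, depth + 1)
                if result is not None:
                    return result
            else:                                   # STOP or DELIVER ends processing
                return (rule.action, rule.target or None)
        return None                                 # chain exhausted: return to the caller


INTERNAL = ipaddress.ip_network("10.0.0.0/8")       # assumed corporate address range


def from_internal(m): return ipaddress.ip_address(m.src_ip) in INTERNAL
def is_webmail(m):    return m.service == "webmail"
def is_oversize(m):   return m.size > 5_000_000
def has_office_docs(m):
    return any(a.lower().endswith((".docx", ".xlsx", ".pptx")) for a in m.attachments)
def tag_office(m):    m.tags["attachments"] = "office"


TABLE = FilterTable({
    "input": [
        Rule(lambda m: not from_internal(m), STOP),      # ignore traffic not sent by our users
        Rule(is_webmail, JUMP, "webmail"),               # webmail gets its own chain
        Rule(lambda m: True, DELIVER, "archive"),        # everything else goes to the archive
    ],
    "webmail": [
        Rule(has_office_docs, LOG,
             "ethersensor_analyser: src={m.src_ip} from={m.mail_from} "
             "service={m.service} subject={m.subject!r} attachments={m.attachments}",
             modify=tag_office),
        Rule(is_oversize, STOP),                         # too large: drop without delivering
        Rule(has_office_docs, DELIVER, "dlp"),           # office documents go to the DLP system
        # anything else falls through and processing returns to the "input" chain
    ],
})


def _msg(src, service, subject, attachments, size):
    return Message(src, "198.51.100.7", "mail.example.net", "alice@corp.example",
                   ["bob@example.net"], subject, "(body)", attachments, size, service)


SAMPLES = {   # constructed sample messages, not captured traffic
    "office_doc":    _msg("10.1.2.3",    "webmail", "Q3 forecast", ["q3_forecast.xlsx"], 120_000),
    "external":      _msg("203.0.113.5", "webmail", "hello",       [],                   1_000),
    "social":        _msg("10.1.2.4",    "social",  "lunch?",      [],                   300),
    "oversize":      _msg("10.1.2.5",    "webmail", "video",       ["clip.mp4"],         9_000_000),
    "plain_webmail": _msg("10.1.2.6",    "webmail", "ping",        [],                   500),
}


def run_samples():
    """Process every sample and return {name: (decision, consumer, logs)}."""
    out = {}
    for name, msg in SAMPLES.items():
        (decision, target), logs = TABLE.process(msg)
        out[name] = (decision, target, logs)
    return out


if __name__ == "__main__":
    for name, (decision, target, logs) in run_samples().items():
        print(f"{name:14} -> {decision} {target or ''} {logs}")
```

The "plain_webmail" sample shows the iptables-like return semantics: the webmail chain matches nothing terminal, so processing resumes in the "input" chain and the message ends up at the archive consumer, while the LOG rule in the webmail chain both emits a syslog string and tags the message before a later rule decides its fate.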

Command line parameters

The EtherSensor Analyser Windows service is configured to start automatically when Microolap EtherSensor is installed. You can also start the ethersensor_analyser.exe process manually with one of the following command line parameters:

/process

Starts ethersensor_analyser.exe as an ordinary Win32 process rather than as a service (useful for debugging).

/service

Starts as a Windows service.

/config

Saves the default service configuration.