Setting up the Configurator

In addition to editing the EtherSensor Analyser configuration file directly, you can configure the service in the graphical interface of the Microolap EtherSensor console utility (ethersensor_console.exe, supplied with the software).

Disk quotas for the storage of intercepted objects

Intercepted objects may be saved by the EtherSensor Analyser service to the file system for further analysis. The form in the left window of the configurator (ethersensor_console.exe) is used to set disk quotas for the storage of such objects and to choose which categories of objects are written to disk:

Figure 44. EtherSensor Analyser service settings.

Disk quotas are active

Enables or disables quota enforcement. If set to No, the service assumes unlimited disk space is available.

Initial parse error

Logging of pre-parsing errors for extracted objects: the TCP session was reconstructed successfully, but an error occurred while the object was being parsed, usually because of a protocol violation (for example, a browser add-on terminates lines in a POST request with a 00 byte instead of 0D0A). The objects are saved to the [INSTALLDIR]\data\results\errors\preparse directory.

RAW-filter rejected data

Logging of data rejected by the RAW filter. This is used to debug or test the logic of the RAW filter. The objects are saved to the [INSTALLDIR]\data\results\errors\rawfiltered directory.

RAW-filter runtime error

Logging of RAW filter runtime errors. The objects are saved to the [INSTALLDIR]\data\results\errors\rawfilter directory.

Final parsing error

Logging of final parsing errors for extracted objects: the TCP session was reconstructed successfully, but an error occurred while the object was being parsed, usually because of a protocol violation of the same kind as above (for example, a 00 byte used as the line terminator in a POST request instead of 0D0A). The objects are saved to the [INSTALLDIR]\data\results\errors\parse directory.

Unknown message format

Logging of objects whose format the system does not recognize: the TCP session data were reconstructed successfully, but the current version has no detector for this message type. The objects are saved to the [INSTALLDIR]\data\results\unknown directory.

Successfully recognized messages

Logging of successfully recognized objects: the TCP session data were reconstructed successfully, the message was recognized and passed to the EtherSensor Transfer service for delivery to the consumer system. The objects are saved to the [INSTALLDIR]\data\results\detect\ok directory.

Unknown message data

Logging of objects that were recognized but contain unknown data: the TCP session was reconstructed successfully and the detector for this message type was triggered, but it was unable to extract all the data, most likely because the message format has changed. The objects are saved to the [INSTALLDIR]\data\results\detect\unknown directory.

Message detection errors

Logging of message detection errors. The objects are saved to the [INSTALLDIR]\data\results\errors\detect directory.

The data contain no useful information

Logging of objects that were successfully recognized but contain no data useful for further processing. The objects are saved to the [INSTALLDIR]\data\results\detect\noobjects directory.

Data not subject to further processing

Logging of data that carry no useful information to begin with, because they are service data exchanged between the user and the Internet service (session housekeeping rather than message content). Such data are not intended for further processing. The objects are saved to the [INSTALLDIR]\data\results\detect\filtered directory.

Message filter runtime error

Logging of message filtering errors. The objects are saved to the [INSTALLDIR]\data\results\errors\msgfilter directory.
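The categories above each map to a fixed directory under [INSTALLDIR]\data\results, so the quickest way to see what is consuming the quota, and whether the traffic has drifted away from what the detectors understand, is to measure those directories. The script below is an added example and is not part of EtherSensor or its console utility; it assumes only the directory layout documented on this page, and the category labels, the drift threshold and the sample tree it builds for itself are the example's own constructions.

```python
"""Triage the EtherSensor Analyser results tree by logging category.

Added example, not EtherSensor code. It relies only on the directory layout
under [INSTALLDIR]\\data\\results as documented on this page; the category
labels, thresholds and sample files are this example's own assumptions.
"""
import tempfile
from pathlib import Path

# Category -> directory relative to [INSTALLDIR]\data\results, as documented on this page.
CATEGORIES = {
    "Initial parse error": "errors/preparse",
    "RAW-filter rejected data": "errors/rawfiltered",
    "RAW-filter runtime error": "errors/rawfilter",
    "Final parsing error": "errors/parse",
    "Unknown message format": "unknown",
    "Successfully recognized messages": "detect/ok",
    "Unknown message data": "detect/unknown",
    "Message detection errors": "errors/detect",
    "No useful information": "detect/noobjects",
    "Not subject to further processing": "detect/filtered",
    "Message filter runtime error": "errors/msgfilter",
}


def scan_results(results_root):
    """Return {category: (file_count, total_bytes)} for every documented directory.

    Directories that do not exist (category switched off, or nothing logged yet)
    are reported as (0, 0) rather than skipped, so the report always has the same shape.
    """
    root = Path(results_root)
    report = {}
    for name, rel in CATEGORIES.items():
        directory = root.joinpath(*rel.split("/"))
        count = size = 0
        if directory.is_dir():
            for path in directory.rglob("*"):
                if path.is_file():
                    count += 1
                    size += path.stat().st_size
        report[name] = (count, size)
    return report


def quota_headroom(report, quota_bytes):
    """Bytes left under the configured quota, negative if it is already exceeded."""
    used = sum(size for _, size in report.values())
    return quota_bytes - used


def flag_drift(report, min_total=50, unknown_share=0.10):
    """Return the share of recognized objects the detector could not fully parse,
    or None if it is below `unknown_share` or the sample is too small.

    detect/unknown growing relative to detect/ok is the page's own signal that a
    service changed its message format: the fix is a detector update, not more disk.
    """
    ok = report["Successfully recognized messages"][0]
    unknown = report["Unknown message data"][0]
    total = ok + unknown
    if total < min_total:
        return None
    share = unknown / total
    return share if share >= unknown_share else None


def build_sample_tree():
    """Constructed sample results tree (not real captures): a few 512-byte placeholder objects."""
    root = Path(tempfile.mkdtemp(prefix="ethersensor_results_"))
    sample = {"detect/ok": 8, "detect/unknown": 2, "errors/preparse": 1, "unknown": 3}
    for rel, n in sample.items():
        directory = root.joinpath(*rel.split("/"))
        directory.mkdir(parents=True)
        for i in range(n):
            (directory / f"object_{i}.bin").write_bytes(b"\x00" * 512)
    return root


if __name__ == "__main__":
    rep = scan_results(build_sample_tree())
    for category, (count, size) in rep.items():
        print(f"{category:36s} {count:6d} objects {size:10d} bytes")
    print("headroom under a 10 kB quota:", quota_headroom(rep, 10_000))
    print("unknown-data share:", flag_drift(rep, min_total=5))
```

Point `scan_results` at the real [INSTALLDIR]\data\results directory on a sensor to get the same table for live data; the `min_total` guard keeps a handful of objects from being read as a trend.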

Prefiltering of HTTP objects

Filtering of intercepted HTTP queries can be configured in the HTTP objects filters configurator window:

Figure 45. HTTP object filtering management.

Prefiltering of HTTP objects is mainly used to reduce the load on the sensor. This feature is described in more detail in the "Prefiltering of HTTP queries" section.

Filtering of reconstructed messages

Filtering of intercepted messages can be configured in the Messages filters configurator window. Filter rules for intercepted objects are stored in XML files in the [INSTALLDIR]\data\statistics\YYYY-MM-DD\filters directory.

Figure 46. Message filtering management.

Filters are edited in the right window; the currently active filter can be edited as well. For the EtherSensor Analyser service to start using a modified filter, you must make that filter active and then restart the service; edits to the active filter do not take effect on a running service.

Creating filters is described in more detail in the "Messages filtering" section.

DNS

Filter rules often need to refer to domain names, whereas the attributes of intercepted objects contain only IP addresses.

To resolve names during filtering in real time (which also has to cope with IP addresses being assigned dynamically by DHCP and therefore changing over time), define and configure the available DNS servers in the DNS section.

Figure 47. DNS configuration.

To add, delete or edit DNS server properties, or to change the order in which the servers are used, click the button to the right of the "The list of addresses ..." field:

Figure 48. Detailed DNS configuration.

DNSBL

You may also need to categorize messages during filtering. For this purpose Microolap EtherSensor supports DNSBL servers, which are used to detect spam messages in the SMTP stream. DNSBL servers are configured in the same way as DNS servers.
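The two sections above describe the same underlying need: a rule written in terms of a domain name has to be evaluated against an IP address, and a sender IP has to be looked up in a blocklist, both at filtering time. The code below is an added example and is not EtherSensor's own DNS or DNSBL implementation (that is configured through the console and not exposed as an API). It shows the two lookups with a resolver that can be swapped for an offline table: a TTL-bounded cache for domain rules, so that a DHCP-driven address change is picked up instead of silently breaking the match, and the standard DNSBL query form (reversed address labels under the list's zone, answer in 127.0.0.0/8 meaning "listed"). The zone name dnsbl.example and the resolver signature are this example's assumptions.

```python
"""Domain names in filter rules, and DNSBL categorisation, with an injectable resolver.

Added example, not EtherSensor code. The resolver signature (name -> set of IP
strings), the cache policy and the zone 'dnsbl.example' are this example's assumptions.
"""
import ipaddress
import socket
import time


def system_resolver(name):
    """Resolve `name` to a set of IP address strings with the configured system resolver."""
    try:
        infos = socket.getaddrinfo(name, None)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


class DomainRule:
    """A filter term of the form 'host == example.com', checked against an IP address
    taken from an intercepted object.

    Resolution results are cached for `ttl` seconds only: a permanent cache would keep
    matching an address after its DHCP lease moved to another host, and a cache that never
    refreshed would stop matching the domain's real address.
    """

    def __init__(self, domain, resolver=system_resolver, ttl=300):
        self.domain = domain.strip().rstrip(".").lower()
        self.resolver = resolver
        self.ttl = ttl
        self._cache = None  # (expires_at, frozenset of IP strings)

    def addresses(self, now=None):
        """Current address set for the rule's domain, re-resolved once the TTL has expired."""
        now = time.monotonic() if now is None else now
        if self._cache is None or now >= self._cache[0]:
            self._cache = (now + self.ttl, frozenset(self.resolver(self.domain)))
        return self._cache[1]

    def matches(self, ip, now=None):
        """True if `ip` is one of the domain's addresses as of `now`."""
        return str(ipaddress.ip_address(ip)) in self.addresses(now)


def dnsbl_query_name(ip, zone):
    """Build the DNSBL lookup name: reversed IPv4 octets (or reversed IPv6 nibbles) under `zone`."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(str(addr).split("."))
    else:
        labels = reversed(addr.exploded.replace(":", ""))  # 32 hex nibbles, one label each
    return ".".join(labels) + "." + zone.strip().rstrip(".")


def dnsbl_listed(ip, zone, resolver=system_resolver):
    """Return the sorted 127.0.0.0/8 answers if `ip` is listed in `zone`, else an empty list.

    DNSBLs answer with an address in 127.0.0.0/8 for a listed IP (the last octet often encodes
    the reason); no answer means not listed. Anything outside 127/8 is ignored so that a
    wildcard or hijacked resolver cannot turn every sender into "spam".
    """
    answers = resolver(dnsbl_query_name(ip, zone))
    loopback = ipaddress.ip_network("127.0.0.0/8")
    return sorted(a for a in answers if ipaddress.ip_address(a) in loopback)


if __name__ == "__main__":
    # Constructed offline lookup table instead of live DNS.
    table = {"mail.example": {"192.0.2.10"}, "1.2.0.192.dnsbl.example": {"127.0.0.2"}}
    offline = lambda name: set(table.get(name, set()))
    rule = DomainRule("mail.example", resolver=offline, ttl=60)
    print("192.0.2.10 matches mail.example:", rule.matches("192.0.2.10", now=0))
    print("DNSBL name for 192.0.2.1:", dnsbl_query_name("192.0.2.1", "dnsbl.example"))
    print("192.0.2.1 listed:", dnsbl_listed("192.0.2.1", "dnsbl.example", resolver=offline))
```

With the default `system_resolver` the same code queries whatever DNS servers the host is configured with; in EtherSensor itself, the servers entered in the DNS section play that role.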

Anonymizers

The current version of Microolap EtherSensor (5.1.0.13519) supports monitoring the use of anonymizer service domains. You can create the list of such domains by adding each domain in a separate line or specifying a comma-separated list of domains in one line.
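Because the list accepts both one domain per line and comma-separated domains on a line, anything that consumes such a list has to normalise it before matching, and the match itself has to be a label-boundary suffix match rather than a substring test. The functions below are an added example, not EtherSensor's own list handling; the sample list is constructed.

```python
"""Parse an anonymizer domain list in both forms this page accepts and match hostnames against it.

Added example, not EtherSensor code. The sample list in __main__ is constructed.
"""


def parse_domain_list(text):
    """Accept one domain per line and/or comma-separated domains on a line.

    Entries are lower-cased, stripped of surrounding whitespace and a trailing dot,
    blanks are dropped and duplicates removed while keeping the first occurrence's order.
    """
    domains = []
    for line in text.splitlines():
        for item in line.split(","):
            domain = item.strip().lower().rstrip(".")
            if domain and domain not in domains:
                domains.append(domain)
    return domains


def host_matches(host, domains):
    """True if `host` is a listed domain or a subdomain of one.

    The comparison is anchored on a label boundary: 'notproxy.example' must not match
    'proxy.example', which a plain substring or endswith() test would get wrong.
    """
    h = host.strip().lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in domains)


if __name__ == "__main__":
    constructed_list = "Proxy.Example, vpn.example\n\nproxy.example.\ntunnel.example\n"
    listed = parse_domain_list(constructed_list)
    print(listed)
    for candidate in ("www.proxy.example", "notproxy.example", "TUNNEL.EXAMPLE."):
        print(candidate, "->", host_matches(candidate, listed))
```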

Figure 49. Setting up the list of anonymizer domains.

Microolap EtherSensor and EtherSensor Agent

The EtherSensor Agent service binds TCP connections opened by local processes on user workstations, including terminal servers, to the current names and IP addresses of those workstations, so that intercepted traffic can be attributed even when addresses are assigned dynamically.

Figure 50. Setting up the interaction between Microolap EtherSensor and EtherSensor Agent.