Manual configuration (configuration file)


The EtherSensor Analyser service configuration is stored in the analyser.xml and quotas.xml files in the common configuration directory, Microolap EtherSensor [INSTALLDIR]\config.

An example of the analyser.xml configuration file:

<?xml version="1.0" encoding="utf-8"?>
<AnalyserConfig version="4.5">
 <MaxFileSizeInMemory>10485760</MaxFileSizeInMemory>
 <AgentsServer enabled="false">
   <UdpPort>44444</UdpPort>
   <SessionTimeOut>10</SessionTimeOut>
 </AgentsServer>
 <RawFilter enabled="false" filename="" />
 
 <MessageFilter enabled="false" filename="">
   <Dns>
     <AttemptsCount>3</AttemptsCount>
     <TtlForUnknown>3600</TtlForUnknown>
     <MinTtl>300</MinTtl>
     <MaxTtl>604800</MaxTtl>
     <Server ipaddress="208.67.220.220" port="53" />
   </Dns>
 
   <DnsBl>
     <AttemptsCount>3</AttemptsCount>
     <TtlForUnknown>3600</TtlForUnknown>
     <MinTtl>300</MinTtl>
     <MaxTtl>604800</MaxTtl>
     <Server ipaddress="208.67.222.222" port="53" />
   </DnsBl>
 </MessageFilter>
 
 <Anonymous>
   <Host />
 </Anonymous>
</AnalyserConfig>

AnalyserConfig tag

The root tag of the service configuration. Its version attribute specifies the configuration version.

MaxFileSizeInMemory tag

The MaxFileSizeInMemory tag is nested within the AnalyserConfig tag and specifies, in bytes, the size threshold of the cache kept in OS memory. Cache objects are OSI application-level protocol objects received from the EtherSensor EtherCAP and EtherSensor ICAP services; the service analyzes these objects to detect the messages exchanged by network participants. Use this parameter to minimize the load on the file system: every cached object smaller than this value is processed entirely in memory, without touching the file system.

AgentsServer tag

The AgentsServer tag is nested within the AnalyserConfig tag and specifies the settings of the Microolap EtherSensor server communicating with the EtherSensor Agent instances.
EtherSensor Agent delivers information about the connections created by network users. The Microolap EtherSensor server uses this information to identify the user when an intercepted message is processed.

UdpPort tag

The UdpPort tag is nested within the AgentsServer tag and specifies the number of the UDP port on which the Microolap EtherSensor server listens for EtherSensor Agent data.

SessionTimeOut tag

The SessionTimeOut tag is nested within the AgentsServer tag and specifies the idle time of a tracked connection. After this period the connection is removed from the cache of tracked connections. The value is specified in minutes and must be in the range 1 to 59.

RawFilter tag

The RawFilter tag is nested within the AnalyserConfig tag and describes the HTTP request filter settings. The enabled attribute specifies whether the HTTP request filter is used; if set to false, the HTTP request filter is not applied during message processing. The filename attribute specifies the name of the filter settings file to use. The filter configuration is stored in an .xml file located in the Microolap EtherSensor [INSTALLDIR]\config\filter\http configuration directory.

MessageFilter tag

The MessageFilter tag is nested within the AnalyserConfig tag and describes the message filter settings. The enabled attribute specifies whether the message filter is used; if set to false, the message filter is not applied during message processing. The filename attribute specifies the name of the filter settings file to use. The filter configuration is stored in an .xml file located in the Microolap EtherSensor [INSTALLDIR]\config\filter configuration directory.

Dns tag

The Dns tag is nested within the Filter tag and configures the DNS module that the filtering mechanism uses to resolve the DNS names of network communication participants.

Example of the DNS module configuration:

<Dns>
 <AttemptsCount>3</AttemptsCount>
 <TtlForUnknown>3600</TtlForUnknown>
 <MinTtl>300</MinTtl>
 <MaxTtl>604800</MaxTtl>
 <Server ipaddress="208.67.220.220" port="53"/>
 <Server ipaddress="208.67.222.222" port="53"/>
</Dns>

DNS module properties

AttemptsCount

Specifies the number of attempts to query the DNS name of the host. Example: 3.

TtlForUnknown

Specifies how long (in seconds) an unresolved DNS name is kept in the local DNS cache when the host name could not be resolved within the specified number of attempts. Example: 3600.

MinTtl

Specifies the minimum time (in seconds) of storage of a DNS name record in the local DNS cache. Example: 300.

MaxTtl

Specifies the maximum time (in seconds) of storage of a DNS name record in the local DNS cache. Example: 604800.

Server

Specifies the DNS server address and port. Example: ipaddress="208.67.222.222" port="53".

DnsBl tag

The DnsBl tag is nested within the Filter tag and configures the DnsBl module, which the filtering mechanism uses to obtain information about network communication participants from a DNSBL (DNS blacklist) service.

Example of the DNSBL module configuration:

<DnsBl>
 <AttemptsCount>3</AttemptsCount>
 <TtlForUnknown>3600</TtlForUnknown>
 <MinTtl>300</MinTtl>
 <MaxTtl>604800</MaxTtl>
 <Server ipaddress="192.68.0.20" port="53"/>
 <Server ipaddress="192.68.0.21" port="53"/>
</DnsBl>

DNSBL module properties

AttemptsCount

Specifies the number of attempts to query the DNSBL service. Example: 3.

TtlForUnknown

Specifies how long (in seconds) an "undefined" response from the DNSBL service is kept in the local DNS cache when the DNSBL service failed to respond to the query within the specified number of attempts. Example: 3600.

MinTtl

Specifies the minimum time (in seconds) of storage of the DNSBL service response in the local DNSBL cache. Example: 300.

MaxTtl

Specifies the maximum time (in seconds) of storage of the DNSBL service response in the local DNSBL cache. Example: 604800.

Server

Specifies the address and port of the DNSBL service. Example: ipaddress="192.68.0.20" port="53".

Anonymous tag

The Anonymous tag is nested within the AnalyserConfig tag and specifies the settings of the list of anonymizer domains.

Host tag

The Host tag is nested within the Anonymous tag and contains the comma-separated list of names of tracked anonymizer server domains.

Example of the Anonymous module configuration:

<Anonymous>
 <Host>dostupest.ru</Host>
 <Host>fastbuh.ru, arendadorogo.ru, recker.ru</Host>
</Anonymous>
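The constraints above (SessionTimeOut between 1 and 59 minutes, a UDP port, integer TTLs with MinTtl not above MaxTtl, a valid ipaddress and port on every Server, comma-separated Host lists) are easy to get wrong by hand, and a broken analyser.xml means the module silently does less than intended. The following validator is an added example, not part of the EtherSensor product or its documentation. It assumes only the tags and attributes documented on this page and the stated ranges; the relationship MinTtl <= MaxTtl and the port range 1..65535 are assumptions drawn from the field names, not rules stated on the page. Sections whose enabled attribute is not "true" are skipped, because the service ignores them. The sample file is constructed and deliberately contains two faults.

```python
import xml.etree.ElementTree as ET
from ipaddress import ip_address

# Constructed sample: the page's analyser.xml with two deliberate faults,
# SessionTimeOut outside 1..59 and a DnsBl MinTtl larger than MaxTtl.
SAMPLE_ANALYSER_XML = """<?xml version="1.0" encoding="utf-8"?>
<AnalyserConfig version="4.5">
 <MaxFileSizeInMemory>10485760</MaxFileSizeInMemory>
 <AgentsServer enabled="true">
   <UdpPort>44444</UdpPort>
   <SessionTimeOut>90</SessionTimeOut>
 </AgentsServer>
 <RawFilter enabled="false" filename="" />
 <MessageFilter enabled="true" filename="">
   <Dns>
     <AttemptsCount>3</AttemptsCount>
     <TtlForUnknown>3600</TtlForUnknown>
     <MinTtl>300</MinTtl>
     <MaxTtl>604800</MaxTtl>
     <Server ipaddress="208.67.220.220" port="53" />
   </Dns>
   <DnsBl>
     <AttemptsCount>3</AttemptsCount>
     <TtlForUnknown>3600</TtlForUnknown>
     <MinTtl>700000</MinTtl>
     <MaxTtl>604800</MaxTtl>
     <Server ipaddress="192.68.0.20" port="53" />
   </DnsBl>
 </MessageFilter>
 <Anonymous>
   <Host>dostupest.ru</Host>
   <Host>fastbuh.ru, arendadorogo.ru, recker.ru</Host>
 </Anonymous>
</AnalyserConfig>
"""

def _int_child(parent, tag, findings, path):
    """Integer value of a child element, or None (with a finding) if absent or malformed."""
    node = parent.find(tag)
    text = (node.text or "").strip() if node is not None else ""
    if not text.lstrip("-").isdigit():
        findings.append(f"{path}/{tag}: missing or not an integer ({text!r})")
        return None
    return int(text)

def _check_dns_module(mod, findings):
    """Checks shared by Dns and DnsBl: integer fields, TTL ordering, Server address and port."""
    path = mod.tag
    vals = {t: _int_child(mod, t, findings, path)
            for t in ("AttemptsCount", "TtlForUnknown", "MinTtl", "MaxTtl")}
    # Assumption: a minimum cache time above the maximum is a misconfiguration.
    if None not in (vals["MinTtl"], vals["MaxTtl"]) and vals["MinTtl"] > vals["MaxTtl"]:
        findings.append(f"{path}: MinTtl {vals['MinTtl']} exceeds MaxTtl {vals['MaxTtl']}")
    servers = mod.findall("Server")
    if not servers:
        findings.append(f"{path}: no Server element configured")
    for srv in servers:
        addr, port = srv.get("ipaddress", ""), srv.get("port", "")
        try:
            ip_address(addr)
        except ValueError:
            findings.append(f"{path}/Server: ipaddress {addr!r} is not a valid IP address")
        if not (port.isdigit() and 1 <= int(port) <= 65535):
            findings.append(f"{path}/Server: port {port!r} is not in 1..65535")

def validate_analyser(xml_text):
    """Return a list of findings; an empty list means every checked constraint holds.
    Sections whose enabled attribute is not "true" are skipped, as the service ignores them."""
    findings = []
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "AnalyserConfig":
        return [f"root tag is {root.tag!r}, expected AnalyserConfig"]
    cache = _int_child(root, "MaxFileSizeInMemory", findings, root.tag)
    if cache is not None and cache < 0:
        findings.append("MaxFileSizeInMemory: negative cache size")
    agents = root.find("AgentsServer")
    if agents is not None and agents.get("enabled") == "true":
        port = _int_child(agents, "UdpPort", findings, "AgentsServer")
        if port is not None and not 1 <= port <= 65535:
            findings.append(f"AgentsServer/UdpPort {port} is not in 1..65535")
        timeout = _int_child(agents, "SessionTimeOut", findings, "AgentsServer")
        if timeout is not None and not 1 <= timeout <= 59:  # documented range, in minutes
            findings.append(f"AgentsServer/SessionTimeOut {timeout} is not in 1..59 minutes")
    mfilter = root.find("MessageFilter")
    if mfilter is not None and mfilter.get("enabled") == "true":
        for name in ("Dns", "DnsBl"):
            mod = mfilter.find(name)
            if mod is None:
                findings.append(f"MessageFilter/{name}: module missing")
            else:
                _check_dns_module(mod, findings)
    return findings

def anonymizer_hosts(xml_text):
    """Flatten the Anonymous/Host elements (each a comma-separated list) into one list of names."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    return [name.strip().lower()
            for host in root.iterfind("Anonymous/Host")
            for name in (host.text or "").split(",") if name.strip()]
```

Run `validate_analyser(open(path).read())` against the deployed file after each change; the two constructed faults in the sample are reported as findings, and flipping the enabled attributes to "false" makes the report empty, which is exactly the silent-disable behaviour worth watching for in a review.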

An example of the quotas.xml configuration file:

<?xml version="1.0" encoding="utf-8"?>
<QuotasConfig version="1.0" enabled="true">
 <NotProcessed>0</NotProcessed>
 <PreParseError>10</PreParseError>
 <RawFiltered>0</RawFiltered>
 <RawFilterError>10</RawFilterError>
 <ParseError>10</ParseError>
 <UnknownObject>10</UnknownObject>
 <DetectOk>-1</DetectOk>
 <DetectUnknown>10</DetectUnknown>
 <DetectError>10</DetectError>
 <DetectNoObjects>0</DetectNoObjects>
 <DetectFiltered>0</DetectFiltered>
 <MessageFilterError>10</MessageFilterError>
 <SendError>1000</SendError>
</QuotasConfig>

QuotasConfig tag

The root tag of the disk quota configuration. Its version attribute specifies the configuration version. The enabled attribute specifies the active status of the disk quota mechanism. If this attribute is false, disk quotas are not taken into account during message processing.

PreParseError tag

The PreParseError tag is nested within the Quotas tag and specifies the disk quota for the storage of processing results with errors related to the parsing of corresponding Internet protocol data. Data are prefiltered before the RAW filter is applied.

RawFiltered tag

The RawFiltered tag is nested within the Quotas tag and specifies the disk quota for the storage of results rejected by the RAW filter. This parameter is primarily used to debug (test) the logic of the RAW filter.

RawFilterError tag

The RawFilterError tag is nested within the Quotas tag and specifies the disk quota for the storage of objects for which an error occurred during filtering.

ParseError tag

The ParseError tag is nested within the Quotas tag and specifies the disk quota for the storage of processing results with errors related to the parsing of corresponding Internet protocol data. The TCP session data of such a result were intercepted successfully, but an error occurred during parsing, usually caused by a protocol violation. For example, a browser add-on may terminate lines in a POST request with the byte 00 instead of 0D0A.

UnknownObject tag

The UnknownObject tag is nested within the Quotas tag and specifies the disk quota for the storage of objects with unrecognized format. TCP session data have been reconstructed successfully, but there is no detector for this message type in the current version of Microolap EtherSensor (5.1.0.13519).

DetectOk tag

The DetectOk tag is nested within the Quotas tag and specifies the disk quota for the storage of successfully recognized objects. TCP session data have been intercepted successfully, the message is recognized and passed to the delivery service.

DetectUnknown tag

The DetectUnknown tag is nested within the Quotas tag and specifies the disk quota for the storage of recognized objects with unknown data. The TCP session data have been intercepted successfully and the detector for this message type has been triggered, but it is unable to extract all the data; most likely the message format has changed.

DetectError tag

The DetectError tag is nested within the Quotas tag and specifies the disk quota for the storage of objects with data which trigger message detection errors.

DetectNoObjects tag

The DetectNoObjects tag is nested within the Quotas tag and specifies the disk quota for the storage of objects which were recognized successfully but do not contain the required data for further processing.

DetectFiltered tag

The DetectFiltered tag is nested within the Quotas tag and specifies the disk quota for the storage of objects which initially carry no useful information, since these are service data transmitted during the interaction of the user with the Internet service.

MessageFilterError tag

The MessageFilterError tag is nested within the Quotas tag and specifies the disk quota for the storage of objects for which an error occurred during message filtering.

SendError tag

The SendError tag is nested within the Quotas tag and specifies the disk quota for the storage of intercepted messages for which an unexpected error occurred when an attempt was made to send them to an external consumer.
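Because quotas.xml decides which processing outcomes are kept on disk at all (and the root enabled attribute can switch the whole mechanism off), a defender will want to lint the deployed file and detect drift from a reviewed baseline. The code below is an added example, not part of the EtherSensor product or its documentation. It recognises exactly the tags shown in the page's example file; NotProcessed is in that file but is not described on the page, so it is accepted without interpretation, and since the page does not define what the values 0 and -1 mean, the loader reports values as written and attaches no meaning to them. The baseline file is the page's example, and the modified variant in the test is constructed.

```python
import xml.etree.ElementTree as ET

# Quota categories present in the page's quotas.xml example. NotProcessed appears in the
# example file but is not described on the page, so it is only recognised, not interpreted.
QUOTA_TAGS = (
    "NotProcessed", "PreParseError", "RawFiltered", "RawFilterError", "ParseError",
    "UnknownObject", "DetectOk", "DetectUnknown", "DetectError", "DetectNoObjects",
    "DetectFiltered", "MessageFilterError", "SendError",
)

# Constructed baseline: the page's example quotas.xml, as a reviewer might keep it in
# version control to detect drift of the deployed file.
BASELINE_QUOTAS_XML = """<?xml version="1.0" encoding="utf-8"?>
<QuotasConfig version="1.0" enabled="true">
 <NotProcessed>0</NotProcessed>
 <PreParseError>10</PreParseError>
 <RawFiltered>0</RawFiltered>
 <RawFilterError>10</RawFilterError>
 <ParseError>10</ParseError>
 <UnknownObject>10</UnknownObject>
 <DetectOk>-1</DetectOk>
 <DetectUnknown>10</DetectUnknown>
 <DetectError>10</DetectError>
 <DetectNoObjects>0</DetectNoObjects>
 <DetectFiltered>0</DetectFiltered>
 <MessageFilterError>10</MessageFilterError>
 <SendError>1000</SendError>
</QuotasConfig>
"""

def load_quotas(xml_text):
    """Parse quotas.xml into (enabled, {tag: int}, findings).

    Values are returned as written; the page does not define what 0 or -1 mean,
    so no meaning is attached to them here."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "QuotasConfig":
        return False, {}, [f"root tag is {root.tag!r}, expected QuotasConfig"]
    enabled = root.get("enabled", "").lower() == "true"
    quotas, findings, seen = {}, [], set()
    for child in root:
        seen.add(child.tag)
        text = (child.text or "").strip()
        if child.tag not in QUOTA_TAGS:
            findings.append(f"{child.tag}: unknown quota tag")
        elif text.lstrip("-").isdigit():
            quotas[child.tag] = int(text)
        else:
            findings.append(f"{child.tag}: {text!r} is not an integer")
    findings += [f"{tag}: missing" for tag in QUOTA_TAGS if tag not in seen]
    if not enabled and quotas:
        # The page states that with enabled="false" quotas are not taken into account.
        findings.append('enabled is not "true": the quotas in this file are ignored by the service')
    return enabled, quotas, findings

def quota_changes(baseline_xml, current_xml):
    """Differences between two quotas.xml files as {key: (baseline, current)};
    the root enabled attribute is reported under the key "enabled"."""
    base_on, base_q, _ = load_quotas(baseline_xml)
    cur_on, cur_q, _ = load_quotas(current_xml)
    changes = {}
    if base_on != cur_on:
        changes["enabled"] = (base_on, cur_on)
    for tag in sorted(set(base_q) | set(cur_q)):
        if base_q.get(tag) != cur_q.get(tag):
            changes[tag] = (base_q.get(tag), cur_q.get(tag))
    return changes
```

Pairing `quota_changes(BASELINE_QUOTAS_XML, open(deployed_path).read())` with a scheduled task gives a cheap drift alarm: a change to the enabled attribute or to a category such as DetectOk shows up as a single dictionary entry that can be logged or forwarded to the SIEM.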