Configuration

These are the general steps to configure a new Manager:

  1. Deploy the appliance and attach it to the network.

  2. Configure network settings via the console to access the Web UI.

  3. Configure installation-specific settings on the system configuration screen.

  4. License the Manager.

Network Ports

The Manager supports the following ports for inbound connections:

  • 80/TCP and 443/TCP for connecting to the Manager Web UI.

  • 22/TCP for maintenance purposes.

  • 161/UDP for SNMP monitoring.

Outgoing connections to the internet via the following ports are also supported:

  • 53/UDP for DNS.

  • 123/UDP for NTP.

However, it is strongly recommended that users configure the system to use their own DNS and NTP infrastructure where one is available.

For outgoing connections to the Spectra Intelligence database at https://appliance-api.reversinglabs.com, the destination port is 443/TCP.

The DNS name is appliance-api.reversinglabs.com and the connection supports HTTPS only.

Configuration via the Manager Web Interface

After logging in, access the Administration ‣ Spectra Detect Manager page from the main Manager menu. The page contains dialogs with options for configuring the Manager. When done updating the settings in the configuration dialogs, click Save. The appliance will be restarted and begin using the new settings.

GENERAL

Network settings

Application URL

The URL that can be used to access the Web UI of the Manager. The application URL must be configured to use the HTTPS protocol.

Allowed hosts

A list of strings, one per line, representing the host/domain names that this appliance installation can serve. Values in this list can be fully qualified names (e.g., “www.example.com”), in which case they will be matched against the request’s host header exactly (case-insensitive, not including port). A value beginning with a period can be used as a subdomain wildcard: “.example.com” will match “example.com”, “www.example.com”, and any other subdomain of “example.com”. A value of “*” will match anything. Examples: .reversinglabs.com, 89.201.174.154, 89.201.174.152
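The matching rules described above, implemented in Python as an added example so the behaviour of each pattern form can be checked against realistic Host header values. This is not the appliance's own code; the function names are mine, and the rules follow the description in this field: exact case-insensitive comparison with the port removed, a leading-dot pattern that matches the bare domain and every subdomain, and "*" matching anything.

```python
import re

# Shape of a host name (or bracketed IPv6 literal) with an optional port, e.g. "www.example.com:443".
_HOST_WITH_PORT_RE = re.compile(r"^([a-z0-9.\-]+|\[[a-f0-9]*:[a-f0-9.:]+\])(:\d+)?$")


def parse_allowed_hosts(text: str) -> list:
    """Turn the field contents (one pattern per line) into a list of lower-cased patterns."""
    return [line.strip().lower() for line in text.splitlines() if line.strip()]


def host_from_header(host_header: str):
    """Return the lower-cased host part of a Host header value with any port removed,
    or None when the value is not a well-formed host (empty, stray characters, bad IPv6)."""
    match = _HOST_WITH_PORT_RE.match(host_header.strip().lower())
    return match.group(1) if match else None


def pattern_matches(pattern: str, host: str) -> bool:
    """Apply one configured pattern to an already-normalised host."""
    if pattern == "*":
        return True
    if pattern.startswith("."):
        # ".example.com" matches the domain itself and any subdomain of it
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def host_allowed(host_header: str, allowed_hosts: list) -> bool:
    """True when the request's Host header names a host this installation serves."""
    host = host_from_header(host_header)
    if host is None:
        return False
    return any(pattern_matches(pattern, host) for pattern in allowed_hosts)


if __name__ == "__main__":
    # Constructed allowed-hosts list using the pattern forms named in this field.
    allowed = parse_allowed_hosts(".reversinglabs.com\n89.201.174.154\n89.201.174.152\n")
    for header in ("manager.reversinglabs.com:443", "89.201.174.154",
                   "89.201.174.153", "reversinglabs.com.attacker.example"):
        print(f"{header!r:40} -> {host_allowed(header, allowed)}")
```

Note that "reversinglabs.com.attacker.example" is rejected because the wildcard is anchored at the end of the host, and that a single "*" entry disables the check entirely; the examples given for the field (one leading-dot wildcard for your own domain plus specific IP addresses) are the intended shape.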

Select SSL certificate

Clicking Browse allows the user to upload a file containing a custom SSL certificate to replace the self-signed certificate generated by the Manager.

Select SSL certificate key

Clicking Browse allows the user to upload a file containing the key that corresponds to the certificate uploaded in the option above.

Synchronization

Enable YARA ruleset synchronization

Select the checkbox to allow synchronizing YARA rulesets between the appliances connected to the Manager. This setting is a global switch that affects all Spectra Analyze and Spectra Detect Worker appliances. For this functionality to work, YARA synchronization must also be enabled on connected Spectra Analyze appliances. See the YARA Sync Page section for more details.

SSH

Permit root SSH login

Select the checkbox to allow root SSH access to the Manager. This setting can be used for automated password management.

SWAP

Disable SWAP memory

Checking this option will disable the usage of SWAP memory. Not applicable if the appliance is deployed as a Docker image. Enabled by default.

SMTP

SMTP hostname

The host to use for sending email. For the SMTP service to function properly, this field must not be empty.

SMTP port

Port of the host used for sending email. For the SMTP service to function properly, this field must not be empty.

Username; Password

SMTP username and password for authentication.

Default “from” email address

The email address used by the appliance as the “from” address when sending email (for password resets, error alerts…).

Use TLS

Select the checkbox to use a secure connection (TLS; Transport Layer Security) when communicating with the SMTP server.

SNMP & SYSTEM ALERTING

Enable SNMP service

Select the checkbox to enable Simple Network Management Protocol service.

Community

Enter the SNMP community string used for authentication. A community is a list of SNMP clients authorized to make requests. The SNMP service will not function properly if this field is not configured.

Enable trap sink

Select the checkbox to enable sending SNMP traps to the sink server. Traps are asynchronous, unsolicited SNMP messages sent by the SNMP agent to notify about important events on the appliances.

Trap community

Enter the SNMP trap community string. If the Enable SNMP service and Enable trap sink checkboxes are selected, then this field is required.

Trap sink server

Enter the host name or the IP address of the trap sink server. The sink server is the location to which SNMP traps will be sent. If the Enable SNMP service and Enable trap sink checkboxes are selected, then this field is required.

SNMP trap thresholds

A set of configuration fields allowing the user to set the thresholds (values that will trigger an SNMP trap) for supported types of events. Thresholds can be configured for average system load over 1, 5 and 15 minutes, used memory and used disk space (all as percentages). Read more about SNMP Trap Thresholds.

System Alerting

Send system alert messages to syslog server

Select the checkbox to enable sending alerts about the status of critical system services on the connected appliances to the syslog server. Read more about which services are supported in the System Alerting section.

Host

Host address of the remote syslog server to send alerts to.

Port

Port of the remote syslog server.

Protocol

Communication protocol to use when sending alerts to a remote syslog server. Options are TCP (default) and UDP.

Enable audit logs to be sent to syslog server

Audit logs will be automatically sent to the syslog server in addition to other system messages. Enabling this will increase the traffic between the Manager and the syslog server.

AUTHENTICATION

Duration of login session

How long an authenticated user session will remain active; set in days, hours, minutes, or seconds. Default is 7 days, and the minimum is 1 minute.

LDAP

Connection

LDAP server host

Hostname or IP address of the server providing LDAP authentication. Example: ldap.example.com

LDAP server port

LDAP server host port. Default: 389 (LDAP) or 636 (LDAPS).

TLS; TLS require certificate

Select the TLS checkbox to use a secure connection when communicating with the LDAP server. To verify the TLS certificate, select TLS require certificate.

Select TLS CA Certificate file

The dialog that opens when clicking Browse allows the user to upload their own TLS certificate for verifying the LDAP host identity. The certificate must be in PEM file format. To apply the certificate, the options TLS and TLS require certificate must be enabled.

Bind DN or user

User to log into LDAP. DN stands for Distinguished Name. Example: “user@example.com” or “cn=user,dc=example,dc=com”.

Password

Password for the Bind user account.

User Schema; Group Schema

Base DN

Root node in LDAP from which to search for users/groups. Example: “cn=users,dc=example,dc=com”.

Scope

Scope of the user/group directory searches (base, one level, subordinate, subtree).

User/Group Object Class

The objectClass value is used when searching for users/groups. Example: “user” or “group”.

User/Group Name Attribute

The user name/group name field. Examples: “sAMAccountName” or “cn”.

Group Type

Available options are “Member” and “Unique Member”. See this link for an explanation of differences.

User attribute mapping

First name; Last name

Fields to map to a user’s first and last name.

Email

Field to map to email.

User access

Active flag group

Group DN. Users will be marked as active only if they belong to this group. Example: “cn=active,ou=users,dc=example,dc=com”.

Superuser flag group

Group DN. Users will be marked as superusers only if they belong to this group. Example: “cn=admins,ou=groups,dc=example,dc=com”.

Require group

Group DN. Authentication will fail for any user that does not belong to this group. Example: “cn=enabled,ou=groups,dc=example,dc=com”.

Deny group

Group DN. Authentication will fail for any user that belongs to this group. Example: “cn=disabled,ou=groups,dc=example,dc=com”.

OAUTH 2.0 / OPENID CONNECT

OAuth 2.0 / OpenID Connect client

Client ID

Client Identifier value for the application that was previously registered with Active Directory Federation Services (AD FS). This should be provided to the appliance administrator by the OpenID Connect provider.

Client Type

Specifies whether the client will be configured as a public or a confidential application. Possible values are Public (do not use Client Secret) and Confidential (use Client Secret). If set to Confidential, the Client secret must be provided in the next field.

Verify SSL certificate

If this checkbox is selected, the OpenID Connect client will verify the SSL certificate of the provider responses.

Config URL

Fetch configuration via URL.

Claim Source

Claims are name/value pairs that contain information about a user. For example, "email": "name.surname@example.com". Depending on the configuration, there are several sources from which this information can be obtained. If you select Access Token, additional fields will become available. Audience (aud field in an ID token) is the intended recipient of your token (usually the URL of your Manager). Relying Party ID/Resource is the identifier that can be found in the Relying Party Trust section of your AD FS console. Finally, Issuer (iss field in an ID token) is usually the URL of your authorization server.

OpenID Connect provider

Verify SSL certificate

If this checkbox is selected, the OpenID Connect client will verify the SSL certificate of the provider responses.

Config URL

Can be optionally used to populate configuration fields by providing the URI discovery mechanism URL of the Identity Provider and clicking the Get button.

Claim Source

Specifies which source will be used to authenticate and authorize users. Supported values are Use ID Token (OpenID), Use UserInfo endpoint (OpenID) and Use Access Token.

Audience

Visible only if Claim Source is set to Use Access Token. Specifies the expected value of the Audience (aud) field in the token to confirm its validity.

Relying Party ID/Resource

Visible only if Claim Source is set to Use Access Token. The ID of the application requesting user authentication from the Identity Provider. In this case, it should be set to the identifier assigned to the Manager in the Identity Provider’s configuration.

Issuer

Visible only if Claim Source is set to Use Access Token. Specifies the expected value of the Issuer (iss) field in the token to confirm its validity.

OpenID Connect provider

Authorization Endpoint

URL of the OpenID Connect provider authorization endpoint. This endpoint handles the authentication and authorization of users.

Token Endpoint

URL of the OpenID Connect provider token endpoint. This endpoint can be used by a client application to request and obtain ID, refresh, and access tokens.

UserInfo endpoint

Visible only if Claim Source is set to Use UserInfo endpoint (OpenID). URL of the OpenID Connect provider UserInfo endpoint. The UserInfo endpoint is a protected resource from which client applications can retrieve information about claims for the logged-in user.

Scopes

Provide one or more scopes that should be requested during login.

Signature verification

Signature algorithm

Select which algorithm should be used to sign ID tokens. Supported options are RS256 and HS256. If RS256 is selected as the algorithm, the Signature public key or the JWKS Endpoint must also be configured.

Signature public key

The key used to sign ID tokens when using the RS256 signature algorithm.

JWKS Endpoint

URL of the JWKS (JSON Web Key Set) endpoint configured by the OpenID Connect provider.

Claim mapping

Username

Short name of the claim containing the unique username for identifying the user.

E-mail

Short name of the claim containing the unique email address of the user.

First name

Short name of the claim containing the first name of the user.

Last name

Short name of the claim containing the last name of the user.

Groups

Name of the claim that contains a list of user groups.

User access

Active flag group

Accepts the name of the group containing active users. If a user is not in this group, they will be marked as inactive.

Superuser flag group

Accepts the name of the group containing superusers (administrators). Users will be marked as superusers only if they are in this group.

Require group

Accepts the name of the group containing users who have access to the appliance. Authentication will fail for every user that is not in this group.

Deny group

Accepts the name of the group containing users who are not allowed to access the appliance. Authentication will fail for every user that is in this group.
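As an added example (not the appliance's code, and not a description of how it validates tokens internally), the following Python shows the checks that the Signature verification, Audience and Issuer fields above correspond to for the HS256 case, using only the standard library, followed by the Claim mapping and the four User access groups. The same four group rules apply to the LDAP User access section earlier on this page, so this one block serves both. The function names, the claim names in the constructed token, the issuer, audience, group names and shared secret are all my assumptions, as is the treatment of an unset group field (active defaults to true, superuser to false).

```python
import base64
import hashlib
import hmac
import json
import time


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_hs256_id_token(claims: dict, key: bytes) -> str:
    """Build an HS256-signed ID token. Stands in for the provider; used only to produce input."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(signature)}"


def verify_hs256_id_token(token: str, key: bytes, expected_iss: str, expected_aud: str,
                          now: float = None) -> dict:
    """Verify signature, issuer, audience and expiry; return the claims or raise ValueError."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have three dot-separated parts")
    header_b64, payload_b64, signature_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # The configured algorithm decides how the signature is checked; a token whose header
    # names another algorithm (including "none") is rejected rather than honoured.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}; configured algorithm is HS256")
    expected_sig = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(signature_b64)):
        raise ValueError("signature mismatch")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != expected_iss:
        raise ValueError(f"issuer mismatch: {claims.get('iss')!r}")
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else list(aud or [])  # aud may be a string or a list
    if expected_aud not in audiences:
        raise ValueError(f"audience mismatch: {audiences!r}")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("token expired or has no exp claim")
    return claims


def build_user(claims: dict, claim_map: dict, *, active_group=None, superuser_group=None,
               require_group=None, deny_group=None) -> dict:
    """Apply the Claim mapping and the four User access groups to verified claims.
    An unset group (None) is skipped: active then defaults to True, superuser to False (assumption)."""
    groups = set(claims.get(claim_map["groups"]) or [])
    if deny_group is not None and deny_group in groups:
        raise PermissionError("user is in the deny group")
    if require_group is not None and require_group not in groups:
        raise PermissionError("user is not in the required group")
    return {
        "username": claims[claim_map["username"]],
        "email": claims.get(claim_map["email"]),
        "first_name": claims.get(claim_map["first_name"]),
        "last_name": claims.get(claim_map["last_name"]),
        "active": active_group is None or active_group in groups,
        "superuser": superuser_group is not None and superuser_group in groups,
    }


# Constructed values: claim names, issuer, audience, group names and secret are all made up.
CLAIM_MAP = {"username": "upn", "email": "email", "first_name": "given_name",
             "last_name": "family_name", "groups": "groups"}
ISSUER = "https://adfs.example.test/adfs"
AUDIENCE = "https://manager.example.test"
SHARED_SECRET = b"constructed-client-secret"

if __name__ == "__main__":
    token = make_hs256_id_token({"iss": ISSUER, "aud": AUDIENCE, "exp": int(time.time()) + 300,
                                 "upn": "jane@example.test", "email": "jane@example.test",
                                 "given_name": "Jane", "family_name": "Doe",
                                 "groups": ["manager-users", "manager-admins"]}, SHARED_SECRET)
    claims = verify_hs256_id_token(token, SHARED_SECRET, ISSUER, AUDIENCE)
    print(build_user(claims, CLAIM_MAP, active_group="manager-users", superuser_group="manager-admins",
                     require_group="manager-users", deny_group="manager-disabled"))
```

The order of the checks is deliberate: the signature is verified with the configured algorithm before any claim is trusted, and the deny group is evaluated before the require group so that membership in both still fails authentication. With RS256 the signature step would instead use the configured public key or a key fetched from the JWKS endpoint; the claim and group handling is unchanged.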

Miscellaneous

Always prompt for login

Select the checkbox to require the authorization server to always re-authenticate the user, even if the user is already authenticated. If this option is enabled, the prompt=login parameter will be added to the authentication query. The “Keep me signed in” checkbox will not be visible in the AD FS login form. Note that this option should not be used as a security measure, because the parameter can be removed by users to bypass re-authentication.

The full configuration guide for AD FS on Windows Server 2016 and OpenID Connect can be found in OpenID Configuration Guide.

Spectra Intelligence

Enable Spectra Intelligence

Select the checkbox to enable the connection to Spectra Intelligence. Spectra Detect Manager needs to be connected to the Spectra Intelligence cloud in order to automatically retrieve system updates and appliance upgrades. When connected, the Manager polls the cloud once every 60 minutes.

Username; Password

Username and password for authenticating to Spectra Intelligence.

Timeout

Specify how long to wait before the Spectra Intelligence connection times out (in seconds; the maximum allowed value is 1000).

Proxy host

Proxy hostname for routing requests from the appliance to Spectra Intelligence (e.g., 192.168.1.15).

Proxy port

Proxy port number (e.g., 1080).

Proxy username; Proxy password

Username and password for proxy authentication.

Dashboard configuration

Enable Central Logging

Enabling central logging will completely change the home page to show statistics on the number of processed files and their classifications. This feature is also resource-intensive. Ensure at least 32 GB RAM and 1 TB disk for optimal performance.

Retention period

How long to keep the collected logs on the Manager.

Enable Central File Storage

Enables file storage on the Manager. If enabled, connected Workers will store samples on the Manager. Stored samples can later be analyzed with Spectra Analyze by clicking on “Analyze with Spectra Analyze” on the analytics page. Enabling this feature may require additional disk space. The required storage depends on the size of the samples coming from the connected Workers and their retention period. Samples larger than the file limit threshold will not be stored.

File Size Limit

File size limit in MiB. Samples larger than the set threshold will not be stored. The default is 400, the maximum supported file size on Spectra Analyze.

Sample Retention Period

Time, in hours, after which the uploaded samples will be removed from the Central File Storage.

Minimum Disk Space

The minimum allowed free disk space in GiB. If the remaining disk space is below the configured threshold, new sample uploads will be rejected. For example, to use 900 GiB of space for central file storage on a 1000 GiB disk, set the value to 100.

Enable Deep Cloud Analysis

Enabling Multi-Scanning instructs Workers to upload samples to the Cloud using their respective account and usage quota. Samples are uploaded only if they pass the filtering criteria: up to 2 GB in size. If a sample already exists in the Cloud, the Manager monitors data changes in the data change feed and updates the dashboard accordingly. Enabling this feature impacts the final verdict (classification, risk score and threat name), resulting in an increased detection rate and reduced remediation time. Additionally, up to 5 antivirus engine scanners can be selected to be listed on the dashboard.

System time

Enable network time synchronization

Select the checkbox to enable clock synchronization via NTP (Network Time Protocol).

NTP servers

A list of server addresses, separated by a new line, to use for system clock synchronization. Click Test connection to verify that time synchronization functions properly.

System Alerting

If system alerting is enabled in the System Alerting configuration dialog, the following system operations and services will be monitored. Syslog notifications are sent when any of the services or operations meet the condition(s) defined in the table.

SYSTEM OPERATION OR SERVICE        NOTIFICATION TRIGGER
RAM                                usage is over 90% for 10 minutes
CPU                                usage is over 40% for 2 minutes
CPU wait (waiting for IO)          over 20% for 2 minutes
Disk usage                         over 90% for 10 minutes
UWSGI service                      down for 2 minutes
NGINX service                      down for 2 minutes
RABBIT-MQ service                  down for 2 minutes
POSTGRES service                   down for 2 minutes
MEMCACHED service                  down for 2 minutes
CROND service                      down for 2 minutes
SSHD service                       down for 2 minutes
SUPERVISORD service                down for 2 minutes
SMTP                               if enabled, but stopped for 4 minutes
NTPD                               if enabled, but stopped for 4 minutes
Any of the SUPERVISORD services    if it has crashed

SNMP Trap Thresholds

The Manager can receive notifications (traps) about important system events via the Simple Network Management Protocol (SNMP). The events are “trapped” and sent to the trap sink server when their configured threshold levels are triggered.

The Manager uses the DISMAN-EVENT-MIB::mteTriggerFired SNMP trap and supports 3 different triggers. These triggers can be used to keep track of low disk space, high memory usage or high CPU load average over time.

TRIGGER IDENTIFIER                                        TRIGGER CONDITION
DISMAN-EVENT-MIB::mteHotTrigger.0 = STRING: dskTable      disk usage is higher than the configured threshold (the default value is 90%)
DISMAN-EVENT-MIB::mteHotTrigger.0 = STRING: memoryFree    memory usage is higher than the set threshold (the default value is 80%)
DISMAN-EVENT-MIB::mteHotTrigger.0 = STRING: laTable       average system load in the specified time frame (1, 5 or 15 minutes) is higher than the set threshold

To enable SNMP traps and configure the address of the trap sink server, adjust the values in the Settings ‣ Configuration ‣ SNMP & System Alerting dialog on the Manager.

The dialog also allows setting thresholds for supported types of events, which are described in more detail below.

Average system load

This trap is sent if the average load of the local system exceeds the specified values (1-minute, 5-minute and 15-minute averages). Values should be provided as percentages, which are recalculated into the corresponding load-average thresholds as reported by the uptime or top commands.

The following examples show traps triggered by a high 1-minute, 5-minute and 15-minute system load average, respectively:

2018-01-26 14:35:54 <UNKNOWN> [UDP: [192.168.123.247]:60418->[192.168.123.17]:162]:
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (13) 0:00:00.13
SNMPv2-MIB::snmpTrapOID.0 = OID: DISMAN-EVENT-MIB::mteTriggerFired
DISMAN-EVENT-MIB::mteHotTrigger.0 = STRING: laTable
DISMAN-EVENT-MIB::mteHotTargetName.0 = STRING:
DISMAN-EVENT-MIB::mteHotContextName.0 = STRING:
DISMAN-EVENT-MIB::mteHotOID.0 = OID: UCD-SNMP-MIB::laErrorFlag.1
DISMAN-EVENT-MIB::mteHotValue.0 = INTEGER: 1
UCD-SNMP-MIB::laNames.1 = STRING: Load-1
UCD-SNMP-MIB::laErrMessage.1 = STRING: 1 min Load Average too high (= 2.56)

2018-01-26 14:35:54 <UNKNOWN> [UDP: [192.168.123.247]:60418->[192.168.123.17]:162]:
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (13) 0:00:00.13
SNMPv2-MIB::snmpTrapOID.0 = OID: DISMAN-EVENT-MIB::mteTriggerFired
DISMAN-EVENT-MIB::mteHotTrigger.0 = STRING: laTable
DISMAN-EVENT-MIB::mteHotTargetName.0 = STRING:
DISMAN-EVENT-MIB::mteHotContextName.0 = STRING:
DISMAN-EVENT-MIB::mteHotOID.0 = OID: UCD-SNMP-MIB::laErrorFlag.2
DISMAN-EVENT-MIB::mteHotValue.0 = INTEGER: 1
UCD-SNMP-MIB::laNames.2 = STRING: Load-5
UCD-SNMP-MIB::laErrMessage.2 = STRING: 5 min Load Average too high (= 2.00)

2018-01-26 14:35:54 <UNKNOWN> [UDP: [192.168.123.247]:60418->[192.168.123.17]:162]:
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (13) 0:00:00.13
SNMPv2-MIB::snmpTrapOID.0 = OID: DISMAN-EVENT-MIB::mteTriggerFired
DISMAN-EVENT-MIB::mteHotTrigger.0 = STRING: laTable
DISMAN-EVENT-MIB::mteHotTargetName.0 = STRING:
DISMAN-EVENT-MIB::mteHotContextName.0 = STRING:
DISMAN-EVENT-MIB::mteHotOID.0 = OID: UCD-SNMP-MIB::laErrorFlag.3
DISMAN-EVENT-MIB::mteHotValue.0 = INTEGER: 1
UCD-SNMP-MIB::laNames.3 = STRING: Load-15
UCD-SNMP-MIB::laErrMessage.3 = STRING: 15 min Load Average too high (= 2.05)

Used memory

This trap is sent if used memory on the local system exceeds the specified percentage. The default value is 80%. The following example shows an event triggered by memory usage that exceeded the configured trap threshold:

DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (8) 0:00:00.08
SNMPv2-MIB::snmpTrapOID.0 = OID: DISMAN-EVENT-MIB::mteTriggerFired
DISMAN-EVENT-MIB::mteHotTrigger.0 = STRING: memoryFree
DISMAN-EVENT-MIB::mteHotTargetName.0 = STRING:
DISMAN-EVENT-MIB::mteHotContextName.0 = STRING:
DISMAN-EVENT-MIB::mteHotOID.0 = OID: UCD-SNMP-MIB::memTotalFree.0
DISMAN-EVENT-MIB::mteHotValue.0 = INTEGER: 2124816
UCD-SNMP-MIB::memTotalReal.0 = INTEGER: 16467096 kB

Used disk space

This trap is sent if used disk space on any of the mounted disks exceeds the specified percentage. The default value is 90%. The following example shows an event triggered by a disk with less than 10% of free disk space on the /boot partition:

DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (25) 0:00:00.25
SNMPv2-MIB::snmpTrapOID.0 = OID: DISMAN-EVENT-MIB::mteTriggerFired
DISMAN-EVENT-MIB::mteHotTrigger.0 = STRING: dskTable
DISMAN-EVENT-MIB::mteHotTargetName.0 = STRING:
DISMAN-EVENT-MIB::mteHotContextName.0 = STRING:
DISMAN-EVENT-MIB::mteHotOID.0 = OID: UCD-SNMP-MIB::dskErrorFlag.26
DISMAN-EVENT-MIB::mteHotValue.0 = INTEGER: 1
UCD-SNMP-MIB::dskPath.26 = STRING: /boot
UCD-SNMP-MIB::dskErrorMsg.26 = STRING: /boot: less than 10% free (= 8%)
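Added example, not part of this guide: a parser for the snmptrapd-style records shown in this section that turns each mteTriggerFired trap (load, memory, disk) into a structured event a syslog or SIEM rule can act on. The input is constructed from the three trap forms above; in the memory record the OID values are wrapped onto the following line, as trap output often is when pasted into tickets, to show the parser tolerates that. The memory used percentage is derived from mteHotValue (free kB) and memTotalReal (total kB), the 80% and 90% defaults are the ones stated in this section, and the function names are mine; load traps are reported but not re-checked, since their percentage threshold is recalculated by the appliance.

```python
import re

# Constructed sample: snmptrapd-style output for the three trigger types shown in this guide.
SAMPLE_TRAP_LOG = """\
2018-01-26 14:35:54 <UNKNOWN> [UDP: [192.168.123.247]:60418->[192.168.123.17]:162]:
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (13) 0:00:00.13
SNMPv2-MIB::snmpTrapOID.0 = OID: DISMAN-EVENT-MIB::mteTriggerFired
DISMAN-EVENT-MIB::mteHotTrigger.0 = STRING: laTable
DISMAN-EVENT-MIB::mteHotTargetName.0 = STRING:
DISMAN-EVENT-MIB::mteHotContextName.0 = STRING:
DISMAN-EVENT-MIB::mteHotOID.0 = OID: UCD-SNMP-MIB::laErrorFlag.1
DISMAN-EVENT-MIB::mteHotValue.0 = INTEGER: 1
UCD-SNMP-MIB::laNames.1 = STRING: Load-1
UCD-SNMP-MIB::laErrMessage.1 = STRING: 1 min Load Average too high (= 2.56)
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (8) 0:00:00.08
SNMPv2-MIB::snmpTrapOID.0 = OID:
DISMAN-EVENT-MIB::mteTriggerFired
DISMAN-EVENT-MIB::mteHotTrigger.0 = STRING: memoryFree
DISMAN-EVENT-MIB::mteHotTargetName.0 = STRING:
DISMAN-EVENT-MIB::mteHotContextName.0 = STRING:
DISMAN-EVENT-MIB::mteHotOID.0 = OID:
UCD-SNMP-MIB::memTotalFree.0
DISMAN-EVENT-MIB::mteHotValue.0 = INTEGER: 2124816
UCD-SNMP-MIB::memTotalReal.0 = INTEGER: 16467096 kB
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (25) 0:00:00.25
SNMPv2-MIB::snmpTrapOID.0 = OID: DISMAN-EVENT-MIB::mteTriggerFired
DISMAN-EVENT-MIB::mteHotTrigger.0 = STRING: dskTable
DISMAN-EVENT-MIB::mteHotTargetName.0 = STRING:
DISMAN-EVENT-MIB::mteHotContextName.0 = STRING:
DISMAN-EVENT-MIB::mteHotOID.0 = OID: UCD-SNMP-MIB::dskErrorFlag.26
DISMAN-EVENT-MIB::mteHotValue.0 = INTEGER: 1
UCD-SNMP-MIB::dskPath.26 = STRING: /boot
UCD-SNMP-MIB::dskErrorMsg.26 = STRING: /boot: less than 10% free (= 8%)
"""

DEFAULT_THRESHOLDS = {"memory_used_pct": 80, "disk_used_pct": 90}  # defaults stated in this section
VARBIND_RE = re.compile(r"^(?P<name>[\w\-]+::[\w.\-]+) = (?:(?P<type>[A-Za-z0-9]+):\s?)?(?P<value>.*)$")
RECORD_HEADER_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} ")
UPTIME = "DISMAN-EVENT-MIB::sysUpTimeInstance"


def parse_trap_log(text: str) -> list:
    """Split snmptrapd output into records of {varbind name: value}."""
    records, current, last_name = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if RECORD_HEADER_RE.match(line):          # timestamped header opens a record
            current, last_name = {}, None
            records.append(current)
            continue
        match = VARBIND_RE.match(line)
        if match:
            name = match.group("name")
            # sysUpTimeInstance also opens a record when no header line was logged
            if current is None or (name == UPTIME and UPTIME in current):
                current = {}
                records.append(current)
            current[name] = match.group("value").strip()
            last_name = name
        elif current is not None and last_name is not None:
            # value wrapped onto the next line: append it to the previous varbind
            current[last_name] = (current[last_name] + " " + line).strip()
    return records


def _first(record: dict, prefix: str):
    return next((v for k, v in record.items() if k.startswith(prefix)), None)


def summarize_trap(record: dict, thresholds: dict = DEFAULT_THRESHOLDS):
    """Turn one mteTriggerFired record into a structured event; None for other traps."""
    if record.get("SNMPv2-MIB::snmpTrapOID.0") != "DISMAN-EVENT-MIB::mteTriggerFired":
        return None
    trigger = record.get("DISMAN-EVENT-MIB::mteHotTrigger.0")
    if trigger == "laTable":
        name = _first(record, "UCD-SNMP-MIB::laNames.") or ""        # e.g. "Load-15"
        message = _first(record, "UCD-SNMP-MIB::laErrMessage.") or ""
        value = re.search(r"\(= ([0-9.]+)\)", message)
        return {"trigger": "load", "window_minutes": int(name.split("-")[-1]) if "-" in name else None,
                "load_average": float(value.group(1)) if value else None, "message": message}
    if trigger == "memoryFree":
        free_kb = int(record["DISMAN-EVENT-MIB::mteHotValue.0"])
        total_kb = int(record["UCD-SNMP-MIB::memTotalReal.0"].split()[0])
        used_pct = 100.0 * (total_kb - free_kb) / total_kb
        return {"trigger": "memory", "used_pct": used_pct,
                "exceeds_threshold": used_pct > thresholds["memory_used_pct"]}
    if trigger == "dskTable":
        message = _first(record, "UCD-SNMP-MIB::dskErrorMsg.") or ""
        free = re.search(r"\(= (\d+)%\)", message)
        used_pct = 100 - int(free.group(1)) if free else None
        return {"trigger": "disk", "path": _first(record, "UCD-SNMP-MIB::dskPath."), "used_pct": used_pct,
                "exceeds_threshold": used_pct is not None and used_pct > thresholds["disk_used_pct"]}
    return {"trigger": trigger or "unknown"}


def summarize_trap_log(text: str, thresholds: dict = DEFAULT_THRESHOLDS) -> list:
    return [e for e in (summarize_trap(r, thresholds) for r in parse_trap_log(text)) if e]


if __name__ == "__main__":
    for event in summarize_trap_log(SAMPLE_TRAP_LOG):
        print(event)
```

The trap carries the raw free-memory count rather than a percentage, so the 80% comparison has to be recomputed on the receiving side from memTotalFree and memTotalReal; the disk trap, by contrast, already states the free percentage in dskErrorMsg. Keying the parser on snmpTrapOID rather than on line position also means unrelated traps arriving at the same sink are skipped rather than misread.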

Licensing on the Manager

On first login after installing or updating, the appliance must be licensed within 45 days of the release's general availability date. This also applies to any connected appliances. While the trial license is active, Licensing options on the Manager can be accessed using the Administration > Licensing menu item.

There are two ways of licensing appliances:

By using Spectra Intelligence

Click the Activate Using Cloud button and fill out the account information. A licensing request will be sent to Spectra Intelligence and, if the account is valid, the appliance will be activated.

Individual appliances connected to the Manager can be activated using Spectra Intelligence by configuring it for appliance groups in Central Configuration.

By uploading a license file

Appliances can also be licensed offline by sending their machine IDs to ReversingLabs support via email. This can be performed from the licensing page by selecting the checkboxes next to one or more appliances and clicking the Request License button.

This opens the user’s default email client with the relevant information filled in. Make sure to send the request using an email address that is previously known to ReversingLabs.

When ReversingLabs responds with the requested license files, upload them using the Upload License button and click Upload. The Manager will automatically match the license files to the appropriate appliances. A single license file can contain multiple machine IDs.

If an appliance instance was created by cloning a VM, administrators need to generate a new Machine ID and request a new license for every clone of the original appliance VM.

If the appliance is still in the licensing trial period, this can be done in the Administration > Licensing section.

License Expiration

  • Appliances without a license are in a trial period for 45 days from the release’s general availability date.

  • If appliances licensed using Spectra Intelligence can’t reach it, they enter a grace period of 14 days during which they will still operate normally.

  • Regenerating a machine ID of an already licensed appliance will require it to be licensed again.

  • Once the Manager trial/grace period expires, the appliance will open to the Licensing screen, and no other actions will be available.

Note

Licensing can also be configured using the Spectra Detect Manager API. Visit Help > Spectra Detect Manager API Documentation for more information. To license Spectra Detect appliances without using the Manager, refer to the API section of the Spectra Detect user guide.