Configuration
Overview
Under Configuration, set up the system configuration settings. The available settings are divided into configuration dialogs described below.
You can also apply preconfigured settings using Spectra Detect Manager. For more information, see Configuration management using Spectra Detect Manager.
If the local.yaml configuration file on the appliance contains local configuration settings, a warning is displayed at the top of the page. In case of issues when configuring the appliance, inspect the existing values in local.yaml, as they may conflict with the values set in the configuration dialogs.
When done updating the settings, click Save. The appliance is restarted and begins using the new settings.
- Settings marked with an asterisk (*) are required. To complete the initial configuration of the appliance, all settings marked with an asterisk should be changed.
- ReversingLabs sends the Spectra Intelligence settings and credentials to users separately; they are required for full file reputation and classification by the appliance.
General
| Setting | Description |
|---|---|
| General | |
| Appliance domain* | Appliance domain name or IP address, used for creating links back to the appliance. This should not include the protocol, for example, http, but should include any non-default port. For example, example.com, 192.168.128.42, 192.168.128.42:8080 |
| Allowed hosts* | A list of strings, one per line, representing the host/domain names that this appliance installation can serve. Values in this list can be fully qualified names, for example, www.example.com, in which case they are matched against the request’s Host header exactly, using case-insensitive matching and ignoring the port. A value beginning with a period can be used as a subdomain wildcard, for example, .example.com matches example.com, www.example.com, and any other subdomain of example.com. A value of “*” matches anything. Example list entries: .reversinglabs.com, 89.201.174.154, 89.201.174.152 |
| Page size | Default number of items per page to use in paged lists or tables, for example, on the Submissions page. Users can manually change this directly on each page. |
| Web server protocol | Configure HTTPS, HTTPS and HTTP, or just HTTP for the protocol by which the appliance can be accessed. Note: The value configured here determines which protocol must be used in requests to Spectra Analyze APIs. Click SSL configuration to generate a new self-signed SSL certificate or upload a custom one. For more information, see options below. |
| SSL configuration | Displayed as the link next to the Web server protocol option. Click it to open the Update SSL certificate page. |
| Generate new SSL certificate | Select and click Submit to generate a new self-signed SSL certificate for the server to use. |
| Upload certificate | Click Choose File to upload a file containing a custom SSL certificate to replace the self-signed certificate generated by Spectra Analyze. Note: Firefox users might encounter issues with custom certificates. The support section explains how to resolve them. |
| Upload certificate private key | Click Choose File to upload a file containing the key that corresponds to the certificate uploaded in the previous option. |
| File Size Limit | The maximum file size in MB that can be submitted to the appliance. The default and maximum value is 2000 MB. Other file size restrictions still apply. |
| Reverse proxy configuration | If the appliance is behind a reverse proxy, the following two settings must be configured in order to use the Authentication > Login security > Block login for specific IP address option. |
| HTTP header containing originating IP address | If the appliance is behind a reverse proxy, specify the HTTP header used to identify the originating IP address of a client connecting to the appliance through the reverse proxy. The most commonly used header is X-Forwarded-For. |
| Number of trusted reverse proxies | If the appliance is behind a reverse proxy, specify the number of trusted reverse proxies. This setting is used when the originating IP address header is present to identify the correct client IP address. |
| Password list | The appliance uses the passwords defined in this list when attempting to decrypt password-protected compressed files submitted for analysis. Prior to submitting password-protected compressed files to the appliance, users can add the password for each file to this list. Enter one password per line. |
| Enable Root Login via SSH | Select to permit SSH root logins to the appliance. Contact ReversingLabs Support for additional information and guidance. |
| Disable SWAP memory | Select to disable the usage of SWAP memory on the appliance. |
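The Allowed hosts matching rules and the trusted reverse proxy logic from the General table, as an added example in Python (not Spectra Analyze's own code); the function names and the sample addresses are assumptions, and the Host header port handling for IPv6 literals is added here for completeness:

```python
"""Host header validation and client IP selection behind a reverse proxy.

Added example, not Spectra Analyze code: models the 'Allowed hosts' matching
rules and the 'HTTP header containing originating IP address' /
'Number of trusted reverse proxies' settings described in the General table.
Function names and sample values are assumptions.
"""
from __future__ import annotations


def host_allowed(host_header: str, allowed_hosts: list[str]) -> bool:
    """Return True if the request's Host header matches the configured list.

    Rules modelled from the documentation:
    - matching ignores case and the port part of the Host header
    - a plain value (www.example.com) must match exactly
    - a value starting with '.' matches the domain itself and any subdomain
    - '*' matches anything
    """
    host = host_header.strip().lower()
    # Strip a port: '[::1]:8080' -> '[::1]', 'example.com:8080' -> 'example.com'
    if host.startswith("["):
        host = host.split("]")[0] + "]"
    else:
        host = host.split(":")[0]
    if not host:
        return False
    for pattern in allowed_hosts:
        pattern = pattern.strip().lower()
        if not pattern:
            continue
        if pattern == "*":
            return True
        if pattern.startswith("."):
            # '.example.com' matches 'example.com' and 'www.example.com'
            if host == pattern[1:] or host.endswith(pattern):
                return True
        elif host == pattern:
            return True
    return False


def client_ip(remote_addr: str, forwarded_for: str | None, trusted_proxies: int) -> str:
    """Pick the originating client IP from an X-Forwarded-For style header.

    Each proxy appends the address it received the request from, so the
    rightmost entries were written by the proxies we control. With N trusted
    proxies the client is the Nth entry from the right; anything further left
    was supplied by the client itself and must not be trusted. If the header
    is missing or shorter than N, fall back to the TCP peer address.
    """
    if trusted_proxies <= 0 or not forwarded_for:
        return remote_addr
    hops = [h.strip() for h in forwarded_for.split(",") if h.strip()]
    if len(hops) < trusted_proxies:
        # Fewer hops than trusted proxies: the header cannot be trusted.
        return remote_addr
    return hops[-trusted_proxies]
```

With the proxy count set too high the function degrades to the peer address rather than a client-supplied value, which is the safe direction when IP-based login blocking depends on it.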
SMTP
| Setting | Description |
|---|---|
| Enable SMTP | Select to enable the SMTP (Simple Mail Transfer Protocol) service on the appliance. This allows the appliance to send email notifications to a configured email address. If the SMTP service is configured correctly, it is visible under External Services Connectivity on the System Status page. |
| SMTP server | The host to use for sending email. This field is empty by default. For the SMTP service to function properly, the user needs to input the host. |
| SMTP port | Port of the host used for sending email. This field is empty by default. For the SMTP service to function properly, the user needs to input the port. |
| Username | SMTP user name for authentication. |
| Password | SMTP password associated with the specified user name. |
| Default “from” email address | The email address used by the appliance as the “from” address when sending email. This is usually used for password resets, error alerts, and other notifications. |
| Use TLS | Select to use a secure TLS (Transport Layer Security) connection when communicating with the SMTP server. |
System Time
| Setting | Description |
|---|---|
| Enable network time synchronization | Select to enable server clock synchronization via NTP, which uses port 123. |
| Timezone | Select the timezone of the appliance. |
| NTP servers | A list of servers, one per line, to use for system clock synchronization. |
Authentication
| Setting | Description |
|---|---|
| Session duration | |
| Duration of login session | How long an authenticated user session remains active on the appliance, set in minutes, hours or days. Minimum: 1 minute; maximum: 90 days. The default is 7 days. |
| Session expire at browser close | When selected, the session for every logged-in user expires when the user closes their browser, requiring the user to log in every time they start their browser. This setting may be overridden by local web browser settings. |
| Session inactivity timeout | |
| Automatically log out inactive users | When selected, the session for every logged-in user expires after the configured period of inactivity in minutes, hours or days. |
| Period of inactivity before signout | How long an authenticated user session can be inactive on the appliance before being signed out. Set in minutes, hours or days. |
| CSRF settings | |
| Use session-based CSRF cookies | When selected, the CSRF (Cross-Site Request Forgery) cookies expire when the user closes their browser. By default, persistent CSRF cookies are used, and cookie age is approximately 1 year. This setting may be overridden by local web browser settings. |
| Password requirements | Criteria configured here apply to passwords for all accounts on the appliance. Federated (single sign-on) accounts are not affected by the criteria configured here. All settings are optional and can be used in combination with other password requirements. Define the following password requirements: Minimum password length, Must contain at least 1 uppercase character, Must contain at least 1 lowercase character, Must contain at least 1 decimal digit, Don't allow passwords from list of commonly used passwords. |
| Login security | Criteria configured here apply to all accounts on the appliance instance. Requests to the authentication API are also affected by the criteria configured here. |
| Temporarily block user login after certain number of failed login attempts | Select to enable temporary account locking for every account that consecutively fails to log into the appliance. If this option is not selected, other login security options cannot be configured and do not apply. |
| Number of failed login attempts | Specify the maximum allowed amount of consecutive failed login attempts. If a user's login attempts exceed the number configured here, their account is temporarily locked and prevented from logging in. When an account is locked, appliance administrators cannot unlock it. The user whose account is locked has to wait until the login delay expires. The login delay is configured under Block timeout. |
| Block timeout | Specify how long a user's account remains locked after the maximum allowed amount of failed login attempts is exceeded. The time interval can be defined in seconds, minutes, or hours. When an account is locked, appliance administrators cannot unlock it. The account is automatically unlocked after the login delay configured here expires. |
| Block login for specific IP address | The appliance tracks IP addresses from which users are attempting to log in. If this option is selected, users who consecutively fail to log in are blocked by their current IP address. They are unable to log in from the IP address detected in failed login attempts, but they can still log in from any other IP address. If this option is not selected, users are blocked based on their account username regardless of the IP address, and they can't log in from any IP address. The login delay interval set up under Block timeout and the allowed Number of failed login attempts apply to accounts blocked in this way. If the appliance is behind a reverse proxy, make sure that the reverse proxy settings under General are properly configured so that the users' IP addresses can be identified. When an account is blocked in this way, appliance administrators cannot unblock it. The account is automatically unlocked after the configured login delay expires. |
| Send notification email to administrator when login block occurs | Select to automatically send email notifications when an account is locked based on configured login security criteria. Email Alerting and SMTP must be enabled and configured on the appliance in order to send notification emails. The emails are sent to the address configured in System Alerting. |
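The login blocking behaviour described in the Login security rows above, as an added example in Python (not Spectra Analyze's own code). The class and method names are assumptions, as is the exact threshold: this model locks once consecutive failures exceed the configured maximum, lifts the block only when the timeout expires, and keys the block by source IP or by account name depending on the setting:

```python
"""Consecutive-failure login blocking, keyed by username or by client IP.

Added example, not Spectra Analyze code: models the 'Number of failed login
attempts', 'Block timeout' and 'Block login for specific IP address' settings.
Names are assumptions; the block expires on its own and cannot be cleared early.
"""
from dataclasses import dataclass, field


@dataclass
class LoginBlocker:
    max_failed_attempts: int       # 'Number of failed login attempts'
    block_timeout: float           # 'Block timeout', in seconds here
    block_by_ip: bool = False      # 'Block login for specific IP address'
    _failures: dict = field(default_factory=dict)       # key -> consecutive failures
    _blocked_until: dict = field(default_factory=dict)  # key -> time the block lifts

    def _key(self, username: str, ip: str) -> str:
        # Block by the source IP when enabled, otherwise by account name regardless of IP.
        return ip if self.block_by_ip else username.lower()

    def is_blocked(self, username: str, ip: str, now: float) -> bool:
        """Return True while the block for this username/IP is still in force."""
        key = self._key(username, ip)
        until = self._blocked_until.get(key)
        if until is None:
            return False
        if now >= until:
            # Timeout expired: the block lifts automatically and the counter resets.
            del self._blocked_until[key]
            self._failures.pop(key, None)
            return False
        return True

    def record_attempt(self, username: str, ip: str, success: bool, now: float) -> bool:
        """Record one login attempt; return True if the key is blocked afterwards."""
        if self.is_blocked(username, ip, now):
            return True  # attempts made while blocked are rejected, not counted
        key = self._key(username, ip)
        if success:
            self._failures.pop(key, None)  # a successful login resets the counter
            return False
        failures = self._failures.get(key, 0) + 1
        self._failures[key] = failures
        if failures > self.max_failed_attempts:
            self._blocked_until[key] = now + self.block_timeout
            return True
        return False
```

In IP-keyed mode a block on one address also stops other accounts from logging in from that address, while in username-keyed mode the account is locked from every address; the tests below exercise both.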
The remainder of this section describes how to configure single sign-on login options selected under User Directory.
LDAP
| Setting | Description |
|---|---|
| Connection | |
| LDAP server host | Host name or IP address of the server providing LDAP authentication. For example, ldap.example.com. Click Test to verify the connection to the server. |
| LDAP server port | LDAP server host port. The defaults are 389 (LDAP) or 636 (LDAPS). |
| TLS | Select to use a secure (TLS) connection when communicating with the LDAP server. |
| TLS require certificate | Select to require TLS certificate verification when communicating with the LDAP server. |
| Select CA certificate | Click Choose File to upload a TLS certificate for verifying the LDAP host identity. The certificate must be in .pem format. To apply the certificate, the options TLS and TLS require certificate must be enabled. It is also possible to upload certificates through the Central Configuration Management section on Spectra Detect Manager if the appliance is connected and authorized on the Manager. |
| Bind DN or user | User to log into the LDAP server for searches. DN stands for Distinguished Name. For example, user@example.com or cn=user,dc=example,dc=com |
| Password | Password for the Bind user account. |
| User Schema | |
| Base DN | Root node in LDAP from which to search for users. For example, cn=users,dc=example,dc=com. |
| Scope | Scope of the user directory searches. The available options are base, one level, subordinate, subtree. |
| User object class | The objectClass value used when searching for users. For example, user. |
| User name attribute | The user name field. For example, sAMAccountName or cn. |
| Group Schema | The majority of fields in this section are the same as in the User Schema section, except the settings relate to groups. |
| Base DN | Root node in LDAP from which to search for groups. For example, cn=groups,dc=example,dc=com. |
| Scope | Scope of the group directory searches. The available options are base, one level, subordinate, subtree. |
| Group object class | The objectClass value used when searching for groups. For example, group. |
| Group name attribute | The group name field. For example, cn. |
| Group type | LDAP group membership attribute. The available options are Member, Unique Member. |
| User attribute mapping | |
| First name | Field to map to a user's first name. For example, givenName. |
| Last name | Field to map to a user's last name. For example, sn. |
| Email | Field to map to a user's email address. For example, mail. |
| User access | |
| Active flag group | Group DN. Users are marked as active only if they belong to this group. For example, cn=active,ou=users,dc=example,dc=com. |
| Superuser flag group | Group DN. Users are marked as superusers only if they belong to this group. For example, cn=admins,ou=groups,dc=example,dc=com. |
| Require group | Group DN. Authentication fails for any user that does not belong to this group. For example, cn=enabled,ou=groups,dc=example,dc=com. |
| Deny group | Group DN. Authentication fails for any user that belongs to this group. For example, cn=disabled,ou=groups,dc=example,dc=com. |
OAuth 2.0 / OpenID Connect
For more information, see OpenID guide.
SAML
For more information, see SAML guide.
Spectra Intelligence
Multiple Spectra Analyze instances should not be configured to use the same cloud account, as this can interfere with appliance functionality, and particularly with YARA ruleset synchronization. It is advised to use these settings only if there is just one Spectra Analyze appliance in the configuration group.
| Setting | Description |
|---|---|
| Spectra Intelligence URL * | The host address for the Spectra Intelligence service. Click Test to check for any connectivity issues. The default URL is https://appliance-api.reversinglabs.com |
| Username * | Spectra Intelligence username for authentication. Every appliance instance must be connected to its own Spectra Intelligence account. Note: Sharing accounts between multiple instances can interfere with the functionality of the appliance, particularly with YARA rule synchronization. |
| Password * | Spectra Intelligence password for authentication. Every appliance instance must be connected to its own Spectra Intelligence account. Note: Sharing accounts between multiple instances can interfere with the functionality of the appliance, particularly with YARA rule synchronization. |
| Timeout | Default Spectra Intelligence service connection timeout in seconds. Maximum is 1000. Note: It is highly recommended to set this timeout to 1 second in air-gapped networks. |
| Proxy host | Optional proxy host name for routing requests from the appliance to Spectra Intelligence, for example, 192.168.1.15. If configured, this proxy is also used by the Local URL crawling method and all integrations on the Spectra Analyze appliance: ReversingLabs Cloud Sandbox and Auxiliary Analysis, Joe Sandbox, FireEye, CAPE, Cuckoo, Cisco Secure Malware Analytics, VMRay. |
| Proxy port | Optional proxy port number, for example, 1080. |
| Proxy username | Username for proxy authentication, if proxy is configured. |
| Proxy password | Password for proxy authentication, if proxy is configured. |
| Maximum fetch file size | Maximum size of an individual file in MiB that is allowed to be downloaded from the cloud to Spectra Analyze. The default value is 500 MiB, the minimum is 1 MiB, and the maximum is 2000 MiB. Files exceeding the size configured here have a special indicator icon in the Spectra Analyze interface. This limit also affects URL submissions using the Spectra Intelligence crawling method, where it applies to individual files downloaded from the submitted URL. Files going over this limit are skipped during URL analysis. |
| Automatic Upload to Spectra Intelligence | Allow files to be automatically uploaded to the cloud whenever they are uploaded to the appliance. |
| Allow Upload of API statistics to Spectra Intelligence | Allow ReversingLabs to collect anonymous API usage statistics related to the cloud. Click Show Example Data to see an example of data being logged and sent. |
T1000 File Reputation Appliance
| Setting | Description |
|---|---|
| T1000 URL * | The host address for the on-premise T1000 File Reputation appliance. Click Test to check for any connectivity issues. |
| Username * | T1000 user name for authentication. Note: This user name needs to be created via the T1000 Web administration application. |
| Password * | T1000 password for authentication. Note: This password needs to be created via the T1000 Web administration application. |
| Timeout | Default T1000 service connection timeout in seconds. Maximum is 60. |
| Proxy host | Proxy host name for routing requests from the appliance to T1000. For example, 192.168.1.15. |
| Proxy port | Proxy port number. For example, 1080. |
| Proxy username | Username for proxy authentication, if proxy is configured. |
| Proxy password | Password for proxy authentication, if proxy is configured. |
Metrics
| Setting | Description |
|---|---|
| SNMP settings | |
| Enable SNMP service | Select to enable the Simple Network Management Protocol service. Note: This must be enabled if the appliance is to be connected to the Spectra Detect Manager. |
| Community | Enter the name of an SNMP community for authentication. A community is a list of SNMP clients authorized to make requests. Note: The SNMP service does not function properly if this field is not configured. If the appliance is connected to the Spectra Detect Manager, the Manager is not able to retrieve accurate appliance status information if this field is not configured. |
| SNMP trap settings | |
| Enable trap sink | Select to enable sending SNMP traps to the sink server. Traps are asynchronous, unsolicited SNMP messages sent by the SNMP agent to notify about important events on the appliance. The Spectra Analyze appliance supports traps for the events listed in this configuration dialog. |
| Trap community | Enter the SNMP trap community string. If Enable SNMP service and Enable trap sink are selected, this field is required. |
| Trap sink server | Enter the host name or the IP address of the trap sink server. The sink server is the location to which SNMP traps are sent. If Enable SNMP service and Enable trap sink are selected, this field is required. |
| Supported events | A set of configuration fields allowing the user to set the thresholds for supported types of events. Thresholds are values that trigger an SNMP trap, and they can be configured for Average system load, Used memory, Used disk space, Spectra Detect queue size and Classifications queue size. For more information, see SNMP trap thresholds. |
| Prometheus settings | |
| Enable Prometheus metrics | Select to enable Prometheus monitoring for this instance of Spectra Analyze. |
System Alerting
| Setting | Description |
|---|---|
| System alerting | |
| Enable | Select to send alerts about the status of critical system services to the syslog server. For more information, see System alerting. |
| Host | Host address of the remote syslog server to send alerts to. |
| Port | Port of the remote syslog server. |
| Protocol | Communication protocol to use when sending alerts to remote syslog server. The available options are TCP (default) and UDP. |
| Enable audit logs to be sent to syslog server | Select to enable forwarding appliance audit logs to the configured syslog server. This option is disabled by default, which means that audit logs are not automatically sent to syslog. Enabling this option increases the traffic between the appliance and the syslog server. |
| Email alerting | |
| Enable | Select to send alerts about the status of critical system services to the configured email address. |
| Email error alerts to | The appliance administrator’s email address for receiving error alerts. |
Spectra Detect Processing Settings
| Setting | Description |
|---|---|
| Processing settings | Processing settings determine which file formats are unpacked by Spectra Core for detailed analysis. The available options are Fast, Best, and Normal. Best fully processes all formats supported by the appliance. Normal and Fast both process a limited set of file formats, but Normal supports more formats than Fast. When Fast or Normal is selected, a list of formats that will not be fully processed is displayed. Spectra Analyze displays only a basic set of information on the Sample Details page for those file formats. |
| Enable ReversingLabs file reputation | Allow Spectra Core to retrieve classification information from Spectra Intelligence or T1000 during sample analysis. This option is enabled by default. If both file reputation services are configured on the appliance, T1000 has priority and is used by Spectra Core to classify samples. When this option is enabled, classification information on the Sample Details > Summary and Sample Details > Timeline pages indicates that the sample was classified by Spectra Core Spectra Intelligence. All samples classified in this way are automatically assigned a system tag called cloud. |
| Enable classification propagation | This option is enabled by default. Spectra Core performs file unpacking during analysis, then analyzes and classifies those unpacked children files along with their parent file. When this option is enabled, classification propagation makes it possible to classify parent files based on the content extracted from them. This means that a file containing a malicious/suspicious file is also considered malicious/suspicious. |
| Maximum duration of temporary report retention period | When sample analysis reports are created on the appliance, they are collected in a queue before storing report metadata in the appliance database. After the metadata is successfully stored, report files are deleted from the appliance. To prevent premature removal of those report files, the report retention period can be configured by adjusting this value. Increase this value if large samples fail to process. If disk consumption is high, decrease this value. The value should be configured in minutes. The default is 7200 (5 days). Allowed values are 30 to 20160 (14 days). |
| Enable classification scanners | These technologies work together to determine what the final file classification should be. Enabling/disabling these scanners or suppressing certain low-risk threat types allows fine-tuning of the final classification outcome. Enabling classification detection suppression for any of the threat types makes the engine report the detected threat, but this detection is ignored during file classification. Should this detection be the only one, with no higher risk detections within the same package, the file is considered graylisted due to user configuration. |
| Images | Image format threat detection. Spectra Core applies image format specific signatures and heuristics to detect threats. Signatures are applied during format validation to detect known exploits. As opposed to them, heuristics can detect client or server-side code embedded in the image stream or data properties. Heuristics are predictive detection technologies and they refer to both manually written and machine learning algorithms. When a detection is made with this technology, the scanner name is reported as Spectra Core /<UnpackerName> Unpacker. |
| PECOFF | Windows executable format validation and threat detection. PECOFF is a complex executable format for which Spectra Core has a dedicated parser. This technology performs in-depth format validation and is capable of detecting malformations that can be related to threat detection evasion attempts. Existence of such data structures and header values can be sufficient to declare the file suspicious. However, it is possible that files damaged during transport exhibit the same kind of traits as malformed ones. If there’s a high likelihood of data corruption during file collection, this option can be disabled to reduce unwanted detections. When a detection is made with this technology, the scanner name is reported as Spectra Core PECOFF Validator. |
| Documents | Document format threat detection. Spectra Core applies document format-specific signatures and heuristics to detect threats. Signatures are applied during format validation to detect known exploits. Other types of threats are detected with heuristics. These refer to predictive detection technologies and they cover both manually written and machine learning algorithms. Heuristic algorithms are typically applied to scripts and macros within documents to identify threats that are hard to describe using conventional signatures. When a detection is made with this technology, the scanner name is reported as Spectra Core Document Classifier. |
| Certificates | Digital certificate validation and threat detection. Certificates are used to sign documents, archives, applications and software packages. Their digital signatures guarantee the origin and integrity of the file they are signing. Spectra Core performs digital certificate chain validation and can both blocklist and allowlist files based on digital signatures. During validation, additional checks are performed to ensure that the certificate is properly formed and that it hasn’t been revoked. Issues that the engine encounters during validation can be translated to classification. For example, if a file fails integrity validation, it is classified as suspicious due to tampering after it was signed. However, it is possible that files damaged during transport exhibit the same kind of traits as tampered ones. If there’s a high likelihood of data corruption during file collection, this option can be disabled to reduce unwanted detections. When a detection is made using this technology, the scanner name is reported as Spectra Core Certificate Validator. |
| Hyperlinks | Embedded hyperlink threat detection. Spectra Core performs static analysis to collect embedded hyperlinks from supported file types during extraction. Hyperlinks are identified both generically, from any file type, and specifically, from formats that have dedicated parsers. Collected hyperlinks are then classified with heuristic algorithms that look for spoofed, typosquatted, or open-redirect links that could trick the user into visiting misleading websites. In addition to heuristics, Spectra Core has an offline database of blocklisted domains that is used to enhance the hyperlink classification coverage. When a detection is made using this technology, the scanner name is reported as Spectra Core URL Classifier. |
| Emails | Phishing and email threat detection. Spectra Core applies email content specific heuristics to detect dangerous messages. These threat detection heuristics look for patterns commonly found in phishing attacks, such as deceptive senders and email bodies that resemble popular service providers. In addition to heuristics, Spectra Core has an offline database of blocklisted domains that is used to enhance the email classification coverage. When a detection is made with this technology, the scanner name is reported as Spectra Core Email Classifier. |
| Ignore the following threat types | Select threat types to exclude from the final classification decision. Should this skipped detection be the only one with no higher risk detections within the same package, the file is considered Goodware, and the classification reason is Graylisting. |
| Ignore adware | Ignore classification result that matches adware. |
| Ignore packer | Ignore classification result that matches packers. |
| Ignore riskware (PUA) | Ignore classification result that matches riskware. |
| Ignore hacktool | Ignore classification result that matches hacktool. |
| Ignore spyware | Ignore classification result that matches spyware. |
| Ignore spam | Ignore classification result that matches spam. |
| CEF classification message logging | |
| Enable Sending CEF Messages to Syslog Server | Select to send sample classification messages to syslog. |
| CEF hash type | The available hash types to be logged are MD5, SHA1 or SHA256. |
Computer Vision Analysis
| Setting | Description |
|---|---|
| Enable Computer Vision Analysis | The Computer Vision Analysis module identifies and extracts URIs, IP addresses (IPv4 and IPv6), domains, and email addresses from images and PDFs using OCR, and from QR codes by decoding them. The extracted data and their classifications (e.g., malicious) are available on the respective Sample Summary page. |
Resource Usage Limits
| Setting | Description |
|---|---|
| Memory limit | The memory limit is compared to the percentage of used memory. Default is 90%, minimum is 75%, maximum is 100%. Set this value to 100 to disable the limit. |
| Processing queue limit | Queue limit is compared to the number of messages in the queue. Default is 50, minimum is 10. Set this value to 0 to disable the limit. |
| Hagent input queue limit | Queue limit is compared to the number of messages in the queue. Default is 50, minimum is 10. Set this value to 0 to disable the limit. |
| Sample submission queue limit | Queue limit is compared to the number of messages in the queue. Default is 50, minimum is 10. Set this value to 0 to disable the limit. |
| Collector queue limit | Queue limit is compared to the number of messages in the queue. Default is 50, minimum is 10. Set this value to 0 to disable the limit. |
| Classifier queue limit | Queue limit is compared to the number of messages in the queue. Default is 50, minimum is 10. Set this value to 0 to disable the limit. |
| Disk limit | The disk limit is compared to the percentage of used disk space. Default is 95%, minimum is 75%, maximum is 99%. Set this value to 0 to disable the limit. |
Backup & Purge
| Setting | Description |
|---|---|
| Enable backup & purge | Select to enable the backup and purge features. The purge task is not triggered immediately upon being enabled. Instead, when enabled, the Backup & Purge section becomes available, allowing access to additional options. By default, a purge runs every day at midnight (00:00 UTC) and removes data according to the settings configured here. It is also possible to run the backup or purge task at any time and manage database backups from Backup & Purge. While running these tasks, the appliance enters maintenance mode and becomes unavailable. |
| Purge data older than | Choose the time interval after which the data is purged automatically. The available options are 1 week, 2 weeks, 1 month, 3 months, 6 months, 12 months. Default is 1 month. This data includes samples stored on Spectra Analyze and the database. Note: It is recommended you start with short retention periods and monitor the disk usage, then increase the retention period incrementally to accommodate observed usage patterns. Regularly monitor disk usage to avoid outages and performance issues. |
| Select at least one classification to be purged | When one or more classification statuses are selected here, only the samples with those statuses are removed from the appliance by the purge task. It is possible to select any combination of statuses. The available options are Malicious, Suspicious, Goodware, Unknown, Error State. By default, all except Malicious and Error State are selected. |
| Purge schedule | This section allows users to schedule how often the purge task should run. If available, statistics from previous purge tasks are displayed to help determine the optimal schedule. |
| The purge will be run | The available options are monthly, weekly, daily. |
| Day(s) of the month | Select which days of the month to run the purge. This option only applies if you set The purge will be run to monthly. If you choose only the 29th, 30th, and/or 31st, the purge is run only in months that have that many days. |
| Day(s) of the week | Select which days of the week to run the purge. This option only applies if you set The purge will be run to weekly. |
| Hour of the day (UTC) | The time selected here applies to the daily maintenance purge task which can't be turned off even if Enable backup & purge is not selected. The daily maintenance purge task cleans up the database and removes samples without sources, such as leftover samples that the users deleted during the previous day, which helps prevent deadlocks and process scheduling issues when attempting to delete samples from the appliance. From the drop-down list, select at which hour of the day in UTC the task should run. If not specified, or if Enable backup & purge is not selected, the task runs at midnight (00:00 UTC) by default. Otherwise, the task runs at the specified hour if the disk usage exceeds 65% and if it has not been run in the past 24 hours. While running this task, the appliance enters maintenance mode and becomes unavailable. |
| Backup database before purging | Select to enable automatic backups before purging the data. Every new backup overwrites the previous one, so make sure to download the backups and store them in a different location. If this option is not selected, only a purge is performed, which means samples are deleted without creating a backup first. |
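As an added example (not Spectra Analyze's own code), the following Python models the Purge schedule settings described above and shows the 29th/30th/31st rule in action: a monthly purge on a day that a month does not have is simply skipped that month. The function names and the weekday numbering (0 = Monday) are assumptions made for the example.

```python
import calendar
from datetime import datetime, timedelta, timezone

# Added example, not Spectra Analyze code: model the "Purge schedule" settings
# and list the UTC times the purge task would run in a date window.
#   frequency: "daily", "weekly" or "monthly"   (The purge will be run)
#   days:      days of the month 1-31 for monthly, weekday numbers
#              0 = Monday .. 6 = Sunday for weekly, ignored for daily
#   hour:      Hour of the day (UTC), 0-23

def purge_runs(frequency, days, hour, start, end):
    """UTC datetimes at which the purge would run within [start, end].

    Dates are walked one calendar day at a time, so a monthly selection of
    the 29th, 30th or 31st is skipped in months that do not have that day."""
    if frequency not in ("daily", "weekly", "monthly"):
        raise ValueError("frequency must be daily, weekly or monthly")
    if not 0 <= hour <= 23:
        raise ValueError("hour must be 0-23 (UTC)")
    runs = []
    day = start.date()
    while day <= end.date():
        if frequency == "daily":
            due = True
        elif frequency == "weekly":
            due = day.weekday() in days
        else:
            due = day.day in days
        if due:
            at = datetime(day.year, day.month, day.day, hour, tzinfo=timezone.utc)
            if start <= at <= end:
                runs.append(at)
        day += timedelta(days=1)
    return runs

def runs_in_year(frequency, days, hour, year):
    """Convenience wrapper: all runs during one calendar year (UTC)."""
    start = datetime(year, 1, 1, tzinfo=timezone.utc)
    end = datetime(year, 12, 31, 23, 59, 59, tzinfo=timezone.utc)
    return purge_runs(frequency, days, hour, start, end)

def months_without_day(day_of_month, year):
    """Months of `year` in which a monthly purge on `day_of_month` never runs."""
    return [m for m in range(1, 13) if calendar.monthrange(year, m)[1] < day_of_month]

if __name__ == "__main__":
    print(len(runs_in_year("monthly", {31}, 0, 2024)), "runs on the 31st in 2024")
    print("months skipped:", months_without_day(31, 2024))
```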
Alert Management
| Setting | Description |
|---|---|
| Purge alerts older than | Choose the time interval after which the alerts collected on Spectra Analyze under Alerts are automatically removed. The available options are 1 month, 3 months, 6 months. Default is 3 months. |
Spectra Detect Worker Store Integration
If you're connecting to Spectra Detect in order to enable pivot links, it's preferable to do it through Spectra Detect Manager. However, manual configuration, for example, connecting to a single pre-processing Worker, is also possible.
| Setting | Description |
|---|---|
| Bucket connection mappings | Allows the use of up to 10 different mapping groups for different output buckets. Click Add Mapping to add a mapping. |
| AWS S3 buckets list | A list of S3 buckets. The name can be between 3 and 63 characters long, and can contain only lower-case characters, numbers, periods, and dashes. Each label in the name must start with a lowercase letter or number. The name cannot contain underscores, end with a dash, have consecutive periods, or use dashes adjacent to periods. The name cannot be formatted as an IP address. |
| AWS S3 access key ID | The access key ID for AWS S3 account authentication. Note: In cases where the appliance is hosted by ReversingLabs and Role ARN is used, this value is provided by ReversingLabs. |
| AWS S3 secret access key | The secret access key for AWS S3 account authentication. Note: In cases where the appliance is hosted by ReversingLabs and Role ARN is used, this value is provided by ReversingLabs. |
| AWS S3 endpoint URL | Enter the S3 endpoint URL to use S3 over HTTP. After providing the access key ID, secret access key, and endpoint URL values, click Test to verify that the appliance can successfully connect to the configured AWS S3 account. Using a custom root CA certificate can cause the connection to fail. If this happens, the custom certificate file should be uploaded to the appliance. Consult ReversingLabs Support for assistance. |
| Enable role ARN | Select to enable authentication using an external AWS role. This allows the customers to use the connector without forwarding their access keys between services. The IAM role used to obtain temporary tokens has to be created for the connector in the AWS console. These temporary tokens allow ingesting files from S3 buckets without using the customer secret access key. |
| Role ARN | The role ARN created using the external role ID and an Amazon ID. In other words, the ARN which allows the appliance to obtain a temporary token, which then allows it to connect to S3 buckets without using the customer secret access key. |
| External ID | The external ID of the assumed role. Usually, it’s an ID provided by the entity which uses but doesn’t own an S3 bucket. The owner of that bucket takes the external ID and creates an ARN with it. It is strongly recommended to use a valid External ID in production environments to maintain security. However, in non-production or test environments, you can enter a placeholder value for the External ID if your use case doesn't require a real one. This is useful when you do not want to enforce the External ID requirement while testing configurations. |
| ARN session name | Name of the session visible in AWS logs. Can be any string. |
| Token duration in seconds | How long before the authentication token expires and is refreshed. The minimum value is 900 seconds. |
| Refresh buffer | Number of seconds before the token timeout is reached at which a new ARN token is fetched. This must be a positive number; the default value is 5. |
| AWS S3 region | Specify the correct AWS geographical region where the S3 bucket is located. The default value is us-east-1. |
| AWS S3 signature | Used to authenticate requests to the S3 service. In most AWS regions, only Signature Version 4 is supported. For AWS regions other than us-east-1, the value s3v4 must be configured here. |
| AWS S3 number of connection retries | Maximum number of retries when saving a report to an S3-compatible server. |
| Verify the HTTPS connection against the CA bundle | Select to enable SSL verification for HTTPS connections. |
| CA path | Enter the path on the file system pointing to the certificate of a custom self-hosted S3 server. |
| S3 bucket folder | Enables specifying and targeting an S3 bucket folder. The folder can be up to 1024 bytes long when encoded in UTF-8, and can contain letters, numbers and special characters: "!", "-", "_", ".", "*", "'", "(", ")", "/". It must not start or end with a slash or contain leading or trailing spaces. Consecutive slashes are not allowed. |
| Spectra Detect Worker store integration behavior options | These options allow storing samples either unprotected and uncompressed, using the sample SHA1 as the S3 object key by default, or as ZIP files. |
| Zip password | If you selected storing samples as ZIP files, you can optionally set the password to use for protecting compressed files. |
YARA Cloud Settings
| Setting | Description |
|---|---|
| Enable automatic upload of YARA ruleset to Spectra Intelligence | Disabled by default. When enabled, new YARA rulesets created on the appliance are automatically synchronized with Spectra Intelligence. Additionally, the Run ruleset continuously in Spectra Intelligence checkbox in the YARA ruleset editor is automatically selected. Selecting this option automatically selects the option Automatic disabling of Cloud enabled YARA rulesets. |
| Automatic retro run of Cloud enabled YARA rulesets | Disabled by default. When enabled, YARA rulesets that are synchronized with Spectra Intelligence are automatically scheduled for a Cloud retro scan. The Cloud retro scan is started after the ruleset is successfully validated. This applies to new rulesets created on the appliance, and to existing rulesets that are edited and synchronized with Spectra Intelligence by selecting the Run ruleset continuously in Spectra Intelligence checkbox in the YARA ruleset editor. The option does not apply to Spectra Core rulesets. |
| Automatic disabling of Cloud enabled YARA rulesets | When enabled, YARA rulesets synchronized with Spectra Intelligence are automatically de-synchronized when they reach the maximum of 10 000 matches in the cloud system. They stop receiving new cloud matches until at least 1000 matches are removed by the user from the YARA page. Once 1000 matches have been removed, the ruleset automatically synchronizes with Spectra Intelligence again and starts receiving new matches. This option is automatically enabled when Enable automatic upload of YARA ruleset to Spectra Intelligence is selected. |
URL Analysis
| Setting | Description |
|---|---|
| Default crawling method | The default crawling method to use when submitting URLs for analysis. The available options are Local or Spectra Intelligence. For more information, see Privacy of Submitted Files and URLs. |
| Enable Local Crawl Selection | Enabling this option makes an additional Analyze Crawled Files (Local, On-Device) setting available under Submit > URL Analysis > Advanced Analysis Settings > URL Crawling. If enabled, the process initiates a website crawl directly from the Spectra Analyze host, downloading all resources at crawl depth 1. Because the crawl originates from the local host, visibility to the target site may be affected by network configurations such as firewalls. Downloaded resources are provided as a ZIP archive in the payload section of the URL analysis. Note: Local URL Analysis uses the same proxy configuration as Spectra Intelligence to perform the analysis request. |
| URL analysis timeout | The time in seconds to spend downloading a URL for analysis. This setting applies only to the Local crawl method. |
| Maximum download size | Set the maximum allowed file size in MiB that can be downloaded from each URL submitted to the appliance. The value configured here is not enforced when downloading a single file directly from a URL. It only applies when data is retrieved recursively by crawling links on the submitted URL. The default is 500 MiB, and the maximum is 2000 MiB. When using the Spectra Intelligence crawling method, individual files retrieved from the submitted URL are also compared against the Maximum Fetch File Size value in Spectra Intelligence settings and skipped if larger. |
| Maximum number of attempts | Set the maximum number of times a file download is attempted. Fatal errors like File Not Found or Connection Refused are not retried. This setting applies only to the Local crawl method. |
| Enable user agent | Allow setting a custom user agent string to be used when crawling URLs using the Local crawl method. |
| User agent string | This string is used to send information about the client OS, browser, and version. Some websites may return different results based on this information. |
| Enable Spectra Analyze Networking Toolkit | Enable the appliance to try to collect additional networking data from the following sources: whois, bgpview.io, GeoLite City and DNS services. |
System Health
| Setting | Description |
|---|---|
| System health indicator | |
| CPU load percentage limit | Default is 95. |
| Free memory percent limit | Default is 10. |
| Used disk space percent limit | Default is 70. All devices are checked and the red indicator is triggered if any of the devices is over the limit. |
| Queue limits | |
| Classifier queue limit | Default is 50. The red indicator is triggered if the queue contains more than this number of messages. |
| Collector queue limit | Default is 50. The red indicator is triggered if the queue contains more than this number of messages. |
| Sample retry queue limit | Default is 50. The red indicator is triggered if the queue contains more than this number of messages. |
| Sample submission queue limit | Default is 50. The red indicator is triggered if the queue contains more than this number of messages. |
Appliances Search
| Setting | Description |
|---|---|
| Enable Appliances Search | Note: The appliance needs to be connected to and authorized on the Spectra Detect Manager for this option to be available. Select this option to enable searching for samples on other appliances connected to the same Manager. This feature also allows searching for samples on the current appliance from other instances connected to the same Manager. Samples can be searched by file name, and single or multiple hashes from the Search Samples box. |
| Enable Syncing | Note: The appliance needs to be connected to and authorized on a Spectra Detect Manager instance with enabled synchronization for this option to be available. Select this option to enable YARA ruleset synchronization to other appliances from the current appliance, and vice versa. |
Configuration management using Spectra Detect Manager
All configuration options managed by Spectra Detect Manager are available through the Spectra Detect Management API, providing programmatic access for automation and integration purposes.
ReversingLabs Spectra Detect Manager allows users to create groups of preconfigured settings, and apply those settings to selected ReversingLabs appliances. This feature makes it possible to configure multiple appliances, and to ensure they all have consistent and correct settings.
Spectra Analyze appliances managed by the Spectra Detect Manager have the option to disconnect the appliance from the Manager in the top right corner of the Administration > Configuration & Update > Configuration section. Disconnecting the appliance from the Manager reconfigures Spectra Analyze.
Additionally, it is possible to confirm that the appliances are properly connected by checking the Spectra Detect Manager status on the System Status page, under External Services Connectivity.
The same SNMP Community string configured on the appliance under Administration > Configuration & Update > Configuration > SNMP dialog must be used when adding the appliance to the Spectra Detect Manager instance in the Add new appliance dialog. This ensures that Spectra Detect Manager can display the appliance status information correctly, and that changes saved on the Spectra Detect Manager can be propagated to the appliance.
When configuration values are changed on Spectra Detect Manager for a group that the appliance belongs to, the appliance is restarted.
Spectra Detect Manager Central Configuration can be used to manage the following settings on ReversingLabs Spectra Analyze appliances:
- Spectra Intelligence
  Multiple Spectra Analyze instances should not be configured to use the same cloud account, as this can interfere with appliance functionality, and particularly with YARA ruleset synchronization. It is advised to use these settings only if there is just one Spectra Analyze appliance in the configuration group.
- T1000 File Reputation Appliance
- SMTP
- SNMP
- Cuckoo Integration
- User Directory
- System Time
- Spectra Detect Worker Store Integration
- System Alerting