Version: Spectra Detect 5.1.2

Manager settings

These are the general steps for configuring a new Manager:

  1. Deploy the appliance and attach it to the network.
  2. Configure network settings via the console to access the Web UI.
  3. Configure installation-specific settings on the system configuration screen.
  4. License the Manager.

Network Ports

The Manager supports the following ports for inbound connections:

  • 80/TCP and 443/TCP for connecting to the Manager Web UI.
  • 22/TCP for maintenance purposes.
  • 161/UDP for SNMP monitoring.

Where possible, restrict 22/TCP and 161/UDP at the network edge to the management and monitoring hosts that need them.

Outgoing connections to the internet via the following ports are also supported:

  • 53/UDP for DNS
  • 123/UDP for NTP

However, it is strongly recommended that users configure the system to use their own DNS and NTP infrastructure rather than public resolvers and time servers.

For outgoing connections to the Spectra Intelligence database, the destination is appliance-api.reversinglabs.com on port 443/TCP. The connection supports HTTPS only.

Configuration via the Manager Web Interface

After logging in, access the Administration ‣ Spectra Detect Manager page from the main Manager menu. The page contains dialogs with options for configuring the Manager. When done updating the settings in the configuration dialogs, click Save. The appliance will be restarted and begin using the new settings.

General

Network settings

  • Application URL

    The URL that can be used to access the Web UI of the Manager. The application URL must be configured to use the HTTPS protocol.

  • Allowed hosts

    A list of strings, one per line, representing the host/domain names that this appliance installation can serve. Values in this list can be fully qualified names (e.g., "www.example.com"), in which case they will be matched against the request's Host header exactly (case-insensitive, not including port). A value beginning with a period can be used as a subdomain wildcard: ".example.com" will match "example.com", "www.example.com", and any other subdomain of "example.com". A value of "*" will match anything. Examples: .reversinglabs.com, 89.201.174.154, 89.201.174.152

    A value of "*" disables Host header validation entirely and should not be used outside of testing; list only the names and addresses by which the Manager is legitimately reached.

  • Select SSL certificate

    Clicking Browse allows the user to upload a file containing a custom SSL certificate to replace the self-signed certificate generated by the Manager.

  • Select SSL certificate key

    Clicking Browse allows the user to upload a file containing the private key that corresponds to the certificate uploaded in the option above.

Synchronization

  • Enable YARA ruleset synchronization

    Select the checkbox to allow synchronizing YARA rulesets between the appliances connected to the Manager. This setting is a global switch that affects all Spectra Analyze and Spectra Detect Worker appliances. For this functionality to work, YARA synchronization must also be enabled on the connected Spectra Analyze appliances. See the YARA Sync Page section for more details.

SSH

  • Permit root SSH login

    Select the checkbox to allow root SSH access to the Manager. This setting can be used for automated password management. Leave it disabled unless such automation is in use.

SWAP

  • Disable SWAP memory

    Checking this option disables the usage of SWAP memory. Not applicable if the appliance is deployed as a Docker image. Enabled by default.
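The Allowed hosts rules above are easy to get subtly wrong (a bare ".com", a stray "*"). The following is an added example, not part of this documentation or of the product's code: it applies the stated matching semantics (exact match, case-insensitive, port ignored; leading-dot subdomain wildcard; "*" matches anything) to sample Host header values and flags list entries that weaken the check. The function names and the sample values are this example's own assumptions.

```python
"""Added example: Allowed hosts matching as described in the Manager settings.
Not ReversingLabs code; names and sample values are assumptions."""
from typing import List


def strip_port(host_header: str) -> str:
    """Return the lower-cased host part of a Host header without the port.

    Handles "example.com:443" as well as bracketed IPv6 literals such as
    "[2001:db8::1]:443" (the Host header form for IPv6 addresses).
    """
    host = host_header.strip()
    if host.startswith("["):                      # IPv6 literal
        end = host.find("]")
        return (host[: end + 1] if end != -1 else host).lower()
    if ":" in host:
        host = host.rsplit(":", 1)[0]
    return host.lower()


def host_allowed(host_header: str, allowed_hosts: List[str]) -> bool:
    """Apply the Allowed hosts rules to a single Host header value."""
    host = strip_port(host_header)
    if not host:
        return False
    for pattern in allowed_hosts:
        pattern = pattern.strip().lower()
        if not pattern:
            continue
        if pattern == "*":                       # matches anything
            return True
        if pattern.startswith("."):
            # ".example.com" matches the bare domain and every subdomain,
            # but not "evil-example.com" or "example.com.evil.test".
            if host == pattern[1:] or host.endswith(pattern):
                return True
        elif host == pattern:                    # exact, case-insensitive
            return True
    return False


def audit_allowed_hosts(allowed_hosts: List[str]) -> List[str]:
    """Return warnings for entries that weaken Host header validation."""
    warnings = []
    for entry in allowed_hosts:
        e = entry.strip()
        if e == "*":
            warnings.append('"*" disables Host header validation entirely')
        elif e.startswith(".") and e.count(".") == 1:
            warnings.append(f'"{e}" matches every host under a top-level domain')
    return warnings


if __name__ == "__main__":
    # Constructed list mirroring the examples in the documentation.
    allowed = [".reversinglabs.com", "89.201.174.154", "89.201.174.152"]
    for candidate in ("manager.reversinglabs.com:443", "evil-reversinglabs.com"):
        print(candidate, host_allowed(candidate, allowed))
    print(audit_allowed_hosts(allowed + ["*"]))
```

Run the audit against the list you intend to paste into the dialog; an empty result means no wildcard-style entry was found.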

SMTP

  • SMTP hostname

    The host to use for sending email. For the SMTP service to function properly, this field must not be empty.

  • SMTP port

    Port of the host used for sending email. For the SMTP service to function properly, this field must not be empty.

  • Username; Password

    SMTP username and password for authentication.

  • Default "from" email address

    The email address used by the appliance as the "from" address when sending email (for password resets, error alerts and similar).

  • Use TLS

    Select the checkbox to use a secure connection (TLS; Transport Layer Security) when communicating with the SMTP server. Enable it whenever the SMTP server supports it; otherwise the SMTP username and password may be sent in clear text.

SNMP & system alerting

  • Enable SNMP service

    Select the checkbox to enable the Simple Network Management Protocol service.

  • Community

    Enter the name of the SNMP community used for authentication. The community identifies the set of SNMP clients authorized to make requests. The SNMP service will not function properly if this field is not configured. Treat the community string as a credential: do not use a default such as "public", and restrict 161/UDP to the monitoring hosts.

  • Enable trap sink

    Select the checkbox to enable sending SNMP traps to the sink server. Traps are asynchronous, unsolicited SNMP messages sent by the SNMP agent to notify about important events on the appliances.

  • Trap community

    Enter the SNMP trap community string. If the Enable SNMP service and Enable trap sink checkboxes are selected, this field is required.

  • Trap sink server

    Enter the host name or the IP address of the trap sink server, the location to which SNMP traps will be sent. If the Enable SNMP service and Enable trap sink checkboxes are selected, this field is required.

  • SNMP trap thresholds

    A set of configuration fields allowing the user to set the thresholds (values that will trigger an SNMP trap) for the supported event types. Thresholds can be configured for average system load over 1, 5 and 15 minutes (as a percentage), used memory and used disk space (as a percentage).

System Alerting

  • Send system alert messages to syslog server

    Select the checkbox to enable sending alerts about the status of critical system services on the connected appliances to the syslog server.

  • Host

    Host address of the remote syslog server to send alerts to.

  • Port

    Port of the remote syslog server.

  • Protocol

    Communication protocol to use when sending alerts to a remote syslog server. Options are TCP (default) and UDP.

  • Enable audit logs to be sent to syslog server

    Audit logs will be sent to the syslog server in addition to the other system messages. Enabling this increases the traffic between the Manager and the syslog server.

Authentication

  • Duration of login session

    How long an authenticated user session remains active; set in days, hours, minutes, or seconds. Default is 7 days, and the minimum is 1 minute.

LDAP

Connection

  • LDAP server host

    Hostname or IP address of the server providing LDAP authentication. Example: ldap.example.com

  • LDAP server port

    LDAP server host port. Default: 389 (LDAP) or 636 (LDAPS).

  • TLS; TLS require certificate

    Select the TLS checkbox to use a secure connection when communicating with the LDAP server. To verify the TLS certificate, select TLS require certificate. With TLS alone the connection is encrypted but the server identity is not checked, so the Bind DN password could be captured by anyone able to intercept the connection; enable both options in production.

  • Select TLS CA Certificate file

    The dialog that opens when clicking Browse allows the user to upload the CA certificate used to verify the LDAP host identity. The certificate must be in PEM format. To apply the certificate, the options TLS and TLS require certificate must be enabled.

  • Bind DN or user

    User account used to log in to LDAP. DN stands for Distinguished Name. Example: "user@example.com" or "cn=user,dc=example,dc=com".

  • Password

    Password for the Bind user account.

User Schema; Group Schema

  • Base DN

    Root node in LDAP from which to search for users/groups. Example: "cn=users,dc=example,dc=com".

  • Scope

    Scope of the user/group directory searches (base, one level, subordinate, subtree).

  • User/Group Object Class

    The objectClass value used when searching for users/groups. Example: "user" or "group".

  • User/Group Name Attribute

    The attribute holding the user name/group name. Examples: "sAMAccountName" or "cn".

  • Group Type

    Available options are "Member" and "Unique Member". See https://ldapwiki.com/wiki/GroupOfUniqueNames vs groupOfNames for an explanation of the differences.

User attribute mapping

  • First name; Last name

    Attributes to map to a user's first and last name.

  • Email

    Attribute to map to the email address.

User access

  • Active flag group

    Group DN. Users will be marked as active only if they belong to this group. Example: "cn=active,ou=users,dc=example,dc=com".

  • Superuser flag group

    Group DN. Users will be marked as superusers only if they belong to this group. Example: "cn=admins,ou=groups,dc=example,dc=com".

  • Require group

    Group DN. Authentication will fail for any user that does not belong to this group. Example: "cn=enabled,ou=groups,dc=example,dc=com".

  • Deny group

    Group DN. Authentication will fail for any user that belongs to this group. Example: "cn=disabled,ou=groups,dc=example,dc=com".

OAuth 2.0 / OpenID Connect

OAuth 2.0 / OpenID Connect client

  • Client ID

    Client Identifier value for the application that was previously registered with the OpenID Connect provider (for example, Active Directory Federation Services (AD FS)). This should be provided to the appliance administrator by the OpenID Connect provider.

  • Client Type

    Specifies whether the client will be configured as a public or a confidential application. Possible values are Public (do not use Client Secret) and Confidential (use Client Secret). If set to Confidential, the Client Secret must be provided in the next field.

OpenID Connect provider

  • Verify SSL certificate

    If this checkbox is selected, the OpenID Connect client will verify the SSL certificate of the provider responses. Leave it selected: without verification, the tokens and user information received from the provider could be substituted by anyone on the network path.

  • Config URL

    Can be optionally used to populate the configuration fields by providing the discovery URL of the Identity Provider and clicking the Get button.

  • Claim Source

    Specifies which source will be used to authenticate and authorize users. Claims are name/value pairs that contain information about a user, for example "email": "name.surname@example.com". Supported values are Use ID Token (OpenID), Use UserInfo endpoint (OpenID) and Use Access Token. If Use Access Token is selected, the following three fields become available.

  • Audience

    Visible only if Claim Source is set to Use Access Token. Specifies the expected value of the Audience (aud) field in the token, i.e. the intended recipient of the token (usually the URL of your Manager). A token whose aud does not match is rejected.

  • Relying Party ID/Resource

    Visible only if Claim Source is set to Use Access Token. The identifier of the application requesting user authentication from the Identity Provider. It should be set to the identifier assigned to the Manager in the Identity Provider's configuration; in AD FS, it can be found in the Relying Party Trust section of the AD FS console.

  • Issuer

    Visible only if Claim Source is set to Use Access Token. Specifies the expected value of the Issuer (iss) field in the token, usually the URL of your authorization server. A token whose iss does not match is rejected.

  • Authorization Endpoint

    URL of the OpenID Connect provider authorization endpoint. This endpoint handles the authentication and authorization of users.

  • Token Endpoint

    URL of the OpenID Connect provider token endpoint. This endpoint can be used by a client application to request and obtain ID, refresh, and access tokens.

  • UserInfo endpoint

    Visible only if Claim Source is set to Use UserInfo endpoint (OpenID). URL of the OpenID Connect provider UserInfo endpoint. The UserInfo endpoint is a protected resource from which client applications can retrieve information about claims for the logged-in user.

  • Scopes

    Provide one or more scopes that should be requested during login.

Signature verification

  • Signature algorithm

    Select which algorithm is used to sign ID tokens. Supported options are RS256 and HS256. If RS256 is selected, the Signature public key or the JWKS Endpoint must also be configured. RS256 with a JWKS Endpoint is the preferred combination, because the provider can rotate its signing keys without the Manager being reconfigured.

  • Signature public key

    The public key used to verify ID token signatures when using the RS256 signature algorithm.

  • JWKS Endpoint

    URL of the JWKS (JSON Web Key Set) endpoint published by the OpenID Connect provider.

Claim mapping

  • Username

    Short name of the claim containing the unique username identifying the user.

  • E-mail

    Short name of the claim containing the unique email address of the user.

  • First name

    Short name of the claim containing the first name of the user.

  • Last name

    Short name of the claim containing the last name of the user.

  • Groups

    Name of the claim that contains the list of the user's groups.

User access

  • Active flag group

    Accepts the name of the group containing active users. If a user is not in this group, they will be marked as inactive.

  • Superuser flag group

    Accepts the name of the group containing superusers (administrators). Users will be marked as superusers only if they are in this group.

  • Require group

    Accepts the name of the group containing users who have access to the appliance. Authentication will fail for every user that is not in this group.

  • Deny group

    Accepts the name of the group containing users who are not allowed to access the appliance. Authentication will fail for every user that is in this group.

Miscellaneous

  • Always prompt for login

    Select the checkbox to require the authorization server to always re-authenticate the user, even if the user is already authenticated. If this option is enabled, the prompt=login parameter will be added to the authentication query, and the "Keep me signed in" checkbox will not be visible in the AD FS login form. Note that this option should not be used as a security measure, because the parameter can be removed by users to bypass re-authentication.

The full configuration guide for AD FS on Windows Server 2016 and OpenID Connect can be found in the OpenID Configuration Guide.
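The fields in the Signature verification, provider (Audience, Issuer), Claim mapping and User access dialogs all feed one decision: is this token genuine, is it meant for this Manager, and which account does it map to. The following is an added example, not code from the Manager (whose implementation is not public) and not from any identity provider: a minimal, standard-library HS256 validator that pins the algorithm, checks the signature, iss, aud and exp, then maps claims and applies the Require, Deny, Active flag and Superuser flag group rules. Those four group rules are described identically for LDAP above, and the same resolve step applies there. The client secret, issuer, audience, claim names, group names and the token itself are constructed for the example; a production RS256 setup would verify against the keys published at the JWKS Endpoint instead of a shared secret.

```python
"""Added example of OpenID Connect token checks and group-based access rules.
Not ReversingLabs code; all names, URLs and secrets are constructed."""
import base64
import hashlib
import hmac
import json
import time
from typing import Any, Dict, Optional


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_hs256_token(claims: Dict[str, Any], secret: str) -> str:
    """Mint an HS256 JWT; stands in for the provider's token endpoint here."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_hs256_token(token: str, secret: str, issuer: str, audience: str,
                       now: Optional[float] = None) -> Dict[str, Any]:
    """Check signature, then iss, aud and exp; return claims or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # The configured algorithm is pinned; the token's own "alg" is never trusted
    # (this is what blocks "alg": "none" and algorithm-confusion tokens).
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(secret.encode(), f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != issuer:                  # Issuer field
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")                          # Audience field
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    if float(claims.get("exp", 0)) <= (time.time() if now is None else now):
        raise ValueError("token expired")
    return claims


# Claim mapping and User access values as they would be typed into the dialogs;
# the claim and group names are constructed for this example.
CLAIM_MAP = {"username": "upn", "email": "email", "groups": "groups"}
ACCESS = {"active": "sd-active", "superuser": "sd-admins",
          "require": "sd-users", "deny": "sd-disabled"}


def resolve_user(claims: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    """Apply Require, Deny, Active and Superuser group rules; None refuses the login."""
    groups = set(claims.get(CLAIM_MAP["groups"], []))
    if ACCESS["require"] not in groups or ACCESS["deny"] in groups:
        return None
    return {
        "username": claims[CLAIM_MAP["username"]],
        "email": claims.get(CLAIM_MAP["email"]),
        "is_active": ACCESS["active"] in groups,
        "is_superuser": ACCESS["superuser"] in groups,
    }


def login(token: str, secret: str, issuer: str, audience: str,
          now: Optional[float] = None) -> Optional[Dict[str, Any]]:
    """Token validity is established before any group membership is consulted."""
    return resolve_user(verify_hs256_token(token, secret, issuer, audience, now))


if __name__ == "__main__":
    secret = "example-client-secret"
    iss, aud = "https://adfs.example.com/adfs", "https://manager.example.com/"
    tok = make_hs256_token({"iss": iss, "aud": aud, "exp": time.time() + 600,
                            "upn": "alice@example.com", "email": "alice@example.com",
                            "groups": ["sd-users", "sd-active", "sd-admins"]}, secret)
    print(login(tok, secret, iss, aud))
```

The order matters: a forged or expired token never reaches the group logic, and a genuine token for a user in the Deny group is refused even if they are also in the Superuser group.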

Spectra Intelligence

  • Enable Spectra Intelligence

    Select the checkbox to enable the connection to Spectra Intelligence. Spectra Detect Manager needs to be connected to the Spectra Intelligence cloud in order to automatically retrieve system updates and appliance upgrades. When connected, the Manager polls the cloud once every 60 minutes.

  • Username; Password

    Username and password for authenticating to Spectra Intelligence.

  • Timeout

    How long to wait before the Spectra Intelligence connection times out (in seconds; the maximum allowed value is 1000).

  • Proxy host

    Proxy hostname or address for routing requests from the appliance to Spectra Intelligence (e.g., 192.168.1.15).

  • Proxy port

    Proxy port number (e.g., 1080).

  • Proxy username; Proxy password

    Username and password for proxy authentication.

Dashboard configuration

  • Enable Central Logging

    Enabling central logging will completely change the home page to show statistics on the number of processed files and their classifications. This feature is also resource-intensive. Ensure at least 32 GB RAM and 1 TB disk for optimal performance.

  • Retention period

    How long to keep the collected logs on the Manager.

  • Enable Central File Storage

    Enables file storage on the Manager. If enabled, connected Workers will store samples on the Manager. Stored samples can later be analyzed with Spectra Analyze by clicking on "Analyze with Spectra Analyze" on the analytics page. Enabling this feature may require additional disk space. The required storage depends on the size of the samples coming from the connected Workers and their retention period. Samples larger than the file limit threshold will not be stored.

  • File Size Limit

    File size limit in MiB. Samples larger than the set threshold will not be stored. The default is 400, the maximum supported file size on Spectra Analyze.

  • Sample Retention Period

    Time, in hours, after which the uploaded samples will be removed from the Central File Storage.

  • Minimum Disk Space

    The minimum allowed free disk space in GiB. If the remaining disk space is below the configured threshold, new sample uploads will be rejected. For example, to use 900 GiB of space for central file storage on a 1000 GiB disk, set the value to 100.

  • Enable Deep Cloud Analysis

    Enabling this option (Multi-Scanning) instructs Workers to upload samples to the Cloud using their respective account and usage quota. Samples are uploaded only if they pass the filtering criteria: up to 2 GB in size. If a sample already exists in the Cloud, the Manager monitors the data change feed and updates the dashboard accordingly. Enabling this feature affects the final verdict (classification, risk score and threat name), resulting in an increased detection rate and reduced remediation time. Additionally, up to 5 antivirus engine scanners can be selected to be listed on the dashboard.

System time

  • Enable network time synchronization

    Select the checkbox to enable clock synchronization via NTP (Network Time Protocol).

  • NTP servers

    A list of server addresses, separated by a new line, to use for system clock synchronization. Click Test connection to verify that time synchronization functions properly.

System Alerting

If system alerting is enabled in the System Alerting configuration dialog, the following system operations and services are monitored. Syslog notifications are sent when any of the services or operations meets the condition defined in the table.

  System operation or service        Notification trigger
  RAM                                usage is over 90% for 10 minutes
  CPU                                usage is over 40% for 2 minutes
  CPU wait (waiting for IO)          over 20% for 2 minutes
  Disk usage                         over 90% for 10 minutes
  UWSGI service                      down for 2 minutes
  NGINX service                      down for 2 minutes
  RABBIT-MQ service                  down for 2 minutes
  POSTGRES service                   down for 2 minutes
  MEMCACHED service                  down for 2 minutes
  CROND service                      down for 2 minutes
  SSHD service                       down for 2 minutes
  SUPERVISORD service                down for 2 minutes
  SMTP                               if enabled, but stopped for 4 minutes
  NTPD                               if enabled, but stopped for 4 minutes
  Any of the SUPERVISORD services    if it has crashed
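Every row in the table is a sustained condition ("over X% for N minutes"), not a single-sample threshold, which is what keeps short spikes from paging anyone. The following is an added example, not code from the Manager: a small evaluator that reproduces that semantics so the same rules can be replicated in an external monitoring system or checked against a recorded metric series. The rules are transcribed from the table; service health is modelled as a 0/1 "down" metric so the "down for N minutes" rows have the same shape; the metric samples are constructed.

```python
"""Added example: "over X for N minutes" evaluation as in the System Alerting table.
Not ReversingLabs code; samples are constructed."""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    over: float      # fire when the metric is strictly above this value...
    minutes: float   # ...continuously for at least this long


# Rules from the System Alerting table (usage rows in percent; "down" rows as 0/1).
RULES: List[Rule] = [
    Rule("RAM usage %", 90, 10),
    Rule("CPU usage %", 40, 2),
    Rule("CPU wait %", 20, 2),
    Rule("Disk usage %", 90, 10),
    Rule("UWSGI down", 0, 2),
    Rule("NGINX down", 0, 2),
    Rule("SMTP down", 0, 4),
    Rule("NTPD down", 0, 4),
]


def first_alert(rule: Rule, samples: Iterable[Tuple[float, float]]) -> Optional[float]:
    """Return the timestamp (seconds) at which the rule first fires, or None.

    samples: (timestamp, value) pairs in time order. The condition must hold on
    every sample for rule.minutes; one sample at or below the threshold resets
    the clock.
    """
    since: Optional[float] = None
    for ts, value in samples:
        if value > rule.over:
            if since is None:
                since = ts
            if ts - since >= rule.minutes * 60:
                return ts
        else:
            since = None
    return None


def constant_series(value: float, start: int = 0, stop: int = 900,
                    step: int = 30) -> List[Tuple[float, float]]:
    """Constructed metric series: one sample every `step` seconds."""
    return [(float(t), float(value)) for t in range(start, stop, step)]


def evaluate_all(series_by_rule: dict) -> dict:
    """Map rule name -> first alert time for each rule that has a series."""
    return {r.name: first_alert(r, series_by_rule[r.name])
            for r in RULES if r.name in series_by_rule}


if __name__ == "__main__":
    # CPU pinned at 55% but dipping to 30% once at t=120s: the dip resets the
    # 2-minute window, so the alert fires at 270s rather than at 120s.
    spiky = constant_series(55, 0, 120) + [(120.0, 30.0)] + constant_series(55, 150, 900)
    print(evaluate_all({"CPU usage %": spiky, "NGINX down": constant_series(1, 0, 300)}))
```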

SNMP Trap Thresholds

The Manager can send notifications (traps) about important system events via the Simple Network Management Protocol (SNMP). An event is "trapped" and sent to the trap sink server when its configured threshold level is exceeded.

The Manager uses the DISMAN-EVENT-MIB::mteTriggerFired SNMP trap and supports 3 different triggers. These triggers can be used to keep track of low disk space, high memory usage or high CPU load average over time.

  Trigger identifier                                        Trigger condition
  DISMAN-EVENT-MIB::mteHotTrigger.0 = STRING: dskTable      disk usage is higher than the configured threshold (the default value is 90%)
  DISMAN-EVENT-MIB::mteHotTrigger.0 = STRING: memoryFree    memory usage is higher than the set threshold (the default value is 80%)
  DISMAN-EVENT-MIB::mteHotTrigger.0 = STRING: laTable       average system load in the specified time frame (1, 5 or 15 minutes) is higher than the set threshold

To enable SNMP traps and configure the address of the trap sink server, adjust the values in the Settings ‣ Configuration ‣ SNMP & System Alerting dialog on the Manager.

The dialog also allows setting thresholds for the supported event types, which are described in more detail below.

Average system load

This trap is sent if the average load of the local system exceeds specified values (1-minute, 5-minute and 15-minute averages). Values should be provided as percentages, which are recalculated into appropriate thresholds as reported with uptime or top commands.

The following examples show traps triggered by a high 1-minute, 5-minute and 15-minute system load average, respectively:

2018-01-26 14:35:54 <UNKNOWN> [UDP: [192.168.123.247]:60418->[192.168.123.17]:162]:
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (13) 0:00:00.13
SNMPv2-MIB::snmpTrapOID.0 = OID: DISMAN-EVENT-MIB::mteTriggerFired
DISMAN-EVENT-MIB::mteHotTrigger.0 = STRING: laTable
DISMAN-EVENT-MIB::mteHotTargetName.0 = STRING:
DISMAN-EVENT-MIB::mteHotContextName.0 = STRING:
DISMAN-EVENT-MIB::mteHotOID.0 = OID: UCD-SNMP-MIB::laErrorFlag.1
DISMAN-EVENT-MIB::mteHotValue.0 = INTEGER: 1
UCD-SNMP-MIB::laNames.1 = STRING: Load-1
UCD-SNMP-MIB::laErrMessage.1 = STRING: 1 min Load Average too high (= 2.56)

2018-01-26 14:35:54 <UNKNOWN> [UDP: [192.168.123.247]:60418->[192.168.123.17]:162]:
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (13) 0:00:00.13
SNMPv2-MIB::snmpTrapOID.0 = OID: DISMAN-EVENT-MIB::mteTriggerFired
DISMAN-EVENT-MIB::mteHotTrigger.0 = STRING: laTable
DISMAN-EVENT-MIB::mteHotTargetName.0 = STRING:
DISMAN-EVENT-MIB::mteHotContextName.0 = STRING:
DISMAN-EVENT-MIB::mteHotOID.0 = OID: UCD-SNMP-MIB::laErrorFlag.2
DISMAN-EVENT-MIB::mteHotValue.0 = INTEGER: 1
UCD-SNMP-MIB::laNames.2 = STRING: Load-5
UCD-SNMP-MIB::laErrMessage.2 = STRING: 5 min Load Average too high (= 2.00)

2018-01-26 14:35:54 <UNKNOWN> [UDP: [192.168.123.247]:60418->[192.168.123.17]:162]:
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (13) 0:00:00.13
SNMPv2-MIB::snmpTrapOID.0 = OID: DISMAN-EVENT-MIB::mteTriggerFired
DISMAN-EVENT-MIB::mteHotTrigger.0 = STRING: laTable
DISMAN-EVENT-MIB::mteHotTargetName.0 = STRING:
DISMAN-EVENT-MIB::mteHotContextName.0 = STRING:
DISMAN-EVENT-MIB::mteHotOID.0 = OID: UCD-SNMP-MIB::laErrorFlag.3
DISMAN-EVENT-MIB::mteHotValue.0 = INTEGER: 1
UCD-SNMP-MIB::laNames.3 = STRING: Load-15
UCD-SNMP-MIB::laErrMessage.3 = STRING: 15 min Load Average too high (= 2.05)

Used memory

This trap is sent if used memory on the local system exceeds the specified percentage. The default value is 80%. The following example shows an event triggered by memory usage that exceeded the configured trap threshold:

DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (8) 0:00:00.08
SNMPv2-MIB::snmpTrapOID.0 = OID: DISMAN-EVENT-MIB::mteTriggerFired
DISMAN-EVENT-MIB::mteHotTrigger.0 = STRING: memoryFree
DISMAN-EVENT-MIB::mteHotTargetName.0 = STRING:
DISMAN-EVENT-MIB::mteHotContextName.0 = STRING:
DISMAN-EVENT-MIB::mteHotOID.0 = OID: UCD-SNMP-MIB::memTotalFree.0
DISMAN-EVENT-MIB::mteHotValue.0 = INTEGER: 2124816
UCD-SNMP-MIB::memTotalReal.0 = INTEGER: 16467096 kB

Used disk space

This trap is sent if used disk space on any of the mounted disks exceeds the specified percentage. The default value is 90%. The following example shows an event triggered by a disk with less than 10% of free disk space on the /boot partition:

DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (25) 0:00:00.25
SNMPv2-MIB::snmpTrapOID.0 = OID: DISMAN-EVENT-MIB::mteTriggerFired
DISMAN-EVENT-MIB::mteHotTrigger.0 = STRING: dskTable
DISMAN-EVENT-MIB::mteHotTargetName.0 = STRING:
DISMAN-EVENT-MIB::mteHotContextName.0 = STRING:
DISMAN-EVENT-MIB::mteHotOID.0 = OID: UCD-SNMP-MIB::dskErrorFlag.26
DISMAN-EVENT-MIB::mteHotValue.0 = INTEGER: 1
UCD-SNMP-MIB::dskPath.26 = STRING: /boot
UCD-SNMP-MIB::dskErrorMsg.26 = STRING: /boot: less than 10% free (= 8%)
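The three trap types above differ in what they carry: laTable and dskTable traps include a ready-made verdict and message, whereas the memoryFree trap only reports free and total memory in kB, so the used percentage has to be recomputed on the receiving side before it can be compared with the configured threshold. The following is an added example, not ReversingLabs code: it splits a trap log as written by a text-logging trap sink into individual traps, parses the varbinds, and turns each of the three trigger types into a structured event suitable for forwarding to a SIEM. The only assumption is the one-varbind-per-line format "MODULE::object.index = TYPE: value" shown in the examples; the sample log embeds the traps from this page as constructed strings.

```python
"""Added example: parsing the mteTriggerFired traps shown on this page.
Not ReversingLabs code; the sample log is reproduced from the page's examples."""
import re
from typing import Dict, List, Tuple

# One varbind per line as logged by the trap sink: "MODULE::object.index = TYPE: value"
VARBIND = re.compile(
    r"^(?P<module>[\w-]+)::(?P<object>\w+)(?:\.(?P<index>\d+))?\s*=\s*(?P<type>\w+):\s*(?P<value>.*)$"
)

# Load (1-minute), memory and disk traps from the examples above (constructed log).
SAMPLE_TRAPS = """\
2018-01-26 14:35:54 <UNKNOWN> [UDP: [192.168.123.247]:60418->[192.168.123.17]:162]:
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (13) 0:00:00.13
SNMPv2-MIB::snmpTrapOID.0 = OID: DISMAN-EVENT-MIB::mteTriggerFired
DISMAN-EVENT-MIB::mteHotTrigger.0 = STRING: laTable
DISMAN-EVENT-MIB::mteHotTargetName.0 = STRING:
DISMAN-EVENT-MIB::mteHotContextName.0 = STRING:
DISMAN-EVENT-MIB::mteHotOID.0 = OID: UCD-SNMP-MIB::laErrorFlag.1
DISMAN-EVENT-MIB::mteHotValue.0 = INTEGER: 1
UCD-SNMP-MIB::laNames.1 = STRING: Load-1
UCD-SNMP-MIB::laErrMessage.1 = STRING: 1 min Load Average too high (= 2.56)
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (8) 0:00:00.08
SNMPv2-MIB::snmpTrapOID.0 = OID: DISMAN-EVENT-MIB::mteTriggerFired
DISMAN-EVENT-MIB::mteHotTrigger.0 = STRING: memoryFree
DISMAN-EVENT-MIB::mteHotTargetName.0 = STRING:
DISMAN-EVENT-MIB::mteHotContextName.0 = STRING:
DISMAN-EVENT-MIB::mteHotOID.0 = OID: UCD-SNMP-MIB::memTotalFree.0
DISMAN-EVENT-MIB::mteHotValue.0 = INTEGER: 2124816
UCD-SNMP-MIB::memTotalReal.0 = INTEGER: 16467096 kB
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (25) 0:00:00.25
SNMPv2-MIB::snmpTrapOID.0 = OID: DISMAN-EVENT-MIB::mteTriggerFired
DISMAN-EVENT-MIB::mteHotTrigger.0 = STRING: dskTable
DISMAN-EVENT-MIB::mteHotTargetName.0 = STRING:
DISMAN-EVENT-MIB::mteHotContextName.0 = STRING:
DISMAN-EVENT-MIB::mteHotOID.0 = OID: UCD-SNMP-MIB::dskErrorFlag.26
DISMAN-EVENT-MIB::mteHotValue.0 = INTEGER: 1
UCD-SNMP-MIB::dskPath.26 = STRING: /boot
UCD-SNMP-MIB::dskErrorMsg.26 = STRING: /boot: less than 10% free (= 8%)
"""


def split_traps(text: str) -> List[str]:
    """Split a trap log into single traps; every SNMPv2 trap starts with sysUpTimeInstance."""
    traps: List[List[str]] = []
    for line in text.splitlines():
        if "sysUpTimeInstance" in line:
            traps.append([])
        if traps:
            traps[-1].append(line)
    return ["\n".join(t) for t in traps]


def parse_trap(text: str) -> Dict[str, str]:
    """Map object name (MIB module prefix dropped) to its value for one trap."""
    vb: Dict[str, str] = {}
    for line in text.splitlines():
        m = VARBIND.match(line.strip())
        if m:  # transport/header lines do not match the varbind pattern and are skipped
            vb[m.group("object")] = m.group("value").strip()
    return vb


def classify_trap(vb: Dict[str, str], memory_threshold_pct: float = 80.0) -> Tuple[str, str, bool]:
    """Return (trigger kind, human-readable detail, threshold exceeded?)."""
    if vb.get("snmpTrapOID") != "DISMAN-EVENT-MIB::mteTriggerFired":
        return ("unknown", "not an mteTriggerFired trap", False)
    trigger = vb.get("mteHotTrigger", "")
    flagged = vb.get("mteHotValue") == "1"          # error flag set by the agent
    if trigger == "laTable":
        return ("load", f'{vb.get("laNames", "?")}: {vb.get("laErrMessage", "")}', flagged)
    if trigger == "dskTable":
        return ("disk", vb.get("dskErrorMsg", ""), flagged)
    if trigger == "memoryFree":
        # mteHotValue is memTotalFree in kB; recompute used % against the threshold.
        free_kb = int(vb["mteHotValue"])
        total_kb = int(vb["memTotalReal"].split()[0])
        used_pct = 100.0 * (total_kb - free_kb) / total_kb
        return ("memory", f"used {used_pct:.1f}% of {total_kb} kB", used_pct > memory_threshold_pct)
    return ("unknown", trigger, False)


def process_trap_log(text: str) -> List[Tuple[str, str, bool]]:
    return [classify_trap(parse_trap(t)) for t in split_traps(text)]


if __name__ == "__main__":
    for kind, detail, exceeded in process_trap_log(SAMPLE_TRAPS):
        print(f"{kind:7s} exceeded={exceeded} {detail}")
```

The memory figure in the sample works out to about 87% used, which is why that trap fired against the default 80% threshold; pass the value configured in the dialog as memory_threshold_pct if it differs.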

Licensing on the Manager

On first login after installing or updating the appliance, the appliance must be licensed within 45 days of the release’s general availability date. This also applies to any connected appliances. While the trial license is active, Licensing options on the Manager can be accessed using the Administration > Licensing menu item.

There are two ways of licensing appliances:

By using Spectra Intelligence

Click the Activate Using Cloud button and fill out the account information. A licensing request will be sent to Spectra Intelligence and, if the account is valid, the appliance will be activated.

Individual appliances connected to the Manager can be activated using Spectra Intelligence by configuring it for appliance groups in Central Configuration.

By uploading a license file

Appliances can also be licensed offline by sending their machine IDs to ReversingLabs support via email. This can be done from the licensing page by checking one or more boxes next to appliances and clicking the Request License button.

This opens the user's default email client with the relevant information filled in. Make sure to send the request from an email address that is already known to ReversingLabs.

When ReversingLabs support responds with the requested license files, upload them using the Upload License button and click Upload. The Manager will automatically match the license files to the appropriate appliances. A single license file can contain multiple machine IDs.

If an appliance instance was created by cloning a VM, administrators need to generate a new Machine ID and request a new license for every clone of the original appliance VM.

If the appliance is still in the licensing trial period, the Machine ID can be regenerated in the Administration > Licensing section.

License Expiration

  • Appliances without a license are in a trial period for 45 days from the release’s general availability date.
  • If appliances licensed using Spectra Intelligence can’t reach it, they enter a grace period of 14 days during which they will still operate normally.
  • Regenerating a machine ID of an already licensed appliance will require it to be licensed again.
  • Once the Manager trial/grace period expires, the appliance will open to the Licensing screen, and no other actions will be available.

Note: Licensing can also be configured using the Spectra Detect Manager API. Visit Help > Spectra Detect Manager API Documentation for more information. To license Spectra Detect appliances without using the Manager, refer to the API section of the Spectra Detect user guide.