Version: Spectra Detect 5.2.1

Manager settings

These are the general steps to configuring a new Manager:

  1. Deploy the appliance and attach it to the network.
  2. Configure network settings via the console to access the Web UI.
  3. Configure installation-specific settings on the system configuration screen.
  4. License the Manager.

Network Ports

The Manager supports the following ports for inbound connections:

  • 80/TCP and 443/TCP for connecting to the Manager Web UI.
  • 22/TCP for maintenance purposes.
  • 161/UDP for SNMP monitoring.

Outgoing connections to the internet via the following ports are also supported:

  • 53/UDP for DNS
  • 123/UDP for NTP

However, it is strongly recommended that users configure the system to use their own DNS and NTP infrastructure instead (if necessary).

Outgoing connections to the Spectra Intelligence database at https://appliance-api.reversinglabs.com use destination port 443/TCP. The DNS name is appliance-api.reversinglabs.com and the connection supports HTTPS only.

Configuration via the Manager Web Interface

After logging in, access the Administration ‣ Spectra Detect Manager page from the main Manager menu. The page contains dialogs with options for configuring the Manager. When done updating the settings in the configuration dialogs, click Save. The appliance will be restarted and begin using the new settings.

General

Network settings

  • Application URL

    The URL that can be used to access the Web UI of the Manager. The application URL must be configured to use the HTTPS protocol.

  • Allowed hosts

    A list of strings, one per line, representing the host/domain names that this appliance installation can serve. Values in this list can be fully qualified names (e.g., "www.example.com"), in which case they will be matched against the request’s Host header exactly (case-insensitive, not including the port). A value beginning with a period can be used as a subdomain wildcard: ".example.com" will match "example.com", "www.example.com", and any other subdomain of "example.com". A value of "*" will match anything. Examples: .reversinglabs.com, 89.201.174.154, 89.201.174.152

  • Select SSL certificate

    Clicking Browse allows the user to upload a file containing a custom SSL certificate to replace the self-signed certificate generated by the Manager.

  • Select SSL certificate key

    Clicking Browse allows the user to upload a file containing the key that corresponds to the certificate uploaded in the option above.
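As an added example that is not part of the Spectra Detect documentation, the following Python code implements the Allowed hosts matching rules described above: fully qualified entries match the request's Host header exactly, case-insensitively and ignoring the port; an entry beginning with a period matches the domain itself and every subdomain; "*" matches anything. The entry list is the one given in the documentation's example; the function names and the Host header values the code is checked against are this example's own.

```python
# Added example (not part of the Spectra Detect documentation): a Host-header
# check implementing the "Allowed hosts" rules described in the dialog text.

# Entries as given in the documentation's own example (one per line in the dialog).
ALLOWED_HOSTS = [".reversinglabs.com", "89.201.174.154", "89.201.174.152"]


def strip_port(host_header: str) -> str:
    """Return the host part of a Host header value without its port.
    Bracketed IPv6 literals are kept whole ("[::1]:443" -> "[::1]")."""
    value = host_header.strip()
    if value.startswith("["):
        end = value.find("]")
        return value[: end + 1] if end != -1 else value
    return value.rsplit(":", 1)[0] if ":" in value else value


def entry_matches(entry: str, host: str) -> bool:
    """Match one Allowed-hosts entry against a host name (case-insensitive)."""
    entry, host = entry.strip().lower(), host.lower()
    if entry == "*":                       # wildcard entry: matches anything
        return True
    if entry.startswith("."):              # subdomain wildcard: ".example.com"
        return host == entry[1:] or host.endswith(entry)
    return host == entry                   # fully qualified name: exact match only


def is_allowed(host_header: str, allowed=ALLOWED_HOSTS) -> bool:
    """True if a request carrying this Host header is served by the installation."""
    host = strip_port(host_header)
    return any(entry_matches(entry, host) for entry in allowed)


def check_hosts(headers, allowed=ALLOWED_HOSTS):
    """Evaluate several Host header values; returns {header: allowed?}."""
    return {header: is_allowed(header, allowed) for header in headers}


if __name__ == "__main__":
    # Constructed sample Host headers, including ones that must be rejected.
    results = check_hosts([
        "www.reversinglabs.com",       # subdomain of the wildcard entry
        "REVERSINGLABS.COM:443",       # bare domain; port and case are ignored
        "89.201.174.154",              # exact IP entry
        "reversinglabs.com.example",   # the entry is only a prefix here: rejected
        "89.201.174.1",                # not in the list: rejected
    ])
    for header, ok in results.items():
        print(f"{header:30} {'allowed' if ok else 'rejected'}")
```

The suffix check is anchored on the leading period, so an entry like ".reversinglabs.com" never matches a host that merely contains the string elsewhere; that is the property to verify whenever the list is edited.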
Synchronization

  • Enable YARA ruleset synchronization

    Select the checkbox to allow synchronizing YARA rulesets between the appliances connected to the Manager. This setting is a global switch that affects all Spectra Analyze and Spectra Detect Worker appliances. For this functionality to work, YARA synchronization must also be enabled on the connected Spectra Analyze appliances. See the YARA Sync Page section for more details.

SSH

  • Permit root SSH login

    Select the checkbox to allow root SSH access to the Manager. This setting can be used for automated password management.

SWAP

  • Disable SWAP memory

    Checking this option disables the use of SWAP memory. Not applicable if the appliance is deployed as a Docker image. Enabled by default.

SMTP

  • SMTP hostname

    The host to use for sending email. For the SMTP service to function properly, this field must not be empty.

  • SMTP port

    Port of the host used for sending email. For the SMTP service to function properly, this field must not be empty.

  • Username, Password

    SMTP username and password for authentication.

  • Default "from" email address

    The email address used by the appliance as the "from" address when sending email (for password resets, error alerts, and so on).

  • Use TLS

    Select the checkbox to use a secure connection (TLS, Transport Layer Security) when communicating with the SMTP server.

SNMP & system alerting

  • Enable SNMP service

    Select the checkbox to enable the SNMP (Simple Network Management Protocol) service.

  • Community

    Enter the name of an SNMP community for authentication. A community is a list of SNMP clients authorized to make requests. The SNMP service will not function properly if this field is not configured.

  • Enable trap sink

    Select the checkbox to enable sending SNMP traps to the sink server. Traps are asynchronous, unsolicited SNMP messages sent by the SNMP agent to notify about important events on the appliances.

  • Trap community

    Enter the SNMP trap community string. If the Enable SNMP service and Enable trap sink checkboxes are selected, this field is required.

  • Trap sink server

    Enter the host name or the IP address of the trap sink server. The sink server is the location to which SNMP traps will be sent. If the Enable SNMP service and Enable trap sink checkboxes are selected, this field is required.

  • SNMP trap thresholds

    A set of configuration fields allowing the user to set the thresholds (values that will trigger an SNMP trap) for the supported types of events. Thresholds can be configured for average system load in 1, 5, and 10 minutes (as a percentage), used memory and used disk space (as a percentage).

System Alerting

  • Send system alert messages to syslog server

    Select the checkbox to enable sending alerts about the status of critical system services on the connected appliances to the syslog server.

  • Host

    Host address of the remote syslog server to send alerts to.

  • Port

    Port of the remote syslog server.

  • Protocol

    Communication protocol to use when sending alerts to a remote syslog server. Options are TCP (default) and UDP.

  • Enable audit logs to be sent to syslog server

    Audit logs will be automatically sent to the syslog server in addition to other system messages. Enabling this will increase the traffic between the Manager and the syslog server.

Authentication

See the Authentication section.

Spectra Intelligence

  • Enable Spectra Intelligence

    Select the checkbox to enable the connection to Spectra Intelligence. Spectra Detect Manager needs to be connected to the Spectra Intelligence cloud in order to automatically retrieve system updates and appliance upgrades. When connected, the Manager polls the cloud once every 60 minutes.

  • Username, Password

    Username and password for authenticating to Spectra Intelligence.

  • Timeout

    Specify how long to wait before the Spectra Intelligence connection times out (in seconds; the maximum allowed value is 1000).

  • Proxy host

    Proxy hostname for routing requests from the appliance to Spectra Intelligence (e.g., 192.168.1.15).

  • Proxy port

    Proxy port number (e.g., 1080).

  • Proxy username, Proxy password

    Username and password for proxy authentication.

Dashboard configuration

  • Enable Central Logging

    Enabling central logging will completely change the home page to show statistics on the number of processed files and their classifications. This feature is also resource-intensive. Ensure at least 32 GB RAM and 1 TB disk for optimal performance.

  • Retention period

    How long to keep the collected logs on the Manager.

  • Enable Central File Storage

    Enables file storage on the Manager. If enabled, connected Workers will store samples on the Manager. Stored samples can later be analyzed with Spectra Analyze by clicking on "Analyze with Spectra Analyze" on the analytics page. Enabling this feature may require additional disk space. The required storage depends on the size of the samples coming from the connected Workers and their retention period. Samples larger than the file limit threshold will not be stored.

  • File Size Limit

    File size limit in MiB. Samples larger than the set threshold will not be stored. The default is 400 MiB, which is the maximum file size supported on Spectra Analyze.

  • Sample Retention Period

    Time, in hours, after which the uploaded samples will be removed from the Central File Storage.

  • Minimum Disk Space

    The minimum allowed free disk space in GiB. If the remaining disk space is below the configured threshold, new sample uploads will be rejected. For example, to use 900 GiB of space for central file storage on a 1000 GiB disk, set the value to 100.

  • Enable Deep Cloud Analysis

    Enabling Multi-Scanning instructs Workers to upload samples to the Cloud using their respective account and usage quota. Samples are uploaded only if they pass the filtering criteria (up to 2 GB in size). If a sample already exists in the Cloud, the Manager monitors the data change feed for updates and refreshes the dashboard accordingly. Enabling this feature affects the final verdict (classification, risk score and threat name), resulting in a higher detection rate and reduced remediation time. Additionally, up to 5 antivirus engine scanners can be selected to be listed on the dashboard.

System time

  • Enable network time synchronization

    Select the checkbox to enable clock synchronization via NTP (Network Time Protocol).

  • NTP servers

    A list of server addresses, separated by a new line, to use for system clock synchronization. Click Test connection to verify that time synchronization functions properly.

System Alerting

If system alerting is enabled in the System Alerting configuration dialog, the following system operations and services will be monitored. Syslog notifications are sent when any of the services or operations meet the condition(s) defined in the table.

System operation or service          | Notification trigger
-------------------------------------|------------------------------------------
RAM                                  | usage is over 90% for 10 minutes
CPU                                  | usage is over 40% for 2 minutes
CPU wait (waiting for IO)            | over 20% for 2 minutes
Disk usage                           | over 90% for 10 minutes
UWSGI service                        | down for 2 minutes
NGINX service                        | down for 2 minutes
RABBIT-MQ service                    | down for 2 minutes
POSTGRES service                     | down for 2 minutes
MEMCACHED service                    | down for 2 minutes
CROND service                        | down for 2 minutes
SSHD service                         | down for 2 minutes
SUPERVISORD service                  | down for 2 minutes
SMTP                                 | if enabled, but stopped for 4 minutes
NTPD                                 | if enabled, but stopped for 4 minutes
Any of the SUPERVISORD services      | if it has crashed
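The following Python code is an added example, not part of the Spectra Detect documentation, showing how rules of the form "over X% for N minutes" or "down for N minutes" from the table above are evaluated: a notification is raised only once the condition has held for the stated number of consecutive minutes, so a one-minute spike does not alert, and any sample that fails the condition resets the count. It assumes one sample per minute, covers a few representative rows of the table, and runs over a constructed series of samples; the rule labels, sample keys, sample data and function names are this example's own.

```python
# Added example (not from the Spectra Detect documentation): sustained-condition
# evaluation for rules like those in the System Alerting table.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    name: str                              # row of the table this rule stands for
    minutes: int                           # condition must hold this many consecutive minutes
    holds: Callable[[dict], bool]          # predicate over one sample


# Thresholds and durations come from the table; the sample keys are this example's own.
RULES: List[Rule] = [
    Rule("RAM usage over 90%", 10, lambda s: s["ram_pct"] > 90),
    Rule("CPU usage over 40%", 2, lambda s: s["cpu_pct"] > 40),
    Rule("CPU IO wait over 20%", 2, lambda s: s["iowait_pct"] > 20),
    Rule("Disk usage over 90%", 10, lambda s: s["disk_pct"] > 90),
    Rule("NGINX service down", 2, lambda s: "nginx" not in s["up"]),
]


def first_trigger(samples: List[dict], rule: Rule) -> Optional[int]:
    """Index of the one-minute sample at which `rule` has held for `rule.minutes`
    consecutive samples, or None if it never did. A failing sample resets the run."""
    run = 0
    for i, sample in enumerate(samples):
        run = run + 1 if rule.holds(sample) else 0
        if run >= rule.minutes:
            return i
    return None


def evaluate(samples: List[dict]) -> Dict[str, Optional[int]]:
    """Map each rule name to the minute at which it would notify (None: no alert)."""
    return {rule.name: first_trigger(samples, rule) for rule in RULES}


def constructed_samples() -> List[dict]:
    """Twelve constructed one-minute samples: RAM high for exactly 10 minutes,
    CPU high for 2, IO wait spiking for 1, disk high for 5, nginx down for 2."""
    all_up = {"uwsgi", "nginx", "rabbitmq", "postgres", "memcached", "crond", "sshd", "supervisord"}
    return [{
        "ram_pct": 95 if 1 <= m <= 10 else 60,
        "cpu_pct": 70 if m in (3, 4) else 10,
        "iowait_pct": 30 if m == 5 else 2,
        "disk_pct": 92 if 2 <= m <= 6 else 50,
        "up": all_up - ({"nginx"} if m in (6, 7) else set()),
    } for m in range(12)]


if __name__ == "__main__":
    for name, minute in evaluate(constructed_samples()).items():
        print(f"{name:24} {'no alert' if minute is None else f'alert at minute {minute}'}")
```

Run against the constructed series, the RAM rule alerts at minute 10 (the tenth consecutive high sample), the CPU rule at minute 4 and the NGINX rule at minute 7, while the one-minute IO wait spike and the five-minute disk excursion never reach their durations and stay silent.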

SNMP Trap Thresholds

The Manager can receive notifications (traps) about important system events via the Simple Network Management Protocol (SNMP). The events are "trapped" and sent to the trap sink server when their configured threshold levels are triggered.

The Manager uses the DISMAN-EVENT-MIB::mteTriggerFired SNMP trap and supports 3 different triggers. These triggers can be used to keep track of low disk space, high memory usage or high CPU load average over time.

Trigger identifier                                     | Trigger condition
-------------------------------------------------------|-----------------------------------------------------------------------------------------------
DISMAN-EVENT-MIB::mteHotTrigger.0 = STRING: dskTable   | disk usage is higher than the configured threshold (the default value is 90%)
DISMAN-EVENT-MIB::mteHotTrigger.0 = STRING: memoryFree | memory usage is higher than the set threshold (the default value is 80%)
DISMAN-EVENT-MIB::mteHotTrigger.0 = STRING: laTable    | average system load in the specified time frame (1, 5 or 15 minutes) is higher than the set threshold

To enable SNMP traps and configure the address of the trap sink server, adjust the values in the Settings ‣ Configuration ‣ SNMP & System Alerting dialog on the Manager.

The dialog also allows setting thresholds for supported types of events, which are described in more detail below.

Average system load

This trap is sent if the average load of the local system exceeds the specified values (1-minute, 5-minute and 15-minute averages). Values should be provided as percentages, which are recalculated into the corresponding load-average thresholds as reported by the uptime or top commands.

The following examples show traps triggered by a high 1-minute, 5-minute and 15-minute system load average, respectively:

2018-01-26 14:35:54 <UNKNOWN> [UDP: [192.168.123.247]:60418->[192.168.123.17]:162]:
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (13) 0:00:00.13
SNMPv2-MIB::snmpTrapOID.0 = OID: DISMAN-EVENT-MIB::mteTriggerFired
DISMAN-EVENT-MIB::mteHotTrigger.0 = STRING: laTable
DISMAN-EVENT-MIB::mteHotTargetName.0 = STRING:
DISMAN-EVENT-MIB::mteHotContextName.0 = STRING:
DISMAN-EVENT-MIB::mteHotOID.0 = OID: UCD-SNMP-MIB::laErrorFlag.1
DISMAN-EVENT-MIB::mteHotValue.0 = INTEGER: 1
UCD-SNMP-MIB::laNames.1 = STRING: Load-1
UCD-SNMP-MIB::laErrMessage.1 = STRING: 1 min Load Average too high (= 2.56)

2018-01-26 14:35:54 <UNKNOWN> [UDP: [192.168.123.247]:60418->[192.168.123.17]:162]:
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (13) 0:00:00.13
SNMPv2-MIB::snmpTrapOID.0 = OID: DISMAN-EVENT-MIB::mteTriggerFired
DISMAN-EVENT-MIB::mteHotTrigger.0 = STRING: laTable
DISMAN-EVENT-MIB::mteHotTargetName.0 = STRING:
DISMAN-EVENT-MIB::mteHotContextName.0 = STRING:
DISMAN-EVENT-MIB::mteHotOID.0 = OID: UCD-SNMP-MIB::laErrorFlag.2
DISMAN-EVENT-MIB::mteHotValue.0 = INTEGER: 1
UCD-SNMP-MIB::laNames.2 = STRING: Load-5
UCD-SNMP-MIB::laErrMessage.2 = STRING: 5 min Load Average too high (= 2.00)

2018-01-26 14:35:54 <UNKNOWN> [UDP: [192.168.123.247]:60418->[192.168.123.17]:162]:
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (13) 0:00:00.13
SNMPv2-MIB::snmpTrapOID.0 = OID: DISMAN-EVENT-MIB::mteTriggerFired
DISMAN-EVENT-MIB::mteHotTrigger.0 = STRING: laTable
DISMAN-EVENT-MIB::mteHotTargetName.0 = STRING:
DISMAN-EVENT-MIB::mteHotContextName.0 = STRING:
DISMAN-EVENT-MIB::mteHotOID.0 = OID: UCD-SNMP-MIB::laErrorFlag.3
DISMAN-EVENT-MIB::mteHotValue.0 = INTEGER: 1
UCD-SNMP-MIB::laNames.3 = STRING: Load-15
UCD-SNMP-MIB::laErrMessage.3 = STRING: 15 min Load Average too high (= 2.05)

Used memory

This trap is sent if used memory on the local system exceeds the specified percentage. The default value is 80%. The following example shows an event triggered by memory usage that exceeded the configured trap threshold:

DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (8) 0:00:00.08
SNMPv2-MIB::snmpTrapOID.0 = OID: DISMAN-EVENT-MIB::mteTriggerFired
DISMAN-EVENT-MIB::mteHotTrigger.0 = STRING: memoryFree
DISMAN-EVENT-MIB::mteHotTargetName.0 = STRING:
DISMAN-EVENT-MIB::mteHotContextName.0 = STRING:
DISMAN-EVENT-MIB::mteHotOID.0 = OID: UCD-SNMP-MIB::memTotalFree.0
DISMAN-EVENT-MIB::mteHotValue.0 = INTEGER: 2124816
UCD-SNMP-MIB::memTotalReal.0 = INTEGER: 16467096 kB

Used disk space

This trap is sent if used disk space on any of the mounted disks exceeds the specified percentage. The default value is 90%. The following example shows an event triggered by the /boot partition having less than 10% free disk space:

DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (25) 0:00:00.25
SNMPv2-MIB::snmpTrapOID.0 = OID: DISMAN-EVENT-MIB::mteTriggerFired
DISMAN-EVENT-MIB::mteHotTrigger.0 = STRING: dskTable
DISMAN-EVENT-MIB::mteHotTargetName.0 = STRING:
DISMAN-EVENT-MIB::mteHotContextName.0 = STRING:
DISMAN-EVENT-MIB::mteHotOID.0 = OID: UCD-SNMP-MIB::dskErrorFlag.26
DISMAN-EVENT-MIB::mteHotValue.0 = INTEGER: 1
UCD-SNMP-MIB::dskPath.26 = STRING: /boot
UCD-SNMP-MIB::dskErrorMsg.26 = STRING: /boot: less than 10% free (= 8%)
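As an added example that is not part of the Spectra Detect documentation, the Python below parses snmptrapd text output of the kind shown in the Average system load, Used memory and Used disk space sections into one dictionary of varbinds per trap and then summarises each trap by its mteHotTrigger value, which is how a trap receiver would route these three event types. For the memoryFree trap it derives the used-memory percentage from memTotalFree (carried in mteHotValue; assumed to be in kB, the unit memTotalReal reports) and memTotalReal, and compares it with the 80% default threshold. The input is constructed from this page's own trap examples; it deliberately contains both the layout where an "= OID:" value wraps onto the following line and the single-line form, and the parser accepts both. The function and constant names are this example's own.

```python
# Added example (not from the Spectra Detect documentation): parse and classify
# mteTriggerFired traps as printed by snmptrapd.
import re

# Constructed input assembled from the documentation's trap examples. The first
# trap keeps the wrapped "= OID:" layout; the other two use the single-line form.
TRAP_TEXT = """\
2018-01-26 14:35:54 <UNKNOWN> [UDP: [192.168.123.247]:60418->[192.168.123.17]:162]:
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (13) 0:00:00.13
SNMPv2-MIB::snmpTrapOID.0 = OID:
DISMAN-EVENT-MIB::mteTriggerFired
DISMAN-EVENT-MIB::mteHotTrigger.0 = STRING: laTable
DISMAN-EVENT-MIB::mteHotTargetName.0 = STRING:
DISMAN-EVENT-MIB::mteHotContextName.0 = STRING:
DISMAN-EVENT-MIB::mteHotOID.0 = OID:
UCD-SNMP-MIB::laErrorFlag.1
DISMAN-EVENT-MIB::mteHotValue.0 = INTEGER: 1
UCD-SNMP-MIB::laNames.1 = STRING: Load-1
UCD-SNMP-MIB::laErrMessage.1 = STRING: 1 min Load Average too high (= 2.56)
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (8) 0:00:00.08
SNMPv2-MIB::snmpTrapOID.0 = OID: DISMAN-EVENT-MIB::mteTriggerFired
DISMAN-EVENT-MIB::mteHotTrigger.0 = STRING: memoryFree
DISMAN-EVENT-MIB::mteHotTargetName.0 = STRING:
DISMAN-EVENT-MIB::mteHotContextName.0 = STRING:
DISMAN-EVENT-MIB::mteHotOID.0 = OID: UCD-SNMP-MIB::memTotalFree.0
DISMAN-EVENT-MIB::mteHotValue.0 = INTEGER: 2124816
UCD-SNMP-MIB::memTotalReal.0 = INTEGER: 16467096 kB
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (25) 0:00:00.25
SNMPv2-MIB::snmpTrapOID.0 = OID: DISMAN-EVENT-MIB::mteTriggerFired
DISMAN-EVENT-MIB::mteHotTrigger.0 = STRING: dskTable
DISMAN-EVENT-MIB::mteHotTargetName.0 = STRING:
DISMAN-EVENT-MIB::mteHotContextName.0 = STRING:
DISMAN-EVENT-MIB::mteHotOID.0 = OID: UCD-SNMP-MIB::dskErrorFlag.26
DISMAN-EVENT-MIB::mteHotValue.0 = INTEGER: 1
UCD-SNMP-MIB::dskPath.26 = STRING: /boot
UCD-SNMP-MIB::dskErrorMsg.26 = STRING: /boot: less than 10% free (= 8%)
"""

# "<object name> = <TYPE>: <value>"; the value may be empty when it wraps.
VARBIND = re.compile(r"^(?P<name>\S+) = (?P<type>[A-Za-z0-9-]+):\s*(?P<value>.*)$")
# Receiver header line, e.g. "2018-01-26 14:35:54 <UNKNOWN> [UDP: ...]:"
HEADER = re.compile(r"^\d{4}-\d{2}-\d{2} .*\]:$")

MEMORY_THRESHOLD_PCT = 80   # Manager default for the memoryFree trigger


def parse_traps(text):
    """Split snmptrapd text output into one {varbind name: value} dict per trap.
    Every trap starts with sysUpTimeInstance. A bare line (no " = ") that follows
    a varbind with an empty value is that varbind's wrapped value."""
    traps, current, pending = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or HEADER.match(line):
            pending = None
            continue
        match = VARBIND.match(line)
        if match:
            if match["name"].endswith("::sysUpTimeInstance"):
                current = {}
                traps.append(current)
            if current is None:
                continue
            pending = match["name"]
            current[pending] = match["value"].strip()
        elif current is not None and pending and current[pending] == "":
            current[pending] = line
    return traps


def lookup(trap, suffix):
    """Value of the first varbind whose name contains `suffix` (the row index varies)."""
    return next((v for k, v in trap.items() if suffix in k), None)


def summarize(trap):
    """Classify one parsed trap by its mteHotTrigger value."""
    trigger = trap.get("DISMAN-EVENT-MIB::mteHotTrigger.0")
    if trigger == "laTable":
        return {"trigger": "load", "message": lookup(trap, "::laErrMessage.")}
    if trigger == "memoryFree":
        # mteHotValue carries memTotalFree (assumed kB); memTotalReal is "<n> kB".
        free_kb = int(trap["DISMAN-EVENT-MIB::mteHotValue.0"])
        total_kb = int(trap["UCD-SNMP-MIB::memTotalReal.0"].split()[0])
        used_pct = round(100 * (total_kb - free_kb) / total_kb, 1)
        return {"trigger": "memory", "used_pct": used_pct,
                "exceeds_default_threshold": used_pct > MEMORY_THRESHOLD_PCT}
    if trigger == "dskTable":
        return {"trigger": "disk", "path": lookup(trap, "::dskPath."),
                "message": lookup(trap, "::dskErrorMsg.")}
    return {"trigger": "unknown", "hot_trigger": trigger}


if __name__ == "__main__":
    for trap in parse_traps(TRAP_TEXT):
        print(summarize(trap))
```

For the memory trap on this page the summary works out to 87.1% used (16467096 kB total, 2124816 kB free), which is why it exceeded the 80% default; keying the classification on mteHotTrigger rather than on message text keeps the receiver stable across the varying row indices (laErrMessage.1, dskErrorMsg.26, and so on) seen in the examples.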

Licensing on the Manager

On first login after installing or updating the appliance, the appliance must be licensed within 45 days of the release’s general availability date. This also applies to any connected appliances. While the trial license is active, Licensing options on the Manager can be accessed using the Administration > Licensing menu item.

There are two ways of licensing appliances:

By using Spectra Intelligence

Click the Activate Using Spectra Intelligence button and fill out the account information. A licensing request will be sent to Spectra Intelligence and, if the account is valid, the appliance will be activated.

Individual appliances connected to the Manager can be activated using Spectra Intelligence by configuring it for appliance groups in Central Configuration.

By uploading a license file

Appliances can also be licensed offline by sending their machine IDs to ReversingLabs support via email. This can be performed from the licensing page by checking one or more boxes next to appliances and clicking the Request License button.

This opens the user’s default email client with the relevant information filled in. Make sure to send the request using an email address that is previously known to ReversingLabs.

When we respond with the requested license files, upload them using the Upload License button and click Upload. The Manager will automatically match the license files to appropriate appliances. A single license file can contain multiple machine IDs.

If an appliance instance was created by cloning a VM, administrators need to generate a new Machine ID and request a new license for every clone of the original appliance VM.

If the appliance is still in the licensing trial period, this can be done in the Administration > Licensing section.

License Expiration

  • Appliances without a license are in a trial period for 45 days from the release’s general availability date.
  • If appliances licensed using Spectra Intelligence can’t reach it, they enter a grace period of 14 days during which they will still operate normally.
  • Regenerating a machine ID of an already licensed appliance will require it to be licensed again.
  • Once the Manager trial/grace period expires, the appliance will open to the Licensing screen, and no other actions will be available.
Note: Licensing can also be configured using the Spectra Detect Manager API. Visit Help > Spectra Detect Manager API Documentation for more information. To license Spectra Detect appliances without using the Manager, refer to the API section of the Spectra Detect user guide.