Skip to main content

The Network sensor

The Network sensor collects and pre-processes network-related events in order to enrich the context of your incidents.

It is configured in TAP mode and gets a copy of the network traffic via a SPAN port. It can detect any type of device that communicates via IPv4 or IPv6 network protocols, regardless of whether the device is managed by Bitdefender or not. If there are any IoT devices on the network that communicate using those same protocols, the Network sensor will inspect that traffic as well.

For more information about the Network sensor requirements, refer to the Network sensor requirements page.

For optimal results, it is recommended you implement one network sensor appliance per network subnet.

Note

The Network sensor does not support SCADA or any particular OT protocols.

After configuration, the Network sensor continuously listens to network traffic, collects events from all endpoints in your environment, pre-processes and pre-filters them, and sends both metadata and detections to GravityZone Security Analytics engine.

View the triggered detections in the Incidents > Search section, by using the following query: other.sensor_name:network. These detections are used to enrich the context of Extended Incidents generated by GravityZone.

To add the Network sensor, follow these steps:

Install the Network sensor

You can deploy the Network sensor in your environment by using the prebuilt appliance images for vSphere, Hyper-V, or you can install it manually.

Configure the Network sensor virtual appliance

After installing the Network sensor, follow these steps to configure the virtual appliance:

  1. Start the Network sensor virtual machine.

  2. Log in via SSH using root / sve as username and password.

  3. Change the password.

    The default password does not meet the new security password requirements, so you have to change it. It must contain at least 8 characters, one digit, at least one upper case character, at least one lower case character, one special character and must be changed every 3 months.

    gravityzone_cl_sve_new_password_nsva.png

    Note

    For more information about resetting the root password, refer to Reset root password for Security Server.

  4. To configure the Network sensor, run the following command:

    /opt/bitdefender/bin/sva_setup.sh
  5. Start the configuration process.

    xEDR-NS_config.png

    Choose an option from:

    1. Network configuration - allows setting the following modes:

      • eth0: this is the primary interface used in the Dynamic Host Configuration Protocol (DHCP) mode to enable communication with GravityZone.

      • eth1: this is the interface in promiscuous mode, used to analyze network traffic.

      The subnet of the monitored network on the promiscuous interface must be configured:

      1. Select Network configuration.

      2. Select the promiscuous interface. By default it is eth1.

        eth1.png
      3. Configure the monitored subnet address using the CIDR notation:

        subnet.png
      4. Select the configuration mode for the primary interface:

        configuration_mode.png
        • If no change is needed, select 1. DHCP (current).

        • If the primary interface must have static IP address, select 2. Static and complete the configuration:

          static_ip.png
    2. Internet proxy configuration - allows setting a proxy configuration that will be used the first time the Network sensor communicates with GravityZone .

    3. Go to Communication server configuration and select one of the following options, based on your browser's URL:

      • For cloudgz.gravityzone.bitdefender.com: GZ Cloud Instance 1

      • For cloud.gravityzone.bitdefender.com: GZ Cloud Instance 2

      • For cloudap.gravityzone.bitdefender.com: GZ Cloud Instance 3

    4. Configure the Company hash - the GravityZone company hash where the Network sensor sends the data (Login to GravityZone > My Company > My Company hash).

  6. If the connection is successful, the Network sensor will be displayed in the GravityZone platform, in Network > Computers and Groups( in approximately 30 seconds).

    xEDR-NS-in-network-page.png
  7. The Network sensor main log file can be found here:

    /opt/bitdefender/var/log/bdxdrd.log
    xEDR-main-log-file.jpg

View the triggered detections in the Incidents > Search section, by using the following query: alert.type:ghoster.

If you encounter any issues with your Network sensor, you can collect debug logs and contact Bitdefender Enterprise Support for assistance.