Hello Security Ninjas, here you will find our FAQ/wiki page; we will add every question we receive from you via email or via the contact form.
Please make sure to read the "readme.md" file (attached to the sensor zip file) BEFORE using the sensor.
For questions or comments please email "info@secopx.com".
How to install the sensor?
Please read the "readme.md" and follow the instructions.
1) Install the dependencies according to your distribution.
2) Copy the license file to the IntruSense-v30 folder.
3) Configure the server's log paths (if you use the default Debian/Ubuntu logs, you can skip this stage).
4) Install the sensor with "./install" (this will also install and start the sensor as a service).
In such an installation the sensor runs in default mode: if it finds a malicious file, or a file it considers malicious that is actually a "false positive", it moves it to the "quarantine" folder (under /opt/IntruSense-v30),
and in case it is a false positive file you will need to retrieve it with "./secopx --retrieve ./".
My web app crashed after I installed Secopx! What should I do now?
Probably the Intrudia sensor (the Secopx sensor) flagged one of your files as a "false positive" and put it in quarantine; you can easily retrieve them all with:
./secopx --retrieve .
I use Cloudflare, can I ignore the "Modsec" part?
Yes, if you are using an external Web Application Firewall you can ignore the "Modsec" flag.
QUARANTINED FILES & HOW TO RETRIEVE THEM - What are they? Where are they kept? What to do with them? How to retrieve files in case of a "false positive"?
If the sensor finds files infected with "Webshells", "Ransomware" or other malicious content that has serious potential to harm the server,
the sensor moves those files from their original location into the "QUARANTINE" folder /opt/IntruSense-v30/quarantine/.
99% of those files are dangerous and can cause serious harm; only if you are 100% sure that the quarantined file is a "false positive" should you
"retrieve" the quarantined file or files by running:
"./secopx --retrieve ." - this command retrieves ALL of the quarantined files.
"./secopx --retrieve filename" - run this to retrieve a specific file.
To see the quarantined list go to the front end (if you purchased the SOC AS A SERVICE service) or look in the quarantine folder /opt/IntruSense-v30/quarantine.
You can also see the list in the secopx.log file.
What is the difference between the sensor with "SOC/SIEM as a service" and the free version?
None; the sensor is open source and GPL3. We do NOT sell the sensor, but if you want our "SOC/SIEM as a service" and other services you need to support us.
How secure are your servers?
Very. We do our best to secure our servers and our users' data: we perform penetration tests on a regular basis, use firewalls, and everything else security professionals require.
Deep scan - full scan of the "web files folder"
What is "Deep scan" mode? Which servers may it fit?
By default the sensor uses Yara to scan the whole "web files folder" (/var/www/html for example) ONLY
on the first run. After the first run the sensor scans only "just created files" from the last hour in each scan,
which we call "smart scan". Smart scan is efficient with system resources and scans only known, hard-coded
file extensions (php, asp, js, cgi, sh, bash, jsp, csf, cfn, html, swf, css, aspx, yaws, wss, action, jspx, pl, py, phtml, rb, rss, svg, shtml, asmx, wasm, atom, dtl, kt, hta, htc, cs).
How does it work in the default mode?
In the default running mode of the scanner "deep mode" is NOT set;
to enable it, set "DEEP_SCAN_MODE" to 'true'. The sensor will then scan the entire "web files folder" (/var/www/html for example) on every run.
Deep scan mode is intended for servers with a maximum of 150,000 files!
Because of the nature of the scanner (which scans the whole web server folder), on servers that contain more than 150,000 files the Yara engine might take too long to complete the task, which makes the whole scanning process lag the scanner, so it is NOT recommended there!
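The following shell script is an added illustration, not Secopx's own code: it approximates the "smart scan" and "deep scan" selection described above and applies the 150,000-file rule before enabling DEEP_SCAN_MODE in a secopx.conf-style file. It assumes that "just created" can be approximated by modification time within the last N minutes and that the conf file uses "KEY:value" lines, as the REPORT_MODE:true example on this page suggests.

```shell
# Added example, not Secopx code: approximates the "smart scan" and "deep
# scan" selection described above and sets DEEP_SCAN_MODE in a secopx.conf
# style file. Assumed: "just created" means mtime within N minutes, and the
# conf format is "KEY:value" as in the REPORT_MODE:true example on this page.

# Hard-coded extension list quoted on the page for "smart scan".
SMART_EXTS="php asp js cgi sh bash jsp csf cfn html swf css aspx yaws wss
action jspx pl py phtml rb rss svg shtml asmx wasm atom dtl kt hta htc cs"

# smart_scan_candidates DIR [MINUTES]: files modified within MINUTES
# (default 60) whose extension is in SMART_EXTS, one path per line.
smart_scan_candidates() {
    dir=$1; minutes=${2:-60}
    set --                                  # build the find(1) -name filter
    for e in $SMART_EXTS; do
        if [ $# -eq 0 ]; then set -- -name "*.$e"
        else set -- "$@" -o -name "*.$e"; fi
    done
    find "$dir" -type f -mmin "-$minutes" \( "$@" \) 2>/dev/null
}
# count_web_files DIR: number of regular files under the web root.
count_web_files() {
    find "$1" -type f 2>/dev/null | wc -l | tr -d ' '
}
# deep_scan_advisable DIR [LIMIT]: succeeds only if the web root holds at
# most LIMIT files (default 150000, the ceiling stated on the page).
deep_scan_advisable() {
    [ "$(count_web_files "$1")" -le "${2:-150000}" ]
}

# get_conf_key FILE KEY / set_conf_key FILE KEY VALUE: read or rewrite a
# "KEY:value" line; set_conf_key appends the key when it is missing.
get_conf_key() {
    sed -n "s/^$2:\(.*\)$/\1/p" "$1"
}
set_conf_key() {
    if grep -q "^$2:" "$1"; then
        sed "s|^$2:.*|$2:$3|" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
    else
        printf '%s:%s\n' "$2" "$3" >> "$1"
    fi
}

# enable_deep_scan FILE DIR [LIMIT]: refuses to set DEEP_SCAN_MODE:true on
# a web root above the file ceiling, so the Yara pass does not lag the scan.
enable_deep_scan() {
    deep_scan_advisable "$2" "${3:-150000}" || return 1
    set_conf_key "$1" DEEP_SCAN_MODE true
}
```

Run it against a copy of your conf file first; `enable_deep_scan` returns non-zero and leaves the file untouched when the web root is over the limit.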
What is "REPORT MODE" aka "SAFE MODE" and how to use it?
When setting "REPORT_MODE:true" in "/opt/IntruSense-v30/secopx.conf", the sensor will NOT be in protective mode,
i.e. it will not move malicious files to quarantine; the sensor DOES create an incident, but no protection is applied to the system.
This mode should be used only for testing purposes
(ideal for testing the sensor on a test environment before installing on the production environment, to avoid "false positives").
The default setting is REPORT_MODE:false.
KEEP IN MIND - the first run will ALWAYS run in normal mode; it is NOT possible to run the sensor from day 1 in report mode. Report mode can be
set only after the sensor has already run once in "normal mode", i.e. from the second run only; that's why we recommend first testing the sensor on a
test environment and only afterwards in the "production" environment.
What are the special settings of the Secopx sensor and how to configure them?
Configure your WEB-SERVER binary & log file PATH:
For default LAMP installations you don't need to configure anything, BUT in case your WEB SERVER PATH is not "/var/www/html/"
please define your web server folder and server logs folder PATHS in the config file (/opt/IntruSense-v30/secopx.conf).
For example, if you use NODE.JS set the path /usr/bin/nodejs in the secopx.conf file and then restart the service with "service secopx restart".
By default the sensor reads the syslog from "/var/log/syslog". If your syslog file is in another location please define it in secopx.conf.
Initialization:
After making changes to the monitored file system you must initialize the AIDE engine so that the newly created files do not produce false positives.
To initialize, run the CLI command:
/opt/IntruSense/./secopx --init
Changing password:
After you have installed and run the sensor, if you wish to change your password, simply connect to secopx.com/dashboard and change your password, then update the password in the sensor by running the CLI command:
/opt/IntruSense/./secopx --password
How to delete the quarantined files?
Simply run
/opt/Intrusense-v30/./secopx --destroy "FILENAME"
or
./secopx --destroy . to delete the whole quarantine folder.
Make sure none of the files is a false positive,
and in case you are not sure make a backup before deleting them.
How to update the Secopx Sensor?
To update, go to /opt/Intrusense-V30 and run
./secopx --update
Uninstall - How to uninstall the Secopx sensor?
Before uninstalling make sure to stop the daemon with "service secopx stop",
then go to the /opt/Intrusense-V30/ directory and run "make clean"; this will delete the installation files.
How to configure the Secopx sensor log files?
If you are not using the default Debian/Ubuntu apache2 log paths you must define in the conf file the location of:
- access log (if you use default CentOS with nginx default logs, change the path to /var/log/nginx/access.log).
- error log (if you use default CentOS with apache default logs, change the path to /var/log/httpd/error_log).
- syslog (if you use default CentOS logs, change the path to /var/log/secure).
- web server directory (by default set to /var/www/html/, change it if you use another location).
- messages (by default set to /var/log/messages, change it if you use another location).
- email server log (optional, by default set to /var/log/maillog).
Conf file:
IntruSense-v30/secopx.conf
Which Linux distributions are currently supported?
Debian 8, 9, 10 / Ubuntu 16, 18, 20 / CentOS 8.
What about Free-BSD and Open-BSD support?
We are FANS of Free-BSD, so there is a very, very good chance that we will make a BSD version soon; if you want to donate for it please email us!
What happens if I use the Secopx sensor on my server without a license?
You will need to edit the "secopx" file first to skip the license and the connection to our API; after that everything will work fine. The sensor will report to /var/log/secopx.log and will still protect, but there will be no alerts, no web frontend SOC/SIEM, no support, and no alerting. The core functionality will rock on and protect you! Updates are also free and open source; just edit the bash file to skip the license file and you will be ready to go.
Under which license the Secopx sensor is released?
In general the sensor is a hybrid of 7 licenses, but our original code is under GPL3. Please see the attached files "LICENSE-AND-CREDITS.txt" and "WARNING-MUST-READ-BEFORE-USE.txt" in the root folder of the project; we also attached each license in the LICENSES folder, also in the root folder of the project.
Is the sensor reporting and working in "real time"?
No, we wouldn't use the words "real time" here because we think the definition in such a scenario is complex. The sensor scans every newly created file roughly once a minute, so it is not real time, but it is very close to it, and the execution time is random.
Is the sensor working with SElinux in background?
Yes, the sensor is built and tested to run with SElinux support in the background.
How is the Risk-Level calculated?
Our algorithm calculates the risk level according to several criteria; the sensor combines inputs from several vectors and uses a kind of A.I.-based engine to determine the status of the system.
I have received an alert that my server is under DDOS/DOS attack, what does it mean?
Our system divides D/DoS attacks into 3 levels, 1-2-3, each representing the severity of the attack. If an alert was triggered it means you have been attacked at "LEVEL3", which is the highest level, and
we assume that if the attack duration was longer than 10 minutes you probably lost access to the server.
I got blocked, I cannot access the secopx.com domain OR I see a white screen, what happened?
You have probably been blocked by one of our firewalls or security systems, most likely due to failed login attempts or another issue with the Secopx sensor license. In such a case,
if you are a paid user, please immediately contact the customer support email address or our hotline phone line; we are available for paid customers 24 hours per day, 7 days a week.
If you are a free user please wait 24 to 48 hours and the firewalls will be reset automatically.
I am using Secopx on my server, am I GDPR compliant?
Yes. Only data about attackers and potential attackers is sent to our front end, the SOC/SIEM as a service, and even that, unless it was flagged or exported, is kept for only 24 hours due to our data retention policy. The sensor itself does not collect or send private user information.
Is it safe to install the sensor? Can someone hack me via the sensor?
Yes, the sensor is safe, because it has no incoming data vector: the sensor ONLY SENDS DATA and thus cannot be attacked; no door, no entrance. It was purposely designed to work in this manner.
What is your data retention policy for "SOC/SIEM as a service"? And for "on premise"?
For SOC/SIEM as a service, incidents are kept forever or until they reach 100; then they enter a FIFO (first in, first out) model. We keep sensor logs for up to 24 hours.
For on premise we recommend a week, but more should be possible.
Q - I can't login with the License; I get the following error: "Please check your license file credentials match your user name and password on the secopx dashboard" - what to do?
A - First ask yourself: do you have a multi license or a single one? If multi, all of the machines
are under the same username/password credentials; only the UUID is different.
Please remember to update the password to your CURRENT password in case you buy a new license
(on top of an existing one)!
If you have a single license (you have one machine) make sure the credentials
are identical to the ones you received in the email! First try to login to the dashboard with the same credentials: is it working? Then everything is good;
if not, contact our support. Depending on the error you are getting you might have been blocked by our Firewall; let's check.