F.A.Q

Please read the "readme.md" and follow the instructions.

1) Install the dependencies according to your distribution.
2) Copy the licence file to IntruSense-v30 folder.
3) Configure server's logs paths (if you use default Debian/Ubuntu logs, you can skip this stage).
4) Install the sensor "./install" (this will also install and start the sensor as a service).

in such installation the sensor will run in default mode, it means if it will find a malicous file or a "false positive" malicouios file it will remove it to the "quarantine" folder (/opt/Intrusense-v30)
and in case it is a flash positive file you will need to retrieve it with the "./secopx --retrieve ./"

Probably the Intrudia sensor (the secopx sensor) found one of your files as "false positive" and put theme in the quarantine, you can easily retrieve theme all with:
./secopx --retrieve .

Yes, if you are using external Web Application firewall you can ignore the "Modsec" flag.

If the sensor finds infected files with "Webshells","Ransomware" or other malicious files that have serious potential to harm the server,
the sensor will remove those files from their original location into the "QUARANTINE" folder /opt/IntruSense-v30/quarantine/
99% those files are dangerous and can cause serious harm, if you are 100% sure that the quarantined file is a "false positive" than you
can "retrieve" the quarantined file or files by running:

this command will retrieve ALL of the quarentined files "./secopx --retrieve ."
to retreive specific file run the following command "./secopx --retrieve filename"

To see the quarantined list go to the front end (if you purchased SOC AS A SERVICE service) or see the quarantined folder /opt/intruSense-V30/quarantine
you can see the list also at the secopx.log file.

None, the sensor is opensource and GPL3, we do NOT sell the sensor, but if you want our "SOC/SIEM as a service" and other services you need to support us.

Very, we are doing our best in order to secure our servers and our users data, we perform penetration testings on regular basis, use firewalls, etc etc needed from security professionals.

What is "Deep scan" mode? which servers it may fit?

By default the Sensor will use Yara to scan the whole "web files folder" (/var/www/html for example) ONLY
at the first run, after the first run the sensor will scan only "just created files" from the last hour in a scan
which we call "smart scan" smart scan is system resources efficient and will scan only know, hard coded
file extensions (php,asp,js,cgi,sh,bash,jsp,csf,cfn,html,swf,css,aspx,yaws,wss,action,jspx,pl,py,phtml,rb,rss,svg,shtml,asmx,wasm,atom,dtl,kt,hta,htc,cs)

How is it working in the default mode?

In the default running mode of the scanner "deep mode" is NOT set,
in order to set "DEEP_SCAN_MODE" to 'true'. The sensor then will scan each time the entire "web files folder" (/var/www/html for example).

Deep scan mode is intended for servers who has maximum 150,000 files!
Because of the nature of the scanner (which scans the whole web server folder) on servers that contains more than 150.000 files the Yara engine might take too much time to complete the task thus will cause the whole scanning process to lag the scanner and thus NOT recommended!

When setting the "REPORT_MODE:true" in the "/opt/IntruSense-v30/secopx.conf", the sensor will NOT be in protective mode
e.g will not move malicious file to quarantine, the sensor will DO create an incident but no protection will be applied to the system.
This mode should be used only for testing purposes
(ideal to test the sensor on test environment first before installing on production environment to avoid "false positive")
the default settings is REPORT_MODE:false

KEEP IN MIND - first running will ALWAYS run in normal mode, it is NOT Possible to run the sensor from day 1 with report mode, report mode can be
set only after the sensor already run once in "normal mode" thus from second run only, that's why we recommend first to test the sensor on
test enivornment only afterwards in "production" environments.

Configure your WEB-SERVER binary & log file PATH:

For default LAMP installations you dont need to config anything, BUT in case your WEB SERVER PATH is not "/var/www/html/"
please define your web server folder, server logs folder PATHS in the config file (/opt/IntruSense-v30/secopx.conf)
for example if you use NODE.JS set the path /use/bin/nodejs in the secopx.conf file and than restart the service "secopx service restart"

By defalut the sensor is reading the syslog from "/var/log/syslog". If your syslog file in another location plaese define in secopx.conf

Initialization:
After making changes to the monitored files system you must initialize aide engine in order not to get false positive from the new createad files.
In order to initialize run cli command
/opt/IntruSense/./secopx --init

Changing password:
After you have installed and run the sensor, if you wish to change you password, simply connect to secopx.com/dashboard and change your password, then update your password in the sensor by running cli command
/opt/IntruSense/./secopx --password

Simply run
/opt/Intrusense-v30/./secopx --destroy "FILENAME"
or
./secopx --destroy . to delete all quarantine folder.
Make sure non of the files is false positive file
and in case you are not sure than make a backup before delete theme.

In order to update go to /opt/Intrusense-V30 and run
./secopx --update

Before uninstalling make sure to stop the deamon with "service secopx stop",

afterwards go to the /opt/Intrusense-V30/ directory and run "make clean" this will delete the installation files.

If you are not using the default Debian/Ubuntu apache2 logs paths you must define in the conf file the location of:

- access log (if you use default CentOS with nginx default logs, change the path to /var/log/nginx/access.log).

- error log (if you use default CentOS with apache default logs, change the path to /var/log/httpd/error_log).

- syslog (if you use default CentOS logs, change the path to /var/log/secure).

- web server directory (by default set to /var/www/html/ , change if you use other location).

- messages (by default set to /var/log/messages , change if you use other location).

- email server log (optional, by default set to /var/log/maillog).

Conf file :
IntruSense-v30/secopx.conf

Debian 8,9,10 / Ubuntu 16,18,20, Centos 8.

We are FANS of Free-BSD so there is a very very good chance that we will make a BSD version soon, if you want to donate it please email us!

You will need to edit the "secopx" file first so skip the license and the connection to our API, but everything will work fine after you will do it, the sensor will report to /var/log/secopx.log, the sensor will also protect, there will be no alerts, no web frontend soc/siem, no support, and no alerting, but the core functioning will rock on and protect you! updates are also free and open source, just edit the bash file to skip the license file and you will be ready to go.

In general the Sensor is an hybrid of 7 licenses, but our original code is under GPL3, please see the attached files "LICENSE-AND-CREDITS.txt" and "WARNING-MUST-READ-BEFORE-USE.txt" in the root folder of the project, we also attached each license in the LICENSES folder also in the root folder of the project.

No, we wouldn't use the word "real time" here because we think the definition in such scenario is complex, the sensor scans every new created file with around every minute, so real time it's not, but it's very close to it and the the execute time is random.

Yes, the sensor is built and tested to run with SElinux support in the background.

Our Algorithm calculate the risk level according to several criteria's, the sensor combine inputs from several vecotors and using some kind of A.I based engine to determine the status of the system.

Our system divides D/DOS attacks to 3 levels, 1-2-3 , each represent the severity of the attack, If an alert was triggered it means you have been attacked in "LEVEL3" which is the highest level and
we assume that if the attack duration was longer than 10 minutes you probably lost access to the server.

Your probably have been blocked by one of our firewalls or security systems, probably due to failed login attempts or other issue with the Secopx sensor license, in such case
if you are paid user, please immediately contact customer support email address or our hotline phone line, we are available for paid customers 24 hours per day 7 days a week.
if you are free user please wait 24 hours or 48 hours and the firewalls will be reseted automatically.

Yes, only data about attackers and potential attackers is sent to our front end, the SOC/SIEM as a service, and even,unless was flagged or expoereted is kept for only 24 hours due to our data retention policy, the sensor itself does not collect nor send private user info.

Yes the sensor is safe, because it has no incoming data vector, the sensor ONLY SENDS DATA thus cannot be attacked,so no door no entrance, was purposely designed to work in this manner.

for Soc/Siem as a service, Incidents are kept forever or until they reach 100, then they enter in FIFO (first in first out) model, We keep sensor logs for up to 24 hours.
for on premise - we recommends a week but more should be possible.

Q- I cannt login with the License,
Q- "i get the following error "Please check your license file credentials match your user name and password on the secopx dashboard" - what to do?

A - First ask yourself a question, do you have multi License? or single? if multi, all of the machines
are under the same username / password credentials, only the UUID is different.

please remember to update the password in case you buy a new license (on top of existing one)
to your CURRENT password!

If you have a single license (you have 1 one machine) make sure the credentials
are identical to the ones you received in email! try first login into the dashboard with the same credential, is it working? everything is good,
if not, contact our support, depends on the error you are getting you might have been blocked by our Firewall, let's check.