
DARKTRACE VSENSOR

CONFIGURATION GUIDE
vSensor v5.1.2

Last Updated: April 15 2021 | Reissued: August 1 2022



DARKTRACE VSENSOR CONFIGURATION GUIDE


vSensor v5.1.2

Darktrace vSensors 3

Network and Virtual Hardware Requirements 5

Standalone Image 7

Cloud Infrastructure 8

Cloud Infrastructure via CLI 9

Configuring a Communication Mode 10

Methods of vSensor Packet Ingestion 12

Deployment Check 13

Log Ingestion for vSensors 14

Frequently Asked Questions 16



DARKTRACE VSENSORS

The Darktrace vSensor is a lightweight virtual probe intended for deployment in cloud-based networks or environments
where it is not feasible to deploy a physical probe, such as virtualized networks. vSensors can be deployed as a standalone
virtual machine receiving packets from a virtual switch, in a public cloud VPC traffic-mirroring scenario, or by collecting
packets from osSensor agents deployed on VMs to be monitored.

In addition to processing and transmitting network traffic, vSensors can ingest and forward syslog-format logs to the
Darktrace master. VPN and DHCP logs can provide valuable device-tracking enrichment and custom event types derived
from ingested log data can be used to integrate with a number of third-party tools.

Deployment
The vSensor can be located as a ‘virtual’ probe instance, configured to receive a SPAN from the virtual network switch.
With additional configuration, vSensors can ingest and process physical network traffic in addition to virtualized traffic,
which is ideal for scenarios where altering the physical network is not possible. Only one vSensor needs to be installed on
each hardware server, allowing for scalability. The vSensor supports VXLAN and ERSPAN type I and type II, as well as GRE
with transparent Ethernet bridging.

Example Scenario: a vSensor receiving mirrored traffic from a virtual switch.

For usage in cloud or other environments where it is not possible to span a virtual switch, the vSensor also supports
ingestion of traffic from multiple osSensors. Darktrace osSensors can be installed on devices running Windows, supported
Linux distributions and any Linux environment running the Docker engine. The osSensor agent is installed on each
customer device where visibility is desired and monitors all of the network traffic to/from that device; the monitored traffic is
then sent to the vSensor for analysis. osSensors utilize host resources to forward traffic, so should only be installed where it
is not possible to retrieve traffic through other means.

Example Scenario: a vSensor in a VPC with osSensors monitoring individual devices and a vSensor receiving mirrored
packets from a physical switch.

In VPC environments, the Darktrace vSensor can receive network traffic from packet mirroring. Guides are available for
configuring the vSensor with AWS VPC Traffic Mirroring and GCP Packet Mirroring. Deployment scenarios are not mutually
exclusive; a vSensor deployed in AWS receiving traffic via VPC mirroring may also have connected osSensors to ensure
coverage over pre-Nitro instances or containerized infrastructure.

Example Scenario: a vSensor receiving mirrored traffic from a VPC mirroring policy and from osSensors monitoring
containerized infrastructure.

Virtualized deployments support Darktrace RESPOND autonomous response applied via vSensors and osSensor agents.
vSensors can perform Darktrace RESPOND/Network reset actions directly or instruct their associated osSensors - agent or
containerized - to respond. Darktrace RESPOND/Network is enabled by default on both vSensors and osSensors - where a
valid license key is present on the associated Darktrace master, no additional configuration is required to begin taking
actions.

Pre-Requisites
• vSensors require an Update Key; this can be found on the “Product Updates and Documentation” page of the
Darktrace Customer Portal alongside the vSensor download. If you do not have access to the Customer Portal,
the Update Key can be supplied by your Darktrace representative or a member of Darktrace support.

• For Push Token communication mode, a Darktrace Master instance running Threat Visualizer v4.0.7 or above is
required.

NETWORK AND VIRTUAL HARDWARE REQUIREMENTS

Networking Requirements
Ingested network traffic is processed and sent to the Darktrace master; the size of data transferred across the network is
approximately 1-4% of the incoming bandwidth to the vSensor.

PURPOSE                                          PORT / PROTOCOL                    DIRECTION   REQUIRED?
Contact packages.darktrace.com for updates       443/TCP (HTTPS)                    Outbound    Required
Contact packages-cdn.darktrace.com for updates   443/TCP (HTTPS)                    Outbound    Required
Communication with associated osSensors          443/TCP (HTTPS) & 80/TCP (HTTP)    Inbound     Required (when osSensors deployed)
Remote management of Cloud Deployments           22/TCP (SSH)                       Inbound     Required

Communication Mode Requirements

Data can be pushed from the vSensor (in one of two ways) or pulled from the vSensor by the master: all methods use HTTPS
over port 443/port 80. Pull mode and Push Token mode use an extra layer of symmetric encryption using a shared token,
making these options appropriate for use over untrusted networks such as the internet.

One of the following modes will be required:

PURPOSE             PORT / PROTOCOL     DIRECTION                                  APPROVED FOR CLOUD-HOSTED MASTERS?
Push Token mode     443/TCP (HTTPS)     Outbound to Darktrace Master               True
Pull mode           443/TCP (HTTPS)     Inbound to Darktrace Master                True
Legacy Push mode    443/TCP (HTTPS)     Outbound & Inbound to Darktrace Master     False

Virtual Hardware Requirements


Operating System

• Ubuntu 20.04 Focal (v5.1 and above)

CPU

Minimum of 2 CPU cores, best performance with 3+. Faster CPUs are more useful than many cores. The Deep Packet
Inspection workers auto-scale; each extra DPI worker requires 2 CPU cores and 500 MB RAM.

RAM

1.5GB RAM is required, 3.75–4 GB RAM is recommended. Deep Packet Inspection workers auto scale - each extra DPI
worker requires 2 CPU cores and 500 MB RAM.

Example Sizings

STATISTIC / REQUIREMENT
Estimated Devices      50     100    200    400    800
Traffic (Mbps)         100    250    500    1000   2000
CPUs                   2      4      8      16     32
RAM (GB)               8      16     32     64     128
Hard Drive (GB)        50     100    200    400    800

Please note, vSensor performance will vary by CPU speed and the nature of the traffic - estimated sizings are provided
for guidance only.

STANDALONE IMAGE

Configuration Process
1. Access the Darktrace Customer Portal and download the appropriate vSensor file for your environment. You can
also find your Update Key on the vSensor download page.

2. Import the image into your virtual machine manager (e.g., VirtualBox / VMware vSphere).

3. Assign it two network interfaces and, if possible, initialize fresh MAC addresses.

◦ The first network interface should be able to contact the Darktrace Master or be accessible to the
Darktrace Master over TCP port 443 (HTTPS), depending on your desired communication mode. More
details of the networking requirements can be found in vSensor Requirements.

◦ The second network interface should be receiving packets from the virtual switch span in promiscuous
mode.

Please note, when running on VMware, set “MAC Address Changes” to “Accept” on each vSwitch span port.

4. Expand the hard disk to match your sizing (50 GB is recommended). The VM will automatically grow its partitions
to match. Minimum hardware requirements can be found in vSensor Requirements.

5. Boot the vSensor instance. On first boot, you will be prompted to set a keyboard layout.

Please note, this is only applicable to the console application and will not be applied when using SSH to access
the vSensor.

6. You will also be prompted to create a new password for the user darktrace. This will be the default admin
user and the password will be used when accessing the vSensor or performing console actions.

7. Wait for the vSensor to initialize. A screen will now be displayed with details of the vSensor’s current status.
Proceed to the main console menu.

8. From the main menu, enter the Network submenu and configure the interfaces. Navigating to an interface and
pressing enter will provide options to change the interface type.

◦ Set up one interface as the main interface (eth0 recommended) with a static or DHCP IP

◦ Set up a second interface (eth1 recommended) as a sniffer interface to receive packets

9. Return to the main menu and select the Updates submenu. Here, enter your Update Key and configure
optional elements such as a proxy for updates.

If you do not have an Update Key, please see Step 1. or the FAQ.

10. From the main menu, enter the Setup submenu and configure any space for PCAP buffer storage if desired.

The vSensor must now be configured to communicate with the Darktrace master in one of three modes. Two modes -
Push Token and Pull - use a shared token for symmetric encryption and are suitable for communication over untrusted
networks.

CLOUD INFRASTRUCTURE

Configuration Process
1. Spin up an appropriate Virtual Machine instance in your Cloud environment. Minimum virtual hardware
requirements can be found in the vSensor Requirements section.

Ensure you have a valid Update Key at hand. If you do not have an Update Key, please see the FAQ.

2. SSH into the instance and run the install script:

bash -c "$(wget -O - https://packages.darktrace.com/install)"

Enter the Update Key when prompted.

3. Reboot.

4. SSH into the instance and run sudo confconsole to bring up the configuration console.

5. From the main console, select the Setup submenu and then the osSensorHMAC option. Enter a string
between 5 and 63 characters long - the string may contain alphanumeric characters.

This token is used to secure communications between the osSensor and the vSensor. It must be entered into
the vSensor and each associated osSensor, so you may wish to record it securely.

6. Remaining in the Setup submenu, configure space for PCAP buffer storage if desired.

The vSensor must now be configured to communicate with the Darktrace master in one of three modes. Two modes -
Push Token and Pull - use a shared token for symmetric encryption and are therefore recommended for cloud
environments.

CLOUD INFRASTRUCTURE VIA CLI

Configuration Process
1. Spin up an appropriate Virtual Machine instance in your cloud environment. Minimum virtual hardware
requirements can be found in the vSensor Requirements section.

2. SSH into the instance and run the install script:

bash <(wget https://packages.darktrace.com/install -O -) --updateKey [updateKey]

Replace [updateKey] with your Update Key. If you do not have an Update Key, please see the FAQ.

3. Reboot the instance.

4. SSH into the instance and set PCAP storage size:

set_pcap_size.sh [size]

For example, set_pcap_size.sh 50 for 50GB.

5. If the vSensor is intended for use with osSensors, set the osSensor HMAC:

set_ossensor_hmac.sh "[token]"

Where [token] is a string between 5 and 63 characters long. The string may contain alphanumeric
characters.

The vSensor must now be configured to communicate with the Darktrace master. CLI instructions are provided for two
modes - Push Token mode and Pull mode.

CONFIGURING A COMMUNICATION MODE

Which Mode?
During configuration a communication mode must be selected: data can be pushed to the Darktrace master from the
vSensor or pulled from the vSensor by the master. There are two forms of Push mode available - Push Token mode and
legacy Push mode. All methods use HTTPS over port 443.

Pull mode and Push Token mode use an extra layer of symmetric encryption using a shared token and are appropriate for
use over untrusted networks such as the internet. In Cloud Master deployments, one of these encrypted modes is required
and Push Token is particularly recommended as it does not require an inbound firewall exception to the vSensor IP.

To configure one of these modes for vSensors, it is necessary to have followed the setup guide for either standalone or
osSensor/vSensor environments already.

Full networking requirements for each mode can be found in vSensor Requirements.

Configuring Push Mode (legacy)


Interactive

1. In the vSensor Setup sub menu, select the Master option.

2. Configure the vSensor in Push (legacy) mode. Enter the IP or hostname of the Darktrace Master instance.

If a hostname, ensure the name is resolvable via the DNS server provided to the vSensor.

3. Log into the Darktrace Master instance UI and navigate to the System Config page from the main menu.

4. The new vSensor IP should be listed in the probe section. Verify the IP is correct and confirm the new vSensor

Configuring Push Token Mode


Interactive

1. Log into the Darktrace Master instance UI and navigate to the System Config page from the main menu. Locate
the Push Probe Tokens section.

2. Enter a label for the vSensor and click Add - a token will generate in the form of [label:string] . This token
will be shown only once and must be entered into the vSensor. A unique token must be generated for each
vSensor.

The vSensor label is part of the token - to change the label, the token must be fully regenerated.

3. Return to the vSensor console and select the Master option from the Setup submenu. Choose Push Token mode
from the available options.

4. Enter the token in full, and enter the IP or hostname of the Darktrace Master instance. For cloud-hosted master
deployments, the hostname should be used.

5. The new vSensor IP should be listed in the probe section. Verify the IP is correct and confirm the new vSensor

CLI

Follow steps 1 and 2 of the interactive guide above to generate a push token.

SSH into the vSensor and run:

/usr/sbin/set_pushtoken.sh [pushtoken] [master-hostname] [proxy]

Where [pushtoken] is the token generated on the Darktrace Master instance, [master-hostname] is the hostname or
IP of the Darktrace Master instance (hostname required for Cloud Masters) and [proxy] is an optional parameter
available if a proxy is required for the vSensor to access the Master.

Configuring Pull Mode


Interactive

1. In the vSensor console, select the Master option from the Setup submenu.

2. Configure the vSensor in Pull mode and set the Master HMAC token. The token string can be 5-63
alphanumeric characters, although 20+ is recommended.

Make a note of this key as it must be entered into the Darktrace Master instance.

3. Log into the Darktrace Master instance UI and navigate to the System Config page.

4. Scroll down to the Probes subsection. Enter the vSensor IP and the HMAC token configured in step 3.
Optionally configure any proxy settings.

Click the ‘Add’ button.

CLI

SSH into the vSensor and run:

/usr/sbin/set_dcip_hmac.sh [pulltoken]

Where [pulltoken] is the token to be used for master-vSensor communications.

Follow steps 3 and 4 of the interactive guide to configure the Darktrace Master instance.
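Both shared tokens in this guide, the osSensor HMAC set in the Cloud Infrastructure steps and the Master HMAC token for Pull mode, follow the same rule: 5 to 63 alphanumeric characters, with 20 or more recommended. The Python below is an added example, not part of this guide or of Darktrace's tooling; the function names are hypothetical, it only encodes the limits stated here, and it is meant to be run locally before a token is pasted into confconsole or passed to set_dcip_hmac.sh / set_ossensor_hmac.sh.

```python
import re
import secrets
import string

# Limits stated in this guide: 5-63 alphanumeric characters, 20+ recommended.
TOKEN_MIN = 5
TOKEN_MAX = 63
TOKEN_RECOMMENDED = 20
ALPHANUMERIC = string.ascii_letters + string.digits
TOKEN_RE = re.compile(r"^[A-Za-z0-9]{%d,%d}$" % (TOKEN_MIN, TOKEN_MAX))


def check_hmac_token(token):
    """Check a candidate HMAC token against the guide's limits.

    Returns a dict: 'valid' is whether the token satisfies the 5-63
    alphanumeric rule (a hypothetical local check, not Darktrace's own
    validation), 'strong' is whether it also meets the 20+ character
    recommendation, and 'notes' lists every problem found.
    """
    notes = []
    if len(token) < TOKEN_MIN or len(token) > TOKEN_MAX:
        notes.append("length %d is outside %d-%d" % (len(token), TOKEN_MIN, TOKEN_MAX))
    bad = sorted({c for c in token if c not in ALPHANUMERIC})
    if bad:
        notes.append("non-alphanumeric characters: %r" % "".join(bad))
    valid = bool(TOKEN_RE.match(token))
    strong = valid and len(token) >= TOKEN_RECOMMENDED
    if valid and not strong:
        notes.append("shorter than the recommended %d characters" % TOKEN_RECOMMENDED)
    return {"valid": valid, "strong": strong, "notes": notes}


def generate_hmac_token(length=32):
    """Generate an alphanumeric token from the OS CSPRNG (the secrets module).

    32 characters is an assumed default that sits inside the guide's limits
    and above its 20-character recommendation.
    """
    if not TOKEN_MIN <= length <= TOKEN_MAX:
        raise ValueError("length must be between %d and %d" % (TOKEN_MIN, TOKEN_MAX))
    return "".join(secrets.choice(ALPHANUMERIC) for _ in range(length))


if __name__ == "__main__":
    # Constructed candidates: two that fail, one that is accepted but weak,
    # and one freshly generated token.
    for candidate in ("abc", "has space 123", "short1", generate_hmac_token()):
        print("%-36r -> %s" % (candidate, check_hmac_token(candidate)))
```

Record the generated token somewhere secure before entering it, since it has to be typed identically on the vSensor and on the master (Pull mode) or on every osSensor (osSensor HMAC).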

METHODS OF VSENSOR PACKET INGESTION

Virtual Packet Mirroring


Virtual Switch port mirroring can be used to send the vSensor packets. Configure the vSensor in the hypervisor to have two
or more virtual network interfaces, and mark any mirroring interfaces as “Sniffer (Promiscuous)” in the vSensor console. This
forwards the packets on to the DPI engine. Multiple interfaces can be configured this way.

osSensors
The vSensor can receive packets from other hosts which have an osSensor installed. The osSensor is an agent which
forwards a copy of every packet seen on the host to the vSensor’s management interface IP address over port 80/TCP.
Installing an osSensor enables Darktrace RESPOND capability on the host, and can work in environments where mirroring
the traffic is not otherwise possible.

More information about configuring osSensors can be found in the osSensor Configuration Guide (Customer Portal).
osSensors are also available as a Docker image for containerized environments (Customer Portal).

ERSPAN/VXLAN
The vSensor can receive VXLAN or GRE/ERSPAN traffic sent directly to the management interface. These packets are
forwarded on to the DPI engine by the softtap service, which is enabled by default. VXLAN is enabled on port 4789/UDP
and the vSensor supports ERSPAN type I and type II, as well as GRE with transparent Ethernet bridging. Packet received
counters can be seen using the vSensor Health check, or with the command softtap packets.

By default, the softtap service listens on the management interface - the interface with a default route. To override this,
enter interfaces into the file /etc/darktrace/softtap-interfaces with one interface name per line. Then, run
sudo service softtap restart. Verify that it is now listening on the correct interface with softtap status.
Changing the interface can be useful for high throughput scenarios where there may be a risk of link congestion or
saturation on the management interface during traffic peaks.
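Before restarting softtap it is worth confirming that the names written to /etc/darktrace/softtap-interfaces exist on the VM and are not the interface that carries the default route, since binding the tunnel traffic there defeats the purpose of the override. The Python below is an added example, not part of this guide or of the softtap service; the function names are hypothetical, the `ip route` text and interface list are constructed samples, and treating blank lines in the file as ignorable is an assumption (the guide only says one name per line).

```python
import re

# Constructed sample of `ip route` output and of the interfaces present on the VM
# (e.g. from `ip -o link`); passed in so the check runs offline.
SAMPLE_IP_ROUTE = """default via 10.0.0.1 dev eth0 proto dhcp src 10.0.0.20 metric 100
10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.20
10.1.0.0/24 dev eth1 proto kernel scope link src 10.1.0.20
"""
SAMPLE_INTERFACES = ["lo", "eth0", "eth1"]


def default_route_interface(ip_route_output):
    """Return the interface carrying the default route in `ip route` output.

    The guide calls this the management interface: softtap listens here
    unless /etc/darktrace/softtap-interfaces says otherwise.
    """
    for line in ip_route_output.splitlines():
        m = re.match(r"default\s+via\s+\S+\s+dev\s+(\S+)", line.strip())
        if m:
            return m.group(1)
    return None


def parse_softtap_interfaces(file_text):
    """Parse softtap-interfaces: one name per line, blank lines skipped (assumption)."""
    return [line.strip() for line in file_text.splitlines() if line.strip()]


def review_softtap_binding(ip_route_output, file_text, present_interfaces):
    """Return warnings about the interfaces softtap is about to be bound to."""
    warnings = []
    mgmt = default_route_interface(ip_route_output)
    chosen = parse_softtap_interfaces(file_text)
    if not chosen:
        warnings.append("softtap-interfaces is empty; softtap will keep listening on the "
                        "management interface %s" % mgmt)
    for name in chosen:
        if name not in present_interfaces:
            warnings.append("interface %s does not exist on this VM" % name)
        elif name == mgmt:
            warnings.append("interface %s carries the default route; tunnel traffic "
                            "would share the management link" % name)
    return warnings


if __name__ == "__main__":
    for contents in ("eth1\n", "eth0\n", "eth7\n", ""):
        print(repr(contents), "->", review_softtap_binding(SAMPLE_IP_ROUTE, contents, SAMPLE_INTERFACES))
```

On a real vSensor the two inputs come from `ip route` and `ip -o link`, and the file contents from /etc/darktrace/softtap-interfaces; an empty warning list means the file is safe to apply with `sudo service softtap restart`, after which `softtap status` confirms the binding.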

VPC Packet Mirroring


Separate guides are available for configuring vSensors to ingest mirrored traffic. Please see the
AWS VPC Traffic Mirroring Guide (Customer Portal) or the Google Cloud Platform Packet Mirroring Guide (Customer Portal)
for more information.

DEPLOYMENT CHECK

The following tests can be used to confirm that the vSensor is running and has connectivity with the associated osSensors
(if applicable).

Check that the vSensor is running

To check that everything is running, log in as the darktrace user (or another sudo user) and run vsensor-health-check.sh.

For cloud installs, the sudo user will be the user you started with, usually ‘ubuntu’.

Check incoming packets

Check the Status page of the associated Darktrace master (/sysstatus) or run bmon on the vSensor.

Check for vSensor overloading

Check the Status page of the associated Darktrace master (/sysstatus) for load and disk usage, or run htop on the vSensor.

Test connectivity to the Darktrace Master

The connectivity to the Darktrace master can be checked by running wget https://[instance] and checking that
wget connects.

The expected output is an error saying that the certificate is invalid; it will contain
issued by /C=UK/L=Cambridge/O=Darktrace/

If the configuration console doesn’t appear

Run sudo confconsole. If it does not appear, reboot the instance. To do so safely, log in and type sudo reboot.

If the osSensors can’t connect to the vSensor

Check that ports 80/TCP and 443/TCP are open between the osSensor and vSensor.

Test on a Linux osSensor with nc -vz [vsensor ip] 80 and nc -vz [vsensor ip] 443.
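The master connectivity test above has a subtle pass condition: wget is expected to fail, but only with the Darktrace self-signed certificate error, and a different issuer in that error means the vSensor reached something other than the master (a wrong host, or a TLS-intercepting proxy). The Python below is an added example, not part of this guide or of Darktrace's tooling, that interprets wget's stderr that way and wraps the nc -vz port check for osSensors; the function names are hypothetical, the wget transcripts are constructed samples in wget's usual message format, and the hostnames and IPs in them are placeholders.

```python
import re
import socket

# Issuer fragment the guide says appears in the expected certificate error.
DARKTRACE_ISSUER = "/C=UK/L=Cambridge/O=Darktrace/"

# Constructed wget stderr samples (placeholder hostnames/IPs), not real captures.
SAMPLE_WGET_OK = """--2022-08-01 10:00:00--  https://master.example.internal/
Resolving master.example.internal (master.example.internal)... 10.0.0.5
Connecting to master.example.internal (master.example.internal)|10.0.0.5|:443... connected.
ERROR: cannot verify master.example.internal's certificate, issued by ‘/C=UK/L=Cambridge/O=Darktrace/CN=master.example.internal’:
  Self-signed certificate encountered.
To connect to master.example.internal insecurely, use `--no-check-certificate'.
"""
SAMPLE_WGET_INTERCEPT = """--2022-08-01 10:00:30--  https://master.example.internal/
Connecting to master.example.internal (master.example.internal)|10.0.0.5|:443... connected.
ERROR: cannot verify master.example.internal's certificate, issued by ‘/C=US/O=Example Corp Proxy/CN=proxy-ca’:
  Unable to locally verify the issuer's authority.
"""
SAMPLE_WGET_REFUSED = """--2022-08-01 10:01:00--  https://10.0.0.5/
Connecting to 10.0.0.5:443... failed: Connection refused.
"""
SAMPLE_WGET_DNS = """--2022-08-01 10:02:00--  https://master.example.internal/
Resolving master.example.internal (master.example.internal)... failed: Name or service not known.
wget: unable to resolve host address ‘master.example.internal’
"""

_ISSUED_BY = re.compile(r"issued by\s+[‘'`\"]?([^’'\"\n]+)")


def classify_wget_result(stderr_text):
    """Interpret the stderr of `wget https://[instance]` run on the vSensor.

    Returns (reachable, verdict): reachable is True when a TCP/TLS connection
    to the master was established, regardless of whether the certificate was
    trusted. The Darktrace issuer string is the pass condition from the guide.
    """
    m = _ISSUED_BY.search(stderr_text)
    if m:
        issuer = m.group(1).strip().rstrip(":")
        if DARKTRACE_ISSUER in issuer:
            return True, "connected; Darktrace self-signed certificate seen (expected)"
        return True, ("connected, but certificate issuer is not Darktrace (%s): check the "
                      "host, or look for TLS interception on the path" % issuer)
    if "unable to resolve host address" in stderr_text:
        return False, "DNS resolution failed: check the DNS server supplied to the vSensor"
    m = re.search(r"failed: ([^\n.]+)", stderr_text)
    if m:
        return False, "connection failed: %s" % m.group(1)
    if "connected." in stderr_text:
        return True, "connected without a certificate error"
    return False, "unrecognised wget output"


def tcp_port_open(host, port, timeout=3.0):
    """Equivalent of `nc -vz host port`: True if a TCP handshake completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_ossensor_ports(vsensor_ip):
    """osSensors need 80/TCP and 443/TCP to the vSensor (per the guide's port table)."""
    return {port: tcp_port_open(vsensor_ip, port) for port in (80, 443)}


if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_WGET_OK), ("intercept", SAMPLE_WGET_INTERCEPT),
                         ("refused", SAMPLE_WGET_REFUSED), ("dns", SAMPLE_WGET_DNS)):
        print(name, "->", classify_wget_result(sample))
```

To use it against a live master, run `wget https://[instance]` with stderr captured (for example `wget https://[instance] 2> wget.err`) and pass the file contents to classify_wget_result; check_ossensor_ports is run from the osSensor host, not from the vSensor.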

LOG INGESTION FOR VSENSORS

In addition to processing and transmitting network traffic, vSensors can ingest and forward syslog-format logs to the
Darktrace master they are authenticated with. VPN and DHCP logs can provide valuable device-tracking enrichment and
custom event types derived from ingested log data can be used to integrate with a number of third-party tools.

Ingesting Syslog
vSensors accept both unencrypted and TLS/SSL encrypted logs. For encrypted logs, the vSensor accepts TCP traffic on
port 6514. If the vSensor is located locally within your network then you may wish to send log input data to the vSensor
unencrypted on port 1514 (UDP or TCP) - this is not recommended for vSensors outside the network boundary.

1. Configure the external device to send syslog to the vSensor in the desired port/protocol combination.

2. Access the Darktrace master instance associated with the vSensor. Within the Threat Visualizer, navigate to the
System Config page in the main menu under Admin. Select Modules from the left-hand menu.

3. In the Telemetry section, click the Config button. A new dialog will open.

4. Select the vSensor that logs are being sent to. In the field Log Input Allowed IPs, enter the IP address of the
device sending syslog.

Save the changes.

Configuring the Pattern


Pattern-matching is configured on the Darktrace master and then propagated to the vSensor to apply to all future log
entries. Matching (and discarding) is performed at the vSensor level; valid matches are then forwarded on to the master.
The vSensor will also send a small number of unsuccessfully parsed log lines up to the master instance for use in template
configuration. Where “Load Input Filter” is set in Telemetry Config, only lines matching the filter will be stored and
propagated to the master instance.

For more detailed information on log input templates, please see Log Ingestion Templates (Customer Portal).

1. A template must now be defined for the logs to be parsed. Remaining within the “Telemetry” subsection, click
the plus (+) icon to create a new template.

Each template requires a name, a type, a log filter and a pattern.

2. Provide a descriptive name for the pattern which can be identified later, then select the “type” of template you
wish to configure. The type defines what Darktrace does with the data.

3. Set the filter for the pattern using a keyword that appears in all log lines.

4. Now, create the pattern to parse the data in the example log using the built-in shortcut strings or a regular
expression. The pattern must include all the required fields for the template “type”, for example “Credential
Tracking Logs” requires a username and an IP address.

The following pattern extracts these values from the log entry:

User <%{DATA:username}>.*IP Address <%{IP:ip_address}>

5. Save the template. Once saved, the new pattern will be sent to the vSensor and applied to future ingested logs.

6. Return to the Telemetry section of System Config page. Click Test to open the testing dialog and then select
the vSensor from the available instances.

Click Load until log lines appear and then Test. The Load button will only return syslog entries that were not
successfully parsed when they entered the Darktrace instance.

7. Now, click the Test button to compare against the log line in the Log Input Test field. If the filter and pattern
match successfully, a “Success” message will be shown and the data extracted from the log entry will be
displayed.

If the message “Matching Failed!” is returned, check that the filter value appears in the log. If so, the pattern will
need to be refined.

Alter the pattern and test again until all information is successfully parsed from the log line.

Logs are sent from the vSensor in batches so it may take a short while for logs to appear using the new pattern.
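The filter-then-pattern flow described above (lines without the filter keyword are dropped at the vSensor, lines with it are matched against the pattern, and only complete matches are forwarded) can be rehearsed offline before a template is saved, which avoids round trips through the Load/Test dialog. The Python below is an added example, not part of this guide or of Darktrace's template engine; it uses the guide's own pattern, the regexes it substitutes for the %{DATA:...} and %{IP:...} shortcuts are an assumption modelled on common grok conventions (Darktrace's definitions are in its Log Ingestion Templates documentation), the function names are hypothetical, and the syslog lines are constructed samples.

```python
import re

# Regexes behind the shortcut strings used in the guide's example pattern.
# Assumed definitions (grok-style); not Darktrace's own.
SHORTCUTS = {
    "DATA": r".*?",
    "IP": r"(?:\d{1,3}\.){3}\d{1,3}",
}
SHORTCUT_RE = re.compile(r"%\{(\w+):(\w+)\}")

# The pattern from the guide, a filter keyword, and constructed sample lines.
EXAMPLE_PATTERN = r"User <%{DATA:username}>.*IP Address <%{IP:ip_address}>"
EXAMPLE_FILTER = "sslvpn"
SAMPLE_LOGS = [
    "<134>Aug  1 10:00:01 vpn01 sslvpn: Login OK User <alice> IP Address <10.20.30.40>",
    "<134>Aug  1 10:00:07 vpn01 sslvpn: Session idle timeout for session 4421",
    "<134>Aug  1 10:00:09 dhcp01 dhcpd: DHCPACK on 10.20.30.41 to 00:11:22:33:44:55",
]


def compile_pattern(pattern):
    """Expand %{TYPE:field} shortcuts into named groups and compile the result.

    Text outside a shortcut is passed through as a regular expression, which
    is what the guide allows when no shortcut fits.
    """
    def expand(m):
        kind, field = m.group(1), m.group(2)
        if kind not in SHORTCUTS:
            raise ValueError("unknown shortcut %%{%s}" % kind)
        return "(?P<%s>%s)" % (field, SHORTCUTS[kind])
    return re.compile(SHORTCUT_RE.sub(expand, pattern))


def apply_template(lines, log_filter, pattern, required_fields=()):
    """Emulate vSensor-side handling of one template.

    Lines without the filter keyword are discarded; lines with it are run
    against the pattern. Matches carrying every required field (e.g. username
    and IP for Credential Tracking Logs) are forwarded; the rest are kept as
    'unparsed' samples, which is what the Load button on the master returns.
    """
    regex = compile_pattern(pattern)
    forwarded, unparsed, discarded = [], [], []
    for line in lines:
        if log_filter not in line:
            discarded.append(line)
            continue
        m = regex.search(line)
        fields = m.groupdict() if m else {}
        if m and all(fields.get(f) for f in required_fields):
            forwarded.append(fields)
        else:
            unparsed.append(line)
    return forwarded, unparsed, discarded


def diagnose(line, log_filter, pattern):
    """Apply the guide's troubleshooting order to a single line."""
    if log_filter not in line:
        return "Matching Failed: filter %r does not appear in the line" % log_filter
    m = compile_pattern(pattern).search(line)
    if not m:
        return "Matching Failed: filter matched, so the pattern needs refining"
    return "Success: " + ", ".join("%s=%s" % kv for kv in sorted(m.groupdict().items()))


if __name__ == "__main__":
    fwd, unp, dis = apply_template(SAMPLE_LOGS, EXAMPLE_FILTER, EXAMPLE_PATTERN,
                                   ("username", "ip_address"))
    print("forwarded:", fwd)
    print("unparsed (sent to master as samples):", unp)
    print("discarded at vSensor:", dis)
    for line in SAMPLE_LOGS:
        print(diagnose(line, EXAMPLE_FILTER, EXAMPLE_PATTERN))
```

The second sample line shows why a filter keyword alone is not enough: it passes the filter but carries no username or IP, so it ends up in the unparsed set rather than being forwarded, and diagnose reports that the pattern, not the filter, is what needs attention.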

Encrypted Log Input TLS Certificates


For encrypted log ingestion, the vSensor uses a self-signed TLS/SSL certificate by default. If required by your syslog
forwarder, the SHA1 and SHA256 fingerprints of the current certificate are available in the certificate tooltip on the System
Config page or can also be found on the Status page.

Replacing the Certificate

This can be replaced with a trusted certificate via the following process:

1. Navigate to the System Config page of the master instance associated with the vSensor.

2. On the Settings page, click the options icon beside the search bar and select “Use Legacy Page >”.

3. Locate the subsection for the vSensor that you wish to change the certificate for.

4. Beside “Syslog Server TLS Certificate”, click the Create New button. Complete the required fields.

5. At a minimum, complete the Country Code and FQDN / Common Name fields. The FQDN field should contain
the hostname of the vSensor as you wish to contact it.

6. Save the fields to generate a CSR. This can be exported and signed.

7. Paste the signed certificate into the Certificate field below the CSR and save your changes.

FREQUENTLY ASKED QUESTIONS

For basic vSensor troubleshooting and error information, run the Healthcheck from the confconsole main menu or
vsensor-health-check.sh from shell.

What are the limitations of vSensor 4.0.8+?

• The vSensor transfers approximately 2-4% of the incoming bandwidth up to the Master instance (compared to
~1% on a hardware probe).

• One vSensor is limited to 255 osSensors.

What bandwidth will the input support?

This is dependent on CPU speed and the nature of the traffic. The vSensor will process around 100-200 Mbit/s for every 2
CPUs.

If the incoming traffic makeup contains lots of small connections such as DNS or rapid HTTP, the vSensor will process less.
If the traffic is comprised of a few large transfers (e.g., large file transfers), it will manage to process more data.

Can I administer via SSH?

Yes, once the initial password is set, you can SSH and run sudo confconsole to bring up the menu.

Any changes take effect on reboot.

Where do the updates come from?

Updates come from packages.darktrace.com over port 443/TCP or a CDN option is available for global locations. An update
key is required and can be entered on the Setup > UpdateKey section of the console.

vSensors are set to automatically upgrade daily if an upgrade is available.

How can I get support or an Update Key (updateKey)?

Contact your Darktrace representative or raise a ticket on the Customer Portal to get support on vSensor installations.

The Update Key can be found on the “Software Downloads” page of the Darktrace Customer Portal alongside the vSensor
download. If you do not have access to the Customer Portal, the Update Key can be supplied by your Darktrace
representative or a member of Darktrace support.

How do I expand the hard drive or disk space?

For image installs (OVA, VHD etc): The base drive size is controlled in the VM manager software (e.g., VMware). Once that is
increased, the software on the vSensor will increase the partitions and filesystems to match the free space available. This
will occur on next boot, and will automatically reboot once during resize.

• In VMware, use the Expand Disk feature in machine settings when the vSensor is turned off.

• In VirtualBox, this may require a conversion from .vmdk hard disk to .vdi. For example:

VBoxManage clonehd darktrace-vsensor_3.0.10_amd64-disk1.vmdk cloned.vdi --format vdi
VBoxManage modifyhd cloned.vdi --resize 300000
VBoxManage clonehd cloned.vdi darktrace-vsensor_1.5_amd64-disk1.vmdk --format vmdk

For cloud installs, use cloud management software - clone the machine and increase the size - or manually manage disks
using lvm or similar before installing the vSensor.

For further support, please contact your Darktrace representative.

How can I set the correct time?

The vSensor should take time from the virtual machine host. This is preferable to installing NTP or similar on the guest, as
the host can pause execution on VMs and cause clocks to go out of sync.

• For VMware ESXi: Right-click the VM and select Settings, go to the Options tab and tick “Synchronize guest
time with host”. open-vm-tools is installed on the OVA/VHD/qcow2 images, allowing the clock sync from
VMware.

• For Cloud installs, configure NTP in the Setup > NTP section of the console.

Are there any restrictions on the HMAC token string?

The HMAC token can contain up to 63 alphanumeric characters with a minimum of 5.

How can I automate vSensor rollouts?

The easiest method is to set up one vSensor using the confconsole and make an image/clone of it. When cloning a
vSensor, a new ID will be required on first boot to correctly contact the Master. Run the following scripts:

sudo /usr/lib/inithooks/firstboot.d/15random-uuid
sudo /usr/lib/inithooks/firstboot.d/15regen-sslkeys
# if not a cloud vSensor
# cloud init does this automatically
sudo /usr/lib/inithooks/firstboot.d/10regen-sshkeys

Installs can be configured via the command line using one of the scripts below.

What configuration scripts are provided for command line customizations?

The following scripts are available:

• set_dcip_hmac.sh to configure Pull mode.
• set_pcap_size.sh to configure PCAP storage.
• set_updatekey.sh to set the Update Key if not already provided.
• set_ics.sh to enable ICS analyzers (see below).
• set_pushtoken.sh to configure Push Token mode.
• set_ossensor_hmac.sh to set the HMAC token for use with osSensors.
• set_sniff_primary_interface.sh to set the primary packet ingestion interface.

I want to PCI pass-through a physical network card to the vSensor, but it doesn’t show up?

By default, a virtual kernel is run which only includes a minimal set of hardware drivers. Install the generic kernel image
and reboot.

First, set up package updates with the Update Key in the confconsole menu. Then run:

sudo apt install linux-image-generic
sudo apt remove linux-virtual linux-image-virtual linux-headers-virtual
sudo update-grub
sudo reboot

The disk is full?

If you have not increased the hard drive from the 20 GB default, please do so. Otherwise, please raise a support ticket on the
Customer Portal.

You can locate the largest directory with sudo du -hs /* | sort -h and keep recursing. E.g.
sudo du -sh /var/log/* | sort -h

Does the vSensor support ICS protocols?

vSensors running v4.0.6 and above can now be converted into Industrial Immune System vSensors to analyze and forward
industrial protocol traffic. This setting can be enabled in the console application or by running the command
set_ics.sh 1 .

Industrial mode adds additional decoding capability to the deep packet inspection engine; however, this can cause protocol
mis-identification on non-ICS networks and is not recommended for non-industrial environments.

Does the vSensor support dedicated Darktrace RESPOND/Network Firing Interfaces?

Yes, vSensor v4.0.8 allows unconfigured interfaces to be set as default dedicated firing interfaces. The interface intended to
be set as a dedicated firing interface must be set to ‘unconfigured’ through the vSensor “Network” console option, then
selected as the default interface with the “AGN Interface” option. Unconfigured interfaces that predate v4.0.8 must first be
set to another state and then returned to ‘unconfigured’ to ensure they initialize correctly.

More information and a configuration process can be found in the Darktrace RESPOND/Network documentation
(Customer Portal).
US:+1 415 229 9100 UK:+44 (0) 1223 394 100 LATAM:+55 11 4949 7696 APAC:+65 6804 5010 info@darktrace.com darktrace.com
