Configure file analysis

File analysis enables you to specify files to be hashed with the SHA-256 hashing algorithm. File hashes that match a threat collection generate a detection, and file hash data can be queried in records.

ExtraHop recommends that you manage these settings from an ExtraHop console, which is the default configuration in RevealX 360. For RevealX Enterprise, sensors manage these settings by default. If you prefer to manage the settings on a console instead of a sensor, you can transfer management to a console.

Prerequisites

  • You must have System and Access Administration or System Administration (RevealX 360 only) user privileges.

Configure a size limit for file rules

You can specify a size limit that applies globally to all file rules. Any file that exceeds this limit will not be hashed.

  1. Log in to the ExtraHop system through https://<extrahop-hostname-or-IP-address>.
  2. Click the System Settings icon and then click File Analysis.
  3. In the Size Limit (MB) field, specify a file size, in MB.
    The range is from 1 to 1,000,000 MB. The default value is 10 MB.
  4. Click Save.

Create a file rule

You can create custom file rules that determine which files are hashed on the ExtraHop system. The ExtraHop Default rule is automatically enabled and is configured to hash executable media type files and files observed on any protocols, localities, and file extensions supported by file analysis. You can disable the default rule but you cannot modify the rule configuration.

Note: Enabling a large number of custom file rules might affect system performance.

  1. Log in to the ExtraHop system through https://<extrahop-hostname-or-IP-address>.
  2. Click the System Settings icon and then click File Analysis.
  3. In the File Rules section, click Add Rule.
  4. In the Name field, enter a unique name for the Rule.
  5. From the Protocol drop-down menu, select one of the following protocol options:
    • HTTP
    • SMB
    • FTP
    • Any protocol
    Selecting Any protocol only hashes files observed on HTTP, SMB, or FTP protocols.
  6. From the Locality drop-down menu, select one of the following flow direction options:
    • Inbound
    • Internal
    • Outbound
    • Any locality
  7. In the File Format section, select the type of files to hash:
    • Click Media Type and then select one of the following media options:
      • Archive
      • Document
      • Executable
    • To hash by file extension, click File Extension, and then type one or more file extensions, separated with a comma. You can enter extensions in either of the following formats: txt or .txt.
  8. In the Options section, select the Enable file rule checkbox to enable the rule and begin hashing files that match the criteria.
  9. (Optional): If the file rule is enabled, you can select the Display hashed files in Files table checkbox to display hashed files and associated metadata in the Files table available from the Assets page.
  10. Click Save.
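The two procedures above describe how the global size limit and the file rules decide which observed files get hashed and checked against a threat collection. The following Python model, added here as an illustration and not ExtraHop's own code, walks through that decision for a handful of constructed file observations: the global size limit is checked first, "Any protocol" still means only HTTP, SMB or FTP, a rule matches either by media type or by extension list (accepting `txt` or `.txt`), and a matching file is hashed with SHA-256 and looked up in a threat collection. The rule names, sample files, and the threat-collection entry are all constructed for the example; the built-in ExtraHop Default rule is modelled as "executables on any protocol and locality" as the page describes it.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

# Protocols supported by file analysis, per the page. "Any protocol" is
# limited to these three, so a file seen on any other protocol is never hashed.
SUPPORTED_PROTOCOLS = {"HTTP", "SMB", "FTP"}
ANY_PROTOCOL = "Any protocol"
ANY_LOCALITY = "Any locality"


def normalize_extension(ext: str) -> str:
    """Accept either 'txt' or '.txt' (both forms are allowed in the UI)."""
    return ext.strip().lstrip(".").lower()


def parse_extensions(text: str) -> frozenset:
    """Split the comma-separated list typed into the File Extension field."""
    return frozenset(normalize_extension(e) for e in text.split(",") if e.strip())


@dataclass(frozen=True)
class FileRule:
    name: str
    protocol: str = ANY_PROTOCOL
    locality: str = ANY_LOCALITY
    media_type: Optional[str] = None      # "Archive", "Document" or "Executable"
    extensions: frozenset = frozenset()   # used only when media_type is None
    enabled: bool = True


@dataclass(frozen=True)
class ObservedFile:
    name: str
    protocol: str
    locality: str
    media_type: str
    data: bytes


@dataclass(frozen=True)
class AnalysisResult:
    file_name: str
    sha256: Optional[str]
    matched_rules: tuple
    detection: bool
    reason: str


# Model of the built-in rule: executables on any supported protocol/locality.
DEFAULT_RULE = FileRule(name="ExtraHop Default", media_type="Executable")


def rule_matches(rule: FileRule, f: ObservedFile) -> bool:
    if not rule.enabled or f.protocol not in SUPPORTED_PROTOCOLS:
        return False
    if rule.protocol != ANY_PROTOCOL and rule.protocol != f.protocol:
        return False
    if rule.locality != ANY_LOCALITY and rule.locality != f.locality:
        return False
    if rule.media_type is not None:
        return f.media_type == rule.media_type
    ext = f.name.rsplit(".", 1)[1].lower() if "." in f.name else ""
    return ext in rule.extensions


def analyze(files, rules, size_limit_mb, threat_collection):
    """Apply the global size limit, then the rules; hash matches and check them."""
    limit_bytes = size_limit_mb * 1024 * 1024
    results = []
    for f in files:
        if len(f.data) > limit_bytes:
            results.append(AnalysisResult(f.name, None, (), False, "exceeds global size limit"))
            continue
        matched = tuple(r.name for r in rules if rule_matches(r, f))
        if not matched:
            results.append(AnalysisResult(f.name, None, (), False, "no enabled rule matched"))
            continue
        digest = hashlib.sha256(f.data).hexdigest()
        hit = digest in threat_collection
        results.append(AnalysisResult(f.name, digest, matched, hit,
                                      "hash matches threat collection" if hit else "hashed"))
    return results


# Constructed sample observations (not real captures).
SAMPLE_EXE = b"MZ\x90\x00" + b"constructed-sample-executable"
SAMPLE_FILES = [
    ObservedFile("installer.exe", "SMB", "Outbound", "Executable", SAMPLE_EXE),
    ObservedFile("notes.txt", "HTTP", "Inbound", "Document", b"constructed text file"),
    ObservedFile("backup.zip", "FTP", "Internal", "Archive", b"\x00" * (1024 * 1024 + 1)),
    ObservedFile("tool.exe", "SSH", "Outbound", "Executable", SAMPLE_EXE),
    ObservedFile("report.pdf", "HTTP", "Inbound", "Document", b"constructed pdf"),
]
RULES = [
    DEFAULT_RULE,
    FileRule("Inbound text over HTTP", protocol="HTTP", locality="Inbound",
             extensions=parse_extensions("txt, .csv")),
    FileRule("Disabled archive rule", media_type="Archive", enabled=False),
]
# Constructed threat collection containing the hash of the sample executable.
THREAT_COLLECTION = {hashlib.sha256(SAMPLE_EXE).hexdigest()}


def run_demo(size_limit_mb: int = 1):
    return analyze(SAMPLE_FILES, RULES, size_limit_mb, THREAT_COLLECTION)


if __name__ == "__main__":
    for r in run_demo():
        print(f"{r.file_name:14} detection={r.detection!s:5} rules={r.matched_rules} {r.reason}")
```

Running the block with the 1 MB demo limit hashes `installer.exe` (default rule, threat-collection hit) and `notes.txt` (custom extension rule), skips `backup.zip` for size before any rule is consulted, and leaves `tool.exe` unhashed because SSH is not one of the supported protocols even under "Any protocol".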

Transfer management of file analysis settings

For RevealX 360, ExtraHop consoles manage file analysis settings by default. For RevealX Enterprise, ExtraHop sensors manage these settings.

You can log in to a console and transfer management of file analysis settings to a sensor, or log in to a sensor and transfer management to a console.

Note: Transferring management for these settings also transfers management for all shared settings.

  1. Log in to the console or sensor that is currently managing file analysis settings through https://<extrahop-hostname-or-IP-address>.
  2. Click the System Settings icon and then click File Analysis.
  3. Transfer management of file analysis to a different system.
    Option: Transfer from sensor to console
      1. Click Transfer Management.
      2. From the Managing Console drop-down menu, select a console name.
    Option: Transfer from console to sensor
      1. Click N of N connected sensors.
         The Management Settings window displays a list of sensors for which the console manages shared settings and a list of sensors that manage their own settings.
      2. Click the name of the sensor that you want to have manage its own settings.
      3. Log in to the sensor.
      4. Click Transfer Management.
      5. From the Managing Console drop-down menu, select Sensor Appliance - Self.

Last modified 2025-01-11