Professional Documents
Culture Documents
User Manual
Rel. 1.2.0
Corrado Federici
(corrado@blueye.it)
March 10 , 2008
Copyright Corrado Federici 2006-2011
Contents
1.Why
...................................................................................................................................................
4
2.WhatisBlueye?
................................................................................................................................
4
3.Buildingblocks
.................................................................................................................................
5
3.1.Snooper(SN)
...............................................................................................................................
5
3.2.PacketInjector(PI)
....................................................................................................................
7
3.3.SessionTracker(ST)
...................................................................................................................
8
3.4.Diagnostic(DG)
.......................................................................................................................
10
4.Configurationdetails
......................................................................................................................
11
4.1.snconf
........................................................................................................................................
11
4.1.1.interfname:
..........................................................................................................
11
..................
4.1.2.capdir:
.........................................................................................................................
12
............
4.1.3.capfilesize:
..................................................................................................
12
..........................
4.1.4.sessionhistory:
.................................................................................................................
12
......
4.1.5.sessionnumber:
....................................................................................................................
..12
4.1.6.sessionstorage:
................................................................................................
13
......................
4.1.7.sessiontimeout:
...................................................................................................................
13
...
4.1.8.sessiononedir:
.....................................................................................................................
13
...
4.1.9.sessionmindack:
....................................................................................................
14
................
4.1.10.patternmatchmethod:
............................................................................................
14
.............
4.1.11.bpf:
....................................................................................................................................
14
....
4.1.12.key:
...................................................................................................................
14
....................
4.1.13.noscreenmsg:
..........................................................................................
15
............................
4.1.14.affinitymask:
...................................................................................................
15
....................
4.1.15.enableipmsg:
...................................................................................................
16
....................
4.1.16.ipmsgid:
...........................................................................................................................
16
....
4.1.17.ipmsgaddress:
....................................................................................................................
..16
4.1.18.ipmsgport:
.......................................................................................................
16
....................
4.1.19.ipmsgbuddyaddress:
.........................................................................................
16
.................
4.1.20.ipmsgbuddyport:
..........................................................................................................
16
......
4.2.piconf
........................................................................................................................................
16
4.2.1.feid:
............................................................................................................
16
...........................
4.2.2.dbhost:
.......................................................................................................................
17
............
4.2.3.ftphost:
......................................................................................................
17
............................
4.2.4.user:
.................................................................................................................
17
.......................
4.2.5.password:
..........................................................................................................................
17
......
2
4.2.6.capdir:
.........................................................................................................................
17
............
4.2.7.deleteafterinjection:
..............................................................................................
17
...............
4.2.8.sessionmindack:
....................................................................................................
18
................
4.2.9.affinitymask:
....................................................................................................
18
.....................
4.3.stconf
........................................................................................................................................
18
4.3.1.dbhost:
.......................................................................................................................
18
............
4.3.2.user:
.................................................................................................................
18
.......................
4.3.3.password:
..........................................................................................................................
18
......
4.3.4.sessiondir:
.................................................................................................
18
...........................
4.3.5.sessionstorage:
................................................................................................
18
......................
4.3.6.key:
....................................................................................................................
18
.....................
4.3.7.deleteafterinspection:
..........................................................................................................
.
19
4.3.8.affinitymask:
....................................................................................................
19
.....................
4.3.9.sessionrebuilddelay:
....................................................................................
19
........................
4.3.10.sessiononedir:
...............................................................................................
19
.....................
4.3.11.mergedirtimestamps:
......................................................................................
19
...................
4.3.12.inspectudppkt:
.................................................................................................................
20
...
4.4.dgconf
.......................................................................................................................................
20
4.4.1.smtpsender:
......................................................................................................
20
.....................
4.4.2.smtprecipient:
.....................................................................................................................
20
...
4.4.3.fromsender:
........................................................................................................
20
...................
4.4.4.smtpserver:
..................................................................................................................
20
..........
4.4.5.logdir:
......................................................................................................................
20
..............
5.Architecture
....................................................................................................................................
20
6.Installation
......................................................................................................................................
21
6.1.Win32setup
..............................................................................................................................
21
6.2.Linux
.........................................................................................................................................
23
6.3.Sourcefiles
...............................................................................................................................
25
6.4.WiFicards
................................................................................................................................
25
7.Limitations
......................................................................................................................................
26
8.Directionsoffuturework
...............................................................................................................
26
9.TheBlueyeL7Group
....................................................................................................................
27
1.Why
The reader may wonder : So many sniffers available on earth. Did we need a
new one?. I hope so. At least me. Everything started when I first tried to
tackle the problem of chasing interesting signatures on high performance
Gigabit Ethernet links. When traffic reached the 100/150 Mbit/s threshold, the
classic approach of storing all packets in the file system for later analysis
showed all of its limits and every probe that I could use intolerably dropped
possibly precious information. I then had
2.What is Blueye?
Just a moment. First let me tell you what it is not. Blueye is not properly an
IDS, so if you may need to pinpoint a DoS attack outbreak, there are plenty of
tools that make it better (Snort being in pole position). However, if you ever
need to recover as much information as possible, maybe while trying to avoid
4
3.Building blocks
Blueye has three main components, each of which can be configured by mean
of its private ASCII file:
3.1.Snooper (SN)
Snooper is a pcap application that owns logic for capturing data and can
work in two modes:
a. Layer 7 mode: if the user defines at least one keyword in the
configuration file snconf, SN keeps track in memory of all captured
packets up to a configurable limit, beyond which a management
policy is enforced and entries are updated. When one of the keyword
is found in a frame , session history is rebuilt since the beginning and,
from then on, the stream is kept under observation until its natural
end or until it timeouts. Because of this RAM-only working mode, we
5
-c conffilepath
-l logfilepath
created
Examples:
./blueye-sn c ./etc
./blueye-sn c ./etc l /var/snlogs
Type blueye-sn --help for help.
As
bare
minimun,
you
must
configure
capture
interface
For space and bandwidth optimization , PI selects only tcp frames that
carry information (payload size is not null) or that delimit session
boundaries (SYN, FIN or RST flag set to one). Thus, when Snooper works
in L4, you will notice that the number of injected packets in database is
lesser than the total number of them present in the .cap file. You will see
an equal number only when Snooper works in L7 mode, because it uses
the same optimization (unless parameter session-mindack is unmasked:
see 4.19 and 4.2.8).
Another virtue of Packet Injector is sanity checking of the values present
in layer III and IV headers, so you can be positive that only valid tcp
packets are stored in the db.
PI is configured via text file piconf , to be discussed later.
After having configured piconf file (see chapter 4.2), you can launch the
application in a command shell by typing:
./blueye-pi [options]
With no command line options , PI will have a default behaviour, looking
for its configuration file and creating its operation log file in the local
directory.
Command line options:
-c conffilepath
-l logfilepath
Examples:
./blueye-pi c ./etc
./blueye-pi c ./etc l /var/pilogs
Type blueye-pi --help for help.
As bare minimun, you must configure front end identifier
parameter of piconf file in order to run Packet Injector.
one)
The drawback of keeping every record is that database size could grow
very significantly and thats why one can choose to delete every session
after it has been inspected.
After having configured stconf file (see chapter 4.3), you can launch the
application in a command shell by typing:
./blueye-st [options]
-l logfilepath
Examples:
./blueye-st c ./etc
./blueye-st c ./etc l /var/stlogs
Type blueye-st --help for help.
3.4.Diagnostic (DG)
When all the above stuff is in operation, log files are produced that
describe all the relevant events. If we need to setup a very small
monitoring system, maybe we want to be remotely informed about them.
Diagnostic is a very basic parser that scans each daily log file produced
by SN, PI, ST and emails some of its entries: every kind of error, program
startup and shutdown and key found events.
After having configured dgconf file (see chapter 4.4), you can launch the
application in a command shell by typing:
./blueye-dg [options]
With no command line options , DG will have a default behaviour, looking
for its configuration file in the local directory.
Command line options:
-c conffilepath
Examples:
./blueye-dg c ./etc
Type blueye-dg --help for help.
At this point it should be clear that searching for patterns at the first stage of
the SN->PI->ST chain instead of the last, has complementary benefits in
terms of performance (capture in SN) and completeness of information
(search in ST).
10
Finally, you could ask: As L7 mode produces complete sessions from SYN to
FIN, when packets are not split over two physical links, why do I need to inject
them into the database?. Good question. In a local network scenario you
should not need it, but take into account that, for sake of speed, Snooper in
L7 mode cannot guarantee that frames are unduplicated or well sequenced as
Session Tracker does. In this context, you can rely on STs ability to act as a
washing machine, configuring it (with no keywords) to clean and reorder all
your interesting streams.
One final remark. STs speed mostly depends on database query
responsiveness, which can be greatly improved by optimization techniques.
Usage of indexes is a good candidate for this kind of task. This is not the
place to discuss table index creation, so please refer to Mysql doc about
optimization in general and CREATE INDEX statement syntax in particular.
4.Configuration details
What follows is a descriptions of all parameters of the configuration files.
Many parameters can be commented out with a pound sign # at the
beginning of each line, in which case a default value will be used. Notice that
parsing of configuration files will ignore blank spaces or tabs that you may
insert after colon with which parameter names end. Only for key statements
this spaces or tabs matter and are considered valid chars.
4.1.snconf
4.1.1.interf-name:
Name of the network interface that will snoop for packets. This
parameter is mandatory (there is no default value).
Example: (for Linux boxes)
Example: (for Linux boxes)
interf-name: eth0
Example: (for Windows boxes)
interf-name: \Device\NPF_{4DAF118C-ECC3-45CE-8E2DD649E02B7E40}.
11
In this case, you can get this lengthy string by running Snooper
with I switch, which prints out all network interfaces.
4.1.2.capdir:
Folder path in which .cap files will be stored. Default value is
current directory.
Example:
capdir: /var/caps (Linux)
capdir: c:\caps (Windows)
4.1.3.capfile-size:
When working in L4 mode, after having written log-size MB ,
Snooper will create a new log file. Min: 1 Max: 999 Default: 32
Example:
capfile-size: 64
4.1.4.session-history:
When working in L7 mode, this value determines the size of the
history cache in mega bytes. This container is the basket in which
Snooper will try to find packets (of same session) stored before the
one that contains the keyword. Please note that a bigger cache not
always gives better performances. Tcp session completeness may
increase, but also latency times could and the CPU may ignore new
incoming packets while busy in searching older ones. A value of
128/256 seems appropriate in many situations and a value of zero
will disable session history reconstruction.
Min: 0 Max: 999 Default: 256
Example:
session-history: 128
4.1.5.session-number:
When working in L7 mode, this value determines how many
interesting sessions at time must be handled. Interesting sessions
(for which at least one keyword matched) are kept in memory until
an ending mark is found or a timeout expires. Again this value
must be a trade off between performance and completeness and a
value from 4 to 16 could be appropriate if keywords are not very
trivial.
12
13
4.1.9.session-mindack:
For performance reasons, when working in L7, Snooper discards
zero sized acknowledge packets, because they are not strictly
requested by ST at rebuild time. However, should your protocol
analyzer need them to better track a conversation between two
parties, you can unmask this flag. Default: disabled (ACK arent
logged)
4.1.10.pattern-match-method:
When working in L7 mode, this value determines the algorithm that
will be used for pattern matching. You can choose between WuMamber (WM) or Aho-Corasick (AK)
Possible values: WM, AK . Default: WM
Example:
patternmatchmethod:AK
4.1.11.bpf:
If the capture board doesnt provide this service and we need to
rely on filtering ability of the OS kernel, it is possible to define a
filter following the tcpdump syntax (see www.tcpdump.org).
If bpf statement is commented out, all traffic is allowed to pass.
Example:
bpf:tcpdstport25ortcpport80ortcpsrcport110
HerewedecidetocaptureSMTPtraffictoanymailserver,webservertrafficin
bothdirectionsandPOP3trafficfromanymailserver.
4.1.12.key:
Presence of at least one statement of this type determines L7 work
mode. Keywords can be simple tokens or phrases, written in ASCII
or expressed in hexadecimal form. This latter feature lets you
specify any language by entering raw mode coding. Key statement
14
shorter than 4 chars are ignored (they are considered too generic).
There is no limit but memory size to the number of key statements,
but remember that each of them must be sized 254 chars at most.
Syntax is case sensitive , unless a nocase statement is appended.
Example:
key:|546861747327416D6F7265|
key:jellyfisH
key:theBlueorcinus;nocase
key:tellmehowtogetridoftheoldboomerangasIwanttobuyanewone
Inthefirst,secondandfourthexamplepatternswillbesearchedexactlymatching
case,whileinthethirdBlueorcinuswillbesearchedregardlessofcase.
4.1.13.no-screenmsg:
WhenworkinginL7mode,ifthisstatementispresent,everyKEYFOUNDpost
startupmessagewillbesuppressedandtherewillbenoscreenprintoutwhena
keywordmatches.Iguessthatyoumayappreciatethisonlyinextremecases,in
whichCPUtimeissopreciousthatyoudonotwanttowasteitprintingtothe
standardoutput.Default:disabled(screenmessagesareallowed).
4.1.14.affinity-mask:
Inamultiprocessorsystem,affinityisdefinedasthepossibilityforaprocessto
chooseasubsetofavailableCPUs.Ingeneralthisbindingisautomaticallyperfomed
bythedispatcherunitoftheOS.Nevertheless,therearetimeswhenwewantto
manuallyassignadedicatedCPUtoaparticularrealtimeprocess.Anaffinitymask
isapatternofbitseachcorrespondingtoanavailableprocessor.Ifthebitisset
Snoopercanrunonthatprocessor,otherwiseitcannot.Validmaskhavenbits,
wherenis2or4.MostsignificantbitisforCPU0andsoontillleastsignificantbit
forCPUn1.Default:allbitstoone.
Example:Dualcoresystem:SnooperrunsonCPU1,butnotonCPU0
affinitymask:01
15
Example:Quadcoresystem:SnoopercanrunonCPU0orCPU3
affinitymask:1001
4.1.15.enable-ipmsg:
WhenworkinginL7mode,thisstatementenablescommunicationbetween two
probesthatbehaveasiftheywereone.Theonethatfindsanewkeywordinapacket
ordetectsanendofsessionmarkersendsamessagetotheotherthat,accordingly,
tracksthatsessionorflushesittodisk.Default:disabled(interprobemessagesare
notsent).
4.1.16.ipmsg-id:
Mandatory interprobe messaging identifier that distinguishes a
probe from its buddy. Min: 1 Max: 999
Example:
ipmsg-id: 1
4.1.17.ipmsg-address:
Mandatory ip address that receives interprobe messages.
4.1.18.ipmsg-port:
Udp port that listens to interprobe messages. Default:34543
4.1.19.ipmsg-buddy-address:
Mandatory ip address of buddy (to send interprobe messages to)
4.1.20.ipmsg-buddy-port:
Udp
port
of
buddy
that
listens
to
interprobe
messages.
Default:34543
4.2.piconf
4.2.1.fe-id:
Front end identifier. This parameter is used to distinguish from one
probe to another and it is inserted into records to understand
packet origin. It mandatory also in case of single probe
architecture. Min: 1 Max: 999
Example:
fe-id: 5
16
4.2.2.db-host:
NameoripaddressoftheremoteMYSQLdatabase
Example:
db-host:backend.company.it
4.2.3.ftp-host:
Name or ip address of the remote FTP server. As an alternative to
inject packets into a database, it is possible to upload captured
files to an ftp server for further processing by some kind of
application the user might already have. File transfer is
accomplished by a standard version of ncftpput by Mike Gleason
(http://www.NcFTP.com)
4.2.4.user:
4.2.5.password:
Database connection credentials. PI must log into a MYSQL db
before it can inject frames. Blueye table setup script will have
granted access to this user.
Example:
db-user:blueyeadmin
db-password:blueye
This couple can be used also as logon credentials of a remote ftp
server.
4.2.6.capdir:
Folder path from which .cap files will be read. Default value is
current directory.
Example:(see4.1.2)
4.2.7.delete-after-injection:
Ifthisstatementispresent,everycapturefileisdeletedfromthefilesystemafterall
packetsthatitcontainshavebeeninjetctedintothedatabase.Youmayappreciate
thisbehaviourwhenitsbettersavingdiskspacethankeepingalocalcopyoftraffic.
Default:disabled(capturefilesarenotdeleted).
17
4.2.8.session-mindack:
See4.1.9
4.2.9.affinity-mask:
See4.1.12
4.3.stconf
4.3.1.db-host:
4.3.2.user:
4.3.3.password:
Databaseconnectioncredentials.STmustlogintoaMYSQLdbbeforeitcanfetch
frames.
(see 4.2.2-4-5)
4.3.4.session-dir:
Folder path in which .cap files with rebuilt sessions will be stored.
Default value is current directory.
Example:
session-dir: /var/sessions (Linux)
session-dir: c:\sessions (Windows)
4.3.5.session-storage:
During session building , packet payloads are copied in a
temporary buffer for later inspection. This value determines the
size of this buffer.
Min: 1 Max: 999 Default: 128 MB
Example:
sessionstorage:64
4.3.6.key:
If at least one key statement is found, after session is reassembled
from beginning to end, it is searched for keyword occurrence . In
case of match only, session is written to disk in the capdir folder as
a tcpdump formatted .cap file. If no keyword is defined, all sessions
will be flushed to disk. (see 4.1.10 for syntax)
18
4.3.7.delete-after-inspection:
Ifthisstatementispresent,everysessionisdeletedfromthedatabaseafterithas
beeninspected.Thissavesspaceonyourharddisk,butofcoursepreventsyoufrom
replayingtherebuildingprocessincaseofneed..Default:disabled(recordsare
simplydisabledandnotdeleted).
4.3.8.affinity-mask:
See4.1.12
4.3.9.session-rebuild-delay:
AsSessionTrackerandPacketInjectorworksasynchronously,wemustavoidthat
rebuildprocessofalengthysessioncouldstartwhilepacketsarestillbeingwritten
tothedatabase.ThusitisnecessaryforSTtoprocessonlyagedpacketsthatwere
writtenatleastsessionrebuilddelaysecondsago. Min: 10 sec Max: 999 sec
Default: 10 sec
4.3.10.session-one-dir:
Startingfromrel.1.1.0,bothdirectionsofasessionsarerebuilt(e.g.fromserverto
clientandviceversa)andflushedinthesamefile.Incaseofneed,onecanchooseto
processonedirectionattimeandhavethemwrittenintwoseparate.capfiles.
Default:disabled.
4.3.11.merge-dir-timestamps:
Inthedefaultcase,thetwodirectionsofasessionareflushedtodiskoneafter
another,becausetheyarerebuiltoneindependentlyfromtheother.Byunmasking
thisparameter,however,onecanchoosetosortpacketsaccordingtotheirreal
timestamp(thetimetheywerecapturedbythenetworkcard).Thisway,youcansee
theconversationbetweentwopeersasitreallyhappened.Awordofcaution:
rearrangingpacketsisanextracomputationalburdenforthebackendandmaybeit
isuselessatthisstage,becauseyourprotocoldecoder(theprogramyouuseto
analyzeapplicationlayerinformation)isalreadyabletodoit.Default:disabled,
unlessbuiltinprotocoldecodersareenabled.
19
4.3.12.inspect-udp-pkt:
Udppacketsareonlyprocessedifthisflagisunmasked.Default:disabled
4.4.dgconf
4.4.1.smtp-sender:
Optional SMTP address of the sender, that is RFC 821s MAIL
FROM: field (es Probe-1@company.com)
4.4.2.smtp-recipient:
SMTP address of the receiving mailbox, that is RFC 821s RCPT TO:
field (es blueyemonitor@company.com)
4.4.3.from-sender:
Name of the sender , that is the From: field inside RFC 821s
DATA field (es Probe-1)
4.4.4.smtp-server:
Fully qualified domain name (es mx.company.com) or ip address of
the mail server.
4.4.5.log-dir:
Directory in which log files are located.
Mail messages are sent by the following command line SMTP clients:
email rel 2.5.1. (www.cleancode.org) for Linux and blat 2.6.1
(www.blat.net) for Windows.
5.Architecture
Blueyes software components fit in a simple front-end/backend architecture
that let you easily deploy a distributed monitoring system. Most of the times
every front end probe (FeP) will host one
physical point of view, every probe will be a two armed object, connected
from one side to the network segment under observation, via span (mirror)
port or passive tap. The other network card is used to transmit packets to a
backend server that hosts a central MYSQL database and a Session Tracker
component. It is also possible to deploy a solution with multi-homed Feps, in
20
which a couple of SN, PI agent will be running for every capturing card, but of
course this configuration is strongly dependent on FeP hardware and traffic
rate sent to the Snooper. In case of interprobe messages, one can decide to
reserve a an additional network card as a private communication channel or
use backend interface.
A third possible computational level is a workstation that runs network
analysis software (Analysis Console: AC ) fed by .cap files picked up from the
backend, but nothing forbids to install it on the backend if enough
computational resources are present.
The following picture displays a possible configuration with two Feps
connected to span ports of the corporate network :
In
the
simplest
cases,
we
can
deploy
an
all-in-one
configuration
6.Installation
6.1.Win32 setup
Wizard Blueye 1.2.0 Setup.exe will assist you during installation
process. After having accepted license condition, you will be able to
select all the components you need:
21
Packet Injector: will copy in the installation folder the files blueyepi.exe and piconf. Prerequisites are packet capture library for
Windows (as above) and libmySQL.dll client libray rel 5, necessary to
connect to MYSQL database. This dll will be copied too, provided that
Blueye Database Tables options is not selected, in which case it is
assumed that installation occurs in the database machine where this
library is already present (at most you will have to copy it from Mysql
installation folder to where Windows can find it, perhaps System32 or
Blueye local directory) . The package also includes ncftpput.exe rel
3.2.0 (see 4.2.3);
Session Tracker: will copy in the installation folder the files blueyest.exe and stconf. libmySQL.dll client libray is a prerequisite and the
same considerations as above apply;
Blueye Database Tables: you will choose this option after having
installed MySQL database version 5 (www.mysql.com) in the selected
host. Setup will copy and execute MySqlCmd-win32.bat that will
22
GRANT
command
specifying
(blueyeadmin'@'somehost')
(blueyeadmin'@'172.16.5.32')
or
for
instance
an
perhaps
hostname
ip
a
class
address
B
subnet
6.2.Linux
Archive Blueye-1.2.0-Linux.tar.gz contains all the stuff if you need to
start immediately: binaries precompiled with gcc 4.1.1 on a Fedora Core
6 box running kernel 2.6.18-1 with glibc 2.5.3 and libstdc++ 4.1.1,
configuration files and db table generation script. Snooper comes in two
flavours:
-
blueye-sn-ring which will work only on Linux boxes that have been
previously kernel patched with the PF_RING rel.3 package by Luca
23
blueye-sn-ring requires:
o previous installation of library libpcap 0.9.4 or later;
o previous
kernel
pacthing
as
described
here:
blueye-dg
requires
previous
installation
of
24
package
6.3.Source files
Blueye-1.2.0-src.tar.gz contains all the project with source, doc and
configuration files. Win32 master project blueye.vcproj was created
with Microsoft Visual C++ 2005 Express Edition (which is freely available
from MS site) with .NET framework 2.0. Core part of Platform SDK is
needed (download and burn a copy of Windows Server 2003 R2 platform
SDK iso from MS site) in order to install some include and library files and
VC configuration must be updated accordingly (Tools->Options->VC++
Directories: Include and Library files).
Linux
project
files
are
blueye-c.cbx,
PacketInjector.cbx
and
6.4.WiFi cards
As previously recalled, Snooper and Packet Injector are able to decode
radio headers that WiFi cards drivers prepend to packets with Ethernet
802.3 encapsulation (Linux only):
-
AVS headers.
See this page by Jean Tourrilhes for a whos who of wifi drivers and
devices
under
Linux:
http://www.hpl.hp.com/personal/Jean_Tourrilhes/Linux/Linux.Wireless.driv
ers.802.11ag.html#AtherosMADWiFi.
Tests were performed with Proxim Orinoco 11 a/b/g ComboCard
(cardbus interface, atheros chipset, madwifi drivers) and D-Link DWLG122 8012.11g (usb interface, Ralink chipset and rt73-k2wrlz-2.0.1
drivers). For example with D-Link DWL-G122 driver rt73-k2wrlz-2.0.1
installs a wifi interface as rausb0. Then the following shell commands
25
7.Limitations
At the moment, Blueye is able to rebuild tcp sessions or inspect single udp
packets. Therefore, other kinds of traffic should be filtered out by the network
card or by operative system bpf kernel filters, because they only represent a
useless burden.
Furthermore, Snooper in L7 mode is not able to deal with fragmented
packets. Should your network have an not negligible quota of fragmented
datagrams and you need to collect them, the only way is reverting to L4
mode. According to experience, this issue is not generally important in a
corporate network scenario, when compared to the performance increase that
you can achieve working in L7 mode.
26
Blueye building blocks now get configured via simple text files. In the
future, configuration commands could be stored as database tables.
27