offline:wrccdc_pcaps_results
Differences
offline:wrccdc_pcaps_results [2018/05/12 23:35] – [Start from PCAP Summary Dashboard] veera | offline:wrccdc_pcaps_results [2018/05/12 23:48] – [Retro Analysis - view advanced counters] veera | ||
---|---|---|---|
Line 34: | Line 34: | ||
==== Hosts Dashboard ==== | ==== Hosts Dashboard ==== | ||
- | ** Open with Dashboards > Hosts ** | + | //Open with Dashboards > Hosts// |
The Hosts dashboard is a good top level dashboard to give you a baseline view of host activity. See which internal and external are most active. By volume, by connections, | The Hosts dashboard is a good top level dashboard to give you a baseline view of host activity. See which internal and external are most active. By volume, by connections, | ||
Line 44: | Line 44: | ||
==== Get an overview of flow activity ==== | ==== Get an overview of flow activity ==== | ||
+ | //Open with Dashboards > Sessions// | ||
+ | |||
+ | This is a favorite starting point. You can see the PCAP dump from a flow perspective, | ||
[{{ : | [{{ : | ||
==== Viewing IDS Alerts | ==== Viewing IDS Alerts | ||
+ | Another great baseline place to start. Remember from Part-1 in addition to Trisul , we also run Suricata with ALL rules from ET-Open ruleset. The alerts generated by this give us a fairly good idea of the hygiene of the network. In this case, as you would expect there are a ton of NMAP scans, a few ETERNALBLUE and other alerts. You can use the " | ||
{{ : | {{ : | ||
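Review bot: the added "Viewing IDS Alerts" paragraph has a punctuation slip in "Remember from Part-1 in addition to Trisul , we also run Suricata": there should be a comma after "Part-1" and no space before the comma after "Trisul", e.g. "Remember from Part-1: in addition to Trisul, we also run Suricata". This section is also the only one in the diff without an italicised "//Open with ...//" line naming the dashboard, unlike the Hosts and Sessions sections; adding one keeps the page consistent.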
Line 54: | Line 58: | ||
==== Retro Analysis - view advanced counters ==== | ==== Retro Analysis - view advanced counters ==== | ||
+ | |||
+ | //To open : Retro > Retro Counters // | ||
+ | |||
+ | The retro analysis tools let you select arbitrary timeframe in the past and then drilldown into that. Since TrisulNSM is a streaming analytics tool, it can handle very large timeframes easily compared to search based tools. | ||
[{{ : | [{{ : | ||
- | Here we are seeing | + | You have to select a time frame from the bandwidth chart and then select one of the 40+ " |
[{{ : | [{{ : |
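Review bot: in the new Retro Analysis paragraph, "select arbitrary timeframe in the past and then drilldown into that" should read "select an arbitrary timeframe in the past and then drill down into it". The opener "//To open : Retro > Retro Counters //" also has stray spaces inside the italic markers and uses a different wording from the "//Open with Dashboards > ...//" lines in the other hunks; "//Open with Retro > Retro Counters//" would match them.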
offline/wrccdc_pcaps_results.txt · Last modified: 2018/05/13 00:08 by veera