Differences

This shows you the differences between two versions of the page.

--- offline:wrccdc_pcaps_results [2018/05/12 23:38] – [Get an overview of flow activity] veera
+++ offline:wrccdc_pcaps_results [2018/05/12 23:41] – [Viewing IDS Alerts] veera
@@ Line 44: / Line 44: @@
 ==== Get an overview of flow activity ====
-//Open with Dashboards > Flows//
+//Open with Dashboards > Sessions//
 This is a favorite starting point. You can see the PCAP dump from a flow perspective, you immediately get insight into what actual traffic is flowing.  In this case , you can immediately see more than 30% of the traffic in the PCAP is from 10-15 flows.  There is a lot of windowsupdate, symantec updates, etc.  That is useful baseline information to have.  You can also get flows uploading data OUT of your network, downloads, long running flows but low volume, etc.
@@ Line 51: / Line 51: @@
 ==== Viewing IDS Alerts  ====
+Another great baseline place to start. Remember from Part-1 in addition to Trisul , we also run Suricata with ALL rules from ET-Open ruleset. The alerts generated by this give us a fairly good idea of the hygiene of the network. In this case, as you would expect there are a ton of NMAP scans, a few ETERNALBLUE and other alerts. You can use the "Search" form on the top to filter further. But right now, we have a fairly good baseline from this angle.
 {{ :offline:wrccdc1.png?direct&400 |}}