offline:wrccdc_pcaps_results [2018/05/12 23:41] – [Viewing IDS Alerts] veeraoffline:wrccdc_pcaps_results [2018/05/12 23:48] – [Retro Analysis - view advanced counters] veera
Line 58: Line 58:
  
 ==== Retro Analysis - view advanced counters ==== ==== Retro Analysis - view advanced counters ====
 +
 +//To open : Retro > Retro Counters //
 +
 +The retro analysis tools let you select arbitrary timeframe in the past and then drilldown into that. Since TrisulNSM is a streaming analytics tool, it can handle very large timeframes easily compared to search based tools.  Here we want to use **Retro Counters** to view whats in the PCAP dump from a metrics perspective. It only takes seconds per counter and in less than a minute you can get a fantastic baseline from many angles.
  
 [{{ :offline:retro_time.png?direct&400 |Select a timeframe and then view 100s of metrics}}] [{{ :offline:retro_time.png?direct&400 |Select a timeframe and then view 100s of metrics}}]
  
-Here we are seeing the JA3 TLS Fingerprints+You have to select a time frame from the bandwidth chart and then select one of the 40+ "counter groups" we have built into Trisul.  There are groups for TLS counts (Cert authorities, Orgs, ciphers used), SNI, HTTP Hosts, Error codes, Countries, ASN, and several advanced ones like [[https://github.com/salesforce/ja3|JA3 Hashes]]. To get the JA3 Hash metrics we have selected a timeframe and the //JA3 Print// from the drop down list. 
  
 [{{ :offline:w19.png?direct&400 |Here we are seeing the JA3 TLS Fingerprints, building a baseline model}}] [{{ :offline:w19.png?direct&400 |Here we are seeing the JA3 TLS Fingerprints, building a baseline model}}]
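Review bot: the new paragraphs added under the "Retro Analysis - view advanced counters" heading carry a few wording slips that should be corrected before this revision is kept: "select arbitrary timeframe" should read "select an arbitrary timeframe", "drilldown into that" should be "drill down into that", and "view whats in the PCAP dump" should be "view what's in the PCAP dump"; "drop down list" is conventionally "drop-down list". The replaced line "Here we are seeing the JA3 TLS Fingerprints" survives as the caption of the second screenshot, so the edit loses nothing, but the text should state which counter group the screenshot shows in the same terms as the list it introduces (TLS, SNI, HTTP Hosts, Error codes, Countries, ASN, JA3) so a reader can match the drop-down entry "JA3 Print" to that list.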
offline/wrccdc_pcaps_results.txt · Last modified: 2018/05/13 00:08 by veera