This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Community Blog
Subscribe to the official NetWitness Community blog for information about new product features, industry insights, best practices, and more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Vertical Scan Dashboard for Firewall Logs

Anonymous
Not applicable
‎2016-10-12 10:06 PM

Vertical Scan Dashboard for Firewall Logs

Overview

 

The Vertical Scan Dashboard for Firewall Logs shows vertical scan activity conducted against any firewall class device on the Internet Perimeter. This set of dashlets will display the top 10 port probing/scanning activity over the last 24 hours, broken down into the following categories:

  • Unique port count of individual IP addresses probing/scanning the network and displayed by IP address.
  • Unique port count of countries probing/scanning the network and displayed by country.
  • Unique IP address count of individual Countries probing/scanning the network and displayed by country.
  • Top 10 most denied destination ports, displayed by port.

 

The Dashlets

Top 10 Denied IP High Unique Port Count

It looks at the inbound traffic and every hour it counts the number of unique ports for each source IP address it sees, then it displays them in a Timeline and a Summary format by IP address.  In short, it shows which IP addresses are using the most ports to scan your network on an hourly basis.  Basically a vertical scan, a single IP probing multiple ports.

pastedImage_7.png

 

Top 10 Denied High Unique Port Count by Country

It looks at the inbound traffic and every hour it counts the number of unique ports for each source IP address it sees, then it displays them in a Timeline and a Summary format by country.  In short, a unique port count by country and displayed by country.

pastedImage_8.png

 

Top 10 Denied Countries by Unique IP Count

It looks at the inbound traffic and every hour it counts the number of unique IP addresses for each Source Country it sees, then it displays them in a Timeline and a Summary format by country.  In short, it’s a count of unique IP addresses used to probe your network displayed by country.

pastedImage_9.png

 

Top 10 Denied Destination Ports

It looks at the inbound traffic and every hour it finds the distinct ports and counts how many times they are denied.  Then it displays them in a Timeline and a Summary format as shown below.  In short, it shows the top ten ports that are being probed and denied.

pastedImage_10.png

Prerequisites

You must have the items listed below installed and configured for this dashboard to work properly.

Security Analytics/Netwitness

  • Versions 10.5 or higher
  • Log Decoder and Concentrator
  • Firewall Logs

Versions Prior to 10.5 will not have the “distinct” and “countdistinct” available in the Report Engine.

Lua Parser

  • Traffic Flow (RSA Live)
  • lua (RSA Live

 

Directions for installation and configuration of this parser are located in the link below:

https://community.rsa.com/docs/DOC-44948

 

If you already have a parser that defines Internet source IP addresses, you can modify the rules and swap out the “netname='other src'” with your metakey and value.

Netwitness Vertical Scan Dashboard for Firewall Logs.zip
Netwitness Vertical Scan Dashboard for Firewall Logs.zip
2 Comments
© 2022 RSA Security LLC or its affiliates. All rights reserved.