This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

encrypted traffic

Go to solution
PhilipPeter
Beginner
Beginner

‎2016-02-25 03:56 PM

what meta data can be used to detect encrypted traffic

0 Likes
1 ACCEPTED SOLUTION

Accepted Solutions

Go to solution
DavidWaugh1
Employee
Employee

‎2016-02-26 08:42 AM

Hello I would use the service meta key.

Types of traffic that definitely are encrypted are

SSL (service=443)

SSH (service=22)

 

Traffic that we don't understand and could be encrypted are OTHER (service=0)

 

However users may also pass information over other protocols. Information could be exfiltrated as part of valid DNS or HTTP traffic.

It might be better to look for unusual traffic size packets between end points.

 

In Investigation View you can sort events by Event Size rather than Event Count. This would allow you to see which ip sources and ip destinations are responsible for the most traffic.

View solution in original post

Preview file
119 KB
1 REPLY 1

Go to solution
DavidWaugh1
Employee
Employee

‎2016-02-26 08:42 AM

Hello I would use the service meta key.

Types of traffic that definitely are encrypted are

SSL (service=443)

SSH (service=22)

 

Traffic that we don't understand and could be encrypted are OTHER (service=0)

 

However users may also pass information over other protocols. Information could be exfiltrated as part of valid DNS or HTTP traffic.

It might be better to look for unusual traffic size packets between end points.

 

In Investigation View you can sort events by Event Size rather than Event Count. This would allow you to see which ip sources and ip destinations are responsible for the most traffic.

Preview file
119 KB
© 2022 RSA Security LLC or its affiliates. All rights reserved.