2016-02-25 03:56 PM
what meta data can be used to detect encrypted traffic
2016-02-26 08:42 AM
Hello I would use the service meta key.
Types of traffic that definitely are encrypted are
SSL (service=443)
SSH (service=22)
Traffic that we don't understand and could be encrypted are OTHER (service=0)
However users may also pass information over other protocols. Information could be exfiltrated as part of valid DNS or HTTP traffic.
It might be better to look for unusual traffic size packets between end points.
In Investigation View you can sort events by Event Size rather than Event Count. This would allow you to see which ip sources and ip destinations are responsible for the most traffic.
2016-02-26 08:42 AM
Hello I would use the service meta key.
Types of traffic that definitely are encrypted are
SSL (service=443)
SSH (service=22)
Traffic that we don't understand and could be encrypted are OTHER (service=0)
However users may also pass information over other protocols. Information could be exfiltrated as part of valid DNS or HTTP traffic.
It might be better to look for unusual traffic size packets between end points.
In Investigation View you can sort events by Event Size rather than Event Count. This would allow you to see which ip sources and ip destinations are responsible for the most traffic.