Real-Time Event View
The Real-Time page shows Flow Summaries, IDS Events, Host/Service Discovery Information, Syslog and Incident Reports as they are being generated by the sensors. These events come directly from the sensors to the browser and are encrypted end-to-end (from the sensor to the browser). If the sensor is configured in client mode, it communicates through a forwarder service hosted in the MetaFlows datacenter. However, the forwarded traffic is never decrypted until it reaches the browser (as only the browser holds the session key). The IDS, Host/Service Discovery events, syslog and incident reports are also archived on the server and are available through the historical reports. The Flow Data is stored on the sensor. See Historical Flow and Payload Data Storage for further details on the flow data storage.
Real-Time Event View Columns
A sample of the Real-Time interface is shown in Figure 1. Right-clicking on each row provides a menu for further analyzing each record (see Forensic Tools for details).
Details provided in the "Real-Time" interface are:
- <TZ> Time - This displays the date (MM/DD) and time (HH:MM:SS) the event record was created in the time zone selected in the Account Preferences.
- Sensor - This identifies the sensor from which the event was collected.
- Rank - This displays the priority of the flow with respect to global correlation. Events received from the sensors are compared against the global correlation information collected through the MetaFlows site, and a match raises or lowers the flow's priority, shown as a positive or negative ranking respectively. A 0 ranking means that no correlation information is currently available.
- Bytes - This is the number of bytes exchanged between the server and client during the reported event. For performance reasons this number is derived from the TCP sequence numbers rather than by counting payload, so it can occasionally be incorrect when the TCP sequencing is inconsistent.
- Packets - This reports the number of packets exchanged between the server and client during the event reported.
- Flows - This indicates the number of TCP or UDP flows summarized by each row.
- Server/Client - This is the IP address of the server/client. If more than one server/client is summarized by the row, a link with the number of unique servers/clients is shown. Clicking on the link shows the complete list of servers/clients in a popup within the window. Below these are any service or syslog events that have been associated with the addresses involved in the flow.
- Server/Client Ports - This identifies the server/client ports summarized in this row. If more than one server/client port is summarized by the row, a link with the number of unique ports is shown. Clicking on the link shows the complete list of server/client ports in a popup within the window.
- Events - This lists the event messages associated with each flow.
- Proto - This is either 6 (TCP) or 17 (UDP).
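As an added example (not MetaFlows code), the following Python flow summariser fills the Packets, Bytes and Proto columns from constructed packet records the way the columns are described above, deriving Bytes from the TCP sequence numbers per direction; the sample includes a retransmitted segment and a sequence-number wrap to show where that estimate differs from a plain payload sum. The record field names and layout are assumptions.

```python
MASK32 = 0xFFFFFFFF

# Constructed records, not captured traffic. "dir" is c2s or s2c; "seq" and
# "len" are the TCP sequence number and payload length of each segment.
SAMPLE_PACKETS = [
    {"proto": 6, "client": "10.0.0.5", "cport": 51000, "server": "203.0.113.10",
     "sport": 443, "dir": "c2s", "seq": 1000, "len": 100},
    {"proto": 6, "client": "10.0.0.5", "cport": 51000, "server": "203.0.113.10",
     "sport": 443, "dir": "c2s", "seq": 1100, "len": 100},
    # retransmission of the previous segment: same seq, same length
    {"proto": 6, "client": "10.0.0.5", "cport": 51000, "server": "203.0.113.10",
     "sport": 443, "dir": "c2s", "seq": 1100, "len": 100},
    # server side straddles the 32-bit sequence wrap
    {"proto": 6, "client": "10.0.0.5", "cport": 51000, "server": "203.0.113.10",
     "sport": 443, "dir": "s2c", "seq": 4294967200, "len": 200},
    {"proto": 6, "client": "10.0.0.5", "cport": 51000, "server": "203.0.113.10",
     "sport": 443, "dir": "s2c", "seq": 104, "len": 300},
    {"proto": 17, "client": "10.0.0.5", "cport": 40000, "server": "203.0.113.53",
     "sport": 53, "dir": "c2s", "seq": 0, "len": 60},
    {"proto": 17, "client": "10.0.0.5", "cport": 40000, "server": "203.0.113.53",
     "sport": 53, "dir": "s2c", "seq": 0, "len": 120},
]

def summarize_flows(packets):
    """Group packets by (proto, client, cport, server, sport). Per flow, return
    packets, bytes_seq (per direction: highest seq+len seen minus first seq
    seen, modulo 2^32) and bytes_payload (plain sum of payload lengths).
    UDP has no sequence numbers, so bytes_seq falls back to the payload sum."""
    rows = {}
    for p in packets:
        key = (p["proto"], p["client"], p["cport"], p["server"], p["sport"])
        row = rows.setdefault(key, {"packets": 0, "bytes_payload": 0, "span": {}})
        row["packets"] += 1
        row["bytes_payload"] += p["len"]
        if p["proto"] == 6:
            first, top = row["span"].get(p["dir"], (p["seq"], 0))
            # Offset of this segment's end from the first seq; masking keeps
            # the subtraction correct across the 2^32 wrap.
            end = (p["seq"] + p["len"] - first) & MASK32
            row["span"][p["dir"]] = (first, max(top, end))
    for row in rows.values():
        span = row.pop("span")
        row["bytes_seq"] = sum(t for _, t in span.values()) if span else row["bytes_payload"]
    return rows

if __name__ == "__main__":
    for key, row in summarize_flows(SAMPLE_PACKETS).items():
        print(key, row)
```

The TCP row reports 700 bytes by sequence numbers (the retransmission is not double counted) but 800 by payload sum; a sensor that misses the first segment of a direction would undercount with the sequence method instead.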
Real-Time Data Management
At the bottom left of the Real-Time page, you will see the menu shown in Figure 2. The actions are described below:
- Inspect the sensor connection status.
- Edit/add classifications as described in Event Classification.
- Search for records by IP address.
- Perform a vulnerability scan of a target IP address.
- Create a new IPv4 block rule using SoftIPS.
- Pause the Real-Time updates so that new events stop loading.
- Enable the display of all Flow Events (regardless of related IDS, service, syslog or incident report events).
- Disable the display of Flow Events (flows without any related IDS, service, syslog or incident report events).