RSA enVision^® Discussions

EricLevin · ‎2008-10-22

I am trying to create a custom report which will show me foreign address on the X axis and number of FTP connections on the Y axis, however I cannot get it to work. Does somone want to help me?

RSAAdmin · ‎2008-10-22

Hi elevin, can you post the .xml file of the report you have started with so we can take a look?

EricLevin · ‎2008-10-28

Here is the chart I started. Any help would be welcomed.

RSAAdmin · ‎2008-10-29

Hi Eric,

I took a look at this - the XML is currently set to create a Scatterplot of Foreign Address vs. Foreign Address, which isn't going to give you what you want.

A Bar Chart of Foreign Address vs. count(Foreign Address) will give you what you need. I edited your report to do this and it seems to work. Try it out and let us know if it's what you're after!

Note: I don't have any test data that included a ForeignPort of 21, so I had to modify the Where Clause in my template to look for LocalPort = 21 - the result of that test is what you see in the attached picture. The attached XML contains your original Where Clause, though.

Also, I set a limit to display just the top 20 results, otherwise the graph runs the risk of getting overcrowded and unreadable.

Let us know if this helps.

Message Edited by MattMarchand on10-29-200808:18 AM

EricLevin · ‎2008-10-29

Matt -

Thanks for your help. This does a fine job of displaying the number of FTP connections by foreign address which is valuable to me, however what I was hoping to see is which local address is establishing connections to which foreign address. That is why I was using the plotter graph. Here is the exact problem I am trying to solve:

My FW logs show the following over a 1 hour period

Local address, foreign address, foreign port

local host 1, foreign host 1, 21

local host 1, foreign host 2, 21

local host 2, foreign host 3, 21

local host 3, foreign host 4, 21

local host 1, foreign host 4, 21

local host 1, foreign host 5, 21

local host 1, foreign host 1, 21

...

With this I know:

Local Host 1 connected to Foreign Host 1 3 times

Local Host 2 connected to Foreign Host 3 1 time

Local host 3 connected to Foreigh Host 4 3 times

Local host 1 conneected to Foreign Host 2 1 time

Local host 1 conneected to Foreign Host 4 1 time

Local host 1 conneected to Foreign Host 5 1 time

This is the information I would like to see charted. Something like the attached (mocked up in Excel). Let me know if this does not make sense.

RSAAdmin · ‎2008-10-29

OK - I see what you're after now - Top pairs of addresses using an FTP exchange. I can do this easily with a tabular report. Let me see if I can graph it somehow.

RSAAdmin · ‎2008-10-29

Alas, it would seem the graphing engine is not quite sophisticated enough to pull off what you are asking for.

I can't get the combo Local/Foreign Address to display on the tic labels, nor can I get them to appear as labels on either the bar or point data.

Best I can offer is the attached tabular report - it provides the data set you want, but not presented quite the way you want it. You could export the data it provides to CSV and manipulate the graph options you need, though.

Message Edited by MattMarchand on10-29-200803:46 PM

RSAAdmin · ‎2008-10-29

As Matt indicated, the tabular version is easier. I couldn't pull it off on a graph... at least not inside 20 minutes. Pls note: this one does a countDISTINCT(Date/Time) and there's a remote chance you might get more than one ftp attempt inside the tenth of a second that the event is logged. would also suggest throwing "DeviceAddress IN (select paddr from device_list where dtype=XX)" into the SQL clause where XX is your firewall device type, just to speed things up.

I'd be interested in figuring out the graphical plot of this as well... but I ran out of time.

RSA enVision® Discussions

Need a Graph Report showing FTP Destination - Cannot get it to work!

RSA enVision^® Discussions