This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

RSA NetWitness® Platform Discussions

Discussions about the RSA NetWitness Platform.
PhilipPeter
Beginner
Beginner
‎2016-02-25 03:56 PM

encrypted traffic

Jump to solution

what meta data can be used to detect encrypted traffic

0 Likes
Reply
1 Solution

Accepted Solutions
DavidWaugh1
Employee
Employee
‎2016-02-26 08:42 AM

Jump to solution

Hello I would use the service meta key.

Types of traffic that definitely are encrypted are

SSL (service=443)

SSH (service=22)

 

Traffic that we don't understand and could be encrypted are OTHER (service=0)

 

However users may also pass information over other protocols. Information could be exfiltrated as part of valid DNS or HTTP traffic.

It might be better to look for unusual traffic size packets between end points.

 

In Investigation View you can sort events by Event Size rather than Event Count. This would allow you to see which ip sources and ip destinations are responsible for the most traffic.

View solution in original post

Preview file
119 KB
Reply
1 Reply
DavidWaugh1
Employee
Employee
‎2016-02-26 08:42 AM

Jump to solution

Hello I would use the service meta key.

Types of traffic that definitely are encrypted are

SSL (service=443)

SSH (service=22)

 

Traffic that we don't understand and could be encrypted are OTHER (service=0)

 

However users may also pass information over other protocols. Information could be exfiltrated as part of valid DNS or HTTP traffic.

It might be better to look for unusual traffic size packets between end points.

 

In Investigation View you can sort events by Event Size rather than Event Count. This would allow you to see which ip sources and ip destinations are responsible for the most traffic.

View solution in original post

Preview file
119 KB
Reply
© 2020 RSA Security LLC or its affiliates.
All rights reserved.