I know that Netwitness 11 has the respond view for Incidents but how about extending this generally to interrogate meta?
Netwitness is very good at collecting data, but not so good when it comes to displaying it.
With the help of a colleague I have been playing around with D3 (https://d3js.org/ ) which is a great library.
As an example of this i wrote a normal report that would output denied connections to a csv file.
The format of the csv was
This means that there were 10 denied connections from 188.8.131.52 to 184.108.40.206 and 220.127.116.11 was in mygroup.
Here is the picture when i fed it some real data.
As you can see there were about 6 large clusters. (In the web page it is possible to zoom in but this is real data!)
If we exclude these large clusters, then we get a different picture.
Here we can see some more distinct clusters. In particular the one in the top right was traffic to two ip address on the same port.
When these pictures came up on my screen I was surrounded by people who we're asking what they were and were immediately interested. This is the same data that is already in Netwitness, just presented differently.
The advantages of this approach are
- Size of circles shows you how big the problem is
-Colour allows you to identify groups
- Arrows shows you connections
- You can see clusters
Yes, you can find the information already in Netwitness but it does not jump out at you. What would be great is if there was a view were you can narrow down your data and put in into a graph so you can create these graphs in realtime.
In the meantime, this can be done by:
1) Create a directory called /var/netwitness/srv/www/d3/ on the SA Server
2) Creating a report to write out CSV and copy the CSV to the directory /var/netwitness/srv/www/d3/
3) Amend the header line of the CSV so that it reads source,target,total,group
4) Copy the attached html file to this directory
5) Copy the d3.v3.js available from https://d3js.org/d3.v3.js into this directory.
4) Create a SSH Tunnel in putty to map localhost port 8080 to port 80 on the SA Server
5) With an SSH Tunnel to the SA Server navigate to localhost:8080/d3/index.html