By right-clicking a row in the Real Time or Historical summary reports, users can access the Forensic Tools shown in Figures 1 and 2 below. Summary View ("All") has a different set of menu options than Detailed View.
- 1 Forensic Tools
- 1.1 View Flow Details
- 1.2 Packet Data
- 1.3 Whois Server/Client Address
- 1.4 Show Files in Flow(s)
- 1.5 Resolve Server/Client Address
- 1.6 Escalate Records
- 1.7 Classify
- 1.8 Filter by Server/Client
- 1.9 Tune IDS
- 1.10 Rule Info
- 1.11 Server/Client Address Historical Report
- 1.12 Block Server/Client
- 1.13 Map These/All Addresses
- 1.14 Scan Server/Client/Port
- 1.15 Annotate Rule/Server/Client
This menu is context-sensitive and only displays the options available for a particular record (row). For example, if a particular record has multiple server addresses, the Resolve Server Address option is not available.
View Flow Details
Whois Server/Client Address
Show Files in Flow(s)
Selecting this launches the Historical Flow and Payload Data Interface to show any recent flows and to try to carve any files associated with this record. Note that you must have a green light in the top right corner for this option to be available, because the packet payloads are retrieved from the sensor. Refer to Historical Flow and Payload Data for details on this page.
Resolve Server/Client Address
This resolves the server/client address via DNS for the selected record.
Classify
This launches a Classify window pre-populating all the fields of the classification with the value of this record. See Event Classification for further details.
Filter by Server/Client
This changes the interface to only show events which include the specified IP address.
Tune IDS
Using this allows for the creation of pass rules so that the sensor will ignore certain events in the future. The pass rule can be restricted to the specific addresses involved in the event or to all addresses (thus implicitly disabling the rule).
Rule Info
This launches the Rule Info interface for the Snort event selected.
Server/Client Address Historical Report
This option opens a new instance of the Historical Report page with a query to find all events matching the server address or client address for this particular record.
Block Server/Client
This inserts a block classification for the specified IP Address.
Map These/All Addresses
Scan Server/Client/Port
This initiates a vulnerability scan against the specified IP addresses and ports.
Annotate Rule/Server/Client
This adds the user's comments to a database that is shared among all MetaFlows users.