Version 18.6 Plixer - readthedocs.com

Scrutinizer DocumentationVersion 186

Plixer

Scrutinizer

1 Admin 311 Admin Tab Overview 312 Data Aggregation 1513 Interface Details 1914 Licensing 2115 Report Designer 2216 Reporting 2417 User Name Reporting Overview 2518 User Name Reporting - Active Directory Integration 2619 User Name Reporting - Cisco ISE Integration 41

2 Alarms 4521 Overview 4522 Gear Menu 4723 Configuration Menu 4724 Views Menu 4925 Bulletin Board Events 5226 Reports Menu 5327 Edit Policy 5428 Notification Profile 5629 Threat Index 59

3 Baselining 6131 Baselining Overview 61

4 Dashboards 67

41 Dashboard Overview 6742 Vitals Dashboard 71

5 Flow Analytics 7551 Overview 7552 Navigation 7653 Configuration 7754 Exclusions 7855 Algorithm Activation Strategy 8056 Algorithms and Gadgets 8157 Custom Algorithms 9458 FA Bulletin Boards 9859 Optimizing FA 100

6 Maps 10161 Main View 10162 Connections 10263 Dependencies 10364 Google Maps 10465 Groups 10566 Objects 10667 Plixer Maps 10768 Settings 111

7 Status 11371 Status Tab 11372 CrossCheck 11973 CSV Reporting 12174 Device Overview 12175 Flow Hopper 12276 Flow View 12277 Network Traffic Reporting 12678 Report Thresholds 13679 Run Report 138710 Scheduling a report 140711 Vitals Reporting 143

8 System 14781 Backups 14782 Changelog 14883 Check Vulnerabilities 15684 Distributed Collectors 15785 Flowalyzer 15786 Interactive scrut_util 158

87 Language Translations 17888 Mailinizer Setup 17989 Meta Data Collection 180810 Migration Utility 182811 Multi-Tenancy Module 190812 NetFlow Help 190813 NetFlow Knights 190814 Searching 191815 Security Updates 193816 SSL 195817 System LEDs 197818 Third Party Licenses 200819 Troubleshooting 221820 Vitals 222821 Web Server Port 222

9 Implementation Guides 22391 Configuring Amazon Web Services flow streaming 22392 How to Add Resources to a Scrutinizer EC2 Instance 22893 Configuring Ciscorsquos FireSIGHT eStreamer Client 23194 Configuring Endace Probe Integration 23895 Configuring Scrutinizer for DualMulti-homing 24096 Creating a Network Map 24397 Creating Thresholds and Notifications 24498 Elasticsearch Kibana (ELK) Integration 24799 Scrutinizer for Splunk Application 250910 Third Party Integration 254911 Using the Reporting API 261912 Using the IP Groups API 277913 Using the User API 284

Scrutinizer Documentation Version 186

Welcome to the on-line manual

Click Here for online troubleshooting or FAQs

There are also online webcasts which give quick overviews (ie 2 - 5 minutes each) of specific features

Important Donrsquot struggle contact Plixer support

Scrutinizer 1

2 Scrutinizer

CHAPTER 1

11 Admin Tab Overview

This section covers all the options under Scrutinizerrsquos Admin Tab

111 Settings

The Settings page is primarily left to the administrators

bull Alarm Notifications Enable additional system alarms

bull Alarm Settings Modify settings to optimize syslog and SMTP processing

bull ASA ACL Descriptions Enter the username and password used to SSH into ASA firewalls toretrieve ACL descriptions (Appliance only)

bull AWS Configuration Set parameters for Amazon Web Services flow streaming configuration here

bull CrossCheck Specify the thresholds for changing color and the syslog threshold that the FaultIndex must reach to trigger a syslog

bull Data History Specify how long each flow interval is saved

ndash Historical 1 Min Avg Saves 100 of all flows received Make sure the serverhas enough disk space to save significant quantities of the raw flows The 1 minuteintervals consume the most disk space as it is not aggregated and flows are in rawformat

ndash Historical 5 minute - 1 week Avg These intervals only save the specified Maxi-mum Conversations after aggregation per interval

ndash Maximum Conversations Used when creating large intervals (eg 5 minute) fromprior intervals (eg 1 minute) All flows are aggregated together per router The top1000 (default) based on bytes are saved

ndash Auto History Trimming This option allows for automatic database trimmingwhen available disk space falls below 10 (with a minimum threshold of 10GB)Check the checkbox to activate this option An alarm will also be generated tosend an alert that the database is being trimmed (1 minute and 5 minute conversa-tion database tables) and includes how much 1 minute and 5 minute data currentlyexists in the database (in hours)

Read more about topics related to this subject

Data Aggregation

System LEDs

Note In a distributed collector environment each collector will perform the databasetrimming independent of the other collectors Auto History Trimming onoff appliesto all of the collectors in the cluster but the database trimming will only occur on theserver(s) that fall below 10 of available disk space

bull Email Server Necessary for on demand and scheduled emailed reports Make sure the test issuccessful

bull Flow Analytics Configuration Used to configure the algorithms and monitor their performance

bull Flow Analytics Exclusions Used to manage the Flow Analytics IP Group and hostname exclusions

4 1 Admin

bull Flow Analytics Settings Used to modify default settings of Flow Analytics relating to FlowProDefender jitter latency violations and top algorithms

bull Licensing Displays the current licensing level expiration date(s) and unique Machine ID forthis installation The Machine ID is required by Plixer Customer Service for generating newlicense keys Once a new key is received to activate the key copy and paste the entire key in theLicense Key textbox See the System gt Licensing page for more information

bull Mapping Groups Add and manage Map Groups

bull Mapping Objects Add and manage Map Objects

bull Proxy Server Setup the server to work with a proxy server

bull Reporting Report settings configuration options

bull Syslog Server Configure the syslog server port and priority

bull System Preferences System Preferences are accessible via Admin Tab -gt Settings -gt SystemPreferences The list of options are global configuration settings for all of the collectors Theexplanation for each feature is to the right of the setting

112 Definitions

bull 3rd Party Integration Create links to 3rd party applications and pass variables in URLs Afterenabling 3rd Party Integration links will be available in the Device Explorer on the Maps and StatusTabs

Warning Please be aware that Solarwinds includes the User ID and Password in plain text inthe URL Using HTTPS will protect the integrity of the credentials over the network but theywill still be visible in the URL per process set by Solarwinds

bull Applications This feature is useful for properly labeling in-house applications Some applicationsutilize multiple IP addresses and ranges of ports This utility is used to create a single applicationname that is made up of multiple IP addresses numerous ports and protocols

bull Autonomous Systems Display and search Autonomous System Names that are shipped with thesoftware or imported by the user Use import asns in Interactive scrut_utilexe to import AS Names

11 Admin Tab Overview 5

bull Host Names Setup and modify known hosts Use this option to statically assign host names to IPaddresses that will not age out It can also be used to label subnets in the related report types Thereare three resolve DNS options

ndash Current - Has been or attempted to be resolved already (will expire in whatever days are setin the serverprefs)

ndash Queued - Ready to be resolved by the resolver User can set it to Queued to force a DNSresolve again on the host

ndash Never - A permanent address that was manually added by the user Users can make namespermanent by switching this to never Itrsquos not purged

bull Interface Details Displays the SNMP details of the devices sending flows Allows custom deviceand interface names to be defined which override the defaults Notice that the in and out speedscan be entered to override what was collected with SNMP

bull IP Groups IP Groups are used to group ranges of IP addresses or subnets that belong in a specificgroup (eg Marketing sales phones etc) A single IP group name can contain multiple rangesand or subnets Run a report on an interface to see the IP Group reports

bull Language Use this interface to update languages or create new translations

bull MAC Addresses Lists MAC Addresses with labels as collected by the utility It is scheduled torun nightly

ndash MAC address descriptions are collected from Cisco wireless LAN controllers via SNMP

ndash MAC address descriptions are collected from option templates that contain these two ele-ments lsquostamacaddressrsquo and lsquousernamersquo

ndash Run the scrut_util lsquocollect optionsummaryrsquo utility to force immediate collection

ndash Manually enter or edit MAC Address information here

bull Manage Collectors Provides details on the servers which are collecting flows for this Scrutinizerinstall Multiple collectors will be listed if a distributed solution has been deployed

ndash Delete This check box can be used to remove collector(s) from the list

ndash Collector IP Address of the flow collector

ndash State Current state of the flow collector - ONLINE or OFFLINE

6 1 Admin

ndash Exporter Count Number of exporters that are currently sending flows to the collector

ndash First Flow Time Timestamp when flows first received by the collector

ndash Last Flow Time Timestamp when the last flows were received by the collector

ndash Flow Rate Current flows per second per collector

ndash Packet Rate Current packets per second per collector

ndash MFSN Rate Missed Flows Sequence Number rate in flows per second

ndash Duplicate Rate Duplicate flows per second

bull Manage Exporters Details on the devices sending flows This page provides the following infor-mation and configuration options as viewed from left to right on the screen

ndash Action Down Arrow Use this menu to make several changes to how the flow exporter isrepresented in the system

Edit Additional Notes Add a few comments about the device that can be seen in theStatus and Maps tabs

Edit Name Give the device a name if it doesnrsquot resolve to an IP address If it resolved toa host name this will over write it

Edit Protocol Exclusions Used to tell the collector to drop flows on certain ports Thiswas build because some vendors like Cisco export the same flows twice when VPNs ortunnels have been configured

Edit SNMP Credential Define the community string to use when querying the device

Update SNMP Poll the device for SNMP details on demand

ndash Check Box Check this checkbox to remove the device from the Status tab device tree Thedevice will be rediscovered immediately if the collector is still receiving flows from the deviceNote that templates and interfaces from devices that stop sending flows are aged out

ndash Round LED click to view the Interface Details

Green This exporter is enabled and up on the collector specified

Red This exporter is enabled and down on the collector specified

Yellow No flows have been received for this exporter on the collector specified

Gray This exporter is disabled on the collector specified

ndash Exporter Exporter name or IP Address if unnamed Clicking on nameIP Address opens aManage Exporters modal with options to Name the exporter the domain for the exporter setProtocol Exclusions for this exporter SNMP Credential selection and also attach AdditionalNotes to the exporter

ndash Status

Enabled Flows from this exporter will be collected stored and available for reporting

Backup Flows from this exporter will be collected and stored but will not be includedin reporting from this collector

Disabled Flows from this exporter will be ignored by the collector

Unlicensed Set by the collector This exporter exceeds the exporter license count andflows from it will be ignored Users wanting to disable specific exporters should uselsquodisabledrsquo

ndash Last Activity Timestamp when the last flow was received for this exporter

ndash Collector IP IP Address of the collector receiving flows for this exporter

ndash Credential SNMP Credential in use by this exporter Clicking on the SNMP Credentialopens the Manage Exporters configuration modal to the SNMP section allowing editing ofthe credential

ndash Additional Notes Any notes added to this exporter are visible in this column

bull Notification Manager Configure notifications to be applied to Policies in the Alarms tab

bull Policy Manager List all of the Policies that are configured for the Alarms Tab Learn more aboutediting policies

bull Protocol Exclusions Define protocols to exclude during the collection process per exporter ex-porterrsquos interface or for all exporters and interfaces

Default protocol exclusions for all devices are

8 1 Admin

(any private encryption scheme) (99)(ENCAP) (98)(ESP) (50)(ETHERIP) (97)(GRE) (47)(IPIP) (94)

Excluding these protocols prevents possible duplication of flow reporting The Understanding Net-Flow Traffic Volume blog explains this in more detail

bull SNMP Credentials Configure the SNMP Credentials used on each flow exporter SNMP v1 v2and v3 are supported

bull Type of Service (ToS) Configure the ToS and DSCP values displayed in the reports Be sure todefine the ldquoToS Familyrdquo under System Preferences

bull Well Known Ports Define port names In the Well Known Ports report the following logic isused

ndash Which port is lower the source port or the destination port

ndash If the source port is lower and defined use this as the well known port

ndash Else use the destination port if defined as the wellknown port

ndash Else display the lower port as the wellknown port

113 Security

bull Auditing Report Displays a report of all the administrative actions users have performed withinScrutinizer

bull Authentication Configure general authentication settings enable or disable different technologiesallow or deny users from different authentication methods and set the order in which methods areattempted

bull Authentication Tokens These tokens can be used to automate Scrutinizer application logins withuser-specific permissions and applicable expiration dates without having to include user name andpasswords in the URL

bull LDAP Configuration Server and connection settings for LDAP integration

ndash LDAP User Authentication Process

1 In the LDAP Configuration Administrators provide credentials for an LDAP accountwith permission to see any users theyrsquod like to permit access to

(a) This is the account that will be used to search for and authenticate users when theyattempt to log in

(b) The Searchbase defines the group that will be used to search for authorized usersThis is a required field

(c) The scope of users in that searchbase who are allowed to authenticate can be limitedin two ways

By specifying one or more Security Groups in the LDAP Configuration

By specifying individual user account names in Security gt Authentication gt LDAP

2 A user attempts to log in The system authenticates as the administrative account pro-vided then checks a searchbase specified by the Scrutinizer administrator for any accountmatching the username provided Authentication with the sAMAccountName UserPrin-cipalName or uid attribute is supported

3 If the LDAP server responds with an LDAP_REFERRAL code Scrutinizer will checkthe referred server

4 If the Scrutinizer administrator has specified multiple LDAP servers it will check themall in series until successfully authenticating or failing

5 Once the user has successfully authenticated for the first time Scrutinizer checks forany Security Group theyrsquore a member of which also exists in Scrutinizer with the sameusergroup name If it does theyrsquore added to the Scrutinizer usergroup automatically

bull RADIUS Configuration Server and connection settings for RADIUS server integration Learnmore about Radius Authentication in Scrutinizer

bull TACACS+ Configuration Server and connection settings for TACACS+ integration Learn moreabout TACACS+ Authentication in Scrutinizer

bull User Groups Specifies what a Group login account can access More details regarding the per-missions can be read about under Usergroup Permissions

bull Users Configure login preferences for individual accounts User Accounts must be a member ofone or more User Groups If no group is selected when a User Account is created they are placedin the default (eg Guest) User Group Permissions for a User Account are inherited from all theUser Groups it is a member of

10 1 Admin

Functional IDs

A functional ID is a generic account used for an IT asset Specific to Scrutinizer functional IDs are UserIDs providing access to different areas and access levels within Scrutinizer

The following functional IDs are included by default with the installation of Scrutinizer

Ap-plica-tion

User Us-age

Ac-cessLevel

Description

Op-erat-ingSys-tem

root In-ter-ac-tive

Priv-i-leged

Provides user root access to the operating system User has unre-stricted shell access SSH and console Some processes run as root(procmon scheduler poller) and some scrut_util processes whenrun by the scheduler

plixer In-ter-ac-tive

Non-privileged

Provides user access to run all plixer services andor processes Thisis the Primary user for the Interactive Scrut_util utility

pg-bouncer

Non-interactive

Non-privileged

Database load balancing

post-gresqlormysql

Non-interactive

Priv-i-leged

Database User

apache Non-interactve

Priv-i-leged

HTTP services

Databaseroot In-

ter-ac-tive

Priv-i-leged

Provides full readwrite to PostgreSQLMySQL database for localusers

scrutremoteIn-ter-ac-tive

Non-privileged

Provides communications between remote systems

scru-ti-nizer

Non-interactive

Priv-i-leged

Local DB connections

Webinter-face

ad-min

In-ter-ac-tive

Priv-i-leged

Full access to management functions

12 1 Admin

bull Usage

ndash Interactive usage allows a User to use that ID inheriting all privileges that were granted tothat ID

ndash Non-interactive is used internally by the system only and cannot be used by a User

bull Access level

ndash Privileged access level is defined as an ID with elevated entitlements such as a system admin-istrator or super user

ndash Non-privileged access allows just the access level required for the intended functions of theID

114 Usergroup Permissions

User Groups

Users are assigned to Usergroups Usergroups are granted permissions Users inherit permissions fromall the Usergroups they are a member of This functionality also serves as the basis for the enterprisefocused multi tenancy functionanlity

bull New User Groups Is used to create a new Usergroup that individual users can be assigned toGive the group a name and apply a template from another Usergroup that has similar permissionsto the new user group After creating an account find the new Usergroup on the left and click it tomodify

bull Administrators This is the admin account and cannot be deleted Users can be assigned to thisgroup and inherit all of its permissions

bull Guest This is the default guest account which cannot be deleted Users can be assigned to thisgroup and will have limited permissions

Important Permissions for an individual User account will be inherited from all Usergroups it is amember of To view all the Usergroups a user account is a member of visit Admin tab gt Security gt Usersand click on user account Then click on the User ldquoGroup Membershiprdquo tab

Settings

Specify the tabs the members of the Usergroup should be able to see Also check off the Administrativepermissions the Usergroup should have access to

Device Status

Device Status is used to grant permission to see the status of the device (ie Flow exporter) Device iconsappear blue in maps if the ldquoDevice Grouprdquo permission is granted without this permission

Interface Statistics

Interface Statistics is used to grant permission to see the statistics of an interface

Device Groups

Device Groups is used to grant permission to see a Group (ie map) Devices (ie Flow Exporters) appearblue and interfaces black unless permission is granted in ldquoDevice Statusrdquo and ldquoInterface Statisticsrdquo

Select the saved reports filters that the Usergroup will need to have access to run

Dashboard Gadgets

Select the Gadgets that the Usergroup will need to be able to add to dashboards

Members

Select the user accounts that will need to have access to this Usergroup A user can be a member ofmultiple Usergroups and inherit all applicable permissions

14 1 Admin

Bulletin Boards

Select the Bulletin Boards that the Usergroup will need to be able to access in the Alarms tab

Delete Group

This allows an administrator to delete the current Usergroup being reviewed

115 Reports

bull Report Designer Is used to create new reports that are not part of the core reporting solutionClick here for instructions on using the Report Designer

bull Report Folders Manage Saved Report Folders found in the Status tab under saved reports Noticethe Membership drop down box

ndash Folders Select a folder and add or remove reports from it

ndash Reports Select a report and add or remove folders it can be found in

bull Scheduled Reports Manage Scheduled Reports delete etc

12 Data Aggregation

121 Overview

The system can save and roll up data in one of two ways

bull Traditional Mode (Creates Forensic Tables) This is the default mode for version 17x and prior

bull SAF Mode (Creates both Summary Tables and Forensic Tables) This is the default mode for version18x and higher Summary tables are condensed flows that represent 100 of the traffic but bysummarizing the data as explained below reporting is much faster

12 Data Aggregation 15

122 Upgrades

When existing customers upgrade from version 17x and prior to 18x versions the aggregation methodwill stay in Traditional (Forensic) Mode New installs default to SAF mode Contact technical supportfor instructions on how to change this to SAF mode When running a report and switching between thetwo types of data this is referred to as the ldquoData Moderdquo

123 Traditional Mode

Traditional mode creates Forensic tables In this mode the collector saves 100 of all data in raw formatto the 1 minute forensic tables for each router Every hour it creates a new 1 minute interval table perrouter Every 5 minutes it creates higher intervals using the smaller intervals This process is calledldquorollupsrdquo

When the rollups occur for 5 min 30 min 2 hr 12 hr 1 day and 1 week two tables are created

bull Totals The total in and out byte counts are saved per interface before the data for the forensictable is calculated This table allows the reporting front end to display accurate total throughputper interface over time and allows the front end to operate with no dependency on SNMP yet stillprovide accurate total utilization reporting

bull Forensic All flows for the time period (eg 5 minutes) are aggregated together based on a tupleOnce all flows are aggregated together the top 1000 (ie default) flows based on highest byte countare saved The non top 1000 flows are dropped Remember the totals tables ensure a record of thetotal in out utilization per interface over time

When a report is run on an individual interface with 1 minute interval data the totals table isnrsquot neededbecause the forensic table contains 100 of the data When a report is run on an individual interface withno filters in 5 minute or higher intervals both the Forensic and Totals tables are used in the report Whenreporting the Totals tables are used to display the total in and out utilization of the interface and the top10 from the forensic table are subtracted out from the total and added back in color

Important In some cases a report that doesnrsquot utilize the Totals tables can understate the actual utiliza-tion of the interface

The Totals tables are not used when

bull Reporting across all interfaces of a device

16 1 Admin

bull A report is run on multiple interfaces from different devices regardless of filters

bull A non interface filter has been applied to the report (eg IP address)

bull When a report uses more than one template

bull Looking at 1 minute intervals in a report One minute intervals contain 100 of all data exportedfor the template as no rollups have occurred As a result no Totals tables are created for 1 minuteintervals

The Totals tables are only being used when

bull Looking at 5 minute intervals and higher

bull The ldquoFlow Templatesrdquo section of the report filter indicates ldquoAvailable Templatesrdquo

bull Looking at a single interface without any additional filters

Note Only the top 1000 (default) conversations are saved in the rollups by default A conversation isdefined as 1 or more flows in a time frame that match based on values in a tuple (source and destinationIP address ingress and egress interfaces commonPort etc) If the collection server has the availabledisk space try increasing the Maximum Conversations under Admin Tab -gt Settings -gt Data History to10000 and see if it improves the accuracy Donrsquot configure it right away for the maximum Instead trycarefully increasing the number of conversations saved over a few days Some reports may render moreslowly when the Maximum conversations is increased this is the result of the tables being larger

124 SAF Mode (Summary and Forensic)

SAF mode creates both Summary and Forensic tables but only the Summary tables are rolled up Sum-mary tables contain a subset of Forensic columns and are useful for fast and long term reporting It canact as a search index before drilling into the Forensic data

In SAF mode the collector saves 100 of all data in aggregated format to the 1 minute Summary tablesfor each router By default with Summary data flows are aggregated based on a tuple that includes thecommon port Fields that prevent aggreggation such as the source and destination transport ports aredropped Kept fields include but are not limited to

bull intervalTime

bull commonport

bull ingressInterface

bull egressInterface

bull sourceIpAddress

bull destinationIpAddress

bull octetDeltaCount

bull octetDeltaCount_rev

bull packetDeltaCount

bull packetDeltaCount_rev

bull flowDirection

bull applicationId

bull protocolIdentifier

The Summary aggregation logic used to create the above can be modified contact technical support fordetails on how to modify these settings

This dramatically reduces table size and maintains accuracy Every hour the collector creates a new 1minute interval Summary table per router Every 5 min 30 min 2 hr 12 hr (no 1 day or 1 week) it createshigher intervals using the smaller intervals This process is called ldquorollupsrdquo

When the rollups occur on Summary data two tables are created in exactly the same way as outlined forTraditional (Forensic) Mode The 2nd table is the Totals table

In SAF mode

bull Nearly all reports leverage the Summary tables

bull Only vendor specific reports and a few other reports that require elements such as source and des-tination ports go back to the Forensic data

bull Since Forensic tables in SAF mode are not rolled up Totals tables are not created for Forensictables

A Word about sFlow

When collecting sFlow make sure the packet samples and the interface counters are both being exportedto the collector The collector will save the packet samples to the Raw tables and the Interface counters toTotals tables even at 1 minute intervals

18 1 Admin

Warning If the sflow exporting device (eg switch) is exporting multiple templates for differentflows utilization could be overstated if the flows contain the same or nearly the same information Thefront end of Scrutinizer will render reports using data from all templates with matching informationBe careful when exporting multiple templates from the same device If this is found to be the caseuse the filters to select a single template

13 Interface Details

Selected interfaces can be hidden from the reporting GUI The SNMP community string used to commu-nicate with the device can be altered

At the top there is a drop down box containing all the flow sending devices Type in this box to filter Aftera device is selected a drop down box to select the SNMP community stringcredential will appear Nextto the community string is a check box for SNMP Enabled If SNMP Enabled is checked the WatcherService will attempt to poll and update SNMP information for the device By default the automatic SNMPdiscovery occurs once a night The user can disable the automatic SNMP capability by unchecking ldquoAutoSNMP Updaterdquo from the Admin Tab Settings -gt System Preferences

There are several columns displayed for each interface on the NetFlow capable routerswitch Some ofthem include

bull Action The Drop Down Arrow is a menu providing options for

ndash Manage Exporter Launches the Manage Exporters interface

ndash Settings Provides a modal to provide a custom description for the device and allows forcustom In and Out speeds on the interface to be entered

ndash Update SNMP Attempts to update the details using the SNMP credentials

bull Hide Check off to remove the interface from appearing in the Status tab

bull Interface this is the SNMP instance of the interface Click on it to run the default report

bull Custom Description A custom interface name can be entered

bull ifAlias Collected via SNMP

bull ifName Collected via SNMP

13 Interface Details 19

bull ifDescr Collected via SNMP

bull ifSpeed Collected via SNMP Use the next two columns to customize the inout speeds

bull Custom (Bits) In Specify a custom inbound speed to override the default This does not do anSNMP set on the device Enter a 0 in the Custom (Bits) ifSpeed to force the Status tab to displaythe interface in bits in lieu of utilization

bull Custom (Bits) Out Specify a custom outbound speed to override the default This does not do anSNMP set on the device

bull Metering Indicates whether NetFlow is collected INGRESS EGRESS or BOTH on this interfaceTo determine which flows are being used when reporting on an interface run a report and click onthe ldquoFilters Detailsrdquo button and then click on the Exporter Details tab

Scrutinizer labels flow exporter interface names using the following logic in this order if it is available

bull Instance and Custom Name

bull Instance ifAlias and ifDescr

bull Instance ifDescr and ifName

bull Instance and ifDescr

bull Instance

This requires SNMP access to the devices that are exporting flows SNMP Enterprise MIBs may require3rd party software or customized scripts to correlate the enterprise instances to match the MIB II instances

If SNMP is not available the collector will look for an interface names option template Some vendorsexport an interface names option template using NetFlow or IPFIX This option template contains thenames of the interfaces In Cisco IOS v 124(2)T or greater the command is

Router(config) ip flow-export interface-names

SonicWALL and other vendors export a similar options template

20 1 Admin

131 SNMP

If any updates are applied to a router or switch be sure to go back to the device interface and run UpdateSNMP in the down arrow menu or wait for the daily evening update to run

Important By default the flow collector performs SNMP polls on a nightly basis on the switchesand routers it is receiving flows from This software was engineered to be a passive collection tool withminimal SNMP requirements The best way to update the SNMP information including the informationon the interfaces is to click on the ldquoUpdaterdquo button NetFlow v9 option templates can be used in place ofSNMP to gather interface names and speeds

14 Licensing

141 Overview

The Licensing page is where the license key is entered The current licensing status for local install canalso be obtained The unique Machine ID for the server is also displayed here which can be submitted toPlixer Customer Service when a license key is needed

The Licensing page contains two sections the Details and License Key sections

142 Details

Product Type ndash This field indicates the licensing levelStatus ndash Licensing status valid expired due to expireDays Left ndash Days remaining for valid licenseCustomer ID ndash Plixer generated customer identificationMachine ID ndash Unique server ID used by Plixer Customer Service to generate the license keyServer Count ndash Total number of servers that are licensed (includes both reporters and collectors)Reporter Count ndash Number of reporters that are licensed (primary and secondary)Exporter Count ndash Number of exporters that are licensedDeployed Servers ndash Number of actual serversEnabled Exporters ndash Number of actual exporters

14 Licensing 21

143 License Key

The text box in this section is where the license key received from Plixer Customer Service is placed

Example License Key

Nb4JuYhx5R1Uv60ipcnvuuEBsK2HBcZym3t3XwuVZKkFB08HfoVHQgBGDfOPmN+hebMENz+1vUuz1+vpAKg3S9C5M1rLb52HYyadaVIYWJgY8mqwsEdMPk968Bs7qFPftaQekdGn4IgCEDqnzWlUccQcTD54vnyqR9SSySH9zIxqUebDPxOUjcdt6eK9gWSHPm3

TVX2Nz1mPQagpRPXeYZFVLL593yIZwBtEmSBQDiGaAiC0MG3h4pINox0u9OWBcOdrZKQjTIUNRWF2NzMwJBfAzFxdxWUGicfyaRjNsutNmj6RB9gupmLhPzJdchgHLZg7+vj4PRSRM0n0g==

15 Report Designer

The Report Designer is used to create new reports that are not part of the core reporting solution Itcan be used against any flow template even when byte counts are not available These new report typesonly appear on devices that are exporting the necessary elements in templates The steps to design a newreport

1 Copy an existing report design or select lsquoNewrsquo

2 Enter a name for the new report design

3 Select a device that is exporting the template that is needed for the report

4 Select a template from the device After selecting a template click [Open Raw Flows] to verify thatthe element is contained in the template

5 Select an element in the template for the first column

(a) Specify the column name It is best to try and keep it short Often the name entered is similarto the Report Field name

(b) Specify the treatment

bull Average takes the average of the total (total values divided by the number of matches)

22 1 Admin

bull Count Counts the number of entries in consideration of the lsquogroup byrsquo columns

bull Count Distinct Counts the number of entries in consideration of the lsquogroup byrsquo columnsbut if a matching flow shows up more than once it is only counted once

bull Max Display the maximum value

bull Min Display the minimum value

bull Sum Adds up the values

bull Group By Group the matching values together

(c) Rate vs Total

bull Rate trend the data by rate per second Total will not be an option in the drop down boxafter the report is run

bull Total trend the data by total per interval Rate will not be an option in the drop downbox after the report is run

bull Rate (default) Total trend the data by rate per second Total is an option in the dropdown box after the report is run

bull Rate Total (default) trend the data by total per interval Rate is an option in the dropdown box after the report is run

(d) Stack or Unstacked

bull Stacked trend the data as a stacked trend Non Stacked is not an option in the drop downbox after the report is run

bull Non Stacked trend the data as an unstacked trend Stacked trend is not an option in thedrop down box after the report is run

bull Stacked (default) Non Stacked trend the data as a stacked trend Non Stacked is anoption in the drop down box after the report is run

bull Stacked Non Stacked (default) trend the data as an unstacked trend Stacked trend isan option in the drop down box after the report is run

The new report will show up in the run report menu in a category named ldquoDesigned Reportsrdquo when thetemplate(s) from the device contain the elements necessary for the report

bull The report will not work outside of one minute intervals if rollups are not being performed on thetemplate in a format that is supportive of the report created

bull The columns can be reordered Grab a row in the table with the mouse and move it up or downthen release it

15 Report Designer 23

16 Reporting

The Reporting page is accessible via Admin Tab -gt Settings This page includes system configurationoptions related to Scrutinizer reporting

Following is the list of options available in Report Settings

bull Business Hours End The end of the business day as an integer 5pm = 17

bull Business Hours Start The start of the business day as an integer 8am = 8

bull CSV include all rows Checkbox If checked all rows will be included in the csv instead of theTop X selected in the report

bull Display Others on Top Report Graphs can display the lsquoOtherrsquo traffic on top of or below the top10

bull Display raw MAC addresses in reports Checkbox When checked MAC addresses will appearin reports in raw format When unchecked it will display the first 3 bytes as the manufacturername

bull Limit All Device report results Only this many results will be returned if set to a non-zero valuewhen running all device reports

bull Max Aggregations from Data Source This value limits the number of intervals used to run areport Click here for more detailed information on this configuration option

bull Max Report Processes Each report run will use this as a maximum number of sub processes Thisbreaks reports up by time or exporters depending on which will be faster

bull Max Reports per Email The maximum number of saved reports a user is allowed to include ina scheduled email report Including too many reports in a single email can result in timeouts Thedefault is 5

bull Max Reports per Interval The maximum number of reports users are able to schedule for thesame minute The default is 5

bull Push Data Aggregation Checkbox Apply data aggregation when pushing temp tables fromcollector to reporter (Only applies to Distributed collector environments)

bull Re-use temp tables Checkbox With this option turned on reports will use existing temp tableswhen possible

bull Target graph intervals The maximum number of intervals allowed in a graph Default = 300

24 1 Admin

17 User Name Reporting Overview

171 Overview

User Name reporting (and other User Name features) requires integration with an authentication systemsuch as a Microsoft Domain Controller Most authentication systems are supported (eg Cisco ISELDAP TACACS+ Radius etc) The following sections of the User Manual provide some step-by-stephelp in configuring the integration

bull User Name Reporting - Active Directory integration

bull User Name Reporting - Cisco ISE Integration

Other devices that require authentication such as firewalls and wireless LAN controllers can also provideUser Name information to Scrutinizer

Once the User Name integration is in place the following features are available in Scrutinizer

bull User Name Reporting

bull Alarms reporting with User Name

bull Saved Flows Search by User Name

172 User Name Reporting

User Name reports are available under

bull Top reports category

ndash Reports the amount of traffic generated per user

bull Device-specific report categories (such as SonicWALL Palo Alto or Wireless reports)

bull Source Destination gt User Name by IP reports

ndash These reports display the user name(s) associated with the IP Address during the report timeframe

With the User Name reports network usage per user can be monitored Alerting on a userrsquos traffic volumeor type of traffic can occur if set thresholds have been violated

17 User Name Reporting Overview 25

173 Alarms reporting with User Name

Alarms can be associated with the user name of the user that has triggered them helping to reduce theMTTR (Mean Time to Resolution) for network issues by highlighting who was responsible for the alarm

174 Saved Flows Search by User Name

If itrsquos a specific user that requires investigation andor monitoring finding that users traffic is quick andeasy with the Search Tool on the Status page using either ldquoUser as Sourcerdquo or ldquoUser as Destinationrdquo asthe search field

18 User Name Reporting - Active Directory Integration

181 Upgrade Scrutinizer

First itrsquos recommended to upgrade to the latest version of Scrutinizer Please contact Plixer support at207-324-8805 x4 for assistance

182 Configure a non-admin user to query the Domain Controller EventLogs in Windows 2008 or 2012

1 Create a domain user for IPFIXify to use

(a) Add the IPFIXify user to the ldquoEvent Log Readersrdquo Built-in group

26 1 Admin

2 Provide WMI Permissions

(a) Login to the Domain Controller as an administrator

(b) Go to ldquoStart -gt Runrdquo

(c) Type ldquowmimgmtmscrdquo

18 User Name Reporting - Active Directory Integration 27

(d) Right click on ldquoWMI Control (Local)rdquo and select ldquoPropertiesrdquo

(e) Go to the ldquoSecurityrdquo tab click on ldquoRootrdquo and then select ldquoSecurityrdquo

28 1 Admin

(f) In the next popup select ldquoAdvancedrdquo

(g) Press ldquoAdd rdquo and then enter the ipfixify user

(h) Under the ldquoApply tordquo section make sure it is configured for ldquoThis namespace and subnames-pacesrdquo

(i) Give the user ldquoEnable Accountrdquo and ldquoRemote Enablerdquo Allow privileges Apply these changesby pressing OK in each of the popup windows

30 1 Admin

183 Enable LogonLogoff Audit Policies on the domain controller

1 Modify the default domain policy for domain controllers and enable the following group policies

(a) Expand Computer Configuration -gt Policies -gt Windows Settings -gt Security Settings -gtAdvanced Audit Policy Configuration -gt Audit Policies -gt LogonLogoff and then enablesuccess and failure for ldquoAudit Logoffrdquo and ldquoAudit Logonrdquo

(b) The advanced audit policies require that another group policy override setting is enabled un-der Computer Configuration -gt Policies -gt Windows Settings -gt Local Policies -gt SecurityOptions -gt Audit Force audit policy subcategory settings -gt Define this policy setting and setto Enable

32 1 Admin

184 Setup IPFIXify on a Windows computer

1 Move homeplixerscrutinizerfilesconfipfixify-templatecfg to Cipfixify on a Windows com-puter that will run IPFIXify and also download the Windows IPFIXify executable to this Windowscomputer

2 Rename ipfixify-templatecfg to ipfixifycfg open the file in a text editor and then edit the followinglines

bull collector=NetFlowIPport

ndash Enter the NetFlow collectorrsquos IP and port

bull member=DCip

ndash Enter the IP address of the domain controller For each additional domain controller addanother member line

bull usernamesOnly=yes

ndash Set this value to yes if the goal is to collect username data

3 Configure the IPFIXify user credentials

(a) Open a command prompt and navigate to the directory that contains ipfixifyexe

(b) Run the following command and enter the ipfixify user and password ipfixifyexe--credentials ipfixifycfg

4 Download PSToolszip and move PsExecexe to the same directory as ipfixifyexe and ipfixifycfg

(a) PSToolszip download httpstechnetmicrosoftcomen-ussysinternalsbb897553

34 1 Admin

(b) Before PsExecexe will function the user must accept the agreement by doing the following

i Hold down shift and then right click on PsExec In the menu select ldquoRun as differentuserrdquo

ii Type in the IPFIXify user and password and press enter

A If the user does not have access to the directory that PsExecexe is in this will failThe ipfixify user must be granted access to the directory that PsExecexe and ipfix-ifyexe are in

iii Agree to the PsExec EULA

5 From an Administrative command prompt run the following command to verify that IPFIXify hasall the permissions to poll the domain controller (screenshot below)

ipfixifyexe --sysmetrics --config ldquoCipfixifyipfixifycfgrdquo-psexec=ldquoCipfixifyPsExecexerdquo -permtest IPofDC

36 1 Admin

6 If all the tests passed it is time to set up IPFIXify to run as a service In an administrative commandprompt execute the following command

ipfixifyexe --install auto --name Scrutinizer UsernameCollection --config Cipfixifyipfixifycfg --sysmetrics--psexec=CipfixifyPsExecexe

7 Lastly the IPFIXify service has to be configured to log on as the IPFIXify user

(a) Go to Start -gt Run -gt and type ldquoservicesmscrdquo

(b) Find the service named ldquoIPFIXIfy Scrutinizer Username Collectionrdquo right click on it andselect ldquoPropertiesrdquo

(c) Click the ldquoLog Onrdquo tab select ldquoThis accountrdquo enter in the IPFIXify user and password andthen select ldquoApplyrdquo

38 1 Admin

(d) When OK is clicked a popup appears that displays ldquothe user has been granted the log on asa service rightrdquo it means that the user will not maintain the log on as a service permissionacross reboots Permission can be granted as outlined in this Microsoft document httpstechnetmicrosoftcomen-uslibrarycc794944(v=ws10)aspx

8 Wait a few minutes and then start checking user names in Scrutinizer

Example IPFIXify Config

[options] The IP AddressHostname and port of the IPFIX Collector(s) multiple collectors can be specified on additional lines collector=IPPORT (eg 1014194739)collector=10141884739 When accessing remote machines use the supplied credentials this is encoded So execute the following command to manage it ipfixifyexe --credentials=ltPATHTOCFGgtcredentials=6e6ff0a30ff3d13d0f9a38a753f52f44283f9a7dfd928511dbaf2f7af1446e57981dc4628c038553 Number of minutes between ping and WMI test of all members The default is 60 minutestestinterval=5rarr˓ The number of seconds to try and ping a host during the process of verifying a member is reachable If 0 is used then the ping test is ignoredpingtimeout=2 The number of threads to gather data from the members who respondedrarr˓ If there is only a small list of members then this can be a small number (egrarr˓ 1 - 3) The more threads used the more memory will be consumed by IPFIXifypollthreads=5 If vitals is a true value then CPU Memoryrarr˓ and Number of processes running data is collected To disable these statistics comment out the following linevitals=yes If storageAvailability is a true valuerarr˓ then disk availability is collected To disable these statistics comment out the following linestorageAvailability=yes If eventlogs is a true value then System Security and Application Eventlogs are collected To disable these statistics comment out the following lineeventlogs=yes usernamesOnly is used in conjunction with the eventlogs optionrarr˓ If username integration with Scrutinizer is the only goal then this line should berarr˓un-commentedusernamesOnly=yes If processLists is a true valuerarr˓ then running processes data is collected To disable these statistics comment out the following lineprocessLists = yes If processListCPU is a true valuerarr˓ then CPU per process data is collected

(continues on next page)

40 1 Admin

(continued from previous page)

To disable these statistics comment out the following lineprocessListsCPU = yes If netstatDetails is a true value then netstat details are collected To disable these statistics comment out the following linenetstatDetails = yes The list below contains the current hosts being polled by the IPFIXify Agent One host or IP Address per line It is recommended to use IP Addresses in case there are DNS issuesmember=10151member=10152

19 User Name Reporting - Cisco ISE Integration

191 Overview

User Name Reporting options for Cisco ISE include lists of user names available at StatusgtVendor Spe-cificgtCisco ISE ability to search across all flows for user names and also a Cisco ISE option in the Othermenu in reports to see which user has generated specific traffic

192 Enable ERS

The first part of Cisco ISE integration for User Name Reporting is to enable ERS (External RESTfulServices) on the Cisco ISE appliance

Supported versions of Cisco ISE are ISE 12 13 14 20 and 21

1 On the Cisco ISE server create a new user with the following permissions

bull ERS Admin

bull ERS Operator

bull Super Admin

bull System Admin

19 User Name Reporting - Cisco ISE Integration 41

2 To learn more about enabling ERS on Cisco ISE version 12 13 14 20 or 21 visit this page onCiscorsquos web site

3 To test the configuration external to Scrutinizer use POSTMAN to do a GET Request

(a) Making a GET Request Using POSTMAN-

(b) Use this URL for the test - https[ISE_SERVER]isemntSessionAuthListnullnull

Tip When using POSTMAN first navigate to the server with your browser tell Chrome it is OK to usea bad certificate and leave that window open

193 Configure Cisco ISE Integration in Scrutinizer

The initial configuration on the Scrutinizer server can be performed from within Interactive scrut_utilwith just one command

Login to the Scrutinizer server with administrative permissions and run the following command to openthe Interactive scrut_util prompt

homeplixerscrutinizerbinscrut_utilexe

Then at the SCRUTINIZERgt prompt enter

SCRUTINIZERgt ciscoise add ltise_ipgt ltise_tcp_portgt ltise_usergt

This command adds a CiscoISE node to the queue to acquire user identity on all active sessions

The required parameters are the host address ltise_ipgt tcp port ltise_tcp_portgt and user ltise_usergt thatcan access the API (the new user created in step 1 of Enable ERS)

Scrutinizer will prompt the user for the ltise_usergt password

42 1 Admin

194 Other scrut_util options for CiscoISE

ciscoise check Tests polling and outputs the results to the screen for review

ciscoise kick ltise_idgt [ltmac_addressgt] ltuser_ipgt Kicks the user off the ISE node forcing them to re-authenticate Minimally the userrsquos IP address is required Optionally the ltmac_addressgt can beprovided

ciscoise nodelist Lists the currently configured CiscoISE nodes

ciscoise poll Runs a poll manually and outputs the results to the screen

ciscoise remove ltise_ipgt Removes a CiscoISE node from Scrutinizer The required parameter ltise_ipgtis the IP address of the CiscoISE node

ciscoise update ltise_ipgt ltise_tcp_portgt ltise_usergt Updates existing configuration settings for a spe-cific CiscoISE node The required parameters are the host address ltise_ipgt tcp portltise_tcp_portgt and user ltise_usergt that can access the API

Note For further information on CiscoISE scrut_util commands see the Interactive scrut_util section

44 1 Admin

CHAPTER 2

Alarms

21 Overview

211 Bulletin Boards

As messages come in they are processed against the list of policies in the Policy Manager If the messageviolates a policy it can be saved to the history table and may also end up being posted to a Bulletin BoardThe Bulletin Boards are used to organize alarms into categories Each policy is associated with a BulletinBoard view There are 4 primary menus in the Alarms tab

bull Views Menu Provides options to view some of the more popular reports available in the Alarmstab Learn More

bull Configuration Menu Provides access to the utilities responsibile for most of the functionality inthe Alarms tab Learn More

bull Reports Menu Run reports to determine how well the algorithms are performing over time andhow frequently the policies are being triggered Learn More

bull Gear Menu Configure global settings for the Alarms tab Learn More

212 Heat Maps

A Heat Map is a graphical representation of the corresponding Bulletin Board table Objects appearingin the Heat Map high and to the right are the hosts or policies that often need immediate attention Thisis because those objects have the most violators and the most violations combined For more detailedinformation on Bulletin Boards and Heat Maps go to Alarms Views

213 Threat Index

The Threat Index (TI) is a single value comprised of events with different weights that age out over timeBecause any one event could be a false positive the TI gives the administrator the option of letting thesummation events possibly trigger a notification when a configurable threshold is breached

For example if a device on the local network reaches out to the Internet to a host with a reputation ofbeing part of a botnet does that mean it is somehow infected It could but probably not What if thesame local PC also receives a few ICMP redirects from the router supporting the subnet Now can it bediscerned that there is an infection that needs to be addressed Again probably not but suspicions arerising More information can be found on the Threat Index page

214 Alarming on Interface Percent Violation

This is a global setting used to trigger events for excessive traffic on any individual interface from thedevices sending flows to the collector To set this alarm perform the following steps

1 Go to Admin gtgt Settings gtgt Alarm Notifications From here check ldquoThreshold Violationsrdquo

2 Go to Admin gtgt Settings gtgt System Preferences Make sure a ldquoThreshold - Utilizationrdquo percenthas been entered The default is lsquo90rsquo percent

If both the ldquoThreshold Violationsrdquo and the ldquoThreshold - Utilizationrdquo options are set then alarms will besent to the Alarms tab once a violation occurs The alarm violations can be seen in the alarms tab underthe Policy ldquoScrutinizer Interface Exceeded Thresholdrdquo From there the user can assign any notificationdesired to the Policy

46 2 Alarms

22 Gear Menu

221 Options

bull Show X Entries Adjust the number of results shown in the Bulletin Board (10 25 50 100 200300 or 400)

bull Refresh This View Set the auto refresh interval

bull Make this view the default for my profile Every time the user visits the Alarm tab this view willbe the default

bull Refresh Button Refresh the Bulletin Board for the most up to date information

bull IPDNS Display IP addresses or DNS (Host Names)

23 Configuration Menu

231 Alarm Notifications

Check off the entries that the Scrutinizer administrator would like to trigger events for Events are postedas policy violations in the Alarms tab

232 Alarm Settings

Optimize how notifications are triggered depending on the unique environment Call support for assis-tance

233 Create New Board

In the upper left hand corner a bulletin board can be selected Algorithms trigger policies which post to abulletin board This feature allows the user to create or delete new bulletin boards To modify the bulletinboard that a policy posts to visit Admin tab gt Definitions gt Policy Manager and edit the correspondingpolicy

Note Bulletin boards can have permissions assigned to them More details regarding the permissionscan be read about under Usergroup Permissions

22 Gear Menu 47

234 Flow Analytics Configuration

The overall status of all algorithms and the total runtime and count of violations across all algorithmsFor more information on Flow Analytics Configuration please go to FA Configuration and AlgorithmActivation Strategy

235 Flow Analytics Settings

Brings the user to Admin gtgt Settings gtgt Flow Analytics Settings

236 IP Groups

IP address(es) can be excluded from violating selected algorithms Individual IP addresses entire subnetsor ranges of IPs can be specified A Child can also be excluded which is a group of IP addresses

237 Notification Manager

Set up notifications which can be triggered by policy violiations

238 Policy Manager

This option brings the user to Admin tab gtgt Definitions gtgt Policy Manager This feature lists all of thepolicies that can be triggered by events Events are passed through the policies and matches occur basedon content in the Message Source Address or Syslog Alert Level A policy can be configured to do oneof three things with an alarm

bull Post it to a Bulletin Board (Alarms posted to a Bulletin Board will also be stored in history)

bull Only store in history for reporting

bull Delete the alarm (It is not available in any way)

Policies also determine if a notification should be processed for an alarm by associating alarm messageswith a notification profile The Policy Manager table displays

48 2 Alarms

bull Priority The Scrutinizer alarm policy engine compares each alarm against the defined policy listThe order they are checked is based on this priority field

bull Check Box used to select one multiple or all policies to delete

bull Name Name of the policy

bull Action Violations can be posted to a Bulletin Board stored to history only for future reporting ordeleted

bull Hits The number of times the policy has been violated since counters were last reset

bull Last Violation Date and time of the most recent violation

bull Notification Type of notification

bull Creation Info Date Time and Username that created the policy

Learn more about editing policies

239 Syslog Server

Modify the settings for the syslog server

24 Views Menu

241 Bulletin Board by Policy

In the Bulletin Board by Policy view the alarms are grouped by policy violated The Heat Map in theBulletin Board by Policy view displays the policies (eg threat algorithms) that are violated Y axis =count X axis = unique hosts The Bulletin Board by Policy Table displays

bull Policy - Policies are used to match messages that will be saved to the history table Click on aPolicy name to see all of the messages that violated the Policy from all hosts

bull Board Name - Policy categories

bull Violations ndash The number of times a policy has been violated With Flow Analytics alarm aggrega-tion one violation may consist of multiple events

24 Views Menu 49

bull Events - The number of events triggered by the algorithm

bull TI (Threat Index) - This is the default sort by table The threat index is a function of a policiesviolation count and the policies threat multiplier The higher the TI the greater the chance thesepolicy violations are a security threat TI = violations threat multiplier Click here to learn moreabout the threat index

bull HI (Host Index) ndash The number of unique secondary IPs associated with a policy Some algorithmshave two IPs associated with the violation For example Network transports If two hosts are seenusing an unsanctioned transport the source becomes the violator and the destination becomes thehost If there is one violator and an HI of six a single host was communicating with six other hosts

bull Violators ndash The number of unique IPs that violated this policy

bull First Event - Date and Time of the first violation

bull Last Event - Date and Time of the last (most recent) violation

bull Last Notification - Notification methods include Email Logfile Syslog SNMP Trap Script andAuto Acknowledge

242 Bulletin Board by Violator

In the Bulletin Board by Violator view the alarms are grouped by violating IP address The Heat Map inthe Bulletin Board by Policy view displays the hosts that are violating policies Y axis = count X axis= unique policies The Bulletin Board by Violator Table introduces a few new columns that were notoutlined above

bull Country Group ndash If an IP is a public address we determine the IPs country If it is not a publicaddress we check to see if it is in a defined IP Group

bull Users ndash User is determined based on violator address The lookup requires eventlog collection beconfigured See Username Reporting for details

bull Violator Address - The IP andor DNS associated with the violator Click on a Violator address tosee all of the alarm events generated by that address

bull Other columns - described above

50 2 Alarms

243 Notification Queue

The Notification Queue lists the last 24 hours of notifications that were sent or that currently in queue andwaiting for execution The Notification Queue Table displays

bull Violator Address - the IP andor DNS associated with the violator

bull Policy - The associated Policy

bull Notification - The name of the notification sent

bull Alert Type - The type of notification sent (see Notication Profile for available options)

bull Status ndash Whether the notification has been sent If it is set to finished it has been processed If it isset to available it is waiting to be processed

bull Notes ndash Additional details if available

bull Time Stamp - Date and Time of the notification

bull Rate or Threshold Once a notification is added specify whether it should be triggered on by rateor threshold

ndash Rate X alarms within Y minutes need to be seen to trigger a notification

ndash Threshold Once there are X violations for this alarm on a BB the notification will be sentAcknowledging off the BB resets this

bull Device Specific determines whether the notification thresholds are for all policy violators or arehandled per violating address For example with device specific selected IP address 1111 andIP address 2222 would each need to breach the threshold for a notification to be sent Withoutdevice specific set the combined alarms from those IPs would count against the threshold

bull First or Each There is also an option to decide whether a notification should be ldquofirstrdquo or ldquoeachrdquo

ndash First means once the threshold is breached and the notification is sent another notificationwill not be sent until the alarms are acknowledged off the BB

ndash Each means a notification will be triggered each time the rate or threshold is met

24 Views Menu 51

244 Orphans

The Orphans view lists messages that did not violate policies From this view new policies can be createdto organize alarms The Orphan Table displays

bull Source Address - the IP andor DNS associated with the message source

bull Log Level - The severity and facility of the original syslog

bull Create Policy - Click here to attach a policy to the orphaned message

bull Message - The orphaned message itself

245 Policy Violation Overview

This view lists the threats detected by Flow Analytics It includes the Policies and the correspondingviolations that occured in the specified time frame The Policy Violation Table displays

bull Policy Name - The associated policy name

bull Last 5 Min - Number of violations in the last 5 minutes

bull Last Hour - Number of violations in the last hour

bull All - Number of total violations for the associated policy

bull Totals - Located at the bottom of the table it provides the totals for the three previous columnsacross all violated policies Learn more about editing policies

25 Bulletin Board Events

251 Overview

The Bulletin Board Events view provides detailed information of the selected alarm events and is usefulfor isolating specific events andor violators of alarm events

The Bulletin Board Events view is accessible by clicking on a policy in the Bulletin Boards by Policyview or a violator in the Bulletin Boards by Violator view

Filters can be applied to most columns in this view and the list of events can also be sorted on thosecolumns Additional actions are included in the Action menu to use against specific alarm events

52 2 Alarms

252 Available Information

The columns available in this view are

Action - A dropdown menu of available actions per event is provided in this column Actions availablemay include excluding the various ip addresses from the Flow Analytics algorithm view the raw flowsfor the alarm view all alarms for the violator address and several ip address lookup options (GEO IPGoogle HTTP etc)

Checkbox - Check this box to acknowledge specific events or check the box in the header row to selectall events for acknowledgment

The remaining columns are all both sortable and searchable

Violator Address - IP address that triggered the alarm event

Host - IP address that the Violator Address was communicating with to trigger the alarm event

Users - Displays the user(s) associated with the violator address while the alarm is active

Alarm Time - The time the alarm occurred or the time the alarm was first issued in the case of aggregatedalarms

Recent Activity - The most recent time an alarm was observed for an aggregated alarm This will displayldquoNArdquo for a single alarm incident

Duration - Displays the time an aggregated alarm has been active This is the difference between theRecent Activity time and the Alarm Time This will display ldquoNArdquo for a single alarm incident

Events - Displays the number of individual five minute periods an aggregated alarm has been activewithout a break in activity longer than the ldquoAggregated Alarm Timeoutrdquo

Board Name - The name of the Bulletin Board that this event is posted to

Message - This column provides the full message text of each alarm event

26 Reports Menu

Since all of the violations are saved into the database reports can be run on them to determine how theyare performing The product ships with the sample reports outlined below

26 Reports Menu 53

261 Options

bull Policies Violated This report trends the algorithms violated by violations over the last 24 hours

bull Threats This report tends the Policies violated by violations over the last 24 hours Columnsinclude the number of violators and the number of Destinations per Policy

bull Threat Index This report trends the top hosts with the highest threat index over the last 24 hours

27 Edit Policy

271 Overview

The Edit Policy interface is used to create a new or modify an existing policy Policies are used to matchon events that can be saved to the history table and viewed in the Alarms tab Algorithms for examplecan create events which trigger a policy

Note Some policies are read-only and cannot be edited because they are predefined to support specificalgorithms that monitor flows or specific events

272 Policy Fields

bull Policy Name Name displayed in the Bulletin Board

bull Active This is a check box that is used to determine whether or not the Policy should be active

273 Filters

bull Message Filter The text in the body of the message

bull IP Address Filter The host the message came from

bull Alert Level Filter Can be a combination of two fields ldquofacilityrdquo and ldquoseverityrdquo

ndash Facility includes kern user mail daemon auth syslog lpr news uucp cron authpriv ftpunknown local0 7

ndash Severity (Priority) includes emerg alert crit err warning notice info debug

bull Exclude IPs IP addresses to exclude from this policy

bull Include IP Range Hosts that this policy will apply to

bull Notes Information saved with the policy to help administrators remember its useful purpose

54 2 Alarms

274 Logic

bull Match (Default) Allows for matching on text with Logical And amp Or expressions This is themost common

bull Regex (Advanced) Requires advanced instruction A regular expression is a powerful way ofspecifying a pattern for a complex search

The SQL database uses Henry Spencerrsquos implementation of regular expressions which is aimedat conformance with POSIX 10032 The database uses the extended version to support pattern-matching operations performed with the REGEXP operator in SQL statements

The following does not contain all the details that can be found in Henry Spencerrsquos regex(7) manualpage That manual page is included in some source distributions in the regex7 file under the regexdirectory In short a regular expression describes a set of strings The simplest regular expressionis one that has no special characters in it For example the regular expression lsquohellorsquo matches helloand nothing else

Non-trivial regular expressions use certain special constructs enabling them to match more than onestring For example the regular expression ldquohello|wordrdquo matches either the string hello or the stringword As a more complex example the regular expression ldquoB[an]srdquo matches any of the stringsBananas Baaaaas Bs and any other string starting with a B ending with an s For more referenceson Regular Expressions visit the following internet pages

ndash Regexp

ndash Pattern Matching

ndash String Comparison Functions

275 Select Action

bull Bulletin Board Select and view the foreground and background colors

bull History When the policy is matched should a message be

ndash Posted to Bulletin Board and saved to history for later reporting

ndash Stored to history for later reporting but not posted to the Bulletin Board

ndash Deleted immediately with no history on the message

ndash Save to same order in Policy List Save with the current policy priority (Default)

ndash Save to bottom of Policy list Saves to the bottom of the policy list and will be checked for amatch last

ndash Save to top of Policy list Saves to the top of the policy list and will be checked for a matchfirst

ndash Threat Multiplier Enter the value the Threat Index increases by for each violation

27 Edit Policy 55

276 Notifications

Allows the user to select an action for a policy See Notification Profiles to add values to the list Select aNotification Profile or create a new one

bull Trigger

ndash Threshold Trigger This is used to notify when the amount of events exceeds the thresholdRemember it could take 10 minutes or greater than 10 months until the threshold is reached

ndash Rate Trigger This is used to prevent notification for an event until it happens X times in Yminutes

ndash Device Specific This is checked off when the events coming in must be from the same hostin order to trigger the threshold violation alarm

bull Process Notification for

ndash First Violation Notify once for the threshold violation and donrsquot repeat unless the messageis cleared from the bulletin board

ndash Each Violation Notify every time the threshold is breached

28 Notification Profile

281 Overview

Notification Profiles can be created once and applied to multiple policies or to objects in the maps thatare being polled Notification methods include Email Logfile Syslog SNMPTrap Script and AutoAcknowledge Enter the necessary data and select additional details from the ldquoAvailable Variables forMessagerdquo list to ensure the desired information is included in the alert Specify the number of minutes towait on triggering the selected action in ldquoMinutes Triggerrdquo (0 is the default)

If multiple notification alerts are added to the same Notification Profile the order of notification can bere-ordered by entering lower or higher numbers to the left of each notification and clicking the ldquoRe-orderAlertsrdquo button

56 2 Alarms

282 Alerts

bull Email send an email alert

ndash Enter the email address the alert is destined for in the ldquoTordquo field

Note An email server must be configured in Scrutinizer for these alerts to function If the email serverhas not yet been configured in Scrutinizer click the ldquoConfigurerdquo button to set that up

bull Logfile add alert message to a file

ndash Enter log file name with the absolute file path of

homeplixerscrutinizerfileslogslogfile_nametxt

Note Log files must be placed at this location

bull Syslog send syslog alert to Host address

Required fields are

ndash Host Target server address

ndash UDP Port Target server port (default 514)

ndash Priority

ndash Facility

bull SnmpTrap send snmptrap alert to Host address

Required fields are

ndash Host Target server

ndash Community String

ndash UDP Port

ndash Enterprise OID

28 Notification Profile 57

ndash Generic ID

ndash Specific ID

ndash Binding OID

ndash From Host

bull Script trigger action defined in Script

Required fields are

ndash Script homeplixerscrutinizerfilesalert_scriptsh

ndash Note Script must be placed in this folder and absolute path must be included in theScript field

ndash Command-line Arguments Variables to include in the script from the AvailableVariables list below

bull Auto Acknowledge automatically acknowledge policy alarms

ndash Policy To Acknowledge select target policy from dropdown list

283 Available Variables for Message

m Messagev Violator Addressh Hostp Protocolpol Policy Violatednotes Policy Notesid Alarm ID

Learn more about editing policies and assigning notifications to them

58 2 Alarms

29 Threat Index

The Threat Index (TI) is a single value comprised of events with different weights that age out over timeBecause any one event could be a false positive the TI gives the administrator the option of letting thesummation of events trigger a notification when a configurable threshold is breached

For example If a device on the local network reaches out to the Internet to a host with a reputation ofbeing part of a botnet does that mean it is somehow infected It could but probably not What if thesame local PC also receives a few ICMP redirects from the router supporting the subnet Now can it bediscerned that there is an infection that needs to be addressed Again probably not but suspicions arerising and the Threat Index is climbing

In the practice of threat detection reacting to any single odd behavior often leads to tail chasing becauseoften times normal communications can lead to an occasional odd connection that triggers an event TheThreat Index reduces this problem Also different algorithms that increase the Threat Index have differentmultiplier weights as they are considered more suspicious behaviors Modify the TI weight by editing thePolicy

The idea behind the threat index is that they rise for an individual host each time it participates in abehavior that is suspicious Depending on the type of behavior (eg scanning the network) the event mayincrease the TI by a higher value than others (eg receiving an ICMP redirect) If the Threat Index of ahost hits a threshold (eg 100) a notification can be triggered Keep in mind that the index is a movingvalue because individual events age out over time For this reason an IP address must reach the ThreatIndex threshold within a configurable window of say 14 days because the same events that increased thecounter are also aging out and as a result the individual TI will go up and down over time

29 Threat Index 59

60 2 Alarms

CHAPTER 3

Baselining

31 Baselining Overview

Baselining is analyzing the performance of the network by comparing current performance to historicaldata (also known as the ldquobaselinerdquo) For example when measuring the current traffic from an interfacealerts will be sent if any traffic exceeds the baseline Scrutinizer can be configured to baseline any NetFlowor IPFIX element and alert By default there are several baselines enabled and configured to collect datawhenever a new exporter is added to Scrutinizer

bull ingressInterface and octetDeltaCount

bull ingressInterface and packetDeltaCount

bull egressInterface and octetDeltaCount

bull egressInterface and packetDeltaCount

bull applicationTag (NBAR) and octetDeltaCount

bull applicationTag (NBAR) and packetDeltaCount

Using the Interactive scrut_utilexe command baselining behavior can be modified whenever that baselineexceeds a higher than normal traffic pattern

311 How Baselining Works

Once an hour Scrutinizer will analyze historical data and tally network performance of the configuredelements for baselining Exporters that do not have the specified baseline elements in any of the templatesexported are skipped Once the data for recent data is calculated it is compared against the historicalbaseline Alerts will be sent if one of the following occur

bull (BLACK) There is no historical baseline

bull (RED) recent data exceeds the maximum value of any historical baseline value

bull (ORANGE) recent data exceeds two standard deviations over the average baseline

bull (YELLOW) recent data exceeds one standard deviation over the average baseline

No alert is generated if the recent data exceeds the average baseline but is less than one standard devia-tion over the average baseline Baselining will collect data for two weeks (by default) before alerts aregenerated

Lastly a weighted average (by default 100 of the value) is applied to the most recent baselining dataand stored to compare against the next baseline collection cycle The weighted average can be modifiedto allow new data to have a more or less significant role when comparing future baseline values

312 Baselining Hosts

Scrutinizer has the ability to baseline hosts that are specified in IP Groups (eg 1921681024) Morethan one IP range can be specified For more information see the section in the manual on how toconfigure IP Groups

313 EnablingDisabling Baseline Globally

Using the Flow Analytics Configuration Manager (Admin Tab -gt Settings -gt FA Configuration) Baselin-ing can be globally enabled or disabled

Note Baselining is disabled by default

62 3 Baselining

314 Using the Interactive scrut_utilexe utility for Configuring Baselines

To enable the interactive scrut_utilexe utility run

Which will open this Scrutinizer prompt

SCRUTINIZERgt

For more information on using this utility reference the Interactive Scrut_util section

315 AddingRemoving default Baselines to an Exporter

Using the following Interactive scrut_utilexe command default baselines can be added or removed froma specified exporter

Warning These commands will alter the behavior of Scrutinizer baseline functionality Please usewith caution

Adding enable baseline ltexporter_ipgt default

Removing disable baseline ltexporter_ipgt

316 Adding Custom Baselines

Every install is unique Before deploying additional baselines contact Plixer Technical Support to assistin planning sizing and deploying baselines in Scrutinizer

Using the following Interactive scrut_utilexe command custom (manual) baselines can be added to aspecified exporter

Warning This command will alter the behavior of Scrutinizer baseline functionality Please usewith caution

31 Baselining Overview 63

This lsquoenable baselinersquo command enables custom baselines (manual) based on elements from NetFlow andIPFIX templates

Baselining has several parameters available to customize the specific baseline data to collect with thelsquomanualrsquo option

bull Replace ltexporter_ipgt with the exporter to collect the specified baseline data

bull ltpri_elementgt and (optionally ltsec_elementgt) specify which IPFIX elements will be part of thisbaseline This is how the data is grouped and calculated

bull ltelementgt must be an IPFIX element with a numeric value that the ltpri_elementgt andorltsec_elementgt will be baselined on

ndash For example To collect data on source addresses and bytes the ltpri_elementgt would besourceipv4address and the ltelementgt would be octetdeltacount

ndash Another example To collect data off multiple elements such as source address and applica-tiontag based on packets the ltpri_elementgt would be sourceipv4address the ltsec_elementgtwould be applicationtag and the ltelementgt would be packetdeltacount

ndash To find the numeric values for IPFIX elements in Scrutinizer go to Status gt System gt Tem-plates Drill in on the Plixer ID to see all details regarding the elements in that template

bull ltAVG|COUNT|MIN|MAX|STD|SUMgt are options that are used to calculate how to measure theltelementgt

ndash AVG = Average

ndash COUNT = Flow Count

ndash MIN = Minimum Value

ndash MAX = Maximum value

ndash STD = Standard Deviation

ndash SUM = Sum

bull Lastly there are several ways baselines can be compared

ndash dailyhr = same time frame (eg 1a - 2a) for each day

ndash busday = same time frame (eg 1a - 2a) for each business day skipping weekends

ndash sameday = same day and time each week (eg 1a - 2a Mondays)

When baselining ip addresses IP Groups must be configured with the ranges and subnets of addresses toinclude in the baseline This protects the user from baselining addresses that may talk once and thereforeeventually alarm as a false positive

The baseline learning process takes 7 days by default

64 3 Baselining

317 Reset Baselines to Defaults

Using the following Interactive scrut_utilexe command custom (manual) baselines can be reset to thedefault baselines for each exporter Historical data will not be deleted However it will expire off basedon Scrutinizerrsquos historical settings

clean baseline

Warning This command will purge data from Scrutinizer Please use with caution

318 Monitoring Baseline Processing

Use the following Interactive scrut_utilexe command to get the Task ID for the baseline task (to be usedin the lsquocheck taskrsquo command below)

show task baseline

Displays information regarding the baseline task

Example

SCRUTINIZERgt show task baseline

Done (0010545 seconds)

The lsquocheck taskrsquo command provides information on the baseline task processing

check task ltidgt

Checks the execution times and error codes for the baseline task The task id is available by using theshow task baseline command

Example

SCRUTINIZERgt check task 224

+---------------------+----------+------------+----------------------------rarr˓------------------+| START_TIME | RUN_TIME | RETURN_VAL | INFO_STRrarr˓ |+---------------------+----------+------------+----------------------------rarr˓------------------+| 2018-01-23 131000 | 764 | 0 | baseline scrut_utilexe -rarr˓-collect baseline || 2018-01-23 121000 | 875 | 0 | baseline scrut_utilexe -rarr˓-collect baseline || 2018-01-23 111000 | 2018 | 0 | baseline scrut_utilexe -rarr˓-collect baseline || 2018-01-23 101000 | 691 | 0 | baseline scrut_utilexe -rarr˓-collect baseline || 2018-01-23 091000 | 752 | 0 | baseline scrut_utilexe -rarr˓-collect baseline || 2018-01-23 081000 | 637 | 0 | baseline scrut_utilexe -rarr˓-collect baseline |

bull RUN_TIME indicates how long the baselining task has run It should complete in a few seconds

bull RETURN_VAL indicates if any error code was returned It should be 0 Anything else somethingis wrong and Plixer Technical Support should be contacted for assistance

319 Baseline Reports

To monitor the progress of the baselining function baseline reports are available on the collectorrsquos ex-porter These reports are accessible by following these steps

1 In the Status tab under Device Explorer filter on lsquoScrutinizerrsquo

2 Click on lsquoScrutinizerrsquo

3 Then click on lsquoReportsrsquo

4 Then click on lsquoBaselinesrsquo

5 This will provide a list of available auto-created Baseline reports on your server

bull Select a report to view

bull These reports will show if Baselining is working as configured

66 3 Baselining

CHAPTER 4

Dashboards

41 Dashboard Overview

411 Welcome to Dashboards

Highlights

Dashboards are used to create custom views of precisely what the user or group of users wants to seewhen they login Multiple unique dashboards can be created

bull With the right permissions these dashboards are customizable per login account

bull All dashboards created by any user in a usergroup are available to other users in the same usergroupThe default is read-only access

bull Each dashboard can be manipulated and shared with others

bull The Read-only permission (check box) is used to grant others the ability to manipulate a shareddashboard

412 Menus

In the upper left-hand corner of the dashboard there are three drop down menus

1 Gear with down arrow

bull If the user has permission this option can be used to change the dashboard name

bull Set the default dashboard when the Dashboard tab is clicked

bull If the user has permission the user can make a dashboard ldquoRead-Onlyrdquo to others whom willbe viewing the same dashboard Leaving unchecked allows them to change the dashboardwhich includes rearranging as well as adding and removing gadgets

bull The user with ownership of the dashboard is also displayed with the dash-board ID The dashboard ID can be accessed directly through a URLhttpsltservergtdashboardidltdashboard_idgt

bull A user wanting to modify a dashboard that doesnrsquot have permission can copy the dashboardand make changes to the copy Copying a dashboard requires permission as well

2 Dashboard name

bull Use this menu to select the desired dashboard to view

bull The default dashboard is displayed at the top of this menu

bull A lsquorsquo after the dashboard name indicates that it is read-only

3 Configuration

bull Add a New Gadget When viewing a dashboard this option can be used to addadditional gadgets

ndash Select the category of gadgets in the drop down box at the top

ndash To add gadgets click on them

Note To add gadgets to a dashboard one of the following is required 1) The user mustbe the creator of the dashboard 2) The creator of the dashboard must have uncheckedldquoRead-Onlyrdquo in the gear menu or 3) the user must be a ldquoDashboard Administratorrdquo forthe user group Permission can be granted under the Admin Tab gt Security gt UserGroups Select a user group and then click on Settings Check off Dashboard Admin

68 4 Dashboards

bull Copy this Dashboard Use this option to make a copy of the dashboard which canthen be modified by the user This requires either the ldquoCreate New Dashboardsrdquo orldquoDashboard Adminrdquo permission

bull Create New Dashboard If the user belongs to a usergroup that has permissions thisoption can be used to create a new dashboard This requires either the ldquoCreate NewDashboardsrdquo or ldquoDashboard Adminrdquo permission

ndash Use the filter on the left to find the desired gadgets

ndash Use the drop down box below the filter to select a category of gadgets

ndash To add gadgets highlight them in the ldquoGadgets Availablerdquo box and drag themto the ldquoGadgets Addedrdquo box

ndash Use the shift and CTRL keys to select multiple gadgets at once

ndash Uncheck ldquoRead-onlyrdquo if the goal is to give others permission to view the dash-board AND they will need to modify this dashboard

ndash Permission can be granted to give others a read-only view of the dashboardunder the lsquoGrantrsquo tabs Users able to view a read-only dashboard will be ableto copy it and manipulate the copy

ndash Give the dashboard a name before saving it

bull User Dashboards

Use this option to select the dashboards a user will have visible in theirmenu of available dashboards

ndash Select the user from the drop down box at the top To see other Usersthe User must be a member of a User Group with ldquoDashboard Adminrdquopermission

ndash Select the dashboards in the ldquoAvailablerdquo box and move them to the ldquoVis-iblerdquo box to grant permission

ndash Notice the filter on the left

ndash If granting permission to multiple users administrators generally use theldquoUsergroup Dashboardsrdquo option This requires the ldquoDashboard Adminrdquopermission

41 Dashboard Overview 69

bull Usergroup Dashboards

Use this option to select the dashboards a usergroup will have visible intheir menu of available dashboards

ndash This feature requires that the User be a member of a User Group withldquoDashboard Adminrdquo permission

ndash Select the user group from the dropdown box at the top

ndash More details regarding the permissions can be read about under User-group Permissions

Note Even if a dashboard is added to the menu for a specific user or for all users in ausergroup individuals can still remove the dashboard from their menu

bull Remove this Dashboard

ndash Use this option to remove a dashboard from the menu

ndash Both read-only and user created dashboards can be removed and added back tothe menu This is done under Configuration gt User Dashboards

413 Gadget Icons

There are several configuration options in each gadget or window in the dashboard Each is representedby an icon some of which donrsquot appear until the mouse is moved over the window

bull Timer This value decrements to indicate the next refresh of this gadget Set the refresh frequencyby clicking on the gear icon

bull Gear The spinning gear icon can be used to rename the gadget and to set the refresh rate

bull Refresh Press the refresh or recycle icon to force the reload of the contents of the gadget (Willalso happen automatically when the timer runs out)

bull Move Click the four-headed arrow icon hold and drag the gadget to a new location in the dash-board

bull X This icon is used to remove the gadget from the dashboard It can easily be added back later andit will remain in the gadget inventory for use in other dashboards

bull Resize Arrows Located in the lower left and right-hand corners of the window these icons areused to resize the window

70 4 Dashboards

414 More Permissions

Additional permission options can be found under

bull Admin tab gt Security gt Users

ndash Set the users default tab for when they log in

bull Admin tab gt Security gt User Groups

1 Click on a User Group

2 Choose Settings

ndash Check off ldquoDashboard Tabrdquo to provide the users in this group the ability to see the dash-board tab

ndash Check off ldquoCreate Newrdquo to allow users to copy and create new dashboards

ndash Check off ldquoDashboard Adminrdquo to allow users to choose which dashboards appear in anindividual or group of users available dashboards menu Individual login accounts canmake changes to their own menu as well

3 Choose Dashboard Gadgets

ndash Uncheck ldquoAll Dashboard Gadgetsrdquo

ndash Select which gadgets the users of the selected group should be able to view Drag thegadgets from the ldquoDenyrdquo to ldquoAllowrdquo boxes and vice versa

42 Vitals Dashboard

The Vitals dashboard is created by default in the Admin userrsquos dashboard during a new install Thisdashboard provides vital information on how well the servers are handling the NetFlow IPFIX and sFlowvolume and other server metrics Vital information is reported for all servers in a Distributed collectorEnvironment

The following dashboard gadgets are available

bull CPU Utilization Average CPU utilization for the Scrutinizer server(s)

42 Vitals Dashboard 71

bull Memory Utilization This gadget displays how much memory is available after what is consumedby all programs on the computer is deducted from Total Memory It is not specific to NetFlow beingcaptured

Note The flow collector will continue to grab memory depending on the size of the memory bucket itrequires to save data and it will not shrink unless the machine is rebooted This is not a memory leak

bull Storage Available The Storage report displays the amount of disk storage space that is availableAfter an initial period of a few weeksmonths this should stabilize providing that the volume ofNetFlow stays about the same

bull Flow Metric by Exporter The following metrics are provided per exporter

ndash MFSN Missed Flow Sequence Numbers NOTE Sometimes MFSN will show up as 10m or400m To get the dropped flows per second divide the value by 1000ms A value of 400mis 4 of a second 1 4 = 25 second A flow is dropped every 25 seconds or 120 (ie 300seconds25) dropped flows in the 5 minute interval displayed in the trend

ndash Packets Average Packets per second

ndash Flows Average Flows per second This is a measure of the number of conversations beingobserved

Note There can be as many as 30 flows per NetFlow v5 packet (ie UDP datagram) and up to 24 flowsper NetFlow v9 datagram With sFlow as many as 1 sample (ie flow) or greater than 10 samples can besent per datagram

bull Flow Metric by Listening Port The above metrics are also available per listening port Theflow collector can listen on multiple ports simultaneously The defaults are 2055 2056 44324739 9995 9996 and 6343 however more can be added at Admin-gtSettings-gtSystem Preferences-gtListener Port

bull Database Statistics Provides the following database metrics

ndash Connections by Bytes Excessive connections can result in reduced performance NOTEOther applications using the same database will cause this number to increase

ndash Read Req The number of requests to read a key block from the cache A high number ofrequests means the server is busy

72 4 Dashboards

ndash Write Req The number of requests to write a key block to the cache A high number ofrequests means the server is busy

ndash Cache Free The total amount of memory available to query caching Contact support if thequery cache is under 1MB

ndash Queries Tracks the number of queries made to the database More queries indicates a heavierload to the database server Generally there will be spikes at intervals of 5 minutes 30 minutes2 hours 12 hours etc This indicates the rolling up of statistics done by the stored proceduresThis Vitals report is important to watch if the NetFlow collector is sharing the database serverwith other applications

ndash Threads Threads are useful to help pass data back and forth between Scrutinizer and thedatabase engine The database server currently manages whether or not to utilize the config-ured amount of threads

ndash Buffers Used Key Buffers Used - indicates how much of the allocated key buffers are beingutilized If this report begins to consistently hit 100 it indicates that there is not enoughmemory allocated Scrutinizer will compensate by utilizing swap on the disk This can causeadditional delay retrieving data due to increased disk IO On larger implementations this cancause performance to degrade quickly Users can adjust the amount of memory allocated tothe key buffers by modifying the database configuration file and adjusting the key buffer sizesetting A general rule of thumb is to allocate as much RAM to the key buffer as possible upto a maximum of 25 of system RAM (eg 1GB on a 4GB system) This is about the idealsetting for systems that read heavily from keys If too much memory is allocated the risk isseeing further degradation of performance because the system has to use virtual memory forthe key buffer The check tuning Interactive scrut_util command can help with recommendedsystem settings

bull Syslogs Received and Processed Syslog activity for the servers is provided in this gadget

Custom dashboard gadgets can be created for any of the other Vitals Reports that are listed in the VitalsReporting section The Vitals Dashboard can also be copied to another user or recreated by selecting thedesired gadgets from the gadget panel

74 4 Dashboards

CHAPTER 5

Flow Analytics

51 Overview

511 Overview

Flow Analytics (ie FA) brings the following additional features to Scrutinizer

bull Functions as a Network Behavior Analysis system by constantly monitoring all flows for behav-iors that could be compromising the health of the network (networks scans illegal applicationsP2P etc) It interrogates every flow from every host from selected flow exporting devices for sus-picious patterns and anomalies All flows across selected flow sending devices are monitored at alltimes

bull DNS resolution can be enabled to occur automatically to support Domain reporting To enableDNS resolution and to control how long the names are retained in a local cache visit the Admintab -gt Settings -gt System Preferences Note that this feature places additional load on the systemso monitor the CPU use before and after enabling to ensure proper performance

bull Performs threshold watches for saved reports FA can monitor for nearly any combination of flowcharacteristics and export a syslog if a match or a highlow threshold is reached

512 Security Event Algorithms

The security event FA algorithms provide alarms that are focused on providing actionable informationwhile significantly minimizing false positives IP Addresses are classified in two ways

1 Internal IPs are the IP addresses or assets that comprise your network

2 External IPs are the public Internet and other IP address spaces that are not under your administra-tion

Alarm messages identify both the source and destination of suspect activity as ldquoexternal to internalrdquoldquointernal to externalrdquo or ldquointernal to internalrdquo as well as providing additional details that are specificto the alarm type Internal Addresses are defined as any addresses entered as your IP Groups plus thefollowing list of IP Address blocks These addresses are private non-routable addresses per RFC 1918and link-local addresses per RFC 3927

10000817216001219216800161692540016

All other addresses are treated as external IPs

513 Aggregated Alarms

Aggregated alarms combine alarms from events that are continuous (may last several hours) into a singlealarm displaying the original alarm time the most recent alarm time and the number of times that thealarm has triggered while it was active Aggregated alarms will continue to collect matching alarm eventsuntil the ldquoAggregated Alarm Timeoutrdquo time has expired with no new alarms The ldquoAggregated AlarmTimeoutrdquo defaults to two hours (120 minutes) This value is controlled on the Admin Settings FlowAnalytics Configuration page and is also configurable per algorithm A value of zero will disable thealarm aggregation

52 Navigation

The navigation for FA is via gadgets in the Dashboard tab The primary gadget ldquoFlow Analytics Config-urationrdquo should be added to Dashboard It can also be reached by navigating to Admin tab gt Settings gtFlow Analytics Configuration Below are the primary utilities for configuring and observing the perfor-mance of Flow Analytics

bull Flow Analytics Dashboard Gadgets Used to visualize the results of the FA algorithms

bull Flow Analytics Settings are explained at Admin tab gt Settings gt Flow Analytics Settings

76 5 Flow Analytics

53 Configuration

531 Setting Up Flow Analytics (FA)

FA algorithms are executed sequentially Most of them do not run until one or more NetFlow exportersare added to the individual algorithms

To add exporters to an algorithm visit Admin gt Settings gt Flow Analytics Configuration and click on analgorithm name listed in the table

At the top of the Flow Analytics Configuration table it displays the overall time to run all algorithms andthe total count of violations across all algorithms

FA Configuration Columns

bull Down Arrow Menu This action menu provides several options

ndash Modify the Exporters this Algorithm runs against Many algorithms do not need to run againstall exporters Visit the Algorithm Strategy page to learn more about types of flows to send toeach algorithm

ndash Modify the Hosts Excluded from violating this Algorithm Use this utility to exclude IPaddresses and portions of hostnames that are triggering false positives

ndash View the Run Time Trend for this Algorithm View a report that displays how long the algo-rithm takes the run each time it is executed

ndash View the Violation Count Trend for this Algorithm View a report that indicates how fre-quently the algorithm is triggering for a matching event

bull Mouse over columns to learn what they do

bull Round Icon This icon indicates the status of the algorithm using different colors Mouse over theicon and the tool tip that appears will explain the status

bull Name This is the name of the algorithm that is checking for abnormal behaviors Click on thealgorithm name to modify the settings apply exporters or change the exclusions for the algorithm

bull Time This is the amount of time the algorithm takes to run across all selected routersswitches

53 Configuration 77

bull Count This is the number of violations found the last time the algorithm ran Click on the numberto view graphs for longer time periods

bull Time exceeded Algorithms that exceed the configured run time will be cancelled

Important Notes

bull Add only a few routers to a few algorithms initially and start off slowly Pay attention to the Vitalsof the server After 15-30 minutes add a few more routers to selected algorithms and slowly rampup the FA deployment

bull FA has only 300 seconds (ie 5 minutes) to finish all enabled algorithms If it canrsquot finish in 300seconds it will stop where it is and start over All algorithms must finish within 5 minutes asthe process repeats every 5 minutes Optimize performance by paying attention to the time eachalgorithm takes to run as well as the overall time shown at the very top of the Flow AnalyticsConfiguration gadget

bull Check out these other FA optimization tips

54 Exclusions

541 Overview

In an effort to reduce the false positives triggered by algorithms IP addresses and portions of host namescan be excluded from them This feature can be found by visiting Admin tab gt Settings gt Flow AnalyticsExclusions Most exclusions are added when viewing an individual event for an alarm

542 Exclusion Types

There are two ways to exclude hosts from triggering algorithms

1 IP Address Exclude one or more IP addresses from an individual algorithm by

bull IP Address

bull IP Range

bull IP Subnet

78 5 Flow Analytics

bull Child A child group is defined in IP Groups

2 Reverse DNS Name A portion of or all of a DNS resolved name can be entered Entries arecreated when false positives occur Use this interface to manage all of the entries

Visit the alarms tab and drill in on an alarm to see the individual events To add an exclusion click theDown Arrow Menu icon on the far left and select

bull Exclude IP xxxx from this algorithm

bull Exclude a portion of the reverse DNS name from this algorithm

The user can then use this interface to manage all of the the entries that will be made over time

54 Exclusions 79

55 Algorithm Activation Strategy

Algorithm Name Internal CoreRouters

EdgeRouters

Public Facing IP Addresses DefinedIn IP Groups

BotNet Detection FlowPro De-fender

FlowPro De-fender

Breach Attempt De-tection

Yes Yes Yes

DDoS Detection No Yes YesDenied Flows Firewall Yes No NoDNS Command andControl

FlowPro De-fender

DNS Data Link FlowPro De-fender

FlowPro De-fender

DNS Hits Yes Yes YesDomain Reputation FlowPro De-

fenderFlowPro De-fender

DRDoS Detection No Yes YesFIN Scan Yes Yes NoHost Reputation No Yes YesICMP Destination Un-reachable

Yes No No

ICMP Port Unreach-able

Yes No No

IP Address Violations Yes Yes YesMalware Behavior De-tection

FlowPro De-fender

Multicast Violations Yes Yes YesNull Scan Yes Yes NoOdd TCP Flags Scan Yes Yes NoPersistent Flow Risk Yes Yes NoP2P Detection Yes Yes NoRSTACK Detection Yes Yes NoSYN Scan Yes Yes NoTCP Scan Yes Yes NoUDP Scan Yes Yes NoXMAS Scan Yes Yes No

Algorithms for Public Facing IP Addresses These addresses should be defined as an IP Group whichwill cause these addresses to be treated as part of a protected network Algorithms such as DDoS will nottrigger an alarm unless the target of the DDoS is an internal address (defined within an IP Group)

80 5 Flow Analytics

If the primary concern is lsquointernal to internalrsquo and lsquointernal to externalrsquo monitoring then enable algorithmson the core routers and ensure that any routable IP Addresses that should be monitored as part of theinternal network are defined within an IP Group Monitoring lsquointernal to internalrsquo and lsquointernal to externalrsquotraffic is highly recommended for identification of traffic patterns that may indicate a compromised assetand to assist with incident response

If the primary concern is monitoring public facing assets ensure that all public-facing IP Addresses arecontained within an IP Group and add the edge routers to most algorithms

56 Algorithms and Gadgets

561 Overview

FA Algorithms may or may not include gadgets Some algorithms are enabled by default Others need tohave flow exporting devices applied to them A few algorithms need to have thresholds configured whichcan modified from the default

562 FA Gadgets that can be added to Dashboard

bull Flow Analytics Summary The overall status of all algorithms and the total runtime and count ofviolations across all algorithms Algorithms can be ordered alphabetically or by order of executionThe FA Configuration page can be opened with by clicking the button at the top left of this gadget

bull Flow Reports Thresholds Saved reports that are given a threshold to compare against every fiveminutes show up in this gadget

bull Medianet Jitter Violation Jitter values as reported by the Medianet flows that exceed the thresh-old defined in this algorithm The default threshold is 80ms

bull Network Volume The scale of the traffic traversing through the core network It lists the volumeof unique traffic on the network for the last 5 minute vs last 30 hours Only include a few coreroutersswitches in this algorithm

bull Analytics Violation Overview Top Flow Analytics policy violation summary with violationscounts for the Last 5 minutes Last Hour and Overall time

bull Policies Violated Last 24 hour report of top alarm policies violated with violations counts

56 Algorithms and Gadgets 81

bull Recent AlarmsRecent Alarms by Violator Violations listing by policy and violator with threatheat maps included

bull Threats Summary report of top Flow Analytics algorithm violations

bull Threat Index Last 24 hour report of top violators by threat index values

bull Top Applications Top Applications across selected flow exporting devices This algorithm is onby default across all flow exporting devices that are exporting the necessary fields

bull Top Conversations Top Conversations across selected flow exporting devices This algorithm ison by default across all flow exporting devices that are exporting the necessary fields

bull Top Countries Top Countries across selected flow exporting devices This algorithm is on bydefault across all flow exporting devices that are exporting the necessary fields

bull Top Flows Top Flow sending end systems across selected flow exporting devices This algorithmis on by default across all flow exporting devices that are exporting the necessary fields

bull Top Hosts Top Hosts sending data across selected flow exporting devices This algorithm is on bydefault across all flow exporting devices that are exporting the necessary fields

bull Top Network Transports Top Transport Layer Protocols across selected flow exporting devicesAlarms trigger for protocols that appear that havenrsquot been approved This algorithm is on by defaultacross all flow exporting devices that are exporting the necessary fields

bull Top Rev 2nd lvl Domains Top reverse 2nd level domains across selected flow exporting devicesThis algorithm is on by default across all flow exporting devices that are exporting the necessaryfields

bull Top Subnet Traffic Top IP Subnets across selected flow exporting devices This algorithm is onby default across all flow exporting devices that are exporting the necessary fields

bull Top Violators Last 24 hour report of top alarm violators

bull Top Well Known Ports Top ports across selected flow exporting devices This algorithm is on bydefault across all flow exporting devices that are exporting the necessary fields

Note Some gadgets include algorithms that should only be run against core routersswitches Watchthe Flow Analytics Summary gadget for algorithms that are taking an excessive amount of time to runEverything needs to finish in under 5 minutes (300 seconds)

82 5 Flow Analytics

563 FA Algorithms that donrsquot include Gadgets

Be sure to exclude certain hosts from select algorithms to avoid false positives This can easily be donefrom the alarms tab as well by clicking on the host The interface will prompt for the exclude confirmation

bull Indicator Correlation Event This algorithm escalates multiple Indicator of Compromise (IOC)and security events for a single host to a new alarm on the security event BB While a single IOCmay be indicative of malware it is much more likely to be a real security concern if there aremultiple indicators By default This algorithm correlates multiple IOCs along with any eventsposted to the Security Event BB and issues an alarm for any host that has three or more entries inthe IOC and Security Event bulletin boards Each of the contributing algorithms will be listed inthe alarm message

By default three different algorithms are required the threshold setting for Indicator Correlationcan be adjusted

bull Breach Attempt Detection This algorithm is examining flow behaviors that may indicate a bruteforce password attack on an internal IP address This is accomplished by examining the flow byteand packet counts being exchanged in short-duration completed flows between one source and onedestination Specific behaviors are observed for common attack vectors such as SSH LDAP andRDP If the number of flows that match these characteristics exceeds the alarm threshold an alarmwill be raised The default flow count threshold is 100 Either IP address can be excluded fromtriggering this alarm This algorithm is enabled by default across all flow exporting devices that areexporting the necessary fields

bull DDoS Detection Identifies a Distributed Denial of Service attack targeting the protected networkspace DDoS attacks are often launched by a BotNet and ldquoreflection attacksrdquo are becoming morecommon Scrutinizer may identify attacks against the network as ldquoreflection attacksrdquo if they meetthe criteria

There are four settings that are used to adjust the sensitivity of the DDoS detection algorithm

ndash DDoS Packet Deviation (default 10) and DDoS Bytes Deviation (default 10) - These set-tings control how similar the flows associated with the attack must be The standard deviationof the byte count and packet counts associated with the flows must be less than this setting

ndash DDoS Flows (default 4) controls the minimum number flows used to identify attacking hostsThe sensitivity of the DDoS attack can be reduced by increasing this setting to six or higher

ndash DDoS Unique Hosts (default 200) controls the threshold for the minimum number of hoststhat have sent flows that match the other characteristics required to trigger the alarm

bull Denied Flows Firewall Triggers an alarm for internal IP addresses sending to external IP ad-dresses that cause greater than the threshold of denied flows The default threshold is set to 5 deniedflows Either the source or destination IP address can be excluded from triggering this alarm

bull DRDoS Detection Identifies a Distributed Reflection Denial of Service attack targeted at the pro-tected network space DRDoS attacks are often launched by a BotNet and ldquoreflection attacksrdquoare becoming more common Scrutinizer may identify attacks against the network as ldquoreflectionattacksrdquo if they meet the following criteria

Scrutinizer detects the following ten Distributed Reflection Denial of Service (DRDoS) Attacks

ndash DNS

ndash NTP

ndash SNMP

ndash SSDP

ndash Chargen

ndash NetBIOS Name Server

ndash RPC Portmap

ndash Sentinel

ndash Quote of the Day

ndash Trivial File Transfer Protocol

There is an option to enable or disable a specific reflection attack via Admin Settings FlowAnalytics Configuration DRDoS Detection Settings

bull DNS Hits Triggers an alarm when a host initiates an excessive number of DNS queries This iden-tifies hosts that perform an inordinate number of DNS lookups To do this set the flow thresholdto a large value that reflects normal behavior on the network The default threshold is 2500 DNSflows in five minutes Either the source or destination IP address can be excluded from triggeringthis alarm

84 5 Flow Analytics

bull FIN Scan Alerts when a FIN scan is detected FIN scans are often used as reconnaissance priorto an attack They are considered to be a ldquostealthy scanrdquo as they may be able to pass throughfirewalls allowing an attacker to identify additional information about hosts on the network Thedefault threshold is 100 unique scan flows in five minutes Internal IP addresses that are allowedto scan the internal network such as security team members and vulnerability scanners should beentered into the IP exclusions list Either the source or destination IP address can be excluded fromtriggering this alarm

bull Host Reputation This algorithm maintains a current list of active Tor nodes that should be moni-tored Some malware families use Tor for Command and Control communications White-list userswho are authorized to use Tor and regard other uses as suspicious This algorithm will also monitorany IP address lists that can be provided as custom lists See below

ndash Custom List The Host Reputation algorithm also supports the use of custom lists where theuser can add additional reputation lists to the system A custom list of IP addresses can beimported into the Host Reputation algorithm To do this Host Reputation needs to be enabledand this list will be compared with traffic on the devices selected under ldquoConfigured FlowAnalyticsrdquo

To Enable Host Reputation

middot Go to Admin gt Settings gt FA Configuration

middot Expand the ldquoHost Reputation Monitorrdquo

middot Make sure Disabled is not checked and exporters are being included

To Create Custom Lists

middot The IP Addresses need to be in a file with a single address on each line

middot The name of the file will be the Threat Category Name and the Alarm Policy Name

middot The file must have a import file extension for example ldquoCustomThreatListimportrdquo

middot The file must be placed in the homeplixerscrutinizerfilesthreats directory

middot Once an hour this file will be imported into Scrutinizer and used for the next hour ofprocessing

middot To force a new file import to become active immediately run

middot homeplixerscrutinizerbinscrut_utilexe

middot SCRUTINIZERgt download hostreputationlists

middot After the import the Alarms Policy can be modified to change the threat_multiplierfrom the default of 0

bull ICMP Destination Unreachable This alarm is generated when a large number of ICMP destina-tion unreachable messages have been sent to the suspect IP address This may happen as a result ofscanning activity misconfiguration or network errors ICMP Destination Unreachable is a messagethat comes back from a destination host or the destination host gateway to indicate that the destina-tion is unreachable for one reason or another The default threshold is 100 destination unreachablemessages Either the source or destination IP address can be excluded from triggering this alarm

bull ICMP Port Unreachable This alarm is generated when a large number of ICMP port unreachablemessages have been sent to the suspect IP address This may happen as a result of scanning activitymisconfiguration or network errors ICMP Port Unreachable is a message that comes back fromthe destination host gateway to indicate that the destination port is unavailable for the transportprotocol The default threshold is 100 port unreachable messages Either the source or destinationIP address can be excluded from triggering this alarm

bull IP Address Violation By default this algorithm allows all subnets Once subnets are definedany flow that contains an IP address where either the source or destination IP address isnrsquot in anallowed subnet an event will trigger In other words if in a single flow both source and destinationIP addresses are outside of the allowed subnets an event will be triggered A common use of this al-gorithm is to identify unknown or unauthorized internal network addresses that are communicatingwith the Internet

bull Medianet Jitter Violations This algorithm compares the jitter values as reported by the Medianetflows to the threshold defined by the user in the Settings section of this algorithm The defaultthreshold is 80ms

bull Multicast Violations Any multicast traffic that exceeds the threshold that isnrsquot excluded willviolate this algorithm The default threshold is 1000000 and the minimum that can be set is100000

bull NULL Scan Alerts when a NULL scan is detected NULL scans are a TCP scan with all TCPFlags cleared to zero This scan is sometimes used as a reconnaissance tactic prior to an attackand is considered to be stealthy because often times it is able to pass through firewalls Eludinga firewall makes it easier for an attacker to identify additional information about the hosts on thenetwork The default threshold is 100 unique scan flows in five minutes Internal IP addressesthat are allowed to scan the internal network such as security team members and vulnerabilityscanners should be entered into the IP exclusions list Either the source or destination IP addresscan be excluded from triggering this alarm

86 5 Flow Analytics

bull Odd TCP Flags Scan Alerts when a scan is detected using unusual TCP Flag combinations Thesetypes of scans may allow an attacker to identify additional information about hosts on the networkThe default threshold is 100 unique scan (aka flows) in five minutes Internal IP addresses that areallowed to scan the internal network such as security team members and vulnerability scannersshould be entered into the IP exclusions list Either the source or destination IP address can beexcluded from triggering this alarm

bull P2P Detection Peer to Peer (P2P) traffic such as BitTorrent are identified by this algorithm Thedefault threshold is a P2P session involving over 100 external hosts which will detect most P2Papplications However there are several P2P applications that are stealthier Experimenting withlower thresholds or periodically lowering the threshold to about 20 will allow the security adminsto determine if other ldquolow and slowrdquo P2P traffic is on the network

bull Persistent Flow Risk Alerts when a persistent flow is detected Persistent flows are a strongindicator of VPNs proxy traffic remote desktop technologies or other means of covert communi-cation The default threshold for a flow to be considered persistent is 12 hours In addition to thetemporal threshold an optional ratio threshold is available to identify the relationship of traffic as itpertains to ingressing or egressing the network The default PCR threshold is set to 9 identifyingpersistent flows where the ratio indicates more traffic is destined outside the network

bull RSTACK Detection Alerts when a large number of TCP flows containing only RST and ACKflags have been detected that are sending to a single destination These flows indicate that a connec-tion attempt was made on the host sending the RSTACK flow and was rejected This algorithmmay detect other scan types used by an attacker to identify additional information about the hosts onthe network The default threshold is 100 unique scan flows in five minutes Internal IP addressesthat are allowed to scan the internal network such as security team members and vulnerabilityscanners should be entered into the IP exclusions list Either the source or destination IP addresscan be excluded from triggering this alarm

bull SYN Scan Alerts when a SYN scan is detected SYN scans are a TCP scan with the TCP SYN flagset This scan is often used as reconnaissance prior to an attack as it is fast and somewhat stealthyThe default threshold is 100 unique scan flows in five minutes Internal IP addresses that are allowedto scan the internal network such as security team members and vulnerability scanners should beentered into the IP exclusions list Either the source or destination IP address can be excluded fromtriggering this alarm

bull TCP Scan Alerts when a possible TCP scan is detected from an exporter that does not provideTCP flag information These types of scans may allow an attacker to identify additional informationabout hosts on the network The default threshold is 100 unique scan flows in five minutes InternalIP addresses that are allowed to scan the internal network such as security team members andvulnerability scanners should be entered into the IP exclusions list Either the source or destinationIP address can be excluded from triggering this alarm

bull UDP Scan Alerts when a possible UDP scan is detected These types of scans may allow anattacker to identify additional information about hosts on the network The default threshold is100 unique scan flows in five minutes Internal IP addresses that are allowed to scan the internalnetwork such as security team members and vulnerability scanners should be entered into the IPexclusions list Either the source or destination IP address can be excluded from triggering thisalarm

Note If company policy allows P2P traffic on the network then it is unwise to enable this alarm as itwill often detect P2P control traffic as a UDP Scan violation

bull XMAS Scan Alerts when a XMAS scan is detected XMAS scans are a TCP scan with the FINPSH and URG TCP flags set This scan is often used as reconnaissance prior to an attack Theyare considered to be a ldquostealthy scanrdquo as they may be able to pass through firewalls allowing anattacker to identify additional information about hosts on the network The default threshold is100 unique scan flows in five minutes Internal IP addresses that are allowed to scan the internalnetwork such as security team members and vulnerability scanners should be entered into the IPexclusions list Either the source or destination IP address can be excluded from triggering thisalarm

Note By default all of the scan algorithms are looking for ldquointernal to internalrdquo and ldquointernal to externalrdquoscanning activity Security admins have the option to control which scanning directions the differentalgorithms look for including ldquoexternal to internalrdquo which would normally be used to monitor publicfacing IP addresses listed in an IP Group Within each of the scanning algorithms the settings screenprovides a directional control option

564 FA Algorithms that Require FlowPro Defender

BotNet Detection

(Formerly named NXDomain detection)

This alarm is generated when a large number of unique DNS name lookups have failed Whena DNS lookup fails a reply commonly known as NXDOMAIN is returned By monitoringthe number of NXDOMAINs detected as well as the DNS name looked up behavior normallyassociated with a class of malware that uses Domain Generation Algorithms (DGAs) can bedetected

The default threshold is 100 unique DNS lookup failure (NXDOMAIN) messages in fiveminutes Either the source or destination IP address can be excluded from triggering thisalarm

88 5 Flow Analytics

DNS Command and Control

This algorithm monitors the use of DNS TXT messages traversing the network perimeteras detected by FlowPro Defender DNS TXT messages provide a means of sending infor-mation into and out of the protected network over DNS even when external DNS serversare blocked This technique is used by malware as a method of controlling compromisedassets within the network and to extract information back out Additionally some legitimatecompanies also use this method to communicate as a means to ldquophone homerdquo from theirapplications to the developer site

The algorithm will detect inbound outbound and bidirectional communications using DNSTXT messages Thresholds may be set based either on the number of DNS TXT messagesor the number of bytes observed in the DNS TXT messages within a five minute periodThe default setting is for any detected traffic to alarm and alarm aggregation defaults to 120minutes

To suppress alarms from authorized applications in the network the domain generating thealarm message can be added to to the ldquoTrusted Domainrdquo list on FlowPro Defender See theTrusted Domain List discussion below

DNS Data Leak

This algorithm monitors the practice of encoding information into a DNS lookup messagethat has no intention of returning a valid IP address or making an actual connection to aremote device When this happens the local DNS server will fail to find the DNS name inits cache and will pass the name out of the network to where it will eventually reach theauthoritative server for the domain At that point the owner of the authoritative server candecode the information embedded in the name and may respond with a ldquono existing domainrdquoresponse or return a non-routable address

FlowPro Defender uses proprietary detection algorithms to identify suspicious DNS namesthat may contain encoded data and passes this information to Scrutinizer where it is pro-cessed by the DNS Data Leak algorithm Thresholds may be set based either on the numberof suspicious DNS names or the number of bytes observed in the suspicious DNS namewithin a five minute period The default setting is for any detected traffic to alarm and alarmaggregation defaults to 120 minutes

Domain Reputation

Domain reputation provides much more accurate alarming with a dramatic decrease in thenumber of false positive alarms as compared to IP based Host Reputation The domain list isprovided by Plixer and is updated each hour and currently contains several hundred thousandknown bad domains

FlowPro Defender performs the actual monitoring and when it detects a domain with a poorreputation it passes the information to Scrutinizer for additional processing The default

setting is for any detected traffic to alarm and alarm aggregation defaults to disabled whichmeans that all DNS lookups observed will result in a unique alarm

To suppress alarms from authorized applications in the network the domain generating thealarm message can be added to the ldquoTrusted Domainrdquo list on FlowPro Defender See theTrusted Domain List discussion below

Malware Behavior Detection

This specific alarm is correlating IP address lookups (ie what is my IP address) activitywhich is commonly performed by malware shortly after the initial compromise with the de-tection of the BotNet alarm or with a Domain Reputation alert In other words this algorithmlooks for the following correlation

bull IP address lookup combined with a Domain Reputation trigger

bull IP address lookup combined with a BotNet trigger

When either of the two events is detected this algorithm is triggered as this behavior is a verystrong indicator of a compromised asset

Malware Domain Communications

This algorithm combines the Domain Reputation algorithm with communications detectedgoing to the IP address that was resolved Scrutinizer and Defender have detected the follow-ing sequence of events

1 Defender contains a list updated every 10 minutes of several hundred thousand knownmalware domains created by forensic analysis of the actual malware These are veryhigh confidence domains

2 Defender monitors all of the DNS resolution requests and generates an IOC (Indicatorof Compromise) alert on detection of a match with a malware domain and saves theresolved ldquoMalware IP Addressrdquo This only rates an ldquoIOCrdquo as a browser may ldquopre-fetchrdquo or resolve an address for all of the links on a web page Browsers like Chromedo this to make the browsing experience feel faster However as yet no connection tothe malware site has been made

3 Scrutinizer then examines all flows for any communications with the ldquoMalware IP Ad-dressrdquo resolved by Defender On detection of any flows to or from that address aconnection to the malware site has been established and a Malware Domain Commu-nication alert is triggered

Note For this algorithm to work the user must turn ON host indexing This setting is available in Admin Settings System Preferences

90 5 Flow Analytics

565 Correlation Algorithms

These algorithms demonstrate Plixerrsquos cyber threat correlation capability Correlation of multiple networkbehaviors over a long time period provides detection systems with more information allowing for a higheraccuracy with fewer false positive alarms

Below are the Correlation Algorithms available in Flow Analytics

bull Indicator Correlation Event

bull Malware Behavior Detection

bull Malware Domain Communications

566 Trusted Domain List

A ldquotrusted domain listrdquo often called a whitelist is preconfigured on FlowPro Defender to suppress alarmsinvolving specific domains The default whitelist contains five entries Add or remove entries as necessaryto best fit the local environment

bull mcafeecom

bull sophoscom

bull sophosxlnet

bull webcfs03com

bull applecom

mcafeecom suppresses DNS Data Leak alarms from McAfee AntiVirus software McAfee encodes in-formation from the anti-virus clients on the network into very long and complex DNS names and capturesthis information at their DNS server This is exactly the type of behavior that the DNS Data Leak algo-rithm is looking for as this technique is also used by some forms of malware

sophoscom and sophosxlnet are related to the Sophos Anti-virus software and it uses multiple tech-niques to get information in and out of the network using DNS In addition to using the same technique asMcAfee to send information back to their servers they also use DNS TXT messages to send informationback in to the clients on the internal network Use of DNS TXT messages to exchange information withan external host is also used by some malware families and the DNS Command and Control algorithmwill alarm on this type of activity This will prevent Sophos from generating either DNS Data Leak orDNS Command and Control alarms

webcfs03com belongs to SonicWALL and will also generate DNS Data Leak alarms

applecom uses DNS TXT messages to apparently exchange settings with their NTP server This willalarm as a DNS Command and Control alarm

It is possible to have authorized software within the local networks that abuse the DNS to bypass firewallsfor data communications If this is the case add the domain(s) involved with the software to the TrustedDomain list as described below Once they have been configured for the local environment any othertraffic using DNS to communicate will be worth additional investigation

567 To Modify the Trusted Domain List

1 Log on to the FlowPro Defender

2 Enter ldquoedit trusteddomainsrdquo

3 Modify the file contents as desired

4 enter control-x and select ldquoYrdquo to save the changes

5 press enter to accept the file name

6 quit

568 Untrusted Domain Lists

FlowPro Defender supports both the use of a domain reputation list that is downloaded from Plixer aswell as allowing for the addition of a unique list

569 Plixer Domain Reputation List

FlowPro Defender downloads a list of domains from Plixer once each hour These are domains thathave been determined to be ldquobad domainsrdquo with a high probability and this list is used in the ldquoDomainReputationrdquo and ldquoMalware Behavior Detectionrdquo algorithms Use of this list can be controlled by theFlowPro Defender

2 Enter ldquoedit plixerinirdquo

3 To enable the list (default is enabled) set the value enableDomainReputationList=1

4 or to disable the list set the value enableDomainReputationList=0

5 enter control-x and select ldquoYrdquo to save changes

6 quit

92 5 Flow Analytics

5610 User Defined Domain Lists

The Plixer Domain Reputation list can be augmented by creating one or more lists that contain domainsthat the system should alarm on The rules for the domain lists are

1 The DNS name must contain at least 2 labels which is often called a second level domain or 2LDfor short (for example googlecom) and no more than 3 labels (mapsgooglecom) or a 3LD

2 The labels must contain between 1 and 63 characters as is required to be a legitimate domain name

3 Entries that do not match these requirements will be ignored

5611 To create a list of domains to detect domainReputation violations

2 Enter ldquoedit my_domain_list_namerdquo NOTE Do NOT enter a file extension This will be automat-ically assigned

6 quit

5612 To Enable a Domain List

2 show domainlists

3 Enter ldquoenable domain_list_namerdquo

4 quit

5613 To Disable a Domain List

2 show domainlists

3 Enter ldquodisable domain_list_namerdquo

4 quit

Important Hosts can easily be excluded from certain algorithms by clicking on the IP address in theAlarms Tab This will pop up the Exclude Hosts table where the IP address can then be excluded fromother algorithms as well

57 Custom Algorithms

Developers and administrators can now create their own algorithms that Flow Analytics will execute rou-tinely whenever the pre-packaged algorithms are executed The level of complexity in a custom algorithmwill vary based on the task(s) that are being performed An indepth knowledge of Perl and Scrutinizerrsquosdatabase structure are required

571 Getting Started

There are important files and directories that are involved with creating and managing custom algorithms

bull scrutinizerfilesalgorithms is the directory where all custom algorithms are placed

bull scrutinizerfilesalgorithmsexamplepm is an example of a commented Perl module to help indi-viduals understand the work flow of an algorithm

bull Interactive scrut_util is used to add and remove custom algorithms from the Flow Analytics Engineand also display a list of custom algorithms

bull scrutinizerbinfa_cliexe is used to test custom algorithms

A Perl installation on the Scrutinizer server is not required to write algorithms

94 5 Flow Analytics

572 Creating a Custom Algorithm

Start by making a copy of examplepm and pasting it into the scrutinizerfilesalgorithms directory Re-name the file to something that is unique to help identify the custom algorithm For purposes of anexample this documentation will reference the custom algorithm as customAlgo1pm

Modify customAlgo1pm to perform the actions intended for this algorithm Change the package name atthe top of the example script to match the file name of the new algorithm module When complete savethe file To test the algorithm it first must be added to the Flow Analytics engine

It is up to the algorithm to send out alerts There is an example of how this is accomplished in theexamplepm file

573 Adding a Custom Algorithm

Before a custom algorithm can be tested or executed on a regular basis it must first be added to the FlowAnalytics Engine This is accomplished by running the following command from the Interactive scrut_utilprompt

1 To open the Interactive scrut_util prompt enter

2 At the SCRUTINIZERgt prompt enter

SCRUTINIZERgt enable custom_algorithm customAlgo1 My_Custom_Algorithm

Note Do not include the file extension for lsquocustomAlgo1rsquo in the command and the custom algorithmname (My_Custom_Algorithm) cannot contain spaces

3 To verify that the custom algorithm has been added launch the Flow Analytics Configuration Man-ager (Admin Tab -gt Settings -gt Flow Analytics Configuration)

574 Testing a Custom Algorithm

During the testing phase it is highly recommended that debug is added to ensure everything is workingas intended For production environments comment out any debug code

To test a custom algorithm execute the following command

homeplixerscrutinizerbinfa_cliexe ndashdebug 1

57 Custom Algorithms 95

575 Configuring a Custom Algorithm

At any time during production use or testing custom algorithm settings can be managed from the UserInterface by launching the Flow Analytics Configuration Manager (Admin Tab -gt Settings -gt Flow Ana-lytics Configuration)

Settings available to custom algorithms are

bull Threshold

bull Exporters to include

bull Hosts to exclude

bull EnableDisable Alerts

bull EnableDisable Syslogs

bull EnableDisable Algorithm

576 Running a Custom Algorithm in Production

When algorithms are run routinely in production the Flow Analytics Engine manages the execution andexporting of violation count and the time taken to execute the algorithm Flow Analytics will terminateany algorithm that is taking too long to execute The Flow Analytics Configuration Manager will indicateif any algorithm including custom algorithms were terminated before completion

577 Creating a Policy for a Custom Algorithm

Once the custom algorithm is violating and sending alerts that show up in the Scrutinizer Orphan View apolicy can be created to match violations and send alerts using notifications (See Alarm section for moredetails)

Follow the steps below to create policies for custom algorithms (eg customAlgo1)

1 Navigate to Alarms gt Configuration gt Policy Manager

2 Click New Policy

3 Give the policy a Name

4 Under Filter and to the right of Message paste in FAuserCustom_customAlgo1 in the box belowwhere it says Logical AND=ampamp Logical OR=||

96 5 Flow Analytics

5 Set the other options for this policy (for more details reference the Policy Manager section of thedocumentation)

Note Remember to replace customAlgo1 with the name of the custom algorithm

The next time a violation occurs the policy will trigger and perform whatever actions were configured inthe policy

578 Disabling a Custom Algorithm

Custom algorithms can be disabled from the Flow Analytics Configuration Manager (Admin Tab -gt Set-tings -gt Flow Analytics Configuration) by checking the lsquoDisablersquo checkbox for the Custom Algorithm

579 Deleting a Custom Algorithm

Custom Flow Analytic Algorithms can be deleted from the Flow Analytics Engine by executing the fol-lowing Interactive scrut_util command

This command deletes a custom_algorithm at the system level

SCRUTINIZERgt delete custom_algorithm custom_algo1

3 To verify that the Algorithm has been deleted launch the Flow Analytics Configuration Manager(Admin Tab -gt Settings -gt Flow Analytics Configuration)

5710 Display a list of Custom Algorithms

To display a list of custom algorithms available and whether they are enabled execute the followingcommand from the Interactive scrut_util interface

SCRUTINIZERgt show custom_algorithms

58 FA Bulletin Boards

FA algorithms are posted to one of three Bulletin boards depending on their importance and likelihoodthat a host has been compromised The different bulletin boards are

bull Policy Events

bull Indicators of Compromise (IOC)

bull Security Events

581 Policy Events

Algorithms that post to this bulletin board are those that detect network traffic that generally have nodirect security implications but may violate the network policy The following algorithms are posted tothe Policy Events BB by default

bull Excessive Jitter

bull Multicast Violations

bull IP Address Violation

bull P2P Detection

582 Indicators of Compromise (IOC)

The algorithms that post to the IOC bulletin board (BB) are those that indicate possible malware activitywith insufficient confidence to initiate a security event alarm This is a bulletin board that should beperiodically reviewed to pick up on recent changes If multiple IOCs are associated with a single hostthese may generate an ldquoIndicator Correlation Eventrdquo alarm that is posted to the Security Event BB Thisis discussed in more detail below The following algorithms are posted to the IOC Events BB by default

bull Breach Attempt Detection

bull DNS Hits

bull ICMP Port Unreachable

bull ICMP Destination Unreachable

bull Denied Flows

bull Domain Reputation

98 5 Flow Analytics

bull FIN Scan

bull NULL Scan

bull Odd TCP Flags Scan

bull Persistent Flow Risk

bull RSTACK Scan

bull SYN Scan

bull TCP Scan

bull UDP Scan

bull XMAS Scan

583 Security Events

The algorithms that post to the Security Events bulletin board are high confidence detections that a host iscompromised Any events posted to this bulletin board should be investigated The following algorithmsare posted to the Security Events BB by default

bull BotNet Detection

bull DDoS Detection

bull DRDoS Detection

bull DNS Command and Control Detection

bull DNS Data Leak

bull Host Reputation (Tor Blackhole Malware CampC Server and user defined)

Note Edit the policy for any algorithm to change the Bulletin Board from the default settings

58 FA Bulletin Boards 99

59 Optimizing FA

Flow Analytics can be optimized in several different ways

bull Modify the number of flow exporting devices included in the algorithm

bull Disable selected Algorithms

bull Utilize a second or third copy of Scrutinizer with FA

bull Contact your vendor to learn about the minimum hardware requirements

100 5 Flow Analytics

CHAPTER 6

61 Main View

611 Overview

The Mapping options are primarily utilized by administrators to display all or a portion of the networktopology Right mouse button on the background of a Plixer map (ie not Google map) and togglebetween Edit mode and View mode to rearrange the icons Be sure to save changes before leaving theEdit mode Donrsquot forget to save the position of the icons

Maps can be created by clicking on Create Maps Device Groups at the top of the tree menu in eitherthe Maps or the Status tabs or by clicking the New Group button in Admin gt Settings gt Maps amp DeviceGroups Map configuration can be completed in the Maps amp Device Groups page or by right-clicking inthe background of an existing map and selecting Map Settings from the menu

A default map per login account can be selected under Admin -gt Security -gt User Accounts

Maps are made up of three major parts

bull Objects

bull Backgrounds

bull Link Status

The device icon color is based on the Fault Index (FI) value in CrossCheck and the corresponding colorthresholds The link color between devices can be based on utilization between the devices Click on thelink to bring up a flow report for the connection

Hint Click on the map and then use the right mouse button to bring up a menu of options

62 Connections

621 Connections between objects

bull A Connection between any two objects can be created using this interface

bull Selecting a From Device which is sending flows will cause the Interface drop-down box to fill inwith the corresponding flow interfaces available

bull Selecting a Group or Icon From object results in an empty Interface drop-down box Check offldquoDisplay all interfaces in this grouprdquo to fill in the Interface drop-down box with all interfaces fromdevices in the group Another option is to select ldquoConnect with black linerdquo to connect to the ToObject without using a flow interface for the connection

bull Click the Connect button and the connection will be displayed in the window below

Important When creating connections for a Google map a device name might be followed by (NeedsGPS coordinates - Go to Objects Tab) Devices in a Google Map Group will not appear until they aregiven GPS coordinates or an address using the Objects tab

102 6 Maps

622 Links Status comes in 3 formats

bull Flow link are links representing flow capable interfaces

ndash Link colors can be green yellow orange or red and are based on settings configured in AdminTab -gt Settings -gt System Preferences

ndash Links are blue if there is no bandwidth statement for the interface

ndash Links are dashed gray if flows are not received within the last five minutes from the interfaceClick on a link to bring up the current flow information

bull Black line is a static link between two devices It is not clickable and doesnrsquot provide a status

bull Saved Reports connections between objects can be made with existing Saved Reports The thresh-old limits for the link color change are set per Saved Report connection

623 Additional Notes on Links

bull Label displays the percent utilization or the bits received in the last average interval Set theldquoaverage intervalrdquo under Admin tab -gtSettings -gt System Preferences ldquoStatusLink Averagerdquo Thedefault is 5 minutes

bull Tooltip mouse over the Label to display the full interface description

bull Arrow on the link reflects highest utilization direction

bull Clicking on the link will bring up the default user preference report on the link for the last fewminutes (5 minutes by default) in one minute intervals Outbound or Inbound traffic is displayeddepending on the direction of the arrow when clicked

63 Dependencies

Dependencies impact how devices are polled and the events that can get triggered

bull Up Dependencies (ie these devices are lsquoUprsquo Dependent on this device) are configured to preventexcessive notifications behind a single down device For example if the poller has to go throughRouter 1 to reach Routers 2-50 then routers 2-50 (ie These Devices) should be ldquoUp dependent onrdquoRouter 1 The result if Router 1 stops responding to the poller the administrator will be notified forRouter 1 and not Routers 2-50 With Up Dependencies applied it would be assumed by the pollerthat routers 2-50 are unreachable and therefore polling to routers 2-50 would stop until Router 1responds to a poll

63 Dependencies 103

ndash Up Dependencies will stop the polling on all of the devices that are Up dependent on a downdevice This logic helps maintain optimal availability reports on the devices behind the downdevice

bull Down Dependencies (ie these devices are lsquoDownrsquo Dependent on this device) are configured toavoid polling unless a specified device stops responding to a poll For example Router B should notbe polled unless Router A stops responding to a poll This configuration would mean that RouterB is lsquoDownrsquo Dependent on Router A This scenario is desirable in a high availability networkconfiguration

ndash Down Dependencies will start the polling on a device that is Down dependent on a downdevice For example if Router A goes down Polling on Router B would commence untilRouter A responds to a poll

Configuring dependencies is a best practice for scaling the network polling process while managing thevolume of notifications sent when an outage occurs If possible they should be configured all the wayback to the poller This practice limits the risk of excessive notifications and aids the administrator inisolating the exact location of an incident

64 Google Maps

To create the first Google map an API key has to be generated

bull This requires a Google account

bull The web interface will guide the user through the process of creating a key

1 Copy the key and paste it into the box ldquoGoogle Maps - Browser API Keyrdquo

2 Click Save

bull ldquoGoogle TLDrdquo defaults to com and should be changed if the install is located in a country thatdefaults to a top level domain other than com

ndash For example in the UK change it to couk

bull Modifying the Google maps involves launching most of the same options found in a Plixer map

ndash There are a few exceptions such as no RIGHT mouse button menu which is reserved byGoogle for zooming out of the map

bull Click on an icon with the LEFT mouse button to launch the menu with the following options

ndash Device Overview Launches the device overview including this information

The SNMP information

104 6 Maps

Integration with 3rd party applications

Applications associated with the device as determined by CrossCheck

The three busiest interfaces

Response Time and Availability Trends if the device is being polled

Any outstanding alarms on the device

ndash Create a connection

Works as outlined in the Plixer Maps section

ndash GPS Location

1 Placing a device in a specific location requires entering either a physical address or theGPS coordinates

Simply specifying a city in a country will also work

2 After entering an address click (Resolve GPS) to ensure the address is resolved to thenew GPS coordinates

3 Then click Save

ndash Properties

65 Groups

Groups are the foundation of all maps Creating a new group creates a map Flow sending devices thatare not assigned to a map are placed in Ungrouped There are two types of maps

bull Plixer these maps are entirely local to the Scrutinizer server do not require any internet access

bull Google Useful for displaying network devices geographically

Highlights

bull Flow devices can be added to more then one groupmap

bull Flow devices added to groups are removed from Ungrouped

bull Membership use this to add devices and objects to the group

bull Pass up map status use this to pass the status of any down devices in a lower map up to parent map

bull Permissions can be set on Group visibility More details regarding the permissions can be readabout under Usergroup Permissions

65 Groups 105

66 Objects

Objects are placed in groups Each group is a map Generally objects on the map represent flow exportingdevices however polled devices can be added as well Objects have several properties

bull Label a read only field determined by the collector

bull Poll Using IP Address Hostname or disable

bull Notification Specify how the alert on the status of the objectdevice should be sent out

bull Primary Status This determines the background color of icons throughout Scrutinizer The defaultprimary status of a device is ldquoFlowrdquo That is an indication of whether we are still receiving flowsfrom an exporter To change primary status edit an object under Mapping Configuration and changeldquoPrimary Statusrdquo

bull Secondary Status This is the colored square that is superimposed on an icon The secondary orsub icon color is based on CrossCheck status for a device If the primary status is CrossCheck thenthere wonrsquot be a secondary status

bull Icon image shape of the icon

bull Dependencies are used to determine how and when the device is polled

bull Membership Specify the groups maps the object is a member of

Tip Modify an Objects Membership to place it in another groupmap

Objects come in four formats

bull Devices are imported from CrossCheck or can be manually added here These objects change colorbased on the Fault Index and the threshold settings in CrossCheck To remove a device that wasimported from CrossCheck the 3rd Party Method must be disabled or the device must be removedfrom the 3rd Party Method script or removed from the 3rd party application else it will continue tobe re-imported after deletion

ndash Label If the device is imported from CrossCheck this value is imported

ndash Poll Using Select IP Address Hostname or Disable Polling

ndash Notification Select a Notification Profile which will be triggered when the CrossCheck FaultIndex threshold is breached

ndash Icon The default icon type and size can be modified

bull Groups represent other maps and the status of devices in those maps They are clickable and bringup the appropriate map

106 6 Maps

bull Symbols represent devices in the maps that donrsquot display a status They can be assigned labelsand made clickable to launch other applications andor web pages

bull Text Boxes can be placed on maps and generally contain text Shapes colors and size can all bedefined As well as the Label and a clickable link Text boxes are for Plixer maps only They cannotbe placed on Google maps

Note to modify the Google address of an object select a map the object is in and then edit the objectSince the same object can be in multiple maps with different addresses the map must be selected first ThelsquoAddressrsquo listed is generally the mailing address of the location of the object Google uses this lsquoAddressrsquoto locate the GPS coordinates The actual GPS coordinates can also be manually edited

Adding custom Device icons

bull Object Icons Save graphic icons to the ~scrutinizerhtmlimagesmaps directory with the namingconvention of ltnamegt_objectgif Make sure the background of the image is transparent or it maynot look very good on the map

bull Device ldquoStatusrdquo Icons Save device icons to the ~scrutinizerhtmlimagesmaps directory withthe naming convention of ltnamegt_redgif and ltnamegt_greengif Two icons must be providedone for up status (green) and a second one for down status (red) Make sure the background of theimages are transparent

67 Plixer Maps

When creating a Plixer map the user is presented with the following options

bull Settings

ndash Name The name given to the map It can be changed later

ndash Pass Status If some maps are intended to be submaps the status can be passed to anotherlsquoParentrsquo map that contains an icon representing the lower map This in effect will cause theicon color status of the Parent to change The status of an icon is determined by CrossCheckwhich considers multiple factors

ndash Auto-add Devices (RegEx) This option is used to add similar devices quickly using regularexpressions For example if a number of IP addresses resolve to host names that all containthe text lsquocompanylocalrsquo this can be entered here When Save is clicked all devices thatresolve to a host name containing this text will automatically be added to the map

Other examples include

67 Plixer Maps 107

Entering lsquo^192rsquo will match any device with an IP address starting with lsquo192rsquo En-tering lsquomycompany$rsquo wll match any device with name ending in lsquomycompanyrsquo

For more information on how to use regular expressions visit the Regular expression pageon Wikipedia

ndash Truncate Map Labels on Sometimes the icon labels can contain excessive amounts of textOften times a portion of the trailing text on each icon can be omitted Enter the text here thatshouldnrsquot be displayed

bull Objects

ndash AddRemove objects Use this window to move Available objects from the right side to theMembers section on the left Multiple objects can be selected by holding down the shift orCTRL key Use the filter on the left to quickly locate objects The search can be performedby IP address or host name by clicking on the button below the filter

ndash New Non flow sending objects can be added to the maps IP addresses are optional (Egtext box)

Form fields for Object Type Icon are

Icon Use the arrow keys on the key board to scroll through the different icon options

Label This names the object and displays in the maps and groups listings

IP Address By default the optional IP address is polled every 60 seconds

Primary Status The Primary Status indicator is the largest colored portion of the icon

Link The web site that is launched when the icon is clicked in the map

Additional notes Help the user understand what the object represents

Form fields for Object Type Text Box are

Label Name of the object displays in the maps and groups listings

Shape Select Rectangle Circle Polygon

of Sides (Polygon only) Select from 3 - 10 sides for the polygon shape

Height (px) Width (px) (Rectangle only) Define the height and width of the rectanglein pixels

Radius (px) (Circle and Polygon) Define the size of the shape in pixels

Color Click on the box to open the color palette to choose the Text Box color

Type Choose from Text or Background text box type

Link The web site that is launched when the text box is clicked in the map

bull Connections

108 6 Maps

ndash Create Links between devices and objects can be connected using interfaces saved filtersor a simple black line

1 Select a lsquoFromrsquo device

2 The Type of connection

3 Fill out the additional options

4 Then select the lsquoTorsquo device or object

5 Click Save

Continue this process to represent the major connections on the network

Connections change color based on the utilization settings found in Admin tab gt Settings gtSystem Preferences and require that an interface speed was collected from or defined for thedevice Without an interface speed the connection will stay blue

The arrow on a connection represents the highest flow direction in the last five minutes

When a map is in view mode clicking on a link will launch a report showing the last 5minutes in the highest utilized direction (Ie inbound or outbound)

ndash Connections Click this button to list all of the configured connections with options to eitherdelete or edit a connection

bull Background

ndash Select background Multiple options can be used to represent the background of a map

Existing Map Select a map image from the dropdown selection list that is provided

Set background color click the color in the square to use the color pallet

Upload used to upload a custom background NOTE very light grayscale back-grounds are ideal as it allows the status of the icons to be clearly visible

middot New background images can be copied directly to the homeplixerscrutiniz-erhtmlimagesmapsbackgrounds directory

middot The images can be in gif jpg or png format

middot The image size should be at least 800x600 pixels to allow room for icon position-ing

Note Maps with background images autoscale to the size of the background image

67 Plixer Maps 109

671 Laying out the Plixer map

After a new Plixer map has been created and objects added the objects will be all clustered in the upperleft hand corner To start arranging the icons the user must enter Edit Mode When finished editing themap the user should return to View Mode Select a blank area on the map and click the RIGHT mousebutton then in the menu select ldquoEdit Moderdquo

bull Gear Menu Use these options to set the refresh rate to display either the IP Address or hostnameon the icons and to reset the zoom level

bull Edit Mode Right click anywhere in the map and select Edit Mode to enter this mode

The Edit Mode status is then clearly indicated at the top left of the map

In this mode the icons can be selected with the mouse and dragged to different areas of the mapfor custom arrangement

Click the right mouse button and notice that several new options present themselves in the MappingMenu

ndash Align (Applies to a group of selecte objects only) Aligns selected objects

ndash Auto Arrange Select Auto Arrange to get started with laying out the icons and then drag theicons to a more optimal position

ndash Change Background Opens Map modal to Background tab select background as describedabove

ndash Create a Connection (Available only if right clicking on object) Select Create a Connectionto connect two devices The mouse will have a line connected to it Click on the destinationicon The same two devices can be connected with multiple links

ndash Dependencies Configure Map Dependencies

ndash Edit Connections Edit existing map connections or create new from the Map modal

ndash Lasso Objects (or SHIFT+drag mouse) Used to select multiple objects in the map view Usethe crosshair icon to drag over and select a group of objects

ndash Map Settings Opens the Map modal to the Settings tab

ndash Objects Opens the Map Modal to the Objects tab

ndash Order (Applies to a group of selected objects only) Indicates object placement Options areBring to front Send to back Raise and Lower

ndash Properties (Only available when right clicking on an object) Opens Edit Object modal toProperties tab

ndash Remove Object (Only available when right clicking on an object) Removes selected object

ndash Save Click Save and then select View Mode when finished editing the map

110 6 Maps

ndash View Mode This selection exits Edit Mode

bull View Mode When finished editing the map save and exit Edit Mode The status of the deviceswill update automatically as configured in the Gear menu

68 Settings

The Map Settings are used to set defaults for all maps

bull Google Maps

ndash Zoom Level set when using the option ldquoSave Zoom amp Positionrdquo in a Google map Bydefault Google maps auto scale to fit all icons on the map This option overrides Auto witha favorite position on the map To undo the Save Level select lsquoAutorsquo and click lsquoSaversquo

bull Plixer Maps Map Settings are available in Admin gt Settings gt Map amp Device Groups by clickingon a map name or by right-clicking in the background of a map view and selecting Map Settingsoption

68 Settings 111

112 6 Maps

CHAPTER 7

Status

71 Status Tab

711 Interfaces

The Top Interfaces is the default view of the Status tab unless it is modified by the user by editing theirprofile Be sure to mouse over items on this page before clicking as the tool tip that appears can be veryhelpful The columns of this table of interfaces includes

bull Check Box Check off the interfaces desired to include in a single report and then click the trendicon at the top of this column

bull Icon color status The color is determined by CrossCheck Mousing over the icon will providepolling details

bull Flow Version Clicking on the version of flows received (eg N9 N5 I10) opens a report menu forthe device which includes a Flow Stats report for the device

bull Interface Clicking on the Interface will open the Report menu Selecting a report from here willrun an InboundOutbound (Bidirectional) report for the last 24 hours in 30 minute intervals Theuser can drill down from there

bull Arrow down menu Clicking this presents a menu

ndash Reset the high watermark(s) in the InboundOutbound columns

ndash Interface Details

ndash Device Overview

bull InboundOutbound these columns represent utilization over the last 5 minutes Clicking on themwill prompt the user to run a report for the last 5 minutes in 1 minute intervals

712 Menus

The Status tab is one of the most popular views for gaining quick access to all the NetFlow capabledevices and interfaces that are represented in the flows received The default view is a list of all flowsending interfaces however this can be modified under Admin tab gt Security gt User and then click ona user Click on Preferences in the modal and find the ldquoDefault Status Viewrdquo and choose from one ofseveral opitons

Gear This menu is where the user specifies

bull Select how many interfaces should be displayed before utilizing the pagination

bull Decide whether the interfaces should be listed by highest percent utilization or by highest bit byteor packet rate

bull The refresh rate of the top interfaces view

bull Toggle between IPDNS depending on how the flow devices should be listed

Top Right icons (mouse over for tool tips) are for

bull Primary Reporting Server Indicates if the server is a primary server or a collector

bull Scrutinizer Server Health View the system vitals of the server Find out where the system needsresources

bull Scrutinizer Software Health View the status of the system components

bull Exporter Health View a list of flow exporters Find out which devices are under performing

bull Magnifying Glass Search for a specific IP address

bull Down Arrow

114 7 Status

ndash Scrutinizer Version The current version the server is running on

ndash Check for Updates Connects to Plixer to see if updates are available

ndash Contact Support Launches a web page to contact plixer for support

ndash Share your desktop Launches GoToMeeting for remote desktop control

ndash Online Help Launches this manual

ndash Download Flowalyzer Download a free utility for troubleshooting NetFlow SNMP andother utilities

ndash Manage Exporters Launches gt Admin tab gt Definitions gt Manage Exporters to see whatdevices are sending flows to the collector(s)

ndash Join the beta program Fill out a form online to join the beta program

bull Log Out Log out of Scrutinizer

Top Right icons below logout are for

bull Clock Schedule a reoccuring email of the top interfaces view

bull Email on demand the current interfaces view

bull PDF Create a PDF on the current interfaces view

bull CSV Export a CSV file containing the content of the current interfaces view

Top menus along the top include

bull Run Report Need to design a custom report Select from all available elements operation columnsdevices and time ranges to get the exact data needed

bull Top Not sure what report to run Select from over a dozen canned reports that will include datafrom all flow exporters

bull Search Need to find a host or IP address

ndash Host Index Run a report by ldquoHost Indexrdquo to quickly determine if the host has ever been onthe network It searches the index rather than the saved flows This search requires that HostIndexing be turned on in AdmingtSettingsgtSystem Preferences

ndash Saved Flows Run a search against all ldquoSaved Flowsrdquo This search actually queries thedatabase and can take a bit longer NOTE Depending on archive settings the desired datamay have been dropped This search is a more flexible and allows for searching by hostaddress username wireless host or SSID across some or all flow exporters for a specifiedtimeframe

bull System These are advanced reports used by engineering when trying to understand why somethingisnrsquot working In a future release they will be moved to the Admin tab

71 Status Tab 115

ndash Available Reports Lists the report and the number of templates received that contain thenecessary elements

ndash Flow Report Thresholds Lists all the reports that have been saved with a threshold

ndash Templates These display the device and each flow (NetFlow v9IPFIX) template exportedfrom that device

ndash Vitals These are reports on the system resources from the flow collection and reportingservers

bull Views

ndash CrossCheck

ndash Device Status Lists all of the flow sending devices with corresponding details The color ofthe icons is determined by CrossCheck

ndash Interfaces This is the default view of the status tab before a report is run

ndash SLA Lists all of the flow sending devices which by default are being pinged by the collectorThe response from each ping is used to determine the Response times and availability foreach device polled

ndash Usernames This view displays any username information collected from exporters suchas Cisco ASA SonicWALL firewalls or authentication servers such as Active DirectoryRADIUS etc

bull Vendor Specific lists reports that will work ONLY if the collector is receiving the necessary tem-plates from the flow exporters

Left hand side menus provide three views

bull Device Expolorer Displays a list of all the Groups of devices Explained below

bull Current Reports Displays the current report after a report is run on one or more interfaces Ex-plained below

bull Saved Displays all of the saved filtersreports that can be run Explained below

713 Device Explorer

Organize devices by moving them into groups

bull New used to create groups maps of devices that are currently in lsquoUngroupedrsquo A device can be amember of multiple groups

bull Groups

116 7 Status

ndash Ungrouped By default all flow exporting devices are placed in Ungrouped until they aremoved into one or more user created groups

ndash Group A group of devices that typically share one or more attributes

View Displays the map for the devices in the group

Reports Select a report to run against all of the flows collected from all the devices inthis group

Copy Make a copy the group and give it a new name

Modify Modify the membership of the objects in the group

CrossCheck View CrossCheck for the devices in this group

SLA View the Service Level Report for the flow exporting devices in this group

Show Interfaces Show all active interfaces for the flow exporting devices in this groupThe interface list will display in the main window of this screen

Exporters Devices that are exporting flows show up in the left column The color ofthe icon represents the selected primary status for the object The sub icon representsthe Fault Index value for the device in CrossCheck Expland the flow exporter for themenu

middot Reports Run a report on the flows coming from the device Select a report to dis-play flow data Selecting a report from here will run the report for ALL interfacesof the device resulting in the inbound traffic matching the outbound traffic For thisreason this report is displayed inbound by default The default timeframe for thisreport is Last 24 hours in 30 minute intervals

middot Interfaces Displays a list of interfaces for the device Click on an interface to runa report Selecting an interface (or All Interfaces) from this list will open a reportmenu Select and run a report for the last 24 hours ALL Interfaces reports willdefault to Inbound as described above selecting a single interface will report onboth Inbound and Outbound

middot Properties Modify the properties of the device

middot Device Overview Provides the overall status of the device by leveraging data fromCrossCheck the poller and the alarms

middot Show Interfaces Displays a list of all active interfaces for the device in the mainwindow of the page

middot Other Options

middot Alarms Displays the outstanding alarms for the device

middot Interface Details launches the Interface Details view which lists SNMP detailsabout the device including the interface speeds

71 Status Tab 117

middot Flow Templates (Advanced) displays the templates (eg NetFlow v9 IPFIX etc)currently being received from the device

714 Current Report

This tab opens when a report is selected from the Report menu All of the icons that appear in the top leftare explained in Network Traffic Reporting

Filters can be added to the report by grabbing items in the table and dragging them to the left or byclicking on the ldquoFilters Detailsrdquo button

715 Saved Reports

Saved Reports are basically saved filters or reports which display the selected data on one or more inter-faces across potentially several devices When Saved is clicked the user is returned to the Current Reportview and the filter contents are displayed

This tab lists any reports that were saved and provides a folder management utilities

bull Add Folder Select lsquoAdd Folderrsquo A text box will open to enter a folder name which is used fororganizing saved reports

bull Manage Folders Select lsquoManage Foldersrsquo A new browser tab will open to Admin gt Reports gtReport Folders From here bulk foldersaved report management can be accomplished by movingseveral reports in and out of a folder New folders can be created or deleted from here

bull Saved reports list Following the list of report folders (if any) will be the list of any reports thathave been saved Each saved report has two icons

ndash Trash can to delete the saved report Deleting the report will also delete any dashboardgadgets or scheduled reports associated with this saved report

ndash Magnifying glass hovering over this icon will open a tooltip providing the parameters thatthe report was saved with such as who created the report the date range of the report andother information defining this report Also included at the top of the tooltip is the Report IDwhich is required for some advanced functions

Report Folder management is also available from within the Saved Reports tab by dragging and droppingthe reports into or pulling them out of the desired folders

Reports can be viewed by clicking on the report name They can also be renamed once the report is inview mode by editing the report name and clicking the Save icon

The dynamic filter just below the Saved Reports header allows the user to easily find reports within thereport list or folders

118 7 Status

72 CrossCheck

The CrossCheck and Service Level Reports located in the Status tab provide important roles in Scru-tinizerrsquos architecture CrossCheck provides the overall status of a device across multiple applicationsincluding 3rd parties The Service Level Report (SLR) provides availability and response time reportsusing data collected by the poller

721 CrossCheck Logic

Each 3rd Party Method in CrossCheck queries the related application (eg Flow Poller Denika What-sUp etc) for the devices in its database and finds or adds the device to the CrossCheck list Duplicate IPaddresses are removed Each 3rd Party Method applies a weight of importance to the device dependingon any problems found The Fault Index (FI) is the total value across all 3rd Party Methods All 3rd PartyMethods are open source and can be modified

After each 3rd Party Method completes CrossCheck (ie mappingcgi) performs the following routine

bull Using the data from all 3rd Party Methods it updates the FI for each device

bull It queries the above list for any device that has violated the configurable FI threshold

bull For each device over the FI threshold it sends a syslog to the alarm server which will violate theldquoExceeded CrossCheck Fault Indexrdquo policy

bull Any hosts that are up are removed from the xcheck_notifications table (see below)

722 Fault Index

The ldquoExceeded CrossCheck Fault Indexrdquo (Policy) in the Alarms tab performs the following when aCrossCheck syslog comes in

bull The syslog comes into the alarm process and violates the ldquoExceeded CrossCheck Fault Indexrdquopolicy which triggers the notification profile ldquoXC Notificationrdquo (XC)

bull XC looks to see if an entry exists in the table called xcheck_notifications

ndash If an entry exists for the device (ie IP address) this means a notification already went outThe time stamp is then updated

ndash Else if notification hasnrsquot already gone out The IP address of the device is inserted into thexcheck_notifications table The configured notification profile for the host is then executed

ndash Else if the configured notification profile in mapping for the host isnrsquot configured nothinghappens

72 CrossCheck 119

723 CrossCheck Table

The main CrossCheck table displays an inventory of all hosts being monitored as well as their statusin each of the applications that are monitoring the device The overall Fault Index (FI) on the far rightprovides the status of devices in the Scrutinizer maps and all of the 3rd party applications monitoringthem Click on the headings to sort The query time frame is the last 1 minute by default The buttons areexplained below

bull CrossCheck Summary Explained below

bull Thresholds This sets the threshold at which the sub icon on a device changes color Color thresh-olds are based on a percentage of the Fault Index threshold

bull 3rd Party Methods Data collected from other applications that will impact the Fault Index (FI) fora device

Table column header

bull Action Choose from one of the options

ndash Edit Polling and Appearance This launches the modify object view in the mapping utility

ndash Run Report Flow Report This runs the flow volume report for the device

bull Host List the IP address or DNS host name for the device Mouse over for tool tip

bull Flow Method used to determine if a device is sending flows

bull Poller Method used to determine if the poller can ping the device

bull Optional Third Party Methods Contact your vendor to create new methods (eg PRTG Solarwindsetc) When active a new column appears

bull Fault Index (FI) The FI provides the overall status of a device across all 3rd Party Methods

724 CrossCheck Summary

The CrossCheck Summary is an bar chart of the CrossCheck List It displays the number of unique hostsfound across all 3rd Party Methods as well as the Fault Index

bull Refresh Set the interval The default is every 5 minutes

bull Thresholds This sets the threshold at which the sub icon on a device changes color Color thresh-olds are based on percentage of the Fault Index threshold

bull Define Networks Specify a subnet to group IP addresses found across all 3rd Party Methods

bull Overview Provides a small window with the number of devices discovered in each 3rd PartyMethod as well as the overall total FI for the devices in the application

120 7 Status

725 Service Level Report

The Service Level Report is a dual purpose report listing device availability and response time In theService Level Report

bull Click on the headings to sort

bull The number to display (eg 25) followed by pagination

bull Click on the Poller to run a trend across all devices

bull Click on the Device to run an availability or response time report on the selected device

bull Click on the Round Trip Time column value or the Availability percent value to run a report

Note To remove a device that was imported from CrossCheck it must be removed from the 3rd PartyMethod script or removed from the 3rd party application (eg PRTGtrade WhatsUp Goldtrade SolarwindsOriontrade etc)

73 CSV Reporting

When checked off a CSV of the report contents will be sent with the emailed report This module is oftenused for service provider usage based billing

74 Device Overview

Clicking on a device within a map will launch this view Details include

bull The SNMP information

bull Integration with 3rd party applications

bull Applications associated with the device as determined by CrossCheck

bull The three busiest interfaces

bull Response Time and Availability Trends if the device is being polled

bull Any outstanding alarms on the device

73 CSV Reporting 121

75 Flow Hopper

Flow Hopper provides end to end visibility into the path a flow took through the network on a router hopby hop basis Because multiple paths exist between devices leveraging traceroute or routed topologyinformation may not provide the exact path taken by an end to end flow Flow Hopper displays the correctpath at the time of the flow even if the topology has since changed

This connection solution requires that most if not all of the flow exporting devices in the path be export-ing NetFlow v5 or more recent to the collector

Note This feature requires nexthop routing information as well as read only SNMPv2 or v3 access tothe router

If Flow Hopper determines that an asymmetric flow path exists (ie a different route is taken on the returnpath) the GUI will draw out the connection accordingly Admins can click on each router or layer 3switch in the path and view all details exported in the flow template Changes in element values (egDSCP TTL octets etc) between ingress and egress metered flows are highlighted

76 Flow View

761 Overview

The Flow View provides 100 access to all the elements that were exported in the raw flows Somecolumns or elements are generated by Scrutinizer The Flow View interface retrieves all of the flows thatmatch the values requested in consideration of the filters applied

Notice

bull Filters are passed to Flow View when drilling in

bull Use the filters drop down box to find data in specific columns NOTE The sourceOrDestinationoption is not a column

bull Click on the column headings to sort

122 7 Status

762 IPFIX NetFlow sFlow NSEL etc

Flow View is used to view flows generated by 100 of all flow technologies The collector can save anytype of NetFlow v1 v5 v6 and v9 data inclusive of IPFIX and other varients including NetFlow SecurityEvent Logs (NSEL) NetStream jFlow AppFlow and others This report provides access to view any andall flows received by the collector given the filters applied Some of the columns that may appear in theexports are below

763 Flow View Field Names

When looking at data in Flow View some data columns are Plixer specific

bull lsquoflowDirectionrsquo Tells the reporting interface if the flow was collected ingress or egress on the routeror switch interface When direction is not exported lsquoingresrsquo is displayed which means directionwas not exported with the flow and that ingress collection is assumed for the flow NetFlow v5 doesnot export the direction bit

bull lsquointervalTimersquo This is the time the collector received the flow

bull lsquoapplicationIdrsquo This is the application as determined by settings under Admin tab gt Definitions gtApplication Groups

bull lsquocommonPortrsquo How the collector determines which port is the application port (also known asWellKnownPort)

For example take a flow with a source port of 5678 and a destination port of 1234The collector will look at both ports (5678 1234) and perform the following logic

ndash Which port is lower port 1234

ndash Is there an entry in the local database for 1234 (eg HTTP)

ndash If Yes save it as the common port (1234)

ndash else if is port 5678 labeled in the local database (eg HTTPS)

ndash else save 1234 as the common port (eg Unknown)

Note If both source and destination ports were labeled it would have gone with the lower port

76 Flow View 123

764 Fields mapping more or less to IPFIX fields

These field names are overloaded and donrsquot map to any one IPFIX field IPFIX might send lsquosour-ceIPv4Addressrsquo or lsquosourceIPv6Addressrsquo the column is always named lsquosourceIPAddressrsquo The lsquosour-ceIPAddressrsquo column can store either IPv4 or IPv6

bull lsquoipNextHopIPAddressrsquo v4 or v6

bull lsquosourceIPAddressrsquo v4 or v6

bull lsquodestinationIPAddressrsquo v4 or v6

bull lsquosourceIPPrefixLengthrsquo v4 or v6

bull lsquodestinationIPPrefixLengthrsquo v4 or v6

bull lsquoingress_octetDeltaCountrsquo

bull lsquoingress_packetDeltaCountrsquo

bull lsquoegress_octetDeltaCountrsquo

bull lsquoegress_packetDeltaCountrsquo

bull lsquosnmp_interfacersquo (in|e)gress

Note v4 or v6 columns are used for both IPv4 and IPv6 formats

765 Field Names in both Cisco and IPFIX (The collector uses the namefrom IPFIX)

The field names below exist only in Cisco docs Except for the NBAR fields which only exist in Ciscorsquosdocs Notice that the field names are fairly descriptive

The IPFIX field names and descriptions can be found here The Cisco fields and descriptions can be foundhere and here

Warning The following names are subject to change depending on the version of firmware runningon the hardware

bull SAMPLING_INTERVAL

124 7 Status

bull SAMPLING_ALGORITHM

bull ENGINE_TYPE

bull ENGINE_ID

bull FLOW_SAMPLER_ID

bull FLOW_SAMPLER_MODE

bull FLOW_SAMPLER_RANDOM_INTERVAL

bull SAMPLER_NAME

bull FORWARDING_STATUS

bull NBAR_APPLICATION_DESCRIPTION

bull NBAR_APPLICATION_ID

bull NBAR_APPLICATION_NAME

bull NBAR_SUB_APPLICATION_ID

bull NF_F_XLATE_SRC_ADDR_IPV4

bull NF_F_XLATE_DST_ADDR_IPV4

bull NF_F_SLATE_SRC_PORT

bull NF_F_XLATE_DST_PORT

bull NF_F_FW_EVENT

bull NF_F_FW_EXT_EVENT

bull NF_F_INGRESS_ACL_ID

bull NF_F_EGRESS_ACL_ID

bull NF_F_USERNAME

Note The field names beginning with lsquoNBARrsquo were made up by plixer

766 Archiving amp Rollups

The collector will perform rollups at intervals specified under the Admin tab under settings In order forrollups to occur the template exported must provide the element octetDeltaCount Please contact supportto change the rollups to occur on an alternate field Visit the Admin Tab gt Settings gt Data History pageto configure how long to save the data

76 Flow View 125

77 Network Traffic Reporting

771 Overview

Reporting is the interface customers spend the most time in This page outlines the functionality that canbe found in all of the menus of the status tab If the user is more of a visual learner training videos areavailable on the plixer web site

772 Templates

Unlike NetFlow v5 NetFlow v9 and IPFIX use templates to dynamically define what is being sent in theflows Templates are the decoder that is provided by flow exporter They are used by the flow collector todecipher and ingest the flows

The reporting options (Ie menu) available on every flow exporting device is dependent on the values inthe template For example when clicking on a flow exporting device to launch the report menu the reportldquoVendor by MACrdquo under ldquoSource Reportsrdquo will not appear if the MAC address is not exported in thetemplate from the device If another flow exporting device is selected the user may find that the ldquoVendorby MACrdquo report does appear It all depends on what is being exported in the templates from each device

This template intelligence becomes critically important when trying to understand why the system isbehaving differently with oddly formatted vendor flow exports For example some flow exports do notprovide an ingress or egress interface When this is the case the device will not show up in the interfacelist of the Status tab To run reports the user will have to find the device in the Device Explorer

The available reports for each device can be observed by navigating to Status gt System gt AvailableReports The Available Reports view provides the ability to view sort and filter report lists by GroupName Report Name and Template Count

773 Report Types

There are hundreds of report types in the database Most will never appear in the menu because they onlyappear if the necessary elements are available in the templates exported by the device When reports arerun they group on the fields displayed For example the report Conversation WKP groups on Source IPaddress WKP (common port) and Destination IP address For answers to questions about anything notlisted here please contact Plixer support directly

126 7 Status

774 Current Report

The Current Report frame is displayed in the left hand pane when selecting an interface or after selectingthe Run Report Wizard from the Trends menu in the Status tab The graph and table data for the flowreport is displayed in the main section of the screen to the right of the Current Report frame

bull Colors In the table below the graph the top 10 or more entries are displayed Only the Top 10are in color Entries 11 and up are rolled into the color gray Notice the lsquoOtherrsquo entry at the bottomof the table This is the total non Top 10 traffic The lsquoTotalrsquo represents all traffic (ie Top 10 andOther traffic added together) These same colors are used in the graph to represent the Top 10 tableentries Greater than 11 entries can be displayed by visiting the gear menu

Tip The color selections can be changed in Admin gt Security gt User Accounts gt select a user gtPreferences gt Rank Colors

Warning If the flow device (eg router) is exporting multiple templates for different flows it isexporting utilization could be overstated if the flows contain the same or nearly the same informationThe front end of Scrutinizer will render reports using data from all templates with matching informa-tion Be careful when exporting multiple templates from the same device If this is the case use thefilters to select a single template

No Data Found

The ldquoNo Data Foundrdquo message in a report indicates that historical data is not available forthe time period requested This could happen for either of the following reasons

1 Historical data settings are too low for the time frame requested To increase the his-torical data retention go to Admin tab -gt Settings -gt Data History

2 Flows are not being or have not been received from the exporter(s) during the timeframe requested

775 Current Report (frame contents)

At the top of the Current Report frame is a row of icons providing the following actions available for thereport

bull Clear (trashcan) is used to remove all items in the ldquoCurrent Filterrdquo

77 Network Traffic Reporting 127

bull Save (diskette) is used to save a collection of report filters and parameters to create a Saved Report

bull Save As (double diskette) is used to make a copy of a current Saved Report with a new nameleaving the original report intact

bull Schedule (clock) is used to schedule a saved report

bull Dashboards (grid) is used to place a saved report in a selected Dashboards sub tab

bull Print (printer) is used to print the current report listed in the filter

bull CSV (CSV) is used to export the data in the current report in CSV format

bull PDF (PDF) downloads a pdf file containing the current report

bull Email () is used to email the report displayed using the current filter(s) Separate multiple desti-nation email addresses with a comma or semi colon

Next in the Current Report frame are these additional reporting options

bull Report Enter a name if the report and filter(s) are to be saved for future reference

bull Filters Details Button clicking this opens the Report Details modal with the following tabs

ndash Collector Details displays the collectors(s) that contained the flow exporters for this report

ndash Exporter Details details about the exporters that are providing flows for this report

ndash Filters vieweditremove existing and add new filters to the report

ndash Threshold vieweditremove existing thresholds or add a threshold to the report

ndash Report JSON (API)

776 Gear icon

Clicking on the Gear icon will display many more reporting options

bull Change Report Type button Report types are displayed based on the data available in the tem-plates selected

bull Direction Inbound Outbound and Bidirectional In Bidirectional mode the outbound is displayedon the bottom of the trend The reporting engine will try to use ingress flows to display inboundtraffic however if ingress flows are not available it will try to use egress flows if available Thesame logic holds true when displaying outbound traffic The reporting engine will try to use egressflows however if none are available it will use ingress flows Switching the configuration on therouter from exporting ingress to egress flows or vice versa will not be recognized by the reportingengine until after the top of hour

128 7 Status

bull Rate Total Select Rate to display Rate per second or Total for total amount per interval (eg 1min 5 min 30 min 2 hr etc) Some reports (eg Cisco Perf Monitor) default to Total Whenthe report is changed to display lsquoRatersquo this value will not change automatically and will have to bechanged back to Total manually The opposite is also true

bull Data Source Auto 1m 5m 30m 2hr 12hr 1d 1w This tells the system which tables to takeflows from when querying data used in the report Generally the default is taken as the databasehas been optimized for this setting This option allows the system to query several days of 1 minutetables (ie non rolled up data) when searching for specific values that may have been dropped inthe higher interval data

Warning Selecting 1m (ie 1 minute tables) for a 24 hour time frame can take a significant amountof time to render depending on the volume of flows coming from the device Expect results that varybetween flow exporting devices

Note The number of intervals used for granularity is set via the ldquoTarget graph intervalrdquo setting foundunder the Admin tab gt Settings gt reporting

bull Number of Rows 10 25 50 100 10000 This is the top number of results to be displayed inthe table below the trend The default can be set under Admin tab -gt Security -gt User Preferences

bull Show Host Names Toggle between displaying IP addresses or DNS Host names in the table data

bull Show Raw Values FormattedRaw displays the data in certain columns either formatted (5364Mbs) or raw value (5364239)

bull Bits Bytes Util Can be used when available to change the type of data used for the trendtableThis option does not apply to all report types Percent utilization ( Util) is not available unlessthe interface speed is picked up via SNMP Interface speed can also be entered manually via theInterface Details View or as a report filter When multiple interfaces are included in a report thecalculated interface speed with be the SUM of all interface speeds Inbound is calculated separatelyfrom outbound The summed port speed is used for percent calculations All interfaces are requiredto have a defined speed for percentage reports If lsquoPercentrsquo is selected in the drop down box itrepresents the overall percent of the entire interface The preceding percent column that canrsquot bechanged represents the percent of the overall bandwidth consumed

bull Show Peak If lsquoYesrsquo is selected a Peak column is added to the report Peak values are the highestdata point in the graph in the same interval the graph is reporting in

bull Show 95th If lsquoYesrsquo is selected a 95th (percentile) column is added to the report The 95th per-centile is a mathematical calculation used to indicate typical bandwidth utilization The top 5data points in the graph are dropped making the ldquo95thrdquo data point now the top bandwidth usage

point For example in a graph with 100 data points the 5 highest values are removed and the nexthighest becomes the 95th percentile

bull Show Interfaces Adds an lsquoin Intrsquo and an lsquoout Intrsquo column to the report showing inbound andoutbound interfaces for the flow data reported

bull Data Mode This specifies the source of the data The two values are Summary or Forensic Bothvalues at one minute intervals represent 100 of the data with some significant differences

ndash Summary Has been aggregated based on a definable tuple The default aggregation is on theWell Known Port This means that the source and destination ports are dropped as is every-thing else in the flows that isnrsquot needed to run most of the reports Visit Data Aggregationto learn more about what is kept in Summary tables As result of this optimization the tablesizes are much smaller which results in faster rendering of reports This is the default dataused to create the higher rollups (Eg 5 min 30 min 2hr etc intervals)

ndash Forensic This is the raw flows with no aggregation and all of the elements are retained It isused for vendor specific reports and for a few reports which display the source and destinationports These tables are not rolled up in SAF mode and therefore history trends that use theforensic tables will be limited to the length of time that the 1 minute interval data is saved Ifhowever the server is running in traditional mode roll ups will occur as summary tables arenot created in traditional mode

Graph Options

bull Graph Type Line Step Bar Pie Matrix is the type of graphical presentation to be displayedTry clicking and dragging on the line chart to zoom in on time frames All graphing options are notavailable for all Report Types For example the Matrix graph will only work with reports that havea source and destination field such as reports in the Pairs report group

Note The system will auto determine the number of intervals or data points in a trend Click hereto learn how trends determine intervals

bull StackedUnstacked Select Stacked to display the total amount Select Unstacked to display thetop 10 individually Some reports (eg Cisco PfM reports) default to Unstacked When the reportis changed to a report normally displayed as Stacked this value will not change automatically andwill have to be changed to Stacked manually

bull Show Others Set this option to lsquoNorsquo to hide the gray lsquootherrsquo traffic in the trend or pie chart Othertraffic is discussed in depth in the section on Data Aggregation This option is often used in sFlowreports Other traffic

ndash In the trending graph it is the non Top 10 traffic and shows up as gray in color

130 7 Status

ndash In the table below the graph the Other value at the bottom of a report table is the total trafficminus the sum of the line items displayed Notice as the pagination is clicked the total Othertraffic increases

ndash Some report types will have this option set to lsquoNorsquo by default When changing to anotherreport it should be manually changed to lsquoYesrsquo

Note In a standard interface trend (eg Top Protocols) with no filters other than the interface the graphis first built using data from the totals tables and then the data from the Top 10 in the related Summaryor Forensic table is subtracted from the total and then added back individually to display the colors foreach of the Top 10 These two tables are discussed in further detail in the section below on Filters Asthe pagination is clicked at the bottom of the table all of the data that makes up the 11th color (Ie gray)comes into view

Date Time Options

Timezone server timezone is displayed here

bull Reporting amp Timezones Flow timestamps are stored in epoch format which is time zone agnos-tic When a report is loaded Scrutinizer uses the browserrsquos time zone setting to format the epochtimestamps into a human-readable date format Individual users can change their time zone settingin the Admin gt Security gt [User] view A setting of ldquoAutomaticrdquo will default to the browserrsquosconfigured time zone

bull Range A drop down box to select a reporting time frame

bull Report Start Report End The actual date text can be altered or the arrows to the left and rightof the displayed time can be clicked to shift the time period displayed Avoid saving a report witha lsquoCustomrsquo time frame as each time the report is run it will execute with the exact same start andend time If the data necessary for the custom time frame report has been deleted the report willdisplay with a ldquono data availablerdquo message Suggested save times include ldquoLast 5 minutesrdquo or ldquoLast24 hoursrdquo

bull Apply Dates Click this button after making any date timeframe changes to have the changes takeeffect

bull Business Hours This is configured with a filter See the Business Hours entry in the Filters -Include or Exclude Data section below

777 Saved Reports

Refer to the Saved Reports section in the Status Tab Overview page for more information on the SavedReports view

778 Filters - Include or Exclude Data

It is often necessary to filter on the flow data to narrow in on desired traffic For this reason data in areport can be included or excluded Clicking on the ldquoFilters Detailsrdquo button in the left pane of the screenwill popup a modal

1 First option is to select the type of filter Included in this list are

bull General filter names are commonly used filters with familiar names They allow certainboolean expressions for example host to host domain to domain subnet range or ApplicationDefined (ie defined range of ports and IP addresses) These filters are not always in theactual NetFlow or sFlow export rather they are derived via portions or combinations of fields

ndash Not all devices (ie switches and routers) include TCP flags or nexthop in their Net-Flow exports If a field is not included in the NetFlow export for a device it will notbe part of the filter list for that device

bull Advanced filter lists all of the fields that are collectively in all of the templates being used ina report For example if the device is exporting MAC addresses in only one of two templatesbeing used in a report MAC address will appear

bull Calculated Column Filter lists any calculated columns available in the current report iesum_octetdeltacount sum_packetdeltacount

bull The following special case filters are also available

ndash Business Hours filter provides the ability to limit the reporting data between the startand end times change the reporting timezone and also select the days of the weekfor the report The default Business Hours settings are defined in Admin gt Reports gtSettings gt Business Hours End and Business Hours Start Business hours days of weekdefault to Monday - Friday

ndash Port Speed this filter allows the user to set a port speed for a report

ndash Sample Multiplier filter allows the user to set a multiplier value for sampled flows torecalculate to full flow values

ndash Wildcard Mask this filter allows the user to add a custom mask to filter on networksldquolikerdquo the search criteria

For example

Network 100113Mask 0255128240Results

1011151

132 7 Status

1030113102711310261135102611310261119

2 After selecting a filter typename other type specific options will appear If the filter type has apredefined list of items a dropdown list will appear to select from otherwise a textbox will bedisplayed for entering the filter data If Source or Destination are applicable another dropdownselector will appear for selecting Source Destination or Both If it is a calculated column adropdown selector of numerical comparisons will appear

3 The next option is to select whether this will be an Include or an Exclude filter Include filterswill only display flow data where the filter criteria is equal Exclude filters will display everythingexcept the filtering criteria

4 When all options are completed the Add Filter button will appear allowing the new filter to beadded to the existing filters After adding the new filter the Update Report button displays andclicking that button is the last step to apply a new filter

bull Report filters can also be added by simply dragging an item in the table portion of the reportand dropping that item in either the Include Filter (green) or Exclude Filter (red) boxes thatdisplay on the left

bull New or existing filters can be edited at any time by clicking on the edit link for the appropriatefilter After editing is completed click the Save button in the filter then click they Applybutton at the top of the filter list

Archived Data Three types of historical tables are maintained for each NetFlow exporting device

bull Forensic - This was formally the Conversations table This table contains the actual raw flows

bull Summary - This table contains 100 of the aggregated raw flows with no dropping By defaultflows are aggregated based on the WKP (common port) Aggregation can be read about in the DataHistory section If filters are used these are the only tables used in the report

bull Totals - This contains the actual amount of total traffic in and out an interface for each intervalbefore flows are rolled up into the Summary table This table must be maintained as the 5 minuteinterval and higher Summary tables only contain the top 1000 by default for each interval Thiscan be increased in Admin gt Settings gt Data History gt Flow Maximum Conversations If filtersare used this table is no longer part of the report A report with only a single interface filter (ieselected interface) will use this table so that total utilization is accurate over time

Note Interface utilization reports based on NetFlow or IPFIX flows seldom if ever match exactly tothe same interface utilization report based on SNMP counters Remember it can take 15 or more seconds

before a flow is exported SNMP on the other hand is more realtime and the counters include other typesof data not reflected in flows (eg ethernet broadcasts)

Filter Logic

bull Including and excluding data using the same filter field twice creates a logical lsquoORrsquo relationship(eg display all traffic if it includes 10111 OR 10112)

bull Including and excluding data using different filter fields creates a logical lsquoANDrsquo relationship (egdisplay all 10111 traffic AND that uses port 80)

bull When adding an lsquoIP Hostrsquo to an lsquoIP Rangersquo or an lsquoIP Hostrsquo to a lsquoSubnetrsquo filter the lsquoANDrsquo ruleapplies For example if an IP Range filter of 10111 - 1011255 is added and then an IP Hostfilter of 65656565 is added the flows must match both filters

bull When using Source or Destination or Both with IP Host IP Range or Subnet keep the following inmind

1 If the IP Host filter of lsquoSourcersquo A (eg 10114) is applied then there may be data forinbound but most likely not outbound This is because what comes in as the Source typi-cally doesnrsquot go out the same interface as the Source The same holds true with Destinationaddresses

2 If the IP Host filter of lsquoSourcersquo A (eg 10114) is applied and then a second filter of lsquoDesti-nationrsquo B (eg 10115) is applied then only flows where the Source is A and the Destinationis B will appear Although this is adding the same filter lsquoIP Hostrsquo twice the AND logic ap-plies because host A is the source and host B is the destination and thus are different filtertypes Note again that data for inbound may appear but most likely there wonrsquot be any out-bound or vice versa This is because what comes in as the Source typically doesnrsquot go outthe same interface as the Source The opposite case applies when data appears for outboundusing this type of filter

3 If trying to observe traffic between two IP Addresses use the Host to Host Filter There isalso a filter for subnet to subnet

4 If the filter ldquoSrc or Dstrdquo or lsquoBothrdquo is applied to an IP Host filter then all flows to or fromA will appear and traffic both inbound and outbound will likely display data from A If asecond filter is added as ldquoSrc or Dst is Brdquo then traffic again will appear from both hosts inboth directions However all flows must involve A or B as the Source or Destination

bull The Interface filter is the first option that must be exercised prior to any other filter

ndash When mixing NetFlow and sFlow interfaces in a report NetFlow data will usually dominateThis is due to NetFlowrsquos 100 accuracy with IP traffic where sFlow is sampled traffic

ndash Although sFlow samples packets it can send interface counters that are 100 accurate How-ever the totals tables used for total in out traffic per interface are not referenced when mix-ing sFlow with NetFlow interfaces in reports This leads to understating the lsquoOtherrsquo traffic inreports

134 7 Status

ndash When reporting on the lsquoALLrsquo Interfaces option for a device inbound should equal outboundin the trends What goes in ALL interfaces generally goes out ALL interfaces

779 Thresholds

Any report with any combination of filters can be turned into a traffic monitoring policy by adding aThreshold to the report See the Report Thresholds page for more information

7710 Report Navigation

Clicking on any value in a row within the table located below the report graphic will present a menuof available report types Remember the report options displayed is dependent on the values in thetemplates coming from the device(s) used in the current report When selecting a report in this way thevalue selected will automatically be added as a filter to the new report generated

If the selected table data is an IP Address a menu option called ldquoOther Optionsrdquo will be listed as describedbelow

7711 Other Options

In Other Options the IP address selected is passed in the URL to the application Default menu optionsare

bull Report to ISP - Report suspicious behavior

bull Search

bull Alarms

bull Lookup - Whois Lookup

bull GEO IP - Geographical lookup

bull Talos Reputation Center - Leverages the Talos Geographical and detailed IP address information

bull New applications can be added by editing the applicationscfg file in the homeplixerscrutinizer-files directory The format for applicationscfg is (title)(link)(desc) ndash one per line The descrip-tion is optional For example

ndash FTP ftpi this will launch an ftp session to the IP address

ndash Google httpwwwgooglecomsearchq=i this will launch a google search on the IP ad-dress

Updates to the languagesenglish table also need to be made for the new menu option to show up

ndash The following is an example for the lsquoWMI Usernamesrdquo script

INSERT INTO languagesenglish (id string) VALUES(lsquoWMIUsersrsquo lsquoCurrentUsersrsquo)(lsquoWMIUsersDescrrsquo lsquoUse WMI to identify users currently logged into the ad-dress aboversquo)

WMIUsers is the language key for the button name

WMIUsersDescr is the language key for the description

Then in applicationscfg add an entry to reference these language keys and associatethe URL with them

middot Open applicationscfg and add the following line without quotes ldquoWMIUserscgi-bincurrentUserscgiaddr=i WMIUsersDescrrdquo

Note The applicationscfg file is located in the homeplixerscrutinizerfiles folder and is used to mapthe URL of the new menu options to the language keys in the languages database table (as explainedabove)

78 Report Thresholds

Any report with any combination of filters can be turned into a traffic monitoring policy by adding aThreshold to the report The Threshold option is available by clicking on the ldquoFilters Detailsrdquo buttonlocated in the left hand frame of the Report view Instructions for adding thresholds to reports are detailedbelow

To add a threshold to a report

1 Save a report

(a) Thresholds can only be added to Saved reports

(b) Enter a report name in the Report textbox in the left hand pane of the Report view then clickthe Save icon above the report name If the report isnrsquot saved first the interface will promptthe user to enter a report name and save it when they enter the Threshold modal

2 Click the Add button to the right of Threshold in the left hand pane

136 7 Status

a The Report Details modal opens to the Threshold tab with the following text Triggeralert if [ratetotal] value per tablersquos [TotalPer row] for [inboundoutbound] traffic in 5minute interval

(a) Selectable options within this modal are

bull RateTotal ndash This is taken from the saved report parameter and determinesif the threshold is based on the rate of the value selected or the total amountof the value

bull TotalPer row ndash This radio button selectable in the Threshold modal indi-cates whether to threshold against the Total report value or each linerowentryrsquos value (Per row)

bull InboundOutbound ndash This variable is also determined by the saved reportparameter whether the selected flow direction is Inbound or OutboundThis is the flow direction that the threshold will be monitoring If the savedreportrsquos flow direction is Bidirectional the threshold will monitor Inboundtraffic

(b) Thresholds are monitored every 5 minutes based on the last 5 minute interval

(c) Threshold comparison options are

bull Greater than or equal to (gt=)

bull Less than or equal to (lt=)

(d) The threshold value is entered in the textbox after the word ldquothanrdquo

(e) The unit of measurement is from the saved report unit setting and can be eitherbits bytes percent or omitted for counter fields If bits bytes or counter fieldsan additional selection for unit quantity is presented

bull - Integer value of bitsbytes or counters

bull K Kilobitsbytes counter value

bull M Megabitsbytes counter value

bull G Gigabitsbytes counter value

(f) If Per row is selected above an additional field is presented Policy Threat Multi-plier This value is used to multiply the policy violation counts for this thresholdto give its weighted value reported as the Threat Index in the Policy Violationslistings Default is 1

3 After completing entry of the fields listed above click the Save Threshold button

bull To exit the Threshold modal without saving click the Close button

78 Report Thresholds 137

4 The Select Notification Profile modal displays next

(a) If Notification Profiles have been configured select the appropriate one from the dropdownselector

(b) To configure new Notification Profiles click Manage Notifications

i A new browser window opens to the Notification Manager page

ii After creating new Notification Profile(s) to assign the profile to the report thresholdclick on lsquoeditrsquo to the right of Threshold then click Save Threshold and the SelectNotification Profile modal will be displayed again

(c) After selecting the Notification Profile (or leaving the threshold modal without selecting aNotification Profile) click on

bull Save ndash Saves the threshold with the changes made up to this point

bull Close ndash Exits without saving the Notification Profile selection

bull Save amp Edit Policy ndash Saves the threshold settings made so far and opens the EditPolicy modal to edit this threshold policy

781 Notes

bull The threshold setting unit of measurement is determined by the report settings either percent bitsor bytes If the report is set to report by bits or bytes then there is an additional option of K M orG for total bitsbytes

bull Thresholds can also be set on other counters such as round trip time packet loss jitter flow countetc The K M and G option is also available when thresholding against these other counter fields

bull It is good practice to view the FlowView report to get an idea of what the raw data looks like beforesetting a threshold

bull After saving the threshold the modal will go to Select Notification Profile Select a profile from thedropdown or click Manage Notifications to create one Selecting Save and finish without adding anotification to the threshold is also an option An alarm will still be generated when the thresholdis violated even without a notification included in the threshold configuration

79 Run Report

This feature allows the ability to create custom reports Options available for selection include dataelements (fields) operation columns (packets and bits) devices and timeframe to run the report on Thisfeature is useful when field combinations not available in predefined report types are required

138 7 Status

791 Step 1 Select Data Elements

The first step in creating a custom report is choosing the data elements (fields) to include in the report

The selection list includes the basic tuple elements plus any Plixer manufactured fields based on thoseelements

By default the Selected list is empty select one or more from the Available section and drag to theSelected section A minimum of one data element is required for the report to run

792 Step 2 Select Operation Columns

Click on the Step 2 header line to expand this section

In this step the packets (packetdeltacount) and bits (octetdeltacount) elements are chosen and configuredfor which operation will be applied against them

By default both packetdeltacount and octetdeltacount are included Either can be removed by clickingthe lsquoxrsquo to the right of the element Additional columns of either of these elements can also be added (toinclude other operations against them) by clicking lsquoAdd Rowrsquo and selecting the element

A custom report requires at least one operation column

Operations available are

Sum Totals the values per row and a total for the report

Min Minimum values per row and per report

Max Maximum values per row and per report

Average Averages the values per row and per report

793 Step 3 (optional) Select Devices

This selection determines which device(s) the custom report will run against and report the data for Thelist of devices is limited to those that are exporting the basic tuple elements as shown in the selection boxin Step 1

By default all devices are selected Limiting the selection of devices to report against can be done eitherby

bull Clicking Select All and dragging all of the devices to the Available section then select the devicesto report on and drag back to the Selected side This would be the preferable method if there are alarge number of devices in the list The search box can also assist in the selection process

bull Selecting the devices to NOT include in the report and drag from the Selected section to the Avail-able section

79 Run Report 139

794 Step 4 (optional) Select Time Range

In Step 4 the timeframe that the report is run for can be changed to any of the predefined timeframes orset to a custom timeframe If this is not changed the report will default to the Last Hour

795 Step 5 Run Report

This step is grayed out until

bull At least one data element from Step 1 is selected

bull At least one operation column from Step 2 is included

bull At least one device from Step 3 is selected

With that criteria met click the Run Report button to generate the custom report

710 Scheduling a report

7101 Prerequisites

bull The Email server needs to be configured in Admin gt Settings gt Email Server

bull One or more report(s) need to have been lsquosavedrsquo

7102 Schedule reports from the Status tab

bull Either create a new saved report or select existing Saved Reports from left pane in Status tab thenselect the saved report(s) from the list Make sure the report is saved with a lsquolastrsquo time frame (EgLast Seven Days)

bull Click the lsquoclockrsquo icon to Schedule an emailed report It can be found at the top under Current reportIt will launch the Schedule Report modal

bull Schedule Report modal

ndash Email Subject This field is mandatory and is auto filled with the Report name when comingfrom the Status tab The subject of the email can be changed here

ndash PDF CSV Check these boxes to attach the report in PDF or CSV format

140 7 Status

ndash Frequency and Time This report will kick off on the current day every

Hourly Specify the minute each hour that report(s) will run

Daily Specify the hour minute and AMPM that report(s) will run each day

Weekly Specify the hour minute AMPM and day of week that report will run eachweek

Monthly Specify the hour minute AMPM and day of month that report will runeach month

ndash Recipients

Enter the email address(es) of recipients here

This field is mandatory and must include at least one recipientrsquos email address

Multiple email addresses may be separated by commas semi-colons or spaces andmay be entered all on one line or on separate lines

ndash IncludeExclude

This section shows which reports are in the scheduled report (Included) and whichones are not but are available to add to this schedule (Excluded)

At least one report must be in the Include section By default when scheduling fromthe Status tab the saved report being viewed will be automatically included

Add more reports to a scheduled report by selecting from the Exclude list and clickingthe double left arrows (ltlt) to move it to the Include list

Click lsquoSaversquo to add any selections to the Scheduled Report list

To monitor and manage the Scheduled Report go to Admin gt Reports gt ScheduledReports

Important Make sure the report is saved with a lsquolastrsquo time frame (Eg Last Seven Days) If thefrequency is set to lsquoHourlyrsquo for example a report will be emailed every hour which shows the last sevendays Also in order to avoid excessive processing overhead try to avoid scheduling multiple reports torun at the same time

7103 Managing Scheduled Reports

Scheduled Reports can be managed at Admin gt Reports gt Scheduled Email Reports This page will listall existing scheduled reports Columns in this page include

710 Scheduling a report 141

bull Action

bull Edit Schedule ndash opens the Schedule Report modal allowing changes to any aspect of the scheduledreport

bull Send Now ndash email this report on-demand

bull Disable - checkbox

bull Email Subject

bull Schedule

ndash Hourly

ndash Daily

ndash Weekly

ndash Monthly

bull Time ndash scheduled time for report

bull Day of Week ndash scheduled day for report

bull Day - scheduled day of month for report

bull Execute Time ndash the amount of time taken the last time the scheduled report has run

bull Last Sent ndash time stamp for last time the scheduled report has run

bull Recipients ndash email addresses configured to receive this scheduled report

Note Email Subject and Included report do not auto fill when scheduling from the Admin tab

bull The following buttons provide other actions

ndash Delete deletes any selected Scheduled Reports (leaves the Saved reports intact)

ndash Schedule Reports ndash opens the Schedule Report modal allowing for scheduling of one ormore Saved Reports

7104 Best Practices in Scheduling Reports

The Admin gt Reports gt Settings includes all of the server preferences that affect reporting The followingsettings are critical to Scheduled Reports

142 7 Status

bull Max Report Processes - Each report that is run will use this as a maximum number of sub processIt breaks reports up by time or exporters depending on the method that will be faster The default is4 and the default memory allocation per process is 1024MB

bull Max Reports per Email - The maximum number of saved reports a user is allowed to include in ascheduled email report Including too many reports in a single email can result in timeouts Thedefault is 5

bull Max Reports per Interval - This is the maximum number of reports that users are able to schedulefor the same minute The default is 5

bull To calculate how this will affect the server

ndash Four processes are created per report x 1024 MB = 4096 MB per report The maximumscheduled reports per interval is 5 4096MB which is equal to 20480MB If the server isconfigured with 16GB of memory this feature will not work To continue either decrease thenumber of reports per interval or add memory to the server

ndash In addition to the memory used by the Scheduled Email Reports keep in mind the othertasks that are consuming resources When possible schedule reports at off-times when otherprocesses are resting

Avoid scheduling reports during heavy daytime processing

Avoid scheduling reports during server or database backup times

ndash Daily reports can run anytime during the day or night by saving the report with a timeframeof lsquoYesterdayrsquo which will always run from 0000 ndash 2359 of the previous day

711 Vitals Reporting

The Vitals reports provide insight on the health of the Scrutinizer servers (eg CPU Memory usage Harddrive space available Flow Metrics etc) Vitals information is reported for all servers in a DistributedEnvironment

Vitals reports can provide valuable insight into the serversrsquo performance As with any other flow reporttype thresholds can be set on any of the Vitals reports providing the ability to alert on threshold violations(ie low disk space high cpu utilization etc)

These reports are accessible at Status-gtDevice Explorer-gtScrutinizer server (127001)-gtReports-gtVitals (A Vitals Dashboard is also created by default for the Admin user and includes many of thereports listed below)

bull CPU per Process This report displays CPU percentage consumed per process on the server

711 Vitals Reporting 143

bull CPU Average CPU utilization for the Scrutinizer server(s)

bull CrossCheck Runtime Monitors runtimes for CrossCheck methods (processes)

bull Database Provides the following database metrics

ndash Connections by Bytes Excessive connections can result in reduced performance NOTEother applications using the same database will cause this number to increase

ndash Read Req The number of requests to read a key block from the cache A high numberrequested means the server is busy

ndash Cache Free The total amount of memory available to query caching Contact support if thequery cache is presently under 1MB

ndash Queries Tracks the number of queries made to the database More queries indicates aheavier load to the database server Generally there will be spikes at intervals of 5 minutes30 minutes 2 hours 12 hours etc This indicates the rolling up of statistics done by thestored procedures This Vitals report is important to watch if the NetFlow collector is sharingthe database server with other applications

ndash Buffers Used Key Buffers Used - indicates how much of the allocated key buffers are beingutilized

If this report begins to consistently hit 100 it indicates that there is not enough memory al-located Scrutinizer will compensate by utilizing swap on the disk This can cause additionaldelay retrieving data due to increased disk IO

On resource strapped implementations this can cause performance to degrade quickly Userscan adjust the amount of memory allocated to the key buffers by modifying the databaseconfiguration file and adjusting the key buffer size setting

A general rule of thumb is to allocate as much RAM to the key buffer as possible up to amaximum of 25 of system RAM (eg 1GB on a 4GB system) This is about the idealsetting for systems that read heavily from keys

If too much memory is allocated the risk is seeing further degradation of performance be-cause the system has to use virtual memory for the key buffer The check tuning Interactivescrut_util command can help with recommended system settings

bull Distributed Heartbeat and Distributed Synchronization These two Vitals reports provide fur-ther insight into internal communications in a Distributed environment

144 7 Status

bull FA Counts and FA Times Flow Analytics Counts and Flow Analytics Times provide metrics onthe processing of Flow Analytics Algorithms FA Times is useful in managing FA algorithmsnot coming to successful completion

bull Flow MetricsExporter and Flow MetricsPort Metrics are provided by exporter and also bylistening port for

ndash MFSN Missed Flow Sequence Numbers Are generated for one of three reasons

The device exporting the flows canrsquot keep up with the traffic

The flow packets are being dropped by something on the network

The flow collector canrsquot keep up with the rate of flows coming in

Sometimes MFSN will show up as 10m or 400m To get the dropped flows per seconddivide the value by 1000ms A value of 400m is 4 of a second 1 4 = 25 second A flowis dropped every 25 seconds or 120 (ie 300 seconds25) dropped flows in the 5 minuteinterval displayed in the trend

ndash Flows Average Flows per second This is a measure of the number of conversations beingobserved There can be as many as 30 flows per NetFlow v5 packet (ie UDP datagram) andup to 24 flows per NetFlow v9 datagram With sFlow as many as 1 sample (ie flow) orgreater than 10 samples can be sent per datagram

bull Memory The Memory Vitals report displays how much memory is available after what is con-sumed by all programs on the computer is deducted from Total Memory It is not specific toNetFlow being captured

The flow collector will continue to grab memory depending on the size of the memory bucketit requires to save data and it will not shrink unless the machine is rebooted This is not amemory leak

bull Report Request Time Report Type Data Time and Report Type Query Time These Vitalsreports provide reporting performance metrics

bull Storage The Storage report displays the amount of disk storage space that is available Afteran initial period of a few weeksmonths this should stabilize providing that the volume ofNetFlow stays about the same

bull Syslogs The following metrics are available with the Syslogs report

ndash Syslogs Received The average number of syslogs received per second

ndash Syslogs Processed The average number of syslogs processed per second

bull Task Runtime Task Runtime displays runtimes per Scrutinizer automated tasks such as nightlyhistory expiration vitals data collection etc

bull TotalsRollups Times Time durations for totals rollups and data inserts in the database per flowtemplate per exporter

146 7 Status

CHAPTER 8

System

81 Backups

811 Overview

This page explains the Alternate Copy and Backup Method for Large Scrutinizer Databases

812 Backing up the data

The historical and configuration data for Scrutinizer is stored in the plixer and reporting databases Usersare not recommended to backup these databases directly The recommended solution is to dump thedatabases to backup files and optionally run the backup on those files

813 Copying the data

Use the following commands to dump the data to files in a backup directory

pg_dump plixer | gzip gt plixergzpg_dump reporting | gzip gt reportinggz

814 Choosing when to run the backup

There is no ideal time to do a backup but it is best to try and pick a time when Scrutinizer is least busyIn addition to when the network is busy keep in mind that rollups are executed at Consolidated UniversalTime (UTC)

bull Every 2 hours for 2h intervals which are executed at the top of even hours

bull Every 12 hours for 12h intervals which are executed after 12 and midnight

bull Every 24 hours for 1 day intervals which are executed after midnight

bull Every week for 1w intervals which are exectued after midnight on Saturday

Important The above times are in reference to UTC time For example If the server is in New Yorkthe 12h interval rollups would occur at UTC -5 hours or 700 and 1900

815 Suggested times

bull Weekly 3am Sunday

bull Daily 3 am Daily

82 Changelog

For more details on the new features below reference the Plixer website and Scrutinizer documentation

KEY ACTION (Bug Ticket Number) description

Ex ADDED (1640) Thresholds based on outbound traffic

148 8 System

821 Change Log History

mdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashmdashndash

Version 186 - 6292018

ADDED (9911) Test button for LDAPRADIUSTACACS setupADDED (15154) Ability to acknowledge alarms with any combination of filtersADDED (16826) scrut_util command to disable ping for devices that have not respondedADDED (17589) Manufactured columns can be included in the report designerADDED (18291) Full back button supportADDED (19981) Automatically detect which SNMP credentials to use for exportersADDED (20068) Ability to manage interface details via APIADDED (21522) Ability to filter on a port rangeADDED (21744) All interface reports now account for metering on each interface in the reportADDED (21770) Host -gt AS -gt Host reports for additional BGP reportingADDED (22220) Major release upgrade to PostgreSQL 96 and 10ADDED (22773) scrut_util command to enabledisable ipv6ADDED (23267) User can be locked out after n failed login attemptsADDED (23478) Full foreign datastore support in collection and rollupsADDED (23924) Ability to exclude domain names from flow analyticsADDED (24134) Ability to edit URLs for custom gadgetsADDED (24164) Milliseconds now included with formatted timestamps where applicableADDED (24297) Columnar store support for AWS ScrutinizersADDED (24452) Ability to customize the login pageADDED (24600) Improved support for configuration of multiple LDAP servers and domainsADDED (24661) Ability to grant dashboards to other users groupsADDED (24781) Default PostgreSQL datastore is columnar Better disk space utilization and IOperformanceADDED (24948) Performance improvements for flow class lookupsADDED (25077) Support IPv4-mapped IPv6 addresses in subnet and ipgroup filters (PostgreSQL)ADDED (25216) Report IP Group with protocol and defined applicationsADDED (25289) Support for Flowmon probe elementsADDED (25396) DrDoS detection for memcached and CLDAP attacksADDED (26187) Ability to schedule operating system updates

82 Changelog 149

FIXED (12972) Flow metrics vitals times now align with ingestion timeFIXED (22530) Ungrouped now visible by non-admin usersFIXED (22588) Tidy up loose ends when deleting exporters Deleted exporters will stay deletedFIXED (22654) Stop showing disabled exporters in the exporters LEDFIXED (24107) Some timezones were duplicated in the selectorFIXED (24115) Latency reports per exporterFIXED (24659) Addressed issue reporting on multiple interfaces with different metering configuredFIXED (24703) Issue with generating PDF with device group filtersFIXED (24790) Restrict PaloAlto username collection to only internal IPsFIXED (24875) DonutPie Graph not available in Top -gt Interfaces reportFIXED (24893) Map interface utilization arrows always pointed in the same directionFIXED (24899) lsquocancel reportrsquo button truly cancels backend reporting requestsFIXED (24993) Device menu in Google mapsFIXED (25027) Cleaned up log noise from Cisco ISE data collectionFIXED (25111) Scheduled reports font issue on AWSFIXED (25317) Remove memcached external exposure CVE-2017-9951FIXED (25323) FlowPro APM jitter reportFIXED (25399) Audit report times now display as clients timezoneFIXED (25419) Addressed CVE-2014-8109FIXED (25660) Issue with Queue Drops gtgt Queue Drops By Hierarchy

Version 1711 - 11222017

ADDED (24685) Support for Oracle cloud

FIXED (24500) Vitals errors when a user with a long UID is createdFIXED (24560) Save button for filters would go away if field was selected but not changedFIXED (24586) Localhost Unlicensed after upgrade to 1710FIXED (24616) Collector appears down after Daylight Savings Time changeFIXED (24647) Potential short gap in rollups after collector restart

150 8 System

Version 1710 - 10272017

ADDED (18992) Solarwinds IntegrationADDED (24165) Support for additional Procera IPFIX information elementsADDED (24186) Support for Viptela IPFIX information elementsADDED (24193) PRTG IntegrationADDED (24374) Support for additional Gigamon IPFIX information elements

FIXED (23140) Integration with ELKFIXED (23929) Cisco ISE integration issue preventing connection to ISE and reporting ISE dataFIXED (24100) Vitals allow vitalser_count to be set in plixeriniFIXED (24112) Issue with click behavior on Google Map links and markersFIXED (24141) Issue with getting WLC AP namesFIXED (24149) SNMP v3 supportFIXED (24185) Cannot create a connection in map view in Status tab or DashboardFIXED (24257) CSV issue when report name contained certain charactersFIXED (24390) Issue with FlowView not loading when Juniperrsquos flow direction column is presentFIXED (24434) Improved history expiry performance for installs using foreign datastoresFIXED (24476) Issue with filtering on text strings in Gigamon binary data

Version 178 - 8302017

ADDED (6677) Map groups can include devices automatically based on regexADDED (21422) Audit events stored permanentlyADDED (23317) Use Palo Alto usernames from flows in username reports for other exportersADDED (23485) New Plixer themeADDED (23524) New Gigamon theme

82 Changelog 151

ADDED (23550) Message is clearer when no data is found for a reportADDED (23615) New KVM deployment guideADDED (23810) New Ixia latency reports

FIXED (23508) Summary reports can be opened in new tabFIXED (23598) Issue with ldquotarget is busyrdquo error using disk resize commandFIXED (23616) Alarm -gt Action Menu -gt Alarms -gt Redirect failureFIXED (23618) Some scheduled reports timing outFIXED (23649) Improved stability when memory is constrainedFIXED (23652) Issue with multiple business hours filters in the same reportFIXED (23704) Tuning could take a long time to check CPUFIXED (23705) Tuning utility needs to work on AWSFIXED (23708) Interface speed changes not reflected in the front endFIXED (23745) Show interfaces option not included in a saved reportFIXED (23771) lsquoOther Optionsrsquo could have some items cut offFIXED (23823) Deleting an exporter would not kick the collector

Version 17621 - 6212017

FIXED (23541) Report based canned gadgets would not render properly in dashboardsFIXED (23544) Address the Stack Clash vulnerability (CVE-2017-1000364 and CVE-2017-1000366)for 176 VAs Upgrades to existing installs will need to run yumUpdateshFIXED (23547) Ignore Administrators and Guests in LDAP groups for automatic inclusion and removalin Scrutinizer groups

Version 176 - 6192017

152 8 System

ADDED (9643) Added the ability to report on all exporters in a groupADDED (10567) New Disk IO statistics Vitals reportsADDED (15017) Added the ability to SLOWLY stream flows to a customerrsquos Kafka instanceADDED (17538) New HTML 5 maps (removed Flash requirement)ADDED (18180) Added flowclass bulk import utility for PostgreSQL installsADDED (18209) Added MAC address descriptions wauto-populate from WLC option templates andSNMPADDED (18596) Improved PostgreSQL ipgroup performanceADDED (18998) Tooltip for IP Group report columns now include the IP Group rulesADDED (19406) New business hours filter with timezone and Day of Week supportADDED (20323) Added internal host filterADDED (20621) Added Refresh button to reportsADDED (20752) Added filtering for Cisco NBAR groups categories and sub categoriesADDED (20880) Peak and 95th are now calculated for values over table rank 10ADDED (21306) New Gigamon SSL reportsADDED (21341) Security Auditing Updates for Server Maintenance Interactive PromptADDED (21672) Added the ability to update a serverrsquos IP with scrut_utilADDED (21860) Added support for new Stormshield information elementsADDED (21954) Added experimental support for FireSIGHT eStreamer protocol version 61ADDED (21960) Added reportTypeLang (API ID) column to Status gt System gt Available Reportsreport viewADDED (22026) Added Amazon Linux supportADDED (22028) Renamed percent columns in report tables to improve clarityADDED (22104) Added support for an lsquoenablersquo password different from the login password for ASAACL collectionADDED (22173) Added auditing for saved report changesADDED (22191) Added the ability to log detailed FireSIGHT message contentADDED (22518) New Rollup Counts vitals reportADDED (22582) Added support for new Gigamon elementsADDED (22584) Added internalexternal host report typesADDED (22632) Added import ifinfo utility for bulk interface updatesADDED (22706) Added new standard and Saisei information elementsADDED (22710) Pie and donut charts now have segment labelingADDED (22767) Added ability to enforce password complexityADDED (22775) DB Migrate Utility added PostgreSQL to PostgreSQL cross-version supportADDED (23147) Added support for more Riverbed templates (application visibility)

FIXED (4230) Long interface names now wrap in PDF reports

82 Changelog 153

FIXED (20030) MySQL only Fixed a collection halt when deleting some exportersFIXED (20693) Fixed SSH key installation at installupgradeFIXED (21597) Pie chart tooltips only shows available values from tableFIXED (21762) Quotes in an SNMP credential will no longer cause interface issuesFIXED (21800) Authentication token login issueFIXED (21983) IP addresses for exporters are now resolved to custom host names from ldquoManageExportersrdquo if exporter is in a reportFIXED (22040) Fixed issue with sorting on non-default columns in PDF reportsFIXED (22056) Fixed issue with collect supportfilesFIXED (22323) Webmin vulnerability EIP-2015-0009 addressedFIXED (22768) Allow for reverse ipgroup ip rangesFIXED (22837) Improved PostgreSQL data expiration performanceFIXED (22872) Fixed an issue where DNS entries were expired prematurely without being re-queuedFIXED (22931) Exporters that donrsquot send interface info would not be included in FA Top N algorithmsFIXED (22987) Aggregation issue with AppFlow reportingFIXED (23003) Fixed Host search alert message for Host Index disabledFIXED (23329) Optimized database VACUUM performance

Version 17227 - 3222017

FIXED (21548) Intermittent ldquoLost connection to MySQL serverrdquo issueFIXED (22400) Alarm policies could not be saved as ldquodelete immediatelyrdquoFIXED (22429) Error messages were not clear when the installer encountered an invalid hostnameFIXED (22435) Distributed meta sync issues on large tablesFIXED (22465) vmWare tools would not install from our ESX imagesFIXED (22466) Some ldquoAll Devicerdquo reports were not disabled in MTM modeFIXED (22479) Peak values would not always be within the correct time range when reports usedcached dataFIXED (22481) ESX remote console would sometimes repeat characters

154 8 System

Version 172 - 2222017

ADDED (00000) New tuning utility for server resourcesADDED (00000) Several new Interactive scrut_util commandsADDED (19572) Integration support for Endace API v1 and v2ADDED (20107) Alert on lsquorsquo running out of disk spaceADDED (21230) Columnar store support for PostgreSQL installsADDED (21279) Encryption inter-database communication for distributed PostgreSQL clustersADDED (21755) Faster distributed PostgreSQL reportingADDED (21802) Faster reporting for standalone serversADDED (22051) Audit alerts for IP group changesADDED (22255) Subscription licensing

FIXED (19670) Fixed issues with intermittent gaps in Vitals graphsFIXED (19713) DNS resolution for Inbound and Outbound conversationsFIXED (20913) Fixed alarms formatting issueFIXED (21003) Improved Gigamon supportFIXED (21606) Graphs no longer have last (rightmost) datapoint of zeroFIXED (21660) Remove rpmforge repoFIXED (21820) Fixed issue with v9 flow countsFIXED (21893) Fixed scrut_util ipgroup_import reset optionFIXED (21913) Improved database pruningauto-trimmingFIXED (21928) Improved distributed registration when passwords are out of syncFIXED (21947) Total bar graphs do not match table dataFIXED (22009) Fixed issue where rollups would get stuck and optimized rollupsFIXED (22210) Fixed filtering issue in volume reports

Please reference our End of Life Policy for details regarding the end of life schedule For more informationon Scrutinizer please reference the online documentation or visit our website

82 Changelog 155

83 Check Vulnerabilities

831 Overview

It is important to keep the Scrutinizer software and Operating System up to date to patch any knownvulnerabilities

After applying all the system updates it is common for vulnerability scanners that only look at packageversion numbers to report that vulnerabilities still exist when they have already been patched This is aresult of backporting security patches

832 Backporting

Backporting has a number of advantages for customers but it can create confusion when it is not under-stood Customers need to be aware that just looking at the version number of a package will not tell themif they are vulnerable or not For example stories in the press may include phrases such as ldquoupgrade toApache httpd 2043 to fix the issuerdquo which only takes into account the upstream version number Thiscan cause confusion as even after installing updated packages from a vendor customers will not havethe latest upstream version They will instead have an older upstream version with backported patchesapplied

833 Donrsquot Trust the Version Number

Some security scanning and auditing tools make decisions about vulnerabilities based solely on the ver-sion number of components they find This results in false positives as the tools do not take into accountbackported security fixes

834 Look for the CVE Number

Backported security fixes can be manually verified by looking for the CVE number in the packagechangelog

Here is an example

rpm ndashq ndashchangelog httpd | grep CVE-2017-3169

bull Resolves 1463197 - CVE-2017-3169 httpd mod_ssl NULL pointer dereference

To fix the false positives generated by security scanners that only look at version numbers somethingcalled OVAL definitions (machine-readable versions of the advisories) are supplied for third-party vul-nerability tools These can be used to determine the status of vulnerabilities even when security fixeshave been backported In doing this we hope to remove some of the confusion surrounding backportingand make it easier for customers to always keep up to date with the latest security fixes

OVAL definitions can be downloaded from ovalcisecurityorgrepository

156 8 System

84 Distributed Collectors

Scrutinizer supports a distributed architecture where numerous servers can collect flows with a centralreporting server for reporting on flows across all of the collectors Secondary reporting servers can alsobe configured for redundancyfail-over purposes

bull The distributed Scrutinizer system allows the collection system to ingest several million flows persecond across several servers - regardless of physical location

bull In addition to increased flow volume the distributed architecture allows the solution to receiveflows from tens of thousands of flow exporting devices

bull The reporting server provides a central interface for managing all exporters flows interfaces andalarms across the distributed cluster

bull The distributed architecture solution requires additional configuration Contact Plixer if interestedin this solution

85 Flowalyzer

Flowalyzertrade is a free NetFlow and sFlow Tool Kit for testing flow technologies This utility has severaltabs each with a unique function

bull Listener The Listener is used to determine whether or not NetFlow or sFlow is being receivedand what ports they are being received on Any application currently listening on the same port asFlowalyzer will cause conflicts Conflicting applications must stop using the ports Flowalyzer istrying to listen on

bull Generator The Generator is used to send NetFlow packets with specified flows Up to 30 flowscan be sent with NetFlow version 5 or up to 24 flows with NetFlow version 9 and IPFIX If a rangeof bytes and packets is specified Flowalyzer will randomly assign these values between the rangesspecified in each flow packet sent out The Flow Time range can also be randomized Reference theNetFlow v5 format or read RFC 3954 to learn more about NetFlow v9 For additional informationread the Charter on IPFIX

bull Configuration The Configurator is used to configure NetFlow v5 and v9 on Cisco routers orNetFlow v9 on Enterasys hardware (switches and routers)

bull Communicator The Communicator is used to ping destination hosts with specified ports usingICMP TCP or UDP It can also perform trace routes

bull Poller Polls Devices found in Scrutinizer or devices can be manually added The availability andresponse time for each device polled is sent off to the flow collector in IPFIX datagrams

84 Distributed Collectors 157

bull Trender Polls devices for SNMP counters and trends the values returned

The Flowalyzer page can provide additional information on this free NetFlow and sFlow testing utility

This utility is fully compatible with most NetFlow and sFlow reporting tools

86 Interactive scrut_util

861 Overview

The interactive scrut_utilexe utility provides access to numerous server maintenance utilities includingpassword changes third party integration processes many routines to access information required forsupport and more

SCRUTINIZERgt

To close the interactive prompt type lsquoexitrsquo

SCRUTINIZERgt exit

Exiting

[rootScrutinizer ~]

862 Two Modes of Operation

The scrut_utilexe utility has two modes of operation

1) Interactive

In interactive mode the user types in scrut_utilexe hits enter and enters the SCRUTINIZERgt commandline Commands can be executed as shown below

158 8 System

2) Command Line Interface (CLI)

When the user is logged in as root CLI mode can be run This allows commands to be executed withoutentering the SCRUTINIZERgt prompt For example

[rootScrutinizer bin] scrut_utilexe ndash ndashshow alarms ndash ndashname threshold

863 Help Function

The list of available commands can be displayed from within the Scrutinizer utility shell by entering

SCRUTINIZERgt help

For help with specific commands (for example the ldquoshowrdquo command) enter

SCRUTINIZERgt help show

For help with specific extended commands (for example the ldquoshow groupsrdquo command) enter

SCRUTINIZERgt help show groups

864 Commands

Following are the available top level commands

bull check

bull ciscoise

bull clean

bull collect

bull counteract

bull delete

bull disable

bull download

bull enable

bull endace

86 Interactive scrut_util 159

bull expire

bull export

bull import

bull moloch

bull optimize

bull repair

bull services

bull set

bull show

bull snoop

bull system

bull upload

bull version

For each top level command there are several extended commands as listed below

Runs a test or check against the command provided

160 8 System

Command Descriptioncheck activeif Checks for active flows by looking at active interface details and lists the last times-

tamp and number of interfaces that received flowscheckdata_last_written

Checks the activity of collected flow data written to the database

check databaseltdb_namegtltdb_passgt

Checks the specified database for errors

check dist_info Checks and displays distributed information about the Scrutinizer Serverscheck hdtest Tests the performance of the hard drive This is a good way to determine if the

hardware is adequate for Scrutinizerrsquos current flow volumecheck heartbeatltdatabase|apigt

Checks heartbeat functions to make sure Scrutinizer is internally communicatingproperly

check his-tory_index

Checks history_index for 1m interval table activity

check his-tory_index_empty_tables

List tables with zero rows from history_index Please stop the collector prior torunning this command This command will not delete entries reported To do souse delete instead of check

check his-tory_index_orphans

Checks entries from history_index for which a table does not actually exist Thisshould never happen but occasionally when things go wrong we need somethinglike this to make cleanup easier This command will not delete entries reported Todo so use delete instead of check

check his-tory_table_orphans

List tables with no history_index entry Please stop the collector prior to runningthis command This command will not delete entries reported To do so use deleteinstead of check

check in-terfaces[all|cisco|hauwei|sonicwall][host_ip]

Tries alternative methods to retrieve interface descriptions For Cisco and Son-icWALL that means using NetFlow data For Huawei that means using SNMP andreferencing their vendor specific MIBs

check license Checks and displays license details from the Scrutinizer Servercheck ma-chine_id

Checks and displays the current machine_id of the Scrutinizer Server

check ma-chine_id_list

Checks and displays the current possible and historical Machine IDs of the Scru-tinizer Server

check objects Verifies that xcheck_hosts all have a corresponding row in objectscheck passwordrootdb

Checks the database root password to make sure itrsquos the same password representedin the plixerini

check rollcall Analyze rollcall and the state of rollups per time bucket This is used to confirm theactivity of rollups on this Scrutinizer Collector

check rollups Lists rollups and their current state This is used to confirm the activity of rollupson this Scrutinizer Collector

check routeltipgt

Checks device specified to determine if Scrutinizer can access its routing data

check server-pref ltserver-prefgt

Checks and displays the current value for the specified serverpref

check sim-plercvltudp_portgt

Runs a simple test to see if udp traffic is seen on the udp port provided Thiscommand is useful to determine if flows are received at the top of the stack (ietcpdump -gt collector)

check snmp Attempts to get SysObjectID for all devices If SNMP connected successfully itwill return the credential object Otherwise it will return the error message

check ssl Checks and lists the current settings configured for SSL parameters Use the set sslcommand to modify settings or enabledisable SSL

checkstats_exporters

Lists statistical details related to time and exporter activity

check task ltidgt Checks the execution times and error codes for the specified task ltidgt A list oftasks is available by using the show task command

check thresh-oldpolicies

Checks and verifies that all threshold policies are correct and functioning properly

check tuning Checks the operating system and Scrutinizer settings that can be changed to im-prove Scrutinizerrsquos performance Best used under supervision of Plixer Support

check version Checks to see if a newer version of Scrutinizer is available

ciscoise

Manage CiscoISE Node Integration with Scrutinizer

Command Descriptionciscoise addltise_ipgtltise_tcp_portgtltise_usergt

Adds a CiscoISE node to the queue to acquire user identity on all active sessionsThe required parameters are the host address ltise_ipgt tcp port ltise_tcp_portgtand user ltise_usergt that can access the APIScrutinizer will prompt the user for the ltise_usergt password

ciscoise check Tests polling and outputs the results to the screen for review Itrsquos a good way toverify that Scrutinizer is collecting user identity information properly

ciscoise kickltise_idgtltmac_addressgtltuser_ipgt

Kicks the user off the ISE node forcing them to re-authenticate Minimally theusers IP address is required Optionally the ltmac_addressgt can be provided

ciscoisenodelist

Lists the currently configured CiscoISE nodes

ciscoise poll Runs a poll manually and outputs the results to the screen When integration isenabled polling is automatically performed routinely To diagnose issues run lsquocis-coise checkrsquo or lsquociscoise testrsquo

ciscoise removeltise_ipgt

Removes a CiscoISE node from Scrutinizer The required parameter ltise_ipgt isthe IP address of the CiscoISE node

ciscoise test Tests polling and outputs the results to the screen for review Itrsquos a good way toverify that Scrutinizer is collecting user identity information properly

ciscoise up-date ltise_ipgtltise_tcp_portgtltise_usergt

Updates existing configuration settings for a specific CiscoISE nodeThe required parameters are the host address ltise_ipgt tcp port ltise_tcp_portgtand user ltise_usergt that can access the APIScrutinizer will prompt for the ltise_usergt password

Executes housekeeping tasks that are scheduled to run at various times during Scrutinizerrsquosnormal operations

Warning These commands will purge data from Scrutinizer Please use with caution

162 8 System

Com-mand

Description

clean all Executes several housekeeping tasks that are scheduled to run at various times duringScrutinizerrsquos normal operations

clean base-line

Resets all configured baselines to the default baselines for each exporter Historical datawill not be deleted However it will expire based on Scrutinizerrsquos historical settings

cleandatabase

Cleans out temporary database entries manually This command is executed automati-cally every 30 minutes by Scrutinizerrsquos task scheduler

clean ifinfo Clears entries in the ifinfo db table that do not have an entry in the activeif db tableclean pcap[ltpcap-filegt]

Removes all or if specified a specific pcapfile from the Scrutinizer server To see a listof pcap files execute show pcaplist

clean tmp Removes any temporary files created by the graphing engine Executing this will per-form an on-demand clean up By default it is scheduled to be executed by Scrutinizerroutinely

collect

Manually collect data that is useful for Scrutinizer

Command Descriptioncollectasa_acl

Manually collects ASA ACL information from Cisco ASA Devices This task isscheduled and routinely executed as part of normal operations

collect base-line

Manually collects baseline data and checks for alarms This task is scheduled and rou-tinely executed as part of normal operations This command is automatically sched-uled to run routinely when baselining is enabled

collect dbsize Collects database size informationcollect elkltelk_ipgt

Manually collect data from Scrutinizer and send it to the configured ELK serverReference the Elasticsearch Kibana (ELK) Integration guide for more detailed in-formation on the ELK integration

collect op-tionsummary

Manually process flow option data collected by Scrutinizer This information is rou-tinely processed automatically

collect pcapltin_secgt[lthostgt]

Collects a packet capture on the interfaces of the Scrutinizer server Requires a time-out (in seconds) and an optional host name in IP format to further filter the capture

collect snmp Manually collects SNMP data that is used during Scrutinizerrsquos operations This pro-cess is automatically scheduled by Scrutinizer to run regularly

collectsplunkltsplunk_ipgtltportgt

Manually collect data from Scrutinizer and send it over to the configured SplunkserverReference the Scrutinizer for Splunk Application integration guide for more informa-tion

collect sup-portfiles

Collects various log files and server configuration data used by Plixer support to trou-bleshoot server issues

collect topol-ogy

Collects various types of data from devices and Scrutinizer to help Scrutinizer under-stand the topology layout of the network

collect useri-dentity

Manually process user identity data collected by Scrutinizer This information is rou-tinely processed automatically

counteract

Third-party integration support for ForeScout CounterACT servers

Command Descriptioncounteract lton|offgtltcounteract_ip[port]gt

Enables or disables support to ForeScout CounterACT servers Requiredparameters are lton|offgt and the host name and optional tcp port

delete

This operation deletes database tables andor database table entries

164 8 System

Command Descriptiondelete cus-tom_algorithmltidentifiergt

Deletes a custom algorithm at the system level For more information reference theFlow Analytics Custom Algorithms section Warning This command will alter the behavior of Scrutinizer functionalityPlease use with caution

delete his-tory_index_empty_tables

Deletes tables with zero rows from history_index Please stop the collector if runningprior to executing this command

delete his-tory_index_orphans

Deletes entries from history_index for which a table does not actually exist Thisshould never happen but occasionally when things go wrong we need something likethis to make cleanup easier

delete his-tory_table_orphans

Deletes tables with no history_index entries Please stop the collector if runningprior to executing this command

delete or-phans

Warning This command will delete all known orphan alarm events

disable

Disables functionality used by Scrutinizer or incorporated as part of customized development

Com-mand

Description

disablebaselineltex-porter_ipgt

Disables all baselines for the specified ltexporter_ipgt The historical data will not bedeleted However it will expire based on Scrutinizerrsquos historical data settings Warning This command will alter the behavior of Scrutinizer baseline functionalityPlease use with caution

dis-able elkhttpltipportgt

Disables ELK (Elasticsearch Logstash and Kibana) flows from Scrutinizer to the URLspecifiedReference the Elasticsearch Kibana (ELK) Integration guide for more detailed informa-tion on the ELK integration Warning This command will alter the behavior of Scrutinizer functionality Pleaseuse with caution

disablesplunkhttpltipportgt

Disables Splunk flows from Scrutinizer to the URL specifiedReference the Scrutinizer for Splunk Application integration guide for more informationon the Scrutinizer for Splunk integration Warning This command will alter the behavior of Scrutinizer functionality Pleaseuse with caution

disablevmware-tools

Disables vmwaretools for a Virtual Appliance running on VMware Warning This command will alter the behavior of Scrutinizer functionality Pleaseuse with caution

download

Downloads various files and utilities useful to Scrutinizerrsquos operations

Command Descriptiondownload hostrepu-tationlists

Download the latest Flow Analytics Host Reputations Lists manually This isalso automatically updated

download installer Download the Scrutinizer installer to perform upgrades

enable

Enables functionality used by Scrutinizer or incorporated as part of customized development

Warning These commands will alter the behavior of Scrutinizer functionality Please use withcaution

166 8 System

Enables default or custom baselines (manual) based on ele-ments from NetFlow and IPFIX templatesBaselining has several parameters available to customize thespecific baseline data to collect with the lsquomanualrsquo optionPlease reference the Baselining Overview section for detailedconfiguration instructions

enable custom_algorithm ltidenti-fiergt ldquoltalgonamegtrdquo

Reference the Flow Analytics Custom Algorithms section forspecific information on how to configure custom algorithmsand create alarm policies

enable elk httpltipportgt Enables ELK (Elasticsearch Logstash and Kibana) flowsfrom Scrutinizer to the URL specified Additional steps arerequired in Kibana to get the default filters visualizations anddashboardReference the Elasticsearch Kibana (ELK) Integration guidefor more detailed information on the ELK integration

enable splunk httpltipportgt ltsys-log portgt

Enables Splunk flows from Scrutinizer to the URL specifiedThe Scrutinizer for Splunk App is required on the SplunkServerReference the Scrutinizer for Splunk Application integrationguide for more information

enable vmwaretools Enables vmwaretools for a Virtual Appliance running onVMware Running enable vmwaretools also upgrades an ex-isting install of the vmware agent

endace

Third-party integration support for Endace Probes

Command Descriptionendace add lthost_ipgt ltportgtltendace_usergt ltendace_passgtendace remove lthost_ipgtendace update lthost_ipgt ltportgtltendace_usergt ltendace_passgt

Manages integration with Endace Probes For more informationon this integration reference the Configuring Endace Probe Inte-gration guide

expire

Purges data history older then the number of days defined by Scrutinizerrsquos history settings

Com-mand

Description

expirealarms

Expires alarm history from the threatsoverview and fa_transports_violations tables as spec-ified in the Data History Flow Historical 1 Min Avg preference

expirebullet-inboards

Purges alarm bulletin board events older then the number of days defined by Scrutinizerrsquoshistory settings

expirednscache

Purges DNS cache older then the number of days defined by Scrutinizerrsquos history settings

expirehistory[trim]

Expires flow data as defined by Scrutinizerrsquos history settingsIf the optional lsquotrimrsquo mode is passed Scrutinizer will trim older data to make more spaceon the hard disk

expireifinfo

Purges old and outdated interface information

expireinac-tive-flows

Expires interfaces from the interface view that have stopped sending flows Entries areexpired based on the number of hours specified in the Scrutinizer System Preferences(Admin -gt Settings -gt System Preferences -gt Inactive Expiration)

expireorphans

Purges alarm orphan events older then the number of days defined by Scrutinizerrsquos historysettings

export

Run various export commands to dump data out of Scrutinizer for external use

168 8 System

Com-mand

Description

exportlangtem-plateltlang_namegt

The ltlang_namegt parameter is required If the language exists then it will create a CSVfile that shows the english and ltlang_namegt keys If the language does not exist a blanktemplate will be createdThe language file resides at homeplixerscrutinizer-filespop_languages_ltlang_namegt_templatecsv

exportpeaks_csvltfilegtltinter-valgtltdirgtltdate_rangegt[ltgroup_idgt]

Exports a CSV file listing interfaces and peak values based on criteria specifiedValid options for are specified as raw minutes (1 5 30 120 720 1440 10080)Directory must exist as a sub-directory of Scrutinizerrsquos home directory If specifyinghomeplixerscrutinizertemp then use temp as the directoryThe valid ltrangesgt are Last24hours LastFifteenMinutes LastFiveMinutes LastForty-fiveMinutes LastFullHour LastHour LastMonth LastSevenDays LastTenMinutesLastThirtyDays LastThirtyMinutes LastThreeDays LastTwentyMinutes LastWeekLastYear ThisMonth ThisWeek ThisYear Today or Yesterdayltgroup_idgt is optional To see a list of group_ids use show groups

import

Run various import commands to bring external sources of data into Scrutinizer

Command Descriptionimport aclfile Imports ACL information from a file The

file must reside at homeplixerscrutinizer-filesacl_filetxt The format is a direct output ofSHOW ACCESS-LIST directly on the exporter

import applications ltpathfilegt [reset] Import application rules from a CSV fileIt is recommended to use this file and path for theapplications import csv file

homeplixerscrutinizerfilesapplication_importcsvA reset option can be passed which will removeall application rules before the bulk importExpected format is one named application andone application rule per line Supported rule typesare subnet single IP IP range wildcard port andchild rulesValid application rule syntax for PostgreSQL in-stalls are

ldquosubnet rulerdquo100008 ldquosin-gle ip rulerdquo10111 ldquorangerulerdquo10001-100042 ldquowild-card rulerdquo1000102552550ldquoparentchild rulerdquordquomy subnetrdquoldquoports and protocolsrdquo0-65535256

Valid application rule syntax for MySQL installsare

ldquosubnet rulerdquo100008 ldquowildcardrulerdquo1000102552550 ldquoparen-tchild rulerdquordquomy subnetrdquo ldquoports andprotocolsrdquo0-65535256

Applications must have at least one port rule andone of the IP rule types defined above Applica-tions not defined this way will be imported butmay not be tagged properly in flow dataThe format for a ports rule is

lsquoflowclass namersquoport-portprotocolid

lsquoport-portrsquo can be a range of ports (0-65535) or asingle port (443-443)Frequently used protocol ids are

TCP - 6 UDP - 17 All protocols - 256PostgreSQL installs support up to 100000 indi-vidual application rulesMySQL installs support up to 500 individual ap-plication rules

import asns ltpathfilegt [ltdelimitergt] Imports custom asn definitions from a csv fileThe is a required field The path should be spec-ified from after the homeplixer scrutinizer di-rectory The is an optional parameter and defaultsto rdquo rdquo (ie space)The csv file name must be all lowercase and re-quires these elements in this order

AS NumberAS NameAS Descrip-tionIP Network(s)

The fields are comma delimited whereas the op-tional parameter applies specifically to the IP Net-work(s) element A comma cannot be used for theIP Network(s) delimiterExample File

213my_listwhat a great au-tonomous system1000081921680016 214your_listmehits an okay system110008

Example CommandSCRUTINIZER gt import asns files-custom_asnimport

import csv_to_gps ltcsv_filegtltgroup_name|group_idgt [ltcreate_newgt][ltfile_formatgt]

Uploads latitude and longitude locations of de-vices from a csv file and imports them into anexisting Google mapThe csv file must be located in the lsquohome-plixerscrutinizerrsquo directory If the csv fileis in lsquohomeplixerscrutinizerfilesrsquo enterlsquofiles[name_of_file]rsquo as the file nameThe csv file format is lsquoiplatitudelongitudersquo Ifthe csv file format is different specify that layoutas the ltfile_formatgt command parameter EX-AMPLE ldquoiplnglatrdquoEXAMPLE CSV FILE

1016913377749122419419216861407128740059

Provide either the group ID or group name in thearguments The group_id can be determined byrunning show groups Using the optional ltcre-ate_newgt parameter will add new objects if theIP address does not already existEXAMPLE COMMAND SCRUTINIZERgt

import csv_to_gps import_gpsimport 3

EXAMPLE COMMAND with ltcreate_newgt and different file formatSCRUTINIZERgt import csv_to_gps im-port_gpsimport 3 create_new iplnglat

import csv_to_membership ltcsv_filegt ltgroup-typegt [ltfile_formatgt]

Imports group definitions from a csv fileThe csv file must be located in the lsquohome-plixerscrutinizerrsquo directory If the csv fileis in lsquohomeplixerscrutinizerfilesrsquo enterlsquofiles[name_of_file]rsquo as the file nameThe ltgrouptypegt field refers to the map type thatwill be created if the group in the csv file does notalready exist and can be either lsquoflashrsquo or lsquogooglersquoThe default csv file format is ipaddrgroup If thecsv file format is different specify that layout asltfile_formatgt command parameter EXAMPLEgroupipaddrEXAMPLE CSV FILE

1016913Routers19216861Firewalls

import hostfile Imports a custom hoststxt file that contains a listof IP Addresses and hostnames The file formatis

IPv4orIPv6Address HostName Op-tional Description

Example10114 myscrutinizerrocks TheBest Software in my company

The file must be located at homeplixerscrutiniz-erfileshoststxt Warning This command will alter databasetables in Scrutinizer Please use with caution

import ipgroups [ltpathfilegt] [reset] Import ipgroup rules from a csv fileIt is recommended to use this file for the ipgroupsimport csv file

homeplixerscrutinizerfilesip_groupimportA reset option can be passed which will removeall ipgroup rules before the bulk importEach line of the file is an individual ipgroup withthe name of the group as the first field and therules of the group separated by a space in the sec-ond field Supported rule types are subnet singleip ip range wildcard and child rules Any childgroups must already exist in Scrutinizer or be de-clared in the import file BEFORE it can be usedas a rule in another groupValid ipgroup rule syntax for PostgreSQL installsare

lsquosubnet rulersquo100008 lsquosin-gle ip rulersquo10111 lsquorangerulersquo10001-100042 lsquowild-card rulersquo1000102552550lsquoparentchild rulersquorsquomy subnetrsquo

Valid ipgroup rule syntax for MySQL installs arelsquosubnet rulersquo100008 lsquowildcardrulersquo1000102552550 lsquoparen-tchild rulersquorsquomy subnetrsquo

If a named ipgroup within the import file alreadyexists in Scrutinizer that grouprsquos existing ruleswill be overwritten by those declared in the filePostgreSQL installs support up to 100000 indi-vidual ipgroup rulesMySQL installs support up to 500 individual ip-group rules

170 8 System

moloch

Third-party integration support for Moloch probes

Command Descriptionmoloch lton|offgt ltmoloch_ipgtltmoloch_portgt

Manages integration with Moloch probes The ltmoloch_portgtparameter is optional

optimize

Run various optimization tasks

Warning These commands will alter database tables in Scrutinizer Please use with caution

Command Descriptionoptimize common Optimizes tables that are commonly inserted and deleted This action keeps

things neat and clean for the database This command is routinely executed aspart of normal operations

optimize databaseltdb_namegtltdb_passgt

Optimizes the tables in the database specified

repair

Run various database check and repair commands

Com-mand

Description

repairbusi-ness_hour_saved_reports

Saved reports prior to 155 that were saved with business hours will require a manualcheck and repair This command converts older saved reports with business hours speci-fied to the newer format

repairdatabaseltdb_namegtltdb_passgt

Repairs errors for the database specified

repair his-tory_tables

Fixes history tables that have the wrong col type for octetdeltacount It may be updatedin the future to address other issues Warning This command will alter database tables in Scrutinizer Please use withcaution

repair pol-icy_priority_order

With some professional services and automated policy creation some policy IDs havebeen known to get out of whack (or duplicated) This function fixes that Warning This command will alter data in Scrutinizer Please use with caution

repairrange_starts

Fixes history tables that may not have a start time that helps identify the range of datawithin the individual history tablesNOTE This command may take a long time to complete Only execute under the direc-tion of technical support Warning This command will alter database tables in Scrutinizer Please use withcaution

services

Manages the Scrutinizer services

Warning This command will alter Scrutinizerrsquos operations Please use with caution

Command Descriptionservices ltservice|allgt ltactiongt Starts stops or restarts the specified service (or all services)

Modifies certain behaviors on how Scrutinizer authenticates and performs operations

172 8 System

Com-mand

Description

set dns Modify system file to manage list of dns serversThis command will remove any preconfigured dns servers User show dns to see what iscurrently configured Warning This command will alter Scrutinizerrsquos operations Please use with caution

sethostinfoltip_addressgtltfqhngt

Set the local machine name to the fully qualified host name provided Ensures thatetchosts is configured to resolve between the given ltfqhngt and ltip_addressgt Warning This command will alter Scrutinizerrsquos operations Please use with caution

sethttpdltportgt

Change the web port of non-ssl installs for the Scrutinizer WebUI Use set ssl to change theSSL port Warning This command will alter Scrutinizerrsquos operations Please use with caution

setmyad-dress

Change the IP Address of the current Scrutinizer Server Warning This command will alter Scrutinizerrsquos operations Please use with caution

set ntp Modify system file to manage list of ntp servers Warning This command will alter Scrutinizerrsquos operations Please use with caution

set par-titionsltparti-tion_namegt

Expand the operating system disk space for hardware and virtual appliancesNOTE Make a backup before using this command Warning This command will alter Scrutinizerrsquos operations Please use with caution

setpass-wordrootdb

Modify the databasersquos root password Warning This command will alter how Scrutinizer andor users access data Pleaseuse with caution

setpass-wordscrutdb

Modify the databasersquos scrutinizer password Warning This command will alter how Scrutinizer andor users access data Pleaseuse with caution

setpass-wordwebuiltusergt

Modify the webui password for the specified user Warning This command will alter how Scrutinizer andor users access data Pleaseuse with caution

set reg-istercol-lector

Manually register this collector for both stand-alone and distributed use Warning This command will alter Scrutinizerrsquos operations Please use with caution

setreport-menu

Manually recreate the report menuNOTE The report menu is automatically maintained based on the flows received

set saltltsaltgt

Setting a salt value will allow users to mask certain machine characteristics from any li-cense key generated Warning This command will alter Scrutinizerrsquos operations Please use with caution

set self-register[reset]

Manually registers this Scrutinizer Server to identify itself for both stand-alone or dis-tributed functionality Warning This command will alter Scrutinizerrsquos operations Please use with caution

set self-reporter

Promotes this Scrutinizer Server to a reporter Warning This command will alter Scrutinizerrsquos operations Please use with caution

set ssh-collec-torkeys

Generate a new SSH key pair and distribute it to all active registered machines Anyprevious SSH key pairs will be overwritten unconditionally making this suitable for resyn-chronizing SSH access should problems ariseThis enables future functionality to perform upgrades and other maintenance operations enmasse Warning This command will alter Scrutinizerrsquos operations Please use with caution

set ssllton|offgt

Enable or disable SSL support in Scrutinizer It only works with the local Apache serverbundled with Scrutinizer Warning This command will alter Scrutinizerrsquos operations Please use with cautionPlease reference the SystemSSL section for detailed configuration instructions

settime-zonelttime-zonegt

Set the serverrsquos time zone To see a list of time zones run show tzlist Warning This command will alter Scrutinizerrsquos operations Please use with caution

set tun-ing

This command will alter some operating system and Scrutinizer settings in these databasetables plixerexporters and plixerserverprefs and these files sysctlconf postgresqlconf and plixerini Warning Please use with caution or under the supervision of Plixer Support

set voiplton|offgt

Toggles the predefinition of VoIP port ranges on or off Warning This command will alter Scrutinizerrsquos operations Please use with caution

setyum_proxylthostgtltportgtltusergt

Used to set up yum proxy setting in the yum configuration file This command will removeany previously configured proxy serversAll fields are required Once all fields are entered on the command line a prompt for theusers password will appear To see what proxy servers are currently configured use showyum_proxy Warning This command will alter Scrutinizerrsquos operations Please use with caution

Shows various details about the Scrutinizer Server

174 8 System

Com-mand

Description

showalarms[filter]

Displays a list of alarms ordered by timestamp descending

show cus-tom_algorithms

Displays a list of custom algorithms available and whether they are enabled For in-formation on managing custom algorithms reference the Flow Analytics Custom Algo-rithm section

showdiskspace

Displays details about available storage

show dns Displays a list of DNS servers currently used to resolve hostnames Use the set dnscommand to change the list of DNS servers

showexporters[filter]

Displays a list of exporters that are currently sending data to Scrutinizer based on thesupplied filter (if any)

show exta-larms [fil-ter]

Displays a list of alarms with extended json data ordered by timestamp descending

showgroups

Displays a list of groups currently configured on this Scrutinizer server

showinterfaces[filter]

Displays a list of interfaces that are currently sending data to Scrutinizer based on thesupplied filter (if any)

showipad-dresses

Displays the current ip address(es) on this Scrutinizer server

show me-tering [fil-ter]

Displays a list based on the supplied filter (if any) of matching exporter IPs and howeach interface is metered (ie ingress andor egress)

show ntp Displays a list of NTP servers currently used to sync timeshow par-titions

Displays a list of partitions on the current Scrutinizer Appliance This command is onlyavailable for Hardware and Virtual AppliancesUse show diskspace if looking for diskspace per volume (or partition)

showpcaplist

List what current pcap files have been created and their sizes Pcaps can be removedusing the clean pcap command

showserverpref[filter]

Displays serverprefs and their current values The filter parameter is optional to narrowthe serverprefs to match the string provided

show task[name]

Displays a list of tasks currently configured in Scrutinizer The name parameter is op-tional to narrow the task names to match the string provided

showtimezone

Displays the current timezone of this Scrutinizer Server Use set timezone command tomodify the timezone

show tzlist[filter]

Displays the list of timezones

showunknown-columns

List info elements from exporters that are unknown to ScrutinizerDonrsquot fret Give the list to Plixer and support will be added for it

showyum_proxy

Displays the currently configured yum proxy settings To change these settings use setyum_proxy

Note If after running the show command the results are long lsquoqrsquo can be typed in to quit and return tothe SCRUTINIZERgt prompt

Listens at the interface level for traffic from the specified interface or ip address

Command Descriptionsnoop interfaces ltinter-face_namegt

Listens at the interface level for traffic from the specified inter-face

snoop ipaddresses ltip_addressgt Listens at the interface level for traffic from the specified ip ad-dress

system

Scrutinizer system level functions

176 8 System

Command Descriptionsystem ltrestart|shutdowngt system update [sched-ule|unschedule]

Performs system level functions such as reboot-ing shutting down or applying operating systemlevel patchesTo enable daily scheduled operating system up-dates run the lsquosystem update schedulersquo com-mand This will run the system update commandevery day at a random time This time is se-lected outside of the lsquobusiness hoursrsquo set in Ad-min gt Settings gt System Preferences An alert issent to Scrutinizer describing what time this com-mand will run To change the time simply run thelsquosystem update schedulersquo command again A newtime will be selectedTo disable daily scheduled operating system up-dates run the lsquosystem update unschedulersquo com-mandIf operating system patches are applied all Scru-tinizer services will be restarted and could causea minute of missed data

The lsquosystem updatersquo commandwill break installs prior to ver-sion 18 Do not attempt to runthis command on version 1711 orprior

upload

Uploads files for troubleshooting purposes

Command Descriptionupload pcapltcapturefilegt

Uploads the specified packet capture collected by the collect pcap command Tosee a list of captures on this server execute show pcaplist

upload support-files

version

Displays Scrutinizer version

Command Descriptionversion Shows version information about Scrutinizer

87 Language Translations

This software can be translated to another language To translate or localize Scrutinizer to another lan-guage navigate as follows

1 Admin TabgtDefinitionsgtLanguage

2 Select a language and make updates Notice the pagination at the bottom

3 Languages are saved as homeplixerscrutinizerfileslocalize_LANGUAGENAMEHERExls

4 Contact support and they will create a file that can be imported into Scrutinizer to support thedesired language

This feature can be used to make changes to nearly all text in the interface For example by modifyingthe following key types with custom text

bull lsquologinCustomTextrsquo

bull lsquologinCustomTitlersquo

A message can be displayed to people logging in

178 8 System

Links can also be inserted into the message (eg This is my Login Custom message ltugtlta href=rdquohttpwwwplixercomrdquogt with a link ltagtltugt)

These fields can be modified regularly by using a scheduled script to the API which could automatechanges to the login message

88 Mailinizer Setup

Below are the steps to set up this IPFIXifytrade Plug-in

1 Download the latest version of the IPFIXify Agent from wwwplixercom and extract those files toa directory

2 Extract the files contained within this plug-in to the directory where the IPFIXify Agent resides

88 Mailinizer Setup 179

3 Modify the msexchange_2010cfg file and change the collector directive at the top to the COLLEC-TOR_IPPORT of the IPFIX Collector If unsure of which port to use Scrutinizer is listening bydefault on ports 2055 2056 4432 4739 9995 9996 and 6343

4 To verify that the data is being exported properly run the following command from the IPFIXifydirectory

bull ipfixifyexe ndashfile=rdquopathtoMSGTRKrdquo ndashconfig=rdquopathtomsexchange_2010cfgrdquo ndashverbose

bull Please specify the absolute path to both the msexchange_2010cfg and MSGTRKlog files

bull Example ipfixifyexe ndashconfig ldquoCProgram Files (x86)IPFIXifymsexchange_2010cfgrdquo ndashfileldquoCProgram FilesMicrosoftExchange ServerV14TransportRolesLogsMessageTrackingMSGTRKrdquo

5 IPFIXify should (but not required) start as a service if the objective is to automatically collect datawhenever the system restarts

bull ipfixifyexe ndashinstall auto ndashname=rdquoSVCNAMErdquo ndashconfig=rdquopathtocfgrdquo ndashfile=rdquopathtofilerdquo

bull Replace SVCNAME with a short descriptive name and specify the absolute path to the msex-change_2010cfg and MSGTRK files All four parameters are required

Tip For more information on IPFIXify options execute ipfixifyexe without any parameters

89 Meta Data Collection

891 Overview

By default Plixer gathers meta data that determines the general health overall performance and targetedmetrics to help Plixer improve the Scrutinizer Platform

892 How often it is collected

Meta data is collected once a week at a randomly scheduled times during typical peak business hours(M-F 9a to 4p) The actual scheduled time is determined at the time Scrutinizer is installed

180 8 System

893 What meta data is collected

bull Vendor identifies if the Scrutinizer installer is branded as Plixer or an OEM vendor

bull smtpfromEmail The email address configured as the administrator in the server preferences

bull smtp the email server name which is used to identify the customerrsquos company as configured in theserver preferences

bull installedVersion the current version of Scrutinizer installed

bull License Details Identifies license key details such as license level and license state (eg valid orexpired)

bull How many exporters are actively sending flows A count of exporters that have sent flows inthe last 24 hours

bull Server Metrics How many flows per second received packets per second received and flowsdropped per second at the time the data is gathered

bull Flow Template Details All templates and element names exported from the exporters Scrutinizeris currently collecting data from

bull Flow Analytics Exporter Statistics A count of exporters configured for each algorithm

bull Flow Analytics History A list of violating IP addresses from external sources It is used todetermine if outside patterns exist from the aggregated data between globally installed ScrutinizerServers

894 How is the data transferred

The data is encrypted It is sent to phplixercom Port 443 80 and 25 are used depending on portavailability

895 What Plixer Does with the Data

Plixer uses the collected data for support purposes only From the data we can learn which customerscould benefit from a support call to upgrade a system or to fix issues

896 How do I turn it off

By default this functionality is enabled To turn off this functionality go to the Admin Tab select theSettings Menu and click System Preferences

Uncheck the option ldquoShare Health Statisticsrdquo scroll to the bottom and click save

89 Meta Data Collection 181

810 Migration Utility

8101 NAME

Plixer Scrutinizer DB Migration Utility

Note As of version 187 the migrator is shipped within Scrutinizer If you are currently using version186 you will need to contact Plixer support

8102 SYNOPSIS

migrateexe [-d|-f|-m|-p|-r|-t] OPTIONS

This program is used to migrate a Scrutinizer install between different hosts OS and DB platforms Sup-ported Database platforms are MySQL and PostgreSQL Please READ and completely UNDERSTANDthe documentation before using this util on any kind of production database This utility requires one ofthe run mode flags

Run Modes

-d -data Migrate Scrutinizer historical data The system MUST becollecting flows on the destination before doing this

-f -finish Attempt to remove DB ROLEs listed in the migrateini andoutputs necessary SQL commands to do so if not

-j -juxtapose Compare the Scrutinizer SCHEMA between two Databases-m -meta Migrate Scrutinizer meta data The plixer_flow_collector

service MUST be stopped on the destination-p -push Migrate a single specific table

ex migrateexe -p plixerip_groups-r -retreat Un-migrates historical data at the destination server-t -test Tests connections and gathers some initial migrationrarr˓stats

Options

182 8 System

-c -cross_ver Used for cross-version meta data migrations Stompsrarr˓SCHEMA-clobber_version on the destination and re-CREATEs it using the source as

reference The command re-run MUST be performed on therarr˓destinations

Scrutinizer installer after the meta data migration-checksum Performs a checksum per table for migrated historicalrarr˓data

and logs the results-dump Performs a mysqldump or pg_dump of the Scrutinizer meta

data pre-migration to scrutinizerfiles providing thatrarr˓either

mysqldump or pg_dump have been installed in therarr˓environment PATH-flip_ips Will flip the source and destination ips in the

migrateini This is handy if re-IPing the destination-h -help Display this help message-i -inifile Designate a path to a configuration file-l -logfile Designate the path to write a migration log to

scrutinizerfileslogsmigratelog by default-man -info Display the full documentation-q -quiet Suppress terminal progress messages-skip_clock Skips sourcedestination clock test (as risky as itrarr˓sounds)-skip_lock Skips table locking during migration (as risky as itrarr˓sounds)

8103 DESCRIPTION

The Plixer Scrutinizer DB Migration Utility is designed to ease the process of moving a Scrutinizer installbetween hosts andor Database platforms As with any kind of critical database work a complete back-upshould be made before attempting any kind of migration

8104 PRE-MIGRATION

The Migration Utility requires database ROLEs with SUPERUSER privileges that can connect remotelySince this is an obvious security risk temporary ROLEs should be created for the duration of the migra-tion

These Examples assume lsquotmp_userrsquo and lsquotmp_passrsquo as the ROLE

810 Migration Utility 183

SELECT PASSWORD(tmp_pass)+-------------------------------------------+| PASSWORD(tmp_pass) |+-------------------------------------------+| 00C233A85F04B58B5C9728B5BB411DC46F85BA54 |+-------------------------------------------+GRANT ALL ON TO tmp_user IDENTIFIED BY PASSWORDrarr˓00C233A85F04B58B5C9728B5BB411DC46F85BA54FLUSH PRIVILEGES

PostgreSQL

CREATE USER tmp_user WITH SUPERUSER ENCRYPTED PASSWORD tmp_pass

The user will need to update homeplixerscrutinizerpgsqldatapg_hbaconf to allow lsquotmp_userrsquo to con-nect remotely Add this line to pg_hbaconf

host all tmp_user 00000 md5

Restart the plixer_db service

Warning Be sure to remove these ROLEs once the migration is complete The -finish run modecommand will help with this

8105 CONFIGURATION

Most configuration parameters are set in the migration ini file lsquomigrateinirsquo by default The Utility willlook for this file in the present working directory if -inifile is not set

184 8 System

[source|destination database]

DB connection parameters for the migration hosts

_db_host

IP address of the migration host Use the loopback address if running this util locally on one of the hosts

_db_user

The user needs to ensure that the db user named here has full GRANTs to the plixer SCHEMA as well asinformation_schema The lsquorootrsquo user is likely the best bet

_db_pass

Password for the Database User

_db_port

Database connection port Default for MySQL is 3306 5432 for PostgreSQL

_db_dialect

This is the Database connection driver lsquomysqlrsquo for a MySQL database lsquopgsqlrsquo for a PostgreSQLdatabase

The database to use upon connection Leave this blank for MySQL Default for PostgreSQL is lsquoplixerrsquo

186 8 System

[exporters]

inclusions

A space separated list of exporters to include when performing a historical data migration with the -d orndashdata flag

exinclusions= 10113 10114

The migrate utility will attempt to migrate all exporters if it is left blank

exclusions

A space separated list of exporters to exclude when performing a historical data migration with the -d orndashdata flag

exexclusions= 6666 7777

[data range]

intervals

A space separated list of flow history intervals to migrate

Valid entries are1m 5m 30m 2h 12h 1d 1w

By default 1 minute data is not migrated

startend_epoch

Limits the time frame of data migrations to a unix timestamp

[scrutinizer data]

These are specific ldquocategoriesrdquo of Scrutinizer meta data a user may want to migrate from the source installto the destination install This is done when calling the utility with the -m or ndashmeta flag

Any value for these parameters in the migrateini is considered true To avoid migrating a particularcategory leave the value blank

alarms

Migrates Alarm Bulletin Boards Alarm Policies Notification Policies and Flow Analytics Configuration

dashboards

Migrates all Dashboards and Dashboard Gadgets

ipgroups

Migrates custom Applications and IpGroups

objects

Migrates Scrutinizer Maps and Device Tree Groups If using any custom map background images theywill need to be uploaded manually

reports

Migrates Saved Reports and any reports created in Report Designer

188 8 System

systemprefs

Migrates Scrutinizer server preferences scheduled tasks Cross Check configuration and any Third Partyconfiguration

Migrates Scrutinizer users user groups and user preferences

8106 EXAMPLES

Scrutinizer Cross Version Migration

These steps work for either MySQL or PostgreSQL The source server MUST be version 163 or greater

1 Deploy and license the latest Scrutinizer VA for the destination

2 Following the PRE-MIGRATION section create temporary database ROLEs

3 Get the migration utility binary and migrateini file onto the destination

4 Following the CONFIGURATION section fill out the migrateini

5 Stop the plixer_flow_collector service on the destination

6 Test the connections Only proceed if all green [OK] results are displayed

migrateexe -t

7 Migrate the Scrutinizer meta data using the clobber_version flag

migrateexe -c -m

8 Run the latest Scrutinizer installer on the destination

9 Verify the meta data migration was sucessful via the web interface

10 Verify collection has started again The destination must be collecting before continuing

11 Migrate the Scrutinizer historical data within tmux

tmuxmigrateexe -d --skip_version

12 Once the migration is complete be sure to remove the temporary ROLEs

migrateexe --finish

811 Multi-Tenancy Module

The Multi-Tenancy module provides the following features

bull Access to specific tabs (eg Dashboard Maps Status Alarms Admin)

bull Ability to apply permissions to User Groups per flow exportering Interface or per device

bull Set permissions to see dashboards and even the ability to manipulate or copy a dashboard

bull Access to administrative functions

The Multi Tenancy module is useful to companies who need to give customers a unique login and restrictwhat they see Restrictions can be set on specific devices and or interfaces More details regarding thepermissions for specific Usergroups can be read about under Usergroup Permissions

812 NetFlow Help

Activating NetFlow J-Flow sFlow NetStream IPFIX etc

813 NetFlow Knights

The Help tab is a link to httpswwwnetflowknightscom This site is the on-line support community andis used to bring subjects of interest directly to customers and evaluators This is done in several wayssome of which include

bull A frequently updated blog

bull The on-line support forum

Posting a comment or question requires membership Click here to join

190 8 System

814 Searching

8141 Overview

The Search Tool is launched by navigating to Status gt Search This tool provides the means to searchthrough all of the flows stored in the database for specific flows

There are two search options available

1 Saved Flows search

2 Host Index search

Note Only the 1 minute interval tables contain 100 of all flows collected To make sure the system isquerying 1 minute interval data limit the search to under 1 hour of time Visit the AdmingtSettingsgtDataHistory page and increase the ldquoMaximum Conversationsrdquo saved per interval value to increase the volumeof flows saved per interval Be aware that this will likely require more hard disk space Before making anychanges visit the Dashboard tabgtVitals (or StatusgtSystemgtVitals) to view how much hard drive spaceis being consumed

8142 1) Saved Flows search

The Saved Flows search allows a search on the following fields

bull Source Host

bull Destination Host

bull Source or Destination Host

bull Client

bull Server

bull User as Source

bull User as Destination

bull Wireless Host

bull Wireless SSID

814 Searching 191

Note The User as Source and User as Destination search fields allow a search by Username if they arebeing collected from the authentication servers

Other search options

bull Either All exporting devices or a specific exporter

bull Selecting the time range for the search The time range can be either a predefined time range suchas Last 5 minutes Last Ten Minutes etc or a custom timeframe

If flows meet the search criteria for the Saved Flows search a Host to Host report will return the resultsof the search

8143 2) Host Index search

The index is a list of all IP addresses that have been seen in flows either as the source or destination of aflow Because it is an index it does not contain the entire flow contents The Host Index search is used toperform extremely fast searches for hosts

Simply enter the host IP address in the search textbox and click the Search button If the host is found aseither Source or Destination in any flows stored in the database Scrutinizer will return a list including

bull Device (exporterrsquos IP address)

bull First Seen

bull Last Seen

bull Flow Count

Clicking on an IP address in the Device list will open a Report menu The report selected will report onthe last hour of flows received by the host selected

The Host Index search requires that Host Indexing in Admin -gt Settings -gt System Preferences is enabled

Note The host index will retain IP addresses for 365 days by default To make changes visit Admin tab-gt Settings -gt Data History and modify the ldquoDays of host index datardquo Keep in mind that even though thehost index has the IP address searched on the flows used to build the index may have been dropped bythe rollup process

192 8 System

815 Security Updates

8151 Overview

Security updates can be run on demand or scheduled to run on a daily basis The commands to perform thesecurity updates are listed below Plixer recommends scheduled updates be enabled to ensure maximumprotection

The update process will reach out to a plixer repository at filesplixercom to pull down updates Thoseupdates have been applied to our QA servers internally and determined to be stable before being postedto our repository

All patches and updates including vulnerabilities and major upgrades are included in the system updates

An audit event will be logged to the Scrutinizer Alarms table whenever the lsquosystem updatersquo command isrun Each update will also be listed within the audit event In the event of a problem with the securityupdates yum history can be used to roll back updates

If a proxy server is required it can be configured within the yumconf file

8152 Transport Security

The lsquosystem updatersquo command runs yum update using https Firewall policies will need to allow traffic tofilesplixercom on TCP port 443 from your Scrutinizer servers

Cryptographic verification of the downloaded update files is provided by yum

8153 system update command

The lsquosystem updatersquo command will need to be run on each server in a distributed environment It can berun directly from the command line and also from within the Interactive scrut_util utility

If operating system patches are applied all Scrutinizer services will be restarted and could cause a minuteof missed data

815 Security Updates 193

Following is the command syntax to be used when running the scrut_util utility directly from the com-mand line

scrut_utilexe --system update

bull This will pull down updates from plixercom when run

scrut_utilexe --system update --schedule

bull This will schedule the updates to be pulled from plixercom on a daily basis A random hourminuteis chosen to run the update This time is selected outside of the lsquobusiness hoursrsquo set in the Admin gtSettings gt System Preferences page An alert is sent to Scrutinizer and can be viewed in the AuditEvent policy in the Alarms tab

scrut_utilexe --system update --unschedule

bull This will cancel the daily update schedule

INTERACTIVE

The following command syntax is used from within the interactive mode of the scrut_util utility Runningscrut_utilexe from command line will open the interactive prompt

SCRUTINIZERgt system update

SCRUTINIZERgt system update schedule

SCRUTINIZERgt system update unschedule

194 8 System

816 SSL

8161 Configuring SSL in Scrutinizer

Enabling and disabling SSL support in Scrutinizer is done within the Interactive scrut_utilexe shell Itonly works with the local Apache Server bundled with Scrutinizer

To open the Interactive scrut_utilexe use the following command

The Scrutinizer prompt will then display

SCRUTINIZERgt

8162 Enabling SSL

To enable SSL at the Scrutinizer prompt enter

SCRUTINIZERgt set ssl on

Warning This command will alter Scrutinizerrsquos operations Please use with caution Scrutinizerwill then issue the following prompt for these mandatory fields

Enter the secure tcp port to be used ex 443

Enter the two-letter abbreviation for the desired country ex US

Enter the stateprovince of the organization ex Maine

Enter the city of the organization ex Kennebunk

Enter the name of the organization ex Plixer

Enter the contact email address ex namecompanycom

Enter the server name or IP of the Scrutinizer server

816 SSL 195

ex 1234 or scrutinizercompanycom

Enter the key encryption size [2048|4096] ex 2048

Name Field ExplanationCountryName

The two-letter ISO abbreviation for the desired countryexample US = United States

State Province

The stateprovince where the organization is located Can not be abbreviatedexample Maine

City Locality The city where the organization is locatedexample Kennebunk

Organization The exact legal name of the organization Do not abbreviateexample Plixer

Email Ad-dress

The email address for the CA (who to contact)example someoneyourdomain

CommonName

URL to attach to the certificateexample 101110 or scrutinizercompanycom

Key Size 2048 4096example 2048

8163 Creating a signed certificate

1 Enable SSL by running ssl on as described above

2 Send the etcpkitlsprivatecacsr file to the Certificate Authority (CA) and ask them to sign it andreturn it as base 64 encoded and not DER encoded

3 When the signed SSL cert is received stop the apache service within Interactive scrut_util

SCRUTINIZERgt services httpd stop

4 Replace the active SSL Cert with the new one and rename the file to etcpkitlscertscacrt

5 Then start the apache service

SCRUTINIZERgt services httpd start

8164 Disabling SSL

To disable SSL at the Scrutinizer prompt enter

SCRUTINIZERgt set ssl off

196 8 System

817 System LEDs

8171 Overview

The System LEDs are shown in the upper right hand corner providing the status on server health andother various critical operations of the flow collection and reporting architecture Preceding the LEDs isthe letter P indicating that this is a Primary reporting server In a single server installation of Scrutinizerit will always be P In a distributed server environment this letter can alternatively be S for the Secondaryreporting server The LEDrsquos color and the icon indicate the status of the LED

bull Operational ndash Green (checkmark)

bull Degraded ndash Orange (exclamation point)

bull Critical ndash Red (X)

The LED status is based on the most critical level of severity of any item within the detail of the LEDmodal All columns within each LED modal are both sortable and searchable

8172 Scrutinizer Server Health

P [x] [ ] [ ]Scrutinizer Server Health [status]

This LED provides vital server statistical information such as CPU utilization and memory and diskstorage availability The information below is available per Server with the color change occurring at thethreshold levels defined

Note All of the entries in the Server Health LED modal link to trend reports except for the Free DB data entry

817 System LEDs 197

Description ThresholdsGreen Orange Red

CPU CPU Utilization percentage lt=60 lt=85 gt85Memory Available Memory gt8GB gt=4GB lt4GBFree Memory Available Free memory gt=2GB gt=1GB lt1GBFree DiskDB

Available Free Disk space for database gt10 gt4 gt25

Free DB Percent of disk storage that is still available fordatabase

NA NA NA

DB Latency Server to server database latency (in milliseconds) lt250ms gt=250ms NAAPI Latency Server to server reporting latency (in milliseconds) lt1000ms gt=1000ms NAClock Drift Server to server clock difference (in seconds) 0s ltgt0s NA

bull Free Disk DB

If disk space drops below 10 of available space (with a minimum of 10GB) andAuto History Trimming is selected in AdmingtSettingsgtData History Scrutinizer willautomatically start trimming historical data until space available is greater than 10again

If disk space hits 25 of available space the collector will stop saving flows In theevent that the collector stops a utility can be run that expires historical data to free upspace Go to AdmingtSettingsgtData History and adjust the current retention settings

On the server access the interactive scrut_util prompt with the following command

At the scrut_util prompt run

SCRUTINIZERgt expire history

When the above command runs it looks at the settings in the master data history con-figuration then purges historical data based on the current time After the above hascompleted run the following command to restart the Plixer Flow Collector serviceThis will will cause the system to begin receiving and processing flows again

SCRUTINIZERgt services plixer_flow_collector start

8173 Scrutinizer Software Health

P [ ] [x] [ ]Scrutinizer Software Health [status]

198 8 System

The following information is available per Server from this LED

bull Role ndash primarysecondarycollector (secondary and collector used in distributed server environ-ments)

bull API ndash Reporting (web) interface UpGreen means the web server is running DownRed means theweb server is down

bull Database ndash UpGreen means the database is running DownRed means the database is down

bull Collector - UpGreen means the collector service is running DownRed means the collector serviceis down

bull Alarms ndash UpGreen means the Alarmssyslog service is running DownRed means that the Alarmsservice is down

bull Version ndash current running Scrutinizer version

bull Flow Rate ndash flows per second

bull MFSNs ndash Missed Flow Sequence Numbers (see Scrutinizer Exporter Health LED for more infor-mation on MFSNs)

8174 Scrutinizer Exporter Health

P [ ] [ ] [x]Scrutinizer Exporter Health [status]

This LED reports on the data collected by the Plixer flow collector service The flow collector receivesdata from network devices processes it and stores it in the appropriate database tables The collector isalso responsible for rolling raw 1 minute data into 5 minutes 30 minutes 2 hours 12 hours 1 day and 1week intervals Currently the collector service supports NetFlow v1 v5 v6 v7 v8 v9 IPFIX and sFlowv2 v4 amp v5 as well as jFlow cflowd NetStream and others

bull To run the collector from the command prompt (ie CLI) type

homeplixerscrutinizerbinscrut_collectorexe

Note The output from this command is for internal use only

Information available per Exporter

817 System LEDs 199

bull Collector ndash IP Address of the server collecting the flows

bull Exporter ndash IP Addressname of exporter

bull Flows ndash flow collection rate (green=flowsorange=none)

bull Packets ndash packet rate (green=packetsorange=none)

bull MFSN ndash This led turns orange if Missed Flow Sequence Numbers exceed 300 in an interval

If only one or a few of the flow sending devices report high MFSNs it is likely thenetwork or the flow exporting device that is dropping or skipping flows If all devicesreport high MFSNs it is likely to be the collector that is dropping flows To improveperformance make sure the server hardware meets the minimum requirements Visitthe Vitals dashboard for trending details of the server

bull Max Flow Duration ndash

This LED turns orange if the collector is receiving flows with a total flow durationbeyond 60 seconds Make sure these Cisco or similar commands have been entered onthe flow exporting device (eg routers or switches)

ip flow-cache timeout active 1ip flow-cache timeout inactive 15

Learn more about the ip flow-cache timeout commands

bull Templates ndash template count

bull Last Flow ndash timestamp of last flow received

818 Third Party Licenses

Certain open source or other third-party software components are integrated andor redistributed Scruti-nizer software The licenses are reproduced here in accordance with their licensing terms these termsonly apply to the libraries themselves not Scrutinizer software Copies of the following licenses can befound in the licenses directory at homeplixerscrutinizerfileslicenses

8181 Licensed under Apache 20 License

Apache Giraph

200 8 System

GuavahttpsgithubcomgoogleguavaCopyright (c) Google Inc

Jackson JSON ProcessorhttpsgithubcomFasterXMLjackson

818 Third Party Licenses 201

Copyright (c) Jackson Project

WenQuanYi Micro Hei fontshttpsgithubcomanthonyfokfonts-wqy-microhei

202 8 System

8182 Licensed under Artistic 10 License

Common-Sensehttpsearchcpanorg~mlehmanncommon-senseTerms of Perl - No Copyright Author - Marc Lehmann

DBD-mysqlhttpsearchcpanorgdistDBD-mysql

ExtUtils-MakeMakerhttpsearchcpanorg~bingosExtUtils-MakeMakerTerms of Perl - No Copyright

204 8 System

JSONXS

Net-SSLeayhttpsearchcpanorg~mikemNet-SSLeay

206 8 System

TypesSerialiserhttpsearchcpanorg~mlehmannTypes-Serialiser-10SerialiserpmTerms of Perl - No Copyright Author - Marc Lehmann

XML-SAXhttpsearchcpanorg~grantmXML-SAXNo Copyright listed - Terms of Perl

Xml-sax-basehttpsearchcpanorg~grantmXML-SAX-Base-108BuildSAXBaseplNo Copyright listed - Terms of Perl

NetPacket

208 8 System

httpsearchcpanorg~cganesanNetPacket-LLC-001Copyright (c) 2001 Tim Potter and Stephanie Wehner Copyright (c) 1995 - 1999 ANU and CSIRO onbehalf of theparticipants in the CRC for Avanced Computational Systems (lsquoACSysrsquo)

8184 Licensed under BSD 2-Clause Simplified License

8185 Licensed under BSD 3-Clause License

NetcasthttpfreshmeatsourceforgenetprojectsnetcastCopyright (c) Stanislaw Pasko

Net-SNMPhttpwwwnet-snmporgCopyright See licensesnet-snmptxt

strace

210 8 System

httpsourceforgenetprojectsstraceCopyright (c) 1991 1992 Paul Kranenburg Copyright (c) 1993 Branko Lankester Copyright (c) 1993Ulrich Pegelow Copyright (c) 1995 1996 Michael Elizabeth Chastain Copyright (c) 1993 1994 19951996 Rick Sladkey Copyright (c) 1998-2001 Wichert Akkerman Copyright (c) 2001-2017 The stracedevelopers

8186 Licensed under CDDL 10 License

8188 Licensed under CURL License

8189 Licensed Dually under GPL amp MIT Licenses

212 8 System

81810 Licensed under GPL 20 License

jQuery Paginationhttpsgithubcomgbirkejquery_paginationCopyright (c) Gabriel Birke

sshpasshttpfreshmeatnetprojectssshpass

MariaDBhttpmariadborgCopyright (c) The MariaDB Foundation

214 8 System

81812 Licensed under LGPL 21 License

81814 Licensed under MIT License

dshistoryjshttpcodegooglecompdshistoryCopyright (c) Andrew Mattie

216 8 System

httplib2httpsgithubcomjcgregoriohttplib2Copyright (c) 2006 by Joe Gregorios Thomas Broyer James Antills Xavier Verges Farreros JonathanFeinbergs Blair Zajacs Sam Rubys Louis Nyffeneggert Dan-Haim 2007 Google Inc

jQuery Form PluginhttpsgithubcommalsupformCopyright (c) Mike Alsup

jQuery MigratehttpspluginsjquerycommigrateCopyright (c) jQuery Foundation and other contributors

JQuery Validation Pluginhttpbassistancedejquery-pluginsjquery-plugin-validationCopyright (c) Joumlrn Zaefferer

LogalothttpswwwnpmjscompackagelogalotCopyright (c) Kevin Maringrtensson

Moment Timezonehttpmomentjscomtimezone

218 8 System

Copyright (c) JS Foundation and other contributors

MomentjshttpmomentjscomCopyright (c) JS Foundation and other contributors

pboxjshttpwwwibegincomlabs

81815 Licensed under MIT Old Style License

81816 Licensed under Mozilla Public License 11

Rhinohttpsgithubcommozillarhino

81817 Licensed under OpenSSL License amp SSLeay License (conjunctive)

220 8 System

81818 Licensed under Oracle BCL License

81819 Licensed under PostgreSQL License

81820 Licensed under Unicode Inc License Agreement

819 Troubleshooting

8191 Getting Started Guide

Contact Support For assistance setting up the server or the collector or for navigation techniques

How to enable NetFlow or sFlow on various hardware

System LEDs Familiarize yourself with these They should all be green

FAQ This page lists many common questions we have received over the years

Webvideos These are short 2-5 minute videos that offer good general help with different areas of thesoftware

819 Troubleshooting 221

820 Vitals

View vital information on how well the server is handling the NetFlow and sFlow collection volumeMore details can be found at Vitals Reporting and Vitals Dashboard

821 Web Server Port

8211 Overview

This software runs on the Apache Web Server Use the interactive scrut_utilexe utility to change the webserver port Scrutinizer is running on

1 Log on to the Scrutinizer server with administrative permissions

2 Open the Interactive scrut_util prompt with the following command

3 And run

SCRUTINIZERgt set httpd ltportgt

Use the above command to change the web port of non-ssl installs of Scrutinizer Do not edit thehttpdconf manually or certain functionality will not work properly

Note This needs to be run on all servers in the cluster

8212 SSL Support

To change the port for SSL run

Then follow the instructions provided

222 8 System

CHAPTER 9

Implementation Guides

91 Configuring Amazon Web Services flow streaming

911 Overview

The integration between Amazon Web Services (AWS) and Scrutinizer provides insight into networktraffic destined for AWS such as

bull AWS connection latency

bull Top AWS users

bull Top AWS applications

bull Overall traffic load of AWS hosted applications

After configuring Amazon Web Services using Amazon Kinesis to stream logging data to Scrutinizer thefollowing AWS specific flow reports are available in Scrutinizer

bull Action

bull Action with Interface

bull Action with Interface and Dst

bull Action with Interface and Src

bull Interface

bull Pair Interface

bull Pair Interface Action

912 Prerequisites

A minimum of Scrutinizer v1610 is required for the configuration to successfully complete and for theAWS reports to be available

913 Required Information

Before starting the AWS configuration in Scrutinizer the following in information needs to be collected

1 AWS Account ID

(a) In the AWS interface click on the name in the upper right hand corner

(b) Select lsquoMy Accountrsquo

(c) The Account ID is under lsquoAccount Settingsrsquo

2 What region will be monitored

(a) Click the AWS console home link (AWS logo in upper left hand corner)

(b) The region will be in the url Example us-west-2

3 What VPC will be monitored

(a) Go to AWS gt VPC gt Your VPCs

(b) Make note of the VPC ID needed to collect flow data from

224 9 Implementation Guides

914 Create an AWS User for Flow Streaming

The next step is to create an AWS user for flow streaming

1 Go to AWS gt Security Identity amp Compliance gt IAM

2 Users gt Add User

3 Enter a user name Example lsquoScrutinizerConsumerrsquo

4 Select lsquoProgramatic accessrsquo

5 Click lsquoNext Permissionsrsquo

6 Select lsquoAttach existing policies directlyrsquo Check the following policies

bull AmazonEC2ReadOnlyAccess

bull CloudWatchFullAccess

bull AmazonDynamoDBFullAccess

bull AmazonKinesisFullAccess

bull AdministratorAccess

ndash This policy can be removed from this user after the configuration is complete

7 Click lsquoNext Reviewrsquo

8 Verify the policies and access type from above

9 Click lsquoCreate Userrsquo

10 Click lsquoDownload csvrsquo (to be used in lsquoAWS Configuration in Scrutinizerrsquo below)

915 AWS Configuration in Scrutinizer

Next wersquoll add the AWS configuration settings in the Scrutinizer user interface

1 Add the following ScrutinizerConfig credentials in Admin gt Settings gt AWS Configuration

(a) AWS access key ID

This is included in the credentials downloaded for the flow streaming AWS userjust created

(b) AWS Region Name

Gathered in the Required Information step

91 Configuring Amazon Web Services flow streaming 225

(c) AWS secret access key

(d) AWS Stream Name

Defaults to lsquoScrutinizerStreamrsquo and is generated in step 5 (aws_configexe)

(e) Flow Collector IP

IP Address of the server where step 2 (ndashenable aws) will be run

(f) Flow Collector Port

Default 4739

2 Run homeplixerscrutinizerbinscrut_utilexe ndashenable aws

Note The first time this is run on a server that has been upgraded from an earlier version of Scrutinizerit will take a few minutes to install all the required libraries

3 Change to the bin directory

(a) cd homeplixerscrutinizerbin

Note Step 4 is for versions 1610 and 1611 only The aws_configexe file is included with the installand upgrade of versions above 1611

4 Download aws_configexe to the homeplixerscrutinizerbin directory

(a) wget httpfilesplixercomsupportaws_configexe

(b) chmod 750 aws_configexe

5 Run aws_configexe ndashconfigure ndashregion XXX ndashaccount_id YYY ndashvpc_id ZZZ

(a) region account_id and vpc_id are all from the information gathered in the Required Infor-mation section

(b) This will create the AWS Stream Name lsquoScrutinizerStreamrsquo

6 Restart the AWS service

(a) Run service plixer_aws restart

bull It can take 10 minutes before the exporter can be seen

Note If the exporter is not seen within 10 minutes verify that the exporter is not disabled in Admin gtDefinitions gt Manage Exporters

7 Detach the AdministratorAccess policy from the AWS user

916 Frequently Asked Questions

Q Why do I see ldquoUnable to load AWS credentialsrdquo installing modulesA Amazonrsquos package tests assume AWS connectivity is already in place These can be ignored

Q Why are there gaps in the data in 1m and 5m intervalsA Amazon flow logs are updated every 10 minutes

Q It isnrsquot working how can I see what is going onA Turn on debugging and review the log files (see the lsquoTroubleshooting AWSrsquo section below)

Q All commands ran successfully but I donrsquot see the exporterA If no exporter appears after 10 minutes verify that the exporter is not disabled in Admin gt Definitionsgt Manage Exporters

Q How do I add resources to the AWS instanceA Visit the page on AWS Adding Resources

917 Troubleshooting AWS

Overview

AWS integration involves a number of moving parts

bull On the Amazon side of things

ndash Cloudwatch logs are streamed to Kinesis for consumption

bull On the Scrutinizer side

ndash The plixer_aws daemon takes settings from lsquoAdmin gt Settings gt AWS Configurationrsquo andconnects to the Kinesis stream That data is then sent to Scrutinizer as IPFIX

Enabling

If upgrading from a version prior to 1610 required libraries will be installed the first time this commandis run lsquoscrut_utilexe ndashenable awsrsquo This will also install the plixer_aws service

Running

When the service is started all necessary configuration files are rebuilt This means that changes to settingsrequire a restart of the service

service plixer_aws restart

A plixer_awslog file is created under homeplixerscrutinizerfileslogs It will show the service starttime

Debugging

1 Stop the plixer_aws service

2 Go to homeplixerscrutinizerbin

3 Run this command lsquoscrut_utilexe ndashenable aws ndashdebugrsquo

4 Go to homeplixerscrutinizerfiles

5 Run this command lsquokinesisshrsquo

6 Collect plixer_aws_debuglog and plixer_awslog files from homeplixerscrutinizerfileslogs

92 How to Add Resources to a Scrutinizer EC2 Instance

921 Overview

As needs change an instance could become over-utilized if it is too small If this is the case the sizecan be modified For example if an instance named t2micro is resource strapped it can be changedto an m3medium instance When an instance is resized an instance type that is compatible with theconfiguration of the instance must be selected If the instance type is not compatible with the instanceconfiguration the application must be migrated to a new instance

1 SSH to the instance

2 Stop all of the services using the interactive Scrutinizer utility

[ec2-usersupportami ~]$ sudo su [rootsupportami ec2-user] cd homeplix-erscrutinizerbin [rootsupportami bin] scrut_utilexe

Scrutinizer 17112074951 (Mon Nov 20 110935 2017) scrut_util 17112074666(2017-11-03 123414 -0400 (Fri 03 Nov 2017))

SCRUTINIZERgt services all stop

(stop) plixer_flow_collector DONE (stop) httpd DONE (stop) plixer_syslogd DONE (stop) plixer_db DONE

SCRUTINIZERgt quit

Exiting

3 Power off the operating system

[rootsupportami bin] shutdown -h now

4 Open the Amazon EC2 console In the navigation pane choose Instances and select the instance

[EC2-Classic] If the instance has an associated Elastic IP address write down the Elas-tic IP address and the instance ID shown in the details pane

5 Choose Actions select Instance State and then choose Stop

In the confirmation dialog box choose Yes Stop It can take a few minutes for theinstance to stop

[EC2-Classic] When the instance state becomes stopped the Elastic IP Public DNS(IPv4) Private DNS and Private IPs fields in the details pane are blank to indicate thatthe old values are no longer associated with the instance

6 With the instance still selected choose Actions select Instance Settings and then choose ChangeInstance Type Note that this action is disabled if the instance state is not stopped

92 How to Add Resources to a Scrutinizer EC2 Instance 229

7 From Instance Type select the instance type desired If the desired instance type does not appearin the list then it is not compatible with the configuration of the instance (for example because ofvirtualization type)

Choose Apply to accept the new settings

8 To restart the stopped instance select the instance choose Actions select Instance State and then

choose Start

In the confirmation dialog box choose Yes Start It can take a few minutes for theinstance to enter the running state

[EC2-Classic] When the instance state is running the Public DNS (IPv4) Private DNSand Private IPs fields in the details pane contain the new values that we assigned to theinstance If an instance had an associated Elastic IP address it must be reassociated asfollows

In the navigation pane choose Elastic IPs Select the Elastic IP address that was writtendown in the above step before the instance was stopped Choose Actions and thenchoose Associate address From Instance select the instance ID that was written downbefore the instance was stopped then choose Associate

9 SSH into the instance and use the interactive utility to retune the instance

[rootsupportami ec2-user] cd homeplixerscrutinizerbin [rootsupportami bin]scrut_utilexe

SCRUTINIZERgt check tuning

SCRUTINIZERgt set tuning

93 Configuring Ciscorsquos FireSIGHT eStreamer Client

931 Overview

Cisco FireSIGHT Management Center centrally manages network security and operational functions forCisco ASA with FirePOWER Services and Cisco FirePOWER network security appliances

Configuring the FireSIGHT eStreamer Client to send flows to Scrutinizer will make the following flowreports available

bull App Internet HTTP Host

bull Application E-Zone amp Sub Type

bull Application I-Zone amp Sub Type

bull Firewall List

93 Configuring Ciscorsquos FireSIGHT eStreamer Client 231

bull Ingress and Egress Zones

bull User App HTTP Host

bull User App HTTP URL

bull User Application

bull Web App amp CoS

bull Web App Event amp Rule Details

bull Web App and Source IP

932 Prerequisites

Minimum required versions are

bull Scrutinizer v162

bull eStreamer 54

Before starting the eStreamer Client configuration two pieces of information are needed

bull Scrutinizer collectorrsquos public IP Address

ndash Itrsquos 1030115 in the example

bull FireSIGHT eStreamer IP Address

934 Register Scrutinizer with FireSIGHT

Start with the Client configuration in the FireSIGHT Defense Center

1 Log into the FireSIGHT Defense Center

(a) For Firepower v54 Navigate to System gt Local gt Registration

b For Firepower v6x Navigate to System gt Integration gt eStreamer

(The remaining steps apply to both versions of Firepower)

2 Enable all eStreamer Events and click the ldquoSaverdquo button at the bottom of the list

(a) Wait for the page to refresh It may not give any other indication that a change has beenmade

3 Click on the ldquo(+) Create Clientrdquo button on the right

4 Enter the Scrutinizer collectorrsquos public IP Address

5 Enter a password (optional)

(a) If a password is entered remember it It will be needed in a later step

6 Find the newly configured client in the list and click the download button to the right of the client

(a) Download and save the client certificate

7 License Scrutinizerrsquos eStreamer Client

(a) Upload the client certificate to homeplixerscrutinizerfiles on the Scrutinizer appliance

(b) example

scp ~Downloads1030115pkcs12 plixer1030115homeplixerscrutinizerfiles

935 Configure Scrutinizerrsquos eStreamer Client

Now it is time to move over to the Scrutinizer collector server and configure the client

1 Create or edit etcfiresightini with contents like the example above but with details changed toreflect the unique network

(a) There is also a sample file installed with Scrutinizer in homeplixerscrutinizerfilesfire-sightinisample that can be edited and moved to the etc folder

2 Scrutinizerrsquos eStreamer client will reconfigure itself every time a change is saved to firesightini Itmay be better to edit a separate file and copy it into place when ready

3 The eStreamer client will export flows to the collector at CollectorIP and CollectorPort

4 fdi_templates is the path where the export templates are defined Use the location provided in theexample

5 The eStreamer client will connect to the FireSIGHT at the firesight host and port

6 pkcs12_file is the location FireSIGHT certificate was updated

7 pkcs12_password is the certificate password or blank if a password wasnrsquot specified

8 fs_bind_addr is the eStreamer client address registered with FireSIGHT (Scrutinizer collector IPAddress) It must be a bindable address that can route to the eStreamer service

9 export_to tells the eStreamer client which collector or collectors will receive exported flows

bull There can be more than one ldquocollectorrdquo andor ldquofiresightrdquo but they must have different names

bull One ldquocollectorrdquo can receive flows from multiple ldquofiresightsrdquo

bull One ldquofiresightrdquo can export flows to multiple ldquocollectorsrdquo

936 Wait for Flows

Flows should be observed in Scrutinizer within a minute Contact Plixer Technical Support if they do notappear after a few minutes

94 Configuring Endace Probe Integration

941 Overview

Endace captures packets on the network Searching through what can be thousands of packets or morein the packet capture (pcap) can be very time consuming and tedious Using Scrutinizerrsquos flow collectionwith the Endace probe integration finding the specific packet capture detail that correlates to the flow datain question is simplified

With this integration Scrutinizer allows the user to quickly filter down to to certain flow data related tothe issue then the Endace Probes can be selected from the reporting menus to download just the packetsrelated to the specific flow data observed in Scrutinizer

942 Setting up Endace Packet Capture Integration

In order to configure Scrutinizer to download the packet captures from Endace probes the probe mustfirst be added (endabled) via the Interactive scrut_utilexe utility on the Scrutinizer appliance

To access these commands open the Interactive scrut_util prompt by running

Then in the SCRUTINIZERgt prompt use the following commands to configure the probes

bull Add a probe

SCRUTINIZERgt endace add

bull Remove a probe

SCRUTINIZERgt endace remove

bull ChangeUpdate a probe

SCRUTINIZERgt endace update lthost_ipgt ltportgt ltendace_usergt ltendace_passgt

943 Accessing Endace Probes in Scrutinizer

There are three ways to access the probes from within Scrutinizer

1 Vendor Specific Menu

2 Violated Alarms

3 Reports with IP Addresses

Vendor Specific Menu

From the Status tab gt Vendor Specific menu there is an Endace Probes option This option allows the userto access the Endace device without being in a report This is especially handy when the users alreadyknows the IP Addresses protocol and ports Take the following steps to access Endace packet capturesvia the Endace the Probes option

1 Select the Status tab

2 Select the Vendor Specific menu

3 Select the Endace Probes menu entry

4 Complete the following fields

bull Initiator IP

bull Target IP

bull Protocol

bull Initiator and Target Port fields are optional

5 Click Search

6 Download the pcap and open it in the desired packet analyzer

Violated Alarms

More details can be investigated on the Alarms generated This can be done be using the followinginstructions to access Endace Reports from Violated Alarms

1 Select the Alarms tab

2 If looking for a specific Alarm type

(a) Select ViewsgtgtBulletin Board by Policy

(b) Select the Policy Violated desired to retrieve the packet details

(c) Or expand the Violators list for that Policy and select the Violator that packet details aredesired for

3 If looking for a specific Violator

(a) Select ViewsgtgtBulletin Board by Violator

(b) Select the Violator Address to get the packet details

(c) Or expand the Policies Violated list and select the Policy that packet details are desired for

94 Configuring Endace Probe Integration 239

4 In the Bulletin Board Events page

5 Click the dropdown arrow between the Board Name and Message columns

6 Select Endace Probes

bull Any relevant details from the alarm are pre-populated This is useful because the actualpackets from the conversations that triggered alarms become available

7 Click Search

8 Download the pcap and open in your favorite packet analyzer

Reports with IP Addresses

The Reports with IP Addresses option allows the user to select the source or destination IP Address (orDNS Name) from a report and get information from the Endace probes

To investigate further into a conversation launch the flow report this is a great option

1 Start within a report that includes source and destination IP Addresses

2 Select an IP Address from the report

3 Select Other Options from the dropdown menu

4 Select Endace Probes from the Other Options menu

bull Any relevant details from the conversation are pre-populated This is useful because the usercan get to the actual packets from the conversation

5 Click Search

95 Configuring Scrutinizer for DualMulti-homing

951 Security Considerations

Scrutinizer is configured with Reverse-Path Filtering which is disabled by default It allows the collectorto receive flows from IP addresses that it does not know how to route to This functionality exists in orderto allow collectors to receive non-local traffic that may have been forwarded by a proxy or replicationappliance and is intended ONLY to be used when Scrutinizer

1 is in a secure environment

2 has a single interface

Plixer recommends that in multi-interfacemulti-homed situations and where strict networking practicesare required best practices defined in RFC 3704 should be observed This is required in order to ensurethat spoofedforged packets are not used to generate responses that are sent out another interface

It is recommended the following steps be taken

1 Enable Reverse Path Forwarding ndash

Edit the etcsysctlconf and modify the line ldquonetipv4confdefaultrp_filter = 1rdquo toldquonetipv4confdefaultrp_filter = 0rdquo

2 If the goal is to not restart networking after editing this file simply run the command ldquosysctlnetipv4confdefaultrp_filter = 0rdquo and this should turn it on (editing the file is still required)

3 Make sure the routing tables contain routes to all networks that will be receiving flows Failure toproperly configure routing will result in the inability to collect flows from non-local address spaces

952 Virtual Routing and Forwarding (VRF) Mode

In certain circumstances it might be best to isolate the routing tables from the management networkCommon cases for this are either security requirements or the management network may overlap with IPaddresses on the collection side interfaces

In these cases separate routing tables can be created in order to isolate management traffic to the manage-ment interface Collection and polling traffic will then only impact their respective interfaces

953 Configuration Examples

In this example Scrutinizer has 2 interfaces eth0 and eth1 Each will have its own routing table Onecalled ldquoplixerrdquo another called ldquopublicrdquo

Configure separate routing tables

In this example notice that 2 default gateways are configured This would not be possible under a standardconfiguration with a single routing table Each maintains separate isolated IP networks which are notroutable to one another on the Scrutinizer box

1 Add the 2 routing tables to the file named ldquoetciproute2rt_tablesrdquo The 2 lines will result in thefile looking like this

95 Configuring Scrutinizer for DualMulti-homing 241

reserved values255 local254 main253 default0 unspec local1 inrruhep1 public2 plixer

2 Create file etcsysconfignetwork-scriptsroute-eth0 containing the following

default via 17216220 table plixer

default via 1011251 table public

4 Interfaces do not need any special configuration Here is an example based on the above configura-tion

etcsysconfignetwork-scriptsifcfg-eth0DEVICE=eth0BOOTPROTO=noneHWADDR=NM_CONTROLLED=yesONBOOT=yesBOOTPROTO=nonePEERDNS=noTYPE=EthernetNETMASK=2552552550IPADDR=1721627

etcsysconfignetwork-scriptsifcfg-eth1DEVICE=eth1BOOTPROTO=noneHWADDR=NM_CONTROLLED=yesONBOOT=yesBOOTPROTO=nonePEERDNS=no

TYPE=EthernetNETMASK=25525500IPADDR=1014190GATEWAY=1011251

5 Restart the server in order to make sure networking is reset and operating properly

6 Verify that iptables are configured to accept or deny the traffic desired on each interface

96 Creating a Network Map

961 Overview

Network Maps are useful in Scrutinizer to give a quick visual of the overall Network health They canalso easily be added to dashboards for display on a big screen in the Network Operations Center as itallows for issues to be quickly identified

Two types of maps are available Plixer maps and Google maps

Plixer Maps can be used to completely design a topology by arranging the flow sending exporters andother types of network devices in a desired format Adding custom background images custom objectsand text boxes is also possible These maps can reflect exactly how the network is laid out by including animage of the wiring closet as a background and then overlaying the flow exporting devices Connectionscan be added which represent utilization between the devices

The feature allows for multiple maps with links between them Hierarchies can also be established whichallow alerts to roll up to the top map

Google Maps can provide a geographical representation of the network By adding physical addresses tothe objects Google maps will automatically perform a GPS lookup of longitude and latitude coordinatesthen the devices are placed on the map based on those coordinates

Google maps are especially handy when multiple network topologies are locationed within a single citystate or country This type of map not only allows users to see at a glance what network device is havingissues but also where in the world it is located

96 Creating a Network Map 243

962 Creating a Plixer Map

1 To create a Plixer Map start by clicking on the Maps tab

2 Select ldquoCreate a Group (Map)rdquo

3 The ldquoCreate a Group (Map)rdquo modal will pop up in the center of the screen

Note Learn how the map configuration process works in just a few minutes by watching this video onYouTube

97 Creating Thresholds and Notifications

971 Overview

Thresholds are used to receive notification of

bull potential problems on network devices

bull excessive utilization on interfaces

bull devices that appear to be down

bull violation of algorithms in flow analytics

bull and more

This guide will demonstrate how to properly set thresholds and set up notifications based on violations

972 Setting the Global Threshold

Scrutinizer relies the SNMP poller to determine the link speed of an interface These values are used tocalculate interface utilization percentages

bull Link speed is commonly referred to as ifSpeed

bull The link speed can also be changed manually per interface

When the interface utilization percentage reaches a specific level an alarm is triggered to indicate highutilization The default utilization percentage set in Scrutinizer is 90 Depending on the link speed(s)received from the SNMP poller admins may want to increase or decrease the values obtained from pollingthe device To change the Global threshold for utilization navigate as follows

Admin TabgtSettingsgtSystem Preferences

1 Scroll down to Threshold ndash Utilization

2 Edit the percentage as needed

3 Click Save

973 Applying a Notification to the Global Threshold

Once the ifSpeed is set and the global threshold is set notification can be applied This notification canbe in a number of forms (email logfile syslog snmptrap script and auto-acknowledge) and will sendan alert when the threshold is breached To add a notification to the global threshold policy navigate to

Admin TabgtDefinitionsgtPolicy Manager

1 Enter lsquoInterface Exceededrsquo in the search field

2 Click the Search button

3 Then click on the lsquoScrutinizer Interface Exceeded Thresholdrsquo Policy when itrsquos dis-played

4 Next click on the Assign button select the Notification profile previously set up (seebelow to set up a Notification profile) then click Save

974 How to Create a Notification that is sent via email

Example

I want to run a default report that monitors total bandwidth on a particular interface

When it exceeds a threshold that I will specify I want to have it send an email to me

97 Creating Thresholds and Notifications 245

975 Creating the Notification Profile to use

Navigate to

Admin TabgtDefinitionsgtNotification Manager

1 Select New and enter a profile name for this notification

2 Click Add Alert

(a) Specify the email address to send the report to

3 Press Save Alert when done

976 Adding a Threshold that sends an email notification

Now that a notification profile has been set up a report which will trigger an email alert can be configuredAdding a threshold to a report requires that the report first be Saved

Use the following steps to create a Saved Report

1 Go to the Status tab to bring up the Top Interfaces view

2 Click on the interface name for the reports available list

3 Select Top Reports gt Applications Defined from the report menu This will launch a report for thelast 24 hours

4 To save this report

(a) In the upper left enter a name in the report text box

(b) Click the Save icon above the report name

5 Next in the Saved Report click the FiltersDetails button on the left Click the Threshold tab in themodal The threshold will use the parameters already defined in the report (Total vs Rate Bits orBytes etc)

6 Enter a threshold for the Total amount of traffic reported or Per Row which tells Scrutinizer tolook at each line in the report table and match it against the threshold This is useful for applyingthresholds to Users or Applications

7 After completing the fields in the modal click the Save Threshold button and another window willopen prompting the user to select a Notification Profile

8 Click the dropdown list that says lsquoNonersquo and select the profile that was created earlier then clickSave

9 To create a new Notification profile click the Manage Notifications button

10 Notice that the Notification Profile was added to the Threshold

With the threshold set any time traffic on the specified interface exceeds the value set an email alertincluding the specific violation information will be sent

If any assistance is needed please contact us

98 Elasticsearch Kibana (ELK) Integration

981 Overview

What does ELK integration with Scrutinizer do

bull From within Scrutinizer searches for IP Addresses in Kibana can be launched

bull From Kibana users can view Scrutinizer Vitals and FA TopN gadget details

982 What is ELK

Elasticsearch - A searching service to look through the stored data collected by Logstash

Logstash - A means to collect logs and events (like syslogs) and filter them in a specific way to be storedfor later analysis

Kibana - Front-end to present data by creating dashboards and visualizations similar to Scrutinizerrsquosdashboards and gadgets

983 Integration Prerequisites

Kibana 42

Scrutinizer v1512+

Note The following configuration instructions apply to Scrutinizer v167 and later If an earlier versionof Scrutinizer is installed contact plixer for assistance

98 Elasticsearch Kibana (ELK) Integration 247

984 Kibana Searches from Scrutinizer Reports and Alarms

The following steps will walk through how to search Kibanarsquos database from Scrutinizer reports

1 Select a Scrutinizer report that includes IP addresses

(a) Select a host of interest and click on it

(b) Select lsquoOther Optionsrsquo from the Reports menu

(c) Select lsquoKibana (ELK)rsquo

2 The IP address and report timeframe are passed to Kibanarsquos search engine for detailed Kibanareporting

For more detail (from Kibana) on Scrutinizer Alarms follow these steps

1 Go to the Alarms tab in Scrutinizer and select either

(a) Bulletin Board by Violator Select a violator

(b) Bulletin Board by Policy Select the policy

2 In the Bulletin Board Events view that opens click on the dropdown arrow to the left of the Messagecolumn for the alarm that was selected

3 Select lsquoKibana (ELK)rsquo from the Available Options menu and the Violatorrsquos IP address and time-frame of the violation are passed to Kibana

bull If the Violatorrsquos IP address and an alarm time (not timeframe) are being passed then 30minutes before and after the alarm time is searched

985 Scrutinizer Reporting from within Kibana

Within the Kibana (ELK) integration with Scrutinizer dashboards can be setup which include

bull Scrutinizer Vitals information

bull Flow Analytics TopN Algorithms

The Scrutinizer Vitals dashboard in Kibana can include

bull CPU

bull Memory

bull Disk Usage

bull Flows per collector

bull Status per collector

Dashboards created with the TopN Algorithm gadgets from Flow Analytics include

bull Top Applications

bull Top Countries

bull Top Rev 2nd lvl Domains (Top reverse 2nd level domains)

bull Top Flows

bull Top Hosts

bull Top Jitter

bull Top Networks

986 How to Configure ELK Integration with Scrutinizer

There are two components to the ELK Integration

1 Preparing Scrutinizer

2 Importing the necessary files into Kibanarsquos UI

Preparing Scrutinizer

Note Flow Analytics must be enabled and collecting statistics for the Top X Algorithms

2 Open the Interactive scrut_utilexe prompt with the following command

3 And run

SCRUTINIZERgt enable elk httpltipportgt

ltipportgt is the ELK serverrsquos IP address and port

After a few moments Scrutinizer will begin to send events to ELK

bull To test the data export from within the scrut_util shell run

collect elk ltelk_ipgt

bull To disable the data export run

disable elk httpltipportgt

Preparing Kibana

Integrating ELK with Scrutinizer displays details in Kibana that have been collected and processed byScrutinizer For more information visit Plixerrsquos Elasticsearch Kibana Integration page

1 After enabling the ELK integration on Scrutinizer refresh the index on Logstash in order to getScrutinizerrsquos fields to show up In Kibana go to Indices gt Logstash Click on the Reload field listicon at the center top of the screen

2 Download the Kibana Integration Plugin from the Elasticsearch Kibana Integration page

(a) Extract the files from the scrutinizer-elkzip file

3 In Kibana go to Settings gt Objects gt Import gt Visualizations and navigate to the elk-scrutinizer-visualizationsjson file extracted in Step 2a above and click Open

4 Go to Settings gt Objects gt Import gt Dashboards and navigate to the elk-scrutinizer-dashboardsjsonfile extracted in Step 2a above and click Open

5 The Kibana dashboards and visualizations are now all imported and events have been configured tobe coming from Scrutinizer

6 From the Visualize tab scroll to the bottom and filter for a specific visualization Typing Scrutinizerin the filter for example will show all of the Scrutinizer visualizations

7 From the Dashboard tab navigate around the various Scrutinizer dashboards imported

99 Scrutinizer for Splunk Application

991 Overview

What does the Scrutinizer for Splunk Application do

bull From within Scrutinizer searches for IP Addresses can be launched in Splunk

bull From Splunk Scrutinizer Vitals and FA TopN gadget details can be viewed

992 Splunk Searches from Scrutinizer Reports and Alarms

The following are the steps necessary to search Splunkrsquos database from Scrutinizer reports

(c) Select lsquoSearch Splunkrsquo

2 The IP address and report timeframe are passed to Splunkrsquos search engine for detailed Splunkreporting

For further details (from Splunk) on Scrutinizer Alarms follow these steps

(a) Bulletin Board by Violator

i Select the violator desired

(b) Bulletin Board by Policy

i Select the policy desired

2 In the Bulletin Board Events view that opens click on the dropdown arrow to the left of the Messagecolumn for the alarm selected

3 Select lsquoSearch Splunkrsquo from the Available Options menu and the Violatorrsquos IP address and time-frame of the violation are passed to Splunk

993 Scrutinizer Reporting from within Splunk

With the Scrutinizer for Splunk Application dashboards can be setup which include

The Default Dashboard view for the Scrutinizer - Splunk Application is the Vitals information whichincludes

99 Scrutinizer for Splunk Application 251

bull CPU

bull Memory

bull Disk Usage

Other Splunk menus can include links to the Scrutinizer tabs

bull Dashboards

bull Maps

bull Status and Reports

bull Alarms

bull Admin and Settings

Additionally panels can be created which are based on the TopN Algorithm gadgets from Flow Analytics

bull Top Countries

bull Top Flows

bull Top Hosts

bull Top Jitter

bull Top Networks

bull and more

Note Clicking on any entities in the graphs or detail in a table report will run a Splunk search for thatdetail and time range As mentioned earlier those searches can also be initiated directly from Scrutinizerreports or alarms

A menu can be added which consists of useful links on our website

bull plixercom

bull Configure NetFlow

bull Internet Threat Center

bull Latest Blogs

bull NetFlow Knights

994 How to Configure Splunk Integration with Scrutinizer

There are two components to the Splunk Integration

bull Preparing Scrutinizer

bull Installing the Scrutinizer for Splunk Application on Splunk

The following configuration instructions apply to Scrutinizer v167 and later If an earlier version ofScrutinizer is installed contact Plixer directly for assistance

2 To enable the ScrutinizerSplunk integration from the command line

(a) Run

(b) At the SCRUTINIZERgt prompt run

SCRUTINIZERgt enable splunk httpltipportgt ltsyslog portgt

ltipportgt is Splunk IP address and port

ltsyslog portgt is port used to send syslogs to Splunk

After a few moments Scrutinizer will begin to export data to Splunk

bull To manually collect data from Scrutinizer and send to Splunk run

SCRUTINIZERgt collect splunk ltsplunk_ipgt ltportgt

SCRUTINIZERgt disable splunk httpltipportgt

Installing the Scrutinizer for Splunk Application on Splunk

The Scrutinizer for Splunk App displays details that have been collected and processed by ScrutinizerFor more information visit Plixerrsquos Splunk Integration page

1 Download the Splunk Plugin using the link at the bottom of the Splunk Integration page

2 Log into Splunk

3 Click ldquoApps gt Manage Appsrdquo

4 Click ldquoInstall app from filerdquo

5 Click ldquoChoose Filerdquo and locate the PlixerScrutinizerForSplunkspl file within the Splunk Plugin filedownloaded in Step 1

(a) If upgrading the plugin click the ldquoUpgrade Apprdquo checkbox below the ldquoChoose Filerdquo button

6 Click the ldquoUploadrdquo button

7 Follow the onscreen instructions and restart Splunk

8 Navigate to the ldquoApps gt Manage Appsrdquo menu

9 Locate the ldquoScrutinizer for Splunkrdquo app in the list below and click the ldquoView Objectsrdquo link associ-ated to the application

10 Locate the ldquoDefaultrdquo link and click it

11 Replace the text ldquohttpADD_SCRUTINIZER_ADDR_HERErdquo with the link to the desired Scruti-nizer server (eg https10111288)

12 Click the ldquoSaverdquo button and then access the Scrutinizer application in the Apps menu

After a few minutes data will begin to show up in Splunk and the graphs will begin to fill in

910 Third Party Integration

9101 Enabling Third Party

Third party integration from Scrutinizer can be enabled by navigating to Admin gt Definitions gt 3rd PartyIntegration Simply select an integration in the dropdown menu and enter the integration URL of thedesired integration server in the URL box Uncheck the disable checkbox otherwise the integration onthe Device Explorer wonrsquot be visible

Some integrations require object ID translations such as PRTG and Solarwinds Please review the setupinstructions if these types of integrations are going to be enabled

9102 PRTG Integration

PRTG integration can be enabled by navigating to Admin gt Definitions gt 3rd Party Integration Additionalfields are required to connect to the PRTG API

1 Select PRTG in the dropdown menu

2 Uncheck the lsquodisabledrsquo checkbox

3 Fill out the additional fields that appear

Field DescriptionProtocol The default is https but http can be entered if PRTG is set up to use itIP The IP address of the PRTG serverPort The default is 443 but another port can be entered if PRTG is configured to

use itUser The login user to connect to PRTG APIPass-word

The login users password to connect to PRTG API

4 Click the Save button

Note Defaulted fields assume that the PRTG instance is running on HTTPS If the local install is runningon a different port or using a different protocol the settings can be adjusted to match what is configuredon the PRTG server (PRTG Administration Tool gt Web Server Tab)

910 Third Party Integration 255

Now that the PRTG third-party integration is enabled its icon will be displayed in the Device Tree foreach exporter on the Status Tab and the Maps tab By clicking on the PRTG icon a browser is launchedPRTG will then display the device statistics for the exporter selected in Scrutinizer

9103 Solarwinds Integration

The Solarwinds integration can be enabled by navigating to Admin gt Definitions gt 3rd Party IntegrationAdditional fields are required to connect to the Solarwinds API

1 Select Solarwinds in the dropdown menu

Field DescriptionIP The IP address of the Solarwinds serverUser The login user to connect to Solarwinds APIPass-word

The login users password to connect to Solarwinds API

Port The default is 17778 but another port can be entered if Solarwinds is config-ured to use it

Warning Please be aware that Solarwinds includes the User ID and Password in plain text in theURL Using HTTPS will protect the integrity of the credentials over the network but they will still bevisible in the URL per process set by Solarwinds

Now that the Solarwinds third-party integration is enabled its icon will be displayed in the Device Treefor each exporter on the Status Tab and the Maps tab By clicking on the Solarwinds icon a browser islaunched Solarwinds will then display the device statistics for the exporter selected in Scrutinizer

Solarwinds Integration Into Scrutinizer

Should you wish you can pivot from the Node Details page in Solarwinds NPM into a Scrutinizer reportYou can add a link into Scrutinizer from your Solarwinds NPM installation by following these steps

Note This integration was written with Solarwinds NPM 122 It is not guaranteed to work on olderinstallations

1 Navigate to Settings gt All Settings

bull Under the section Node amp Group Management choose Manage Custom Properties

2 Click Add Custom Property

bull Select Nodes from the dropdown list

ndash Fill out the name and description fields for the property (eg Scrutinizer)

ndash Click Next

3 Now to assign this property to your existing nodes

bull Click the button labeled Select Nodes to specify your exporters

bull You may select all or just a few

ndash Click the Add arrow to move your selected exporters

ndash Choose Select Nodes when you are finished

4 Now to add the value for all these nodes This is where we specify the Scrutinizer info

bull Fill in the value box with the following code

lta href=httpSCRUTINIZER_IP_ADDRESSsearchhtmlel=$IP_Addressamprarr˓reportType=conversationsgt

ltimg src=httpscdnplixercomwp-contentuploads201609rarr˓scrutinizer_logo-300x49png height=49 width=300gtltimggtltagt

Tip You can specify the default report type that opens in Scrutinizer by editing the code block in step4 To specify another report type by the API report name for example ldquoConversations WKPrdquo is knownas conversations you just need to replace the reportType field in the url

bull Make sure you specify the IP address of your server in the above URL where it says SCRUTI-NIZER_IP_ADDRESS

bull Then click Submit

5 You will now have a custom properties widget on your node details page for all your selected hosts

bull Clicking the Scrutinizer logo will open a report in Scrutinizer

911 Using the Reporting API

9111 Overview

The Reporting API (Application Program Interface) is a simple way to access the report data via HTTPor command line

9112 Getting Started

Authentication

The Reporting API uses authentication tokens They can be configured under Admin gt Security gt au-thentication tokens

The auth tokens give the API privileges to access resources in the product which are based off of securitygroups

911 Using the Reporting API 261

Requesting a Report via HTTP

To request a report via HTTP using the API a POST or GET request must be made to this base URIldquohttp[SCRUTINIZER_SERVER]fcgiscrut_fcgifcgirdquo passing the following four (mandatory)fields

bull rm=report_api

bull action=get

bull rpt_json=

bull data_requested=

rm=report_api is always the same when accessing the Report API

action tells the API what we want to do Currently the only action supported is lsquogetrsquo

rpt_json takes the JSON string containing the details for the report (See Reference Guide gt rpt_json formore information)

data_requested is used to indicate what data from the report we need It also takes a JSON string

Requesting a Report via the Command Line

Using the Report API in the command line doesnrsquot require authentication since the user will need consoleaccess to the Scrutinizer server To request a report

Run ldquohomeplixerscrutinizercgi-binreportingcgi -getReport -rpt_json= lsquo[JSON STRING WITHREPORT DETAILS]rsquo -data_requested= lsquo[JSON STRING WITH DATA REQUESTED DE-TAILS]rsquordquo

9113 Examples

httpsSCRUTINIZER_SERVERtab=tab3ampsubCat=reportamprpt_json=rarr˓reportTypeLangconversationsreportDirectionsselectedinboundrarr˓timesdateRangeLastFiveMinutesstartendfiltersrarr˓sdfDips_0in_0A0101FB_ALL

JavaScript

This example illustrates how to make an AJAX request to the reporting API using Javascript amp jQuery

var url = http[SCRUTINIZER SERVER]fcgiscrut_fcgifcgivar report_details =

reportTypeLang conversationsreportDirections selected both

times start 1426001640end 1426088100

filters

sdfDips_0 in_0A040101_0A040101-0dataGranularity

selected auto

var data_i_need =

inbound graph alltable

query_limit offset 0max_num_rows 1000

outbound

table query_limit

offset 0max_num_rows 1000

$ajax(

type POSTurl urldata

rm report_apiaction getrpt_json JSONstringify( report_details )data_requested JSONstringify( data_i_need )

success function( response ) if ( responseerr )

alert(responsemsg) else

consolelog(response)return

There are example scripts that are included in Scrutinizer in the homeplixerscrutinizer-filesapi_examples directory Examples of files in this directory

bull api_report_examplepl

ndash This script will run a report and return the results It consists of three subroutines

host_search_request Builds the request JSON

get_scrutinizer_data Makes the request to Scrutinizer

format_report_data Formats the returned data

bull api_host_examplepl

ndash This script uses the host index API to perform a quick search on an IP address It willdetermine if a host has been seen anywhere on the network It consists of two subroutines

get_scrutinizer_data Makes a host search request to Scrutinizer

format_search_data Formats the returned data

Note To use HTTPS make sure this perl module is installed cpan -i LWPProtocolhttps

Python

bull Report Type flowView

bull Time Frame LastFiveMinutes

bull ExporterInterface IP is 1011251 which converts to 0A0101FB in_0A0101FB_ALL means thatwe are going to include all interfaces for the exporter 1011251

bull Max Num Rows 11000

This python script makes the same HTTP request but saves the json to datatxt

import urllibimport urllib2import jsonurl = httpSCRUTINIZER_SERVERfcgiscrut_fcgifcgireport_details =

reportTypeLang flowViewreportDirections

selected inboundtimes

dateRange LastFiveMinutesfilters

sdfDips_0 in_0A0101FB_ALLdataGranularity

selected 1m

data_i_need =

inbound table

data = rm report_apiaction getrpt_json jsondumps( report_details )data_requested jsondumps( data_i_need )

data = urlliburlencode( data )req = urllib2Request( url data )response = urllib2urlopen( req )report = responseread()report_obj = jsonloads( report )

with open(datatxt w) as outfilejsondump(report_obj outfile)

9114 Reference Guide

rm=report_api (required HTTP static)

This URL field is required when making an HTTP request The value for this field willalways be lsquoreport_apirsquo

action (required HTTP)

Indicates what we want to do Right now the only action supported is lsquogetrsquo to get a report

getReport (required CMD)

This field is required when using the CMD to access the API

rpt_json

bull reportTypeLang (required)

This is the lang id of the report type used for the report Available reports in the installcan be found by looking at Scrutinizer gt Status gt System gt Available Reports

ndash conversations

ndash host2host

ndash ipGroupGroup

ndash applications

ndash trafficTrend

bull reportDirection (required)

It takes an object with a single attribute lsquoselectedrsquo The values for lsquoselectedrsquo are

ndash inbound

ndash outbound

ndash both

bull times (required)

ndash dateRange (required if no start and end)

Indicates the time for which we want to run the report using one of the predefineddate ranges Available dataRange values

LastFiveMinutes

LastTenMinutes

LastFifteenMinutes

LastTwentyMinutes

LastThirtyMinutes

LastFortyfiveMinutes

LastHour

LastFullHour

LastThreeDays

LastSevenDays

LastThirtyDays

Yesterday

Last24Hours

ThisWeek

LastWeek

ThisMonth

LastMonth

ThisYear

Last year

ndash start

Epoch time that we want to use for the start time of the report

ndash end

Epoch time that we want to use for the end time of the report

ndash clientTimezone

If we want to base the report times on the time zone where the client is locatedwe need pass the time zone using clientTimezone otherwise the server time zonewill be used It takes the time zone names as they are defined in the IANA timezone database such as ldquoAsiaShanghairdquo ldquoAsiaKolkatardquo ldquoAmericaNew_Yorkrdquo

bull filters (required)

It takes an object that defines the different filters that can be applied to the report Wehave many filter types that can be applied Here are a couple examples

ndash There has to be at least an sdfDips filter sdfDips filters are used to indicate whichexporterinterface we want to use for the report sdfDips are defined like thisldquoin_[IP_OF_EXPORTER_IN_HEX]_[INTERFACE_ID]rdquo Example - Exporterall interfaces filter ldquosdfDips_0rdquo ldquoin_408CF386_ALLrdquo

Here are some other possible filter examples

middot SrcDst host filter ldquosdfIps_0rdquo ldquoin_10111_Bothrdquo

middot Well Known Port filter ldquosdfPorts_0rdquo ldquoin_80-6rdquo

ndash Filters are defined in the filters object like this

[filter_type]_[index] = filter_definition

bull index is used to differentiate filters of the same type and to indicate in which order they should beapplied

bull dataGranularity

It indicates which data interval (in minutes) we want to use It takes an object with onekey lsquoselectedrsquo Available values for lsquoselectedrsquo are

ndash auto (lets the API decide which interval to use)

ndash 1

ndash 5

ndash 30

ndash 120

ndash 720

ndash 1440

ndash 10080

bull rateTotal

Indicates if we want rates or totals Totals or rates are not available for all reportsDefault depends on the report type

selected rate total

bull byInt

Indicates whether we want to include the interface details in the report table Valuesare 0 or 1 Only applicable to reports with interface information available Defaults to0

selected 1

data_requested

It is used to indicate to the API what part of the report we need Reports return two data setsone for rendering the graph and the other for rendering the table Each one is divided intooutbound and inbound

While rpt_json tells Scrutinizer how to prepare the data (timeframe filters aggregation etc)data_requested tells Scrutinizer what data should be returned with the request (inbound out-bound table graph or just a table name) See examples for details

If ldquotable_name 1rdquo is passed in data_requested no data will be returned Only the name of atemporary database table will be returned Example

Return Data

Example

report

table inbound totalRowCount 50columns [

title Ranklabel klassth rankWidth

colHasBbp 0defaultSort nullklassth klassLabel format elementName sourceipaddresscanBeRate nulllabel Sourcetitle sourceipaddress

colHasBbp 0defaultSort nullklassth commPortWidthklassLabel format

elementName commonportcanBeRate nulllabel Well Knowntitle commonport

colHasBbp 0defaultSort nullklassth klassLabel format elementName destinationipaddresscanBeRate nulllabel Destinationtitle destinationipaddress

colHasBbp 0defaultSort nullklassth alignRight dataWidth sortableklassLabel format niceLtr pperSecMode 0bitOverRide 0

elementName sum_packetdeltacountcanBeRate 1label Packetstitle sum_packetdeltacount

colHasBbp 0defaultSort nullklassth alignRight dataWidthklassLabel format elementName percenttotalcanBeRate nulllabel Percenttitle percenttotal

colHasBbp 1defaultSort DESC

klassth alignRight dataWidth sortable hasBbp klassLabel sortdesc format

niceLtr bperSecMode 0bitOverRide 0

elementName sum_octetdeltacountcanBeRate 1label sum_octetdeltacounttitle sum_octetdeltacount

]rows [[

klasstd rank1title Ranklabel 1

rawValue 1014105dataJson columnsourceipaddressklasstd alignLeftklassLabel ipDnstitle 1014105label 1014105

rawValue av-emb-config (2050 - TCP)dataJson columncommonportklasstd alignLeftklassLabel title ()label av-emb-config (2050 - TCP)

rawValue 1011151dataJson columndestinationipaddressklasstd alignLeftklassLabel ipDns title 1011151label 1011151

rawValue 20132651

dataJson columnsum_packetdeltacountklasstd alignRightklassLabel title 20132651label 2013 Mp

rawValue nulldataJson columnpercenttotalklasstd alignRightklassLabel title 1953 label 1953

rawValue 26274904910dataJson columnsum_octetdeltacountklasstd alignRightklassLabel title 26274904910label 2627 Gb

]footer [

[title Otherlabel Other

klasstd alignLefttranslations elementName sourceipaddresstitle Group by columns are not summarizedlabel - menuType filterType

klasstd alignLefttranslations elementName commonporttitle Group by columns are not summarizedlabel -

menuType filterType

klasstd alignLefttranslations elementName destinationipaddresstitle Group by columns are not summarizedlabel - menuType filterType

klasstd alignRighttranslations elementName sum_packetdeltacounttitle 83442022label 8344 MpmenuType filterType

klasstd alignRighttranslations elementName percenttotaltitle Group by columns are not summarizedlabel - menuType filterType

klasstd alignRighttranslations elementName sum_octetdeltacounttitle 108236252030label 10824 GbmenuType filterType

title (from conv tables)label Total

klasstd alignLefttranslations elementName commonporttitle Group by columns are not summarizedlabel - menuType filterType

report (Object)

Is the object that contains the data returned by the API The data is divided into ldquotablerdquo andldquographrdquo

table (Object)

The table data is divided into inbound or outbound For each direction the following areprovided

bull totalRowCount integer representing the total number of rows available

bull columns See columns section below

bull rows See rows section below

bull footer See the footer section below

columns (Collection)

It is an array of objects that represent the definition of each column in the table Most ofthe data is used to create the html table in the browser Here is a list of the most relevantinformation included in each object

bull elementName Name of the element that the data in the column is for

bull format Details about how the data in the column needs to be formatted

bull label Label used in the table header

rows (Array)

Array of collection Each collection in the array represents a row and each object in thecollection represents a table cell for that row Here are some details about the keys for eachobject representing a cell

bull rawValue The unformatted value as it is return from the database

bull label formatted value

footer (Array)

The footer[0] represents the ldquoOthersrdquo data for the operations columns (columns which valueis the product of an arithmetic operation) That is the amount for the data not included in therows

The footer[1] represents the ldquototalrdquo Total for a column is equal to the sum of the rows forthat column plus the ldquoOthersrdquo value for that column

912 Using the IP Groups API

9121 Overview

The IP Groups API is a simple way to add remove and edit IP Groups via the command line

Note The API only accepts requests from hosts that are part of the authorized IPs whitelist

Authentication

First find the IP of the host from where the local computer is going to access the API in the list of IPaddresses that can access it The User API uses a whitelist of IPs for authentication The whitelist isdefined in $homeDirfilesauth_ipscfg (one host IP per line)

The response for unauthenticated request is ldquomsgrdquordquoRequest cannot be authenti-catedrdquordquoerrrdquordquooauthFailurerdquo

912 Using the IP Groups API 277

9123 Examples

There is an example script that is included in Scrutinizer in the scrutinizerfilesapi_examples directory

bull ipgrouppl

ndash This script allows the user to searchcreateeditdelete IP Groups within Scrutinizer It con-sists of six subroutines

search_ipgroups Pass name or fc_id to get group details

create_ipgroup Create ipgroups by ipsubnetrange

update_ipgroup Edit an existing IP Group

delete_ipgroup Delete existing IP Group

delete_rule Delete a specific flow class rule from a group

retrieve_rules List all flow class rules for an IP Group

rm=ipgroups

This URL field is required when making an HTTP request This field is always equal toipgroups

action

Indicates the API action that can be performed with the JSON provided

Below is a list of available actions

search_ipgroups

Allows the user to look up details about an IP Group There are a few parameters that can be passed tothe search_ipgroups function

bull Search By Exact Name

search_ipgroups(name=gtMy IP Group)

bull Search by name with like not like

search_ipgroups(name=gtMy IP Gro fc_name_comp =gt like)search_ipgroups(name=gtMy IP Gro fc_name_comp =gt notLike)

bull Search by Flow Class ID (Unique identifier for IP Group)

search_ipgroups(fc_id=gt16800916)

bull Retrieve IP Groups with paging

search_ipgroups(page=gt1maxRows=gt500)

create_ipgroup

To create IP Groups specify flowclass rules within the API script There are multiple ways to create aflowclass rule

bull Single IP Address

bull IP Range

bull Network

bull Child IP Group

For each of these options specify the data to use then edit the $rules array to fit the requirements

my $rules = [type=gtip address =gt 10111rarr˓ Single IP Address (10111)type=gtrange eip =gt 102110 sip =gt 10211rarr˓ IP Range (10211 -gt 102110)type=gtnetwork address =gt 172165221 mask =gt 16rarr˓ Network with 16 mask (172165xx)type=gtchild child_id =gt 16900011rarr˓ Child IP Group (exisiting group is part ofrarr˓new IP Group)]

bull Create an IP Group for a single IP address

my $rules = [type=gtip address =gt 10111rarr˓ Single IP Address (10111)]

create_ipgroup(rules=gt$rules apptype=gtinternalrarr˓name =gt myOneServer)

bull Create an internal IP Group for a specific subnet

my $rules = [type=gtnetwork address =gt 1921681000 maskrarr˓=gt 24 Network with 24 mask (192168100rarr˓x)]

create_ipgroup(rules=gt$rules apptype=gtinternalrarr˓name =gt myInternalIpGroup)

bull Create an external IP Group and include an existing IP Group (ldquoUK Branchrdquo will bepart of ldquoEuropean Officesrdquo)

my $rules = [type=gtchild child_id =gt 16900011rarr˓ Where 16900011 is the exisitingrarr˓UK Branch groups fc_id]

create_ipgroup(rules=gt$rules apptype=gtinternalrarr˓name =gt European Offices)

update_ipgroup

The API allows the user to also edit existing IP Groups To do this a flow class ID of the group must bespecified in order to edit it

bull Add rules to Group

bull Change Name of IP Group

Note The fc_id flag is required for this function This value can be found in theoutput from search_ipgroups by passing the name

search_ipgroups(name=gtUK Branch)

Output

results [fc_name UK Branchfc_id 16900017 This is the Flow Class ID for this

rarr˓exisiting IP Group]

bull Add a single IP address to an existing group

my $rules = [type=gtip address =gt 102030100rarr˓ Single IP Address (102030100) to be added]

update_ipgroup(fc_id =gt 16900017 rules =gt $rules apptype =gtrarr˓internal name =gt UK Branch)

bull Modify the name of an existing group (Change existing ldquoUK Branchrdquo to ldquoLondon Branchrdquo)

update_ipgroup(fc_id =gt 16900017 name =gt London Branch)rarr˓ Where 16900017 is the exisiting UK Branch groupsrarr˓fc_id

delete_ipgroup

Remove an IP Group from the system or delete multiple groups at once

bull Delete Multiple IP Groups

delete_ipgroup(ipgroups =gt [id=gt16800362id=gtrarr˓16800363]) Where the id is the exisitingrarr˓groups fc_id

delete_rule

Remove a rule from an IP Group this can be used to remove a single IP from an IP Group that has manyrules in it

Note The fc_id flag is required for this function This value can be found inthe output from search_ipgroups and passing the name

search_ipgroups(name=gtOffice fc_name_comp =gt like)rarr˓ Search for groups with name like Office

Output

allLoaded 1page 1totalRowCount 1to 0IPGroups 1from 0fc algo_name nullfa_id nullnumrules 1fc_type_name ip_groupfc_type ip_groupuse_in_reporting 1ipg_type internalfc_name European Offices

rarr˓Name of the IP Grouphas_fa_id 0fc_type_id 2fc_id 16900019

rarr˓The flow class ID for this groupmodified_ts 2018-02-27 143610433812is_internal 1

is_internal internalresults [childname UK Branch

rarr˓Name of the Child IP Groupchild_id 16900017

rarr˓The Child Groups flow class IDfc_id 16900019

rarr˓The parent flow class ID for this group(continues on next page)

modified_ts 2018-02-27 143610401185type childrule_id 47

rarr˓The ID of this specific flow class rule

bull Delete a rule from an existing IP Group (Remove lsquoUK Branchrsquo from lsquoEuropean Of-ficesrsquo)

delete_rule(rule_id=gt47) Where the 47rarr˓is the exisiting child groups rule_id from above

retrieve_rules

bull Retrieve rules for IP Group 1000 entries per page

retrieve_rules(fc_id=gt16900014page=gt1maxRows=gt1000)

bull Retrieve rules for IP Group 10 entries per page starting from page=2

Note The fc_id flag is required for this function This value can be found in theoutput from search_ipgroups and passing the name

Output

results [fc_name My IP Groupfc_id 16900014 This is the Flow Class ID for this

9125 Using the CLI

The command scrut_utilexe can also be leveraged as a CLI API

The most common use case is importing data on a regular basis To see options call help via the CLIpassing the mode

$ scrut_utilexe ndashhelp import

Command

import

scrut_utilexe ndashimport aclfile scrut_utilexe ndashimport asns [ndashfile ltpathfilegt] [ndashdelimiterltdelimitergt]

scrut_utilexe ndashimport csv_to_gps ndashfile ltcsv_filegt ndashgroup ltgroup_id|group_namegt

[ndashcreate_new] [ndashfile_format ltfile_formatgt]

scrut_utilexe ndashimport csv_to_membership ndashfile ltcsv_filegt

[ndashcreate_new ndashgrouptype ltflash|googlegt] [ndashfile_format ltfile_formatgt]

scrut_utilexe ndashimport hostfile scrut_utilexe ndashimport ifinfo ndashfile ltifinfo_filegt [ndashdelimiterltdelimitergt] scrut_utilexe ndashimport flowclass [ndashtype [application|ipgroup]] [ndashfile ltpath-filegt] [ndashreset]

Description

Run various import commands to bring external sources of data into Scrutinizer For moredetails on individual commands type lsquohelp import ltcommandgtrsquo from interactive mode

913 Using the User API

9131 Overview

The User API is a simple way to add remove and edit user and usergroup accounts via HTTP or thecommand line The API only accepts requests from hosts that are part of the authorized IPs whitelist

Authentication

Determine the IP address from the list of IP addresses that can access the API A whitelist of IPs is usedfor authentication The whitelist is defined in $homeDirfilesauth_ipscfg (one host IP per line)

Accessing the User API via HTTP

To access the API via HTTP a POST or GET request must be made to this base URI ldquohttp[SCRUTINIZER SERVER]fcgiscrut_fcgifcgirdquo passing the following mandatory fields

bull rm=user_api

bull action=

bull json=

rm=user_api is always the same every time we want to access the user API action tells the API what wewant to do json will contain a JSON object with the details of the action that we want the User API toperform

9133 Examples

JavaScript

This example illustrates how to make an AJAX request to the User API using Javascript amp jQuery

var url = http[SCRUTINIZER SERVER]fcgiscrut_fcgifcgivar action_details =

users [name MyAdmin

pass MyPassmembership [1]

name MyGuest

913 Using the User API 285

pass OtherPassmembership [2]

]$ajax(

rm user_apiaction createUserjson JSONstringify( action_details )

success function ( response )

if ( responseerr ) alert(responsemsg)

Python

This example illustrates how to make a request to the User API using Python

import urllibimport urllib2import jsonurl = http[SCRUTINIZER SERVER]fcgiscrut_fcgifcgiuser_details =

users [

name MyAdminpass MyPassmembership [1]

name MyGuestpass OtherPass

membership [2]

data = rm user_apiaction createUserjson jsondumps( user_details )

data = urlliburlencode( data )req = urllib2Request( url data )response = urllib2urlopen( req )user_data = responseread()user_obj = jsonloads( user_data )

rm=user_api

This URL field is required when making an HTTP request This field is always equal touser_api

action

Indicates what action we want the User API to perform with the JSON we provide Below isa list of available actions

createUser

Allows the creation of user accounts within Scrutinizer They can be added to user groups atthe same time

JSON Object Expected

users [

name MyGuestpass OtherPassmembership [2]

bull users An array of all users to be created so multiple users can be created at once If only one useris needed this will be an array of one

bull name The name of the user to be created

bull pass The password for the new user account

bull membership An array of usergroup_ids from the plixerusergroups table The user will be addedto these groups when the account is created

JSON Object Returned

data [

id 3name MyAdmin

id 4name MyGuest

bull data An array of responses for each user account that Scrutinizer attempted to create

bull id The new user_id of the user account that was created

bull name The name of the account created (by design this is identical to the name passed in)

delUser

Allows the deletion of user accounts within Scrutinizer

delUsers[2GuestUser7

bull delUsers must contain an array of user IDs or usernames of accounts to be deleted

data[Deleting user 2Deleting user GuestUserFailed to delete 7 (No such account exists)

bull data An array of responses for each user account that Scrutinizer attempted to delete

createUsergroup

Allows the creation of usergroups within Scrutinizer Members can be added at the sametime

usergroups[

nameGroupAtemplate_usergroup1users[12]

nameGroupBtemplate_usergroup2users[MyUserMyUser2]

bull name The name of the usergroup to be created

bull users An array of all users to be added by user ID or username If only one user is needed thiswill be an array of one An empty array will create an empty usergroup

id5nameGroupAmembers[12]

nameGroupBerrorA usergroup already exists with that name

bull data An array of responses for each usergroup that Scrutinizer attempted to create

bull id The new usergroups_id of the usergroup that was created

bull name The name of the usergroup created (by design this is identical to the name passed in)

bull members An array of user IDs or usernames for the members successfully added to the group

bull error Any errors encountered during the creation of a particular usergroup

delUsergroup

Allows the deletion of usergroups within Scrutinizer

delUsergroups[

3My Usergroup

bull delUsergroups Must contain an array of usergroup IDs or usergroup names to be deleted

Usergroup 3 was deletedFailed to delete My Usergroup (No such group exists)

bull data An array of responses for each usergroup that Scrutinizer attempted to delete

Changes user preferences for individual users

user_id5prefs[

prefstatusTopnsetting10

preflanguagesettingenglish

bull user_id Required for the user with preferences to change

bull prefs contains an array of preferences and new settings

dataupdated[

statusTopn updated to 10 for user_id 5language updated to english for user_id 5

]errors[

Failed to update user_id 5rarr˓s preference favoriteIceCream No such preference exists

bull data An array of responses for each preference change updated or attempted

bull updated Messages for any preference successfully changed

bull errors Any errors encountered while changing preferences

changeUsergroupNames

changeUsergroupNames[

id3newnameMy Best Group

oldnameSad GroupnewnameHappy Group

bull changeUserGroupNames An array of changes to be made to usergroups

bull id The usergroups_id of a group the user desires to change

bull oldname An alternative to the ldquoidrdquo parameter and contains the current usergroup name

bull newname The name this usergroup will be changed to have

dataupdated[

Usergroup 3 renamed to My Best Group]errors[

rarr˓Failed to rename Sad Group to Happy Group Another usergroup already exists with this namerarr˓

bull data An array of responses for each name change attempted

bull updated Messages for any name successfully changed

bull errors Any errors encountered while changing names

changeUsername

Changes usernames

changeUsername

ltuser_id|oldnamegtltN|myUsergtnewnameOpSCT

bull user_id The user ID of the account to be changed

bull oldname An alternative to user ID and contains the current name of the user

bull newname Contains the name which is intended to change

message User myUser successfully renamed to OpSCT

bull message will contain either a statement of success or an error explaining why the name changefailed

membership

Changes usergroup membership

membership

user_idNuser_nameUSER1usergroup_idXusergroup_nameUSERGROUP1

user_idMuser_nameUSER2usergroup_idYusergroup_nameUSERGROUP2

]remove[

user_idLuser_nameUSER3usergroup_idZusergroup_nameUSERGROUP3

bull membership contains two arrays ldquoaddrdquo and ldquoremoverdquo which have information on each member-ship change

bull user_id is the ID from plixerusers the users wishes to add or remove

bull user_name is an alternative to user_id and can be the plain text name of the user

bull usergroup_id is the ID from plixerusergroups that the user will be added to or removed from

bull usergroup_name is an alternative to usergroup_id and can be the plain text name of the usergroup

dataadded[

User N added to usergroup XUser M added to usergroup Y

]removed[

User L removed from usergroup Z]

bull added will contain an array of either statements of success or errors explaining why the membershipchange failed

bull removed will contain an array of either statements of success or errors explaining why the mem-bership change failed

permissions

Changes usergroup permissions

permissions

usergroup_idXusergroup_nameUSERGROUP1typeltusergroups_permissionsfkgtsecCode

]remove[

bull permissions will contain two arrays ldquoaddrdquo and ldquoremoverdquo for each permission to be changed

bull type can be found in plixerusergroups_permissions in the lsquofkrsquo field It differentiates the types ofpermissions (eg ldquointrdquo ldquodevrdquo etc)

bull secCode another field in plixerusergroups_permissions and contains the permission It will bedifferent depending on the ldquotyperdquo (eg ldquo1rdquo for interface 1 ldquo0A010107rdquo for a device etc)

dataupdated[

Added permission int-1 to usergroup USERGROUP1]errors[

Failed to remove permission dev-rarr˓0A010107 from usergroup USERGROUP3 Permission not currently assigned to this usergrouprarr˓

bull updated will contain an array of either statements of success or errors explaining why the permis-sion change failed

bull errors will contain an array of either statements of success or errors explaining why the permissionchange failed

Admin Tab Overview

Data Aggregation

Interface Details

Licensing

Report Designer

Reporting

User Name Reporting Overview

User Name Reporting - Active Directory Integration

User Name Reporting - Cisco ISE Integration

Alarms

Overview

Gear Menu

Configuration Menu

Views Menu

Bulletin Board Events

Reports Menu

Edit Policy

Notification Profile

Threat Index

Baselining

Baselining Overview

Dashboards

Dashboard Overview

Vitals Dashboard

Flow Analytics

Overview

Navigation

Configuration

Exclusions

Algorithm Activation Strategy

Algorithms and Gadgets

Custom Algorithms

FA Bulletin Boards

Optimizing FA

Maps

Main View

Connections

Dependencies

Google Maps

Groups

Objects

Plixer Maps

Settings

Status

Status Tab

CrossCheck

CSV Reporting

Device Overview

Flow Hopper

Flow View

Network Traffic Reporting

Report Thresholds

Run Report

Scheduling a report

Vitals Reporting

System

Backups

Changelog

Check Vulnerabilities

Distributed Collectors

Flowalyzer

Interactive scrut_util

Language Translations

Mailinizer Setup

Meta Data Collection

Migration Utility

Multi-Tenancy Module

NetFlow Help

NetFlow Knights

Searching

Security Updates

SSL

System LEDs

Third Party Licenses

Troubleshooting

Vitals

Web Server Port


Configuring Amazon Web Services flow streaming

How to Add Resources to a Scrutinizer EC2 Instance

Configuring Ciscorsquos FireSIGHT eStreamer Client

Configuring Endace Probe Integration

Configuring Scrutinizer for DualMulti-homing

Creating a Network Map

Creating Thresholds and Notifications

Elasticsearch Kibana (ELK) Integration

Scrutinizer for Splunk Application

Third Party Integration

Using the Reporting API

Using the IP Groups API

Using the User API

Scrutinizer

1 Admin 311 Admin Tab Overview 312 Data Aggregation 1513 Interface Details 1914 Licensing 2115 Report Designer 2216 Reporting 2417 User Name Reporting Overview 2518 User Name Reporting - Active Directory Integration 2619 User Name Reporting - Cisco ISE Integration 41

2 Alarms 4521 Overview 4522 Gear Menu 4723 Configuration Menu 4724 Views Menu 4925 Bulletin Board Events 5226 Reports Menu 5327 Edit Policy 5428 Notification Profile 5629 Threat Index 59

3 Baselining 6131 Baselining Overview 61

4 Dashboards 67

Scrutinizer 1

2 Scrutinizer

CHAPTER 1

111 Settings

Data Aggregation

System LEDs

4 1 Admin

112 Definitions

6 1 Admin

ndash Status

8 1 Admin

113 Security

10 1 Admin

Functional IDs

Ap-plica-tion

User Us-age

Ac-cessLevel

Description

Op-erat-ingSys-tem

root In-ter-ac-tive

Priv-i-leged

Non-privileged

pg-bouncer

Non-interactive

Non-privileged

post-gresqlormysql

Non-interactive

Priv-i-leged

Database User

Priv-i-leged

HTTP services

Databaseroot In-

ter-ac-tive

Priv-i-leged

Non-privileged

scru-ti-nizer

Non-interactive

Priv-i-leged

Webinter-face

ad-min

In-ter-ac-tive

Priv-i-leged

12 1 Admin

bull Usage

bull Access level

User Groups

Settings

Device Status

Device Groups

Dashboard Gadgets

Members

14 1 Admin

Bulletin Boards

Delete Group

115 Reports

12 Data Aggregation

121 Overview

122 Upgrades

16 1 Admin

bull intervalTime

bull commonport

bull flowDirection

bull applicationId

In SAF mode

A Word about sFlow

18 1 Admin

bull Instance

20 1 Admin

131 SNMP

14 Licensing

141 Overview

142 Details

14 Licensing 21

143 License Key

Example License Key

15 Report Designer

22 1 Admin

(c) Rate vs Total

16 Reporting

24 1 Admin

171 Overview

26 1 Admin

28 1 Admin

30 1 Admin

32 1 Admin

bull member=DCip

34 1 Admin

36 1 Admin

38 1 Admin

40 1 Admin

191 Overview

192 Enable ERS

bull ERS Admin

bull ERS Operator

bull Super Admin

bull System Admin

42 1 Admin

44 1 Admin

CHAPTER 2

Alarms

21 Overview

211 Bulletin Boards

212 Heat Maps

213 Threat Index

46 2 Alarms

22 Gear Menu

221 Options

232 Alarm Settings

22 Gear Menu 47

236 IP Groups

238 Policy Manager

48 2 Alarms

239 Syslog Server

24 Views Menu

24 Views Menu 49

50 2 Alarms

24 Views Menu 51

244 Orphans

251 Overview

52 2 Alarms

26 Reports Menu

26 Reports Menu 53

261 Options

27 Edit Policy

271 Overview

272 Policy Fields

273 Filters

54 2 Alarms

274 Logic

ndash Regexp

275 Select Action

27 Edit Policy 55

276 Notifications

bull Trigger

281 Overview

56 2 Alarms

282 Alerts

Required fields are

ndash Priority

ndash Facility

Required fields are

ndash UDP Port

ndash Generic ID

ndash Specific ID

ndash Binding OID

ndash From Host

Required fields are

58 2 Alarms

29 Threat Index

29 Threat Index 59

60 2 Alarms

CHAPTER 3

Baselining

62 3 Baselining

SCRUTINIZERgt

ndash AVG = Average

ndash SUM = Sum

64 3 Baselining

clean baseline

show task baseline

Example

check task ltidgt

Example

66 3 Baselining

CHAPTER 4

Dashboards

Highlights

412 Menus

2 Dashboard name

3 Configuration

68 4 Dashboards

413 Gadget Icons

70 4 Dashboards

2 Choose Settings

42 Vitals Dashboard

72 4 Dashboards

74 4 Dashboards

CHAPTER 5

Flow Analytics

51 Overview

511 Overview

10000817216001219216800161692540016

52 Navigation

76 5 Flow Analytics

53 Configuration

53 Configuration 77

Important Notes

54 Exclusions

541 Overview

542 Exclusion Types

bull IP Address

bull IP Range

bull IP Subnet

78 5 Flow Analytics

54 Exclusions 79

EdgeRouters

FlowPro De-fender

Yes Yes Yes

FlowPro De-fender

Yes No No

FlowPro De-fender

80 5 Flow Analytics

561 Overview

82 5 Flow Analytics

ndash DNS

ndash NTP

ndash SNMP

ndash SSDP

ndash Chargen

ndash RPC Portmap

ndash Sentinel

84 5 Flow Analytics

86 5 Flow Analytics

BotNet Detection

88 5 Flow Analytics

DNS Data Leak

Domain Reputation

90 5 Flow Analytics

bull mcafeecom

bull sophoscom

bull sophosxlnet

bull webcfs03com

bull applecom

6 quit

92 5 Flow Analytics

6 quit

2 show domainlists

4 quit

2 show domainlists

4 quit

571 Getting Started

94 5 Flow Analytics

bull Threshold

2 Click New Policy

96 5 Flow Analytics

bull Policy Events

581 Policy Events

bull P2P Detection

bull DNS Hits

bull Denied Flows

98 5 Flow Analytics

bull FIN Scan

bull NULL Scan

bull RSTACK Scan

bull SYN Scan

bull TCP Scan

bull UDP Scan

bull XMAS Scan

583 Security Events

bull DDoS Detection

bull DNS Data Leak

59 Optimizing FA

CHAPTER 6

61 Main View

611 Overview

bull Objects

bull Backgrounds

bull Link Status

62 Connections

102 6 Maps

63 Dependencies

63 Dependencies 103

64 Google Maps

2 Click Save

104 6 Maps

ndash GPS Location

3 Then click Save

ndash Properties

65 Groups

Highlights

65 Groups 105

66 Objects

106 6 Maps

67 Plixer Maps

bull Settings

67 Plixer Maps 107

bull Objects

bull Connections

108 6 Maps

5 Click Save

bull Background

67 Plixer Maps 109

110 6 Maps

68 Settings

bull Google Maps

68 Settings 111

112 6 Maps

CHAPTER 7

Status

71 Status Tab

711 Interfaces

712 Menus

bull Down Arrow

114 7 Status

71 Status Tab 115

bull Views

ndash CrossCheck

713 Device Explorer

bull Groups

116 7 Status

71 Status Tab 117

714 Current Report

715 Saved Reports

118 7 Status

72 CrossCheck

722 Fault Index

72 CrossCheck 119

Table column header

120 7 Status

73 CSV Reporting

74 Device Overview

75 Flow Hopper

76 Flow View

761 Overview

Notice

122 7 Status

76 Flow View 123

124 7 Status

bull ENGINE_TYPE

bull ENGINE_ID

bull SAMPLER_NAME

bull NF_F_FW_EVENT

bull NF_F_USERNAME

76 Flow View 125

771 Overview

772 Templates

773 Report Types

126 7 Status

774 Current Report

No Data Found

776 Gear icon

128 7 Status

Graph Options

130 7 Status

Date Time Options

777 Saved Reports

For example

1011151

132 7 Status

1030113102711310261135102611310261119

Filter Logic

134 7 Status

779 Thresholds

7711 Other Options

bull Search

bull Alarms

1 Save a report

136 7 Status

781 Notes

79 Run Report

138 7 Status

79 Run Report 139

7101 Prerequisites

140 7 Status

ndash Recipients

bull Action

bull Email Subject

bull Schedule

ndash Hourly

ndash Daily

ndash Weekly

ndash Monthly

142 7 Status

144 7 Status

146 7 Status

CHAPTER 8

System

81 Backups

811 Overview

815 Suggested times

82 Changelog

148 8 System

Version 186 - 6292018

82 Changelog 149

Version 1711 - 11222017

150 8 System

Version 1710 - 10272017

Version 178 - 8302017

82 Changelog 151

Version 17621 - 6212017

Version 176 - 6192017

152 8 System

82 Changelog 153

Version 17227 - 3222017

154 8 System

Version 172 - 2222017

82 Changelog 155

831 Overview

832 Backporting

Here is an example

156 8 System

85 Flowalyzer

861 Overview

SCRUTINIZERgt

SCRUTINIZERgt exit

Exiting

[rootScrutinizer ~]

1) Interactive

158 8 System

863 Help Function

SCRUTINIZERgt help

864 Commands

bull check

bull ciscoise

bull clean

bull collect

bull counteract

bull delete

bull disable

bull download

bull enable

bull endace

bull expire

bull export

bull import

bull moloch

bull optimize

bull repair

bull services

bull set

bull show

bull snoop

bull system

bull upload

bull version

160 8 System

check routeltipgt

ciscoise

ciscoisenodelist

162 8 System

Com-mand

Description

clean base-line

cleandatabase

collect

collect base-line

collect topol-ogy

counteract

delete

164 8 System

delete or-phans

disable

Com-mand

Description

disablevmware-tools

download

enable

166 8 System

endace

expire

Com-mand

Description

expirealarms

expirednscache

expirehistory[trim]

expireifinfo

expireorphans

export

168 8 System

Com-mand

Description

import

1016913377749122419419216861407128740059

170 8 System

moloch

optimize

repair

Com-mand

Description

repairrange_starts

services

172 8 System

Com-mand

Description

sethttpdltportgt

setmyad-dress

setpass-wordrootdb

setpass-wordscrutdb

setreport-menu

set saltltsaltgt

set self-reporter

set ssllton|offgt

set tun-ing

set voiplton|offgt

174 8 System

Com-mand

Description

showalarms[filter]

showdiskspace

showgroups

showipad-dresses

showpcaplist

show task[name]

showtimezone

show tzlist[filter]

showunknown-columns

showyum_proxy

system

176 8 System

upload

version

178 8 System

88 Mailinizer Setup

891 Overview

180 8 System

8101 NAME

8102 SYNOPSIS

Run Modes

Options

182 8 System

8103 DESCRIPTION

8104 PRE-MIGRATION

PostgreSQL

8105 CONFIGURATION

184 8 System

_db_host

_db_user

_db_pass

_db_port

_db_dialect

186 8 System

[exporters]

inclusions

exclusions

[data range]

intervals

startend_epoch

[scrutinizer data]

alarms

dashboards

ipgroups

objects

reports

188 8 System

systemprefs

8106 EXAMPLES

migrateexe -t

migrateexe -c -m

migrateexe --finish

812 NetFlow Help

813 NetFlow Knights

190 8 System

814 Searching

8141 Overview

2 Host Index search

bull Source Host

bull Client

bull Server

bull User as Source

bull Wireless Host

bull Wireless SSID

814 Searching 191

bull First Seen

bull Last Seen

bull Flow Count

192 8 System

8151 Overview

INTERACTIVE

194 8 System

816 SSL

SCRUTINIZERgt

8162 Enabling SSL

816 SSL 195

State Province

Email Ad-dress

CommonName

8164 Disabling SSL

196 8 System

817 System LEDs

8171 Overview

817 System LEDs 197

NA NA NA

bull Free Disk DB

198 8 System

817 System LEDs 199

Apache Giraph

200 8 System

202 8 System

204 8 System

JSONXS

206 8 System

NetPacket

208 8 System

strace

210 8 System

212 8 System

214 8 System

216 8 System

218 8 System

220 8 System

819 Troubleshooting

820 Vitals

821 Web Server Port

8211 Overview

3 And run

8212 SSL Support

222 8 System

CHAPTER 9

911 Overview

bull Top AWS users

bull Action

bull Interface

bull Pair Interface

912 Prerequisites

1 AWS Account ID

2 Users gt Add User

(b) AWS Region Name

(d) AWS Stream Name

Default 4739

Overview

Enabling

Running

Debugging

921 Overview

SCRUTINIZERgt quit

Exiting

choose Start

931 Overview

bull Firewall List

932 Prerequisites

bull eStreamer 54

(b) example

936 Wait for Flows

941 Overview

bull Add a probe

bull Remove a probe

2 Violated Alarms

bull Initiator IP

bull Target IP

bull Protocol

5 Click Search

Violated Alarms

7 Click Search

5 Click Search

961 Overview

971 Overview

bull and more

3 Click Save

Example

Navigate to

2 Click Add Alert

981 Overview

982 What is ELK

Kibana 42

Scrutinizer v1512+

bull CPU

bull Memory

bull Disk Usage

bull Top Countries

bull Top Flows

bull Top Hosts

bull Top Jitter

bull Top Networks

3 And run

Preparing Kibana

991 Overview

bull CPU

bull Memory

bull Disk Usage

bull Dashboards

bull Maps

bull Alarms

bull Top Countries

bull Top Flows

bull Top Hosts

bull Top Jitter

bull Top Networks

bull and more

bull plixercom

bull Latest Blogs

(a) Run

2 Log into Splunk

ndash Click Next

9111 Overview

Authentication

bull rm=report_api

bull action=get

bull rpt_json=

9113 Examples

JavaScript

times start 1426001640end 1426088100

filters

selected auto

var data_i_need =

outbound

table query_limit

$ajax(

Python

selected 1m

data_i_need =

inbound table

rpt_json

ndash conversations

ndash host2host

ndash ipGroupGroup

ndash applications

ndash trafficTrend

ndash inbound

ndash outbound

ndash both

LastFiveMinutes

LastTenMinutes

LastFifteenMinutes

LastTwentyMinutes

LastThirtyMinutes

LastHour

LastFullHour

LastThreeDays

LastSevenDays

LastThirtyDays

Yesterday

Last24Hours

ThisWeek

LastWeek

ThisMonth

LastMonth

ThisYear

Last year

ndash start

ndash end

ndash 1

ndash 5

ndash 30

ndash 120

ndash 720

ndash 1440

ndash 10080

bull rateTotal

selected rate total

bull byInt

selected 1

data_requested

Return Data

Example

report

]rows [[

rawValue 20132651

]footer [

menuType filterType

report (Object)

table (Object)

rows (Array)

footer (Array)

9121 Overview

Authentication

9123 Examples

bull ipgrouppl

rm=ipgroups

action

search_ipgroups

create_ipgroup

bull IP Range

bull Network

bull Child IP Group

update_ipgroup

Output

delete_ipgroup

delete_rule

Output

retrieve_rules

Output

9125 Using the CLI

Command

import

Description

9131 Overview

Authentication

bull rm=user_api

bull action=

bull json=

9133 Examples

JavaScript

users [name MyAdmin

name MyGuest

]$ajax(

Python

users [

membership [2]

rm=user_api

action

createUser

users [

data [

id 3name MyAdmin

id 4name MyGuest

delUser

createUsergroup

usergroups[

delUsergroup

delUsergroups[

3My Usergroup

user_id5prefs[

dataupdated[

]errors[

dataupdated[

changeUsername

Changes usernames

changeUsername

membership

]remove[

dataadded[

]removed[

permissions

]remove[

dataupdated[

Admin Tab Overview

Data Aggregation

Interface Details

Licensing

Report Designer

Reporting




Alarms

Overview

Gear Menu

Configuration Menu

Views Menu


Reports Menu

Edit Policy


Threat Index

Baselining

Baselining Overview

Dashboards

Dashboard Overview

Vitals Dashboard

Flow Analytics

Overview

Navigation

Configuration

Exclusions



Custom Algorithms

FA Bulletin Boards

Optimizing FA

Maps

Main View

Connections

Dependencies

Google Maps

Groups

Objects

Plixer Maps

Settings

Status

Status Tab

CrossCheck

CSV Reporting

Device Overview

Flow Hopper

Flow View


Report Thresholds

Run Report

Scheduling a report

Vitals Reporting

System

Backups

Changelog



Flowalyzer



Mailinizer Setup


Migration Utility


NetFlow Help

NetFlow Knights

Searching

Security Updates

SSL

System LEDs


Troubleshooting

Vitals

Web Server Port














Using the User API

Scrutinizer 1

2 Scrutinizer

CHAPTER 1

111 Settings

Data Aggregation

System LEDs

4 1 Admin

112 Definitions

6 1 Admin

ndash Status

8 1 Admin

113 Security

10 1 Admin

Functional IDs

Ap-plica-tion

User Us-age

Ac-cessLevel

Description

Op-erat-ingSys-tem

root In-ter-ac-tive

Priv-i-leged

Non-privileged

pg-bouncer

Non-interactive

Non-privileged

post-gresqlormysql

Non-interactive

Priv-i-leged

Database User

Priv-i-leged

HTTP services

Databaseroot In-

ter-ac-tive

Priv-i-leged

Non-privileged

scru-ti-nizer

Non-interactive

Priv-i-leged

Webinter-face

ad-min

In-ter-ac-tive

Priv-i-leged

12 1 Admin

bull Usage

bull Access level

User Groups

Settings

Device Status

Device Groups

Dashboard Gadgets

Members

14 1 Admin

Bulletin Boards

Delete Group

115 Reports

12 Data Aggregation

121 Overview

122 Upgrades

16 1 Admin

bull intervalTime

bull commonport

bull flowDirection

bull applicationId

In SAF mode

A Word about sFlow

18 1 Admin

bull Instance

20 1 Admin

131 SNMP

14 Licensing

141 Overview

142 Details

14 Licensing 21

143 License Key

Example License Key

15 Report Designer

22 1 Admin

(c) Rate vs Total

16 Reporting

24 1 Admin

171 Overview

26 1 Admin

28 1 Admin

30 1 Admin

32 1 Admin

bull member=DCip

34 1 Admin

36 1 Admin

38 1 Admin

40 1 Admin

191 Overview

192 Enable ERS

bull ERS Admin

bull ERS Operator

bull Super Admin

bull System Admin

42 1 Admin

44 1 Admin

CHAPTER 2

Alarms

21 Overview

211 Bulletin Boards

212 Heat Maps

213 Threat Index

46 2 Alarms

22 Gear Menu

221 Options

232 Alarm Settings

22 Gear Menu 47

236 IP Groups

238 Policy Manager

48 2 Alarms

239 Syslog Server

24 Views Menu

24 Views Menu 49

50 2 Alarms

24 Views Menu 51

244 Orphans

251 Overview

52 2 Alarms

26 Reports Menu

26 Reports Menu 53

261 Options

27 Edit Policy

271 Overview

272 Policy Fields

273 Filters

54 2 Alarms

274 Logic

ndash Regexp

275 Select Action

27 Edit Policy 55

276 Notifications

bull Trigger

281 Overview

56 2 Alarms

282 Alerts

Required fields are

ndash Priority

ndash Facility

Required fields are

ndash UDP Port

ndash Generic ID

ndash Specific ID

ndash Binding OID

ndash From Host

Required fields are

58 2 Alarms

29 Threat Index

29 Threat Index 59

60 2 Alarms

CHAPTER 3

Baselining

62 3 Baselining

SCRUTINIZERgt

ndash AVG = Average

ndash SUM = Sum

64 3 Baselining

clean baseline

show task baseline

Example

check task ltidgt

Example

66 3 Baselining

CHAPTER 4

Dashboards

Highlights

412 Menus

2 Dashboard name

3 Configuration

68 4 Dashboards

413 Gadget Icons

70 4 Dashboards

2 Choose Settings

42 Vitals Dashboard

72 4 Dashboards

74 4 Dashboards

CHAPTER 5

Flow Analytics

51 Overview

511 Overview

10000817216001219216800161692540016

52 Navigation

76 5 Flow Analytics

53 Configuration

53 Configuration 77

Important Notes

54 Exclusions

541 Overview

542 Exclusion Types

bull IP Address

bull IP Range

bull IP Subnet

78 5 Flow Analytics

54 Exclusions 79

EdgeRouters

FlowPro De-fender

Yes Yes Yes

FlowPro De-fender

Yes No No

FlowPro De-fender

80 5 Flow Analytics

561 Overview

82 5 Flow Analytics

ndash DNS

ndash NTP

ndash SNMP

ndash SSDP

ndash Chargen

ndash RPC Portmap

ndash Sentinel

84 5 Flow Analytics

86 5 Flow Analytics

BotNet Detection

88 5 Flow Analytics

DNS Data Leak

Domain Reputation

90 5 Flow Analytics

bull mcafeecom

bull sophoscom

bull sophosxlnet

bull webcfs03com

bull applecom

6 quit

92 5 Flow Analytics

6 quit

2 show domainlists

4 quit

2 show domainlists

4 quit

571 Getting Started

94 5 Flow Analytics

bull Threshold

2 Click New Policy

96 5 Flow Analytics

bull Policy Events

581 Policy Events

bull P2P Detection

bull DNS Hits

bull Denied Flows

98 5 Flow Analytics

bull FIN Scan

bull NULL Scan

bull RSTACK Scan

bull SYN Scan

bull TCP Scan

bull UDP Scan

bull XMAS Scan

583 Security Events

bull DDoS Detection

bull DNS Data Leak

59 Optimizing FA

CHAPTER 6

61 Main View

611 Overview

bull Objects

bull Backgrounds

bull Link Status

62 Connections

102 6 Maps

63 Dependencies

63 Dependencies 103

64 Google Maps

2 Click Save

104 6 Maps

ndash GPS Location

3 Then click Save

ndash Properties

65 Groups

Highlights

65 Groups 105

66 Objects

106 6 Maps

67 Plixer Maps

bull Settings

67 Plixer Maps 107

bull Objects

bull Connections

108 6 Maps

5 Click Save

bull Background

67 Plixer Maps 109

110 6 Maps

68 Settings

bull Google Maps

68 Settings 111

112 6 Maps

CHAPTER 7

Status

71 Status Tab

711 Interfaces

712 Menus

bull Down Arrow

114 7 Status

71 Status Tab 115

bull Views

ndash CrossCheck

713 Device Explorer

bull Groups

116 7 Status

71 Status Tab 117

714 Current Report

715 Saved Reports

118 7 Status

72 CrossCheck

722 Fault Index

72 CrossCheck 119

Table column header

120 7 Status

73 CSV Reporting

74 Device Overview

75 Flow Hopper

76 Flow View

761 Overview

Notice

122 7 Status

76 Flow View 123

124 7 Status

bull ENGINE_TYPE

bull ENGINE_ID

bull SAMPLER_NAME

bull NF_F_FW_EVENT

bull NF_F_USERNAME

76 Flow View 125

771 Overview

772 Templates

773 Report Types

126 7 Status

774 Current Report

No Data Found

776 Gear icon

128 7 Status

Graph Options

130 7 Status

Date Time Options

777 Saved Reports

For example

1011151

132 7 Status

1030113102711310261135102611310261119

Filter Logic

134 7 Status

779 Thresholds

7711 Other Options

bull Search

bull Alarms

1 Save a report

136 7 Status

781 Notes

79 Run Report

138 7 Status

79 Run Report 139

7101 Prerequisites

140 7 Status

ndash Recipients

bull Action

bull Email Subject

bull Schedule

ndash Hourly

ndash Daily

ndash Weekly

ndash Monthly

142 7 Status

144 7 Status

146 7 Status

CHAPTER 8

System

81 Backups

811 Overview

815 Suggested times

82 Changelog

148 8 System

Version 186 - 6292018

82 Changelog 149

Version 1711 - 11222017

150 8 System

Version 1710 - 10272017

Version 178 - 8302017

82 Changelog 151

Version 17621 - 6212017

Version 176 - 6192017

152 8 System

82 Changelog 153

Version 17227 - 3222017

154 8 System

Version 172 - 2222017

82 Changelog 155

831 Overview

832 Backporting

Here is an example

156 8 System

85 Flowalyzer

861 Overview

SCRUTINIZERgt

SCRUTINIZERgt exit

Exiting

[rootScrutinizer ~]

1) Interactive

158 8 System

863 Help Function

SCRUTINIZERgt help

864 Commands

bull check

bull ciscoise

bull clean

bull collect

bull counteract

bull delete

bull disable

bull download

bull enable

bull endace

bull expire

bull export

bull import

bull moloch

bull optimize

bull repair

bull services

bull set

bull show

bull snoop

bull system

bull upload

bull version

160 8 System

check routeltipgt

ciscoise

ciscoisenodelist

162 8 System

Com-mand

Description

clean base-line

cleandatabase

collect

collect base-line

collect topol-ogy

counteract

delete

164 8 System

delete or-phans

disable

Com-mand

Description

disablevmware-tools

download

enable

166 8 System

endace

expire

Com-mand

Description

expirealarms

expirednscache

expirehistory[trim]

expireifinfo

expireorphans

export

168 8 System

Com-mand

Description

import

1016913377749122419419216861407128740059

170 8 System

moloch

optimize

repair

Com-mand

Description

repairrange_starts

services

172 8 System

Com-mand

Description

sethttpdltportgt

setmyad-dress

setpass-wordrootdb

setpass-wordscrutdb

setreport-menu

set saltltsaltgt

set self-reporter

set ssllton|offgt

set tun-ing

set voiplton|offgt

174 8 System

Com-mand

Description

showalarms[filter]

showdiskspace

showgroups

showipad-dresses

showpcaplist

show task[name]

showtimezone

show tzlist[filter]

showunknown-columns

showyum_proxy

system

176 8 System

upload

version

178 8 System

88 Mailinizer Setup

891 Overview

180 8 System

8101 NAME

8102 SYNOPSIS

Run Modes

Options

182 8 System

8103 DESCRIPTION

8104 PRE-MIGRATION

PostgreSQL

8105 CONFIGURATION

184 8 System

_db_host

_db_user

_db_pass

_db_port

_db_dialect

186 8 System

[exporters]

inclusions

exclusions

[data range]

intervals

startend_epoch

[scrutinizer data]

alarms

dashboards

ipgroups

objects

reports

188 8 System

systemprefs

8106 EXAMPLES

migrateexe -t

migrateexe -c -m

migrateexe --finish

812 NetFlow Help

813 NetFlow Knights

190 8 System

814 Searching

8141 Overview

2 Host Index search

bull Source Host

bull Client

bull Server

bull User as Source

bull Wireless Host

bull Wireless SSID

814 Searching 191

bull First Seen

bull Last Seen

bull Flow Count

192 8 System

8151 Overview

INTERACTIVE

194 8 System

816 SSL

SCRUTINIZERgt

8162 Enabling SSL

816 SSL 195

State Province

Email Ad-dress

CommonName

8164 Disabling SSL

196 8 System

817 System LEDs

8171 Overview

817 System LEDs 197

NA NA NA

bull Free Disk DB

198 8 System

817 System LEDs 199

Apache Giraph

200 8 System

202 8 System

204 8 System

JSONXS

206 8 System

NetPacket

208 8 System

strace

210 8 System

212 8 System

214 8 System

216 8 System

218 8 System

220 8 System

819 Troubleshooting

820 Vitals

821 Web Server Port

8211 Overview

3 And run

8212 SSL Support

222 8 System

CHAPTER 9

911 Overview

bull Top AWS users

bull Action

bull Interface

bull Pair Interface

912 Prerequisites

1 AWS Account ID

2 Users gt Add User

(b) AWS Region Name

(d) AWS Stream Name

Default 4739

Overview

Enabling

Running

Debugging

921 Overview

SCRUTINIZERgt quit

Exiting

choose Start

931 Overview

bull Firewall List

932 Prerequisites

bull eStreamer 54

(b) example

936 Wait for Flows

941 Overview

bull Add a probe

bull Remove a probe

2 Violated Alarms

bull Initiator IP

bull Target IP

bull Protocol

5 Click Search

Violated Alarms

7 Click Search

5 Click Search

961 Overview

971 Overview

bull and more

3 Click Save

Example

Navigate to

2 Click Add Alert

981 Overview

982 What is ELK

Kibana 42

Scrutinizer v1512+

bull CPU

bull Memory

bull Disk Usage

bull Top Countries

bull Top Flows

bull Top Hosts

bull Top Jitter

bull Top Networks

3 And run

Preparing Kibana

991 Overview

bull CPU

bull Memory

bull Disk Usage

bull Dashboards

bull Maps

bull Alarms

bull Top Countries

bull Top Flows

bull Top Hosts

bull Top Jitter

bull Top Networks

bull and more

bull plixercom

bull Latest Blogs

(a) Run

2 Log into Splunk

ndash Click Next

9111 Overview

Authentication

bull rm=report_api

bull action=get

bull rpt_json=

9113 Examples

JavaScript

times start 1426001640end 1426088100

filters

selected auto

var data_i_need =

outbound

table query_limit

$ajax(

Python

selected 1m

data_i_need =

inbound table

rpt_json

ndash conversations

ndash host2host

ndash ipGroupGroup

ndash applications

ndash trafficTrend

ndash inbound

ndash outbound

ndash both

LastFiveMinutes

LastTenMinutes

LastFifteenMinutes

LastTwentyMinutes

LastThirtyMinutes

LastHour

LastFullHour

LastThreeDays

LastSevenDays

LastThirtyDays

Yesterday

Last24Hours

ThisWeek

LastWeek

ThisMonth

LastMonth

ThisYear

Last year

ndash start

ndash end

ndash 1

ndash 5

ndash 30

ndash 120

ndash 720

ndash 1440

ndash 10080

bull rateTotal

selected rate total

bull byInt

selected 1

data_requested

Return Data

Example

report

]rows [[

rawValue 20132651

]footer [

menuType filterType

report (Object)

table (Object)

rows (Array)

footer (Array)

9121 Overview

Authentication

9123 Examples

bull ipgrouppl

rm=ipgroups

action

search_ipgroups

create_ipgroup

bull IP Range

bull Network

bull Child IP Group

update_ipgroup

Output

delete_ipgroup

delete_rule

Output

retrieve_rules

Output

9125 Using the CLI

Command

import

Description

9131 Overview

Authentication

bull rm=user_api

bull action=

bull json=

9133 Examples

JavaScript

users [name MyAdmin

name MyGuest

]$ajax(

Python

users [

membership [2]

rm=user_api

action

createUser

users [

data [

id 3name MyAdmin

id 4name MyGuest

delUser

createUsergroup

usergroups[

delUsergroup

delUsergroups[

3My Usergroup

user_id5prefs[

dataupdated[

]errors[

dataupdated[

changeUsername

Changes usernames

changeUsername

membership

]remove[

dataadded[

]removed[

permissions

]remove[

dataupdated[

Admin Tab Overview

Data Aggregation

Interface Details

Licensing

Report Designer

Reporting




Alarms

Overview

Gear Menu

Configuration Menu

Views Menu


Reports Menu

Edit Policy


Threat Index

Baselining

Baselining Overview

Dashboards

Dashboard Overview

Vitals Dashboard

Flow Analytics

Overview

Navigation

Configuration

Exclusions



Custom Algorithms

FA Bulletin Boards

Optimizing FA

Maps

Main View

Connections

Dependencies

Google Maps

Groups

Objects

Plixer Maps

Settings

Status

Status Tab

CrossCheck

CSV Reporting

Device Overview

Flow Hopper

Flow View


Report Thresholds

Run Report

Scheduling a report

Vitals Reporting

System

Backups

Changelog



Flowalyzer



Mailinizer Setup


Migration Utility


NetFlow Help

NetFlow Knights

Searching

Security Updates

SSL

System LEDs


Troubleshooting

Vitals

Web Server Port














Using the User API

Scrutinizer 1

2 Scrutinizer

CHAPTER 1

111 Settings

Data Aggregation

System LEDs

4 1 Admin

112 Definitions

6 1 Admin

ndash Status

8 1 Admin

113 Security

10 1 Admin

Functional IDs

Ap-plica-tion

User Us-age

Ac-cessLevel

Description

Op-erat-ingSys-tem

root In-ter-ac-tive

Priv-i-leged

Non-privileged

pg-bouncer

Non-interactive

Non-privileged

post-gresqlormysql

Non-interactive

Priv-i-leged

Database User

Priv-i-leged

HTTP services

Databaseroot In-

ter-ac-tive

Priv-i-leged

Non-privileged

scru-ti-nizer

Non-interactive

Priv-i-leged

Webinter-face

ad-min

In-ter-ac-tive

Priv-i-leged

12 1 Admin

bull Usage

bull Access level

User Groups

Settings

Device Status

Device Groups

Dashboard Gadgets

Members

14 1 Admin

Bulletin Boards

Delete Group

115 Reports

12 Data Aggregation

121 Overview

122 Upgrades

16 1 Admin

bull intervalTime

bull commonport

bull flowDirection

bull applicationId

In SAF mode

A Word about sFlow

18 1 Admin

bull Instance

20 1 Admin

131 SNMP

14 Licensing

141 Overview

142 Details

14 Licensing 21

143 License Key

Example License Key

15 Report Designer

22 1 Admin

(c) Rate vs Total

16 Reporting

24 1 Admin

171 Overview

26 1 Admin

28 1 Admin

30 1 Admin

32 1 Admin

bull member=DCip

34 1 Admin

36 1 Admin

38 1 Admin

40 1 Admin

191 Overview

192 Enable ERS

bull ERS Admin

bull ERS Operator

bull Super Admin

bull System Admin

42 1 Admin

44 1 Admin

CHAPTER 2

Alarms

21 Overview

211 Bulletin Boards

212 Heat Maps

213 Threat Index

46 2 Alarms

22 Gear Menu

221 Options

232 Alarm Settings

22 Gear Menu 47

236 IP Groups

238 Policy Manager

48 2 Alarms

239 Syslog Server

24 Views Menu

24 Views Menu 49

50 2 Alarms

24 Views Menu 51

244 Orphans

251 Overview

52 2 Alarms

26 Reports Menu

26 Reports Menu 53

261 Options

27 Edit Policy

271 Overview

272 Policy Fields

273 Filters

54 2 Alarms

274 Logic

ndash Regexp

275 Select Action

27 Edit Policy 55

276 Notifications

bull Trigger

281 Overview

56 2 Alarms

282 Alerts

Required fields are

ndash Priority

ndash Facility

Required fields are

ndash UDP Port

ndash Generic ID

ndash Specific ID

ndash Binding OID

ndash From Host

Required fields are

58 2 Alarms

29 Threat Index

29 Threat Index 59

60 2 Alarms

CHAPTER 3

Baselining

62 3 Baselining

SCRUTINIZERgt

ndash AVG = Average

ndash SUM = Sum

64 3 Baselining

clean baseline

show task baseline

Example

check task ltidgt

Example

66 3 Baselining

CHAPTER 4

Dashboards

Highlights

412 Menus

2 Dashboard name

3 Configuration

68 4 Dashboards

413 Gadget Icons

70 4 Dashboards

2 Choose Settings

42 Vitals Dashboard

72 4 Dashboards

74 4 Dashboards

CHAPTER 5

Flow Analytics

51 Overview

511 Overview

10000817216001219216800161692540016

52 Navigation

76 5 Flow Analytics

53 Configuration

53 Configuration 77

Important Notes

54 Exclusions

541 Overview

542 Exclusion Types

bull IP Address

bull IP Range

bull IP Subnet

78 5 Flow Analytics

54 Exclusions 79

EdgeRouters

FlowPro De-fender

Yes Yes Yes

FlowPro De-fender

Yes No No

FlowPro De-fender

80 5 Flow Analytics

561 Overview

82 5 Flow Analytics

ndash DNS

ndash NTP

ndash SNMP

ndash SSDP

ndash Chargen

ndash RPC Portmap

ndash Sentinel

84 5 Flow Analytics

86 5 Flow Analytics

BotNet Detection

88 5 Flow Analytics

DNS Data Leak

Domain Reputation

90 5 Flow Analytics

bull mcafeecom

bull sophoscom

bull sophosxlnet

bull webcfs03com

bull applecom

6 quit

92 5 Flow Analytics

6 quit

2 show domainlists

4 quit

2 show domainlists

4 quit

571 Getting Started

94 5 Flow Analytics

bull Threshold

2 Click New Policy

96 5 Flow Analytics

bull Policy Events

581 Policy Events

bull P2P Detection

bull DNS Hits

bull Denied Flows

98 5 Flow Analytics

bull FIN Scan

bull NULL Scan

bull RSTACK Scan

bull SYN Scan

bull TCP Scan

bull UDP Scan

bull XMAS Scan

583 Security Events

bull DDoS Detection

bull DNS Data Leak

59 Optimizing FA

CHAPTER 6

61 Main View

611 Overview

bull Objects

bull Backgrounds

bull Link Status

62 Connections

102 6 Maps

63 Dependencies

63 Dependencies 103

64 Google Maps

2 Click Save

104 6 Maps

ndash GPS Location

3 Then click Save

ndash Properties

65 Groups

Highlights

65 Groups 105

66 Objects

106 6 Maps

67 Plixer Maps

bull Settings

67 Plixer Maps 107

bull Objects

bull Connections

108 6 Maps

5 Click Save

bull Background

67 Plixer Maps 109

110 6 Maps

68 Settings

bull Google Maps

68 Settings 111

112 6 Maps

CHAPTER 7

Status

71 Status Tab

711 Interfaces

712 Menus

bull Down Arrow

114 7 Status

71 Status Tab 115

bull Views

ndash CrossCheck

713 Device Explorer

bull Groups

116 7 Status

71 Status Tab 117

714 Current Report

715 Saved Reports

118 7 Status

72 CrossCheck

722 Fault Index

72 CrossCheck 119

Table column header

120 7 Status

73 CSV Reporting

74 Device Overview

75 Flow Hopper

76 Flow View

761 Overview

Notice

122 7 Status

76 Flow View 123

124 7 Status

bull ENGINE_TYPE

bull ENGINE_ID

bull SAMPLER_NAME

bull NF_F_FW_EVENT

bull NF_F_USERNAME

76 Flow View 125

771 Overview

772 Templates

773 Report Types

126 7 Status

774 Current Report

No Data Found

776 Gear icon

128 7 Status

Graph Options

130 7 Status

Date Time Options

777 Saved Reports

For example

1011151

132 7 Status

1030113102711310261135102611310261119

Filter Logic

134 7 Status

779 Thresholds

7711 Other Options

bull Search

bull Alarms

1 Save a report

136 7 Status

781 Notes

79 Run Report

138 7 Status

79 Run Report 139

7101 Prerequisites

140 7 Status

ndash Recipients

bull Action

bull Email Subject

bull Schedule

ndash Hourly

ndash Daily

ndash Weekly

ndash Monthly

142 7 Status

144 7 Status

146 7 Status

CHAPTER 8

System

81 Backups

811 Overview

815 Suggested times

82 Changelog

148 8 System

Version 186 - 6292018

82 Changelog 149

Version 1711 - 11222017

150 8 System

Version 1710 - 10272017

Version 178 - 8302017

82 Changelog 151

Version 17621 - 6212017

Version 176 - 6192017

152 8 System

82 Changelog 153

Version 17227 - 3222017

154 8 System

Version 172 - 2222017

82 Changelog 155

831 Overview

832 Backporting

Here is an example

156 8 System

85 Flowalyzer

861 Overview

SCRUTINIZERgt

SCRUTINIZERgt exit

Exiting

[rootScrutinizer ~]

1) Interactive

158 8 System

863 Help Function

SCRUTINIZERgt help

864 Commands

bull check

bull ciscoise

bull clean

bull collect

bull counteract

bull delete

bull disable

bull download

bull enable

bull endace

bull expire

bull export

bull import

bull moloch

bull optimize

bull repair

bull services

bull set

bull show

bull snoop

bull system

bull upload

bull version

160 8 System

check routeltipgt

ciscoise

ciscoisenodelist

162 8 System

Com-mand

Description

clean base-line

cleandatabase

collect

collect base-line

collect topol-ogy

counteract

delete

164 8 System

delete or-phans

disable

Com-mand

Description

disablevmware-tools

download

enable

166 8 System

endace

expire

Com-mand

Description

expirealarms

expirednscache

expirehistory[trim]

expireifinfo

expireorphans

export

168 8 System

Com-mand

Description

import

1016913377749122419419216861407128740059

170 8 System

moloch

optimize

repair

Com-mand

Description

repairrange_starts

services

172 8 System

Com-mand

Description

sethttpdltportgt

setmyad-dress

setpass-wordrootdb

setpass-wordscrutdb

setreport-menu

set saltltsaltgt

set self-reporter

set ssllton|offgt

set tun-ing

set voiplton|offgt

174 8 System

Com-mand

Description

showalarms[filter]

showdiskspace

showgroups

showipad-dresses

showpcaplist

show task[name]

showtimezone

show tzlist[filter]

showunknown-columns

showyum_proxy

system

176 8 System

upload

version

178 8 System

88 Mailinizer Setup

891 Overview

180 8 System

8101 NAME

8102 SYNOPSIS

Run Modes

Options

182 8 System

8103 DESCRIPTION

8104 PRE-MIGRATION

PostgreSQL

8105 CONFIGURATION

184 8 System

_db_host

_db_user

_db_pass

_db_port

_db_dialect

186 8 System

[exporters]

inclusions

exclusions

[data range]

intervals

startend_epoch

[scrutinizer data]

alarms

dashboards

ipgroups

objects

reports

188 8 System

systemprefs

8106 EXAMPLES

migrateexe -t

migrateexe -c -m

migrateexe --finish

812 NetFlow Help

813 NetFlow Knights

190 8 System

814 Searching

8141 Overview

2 Host Index search

bull Source Host

bull Client

bull Server

bull User as Source

bull Wireless Host

bull Wireless SSID

814 Searching 191

bull First Seen

bull Last Seen

bull Flow Count

192 8 System

8151 Overview

INTERACTIVE

194 8 System

816 SSL

SCRUTINIZERgt

8162 Enabling SSL

816 SSL 195

State Province

Email Ad-dress

CommonName

8164 Disabling SSL

196 8 System

817 System LEDs

8171 Overview

817 System LEDs 197

NA NA NA

bull Free Disk DB

198 8 System

817 System LEDs 199

Apache Giraph

200 8 System

202 8 System

204 8 System

JSONXS

206 8 System

NetPacket

208 8 System

strace

210 8 System

212 8 System

214 8 System

216 8 System

218 8 System

220 8 System

819 Troubleshooting

820 Vitals

821 Web Server Port

8211 Overview

3 And run

8212 SSL Support

222 8 System

CHAPTER 9

911 Overview

bull Top AWS users

bull Action

bull Interface

bull Pair Interface

912 Prerequisites

1 AWS Account ID

2 Users gt Add User

(b) AWS Region Name

(d) AWS Stream Name

Default 4739

Overview

Enabling

Running

Debugging

921 Overview

SCRUTINIZERgt quit

Exiting

choose Start

931 Overview

bull Firewall List

932 Prerequisites

bull eStreamer 54

(b) example

936 Wait for Flows

941 Overview

bull Add a probe

bull Remove a probe

2 Violated Alarms

bull Initiator IP

bull Target IP

bull Protocol

5 Click Search

Violated Alarms

7 Click Search

5 Click Search

961 Overview

971 Overview

bull and more

3 Click Save

Example

Navigate to

2 Click Add Alert

981 Overview

982 What is ELK

Kibana 42

Scrutinizer v1512+

bull CPU

bull Memory

bull Disk Usage

bull Top Countries

bull Top Flows

bull Top Hosts

bull Top Jitter

bull Top Networks

3 And run

Preparing Kibana

991 Overview

bull CPU

bull Memory

bull Disk Usage

bull Dashboards

bull Maps

bull Alarms

bull Top Countries

bull Top Flows

bull Top Hosts

bull Top Jitter

bull Top Networks

bull and more

bull plixercom

bull Latest Blogs

(a) Run

2 Log into Splunk

ndash Click Next

9111 Overview

Authentication

bull rm=report_api

bull action=get

bull rpt_json=

9113 Examples

JavaScript

times start 1426001640end 1426088100

filters

selected auto

var data_i_need =

outbound

table query_limit

$ajax(

Python

selected 1m

data_i_need =

inbound table

rpt_json

ndash conversations

ndash host2host

ndash ipGroupGroup

ndash applications

ndash trafficTrend

ndash inbound

ndash outbound

ndash both

LastFiveMinutes

LastTenMinutes

LastFifteenMinutes

LastTwentyMinutes

LastThirtyMinutes

LastHour

LastFullHour

LastThreeDays

LastSevenDays

LastThirtyDays

Yesterday

Last24Hours

ThisWeek

LastWeek

ThisMonth

LastMonth

ThisYear

Last year

ndash start

ndash end

ndash 1

ndash 5

ndash 30

ndash 120

ndash 720

ndash 1440

ndash 10080

bull rateTotal

selected rate total

bull byInt

selected 1

data_requested

Return Data

Example

report

]rows [[

rawValue 20132651

]footer [

menuType filterType

report (Object)

table (Object)

rows (Array)

footer (Array)

9121 Overview

Authentication

9123 Examples

bull ipgrouppl

rm=ipgroups

action

search_ipgroups

create_ipgroup

bull IP Range

bull Network

bull Child IP Group

update_ipgroup

Output

delete_ipgroup

delete_rule

Output

retrieve_rules

Output

9125 Using the CLI

Command

import

Description

9131 Overview

Authentication

bull rm=user_api

bull action=

bull json=

9133 Examples

JavaScript

users [name MyAdmin

name MyGuest

]$ajax(

Python

users [

membership [2]

rm=user_api

action

createUser

users [

data [

id 3name MyAdmin

id 4name MyGuest

delUser

createUsergroup

usergroups[

delUsergroup

delUsergroups[

3My Usergroup

user_id5prefs[

dataupdated[

]errors[

dataupdated[

changeUsername

Changes usernames

changeUsername

membership

]remove[

dataadded[

]removed[

permissions

]remove[

dataupdated[

Admin Tab Overview

Data Aggregation

Interface Details

Licensing

Report Designer

Reporting




Alarms

Overview

Gear Menu

Configuration Menu

Views Menu


Reports Menu

Edit Policy


Threat Index

Baselining

Baselining Overview

Dashboards

Dashboard Overview

Vitals Dashboard

Flow Analytics

Overview

Navigation

Configuration

Exclusions



Custom Algorithms

FA Bulletin Boards

Optimizing FA

Maps

Main View

Connections

Dependencies

Google Maps

Groups

Objects

Plixer Maps

Settings

Status

Status Tab

CrossCheck

CSV Reporting

Device Overview

Flow Hopper

Flow View


Report Thresholds

Run Report

Scheduling a report

Vitals Reporting

System

Backups

Changelog



Flowalyzer



Mailinizer Setup


Migration Utility


NetFlow Help

NetFlow Knights

Searching

Security Updates

SSL

System LEDs


Troubleshooting

Vitals

Web Server Port














Using the User API

Scrutinizer 1

2 Scrutinizer

CHAPTER 1

111 Settings

Data Aggregation

System LEDs

4 1 Admin

112 Definitions

6 1 Admin

ndash Status

8 1 Admin

113 Security

10 1 Admin

Functional IDs

Ap-plica-tion

User Us-age

Ac-cessLevel

Description

Op-erat-ingSys-tem

root In-ter-ac-tive

Priv-i-leged

Non-privileged

pg-bouncer

Non-interactive

Non-privileged

post-gresqlormysql

Non-interactive

Priv-i-leged

Database User

Priv-i-leged

HTTP services

Databaseroot In-

ter-ac-tive

Priv-i-leged

Non-privileged

scru-ti-nizer

Non-interactive

Priv-i-leged

Webinter-face

ad-min

In-ter-ac-tive

Priv-i-leged

12 1 Admin

bull Usage

bull Access level

User Groups

Settings

Device Status

Device Groups

Dashboard Gadgets

Members

14 1 Admin

Bulletin Boards

Delete Group

115 Reports

12 Data Aggregation

121 Overview

122 Upgrades

16 1 Admin

bull intervalTime

bull commonport

bull flowDirection

bull applicationId

In SAF mode

A Word about sFlow

18 1 Admin

bull Instance

20 1 Admin

131 SNMP

14 Licensing

141 Overview

142 Details

14 Licensing 21

143 License Key

Example License Key

15 Report Designer

22 1 Admin

(c) Rate vs Total

16 Reporting

24 1 Admin

171 Overview

26 1 Admin

28 1 Admin

30 1 Admin

32 1 Admin

bull member=DCip

34 1 Admin

36 1 Admin

38 1 Admin

40 1 Admin

191 Overview

192 Enable ERS

bull ERS Admin

bull ERS Operator

bull Super Admin

bull System Admin

42 1 Admin

44 1 Admin

CHAPTER 2

Alarms

21 Overview

211 Bulletin Boards

212 Heat Maps

213 Threat Index

46 2 Alarms

22 Gear Menu

221 Options

232 Alarm Settings

22 Gear Menu 47

236 IP Groups

238 Policy Manager

48 2 Alarms

239 Syslog Server

24 Views Menu

24 Views Menu 49

50 2 Alarms

24 Views Menu 51

244 Orphans

251 Overview

52 2 Alarms

26 Reports Menu

26 Reports Menu 53

261 Options

27 Edit Policy

271 Overview

272 Policy Fields

273 Filters

54 2 Alarms

274 Logic

ndash Regexp

275 Select Action

27 Edit Policy 55

276 Notifications

bull Trigger

281 Overview

56 2 Alarms

282 Alerts

Required fields are

ndash Priority

ndash Facility

Required fields are

ndash UDP Port

ndash Generic ID

ndash Specific ID

ndash Binding OID

ndash From Host

Required fields are

58 2 Alarms

29 Threat Index

29 Threat Index 59

60 2 Alarms

CHAPTER 3

Baselining

62 3 Baselining

SCRUTINIZERgt

ndash AVG = Average

ndash SUM = Sum

64 3 Baselining

clean baseline

show task baseline

Example

check task ltidgt

Example

66 3 Baselining

CHAPTER 4

Dashboards

Highlights

412 Menus

2 Dashboard name

3 Configuration

68 4 Dashboards

413 Gadget Icons

70 4 Dashboards

2 Choose Settings

42 Vitals Dashboard

72 4 Dashboards

74 4 Dashboards

CHAPTER 5

Flow Analytics

51 Overview

511 Overview

10000817216001219216800161692540016

52 Navigation

76 5 Flow Analytics

53 Configuration

53 Configuration 77

Important Notes

54 Exclusions

541 Overview

542 Exclusion Types

bull IP Address

bull IP Range

bull IP Subnet

78 5 Flow Analytics

54 Exclusions 79

EdgeRouters

FlowPro De-fender

Yes Yes Yes

FlowPro De-fender

Yes No No

FlowPro De-fender

80 5 Flow Analytics

561 Overview

82 5 Flow Analytics

ndash DNS

ndash NTP

ndash SNMP

ndash SSDP

ndash Chargen

ndash RPC Portmap

ndash Sentinel

84 5 Flow Analytics

86 5 Flow Analytics

BotNet Detection

88 5 Flow Analytics

DNS Data Leak

Domain Reputation

90 5 Flow Analytics

bull mcafeecom

bull sophoscom

bull sophosxlnet

bull webcfs03com

bull applecom

6 quit

92 5 Flow Analytics

6 quit

2 show domainlists

4 quit

2 show domainlists

4 quit

571 Getting Started

94 5 Flow Analytics

bull Threshold

2 Click New Policy

96 5 Flow Analytics

bull Policy Events

581 Policy Events

bull P2P Detection

bull DNS Hits

bull Denied Flows

98 5 Flow Analytics

bull FIN Scan

bull NULL Scan

bull RSTACK Scan

bull SYN Scan

bull TCP Scan

bull UDP Scan

bull XMAS Scan

583 Security Events

bull DDoS Detection

bull DNS Data Leak

59 Optimizing FA

CHAPTER 6

61 Main View

611 Overview

bull Objects

bull Backgrounds

bull Link Status

62 Connections

102 6 Maps

63 Dependencies

63 Dependencies 103

64 Google Maps

2 Click Save

104 6 Maps

ndash GPS Location

3 Then click Save

ndash Properties

65 Groups

Highlights

65 Groups 105

66 Objects

106 6 Maps

67 Plixer Maps

bull Settings

67 Plixer Maps 107

bull Objects

bull Connections

108 6 Maps

5 Click Save

bull Background

67 Plixer Maps 109

110 6 Maps

68 Settings

bull Google Maps

68 Settings 111

112 6 Maps

CHAPTER 7

Status

71 Status Tab

711 Interfaces

712 Menus

bull Down Arrow

114 7 Status

71 Status Tab 115

bull Views

ndash CrossCheck

713 Device Explorer

bull Groups

116 7 Status

71 Status Tab 117

714 Current Report

715 Saved Reports

118 7 Status

72 CrossCheck

722 Fault Index

72 CrossCheck 119

Table column header

120 7 Status

73 CSV Reporting

74 Device Overview

75 Flow Hopper

76 Flow View

761 Overview

Notice

122 7 Status

76 Flow View 123

124 7 Status

bull ENGINE_TYPE

bull ENGINE_ID

bull SAMPLER_NAME

bull NF_F_FW_EVENT

bull NF_F_USERNAME

76 Flow View 125

771 Overview

772 Templates

773 Report Types

126 7 Status

774 Current Report

No Data Found

776 Gear icon

128 7 Status

Graph Options

130 7 Status

Date Time Options

777 Saved Reports

For example

1011151

132 7 Status

1030113102711310261135102611310261119

Filter Logic

134 7 Status

779 Thresholds

7711 Other Options

bull Search

bull Alarms

1 Save a report

136 7 Status

781 Notes

79 Run Report

138 7 Status

79 Run Report 139

7101 Prerequisites

140 7 Status

ndash Recipients

bull Action

bull Email Subject

bull Schedule

ndash Hourly

ndash Daily

ndash Weekly

ndash Monthly

142 7 Status

144 7 Status

146 7 Status

CHAPTER 8

System

81 Backups

811 Overview

815 Suggested times

82 Changelog

148 8 System

Version 186 - 6292018

82 Changelog 149

Version 1711 - 11222017

150 8 System

Version 1710 - 10272017

Version 178 - 8302017

82 Changelog 151

Version 17621 - 6212017

Version 176 - 6192017

152 8 System

82 Changelog 153

Version 17227 - 3222017

154 8 System

Version 172 - 2222017

82 Changelog 155

831 Overview

832 Backporting

Here is an example

156 8 System

85 Flowalyzer

861 Overview

SCRUTINIZERgt

SCRUTINIZERgt exit

Exiting

[rootScrutinizer ~]

1) Interactive

158 8 System

863 Help Function

SCRUTINIZERgt help

864 Commands

bull check

bull ciscoise

bull clean

bull collect

bull counteract

bull delete

bull disable

bull download

bull enable

bull endace

bull expire

bull export

bull import

bull moloch

bull optimize

bull repair

bull services

bull set

bull show

bull snoop

bull system

bull upload

bull version

160 8 System

check routeltipgt

ciscoise

ciscoisenodelist

162 8 System

Com-mand

Description

clean base-line

cleandatabase

collect

collect base-line

collect topol-ogy

counteract

delete

164 8 System

delete or-phans

disable

Com-mand

Description

disablevmware-tools

download

enable

166 8 System

endace

expire

Com-mand

Description

expirealarms

expirednscache

expirehistory[trim]

expireifinfo

expireorphans

export

168 8 System

Com-mand

Description

import

1016913377749122419419216861407128740059

170 8 System

moloch

optimize

repair

Com-mand

Description

repairrange_starts

services

172 8 System

Com-mand

Description

sethttpdltportgt

setmyad-dress

setpass-wordrootdb

setpass-wordscrutdb

setreport-menu

set saltltsaltgt

set self-reporter

set ssllton|offgt

set tun-ing

set voiplton|offgt

174 8 System

Com-mand

Description

showalarms[filter]

showdiskspace

showgroups

showipad-dresses

showpcaplist

show task[name]

showtimezone

show tzlist[filter]

showunknown-columns

showyum_proxy

system

176 8 System

upload

version

178 8 System

88 Mailinizer Setup

891 Overview

180 8 System

8101 NAME

8102 SYNOPSIS

Run Modes

Options

182 8 System

8103 DESCRIPTION

8104 PRE-MIGRATION

PostgreSQL

8105 CONFIGURATION

184 8 System

_db_host

_db_user

_db_pass

_db_port

_db_dialect

186 8 System

[exporters]

inclusions

exclusions

[data range]

intervals

startend_epoch

[scrutinizer data]

alarms

dashboards

ipgroups

objects

reports

188 8 System

systemprefs

8106 EXAMPLES

migrateexe -t

migrateexe -c -m

migrateexe --finish

812 NetFlow Help

813 NetFlow Knights

190 8 System

814 Searching

8141 Overview

2 Host Index search

bull Source Host

bull Client

bull Server

bull User as Source

bull Wireless Host

bull Wireless SSID

814 Searching 191

bull First Seen

bull Last Seen

bull Flow Count

192 8 System

8151 Overview

INTERACTIVE

194 8 System

816 SSL

SCRUTINIZERgt

8162 Enabling SSL

816 SSL 195

State Province

Email Ad-dress

CommonName

8164 Disabling SSL

196 8 System

817 System LEDs

8171 Overview

817 System LEDs 197

NA NA NA

bull Free Disk DB

198 8 System

817 System LEDs 199

Apache Giraph

200 8 System

202 8 System

204 8 System

JSONXS

206 8 System

NetPacket

208 8 System

strace

210 8 System

212 8 System

214 8 System

216 8 System

218 8 System

220 8 System

819 Troubleshooting

820 Vitals

821 Web Server Port

8211 Overview

3 And run

8212 SSL Support

222 8 System

CHAPTER 9

911 Overview

bull Top AWS users

bull Action

bull Interface

bull Pair Interface

912 Prerequisites

1 AWS Account ID

2 Users gt Add User

(b) AWS Region Name

(d) AWS Stream Name

Default 4739

Overview

Enabling

Running

Debugging

921 Overview

SCRUTINIZERgt quit

Exiting

choose Start

931 Overview

bull Firewall List

932 Prerequisites

bull eStreamer 54

(b) example

936 Wait for Flows

941 Overview

bull Add a probe

bull Remove a probe

2 Violated Alarms

bull Initiator IP

bull Target IP

bull Protocol

5 Click Search

Violated Alarms

7 Click Search

5 Click Search

961 Overview

971 Overview

bull and more

3 Click Save

Example

Navigate to

2 Click Add Alert

981 Overview

982 What is ELK

Kibana 42

Scrutinizer v1512+

bull CPU

bull Memory

bull Disk Usage

bull Top Countries

bull Top Flows

bull Top Hosts

bull Top Jitter

bull Top Networks

3 And run

Preparing Kibana

991 Overview

bull CPU

bull Memory

bull Disk Usage

bull Dashboards

bull Maps

bull Alarms

bull Top Countries

bull Top Flows

bull Top Hosts

bull Top Jitter

bull Top Networks

bull and more

bull plixercom

bull Latest Blogs

(a) Run

2 Log into Splunk

ndash Click Next

9111 Overview

Authentication

bull rm=report_api

bull action=get

bull rpt_json=

9113 Examples

JavaScript

times start 1426001640end 1426088100

filters

selected auto

var data_i_need =

outbound

table query_limit

$ajax(

Python

selected 1m

data_i_need =

inbound table

rpt_json

ndash conversations

ndash host2host

ndash ipGroupGroup

ndash applications

ndash trafficTrend

ndash inbound

ndash outbound

ndash both

LastFiveMinutes

LastTenMinutes

LastFifteenMinutes

LastTwentyMinutes

LastThirtyMinutes

LastHour

LastFullHour

LastThreeDays

LastSevenDays

LastThirtyDays

Yesterday

Last24Hours

ThisWeek

LastWeek

ThisMonth

LastMonth

ThisYear

Last year

ndash start

ndash end

ndash 1

ndash 5

ndash 30

ndash 120

ndash 720

ndash 1440

ndash 10080

bull rateTotal

selected rate total

bull byInt

selected 1

data_requested

Return Data

Example

report

]rows [[

rawValue 20132651

]footer [

menuType filterType

report (Object)

table (Object)

rows (Array)

footer (Array)

9121 Overview

Authentication

9123 Examples

bull ipgrouppl

rm=ipgroups

action

search_ipgroups

create_ipgroup

bull IP Range

bull Network

bull Child IP Group

update_ipgroup

Output

delete_ipgroup

delete_rule

Output

retrieve_rules

Output

9125 Using the CLI

Command

import

Description

9131 Overview

Authentication

bull rm=user_api

bull action=

bull json=

9133 Examples

JavaScript

users [name MyAdmin

name MyGuest

]$ajax(

Python

users [

membership [2]

rm=user_api

action

createUser

users [

data [

id 3name MyAdmin

id 4name MyGuest

delUser

createUsergroup

usergroups[

delUsergroup

delUsergroups[

3My Usergroup

user_id5prefs[

dataupdated[

]errors[

dataupdated[

changeUsername

Changes usernames

changeUsername

membership

]remove[

dataadded[

]removed[

permissions

]remove[

dataupdated[

Admin Tab Overview

Data Aggregation

Interface Details

Licensing

Report Designer

Reporting




Alarms

Overview

Gear Menu

Configuration Menu

Views Menu


Reports Menu

Edit Policy


Threat Index

Baselining

Baselining Overview

Dashboards

Dashboard Overview

Vitals Dashboard

Flow Analytics

Overview

Navigation

Configuration

Exclusions



Custom Algorithms

FA Bulletin Boards

Optimizing FA

Maps

Main View

Connections

Dependencies

Google Maps

Groups

Objects

Plixer Maps

Settings

Status

Status Tab

CrossCheck

CSV Reporting

Device Overview

Flow Hopper

Flow View


Report Thresholds

Run Report

Scheduling a report

Vitals Reporting

System

Backups

Changelog



Flowalyzer



Mailinizer Setup


Migration Utility


NetFlow Help

NetFlow Knights

Searching

Security Updates

SSL

System LEDs


Troubleshooting

Vitals

Web Server Port














Using the User API

Documents

Version 18.6 Plixer - readthedocs.com