Metrics metrics metrics !
You have the best IDS deployed, but do you have all of the metrics ??
If you dont have the traffic metrics, you may not know your network all that well. This is where Trisul Network Analytics comes in, with over 100+ metrics ready to go.
Our latest release Trisul 3.6 introduces the following new metrics. Lets take closer look at each of them.
- HTTP Status Codes
- HTTP Methods
- ICMP Types and Codes
- Long Fat Tail Hosts (already described here)
- Long Thin Tail Hosts (already described here)
HTTP Status Codes
Do you know how much of your traffic is 404 Not Found ? This new counter group breaks up your HTTP traffic stats by response code. Gain valuable insights into web activity and add another entry point to begin hunting style analysis.
Metrics over time
Totals for any time interval. Use Retro→Counters
Things to try
- Download PCAPS of all Permission Denied flows for further investigation
- Create Threshold Crossing Alerts for these once you have a baseline
- Create flow taggers for “abnormal” responses.
Flows tagged by HTTP responses, query and pull PCAPs for further analysis
In addition to HTTP Hosts and HTTP Content-Types now you can keep an eye on what kinds of HTTP methods are traversing your network. This new counter group breaks up web traffic by HTTP methods, such as GET/POST/HEAD/PUTs.
Traffic by HTTP methods
Do you know what percent of your traffic is ICMP ? Trisul 3.6 takes it a bit further and gives you a complete breakup of ICMP Type + Codes This can be of great use to detecting a number of network level issues.
Complete breakup of ICMP traffic can give deep insight into network issues
We’ve also added the following meters to existing counter groups.
Flows per host
All Host based counter groups (Hosts/ Internal Hosts/ External Hosts) get a new meter
- Meter 13 Total Flows : Counts the number of flows involving the host
Flows per IP protocol
The Network Layer counter group contains meters for IP protocols such as TCP / UDP / GRE/ IPSEC etc. We’ve added two new meters.
- Meter 3 Active Flows : A gauge that measures number of simultaneous flows
- Meter 4 Total Flows : A counter that gives you total flows for UDP/TCP/GRE/ICMP etc