09-25-2018 03:36 AM
Hello all,
I set up CTA and ETA with Catalyst9300 and Stealthwatch.
How can I confirm that ETA works fine?
I uploaded a large file to the web server, which has a self-signed certificate.
But no alarm occurred.
Should I use real malware? If yes, which malware do you recommend?
Best regards,
10-02-2018 08:03 AM
Hi,
Did you use the test from the documentation?
Cognitive Analytics implements malware detection capability within the Encrypted Traffic Analytics (ETA) solution. To verify the ETA solution is set up correctly, CTA can generate ETA test incidents using specific test site domains. To generate these test incidents, browse to one of the following test sites using a host where the HTTPS session is passing through an ETA enabled switch and router:
- Malware: https://examplemalwaredomain.com
- Botnet: https://examplebotnetdomain.com
- Phishing: https://internetbadguys.com
- TOR detection: Download and install the TOR browser from https://www.torproject.org/projects/torbrowser.html.en. Launch the browser and go to a few websites.
10-24-2018 10:49 AM
The easy way to test that basic Encrypted Traffic Analytics is working is to connect a client computer running a web browser using SSL/TLS to a server or website. The Catalyst needs to be inline, preferably connected to the client or the server. The Catalyst should create both NetFlow and ET Analytics data for that connection and export it to the Flow Collector. Once processed, you'll be able to create a Flow Query (Flow Search) using either the client or server IP address as the 'Subject' and then find the connection. If you look through the fields available, you'll find the TLS version and other fields related to the establishment of that SSL/TLS connection. If you make the Subject IP the server's address, you'll be able to see data about all SSL/TLS connections going through that Catalyst (or other ETA capable device) to the server. We called this the 'Crypto Audit' use case. Try using different browsers or an older version of a browser that may not support TLS 1.2 or 1.3.
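The 'Crypto Audit' check described in the last reply can be run over an exported Flow Search result, as in this added example (not part of the thread and not Cisco code). The CSV column names and the sample rows are assumptions constructed for illustration; adjust them to match the actual export.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample of an exported Flow Search result. The column names are
# assumptions for this example, not the product's actual export schema.
SAMPLE_EXPORT = """client_ip,server_ip,server_port,tls_version
10.0.0.11,192.0.2.10,443,TLS 1.2
10.0.0.12,192.0.2.10,443,TLS 1.0
10.0.0.11,192.0.2.10,443,TLS 1.3
10.0.0.13,192.0.2.20,443,
10.0.0.13,192.0.2.20,443,TLS 1.2
10.0.0.14,192.0.2.30,8443,TLS 1.1
"""

LEGACY = {"SSL 3.0", "TLS 1.0", "TLS 1.1"}  # anything older than TLS 1.2


def crypto_audit(export_text):
    """Summarise TLS versions per server and how many flows carry ETA data."""
    per_server = defaultdict(Counter)
    total = missing = 0
    for row in csv.DictReader(io.StringIO(export_text)):
        total += 1
        version = (row.get("tls_version") or "").strip()
        if not version:
            # Flow was exported, but the TLS field is empty: no ETA data for it.
            missing += 1
            continue
        per_server[row["server_ip"]][version] += 1
    # Servers that negotiated at least one pre-TLS 1.2 session.
    legacy = {s: sorted(set(c) & LEGACY) for s, c in per_server.items()
              if set(c) & LEGACY}
    coverage = (total - missing) / total if total else 0.0
    return {"per_server": {s: dict(c) for s, c in per_server.items()},
            "legacy": legacy, "coverage": coverage}


if __name__ == "__main__":
    result = crypto_audit(SAMPLE_EXPORT)
    print(f"Flows with TLS fields populated: {result['coverage']:.0%}")
    for server, versions in result["per_server"].items():
        print(server, versions)
    for server, old in result["legacy"].items():
        print(f"legacy TLS seen on {server}: {', '.join(old)}")
```

A coverage value near zero for flows that crossed the Catalyst suggests the ET Analytics records are not reaching the Flow Collector, which is the first thing to rule out before expecting any alarm.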