How to test the ETA

Tsunoda
Level 1

Hello all,

 

I set up CTA and ETA with a Catalyst 9300 and Stealthwatch.
How can I confirm that ETA works fine?
I uploaded a large file to a web server which has a self-signed certificate.
But no alarm occurred.
Should I use real malware? If yes, which malware do you recommend?

 

Best regards,

 

2 Replies

alexander05
Level 1

Hi,

Did you use the test from the documentation?

Cognitive Analytics implements malware detection capability within the Encrypted Traffic Analytics (ETA) solution. To verify the ETA solution is set up correctly, CTA can generate ETA test incidents using specific test site domains. To generate these test incidents, browse to one of the following test sites using a host where the HTTPS session is passing through an ETA-enabled switch and router:

- Malware: https://examplemalwaredomain.com

- Botnet: https://examplebotnetdomain.com

- Phishing: https://internetbadguys.com

- TOR detection: Download and install the TOR browser from https://www.torproject.org/projects/torbrowser.html.en. Launch the browser and go to a few websites.

 

brford
Cisco Employee

The easy way to test that basic Encrypted Traffic Analytics is working is to connect a client computer running a web browser using SSL/TLS to a server or website. The Catalyst needs to be inline, preferably connected to the client or the server. The Catalyst should create both NetFlow and ET Analytics data for that connection and export it to the Flow Collector. Once processed, you'll be able to create a Flow Query (Flow Search) using either the client or server IP address as the 'Subject' and then find the connection. If you look through the fields available, you'll find the TLS version and other fields related to the establishment of that SSL/TLS connection. If you make the Subject IP the server's address, you'll be able to see data about all SSL/TLS connections going through that Catalyst (or other ETA-capable device) to the server. We called this the 'Crypto Audit' use case. Try using different browsers or an older version of a browser that may not support TLS 1.2 or 1.3.

Brian Ford | brford@cisco.com | brford@yahoo.com | 51 75 61 6c 69 74 79 20 6d 65 61 6e 73 20 64 6f 69 6e 67 20 69 74 20 72 69 67 68 74 20 77 68 65 6e 20 6e 6f 20 6f 6e 65 20 69 73 20 6c 6f 6f 6b 69 6e 67 2e | Email me when you figure this out.
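
The "Crypto Audit" check from the reply above can be driven from a script instead of several browsers. This is an added example, not part of the thread and not Cisco code: it opens one TLS session per protocol version and records what was negotiated, so each record can be matched against the TLS version field in Flow Search. The server address `192.0.2.10` is a placeholder for your own lab server, and certificate verification is disabled on the assumption that the server uses a self-signed certificate, as in the question.

```python
import socket
import ssl

# TLS versions to offer, one per connection; skipped if the local OpenSSL lacks them.
VERSIONS = [
    ("TLSv1.0", ssl.TLSVersion.TLSv1, ssl.HAS_TLSv1),
    ("TLSv1.1", ssl.TLSVersion.TLSv1_1, ssl.HAS_TLSv1_1),
    ("TLSv1.2", ssl.TLSVersion.TLSv1_2, ssl.HAS_TLSv1_2),
    ("TLSv1.3", ssl.TLSVersion.TLSv1_3, ssl.HAS_TLSv1_3),
]

def pinned_context(version):
    """Client context that offers exactly one TLS version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Assumption: lab server with a self-signed certificate, so verification
    # is switched off. Use this context on a test bench only.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    return ctx

def probe(host, port, label, version, timeout=3.0):
    """Attempt one handshake; return a record to compare with Flow Search."""
    rec = {"offered": label, "negotiated": None, "cipher": None, "error": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            ctx = pinned_context(version)
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                rec["negotiated"] = tls.version()
                rec["cipher"] = tls.cipher()[0]
                # Small request so the flow also carries application data.
                req = "HEAD / HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n" % host
                tls.sendall(req.encode())
                tls.recv(1024)
    except OSError as exc:  # covers ssl.SSLError, refused connections, timeouts
        rec["error"] = f"{type(exc).__name__}: {exc}"
    return rec

def audit(host, port=443):
    """One probe per TLS version the local OpenSSL build supports."""
    return [probe(host, port, label, ver) for label, ver, ok in VERSIONS if ok]

if __name__ == "__main__":
    # Placeholder lab server address; replace with a server behind the Catalyst.
    for rec in audit("192.0.2.10"):
        print(rec)
```

An error on TLS 1.0 or 1.1 can come from the client's own OpenSSL policy rather than from the server; in that case no handshake reached the switch and no flow should be expected for that probe.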