This repository has been archived by the owner on May 15, 2019. It is now read-only.

Suspicious Proxy

elopezsa edited this page Sep 21, 2016 · 1 revision

Purpose and Audience

This section contains a walk-through of the Suspicious Proxy web page. The intended audience is security analysts responsible for reviewing the results for potential threats.

### Walk-through

1. Open the analyst view for Suspicious Proxy: http://"server-ip":8889/files/ui/proxy/suspicious.html. Select the date that you want to review (defaults to the current date). Your screen should now look like this:

2. The Suspicious frame

Located at the top left of the web page, this frame lists the top 250 suspicious proxy connections from the Machine Learning (ML) output.

  1. Moving the mouse over a suspicious proxy record highlights the entire row and applies a blur effect in the Network View frame that lets you quickly locate the current connection there.
  2. The Shield icon represents the result from any Reputation Service that has been enabled; mouse over it to obtain additional information. The icon changes color depending on the result returned by the Reputation Service.
  3. The List icon. Mousing over this icon presents the web categories provided by the Reputation Service.
  4. Selecting a suspicious proxy record highlights the current row as well as the corresponding node in the Network View frame. In addition, the Details frame is populated with the other communications directed to the same proxy record.

3. The Network View frame

Located at the top right corner, Network View is a hierarchical force graph used to represent the "Suspicious Proxy" connections.

#### Network View Force Graph Order Hierarchy

  • Root Proxy Node
  • Proxy Request Method
  • Proxy Host
  • Proxy Path
  • Client IP Address

#### Network View Functionality

  1. As soon as you move your mouse over a node, a dialog appears with additional information.
  2. The graph can be zoomed in and out and moved within the frame.
  3. Double-clicking the Root Proxy Node fully expands or collapses the graph.
  4. Double-clicking any other node expands or collapses it one level.
  5. The path in yellow represents the suspicious record selected in the Suspicious frame.
  6. Records are highlighted in different colors depending on the risk reputation provided by the Reputation Service.
  7. A secondary (right) mouse click on a Proxy Path or Client IP Address node populates the Filter Box, which then filters both the Suspicious and Network View frames.

4. The Details frame

Located at the bottom right corner of the web page, this frame provides additional information for the connection selected in the Suspicious frame. It includes columns that are not part of the Suspicious frame, such as User Agent, MIME Type, Proxy Server IP, and Bytes.

5. The Notebook frame

This frame contains an initialized Jupyter Notebook. Its main function is to allow the analyst to score proxy records with different values. To assign a risk rating to a specific connection, select the appropriate rating (1 = High risk, 2 = Medium/Potential risk, 3 = Low/Accepted risk) and click the Score button.

#### The Score button

Pressing the Score button finds all exact matches of the selected threat (proxy record) in the proxy_scores.csv file and updates them with the selected rating value. The results are temporarily written to the score_tmp.csv file and copied back to the proxy_scores.csv file at the end of the process.

#### The Save button

Analysts must use the Save button to store the scored records. After you click it, the other frames on the page are refreshed and the connections you have already scored disappear from the Suspicious Proxy page. A shell script is then executed to copy the file with the scored connections to the ML node, at a specific path. The following values are read from the .conf file:

  • LPATH
  • MLNODE
  • LUSER

For this process to work, an SSH key pair must be created so that the node where the UI runs can authenticate to the ML node without a password prompt: the private key stays on the UI node and the public key is installed for the LUSER account on the ML node. To learn how to create and copy the SSH key, refer to the "Configure User Accounts" section.
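The Score and Save steps above, written out as an added example in Python. This is not the project's notebook or shell script; the column layout of proxy_scores.csv, the set of columns that make up an "exact match" of a proxy record, the shell-style `KEY='value'` format of the .conf file, and the function names `score_file`, `read_conf` and `build_copy_command` are all assumptions made for the example, and the CSV and .conf contents are constructed sample data.

```python
import csv
import os
import tempfile

# ASSUMPTION: a simplified column layout built from the columns this page names;
# the real proxy_scores.csv has more columns.
FIELDS = ["date", "time", "clientip", "reqmethod", "host", "uripath",
          "useragent", "mime_type", "serverip", "bytes", "score"]
# ASSUMPTION: the columns that define an "exact match" of a proxy record.
MATCH_FIELDS = ("clientip", "reqmethod", "host", "uripath")
RATINGS = {1: "High risk", 2: "Medium/Potential risk", 3: "Low/Accepted risk"}

# Constructed sample content (not real data). Rows 1 and 2 are the same proxy
# record seen twice; row 3 is a different record and must not be touched.
SAMPLE_CSV = (
    "date,time,clientip,reqmethod,host,uripath,useragent,mime_type,serverip,bytes,score\n"
    "2016-09-21,10:00:01,10.0.0.5,GET,example.net,/update.bin,curl/7.47,application/octet-stream,10.0.0.1,4096,0\n"
    "2016-09-21,10:00:07,10.0.0.5,GET,example.net,/update.bin,curl/7.47,application/octet-stream,10.0.0.1,4096,0\n"
    "2016-09-21,10:01:13,10.0.0.9,POST,example.org,/login,Mozilla/5.0,text/html,10.0.0.1,512,0\n"
)

# Constructed sample of the .conf values the Save script reads
# (ASSUMPTION: shell-style KEY='value' lines, '#' comments).
SAMPLE_CONF = ("# UI -> ML node copy settings\n"
               "LUSER='spot'\nMLNODE='ml-node.example'\nLPATH='/home/spot/ml/proxy'\n")


def score_records(rows, selected, rating):
    """Set the score column on every row that exactly matches `selected`."""
    if rating not in RATINGS:
        raise ValueError("rating must be 1 (High), 2 (Medium) or 3 (Low)")
    updated, hits = [], 0
    for row in rows:
        if all(row[f] == selected[f] for f in MATCH_FIELDS):
            row = dict(row, score=str(rating))
            hits += 1
        updated.append(row)
    return updated, hits


def score_file(scores_path, selected, rating):
    """Score button: write results to score_tmp.csv, then copy back over proxy_scores.csv."""
    tmp_path = os.path.join(os.path.dirname(scores_path), "score_tmp.csv")
    with open(scores_path, newline="") as fh:
        reader = csv.DictReader(fh)
        if reader.fieldnames != FIELDS:           # refuse an unexpected layout
            raise ValueError("unexpected proxy_scores.csv column layout")
        rows, hits = score_records(reader, selected, rating)
    with open(tmp_path, "w", newline="") as fh:
        writer = csv.DictWriter(fh, fieldnames=FIELDS)
        writer.writeheader()
        writer.writerows(rows)
    os.replace(tmp_path, scores_path)             # atomic replace on POSIX; removes the tmp file
    return hits


def read_conf(text):
    """Parse KEY='value' lines from the .conf file, ignoring comments and blanks."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip().strip("'\"")
    return conf


def build_copy_command(conf, local_file, identity_file):
    """Save button: the scp argv that copies the scored file to LUSER@MLNODE:LPATH."""
    missing = [k for k in ("LUSER", "MLNODE", "LPATH") if k not in conf]
    if missing:
        raise KeyError("missing .conf values: " + ", ".join(missing))
    # BatchMode=yes: fail instead of hanging on a password prompt if the key is not installed.
    return ["scp", "-i", identity_file, "-o", "BatchMode=yes",
            "-o", "StrictHostKeyChecking=yes", local_file,
            f"{conf['LUSER']}@{conf['MLNODE']}:{conf['LPATH']}/"]


def demo():
    """Run Score on the sample file, then build the Save copy command."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "proxy_scores.csv")
        with open(path, "w", newline="") as fh:
            fh.write(SAMPLE_CSV)
        selected = {"clientip": "10.0.0.5", "reqmethod": "GET",
                    "host": "example.net", "uripath": "/update.bin"}
        hits = score_file(path, selected, 1)      # rate the record High risk
        tmp_left = os.path.exists(os.path.join(d, "score_tmp.csv"))
        with open(path, newline="") as fh:
            scores = [r["score"] for r in csv.DictReader(fh)]
    cmd = build_copy_command(read_conf(SAMPLE_CONF), "proxy_scores.csv",
                             "/home/spot/.ssh/id_rsa")   # hypothetical key path
    return hits, scores, cmd, tmp_left


if __name__ == "__main__":
    print(demo())
```

The `BatchMode=yes` option is what keeps an unattended Save from hanging when the key has not been installed on the ML node; the script fails with an error the analyst can see instead. If the key on the UI node is used only for this copy, restrict it in the ML node's `authorized_keys` with `from=` and `command=` options so that a compromise of the UI host does not yield a general-purpose shell on the ML node.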

Input files

proxy_scores.csv  
proxy_scores_bu.csv