Friday, November 2, 2018

Obtaining packets/flows for your IBM QRadar - The easy way

In this previous post, I focused on replaying logs in your QRadar lab environment. However, I never took the time to show the same for how you may be able to replay packets/flows. Whereas getting sample events into your QRadar (I believe) is relatively easy, I don't believe the same can be said for packets and flows. However, there are still two quick ways I can think about to get network packet/flows into QRadar. Both of those will be addressed. However, each method will be in its own post.

Method 1:
The first is simply to configure your QRadar device interface to act as a flow source.

First I will look at my IP configuration, to see which interface on the local QRadar device is generating the most traffic. For me this is "ens33". This is also because this is the interface connected on my virtual machine and to which I'm doing SSH and which can access the internet.

[securitynik@qradarCE ~]# ifconfig ens33
ens33: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST>  mtu 1500
        inet 192.168.208.137  netmask 255.255.255.0  broadcast 192.168.208.255
        inet6 fe80::20c:29ff:feca:dff1  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:ca:df:f1  txqueuelen 1000  (Ethernet)
        RX packets 6039  bytes 1122388 (1.0 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 6205  bytes 5163411 (4.9 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0


Having identified the interface, let's configure QRadar to listen for flows on this interface.



















Now that we have the flow source configured, you need to deploy your changes. You can do this from the "Admin" tab or menu item, then select "Deploy Changes". Once the changes have been deployed, connect to your QRadar via SSH and do some admin work. Then connect to QRadar, go to your "Network Activity" tab and you should see some data as shown below. Here is an example of my output.
















That's it for method 1.

See this post for method 2.

1 comment:

  1. This comment has been removed by a blog administrator.

    ReplyDelete