Method 1:
The first is simply to configure your QRadar device interface to act as a flow source.
First I will look at my IP configuration to see which interface on the local QRadar device is generating the most traffic. For me this is "ens33", which is the interface attached to my virtual machine: it is the one I SSH in over and the one with internet access.
[securitynik@qradarCE ~]# ifconfig ens33
ens33: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST>  mtu 1500
        inet 192.168.208.137  netmask 255.255.255.0  broadcast 192.168.208.255
        inet6 fe80::20c:29ff:feca:dff1  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:ca:df:f1  txqueuelen 1000  (Ethernet)
        RX packets 6039  bytes 1122388 (1.0 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 6205  bytes 5163411 (4.9 MiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0
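Rather than eyeballing ifconfig on each interface, the interface choice above boils down to "which interface has seen the most bytes". The helper below is an added example, not from the original post: it ranks interfaces from /proc/net/dev (the same counters ifconfig prints), skips loopback since QRadar cannot usefully collect flows there, and accepts an alternate file so it can be checked against a constructed sample.

```shell
#!/bin/sh
# Added example: rank local interfaces by total RX+TX bytes using /proc/net/dev.
# The counters are the same ones ifconfig shows as "RX ... bytes" / "TX ... bytes".
# Usage: busiest_iface [path]   (path defaults to /proc/net/dev; a file argument
# is an assumption made here so the function can be tested against sample data)

busiest_iface() {
    dev_file="${1:-/proc/net/dev}"
    # Skip the two header lines, turn "ens33:1122388" into two fields, then
    # field 2 is rx_bytes and field 10 is tx_bytes on every /proc/net/dev line.
    tail -n +3 "$dev_file" | sed 's/:/ /' \
      | awk '$1 != "lo" { printf "%s %d\n", $1, $2 + $10 }' \
      | sort -k2,2nr
}

# Name of the single busiest non-loopback interface (what you would pick as the
# flow source interface).
top_iface() {
    busiest_iface "$1" | head -n 1 | cut -d' ' -f1
}

# Stand-alone run on a real host prints the ranking for the live kernel counters.
if [ -r /proc/net/dev ]; then
    busiest_iface
fi
```

Run it as root on the QRadar console to see the same ordering you would get from comparing ifconfig output by hand.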
Having identified the interface, let's configure QRadar to listen for flows on this interface.
Now that the flow source is configured, you need to deploy your changes. You can do this from the "Admin" tab or menu item, then select "Deploy Changes". Once the changes have been deployed, connect to your QRadar via SSH and do some admin work to generate traffic on that interface. Then open the QRadar console, go to the "Network Activity" tab, and you should see flow data as shown below. Here is an example of my output.
That's it for method 1.
See this post for method 2.