Snare reports begin life extremely simply. As you add more components, and more complex match settings, Snare will enable greater flexibility, and more configuration options.

Example

The simple configuration dialog shown below scans the "Snare Central / Server Logs" data source, for any events produced over the course of the last 30 days, and displays a 15 minute 'Pattern Map' of the resulting data. A PDF has also been added to the output component list.

Email Header

When scheduling a report with email distribution enabled, the email header at the top of the email body, can be customised if needed. To do so, the "Email header" section at the bottom of the configuration dialog, allows the user to define its own header message for the objective.

The "Email Header" supports some useful MACROS separated by a space that can be used as part of the header:

MACRO	Description
_ORGANISATION_	Organisation Name (as specified in the "Configuration Wizard" in the "Organisation" section).
_TITLE_	Objective Title ("Server Logs" in this example).
_IP_	IP Address
_SERVER_	Server Name.
_DATE_	Current Date (YYYY-MM-DD).
_TIME_	Current Time (HH:MM:SS).
_ISODATE_	Current Time and Date in ISO format.
_SPACE_	A space.

Please note that this header is only visible in email messages and are not part of the report.

Please note that if the subject of the email needs to be customised, this is configured in the "Email Setup" section of

the "Configuration Wizard" in the "Classification Header" subsection.

Example

A more complex objective is introduced below, as an indication of how flexible and comprehensive the Snare Modular objective query and output builder can be. The objective:

Defines search criteria that looks for any events that match:
- Dates between this time last month, and yesterday, non-inclusive.
- Events related to login failures.
- For EITHER the users (DJSMITH, PTTHOMP, SJCOOK, KPWEIP, or LTROMA) OR from any source system starting with the word 'WORKSTATION', followed by a number that starts with 10,11,12,13 or 14.
Defines two additional 'tokens':
- 'DESTUSER' scans the 'STRINGS' field of Windows Security logs, for a target account name, which is pulled out of the event using the following regular expression search:
  - (?:logon to account:| User Name:| Target Account Name:|Account For Which Logon Failed: Security ID: ....... Account Name:) *(.*?)(?: *by:| *Domain:| *Target Account ID:| *Account Domain:)
- 'FAILREASON' also scans the 'STRINGS' field of Windows Security logs, for information on why a login failure occurred, using the following regular expression match:
  - (?:Reason:|User Account ) *(.*?) *(?:Status:|User Name:|Domain:|: *Target Account Name:)
Outputs a standard 15 minute pattern map, using yellow and red to show parts of the day where low or high volumes (respectively) of event data have been discovered.
Outputs a pattern map highlighting occurrences of each destination user account name.
Sets the objective up as a real-time objective, sending the output to the email list defined in the 'Objective Schedule' area of the objective. The title of the email has been configured to be "Failed login on sensitive workstations, or by monitored users".
Outputs a Table of the first 500 results that match the criteria outlined above, 50 results per page, displaying only the fields Date, Time, System, EventID, DestUser, and FailReason. A CSV dump of the table will also be produced.
Outputs a horizontal graph of the top 20 systems that match the search criteria for the objective.
Outputs a line graph of events-per-day that match the search criteria for an objective.

Although the information above, and the image below, are likely to be quite overwhelming when first encountered, this document will explain each section in more detail.

A more complex modular objective configuration dialog

Objective Header

The objective header displays:

The icon that is currently associated with the objective.
The objective title (Failed User Logins), the data source it currently interrogates (Windows Security), and the documentation assigned to the objective.
A modular objective configuration management panel, described below.

Criticality

An objective can be assigned a criticality level by clicking on the green, yellow, orange or red radio buttons.

The initial Snare Central dashboard will highlight generated objectives that fall into each criticality category.

Objective Type

Snare includes a range of 'templates' (often referred to as an 'Objective Type' in the Snare Central user interface) to make the job of a Snare administrator easier when crafting a new objective. These templates are hard-coded in Snare Central, may pre-define custom search criteria for you, will sometimes include custom code to perform tasks, and may be updated and expanded on each release of Snare Central.

A list of the templates included in Snare Central is available in the 'Modular Objective Templates' chapter, but here are some representative samples:

Report whenever a user attempts to access a sensitive file on a Windows file server.
Notify administrators when a particular Solaris user attempts to run a command.
Show modifications to permission flags, for ACF2 accounts.
Show all attempts to gain access to the root account on AIX systems.
Compare the current CISCO PIX or Router configuration to an authorised version.
Display events related to electronic mail delivery, for Gauntlet firewalls.
Search syslog data for attempts to use the 'sudo' or 'su' commands to escalate privileges.
Search IPTables firewall logs for dropped packets that have a source address of a non-routable IP block.
Highlight attempts to port-scan a NetScreen firewall.
Show attempts to change the configuration of a Nortel VPN Router.
Monitor attempts to access RACF resources.
Highlight failed authentication attempts on a SOCKS server.
Display results from the Snort network intrusion detection system.
Report on inappropriate material accessed through the corporate proxy server.
Show out-of-hours login access for Windows systems.

Example

A Windows failed login template, will pre-define a match setting that looks for events that contain an EventID of 529, 530, 531, 532, 533, 534, 535, 536, 537, 539, 644, 681 or 4625 - all of which indicate a failed login event. If Microsoft adds a new failed login event to Windows, a future version of Snare Central will update the windows failed login template so that existing objectives also pick up the new information.

Example

A Windows successful login template, also defines two new modular features: "User Flags", and "Event Threshold". When the "User Flags" module is added to the objective, it allows users to be included or excluded from the final report, based on whether the account is disabled, locked, or has the "Don't expire password" or "Password cannot change" flags set. The objective will derive this information from scans performed by appropriate Snare Agents.

Once the "Objective Type" button is selected, a new dialog will appear in the objective window.

Objective Type - available templates

General objective template categories are displayed in the tree-menu to the left. Once an objective category is selected, a list of available objective types will be displayed in the right-hand section of the dialog. Click on the appropriate 'Select' button to choose a template.

A checkbox is available at the bottom left hand side of the dialog window, which will hide categories for which there is no event data on your Snare Central.

Unlock Objective

Objectives that are based on a pre-defined objective template can be 'unlocked', in order to change the pre-defined match settings, but once they are unlocked, they may no longer include the custom tokens, or custom modular components, and will not have their components upgraded by the InterSect Alliance team with new releases.

Objectives that are 'locked' can still have additional match settings and tokens, added to the mix. Match settings and tokens are explored further below.

Field Settings

The field settings section displays a list of the 'fields' that are available to use in your search criteria, and also as input fields for modular output components.

Snare also allows you to 'break apart' an existing field, and place the resulting sub-string into a field with a new name; this is known as a 'Token'.

Tokens

If a small part of an existing field needs to be captured for further analysis, or reporting reasons, a new token can be defined by clicking on the green 'Add New' button.
A new dialog window will appear, which will allow you to configure your new token.

Defining a new Token

"Field Name" defines the name that you wish to assign to the new field.

"Configure the Field" asks you to select the source field that contains the information you are looking for.

"Search Criteria" asks you to define the regular expression that will be used to pull the substring out of the field content.

A regular expression is a complex, but extremely powerful tool, that will facilitate flexible matching, and extraction of substrings. We will cover regular expressions in more detail below, but in Snare, they take the general form:

Text to match before substring (Substring match) Text to match after substring

So, for example, assume the DETAILS field of an event includes the following string:


Safend Protector File Logging Alter Details: User: george Computer: Machine1234 Client GMT: 8/10/2011 4:13:23 AM Client Local Time: 8/10/2011 3:13:23 PM Server Time: 8/10/2011 4:13:30 AM Group: Policy: policy Device Description: Disk drive Device Info: Kingston DataTraveler 2.0 USB Device Port: USB Device Type: Removable Storage Devices Vendor: 13FE Model: 1D00 Distinct ID: ID001 Details: File Name: file.pdf File Type: pdf File Size: 50945 Created: 8/10/2011 3:13:23 PM Modified: 8/10/2011 2:23:44 PM Action: Write

In order to capture the user (highlighted in bold and red) from the above string, the regular expression would need to look for the word after the "User: " sub-string, that is composed of alphanumeric characters (with the addition of the '@' symbol).

The token required to achieve this looks like:

Field Name: USER
Source Field: STRINGS
Search Criteria: User:\s*([A-Za-z0-9@]+)*

This translates as: look for a "User:" sub-string, then 0 or more white spaces, then anything after that which contains 1 or more letters, numbers, or an @ symbol. This is then a valid token according to our search criteria.

Tokens, once created, are then treated as if they were a normal field, and can be filtered, grouped, sorted, or used as a target field in any modular output component that uses fields (eg: Graphs or Tables). This creates a powerful mechanism to effectively query sub-strings which are contained within a much larger string. Any number of tokens can be created which allows for a variety of choices when querying strings within strings.

A regular expression tester is also available, which can assist you with the process of creating a token; it can be accessed by clicking the 'Regular expression tester' link near the base of the token definition dialog.

Testing a regular expression match

If the expression you are using has a match somewhere in the sample log entry, it will be highlighted in yellow. Red text indicates the area of the sample that exactly matches your token expression, and a section highlighted in green shows the actual substring that will be pulled out by the token.

Once you are happy that the regular expression meets your requirements, you can copy the expression back to your token with a click of a button, rather than copying/pasting the information from the dialog.

Example

Regular expression samples:

from=<([^>]+)
- search for the word 'from' followed by an equal sign, and a less than symbol. Retrieve any characters after that, until you encounter a greater-than symbol (>)
- from=<john@somewhere.com>
Account Name: (.*?)(?:New Account|New Domain|Target Domain|Account|Domain|Caller)
- Retrieve any text between the strings "Account Name: " and one of either " New Account", " New Domain", " Target Domain", " Account", " Domain" or " Caller"
- Account Name: DNI\UserLP Target Domain: DNI
open(([^)]+))
- Search for the string "open(", and retrieve any characters after that until you encounter a close bracket.
- open(O_RDONLY|O_RDWR)
^.............(..........)
- Ignore the first 13 characters of this field, and retrieve the next 10.
- INFORMATION: SUCCESS USER: JABLOGGS
^.{12}(.{9})
- Same as the above example, but using the regular expression 'repeat' function: Ignore the first 13 characters of this field, and retrieve the next 10.
- INFORMATION: SUCCESS USER: JABLOGGS
^.{12}([a-zA-Z0-9]{9})
- Same as the above example, but cuts out the extra spaces after "SUCCESS", by limiting the valid retrieved characters to alphanumerics only.
- INFORMATION: SUCCESS USER: JABLOGGS

Tokens that you have created, or can modify, are highlighted in green. Tokens that are part of an underlying objective template, and are therefore locked, will be highlighted in red.

Configure Match Settings

Snare's query builder is a flexible tool that allows you to create very complex search criteria, incorporating precedence, logical operations, and advanced matching capabilities.

Show Current Query

Although Snare does not utilise a database back-end for data storage, queries created with the Snare query builder are translated into SQL syntax, and passed through a translation layer.

Selecting the '[Show Current Query]' link in the title panel, will pop up a new dialog that displays the SQL query that would be run against the Snare datastore, based on your current match settings.

Adding a New Match

Selecting the 'Add New Match' button will append a new row to your existing match settings. By default, the new row will use 'Date' as the target field, ">" as the comparison operator, and the input field will be initially blank.

Match Row Components

Drag and Drop grab bar

Each match row can be moved up or down, and positioned before or after other match criteria. Click and hold the grab bar, and drag the match row, to rearrange. Snare evaluates matches from top to bottom.

Field to use

Select the field to use for your search criteria, by clicking on this button. A drop-down menu will appear, that will detail the fields that you can choose from.

Snare breaks up event logs into a series of fields for you, when the event arrives at Snare Central. As described in the section on 'Tokens' above, you can also choose to create meta-fields that represent a predictable portion of a larger field. These tokens will appear in the drop-down menu after you create them.

Comparison operator

The comparison operators available for selection depend on the field you have chosen. Numeric, date, and time values will have the following comparison operators available:

Equals (=)
Greater than (>)
Less than (<)
Greater than or equal to (>=)
Less than or equal to (<=)
Not equal to (!=)
Includes
- You may include several comma-separated values in the input field - eg: 1,2,3,7,9
Excludes
- You may include several comma-separated values in the input field - eg: 1,2,3,7,9

String values will have the following comparison operators available:

Equals (=)
Not equal to (!=)
Contains
- This will search for a simple case insensitive substring
Like
- Implements a SQL LIKE operator. LIKE uses the 'percent' sign for wildcards - so for example, a search for "%login%failed%" will match the string "attempted login for user 'fred' failed at 17:23:01"
Regexp
- Implements a RE2-compatible regular expression search. As highlighted above, regular expressions are complex, but extremely powerful and flexible string search functions.
  - Tip: Snare co-opts the "start of string" and "end of string" characters ("^" and "$" respectively) to refer to the start of the contents of the field you are currently operating on, and the end of the field, rather than referencing the entire line.
Not Regexp
- Excludes all fields that match the supplied regular expression.
Includes
- You may include several comma-separated values in the input field - eg: fred,jim,tony
Excludes
- You may include several comma-separated values in the input field - eg: fred,jim,tony

Input field

A flexible input field that allows you to specify search criteria based on your field and comparison operator.

Note that Snare also allows you to compare two fields, rather than entering an actual value here. If, for example, you had two username fields (USERNAME, and TARGETUSER) in your data source, and you wished to return events in the query where the two were not equal, you could:

Set USERNAME as your 'Field to Use'
Set != as your 'Comparison Operator'
Enter TARGETUSER in the Input field, surrounded by two '@' characters:
- @TARGETUSER@

These two '@' symbols, indicate to Snare that the contents of the input field refers to a "Field to use" as highlighted above, rather than a static comparison value. The '@' symbols will be removed, and processed by Snare. Tokens are supported, and the following comparison operations are valid:

Some fields allow you to specify indirect values. The 'Date' field, for example, generally takes arguments of the format "YYYY-MM-DD", but values such as the following are also valid, and will be reinterpreted each time the objective runs:

last week
next thursday
-7 weeks
first day of next month
last day of april 2012
first day of last month
3rd april this year + 20 days

The 'Time' field generally prefers times in the format "HH:MM:DD", however it also accepts standard integer values. A number in the 'Time' field will be interpreted as "Now minus 'x' minutes", where 'x' is the value you entered, and 'Now' is the time at which the objective runs. For example:

TIME >= 120
- This will be interpreted by Snare as: "TIME is greater or equal to NOW minus 120 minutes".
- If the objective runs at 10:05am, Snare will calculate the value to be 08:05:00
- The match term will then be extrapolated to "TIME IS greater or equal to 08:05:00"
Note that TIME >= 120, does NOT NECESSARILY equate to "in the last two hours". Since Snare extrapolates the value to TIME >= 08:05:00, then if you have set your objective to report on data from the last 30 days, it will mean your objective will display data from ANY DAY that matches your other match terms, between 08:05:00 and 23:59:59. Data between 00:00:00 and 08:04:59 will not be displayed by the objective. If you specifically need to ONLY show data within the last two hours, you would need to add a second match term: DATE = today, or alternatively, set your "Maximum Days to Search" slider to "1 day".

Note also that the logical sign direction is somewhat counter-intuitive if you do not understand how Snare Central extrapolates the time value. It could be argued that "<= 120 (minutes)" would be better syntax for "in the last two hours"; however, that would assume that a value in the time field also automatically controls the date field; this is not the case. Please be cautious with your logical sign direction.

Contextual selection button

This button appears for some fields, and provides you with the ability to quickly select either:

A range of values that have been captured from the last 30 days' worth of log data, or
A range of common, or recommended, values.

Selecting multiple values will generally turn on the 'INCLUDES' comparison operator, if you have not already selected 'INCLUDES' or 'EXCLUDES'.

Examples of dialogs generated as a result of selecting the contextual selection button

Match row indentation

The Snare Central query builder is able to implement explicit operation precedence for your match terms, by using indentation of match and logic rows. In this way, groups of match terms can be joined using a variety of logical operations such as AND and OR.

If you are familiar with the use of brackets in mathematical operations, an increase in indentation is analogous to opening a bracket. A decrease of indentation is analogous to closing a bracket.

Many queries do not require row indentation. For example, if we were trying to implement a simple 'outside of work hours' query, we would want to look for events that occur outside of 9am to 5pm (for example), or that occur on a weekend.

If we were writing this in mathematical, or SQL-like notation, we would use the following:

IF TIME < '09:00:00' OR TIME > '17:00:00' OR DATE = 'saturday' OR DATE = 'sunday'

In the Snare Central query builder, it would look like this:

However, if we wanted to ONLY report on out-of-hours events that are tagged with the username "Fred", then we would need to do something a little more complex, and add in operational precedence / brackets. Our new string would look like this:

IF USERNAME = "Fred" AND (TIME < '09:00:00' OR TIME > '17:00:00' OR DATE = 'saturday' OR DATE = 'sunday')

Note the addition of the AND, and the brackets. This would mean that both the date/time component AND the UserName component had to be matched, for an event to be reported. If an event occurred on a weekend, but it was not for the user Fred, it would not meet the criteria we specified.

Recall that increasing our indentation factor for a particular row, is equivalent to opening a bracket. In this case, we would need to add the 'UserName = Fred' match row at the top of the match rows, and then increase the indentation of every row after the logic element associated with the UserName match:

In effect, because all of the rows with the same indentation (as indicated by the number of exposed arrows to the left of the row) are 'grouped', they are enclosed within the same bracket group, as illustrated by the following image.

By utilising the indentation of match and logic rows, complex logical precedence operations can be designed.

It is sometimes easy to overlook an un-indented logic row. Remember that an increase, or decrease in indentation for both match AND logic rows, will affect your bracket placement.

The 'decrease row indentation' arrow will be enabled (green) or disabled (grey) depending on the current row indentation, and whether it is possible to decrease the indentation of the row any more.

Remove match and logic row

Removes the current match row, and the associated logic row, from the Snare query builder. Snare will ask you for confirmation that you wish to remove the row, and then remove the appropriate match from the configuration settings.

Logical operators

Choose from "AND", "OR", or "NOT" (which translates to "AND NOT").

Output and Configuration Component

Output and configuration components can be dragged from the top half of this section, into the bottom half, titled "Drop Components Here to add them to the objective output". This will result in either:

A new output component being added to the report (for example, a line graph, or a table of log data), or
Additional configuration settings displayed, that can be applied to the objective (for example, adding the option to only display users who have an expired account, on the Windows domain).

The number, and type of output components, depends significantly on the data source that is being interrogated.

Example

Objectives that scan firewall or router related event log data may include a 'geolocation map' that attempts to draw a line from the approximate geographic location of a source IP address, to destination IP addresses, on a map of the world.
Objectives that scan proxy log data may include special output components that measure bandwidth by target site or user.
UNIX systems that use the concept of a 'home directory' may make a special output component available that highlights attempts by users other than the owner, to access a home directory.
Objectives focused on network intrusion detection system log data may introduce a 'target port map' output component, that can visually map attempts to port scan a corporate network.

Most components, when added to the objective, will also create a 'configuration panel' that allows you to control the output of each component. A '15 minute pattern map', for example, will provide the option of using a standard linear colour scale for the output, an exponential colour scale that highlights different ranges of data, or even a visual map of a particular target output field. Some of the more common output components are highlighted below.

Some components, when dragged to the drop area, will reveal a second version of the same component in the drag section (eg: Pattern Map, and Pattern Map 2). As such, an objective can have two copies of many components, with slightly different configuration settings applied to each.

Pattern Map

The 15 minute pattern map provides a visual overview of event log data, displaying an indication of the volume, or contents of each separate 15 minute segment within the reporting period, as a colour selected from an appropriate area of graduated scale.

The pattern map can be configured to use a standard scale, an exponential scale, or to map the contents of a particular field. Exponential mode can highlight particular patterns that are difficult to see in the standard colour mode.

15 minute pattern map - standard configuration 15 minute pattern map - showing the contents of the 'Username' field

Each element of the pattern map can be clicked on, with your left mouse button, to search for the data that comprises that particular 15 minute segment. A new dialog will appear in the objective panel that shows the underlying data. The data can be sorted by clicking on a column header.

Sorting on 'Date' will sort on both Date and Time. Selecting 'Time' will only sort on the Time column.

Selecting a 15 minute segment - firewall log data

Clicking on a date, to the left of the pattern map, will attempt to generate a table listing all events for that particular day, that match the objective search criteria.

For high volume sites, this process may take a long time to complete.

Table

To include a dump of event data that matches the search criteria specified for an objective, the 'Tabular Details' modular component can be dragged into the inclusion list.

Fields that should be included within the table output can be dragged from the top half of this section, into the panel titled "Include these fields in the table output".

When a field is dragged into the inclusion list, ascending and descending sort buttons will appear next to the field. Sort criteria is evaluated left to right. Fields can be reordered within the inclusion list in order to modify the sort output. The order of the fields in the inclusion list, will also define the order that they appear in the tabular output component.

Table output for a firewall-related objective

By default, the table will display a subset of the data that matches the objective search criteria. The default settings are 500 rows, at 50 rows per page.

The table width will be set to the size of your browser window, minus a small space around the border of the table. For small screens, this can mean that long lines 'squash up' into very narrow columns, and you see very few lines per page.

You can make your entire table bigger by scrolling up to the top-right corner of the table, grabbing the very top-right edge (click and hold your left mouse button), and dragging your mouse off to the right hand side, beyond the boundaries of your page (ie: to the right hand limit of your browser window, or beyond). This will increase the size of the table beyond the visible area of your browser window, and a new scroll-bar will appear at the bottom of your browser window. You can then rearrange the width of each column as appropriate, and each line will take up less vertical screen real-estate.

Results can be 'grouped' to produce a tally of events that contain common field values. In order to activate this, choose the fields that should participate in the 'group', and add them to the table field inclusion list. Select the checkbox next to "Produce a total of the unique values for the included fields", in the "Summary Information" section of the table configuration component. You may also choose to sort by the total unique values column, and potentially rename the column from the default "TOTAL" to something that better represents your data.

For example, based on the table output screenshot above, if you wanted to analyse the most common destination ports by date, you could add fields 'Date', 'Proto', 'Action' and 'DstPort' to the field inclusion list.

Grouping Table data

After the objective regenerates, your table displays a new column, which shows how many events share the same Date, Protocol, Action and Destination port, out of all events that match the search criteria specified in the objective.

Grouping values in the table output component

Fields that are numeric, or tokens that are derived from a numeric field, will also be included as an option under the 'Produce a SUM of the values of the following integer field'. This feature is useful in situations where you wish to know information like:

Who are the top 10 users of bandwidth, through our corporate proxy server or firewall? (ie: Produce a sum of 'Bytes' per-user or per-IP)

SUMMED column values will respect the sort criteria you have attached to the original field. If you ask Snare to produce a SUM of the 'Bytes' field, for example, and have chosen to sort Bytes in descending order, the SUMMED values will be sorted in descending order.

CSV (Tab delimited) and text dumps of the table data can also be produced. These will be available as an attachment to the objective.

Horizontal Graph

Horizontal graphs can be created by adding this element to your modular inclusion list. Select a field to use as a basis for the graph by choosing an option under "Produce a horizontal graph of the total event count for this element".

The number of graph 'rows' to be included can be defined, and you can also sort the graph by either the total count (descending), or by the actual field value (alphanumerically).

Pie Graph

Pie graphs can be created by adding this element to your modular inclusion list. Select a field to use as a basis for the graph by choosing an option under "Produce a pie graph of the total event count for this element".

You can specify the preferred number of segments to be shown in the pie graph. If these segments do not represent 100% of the returned results, an additional 'Other' segments will be displayed on the pie graph.

Line Graph

A line graph of total events can be created by adding this element to your modular inclusion list. You may specify that events should be graphed by Day, Week, Month or Year.

PDF Output

To include a PDF of the objective output, add this component to the modular objective inclusion list. The PDF will be available from the 'Attachments' button in the top panel, and will be included with any electronic mail messages that are sent as a result of this objective being regenerated.

Annotations

To make objective annotations add this component to the modular objective inclusion list. Once the objective is regenerated, the annotations form is available for editing. By default this content does not go out to end-users in email or when a PDF report is generated, however this can be changed by ticking the associated checkbox in the Annotations configuration.

Real-time Alert

Activating real-time alerts for any objective activates a module in the collection subsystem, that scans incoming data for events that match your query terms. Real-time alerts can be sent out via email.

Activating real-time alerts will significantly reduce your maximum potential event collection speeds. Each additional real-time alert that is activated, will also increase the amount of processing that your server needs to do, per-event, and will slightly decrease your maximum potential event collection speed.

Destination Port Map

This output component appears for data sources that include a destination IP address, and destination port - such as firewalls, or network intrusion detection systems.
The destination port map shows destination ports hit during the period specified in the objective match settings, as a clickable exponentially-scaled dot-map. Areas of higher activity are represented as colours towards the top end of the colour spectrum.

Port map showing web server activity, netbios (windows file share), and mail/DNS. A small high-port port-scan is also visible just after 4am

Geolocation Map

This output component draws lines that represent the country of origin for source and destination IP addresses, for firewall/NIDS related data sources.

Random Image Selection

For proxy-server related objectives, a random selection of images can be displayed to provide a general overview of image-related browsing habits.

Bandwidth by User / Site

For proxy-server related objectives, the top sites by bandwidth, and/or top authenticated users by bandwidth utilisation can be displayed.

Browser not supported