Technical Library | eSupport
Go to the table of contents Go to the previous page Go to the next page
TRITON RiskVision System Management : Managing RiskVision traffic capture and analysis
Managing RiskVision traffic capture and analysis
52032 | System Management | TRITON RiskVision | 24-Sep-2015
Use the System > Analytics tab in the Local Manager to start and stop traffic capture, test the File Sandboxing connection, and monitor database status for Local Analysis.
Traffic capture
In order for RiskVision to monitor and analyze live traffic in your network, all of the following are required:
1.
An appliance interface must be connected to a span port that has visibility into the network that you want to monitor.
2.
RiskVision must be configured to use the interface connected to the span port to capture traffic (see Configuring network settings for the RiskVision appliance).
3.
The Capture service must be running.
4.
Traffic capture must be enabled.
Enable and disable traffic capture via the Traffic Capture toggle at the top of the Analytics tab. By default, traffic capture is ON.
When the Traffic Capture switch is off:
*
An alert icon is displayed on the System tile in the RiskVision toolbar.
*
Pcap files can still be submitted manually for analysis.
When the Capture service is stopped, the Traffic Capture switch is disabled. In this case, to enable traffic capture:
1.
Start the Capture service from the System > Services tab.
2.
When the Capture service is running, check the Analytics tab to make sure traffic capture has started. If it does not start automatically, switch the toggle to ON.
File sandboxing connection status
Local Analysis flags some files for further analysis by the File Sandboxing cloud service.
*
If Local Analysis determines that a file is malicious, further analysis is not required.
*
If Local Analysis determines that a file has suspicious characteristics, it recommends additional analysis by the File Sandbox service.
*
If Local Analysis does find malicious or suspicious characteristics, but the transaction contains an executable file, it recommends additional analysis by the File Sandbox service.
The RiskVision File Sandbox Processor first sends a file hash to determine whether the File Sandboxing service has already analyzed the file.
*
If the file has already been analyzed, the incident record is updated with a link to the File Sandbox report.
*
If the file has not been analyzed previously, the file is uploaded to the File Sandbox service. When analysis is complete, the incident record is updated with a link to the File Sandbox report.
The connection to the File Sandboxing service is tested automatically every 5 minutes.
To test the connection manually, click Test in the File Sandboxing section of the Connection Status box.
If requests from the Local Manager must go through a proxy to reach the Internet, the File Sandboxing connection will fail until the proxy is configured. See Configure RiskVision proxy settings.
Local analytic status
The analytics that make up RiskVision Local Analysis use databases to help them identify suspicious and malicious traffic.
Use the Local Analytics section of the page to enable or disable automatic database updates for Local Analysis. Automatic database updates are enabled by default, and should remain enabled as a best practice.
The table under the toggle switch shows:
*
Whether or not the analytic is available for use (live)
*
The analytic engine name
*
The analytic engine version
*
The current database version
*
The date and time of the last database update
After installation, Local Analysis may not occur until the analytics have downloaded a database. Use the table to make sure that all of the analytic engines have succeeded in performing a database download.
If the analytics are not running because they have not been able to download a database:
1.
Make sure the appliance interface selected for Local Manager communication has Internet access (see Configuring network settings for the RiskVision appliance).
2.
If Internet communication from the appliance must pass through a proxy, verify that RiskVision has the correct proxy settings (see Configure RiskVision proxy settings).

Go to the table of contents Go to the previous page Go to the next page
TRITON RiskVision System Management : Managing RiskVision traffic capture and analysis
Copyright 2015 Raytheon | Websense. All rights reserved.