Observer GigaFlow Documentation

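Servers As Dest With Ports

This forensic report lists destination address/port pairs (dstadd, dstport) from the netflow table that received more than 5 flow records from more than 5 distinct source addresses, i.e. endpoints that behave like servers on that port. WHERECLAUSE, ORDERBY, LIMITROW, FIRSTSEEN and MODER are not SQL; they appear to be placeholders that GigaFlow substitutes when the report runs. Note that localports is count(distinct(dstport)) inside a group that is already keyed by dstport, so it is never greater than 1, and the localports<5 (table) and localports<3 (graph) conditions do not exclude any row; the effective thresholds are the session/record count and srccount.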

Table Query: select dstadd ,dstport,srccount,localports,remoteports,sessions,(bytes*8) as bits from (select dstadd as dstadd,dstport,count(distinct(srcadd)) as srccount,count(distinct(dstport)) as localports,count(distinct(srcport)) as remoteports,count(*) as sessions,cast(sum((bytes)) as bigint) as bytes from netflow WHERECLAUSE group by dstadd,dstport ) as a where a.sessions>5 and a.localports<5 and a.srccount>5 group by dstadd,dstport,srccount,sessions,localports,remoteports,bytes ORDERBY LIMITROW
Table Value Field: srccount
Graph Query: select afirstseen ,dstadd ,dstport,srccount as srcsavgsec,localports,bits_avgsec from (select FIRSTSEEN as afirstseen,dstadd as dstadd ,dstport,count(distinct(srcadd)) as srccount,count(distinct(dstport)) as localports,count(distinct(srcport)) as remoteports,count(*) as records,cast(sum((bytes)*8)/(MODER/1000) as bigint) as bits_avgsec from netflow WHERECLAUSE group by afirstseen,dstadd ,dstport) as a where a.records>5 and a.localports<3 and a.srccount>5 group by afirstseen,dstadd ,dstport,srccount,localports,bits_avgsec order by dstadd,afirstseen asc
Graph Time Field: afirstseen
Graph Value Field: srcsavgsec
Graph Key Field(s) separated by __: dstadd__dstport