
Servers As Src With Ports

Table Query: /* Servers-as-source table: one row per (srcadd, srcport) with the number of distinct destination hosts, distinct local and remote ports, session count and total traffic in bits. The inner query aggregates netflow rows per (srcadd, srcport); the outer filter keeps sources with more than 5 sessions to more than 5 distinct destinations. WHERECLAUSE, ORDERBY and LIMITROW are placeholders substituted by the report engine, not SQL; NOTE(review): presumably they are built from the report's own filter settings, and that substitution should be the only place untrusted input can reach this statement. NOTE(review): count(distinct(srcport)) is evaluated inside a group that is already keyed on srcport, so localports can only be 0 or 1 and the a.localports<5 test never excludes a row; confirm whether the inner GROUP BY was meant to be on srcadd alone. The outer GROUP BY names every selected column (bits derives from bytes), so it only re-deduplicates rows the inner GROUP BY already made unique. */ select srcadd ,srcport,dstcount,localports,remoteports,sessions,(bytes*8) as bits from (select srcadd as srcadd,srcport,count(distinct(dstadd)) as dstcount,count(distinct(srcport)) as localports,count(distinct(dstport)) as remoteports,count(*) as sessions,cast(sum((bytes)) as bigint) as bytes from netflow WHERECLAUSE group by srcadd,srcport ) as a where a.sessions>5 and a.localports<5 and a.dstcount>5 group by srcadd,srcport,dstcount,sessions,localports,remoteports,bytes ORDERBY LIMITROW
Table Value Field: dstcount
Graph Query: /* Time-series form of the same report: one row per (FIRSTSEEN bucket, srcadd, srcport), ordered by source address then time. dstsavgsec is just dstcount renamed (a distinct count of destination addresses in the bucket, not a per-second average), so the graph's value field plots destination fan-out over time. bits_avgsec divides the bucket's total bits by MODER/1000; NOTE(review): MODER is an engine placeholder and the name suggests a bucket width in milliseconds, giving bits per second, but that is inferred from the alias, confirm against the engine. WHERECLAUSE is likewise substituted by the report engine; NOTE(review): presumably from validated filter settings only. NOTE(review): the inner query groups by the select alias afirstseen, which only some engines accept; and as in the table query, count(distinct(srcport)) inside a group keyed on srcport is always 0 or 1, so a.localports<3 never excludes a row. remoteports is computed in the inner query but not selected by the outer one. */ select afirstseen ,srcadd ,srcport,dstcount as dstsavgsec,localports,bits_avgsec from (select FIRSTSEEN as afirstseen,srcadd as srcadd ,srcport,count(distinct(dstadd)) as dstcount,count(distinct(srcport)) as localports,count(distinct(dstport)) as remoteports,count(*) as records,cast(sum((bytes)*8)/(MODER/1000) as bigint) as bits_avgsec from netflow WHERECLAUSE group by afirstseen,srcadd ,srcport) as a where a.records>5 and a.localports<3 and a.dstcount>5 group by afirstseen,srcadd ,srcport,dstcount,localports,bits_avgsec order by srcadd,afirstseen asc
Graph Time Field: afirstseen
Graph Value Field: dstsavgsec
Graph Key Field(s) separated by __: srcadd__srcport