Barac interface user guide
- In the “Attack Map” section, you can see the distribution and the number of attacks coming from different countries in the last 7 days.
- In the “Traffic Flow” section, you can see the most frequent IPs exchanging data in your network in the last 7 days.
- In the “Radar” section, you can see a graph illustrating the count of different SSL attacks on your network in the last 7 days.
Blacklisted IP detection:
- In the “Blacklisted IPs” section, you can see the top 7 blacklisted IPs detected in the last 7 days.
- In the “Collector status” section, you can check the status of the collector: the “Green” colour indicates that the collector is working correctly and is connected, whereas the “Red” colour indicates that the collector is not connected to the ETV platform. If you need to contact us, please do so at firstname.lastname@example.org
Beaconing & certificate attacks:
- In the “Beaconing & Certificate Attacks” section, you can see the count of Beaconing incidents detected under “Beaconing” and the connections detected using malicious certificates under “Certificate Attacks” in the last 7 days.
Unique IP address:
- In the “Unique IP Address” section there is an overview of the amount of traffic in the last 7 days: the first number, under “Unique IP Address”, is the number of distinct source IPs detected using TLS; the second number, under “Number of Sessions”, is the number of sessions initiated from inside or outside the network; the last number, under “Amount of Data”, is the data scanned by the collector in bytes.
Attacks over time:
- In the “Attacks Over Time” section, you can see the number of ‘Attacks’ and the ‘Total Encrypted Sessions’ in the last 7 days.
Amount of traffic:
- In the “Amount of Traffic” section, you can see the amount of ‘Inbound’ and ‘Outbound’ connections over TLS in the last 7 days, in bytes.
- In the “TLS version” section, you can see the number of different versions of TLS captured by the collector. When you click on the TLS version you can see more details in the table below.
- In this table, you can see all IPs related to the TLS version selected above, with their total connections and percentage.
- In this section, you can choose the page you want to go to, set the number of rows shown per page, and navigate between pages using the ‘previous’ and ‘next’ buttons.
- In the “Severity” section, you can see the list of incidents classified by severity.
- In the “Heat Map” section, you can see the number of attacks each hour in the last 7 days.
- In the “Connection Table” section, you can choose the time segment that you want to investigate. Each attack is detailed in the table. When you click on an incident you can see, on the right, all the connections related to that attack.
- In the “Connection Graph” section, you can see all the details related to the incident by clicking on the specific node.
- On this page, you can see the status of the collector and the company ID used by the collector.
- In the “IP Configuration” section you can add the Internal IPs you want to whitelist.
- You can add a TXT file containing a list of IPs separated by commas using the ‘Browse’ button, then click on ‘ADD’ to add them to the whitelisted IPs.
- In this map you can see the flow of attacks, followed by the source and destination information of the attack.
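The whitelist upload described above takes a TXT file of comma-separated IPs. The following added example (not part of the Barac product) validates such a file before it is uploaded: it rejects malformed entries, flags public addresses that should not be listed as internal, and de-duplicates, so the ‘ADD’ step only receives what was intended. Thresholds and the sample file content are constructed for the example.

```python
import ipaddress

# Constructed sample of the comma-separated TXT file the guide describes
# (not real data): includes a CIDR range, a public IP, a malformed entry
# and a duplicate.
SAMPLE_TXT = "10.0.0.5, 10.0.0.6,192.168.1.0/24 ,172.16.5.9, 8.8.8.8, 10.0.0.999, 10.0.0.5"


def parse_whitelist(text):
    """Split a comma-separated IP list and return (accepted, rejected).

    accepted: de-duplicated private addresses/networks, as strings, in the
              order first seen (single hosts without a /32 suffix).
    rejected: (token, reason) pairs that should not be whitelisted as
              'Internal IPs' without a second look.
    """
    accepted, rejected, seen = [], [], set()
    for token in text.split(","):
        token = token.strip()
        if not token:
            continue  # tolerate trailing commas / blank entries
        try:
            entry = ipaddress.ip_network(token, strict=False)
        except ValueError:
            rejected.append((token, "not a valid IP address or CIDR"))
            continue
        if not entry.is_private:
            # Whitelisting a public address would silence detections for
            # traffic that is not internal at all.
            rejected.append((token, "public address, not internal"))
            continue
        key = (str(entry.network_address)
               if entry.prefixlen == entry.max_prefixlen else str(entry))
        if key in seen:
            continue
        seen.add(key)
        accepted.append(key)
    return accepted, rejected


def to_upload_txt(accepted):
    """Re-serialise the cleaned list in the comma-separated upload format."""
    return ",".join(accepted)


if __name__ == "__main__":
    ok, bad = parse_whitelist(SAMPLE_TXT)
    print("upload:", to_upload_txt(ok))
    for token, reason in bad:
        print("rejected:", token, "->", reason)
```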
- In the “Total Certificates” section, you can see the number of certificates used during all TLS connections, both expired and valid, for the last 7 days.
- In the “Certificates’ Flow” section, you can see the number of Inbound/Outbound certificate flows in the last 7 days.
Distribution by authority
- In the “Distribution by Authority” section, you can see the percentage of certificates issued by most known authorities.
- In the “Top Countries” section, you can see the countries with the highest number of issued certificates.
- In the “Blacklisted” section, you can see the top occurrences of blacklisted certificates in your network for the last 7 days, where each certificate is tagged by its SHA-1 hash.
- In the “Certificates’ Status” section, you can see all instances of ‘Expired’ and ‘Expiring Soon’ certificates within the last week for inbound and outbound traffic.
- On this graph, you can see the number of similarities detected in the last 7 days; those similarities are classified from Normal to Dangerous.
Navigation, Zoom in/out, Menu bar
- By using these buttons, you can modify the output to have more details.
- In this table, you can choose to display the output based on the Destination IP or DNS. The output is classified by severity. You can investigate further by clicking on the incident itself.
- On this page you can investigate all the attacks related to either the source IP, the destination IP or both; you can also see full details ordered in a timeline.
- In this field, you can search through all traffic captured by the collector using IP, Certificate hash or Domain name.
- In the “Filter” section, you can filter the traffic using the filters listed below.
- In this section, you can choose the week that you would like to investigate.
- On this “Graph” you can see the number of incidents related to the selected filter; the output is based on the selected date.
- On this table you can see the output based on the chosen filters. You can sort the output by clicking on the headers of the table. For more details, click on a row to expand it.
- will show you the malicious SSL/TLS fingerprints detected.
- will show the count of self-signed certificates detected.
- will show the malicious DNS detected by the Barac platform, based on AI models.
- will verify the integrity of the DNS name against the certificate used during that connection.
- will show the newest created certificates, i.e. those issued and used within a short period of time. Such behaviour requires investigation, as there is a high possibility that the certificate is malicious.
- will show the count of blacklisted IPs detected.
- will show the malicious certificates used during TLS connections.
- will verify the chain of certificates, whether benign or not.
- will show the total time for which the certificate remains active. If the TTL_CERT of the certificate is less than one week, there is a high possibility that the connection is malicious.
- will show the status of the cipher suites used during the connections.
- will show the TOR connections detected over TLS.
- will show a list of all expired certificates.
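The three certificate-timing filters above (newest created certificates, TTL_CERT, expired certificates) rest on the same validity-window arithmetic. The following added example (not Barac code) shows how those checks can be applied to observed certificates: the one-week TTL_CERT threshold comes from the guide, while the 24-hour window for “issued and used within a short period” is an assumed value, since the page does not quantify it. The observations are constructed sample data.

```python
from datetime import datetime, timedelta, timezone

# One week comes from the guide; 24 hours is an ASSUMED value for the
# "short period" between issuance and first use, which the page leaves open.
SHORT_TTL = timedelta(days=7)
SHORT_ISSUE_TO_USE = timedelta(hours=24)


def ttl_cert(not_before, not_after):
    """Total validity period of a certificate (TTL_CERT in the guide)."""
    return not_after - not_before


def assess_certificate(not_before, not_after, first_seen):
    """Return the reasons this certificate deserves investigation (empty if none).

    not_before / not_after: validity bounds from the certificate (tz-aware)
    first_seen: when the collector first saw the certificate in a TLS session
    """
    reasons = []
    if ttl_cert(not_before, not_after) < SHORT_TTL:
        reasons.append("TTL_CERT shorter than one week")
    if first_seen < not_before:
        reasons.append("used before its notBefore date")
    elif first_seen - not_before < SHORT_ISSUE_TO_USE:
        reasons.append("issued and used within a short period")
    if first_seen > not_after:
        reasons.append("expired at time of use")
    return reasons


def ts(y, m, d, h=0):
    """Helper: build a UTC timestamp for the constructed observations."""
    return datetime(y, m, d, h, tzinfo=timezone.utc)


# Constructed observations (not real data): label, notBefore, notAfter, first_seen
OBSERVATIONS = [
    ("web-ok", ts(2023, 1, 1), ts(2024, 1, 1), ts(2023, 6, 1)),
    ("fresh", ts(2023, 6, 1), ts(2024, 6, 1), ts(2023, 6, 1, 3)),
    ("short-lived", ts(2023, 6, 1), ts(2023, 6, 4), ts(2023, 6, 3)),
    ("expired", ts(2022, 1, 1), ts(2023, 1, 1), ts(2023, 6, 1)),
]


def triage(observations):
    """Map each label to its list of findings, as the filters would surface them."""
    return {label: assess_certificate(nb, na, fs) for label, nb, na, fs in observations}


if __name__ == "__main__":
    for label, findings in triage(OBSERVATIONS).items():
        print(label, "->", findings or "no finding")
```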
- On the “Configuration” page, you can choose the ‘Minimum’ and ‘Maximum’ score of each severity level.
- When you finish, click on ‘Submit’ to save the changes you made.