6.2.1.8. eve-stats

6.2.1.8.1. Introduction

The eve-stats command of the show subgroup displays the statistics of Sigflow (the monitoring engine): alerts, extracted files, Codebreaker samples, protocols seen and the detection engine's internal counters.


6.2.1.8.2. Prerequisites

  • Users: setup, gviewadm, gview

  • Dependencies: N/A


6.2.1.8.3. Command

show eve-stats


6.2.1.8.4. Example

  • Enter the following command.

    (gcap-cli) show eve-stats
    
  • Validate.
    The system displays the following groups of counters:

    • Alerts counter - Number of alerts raised by Sigflow

    • Files counters - Files extracted by Sigflow

    • Codebreaker samples counters - Files analysed by the engine that detects shellcodes and malicious PowerShell scripts

    • Protocols counters - Number of events per protocol seen by Sigflow

    • Detection Engine Stats counters - Internal statistics of Sigflow (monitoring engine)


6.2.1.8.4.1. Alerts counter details - Number of alerts raised by Sigflow

Example:

Alerts: 0

6.2.1.8.4.2. Files counters details - Files extracted by Sigflow

  • Observed - Number of files observed by Sigflow.

  • Extracted - Number of files extracted by Sigflow.

  • Uploaded - Data sent to GCenter.

    • Metadata - Number of metadata sent to GCenter.

    • File - Number of files sent to GCenter.

Example:

   Files:
     Observed:           6011816
     Extracted:          0
     Uploaded:
        Metadata:        0
        File:            0

6.2.1.8.4.3. Codebreaker samples counters details - Files analysed by Codebreaker

  • Extracted - Number of extracted files received by Codebreaker.

  • Uploaded - Detection results sent to GCenter for the files received by Codebreaker.

    • Shellcodes - Shellcode detections.

      • Plain - Number of shellcodes detected without encoding.

      • Encoded - Number of shellcodes detected with encoding.

    • Powershell - Number of malicious PowerShell scripts detected.

Example:

 Codebreaker samples:
   Extracted:          0
   Uploaded:
       Shellcodes:
           Plain:      0
           Encoded:    0
       Powershell:     0

Note

In GCenter V102, this engine is called Codebreaker.
In GCenter V103, the engine that detects shellcodes is called Shellcode detect engine, and the engine that detects malicious PowerShell scripts is called Malicious Powershell detect engine.

6.2.1.8.4.4. Protocols counters details - Number of events per protocol seen by Sigflow

  • <protocol> - Number of events observed by Sigflow for that protocol (HTTP, SMB, DNS, etc.). One line is displayed per supported protocol; a protocol never seen on the monitored traffic stays at 0.

Example:

   Protocols:
     DHCP:     0
     DNP3:     0
     DNS:      0
     FTP:      0
     HTTP:     6537929
     HTTP2:    0
     IKEv2:    0
     KRB5:     0
     MQTT:     0
     NETFLOW:  0
     NFS:      0
     RDP:      0
     RFB:      0
     SIP:      0
     SMB:      0
     SMTP:     0
     SNMP:     0
     SSH:      0
     TFTP:     0
     TLS:      0
     Tunnels:  0

6.2.1.8.4.5. Detection Engine Stats counters details - Sigflow statistics (monitoring engine)

  • Events - Data on events generated by Sigflow

    • Total - Total number of events generated

    • Stats - Number of statistics records generated

  • Capture

    • Received - Number of packets captured

    • Dropped - Number of captured packets dropped before they were inspected. Compare this value with Received: a high ratio means that part of the monitored traffic was never analysed, so alerts and file counters are incomplete for that traffic.

  • Rules - Sigflow rules data

    • Loaded - Number of rules loaded and validated

    • Invalid - Number of rules that could not be loaded (rejected at parsing or validation time). These rules are not applied to the traffic.

  • TCP

    • SYN - Number of SYN segments observed by Sigflow.

    • SYN/ACK - Number of SYN/ACK segments observed by Sigflow.

    • Sessions - Number of TCP sessions observed by Sigflow (three-way handshake completed).

  • Flows

    • TCP - Number of TCP flows observed

    • UDP - Number of UDP flows observed

    • SCTP - Number of SCTP flows observed

    • ICMPv4 - Number of ICMPv4 flows observed

    • ICMPv6 - Number of ICMPv6 flows observed

    • Timeouts - Number of TCP flows that expired, broken down by the state the flow was in when it timed out

      • New - Flows that expired before the handshake completed

      • Established - Flows that expired while established

      • Closed - Flows that expired after being closed

      • Bypassed - Flows that expired while their inspection was bypassed

Example:

   Detection Engine Stats:
     Events:
       Total:     12551855
       Stats:     2110
   
     Capture:
       Received:  153439718
       Dropped:   60964966
   
     Rules:
       Loaded:    78
       Invalid:   28
   
     TCP:
       SYN:       10274277
       SYN/ACK:   10274629
       Sessions:  10273062
   
     Flows:
       TCP:       12067611
       UDP:       0
       SCTP:      0
       ICMPv4:    0
       ICMPv6:    0
   
       Timeouts:
           New:          0
           Established:  0
           Closed:       0
           Bypassed:     0

Note

The TCP Sessions counter counts a session only once the connection is established (three-way handshake completed).
The TCP Flows counter counts every TCP flow that has been started, including flows whose connection is still being set up, so Flows/TCP is normally greater than or equal to TCP/Sessions.
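The counters above are meant to be read by an operator, but they are also what a practitioner would check from a script when validating a GCAP: the Dropped/Received ratio (the Files and Detection Engine Stats sections above are the ones it uses), the number of invalid rules, the Sessions/Flows consistency described in the note, and files observed without being extracted. The following Python script is an added example and is not part of the GCAP documentation or of the product; it assumes the text output of show eve-stats has been captured to a string (the sample below is constructed from the example excerpts on this page, concatenated in display order), and the 5 % drop threshold is an arbitrary assumption for the example, not a documented GCAP limit.

```python
import re

# Constructed sample: the example excerpts shown on this page, concatenated
# in the order the command prints them (not a capture from a real GCAP).
EVE_STATS_SAMPLE = """\
Alerts: 0
Files:
  Observed:           6011816
  Extracted:          0
  Uploaded:
     Metadata:        0
     File:            0
Codebreaker samples:
  Extracted:          0
  Uploaded:
      Shellcodes:
          Plain:      0
          Encoded:    0
      Powershell:     0
Protocols:
  DNS:      0
  HTTP:     6537929
  TLS:      0
Detection Engine Stats:
  Events:
    Total:     12551855
    Stats:     2110

  Capture:
    Received:  153439718
    Dropped:   60964966
  Rules:
    Loaded:    78
    Invalid:   28
  TCP:
    SYN:       10274277
    SYN/ACK:   10274629
    Sessions:  10273062
  Flows:
    TCP:       12067611
    UDP:       0
    Timeouts:
        New:          0
        Established:  0
"""

# One "Key:" (section) or "Key: <integer>" (counter) line; nesting is
# expressed by indentation only, and keys may contain spaces or "/".
_LINE_RE = re.compile(r"^(\s*)([^:]+):\s*(\d+)?\s*$")


def parse_eve_stats(text: str) -> dict:
    """Turn the indented counter listing into nested dicts of ints."""
    root: dict = {}
    stack = [(-1, root)]          # (indent width, container at that level)
    for raw in text.splitlines():
        if not raw.strip():
            continue              # blank separator lines between sections
        m = _LINE_RE.match(raw)
        if not m:
            raise ValueError(f"unexpected eve-stats line: {raw!r}")
        indent = len(m.group(1).expandtabs(4))
        key, value = m.group(2).strip(), m.group(3)
        while indent <= stack[-1][0]:
            stack.pop()           # climb back up to the enclosing section
        parent = stack[-1][1]
        if value is None:         # section header such as "Capture:"
            parent[key] = {}
            stack.append((indent, parent[key]))
        else:
            parent[key] = int(value)
    return root


def drop_ratio(stats: dict) -> float:
    """Fraction of captured packets dropped, i.e. never inspected."""
    cap = stats["Detection Engine Stats"]["Capture"]
    return cap["Dropped"] / cap["Received"] if cap["Received"] else 0.0


def invalid_rule_ratio(stats: dict) -> float:
    rules = stats["Detection Engine Stats"]["Rules"]
    total = rules["Loaded"] + rules["Invalid"]
    return rules["Invalid"] / total if total else 0.0


def top_protocols(stats: dict, n: int = 3) -> list:
    """Protocols with the most events, busiest first, zero counters omitted."""
    seen = [(p, c) for p, c in stats["Protocols"].items() if c > 0]
    return sorted(seen, key=lambda pc: pc[1], reverse=True)[:n]


def health_findings(stats: dict, max_drop: float = 0.05) -> list:
    """Findings a sensor operator would act on (max_drop is an assumed threshold)."""
    findings, eng = [], stats["Detection Engine Stats"]
    ratio = drop_ratio(stats)
    if ratio > max_drop:
        findings.append(f"capture drop ratio {ratio:.1%} exceeds {max_drop:.0%}: "
                        "part of the traffic was not inspected")
    if eng["Rules"]["Invalid"] > 0:
        findings.append(f"{eng['Rules']['Invalid']} rules could not be loaded "
                        f"({invalid_rule_ratio(stats):.1%} of the ruleset)")
    # Sessions counts completed handshakes, Flows/TCP every started flow,
    # so Sessions can never legitimately exceed Flows/TCP.
    if eng["TCP"]["Sessions"] > eng["Flows"]["TCP"]:
        findings.append("TCP Sessions exceeds Flows/TCP: inconsistent counters")
    files = stats["Files"]
    if files["Observed"] > 0 and files["Extracted"] == 0:
        findings.append(f"{files['Observed']} files observed but none extracted")
    return findings


if __name__ == "__main__":
    stats = parse_eve_stats(EVE_STATS_SAMPLE)
    print("top protocols:", top_protocols(stats))
    for finding in health_findings(stats):
        print("WARNING:", finding)
```

On the page's own example values the script reports three findings: a drop ratio of about 39.7 %, 28 rules rejected out of 106, and 6011816 files observed with none extracted; the Sessions/Flows check passes since 10273062 is below 12067611. The parser relies only on indentation, so the same function handles every section of the output.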