9.3.1.4. show eve-stats

A - Introduction

The `eve-stats` command in the `show` sub-group displays the Sigflow (monitoring-engine) statistics.


B - Prerequisites

  • User: setup, gviewadm, gview

  • Dependencies: N/A


C - Command

`show eve-stats`


D - Procedure

The command prompt is displayed.

(gcap-cli)
  1. Enter the command

    show eve-stats

  2. Validate.
     The system displays the following information:

  • Counter `Alerts` - Number of Sigflow alerts found

  • Counters `Files` - Files extracted by Sigflow

  • Counters `Codebreaker samples` - Files analysed by Codebreaker

  • Counters `Protocols` - List of protocols seen by Sigflow

  • Counters `Detection Engine Stats` - Sigflow statistics (monitoring-engine)


E - Details of Counter `Alerts` - Number of Sigflow alerts found

Example :

Alerts: 0

F - Detail of counters `Files` - Files extracted by Sigflow

  • `Observed` - Number of files observed by Sigflow.

  • `Extracted` - Number of files extracted by Sigflow.

  • `Uploaded` - Data sent to GCenter.

    • `Metadata` - Number of metadata sent to GCenter.

    • `File` - Number of files sent to GCenter.

Example :

Files:
 Observed:           6011816
 Extracted:          0
 Uploaded:
    Metadata:        0
    File:            0

G - `Codebreaker samples` counter details - Files analysed by Codebreaker

  • `Extracted` - Number of extracted files received by Codebreaker.

  • `Uploaded` - Data on files received by Codebreaker on GCenter.

    • `Shellcodes` - Data on shellcodes.

      • `Plain` - Shellcodes detected without encoding.

      • `Encoded` - Shellcodes detected with encoding.

    • `Powershell` - Number of malicious Powershell scripts detected.

Example :

Codebreaker samples:
   Extracted:         0
   Uploaded:
      Shellcodes:
         Plain:       0
         Encoded:     0
      Powershell:     0

Note

In version GCenter V102, this engine is called Codebreaker.
In version GCenter V103, the engine which detects the shellcodes is called Shellcode detect engine.
In version GCenter V103, the engine which detects the malicious powershells is called Malicious Powershell detect engine.

H - Details of the `Protocols` counters - Lists of protocols seen by Sigflow

  • `<protocol>` - Number of events observed by Sigflow for the given protocol, e.g. HTTP, SMB, and others.

Example :

Protocols:
  DHCP:     0
  DNP3:     0
  DNS:      0
  FTP:      0
  HTTP:     6537929
  HTTP2:    0
  IKEv2:    0
  KRB5:     0
  MQTT:     0
  NETFLOW:  0
  NFS:      0
  RDP:      0
  RFB:      0
  SIP:      0
  SMB:      0
  SMTP:     0
  SNMP:     0
  SSH:      0
  TFTP:     0
  TLS:      0
  Tunnels:  0

I - Details of the `Detection Engine Stats` counters - Statistics of Sigflow (monitoring-engine)

  • `Events` - Data on events observed by Sigflow

    • `Total` - Total number of events

    • `Stats` - Number of statistics generated

  • `Capture`

    • `Received` - Number of packets captured

    • `Dropped` - Number of packets ignored

  • `Rules` - Sigflow rules data

    • `Loaded` - Number of rules loaded and validated

    • `Invalid` - Number of rules that could not be loaded

  • `TCP`

    • `SYN` - Number of SYN observed by Sigflow.

    • `SYN/ACK` - Number of SYN/ACK observed by Sigflow.

    • `Sessions` - Number of TCP sessions observed by Sigflow.

  • `Flow`

    • `TCP` - Number of TCP sessions observed

    • `UDP` - Number of UDP sessions observed

    • `SCTP` - Number of SCTP sessions observed

    • `ICMPv4` - Number of ICMPv4 messages observed

    • `ICMPv6` - Number of ICMPv6 messages observed

    • `Timeouts` - Statistics on TCP session expirations

      • `New` - Number of new TCP windows

      • `Established` - Number of established windows

      • `Closed` - Number of closed windows

      • `Bypassed` - Number of ignored windows

Example :

Detection Engine Stats:
  Events:
    Total:     12551855
    Stats:     2110

  Capture:
    Received:  153439718
    Dropped:   60964966

  Rules:
    Loaded:    78
    Invalid:   28

  TCP:
    SYN:       10274277
    SYN/ACK:   10274629
    Sessions:  10273062

  Flows:
    TCP:       12067611
    UDP:       0
    SCTP:      0
    ICMPv4:    0
    ICMPv6:    0

    Timeouts:
        New:          0
        Established:  0
        Closed:       0
        Bypassed:     0

Note

The TCP sessions counter counts the number of sessions once the connection is established (three-way handshake phase).
The TCP Flows counter counts the number of sessions that have been started (including sessions where the connection is in progress).
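As an added example (not part of the GCap documentation or product), the following Python parses the indented `Key: value` layout that `show eve-stats` prints, as shown in the sections above, and applies two health checks an operator would want to run on it: the `Capture` drop ratio and the `Rules` `Invalid` count. The sample text is constructed from the example values on this page; the 1% drop threshold is an assumed operational limit.

```python
# Constructed sample, assembled from the example values shown on this page.
SAMPLE = """\
Alerts: 0
Files:
 Observed:           6011816
 Uploaded:
    Metadata:        0

Detection Engine Stats:
  Capture:
    Received:  153439718
    Dropped:   60964966

  Rules:
    Loaded:    78
    Invalid:   28
"""

def parse_eve_stats(text):
    """Parse the indented 'Key: value' layout into nested dicts (numbers as int)."""
    root = {}
    stack = [(-1, root)]  # (indent width, dict that receives keys at that depth)
    for line in text.splitlines():
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        value = value.strip()
        while stack[-1][0] >= indent:  # leave deeper or sibling sections
            stack.pop()
        parent = stack[-1][1]
        if value == "":  # section header such as 'Capture:'
            parent[key] = {}
            stack.append((indent, parent[key]))
        else:
            parent[key] = int(value) if value.isdigit() else value
    return root

def health_check(stats, max_drop_ratio=0.01):
    """Flag conditions that mean Sigflow is not inspecting or matching all traffic."""
    engine = stats["Detection Engine Stats"]
    findings = []
    received, dropped = engine["Capture"]["Received"], engine["Capture"]["Dropped"]
    if received and dropped / received > max_drop_ratio:  # assumed 1% limit
        findings.append(f"capture drop ratio {dropped / received:.1%} exceeds "
                        f"{max_drop_ratio:.0%}; detection coverage is incomplete")
    if engine["Rules"]["Invalid"]:
        findings.append(f"{engine['Rules']['Invalid']} rule(s) failed to load; review the ruleset")
    return findings
```

Run against the page's own example values it reports a 39.7% drop ratio and 28 invalid rules, both of which warrant investigation before trusting the `Alerts` counter.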