
QRadar Incident Forensics Automated Back-end Benchmark Suite (QRIFABS)

IP.com Disclosure Number: IPCOM000243284D
Publication Date: 2015-Sep-18
Document File: 6 page(s) / 185K

Publishing Venue

The IP.com Prior Art Database

Abstract

Disclosed is a method to use QRadar Incident Forensics Automated Back-end Benchmark Suite (QRIFABS) to automate the benchmarking process and take the benchmarking step further by installing tools and establishing predefined screens to make the process much easier for the user.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 34% of the total text.

Page 01 of 6

QRadar Incident Forensics Automated Back-end Benchmark Suite (QRIFABS)

Performance benchmarking of QRadar Incident Forensics (QRIF) is a challenging task requiring a lot of manual intervention on the QRIF box, from data generation to process analysis. It is a time-consuming and stressful process, as the data gathering, analysis, and graphing are all prone to human error.

The solution is to use QRadar Incident Forensics Automated Back-end Benchmark Suite (QRIFABS) to automate the process and take the benchmarking step further by installing tools and establishing predefined screens to make the process much easier for the user.

The QRIFABS has the following major components: Data generator, Sender, Search Suite Executor, Analyzer, and Grapher. It creates and sends data, and monitors, logs, searches, analyzes, and graphs the behavior during the tests and benchmark. QRIFABS works with minimal to no user supervision and the user can concurrently benchmark multiple boxes without needing any further configuration.

QRIFABS has two sides: sender box and remote box.

Sender Box


Forensics Data Generator [Bash* + Python*]: Data generation is a six-step process that produces a much denser data set. Later, this data file is continuously played to an interface and captured in chunks.

In the Initial Data Generation phase, the original packet capture (PCAP) file is split into individual flows. Then flowPcapPerparer.py drives the Tcpreplay suite. It takes the folder path but does not walk the whole folder at once, since it holds a couple of tens of thousands of files; instead it retrieves the files one by one, randomizes the IPs, plays the flow, deletes it, and continues with the next. The replay steps are as follows:

1. TcpPrep - prepares the cache file for each flow, which is used to "split" traffic into two sides (often called primary/secondary or client/server)

2. TcpRewrite - rewrites the flow with the cache file from TcpPrep. It can also randomize Source and Destination IPs in the flow.

3. TcpReplay - replays the newly created PCAP to the interface

4. Tcpdump - captures the replayed traffic

5. PCAP file - all the played PCAPs are accumulated in this file. This phase provides a much denser version of the original PCAP file.
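The per-flow replay loop described above (steps 1 to 4, with the chunked tcpdump capture reused in the forensics-box phase), as an added example written for this page rather than code from QRIFABS or flowPcapPerparer.py. It wraps the real Tcpreplay suite and tcpdump command lines; the driver function names, the work directory, the interface names and the seed handling are constructed assumptions, and the `run` hook exists so the command sequence can be checked without the tools installed.

```python
import os
import random
import subprocess
from pathlib import Path


def derived_paths(flow, work):
    """Cache file and rewritten PCAP for a flow, kept out of the input folder."""
    flow, work = Path(flow), Path(work)
    return work / (flow.stem + ".cache"), work / (flow.stem + ".rw.pcap")


def flow_commands(flow, work, iface, seed):
    """Steps 1-3 for one flow: tcpprep writes the client/server cache file,
    tcprewrite applies it and randomizes IPs with --seed, tcpreplay plays it."""
    cache, rewritten = derived_paths(flow, work)
    return [
        ["tcpprep", "--auto=client", f"--pcap={Path(flow)}", f"--cachefile={cache}"],
        ["tcprewrite", f"--cachefile={cache}", f"--seed={seed}",
         f"--infile={Path(flow)}", f"--outfile={rewritten}"],
        ["tcpreplay", f"--intf1={iface}", str(rewritten)],
    ]


def capture_command(iface, out, chunk_mb=500):
    """Step 4: tcpdump on the replay interface, rolling to a new file every
    chunk_mb MB (the 500MB split used for the forensics-box data)."""
    return ["tcpdump", "-i", iface, "-w", str(out), "-C", str(chunk_mb)]


def iter_flows(folder):
    """Yield flow PCAPs lazily; os.scandir never materialises the whole folder,
    which matters with tens of thousands of files."""
    with os.scandir(folder) as entries:
        for entry in entries:
            if entry.is_file() and entry.name.endswith(".pcap"):
                yield Path(entry.path)


def replay_flows(flows, work, iface, run=subprocess.run,
                 seed_fn=lambda: random.randrange(1, 2**31)):
    """Prep, rewrite with a fresh IP seed, replay, then delete each flow and its
    derived files so the folder drains as the run proceeds. Returns the count."""
    played = 0
    for flow in flows:
        for cmd in flow_commands(flow, work, iface, seed_fn()):
            run(cmd, check=True)  # hypothetical hook; defaults to subprocess.run
        for path in (Path(flow), *derived_paths(flow, work)):
            path.unlink(missing_ok=True)
        played += 1
    return played
```

In a real run, `capture_command` is started on the same interface before `replay_flows(iter_flows(folder), work, iface)` so the accumulated PCAP (step 5) is written while the flows are played.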



Page 02 of 6

In the Data Generation for Forensics Box phase, the generated dense PCAP file is replayed to the interface and captured by tcpdump at the same time, split into 500MB PCAP files. The sender script uses these files to send data to the remote box. The following parameters are configurable:

Path of remote repository (remote folder path to send to)

Path of local repository (local folder path to send from)

Shards (an array, so that the user can send the data to all the boxes concurrently)

Case name (case to send to in the remote box)

File size (file size to send)

Back off threshold (if processing slows down in the remote box, we will send only up to this number of files so that the data will not over-accumulate)

Sender Script - ToForensicsA...