Using Filters in StealthWatch

james.hendrick (Level 1)

I am relatively new to SW, although I have been using the system for about a year, probably once or so a week, and I have taken the SW Security Operations and Network Operations training.

My question is this: I do not understand how to effectively create filters. Specifically, there are filters for "Server Services", "Server Applications", "Client Services", and "Client Applications" (and this is just within the "Host Information" view). If I am creating a flow table, I can also do it by port and protocol.

Why would I use one over the other?

Specifically - I want to find all the systems that provide DNS services (i.e. listen on UDP or TCP port 53 and provide name resolution).

I get *vastly* different results when I choose "Server Services" with "dns or dnstcp" than when I choose "Server Applications" and pick "DNS or DNS (unclassified)".

I have looked through the documentation, and it is not at all clear what the difference is in what SW is doing behind the scenes.

Thank you!

Jim H.

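The thread has no reply, so the following is an added illustration, not part of the original post and not Stealthwatch's own logic. It assumes (and this is an assumption the thread does not confirm) that a "service" filter matches on server port and protocol alone, while an "application" filter comes from a classifier that inspects traffic content. Under that assumption the two host sets for DNS can differ in both directions: a host answering on UDP/53 with something that is not DNS shows up only under the service filter, and a resolver on a non-standard port shows up only under the application filter. The flow records, IP addresses and payloads below are constructed for the example; the server side of each record is taken as already determined.

```python
"""Added example: why a port/protocol "service" match and a content-based
"application" match can yield different DNS server sets. Not Stealthwatch
code; records, addresses and payloads are constructed for illustration."""
import struct
from typing import NamedTuple


class Flow(NamedTuple):
    server: str          # server-side IP (already determined, an assumption)
    proto: str           # "udp" or "tcp"
    server_port: int
    payload: bytes       # first payload bytes seen from the client


def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Minimal DNS A query for `name` (standard query, RD set, one question)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN


def is_dns_service(proto: str, port: int) -> bool:
    """Service-style match: port/protocol only (dns = UDP/53, dnstcp = TCP/53)."""
    return port == 53 and proto in ("udp", "tcp")


def looks_like_dns(payload: bytes, proto: str) -> bool:
    """Application-style match: does the content parse as a DNS message?
    A simplified stand-in for a DPI classifier (assumption, not Stealthwatch's)."""
    if proto == "tcp":                       # DNS over TCP has a 2-byte length prefix
        if len(payload) < 2:
            return False
        (length,) = struct.unpack("!H", payload[:2])
        payload = payload[2:2 + length]
        if len(payload) != length:
            return False
    if len(payload) < 12:
        return False
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    opcode = (flags >> 11) & 0xF             # QUERY/IQUERY/STATUS only
    z_bits = (flags >> 4) & 0x7              # reserved bits must be zero
    if opcode > 2 or z_bits != 0 or qdcount != 1:
        return False
    pos = 12                                 # walk the question name labels
    while True:
        if pos >= len(payload):
            return False
        label_len = payload[pos]
        if label_len == 0:
            pos += 1
            break
        if label_len > 63:                   # also rejects compression pointers here
            return False
        pos += 1 + label_len
    return pos + 4 <= len(payload)           # QTYPE + QCLASS must fit


def server_sets(flows):
    """Return the DNS server sets each filter style would produce and their differences."""
    by_service = {f.server for f in flows if is_dns_service(f.proto, f.server_port)}
    by_app = {f.server for f in flows if looks_like_dns(f.payload, f.proto)}
    return {
        "service": by_service,
        "application": by_app,
        "service_only": by_service - by_app,        # port 53, but not DNS
        "application_only": by_app - by_service,    # DNS, but not on port 53
    }


QUERY = build_dns_query("example.com")
SAMPLE_FLOWS = [  # constructed records
    Flow("10.0.0.53", "udp", 53, QUERY),
    Flow("10.0.0.53", "tcp", 53, struct.pack("!H", len(QUERY)) + QUERY),
    Flow("10.0.0.99", "udp", 53, b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"),  # not DNS on 53
    Flow("10.0.0.7", "udp", 5300, QUERY),                                # DNS off port 53
    Flow("10.0.0.8", "tcp", 443, b"\x16\x03\x01\x00\xf5\x01\x00\x00\xf1\x03\x03" + bytes(range(32))),
]

if __name__ == "__main__":
    for key, hosts in server_sets(SAMPLE_FLOWS).items():
        print(f"{key:17s} {sorted(hosts)}")
```

Run as a script it prints the four sets; the two "only" sets are the hosts one filter style reports and the other does not, which is the kind of gap the question describes. The content check is deliberately strict (exactly one question, reserved bits clear, well-formed name) so that unrelated traffic on port 53 does not pass by accident.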