Endace

When Endace integration is enabled, the following additional host inspection options become available after a report is run:

  • Endace - Pivot2Vision: Opens the Endace Vision view

  • Endace - Pivot2InvestigationManager: Opens the Endace Investigation Manager view

  • EndaceProbe P2P: Downloads a packet capture with user-specified parameters (*.pcap or *.erf)

The pivot options can be accessed after clicking on an IP address or hostname in the report results view, under Other Options in the tray. For P2P packet capture downloads, run a report from the Plixer Scrutinizer Classic UI, and then select the option after clicking on a host in the results view.

Note

  • Data will only be available for hosts/traffic seen on the EndaceProbe.

  • It may be necessary to log in to Endace when pivoting to the Endace Vision or Investigation Manager view for the first time.

Configuration requirements

The following details will be required to enable/configure Endace integration:

  • Endace server IP address (and DNS hostname, if desired)

  • Port to use to connect to the Endace server (typically 443 or 80)

  • Credentials to use for the Endace server

  • [Optional] Names of data sources configured on the Endace server

Adding an EndaceProbe

To enable Endace integration, add the server by launching scrut_util and running the following at the SCRUTINIZER> prompt:

endace add <ENDACE_IP_ADDRESS> <PORT> <USER> <PASSWORD>

Note

This command requires an IP address and will not work with a hostname.

For example:

SCRUTINIZER> endace add 10.11.12.13 443 adminuser adminuserpass

See this page for other scrut_util commands related to Endace integration.

Enabling Endace pivot options

After the Endace server has been added to Scrutinizer, the Pivot2Vision and Pivot2InvestigationManager options can be enabled as follows:

Note

  • Data sources are defined in the EndaceProbe configuration. To use all available data sources on a probe, replace <DATA_SOURCES> with tag%3Aall.

  • When using port 80, it may be necessary to replace https:// with http:// in the URLs below.

  1. SSH to the Scrutinizer server as the plixer user.

  2. Configure the EndaceProbe IP address or hostname and the data sources to use by adding the following lines to the end of /home/plixer/scrutinizer/files/applications.cfg:

    https://<ENDACEPROBE_IP_OR_HOSTNAME>/vision2/pivotintovision/?datasources=<DATA_SOURCES>&title=Scrutinizer-Investigation&start=%zs&end=%ze&tools=conversations_by_ipaddress%2Cbandwidth%2CtopTalkers_by_ipaddress%2CtrafficOverTime_by_prot&ip=%i, Endace Vision 2 - Investigation
    https://<ENDACEPROBE_IP_OR_HOSTNAME>/vision2/pivotintovision/?datasources=<DATA_SOURCES>&title=Pivot%3Ato%3AVision%3Afrom%3AScrutinizer&start=%zs&end=%ze&tools=bandwidth%2CtrafficOverTime_by_app%2Cconversations_by_ipaddress&ip=%i, Endace Investigation Manager

    Examples:

    https://endace-probe.company.com/vision2/pivotintovision/?datasources=tag%3Aall&title=Scrutinizer-Investigation&start=%zs&end=%ze&tools=conversations_by_ipaddress%2Cbandwidth%2CtopTalkers_by_ipaddress%2CtrafficOverTime_by_prot&ip=%i, Endace Vision 2 - Investigation
    https://10.11.12.13/vision2/pivotintovision/?datasources=default-capture-nic-1%2Cdefault-capture-nic-2&title=Pivot%3Ato%3AVision%3Afrom%3AScrutinizer&start=%zs&end=%ze&tools=bandwidth%2CtrafficOverTime_by_app%2Cconversations_by_ipaddress&ip=%i, Endace Investigation Manager
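The following Python helper is an added example, not Plixer or Endace code: it generates an applications.cfg pivot line from a probe host, data source names and tool names (URL-encoding them the way the examples above do, so tag:all becomes tag%3Aall and lists are joined with %2C) and sanity-checks an existing line. It assumes the "<URL>, <label>" line format shown above and that %zs, %ze and %i are literal Scrutinizer substitution tokens that must not be percent-encoded.

```python
"""Build and sanity-check Endace pivot lines for applications.cfg (added example)."""
from urllib.parse import quote, urlsplit, parse_qs

PIVOT_PATH = "/vision2/pivotintovision/"
TOKENS = ("%zs", "%ze", "%i")  # start, end, pivoted IP; assumed to be filled in by Scrutinizer
REQUIRED_PARAMS = ("datasources", "title", "start", "end", "tools", "ip")


def build_pivot_line(probe, datasources, title, tools, label, port=443):
    """Return one applications.cfg line: '<pivot URL>, <menu label>'."""
    scheme = "http" if port == 80 else "https"  # per the note: port 80 may need http://
    host = probe if port in (80, 443) else f"{probe}:{port}"
    # Percent-encode operator-supplied pieces; ':' -> %3A and ',' -> %2C as in the docs.
    ds = quote(",".join(datasources), safe="")
    tl = quote(",".join(tools), safe="")
    tt = quote(title, safe="")
    # The %zs/%ze/%i tokens are written literally, never through quote().
    url = (f"{scheme}://{host}{PIVOT_PATH}?datasources={ds}&title={tt}"
           f"&start=%zs&end=%ze&tools={tl}&ip=%i")
    return f"{url}, {label}"


def check_pivot_line(line):
    """Return a list of problems found in a pivot line; an empty list means it looks valid."""
    url, sep, label = line.rpartition(", ")
    if not sep or not label.strip():
        return ["missing ', <label>' suffix"]
    problems = []
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        problems.append(f"unexpected scheme {parts.scheme!r}")
    if parts.path != PIVOT_PATH:
        problems.append(f"unexpected path {parts.path!r}")
    qs = parse_qs(parts.query, keep_blank_values=True)
    for key in REQUIRED_PARAMS:
        if key not in qs:
            problems.append(f"missing query parameter {key!r}")
    if qs.get("datasources", [""])[0] == "":
        problems.append("datasources is empty")
    # Tokens are matched on the raw URL: an encoded '%25zs' would reach Endace unsubstituted.
    for tok in TOKENS:
        if tok not in url:
            problems.append(f"substitution token {tok} missing or percent-encoded")
    return problems
```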