Introduction:
The Violation Report analysis tool is a Zentera command line utility that generates detailed reports from the violation and traffic logs exported from Zentera zCenter. The tool and its reports give visibility into network traffic to and from the servers/applications where the traffic was collected (by the zLink agent or the micro-segmentation gatekeeper). This traffic analysis can then be used to prepare the chamber rules and policies to apply for application segmentation.
Types of Logs It Can Be Used With:
Violation Report can be used with any of the following logs:
- Learn Logs from the Learn feature in zCenter
  - Retrieved from admin portal > application chambering > shield icon > scroll to learned rules > view learned rules > export to CSV
- Detection Logs from putting an application in detection mode
  - Retrieved from admin portal > application chambering > click detection mode > shield icon > scroll to learned rules > view learned rules > export to CSV
- Prevention Logs from putting an application in prevention mode
  - Retrieved from admin portal > application chambering > click prevention mode > shield icon > scroll to learned rules > view learned rules > export to CSV
Steps to Running the Tool:
The following steps are needed to run the tool:
- First, export one of the logs from zCenter. After using the Learn, Detection, or Prevention feature, use the Export to CSV button to export the logs to a CSV file (which can be opened in Excel). In the steps below this file is called example_learn_file.csv
- Download the latest stable binary of the Violation Report, attached to this post.
- Locate the file named violation_report.exe and run it with any of the supported command line options. For example:
violation_report.exe --csv example_learn_file.csv
Additional Options:
- zLink report for hostname annotations
- rulebook (details are not covered in this post)
Output File Description:
The layout of the output file varies with the command line arguments used. In general, the output file looks like this:
- If no name is specified, the output file is violation_report.xlsx
- The workbook contains multiple sheets, each labeled on a tab at the bottom of the Excel window.
- Many of the tabs separate entries by public, private, and special IP addresses, as well as by inbound and outbound connections
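As an added illustration (not Zentera's code; the report tool itself is a compiled binary), the following Python sketch shows the kind of bucketing the output tabs describe: each exported entry is grouped by connection direction and by whether the remote address is private, special, or public. The CSV column names (src_ip, dst_ip, dst_port, direction), the sample rows, and the RFC 1918 / fc00::/7 definition of "private" are constructed assumptions, not the real zCenter export schema.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample export. Column names are an assumption, not the
# real zCenter CSV schema; addresses are documentation/test ranges.
SAMPLE_CSV = """src_ip,dst_ip,dst_port,direction
10.0.1.15,10.0.2.20,443,inbound
203.0.113.7,10.0.2.20,22,inbound
10.0.2.20,198.51.100.9,443,outbound
10.0.2.20,224.0.0.251,5353,outbound
fe80::1,10.0.2.20,80,inbound
"""

# "Private" here means RFC 1918 plus IPv6 unique-local (an assumption);
# loopback, link-local, multicast and reserved space are "special".
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


def classify_ip(ip_str):
    """Bucket an address as private, special, or public (report-tab style)."""
    ip = ipaddress.ip_address(ip_str)
    if any(ip in net for net in PRIVATE_NETS):
        return "private"
    if (ip.is_multicast or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_unspecified):
        return "special"
    return "public"


def bucket_rows(csv_text):
    """Group rows into <direction>_<class> buckets keyed on the remote peer.

    The peer is the source for inbound rows and the destination for
    outbound rows (an assumption about how direction is recorded).
    """
    buckets = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        peer = row["src_ip"] if row["direction"] == "inbound" else row["dst_ip"]
        key = f"{row['direction']}_{classify_ip(peer)}"
        buckets[key].append((peer, int(row["dst_port"])))
    return dict(buckets)


if __name__ == "__main__":
    for name, entries in sorted(bucket_rows(SAMPLE_CSV).items()):
        print(name, entries)
```

Each bucket lists the peer/port pairs that would need an allow rule if the observed flow is legitimate, which is the review step before turning learned traffic into chamber policy.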