View Specific Details About Traffic

  • Hi, new guy here. I know enough about firewalls to be dangerous. I work in a building with about 8 employees that use the internet. The other day we had a security breach that wasn't detected for a few days. I was able to find out about this breach by stumbling across irregular data usage in graphs in our Meraki Firewall. One client downloaded about 130 gigs of data (with only a couple hundred megs of data uploaded during that time). Once we took that machine down, the next night another PC uploaded about 20 gigs of data, which was abnormal. I can see how much data was used and I can see where the data went, but what I want to see is what the data was, and it's driving me nuts. If files were moved, what files were they? What data was in the 130 gigs of data that the firewall says was downloaded to the first PC?

    How do I do this? Most connections used port 80 or 443. We are currently using a Meraki firewall. I've used pfSense in the past and we're playing with it now. I just don't know how to dial down and see what the data was.


  • Crickets? Lol ;)

  • I doubt you can know what files were uploaded. You should ask Meraki for support, or post in their forums.
    You could check the logs to see what IPs were involved and try to get some data on them with a whois lookup. Talk to the users, check their machines for malware, and for applications that could have downloaded and uploaded such amounts of data. Needless to say, if the machines are running Windows 10 and they have the option to share Windows updates peer-to-peer over the internet, that could do it. Microsoft in their incredible wisdom decided to enable things like that with little (if any) control over the amount of BW used.
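As an added example (not from the thread, and not a Meraki or pfSense tool), here is the first step the reply above suggests done in a script: sum bytes per client per day from exported flow records, flag any host whose download or upload volume is out of line, and list the destination IPs behind it so they can be run through whois and the machine examined. The column names and sample records are constructed; adapt them to whatever your firewall exports.

```python
import csv
import io
from collections import defaultdict

# Constructed sample flow log (not a real export): one line per connection,
# with bytes in each direction. Volumes mirror the ~130 GB / ~20 GB case above.
SAMPLE_LOG = """date,client,dst_ip,dst_port,bytes_down,bytes_up
2023-05-01,10.0.0.12,203.0.113.7,443,95000000000,120000000
2023-05-01,10.0.0.12,198.51.100.9,80,35000000000,80000000
2023-05-01,10.0.0.15,203.0.113.7,443,400000000,30000000
2023-05-02,10.0.0.21,192.0.2.44,443,250000000,20000000000
2023-05-02,10.0.0.15,198.51.100.9,80,600000000,50000000
"""

GB = 1_000_000_000

def parse_flows(text):
    """Parse CSV flow records into dicts with integer byte counts."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["bytes_down"] = int(row["bytes_down"])
        row["bytes_up"] = int(row["bytes_up"])
        rows.append(row)
    return rows

def totals_per_client_day(flows):
    """Sum bytes down/up per (date, client) so a single busy host stands out."""
    totals = defaultdict(lambda: {"down": 0, "up": 0})
    for f in flows:
        key = (f["date"], f["client"])
        totals[key]["down"] += f["bytes_down"]
        totals[key]["up"] += f["bytes_up"]
    return totals

def flag_anomalies(flows, down_limit=10 * GB, up_limit=5 * GB):
    """Return (date, client, direction, GB, top_destinations) for hosts over a limit.
    Thresholds are assumptions; set them from your own normal daily volumes."""
    flagged = []
    for (date, client), t in sorted(totals_per_client_day(flows).items()):
        for direction, limit in (("down", down_limit), ("up", up_limit)):
            if t[direction] > limit:
                field = "bytes_" + direction
                per_dst = defaultdict(int)  # destination -> bytes in that direction
                for f in flows:
                    if f["date"] == date and f["client"] == client:
                        per_dst[(f["dst_ip"], f["dst_port"])] += f[field]
                top = sorted(per_dst.items(), key=lambda kv: kv[1], reverse=True)
                flagged.append((date, client, direction, round(t[direction] / GB, 1), top))
    return flagged
```

The flagged destination IPs are what you feed to whois; the flow log still will not tell you which files moved, only who talked to whom and how much.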