SSL- what the Connected metric means in ExtraHop

ExtraHop tracks the SSL Connected metric in the same way we track flows in general. We see a flow open that we recognize as SSL (SSL_OPEN), and then when we later see a CLOSED, ABORTED or EXPIRED event we know the conversation is now over. The Connected metric is a count of the open SSL sessions that we have not yet seen the closed, abort or expired tags for. The number of Connected sessions gets counted and written to the ExtraHop datastore every 30 seconds.

Thank you, @acro.

I have a need for detailed SSL monitoring connections for monitoring connections to external entities. I see constant payloads but very few connected, closed, etc… sessions when using this method under the SSL_OPEN event to generate the app: SSL.addApplication(appName)

In order to make a comparison to the L4 connection counts, I also added to the SSL_OPEN event this method:
Flow.addApplication(appName, true)

The ‘network’ TCP metrics generated do not match the SSL metrics at all. How do we extract maximum monitoring from un-decrypted SSL?

@bbarltropfnma, could you provide more detail about how the metrics don’t match? Thanks!

There are only a handful of SSL connected, but hundreds of TCP connected, for one.

@bbarltropfnma, this topic may flow best as a Support case, but if you’d like to take a look here, could you post a chart screenshot showing a couple of metrics that seem like they should match up, but aren’t?

I think I get what you’re trying and expecting, but a visual would help confirm.

Thanks!