Friday, July 27, 2018

Private Instance & Public API

A busy seven months since our last post, and now that we're past the halfway mark an update is well overdue. With that being said, we are super excited about the updates we have planned, and I wanted to share some of the highlights of what we have accomplished and what we are working on this year.

General Updates

  1. WhoIs/IP2Geo lookups are experiencing transient issues, as we are having to switch backends for both services. We expect to have these services at 100% by end of August.
  2. Our team is growing! As we are a free service, we are always looking for contributors! Last month we welcomed @BigDataBryce to the team, who is already making some massive improvements to the codebase.
  3. Due to popular demand we've shifted almost all our focus to a private instance of the tool.

Private Instance

A lot of discussion at the beginning of the year went into prioritizing feature additions. We received quite a bit of feedback around how people were using the tool and what is lacking. The request repeated most often was for a private version of the tool, which is understandable given the sensitive nature of packet captures.

The first half of the year was spent re-writing the analysis engine and laying the groundwork for several major enhancements. Because of this I have little to show from a UI perspective; however, the private version will include several UI improvements that were impractical to implement on

File Rendering/PE Details

Current PCAP analysis solutions do a poor job (in my opinion) of representing extracted content. We'd love to change this by providing a simple view of extracted content, where additional post-processing is conducted against executables.

Below is an example of media extracted, identified, enriched, and rendered in the new "files" view. This view will support rendering of all major video types and images, and will provide additional metadata around these.

Analyze 1, 10 or 10,000 PCAPs

Bulk analysis relies on multiple levels of analysis in order to extract metadata and artifacts from submitted PCAPs. This process is computationally expensive, and for this reason we were hesitant to allow it on the public site. However, we considered bulk analysis a must-have feature for a private instance.

Again, the UI is still very much in the works, but you will be able to upload practically any archive format containing the PCAPs you wish to analyze.

Other Feature Additions
  1. Geo View for location-based data, both inferred and extracted from the capture
  2. Improved Timeline View, which will include timelines for every protocol, not just sessions
  3. VOIP Extraction & Replay
  4. A/V detection against extracted artifacts
  5. JavaScript de-obfuscation
  6. Integration - search for similar PCAPs across our public datastore.

Public API

Even with the shift in priorities to develop a private instance of this tool, we have no intention of abandoning development of the public site. Indeed, our second most requested addition was to expose search capabilities through a public API. Much of the required groundwork has already been laid to facilitate this addition. At this point most of the changes that need to be made to make a public API a reality are infrastructure related. Users can expect a public search API by end of year or early next year.

I am working to share updates more frequently with our users. If you have any feature suggestions or questions, please feel free to comment below!
