Welcome to the PacketTotal development blog! PacketTotal launched February 10th, 2017 and is now one week old.
First, thank you to everyone who has given the engine a try, it has made all of the work that went into it worthwhile. This first week has been incredibly busy. I've patched around thirty minor bugs, scaled up the Elasticsearch backend, and begun laying the ground-work for some cool new analysis features.
So what's next for this project?
The main goal of PacketTotal has and will continue to be providing a framework for analysts and researchers to share malicious packet-captures.
Right now the tool does a decent job indexing packet metadata and making it available for search. This is fairly useful, because it allows you to search across all packets submitted, look for similar traffic, and grow your list of IOCs.
Right now the only way to correlate similar traffic between packet-captures is through the search UI. In the next couple of weeks I'll be adding similar functionality to the analysis console, providing the ability to pivot between packet-captures on a single IOC.
Suricata does an excellent job of identifying suspicious/malicious traffic, but does not tell you X traffic is associated with Y malware campaign (in most cases). I will be adding features into the analysis console to let users associate information like this to packet-captures. This information would then become searchable to the public and greatly improve he intelligence gathered from the tool.
From a usability standpoint I plan on tweaking the way that users submit packet-capture files. Specifically the logic that is used for determining whether or not a packet-capture file can be analyzed. The current code is over-engineered and borders on paranoia. I will be ripping out the custom header validation, and replacing it with a libmagic, reducing the number of "Invalid PCAP" errors for legitimate packet-captures.
Thanks again for giving PacketTotal a try, and as always I welcome any criticism/suggestions that will make the tool work better for you.
No comments:
Post a Comment