Tuesday, September 28

OpenFPC, in other words, Leon is a Ninja

I put this up to basically draw attention to this project.  Leon (a fellow Sourcefire employee and Ninja over in the UK) can explain the project much better than I can, so I'll let him:

OpenFPC is a set of tools that combine to provide a lightweight full-packet network traffic recorder & buffering system. Its design goal is to allow non-expert users to deploy a distributed network traffic recorder on COTS hardware while integrating into existing alert and log management tools.

OpenFPC is described as lightweight because it follows a different design model to other FPC/Network traffic forensic tools that I have seen. It doesn't provide a user with the ability to trigger automatic events (IDS-like functions), or set watch events for anomalous traffic changes (NBA-like functions), as it is assumed external open source or commercial tools already provide this detection capability. OpenFPC fits in as a companion to provide extra (full packet/traffic stream) data as a bolt-on to these tools, allowing deeper analysis of event data where required.

Full packet capture is something that has been suggested as the answer to all by many.  I don't disagree; it does aid in the forensic investigation of traffic.  Heck, I do it at my house (full packet capture).  I find this idea to be very intuitive and interesting, especially the search capabilities.

To be honest, I've seen something like this before when I worked for the military.  I don't want to disclose where or what agency was using this, but it was vastly helpful when we wanted to investigate something.

We used Snort and another IDS to prompt us to look for something and we'd start going through the full packet captures to investigate it.  I got the idea for this from another Army agency that had a GUI for it, and the whole nine yards.  I thought it was a beautiful system and it worked great.  I was quite impressed.

Anyway, I'm glad to see that Leon is making a tool like this Open-Source.  I think this is a phenomenal idea, and I'd like to see something like this used in a test-production network system somewhere, just to prove how useful it could be.
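To make the "bolt-on" role concrete (an IDS raises the alert, the packet recorder supplies the traffic behind it), here is an added example of that workflow in plain Python. It is not OpenFPC's own code and does not use OpenFPC's interfaces; the Snort fast-format alert line, the buffer file names and every packet are constructed inline, and the 30-second window and the Ethernet/IPv4/TCP framing are assumptions made for the illustration. Given a set of time-ordered pcap buffer files and an alert, it opens only the files whose span can overlap the alert's time window and pulls the packets of the alerted flow in both directions.

```python
import re
import struct
from dataclasses import dataclass

PCAP_MAGIC = 0xA1B2C3D4           # classic little-endian pcap, microsecond timestamps
PROTO = {"TCP": 6, "UDP": 17}


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: int

    def reverse(self):
        return Flow(self.dst, self.dport, self.src, self.sport, self.proto)


def flow_from_snort_alert(line):
    """Pull the 5-tuple out of a Snort 'fast' alert line, e.g. '... {TCP} 10.0.0.5:44321 -> 192.168.1.10:80'."""
    m = re.search(r"\{(TCP|UDP)\} (\S+?):(\d+) -> (\S+?):(\d+)", line)
    if not m:
        raise ValueError("no 5-tuple in alert line")
    return Flow(m[2], int(m[3]), m[4], int(m[5]), PROTO[m[1]])


def _ip(s):
    return bytes(int(x) for x in s.split("."))


def build_frame(flow, payload=b""):
    """Constructed Ethernet/IPv4/TCP frame (zero MACs, checksums left at 0) for the sample buffers."""
    eth = bytes(12) + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", flow.sport, flow.dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0, 64,
                     flow.proto, 0, _ip(flow.src), _ip(flow.dst))
    return eth + ip + tcp + payload


def build_pcap(records):
    """records: iterable of (epoch_float, frame) -> bytes of a pcap file (linktype 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for ts, frame in records:
        sec = int(ts)
        out += struct.pack("<IIII", sec, int(round((ts - sec) * 1e6)), len(frame), len(frame)) + frame
    return out


def iter_pcap(data):
    """Yield (epoch_float, frame) from the bytes of a pcap file."""
    if struct.unpack_from("<I", data)[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian pcap")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl, _ = struct.unpack_from("<IIII", data, off)
        off += 16
        yield sec + usec / 1e6, data[off:off + incl]
        off += incl


def parse_flow(frame):
    """5-tuple of an IPv4 TCP/UDP frame, or None for anything else (ARP, IPv6, ICMP, runts)."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl, proto = (frame[14] & 0x0F) * 4, frame[23]
    l4 = 14 + ihl
    if proto not in (6, 17) or len(frame) < l4 + 4:
        return None
    sport, dport = struct.unpack_from("!HH", frame, l4)
    return Flow(".".join(map(str, frame[26:30])), sport, ".".join(map(str, frame[30:34])), dport, proto)


def extract_flow(buffers, alert, alert_ts, window=30.0):
    """buffers: {name: pcap_bytes}, the recorder's ring of buffer files. A file covers the
    time from its first packet up to the next file's first packet, so only files whose span
    can overlap [alert_ts - window, alert_ts + window] are read. Returns the packets of the
    alerted flow, either direction, inside that window, in time order."""
    start, end = alert_ts - window, alert_ts + window
    first = {n: next(iter_pcap(b), (float("inf"), b""))[0] for n, b in buffers.items()}
    names = sorted(buffers, key=first.get)
    hits = []
    for i, name in enumerate(names):
        nxt = first[names[i + 1]] if i + 1 < len(names) else float("inf")
        if first[name] > end or nxt <= start:   # this file cannot overlap the window
            continue
        for ts, frame in iter_pcap(buffers[name]):
            if start <= ts <= end and parse_flow(frame) in (alert, alert.reverse()):
                hits.append((ts, frame))
    hits.sort(key=lambda r: r[0])
    return hits


# Constructed sample: three one-minute buffer files and one Snort alert in the middle file.
ALERT = ("09/28-14:03:22.000000  [**] [1:1000001:1] EXAMPLE suspicious GET [**] "
         "[Priority: 3] {TCP} 10.0.0.5:44321 -> 192.168.1.10:80")
ALERT_TS = 1285682602.0     # epoch of the alert (the fast format itself carries no year)
SUSPECT = flow_from_snort_alert(ALERT)
NOISE = Flow("10.0.0.9", 51000, "192.168.1.20", 443, 6)
BUFFERS = {
    "buf-0.pcap": build_pcap([(ALERT_TS - 120, build_frame(NOISE)),
                              (ALERT_TS - 100, build_frame(SUSPECT, b"too early"))]),
    "buf-1.pcap": build_pcap([(ALERT_TS - 60, build_frame(NOISE)),
                              (ALERT_TS - 5, build_frame(SUSPECT, b"GET / HTTP/1.1")),
                              (ALERT_TS - 4, build_frame(SUSPECT.reverse(), b"HTTP/1.1 200 OK"))]),
    "buf-2.pcap": build_pcap([(ALERT_TS, build_frame(NOISE)),
                              (ALERT_TS + 10, build_frame(SUSPECT, b"GET /x HTTP/1.1"))]),
}


def demo():
    """Offset from the alert and TCP payload of every extracted packet."""
    return [(ts - ALERT_TS, frame[54:]) for ts, frame in extract_flow(BUFFERS, SUSPECT, ALERT_TS)]


if __name__ == "__main__":
    for rel, payload in demo():
        print(f"{rel:+7.1f}s {payload!r}")
    for_analyst = build_pcap(extract_flow(BUFFERS, SUSPECT, ALERT_TS))   # hand this pcap to Wireshark
```

The file-span check is what keeps this cheap on a busy sensor: the recorder writes many buffer files, and an alert only ever touches the one or two that bracket its timestamp. Matching on the reversed 5-tuple as well picks up the server's replies, which is what you actually want when reconstructing a session.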

Leon said...

Hey, thanks for the mention Joel.


Joel Esler said...

You are the man.

Wednesday, September 29, 2010