Those of us who work in security operations are well accustomed to blind spots. Depending on the size of the network, our security technologies can trigger thousands of security alerts daily. We know from experience that the vast majority of these alerts are false positives – innocuous activity that behaves a bit funny. But we also know that real threats are hiding in plain sight among the throng, finding safety in numbers. If threats are wolves in sheep’s clothing, false positives are the sheep masquerading as wolves. How can we know the difference?

We can eliminate a sizable proportion of false positives with reasonable certainty through investigation, but we struggle to cut this list down to a small number of confirmed threats, and we waste a lot of time chasing wild geese in the process. To home in on confirmed threats, we need a better sieve for sifting through alerts. Advanced analytics and granular forensic technologies enable overburdened security operations personnel to separate the wheat from the chaff through high-fidelity threat investigation. Using advanced data analytics methodologies enables Cisco Active Threat Analytics investigators to weed out a huge proportion of false-positive alerts with great accuracy, and applying data enrichment and deep packet inspection tools in the threat investigation process equips us to validate confirmed threats quickly.

Tools of the Trade: The Compressed Pcap Packet Indexing Program

The Compressed Pcap Packet Indexing Program (cppip) is a tool to enable extremely fast extraction of packets from a compressed pcap file. This tool is intended for security and network folk who work with large pcap files. This article provides a complete discussion of the tool and is split into two parts. The first part, intended for end-users, will explain in detail how to build and use the tool. The second part, intended for C programmers, covers cppip’s inner workings.

Cppip is a command line utility designed to make packet extraction from large pcap files extremely fast — without having to uncompress the entire file. It relies on pcap files that have been compressed using the freely available bgzip, a backward compatible gzip utility that boasts a special additive — the ability to quickly and cheaply uncompress specific regions of the file on the fly. You will find cppip quite useful if you work with large pcap files and have the need to extract one or more packets for subsequent inspection. As you’ll see, preparing your pcap files for use with cppip is a two-step process: compressing the pcap file with bgzip and then indexing it with cppip. But before you can use cppip, you first have to install it.
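The two-step process above (block-compress with bgzip, then build a packet index) works because bgzip writes the file as a series of independent gzip members, each carrying its own compressed size in a gzip extra field, so a reader can jump to any member and decompress only that one. The following is an added illustration written for this page, not cppip's own code or its index format: it builds a small constructed pcap in memory, writes it as BGZF-style gzip members (still readable by ordinary gzip tools), records for every packet the pair (member file offset, byte offset inside that member), and then pulls single packets back out by decompressing only the member or members that hold them. The block size, the record layout of the index and the helper names are all assumptions made for this example; the one deliberate edge case it handles is a packet record that straddles a member boundary.

```python
import gzip
import struct
import zlib

# pcap global header: magic, version 2.4, thiszone, sigfigs, snaplen, linktype (Ethernet)
PCAP_GLOBAL_HDR = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
PKT_HDR = struct.Struct("<IIII")  # ts_sec, ts_usec, incl_len, orig_len


def build_pcap(payloads):
    """Constructed sample capture: one record per payload with sequential timestamps."""
    out = bytearray(PCAP_GLOBAL_HDR)
    for i, data in enumerate(payloads):
        out += PKT_HDR.pack(1_700_000_000 + i, 0, len(data), len(data)) + data
    return bytes(out)


def bgzf_member(chunk):
    """One BGZF-style gzip member: FEXTRA subfield 'BC' holds (total member size - 1)."""
    co = zlib.compressobj(6, zlib.DEFLATED, -15)          # raw deflate, no zlib framing
    body = co.compress(chunk) + co.flush()
    bsize = 18 + len(body) + 8 - 1                          # 18-byte header, 8-byte trailer
    header = struct.pack("<4BIBBH", 0x1F, 0x8B, 8, 4, 0, 0, 0xFF, 6)
    header += b"BC" + struct.pack("<HH", 2, bsize)
    trailer = struct.pack("<II", zlib.crc32(chunk) & 0xFFFFFFFF, len(chunk))
    return header + body + trailer


def compress_and_index(pcap, block_size=100):
    """Split the pcap into fixed-size chunks, each its own gzip member, and record where
    every packet record starts as (member file offset, offset inside decompressed member).
    The index layout is an assumption for this example, not cppip's real format."""
    members, member_offsets, file_off = [], [], 0
    for pos in range(0, len(pcap), block_size):
        m = bgzf_member(pcap[pos:pos + block_size])
        members.append(m)
        member_offsets.append(file_off)
        file_off += len(m)
    index, upos = [], len(PCAP_GLOBAL_HDR)
    while upos < len(pcap):                                 # walk records in the plain stream
        incl_len = PKT_HDR.unpack_from(pcap, upos)[2]
        i = upos // block_size                              # chunk that holds the record start
        index.append((member_offsets[i], upos - i * block_size))
        upos += PKT_HDR.size + incl_len
    return b"".join(members), index


def read_member(blob, off):
    """Decompress only the member at file offset off; BSIZE sits at header offset 16."""
    bsize = struct.unpack_from("<H", blob, off + 16)[0] + 1
    return gzip.decompress(blob[off:off + bsize]), off + bsize


def extract_packet(blob, entry):
    """Return (ts_sec, packet bytes) for one index entry without inflating the whole file.
    Continues into following members when the header or payload straddles a boundary."""
    member_off, within = entry
    plain, nxt = read_member(blob, member_off)
    buf = bytearray(plain[within:])

    def fill(n):
        nonlocal buf, nxt
        while len(buf) < n:
            if nxt >= len(blob):
                raise ValueError("truncated capture: record runs past end of file")
            plain, nxt = read_member(blob, nxt)
            buf += plain

    fill(PKT_HDR.size)
    ts_sec, _ts_usec, incl_len, _orig_len = PKT_HDR.unpack_from(buf)
    fill(PKT_HDR.size + incl_len)
    return ts_sec, bytes(buf[PKT_HDR.size:PKT_HDR.size + incl_len])


def demo():
    """Round-trip check on constructed packets whose sizes force boundary straddling."""
    payloads = [bytes([i]) * (37 * i + 10) for i in range(1, 8)]   # constructed packets
    pcap = build_pcap(payloads)
    blob, index = compress_and_index(pcap, block_size=100)
    assert gzip.decompress(blob) == pcap        # backward compatible: plain gzip still reads it
    for i, entry in enumerate(index):
        assert extract_packet(blob, entry)[1] == payloads[i]
    return len(index)


if __name__ == "__main__":
    print("packets verified:", demo())
```

The point to take from the example is the cost model: looking up a packet touches one index entry plus one or two small gzip members, independent of how large the capture is, which is exactly what makes the two-step prepare-once, extract-many workflow pay off on multi-gigabyte pcaps.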

