Botprobe Indexor is software for the forensic analysis of network traffic. It serves the same purpose as Wireshark, but without the overhead of handling large packet-capture volumes.
At Botprobe, we see threat intelligence data gathering as a big data challenge. Today, most network traffic-based threat detection systems use full packet capture (PCAP) to collect network traffic. This data is then analysed to detect threats, and may potentially be stored for a period of time.
This approach has several drawbacks such as:
The multitude of network protocol formats and the unstructured nature of PCAP mean the data requires specialist knowledge to interpret and does not transfer well into analysis engines.
For example, Wireshark is a powerful tool, but analysis of high traffic volumes relies heavily on an analyst's skill with Wireshark's display filters. Filtering can narrow the view to specific packets, but says little about how a packet fits into the overall context of, say, a threat.
The volumes of data being captured and stored, sometimes for years to comply with lawful interception and data retention laws, are becoming increasingly difficult for a security team to analyse.
For example, high traffic volumes make it impractical to retain full PCAP captures for post-event forensic analysis.
So the Botprobe team developed the indexor to overcome these drawbacks:
we take unstructured PCAP data and return structured data which is easily analysed by general purpose business analysis tools from Excel to Elastic Cloud, by specialist products such as ThreatConnect or another Security Information and Event Management (SIEM) solution, or by incumbent business intelligence solutions;
we provide a small footprint alternative to full packet data. We allow you to select just the fields or protocols you want to retain, rather than storing ALL of EVERY packet. During an investigation into fraudulent use of HTTP, where only half a dozen header fields and a handful of HTTP elements were required, we observed data volume reductions as high as 97%;
we output a range of common data formats for input into business analytic engines. Currently the full version of the indexor outputs to .csv, .json, .solr or .xls files, or directly to Elastic Cloud. If you have a proprietary format you need to support, we can design the output around your requirements.
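The three points above describe one pipeline: parse the raw capture, keep only a chosen set of fields per packet, and write the result in a structured format. The following is an added example of that pipeline, written for this page and not Botprobe's own code: a standard-library Python script that reads a classic pcap, pulls six TCP/IP fields and four HTTP header fields out of each packet, and writes CSV. The capture it reads is constructed inline (an HTTP request and a padded 1200-byte response), and the field names and selection are our own assumptions, not the indexor's field list.

```python
"""Added example, not Botprobe's code: reduce a PCAP to a chosen handful of
structured TCP/HTTP fields and emit CSV, the way an indexer does.

Standard library only, so it runs offline. The capture is constructed here
(two Ethernet/IPv4/TCP frames: an HTTP request and a padded response); the
field names are our own choice, not Botprobe's field list."""
import csv
import io
import struct

# Hypothetical field selection: six TCP/IP fields and four HTTP header fields.
SELECTED_FIELDS = ["ts", "src_ip", "dst_ip", "src_port", "dst_port", "tcp_flags",
                   "http_method", "http_uri", "http_host", "http_user_agent"]


def _frame(src_ip, dst_ip, sport, dport, flags, payload):
    """Build one Ethernet/IPv4/TCP frame (checksums left zero; fine for parsing)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 1,
                     0x4000, 64, 6, 0, bytes(src_ip), bytes(dst_ip))
    eth = bytes.fromhex("001122334455" "66778899aabb" "0800")
    return eth + ip + tcp + payload


def build_sample_pcap():
    """Constructed little-endian classic pcap: a request, then a 1200-byte response."""
    request = (b"GET /login?user=admin HTTP/1.1\r\nHost: example.test\r\n"
               b"User-Agent: curl/8.0\r\n\r\n")
    response = b"HTTP/1.1 200 OK\r\nContent-Length: 1200\r\n\r\n" + b"A" * 1200
    frames = [_frame((10, 0, 0, 5), (93, 184, 216, 34), 40123, 80, 0x18, request),
              _frame((93, 184, 216, 34), (10, 0, 0, 5), 80, 40123, 0x18, response)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # global header
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out


def parse_pcap(data):
    """Yield (timestamp, frame) for each record of a classic pcap (not pcapng)."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet link type is handled")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) < incl_len:
            break  # truncated capture: stop rather than emit a partial frame
        off += incl_len
        yield ts_sec + ts_usec / 1e6, frame


def extract_fields(ts, frame):
    """Return the selected fields for one IPv4/TCP frame, or None if it is not one."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    tcp_off = 14 + (frame[14] & 0x0F) * 4
    if len(frame) < tcp_off + 20:
        return None
    src_port, dst_port = struct.unpack("!HH", frame[tcp_off:tcp_off + 4])
    data_off = (frame[tcp_off + 12] >> 4) * 4
    row = {"ts": f"{ts:.6f}",
           "src_ip": ".".join(str(b) for b in frame[26:30]),
           "dst_ip": ".".join(str(b) for b in frame[30:34]),
           "src_port": src_port, "dst_port": dst_port,
           "tcp_flags": f"0x{frame[tcp_off + 13]:02x}",
           "http_method": "", "http_uri": "", "http_host": "", "http_user_agent": ""}
    # Only the HTTP header block is inspected; body bytes are never retained.
    head, _, _body = frame[tcp_off + data_off:].partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) == 3 and parts[2].startswith(b"HTTP/"):
        row["http_method"] = parts[0].decode("latin-1")
        row["http_uri"] = parts[1].decode("latin-1")
        for line in lines[1:]:
            name, sep, value = line.partition(b":")
            if sep and name.strip().lower() == b"host":
                row["http_host"] = value.strip().decode("latin-1")
            elif sep and name.strip().lower() == b"user-agent":
                row["http_user_agent"] = value.strip().decode("latin-1")
    return row


def index_pcap(data):
    """Index a pcap: return (rows, csv_text, pcap_size, csv_size)."""
    rows, buf = [], io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=SELECTED_FIELDS)
    writer.writeheader()
    for ts, frame in parse_pcap(data):
        row = extract_fields(ts, frame)
        if row is not None:
            rows.append(row)
            writer.writerow(row)
    text = buf.getvalue()
    return rows, text, len(data), len(text.encode("utf-8"))


if __name__ == "__main__":
    rows, text, pcap_size, csv_size = index_pcap(build_sample_pcap())
    print(text)
    print(f"pcap {pcap_size} bytes -> csv {csv_size} bytes "
          f"({100 * (1 - csv_size / pcap_size):.0f}% smaller)")
```

The size reduction comes entirely from dropping the payload bodies and every unselected header field, which is also the caveat: whatever is not indexed is gone once the PCAP itself is discarded, so the field selection has to be settled before retention decisions are made, and a parser like this must fail closed on truncated records and unknown link types rather than silently emitting half-parsed rows.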
The indexor runs from a command prompt.
The demo version is fixed at 16 fields (11 common TCP header fields and 5 useful HTTP payload fields) and outputs only CSV. Download the free demo version below.
The full version is not limited in the number of fields. You can choose any combination from 12 layer-2 fields, 19 layer-3 fields, 13 TCP fields, 7 UDP fields, 12 ARP fields, 45 DNS fields, 100+ HTTP fields, and fields from ICMP, Modbus, IGMP, CDP, IRC, SMTP, SSL/TLS, DNP 3.0, Zigbee and IPv6. For more information on the full version contact firstname.lastname@example.org.