Overview


The FMADIO Security container provides deeper analysis of packet data, up into the application layer. Currently the system supports:

  • Signature based detection engine (e.g. Emerging Threats IDS rule sets)

  • DNS Decode

  • TLS Decode

  • HTTP Decode

The system itself can do significantly more analysis of the data, however this small subset of the functionality provides basic application visibility into the network.

Under the hood, the system is running Suricata for decode and signature engines.

Signature Detection

IDS (Intrusion Detection Systems) rely heavily on a RegEx signature based threat detection model. An example of a well known feed is the Emerging Threats rule set ( https://www.proofpoint.com/us/products/advanced-threat-protection/et-intelligence ).

Below is an example of the signature detection engine running on real-time data with a Grafana front end for easy monitoring.

Filtering based on alert level is quite helpful. Below, the system is displaying only the Level 2 alerts over the last 7 days. It's quite easy to see some unusual activity on the external WAN / internet facing circuits.

DNS Decode

Decoding and analyzing DNS traffic is critical to get a first pass understanding of what's happening on a network. The screenshot below shows the default Grafana dashboard for DNS display and filtering.

TLS Decode

Similar to DNS decode, extracting TLS certificates from raw PCAPs provides a good first pass understanding of where encrypted connections are going to and coming from. Below is a screenshot from the TLS dashboard.

HTTP Decode

While not much traffic uses HTTP, HTTP decode can be quite useful for backend service analysis (e.g. application backends, which typically run over HTTP). The example below shows some of the HTTP fields which can be extracted.
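The four views above (alerts filtered by level and time window, DNS queries, TLS certificate endpoints, HTTP fields) all come out of Suricata's event log. The script below is an added example, not FMADIO's or Suricata's code, that reproduces those views from Suricata's standard EVE JSON output. It assumes the container writes Suricata's default eve.json (one JSON object per line with event_type alert/dns/tls/http); the log lines embedded in it are constructed for illustration, including the signature ids and names.

```python
"""Added example: pull the dashboard views shown above out of Suricata EVE JSON.

Assumption: the security container writes Suricata's standard eve.json.
The sample records below are constructed (addresses are documentation
ranges, signature ids and names are made up)."""
import json
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample EVE records, one JSON object per line as Suricata writes them.
# The last line imitates a partially written record at the tail of a live log.
SAMPLE_EVE = """\
{"timestamp":"2024-03-10T09:12:44.123456+0000","event_type":"alert","src_ip":"203.0.113.7","dest_ip":"192.0.2.10","alert":{"signature_id":9000001,"signature":"CONSTRUCTED ATTACK_RESPONSE example","severity":2}}
{"timestamp":"2024-03-10T09:13:02.000000+0000","event_type":"alert","src_ip":"192.0.2.10","dest_ip":"198.51.100.5","alert":{"signature_id":9000002,"signature":"CONSTRUCTED INFO example","severity":3}}
{"timestamp":"2024-02-20T11:00:00.000000+0000","event_type":"alert","src_ip":"203.0.113.9","dest_ip":"192.0.2.10","alert":{"signature_id":9000003,"signature":"CONSTRUCTED SCAN example","severity":2}}
{"timestamp":"2024-03-10T09:14:00.000000+0000","event_type":"dns","src_ip":"192.0.2.20","dest_ip":"192.0.2.1","dns":{"type":"query","rrname":"example.com","rrtype":"A"}}
{"timestamp":"2024-03-10T09:14:01.000000+0000","event_type":"tls","src_ip":"192.0.2.20","dest_ip":"198.51.100.40","tls":{"sni":"example.com","subject":"CN=example.com","issuerdn":"CN=Example CA","version":"TLS 1.3"}}
{"timestamp":"2024-03-10T09:14:02.000000+0000","event_type":"http","src_ip":"192.0.2.20","dest_ip":"192.0.2.30","http":{"hostname":"backend.internal","url":"/api/v1/health","http_method":"GET","status":200}}
{"timestamp":"2024-03-10T09:14:03.000000+0000","event_type":"http","src_ip":"192.0.2.2
"""


def parse_timestamp(value):
    """Parse a Suricata EVE timestamp such as 2024-03-10T09:12:44.123456+0000."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%f%z")


def parse_eve(text):
    """Return the valid EVE records in `text`, skipping blank or truncated lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            # A live eve.json often ends in a half-written record; ignore it
            # rather than aborting the whole pass.
            continue
    return records


def alerts_by_severity(records, severity, now, days=7):
    """Alerts of one severity level within the last `days` days, newest first.

    This is the "Level 2 alerts over the last 7 days" dashboard filter."""
    cutoff = now - timedelta(days=days)
    hits = [r for r in records
            if r.get("event_type") == "alert"
            and r["alert"].get("severity") == severity
            and parse_timestamp(r["timestamp"]) >= cutoff]
    return sorted(hits, key=lambda r: r["timestamp"], reverse=True)


def alert_sources(alerts):
    """Count alerting source addresses; external addresses standing out here
    is what the WAN-facing view above makes visible."""
    return Counter(r["src_ip"] for r in alerts)


def dns_queries(records):
    """Count queried names (DNS view): only query records, not answers."""
    return Counter(r["dns"]["rrname"] for r in records
                   if r.get("event_type") == "dns"
                   and r["dns"].get("type") == "query")


def tls_endpoints(records):
    """(dest_ip, SNI, certificate subject, issuer) per TLS session (TLS view)."""
    return [(r["dest_ip"], r["tls"].get("sni"), r["tls"].get("subject"),
             r["tls"].get("issuerdn"))
            for r in records if r.get("event_type") == "tls"]


def http_requests(records):
    """(method, hostname, url, status) per HTTP transaction (HTTP view)."""
    return [(r["http"].get("http_method"), r["http"].get("hostname"),
             r["http"].get("url"), r["http"].get("status"))
            for r in records if r.get("event_type") == "http"]


if __name__ == "__main__":
    recs = parse_eve(SAMPLE_EVE)
    now = parse_timestamp("2024-03-11T00:00:00.000000+0000")
    level2 = alerts_by_severity(recs, 2, now)
    print("level 2 alerts, last 7 days:", [(a["src_ip"], a["alert"]["signature"]) for a in level2])
    print("alert sources:", alert_sources(level2))
    print("dns queries:", dns_queries(recs))
    print("tls endpoints:", tls_endpoints(recs))
    print("http requests:", http_requests(recs))
```

On a live system, replace SAMPLE_EVE with the contents of the container's eve.json and `now` with the current UTC time; the severity value is Suricata's alert severity field, where the "Level 2" filter in the screenshot corresponds to severity 2.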