The FMADIO Security container provides deeper analysis of packet data, up to the application layer. The system currently supports the following:
Signature based detection engine (e.g. Emerging Threats IDS rule sets)
DNS Decode
TLS Decode
HTTP Decode
The system itself can do significantly more analysis of the data; however, this small subset of the functionality provides basic application-layer visibility into the network.
Under the hood, the system is running Suricata for decode and signature engines.
Signature Detection
IDS (Intrusion Detection Systems) rely heavily on a signature-based threat detection model, where rules match on packet and protocol content (byte patterns and regular expressions). An example of a well-known feed is the Emerging Threats rule set ( https://www.proofpoint.com/us/products/advanced-threat-protection/et-intelligence ).
Below is an example of the signature detection engine running on real-time data with a Grafana front end for easy monitoring.
Filtering on alert level is quite helpful. Below, the system is displaying only the Level 2 alerts over the last 7 days; it is quite easy to see some unusual activity on the external WAN / internet-facing circuits.
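The alert level shown on the dashboard comes from the rule itself: in Suricata, a rule's priority is taken from its classtype (looked up in classification.config) unless the rule sets an explicit priority: keyword, and that number is what appears as severity on each alert. The example below walks a few rules through that resolution and filters them the way the dashboard does (Level 2 and above). It is an added example, not FMADIO or Suricata code; the rules, SIDs and classification lines are constructed for illustration, and the default priority of 3 for rules with no classtype is an assumption.

```python
"""Resolve the severity of Suricata rules from classtype / priority.

Added example, not FMADIO or Suricata code. The rule and classification
lines below are constructed for illustration; the SIDs are not real ET rules.
"""
import re
from typing import Dict, List, Optional

# Constructed excerpt in the format of Suricata's classification.config:
#   config classification: <name>,<description>,<priority>
CLASSIFICATION_CONFIG = """
# comments are ignored
config classification: trojan-activity,A Network Trojan was detected,1
config classification: attempted-recon,Attempted Information Leak,2
config classification: policy-violation,Potential Corporate Privacy Violation,1
config classification: not-suspicious,Not Suspicious Traffic,3
"""

# Constructed rules (illustrative only; not from any real rule set).
RULES = r'''
alert dns $HOME_NET any -> any any (msg:"EXAMPLE DNS query to suspicious domain"; dns.query; content:"bad.example"; nocase; classtype:trojan-activity; sid:9000001; rev:2;)
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE self-signed cert"; tls.cert_subject; content:"CN=localhost"; classtype:attempted-recon; sid:9000002; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE cleartext admin login"; http.uri; content:"/admin/login"; priority:1; classtype:not-suspicious; sid:9000003; rev:1;)
alert tcp any any -> any 23 (msg:"EXAMPLE telnet with no classtype"; sid:9000004; rev:1;)
'''

DEFAULT_PRIORITY = 3  # assumption: Suricata's default when neither classtype nor priority applies

CLASS_RE = re.compile(r"^\s*config classification:\s*([^,]+),([^,]*),(\d+)\s*$")
# one rule option: key, optional ":value" (quoted or bare), terminated by ";"
OPT_RE = re.compile(r'(\w[\w.-]*)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')


def load_classifications(text: str) -> Dict[str, int]:
    """Map classtype name -> priority from classification.config text."""
    out: Dict[str, int] = {}
    for line in text.splitlines():
        m = CLASS_RE.match(line)
        if m:
            out[m.group(1).strip()] = int(m.group(3))
    return out


def parse_rule(line: str) -> Optional[dict]:
    """Parse one rule line into its header fields and ordered option list."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    head, _, body = line.partition("(")
    parts = head.split()
    if len(parts) != 7 or not body.endswith(")"):
        return None  # not "action proto src sport dir dst dport (...)"
    action, proto, src, sport, direction, dst, dport = parts
    opts: List[tuple] = []
    for m in OPT_RE.finditer(body[:-1]):
        key, val = m.group(1), m.group(2)
        if val is not None:
            val = val.strip().strip('"')
        opts.append((key, val))
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport, "opts": opts}


def opt(rule: dict, key: str) -> Optional[str]:
    """First value of an option keyword, or None if the rule lacks it."""
    for k, v in rule["opts"]:
        if k == key:
            return v
    return None


def severity(rule: dict, classes: Dict[str, int]) -> int:
    """An explicit priority: keyword wins; otherwise the classtype's priority; else the default."""
    p = opt(rule, "priority")
    if p is not None and p.isdigit():
        return int(p)
    return classes.get(opt(rule, "classtype") or "", DEFAULT_PRIORITY)


def triage(rules_text: str, classes: Dict[str, int], max_severity: int = 2) -> List[dict]:
    """Rules at severity <= max_severity (1 is most severe), most severe first."""
    rows = []
    for line in rules_text.splitlines():
        r = parse_rule(line)
        if r is None:
            continue
        rows.append({"sid": int(opt(r, "sid")), "msg": opt(r, "msg"),
                     "proto": r["proto"], "severity": severity(r, classes)})
    return sorted((x for x in rows if x["severity"] <= max_severity),
                  key=lambda x: (x["severity"], x["sid"]))


if __name__ == "__main__":
    for row in triage(RULES, load_classifications(CLASSIFICATION_CONFIG)):
        print(row)
```

Note the third rule: its classtype says "not-suspicious" (priority 3) but the explicit priority:1 keyword makes it a Level 1 alert, so a severity filter on the dashboard tells you how the rule author ranked it, not how the classtype would.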
DNS Decode
Decoding and analyzing DNS traffic is critical to get a first-pass understanding of what's happening on a network. The screenshot below shows the default Grafana dashboard for DNS display and filtering.
TLS Decode
Similar to DNS decode, extracting TLS certificates from raw PCAPs provides a great first-pass understanding of where encrypted connections are going to and coming from, even though the payload itself cannot be read. Note that with TLS 1.3 the server certificate is sent encrypted, so for those sessions the decoder only sees the ClientHello fields such as the SNI. Below is a screenshot from the TLS Dashboard.
HTTP Decode
While relatively little traffic uses plain HTTP today, HTTP decode can be quite useful for backend-service analysis (e.g. application backends, which typically still run over HTTP). The example below shows some of the HTTP fields which can be extracted.
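What the three decoders above produce is a stream of per-protocol records, and the useful analyst step is to join them: start from an alert, then look at what the same host resolved, which certificate it was presented, and which HTTP endpoints it hit. The example below does that over Suricata's EVE JSON output (the log format Suricata writes, with one event per line and an event_type of alert, dns, tls or http). It is an added example, not FMADIO code; the log lines are constructed to follow the EVE field names and the IPs, hostnames and signature IDs are illustrative.

```python
"""Triage Suricata EVE JSON across the alert, DNS, TLS and HTTP decoders.

Added example, not FMADIO code. The log lines below are constructed to mirror
Suricata's EVE schema; addresses, names and signature IDs are illustrative.
"""
import json
from collections import Counter
from typing import Dict, Iterable, List

# Constructed eve.json excerpt (one JSON object per line). The last line is
# deliberately not JSON to show that a bad line must not abort the parse.
EVE_LINES = r'''
{"timestamp":"2024-03-01T10:00:01.000000+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"203.0.113.9","proto":"TCP","alert":{"signature_id":9000001,"rev":2,"signature":"EXAMPLE DNS query to suspicious domain","category":"A Network Trojan was detected","severity":1}}
{"timestamp":"2024-03-01T10:00:02.000000+0000","event_type":"alert","src_ip":"10.0.0.7","dest_ip":"198.51.100.4","proto":"TCP","alert":{"signature_id":9000004,"rev":1,"signature":"EXAMPLE telnet","category":"","severity":3}}
{"timestamp":"2024-03-01T10:00:03.000000+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"203.0.113.9","proto":"TCP","alert":{"signature_id":9000002,"rev":1,"signature":"EXAMPLE self-signed cert","category":"Attempted Information Leak","severity":2}}
{"timestamp":"2024-03-01T10:00:04.000000+0000","event_type":"dns","src_ip":"10.0.0.5","dest_ip":"10.0.0.1","proto":"UDP","dns":{"type":"query","id":4321,"rrname":"bad.example","rrtype":"A"}}
{"timestamp":"2024-03-01T10:00:04.100000+0000","event_type":"dns","src_ip":"10.0.0.1","dest_ip":"10.0.0.5","proto":"UDP","dns":{"type":"answer","id":4321,"rcode":"NOERROR","answers":[{"rrname":"bad.example","rrtype":"A","ttl":60,"rdata":"203.0.113.9"}]}}
{"timestamp":"2024-03-01T10:00:05.000000+0000","event_type":"dns","src_ip":"10.0.0.6","dest_ip":"10.0.0.1","proto":"UDP","dns":{"type":"query","id":4322,"rrname":"www.example.org","rrtype":"AAAA"}}
{"timestamp":"2024-03-01T10:00:06.000000+0000","event_type":"tls","src_ip":"10.0.0.5","dest_ip":"203.0.113.9","dest_port":443,"proto":"TCP","tls":{"subject":"CN=localhost","issuerdn":"CN=localhost","sni":"bad.example","version":"TLS 1.2","notbefore":"2024-01-01T00:00:00","notafter":"2034-01-01T00:00:00"}}
{"timestamp":"2024-03-01T10:00:07.000000+0000","event_type":"tls","src_ip":"10.0.0.6","dest_ip":"198.51.100.20","dest_port":443,"proto":"TCP","tls":{"subject":"CN=www.example.org","issuerdn":"CN=Example CA","sni":"www.example.org","version":"TLS 1.3"}}
{"timestamp":"2024-03-01T10:00:08.000000+0000","event_type":"http","src_ip":"10.0.0.8","dest_ip":"10.0.1.20","dest_port":8080,"proto":"TCP","http":{"hostname":"api.internal","url":"/admin/login","http_method":"POST","http_user_agent":"curl/8.0","status":200,"length":512}}
{"timestamp":"2024-03-01T10:00:09.000000+0000","event_type":"http","src_ip":"10.0.0.8","dest_ip":"10.0.1.20","dest_port":8080,"proto":"TCP","http":{"hostname":"api.internal","url":"/health","http_method":"GET","status":200,"length":12}}
this line is not json and should be skipped
'''


def parse_eve(text: str) -> List[dict]:
    """One JSON object per line; malformed lines are skipped rather than fatal."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except ValueError:
            continue
    return events


def alerts(events: Iterable[dict], max_severity: int = 2) -> List[dict]:
    """Alerts at severity <= max_severity (1 is most severe), like the dashboard's level filter."""
    return [e for e in events
            if e.get("event_type") == "alert" and e["alert"].get("severity", 3) <= max_severity]


def dns_queries(events: Iterable[dict]) -> Counter:
    """(src_ip, rrname) query counts: who asked for what."""
    return Counter((e["src_ip"], e["dns"]["rrname"]) for e in events
                   if e.get("event_type") == "dns" and e["dns"].get("type") == "query")


def dns_resolutions(events: Iterable[dict]) -> Dict[str, set]:
    """rrname -> set of answer rdata, built from DNS answer records."""
    out: Dict[str, set] = {}
    for e in events:
        if e.get("event_type") != "dns" or e["dns"].get("type") != "answer":
            continue
        for a in e["dns"].get("answers", []):
            out.setdefault(a["rrname"], set()).add(a["rdata"])
    return out


def tls_summary(events: Iterable[dict]) -> List[dict]:
    """Per TLS session: SNI, cert subject/issuer and a self-signed flag (subject == issuer)."""
    rows = []
    for e in events:
        if e.get("event_type") != "tls":
            continue
        t = e["tls"]
        rows.append({"dest_ip": e["dest_ip"], "sni": t.get("sni"), "subject": t.get("subject"),
                     "issuer": t.get("issuerdn"), "version": t.get("version"),
                     "self_signed": t.get("subject") is not None and t.get("subject") == t.get("issuerdn")})
    return rows


def http_summary(events: Iterable[dict]) -> Counter:
    """(hostname, method, url) request counts for backend-service analysis."""
    return Counter((e["http"].get("hostname"), e["http"].get("http_method"), e["http"].get("url"))
                   for e in events if e.get("event_type") == "http")


def pivot(events: Iterable[dict], ip: str) -> List[str]:
    """Event types that touched an IP, in time order: the alert-to-decode correlation step."""
    hits = sorted((e for e in events if ip in (e.get("src_ip"), e.get("dest_ip"))),
                  key=lambda e: e["timestamp"])
    return [e["event_type"] for e in hits]


if __name__ == "__main__":
    evs = parse_eve(EVE_LINES)
    for a in alerts(evs):
        sid, dst = a["alert"]["signature_id"], a["dest_ip"]
        print(sid, a["alert"]["severity"], dst, "->", pivot(evs, dst))
    print(dns_resolutions(evs), tls_summary(evs)[0]["self_signed"], http_summary(evs))
```

Running the pivot on the destination of the Level 1 alert ties the three decoders together: the host resolved bad.example to that address, then opened a TLS session to it presenting a self-signed certificate with the same SNI, which is the kind of chain the dashboards let you assemble by filtering on one IP. The TLS 1.3 row, by contrast, carries only the SNI and version in practice, so a self-signed check there would have nothing to compare.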