- Detect Advanced Network Threats: Surface even the most advanced threats in real time with application recognition, customizable Deep Packet Analytics, and multidimensional network traffic and behavioral analytics
- Detect even the most sophisticated threats across a broad set of IT environment-generated log and audit data, endpoint activity, and Layer 7 application flow
- Recognize data exfiltration, spear phishing, botnet beaconing, inappropriate network usage, lateral movement, and suspicious file transfers
- Corroborate high-risk events at the network or application level with environmental activity from your SIEM
- Take the Guesswork out of Incident Response: Enable your incident response team to work effectively and efficiently with unstructured search, session playback, and file reconstruction.
- Determine the scope of the incident and understand exactly which systems have been compromised
- Generate irrefutable network-based evidence
- Reconstruct files transferred across the network to investigate suspicious data exfiltration, malware infiltration, and unauthorized data access
- True Application Identification: Automatically identify over 3,000 applications to expedite network forensics with advanced classification methods and deep packet inspection.
- SmartFlow™ Session Classification: Recover Layer 7 application details and packet data for all sessions.
- Deep Packet Analytics (DPA): Automate threat detection by correlating against full packet payload and SmartFlow data using out-of-the-box rules and customizable scripts.
- Full Packet Capture: See every bit that crosses your network with Layer 2–7 packet capture stored in industry-standard PCAP format.
- SmartCapture™: Automatically capture sessions based on application or packet content to preserve the information you need.
- Unstructured Search: Drill down to critical packet and flow data with our Elasticsearch backend to streamline your investigation.
- File Reconstruction: Reconstruct email file attachments to support malware analysis and data loss monitoring.
- Alerts & Dashboards: Surface continuous, automated analysis on saved searches through customizable analyst dashboards.
- API Integration: Provide third-party tools access to session-based packet captures and reconstructed files.
- Alert data: HIDS alerts from Wazuh and NIDS alerts from Snort/Suricata
- Asset data: asset data from Bro
- Full content data: full packet capture from netsniff-ng
- Host data: host data via Beats, Wazuh, syslog, and more
- Session data: session data from Bro
- Transaction data: http/ftp/dns/ssl/other logs from Bro
- Surface data exfiltration activities: Identify long-running sessions, “low and slow” sessions hidden in normal traffic, anomalous outbound network sessions, and other activities indicative of data exfiltration.
- Discover operational anomalies: Verify that you aren’t seeing protocols or traffic that you think you’ve blocked or traffic between systems that should be isolated from each other.
- Find hiding security threats: Catch security threats hiding in low-level, chatty protocols like DNS, SNMP, or Kerberos.
- Detect botnets and beaconing: Identify traffic using anomalous ports. View malformed packet headers. Recognize command and control callbacks.
- Expose nuisance apps and bandwidth hogs: Discover when apps that are against corporate policy are being used. Find out who or what is taking up the most bandwidth.
- See where your network traffic is going: Identify outbound IP and URL destinations and classify traffic by ingress, egress, or lateral movement in your network.
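The three use cases above (long-running and "low and slow" sessions, beaconing to a fixed destination, and traffic on unexpected ports) can all be checked against the Bro/Zeek session data listed earlier. The following is an added example, not code from LogRhythm, Security Onion, or the Zeek project: it parses a handful of constructed conn.log-style records (a subset of Zeek's conn.log columns, in that column order, with hypothetical RFC 5737 addresses) and applies three simple detections. The thresholds, the service-to-port map, and the coefficient-of-variation test for beacon regularity are assumptions chosen for illustration, not product defaults.

```python
"""Toy detections over Bro/Zeek conn.log-style session records.

Added example; the sample log lines below are constructed, not captured traffic.
"""
import statistics
from collections import defaultdict

# Subset of Zeek conn.log columns, in conn.log order (assumption: only these fields are present).
CONN_FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
               "proto", "service", "duration", "orig_bytes", "resp_bytes"]

# Constructed sample: one host beaconing every ~60s, one 10-hour session, one SSH-on-8080 session.
SAMPLE_CONN_LOG = """\
1700000000.000\tC1\t10.0.0.5\t51000\t203.0.113.10\t443\ttcp\tssl\t1.2\t900\t3400
1700000060.100\tC2\t10.0.0.5\t51001\t203.0.113.10\t443\ttcp\tssl\t1.1\t880\t3300
1700000119.900\tC3\t10.0.0.5\t51002\t203.0.113.10\t443\ttcp\tssl\t1.3\t910\t3350
1700000180.000\tC4\t10.0.0.5\t51003\t203.0.113.10\t443\ttcp\tssl\t1.2\t890\t3380
1700000240.050\tC5\t10.0.0.5\t51004\t203.0.113.10\t443\ttcp\tssl\t1.1\t905\t3420
1700000010.000\tC6\t10.0.0.7\t52000\t198.51.100.20\t8443\ttcp\tssl\t36000.0\t5000000\t120000
1700000020.000\tC7\t10.0.0.9\t53000\t192.0.2.33\t53\tudp\tdns\t0.05\t70\t150
1700000030.000\tC8\t10.0.0.9\t53001\t192.0.2.40\t8080\ttcp\tssh\t4.0\t1200\t2400
1700000100.000\tC9\t10.0.0.12\t53002\t198.51.100.5\t80\ttcp\thttp\t0.4\t600\t15000
1700000900.000\tC10\t10.0.0.12\t53003\t198.51.100.5\t80\ttcp\thttp\t0.3\t650\t14000
"""


def _num(value, cast, default):
    """Zeek writes '-' for unset fields; treat those as the given default."""
    return default if value == "-" else cast(value)


def parse_conn_log(text):
    """Parse tab-separated conn.log rows into dicts, skipping Zeek '#' header lines."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        rec = dict(zip(CONN_FIELDS, line.split("\t")))
        rec["ts"] = float(rec["ts"])
        rec["id.orig_p"] = int(rec["id.orig_p"])
        rec["id.resp_p"] = int(rec["id.resp_p"])
        rec["duration"] = _num(rec["duration"], float, 0.0)
        rec["orig_bytes"] = _num(rec["orig_bytes"], int, 0)
        rec["resp_bytes"] = _num(rec["resp_bytes"], int, 0)
        records.append(rec)
    return records


def long_running_sessions(records, min_seconds=3600.0):
    """Flag sessions whose duration exceeds the threshold (assumed: one hour)."""
    return [r["uid"] for r in records if r["duration"] >= min_seconds]


def beacon_candidates(records, min_connections=4, max_cv=0.1):
    """Flag (src, dst, port) tuples contacted repeatedly at very regular intervals.

    Regularity is measured as the coefficient of variation of the inter-connection
    gaps; a low value means near-constant spacing, which is typical of callbacks.
    """
    groups = defaultdict(list)
    for r in records:
        groups[(r["id.orig_h"], r["id.resp_h"], r["id.resp_p"])].append(r["ts"])
    hits = []
    for (src, dst, port), times in groups.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        mean_gap = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean_gap if mean_gap > 0 else float("inf")
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst, "port": port, "count": len(times),
                         "mean_gap": round(mean_gap, 1), "cv": round(cv, 3)})
    return hits


# Assumed expected ports per Zeek-identified service; anything else is worth a look.
EXPECTED_PORTS = {"http": {80, 8080}, "ssl": {443, 8443}, "dns": {53}, "ssh": {22}}


def service_port_mismatches(records):
    """Flag sessions where the detected application does not match the responder port."""
    return [r["uid"] for r in records
            if r["service"] in EXPECTED_PORTS and r["id.resp_p"] not in EXPECTED_PORTS[r["service"]]]


if __name__ == "__main__":
    recs = parse_conn_log(SAMPLE_CONN_LOG)
    print("long-running:", long_running_sessions(recs))
    print("beacon candidates:", beacon_candidates(recs))
    print("service/port mismatches:", service_port_mismatches(recs))
```

Each detector returns the session uids or tuples it flagged, so the same functions can be pointed at real conn.log output and the hits pivoted back to the corresponding PCAP by uid. The interval test is deliberately strict; in practice the jitter tolerance and the minimum connection count are tuned per environment, and DNS or NTP lookups to internal servers are excluded first to avoid false positives.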
OpenSource
- SecurityOnion
- Bro IDS/Zeek

Commercial
- Waterfall IDS: https://waterfall-security.com/waterfall-for-ids/
- NIKSUN NetDetector: https://www.niksun.com/product.php?id=112