Abstract

The goal of this paper is to create an incident detection and examination tool by integrating Moloch, a full packet capturing, indexing, and database system, with the malware sharing platform MISP. The need for such a tool follows from an analysis of contemporary network security appliances, which concludes that most of them are aimed at incident prevention and protection, while the analysis and forensics parts are neglected. The integrated tool detects incidents automatically and thus greatly improves investigation, because the investigator no longer needs to enter queries and filters by hand, which also eliminates the human error factor. In the final chapter, three possible use case scenarios are provided: using the newly created tool along with an IDPS, using it alone as a low-cost but less effective IDS, and using the Moloch and MISP integration as an analysis tool for imported pcap files only.
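As an added illustration of the kind of automation the abstract describes (example code, not code from the thesis or from the Moloch or MISP projects): translating the indicators of a MISP event into a single Moloch search expression, so that the investigator does not type filters by hand. The MISP event shape, the attribute-type-to-field mapping (FIELD_MAP) and the Moloch expression syntax are assumptions to verify against the deployed versions; the sample event is constructed.

```python
import ipaddress

# Constructed sample in the shape of a MISP event export (Event -> Attribute list).
SAMPLE_MISP_EVENT = {"Event": {"id": "42", "info": "constructed sample", "Attribute": [
    {"type": "ip-dst",   "value": "203.0.113.10",         "to_ids": True},
    {"type": "ip-src",   "value": "198.51.100.7",         "to_ids": True},
    {"type": "domain",   "value": "malicious.example",    "to_ids": True},
    {"type": "hostname", "value": "c2.malicious.example", "to_ids": False},  # not for detection
    {"type": "ip-dst",   "value": "not-an-ip",            "to_ids": True},   # malformed value
    {"type": "domain",   "value": 'x" || ip == 10.0.0.1', "to_ids": True},   # expression injection
    {"type": "md5",      "value": "d41d8cd98f00b204e9800998ecf8427e", "to_ids": True},  # no session field
]}}

# Assumed mapping of MISP attribute types to Moloch session fields (check your Moloch version).
FIELD_MAP = {"ip-dst": "ip.dst", "ip-src": "ip.src", "domain": "host", "hostname": "host"}

# Characters with meaning in Moloch's expression language. A value containing any of them is
# refused rather than escaped, so a hostile indicator cannot widen or rewrite the generated query.
UNSAFE = set(' "\'&|=!()[]')

def attribute_to_term(attr):
    """Return one Moloch expression term for a MISP attribute, or None if it must be skipped."""
    if not attr.get("to_ids"):              # MISP flag: attribute is not meant for detection
        return None
    field = FIELD_MAP.get(attr["type"])
    if field is None:                       # e.g. file hashes: no matching session field
        return None
    value = str(attr["value"]).strip()
    if field.startswith("ip."):
        try:
            ipaddress.ip_address(value)     # only well-formed addresses reach the query
        except ValueError:
            return None
        return f"{field} == {value}"
    if not value or UNSAFE & set(value):
        return None
    return f'{field} == "{value}"'

def build_expression(event):
    """Combine all usable attributes into one OR-ed Moloch expression; also return what was skipped."""
    terms, skipped = [], []
    for attr in event["Event"]["Attribute"]:
        term = attribute_to_term(attr)
        if term:
            terms.append(term)
        else:
            skipped.append(attr)           # surface these so an analyst can review them
    return " || ".join(terms), skipped

if __name__ == "__main__":
    expr, skipped = build_expression(SAMPLE_MISP_EVENT)
    print(expr)
    print(f"skipped {len(skipped)} attribute(s)")
```

The skipped list matters as much as the expression: an indicator that silently fails to become a filter is a detection gap, so it should be reported, not dropped.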