Security BSides Athens 2018 (Sat, 23/Jun/2018)

Full Packet Capture for the Masses - Xavier Mertens

Abstract: When you are facing a security incident, your investigation depends on the data you can analyze. Logs are often the first source of evidence, but sometimes it is useful to have access to a full packet capture to "dive deeper" into the traffic generated from or to the compromised network or host. Full packet capture (FPC) is like insurance: you implement it without knowing whether you will ever need it... until something weird happens! In this presentation, I'll present a simple way to implement FPC for small organizations based on open source solutions (Moloch, Docker) and show how to interconnect them. This talk is an extension of my SANS ISC diary (The easy way to analyze huge amounts of PCAP data) with more practical details.

Bio: Xavier Mertens is a freelance security consultant based in Belgium. His daily job focuses on protecting his customers' assets by applying "offensive" (pentesting) as well as "defensive" security (incident handling, forensics, log management, SIEM, security visualisation, OSINT). Besides his daily job, Xavier is also a security blogger (https://blog.rootshell.be), an ISC SANS handler (https://isc.sans.org) and co-organizer of the BruCON (http://www.brucon.org) security conference.