The Packets Made Me Do It: Getting Started with Distributed Full Packet Capture Using OpenFPC

DEF CON 23

Presented by: Leon Ward
Date: Friday August 07, 2015

Network security analysts love to see packets; however, most commercial security products don't record them. Instead they provide packet-less event messages that can leave you asking yourself, "Did that event really happen?" This talk investigates this situation and covers the history that led the speaker to start an open source project that has helped him enrich security detection events with packets as required.

OpenFPC is a packet capture framework designed to retro-fit full packet data into existing external tools that generate packet-less events (think intrusion detection systems, firewalls, SIEMs, or log managers). Learn how to rapidly deploy a distributed full packet capture system using only a few commands, and then enrich other tools with it to augment your current event analysis process.

Leon Ward

Leon Ward has spent over ten years in "day jobs" working closely with both open source and proprietary network security tools. After years of experience helping to design and deploy large intrusion prevention deployments, he decided to focus on advancing the products themselves. While working as Director of Product Management at Sourcefire, he became responsible for network detection technologies including the famous Snort open source intrusion prevention engine. OpenFPC was started as a spare-time "passion" project for Leon (read "not his day job") that enables him to stay knee-deep in packets and code.
