GSOC 2021 PROJECT SUMMARY - PcapMonkey

07 Sep 2021 Federico Foschini gsoc pcap

Our GSoC student Hariom Chaturved was working for three months on the network capture analysis tool PcapMonkey, specifically introducing live capture, testing architecture, and the introduction of zkg support.

Read on for an overview of their achievements and how they successfully contributed towards PcapMonkey and some considerations for the future.

Student: Hariom Chaturved (GitHub)

Organization: The Honeynet Project

Project: PcapMonkey Improvements

About PcapMonkey

PcapMonkey is a Linux based Security tool that provides an easier way to analyze packet captures and Windows Event Logs. The latest release of PcapMonkey adds support for live analysis over an interface. It is based on Elasticsearch, and Kibana to index, process and analyze the logs generated by Suricata and Zeek(formerly Bro).

About the Project

The project aimed to add multiple functionalities (like live traffic analysis, implementation of a test architecture, and zkg support) and improve logging configurations. Over the span of 10 weeks, I worked on the same as well as wrote the Wiki and upgraded the Zeek docker image to the latest release.

Pre-GSoC Commits

Following is the list of pull requests merged before the start of GSoC Coding Period.

  • Elastic Stack Upgradation: #12
  • Documentation Improvements: #13 and #9

GSoC Commits

Contributions to PcapMonkey

Following is my contributions to PcapMonkey:

  • Improved Suricata Configuration and added logging support for multiple protocols (#19 and #24)
    • Previously Suricata was only logging some common protocols(like tls, dns, http, krb5), the current config supports a wide number of protocols(such as ntp, dcerpc, smb, smtp, snmp, etc.).
  • Upgraded the ELK Stack to 7.13.2, Suricata to 6.0.0 and Zeek to 4.0.2 (#23).
  • Created custom dashboards and saved searches (#25 and #27)
    • Created Kibana dashboard for Suricata and Zeek, also added saved searches for Zeek, Suricata, and evtxtoelk.
  • Implemented test architecture for PcapMonkey with GitHub Actions (#28)
    • Added workflows to test data dumped by Elasticsearch, originated from Filebeat and evtxtoelk.
  • Created Wiki and updated documentation (Wiki and #29).

Contributions to docker-zeek

Following is my contributions to docker-zeek:

  • Created docker image for Zeek v4.0.2 (#1)
    • The docker image originally uses Zeek AF_Packet plugin. It had to be eliminated in the latest release, due to breaking changes in the Af Packet.
    • The latest release builds Zeek without AF_Packet plugin.
  • Added Bash Script for Live Traffic Analysis (#2)
    • The script listens on the interface provided and captures and analyzes all communication occurred over the interface.
  • Added zkg support for docker-zeek (#3 and #4)
    • Added a bash script to install the zeek packages with Zeek Package Manager.

Contributions to evtxtoelk

Following is my contributions to evtxtoelk:

  • Mapped evtxtoelk output fields to ECS fields (#1)
    • Mapped the evtxtoelk exported fields to that of winlogbeat to unlock the Elasticsearch SIEM and other functionalities.

Other

The zkg integration to docker-zeek is done however, its integration to PcapMonkey is still in progress, and require little more work to be done.

My Experience

My learning experience over the last two months has been very fruitful and extremely beneficial.

The Honeynet Project mentors were amazing. I received excellent mentorship from them whenever I needed it.

I appreciate the GSoC program for providing a good way to get involved in the community and to get started with Open Source Development.