Cyber Software - sofwerx/mad-jack GitHub Wiki
Wireshark: Open source network protocol analyzer (or sniffer). It lets us see what is happening on the network by analyzing the contents of the packets being received and sent.
Tshark: Command line version of Wireshark.
Wireshark and Tshark should both be installed on the laptop and configured to analyze the pcap dump from the network wiretap.
Elasticsearch: Open-source search and analytics engine that is installed on the laptop.
Kibana: Web interface used to visualize the Elasticsearch data.
Logstash: Tool for collecting, parsing, and storing logs for future use.
- Elasticsearch/Kibana should be installed in a Docker container on the cyber laptop.
- A pcap index in Elasticsearch should be created into which all the packets from the wiretap are dumped.
- A logstash index should be created into which the syslogs from the Safehouse access point are downloaded.
Watcher: Plugin for Elasticsearch that allows the creation of watcher (alert) scripts written in JSON that search for and report anomalies. JSON (JavaScript Object Notation) is a lightweight data format based on a subset of JavaScript syntax and is used for transferring data.
Webhook: Event notification sent via HTTP POST (when something happens, the message is posted to a URL).
Each watcher uses a webhook that downloads "hits" into an Elasticsearch index.
The "hits" automatically generate an event in the Safehouse 3D model, such as turning an icon a different color, which signals that a potentially malicious event has been detected.
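As an added example (not one of the wiki's five watchers), here is a watcher of the kind described above in the JSON body Watcher accepts: every minute it searches the pcap index for packets sent to TCP port 23 (telnet) during the last minute and, if any were found, its webhook action POSTs a summary document into a separate hits index that the 3D model can read. The index name `pcap`, the field names `@timestamp` and `tcp.dstport`, the `watcher_hits` destination index and Elasticsearch listening on localhost:9200 are assumptions; the body is registered with `PUT _xpack/watcher/watch/<id>` on the 5.x/6.x X-Pack plugin (`PUT _watcher/watch/<id>` on 7.x and later).

```json
{
  "trigger": { "schedule": { "interval": "1m" } },
  "input": {
    "search": {
      "request": {
        "indices": ["pcap"],
        "body": {
          "size": 50,
          "query": {
            "bool": {
              "filter": [
                { "range": { "@timestamp": { "gte": "now-1m" } } },
                { "term": { "tcp.dstport": 23 } }
              ]
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": { "ctx.payload.hits.total": { "gt": 0 } }
  },
  "actions": {
    "post_hits": {
      "throttle_period": "5m",
      "webhook": {
        "scheme": "http",
        "host": "localhost",
        "port": 9200,
        "method": "post",
        "path": "/watcher_hits/_doc",
        "headers": { "Content-Type": "application/json" },
        "body": "{ \"watch_id\": \"{{ctx.watch_id}}\", \"fired_at\": \"{{ctx.execution_time}}\", \"hit_count\": {{ctx.payload.hits.total}} }"
      }
    }
  }
}
```

The `throttle_period` keeps a noisy telnet session from writing a new hit document on every run; drop it if the model should reflect each firing.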
The following five Watchers were created:
See the Watcher Scripts page to view the watcher scripts.