Chances are that your organization has already made significant investments in setting up security-related incident response processes and the accompanying monitoring systems:
- Web application firewalls and other types of firewall, to ensure that only well-known, trusted application traffic passes.
- SIEM systems such as Splunk, or its open source equivalent Elasticsearch (completed with Logstash and Kibana), to monitor the content of log files.
- An Intrusion Detection System (IDS), to detect anomalous application traffic once it is past the firewall.
- An Intrusion Prevention System (IPS), to detect and (optionally) clean up anomalous application traffic once it is past the firewall and before it is forwarded to its final destination.
Selectively storing and analyzing packets

These types of monitoring systems draw on different data sources. One of these data sources is the network and its packets. The good part of network packets is that they always contain the absolute truth about what is happening with an application and its data. The lesser part is that storing and processing a large volume of packets is very expensive and even more time consuming. It would be more than welcome to have "something" that captures and stores only the packets belonging to a suspicious application flow, as identified by an IDS/IPS type of monitoring system, ideally together with the packets shortly before and after the suspicious packets!
This is exactly what Vigil (from Savvius) is built for! The complementary Omnipeek Security Forensic Packet Analyzer helps you analyze the retained packets quickly, for example to determine to what extent the integrity of an application and its data is not what it should be.
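As an added illustration of the alert-driven selective retention idea described above (example code written for this page, not code from Savvius or Vigil), the following Python sketch keeps a small ring buffer of the most recent packets per flow and, only when an IDS-style alert fires for that flow, writes out the pre-alert packets, the flagged packet and a bounded number of follow-up packets. Flow keys, packet labels and window sizes are constructed for the example.

```python
from collections import deque


class SelectiveCapture:
    """Retain only packets of flows flagged by an IDS-style alert, plus the
    packets that arrived shortly before and after the alert on that flow."""

    def __init__(self, pre_window=3, post_window=3):
        self.pre_window = pre_window      # packets kept per flow before an alert
        self.post_window = post_window    # packets kept per flow after an alert
        self.recent = {}     # flow_key -> ring buffer of the last pre_window packets
        self.pending = {}    # flow_key -> number of post-alert packets still to keep
        self.retained = []   # (flow_key, packet) pairs handed to long-term storage

    def observe(self, flow_key, packet, suspicious=False):
        """Feed one packet; `suspicious` is the verdict an IDS/IPS gave for it."""
        if suspicious:
            # Flush the pre-alert context, keep the flagged packet, arm the post window.
            for p in self.recent.pop(flow_key, ()):
                self.retained.append((flow_key, p))
            self.retained.append((flow_key, packet))
            self.pending[flow_key] = self.post_window
            return
        if flow_key in self.pending:
            # Still inside the post-alert window for this flow: keep the packet.
            self.retained.append((flow_key, packet))
            self.pending[flow_key] -= 1
            if self.pending[flow_key] == 0:
                del self.pending[flow_key]
            return
        # Benign packet on an unflagged flow: only remember it in the ring buffer.
        self.recent.setdefault(flow_key, deque(maxlen=self.pre_window)).append(packet)


def demo():
    """Constructed traffic: two flows, one packet on flow_a flagged by the IDS."""
    cap = SelectiveCapture(pre_window=2, post_window=2)
    flow_a = ("10.0.0.5", 40001, "192.0.2.10", 443, "tcp")   # constructed 5-tuple
    flow_b = ("10.0.0.6", 40002, "192.0.2.10", 443, "tcp")   # constructed 5-tuple
    stream = [
        (flow_a, "a1"), (flow_b, "b1"), (flow_a, "a2"), (flow_a, "a3"),
        (flow_a, "a4", True),                                  # IDS flags a4
        (flow_b, "b2"), (flow_a, "a5"), (flow_a, "a6"), (flow_a, "a7"), (flow_b, "b3"),
    ]
    for entry in stream:
        cap.observe(entry[0], entry[1], suspicious=len(entry) > 2)
    # Of 10 packets on the wire only the 5 around the alert are stored.
    return [pkt for _, pkt in cap.retained]
```

Running `demo()` returns `['a2', 'a3', 'a4', 'a5', 'a6']`: the two packets before the alert, the flagged packet and the two after it, while flow_b and the rest of flow_a are never written to storage.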