Hello, welcome to the Thursday, August 13th, 2020 edition of the Sand Center at Storm Center's

Stormcast. My name is Johannes Ulrich. And I'm recording from Jacksonville, Florida.

In diaries today, we have one by Russ, who as usual talks about tools that he lately came across

and found useful. Now, actually, two tools that he lately came across and found useful.

Now, actually, two things that he's sort of mixing up here.

First one is the motor project.

It looks really interesting in that it does provide standard data sets

that essentially record what happens during some specific adversarial techniques.

This is something I often hear people ask for, where, you know, where can I find essentially sort of a packet capture that shows a particular type of attack or other logs related to this.

And that's exactly what the

mortar project is doing and not just packet captures but actually you know the

whole data set from some of these attacks and they sort of came up with their

standard JSON format to express all the data that they have to offer.

Now, Russ uses the data from Mordor to actually introduce a tool, and that tool here is Prim.

I was actually surprised that I didn't come across this tool earlier.

It really sort of tries to be similar to

WyrShark, but for large datasets. So Prim can digest multi-gigabyte files, which of course

Wireshark has problems with, provides some similar functionality, but can also ingest seek logs.

And then with the combination of having PCAP data and seek logs in one console, also

having a query language available to query all of those logs and correlate them.

Looks like a real powerful tool.

Haven't had a lot of time today to really experiment with the tool,

...