INTRUSION

Savant can create independent, device-agnostic audits of the communication patterns of all network devices, including desktops, servers, printers and IoT devices. Savant enables network engineers and forensic analysts to drill down from network-wide performance views to individual session flows.
Savant's multi-CPU, multi-thread architecture is designed to trigger systematically on events, index and organize the entity relationships in the data, and capture data according to the rules and policies defined by the user.
Unlike any other known network audit device, Savant decodes every defined field of hundreds of protocols and builds graph analytics in real time in the Savant's RAM, so no method of hiding covert communications is beyond the scope of its logging and graph analytics. Every Savant allows logging and triggering on thousands of high- and low-layer protocol attributes, including MAC addresses, IP addresses, DNS requests and responses, TCP and UDP port numbers, HTTP user agents, FTP commands, SMB transfer checksums, SIP information, SSL protocols and JA3 signatures, and it even looks into historical minutiae such as data hidden in stuff bits, undefined or obscure fields, message IDs and the like.

Savant Features

  • 20Gbps bidirectional protocol decoding and packet capture, including full 100% rolling packet capture, so that when any anomaly is detected the investigator can reach back in time to the beginning for full forensic
  • Customizable metadata extraction tasks for logging thousands of attributes across hundreds of network protocols
  • Patented accumulator techniques for compressing log file size, enabling retention of years' worth of audit logs on the device
  • Patented real-time packet capture buffer and indexing for fast PCAP reconstruction
  • Customizable scripting for defining actions and integrating with SIEM tools
  • Passive operation that consumes flows from a network tap or switch mirror port
  • User-defined enrichment dictionaries
  • PCAP and NetFlow ingestion, along with remote mirrored capture using GRE, RSPAN, or ERSPAN
  • SQL query interface and CSV export
  • Multiple hardware platforms to scale from 1Gbps to 20Gbps needs