SlideShare une entreprise Scribd logo

Log Visualization - Bellua BCS 2006

Télécharger en tant que PPT, PDF
Raffael Marty
Raffael Marty

Log Visualization from Bellua BCS in Jakarta, 2006

TechnologieFormation
1  sur  45
Logfile Visualization– The Beauty of Graphs BCS 2006, Jakarta Raffael Marty, GCIA, CISSP Manager Solutions @ ArcSight August 30th, 2006 *
Raffael Marty, GCIA, CISSP  Enterprise Security Management (ESM) specialist  Strategic Application Solutions @ ArcSight, Inc.  Intrusion Detection Research @ IBM Research  See http://thor.cryptojail.net  IT Security Consultant @ PriceWaterhouse Coopers  Open Vulnerability and Assessment Language (OVAL) board member  Passion for Visual Security Event Analysis Raffael Marty BCS 2006 Jakarta 2
Table Of Contents ► Introduction ► Graphing Basics ► Graph Use Cases ► Visual Analysis Process ► AfterGlow ► Firewall Log Visualization Raffael Marty BCS 2006 Jakarta 3
Introduction Raffael Marty BCS 2006 Las Vegas 4
Disclaimer IP addresses and host names showing up in event graphs and descriptions were obfuscated/changed. The addresses are completely random and any resemblance with well-known addresses or host names are purely coincidental. Raffael Marty BCS 2006 Jakarta 5
A Picture is Worth a Thousand Log Entries Detect the Expected Detect the Expected & Discover the Unexpected & Discover the Unexpected Reduce Analysis and Response Times Reduce Analysis and Response Times Make Better Decisions Make Better Decisions Raffael Marty BCS 2006 Jakarta 6
Text or Visuals? ►What would you rather look at? Jun 17 09:42:30 rmarty ifup: Determining IP information for eth0... Jun 17 09:42:35 rmarty ifup: failed; no link present. Check cable? Jun 17 09:42:35 rmarty network: Bringing up interface eth0: failed Jun 17 09:42:38 rmarty sendmail: sendmail shutdown succeeded Jun 17 09:42:38 rmarty sendmail: sm-client shutdown succeeded Jun 17 09:42:39 rmarty sendmail: sendmail startup succeeded Jun 17 09:42:39 rmarty sendmail: sm-client startup succeeded Jun 17 09:43:39 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128 Jun 17 09:45:42 rmarty last message repeated 2 times Jun 17 09:45:47 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128 Jun 17 09:56:02 rmarty vmnet-dhcpd: DHCPDISCOVER from 00:0c:29:b7:b2:47 via vmnet8 Jun 17 09:56:03 rmarty vmnet-dhcpd: DHCPOFFER on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8 Jun 17 09:56:03 rmarty vmnet-dhcpd: DHCPREQUEST for 172.16.48.128 from 00:0c:29:b7:b2:47 via vmnet8 Jun 17 09:56:03 rmarty vmnet-dhcpd: DHCPACK on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8 Jun 17 10:00:03 rmarty crond(pam_unix)[30534]: session opened for user root by (uid=0) Jun 17 10:00:10 rmarty crond(pam_unix)[30534]: session closed for user root Jun 17 10:01:02 rmarty crond(pam_unix)[30551]: session opened for user root by (uid=0) Jun 17 10:01:07 rmarty crond(pam_unix)[30551]: session closed for user root Jun 17 10:05:02 rmarty crond(pam_unix)[30567]: session opened for user idabench by (uid=0) Jun 17 10:05:05 rmarty crond(pam_unix)[30567]: session closed for user idabench Jun 17 10:13:05 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.19/192.168.80.19 to UDP port: 192 Jun 17 10:13:05 rmarty portsentry[4797]: attackalert: Host: 192.168.80.19/192.168.80.19 is already blocked Ignoring Jun 17 10:14:09 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68 Jun 17 10:14:09 rmarty portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring Jun 17 10:14:09 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68 Jun 17 10:14:09 rmarty portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring Jun 17 10:21:30 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68 Jun 17 10:21:30 rmarty portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring Jun 17 10:28:40 rmarty vmnet-dhcpd: DHCPDISCOVER from 00:0c:29:b7:b2:47 via vmnet8 Jun 17 10:28:41 rmarty vmnet-dhcpd: DHCPOFFER on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8 Jun 17 10:28:41 rmarty vmnet-dhcpd: DHCPREQUEST for 172.16.48.128 from 00:0c:29:b7:b2:47 via vmnet8 Jun 17 10:28:45 rmarty vmnet-dhcpd: DHCPACK on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8 Jun 17 10:30:47 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68 Jun 17 10:30:47 rmarty portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring Jun 17 10:30:47 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68 Jun 17 10:30:47 rmarty portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring Jun 17 10:35:28 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128 Jun 17 10:35:31 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128 Jun 17 10:38:51 rmarty vmnet-dhcpd: DHCPREQUEST for 172.16.48.128 from 00:0c:29:b7:b2:47 via vmnet8 Jun 17 10:38:52 rmarty vmnet-dhcpd: DHCPACK on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8 Jun 17 10:42:35 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128 Jun 17 10:42:38 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128 Raffael Marty BCS 2006 Jakarta 7
Graphing Basics Raffael Marty BCS 2006 Las Vegas 8
How To Generate A Graph ... | Normalization | ... Device Parser Event Visualizer Jun 17 09:42:30 rmarty ifup: Determining IP information for eth0... Jun 17 09:42:35 rmarty ifup: failed; no link present. Check cable? Jun 17 09:42:35 rmarty network: Bringing up interface eth0: failed Jun 17 09:42:38 rmarty sendmail: sendmail shutdown succeeded Jun 17 09:42:38 rmarty sendmail: sm-client shutdown succeeded Jun 17 09:42:39 rmarty sendmail: sendmail startup succeeded Jun 17 09:42:39 rmarty sendmail: sm-client startup succeeded Jun 17 09:43:39 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128 Jun 17 09:45:42 rmarty last message repeated 2 times Jun 17 09:45:47 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128 Visual Jun 17 09:56:02 rmarty vmnet-dhcpd: DHCPDISCOVER from 00:0c:29:b7:b2:47 via vmnet8 Jun 17 09:56:03 rmarty vmnet-dhcpd: DHCPOFFER on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8 NH Log File Raffael Marty BCS 2006 Jakarta 9
Visual Types Link Graphs TreeMaps AfterGlow 1.x - Perl AfterGlow 2.0 - JAVA Raffael Marty BCS 2006 Jakarta 10
Link Graph Configurations Raw Event: [**] [1:1923:2] RPC portmap UDP proxy attempt [**] [Classification: Decode of an RPC Query] [Priority: 2] 06/04-15:56:28.219753 192.168.10.90:32859 -> 192.168.10.255:111 UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:148 DF Len: 120 Different node configurations: SIP Name DIP SIP DIP DPort 192.168.10.90 RPC portmap 192.168.10.255 192.168.10.90 192.168.10.255 111 SIP SPort DPort Name SIP DIP 192.168.10.90 32859 111 RPC portmap 192.168.10.90 192.168.10.255 Raffael Marty BCS 2006 Jakarta 11
Tree Maps All Network Traffic Raffael Marty BCS 2006 Jakarta 12
Tree Maps 20% 80% UDP TCP Configuration (Hierarchy): Protocol Raffael Marty BCS 2006 Jakarta 13
Tree Maps UDP TCP HTTP DNS UDP TCP SSH SNMP FTP Configuration (Hierarchy): Protocol -> Service Raffael Marty BCS 2006 Jakarta 14
Graph Use Cases Raffael Marty BCS 2006 Las Vegas 15
Graph Use-Cases Situational Awareness Dashboard Raffael Marty BCS 2006 Jakarta 16
Graph Use-Cases Suspicious Activity? Raffael Marty BCS 2006 Jakarta 17
Graph Use-Cases Network Scan Raffael Marty BCS 2006 Jakarta 18
Graph Use-Cases Port Scan ? ►Port scan or something else? Raffael Marty BCS 2006 Jakarta 19
Graph Use-Cases PortScan SIP DIP DPort Raffael Marty BCS 2006 Jakarta 20
Graph Use-Cases Telecom Malicious Code Propagation From Content To Phone# Type|Size Phone# Raffael Marty BCS 2006 Jakarta 21
Graph Use-Cases Email Relays Grey out “my domain” invisibleDomain Make emails to From: My From: Other Domain and from “my domain” To: My Domain To: Other Domain Do you run an open relay? From To Raffael Marty BCS 2006 Jakarta 22
Visual Analysis Process Raffael Marty BCS 2006 Las Vegas 23
Visual Analysis Process Event Feedback Loop Feb 18 13:39:15.598491 rule 71/0(match): pass in on xl0: 195.27.249.139.63263 > 195.141.69.42.80: Device S 492525755:492525755(0) win 32768 <mss 1460,nop,wscale 0,nop,nop,timestamp 24053 0> (DF) Feb 18 13:39:15.899644 rule 71/0(match): pass in on xl0: 195.27.249.139.63264 > 195.141.69.42.80: S 875844783:875844783(0) win 32768 <mss 1460,nop,wscale 0,nop,nop,timestamp 24054 0> (DF) Normalization 195.27.249.139,195.141.69.42,80 195.27.249.139,195.141.69.42,80 Filter 195.27.249.139,195.141.69.42,80 Service stopped Correlation Visual Raffael Marty BCS 2006 Jakarta 24
Visual Analysis Process Event Feedback Loop Real-time Visual Data Forensic and Detection Processing Historical Analysis Creation of new Filters Visual and Correlation Components Investigation Assign to Content Author Raffael Marty BCS 2006 Jakarta 25
Visual Analysis Process Visual Detection Beginning of Analyst’s shift Raffael Marty BCS 2006 Jakarta 26
Visual Analysis Process Visual Detection Scanning activity is displayed Firewall Blocks Scan Events Raffael Marty BCS 2006 Jakarta 27
Visual Analysis Process Visual Investigation Raffael Marty BCS 2006 Jakarta 28
Visual Analysis Process Defining New Content 1. Correlation Assign for further analysis if More than 20 firewall drops from an external machine to an internal machine 3. Open a ticket for Operations to quarantine and clean infected machines 2. Filter • Internal machines on white-list • connecting to active directory servers Raffael Marty BCS 2006 Jakarta 29
AfterGlow http://afterglow.sourceforge.net ► Two Versions: • AfterGlow 1.x – Perl for Link Graphs • AfterGlow 2.0 – Java for TreeMaps ► Collection of Parsers: • pf2csv.pl BSD PacketFilter (pf) • tcpdump2csv.pl tcpdump 3.9 • sendmail2csv.pl Sendmail transaction logs Raffael Marty BCS 2006 Jakarta 30
AfterGlow afterglow.sourceforge.net Raffael Marty BCS 2006 Las Vegas 31
AfterGlow Parsers ► tcpdump2csv.pl • Takes care of swapping response source and targets tcpdump -vttttnnelr /tmp/log.tcpdump | ./tcpdump2csv.pl "sip dip sport" ► sendmail_parser.pl • Reassemble email conversations: Jul 24 21:01:16 rmarty sendmail[17072]: j6P41Gqt017072: from=<root@localhost.localdomain>, size=650, class=0, nrcpts=1, Jul 24 21:01:16 rmarty sendmail[17073]: j6P41Gqt017072: to=ram, ctladdr=<root@localhost.localdomain> (0/0), delay=00:00:00, xdelay=00:00:00, mailer=local, pri=30881, dsn=2.0.0, stat=Sent ► pf2csv.pl • Parsing OpenBSD pf output Raffael Marty BCS 2006 Jakarta 32
AfterGlow 1.x - Perl Parser AfterGlow Grapher Graph CSV File LanguageFile ► Supported graphing tools: • GraphViz from AT&T (dot, neato, circo, twopi) http://www.graphviz.org • LGL (Large Graph Layout) by Alex Adai http://bioinformatics.icmb.utexas.edu/lgl/ Raffael Marty BCS 2006 Jakarta 33
AfterGlow 1.x Features ► Generate Link Graphs ► Filtering Nodes • Based on name Fan Out: 3 • Based on number of occurrences ► Fan Out Filtering ► Coloring • Edges • Nodes ► Clustering Raffael Marty BCS 2006 Jakarta 34
AfterGlow 1.x Hello World Input Data: Command: a,b cat file | ./afterglow –c simple.properties –t neato –Tgif –o test.gif a,c b,c simple.properties: d,e color.source=“green” if ($fields[0] ne “d”) color.target=“blue” if ($fields[1] ne “e”) Output: d color.source=“red” color=“green” b e a c Raffael Marty BCS 2006 Jakarta 35
AfterGlow 1.x Property File – Color Definition  Coloring: color.[source|event|target|edge]= <perl expression returning a color name>  Array @fields contains input-line, split into tokens: color.event=“red” if ($fields[1] =~ /^192..*)  Filter nodes with “invisible” color: color.target=“invisible” if ($fields[0] eq “IIS Action”) Raffael Marty BCS 2006 Jakarta 36
AfterGlow 1.x Property File - Clustering  Clustering: cluster.[source|event|target]= <perl expression returning a cluster name> Raffael Marty BCS 2006 Jakarta 37
AfterGlow 2.0 - Java Parser AfterGlow - Java CSV File ► Command line arguments: -h : help -c file : property file -f file : data file Raffael Marty BCS 2006 Jakarta 38
AfterGlow 2.0 Example ► Data: ## AfterGlow -- JAVA 2.0 AfterGlow JAVA 2.0 ## Properties File Properties File Target System Type,SIP,DIP,User,Outcome Development,192.168.10.1,10.10.2.1,ram,failure ## File to load File to load file.name=/home/ram/afterglow/data/sample.csv VPN,192.168.10.1,10.10.2.1,ram,success file.name=/home/ram/afterglow/data/sample.csv Financial System,192.168.20.1,10.0.3.1,drob,success ## Column Types (default is STRING), start with 0! VPN,192.168.10.1,10.10.2.1,ram,success Column Types (default is STRING), start with 0! ## Valid values: Valid values: VPN,192.168.10.1,10.10.2.1,jmoe,failure ## STRING STRING Financial System,192.168.10.1,10.10.2.1,jmoe,success ## INTEGER INTEGER Financial System,192.168.10.1,10.10.2.1,jmoe,failure ## CATEGORICAL CATEGORICAL column.type.count=4 column.type.count=4 ► Launch: column.type[0].column=0 column.type[0].column=0 column.type[0].type=INTEGER column.type[0].type=INTEGER column.type[1].column=1 column.type[1].column=1 ./afterglow-java.sh –c afterglow.properties column.type[1].type=CATEGORICAL column.type[1].type=CATEGORICAL column.type[2].column=2 column.type[2].column=2 column.type[2].type=CATEGORICAL column.type[2].type=CATEGORICAL column.type[3].column=3 column.type[3].column=3 column.type[3].type=CATEGORICAL column.type[3].type=CATEGORICAL ## Size Column (default is 0) Size Column (default is 0) size.column=0 size.column=0 ## Color Column (default is 0) Color Column (default is 0) color.column=2 color.column=2 Raffael Marty BCS 2006 Jakarta 39
AfterGlow 2.0 Output Raffael Marty BCS 2006 Jakarta 40
AfterGlow 2.0 Interaction ► Left-click: • Zoom in ► Right-click: • Zoom all the way out ► Middle-click • Change Coloring to current depth (Hack: Use SHIFT for leafs) Raffael Marty BCS 2006 Jakarta 41
AfterGlow Firewall Log Analysis Example Input (pflog): Feb 18 13:39:15.598491 rule 71/0(match): pass in on xl0: 195.27.249.139.63263 > 195.141.69.42.80: S 492525755:492525755(0) win 32768 <mss 1460,nop,wscale 0,nop,nop,timestamp 24053 0> (DF) Feb 18 13:39:15.899644 rule 71/0(match): pass in on xl0: 195.27.249.139.63264 > 195.141.69.42.80: S 875844783:875844783(0) win 32768 <mss 1460,nop,wscale 0,nop,nop,timestamp 24054 0> (DF) Command: cat pflog | pf2csv.pl “sip dip dport” Output: 195.27.249.139,195.141.69.42,80 195.27.249.139,195.141.69.42,80 AfterGlow Input Visualization: cat pflog | pf2csv.pl “sip dip dport” | afterglow –c properties | neato –Tgif –o foo.gif Raffael Marty BCS 2006 Jakarta 42
AfterGlow Firewall Log Analysis Example Command: cat log | grep pass_in | ./afterglow –c properties –d | dot –Tgif –o foo.gif Properties: cluster.source="External" if (!match("^195.141.69")) color=“red” if (field() eq “External”) color.event=“blue" if (regex("^195.141.69")) color.event=“lightblue” color="red" Port 100 access Raffael Marty BCS 2006 Jakarta 43
Summary ► Quickly Visualize Log Files • Understand Relationships • Find Outliers • Spot suspicious activity ► Visual Don’t Read Log Files Don’t Read Log Files Data Analysis Process ► AfterGlow Visualize Them!! Visualize Them!! ► Firewall Log File Analysis Raffael Marty BCS 2006 Jakarta 44
THANKS! raffy@arcsight.com Raffael Marty DefCon 2006 Las Vegas BCS Jakarta 45

Recommandé

Visual Log Analysis - DefCon 2006
Visual Log Analysis - DefCon 2006Visual Log Analysis - DefCon 2006
Visual Log Analysis - DefCon 2006Raffael Marty
 
Event Graphs - EUSecWest 2006
Event Graphs - EUSecWest 2006Event Graphs - EUSecWest 2006
Event Graphs - EUSecWest 2006Raffael Marty
 
Visual Security Event Analysis - DefCon 13 - 2005
Visual Security Event Analysis - DefCon 13 - 2005Visual Security Event Analysis - DefCon 13 - 2005
Visual Security Event Analysis - DefCon 13 - 2005Raffael Marty
 
Services
ServicesServices
ServicesTerry Hernandez
 
Leonardo Nve Egea - Playing in a Satellite Environment 1.2
Leonardo Nve Egea - Playing in a Satellite Environment 1.2Leonardo Nve Egea - Playing in a Satellite Environment 1.2
Leonardo Nve Egea - Playing in a Satellite Environment 1.2Jim Geovedi
 
How You Will Get Hacked Ten Years from Now
How You Will Get Hacked Ten Years from NowHow You Will Get Hacked Ten Years from Now
How You Will Get Hacked Ten Years from Nowjulievreeland
 
Why my network does not work? Networking Quiz 2017
Why my network does not work? Networking Quiz 2017Why my network does not work? Networking Quiz 2017
Why my network does not work? Networking Quiz 2017Andriy Berestovskyy
 
The Spectre of Meltdowns
The Spectre of MeltdownsThe Spectre of Meltdowns
The Spectre of MeltdownsAndriy Berestovskyy
 

Recommandé

Visual Log Analysis - DefCon 2006
Visual Log Analysis - DefCon 2006Visual Log Analysis - DefCon 2006
Visual Log Analysis - DefCon 2006Raffael Marty
 
Event Graphs - EUSecWest 2006
Event Graphs - EUSecWest 2006Event Graphs - EUSecWest 2006
Event Graphs - EUSecWest 2006Raffael Marty
 
Visual Security Event Analysis - DefCon 13 - 2005
Visual Security Event Analysis - DefCon 13 - 2005Visual Security Event Analysis - DefCon 13 - 2005
Visual Security Event Analysis - DefCon 13 - 2005Raffael Marty
 
Services
ServicesServices
ServicesTerry Hernandez
 
Leonardo Nve Egea - Playing in a Satellite Environment 1.2
Leonardo Nve Egea - Playing in a Satellite Environment 1.2Leonardo Nve Egea - Playing in a Satellite Environment 1.2
Leonardo Nve Egea - Playing in a Satellite Environment 1.2Jim Geovedi
 
How You Will Get Hacked Ten Years from Now
How You Will Get Hacked Ten Years from NowHow You Will Get Hacked Ten Years from Now
How You Will Get Hacked Ten Years from Nowjulievreeland
 
Why my network does not work? Networking Quiz 2017
Why my network does not work? Networking Quiz 2017Why my network does not work? Networking Quiz 2017
Why my network does not work? Networking Quiz 2017Andriy Berestovskyy
 
The Spectre of Meltdowns
The Spectre of MeltdownsThe Spectre of Meltdowns
The Spectre of MeltdownsAndriy Berestovskyy
 
HPCユーザが知っておきたいTCP/IPの話 ~クラスタ・グリッド環境の落とし穴~
HPCユーザが知っておきたいTCP/IPの話 ~クラスタ・グリッド環境の落とし穴~HPCユーザが知っておきたいTCP/IPの話 ~クラスタ・グリッド環境の落とし穴~
HPCユーザが知っておきたいTCP/IPの話 ~クラスタ・グリッド環境の落とし穴~Ryousei Takano
 
Port tcp
Port tcpPort tcp
Port tcpVina Necko
 
Computer network (16)
Computer network (16)Computer network (16)
Computer network (16)NYversity
 
VPP for Stateless SRv6/GTP-U Translation
VPP for Stateless SRv6/GTP-U TranslationVPP for Stateless SRv6/GTP-U Translation
VPP for Stateless SRv6/GTP-U TranslationSatoru Matsushima
 
Packet Card Knowledge Transferfinal
Packet Card Knowledge TransferfinalPacket Card Knowledge Transferfinal
Packet Card Knowledge TransferfinalAbdel-Fattah M. Hmoud
 
TekTape Manual
TekTape ManualTekTape Manual
TekTape ManualYasin KAPLAN
 
Matrix sapex vs grandstream gxe502 x series
Matrix sapex vs grandstream gxe502 x seriesMatrix sapex vs grandstream gxe502 x series
Matrix sapex vs grandstream gxe502 x seriesGateway Business Solutions
 
Networking
NetworkingNetworking
NetworkingMarian Marinov
 
Uip Sip Implementation Best Practices060409
Uip Sip Implementation Best Practices060409Uip Sip Implementation Best Practices060409
Uip Sip Implementation Best Practices060409Abdel-Fattah M. Hmoud
 
Networking Fundamentals: Local Networks
Networking Fundamentals: Local NetworksNetworking Fundamentals: Local Networks
Networking Fundamentals: Local NetworksAndriy Berestovskyy
 
Programming TCP for responsiveness
Programming TCP for responsivenessProgramming TCP for responsiveness
Programming TCP for responsivenessKazuho Oku
 
NGS techniques and data
NGS techniques and data NGS techniques and data
NGS techniques and data Lex Nederbragt
 
Mpls Presentation Ine
Mpls Presentation IneMpls Presentation Ine
Mpls Presentation IneAlp isik
 
Faster packet processing in Linux: XDP
Faster packet processing in Linux: XDPFaster packet processing in Linux: XDP
Faster packet processing in Linux: XDPDaniel T. Lee
 
20161021_master_lesson_no_feedback
20161021_master_lesson_no_feedback20161021_master_lesson_no_feedback
20161021_master_lesson_no_feedbackJavier Quílez Oliete
 
Rip
RipRip
RipMohamed Gamel
 
SACSIS2009_TCP.pdf
SACSIS2009_TCP.pdfSACSIS2009_TCP.pdf
SACSIS2009_TCP.pdfHiroshi Ono
 
RAZORPOINT TCP/UDP PORTS LIST
RAZORPOINT TCP/UDP PORTS LISTRAZORPOINT TCP/UDP PORTS LIST
RAZORPOINT TCP/UDP PORTS LISTRazorpoint Security
 
Juniper policy based filter based forwarding
Juniper policy based filter based forwardingJuniper policy based filter based forwarding
Juniper policy based filter based forwardingMars Chen
 
Cloud - Security - Big Data
Cloud - Security - Big DataCloud - Security - Big Data
Cloud - Security - Big DataRaffael Marty
 
Security Visualization - Let's Take A Step Back
Security Visualization - Let's Take A Step BackSecurity Visualization - Let's Take A Step Back
Security Visualization - Let's Take A Step BackRaffael Marty
 
Visual Analytics and Security Intelligence
Visual Analytics and Security IntelligenceVisual Analytics and Security Intelligence
Visual Analytics and Security IntelligenceRaffael Marty
 

Contenu connexe

Tendances

HPCユーザが知っておきたいTCP/IPの話 ~クラスタ・グリッド環境の落とし穴~
HPCユーザが知っておきたいTCP/IPの話 ~クラスタ・グリッド環境の落とし穴~HPCユーザが知っておきたいTCP/IPの話 ~クラスタ・グリッド環境の落とし穴~
HPCユーザが知っておきたいTCP/IPの話 ~クラスタ・グリッド環境の落とし穴~Ryousei Takano
 
Computer network (16)
Computer network (16)Computer network (16)
Computer network (16)NYversity
 
VPP for Stateless SRv6/GTP-U Translation
VPP for Stateless SRv6/GTP-U TranslationVPP for Stateless SRv6/GTP-U Translation
VPP for Stateless SRv6/GTP-U TranslationSatoru Matsushima
 
Uip Sip Implementation Best Practices060409
Uip Sip Implementation Best Practices060409Uip Sip Implementation Best Practices060409
Uip Sip Implementation Best Practices060409Abdel-Fattah M. Hmoud
 
Networking Fundamentals: Local Networks
Networking Fundamentals: Local NetworksNetworking Fundamentals: Local Networks
Networking Fundamentals: Local NetworksAndriy Berestovskyy
 
Programming TCP for responsiveness
Programming TCP for responsivenessProgramming TCP for responsiveness
Programming TCP for responsivenessKazuho Oku
 
NGS techniques and data
NGS techniques and data NGS techniques and data
NGS techniques and data Lex Nederbragt
 
Mpls Presentation Ine
Mpls Presentation IneMpls Presentation Ine
Mpls Presentation IneAlp isik
 
Faster packet processing in Linux: XDP
Faster packet processing in Linux: XDPFaster packet processing in Linux: XDP
Faster packet processing in Linux: XDPDaniel T. Lee
 
SACSIS2009_TCP.pdf
SACSIS2009_TCP.pdfSACSIS2009_TCP.pdf
SACSIS2009_TCP.pdfHiroshi Ono
 
Juniper policy based filter based forwarding
Juniper policy based filter based forwardingJuniper policy based filter based forwarding
Juniper policy based filter based forwardingMars Chen
 

Tendances (19)

HPCユーザが知っておきたいTCP/IPの話 ~クラスタ・グリッド環境の落とし穴~
HPCユーザが知っておきたいTCP/IPの話 ~クラスタ・グリッド環境の落とし穴~HPCユーザが知っておきたいTCP/IPの話 ~クラスタ・グリッド環境の落とし穴~
HPCユーザが知っておきたいTCP/IPの話 ~クラスタ・グリッド環境の落とし穴~
 
Port tcp
Port tcpPort tcp
Port tcp
 
Computer network (16)
Computer network (16)Computer network (16)
Computer network (16)
 
VPP for Stateless SRv6/GTP-U Translation
VPP for Stateless SRv6/GTP-U TranslationVPP for Stateless SRv6/GTP-U Translation
VPP for Stateless SRv6/GTP-U Translation
 
Packet Card Knowledge Transferfinal
Packet Card Knowledge TransferfinalPacket Card Knowledge Transferfinal
Packet Card Knowledge Transferfinal
 
TekTape Manual
TekTape ManualTekTape Manual
TekTape Manual
 
Matrix sapex vs grandstream gxe502 x series
Matrix sapex vs grandstream gxe502 x seriesMatrix sapex vs grandstream gxe502 x series
Matrix sapex vs grandstream gxe502 x series
 
Networking
NetworkingNetworking
Networking
 
Uip Sip Implementation Best Practices060409
Uip Sip Implementation Best Practices060409Uip Sip Implementation Best Practices060409
Uip Sip Implementation Best Practices060409
 
Networking Fundamentals: Local Networks
Networking Fundamentals: Local NetworksNetworking Fundamentals: Local Networks
Networking Fundamentals: Local Networks
 
Programming TCP for responsiveness
Programming TCP for responsivenessProgramming TCP for responsiveness
Programming TCP for responsiveness
 
NGS techniques and data
NGS techniques and data NGS techniques and data
NGS techniques and data
 
Mpls Presentation Ine
Mpls Presentation IneMpls Presentation Ine
Mpls Presentation Ine
 
Faster packet processing in Linux: XDP
Faster packet processing in Linux: XDPFaster packet processing in Linux: XDP
Faster packet processing in Linux: XDP
 
20161021_master_lesson_no_feedback
20161021_master_lesson_no_feedback20161021_master_lesson_no_feedback
20161021_master_lesson_no_feedback
 
Rip
RipRip
Rip
 
SACSIS2009_TCP.pdf
SACSIS2009_TCP.pdfSACSIS2009_TCP.pdf
SACSIS2009_TCP.pdf
 
RAZORPOINT TCP/UDP PORTS LIST
RAZORPOINT TCP/UDP PORTS LISTRAZORPOINT TCP/UDP PORTS LIST
RAZORPOINT TCP/UDP PORTS LIST
 
Juniper policy based filter based forwarding
Juniper policy based filter based forwardingJuniper policy based filter based forwarding
Juniper policy based filter based forwarding
 

En vedette

Cloud - Security - Big Data
Cloud - Security - Big DataCloud - Security - Big Data
Cloud - Security - Big DataRaffael Marty
 
Security Visualization - Let's Take A Step Back
Security Visualization - Let's Take A Step BackSecurity Visualization - Let's Take A Step Back
Security Visualization - Let's Take A Step BackRaffael Marty
 
Visual Analytics and Security Intelligence
Visual Analytics and Security IntelligenceVisual Analytics and Security Intelligence
Visual Analytics and Security IntelligenceRaffael Marty
 
Supercharging Visualization with Data Mining
Supercharging Visualization with Data MiningSupercharging Visualization with Data Mining
Supercharging Visualization with Data MiningRaffael Marty
 
RSA 2006 - Visual Security Event Analysis
RSA 2006 - Visual Security Event AnalysisRSA 2006 - Visual Security Event Analysis
RSA 2006 - Visual Security Event AnalysisRaffael Marty
 
Creating Your Own Threat Intel Through Hunting & Visualization
Creating Your Own Threat Intel Through Hunting & VisualizationCreating Your Own Threat Intel Through Hunting & Visualization
Creating Your Own Threat Intel Through Hunting & VisualizationRaffael Marty
 
Security Insights at Scale
Security Insights at ScaleSecurity Insights at Scale
Security Insights at ScaleRaffael Marty
 
Creating Your Own Threat Intel Through Hunting & Visualization
Creating Your Own Threat Intel Through Hunting & VisualizationCreating Your Own Threat Intel Through Hunting & Visualization
Creating Your Own Threat Intel Through Hunting & VisualizationRaffael Marty
 
AI & ML in Cyber Security - Welcome Back to 1999 - Security Hasn't Changed
AI & ML in Cyber Security - Welcome Back to 1999 - Security Hasn't ChangedAI & ML in Cyber Security - Welcome Back to 1999 - Security Hasn't Changed
AI & ML in Cyber Security - Welcome Back to 1999 - Security Hasn't ChangedRaffael Marty
 

En vedette (9)

Cloud - Security - Big Data
Cloud - Security - Big DataCloud - Security - Big Data
Cloud - Security - Big Data
 
Security Visualization - Let's Take A Step Back
Security Visualization - Let's Take A Step BackSecurity Visualization - Let's Take A Step Back
Security Visualization - Let's Take A Step Back
 
Visual Analytics and Security Intelligence
Visual Analytics and Security IntelligenceVisual Analytics and Security Intelligence
Visual Analytics and Security Intelligence
 
Supercharging Visualization with Data Mining
Supercharging Visualization with Data MiningSupercharging Visualization with Data Mining
Supercharging Visualization with Data Mining
 
RSA 2006 - Visual Security Event Analysis
RSA 2006 - Visual Security Event AnalysisRSA 2006 - Visual Security Event Analysis
RSA 2006 - Visual Security Event Analysis
 
Creating Your Own Threat Intel Through Hunting & Visualization
Creating Your Own Threat Intel Through Hunting & VisualizationCreating Your Own Threat Intel Through Hunting & Visualization
Creating Your Own Threat Intel Through Hunting & Visualization
 
Security Insights at Scale
Security Insights at ScaleSecurity Insights at Scale
Security Insights at Scale
 
Creating Your Own Threat Intel Through Hunting & Visualization
Creating Your Own Threat Intel Through Hunting & VisualizationCreating Your Own Threat Intel Through Hunting & Visualization
Creating Your Own Threat Intel Through Hunting & Visualization
 
AI & ML in Cyber Security - Welcome Back to 1999 - Security Hasn't Changed
AI & ML in Cyber Security - Welcome Back to 1999 - Security Hasn't ChangedAI & ML in Cyber Security - Welcome Back to 1999 - Security Hasn't Changed
AI & ML in Cyber Security - Welcome Back to 1999 - Security Hasn't Changed
 

Similaire à Log Visualization - Bellua BCS 2006

Insider Threat – The Visual Conviction - FIRST 2007 - Sevilla
Insider Threat – The Visual Conviction - FIRST 2007 - SevillaInsider Threat – The Visual Conviction - FIRST 2007 - Sevilla
Insider Threat – The Visual Conviction - FIRST 2007 - SevillaRaffael Marty
 
3 scanning-ger paoctes-pub
3 scanning-ger paoctes-pub3 scanning-ger paoctes-pub
3 scanning-ger paoctes-pubCassio Ramos
 
VYOS & RPKI at the BGP as edge
VYOS & RPKI at the BGP as edgeVYOS & RPKI at the BGP as edge
VYOS & RPKI at the BGP as edgeFaelix Ltd
 
Plug and Play Using Prefix Delegation Mechanism
Plug and Play Using Prefix Delegation MechanismPlug and Play Using Prefix Delegation Mechanism
Plug and Play Using Prefix Delegation MechanismShinsuke SUZUKI
 
Short Introduction to IPv6
Short Introduction to IPv6Short Introduction to IPv6
Short Introduction to IPv6Martin Schütte
 
6th floorsharingsession ep 1 - networking - arp v 1.0
6th floorsharingsession ep 1 - networking - arp v 1.06th floorsharingsession ep 1 - networking - arp v 1.0
6th floorsharingsession ep 1 - networking - arp v 1.0A Achyar Nur
 
[오픈소스컨설팅] Linux Network Troubleshooting
[오픈소스컨설팅] Linux Network Troubleshooting[오픈소스컨설팅] Linux Network Troubleshooting
[오픈소스컨설팅] Linux Network TroubleshootingOpen Source Consulting
 
Neighbor Discovery Deep Dive – IPv6-Networking-Referat
Neighbor Discovery Deep Dive – IPv6-Networking-ReferatNeighbor Discovery Deep Dive – IPv6-Networking-Referat
Neighbor Discovery Deep Dive – IPv6-Networking-ReferatDigicomp Academy AG
 
Getting started with IPv6
Getting started with IPv6Getting started with IPv6
Getting started with IPv6Private
 
Insider Threat Visualization - HackInTheBox 2007
Insider Threat Visualization - HackInTheBox 2007Insider Threat Visualization - HackInTheBox 2007
Insider Threat Visualization - HackInTheBox 2007Raffael Marty
 
PLNOG 13: Krzysztof Mazepa: BGP FlowSpec
PLNOG 13: Krzysztof Mazepa: BGP FlowSpecPLNOG 13: Krzysztof Mazepa: BGP FlowSpec
PLNOG 13: Krzysztof Mazepa: BGP FlowSpecPROIDEA
 
RARP, BOOTP, DHCP and PXE Protocols
RARP, BOOTP, DHCP and PXE ProtocolsRARP, BOOTP, DHCP and PXE Protocols
RARP, BOOTP, DHCP and PXE ProtocolsPeter R. Egli
 
The benefit of BGP for every service provider
The benefit of BGP for every service providerThe benefit of BGP for every service provider
The benefit of BGP for every service providerThomas Mangin
 
Upcoming internet challenges
Upcoming internet challengesUpcoming internet challenges
Upcoming internet challengesIvan Pepelnjak
 
How To Install OFED Linux/VMware/Windows
How To Install OFED Linux/VMware/WindowsHow To Install OFED Linux/VMware/Windows
How To Install OFED Linux/VMware/WindowsNaoto MATSUMOTO
 
Dynamische Routingprotokolle Aufzucht und Pflege - BGP
Dynamische Routingprotokolle Aufzucht und Pflege - BGPDynamische Routingprotokolle Aufzucht und Pflege - BGP
Dynamische Routingprotokolle Aufzucht und Pflege - BGPMaximilan Wilhelm
 

Similaire à Log Visualization - Bellua BCS 2006 (20)

Insider Threat – The Visual Conviction - FIRST 2007 - Sevilla
Insider Threat – The Visual Conviction - FIRST 2007 - SevillaInsider Threat – The Visual Conviction - FIRST 2007 - Sevilla
Insider Threat – The Visual Conviction - FIRST 2007 - Sevilla
 
3 scanning-ger paoctes-pub
3 scanning-ger paoctes-pub3 scanning-ger paoctes-pub
3 scanning-ger paoctes-pub
 
MPLS LAB Practice Vol.1.pdf
MPLS LAB Practice Vol.1.pdfMPLS LAB Practice Vol.1.pdf
MPLS LAB Practice Vol.1.pdf
 
Network Security Best Practice (BCP38 & 140)
Network Security Best Practice (BCP38 & 140) Network Security Best Practice (BCP38 & 140)
Network Security Best Practice (BCP38 & 140)
 
VYOS & RPKI at the BGP as edge
VYOS & RPKI at the BGP as edgeVYOS & RPKI at the BGP as edge
VYOS & RPKI at the BGP as edge
 
Plug and Play Using Prefix Delegation Mechanism
Plug and Play Using Prefix Delegation MechanismPlug and Play Using Prefix Delegation Mechanism
Plug and Play Using Prefix Delegation Mechanism
 
Short Introduction to IPv6
Short Introduction to IPv6Short Introduction to IPv6
Short Introduction to IPv6
 
Icnd210 s08l02
Icnd210 s08l02Icnd210 s08l02
Icnd210 s08l02
 
Tech f42
Tech f42Tech f42
Tech f42
 
6th floorsharingsession ep 1 - networking - arp v 1.0
6th floorsharingsession ep 1 - networking - arp v 1.06th floorsharingsession ep 1 - networking - arp v 1.0
6th floorsharingsession ep 1 - networking - arp v 1.0
 
[오픈소스컨설팅] Linux Network Troubleshooting
[오픈소스컨설팅] Linux Network Troubleshooting[오픈소스컨설팅] Linux Network Troubleshooting
[오픈소스컨설팅] Linux Network Troubleshooting
 
Neighbor Discovery Deep Dive – IPv6-Networking-Referat
Neighbor Discovery Deep Dive – IPv6-Networking-ReferatNeighbor Discovery Deep Dive – IPv6-Networking-Referat
Neighbor Discovery Deep Dive – IPv6-Networking-Referat
 
Getting started with IPv6
Getting started with IPv6Getting started with IPv6
Getting started with IPv6
 
Insider Threat Visualization - HackInTheBox 2007
Insider Threat Visualization - HackInTheBox 2007Insider Threat Visualization - HackInTheBox 2007
Insider Threat Visualization - HackInTheBox 2007
 
PLNOG 13: Krzysztof Mazepa: BGP FlowSpec
PLNOG 13: Krzysztof Mazepa: BGP FlowSpecPLNOG 13: Krzysztof Mazepa: BGP FlowSpec
PLNOG 13: Krzysztof Mazepa: BGP FlowSpec
 
RARP, BOOTP, DHCP and PXE Protocols
RARP, BOOTP, DHCP and PXE ProtocolsRARP, BOOTP, DHCP and PXE Protocols
RARP, BOOTP, DHCP and PXE Protocols
 
The benefit of BGP for every service provider
The benefit of BGP for every service providerThe benefit of BGP for every service provider
The benefit of BGP for every service provider
 
Upcoming internet challenges
Upcoming internet challengesUpcoming internet challenges
Upcoming internet challenges
 
How To Install OFED Linux/VMware/Windows
How To Install OFED Linux/VMware/WindowsHow To Install OFED Linux/VMware/Windows
How To Install OFED Linux/VMware/Windows
 
Dynamische Routingprotokolle Aufzucht und Pflege - BGP
Dynamische Routingprotokolle Aufzucht und Pflege - BGPDynamische Routingprotokolle Aufzucht und Pflege - BGP
Dynamische Routingprotokolle Aufzucht und Pflege - BGP
 

Plus de Raffael Marty

Exploring the Defender's Advantage
Exploring the Defender's AdvantageExploring the Defender's Advantage
Exploring the Defender's AdvantageRaffael Marty
 
Extended Detection and Response (XDR) An Overhyped Product Category With Ulti...
Extended Detection and Response (XDR) An Overhyped Product Category With Ulti...Extended Detection and Response (XDR) An Overhyped Product Category With Ulti...
Extended Detection and Response (XDR) An Overhyped Product Category With Ulti...Raffael Marty
 
How To Drive Value with Security Data
How To Drive Value with Security DataHow To Drive Value with Security Data
How To Drive Value with Security DataRaffael Marty
 
Cyber Security Beyond 2020 – Will We Learn From Our Mistakes?
Cyber Security Beyond 2020 – Will We Learn From Our Mistakes?Cyber Security Beyond 2020 – Will We Learn From Our Mistakes?
Cyber Security Beyond 2020 – Will We Learn From Our Mistakes?Raffael Marty
 
Artificial Intelligence – Time Bomb or The Promised Land?
Artificial Intelligence – Time Bomb or The Promised Land?Artificial Intelligence – Time Bomb or The Promised Land?
Artificial Intelligence – Time Bomb or The Promised Land?Raffael Marty
 
Understanding the "Intelligence" in AI
Understanding the "Intelligence" in AIUnderstanding the "Intelligence" in AI
Understanding the "Intelligence" in AIRaffael Marty
 
AI & ML in Cyber Security - Why Algorithms are Dangerous
AI & ML in Cyber Security - Why Algorithms are DangerousAI & ML in Cyber Security - Why Algorithms are Dangerous
AI & ML in Cyber Security - Why Algorithms are DangerousRaffael Marty
 
AI & ML in Cyber Security - Why Algorithms Are Dangerous
AI & ML in Cyber Security - Why Algorithms Are DangerousAI & ML in Cyber Security - Why Algorithms Are Dangerous
AI & ML in Cyber Security - Why Algorithms Are DangerousRaffael Marty
 
Delivering Security Insights with Data Analytics and Visualization
Delivering Security Insights with Data Analytics and VisualizationDelivering Security Insights with Data Analytics and Visualization
Delivering Security Insights with Data Analytics and VisualizationRaffael Marty
 
Visualization in the Age of Big Data
Visualization in the Age of Big DataVisualization in the Age of Big Data
Visualization in the Age of Big DataRaffael Marty
 
Big Data Visualization
Big Data VisualizationBig Data Visualization
Big Data VisualizationRaffael Marty
 
The Heatmap
 - Why is Security Visualization so Hard?
The Heatmap
 - Why is Security Visualization so Hard?The Heatmap
 - Why is Security Visualization so Hard?
The Heatmap
 - Why is Security Visualization so Hard?Raffael Marty
 
Workshop: Big Data Visualization for Security
Workshop: Big Data Visualization for SecurityWorkshop: Big Data Visualization for Security
Workshop: Big Data Visualization for SecurityRaffael Marty
 
Visualization for Security
Visualization for SecurityVisualization for Security
Visualization for SecurityRaffael Marty
 
The Heatmap
 - Why is Security Visualization so Hard?
The Heatmap
 - Why is Security Visualization so Hard?The Heatmap
 - Why is Security Visualization so Hard?
The Heatmap
 - Why is Security Visualization so Hard?Raffael Marty
 
DAVIX - Data Analysis and Visualization Linux
DAVIX - Data Analysis and Visualization LinuxDAVIX - Data Analysis and Visualization Linux
DAVIX - Data Analysis and Visualization LinuxRaffael Marty
 
Cyber Security – How Visual Analytics Unlock Insight
Cyber Security – How Visual Analytics Unlock InsightCyber Security – How Visual Analytics Unlock Insight
Cyber Security – How Visual Analytics Unlock InsightRaffael Marty
 

Plus de Raffael Marty (19)

Exploring the Defender's Advantage
Exploring the Defender's AdvantageExploring the Defender's Advantage
Exploring the Defender's Advantage
 
Extended Detection and Response (XDR) An Overhyped Product Category With Ulti...
Extended Detection and Response (XDR) An Overhyped Product Category With Ulti...Extended Detection and Response (XDR) An Overhyped Product Category With Ulti...
Extended Detection and Response (XDR) An Overhyped Product Category With Ulti...
 
How To Drive Value with Security Data
How To Drive Value with Security DataHow To Drive Value with Security Data
How To Drive Value with Security Data
 
Cyber Security Beyond 2020 – Will We Learn From Our Mistakes?
Cyber Security Beyond 2020 – Will We Learn From Our Mistakes?Cyber Security Beyond 2020 – Will We Learn From Our Mistakes?
Cyber Security Beyond 2020 – Will We Learn From Our Mistakes?
 
Artificial Intelligence – Time Bomb or The Promised Land?
Artificial Intelligence – Time Bomb or The Promised Land?Artificial Intelligence – Time Bomb or The Promised Land?
Artificial Intelligence – Time Bomb or The Promised Land?
 
Understanding the "Intelligence" in AI
Understanding the "Intelligence" in AIUnderstanding the "Intelligence" in AI
Understanding the "Intelligence" in AI
 
Security Chat 5.0
Security Chat 5.0Security Chat 5.0
Security Chat 5.0
 
AI & ML in Cyber Security - Why Algorithms are Dangerous
AI & ML in Cyber Security - Why Algorithms are DangerousAI & ML in Cyber Security - Why Algorithms are Dangerous
AI & ML in Cyber Security - Why Algorithms are Dangerous
 
AI & ML in Cyber Security - Why Algorithms Are Dangerous
AI & ML in Cyber Security - Why Algorithms Are DangerousAI & ML in Cyber Security - Why Algorithms Are Dangerous
AI & ML in Cyber Security - Why Algorithms Are Dangerous
 
Delivering Security Insights with Data Analytics and Visualization
Delivering Security Insights with Data Analytics and VisualizationDelivering Security Insights with Data Analytics and Visualization
Delivering Security Insights with Data Analytics and Visualization
 
Visualization in the Age of Big Data
Visualization in the Age of Big DataVisualization in the Age of Big Data
Visualization in the Age of Big Data
 
Big Data Visualization
Big Data VisualizationBig Data Visualization
Big Data Visualization
 
The Heatmap
 - Why is Security Visualization so Hard?
The Heatmap
 - Why is Security Visualization so Hard?The Heatmap
 - Why is Security Visualization so Hard?
The Heatmap
 - Why is Security Visualization so Hard?
 
Workshop: Big Data Visualization for Security
Workshop: Big Data Visualization for SecurityWorkshop: Big Data Visualization for Security
Workshop: Big Data Visualization for Security
 
Visualization for Security
Visualization for SecurityVisualization for Security
Visualization for Security
 
The Heatmap
 - Why is Security Visualization so Hard?
The Heatmap
 - Why is Security Visualization so Hard?The Heatmap
 - Why is Security Visualization so Hard?
The Heatmap
 - Why is Security Visualization so Hard?
 
DAVIX - Data Analysis and Visualization Linux
DAVIX - Data Analysis and Visualization LinuxDAVIX - Data Analysis and Visualization Linux
DAVIX - Data Analysis and Visualization Linux
 
Cyber Security – How Visual Analytics Unlock Insight
Cyber Security – How Visual Analytics Unlock InsightCyber Security – How Visual Analytics Unlock Insight
Cyber Security – How Visual Analytics Unlock Insight
 
AfterGlow
AfterGlowAfterGlow
AfterGlow
 

Dernier

Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Unlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsUnlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsPrecisely
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraDeakin University
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 

Dernier (20)

Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Unlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsUnlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power Systems
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 

Log Visualization - Bellua BCS 2006

  • 1. Logfile Visualization– The Beauty of Graphs BCS 2006, Jakarta Raffael Marty, GCIA, CISSP Manager Solutions @ ArcSight August 30th, 2006 *
  • 2. Raffael Marty, GCIA, CISSP  Enterprise Security Management (ESM) specialist  Strategic Application Solutions @ ArcSight, Inc.  Intrusion Detection Research @ IBM Research  See http://thor.cryptojail.net  IT Security Consultant @ PriceWaterhouse Coopers  Open Vulnerability and Assessment Language (OVAL) board member  Passion for Visual Security Event Analysis Raffael Marty BCS 2006 Jakarta 2
  • 3. Table Of Contents ► Introduction ► Graphing Basics ► Graph Use Cases ► Visual Analysis Process ► AfterGlow ► Firewall Log Visualization Raffael Marty BCS 2006 Jakarta 3
  • 4. Introduction Raffael Marty BCS 2006 Las Vegas 4
  • 5. Disclaimer IP addresses and host names showing up in event graphs and descriptions were obfuscated/changed. The addresses are completely random and any resemblance with well-known addresses or host names are purely coincidental. Raffael Marty BCS 2006 Jakarta 5
  • 6. A Picture is Worth a Thousand Log Entries Detect the Expected Detect the Expected & Discover the Unexpected & Discover the Unexpected Reduce Analysis and Response Times Reduce Analysis and Response Times Make Better Decisions Make Better Decisions Raffael Marty BCS 2006 Jakarta 6
  • 7. Text or Visuals? ►What would you rather look at? Jun 17 09:42:30 rmarty ifup: Determining IP information for eth0... Jun 17 09:42:35 rmarty ifup: failed; no link present. Check cable? Jun 17 09:42:35 rmarty network: Bringing up interface eth0: failed Jun 17 09:42:38 rmarty sendmail: sendmail shutdown succeeded Jun 17 09:42:38 rmarty sendmail: sm-client shutdown succeeded Jun 17 09:42:39 rmarty sendmail: sendmail startup succeeded Jun 17 09:42:39 rmarty sendmail: sm-client startup succeeded Jun 17 09:43:39 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128 Jun 17 09:45:42 rmarty last message repeated 2 times Jun 17 09:45:47 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128 Jun 17 09:56:02 rmarty vmnet-dhcpd: DHCPDISCOVER from 00:0c:29:b7:b2:47 via vmnet8 Jun 17 09:56:03 rmarty vmnet-dhcpd: DHCPOFFER on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8 Jun 17 09:56:03 rmarty vmnet-dhcpd: DHCPREQUEST for 172.16.48.128 from 00:0c:29:b7:b2:47 via vmnet8 Jun 17 09:56:03 rmarty vmnet-dhcpd: DHCPACK on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8 Jun 17 10:00:03 rmarty crond(pam_unix)[30534]: session opened for user root by (uid=0) Jun 17 10:00:10 rmarty crond(pam_unix)[30534]: session closed for user root Jun 17 10:01:02 rmarty crond(pam_unix)[30551]: session opened for user root by (uid=0) Jun 17 10:01:07 rmarty crond(pam_unix)[30551]: session closed for user root Jun 17 10:05:02 rmarty crond(pam_unix)[30567]: session opened for user idabench by (uid=0) Jun 17 10:05:05 rmarty crond(pam_unix)[30567]: session closed for user idabench Jun 17 10:13:05 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.19/192.168.80.19 to UDP port: 192 Jun 17 10:13:05 rmarty portsentry[4797]: attackalert: Host: 192.168.80.19/192.168.80.19 is already blocked Ignoring Jun 17 10:14:09 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68 Jun 17 10:14:09 rmarty portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring Jun 17 10:14:09 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68 Jun 17 10:14:09 rmarty portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring Jun 17 10:21:30 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68 Jun 17 10:21:30 rmarty portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring Jun 17 10:28:40 rmarty vmnet-dhcpd: DHCPDISCOVER from 00:0c:29:b7:b2:47 via vmnet8 Jun 17 10:28:41 rmarty vmnet-dhcpd: DHCPOFFER on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8 Jun 17 10:28:41 rmarty vmnet-dhcpd: DHCPREQUEST for 172.16.48.128 from 00:0c:29:b7:b2:47 via vmnet8 Jun 17 10:28:45 rmarty vmnet-dhcpd: DHCPACK on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8 Jun 17 10:30:47 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68 Jun 17 10:30:47 rmarty portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring Jun 17 10:30:47 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68 Jun 17 10:30:47 rmarty portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring Jun 17 10:35:28 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128 Jun 17 10:35:31 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128 Jun 17 10:38:51 rmarty vmnet-dhcpd: DHCPREQUEST for 172.16.48.128 from 00:0c:29:b7:b2:47 via vmnet8 Jun 17 10:38:52 rmarty vmnet-dhcpd: DHCPACK on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8 Jun 17 10:42:35 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128 Jun 17 10:42:38 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128 Raffael Marty BCS 2006 Jakarta 7
  • 8. Graphing Basics Raffael Marty BCS 2006 Las Vegas 8
  • 9. How To Generate A Graph ... | Normalization | ... Device Parser Event Visualizer Jun 17 09:42:30 rmarty ifup: Determining IP information for eth0... Jun 17 09:42:35 rmarty ifup: failed; no link present. Check cable? Jun 17 09:42:35 rmarty network: Bringing up interface eth0: failed Jun 17 09:42:38 rmarty sendmail: sendmail shutdown succeeded Jun 17 09:42:38 rmarty sendmail: sm-client shutdown succeeded Jun 17 09:42:39 rmarty sendmail: sendmail startup succeeded Jun 17 09:42:39 rmarty sendmail: sm-client startup succeeded Jun 17 09:43:39 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128 Jun 17 09:45:42 rmarty last message repeated 2 times Jun 17 09:45:47 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128 Visual Jun 17 09:56:02 rmarty vmnet-dhcpd: DHCPDISCOVER from 00:0c:29:b7:b2:47 via vmnet8 Jun 17 09:56:03 rmarty vmnet-dhcpd: DHCPOFFER on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8 NH Log File Raffael Marty BCS 2006 Jakarta 9
  • 10. Visual Types Link Graphs TreeMaps AfterGlow 1.x - Perl AfterGlow 2.0 - JAVA Raffael Marty BCS 2006 Jakarta 10
  • 11. Link Graph Configurations Raw Event: [**] [1:1923:2] RPC portmap UDP proxy attempt [**] [Classification: Decode of an RPC Query] [Priority: 2] 06/04-15:56:28.219753 192.168.10.90:32859 -> 192.168.10.255:111 UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:148 DF Len: 120 Different node configurations: SIP Name DIP SIP DIP DPort 192.168.10.90 RPC portmap 192.168.10.255 192.168.10.90 192.168.10.255 111 SIP SPort DPort Name SIP DIP 192.168.10.90 32859 111 RPC portmap 192.168.10.90 192.168.10.255 Raffael Marty BCS 2006 Jakarta 11
  • 12. Tree Maps All Network Traffic Raffael Marty BCS 2006 Jakarta 12
  • 13. Tree Maps 20% 80% UDP TCP Configuration (Hierarchy): Protocol Raffael Marty BCS 2006 Jakarta 13
  • 14. Tree Maps UDP TCP HTTP DNS UDP TCP SSH SNMP FTP Configuration (Hierarchy): Protocol -> Service Raffael Marty BCS 2006 Jakarta 14
  • 15. Graph Use Cases Raffael Marty BCS 2006 Las Vegas 15
  • 16. Graph Use-Cases Situational Awareness Dashboard Raffael Marty BCS 2006 Jakarta 16
  • 17. Graph Use-Cases Suspicious Activity? Raffael Marty BCS 2006 Jakarta 17
  • 18. Graph Use-Cases Network Scan Raffael Marty BCS 2006 Jakarta 18
  • 19. Graph Use-Cases Port Scan ? ►Port scan or something else? Raffael Marty BCS 2006 Jakarta 19
  • 20. Graph Use-Cases PortScan SIP DIP DPort Raffael Marty BCS 2006 Jakarta 20
  • 21. Graph Use-Cases Telecom Malicious Code Propagation From Content To Phone# Type|Size Phone# Raffael Marty BCS 2006 Jakarta 21
  • 22. Graph Use-Cases Email Relays Grey out “my domain” invisibleDomain Make emails to From: My From: Other Domain and from “my domain” To: My Domain To: Other Domain Do you run an open relay? From To Raffael Marty BCS 2006 Jakarta 22
  • 23. Visual Analysis Process Raffael Marty BCS 2006 Las Vegas 23
  • 24. Visual Analysis Process Event Feedback Loop Feb 18 13:39:15.598491 rule 71/0(match): pass in on xl0: 195.27.249.139.63263 > 195.141.69.42.80: Device S 492525755:492525755(0) win 32768 <mss 1460,nop,wscale 0,nop,nop,timestamp 24053 0> (DF) Feb 18 13:39:15.899644 rule 71/0(match): pass in on xl0: 195.27.249.139.63264 > 195.141.69.42.80: S 875844783:875844783(0) win 32768 <mss 1460,nop,wscale 0,nop,nop,timestamp 24054 0> (DF) Normalization 195.27.249.139,195.141.69.42,80 195.27.249.139,195.141.69.42,80 Filter 195.27.249.139,195.141.69.42,80 Service stopped Correlation Visual Raffael Marty BCS 2006 Jakarta 24
  • 25. Visual Analysis Process Event Feedback Loop Real-time Visual Data Forensic and Detection Processing Historical Analysis Creation of new Filters Visual and Correlation Components Investigation Assign to Content Author Raffael Marty BCS 2006 Jakarta 25
  • 26. Visual Analysis Process Visual Detection Beginning of Analyst’s shift Raffael Marty BCS 2006 Jakarta 26
  • 27. Visual Analysis Process Visual Detection Scanning activity is displayed Firewall Blocks Scan Events Raffael Marty BCS 2006 Jakarta 27
  • 28. Visual Analysis Process Visual Investigation Raffael Marty BCS 2006 Jakarta 28
  • 29. Visual Analysis Process Defining New Content 1. Correlation Assign for further analysis if More than 20 firewall drops from an external machine to an internal machine 3. Open a ticket for Operations to quarantine and clean infected machines 2. Filter • Internal machines on white-list • connecting to active directory servers Raffael Marty BCS 2006 Jakarta 29
  • 30. AfterGlow http://afterglow.sourceforge.net ► Two Versions: • AfterGlow 1.x – Perl for Link Graphs • AfterGlow 2.0 – Java for TreeMaps ► Collection of Parsers: • pf2csv.pl BSD PacketFilter (pf) • tcpdump2csv.pl tcpdump 3.9 • sendmail2csv.pl Sendmail transaction logs Raffael Marty BCS 2006 Jakarta 30
  • 31. AfterGlow afterglow.sourceforge.net Raffael Marty BCS 2006 Las Vegas 31
  • 32. AfterGlow Parsers ► tcpdump2csv.pl • Takes care of swapping response source and targets tcpdump -vttttnnelr /tmp/log.tcpdump | ./tcpdump2csv.pl "sip dip sport" ► sendmail_parser.pl • Reassemble email conversations: Jul 24 21:01:16 rmarty sendmail[17072]: j6P41Gqt017072: from=<root@localhost.localdomain>, size=650, class=0, nrcpts=1, Jul 24 21:01:16 rmarty sendmail[17073]: j6P41Gqt017072: to=ram, ctladdr=<root@localhost.localdomain> (0/0), delay=00:00:00, xdelay=00:00:00, mailer=local, pri=30881, dsn=2.0.0, stat=Sent ► pf2csv.pl • Parsing OpenBSD pf output Raffael Marty BCS 2006 Jakarta 32
  • 33. AfterGlow 1.x - Perl Parser AfterGlow Grapher Graph CSV File LanguageFile ► Supported graphing tools: • GraphViz from AT&T (dot, neato, circo, twopi) http://www.graphviz.org • LGL (Large Graph Layout) by Alex Adai http://bioinformatics.icmb.utexas.edu/lgl/ Raffael Marty BCS 2006 Jakarta 33
  • 34. AfterGlow 1.x Features ► Generate Link Graphs ► Filtering Nodes • Based on name Fan Out: 3 • Based on number of occurrences ► Fan Out Filtering ► Coloring • Edges • Nodes ► Clustering Raffael Marty BCS 2006 Jakarta 34
  • 35. AfterGlow 1.x Hello World Input Data: Command: a,b cat file | ./afterglow –c simple.properties –t neato –Tgif –o test.gif a,c b,c simple.properties: d,e color.source=“green” if ($fields[0] ne “d”) color.target=“blue” if ($fields[1] ne “e”) Output: d color.source=“red” color=“green” b e a c Raffael Marty BCS 2006 Jakarta 35
  • 36. AfterGlow 1.x Property File – Color Definition  Coloring: color.[source|event|target|edge]= <perl expression returning a color name>  Array @fields contains input-line, split into tokens: color.event=“red” if ($fields[1] =~ /^192..*)  Filter nodes with “invisible” color: color.target=“invisible” if ($fields[0] eq “IIS Action”) Raffael Marty BCS 2006 Jakarta 36
  • 37. AfterGlow 1.x Property File - Clustering  Clustering: cluster.[source|event|target]= <perl expression returning a cluster name> Raffael Marty BCS 2006 Jakarta 37
  • 38. AfterGlow 2.0 - Java Parser AfterGlow - Java CSV File ► Command line arguments: -h : help -c file : property file -f file : data file Raffael Marty BCS 2006 Jakarta 38
  • 39. AfterGlow 2.0 Example ► Data: ## AfterGlow -- JAVA 2.0 AfterGlow JAVA 2.0 ## Properties File Properties File Target System Type,SIP,DIP,User,Outcome Development,192.168.10.1,10.10.2.1,ram,failure ## File to load File to load file.name=/home/ram/afterglow/data/sample.csv VPN,192.168.10.1,10.10.2.1,ram,success file.name=/home/ram/afterglow/data/sample.csv Financial System,192.168.20.1,10.0.3.1,drob,success ## Column Types (default is STRING), start with 0! VPN,192.168.10.1,10.10.2.1,ram,success Column Types (default is STRING), start with 0! ## Valid values: Valid values: VPN,192.168.10.1,10.10.2.1,jmoe,failure ## STRING STRING Financial System,192.168.10.1,10.10.2.1,jmoe,success ## INTEGER INTEGER Financial System,192.168.10.1,10.10.2.1,jmoe,failure ## CATEGORICAL CATEGORICAL column.type.count=4 column.type.count=4 ► Launch: column.type[0].column=0 column.type[0].column=0 column.type[0].type=INTEGER column.type[0].type=INTEGER column.type[1].column=1 column.type[1].column=1 ./afterglow-java.sh –c afterglow.properties column.type[1].type=CATEGORICAL column.type[1].type=CATEGORICAL column.type[2].column=2 column.type[2].column=2 column.type[2].type=CATEGORICAL column.type[2].type=CATEGORICAL column.type[3].column=3 column.type[3].column=3 column.type[3].type=CATEGORICAL column.type[3].type=CATEGORICAL ## Size Column (default is 0) Size Column (default is 0) size.column=0 size.column=0 ## Color Column (default is 0) Color Column (default is 0) color.column=2 color.column=2 Raffael Marty BCS 2006 Jakarta 39
  • 40. AfterGlow 2.0 Output Raffael Marty BCS 2006 Jakarta 40
  • 41. AfterGlow 2.0 Interaction ► Left-click: • Zoom in ► Right-click: • Zoom all the way out ► Middle-click • Change Coloring to current depth (Hack: Use SHIFT for leafs) Raffael Marty BCS 2006 Jakarta 41
  • 42. AfterGlow Firewall Log Analysis Example Input (pflog): Feb 18 13:39:15.598491 rule 71/0(match): pass in on xl0: 195.27.249.139.63263 > 195.141.69.42.80: S 492525755:492525755(0) win 32768 <mss 1460,nop,wscale 0,nop,nop,timestamp 24053 0> (DF) Feb 18 13:39:15.899644 rule 71/0(match): pass in on xl0: 195.27.249.139.63264 > 195.141.69.42.80: S 875844783:875844783(0) win 32768 <mss 1460,nop,wscale 0,nop,nop,timestamp 24054 0> (DF) Command: cat pflog | pf2csv.pl “sip dip dport” Output: 195.27.249.139,195.141.69.42,80 195.27.249.139,195.141.69.42,80 AfterGlow Input Visualization: cat pflog | pf2csv.pl “sip dip dport” | afterglow –c properties | neato –Tgif –o foo.gif Raffael Marty BCS 2006 Jakarta 42
  • 43. AfterGlow Firewall Log Analysis Example Command: cat log | grep pass_in | ./afterglow –c properties –d | dot –Tgif –o foo.gif Properties: cluster.source="External" if (!match("^195.141.69")) color=“red” if (field() eq “External”) color.event=“blue" if (regex("^195.141.69")) color.event=“lightblue” color="red" Port 100 access Raffael Marty BCS 2006 Jakarta 43
  • 44. Summary ► Quickly Visualize Log Files • Understand Relationships • Find Outliers • Spot suspicious activity ► Visual Don’t Read Log Files Don’t Read Log Files Data Analysis Process ► AfterGlow Visualize Them!! Visualize Them!! ► Firewall Log File Analysis Raffael Marty BCS 2006 Jakarta 44
  • 45. THANKS! raffy@arcsight.com Raffael Marty DefCon 2006 Las Vegas BCS Jakarta 45

Notes de l'éditeur

  1. Focus on the little circles (especially on the bottom of the graph). These circles indicate sources (red nodes) that are connecting to many machines (green nodes) on the same port (white node). The zoom on the right side shows that there is one machine (the left red node) which connects to about a dozen machines on the same port. Depending on the source machine, this is normal or possibly anomalous behavior! Certainly worth investigating. For graphs like this it might make sense to apply a filter which prevents servers (especially Windows Domain Controllers) from being drawn. Those usually show very different behavior than all the other machines.
  2. The graph shows a configuration that uses the destination address (green nodes) and target ports (white nodes). The contiguous port numbers either represent a part of a portscan or, what is more likely, a device which reports source ports as destination ports for some of the events.
  3. In this graph we are looking at a zoom of the graph from the previous slide again. Because we chose to show the destination ports only once in the graph (configure the graph to be show nodes “once per distinct source node”), we can quickly identify all the machines that are using a specific service on the network (red nodes connecting to to the same white node) and also what machines are making use of those services (green nodes connecting to the white nodes). Filter out all the services (i.e., ports) that you know are running on your network and you will be able to spot servers that you did not know of and should not exist on the network!