Breaking the Kubernetes Kill Chain: Host Path Mount
Log Visualization - Bellua BCS 2006
1. Logfile Visualization– The Beauty of Graphs
BCS 2006, Jakarta
Raffael Marty, GCIA, CISSP
Manager Solutions @ ArcSight
August 30th, 2006
*
2. Raffael Marty, GCIA, CISSP
Enterprise Security Management (ESM) specialist
Strategic Application Solutions @ ArcSight, Inc.
Intrusion Detection Research @ IBM Research
See http://thor.cryptojail.net
IT Security Consultant @ PriceWaterhouse Coopers
Open Vulnerability and Assessment Language
(OVAL) board member
Passion for Visual Security Event Analysis
Raffael Marty BCS 2006 Jakarta 2
3. Table Of Contents
► Introduction
► Graphing Basics
► Graph Use Cases
► Visual Analysis Process
► AfterGlow
► Firewall Log Visualization
Raffael Marty BCS 2006 Jakarta 3
5. Disclaimer
IP addresses and host names showing
up in event graphs and descriptions were
obfuscated/changed. The addresses are
completely random and any resemblance
with well-known addresses or host names
are purely coincidental.
Raffael Marty BCS 2006 Jakarta 5
6. A Picture is Worth a Thousand Log Entries
Detect the Expected
Detect the Expected
& Discover the Unexpected
& Discover the Unexpected
Reduce Analysis and Response Times
Reduce Analysis and Response Times
Make Better Decisions
Make Better Decisions
Raffael Marty BCS 2006 Jakarta 6
7. Text or Visuals?
►What would you rather look at?
Jun 17 09:42:30 rmarty ifup: Determining IP information for eth0...
Jun 17 09:42:35 rmarty ifup: failed; no link present. Check cable?
Jun 17 09:42:35 rmarty network: Bringing up interface eth0: failed
Jun 17 09:42:38 rmarty sendmail: sendmail shutdown succeeded
Jun 17 09:42:38 rmarty sendmail: sm-client shutdown succeeded
Jun 17 09:42:39 rmarty sendmail: sendmail startup succeeded
Jun 17 09:42:39 rmarty sendmail: sm-client startup succeeded
Jun 17 09:43:39 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128
Jun 17 09:45:42 rmarty last message repeated 2 times
Jun 17 09:45:47 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128
Jun 17 09:56:02 rmarty vmnet-dhcpd: DHCPDISCOVER from 00:0c:29:b7:b2:47 via vmnet8
Jun 17 09:56:03 rmarty vmnet-dhcpd: DHCPOFFER on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8
Jun 17 09:56:03 rmarty vmnet-dhcpd: DHCPREQUEST for 172.16.48.128 from 00:0c:29:b7:b2:47 via vmnet8
Jun 17 09:56:03 rmarty vmnet-dhcpd: DHCPACK on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8
Jun 17 10:00:03 rmarty crond(pam_unix)[30534]: session opened for user root by (uid=0)
Jun 17 10:00:10 rmarty crond(pam_unix)[30534]: session closed for user root
Jun 17 10:01:02 rmarty crond(pam_unix)[30551]: session opened for user root by (uid=0)
Jun 17 10:01:07 rmarty crond(pam_unix)[30551]: session closed for user root
Jun 17 10:05:02 rmarty crond(pam_unix)[30567]: session opened for user idabench by (uid=0)
Jun 17 10:05:05 rmarty crond(pam_unix)[30567]: session closed for user idabench
Jun 17 10:13:05 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.19/192.168.80.19 to UDP port: 192
Jun 17 10:13:05 rmarty portsentry[4797]: attackalert: Host: 192.168.80.19/192.168.80.19 is already blocked Ignoring
Jun 17 10:14:09 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68
Jun 17 10:14:09 rmarty portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring
Jun 17 10:14:09 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68
Jun 17 10:14:09 rmarty portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring
Jun 17 10:21:30 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68
Jun 17 10:21:30 rmarty portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring
Jun 17 10:28:40 rmarty vmnet-dhcpd: DHCPDISCOVER from 00:0c:29:b7:b2:47 via vmnet8
Jun 17 10:28:41 rmarty vmnet-dhcpd: DHCPOFFER on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8
Jun 17 10:28:41 rmarty vmnet-dhcpd: DHCPREQUEST for 172.16.48.128 from 00:0c:29:b7:b2:47 via vmnet8
Jun 17 10:28:45 rmarty vmnet-dhcpd: DHCPACK on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8
Jun 17 10:30:47 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68
Jun 17 10:30:47 rmarty portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring
Jun 17 10:30:47 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68
Jun 17 10:30:47 rmarty portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring
Jun 17 10:35:28 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128
Jun 17 10:35:31 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128
Jun 17 10:38:51 rmarty vmnet-dhcpd: DHCPREQUEST for 172.16.48.128 from 00:0c:29:b7:b2:47 via vmnet8
Jun 17 10:38:52 rmarty vmnet-dhcpd: DHCPACK on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8
Jun 17 10:42:35 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128
Jun 17 10:42:38 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128
Raffael Marty BCS 2006 Jakarta 7
9. How To Generate A Graph
... | Normalization | ...
Device Parser Event Visualizer
Jun 17 09:42:30 rmarty ifup: Determining IP information for eth0...
Jun 17 09:42:35 rmarty ifup: failed; no link present. Check cable?
Jun 17 09:42:35 rmarty network: Bringing up interface eth0: failed
Jun 17 09:42:38 rmarty sendmail: sendmail shutdown succeeded
Jun 17 09:42:38 rmarty sendmail: sm-client shutdown succeeded
Jun 17 09:42:39 rmarty sendmail: sendmail startup succeeded
Jun 17 09:42:39 rmarty sendmail: sm-client startup succeeded
Jun 17 09:43:39 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128
Jun 17 09:45:42 rmarty last message repeated 2 times
Jun 17 09:45:47 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128
Visual
Jun 17 09:56:02 rmarty vmnet-dhcpd: DHCPDISCOVER from 00:0c:29:b7:b2:47 via vmnet8
Jun 17 09:56:03 rmarty vmnet-dhcpd: DHCPOFFER on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8
NH
Log File
Raffael Marty BCS 2006 Jakarta 9
10. Visual Types
Link Graphs TreeMaps
AfterGlow 1.x - Perl AfterGlow 2.0 - JAVA
Raffael Marty BCS 2006 Jakarta 10
11. Link Graph Configurations
Raw Event:
[**] [1:1923:2] RPC portmap UDP proxy attempt [**]
[Classification: Decode of an RPC Query] [Priority: 2]
06/04-15:56:28.219753 192.168.10.90:32859 ->
192.168.10.255:111
UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:148 DF
Len: 120
Different node configurations:
SIP Name DIP SIP DIP DPort
192.168.10.90 RPC portmap 192.168.10.255 192.168.10.90 192.168.10.255 111
SIP SPort DPort Name SIP DIP
192.168.10.90 32859 111 RPC portmap 192.168.10.90 192.168.10.255
Raffael Marty BCS 2006 Jakarta 11
12. Tree Maps
All Network Traffic
Raffael Marty BCS 2006 Jakarta 12
13. Tree Maps
20% 80%
UDP TCP
Configuration (Hierarchy): Protocol
Raffael Marty BCS 2006 Jakarta 13
14. Tree Maps
UDP TCP
HTTP
DNS
UDP TCP
SSH
SNMP FTP
Configuration (Hierarchy): Protocol -> Service
Raffael Marty BCS 2006 Jakarta 14
21. Graph Use-Cases
Telecom Malicious Code Propagation
From Content To
Phone# Type|Size Phone#
Raffael Marty BCS 2006 Jakarta 21
22. Graph Use-Cases
Email Relays
Grey out “my domain” invisibleDomain
Make emails to From: My
From: Other Domain
and from “my domain” To: My Domain
To: Other Domain
Do you run an open relay?
From To
Raffael Marty BCS 2006 Jakarta 22
24. Visual Analysis Process
Event Feedback Loop
Feb 18 13:39:15.598491 rule 71/0(match): pass in on xl0: 195.27.249.139.63263 > 195.141.69.42.80:
Device S 492525755:492525755(0) win 32768 <mss 1460,nop,wscale 0,nop,nop,timestamp 24053 0> (DF)
Feb 18 13:39:15.899644 rule 71/0(match): pass in on xl0: 195.27.249.139.63264 > 195.141.69.42.80:
S 875844783:875844783(0) win 32768 <mss 1460,nop,wscale 0,nop,nop,timestamp 24054 0> (DF)
Normalization 195.27.249.139,195.141.69.42,80
195.27.249.139,195.141.69.42,80
Filter
195.27.249.139,195.141.69.42,80 Service stopped
Correlation
Visual
Raffael Marty BCS 2006 Jakarta 24
25. Visual Analysis Process
Event Feedback Loop
Real-time
Visual
Data
Forensic and Detection
Processing
Historical Analysis
Creation of new Filters Visual
and Correlation Components Investigation
Assign to
Content Author
Raffael Marty BCS 2006 Jakarta 25
26. Visual Analysis Process
Visual Detection
Beginning of Analyst’s shift
Raffael Marty BCS 2006 Jakarta 26
27. Visual Analysis Process
Visual Detection
Scanning activity is displayed
Firewall Blocks
Scan Events
Raffael Marty BCS 2006 Jakarta 27
29. Visual Analysis Process
Defining New Content
1. Correlation
Assign for further analysis if
More than 20 firewall drops
from an external machine
to an internal machine
3. Open a ticket for Operations to
quarantine and clean infected machines
2. Filter
• Internal machines on white-list
• connecting to active directory servers
Raffael Marty BCS 2006 Jakarta 29
30. AfterGlow
http://afterglow.sourceforge.net
► Two Versions:
• AfterGlow 1.x – Perl for Link Graphs
• AfterGlow 2.0 – Java for TreeMaps
► Collection of Parsers:
• pf2csv.pl BSD PacketFilter (pf)
• tcpdump2csv.pl tcpdump 3.9
• sendmail2csv.pl Sendmail transaction logs
Raffael Marty BCS 2006 Jakarta 30
31. AfterGlow
afterglow.sourceforge.net
Raffael Marty BCS 2006 Las Vegas 31
33. AfterGlow 1.x - Perl
Parser AfterGlow Grapher
Graph
CSV File LanguageFile
► Supported graphing tools:
• GraphViz from AT&T (dot, neato, circo, twopi)
http://www.graphviz.org
• LGL (Large Graph Layout) by Alex Adai
http://bioinformatics.icmb.utexas.edu/lgl/
Raffael Marty BCS 2006 Jakarta 33
34. AfterGlow 1.x
Features
► Generate Link Graphs
► Filtering Nodes
• Based on name
Fan Out: 3
• Based on number of occurrences
► Fan Out Filtering
► Coloring
• Edges
• Nodes
► Clustering
Raffael Marty BCS 2006 Jakarta 34
35. AfterGlow 1.x
Hello World
Input Data: Command:
a,b cat file | ./afterglow –c simple.properties –t
neato –Tgif –o test.gif
a,c
b,c simple.properties:
d,e color.source=“green” if ($fields[0] ne “d”)
color.target=“blue” if ($fields[1] ne “e”)
Output:
d color.source=“red”
color=“green”
b e
a
c
Raffael Marty BCS 2006 Jakarta 35
36. AfterGlow 1.x
Property File – Color Definition
Coloring:
color.[source|event|target|edge]=
<perl expression returning a color name>
Array @fields contains input-line, split into tokens:
color.event=“red” if ($fields[1] =~ /^192..*)
Filter nodes with “invisible” color:
color.target=“invisible” if ($fields[0] eq
“IIS Action”)
Raffael Marty BCS 2006 Jakarta 36
38. AfterGlow 2.0 - Java
Parser AfterGlow - Java
CSV File
► Command line arguments:
-h : help
-c file : property file
-f file : data file
Raffael Marty BCS 2006 Jakarta 38
39. AfterGlow 2.0
Example
► Data:
## AfterGlow -- JAVA 2.0
AfterGlow JAVA 2.0
## Properties File
Properties File
Target System Type,SIP,DIP,User,Outcome
Development,192.168.10.1,10.10.2.1,ram,failure
## File to load
File to load
file.name=/home/ram/afterglow/data/sample.csv
VPN,192.168.10.1,10.10.2.1,ram,success
file.name=/home/ram/afterglow/data/sample.csv
Financial System,192.168.20.1,10.0.3.1,drob,success
## Column Types (default is STRING), start with 0!
VPN,192.168.10.1,10.10.2.1,ram,success
Column Types (default is STRING), start with 0!
## Valid values:
Valid values:
VPN,192.168.10.1,10.10.2.1,jmoe,failure
## STRING
STRING
Financial System,192.168.10.1,10.10.2.1,jmoe,success
## INTEGER
INTEGER
Financial System,192.168.10.1,10.10.2.1,jmoe,failure
## CATEGORICAL
CATEGORICAL
column.type.count=4
column.type.count=4
► Launch: column.type[0].column=0
column.type[0].column=0
column.type[0].type=INTEGER
column.type[0].type=INTEGER
column.type[1].column=1
column.type[1].column=1
./afterglow-java.sh –c afterglow.properties
column.type[1].type=CATEGORICAL
column.type[1].type=CATEGORICAL
column.type[2].column=2
column.type[2].column=2
column.type[2].type=CATEGORICAL
column.type[2].type=CATEGORICAL
column.type[3].column=3
column.type[3].column=3
column.type[3].type=CATEGORICAL
column.type[3].type=CATEGORICAL
## Size Column (default is 0)
Size Column (default is 0)
size.column=0
size.column=0
## Color Column (default is 0)
Color Column (default is 0)
color.column=2
color.column=2
Raffael Marty BCS 2006 Jakarta 39
40. AfterGlow 2.0
Output
Raffael Marty BCS 2006 Jakarta 40
41. AfterGlow 2.0
Interaction
► Left-click:
• Zoom in
► Right-click:
• Zoom all the way out
► Middle-click
• Change Coloring to current
depth
(Hack: Use SHIFT for leafs)
Raffael Marty BCS 2006 Jakarta 41
42. AfterGlow
Firewall Log Analysis Example
Input (pflog):
Feb 18 13:39:15.598491 rule 71/0(match): pass in on xl0: 195.27.249.139.63263 >
195.141.69.42.80: S 492525755:492525755(0) win 32768 <mss 1460,nop,wscale
0,nop,nop,timestamp 24053 0> (DF)
Feb 18 13:39:15.899644 rule 71/0(match): pass in on xl0: 195.27.249.139.63264 >
195.141.69.42.80: S 875844783:875844783(0) win 32768 <mss 1460,nop,wscale
0,nop,nop,timestamp 24054 0> (DF)
Command:
cat pflog | pf2csv.pl “sip dip dport”
Output:
195.27.249.139,195.141.69.42,80
195.27.249.139,195.141.69.42,80
AfterGlow Input
Visualization:
cat pflog | pf2csv.pl “sip dip dport” |
afterglow –c properties | neato –Tgif –o foo.gif
Raffael Marty BCS 2006 Jakarta 42
43. AfterGlow
Firewall Log Analysis Example
Command:
cat log | grep pass_in | ./afterglow –c properties –d | dot –Tgif –o foo.gif
Properties:
cluster.source="External" if (!match("^195.141.69"))
color=“red” if (field() eq “External”)
color.event=“blue" if (regex("^195.141.69"))
color.event=“lightblue”
color="red"
Port 100 access
Raffael Marty BCS 2006 Jakarta 43
45. THANKS!
raffy@arcsight.com
Raffael Marty DefCon 2006 Las Vegas
BCS Jakarta 45
Notes de l'éditeur
Focus on the little circles (especially on the bottom of the graph). These circles indicate sources (red nodes) that are connecting to many machines (green nodes) on the same port (white node). The zoom on the right side shows that there is one machine (the left red node) which connects to about a dozen machines on the same port. Depending on the source machine, this is normal or possibly anomalous behavior! Certainly worth investigating. For graphs like this it might make sense to apply a filter which prevents servers (especially Windows Domain Controllers) from being drawn. Those usually show very different behavior than all the other machines.
The graph shows a configuration that uses the destination address (green nodes) and target ports (white nodes). The contiguous port numbers either represent a part of a portscan or, what is more likely, a device which reports source ports as destination ports for some of the events.
In this graph we are looking at a zoom of the graph from the previous slide again. Because we chose to show the destination ports only once in the graph (configure the graph to be show nodes “once per distinct source node”), we can quickly identify all the machines that are using a specific service on the network (red nodes connecting to to the same white node) and also what machines are making use of those services (green nodes connecting to the white nodes). Filter out all the services (i.e., ports) that you know are running on your network and you will be able to spot servers that you did not know of and should not exist on the network!