SlideShare uma empresa Scribd logo

Visual Log Analysis - DefCon 2006

Transferir como PPT, PDF
Raffael Marty
Raffael Marty

Presentation on

Tecnologia
1 de 41
Visual Log Analysis – The Beauty of Graphs DefCon 2006, Las Vegas Raffael Marty, GCIA, CISSP Manager Solutions @ ArcSight August 5th, 2006 *
Raffael Marty, GCIA, CISSP  Enterprise Security Management (ESM) specialist  Strategic Application Solutions @ ArcSight, Inc.  Intrusion Detection Research @ IBM Research  See http://thor.cryptojail.net  IT Security Consultant @ PriceWaterhouse Coopers  Open Vulnerability and Assessment Language (OVAL) board member  Passion for Visual Security Event Analysis Raffael Marty DefCon 2006 Las Vegas 2
Table Of Contents ► Introduction ► Graphing Basics ► AfterGlow ► Firewall Log File Analysis Raffael Marty DefCon 2006 Las Vegas 3
Introduction Raffael Marty DefCon 2006 Las Vegas 4
Disclaimer IP addresses and host names showing up in event graphs and descriptions were obfuscated/changed. The addresses are completely random and any resemblance with well-known addresses or host names are purely coincidental. Raffael Marty DefCon 2006 Las Vegas 5
Text or Visuals? ►What would you rather look at? Jun 17 09:42:30 rmarty ifup: Determining IP information for eth0... Jun 17 09:42:35 rmarty ifup: failed; no link present. Check cable? Jun 17 09:42:35 rmarty network: Bringing up interface eth0: failed Jun 17 09:42:38 rmarty sendmail: sendmail shutdown succeeded Jun 17 09:42:38 rmarty sendmail: sm-client shutdown succeeded Jun 17 09:42:39 rmarty sendmail: sendmail startup succeeded Jun 17 09:42:39 rmarty sendmail: sm-client startup succeeded Jun 17 09:43:39 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128 Jun 17 09:45:42 rmarty last message repeated 2 times Jun 17 09:45:47 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128 Jun 17 09:56:02 rmarty vmnet-dhcpd: DHCPDISCOVER from 00:0c:29:b7:b2:47 via vmnet8 Jun 17 09:56:03 rmarty vmnet-dhcpd: DHCPOFFER on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8 Jun 17 09:56:03 rmarty vmnet-dhcpd: DHCPREQUEST for 172.16.48.128 from 00:0c:29:b7:b2:47 via vmnet8 Jun 17 09:56:03 rmarty vmnet-dhcpd: DHCPACK on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8 Jun 17 10:00:03 rmarty crond(pam_unix)[30534]: session opened for user root by (uid=0) A Picture is Worth a Jun 17 10:00:10 rmarty crond(pam_unix)[30534]: session closed for user root A Picture is Worth a Jun 17 10:01:02 rmarty crond(pam_unix)[30551]: session opened for user root by (uid=0) Jun 17 10:01:07 rmarty crond(pam_unix)[30551]: session closed for user root Jun 17 10:05:02 rmarty crond(pam_unix)[30567]: session opened for user idabench by (uid=0) Jun 17 10:05:05 rmarty crond(pam_unix)[30567]: session closed for user idabench Jun 17 10:13:05 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.19/192.168.80.19 to UDP port: 192 Jun 17 10:13:05 rmarty portsentry[4797]: attackalert: Host: 192.168.80.19/192.168.80.19 is already blocked Ignoring Jun 17 10:14:09 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68 Thousand Log Lines Jun 17 10:14:09 rmarty portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring Thousand Log Lines Jun 17 10:14:09 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68 Jun 17 10:14:09 rmarty portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring Jun 17 10:21:30 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68 Jun 17 10:21:30 rmarty portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring Jun 17 10:28:40 rmarty vmnet-dhcpd: DHCPDISCOVER from 00:0c:29:b7:b2:47 via vmnet8 Jun 17 10:28:41 rmarty vmnet-dhcpd: DHCPOFFER on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8 Jun 17 10:28:41 rmarty vmnet-dhcpd: DHCPREQUEST for 172.16.48.128 from 00:0c:29:b7:b2:47 via vmnet8 Jun 17 10:28:45 rmarty vmnet-dhcpd: DHCPACK on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8 Jun 17 10:30:47 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68 Jun 17 10:30:47 rmarty portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring Jun 17 10:30:47 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68 Jun 17 10:30:47 rmarty portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring Jun 17 10:35:28 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128 Jun 17 10:35:31 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128 Jun 17 10:38:51 rmarty vmnet-dhcpd: DHCPREQUEST for 172.16.48.128 from 00:0c:29:b7:b2:47 via vmnet8 Jun 17 10:38:52 rmarty vmnet-dhcpd: DHCPACK on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8 Jun 17 10:42:35 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128 Jun 17 10:42:38 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128 Raffael Marty DefCon 2006 Las Vegas 6
Graphing Basics Raffael Marty DefCon 2006 Las Vegas 7
How To Generate A Graph ... | Normalization | ... Device Parser Event Visualizer Jun 17 09:42:30 rmarty ifup: Determining IP information for eth0... Jun 17 09:42:35 rmarty ifup: failed; no link present. Check cable? Jun 17 09:42:35 rmarty network: Bringing up interface eth0: failed Jun 17 09:42:38 rmarty sendmail: sendmail shutdown succeeded Jun 17 09:42:38 rmarty sendmail: sm-client shutdown succeeded Jun 17 09:42:39 rmarty sendmail: sendmail startup succeeded Jun 17 09:42:39 rmarty sendmail: sm-client startup succeeded Jun 17 09:43:39 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128 Jun 17 09:45:42 rmarty last message repeated 2 times Jun 17 09:45:47 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128 Visual Jun 17 09:56:02 rmarty vmnet-dhcpd: DHCPDISCOVER from 00:0c:29:b7:b2:47 via vmnet8 Jun 17 09:56:03 rmarty vmnet-dhcpd: DHCPOFFER on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8 NH Log File Raffael Marty DefCon 2006 Las Vegas 8
Visual Types ►Visuals that AfterGlow supports: Link Graphs TreeMaps AfterGlow 1.x - Perl AfterGlow 2.0 - JAVA Raffael Marty DefCon 2006 Las Vegas 9
Link Graph Configurations Raw Event: [**] [1:1923:2] RPC portmap UDP proxy attempt [**] [Classification: Decode of an RPC Query] [Priority: 2] 06/04-15:56:28.219753 192.168.10.90:32859 -> 192.168.10.255:111 UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:148 DF Len: 120 Different node configurations: SIP Name DIP SIP DIP DPort 192.168.10.90 RPC portmap 192.168.10.255 192.168.10.90 192.168.10.255 111 SIP SPort DPort Name SIP DIP 192.168.10.90 32859 111 RPC portmap 192.168.10.90 192.168.10.255 Raffael Marty DefCon 2006 Las Vegas 10
Tree Maps All Network Traffic Raffael Marty DefCon 2006 Las Vegas 11
Tree Maps 20% 80% UDP TCP Configuration (Hierarchy): Protocol Raffael Marty DefCon 2006 Las Vegas 12
Tree Maps UDP TCP HTTP DNS UDP TCP SSH SNMP FTP Configuration (Hierarchy): Protocol -> Service Raffael Marty DefCon 2006 Las Vegas 13
AfterGlow afterglow.sourceforge.net Raffael Marty DefCon 2006 Las Vegas 14
AfterGlow http://afterglow.sourceforge.net ► Two Versions: • AfterGlow 1.x – Perl for Link Graphs • AfterGlow 2.0 – Java for TreeMaps ► Collection of Parsers: • pf2csv.pl BSD PacketFilter (pf) • tcpdump2csv.pl tcpdump 3.9 • sendmail2csv.pl Sendmail transaction logs Raffael Marty DefCon 2006 Las Vegas 15
AfterGlow Parsers ► tcpdump2csv.pl • Takes care of swapping response source and targets tcpdump -vttttnnelr /tmp/log.tcpdump | ./tcpdump2csv.pl "sip dip sport" ► sendmail_parser.pl • Reassemble email conversations: Jul 24 21:01:16 rmarty sendmail[17072]: j6P41Gqt017072: from=<root@localhost.localdomain>, size=650, class=0, nrcpts=1, Jul 24 21:01:16 rmarty sendmail[17073]: j6P41Gqt017072: to=ram, ctladdr=<root@localhost.localdomain> (0/0), delay=00:00:00, xdelay=00:00:00, mailer=local, pri=30881, dsn=2.0.0, stat=Sent ► pf2csv.pl • Parsing OpenBSD pf output Raffael Marty DefCon 2006 Las Vegas 16
AfterGlow 1.x - Perl Parser AfterGlow Grapher Graph CSV File LanguageFile ► Supported graphing tools: • GraphViz from AT&T (dot, neato, circo, twopi) http://www.graphviz.org • LGL (Large Graph Layout) by Alex Adai http://bioinformatics.icmb.utexas.edu/lgl/ Raffael Marty DefCon 2006 Las Vegas 17
AfterGlow 1.x Features ► Generate Link Graphs ► Filtering Nodes • Based on name Fan Out: 3 • Based on number of occurrences ► Fan Out Filtering ► Coloring • Edges • Nodes ► Clustering Raffael Marty DefCon 2006 Las Vegas 18
AfterGlow 1.x Command Line Parameters  Some command line arguments: -h : help -t : two node mode -d : print count on nodes -e : edge length -n : no node labels -o threshold : omit threshold (fan-out for nodes to be displayed) -f threshold : fan out threshold for source node -c configfile : color configuration file Raffael Marty DefCon 2006 Las Vegas 19
AfterGlow 1.x Hello World Input Data: Command: a,b cat file | ./afterglow –c simple.properties –t neato –Tgif –o test.gif a,c b,c simple.properties: d,e color.source=“green” if ($fields[0] ne “d”) color.target=“blue” if ($fields[1] ne “e”) Output: d color.source=“red” color=“green” b e a c Raffael Marty DefCon 2006 Las Vegas 20
AfterGlow 1.x Property File – Color Definition  Coloring: color.[source|event|target|edge]= <perl expression returning a color name>  Array @fields contains input-line, split into tokens: color.event=“red” if ($fields[1] =~ /^192..*)  Filter nodes with “invisible” color: color.target=“invisible” if ($fields[0] eq “IIS Action”) Raffael Marty DefCon 2006 Las Vegas 21
AfterGlow 1.x Property File - Clustering  Clustering: cluster.[source|event|target]= <perl expression returning a cluster name> Raffael Marty DefCon 2006 Las Vegas 22
AfterGlow 2.0 - Java Parser AfterGlow - Java CSV File ► Command line arguments: -h : help -c file : property file -f file : data file Raffael Marty DefCon 2006 Las Vegas 23
AfterGlow 2.0 Example ► Data: ## AfterGlow -- JAVA 2.0 AfterGlow JAVA 2.0 ## Properties File Properties File Target System Type,SIP,DIP,User,Outcome Development,192.168.10.1,10.10.2.1,ram,failure ## File to load File to load file.name=/home/ram/afterglow/data/sample.csv VPN,192.168.10.1,10.10.2.1,ram,success file.name=/home/ram/afterglow/data/sample.csv Financial System,192.168.20.1,10.0.3.1,drob,success ## Column Types (default is STRING), start with 0! VPN,192.168.10.1,10.10.2.1,ram,success Column Types (default is STRING), start with 0! ## Valid values: Valid values: VPN,192.168.10.1,10.10.2.1,jmoe,failure ## STRING STRING Financial System,192.168.10.1,10.10.2.1,jmoe,success ## INTEGER INTEGER Financial System,192.168.10.1,10.10.2.1,jmoe,failure ## CATEGORICAL CATEGORICAL column.type.count=4 column.type.count=4 ► Launch: column.type[0].column=0 column.type[0].column=0 column.type[0].type=INTEGER column.type[0].type=INTEGER column.type[1].column=1 column.type[1].column=1 ./afterglow-java.sh –c afterglow.properties column.type[1].type=CATEGORICAL column.type[1].type=CATEGORICAL column.type[2].column=2 column.type[2].column=2 column.type[2].type=CATEGORICAL column.type[2].type=CATEGORICAL column.type[3].column=3 column.type[3].column=3 column.type[3].type=CATEGORICAL column.type[3].type=CATEGORICAL ## Size Column (default is 0) Size Column (default is 0) size.column=0 size.column=0 ## Color Column (default is 0) Color Column (default is 0) color.column=2 color.column=2 Raffael Marty DefCon 2006 Las Vegas 24
AfterGlow 2.0 Output Raffael Marty DefCon 2006 Las Vegas 25
AfterGlow 2.0 Interaction ► Left-click: • Zoom in ► Right-click: • Zoom all the way out ► Middle-click • Change Coloring to current depth (Hack: Use SHIFT for leafs) Raffael Marty DefCon 2006 Las Vegas 26
Firewall Log File Analysis Raffael Marty DefCon 2006 Las Vegas 27
Firewall Log File Analysis Overview 1. Parse Firewall Log 2. Investigate allowed incoming traffic ► Do you know what you are dealing with? 3. Investigate allowed outgoing traffic ► What is leaving the network? 4. Investigate blocked outgoing traffic ► Mis-configured or compromised internal machines OR ACL problem 5. Investigate blocked incoming traffic ► What is trying to attack me? Raffael Marty DefCon 2006 Las Vegas 28
Firewall Log File Analysis Parsing PF Firewall Log Input (pflog): Feb 18 13:39:15.598491 rule 71/0(match): pass in on xl0: 195.27.249.139.63263 > 195.141.69.42.80: S 492525755:492525755(0) win 32768 <mss 1460,nop,wscale 0,nop,nop,timestamp 24053 0> (DF) Feb 18 13:39:15.899644 rule 71/0(match): pass in on xl0: 195.27.249.139.63264 > 195.141.69.42.80: S 875844783:875844783(0) win 32768 <mss 1460,nop,wscale 0,nop,nop,timestamp 24054 0> (DF) Command: cat pflog | pf2csv.pl “sip dip dport” Output: 195.27.249.139,195.141.69.42,80 195.27.249.139,195.141.69.42,80 AfterGlow Input Visualization: cat pflog | pf2csv.pl “sip dip dport” | afterglow –c properties | neato –Tgif –o foo.gif Raffael Marty DefCon 2006 Las Vegas 29
Firewall Log File Analysis Passed Incoming Traffic Command: cat log | grep pass_in | ./afterglow –c properties –d | dot –Tgif –o foo.gif Properties: Features/Functions: cluster.source="External" if (!match("^195.141.69")) field() color=“red” if (field() eq “External”) cluster color.event=“blue" if (regex("^195.141.69")) match() color.event=“lightblue” color="red" Port 100 access Raffael Marty DefCon 2006 Las Vegas 30
Firewall Log File Analysis Passed Outgoing Traffic Command: cat log | grep pass_out | ./afterglow –c properties –d | neato –Tgif –o foo.gif Raffael Marty DefCon 2006 Las Vegas 31
Firewall Log File Analysis Blocked Outgoing Traffic Command: cat log | grep block_out | ./afterglow –c properties –d | neato –Tgif –o foo.gif What happened? Rule-set logs on response  block in on xl1 Firewall request response Client xl0 xl1 Server Raffael Marty DefCon 2006 Las Vegas 32
Firewall Log File Analysis Blocked Outgoing Traffic – 2nd Attempt cat log | pf2csv.pl “sip dip dport reversed” | grep –v “R$” Uses heuristics to filter responses out Port 427/svrlog Raffael Marty DefCon 2006 Las Vegas 33
Firewall Log File Analysis Blocked Incoming Traffic Command: cat log | grep block_in | ./afterglow –c properties –d | neato –Tgif –o foo.gif You guessed right: WAY TOO MESSY! Raffael Marty DefCon 2006 Las Vegas 34
Firewall Log File Analysis Blocked Incoming Port-Scans Command: cat log |grep block_in |./afterglow –c properties –d –g 2 | neato –Tgif –o foo.gif Properties: cluster.target=“>30000” if ($fields[2]>30000) cluster.target=“>1024” if ($fields[2]>1024) color= . . . Feature: -g 2 : Filter based on event-node fan-out! i.e., more than two ports accessed! Raffael Marty DefCon 2006 Las Vegas 35
Firewall Log File Analysis Blocked Incoming Port-Scans SIP DIP DPort Raffael Marty DefCon 2006 Las Vegas 36
Firewall Log File Analysis Blocked Incoming Bogon Addresses Command: cat log | grep block_in |./afterglow –c properties –d | neato –Tgif –o foo.gif This is going to be crazy! Raffael Marty DefCon 2006 Las Vegas 37
Firewall Log File Analysis Blocked Incoming Bogon Addresses Command: cat log |grep block_in |./afterglow –c properties –d | neato –Tgif –o foo.gif Properties: Bogon Address Space variable=@ranges=qw{0.0.0.0/7 2.0.0.0/8 5.0.0.0/8 7.0.0.0/8 10.0.0.0/8 23.0.0.0/8 27.0.0.0/8 31.0.0.0/8 36.0.0.0/7 39.0.0.0/8 42.0.0.0/8 49.0.0.0/8 50.0.0.0/8 77.0.0.0/8 78.0.0.0/7 92.0.0.0/6 96.0.0.0/4 112.0.0.0/5 120.0.0.0/8 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12 173.0.0.0/8 174.0.0.0/7 176.0.0.0/5 184.0.0.0/6 192.0.2.0/24 192.168.0.0/16 197.0.0.0/8 198.18.0.0/15 223.0.0.0/8 224.0.0.0/3}; color=$value=0; map{ ($value+=subnet(field(),$_)) } @ranges cluster.source=$value=0; map{ $value+=subnet(field(),$_) } "red" if ($value) @ranges; regex_replace("(d+)")."/8" if color="green" if (!match("^(195.141.69)")) (!match("^(195.141.69)") && !$value); color="blue" cluster.target=$value=0; map{ $value+=subnet(field(),$_) } @ranges; regex_replace("(d+)")."/8" if (!match("^(195.141.69)") && !$value); Features: variable= regex_replace() subnet(IP,range) e.g., subnet(“10.0.0.2”,”10.0.0.0/8”)  1 (true) Raffael Marty DefCon 2006 Las Vegas 38
Firewall Log File Analysis Blocked Incoming Bogon Addresses Bogon Addresses External Addresses Internal Addresses Raffael Marty DefCon 2006 Las Vegas 39
Summary ► Introduced AfterGlow • Filtering • Coloring • Clustering ► Quickly Visualize Log Files Log Files Don’t Read Log Files Don’t Read • Understand Relationships Visualize Them!! Visualize Them!! • Find Outliers • Spot suspicious activity Raffael Marty DefCon 2006 Las Vegas 40
THANKS! raffy@arcsight.com Raffael Marty DefCon 2006 Las Vegas 41

Recomendados

Log Visualization - Bellua BCS 2006
Log Visualization - Bellua BCS 2006Log Visualization - Bellua BCS 2006
Log Visualization - Bellua BCS 2006Raffael Marty
 
Event Graphs - EUSecWest 2006
Event Graphs - EUSecWest 2006Event Graphs - EUSecWest 2006
Event Graphs - EUSecWest 2006Raffael Marty
 
Visual Security Event Analysis - DefCon 13 - 2005
Visual Security Event Analysis - DefCon 13 - 2005Visual Security Event Analysis - DefCon 13 - 2005
Visual Security Event Analysis - DefCon 13 - 2005Raffael Marty
 
Services
ServicesServices
ServicesTerry Hernandez
 
7.protocols 2
7.protocols 27.protocols 2
7.protocols 2Marian Marinov
 
7. protocols
7. protocols7. protocols
7. protocolsMarian Marinov
 
Programming TCP for responsiveness
Programming TCP for responsivenessProgramming TCP for responsiveness
Programming TCP for responsivenessKazuho Oku
 
Why my network does not work? Networking Quiz 2017
Why my network does not work? Networking Quiz 2017Why my network does not work? Networking Quiz 2017
Why my network does not work? Networking Quiz 2017Andriy Berestovskyy
 

Recomendados

Log Visualization - Bellua BCS 2006
Log Visualization - Bellua BCS 2006Log Visualization - Bellua BCS 2006
Log Visualization - Bellua BCS 2006Raffael Marty
 
Event Graphs - EUSecWest 2006
Event Graphs - EUSecWest 2006Event Graphs - EUSecWest 2006
Event Graphs - EUSecWest 2006Raffael Marty
 
Visual Security Event Analysis - DefCon 13 - 2005
Visual Security Event Analysis - DefCon 13 - 2005Visual Security Event Analysis - DefCon 13 - 2005
Visual Security Event Analysis - DefCon 13 - 2005Raffael Marty
 
Services
ServicesServices
ServicesTerry Hernandez
 
7.protocols 2
7.protocols 27.protocols 2
7.protocols 2Marian Marinov
 
7. protocols
7. protocols7. protocols
7. protocolsMarian Marinov
 
Programming TCP for responsiveness
Programming TCP for responsivenessProgramming TCP for responsiveness
Programming TCP for responsivenessKazuho Oku
 
Why my network does not work? Networking Quiz 2017
Why my network does not work? Networking Quiz 2017Why my network does not work? Networking Quiz 2017
Why my network does not work? Networking Quiz 2017Andriy Berestovskyy
 
The Spectre of Meltdowns
The Spectre of MeltdownsThe Spectre of Meltdowns
The Spectre of MeltdownsAndriy Berestovskyy
 
HPCユーザが知っておきたいTCP/IPの話 ~クラスタ・グリッド環境の落とし穴~
HPCユーザが知っておきたいTCP/IPの話 ~クラスタ・グリッド環境の落とし穴~HPCユーザが知っておきたいTCP/IPの話 ~クラスタ・グリッド環境の落とし穴~
HPCユーザが知っておきたいTCP/IPの話 ~クラスタ・グリッド環境の落とし穴~Ryousei Takano
 
Networking Fundamentals: Local Networks
Networking Fundamentals: Local NetworksNetworking Fundamentals: Local Networks
Networking Fundamentals: Local NetworksAndriy Berestovskyy
 
How You Will Get Hacked Ten Years from Now
How You Will Get Hacked Ten Years from NowHow You Will Get Hacked Ten Years from Now
How You Will Get Hacked Ten Years from Nowjulievreeland
 
VPP for Stateless SRv6/GTP-U Translation
VPP for Stateless SRv6/GTP-U TranslationVPP for Stateless SRv6/GTP-U Translation
VPP for Stateless SRv6/GTP-U TranslationSatoru Matsushima
 
Leonardo Nve Egea - Playing in a Satellite Environment 1.2
Leonardo Nve Egea - Playing in a Satellite Environment 1.2Leonardo Nve Egea - Playing in a Satellite Environment 1.2
Leonardo Nve Egea - Playing in a Satellite Environment 1.2Jim Geovedi
 
Reorganizing Website Architecture for HTTP/2 and Beyond
Reorganizing Website Architecture for HTTP/2 and BeyondReorganizing Website Architecture for HTTP/2 and Beyond
Reorganizing Website Architecture for HTTP/2 and BeyondKazuho Oku
 
L2/L3 für Fortgeschrittene - Helle und dunkle Magie im Linux-Netzwerkstack
L2/L3 für Fortgeschrittene - Helle und dunkle Magie im Linux-NetzwerkstackL2/L3 für Fortgeschrittene - Helle und dunkle Magie im Linux-Netzwerkstack
L2/L3 für Fortgeschrittene - Helle und dunkle Magie im Linux-NetzwerkstackMaximilan Wilhelm
 
Networking Fundamentals: Transport Protocols (TCP and UDP)
Networking Fundamentals: Transport Protocols (TCP and UDP)Networking Fundamentals: Transport Protocols (TCP and UDP)
Networking Fundamentals: Transport Protocols (TCP and UDP)Andriy Berestovskyy
 
Networking
NetworkingNetworking
NetworkingMarian Marinov
 
PLNOG 8: Nicolai van der Smagt - IPv6: Transition mechanisms
PLNOG 8: Nicolai van der Smagt - IPv6: Transition mechanisms PLNOG 8: Nicolai van der Smagt - IPv6: Transition mechanisms
PLNOG 8: Nicolai van der Smagt - IPv6: Transition mechanisms PROIDEA
 
NGS techniques and data
NGS techniques and data NGS techniques and data
NGS techniques and data Lex Nederbragt
 
6.Routing
6.Routing6.Routing
6.Routingphanleson
 
Faster packet processing in Linux: XDP
Faster packet processing in Linux: XDPFaster packet processing in Linux: XDP
Faster packet processing in Linux: XDPDaniel T. Lee
 
Dynamische Routingprotokolle Aufzucht und Pflege - OSPF
Dynamische Routingprotokolle Aufzucht und Pflege - OSPFDynamische Routingprotokolle Aufzucht und Pflege - OSPF
Dynamische Routingprotokolle Aufzucht und Pflege - OSPFMaximilan Wilhelm
 
Fun with PRB, VRFs and NetNS on Linux - What is it, how does it work, what ca...
Fun with PRB, VRFs and NetNS on Linux - What is it, how does it work, what ca...Fun with PRB, VRFs and NetNS on Linux - What is it, how does it work, what ca...
Fun with PRB, VRFs and NetNS on Linux - What is it, how does it work, what ca...Maximilan Wilhelm
 
SACSIS2009_TCP.pdf
SACSIS2009_TCP.pdfSACSIS2009_TCP.pdf
SACSIS2009_TCP.pdfHiroshi Ono
 
ULA network experience @ JANOG34, by Shishio Tsuchiya [APNIC 38 / APIPv6TF]
ULA network experience @ JANOG34, by Shishio Tsuchiya [APNIC 38 / APIPv6TF]ULA network experience @ JANOG34, by Shishio Tsuchiya [APNIC 38 / APIPv6TF]
ULA network experience @ JANOG34, by Shishio Tsuchiya [APNIC 38 / APIPv6TF]APNIC
 
Matrix sapex vs grandstream gxe502 x series
Matrix sapex vs grandstream gxe502 x seriesMatrix sapex vs grandstream gxe502 x series
Matrix sapex vs grandstream gxe502 x seriesGateway Business Solutions
 
Mpls Presentation Ine
Mpls Presentation IneMpls Presentation Ine
Mpls Presentation IneAlp isik
 
Insider Threat – The Visual Conviction - FIRST 2007 - Sevilla
Insider Threat – The Visual Conviction - FIRST 2007 - SevillaInsider Threat – The Visual Conviction - FIRST 2007 - Sevilla
Insider Threat – The Visual Conviction - FIRST 2007 - SevillaRaffael Marty
 
Pentesting111111 Cheat Sheet_OSCP_2023.pdf
Pentesting111111 Cheat Sheet_OSCP_2023.pdfPentesting111111 Cheat Sheet_OSCP_2023.pdf
Pentesting111111 Cheat Sheet_OSCP_2023.pdffaker1842002
 

Mais conteúdo relacionado

Mais procurados

HPCユーザが知っておきたいTCP/IPの話 ~クラスタ・グリッド環境の落とし穴~
HPCユーザが知っておきたいTCP/IPの話 ~クラスタ・グリッド環境の落とし穴~HPCユーザが知っておきたいTCP/IPの話 ~クラスタ・グリッド環境の落とし穴~
HPCユーザが知っておきたいTCP/IPの話 ~クラスタ・グリッド環境の落とし穴~Ryousei Takano
 
Networking Fundamentals: Local Networks
Networking Fundamentals: Local NetworksNetworking Fundamentals: Local Networks
Networking Fundamentals: Local NetworksAndriy Berestovskyy
 
How You Will Get Hacked Ten Years from Now
How You Will Get Hacked Ten Years from NowHow You Will Get Hacked Ten Years from Now
How You Will Get Hacked Ten Years from Nowjulievreeland
 
VPP for Stateless SRv6/GTP-U Translation
VPP for Stateless SRv6/GTP-U TranslationVPP for Stateless SRv6/GTP-U Translation
VPP for Stateless SRv6/GTP-U TranslationSatoru Matsushima
 
Leonardo Nve Egea - Playing in a Satellite Environment 1.2
Leonardo Nve Egea - Playing in a Satellite Environment 1.2Leonardo Nve Egea - Playing in a Satellite Environment 1.2
Leonardo Nve Egea - Playing in a Satellite Environment 1.2Jim Geovedi
 
Reorganizing Website Architecture for HTTP/2 and Beyond
Reorganizing Website Architecture for HTTP/2 and BeyondReorganizing Website Architecture for HTTP/2 and Beyond
Reorganizing Website Architecture for HTTP/2 and BeyondKazuho Oku
 
L2/L3 für Fortgeschrittene - Helle und dunkle Magie im Linux-Netzwerkstack
L2/L3 für Fortgeschrittene - Helle und dunkle Magie im Linux-NetzwerkstackL2/L3 für Fortgeschrittene - Helle und dunkle Magie im Linux-Netzwerkstack
L2/L3 für Fortgeschrittene - Helle und dunkle Magie im Linux-NetzwerkstackMaximilan Wilhelm
 
Networking Fundamentals: Transport Protocols (TCP and UDP)
Networking Fundamentals: Transport Protocols (TCP and UDP)Networking Fundamentals: Transport Protocols (TCP and UDP)
Networking Fundamentals: Transport Protocols (TCP and UDP)Andriy Berestovskyy
 
PLNOG 8: Nicolai van der Smagt - IPv6: Transition mechanisms
PLNOG 8: Nicolai van der Smagt - IPv6: Transition mechanisms PLNOG 8: Nicolai van der Smagt - IPv6: Transition mechanisms
PLNOG 8: Nicolai van der Smagt - IPv6: Transition mechanisms PROIDEA
 
NGS techniques and data
NGS techniques and data NGS techniques and data
NGS techniques and data Lex Nederbragt
 
Faster packet processing in Linux: XDP
Faster packet processing in Linux: XDPFaster packet processing in Linux: XDP
Faster packet processing in Linux: XDPDaniel T. Lee
 
Dynamische Routingprotokolle Aufzucht und Pflege - OSPF
Dynamische Routingprotokolle Aufzucht und Pflege - OSPFDynamische Routingprotokolle Aufzucht und Pflege - OSPF
Dynamische Routingprotokolle Aufzucht und Pflege - OSPFMaximilan Wilhelm
 
Fun with PRB, VRFs and NetNS on Linux - What is it, how does it work, what ca...
Fun with PRB, VRFs and NetNS on Linux - What is it, how does it work, what ca...Fun with PRB, VRFs and NetNS on Linux - What is it, how does it work, what ca...
Fun with PRB, VRFs and NetNS on Linux - What is it, how does it work, what ca...Maximilan Wilhelm
 
SACSIS2009_TCP.pdf
SACSIS2009_TCP.pdfSACSIS2009_TCP.pdf
SACSIS2009_TCP.pdfHiroshi Ono
 
ULA network experience @ JANOG34, by Shishio Tsuchiya [APNIC 38 / APIPv6TF]
ULA network experience @ JANOG34, by Shishio Tsuchiya [APNIC 38 / APIPv6TF]ULA network experience @ JANOG34, by Shishio Tsuchiya [APNIC 38 / APIPv6TF]
ULA network experience @ JANOG34, by Shishio Tsuchiya [APNIC 38 / APIPv6TF]APNIC
 
Mpls Presentation Ine
Mpls Presentation IneMpls Presentation Ine
Mpls Presentation IneAlp isik
 

Mais procurados (20)

The Spectre of Meltdowns
The Spectre of MeltdownsThe Spectre of Meltdowns
The Spectre of Meltdowns
 
HPCユーザが知っておきたいTCP/IPの話 ~クラスタ・グリッド環境の落とし穴~
HPCユーザが知っておきたいTCP/IPの話 ~クラスタ・グリッド環境の落とし穴~HPCユーザが知っておきたいTCP/IPの話 ~クラスタ・グリッド環境の落とし穴~
HPCユーザが知っておきたいTCP/IPの話 ~クラスタ・グリッド環境の落とし穴~
 
Networking Fundamentals: Local Networks
Networking Fundamentals: Local NetworksNetworking Fundamentals: Local Networks
Networking Fundamentals: Local Networks
 
How You Will Get Hacked Ten Years from Now
How You Will Get Hacked Ten Years from NowHow You Will Get Hacked Ten Years from Now
How You Will Get Hacked Ten Years from Now
 
VPP for Stateless SRv6/GTP-U Translation
VPP for Stateless SRv6/GTP-U TranslationVPP for Stateless SRv6/GTP-U Translation
VPP for Stateless SRv6/GTP-U Translation
 
Leonardo Nve Egea - Playing in a Satellite Environment 1.2
Leonardo Nve Egea - Playing in a Satellite Environment 1.2Leonardo Nve Egea - Playing in a Satellite Environment 1.2
Leonardo Nve Egea - Playing in a Satellite Environment 1.2
 
Reorganizing Website Architecture for HTTP/2 and Beyond
Reorganizing Website Architecture for HTTP/2 and BeyondReorganizing Website Architecture for HTTP/2 and Beyond
Reorganizing Website Architecture for HTTP/2 and Beyond
 
L2/L3 für Fortgeschrittene - Helle und dunkle Magie im Linux-Netzwerkstack
L2/L3 für Fortgeschrittene - Helle und dunkle Magie im Linux-NetzwerkstackL2/L3 für Fortgeschrittene - Helle und dunkle Magie im Linux-Netzwerkstack
L2/L3 für Fortgeschrittene - Helle und dunkle Magie im Linux-Netzwerkstack
 
Networking Fundamentals: Transport Protocols (TCP and UDP)
Networking Fundamentals: Transport Protocols (TCP and UDP)Networking Fundamentals: Transport Protocols (TCP and UDP)
Networking Fundamentals: Transport Protocols (TCP and UDP)
 
Networking
NetworkingNetworking
Networking
 
PLNOG 8: Nicolai van der Smagt - IPv6: Transition mechanisms
PLNOG 8: Nicolai van der Smagt - IPv6: Transition mechanisms PLNOG 8: Nicolai van der Smagt - IPv6: Transition mechanisms
PLNOG 8: Nicolai van der Smagt - IPv6: Transition mechanisms
 
NGS techniques and data
NGS techniques and data NGS techniques and data
NGS techniques and data
 
6.Routing
6.Routing6.Routing
6.Routing
 
Faster packet processing in Linux: XDP
Faster packet processing in Linux: XDPFaster packet processing in Linux: XDP
Faster packet processing in Linux: XDP
 
Dynamische Routingprotokolle Aufzucht und Pflege - OSPF
Dynamische Routingprotokolle Aufzucht und Pflege - OSPFDynamische Routingprotokolle Aufzucht und Pflege - OSPF
Dynamische Routingprotokolle Aufzucht und Pflege - OSPF
 
Fun with PRB, VRFs and NetNS on Linux - What is it, how does it work, what ca...
Fun with PRB, VRFs and NetNS on Linux - What is it, how does it work, what ca...Fun with PRB, VRFs and NetNS on Linux - What is it, how does it work, what ca...
Fun with PRB, VRFs and NetNS on Linux - What is it, how does it work, what ca...
 
SACSIS2009_TCP.pdf
SACSIS2009_TCP.pdfSACSIS2009_TCP.pdf
SACSIS2009_TCP.pdf
 
ULA network experience @ JANOG34, by Shishio Tsuchiya [APNIC 38 / APIPv6TF]
ULA network experience @ JANOG34, by Shishio Tsuchiya [APNIC 38 / APIPv6TF]ULA network experience @ JANOG34, by Shishio Tsuchiya [APNIC 38 / APIPv6TF]
ULA network experience @ JANOG34, by Shishio Tsuchiya [APNIC 38 / APIPv6TF]
 
Matrix sapex vs grandstream gxe502 x series
Matrix sapex vs grandstream gxe502 x seriesMatrix sapex vs grandstream gxe502 x series
Matrix sapex vs grandstream gxe502 x series
 
Mpls Presentation Ine
Mpls Presentation IneMpls Presentation Ine
Mpls Presentation Ine
 

Semelhante a Visual Log Analysis - DefCon 2006

Insider Threat – The Visual Conviction - FIRST 2007 - Sevilla
Insider Threat – The Visual Conviction - FIRST 2007 - SevillaInsider Threat – The Visual Conviction - FIRST 2007 - Sevilla
Insider Threat – The Visual Conviction - FIRST 2007 - SevillaRaffael Marty
 
Pentesting111111 Cheat Sheet_OSCP_2023.pdf
Pentesting111111 Cheat Sheet_OSCP_2023.pdfPentesting111111 Cheat Sheet_OSCP_2023.pdf
Pentesting111111 Cheat Sheet_OSCP_2023.pdffaker1842002
 
3 scanning-ger paoctes-pub
3 scanning-ger paoctes-pub3 scanning-ger paoctes-pub
3 scanning-ger paoctes-pubCassio Ramos
 
Insider Threat Visualization - HackInTheBox 2007
Insider Threat Visualization - HackInTheBox 2007Insider Threat Visualization - HackInTheBox 2007
Insider Threat Visualization - HackInTheBox 2007Raffael Marty
 
Insider Threat Visualization - HITB 2007, Kuala Lumpur
Insider Threat Visualization - HITB 2007, Kuala LumpurInsider Threat Visualization - HITB 2007, Kuala Lumpur
Insider Threat Visualization - HITB 2007, Kuala LumpurRaffael Marty
 
Neighbor Discovery Deep Dive – IPv6-Networking-Referat
Neighbor Discovery Deep Dive – IPv6-Networking-ReferatNeighbor Discovery Deep Dive – IPv6-Networking-Referat
Neighbor Discovery Deep Dive – IPv6-Networking-ReferatDigicomp Academy AG
 
20141102 VyOS 1.1.0 and NIFTY Cloud New Features
20141102 VyOS 1.1.0 and NIFTY Cloud New Features20141102 VyOS 1.1.0 and NIFTY Cloud New Features
20141102 VyOS 1.1.0 and NIFTY Cloud New Features雄也 日下部
 
VYOS & RPKI at the BGP as edge
VYOS & RPKI at the BGP as edgeVYOS & RPKI at the BGP as edge
VYOS & RPKI at the BGP as edgeFaelix Ltd
 
Building your own sdn with debian linux salt stack and python
Building your own sdn with debian linux salt stack and pythonBuilding your own sdn with debian linux salt stack and python
Building your own sdn with debian linux salt stack and pythonMaximilan Wilhelm
 
WebRTC: A front-end perspective
WebRTC: A front-end perspectiveWebRTC: A front-end perspective
WebRTC: A front-end perspectiveshwetank
 
Lightweight 4-over-6: One step further Dual-Stack Lite Networks (RIPE 76)
Lightweight 4-over-6: One step further Dual-Stack Lite Networks (RIPE 76)Lightweight 4-over-6: One step further Dual-Stack Lite Networks (RIPE 76)
Lightweight 4-over-6: One step further Dual-Stack Lite Networks (RIPE 76)Igalia
 
Nessus scan report using the defualt scan policy - Tareq Hanaysha
Nessus scan report using the defualt scan policy - Tareq HanayshaNessus scan report using the defualt scan policy - Tareq Hanaysha
Nessus scan report using the defualt scan policy - Tareq HanayshaHanaysha
 
[오픈소스컨설팅] Linux Network Troubleshooting
[오픈소스컨설팅] Linux Network Troubleshooting[오픈소스컨설팅] Linux Network Troubleshooting
[오픈소스컨설팅] Linux Network TroubleshootingOpen Source Consulting
 
Using routing domains / routing tables in a production network by Peter Hessler
Using routing domains / routing tables in a production network by Peter HesslerUsing routing domains / routing tables in a production network by Peter Hessler
Using routing domains / routing tables in a production network by Peter Hesslereurobsdcon
 

Semelhante a Visual Log Analysis - DefCon 2006 (20)

Insider Threat – The Visual Conviction - FIRST 2007 - Sevilla
Insider Threat – The Visual Conviction - FIRST 2007 - SevillaInsider Threat – The Visual Conviction - FIRST 2007 - Sevilla
Insider Threat – The Visual Conviction - FIRST 2007 - Sevilla
 
Pentesting111111 Cheat Sheet_OSCP_2023.pdf
Pentesting111111 Cheat Sheet_OSCP_2023.pdfPentesting111111 Cheat Sheet_OSCP_2023.pdf
Pentesting111111 Cheat Sheet_OSCP_2023.pdf
 
3 scanning-ger paoctes-pub
3 scanning-ger paoctes-pub3 scanning-ger paoctes-pub
3 scanning-ger paoctes-pub
 
Insider Threat Visualization - HackInTheBox 2007
Insider Threat Visualization - HackInTheBox 2007Insider Threat Visualization - HackInTheBox 2007
Insider Threat Visualization - HackInTheBox 2007
 
Insider Threat Visualization - HITB 2007, Kuala Lumpur
Insider Threat Visualization - HITB 2007, Kuala LumpurInsider Threat Visualization - HITB 2007, Kuala Lumpur
Insider Threat Visualization - HITB 2007, Kuala Lumpur
 
Tech f42
Tech f42Tech f42
Tech f42
 
Neighbor Discovery Deep Dive – IPv6-Networking-Referat
Neighbor Discovery Deep Dive – IPv6-Networking-ReferatNeighbor Discovery Deep Dive – IPv6-Networking-Referat
Neighbor Discovery Deep Dive – IPv6-Networking-Referat
 
Network Security Best Practice (BCP38 & 140)
Network Security Best Practice (BCP38 & 140) Network Security Best Practice (BCP38 & 140)
Network Security Best Practice (BCP38 & 140)
 
20141102 VyOS 1.1.0 and NIFTY Cloud New Features
20141102 VyOS 1.1.0 and NIFTY Cloud New Features20141102 VyOS 1.1.0 and NIFTY Cloud New Features
20141102 VyOS 1.1.0 and NIFTY Cloud New Features
 
VYOS & RPKI at the BGP as edge
VYOS & RPKI at the BGP as edgeVYOS & RPKI at the BGP as edge
VYOS & RPKI at the BGP as edge
 
Charla ipv6
Charla ipv6Charla ipv6
Charla ipv6
 
Crash
CrashCrash
Crash
 
Building your own sdn with debian linux salt stack and python
Building your own sdn with debian linux salt stack and pythonBuilding your own sdn with debian linux salt stack and python
Building your own sdn with debian linux salt stack and python
 
WebRTC: A front-end perspective
WebRTC: A front-end perspectiveWebRTC: A front-end perspective
WebRTC: A front-end perspective
 
Cloud RPI4 tomcat ARM64
Cloud RPI4 tomcat ARM64Cloud RPI4 tomcat ARM64
Cloud RPI4 tomcat ARM64
 
Lightweight 4-over-6: One step further Dual-Stack Lite Networks (RIPE 76)
Lightweight 4-over-6: One step further Dual-Stack Lite Networks (RIPE 76)Lightweight 4-over-6: One step further Dual-Stack Lite Networks (RIPE 76)
Lightweight 4-over-6: One step further Dual-Stack Lite Networks (RIPE 76)
 
Ltsp talk
Ltsp talkLtsp talk
Ltsp talk
 
Nessus scan report using the defualt scan policy - Tareq Hanaysha
Nessus scan report using the defualt scan policy - Tareq HanayshaNessus scan report using the defualt scan policy - Tareq Hanaysha
Nessus scan report using the defualt scan policy - Tareq Hanaysha
 
[오픈소스컨설팅] Linux Network Troubleshooting
[오픈소스컨설팅] Linux Network Troubleshooting[오픈소스컨설팅] Linux Network Troubleshooting
[오픈소스컨설팅] Linux Network Troubleshooting
 
Using routing domains / routing tables in a production network by Peter Hessler
Using routing domains / routing tables in a production network by Peter HesslerUsing routing domains / routing tables in a production network by Peter Hessler
Using routing domains / routing tables in a production network by Peter Hessler
 

Mais de Raffael Marty

Exploring the Defender's Advantage
Exploring the Defender's AdvantageExploring the Defender's Advantage
Exploring the Defender's AdvantageRaffael Marty
 
Extended Detection and Response (XDR) An Overhyped Product Category With Ulti...
Extended Detection and Response (XDR) An Overhyped Product Category With Ulti...Extended Detection and Response (XDR) An Overhyped Product Category With Ulti...
Extended Detection and Response (XDR) An Overhyped Product Category With Ulti...Raffael Marty
 
How To Drive Value with Security Data
How To Drive Value with Security DataHow To Drive Value with Security Data
How To Drive Value with Security DataRaffael Marty
 
Cyber Security Beyond 2020 – Will We Learn From Our Mistakes?
Cyber Security Beyond 2020 – Will We Learn From Our Mistakes?Cyber Security Beyond 2020 – Will We Learn From Our Mistakes?
Cyber Security Beyond 2020 – Will We Learn From Our Mistakes?Raffael Marty
 
Artificial Intelligence – Time Bomb or The Promised Land?
Artificial Intelligence – Time Bomb or The Promised Land?Artificial Intelligence – Time Bomb or The Promised Land?
Artificial Intelligence – Time Bomb or The Promised Land?Raffael Marty
 
Understanding the "Intelligence" in AI
Understanding the "Intelligence" in AIUnderstanding the "Intelligence" in AI
Understanding the "Intelligence" in AIRaffael Marty
 
AI & ML in Cyber Security - Why Algorithms are Dangerous
AI & ML in Cyber Security - Why Algorithms are DangerousAI & ML in Cyber Security - Why Algorithms are Dangerous
AI & ML in Cyber Security - Why Algorithms are DangerousRaffael Marty
 
AI & ML in Cyber Security - Why Algorithms Are Dangerous
AI & ML in Cyber Security - Why Algorithms Are DangerousAI & ML in Cyber Security - Why Algorithms Are Dangerous
AI & ML in Cyber Security - Why Algorithms Are DangerousRaffael Marty
 
Delivering Security Insights with Data Analytics and Visualization
Delivering Security Insights with Data Analytics and VisualizationDelivering Security Insights with Data Analytics and Visualization
Delivering Security Insights with Data Analytics and VisualizationRaffael Marty
 
AI & ML in Cyber Security - Welcome Back to 1999 - Security Hasn't Changed
AI & ML in Cyber Security - Welcome Back to 1999 - Security Hasn't ChangedAI & ML in Cyber Security - Welcome Back to 1999 - Security Hasn't Changed
AI & ML in Cyber Security - Welcome Back to 1999 - Security Hasn't ChangedRaffael Marty
 
Security Insights at Scale
Security Insights at ScaleSecurity Insights at Scale
Security Insights at ScaleRaffael Marty
 
Creating Your Own Threat Intel Through Hunting & Visualization
Creating Your Own Threat Intel Through Hunting & VisualizationCreating Your Own Threat Intel Through Hunting & Visualization
Creating Your Own Threat Intel Through Hunting & VisualizationRaffael Marty
 
Creating Your Own Threat Intel Through Hunting & Visualization
Creating Your Own Threat Intel Through Hunting & VisualizationCreating Your Own Threat Intel Through Hunting & Visualization
Creating Your Own Threat Intel Through Hunting & VisualizationRaffael Marty
 
Visualization in the Age of Big Data
Visualization in the Age of Big DataVisualization in the Age of Big Data
Visualization in the Age of Big DataRaffael Marty
 
Big Data Visualization
Big Data VisualizationBig Data Visualization
Big Data VisualizationRaffael Marty
 
The Heatmap
 - Why is Security Visualization so Hard?
The Heatmap
 - Why is Security Visualization so Hard?The Heatmap
 - Why is Security Visualization so Hard?
The Heatmap
 - Why is Security Visualization so Hard?Raffael Marty
 
Workshop: Big Data Visualization for Security
Workshop: Big Data Visualization for SecurityWorkshop: Big Data Visualization for Security
Workshop: Big Data Visualization for SecurityRaffael Marty
 
Visualization for Security
Visualization for SecurityVisualization for Security
Visualization for SecurityRaffael Marty
 
The Heatmap
 - Why is Security Visualization so Hard?
The Heatmap
 - Why is Security Visualization so Hard?The Heatmap
 - Why is Security Visualization so Hard?
The Heatmap
 - Why is Security Visualization so Hard?Raffael Marty
 

Mais de Raffael Marty (20)

Exploring the Defender's Advantage
Exploring the Defender's AdvantageExploring the Defender's Advantage
Exploring the Defender's Advantage
 
Extended Detection and Response (XDR) An Overhyped Product Category With Ulti...
Extended Detection and Response (XDR) An Overhyped Product Category With Ulti...Extended Detection and Response (XDR) An Overhyped Product Category With Ulti...
Extended Detection and Response (XDR) An Overhyped Product Category With Ulti...
 
How To Drive Value with Security Data
How To Drive Value with Security DataHow To Drive Value with Security Data
How To Drive Value with Security Data
 
Cyber Security Beyond 2020 – Will We Learn From Our Mistakes?
Cyber Security Beyond 2020 – Will We Learn From Our Mistakes?Cyber Security Beyond 2020 – Will We Learn From Our Mistakes?
Cyber Security Beyond 2020 – Will We Learn From Our Mistakes?
 
Artificial Intelligence – Time Bomb or The Promised Land?
Artificial Intelligence – Time Bomb or The Promised Land?Artificial Intelligence – Time Bomb or The Promised Land?
Artificial Intelligence – Time Bomb or The Promised Land?
 
Understanding the "Intelligence" in AI
Understanding the "Intelligence" in AIUnderstanding the "Intelligence" in AI
Understanding the "Intelligence" in AI
 
Security Chat 5.0
Security Chat 5.0Security Chat 5.0
Security Chat 5.0
 
AI & ML in Cyber Security - Why Algorithms are Dangerous
AI & ML in Cyber Security - Why Algorithms are DangerousAI & ML in Cyber Security - Why Algorithms are Dangerous
AI & ML in Cyber Security - Why Algorithms are Dangerous
 
AI & ML in Cyber Security - Why Algorithms Are Dangerous
AI & ML in Cyber Security - Why Algorithms Are DangerousAI & ML in Cyber Security - Why Algorithms Are Dangerous
AI & ML in Cyber Security - Why Algorithms Are Dangerous
 
Delivering Security Insights with Data Analytics and Visualization
Delivering Security Insights with Data Analytics and VisualizationDelivering Security Insights with Data Analytics and Visualization
Delivering Security Insights with Data Analytics and Visualization
 
AI & ML in Cyber Security - Welcome Back to 1999 - Security Hasn't Changed
AI & ML in Cyber Security - Welcome Back to 1999 - Security Hasn't ChangedAI & ML in Cyber Security - Welcome Back to 1999 - Security Hasn't Changed
AI & ML in Cyber Security - Welcome Back to 1999 - Security Hasn't Changed
 
Security Insights at Scale
Security Insights at ScaleSecurity Insights at Scale
Security Insights at Scale
 
Creating Your Own Threat Intel Through Hunting & Visualization
Creating Your Own Threat Intel Through Hunting & VisualizationCreating Your Own Threat Intel Through Hunting & Visualization
Creating Your Own Threat Intel Through Hunting & Visualization
 
Creating Your Own Threat Intel Through Hunting & Visualization
Creating Your Own Threat Intel Through Hunting & VisualizationCreating Your Own Threat Intel Through Hunting & Visualization
Creating Your Own Threat Intel Through Hunting & Visualization
 
Visualization in the Age of Big Data
Visualization in the Age of Big DataVisualization in the Age of Big Data
Visualization in the Age of Big Data
 
Big Data Visualization
Big Data VisualizationBig Data Visualization
Big Data Visualization
 
The Heatmap
 - Why is Security Visualization so Hard?
The Heatmap
 - Why is Security Visualization so Hard?The Heatmap
 - Why is Security Visualization so Hard?
The Heatmap
 - Why is Security Visualization so Hard?
 
Workshop: Big Data Visualization for Security
Workshop: Big Data Visualization for SecurityWorkshop: Big Data Visualization for Security
Workshop: Big Data Visualization for Security
 
Visualization for Security
Visualization for SecurityVisualization for Security
Visualization for Security
 
The Heatmap
 - Why is Security Visualization so Hard?
The Heatmap
 - Why is Security Visualization so Hard?The Heatmap
 - Why is Security Visualization so Hard?
The Heatmap
 - Why is Security Visualization so Hard?
 

Último

Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?XfilesPro
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 

Último (20)

Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptx
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 

Visual Log Analysis - DefCon 2006

  • 1. Visual Log Analysis – The Beauty of Graphs DefCon 2006, Las Vegas Raffael Marty, GCIA, CISSP Manager Solutions @ ArcSight August 5th, 2006 *
  • 2. Raffael Marty, GCIA, CISSP  Enterprise Security Management (ESM) specialist  Strategic Application Solutions @ ArcSight, Inc.  Intrusion Detection Research @ IBM Research  See http://thor.cryptojail.net  IT Security Consultant @ PriceWaterhouse Coopers  Open Vulnerability and Assessment Language (OVAL) board member  Passion for Visual Security Event Analysis Raffael Marty DefCon 2006 Las Vegas 2
  • 3. Table Of Contents ► Introduction ► Graphing Basics ► AfterGlow ► Firewall Log File Analysis Raffael Marty DefCon 2006 Las Vegas 3
  • 4. Introduction Raffael Marty DefCon 2006 Las Vegas 4
  • 5. Disclaimer IP addresses and host names showing up in event graphs and descriptions were obfuscated/changed. The addresses are completely random and any resemblance with well-known addresses or host names are purely coincidental. Raffael Marty DefCon 2006 Las Vegas 5
  • 6. Text or Visuals? ►What would you rather look at? Jun 17 09:42:30 rmarty ifup: Determining IP information for eth0... Jun 17 09:42:35 rmarty ifup: failed; no link present. Check cable? Jun 17 09:42:35 rmarty network: Bringing up interface eth0: failed Jun 17 09:42:38 rmarty sendmail: sendmail shutdown succeeded Jun 17 09:42:38 rmarty sendmail: sm-client shutdown succeeded Jun 17 09:42:39 rmarty sendmail: sendmail startup succeeded Jun 17 09:42:39 rmarty sendmail: sm-client startup succeeded Jun 17 09:43:39 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128 Jun 17 09:45:42 rmarty last message repeated 2 times Jun 17 09:45:47 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128 Jun 17 09:56:02 rmarty vmnet-dhcpd: DHCPDISCOVER from 00:0c:29:b7:b2:47 via vmnet8 Jun 17 09:56:03 rmarty vmnet-dhcpd: DHCPOFFER on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8 Jun 17 09:56:03 rmarty vmnet-dhcpd: DHCPREQUEST for 172.16.48.128 from 00:0c:29:b7:b2:47 via vmnet8 Jun 17 09:56:03 rmarty vmnet-dhcpd: DHCPACK on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8 Jun 17 10:00:03 rmarty crond(pam_unix)[30534]: session opened for user root by (uid=0) A Picture is Worth a Jun 17 10:00:10 rmarty crond(pam_unix)[30534]: session closed for user root A Picture is Worth a Jun 17 10:01:02 rmarty crond(pam_unix)[30551]: session opened for user root by (uid=0) Jun 17 10:01:07 rmarty crond(pam_unix)[30551]: session closed for user root Jun 17 10:05:02 rmarty crond(pam_unix)[30567]: session opened for user idabench by (uid=0) Jun 17 10:05:05 rmarty crond(pam_unix)[30567]: session closed for user idabench Jun 17 10:13:05 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.19/192.168.80.19 to UDP port: 192 Jun 17 10:13:05 rmarty portsentry[4797]: attackalert: Host: 192.168.80.19/192.168.80.19 is already blocked Ignoring Jun 17 10:14:09 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68 Thousand Log Lines Jun 17 10:14:09 rmarty portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring Thousand Log Lines Jun 17 10:14:09 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68 Jun 17 10:14:09 rmarty portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring Jun 17 10:21:30 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68 Jun 17 10:21:30 rmarty portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring Jun 17 10:28:40 rmarty vmnet-dhcpd: DHCPDISCOVER from 00:0c:29:b7:b2:47 via vmnet8 Jun 17 10:28:41 rmarty vmnet-dhcpd: DHCPOFFER on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8 Jun 17 10:28:41 rmarty vmnet-dhcpd: DHCPREQUEST for 172.16.48.128 from 00:0c:29:b7:b2:47 via vmnet8 Jun 17 10:28:45 rmarty vmnet-dhcpd: DHCPACK on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8 Jun 17 10:30:47 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68 Jun 17 10:30:47 rmarty portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring Jun 17 10:30:47 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68 Jun 17 10:30:47 rmarty portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring Jun 17 10:35:28 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128 Jun 17 10:35:31 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128 Jun 17 10:38:51 rmarty vmnet-dhcpd: DHCPREQUEST for 172.16.48.128 from 00:0c:29:b7:b2:47 via vmnet8 Jun 17 10:38:52 rmarty vmnet-dhcpd: DHCPACK on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8 Jun 17 10:42:35 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128 Jun 17 10:42:38 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128 Raffael Marty DefCon 2006 Las Vegas 6
  • 7. Graphing Basics Raffael Marty DefCon 2006 Las Vegas 7
  • 8. How To Generate A Graph ... | Normalization | ... Device Parser Event Visualizer Jun 17 09:42:30 rmarty ifup: Determining IP information for eth0... Jun 17 09:42:35 rmarty ifup: failed; no link present. Check cable? Jun 17 09:42:35 rmarty network: Bringing up interface eth0: failed Jun 17 09:42:38 rmarty sendmail: sendmail shutdown succeeded Jun 17 09:42:38 rmarty sendmail: sm-client shutdown succeeded Jun 17 09:42:39 rmarty sendmail: sendmail startup succeeded Jun 17 09:42:39 rmarty sendmail: sm-client startup succeeded Jun 17 09:43:39 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128 Jun 17 09:45:42 rmarty last message repeated 2 times Jun 17 09:45:47 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128 Visual Jun 17 09:56:02 rmarty vmnet-dhcpd: DHCPDISCOVER from 00:0c:29:b7:b2:47 via vmnet8 Jun 17 09:56:03 rmarty vmnet-dhcpd: DHCPOFFER on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8 NH Log File Raffael Marty DefCon 2006 Las Vegas 8
  • 9. Visual Types ►Visuals that AfterGlow supports: Link Graphs TreeMaps AfterGlow 1.x - Perl AfterGlow 2.0 - JAVA Raffael Marty DefCon 2006 Las Vegas 9
  • 10. Link Graph Configurations Raw Event: [**] [1:1923:2] RPC portmap UDP proxy attempt [**] [Classification: Decode of an RPC Query] [Priority: 2] 06/04-15:56:28.219753 192.168.10.90:32859 -> 192.168.10.255:111 UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:148 DF Len: 120 Different node configurations: SIP Name DIP SIP DIP DPort 192.168.10.90 RPC portmap 192.168.10.255 192.168.10.90 192.168.10.255 111 SIP SPort DPort Name SIP DIP 192.168.10.90 32859 111 RPC portmap 192.168.10.90 192.168.10.255 Raffael Marty DefCon 2006 Las Vegas 10
  • 11. Tree Maps All Network Traffic Raffael Marty DefCon 2006 Las Vegas 11
  • 12. Tree Maps 20% 80% UDP TCP Configuration (Hierarchy): Protocol Raffael Marty DefCon 2006 Las Vegas 12
  • 13. Tree Maps UDP TCP HTTP DNS UDP TCP SSH SNMP FTP Configuration (Hierarchy): Protocol -> Service Raffael Marty DefCon 2006 Las Vegas 13
  • 14. AfterGlow afterglow.sourceforge.net Raffael Marty DefCon 2006 Las Vegas 14
  • 15. AfterGlow http://afterglow.sourceforge.net ► Two Versions: • AfterGlow 1.x – Perl for Link Graphs • AfterGlow 2.0 – Java for TreeMaps ► Collection of Parsers: • pf2csv.pl BSD PacketFilter (pf) • tcpdump2csv.pl tcpdump 3.9 • sendmail2csv.pl Sendmail transaction logs Raffael Marty DefCon 2006 Las Vegas 15
  • 16. AfterGlow Parsers ► tcpdump2csv.pl • Takes care of swapping response source and targets tcpdump -vttttnnelr /tmp/log.tcpdump | ./tcpdump2csv.pl "sip dip sport" ► sendmail_parser.pl • Reassemble email conversations: Jul 24 21:01:16 rmarty sendmail[17072]: j6P41Gqt017072: from=<root@localhost.localdomain>, size=650, class=0, nrcpts=1, Jul 24 21:01:16 rmarty sendmail[17073]: j6P41Gqt017072: to=ram, ctladdr=<root@localhost.localdomain> (0/0), delay=00:00:00, xdelay=00:00:00, mailer=local, pri=30881, dsn=2.0.0, stat=Sent ► pf2csv.pl • Parsing OpenBSD pf output Raffael Marty DefCon 2006 Las Vegas 16
  • 17. AfterGlow 1.x - Perl Parser AfterGlow Grapher Graph CSV File LanguageFile ► Supported graphing tools: • GraphViz from AT&T (dot, neato, circo, twopi) http://www.graphviz.org • LGL (Large Graph Layout) by Alex Adai http://bioinformatics.icmb.utexas.edu/lgl/ Raffael Marty DefCon 2006 Las Vegas 17
  • 18. AfterGlow 1.x Features ► Generate Link Graphs ► Filtering Nodes • Based on name Fan Out: 3 • Based on number of occurrences ► Fan Out Filtering ► Coloring • Edges • Nodes ► Clustering Raffael Marty DefCon 2006 Las Vegas 18
  • 19. AfterGlow 1.x Command Line Parameters  Some command line arguments: -h : help -t : two node mode -d : print count on nodes -e : edge length -n : no node labels -o threshold : omit threshold (fan-out for nodes to be displayed) -f threshold : fan out threshold for source node -c configfile : color configuration file Raffael Marty DefCon 2006 Las Vegas 19
  • 20. AfterGlow 1.x Hello World Input Data: Command: a,b cat file | ./afterglow –c simple.properties –t neato –Tgif –o test.gif a,c b,c simple.properties: d,e color.source=“green” if ($fields[0] ne “d”) color.target=“blue” if ($fields[1] ne “e”) Output: d color.source=“red” color=“green” b e a c Raffael Marty DefCon 2006 Las Vegas 20
  • 21. AfterGlow 1.x Property File – Color Definition  Coloring: color.[source|event|target|edge]= <perl expression returning a color name>  Array @fields contains input-line, split into tokens: color.event=“red” if ($fields[1] =~ /^192..*)  Filter nodes with “invisible” color: color.target=“invisible” if ($fields[0] eq “IIS Action”) Raffael Marty DefCon 2006 Las Vegas 21
  • 22. AfterGlow 1.x Property File - Clustering  Clustering: cluster.[source|event|target]= <perl expression returning a cluster name> Raffael Marty DefCon 2006 Las Vegas 22
  • 23. AfterGlow 2.0 - Java Parser AfterGlow - Java CSV File ► Command line arguments: -h : help -c file : property file -f file : data file Raffael Marty DefCon 2006 Las Vegas 23
  • 24. AfterGlow 2.0 Example ► Data: ## AfterGlow -- JAVA 2.0 AfterGlow JAVA 2.0 ## Properties File Properties File Target System Type,SIP,DIP,User,Outcome Development,192.168.10.1,10.10.2.1,ram,failure ## File to load File to load file.name=/home/ram/afterglow/data/sample.csv VPN,192.168.10.1,10.10.2.1,ram,success file.name=/home/ram/afterglow/data/sample.csv Financial System,192.168.20.1,10.0.3.1,drob,success ## Column Types (default is STRING), start with 0! VPN,192.168.10.1,10.10.2.1,ram,success Column Types (default is STRING), start with 0! ## Valid values: Valid values: VPN,192.168.10.1,10.10.2.1,jmoe,failure ## STRING STRING Financial System,192.168.10.1,10.10.2.1,jmoe,success ## INTEGER INTEGER Financial System,192.168.10.1,10.10.2.1,jmoe,failure ## CATEGORICAL CATEGORICAL column.type.count=4 column.type.count=4 ► Launch: column.type[0].column=0 column.type[0].column=0 column.type[0].type=INTEGER column.type[0].type=INTEGER column.type[1].column=1 column.type[1].column=1 ./afterglow-java.sh –c afterglow.properties column.type[1].type=CATEGORICAL column.type[1].type=CATEGORICAL column.type[2].column=2 column.type[2].column=2 column.type[2].type=CATEGORICAL column.type[2].type=CATEGORICAL column.type[3].column=3 column.type[3].column=3 column.type[3].type=CATEGORICAL column.type[3].type=CATEGORICAL ## Size Column (default is 0) Size Column (default is 0) size.column=0 size.column=0 ## Color Column (default is 0) Color Column (default is 0) color.column=2 color.column=2 Raffael Marty DefCon 2006 Las Vegas 24
  • 25. AfterGlow 2.0 Output Raffael Marty DefCon 2006 Las Vegas 25
  • 26. AfterGlow 2.0 Interaction ► Left-click: • Zoom in ► Right-click: • Zoom all the way out ► Middle-click • Change Coloring to current depth (Hack: Use SHIFT for leafs) Raffael Marty DefCon 2006 Las Vegas 26
  • 27. Firewall Log File Analysis Raffael Marty DefCon 2006 Las Vegas 27
  • 28. Firewall Log File Analysis Overview 1. Parse Firewall Log 2. Investigate allowed incoming traffic ► Do you know what you are dealing with? 3. Investigate allowed outgoing traffic ► What is leaving the network? 4. Investigate blocked outgoing traffic ► Mis-configured or compromised internal machines OR ACL problem 5. Investigate blocked incoming traffic ► What is trying to attack me? Raffael Marty DefCon 2006 Las Vegas 28
  • 29. Firewall Log File Analysis Parsing PF Firewall Log Input (pflog): Feb 18 13:39:15.598491 rule 71/0(match): pass in on xl0: 195.27.249.139.63263 > 195.141.69.42.80: S 492525755:492525755(0) win 32768 <mss 1460,nop,wscale 0,nop,nop,timestamp 24053 0> (DF) Feb 18 13:39:15.899644 rule 71/0(match): pass in on xl0: 195.27.249.139.63264 > 195.141.69.42.80: S 875844783:875844783(0) win 32768 <mss 1460,nop,wscale 0,nop,nop,timestamp 24054 0> (DF) Command: cat pflog | pf2csv.pl “sip dip dport” Output: 195.27.249.139,195.141.69.42,80 195.27.249.139,195.141.69.42,80 AfterGlow Input Visualization: cat pflog | pf2csv.pl “sip dip dport” | afterglow –c properties | neato –Tgif –o foo.gif Raffael Marty DefCon 2006 Las Vegas 29
  • 30. Firewall Log File Analysis Passed Incoming Traffic Command: cat log | grep pass_in | ./afterglow –c properties –d | dot –Tgif –o foo.gif Properties: Features/Functions: cluster.source="External" if (!match("^195.141.69")) field() color=“red” if (field() eq “External”) cluster color.event=“blue" if (regex("^195.141.69")) match() color.event=“lightblue” color="red" Port 100 access Raffael Marty DefCon 2006 Las Vegas 30
  • 31. Firewall Log File Analysis Passed Outgoing Traffic Command: cat log | grep pass_out | ./afterglow –c properties –d | neato –Tgif –o foo.gif Raffael Marty DefCon 2006 Las Vegas 31
  • 32. Firewall Log File Analysis Blocked Outgoing Traffic Command: cat log | grep block_out | ./afterglow –c properties –d | neato –Tgif –o foo.gif What happened? Rule-set logs on response  block in on xl1 Firewall request response Client xl0 xl1 Server Raffael Marty DefCon 2006 Las Vegas 32
  • 33. Firewall Log File Analysis Blocked Outgoing Traffic – 2nd Attempt cat log | pf2csv.pl “sip dip dport reversed” | grep –v “R$” Uses heuristics to filter responses out Port 427/svrlog Raffael Marty DefCon 2006 Las Vegas 33
  • 34. Firewall Log File Analysis Blocked Incoming Traffic Command: cat log | grep block_in | ./afterglow –c properties –d | neato –Tgif –o foo.gif You guessed right: WAY TOO MESSY! Raffael Marty DefCon 2006 Las Vegas 34
  • 35. Firewall Log File Analysis Blocked Incoming Port-Scans Command: cat log |grep block_in |./afterglow –c properties –d –g 2 | neato –Tgif –o foo.gif Properties: cluster.target=“>30000” if ($fields[2]>30000) cluster.target=“>1024” if ($fields[2]>1024) color= . . . Feature: -g 2 : Filter based on event-node fan-out! i.e., more than two ports accessed! Raffael Marty DefCon 2006 Las Vegas 35
  • 36. Firewall Log File Analysis Blocked Incoming Port-Scans SIP DIP DPort Raffael Marty DefCon 2006 Las Vegas 36
  • 37. Firewall Log File Analysis Blocked Incoming Bogon Addresses Command: cat log | grep block_in |./afterglow –c properties –d | neato –Tgif –o foo.gif This is going to be crazy! Raffael Marty DefCon 2006 Las Vegas 37
  • 38. Firewall Log File Analysis Blocked Incoming Bogon Addresses Command: cat log |grep block_in |./afterglow –c properties –d | neato –Tgif –o foo.gif Properties: Bogon Address Space variable=@ranges=qw{0.0.0.0/7 2.0.0.0/8 5.0.0.0/8 7.0.0.0/8 10.0.0.0/8 23.0.0.0/8 27.0.0.0/8 31.0.0.0/8 36.0.0.0/7 39.0.0.0/8 42.0.0.0/8 49.0.0.0/8 50.0.0.0/8 77.0.0.0/8 78.0.0.0/7 92.0.0.0/6 96.0.0.0/4 112.0.0.0/5 120.0.0.0/8 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12 173.0.0.0/8 174.0.0.0/7 176.0.0.0/5 184.0.0.0/6 192.0.2.0/24 192.168.0.0/16 197.0.0.0/8 198.18.0.0/15 223.0.0.0/8 224.0.0.0/3}; color=$value=0; map{ ($value+=subnet(field(),$_)) } @ranges cluster.source=$value=0; map{ $value+=subnet(field(),$_) } "red" if ($value) @ranges; regex_replace("(d+)")."/8" if color="green" if (!match("^(195.141.69)")) (!match("^(195.141.69)") && !$value); color="blue" cluster.target=$value=0; map{ $value+=subnet(field(),$_) } @ranges; regex_replace("(d+)")."/8" if (!match("^(195.141.69)") && !$value); Features: variable= regex_replace() subnet(IP,range) e.g., subnet(“10.0.0.2”,”10.0.0.0/8”)  1 (true) Raffael Marty DefCon 2006 Las Vegas 38
  • 39. Firewall Log File Analysis Blocked Incoming Bogon Addresses Bogon Addresses External Addresses Internal Addresses Raffael Marty DefCon 2006 Las Vegas 39
  • 40. Summary ► Introduced AfterGlow • Filtering • Coloring • Clustering ► Quickly Visualize Log Files Log Files Don’t Read Log Files Don’t Read • Understand Relationships Visualize Them!! Visualize Them!! • Find Outliers • Spot suspicious activity Raffael Marty DefCon 2006 Las Vegas 40
  • 41. THANKS! raffy@arcsight.com Raffael Marty DefCon 2006 Las Vegas 41