Event Graphs - EUSecWest 2006
1. A Visual Approach to Security Event Management
EuSecWest ‘06, London
Raffael Marty, GCIA, CISSP
Senior Security Engineer @ ArcSight
February 21st, 2006
2. Raffael Marty, GCIA, CISSP
Enterprise Security Management (ESM) specialist
Strategic Application Solutions @ ArcSight, Inc.
Intrusion Detection Research @ IBM Research
See http://thor.cryptojail.net
IT Security Consultant @ PriceWaterhouse Coopers
Open Vulnerability and Assessment Language (OVAL) board member
Passion for Visual Security Event Analysis
Raffael Marty EuSecWest 2006 London 2
3. Table Of Contents
► Introduction
► Basics
► Examples of Graphs you can draw with AfterGlow
► AfterGlow
• 1.x – Event Graphs
• 2.0 – TreeMaps
• Future – All in One!
5. Disclaimer
IP addresses and host names showing up in event graphs and descriptions were obfuscated/changed. The addresses are completely random, and any resemblance to well-known addresses or host names is purely coincidental.
6. Text or Visuals?
► What would you rather look at?
Jun 17 09:42:30 rmarty ifup: Determining IP information for eth0...
Jun 17 09:42:35 rmarty ifup: failed; no link present. Check cable?
Jun 17 09:42:35 rmarty network: Bringing up interface eth0: failed
Jun 17 09:42:38 rmarty sendmail: sendmail shutdown succeeded
Jun 17 09:42:38 rmarty sendmail: sm-client shutdown succeeded
Jun 17 09:42:39 rmarty sendmail: sendmail startup succeeded
Jun 17 09:42:39 rmarty sendmail: sm-client startup succeeded
Jun 17 09:43:39 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128
Jun 17 09:45:42 rmarty last message repeated 2 times
Jun 17 09:45:47 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128
Jun 17 09:56:02 rmarty vmnet-dhcpd: DHCPDISCOVER from 00:0c:29:b7:b2:47 via vmnet8
Jun 17 09:56:03 rmarty vmnet-dhcpd: DHCPOFFER on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8
Jun 17 09:56:03 rmarty vmnet-dhcpd: DHCPREQUEST for 172.16.48.128 from 00:0c:29:b7:b2:47 via vmnet8
Jun 17 09:56:03 rmarty vmnet-dhcpd: DHCPACK on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8
Jun 17 10:00:03 rmarty crond(pam_unix)[30534]: session opened for user root by (uid=0)
Jun 17 10:00:10 rmarty crond(pam_unix)[30534]: session closed for user root
Jun 17 10:01:02 rmarty crond(pam_unix)[30551]: session opened for user root by (uid=0)
Jun 17 10:01:07 rmarty crond(pam_unix)[30551]: session closed for user root
Jun 17 10:05:02 rmarty crond(pam_unix)[30567]: session opened for user idabench by (uid=0)
Jun 17 10:05:05 rmarty crond(pam_unix)[30567]: session closed for user idabench
Jun 17 10:13:05 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.19/192.168.80.19 to UDP port: 192
Jun 17 10:13:05 rmarty portsentry[4797]: attackalert: Host: 192.168.80.19/192.168.80.19 is already blocked Ignoring
Jun 17 10:14:09 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68
Jun 17 10:14:09 rmarty portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring
Jun 17 10:14:09 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68
Jun 17 10:14:09 rmarty portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring
Jun 17 10:21:30 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68
Jun 17 10:21:30 rmarty portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring
Jun 17 10:28:40 rmarty vmnet-dhcpd: DHCPDISCOVER from 00:0c:29:b7:b2:47 via vmnet8
Jun 17 10:28:41 rmarty vmnet-dhcpd: DHCPOFFER on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8
Jun 17 10:28:41 rmarty vmnet-dhcpd: DHCPREQUEST for 172.16.48.128 from 00:0c:29:b7:b2:47 via vmnet8
Jun 17 10:28:45 rmarty vmnet-dhcpd: DHCPACK on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8
Jun 17 10:30:47 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68
Jun 17 10:30:47 rmarty portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring
Jun 17 10:30:47 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68
Jun 17 10:30:47 rmarty portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring
Jun 17 10:35:28 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128
Jun 17 10:35:31 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128
Jun 17 10:38:51 rmarty vmnet-dhcpd: DHCPREQUEST for 172.16.48.128 from 00:0c:29:b7:b2:47 via vmnet8
Jun 17 10:38:52 rmarty vmnet-dhcpd: DHCPACK on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8
Jun 17 10:42:35 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128
Jun 17 10:42:38 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128
7. A Picture is Worth a Thousand Log Entries
Detect the Expected & Discover the Unexpected
Reduce Analysis and Response Times
Make Better Decisions
8. Three Aspects of Visual Security Event Analysis
► Situational Awareness
• What is happening in a specific business area
(e.g., compliance monitoring)
• What is happening on a specific network
• What are certain servers doing
► Real-Time Monitoring and Incident Response
• Capture important activities and take action
• Event Workflow
• Collaboration
► Forensic and Historic Investigation
• Selecting an arbitrary set of events for investigation
• Understanding the big picture
• Analyzing relationships - Exploration
• Reporting
10. How To Generate A Graph?
Log File -> Device Parser -> Normalization -> Event Visualizer -> Visual
(Input: the raw syslog excerpt shown on slide 6.)
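The parser step of that pipeline, as an added example written for this page (it is not code from the slides or from AfterGlow): a Python script that turns the slide 6 syslog excerpt into the three-column source,event,target CSV that AfterGlow 1.x reads. The log lines are constructed in the slide's format, and the choice of which field becomes which node (scanner -> scan type -> scanned port; cron user -> session -> host) is this example's, not something the slides prescribe.

```python
import csv
import io
import re

# Constructed sample in the syslog format the slide shows (not a real capture).
SAMPLE_LOG = """\
Jun 17 09:43:39 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128
Jun 17 10:00:03 rmarty crond(pam_unix)[30534]: session opened for user root by (uid=0)
Jun 17 10:00:10 rmarty crond(pam_unix)[30534]: session closed for user root
Jun 17 10:05:02 rmarty crond(pam_unix)[30567]: session opened for user idabench by (uid=0)
Jun 17 10:13:05 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.19/192.168.80.19 to UDP port: 192
Jun 17 10:13:05 rmarty portsentry[4797]: attackalert: Host: 192.168.80.19/192.168.80.19 is already blocked Ignoring
Jun 17 10:14:09 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68
Jun 17 10:21:30 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68
"""

# Classic BSD syslog header: "Mon DD HH:MM:SS host program[pid]: message".
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+"
    r"(?P<prog>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?:\s(?P<msg>.*)$"
)
PORTSENTRY_RE = re.compile(
    r"attackalert: (?P<proto>TCP|UDP) scan from host: \S+/(?P<ip>\d+(?:\.\d+){3}) "
    r"to (?P=proto) port: (?P<port>\d+)$"
)
PAM_RE = re.compile(r"^session (?P<action>opened|closed) for user (?P<user>\S+)")


def to_triple(line):
    """Map one syslog line to an AfterGlow (source, event, target) row.
    Returns None for lines that carry no relationship worth drawing.
    The role assignment (scanner -> scan type -> scanned port, cron user ->
    'cron session' -> host) is a choice made for this example."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None  # e.g. "last message repeated N times" has no program field
    prog, msg = m.group("prog"), m.group("msg")
    if prog == "portsentry":
        p = PORTSENTRY_RE.match(msg)
        if p:
            proto = p.group("proto")
            return (p.group("ip"), f"{proto} scan", f"{proto}/{p.group('port')}")
        return None  # "already blocked" follow-ups add no new edge
    if prog.startswith("crond"):
        p = PAM_RE.match(msg)
        if p and p.group("action") == "opened":
            return (p.group("user"), "cron session", m.group("host"))
    return None


def log_to_csv(text):
    """Return the CSV text AfterGlow 1.x reads: one source,event,target row per line."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    for line in text.splitlines():
        row = to_triple(line)
        if row:
            writer.writerow(row)
    return buf.getvalue()


if __name__ == "__main__":
    # Feed the output into the rest of the pipeline, e.g.:
    #   python3 log2csv.py | afterglow.pl -c color.properties | neato -Tgif -o graph.gif
    print(log_to_csv(SAMPLE_LOG), end="")
```

Lines the parser does not recognise are dropped rather than drawn, which is the normalization decision the slide's "Device Parser" box hides: every kind of log line you want in the picture needs an explicit mapping to node roles.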
11. Visual Types I
► Will focus on visuals that AfterGlow supports:
• Event Graphs (Link Graphs) – AfterGlow 1.x (Perl)
• TreeMaps – AfterGlow 2.0 (Java)
25. Firewall Activity
Graph: SIP -> Rule# -> DIP
Legend: External Machine, Internal Machine, Rule#, Outgoing, Incoming
Next Steps:
1. Visualize "FW Blocks" of outgoing traffic
-> Why do internal machines trigger blocks?
2. Visualize "FW Blocks" of incoming traffic
-> Who and what tries to enter my network?
3. Visualize "FW Passes" of outgoing traffic
-> What is leaving the network?
29. DefCon 2004 Capture The Flag
Graph: SIP -> DIP -> DPort
Port coloring: DstPort < 1024, DstPort > 1024
Legend: Source Of Evil, Internal Target, Other Team's Target, Internal Source, Internet Target, Exposed Services, Our Servers
30. DefCon 2004 Capture The Flag – TTL Games
Graph: SIP -> DIP -> TTL
Legend: Source Of Evil, Internal Target, Internal Source, Offender TTL, Our Servers
31. DefCon 2004 Capture The Flag – More TTL
Graph: DPort -> Flags -> TTL
Option: Show Node Counts
32. Telecom Malicious Code Propagation
Graph: From Phone# -> Content Type|Size -> To Phone#
33. Email Cliques
Graph: From -> To
Legend: From: My Domain, From: Other Domain, To: My Domain, To: Other Domain
34. Email Relays
Graph: From -> To
Legend: From: My Domain, From: Other Domain, To: My Domain, To: Other Domain
Grey out "my domain": make emails to and from "my domain" invisible, so that only mail which is neither sent by nor addressed to your own domain remains in the graph.
Do you run an open relay?
35. Email SPAM?
Graph: To -> Size
Size > 10.000
Omit threshold = 1
Multiple recipients with same-size messages
36. Email SPAM?
Graph: From -> nrcpt
nrcpt >= 2
Omit threshold = 1
37. BIG Emails
Graph: From -> To -> Size
Size > 100.000
Omit Threshold = 2
Documents leaving the network?
38. Email Server Problems?
Graph: To -> Delay
Delay coloring: 2:00 < Delay < 10:00, Delay > 10:00
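The five email views above (relays, same-size spam, nrcpt, big emails, delivery delay) are each a filter plus a grouping applied before the graph is drawn. As an added example, not part of the slides or of AfterGlow, here is that pre-graph logic in Python over constructed per-delivery records. The records and the domain example.com are made up; "Size > 10.000" is read as 10000 bytes and the delay thresholds as minutes:seconds, both assumptions about the slides' notation.

```python
from collections import defaultdict

MY_DOMAIN = "example.com"  # hypothetical "my domain" from the slides

# Constructed per-delivery records, not a real mail log. A sendmail or postfix log
# parser would yield the same fields: sender, recipient, message size in bytes,
# the message's recipient count (nrcpt) and the delivery delay in seconds.
RECORDS = [
    dict(id="q1", frm="alice@example.com", to="bob@example.com",    size=4200,    nrcpt=1, delay=3),
    dict(id="q2", frm="promo@spam.test",   to="alice@example.com",  size=15360,   nrcpt=1, delay=5),
    dict(id="q3", frm="promo@spam.test",   to="bob@example.com",    size=15360,   nrcpt=1, delay=4),
    dict(id="q4", frm="promo@spam.test",   to="carol@example.com",  size=15360,   nrcpt=1, delay=6),
    dict(id="q5", frm="hr@example.com",    to="alice@example.com",  size=22000,   nrcpt=3, delay=2),
    dict(id="q5", frm="hr@example.com",    to="bob@example.com",    size=22000,   nrcpt=3, delay=2),
    dict(id="q5", frm="hr@example.com",    to="carol@example.com",  size=22000,   nrcpt=3, delay=2),
    dict(id="q6", frm="dave@example.com",  to="partner@other.test", size=2500000, nrcpt=1, delay=40),
    dict(id="q7", frm="stranger@a.test",   to="victim@b.test",      size=3000,    nrcpt=1, delay=1),
    dict(id="q8", frm="bob@example.com",   to="alice@example.com",  size=900,     nrcpt=1, delay=700),
    dict(id="q9", frm="carol@example.com", to="bob@example.com",    size=1200,    nrcpt=1, delay=250),
]


def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()


def same_size_fanout(records, min_size=10000, min_recipients=2):
    """Slide 35 (To -> Size, Size > 10.000): sizes that reached several distinct
    recipients. This catches a mailing sent as many single-recipient messages,
    which the nrcpt view below cannot see."""
    by_size = defaultdict(set)
    for r in records:
        if r["size"] > min_size:
            by_size[r["size"]].add(r["to"])
    return {s: sorted(rcpts) for s, rcpts in by_size.items() if len(rcpts) >= min_recipients}


def multi_recipient_senders(records, min_nrcpt=2):
    """Slide 36 (From -> nrcpt, nrcpt >= 2): senders whose messages carry several recipients."""
    out = defaultdict(set)
    for r in records:
        if r["nrcpt"] >= min_nrcpt:
            out[r["frm"]].add(r["nrcpt"])
    return {sender: sorted(n) for sender, n in out.items()}


def big_outbound(records, my_domain=MY_DOMAIN, min_size=100000):
    """Slide 37 (From -> To -> Size, Size > 100.000): documents leaving the network."""
    return [r for r in records
            if domain(r["frm"]) == my_domain and domain(r["to"]) != my_domain and r["size"] > min_size]


def relay_suspects(records, my_domain=MY_DOMAIN):
    """Slide 34: with mail to and from "my domain" made invisible, whatever is left was
    neither addressed to us nor sent by us, i.e. evidence that the server relays for strangers."""
    return [r for r in records if my_domain not in (domain(r["frm"]), domain(r["to"]))]


RANK = {"ok": 0, "warning": 1, "critical": 2}


def delay_bucket(delay_s, warn=120, crit=600):
    """Slide 38 coloring: 2:00 < Delay < 10:00 is a warning, Delay > 10:00 is critical
    (thresholds read as minutes:seconds, an assumption about the slide's notation)."""
    if delay_s > crit:
        return "critical"
    if delay_s > warn:
        return "warning"
    return "ok"


def slow_recipients(records):
    """Worst delay bucket seen per recipient, leaving out deliveries that were fine."""
    worst = {}
    for r in records:
        bucket = delay_bucket(r["delay"])
        if RANK[bucket] > RANK.get(worst.get(r["to"]), 0):
            worst[r["to"]] = bucket
    return worst


def two_column_csv(records, a, b, keep=lambda r: True):
    """Emit the two-column CSV AfterGlow 1.x draws in -t mode, e.g. To -> Size."""
    return "\n".join(f"{r[a]},{r[b]}" for r in records if keep(r))


if __name__ == "__main__":
    # The input for the slide 35 graph: recipients of messages larger than 10.000 bytes.
    print(two_column_csv(RECORDS, "to", "size", keep=lambda r: r["size"] > 10000))
```

Note that the legitimate HR mailing (q5) shows up in the same-size view next to the spam run; the slide's question mark is deliberate, the graph narrows the candidates and the analyst decides.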
39. AfterGlow
afterglow.sourceforge.net
40. AfterGlow
► http://afterglow.sourceforge.net
► Two Versions:
• AfterGlow 1.x – Perl for Event Graphs
• AfterGlow 2.0 – Java for TreeMaps
41. AfterGlow 1.x - Perl
Pipeline: Parser -> CSV File -> AfterGlow -> Graph Language File -> Grapher -> Graph
► Supported graphing tools:
• GraphViz from AT&T (dot and neato)
http://www.research.att.com/sw/tools/graphviz/
• LGL (Large Graph Layout) by Alex Adai
http://bioinformatics.icmb.utexas.edu/lgl/
42. AfterGlow 1.x – Command Line Parameters
► Some command line arguments:
-h : help
-t : two node mode
-d : print count on nodes
-e : edge length
-n : no node labels
-o threshold : omit threshold (fan-out for nodes to be displayed)
-c configfile : color configuration file
43. AfterGlow 1.x – color.properties
► Syntax:
color.[source|event|target|edge]=<perl expression returning a color name>
► Array @fields contains the input line, split into tokens:
color.event="red" if ($fields[1] =~ /^192\..*/)
► Special color "invisible":
color.target="invisible" if ($fields[0] eq "IIS Action")
► Edge color:
color.edge="blue"
44. AfterGlow 1.x – color.properties - Example
# Lines are tried top to bottom; the first one that returns a color wins,
# so the unconditional line at the end of each group is the default.
# Dots are escaped so "." matches a literal dot, not any character.
color.source="olivedrab" if ($fields[0]=~/191\.141\.69\.4/);
color.source="olivedrab" if ($fields[0]=~/211\.254\.110\./);
color.source="orangered1"
color.event="slateblue4"
color.target="olivedrab" if ($fields[2]=~/191\.141\.69\.4/);
color.target="olivedrab" if ($fields[2]=~/211\.254\.110\./);
color.target="orangered1"
color.edge="firebrick" if (($fields[0]=~/191\.141\.69\.4/) or ($fields[2]=~/191\.141\.69\.4/))
color.edge="cyan4"
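To make slides 42 to 44 concrete, here is an added example that re-implements the core of what afterglow.pl does between the CSV and the grapher: rows become source -> event -> target (or source -> target in -t mode), each node and edge gets its color from an ordered, first-match rule list, "invisible" nodes vanish, the -o fan-out filter prunes, and the result is written as GraphViz dot. This is example code written for this page, not AfterGlow's own: the rules mirror slide 44 with Python callables standing in for the Perl expressions, the CSV rows are constructed, and reading -o as "fewer than N distinct neighbours" and dropping an invisible node together with its edges are this example's interpretation of AfterGlow's behaviour.

```python
import csv
import io
import re
from collections import Counter, defaultdict

# Constructed source,event,target rows in the shape AfterGlow 1.x reads (not real data).
SAMPLE_CSV = """\
191.141.69.4,UDP scan,10.0.0.5
191.141.69.4,UDP scan,10.0.0.6
211.254.110.7,TCP scan,10.0.0.5
211.254.110.7,TCP scan,10.0.0.7
203.0.113.9,TCP scan,10.0.0.5
203.0.113.9,TCP scan,10.0.0.8
10.0.0.8,IIS Action,10.0.0.5
"""


def first_match(rules, fields):
    """color.properties semantics: rules are tried in order and the first one whose
    predicate accepts the row decides the color; an entry with predicate None is
    the unconditional default that closes the list."""
    for predicate, color in rules:
        if predicate is None or predicate(fields):
            return color
    return None


# Same addresses as slide 44, with the dots escaped so "191.141.69.4" cannot match
# "191x141x69x4", and anchored so it cannot match "191.141.69.40".
KNOWN = re.compile(r"^(?:191\.141\.69\.4$|211\.254\.110\.)")
RULES = {
    "source": [(lambda f: KNOWN.match(f[0]) is not None, "olivedrab"),
               (None, "orangered1")],
    "event":  [(lambda f: f[1] == "IIS Action", "invisible"),  # the special color from slide 43
               (None, "slateblue4")],
    "target": [(lambda f: KNOWN.match(f[-1]) is not None, "olivedrab"),
               (None, "orangered1")],
    "edge":   [(lambda f: bool(KNOWN.match(f[0]) or KNOWN.match(f[-1])), "firebrick"),
               (None, "cyan4")],
}


def build_graph(csv_text, rules=RULES, omit_threshold=0):
    """Turn CSV rows into nodes and edges. Three columns give source -> event -> target,
    two columns (the -t mode) give source -> target; a label that appears in several
    columns is one node. Nodes colored "invisible" are dropped with their edges, and
    then (-o) nodes with fewer than omit_threshold distinct neighbours are dropped with
    their edges. Reading -o as 'distinct neighbours' is this example's assumption."""
    node_color, node_count = {}, Counter()
    edges, edge_color = Counter(), {}
    for f in csv.reader(io.StringIO(csv_text)):
        if len(f) == 3:
            roles = (("source", f[0]), ("event", f[1]), ("target", f[2]))
        elif len(f) == 2:
            roles = (("source", f[0]), ("target", f[1]))
        else:
            continue
        for role, label in roles:
            node_color.setdefault(label, first_match(rules[role], f))  # first row wins
            node_count[label] += 1
        for (_, a), (_, b) in zip(roles, roles[1:]):
            edges[(a, b)] += 1
            edge_color.setdefault((a, b), first_match(rules["edge"], f))
    visible = {n for n, c in node_color.items() if c != "invisible"}
    neighbours = defaultdict(set)
    for a, b in edges:
        if a in visible and b in visible:
            neighbours[a].add(b)
            neighbours[b].add(a)
    keep = {n for n in visible if len(neighbours[n]) >= omit_threshold}
    return {
        "nodes": {n: node_color[n] for n in keep},
        "count": {n: node_count[n] for n in keep},
        "edges": {e: c for e, c in edges.items() if e[0] in keep and e[1] in keep},
        "edge_color": edge_color,
    }


def to_dot(graph, show_counts=False):
    """Render GraphViz dot for dot/neato; show_counts mirrors -d (occurrences on the node)."""
    lines = ["digraph afterglow {", '  node [style=filled, fontname="Helvetica"];']
    for n, color in sorted(graph["nodes"].items()):
        label = f"{n}\\n{graph['count'][n]}" if show_counts else n
        lines.append(f'  "{n}" [label="{label}", fillcolor="{color}"];')
    for (a, b), c in sorted(graph["edges"].items()):
        ec = graph["edge_color"][(a, b)]
        lines.append(f'  "{a}" -> "{b}" [color="{ec}", penwidth={min(c, 5)}];')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Save the output as afterglow.dot and run:  neato -Tpng afterglow.dot -o afterglow.png
    print(to_dot(build_graph(SAMPLE_CSV, omit_threshold=1), show_counts=True))
```

Raising the omit threshold on the constructed data strips the single-neighbour scanners and leaves only the two scan-type nodes and 10.0.0.5, the one host both scan types reached; that pruning is what makes the "fans" and hubs on the DefCon and worm slides stand out in a large graph.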
45. AfterGlow 2.0 - Java
Pipeline: Parser -> CSV File -> AfterGlow - Java
► Command line arguments:
-h : help
-c file : property file
-f file : data file
46. AfterGlow 2.0 - Example
► Data (sample.csv):
Target System Type,SIP,DIP,User,Outcome
Development,192.168.10.1,10.10.2.1,ram,failure
VPN,192.168.10.1,10.10.2.1,ram,success
Financial System,192.168.20.1,10.0.3.1,drob,success
VPN,192.168.10.1,10.10.2.1,ram,success
VPN,192.168.10.1,10.10.2.1,jmoe,failure
Financial System,192.168.10.1,10.10.2.1,jmoe,success
Financial System,192.168.10.1,10.10.2.1,jmoe,failure
► Properties File (afterglow.properties):
## AfterGlow -- JAVA 2.0
## Properties File
## File to load
file.name=/home/ram/afterglow/data/sample.csv
## Column Types (default is STRING), start with 0!
## Valid values:
## STRING
## INTEGER
## CATEGORICAL
column.type.count=4
column.type[0].column=0
column.type[0].type=INTEGER
column.type[1].column=1
column.type[1].type=CATEGORICAL
column.type[2].column=2
column.type[2].type=CATEGORICAL
column.type[3].column=3
column.type[3].type=CATEGORICAL
## Size Column (default is 0)
size.column=0
## Color Column (default is 0)
color.column=2
► Launch:
./afterglow-java.sh -c afterglow.properties
48. AfterGlow 2.0 – Java - Interaction
► Left-click:
• Zoom in
► Right-click:
• Zoom all the way out
► Middle-click:
• Change coloring to current depth
(Hack: use SHIFT for leaves)
49. AfterGlow 3.0 – The Future
► Generating LinkGraphs with the Java version
► Adding more output formats
► Saving output as image file
► Animation
51. Summary
Detect the expected
& discover the unexpected
Reduce analysis and response times
Make better decisions
This graph utilizes a filter that only passes events targeting Web servers (the green nodes). It is configured to show what events (red nodes) target Web servers (green nodes) on what destination port (white nodes). You can see that there is one event that deserves some attention (the “Attack From Suspicious Source”). To assess what happened, it is probably necessary to drill-down into a channel for further investigation. Furthermore it can be seen that only well-known Web destination ports (80, 443) are being accessed on the Web servers, indicating probably benign traffic!
Focus on the little circles (especially on the bottom of the graph). These circles indicate sources (red nodes) that are connecting to many machines (green nodes) on the same port (white node). The zoom on the right side shows that there is one machine (the left red node) which connects to about a dozen machines on the same port. Depending on the source machine, this is normal or possibly anomalous behavior! Certainly worth investigating. For graphs like this it might make sense to apply a filter which prevents servers (especially Windows Domain Controllers) from being drawn. Those usually show very different behavior than all the other machines.
The graph shows a configuration that uses the destination address (green nodes) and target ports (white nodes). The contiguous port numbers either represent a part of a portscan or, what is more likely, a device which reports source ports as destination ports for some of the events.
This is an example of a graph that is useful in analyzing firewall rule-sets.
This shows a somewhat unconventional graph which greatly helps to analyze the firewall rule-set. On the left we see all the rules (red nodes) which passed traffic as opposed to the right side, which shows blocked traffic. Along with the rule-set the destination port of the traffic blocked by this rule-set is displayed. This helps debug the rule-set to see why a certain port was passed or blocked. In this graph it can be seen that there is one rule on the right side (in the middle of the green cluster), which seems to be responsible for most of the blocked packets.
Visualizing tcpdump logs can be very eye-opening. In this case I imported a tcpdump log which shows traffic going to three Web servers (white nodes). I was interested in where the traffic comes from (red nodes). There were too many source addresses to be visualized and therefore some aggregation had to be done. In this case I decided to have a look at the region where the events are coming from (again, the red nodes). Green nodes show through which access router the packets entered the network to get to the Web servers. It turned out that the Web servers are located behind a load balancer, indicated by the two distinct entry points for the traffic (two green nodes). How is it possible to determine the entry point? Tcpdump logs the source MAC address of incoming traffic, which reflects the router/machine passing the traffic into the internal network. This is why I used the source MAC address as event nodes. The graph nicely shows that traffic from certain regions entered the network through either of the load balancers (all the red nodes in the middle of the graph). Other regions of the world entered only through one of the balancers. It would be interesting to plot this data onto a world map to see whether it is true that certain regions of the world always enter through the same entry point (i.e., the load balancers are set up to do regional balancing).
Fans like the one shown in this graph are very prominent for worm behavior. It has to be investigated whether this is indeed a worm spreading on the network or some other behavior generated this kind of graph.
In this graph we are looking at a zoom of the graph from the previous slide again. Because we chose to show the destination ports only once in the graph (configure the graph to show nodes "once per distinct source node"), we can quickly identify all the machines that are offering a specific service on the network (red nodes connecting to the same white node) and also what machines are making use of those services (green nodes connecting to the white nodes). Filter out all the services (i.e., ports) that you know are running on your network and you will be able to spot servers that you did not know of and that should not exist on the network!