Logfile Visualization - The Beauty of Graphs
BCS 2006, Jakarta

Raffael Marty, GCIA, CISSP
Manager Solutions @ ArcSight

August 30th, 2006
Raffael Marty, GCIA, CISSP
    ► Enterprise Security Management (ESM) specialist
    ► Strategic Application Solutions @ ArcSight, Inc.
    ► Intrusion Detection Research @ IBM Research
      See http://thor.cryptojail.net
    ► IT Security Consultant @ PriceWaterhouse Coopers
    ► Open Vulnerability and Assessment Language (OVAL) board member
    ► Passion for Visual Security Event Analysis

Raffael Marty                        BCS 2006 Jakarta            2
Table Of Contents
    ► Introduction
    ► Graphing Basics
    ► Graph Use Cases
    ► Visual Analysis Process
    ► AfterGlow
    ► Firewall Log Visualization

Introduction




Disclaimer

    IP addresses and host names showing up in event graphs and descriptions were obfuscated/changed. The addresses are completely random and any resemblance with well-known addresses or host names is purely coincidental.

A Picture is Worth a Thousand Log Entries

    ► Detect the Expected & Discover the Unexpected
    ► Reduce Analysis and Response Times
    ► Make Better Decisions

Text or Visuals?
  ►What would you rather look at?
     Jun   17   09:42:30   rmarty   ifup: Determining IP information for eth0...
     Jun   17   09:42:35   rmarty   ifup: failed; no link present. Check cable?
     Jun   17   09:42:35   rmarty   network: Bringing up interface eth0: failed
     Jun   17   09:42:38   rmarty   sendmail: sendmail shutdown succeeded
     Jun   17   09:42:38   rmarty   sendmail: sm-client shutdown succeeded
     Jun   17   09:42:39   rmarty   sendmail: sendmail startup succeeded
     Jun   17   09:42:39   rmarty   sendmail: sm-client startup succeeded
     Jun   17   09:43:39   rmarty   vmnet-dhcpd: DHCPINFORM from 172.16.48.128
     Jun   17   09:45:42   rmarty   last message repeated 2 times
     Jun   17   09:45:47   rmarty   vmnet-dhcpd: DHCPINFORM from 172.16.48.128
     Jun   17   09:56:02   rmarty   vmnet-dhcpd: DHCPDISCOVER from 00:0c:29:b7:b2:47 via vmnet8
     Jun   17   09:56:03   rmarty   vmnet-dhcpd: DHCPOFFER on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8
     Jun   17   09:56:03   rmarty   vmnet-dhcpd: DHCPREQUEST for 172.16.48.128 from 00:0c:29:b7:b2:47 via vmnet8
     Jun   17   09:56:03   rmarty   vmnet-dhcpd: DHCPACK on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8
     Jun   17   10:00:03   rmarty   crond(pam_unix)[30534]: session opened for user root by (uid=0)
     Jun   17   10:00:10   rmarty   crond(pam_unix)[30534]: session closed for user root
     Jun   17   10:01:02   rmarty   crond(pam_unix)[30551]: session opened for user root by (uid=0)
     Jun   17   10:01:07   rmarty   crond(pam_unix)[30551]: session closed for user root
     Jun   17   10:05:02   rmarty   crond(pam_unix)[30567]: session opened for user idabench by (uid=0)
     Jun   17   10:05:05   rmarty   crond(pam_unix)[30567]: session closed for user idabench
     Jun   17   10:13:05   rmarty   portsentry[4797]: attackalert: UDP scan from host: 192.168.80.19/192.168.80.19 to UDP port: 192
     Jun   17   10:13:05   rmarty   portsentry[4797]: attackalert: Host: 192.168.80.19/192.168.80.19 is already blocked Ignoring
     Jun   17   10:14:09   rmarty   portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68
     Jun   17   10:14:09   rmarty   portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring
     Jun   17   10:14:09   rmarty   portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68
     Jun   17   10:14:09   rmarty   portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring
     Jun   17   10:21:30   rmarty   portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68
     Jun   17   10:21:30   rmarty   portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring
     Jun   17   10:28:40   rmarty   vmnet-dhcpd: DHCPDISCOVER from 00:0c:29:b7:b2:47 via vmnet8
     Jun   17   10:28:41   rmarty   vmnet-dhcpd: DHCPOFFER on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8
     Jun   17   10:28:41   rmarty   vmnet-dhcpd: DHCPREQUEST for 172.16.48.128 from 00:0c:29:b7:b2:47 via vmnet8
     Jun   17   10:28:45   rmarty   vmnet-dhcpd: DHCPACK on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8
     Jun   17   10:30:47   rmarty   portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68
     Jun   17   10:30:47   rmarty   portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring
     Jun   17   10:30:47   rmarty   portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68
     Jun   17   10:30:47   rmarty   portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring
     Jun   17   10:35:28   rmarty   vmnet-dhcpd: DHCPINFORM from 172.16.48.128
     Jun   17   10:35:31   rmarty   vmnet-dhcpd: DHCPINFORM from 172.16.48.128
     Jun   17   10:38:51   rmarty   vmnet-dhcpd: DHCPREQUEST for 172.16.48.128 from 00:0c:29:b7:b2:47 via vmnet8
     Jun   17   10:38:52   rmarty   vmnet-dhcpd: DHCPACK on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8
     Jun   17   10:42:35   rmarty   vmnet-dhcpd: DHCPINFORM from 172.16.48.128
     Jun   17   10:42:38   rmarty   vmnet-dhcpd: DHCPINFORM from 172.16.48.128




Graphing Basics




How To Generate A Graph

    Pipeline (diagram): Device -> Log File -> Parser (... | Normalization | ...) -> Event Visualizer -> Visual

    The log file in the diagram is the beginning of the syslog excerpt from the previous slide (the ifup, sendmail and vmnet-dhcpd entries); the parser normalizes it before the event visualizer draws it.

Visual Types

    ► Link Graphs: AfterGlow 1.x - Perl
    ► TreeMaps: AfterGlow 2.0 - JAVA

Link Graph Configurations

     Raw Event:
     [**] [1:1923:2] RPC portmap UDP proxy attempt [**]
     [Classification: Decode of an RPC Query] [Priority: 2]
     06/04-15:56:28.219753 192.168.10.90:32859 -> 192.168.10.255:111
     UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:148 DF
     Len: 120

     Different node configurations (source node -> event node -> target node):

     SIP -> Name -> DIP:      192.168.10.90 -> RPC portmap -> 192.168.10.255
     SIP -> DIP -> DPort:     192.168.10.90 -> 192.168.10.255 -> 111
     SIP -> SPort -> DPort:   192.168.10.90 -> 32859 -> 111
     Name -> SIP -> DIP:      RPC portmap -> 192.168.10.90 -> 192.168.10.255

Tree Maps

    Figure: tree map of All Network Traffic

Tree Maps

    Configuration (Hierarchy): Protocol
    UDP: 20%    TCP: 80%

Tree Maps

    Configuration (Hierarchy): Protocol -> Service
    UDP: DNS, SNMP
    TCP: HTTP, SSH, FTP

Graph Use Cases




Graph Use-Cases
     Situational Awareness Dashboard




Graph Use-Cases
    Suspicious Activity?




Graph Use-Cases
    Network Scan




Graph Use-Cases
    Port Scan?
    ► Port scan or something else?

Graph Use-Cases
    PortScan

    Figure: link graph with the node configuration SIP -> DIP -> DPort

Graph Use-Cases
     Telecom Malicious Code Propagation

     Node configuration: From Phone# -> Content Type|Size -> To Phone#

Graph Use-Cases
    Email Relays

    Node configuration: From -> To
    Grey out "my domain"; make emails to and from "my domain" invisible.
    Legend: From: My Domain, From: Other Domain, To: My Domain, To: Other Domain

    Do you run an open relay?

Visual Analysis Process

Visual Analysis Process
     Event Feedback Loop

     Device (pflog):
     Feb 18 13:39:15.598491 rule 71/0(match): pass in on xl0: 195.27.249.139.63263 > 195.141.69.42.80: S 492525755:492525755(0) win 32768 <mss 1460,nop,wscale 0,nop,nop,timestamp 24053 0> (DF)
     Feb 18 13:39:15.899644 rule 71/0(match): pass in on xl0: 195.27.249.139.63264 > 195.141.69.42.80: S 875844783:875844783(0) win 32768 <mss 1460,nop,wscale 0,nop,nop,timestamp 24054 0> (DF)

     Normalization:
     195.27.249.139,195.141.69.42,80
     195.27.249.139,195.141.69.42,80

     Filter:
     195.27.249.139,195.141.69.42,80

     Correlation: Service stopped

     Visual

Visual Analysis Process
     Event Feedback Loop

     Real-time Data Processing (alongside Forensic and Historical Analysis)
       -> Visual Detection
       -> Visual Investigation
       -> Assign to Content Author
       -> Creation of new Filters and Correlation Components
       -> back into Real-time Data Processing

Visual Analysis Process
     Visual Detection

     Beginning of Analyst's shift

Visual Analysis Process
     Visual Detection
     Scanning activity is displayed

     Figure labels: Firewall Blocks, Scan Events

Visual Analysis Process
     Visual Investigation




Visual Analysis Process
     Defining New Content

     1. Correlation
        Assign for further analysis if more than 20 firewall drops from an external machine to an internal machine
     2. Filter
        • Internal machines on white-list
        • connecting to active directory servers
     3. Open a ticket for Operations to quarantine and clean infected machines

AfterGlow
    http://afterglow.sourceforge.net
  ► Two Versions:
        • AfterGlow 1.x - Perl for Link Graphs
        • AfterGlow 2.0 - Java for TreeMaps

  ► Collection of Parsers:
        • pf2csv.pl          BSD PacketFilter (pf)
        • tcpdump2csv.pl     tcpdump 3.9
        • sendmail2csv.pl    Sendmail transaction logs

AfterGlow
    afterglow.sourceforge.net

AfterGlow
   Parsers
  ► tcpdump2csv.pl
        • Takes care of swapping response source and targets
            tcpdump -vttttnnelr /tmp/log.tcpdump | ./tcpdump2csv.pl "sip dip sport"
  ► sendmail_parser.pl
        • Reassemble email conversations:
            Jul 24 21:01:16 rmarty sendmail[17072]: j6P41Gqt017072: from=<root@localhost.localdomain>, size=650, class=0, nrcpts=1,
            Jul 24 21:01:16 rmarty sendmail[17073]: j6P41Gqt017072: to=ram, ctladdr=<root@localhost.localdomain> (0/0), delay=00:00:00, xdelay=00:00:00, mailer=local, pri=30881, dsn=2.0.0, stat=Sent
  ► pf2csv.pl
        • Parsing OpenBSD pf output

AfterGlow 1.x - Perl

    Pipeline: Parser -> CSV File -> AfterGlow -> Graph Language File -> Grapher

  ► Supported graphing tools:
        • GraphViz from AT&T (dot, neato, circo, twopi)
          http://www.graphviz.org
        • LGL (Large Graph Layout) by Alex Adai
          http://bioinformatics.icmb.utexas.edu/lgl/

AfterGlow 1.x
   Features
  ► Generate Link Graphs
  ► Filtering Nodes
        • Based on name
        • Based on number of occurrences
  ► Fan Out Filtering (figure: Fan Out: 3)
  ► Coloring
        • Edges
        • Nodes
  ► Clustering

AfterGlow 1.x
   Hello World
    Input Data (file):
       a,b
       a,c
       b,c
       d,e

    Command:
       cat file | ./afterglow -c simple.properties -t | neato -Tgif -o test.gif

    simple.properties:
       color.source="green" if ($fields[0] ne "d")
       color.target="blue" if ($fields[1] ne "e")
       color.source="red"
       color="green"

    Output: link graph with the edges a -> b, a -> c, b -> c and d -> e

AfterGlow 1.x
   Property File - Color Definition

        Coloring:
        color.[source|event|target|edge]=
            <perl expression returning a color name>

        Array @fields contains the input line, split into tokens:

        color.event="red" if ($fields[1] =~ /^192..*/)

        Filter nodes with "invisible" color:

        color.target="invisible" if ($fields[0] eq "IIS Action")

AfterGlow 1.x
   Property File - Clustering

        Clustering:
        cluster.[source|event|target]=
            <perl expression returning a cluster name>

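The property-file semantics of the last three slides (ordered color rules over @fields, the "invisible" filter, clustering and fan-out filtering) re-implemented in Python as an added example; this is not AfterGlow's own code. It assumes, as the Hello World output implies, that role-specific rules are tried before the generic `color=` rules, and that a node seen as both source and target keeps the first color assigned to it.

```python
# Hello World input from the slide (file): one "source,target" line per record (afterglow -t).
HELLO_WORLD_CSV = ["a,b", "a,c", "b,c", "d,e"]

# simple.properties translated into ordered Python rules (role, color, condition on the
# split input line). Perl's @fields becomes the list `fields`; a rule without a condition
# is an unconditional fallback; "*" stands for the generic `color=` rules.
#   color.source="green" if ($fields[0] ne "d")
#   color.target="blue"  if ($fields[1] ne "e")
#   color.source="red"
#   color="green"
HELLO_WORLD_RULES = [
    ("source", "green", lambda fields: fields[0] != "d"),
    ("target", "blue", lambda fields: fields[1] != "e"),
    ("source", "red", None),
    ("*", "green", None),
]

# Color definition slide: a target color of "invisible" removes the node and its edge.
INVISIBLE_RULES = [
    ("target", "invisible", lambda fields: fields[0] == "IIS Action"),
    ("*", "grey", None),
]

# Constructed data for fan-out filtering: 10.0.0.5 reaches four targets, 10.0.0.9 only one.
SCAN_CSV = ["10.0.0.5,10.1.0.1", "10.0.0.5,10.1.0.2", "10.0.0.5,10.1.0.3",
            "10.0.0.5,10.1.0.4", "10.0.0.9,10.1.0.1"]


def color_for(role, fields, rules):
    """First matching rule for `role` wins; the generic "*" (color=) rules are only
    consulted when no role-specific rule matched, which is what makes `e` green above."""
    for rule_role, color, cond in rules:
        if rule_role == role and (cond is None or cond(fields)):
            return color
    for rule_role, color, cond in rules:
        if rule_role == "*" and (cond is None or cond(fields)):
            return color
    return None


def build_graph(lines, rules, cluster_source=None, fan_out=1):
    """Turn CSV lines into {"nodes": {name: color}, "edges": [(source, target)]}.

    cluster_source: optional callable fields -> cluster name that replaces the source
                    node name (cluster.source=... in a property file).
    fan_out:        keep only source nodes with at least this many distinct targets
                    (the fan-out filter of the Features slide; 1 keeps everything)."""
    nodes, edges = {}, []
    for line in lines:
        fields = line.strip().split(",")
        src = cluster_source(fields) if cluster_source else fields[0]
        tgt = fields[1]
        src_color = color_for("source", fields, rules)
        tgt_color = color_for("target", fields, rules)
        if src_color == "invisible" or tgt_color == "invisible":
            continue  # filtered node: the whole edge disappears
        # A node seen both as source and target keeps its first color (assumption).
        nodes.setdefault(src, src_color)
        nodes.setdefault(tgt, tgt_color)
        if (src, tgt) not in edges:  # repeated records give a single edge
            edges.append((src, tgt))
    targets_of = {}
    for src, tgt in edges:
        targets_of.setdefault(src, set()).add(tgt)
    keep = {s for s, ts in targets_of.items() if len(ts) >= fan_out}
    edges = [(s, t) for s, t in edges if s in keep]
    used = {n for edge in edges for n in edge}
    return {"nodes": {n: c for n, c in nodes.items() if n in used}, "edges": edges}


def to_dot(graph):
    """Emit the GraphViz description that afterglow hands to neato/dot."""
    out = ["digraph afterglow {"]
    for name, color in graph["nodes"].items():
        out.append(f'  "{name}" [style=filled, fillcolor="{color}"];')
    for src, tgt in graph["edges"]:
        out.append(f'  "{src}" -> "{tgt}";')
    out.append("}")
    return "\n".join(out)


if __name__ == "__main__":
    print(to_dot(build_graph(HELLO_WORLD_CSV, HELLO_WORLD_RULES)))
    # Only the source fanning out to three or more targets survives the filter.
    print(to_dot(build_graph(SCAN_CSV, HELLO_WORLD_RULES, fan_out=3)))
```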
AfterGlow 2.0 - Java

    Pipeline: Parser -> CSV File -> AfterGlow - Java

  ► Command line arguments:
        -h            : help
        -c file       : property file
        -f file       : data file

AfterGlow 2.0
   Example
  ► Data (sample.csv):
           Target System Type,SIP,DIP,User,Outcome
           Development,192.168.10.1,10.10.2.1,ram,failure
           VPN,192.168.10.1,10.10.2.1,ram,success
           Financial System,192.168.20.1,10.0.3.1,drob,success
           VPN,192.168.10.1,10.10.2.1,ram,success
           VPN,192.168.10.1,10.10.2.1,jmoe,failure
           Financial System,192.168.10.1,10.10.2.1,jmoe,success
           Financial System,192.168.10.1,10.10.2.1,jmoe,failure

  ► Properties (afterglow.properties):
           ## AfterGlow -- JAVA 2.0
           ## Properties File
           ## File to load
           file.name=/home/ram/afterglow/data/sample.csv
           ## Column Types (default is STRING), start with 0!
           ## Valid values:
           ##     STRING
           ##     INTEGER
           ##     CATEGORICAL
           column.type.count=4
           column.type[0].column=0
           column.type[0].type=INTEGER
           column.type[1].column=1
           column.type[1].type=CATEGORICAL
           column.type[2].column=2
           column.type[2].type=CATEGORICAL
           column.type[3].column=3
           column.type[3].type=CATEGORICAL
           ## Size Column (default is 0)
           size.column=0
           ## Color Column (default is 0)
           color.column=2

  ► Launch:
           ./afterglow-java.sh -c afterglow.properties

AfterGlow 2.0
   Output




AfterGlow 2.0
   Interaction
  ► Left-click: Zoom in
  ► Right-click: Zoom all the way out
  ► Middle-click: Change Coloring to current depth (Hack: Use SHIFT for leafs)

AfterGlow
   Firewall Log Analysis Example
   Input (pflog):
   Feb 18 13:39:15.598491 rule 71/0(match): pass in on xl0: 195.27.249.139.63263 > 195.141.69.42.80: S 492525755:492525755(0) win 32768 <mss 1460,nop,wscale 0,nop,nop,timestamp 24053 0> (DF)
   Feb 18 13:39:15.899644 rule 71/0(match): pass in on xl0: 195.27.249.139.63264 > 195.141.69.42.80: S 875844783:875844783(0) win 32768 <mss 1460,nop,wscale 0,nop,nop,timestamp 24054 0> (DF)

   Command:
   cat pflog | pf2csv.pl "sip dip dport"

   Output (AfterGlow Input):
   195.27.249.139,195.141.69.42,80
   195.27.249.139,195.141.69.42,80

   Visualization:
   cat pflog | pf2csv.pl "sip dip dport" | afterglow -c properties | neato -Tgif -o foo.gif

AfterGlow
   Firewall Log Analysis Example
 Command:
   cat log | grep pass_in | ./afterglow -c properties -d | dot -Tgif -o foo.gif

 Properties:
   cluster.source="External" if (!match("^195.141.69"))
   color="red" if (field() eq "External")
   color.event="blue" if (regex("^195.141.69"))
   color.event="lightblue"
   color="red"

   Figure annotation: Port 100 access

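The two halves of the firewall workflow, the pflog-to-CSV normalization of the example above and the "more than 20 firewall drops from an external machine to an internal machine" correlation rule from the Defining New Content slide, as one added Python example; it is not pf2csv.pl or ArcSight content. It assumes the ^195.141.69 prefix from the properties file is the internal network, reads "drops" as pflog `block` lines, applies the white-list to either endpoint, and uses constructed log lines (documentation address ranges) for the detection part.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# pflog line as printed by tcpdump (the slide's input format):
#   Feb 18 13:39:15.598491 rule 71/0(match): pass in on xl0: 195.27.249.139.63263 > 195.141.69.42.80: S ...
PFLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:.]+) rule (?P<rule>\d+)/\d+\(\w+\): "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<iface>\w+): "
    r"(?P<sip>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dip>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)

# The two input lines from the slide.
SLIDE_LINES = [
    "Feb 18 13:39:15.598491 rule 71/0(match): pass in on xl0: 195.27.249.139.63263 > 195.141.69.42.80: "
    "S 492525755:492525755(0) win 32768 <mss 1460,nop,wscale 0,nop,nop,timestamp 24053 0> (DF)",
    "Feb 18 13:39:15.899644 rule 71/0(match): pass in on xl0: 195.27.249.139.63264 > 195.141.69.42.80: "
    "S 875844783:875844783(0) win 32768 <mss 1460,nop,wscale 0,nop,nop,timestamp 24054 0> (DF)",
]

# Assumption: the ^195.141.69 prefix used in the slide's properties is the internal network.
INTERNAL = ip_network("195.141.69.0/24")


def parse_pflog(line):
    """Named fields of one pflog line as a dict, or None if the line does not parse."""
    m = PFLOG_RE.match(line)
    return m.groupdict() if m else None


def pf2csv(lines, fields="sip dip dport"):
    """Equivalent of `pf2csv.pl "sip dip dport"`: one CSV row per parsable line, with the
    columns in the order given by the field string (normalization step of the feedback loop)."""
    wanted = fields.split()
    rows = []
    for line in lines:
        rec = parse_pflog(line)
        if rec:
            rows.append(",".join(rec[f] for f in wanted))
    return rows


def correlate_drops(lines, whitelist=(), ad_servers=(), threshold=20, internal=INTERNAL):
    """Defining New Content, steps 1 and 2: count blocked external -> internal connections per
    (sip, dip) pair after dropping white-listed machines and Active Directory traffic, and
    return the pairs with more than `threshold` drops as (sip, dip, count) for assignment."""
    counts = Counter()
    for line in lines:
        rec = parse_pflog(line)
        if not rec or rec["action"] != "block":
            continue
        # Step 2, filter: white-listed machines (either endpoint) and AD-server traffic are noise
        if rec["sip"] in whitelist or rec["dip"] in whitelist or rec["dip"] in ad_servers:
            continue
        # Step 1, correlation: only external -> internal drops count towards the threshold
        sip, dip = ip_address(rec["sip"]), ip_address(rec["dip"])
        if sip in internal or dip not in internal:
            continue
        counts[(rec["sip"], rec["dip"])] += 1
    return [(s, d, n) for (s, d), n in counts.items() if n > threshold]


def _pf(i, action, sip, sport, dip, dport):
    """Build one constructed pflog line in the slide's format (sample data only)."""
    return (f"Feb 18 13:40:{i % 60:02d}.{i:06d} rule 12/0(match): {action} in on xl0: "
            f"{sip}.{sport} > {dip}.{dport}: S 1:1(0) win 32768 (DF)")


# Constructed sample: 25 drops from one external host to one internal host (fires the rule),
# 30 drops from another external host to the AD server (filtered out), 5 passes (ignored).
SAMPLE_LOG = (
    [_pf(i, "block", "203.0.113.5", 40000 + i, "195.141.69.42", 1 + i) for i in range(25)]
    + [_pf(i, "block", "198.51.100.7", 41000 + i, "195.141.69.10", 389) for i in range(30)]
    + [_pf(i, "pass", "203.0.113.5", 42000 + i, "195.141.69.42", 80) for i in range(5)]
)


if __name__ == "__main__":
    print("\n".join(pf2csv(SLIDE_LINES)))
    for sip, dip, n in correlate_drops(SAMPLE_LOG, ad_servers={"195.141.69.10"}):
        print(f"assign for further analysis: {sip} -> {dip}, {n} drops")
```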
Summary
    ► Quickly Visualize Log Files
          • Understand Relationships
          • Find Outliers
          • Spot suspicious activity
    ► Visual Data Analysis Process
    ► AfterGlow
    ► Firewall Log File Analysis

    Don't Read Log Files - Visualize Them!!

THANKS!
    raffy@arcsight.com

AI & ML in Cyber Security - Why Algorithms Are Dangerous
 
Delivering Security Insights with Data Analytics and Visualization
Delivering Security Insights with Data Analytics and VisualizationDelivering Security Insights with Data Analytics and Visualization
Delivering Security Insights with Data Analytics and Visualization
 
Visualization in the Age of Big Data
Visualization in the Age of Big DataVisualization in the Age of Big Data
Visualization in the Age of Big Data
 
Big Data Visualization
Big Data VisualizationBig Data Visualization
Big Data Visualization
 
The Heatmap
 - Why is Security Visualization so Hard?
The Heatmap
 - Why is Security Visualization so Hard?The Heatmap
 - Why is Security Visualization so Hard?
The Heatmap
 - Why is Security Visualization so Hard?
 
Workshop: Big Data Visualization for Security
Workshop: Big Data Visualization for SecurityWorkshop: Big Data Visualization for Security
Workshop: Big Data Visualization for Security
 
Visualization for Security
Visualization for SecurityVisualization for Security
Visualization for Security
 
The Heatmap
 - Why is Security Visualization so Hard?
The Heatmap
 - Why is Security Visualization so Hard?The Heatmap
 - Why is Security Visualization so Hard?
The Heatmap
 - Why is Security Visualization so Hard?
 
DAVIX - Data Analysis and Visualization Linux
DAVIX - Data Analysis and Visualization LinuxDAVIX - Data Analysis and Visualization Linux
DAVIX - Data Analysis and Visualization Linux
 
Cyber Security – How Visual Analytics Unlock Insight
Cyber Security – How Visual Analytics Unlock InsightCyber Security – How Visual Analytics Unlock Insight
Cyber Security – How Visual Analytics Unlock Insight
 
AfterGlow
AfterGlowAfterGlow
AfterGlow
 

Kürzlich hochgeladen

Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 

Kürzlich hochgeladen (20)

Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 

Log Visualization - Bellua BCS 2006

  • 1. Logfile Visualization – The Beauty of Graphs
       BCS 2006, Jakarta
       Raffael Marty, GCIA, CISSP
       Manager Solutions @ ArcSight
       August 30th, 2006
  • 2. Raffael Marty, GCIA, CISSP
       ► Enterprise Security Management (ESM) specialist
       ► Strategic Application Solutions @ ArcSight, Inc.
       ► Intrusion Detection Research @ IBM Research, see http://thor.cryptojail.net
       ► IT Security Consultant @ PriceWaterhouse Coopers
       ► Open Vulnerability and Assessment Language (OVAL) board member
       ► Passion for Visual Security Event Analysis
  • 3. Table Of Contents
       ► Introduction
       ► Graphing Basics
       ► Graph Use Cases
       ► Visual Analysis Process
       ► AfterGlow
       ► Firewall Log Visualization
  • 4. Introduction
  • 5. Disclaimer
       IP addresses and host names showing up in event graphs and descriptions were obfuscated/changed. The addresses are completely random and any resemblance with well-known addresses or host names is purely coincidental.
  • 6. A Picture is Worth a Thousand Log Entries
       Detect the Expected & Discover the Unexpected
       Reduce Analysis and Response Times
       Make Better Decisions
  • 7. Text or Visuals?
       ► What would you rather look at?
       Jun 17 09:42:30 rmarty ifup: Determining IP information for eth0...
       Jun 17 09:42:35 rmarty ifup: failed; no link present. Check cable?
       Jun 17 09:42:35 rmarty network: Bringing up interface eth0: failed
       Jun 17 09:42:38 rmarty sendmail: sendmail shutdown succeeded
       Jun 17 09:42:38 rmarty sendmail: sm-client shutdown succeeded
       Jun 17 09:42:39 rmarty sendmail: sendmail startup succeeded
       Jun 17 09:42:39 rmarty sendmail: sm-client startup succeeded
       Jun 17 09:43:39 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128
       Jun 17 09:45:42 rmarty last message repeated 2 times
       Jun 17 09:45:47 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128
       Jun 17 09:56:02 rmarty vmnet-dhcpd: DHCPDISCOVER from 00:0c:29:b7:b2:47 via vmnet8
       Jun 17 09:56:03 rmarty vmnet-dhcpd: DHCPOFFER on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8
       Jun 17 09:56:03 rmarty vmnet-dhcpd: DHCPREQUEST for 172.16.48.128 from 00:0c:29:b7:b2:47 via vmnet8
       Jun 17 09:56:03 rmarty vmnet-dhcpd: DHCPACK on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8
       Jun 17 10:00:03 rmarty crond(pam_unix)[30534]: session opened for user root by (uid=0)
       Jun 17 10:00:10 rmarty crond(pam_unix)[30534]: session closed for user root
       Jun 17 10:01:02 rmarty crond(pam_unix)[30551]: session opened for user root by (uid=0)
       Jun 17 10:01:07 rmarty crond(pam_unix)[30551]: session closed for user root
       Jun 17 10:05:02 rmarty crond(pam_unix)[30567]: session opened for user idabench by (uid=0)
       Jun 17 10:05:05 rmarty crond(pam_unix)[30567]: session closed for user idabench
       Jun 17 10:13:05 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.19/192.168.80.19 to UDP port: 192
       Jun 17 10:13:05 rmarty portsentry[4797]: attackalert: Host: 192.168.80.19/192.168.80.19 is already blocked Ignoring
       Jun 17 10:14:09 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68
       Jun 17 10:14:09 rmarty portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring
       Jun 17 10:14:09 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68
       Jun 17 10:14:09 rmarty portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring
       Jun 17 10:21:30 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68
       Jun 17 10:21:30 rmarty portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring
       Jun 17 10:28:40 rmarty vmnet-dhcpd: DHCPDISCOVER from 00:0c:29:b7:b2:47 via vmnet8
       Jun 17 10:28:41 rmarty vmnet-dhcpd: DHCPOFFER on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8
       Jun 17 10:28:41 rmarty vmnet-dhcpd: DHCPREQUEST for 172.16.48.128 from 00:0c:29:b7:b2:47 via vmnet8
       Jun 17 10:28:45 rmarty vmnet-dhcpd: DHCPACK on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8
       Jun 17 10:30:47 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68
       Jun 17 10:30:47 rmarty portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring
       Jun 17 10:30:47 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68
       Jun 17 10:30:47 rmarty portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring
       Jun 17 10:35:28 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128
       Jun 17 10:35:31 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128
       Jun 17 10:38:51 rmarty vmnet-dhcpd: DHCPREQUEST for 172.16.48.128 from 00:0c:29:b7:b2:47 via vmnet8
       Jun 17 10:38:52 rmarty vmnet-dhcpd: DHCPACK on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8
       Jun 17 10:42:35 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128
       Jun 17 10:42:38 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128
  • 8. Graphing Basics
  • 9. How To Generate A Graph
       Pipeline: Device -> Log File -> Parser (... | Normalization | ...) -> Event -> Visualizer -> Visual
       Log file excerpt fed into the pipeline:
       Jun 17 09:42:30 rmarty ifup: Determining IP information for eth0...
       Jun 17 09:42:35 rmarty ifup: failed; no link present. Check cable?
       Jun 17 09:42:35 rmarty network: Bringing up interface eth0: failed
       Jun 17 09:42:38 rmarty sendmail: sendmail shutdown succeeded
       Jun 17 09:42:38 rmarty sendmail: sm-client shutdown succeeded
       Jun 17 09:42:39 rmarty sendmail: sendmail startup succeeded
       Jun 17 09:42:39 rmarty sendmail: sm-client startup succeeded
       Jun 17 09:43:39 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128
       Jun 17 09:45:42 rmarty last message repeated 2 times
       Jun 17 09:45:47 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128
       Jun 17 09:56:02 rmarty vmnet-dhcpd: DHCPDISCOVER from 00:0c:29:b7:b2:47 via vmnet8
       Jun 17 09:56:03 rmarty vmnet-dhcpd: DHCPOFFER on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8
  • 10. Visual Types
       ► Link Graphs: AfterGlow 1.x - Perl
       ► TreeMaps: AfterGlow 2.0 - JAVA
  • 11. Link Graph Configurations
       Raw Event:
       [**] [1:1923:2] RPC portmap UDP proxy attempt [**]
       [Classification: Decode of an RPC Query] [Priority: 2]
       06/04-15:56:28.219753 192.168.10.90:32859 -> 192.168.10.255:111
       UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:148 DF
       Len: 120
       Different node configurations (source node -> event node -> target node):
       • SIP -> Name -> DIP:     192.168.10.90 -> RPC portmap -> 192.168.10.255
       • SIP -> DIP -> DPort:    192.168.10.90 -> 192.168.10.255 -> 111
       • SIP -> SPort -> DPort:  192.168.10.90 -> 32859 -> 111
       • Name -> SIP -> DIP:     RPC portmap -> 192.168.10.90 -> 192.168.10.255
  • 12. Tree Maps
       All Network Traffic
  • 13. Tree Maps
       Configuration (Hierarchy): Protocol
       UDP 20% | TCP 80%
  • 14. Tree Maps
       Configuration (Hierarchy): Protocol -> Service
       UDP: DNS, SNMP | TCP: HTTP, SSH, FTP
  • 15. Graph Use Cases
  • 16. Graph Use-Cases
       Situational Awareness Dashboard
  • 17. Graph Use-Cases
       Suspicious Activity?
  • 18. Graph Use-Cases
       Network Scan
  • 19. Graph Use-Cases
       Port Scan?
       ► Port scan or something else?
  • 20. Graph Use-Cases
       PortScan (configuration: SIP -> DIP -> DPort)
  • 21. Graph Use-Cases
       Telecom Malicious Code Propagation (configuration: From Phone# -> Content Type|Size -> To Phone#)
  • 22. Graph Use-Cases
       Email Relays (configuration: From -> To)
       • Grey out "my domain"
       • Make emails to and from "my domain" invisible
       • Legend: From: My Domain, From: Other Domain, To: My Domain, To: Other Domain
       Do you run an open relay?
  • 23. Visual Analysis Process
  • 24. Visual Analysis Process
       Event Feedback Loop: Device -> Normalization -> Filter -> Correlation -> Visual
       Device output:
       Feb 18 13:39:15.598491 rule 71/0(match): pass in on xl0: 195.27.249.139.63263 > 195.141.69.42.80: S 492525755:492525755(0) win 32768 <mss 1460,nop,wscale 0,nop,nop,timestamp 24053 0> (DF)
       Feb 18 13:39:15.899644 rule 71/0(match): pass in on xl0: 195.27.249.139.63264 > 195.141.69.42.80: S 875844783:875844783(0) win 32768 <mss 1460,nop,wscale 0,nop,nop,timestamp 24054 0> (DF)
       Normalization:
       195.27.249.139,195.141.69.42,80
       195.27.249.139,195.141.69.42,80
       Filter:
       195.27.249.139,195.141.69.42,80
       Correlation: Service stopped
  • 25. Visual Analysis Process
       Event Feedback Loop:
       • Data Processing
       • Real-time Visual Detection
       • Visual Investigation
       • Forensic and Historical Analysis
       • Creation of new Filters and Correlation Components
       • Assign to Content Author
  • 26. Visual Analysis Process
       Visual Detection: beginning of Analyst's shift
  • 27. Visual Analysis Process
       Visual Detection: scanning activity is displayed (Firewall Blocks, Scan Events)
  • 28. Visual Analysis Process
       Visual Investigation
  • 29. Visual Analysis Process
       Defining New Content
       1. Correlation: Assign for further analysis if more than 20 firewall drops from an external machine to an internal machine
       2. Filter:
          • Internal machines on white-list
          • connecting to active directory servers
       3. Open a ticket for Operations to quarantine and clean infected machines
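The three steps of slide 29 as working detection logic, added here as an example (not code from the slides): the filter and the correlation rule run over constructed firewall drops in the deck's normalized "sip,dip,dport" form. The 195.141.69.0/24 internal range, the white-list and the Active Directory addresses are assumptions for the example.

```python
"""Added example (not from the slides): slide 29 as code.

Step 2 filters white-listed internal hosts and traffic to Active Directory
servers, step 1 fires when one external machine has more than 20 firewall
drops to one internal machine, step 3 yields the quarantine request.
Input is the deck's normalized "sip,dip,dport" form, already restricted to
dropped connections. The internal range, the white-list and the AD server
addresses are assumptions made for this example.
"""
import ipaddress
from collections import Counter

INTERNAL_NETS = [ipaddress.ip_network("195.141.69.0/24")]   # assumption
WHITELIST = {"195.141.69.10"}                                # assumption: scanner
AD_SERVERS = {"195.141.69.5", "195.141.69.6"}                # assumption
THRESHOLD = 20                                               # slide 29: "more than 20"


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def keep_event(sip, dip):
    """Step 2 (filter): drop known-good noise before correlating."""
    return sip not in WHITELIST and dip not in AD_SERVERS


def correlate(csv_lines, threshold=THRESHOLD):
    """Step 1 (correlation): drops per (external source, internal target)
    above the threshold, i.e. the pairs to assign for further analysis."""
    counts = Counter()
    for line in csv_lines:
        line = line.strip()
        if not line:
            continue
        sip, dip, _dport = line.split(",")
        if not keep_event(sip, dip):
            continue
        if is_internal(sip) or not is_internal(dip):
            continue          # the rule only covers external -> internal
        counts[(sip, dip)] += 1
    return {pair: n for pair, n in counts.items() if n > threshold}


def ticket_requests(hits):
    """Step 3: one ticket line for Operations per flagged internal machine."""
    return sorted(f"quarantine and clean {dip}: {n} drops from {sip}"
                  for (sip, dip), n in hits.items())


def build_sample():
    """Constructed input: an external host hitting one internal host on 25
    ports, 30 drops to an AD server (filtered), a white-listed internal
    scanner (filtered) and a low-volume external source (below threshold)."""
    lines = [f"195.27.249.139,195.141.69.42,{p}" for p in range(1, 26)]
    lines += [f"203.0.113.9,195.141.69.5,{p}" for p in range(1, 31)]
    lines += [f"195.141.69.10,195.141.69.42,{p}" for p in range(1, 31)]
    lines += ["203.0.113.77,195.141.69.42,80"] * 5
    return lines


if __name__ == "__main__":
    for line in ticket_requests(correlate(build_sample())):
        print(line)
```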
  • 30. AfterGlow
       http://afterglow.sourceforge.net
       ► Two Versions:
         • AfterGlow 1.x – Perl for Link Graphs
         • AfterGlow 2.0 – Java for TreeMaps
       ► Collection of Parsers:
         • pf2csv.pl        BSD PacketFilter (pf)
         • tcpdump2csv.pl   tcpdump 3.9
         • sendmail2csv.pl  Sendmail transaction logs
  • 31. AfterGlow
       afterglow.sourceforge.net
  • 32. AfterGlow Parsers
       ► tcpdump2csv.pl
         • Takes care of swapping response source and targets
         tcpdump -vttttnnelr /tmp/log.tcpdump | ./tcpdump2csv.pl "sip dip sport"
       ► sendmail_parser.pl
         • Reassemble email conversations:
         Jul 24 21:01:16 rmarty sendmail[17072]: j6P41Gqt017072: from=<root@localhost.localdomain>, size=650, class=0, nrcpts=1,
         Jul 24 21:01:16 rmarty sendmail[17073]: j6P41Gqt017072: to=ram, ctladdr=<root@localhost.localdomain> (0/0), delay=00:00:00, xdelay=00:00:00, mailer=local, pri=30881, dsn=2.0.0, stat=Sent
       ► pf2csv.pl
         • Parsing OpenBSD pf output
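Reassembling sendmail transactions via the queue ID (slide 32) and then applying the "Email Relays" view of slide 22 to the resulting From -> To edges, as an added example rather than the deck's own sendmail_parser.pl. The first two log lines are the ones shown on slide 32; the remaining lines and the choice of example.com as "my domain" are constructed for this example.

```python
"""Added example (not the deck's sendmail_parser.pl): reassemble sendmail
transaction logs by queue ID (slide 32) and apply the slide-22 'Email Relays'
view: edges inside 'my domain' are made invisible, edges touching it are
greyed out, and edges whose sender AND recipient are both foreign are the
ones that point at an open relay. example.com as 'my domain' is an assumption.
"""
import re
from collections import defaultdict

MY_DOMAIN = "example.com"                                      # assumption
LOCAL_DOMAINS = {MY_DOMAIN, "localhost", "localhost.localdomain"}  # assumption

FROM_RE = re.compile(r"sendmail\[\d+\]: (?P<qid>\w+): from=<(?P<addr>[^>]*)>")
TO_RE = re.compile(r"sendmail\[\d+\]: (?P<qid>\w+): to=(?P<addr>\S+), ")


def domain_of(addr, my_domain=MY_DOMAIN):
    """Domain part of an address; bare local users (to=ram) count as mine."""
    addr = addr.strip("<>").lower()
    dom = addr.rsplit("@", 1)[1] if "@" in addr else my_domain
    return my_domain if dom in LOCAL_DOMAINS else dom


def reassemble(lines):
    """Join the from= and to= records of one transaction via the queue ID."""
    froms, tos = {}, defaultdict(list)
    for line in lines:
        m = FROM_RE.search(line)
        if m:
            froms[m["qid"]] = m["addr"]
            continue
        m = TO_RE.search(line)
        if m:                       # several recipients are comma separated
            tos[m["qid"]].extend(m["addr"].split(","))
    return [(froms[q], rcpt) for q in froms for rcpt in tos.get(q, [])]


def relay_edges(pairs, my_domain=MY_DOMAIN):
    """Slide 22: classify each (from-domain, to-domain) edge the way the
    AfterGlow properties would draw it."""
    result = {}
    for sender, rcpt in pairs:
        edge = (domain_of(sender, my_domain), domain_of(rcpt, my_domain))
        mine = [d == my_domain for d in edge]
        if all(mine):
            result[edge] = "invisible"     # internal mail, hidden
        elif any(mine):
            result[edge] = "grey"          # legitimate in/outbound, greyed out
        else:
            result[edge] = "relay"         # neither end is ours
    return result


def open_relay_suspects(edges):
    """The edges that answer 'Do you run an open relay?' with yes."""
    return sorted(e for e, cls in edges.items() if cls == "relay")


# Lines 1-2 are from slide 32; lines 3-6 are constructed in the same format.
SAMPLE_LOG = [
    "Jul 24 21:01:16 rmarty sendmail[17072]: j6P41Gqt017072: from=<root@localhost.localdomain>, size=650, class=0, nrcpts=1,",
    "Jul 24 21:01:16 rmarty sendmail[17073]: j6P41Gqt017072: to=ram, ctladdr=<root@localhost.localdomain> (0/0), delay=00:00:00, xdelay=00:00:00, mailer=local, pri=30881, dsn=2.0.0, stat=Sent",
    "Jul 24 21:05:00 rmarty sendmail[17101]: j6P45Abc017101: from=<alice@partner.example>, size=1200, class=0, nrcpts=1,",
    "Jul 24 21:05:01 rmarty sendmail[17102]: j6P45Abc017101: to=<bob@example.com>, ctladdr=<alice@partner.example> (0/0), delay=00:00:01, xdelay=00:00:01, mailer=local, pri=31200, dsn=2.0.0, stat=Sent",
    "Jul 24 21:07:00 rmarty sendmail[17120]: j6P47Xyz017120: from=<spam@elsewhere.example>, size=800, class=0, nrcpts=2,",
    "Jul 24 21:07:02 rmarty sendmail[17121]: j6P47Xyz017120: to=<v1@target.example>,<v2@elsewhere.example>, ctladdr=<spam@elsewhere.example> (0/0), delay=00:00:02, xdelay=00:00:02, mailer=esmtp, pri=60800, relay=mx.target.example. [198.51.100.7], dsn=2.0.0, stat=Sent",
]

if __name__ == "__main__":
    for edge, cls in relay_edges(reassemble(SAMPLE_LOG)).items():
        print(f"{edge[0]} -> {edge[1]}: {cls}")
```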
  • 33. AfterGlow 1.x - Perl
       Pipeline: Parser -> CSV File -> AfterGlow (+ Property/Language File) -> Grapher -> Graph
       ► Supported graphing tools:
         • GraphViz from AT&T (dot, neato, circo, twopi) http://www.graphviz.org
         • LGL (Large Graph Layout) by Alex Adai http://bioinformatics.icmb.utexas.edu/lgl/
  • 34. AfterGlow 1.x Features
       ► Generate Link Graphs
       ► Filtering Nodes
         • Based on name
         • Based on number of occurrences
       ► Fan Out Filtering (illustration: Fan Out: 3)
       ► Coloring
         • Edges
         • Nodes
       ► Clustering
  • 35. AfterGlow 1.x Hello World
       Input Data:
         a,b
         a,c
         b,c
         d,e
       Command:
         cat file | ./afterglow -c simple.properties -t | neato -Tgif -o test.gif
       simple.properties:
         color.source="green" if ($fields[0] ne "d")
         color.target="blue" if ($fields[1] ne "e")
         color.source="red"
         color="green"
       Output: link graph of the nodes a, b, c, d and e
  • 36. AfterGlow 1.x Property File – Color Definition
       ► Coloring:
         color.[source|event|target|edge]=<perl expression returning a color name>
       ► Array @fields contains the input line, split into tokens:
         color.event="red" if ($fields[1] =~ /^192\..*/)
       ► Filter nodes with "invisible" color:
         color.target="invisible" if ($fields[0] eq "IIS Action")
  • 37. AfterGlow 1.x Property File - Clustering
       ► Clustering:
         cluster.[source|event|target]=<perl expression returning a cluster name>
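The property-file semantics of slides 34 to 37 (ordered color rules, "invisible" as a node filter, clustering, fan-out filtering, DOT output for neato/dot) traced on the slide-35 hello-world input. This is an added Python re-implementation for illustration, not AfterGlow's own Perl code; the rules are Python callables standing in for the Perl expressions, and the fan-out semantics are a simplification (assumption).

```python
"""Added example, not AfterGlow's own code: a minimal re-implementation of the
AfterGlow 1.x property-file semantics from slides 34-37, so the hello world of
slide 35 can be traced by hand.

Rules are Python callables over the split input line (the @fields array of the
Perl version); the first matching rule wins, as in AfterGlow. The color
"invisible" drops a node together with its edge; cluster rules replace a node
label by the cluster name; the fan-out filter keeps only sources with at least
N distinct targets (a simplification of the real option, assumption).
"""
from collections import defaultdict

# simple.properties from slide 35 as (role, predicate, color) tuples:
#   color.source="green" if ($fields[0] ne "d")  ...  color="green"
SIMPLE_PROPERTIES = [
    ("source", lambda f: f[0] != "d", "green"),
    ("target", lambda f: f[1] != "e", "blue"),
    ("source", lambda f: True, "red"),
    ("target", lambda f: True, "green"),   # the catch-all color="green"
]


def first_match(rules, role, fields, default="lightgrey"):
    """AfterGlow evaluates color/cluster rules in order; the first match wins."""
    for rule_role, pred, value in rules:
        if rule_role == role and pred(fields):
            return value
    return default


def build_graph(csv_lines, color_rules, cluster_rules=(), fanout=0):
    """Return (nodes, edges): nodes maps label -> color, edges is a set of
    (source, target). The first color assigned to a label is kept."""
    nodes, edges, rows = {}, set(), []
    targets_of = defaultdict(set)
    for line in csv_lines:
        fields = line.strip().split(",")
        if len(fields) < 2:
            continue
        src = first_match(cluster_rules, "source", fields, default=fields[0])
        dst = first_match(cluster_rules, "target", fields, default=fields[1])
        src_color = first_match(color_rules, "source", fields)
        dst_color = first_match(color_rules, "target", fields)
        if "invisible" in (src_color, dst_color):
            continue            # slide 36: "invisible" filters the node
        rows.append((src, dst, src_color, dst_color))
        targets_of[src].add(dst)
    for src, dst, sc, dc in rows:
        if fanout and len(targets_of[src]) < fanout:
            continue            # slide 34: fan-out filtering
        nodes.setdefault(src, sc)
        nodes.setdefault(dst, dc)
        edges.add((src, dst))
    return nodes, edges


def to_dot(nodes, edges):
    """Emit GraphViz DOT, the format afterglow pipes into neato/dot (slide 33)."""
    out = ["digraph afterglow {"]
    for label, color in sorted(nodes.items()):
        out.append(f'  "{label}" [style=filled, fillcolor={color}];')
    for src, dst in sorted(edges):
        out.append(f'  "{src}" -> "{dst}";')
    out.append("}")
    return "\n".join(out)


HELLO_WORLD = ["a,b", "a,c", "b,c", "d,e"]      # input data from slide 35

if __name__ == "__main__":
    print(to_dot(*build_graph(HELLO_WORLD, SIMPLE_PROPERTIES)))
```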
  • 38. AfterGlow 2.0 - Java
       Pipeline: Parser -> CSV File -> AfterGlow - Java
       ► Command line arguments:
         -h       : help
         -c file  : property file
         -f file  : data file
  • 39. AfterGlow 2.0 Example
       ► Data:
         Target System Type,SIP,DIP,User,Outcome
         Development,192.168.10.1,10.10.2.1,ram,failure
         VPN,192.168.10.1,10.10.2.1,ram,success
         Financial System,192.168.20.1,10.0.3.1,drob,success
         VPN,192.168.10.1,10.10.2.1,ram,success
         VPN,192.168.10.1,10.10.2.1,jmoe,failure
         Financial System,192.168.10.1,10.10.2.1,jmoe,success
         Financial System,192.168.10.1,10.10.2.1,jmoe,failure
       ► Properties File:
         ## AfterGlow -- JAVA 2.0
         ## Properties File
         ## File to load
         file.name=/home/ram/afterglow/data/sample.csv
         ## Column Types (default is STRING), start with 0!
         ## Valid values:
         ##   STRING
         ##   INTEGER
         ##   CATEGORICAL
         column.type.count=4
         column.type[0].column=0
         column.type[0].type=INTEGER
         column.type[1].column=1
         column.type[1].type=CATEGORICAL
         column.type[2].column=2
         column.type[2].type=CATEGORICAL
         column.type[3].column=3
         column.type[3].type=CATEGORICAL
         ## Size Column (default is 0)
         size.column=0
         ## Color Column (default is 0)
         color.column=2
       ► Launch:
         ./afterglow-java.sh -c afterglow.properties
  • 40. AfterGlow 2.0 Output
  • 41. AfterGlow 2.0 Interaction
       ► Left-click:
         • Zoom in
       ► Right-click:
         • Zoom all the way out
       ► Middle-click:
         • Change Coloring to current depth (Hack: Use SHIFT for leafs)
  • 42. AfterGlow Firewall Log Analysis Example
       Input (pflog):
         Feb 18 13:39:15.598491 rule 71/0(match): pass in on xl0: 195.27.249.139.63263 > 195.141.69.42.80: S 492525755:492525755(0) win 32768 <mss 1460,nop,wscale 0,nop,nop,timestamp 24053 0> (DF)
         Feb 18 13:39:15.899644 rule 71/0(match): pass in on xl0: 195.27.249.139.63264 > 195.141.69.42.80: S 875844783:875844783(0) win 32768 <mss 1460,nop,wscale 0,nop,nop,timestamp 24054 0> (DF)
       Command:
         cat pflog | pf2csv.pl "sip dip dport"
       Output (AfterGlow input):
         195.27.249.139,195.141.69.42,80
         195.27.249.139,195.141.69.42,80
       Visualization:
         cat pflog | pf2csv.pl "sip dip dport" | afterglow -c properties | neato -Tgif -o foo.gif
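The parsing step of slide 42 (pflog lines to the "sip dip dport" CSV that AfterGlow reads), including the response-swapping that slide 32 attributes to tcpdump2csv.pl, as an added Python example rather than the deck's pf2csv.pl. The two slide lines are the real input; the third line is a constructed SYN/ACK reply, and recognising a reply by an "ack" from a well-known port to an ephemeral one is this example's heuristic.

```python
"""Added example, not the deck's pf2csv.pl: parse pflog/tcpdump-style lines
such as the two on slide 42 into AfterGlow's CSV input for any field list
("sip dip dport", "sip dport", ...), swapping source and target for replies
so that the client always ends up as the source node.

Assumption: a reply carries 'ack' in its TCP part and goes from a well-known
port (< 1024) to an ephemeral one. That heuristic is the example's, not the
original parser's logic.
"""
import re

# "Feb 18 13:39:15.598491 rule 71/0(match): pass in on xl0: SIP.SPORT > DIP.DPORT: S ..."
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:.]+) rule (?P<rule>\S+): (?P<action>pass|block) "
    r"(?P<dir>in|out) on (?P<if>\w+): "
    r"(?P<sip>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dip>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<flags>[SPFR.]+)(?P<rest>.*)$"
)
FIELDS = ("ts", "rule", "action", "dir", "if", "sip", "sport", "dip", "dport", "flags")


def is_reply(rec):
    """Heuristic (assumption): server -> client packet of an existing session."""
    return " ack " in rec["rest"] and int(rec["sport"]) < 1024 <= int(rec["dport"])


def parse_line(line, swap_responses=True):
    """One pflog line -> dict of fields, or None when the line does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    if swap_responses and is_reply(rec):
        rec["sip"], rec["dip"] = rec["dip"], rec["sip"]          # slide 32: swap
        rec["sport"], rec["dport"] = rec["dport"], rec["sport"]  # response ends
    return rec


def to_csv(lines, spec="sip dip dport", swap_responses=True):
    """Emit one CSV row per parsable line, columns as named in spec
    (the argument string of pf2csv.pl on slide 42)."""
    cols = spec.split()
    unknown = sorted(set(cols) - set(FIELDS))
    if unknown:
        raise ValueError(f"unknown field(s): {unknown}")
    rows = []
    for line in lines:
        rec = parse_line(line, swap_responses)
        if rec:
            rows.append(",".join(rec[c] for c in cols))
    return rows


# Lines 1-2 are the slide-42 input; line 3 is a constructed SYN/ACK reply.
SAMPLE_PFLOG = [
    "Feb 18 13:39:15.598491 rule 71/0(match): pass in on xl0: 195.27.249.139.63263 > 195.141.69.42.80: S 492525755:492525755(0) win 32768 <mss 1460,nop,wscale 0,nop,nop,timestamp 24053 0> (DF)",
    "Feb 18 13:39:15.899644 rule 71/0(match): pass in on xl0: 195.27.249.139.63264 > 195.141.69.42.80: S 875844783:875844783(0) win 32768 <mss 1460,nop,wscale 0,nop,nop,timestamp 24054 0> (DF)",
    "Feb 18 13:39:15.601120 rule 71/0(match): pass out on xl0: 195.141.69.42.80 > 195.27.249.139.63263: S 1934005401:1934005401(0) ack 492525756 win 5840 <mss 1460> (DF)",
]

if __name__ == "__main__":
    print("\n".join(to_csv(SAMPLE_PFLOG)))
```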
  • 43. AfterGlow Firewall Log Analysis Example
       Command:
         cat log | grep pass_in | ./afterglow -c properties -d | dot -Tgif -o foo.gif
       Properties:
         cluster.source="External" if (!match("^195.141.69"))
         color="red" if (field() eq "External")
         color.event="blue" if (regex("^195.141.69"))
         color.event="lightblue"
         color="red"
       (Graph callout: Port 100 access)
  • 44. Summary
       ► Quickly Visualize Log Files
         • Understand Relationships
         • Find Outliers
         • Spot suspicious activity
       ► Visual Data Analysis Process
       ► AfterGlow
       ► Firewall Log File Analysis
       Don't Read Log Files – Visualize Them!!
  • 45. THANKS!
       raffy@arcsight.com

Editor's notes

  1. Focus on the little circles (especially on the bottom of the graph). These circles indicate sources (red nodes) that are connecting to many machines (green nodes) on the same port (white node). The zoom on the right side shows that there is one machine (the left red node) which connects to about a dozen machines on the same port. Depending on the source machine, this is normal or possibly anomalous behavior! Certainly worth investigating. For graphs like this it might make sense to apply a filter which prevents servers (especially Windows Domain Controllers) from being drawn. Those usually show very different behavior than all the other machines.
  2. The graph shows a configuration that uses the destination address (green nodes) and target ports (white nodes). The contiguous port numbers either represent a part of a portscan or, what is more likely, a device which reports source ports as destination ports for some of the events.
  3. In this graph we are looking at a zoom of the graph from the previous slide again. Because we chose to show the destination ports only once in the graph (configure the graph to show nodes "once per distinct source node"), we can quickly identify all the machines that are using a specific service on the network (red nodes connecting to the same white node) and also what machines are making use of those services (green nodes connecting to the white nodes). Filter out all the services (i.e., ports) that you know are running on your network and you will be able to spot servers that you did not know of and should not exist on the network!